Re: [gentoo-user] GBP character in KDE
On Mar 8, 2014, at 20:44, Mick michaelkintz...@gmail.com wrote:

> On Saturday 08 Mar 2014 18:10:21 Mick wrote:
>> On Saturday 08 Mar 2014 17:42:07 Pavel Volkov wrote:
>>> On Saturday 08 March 2014 15:50:27 Mick wrote:
>>>> I can't understand why a PC that uses the KDE desktop always sticks an accented capital A in front of the pound sign. It looks like this: Â£
>>>
>>> I don't have this problem in KDE (though I'm not using UK layout to type it). I use the additional X.Org layout called typo and type the pound sign with AltGr+F. What tool do you use to switch keyboard layouts and what are those layouts?
>>
>> This machine only has UK qwerty keyboard and UK locale. I don't switch into any other layouts. I've just changed the default country in the KDE locale GUI from UK to 'No Country' and will restart the desktop as soon as I can kick a Luser off it, to see if it works.
>
> The user logged out of KDE and back in and the darn thing still shows up. :-/ Any ideas what might be causing this? There is no problem with typing the US dollar character key (Shift+4), but there is when pressing the GBP character (Shift+3).
>
> This is what xev shows when pressing and releasing Shift plus the key:
>
> ==
> KeyPress event, serial 37, synthetic NO, window 0x4a1,
>     root 0x15b, subw 0x4a2, time 125124784, (30,32), root:(3052,475),
>     state 0x10, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
>     XLookupString gives 0 bytes:
>     XmbLookupString gives 0 bytes:
>     XFilterEvent returns: False
>
> KeyPress event, serial 40, synthetic NO, window 0x4a1,
>     root 0x15b, subw 0x4a2, time 125128642, (30,32), root:(3052,475),
>     state 0x11, keycode 12 (keysym 0xa3, sterling), same_screen YES,
>     XLookupString gives 2 bytes: (c2 a3) £
>     XmbLookupString gives 2 bytes: (c2 a3) £
>     XFilterEvent returns: False
>
> KeyRelease event, serial 40, synthetic NO, window 0x4a1,
>     root 0x15b, subw 0x4a2, time 125128772, (30,32), root:(3052,475),
>     state 0x11, keycode 12 (keysym 0xa3, sterling), same_screen YES,
>     XLookupString gives 2 bytes: (c2 a3) £
>     XFilterEvent returns: False
>
> KeyRelease event, serial 40, synthetic NO, window 0x4a1,
>     root 0x15b, subw 0x4a2, time 125128977, (30,32), root:(3052,475),
>     state 0x11, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
>     XLookupString gives 0 bytes:
>     XFilterEvent returns: False
> ==
>
> --
> Regards,
> Mick

When you press £-symbol on your keyboard and are using a unicode keymap U+00A3 unicode keypoint is created. When that is encoded to UTF-8 a 2-byte string is created: 0x2CA3. Now when this string is displayed the software displaying the string needs to know the encoding of the string. If it is interpreted as UTF-8 string you will see: £. If it is interpreted as ISO-8859-1 or CP1252 these both will produce: Â£.

So what this means is that you have an incorrect unicode configuration. In the console I have correct unicode setup. However when run command unicode_stop I get Â£ and after I run unicode_start I will get £ as I should.

When computer boots always starts with us layout and ascii map. It is up to your configuration to switch to your preferred layout and charmap.

For X set your layout in xorg.conf.d in 10-evdev.conf (XkbLayout). Then test that X has the correct keyboard layout:

    sudo Xorg :0 -ac -terminate & (sleep 4; DISPLAY=:0.0 xterm)

If that works you should have the right layout in kde. Deleting kde config will bring you the correct layout.

For the console set unicode aware font in conf.d/consolefont and keymap in keymaps. And in rc.conf set unicode to yes.

--
Matti
Re: [gentoo-user] ethernet dont use kernel module
On Mar 9, 2014, at 10:43, Canek Peláez Valdés can...@gmail.com wrote: On Sun, Mar 9, 2014 at 2:38 AM, Facundo Curti facu.cu...@gmail.com wrote: 2014-03-09 5:28 GMT-03:00 Canek Peláez Valdés can...@gmail.com: On Sun, Mar 9, 2014 at 2:18 AM, Facundo Curti facu.cu...@gmail.com wrote: [snip] First of all, you should not need to run any script. udev should handle everything by itself. http://bpaste.net/show/186711/ Second of all: could not open /proc/modules: No such file or directory How is that even possible? In the first .config you posted, you had CONFIG_MODULES unset, but I'm assuming you changed CONFIG_R8169 to 'm' by running make menuconfig and going into the correct option, and that you don't just edited your .config file. Right? Because if you edited your .config by hand, that *CANNOT* result in anything good, unless you know precisely what are you doing, and even then most people would not recommend it. Yes, of course :) I used make menuconfig, and i put modules ON. It looks like you don't have kernel module support. Is that so? I suggest you to try r8168 module. The realtek RTL8111/8168 chip is buggy. The in-kernel module r8169 failed to work with the chip. When i used r8169 and booted to windows or the other way around the network card was hard locked. It required a complete power out for a minute to reset the card. With r8168 module there is no problems. The code is here: r8168.googlecode.com/files/r8168-8.036.00.tar.gz I have also a nice ebuild for convenience... But you may test the card without it. -M I turned this on. Now I made an emerge --sync, and emerge --update --newuse --deep world And this give me an update of gentoo-sources (3.10 I had to 3.12). So I'm going to compile the new kernel to see if it works :P What does the following command prints: find /lib/modules -name *r816* I post it in a few secs :) Please wait I will try first compiling the new kernel. 
Also, remember that after you compile your kernel with modules support, you need to do make modules_install so the modules get installed into /lib/modules/${KERNEL_VERSION}. Regards. -- Canek Peláez Valdés Posgrado en Ciencia e Ingeniería de la Computación Universidad Nacional Autónoma de México
Re: [gentoo-user] ethernet dont use kernel module
On Mar 9, 2014, at 11:35, Facundo Curti facu.cu...@gmail.com wrote: I suggest you to try r8168 module. The realtek RTL8111/8168 chip is buggy. The in-kernel module r8169 failed to work with the chip. When i used r8169 and booted to windows or the other way around the network card was hard locked. It required a complete power out for a minute to reset the card. With r8168 module there is no problems. The code is here: r8168.googlecode.com/files/r8168-8.036.00.tar.gz Broken link :P I've fixed it!! Finally! But i have to say it... I'm stupid!! The problem was that I was booting from the wrong kernel. I was booting from kernel-gentoo, and I was installing the new kernel as kernel-version-gentoo. So, no matter how much changes I made, the kernel was always the same :P Sorry for make lose your time, was a stupid mistake from me :/ Thank you for patience! Sorry. A typo: r8168.googlecode.com/files/r8168-8.036.00.tar.bz2 -M
Re: [gentoo-user] GBP character in KDE
On Mar 9, 2014, at 18:26, Mick michaelkintz...@gmail.com wrote:

> On Sunday 09 Mar 2014 14:48:45 Stroller wrote:
>> On Sat, 8 March 2014, at 3:50 pm, Mick michaelkintz...@gmail.com wrote:
>>> ...
>>> This is what /etc/env.d/02locale contains:
>>>
>>> LANG=en_GB.UTF-8
>>> LC_COLLATE=C
>>
>> Why have you set LC_COLLATE differently from LANG, please?
>
> Because I am used to have files listed with . prefixed files first, then file names with Capital case and then lower case. Otherwise if you have LC_ALL set then that setting will be followed for sorting files. If neither LC_ALL nor LC_COLLATE are set, then LANG will take precedence.
>
> Please note that I use different languages on a couple of machines and that can mess things up when listing stuff.

Mick. Did you try this?

    sudo Xorg :0 -ac -terminate & (sleep 4; DISPLAY=:0.0 xterm)

Is the problem also in a bare X session?

> --
> Regards,
> Mick
Re: [gentoo-user] Re: [OT] LENOVO Z510 + Dual Boot + Gentoo == True ?
On Mar 10, 2014, at 15:33, Mick michaelkintz...@gmail.com wrote:

> On Saturday 08 Mar 2014 20:22:12 »Q« wrote:
>> On Sat, 08 Mar 2014 08:23:21 +0100 Dan Johansson d...@dmj.nu wrote:
>>> I am considering buying a new Notebook and found that a LENOVO IdeaPad Z510 would fit into my budget and seems quite OK. Does anyone here on the list have any experience with the Z510 running dual-boot (Win8.x and Gentoo) that would like to share their experience?
>>
>> I have an Ideapad y510p that's dual-booting Win8.x and Gentoo. It shipped with 8.0 and after I got it dual-booting I upgraded to 8.1. It's not quite the same model, but I guess it can't hurt to type what I remember.
>>
>> I didn't take notes, because if I ran into any trouble it was my plan just to wipe the drive and install only Gentoo. I just flew by the seat of my pants, so I'm sure this isn't the smartest way to do things.
>>
>> My model came with a smallish SSD meant for caching. The SSD is sda and the HDD is sdb. Here's the current state of sdb, from gdisk:
>>
>> Number  Start (sector)  End (sector)  Size         Code  Name
>>      1            2048       2050047  1000.0 MiB   2700  Basic data partition
>>      2         2050048       2582527  260.0 MiB    EF00  EFI system partition
>>      3         2582528       4630527  1000.0 MiB         Basic data partition
>>      4         4630528       4892671  128.0 MiB    0C01  Microsoft reserved part
>>      5      1563490304    1870690303  146.5 GiB    0700  Basic data partition
>>      6      1870690304    1923119103  25.0 GiB     0700  Basic data partition
>>      7      1923119104    1953523711  14.5 GiB     2700  Basic data partition
>>      8      1562466304    1563490303  500.0 MiB    0700
>>      9         4892672       5199871  150.0 MiB    0700
>>     10         5199872      21583871  7.8 GiB      0700
>>     11        21583872    1562466303  734.8 GiB    0700
>>
>> sdb1-sdb7 existed on the drive when I got it. sdb5 is where Windows is installed. To make room for Gentoo, I shrunk sdb5 and slid it to the end of its space using the GUI partition tool on System Rescue CD, which I think is gparted.
>>
>> I also used System Rescue CD to install Gentoo. It's important to boot System Rescue CD in EFI mode, at least for installing the bootloader.
>>
>> sdb8 is meant for an installation of System Rescue CD, but I haven't gotten around to installing it. sdb9 is /boot, sdb10 is swap, and sdb11 is Gentoo /
>>
>> I emerged grub in the chrooted environment. I mounted sdb2 at /boot/efi, installed grub on sdb9 (/boot), and ran grub-mkconfig to make a config file for grub. The output indicated that it had found both Gentoo and Windows. The bios (or whatever it's called now) setup recognized grub as a new EFI-booting option and let me move it to first priority, and I got to the grub menu.
>>
>> grub booted Gentoo just fine, but Windows booting failed, something about not finding partitions or files. Instead of troubleshooting that, I disabled os probing for grub (GRUB_DISABLE_OS_PROBER=true in /etc/default/grub) and added Windows via /etc/grub.d/40_custom , like so:
>>
>> menuentry "Windows 8.x" {
>>     set root='(hd1,gpt2)'
>>     chainloader /EFI/microsoft/BOOT/bootmgfw.efi
>> }
>>
>> Running grub-mkconfig after that got me a grub.cfg which works to boot Gentoo and Windows, though I don't get any fancy options for Windows, such as safe mode.
>
> If you moved the MSWindows OS or boot partitions then the UUIDs would have changed. You'll need to edit the MSWindows boot menu (in the MSWindows boot partition) and change their entrie(s) accordingly.

Not necessarily. You can make uuid identical. It is just data on disk. Even if you change the order of partitions windows can be tricked with grub by changing the bios order of drives through mapping. After that windows boots without modification. I've tested this up to win7. Grub and dd are only tools you need.

--
Matti

> --
> Regards,
> Mick
Re: [gentoo-user] Re: [OT] LENOVO Z510 + Dual Boot + Gentoo == True ?
On Mar 15, 2014, at 19:17, »Q« boxc...@gmx.net wrote:

> On Mon, 10 Mar 2014 13:33:20 + Mick michaelkintz...@gmail.com wrote:
>> On Saturday 08 Mar 2014 20:22:12 »Q« wrote:
>>> On Sat, 08 Mar 2014 08:23:21 +0100
>>> grub booted Gentoo just fine, but Windows booting failed, something about not finding partitions or files. Instead of troubleshooting that, I disabled os probing for grub (GRUB_DISABLE_OS_PROBER=true in /etc/default/grub) and added Windows via /etc/grub.d/40_custom , like so:
>>
>> If you moved the MSWindows OS or boot partitions then the UUIDs would have changed.
>
> I moved the OS partition, and its UUID did indeed change.

I have swapped the hard drive from my dual boot box and ran into the same problem trying to get windows 7 to boot. As you also quite fast realize by reading different forums that changing windows boot parameters is a quite big hassle. I would not go that way! You have another simpler solution.

Change the hard disk device ID to the same value as the old disk. It is written on MBR. Change the UUID of the windows partition to the same as on the old partition. UUID on NTFS partition is written at the beginning of the partition at 0x48-4F.

So by changing 2x16 bytes of data your machine should boot again correctly. Also if your grub is not on the same physical disk as windows then you need to trick windows by changing the order with grub before booting (see map command)

>> You'll need to edit the MSWindows boot menu (in the MSWindows boot partition) and change their entrie(s) accordingly.
>
> If somebody can post a link to a recipe for doing that, I'd appreciate it. I don't understand the Windows boot stuff.
Re: [gentoo-user] Re: [OT] LENOVO Z510 + Dual Boot + Gentoo == True ?
On Mar 16, 2014, at 12:38, Mick michaelkintz...@gmail.com wrote:

> On Sunday 16 Mar 2014 09:07:49 Matti Nykyri wrote:
>> Change the hard disk device ID to the same value as the old disk. It is written on MBR. Change the UUID of the windows partition to the same as on the old partition. UUID on NTFS partition is written at the beginning of the partition at 0x48-4F.
>
> Can you give more detail please? How would you change disk and partition UUIDs?
>
> --
> Regards,
> Mick

Well when you purchase a new blank disk it is full with null's. When you first time open that drive with for example with fdisk it complains about incorrect mbr. If you in that situation print the partition table you will see that the device id is null. When you create a partition these errors will be corrected by write. Fdisk creates a new device id from random data. It is then written to the mbr. Just explore the disk with hexedit and you'll find the device id. Just remember endianness.

By the same way a UUID is created when you format a new NTFS partition. It is also just random data written to the disk. It can easily be edited with hexedit. At least my win7 booted normally when I moved it from a disk to another and fixed the UUID's of the new drive. Windows didn't notice anything. After I switched the motherboard of the machine then windows required a new activation.

Actually if you copy the windows partition with dd the uuid of the NTFS partition will not change. If you also copy the beginning of the old disk to a new one it will copy the device id to the new disk. Instead if you make a new partition table the device id will change.

There is nothing magical with partitioning and moving data on disk or to another disk. You can completely wipe mbr and partition table and then write a new partition table with partitions pointing to the beginning of your data and all your data will be intact. Just experiment with hexedit.

I can give you correct addresses when I'm back at home tomorrow. Or just google yourself, if you are unable to find it with hexedit.

--
Matti
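
Added example, not part of the original message: a read-only check of the two identifiers discussed above, run on two small image files the script builds itself, to confirm what a dd copy does and does not carry over. The MBR offsets (signature at 0x1B8, partition table at 0x1BE) are assumptions taken from the standard MBR layout rather than from the thread; the identifier values and file names are constructed.

```shell
#!/bin/sh
# Added example: reads only image files it builds itself (all values constructed).
set -eu

# Print a little-endian on-disk field most significant byte first, as tools show it.
le_hex() {                                  # $1 = file, $2 = byte offset, $3 = length
    out=
    for b in $(od -An -v -tx1 -j "$2" -N "$3" "$1"); do out="$b$out"; done
    echo "$out"
}

disk_signature() { le_hex "$1" 440 4; }     # MBR offset 0x1B8, 4 bytes

part_start_lba() {                          # $2 = primary partition number, 1..4
    h=$(le_hex "$1" $((446 + 16 * ($2 - 1) + 8)) 4)
    echo $((0x$h))
}

ntfs_serial() {                             # $2 = first sector (LBA) of the partition
    oem=$(dd if="$1" bs=1 skip=$(($2 * 512 + 3)) count=8 2>/dev/null)
    if [ "$oem" != "NTFS    " ]; then echo "not-ntfs"; return 0; fi
    le_hex "$1" $(($2 * 512 + 72)) 8        # boot sector bytes 0x48-0x4F
}

compare_ids() {                             # $1 = old image, $2 = new image
    sig=differs; ser=differs
    if [ "$(disk_signature "$1")" = "$(disk_signature "$2")" ]; then sig=same; fi
    s1=$(ntfs_serial "$1" "$(part_start_lba "$1" 1)")
    s2=$(ntfs_serial "$2" "$(part_start_lba "$2" 1)")
    if [ "$s1" = "$s2" ]; then ser=same; fi
    echo "signature=$sig serial=$ser"
}

# --- constructed test images -------------------------------------------------
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

make_disk() {       # $1 = file, $2 = signature bytes, $3 = serial bytes (on-disk order)
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    poke "$1" 440 "$2"
    poke "$1" 450 '\007'            # partition 1: type 0x07
    poke "$1" 454 '\002'            # partition 1: starts at LBA 2
    poke "$1" 510 '\125\252'        # 0x55 0xAA boot signature
    poke "$1" 1027 'NTFS    '       # OEM ID of the partition boot sector
    poke "$1" 1096 "$3"
}

build_pair() {      # $1 = directory that receives old.img and new.img
    make_disk "$1/old.img" '\170\126\064\022' '\357\315\253\211\147\105\043\001'
    # New disk: fresh partition table (new signature), partition data copied with dd.
    make_disk "$1/new.img" '\021\042\063\104' '\000'
    dd if="$1/old.img" of="$1/new.img" bs=512 skip=2 seek=2 count=2 \
        conv=notrunc 2>/dev/null
}

work=$(mktemp -d)
build_pair "$work"
echo "old: signature=0x$(disk_signature "$work/old.img") serial=$(ntfs_serial "$work/old.img" 2)"
echo "new: signature=0x$(disk_signature "$work/new.img") serial=$(ntfs_serial "$work/new.img" 2)"
compare_ids "$work/old.img" "$work/new.img"
rm -rf "$work"
```

The same functions can be pointed at an image taken from a real disk to record both identifiers before and after a migration.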
Re: [gentoo-user] Debian just voted in systemd for default init system in jessie
On Mar 22, 2014, at 12:34, Alan McKinnon alan.mckin...@gmail.com wrote: On 22/03/2014 01:46, Tom Wijsman wrote: On Sat, 22 Mar 2014 00:34:55 +0200 Alan McKinnon alan.mckin...@gmail.com wrote: 2. A discussion forum. For these you do munge Reply-To: to be the list so all discussion happens on-list and is visible to all gentoo-user has always been the latter and all discussion always takes place on-list. If some doc somewhere says otherwise, change the doc to reflect reality. http://www.gentoo.org/main/en/lists.xml mentions it is about support too, and people that are here to be supported don't necessarily want to follow the discussion that comes along as well; thus unsubscribe before an answer or not subscribe at all in the first place, they then instead rely on receiving a mail regardless of that. CC-ing ensures that the minutes spent on the answer make it reach the person; relying on that they are (still) subscribed, I can waste time. See the most recent mail I sent before this for details. I disagree. Your default position on things seems to be to favour the theoretical position over the reality. I'm the opposite, being a sysadmin and not a developer I'm a realist and not a theoretician. I work with the way things are and really only look at the theory when stuff is proven broken. What is currently happening is you are sending mails directly addressed to me so they do not get filtered and end up cluttering my already full inbox. You are breaking my filters. I do not want to receive list mail from you addressed directly to me, I want it addressed to the list. I do want you to fix your mailer so that you stop inconveniencing me. And I would *really* prefer not to have to tweak my filters to accommodate you. I'd rather you do that heavy lifting (on account of you causing it). Do you see what I'm getting at? I agree. I think it is arrogant to disturb lots of people that have done nothing to deserve it. 
People should be let to choose them self what they wanna do with their lives. If they wish to disengage some conversation, let them. Don't send them spam. The ones who wish to participate will stay on the list and the ones seeking for an answer can browse the archives. Please respect other people. -- -Matti
Re: [gentoo-user] No motherboard beep since kernel upgrade
On Mar 23, 2014, at 5:13, Volker Armin Hemmann volkerar...@googlemail.com wrote: Am 23.03.2014 00:45, schrieb null_ptr: On 22/03/14 23:40, Volker Armin Hemmann wrote: Am 22.03.2014 02:08, schrieb null_ptr: On 21/03/14 14:41, Lee wrote: I can't think of the name of the module, pcspkr IIRC or some such, but it prolly isn't loaded. Modprobe can tell you if it's available load it. On Mar 21, 2014 12:41 PM, Dat G rhan...@gmx.de wrote: On 21/03/14 19:54, Francesco Turco wrote: On Fri, Mar 21, 2014, at 18:51, null_ptr wrote: Module for my sound card is running and SND_HDA_INPUT_BEEP is activated in kernel config. Am I missing something else? Perhaps you need CONFIG_INPUT_PCSPKR. I tried building with that and it didn't fix it. modprobe pcspkr doesn't change anything. It is still silent. I also tried building it in the kernel. On the other hand from what I understand the snd_hda_intel should be doing the beeps when the mainboard does not have a physical speaker on the mainboard and instead beeps through the regular sound device. At least on 3.10.25 I had not build the pcspkr module and the system beeped happily. Now, are we talking about the motherboard beeping through a little builtin speaker that does not work or Are we talking about your onboard sound not beeping in your headphones/your attached speakers when there is a motherboard 'beep'? Either way, I don't see any problem at all. A non-beeping computer is a correctly working one. I'm talking about the onboard sound not beeping in the attached headphones/speakers when there is a motherboard 'beep'. The problem is that I used that for some events as a status (e.g. battery running low) and I like the annoying nature of the beep for these events. so it is not a 'speaker' problem but a sound card problem. You should have stated that from the beginning. Probably something muted that should not be muted. Check that you can play sounds from different sources to see that there is no process blocking your alsa driver. 
If there is a program that is blocking alsa you can find out which process it is by: fuser -v /dev/snd/*
Re: [gentoo-user] HP scanner is no longer found
On Mar 24, 2014, at 7:02, Dale rdalek1...@gmail.com wrote: Howdy, This is confusing. A month or so ago, my HP 5300C scanner worked just fine. I plugged it in today, it doesn't show up. When I type lsusb, I get this: root@fireball / # lsusb Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 007 Device 002: ID 0764:0501 Cyber Power System, Inc. CP1500 AVR UPS Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 005 Device 002: ID 046d:c05a Logitech, Inc. M90/M100 Optical Mouse Bus 005 Device 003: ID 22b8:6402 Motorola PCS Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 009 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 008 Device 002: ID 2109:3431 Bus 008 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub root@fireball / # No scanner there. I thought maybe the cable was bad, plugged in my printer with the same cable and the printer shows up just fine. I have tried both a 3.11.6 and 3.13.6 kernel thinking just maybe it was a bug but I'm pretty sure I was using 3.11.6 last time. Here is a list of usb and sane packages installed: Well I had a similar problem with a samsung scanner printer not showing up in lsusb. Dmesg show irregularly some messages while plugging and un plugging. I tracked the problem down to a broken physical connection (usb connector / cable). So changing the cable and port and hard reseting scanner corrected my problem. As you can tell, there is not one there. Other places say it is obsolete but thought it worth a mention. I checked permissions on the nodes in /dev. They are root/usb. I also made sure I am in the scanner and usb groups as well. It seems to me that until lsusb sees the scanner, not much else matters. So far, no luck. 
I figure it is something so simple that I am just plain over looking the obvious. Anyone got any ideas? I got some really old family photos I want to start scanning.
Re: [gentoo-user] NVidia 3D setup
On Apr 15, 2014, at 18:59, meino.cra...@gmx.de wrote: Alan McKinnon alan.mckin...@gmail.com [14-04-15 17:33]: On 15/04/2014 09:14, Mick wrote: On Monday 14 Apr 2014 15:35:00 Alan McKinnon wrote: The nvidia blobs do work well as long as you use them the way they were intended to be used. The way they were intended to be used is the same way Windows uses them, the Linux and Windows drivers share the bulk of the internal code and Linux feature set most definitely is not the driving force here :-) Which means some awesome things the X server can do simply do not work with the blob. The blob also rips out most of the OpenGL and framebuffer code and replaces it with it's own mysterious black magic, this can add more wrinkles. And finally, the Nvidia blob is not at all integrated with the kernel in any meaningful way, so your running kernel usually ends up 2-4 versions behind current. Would I be wrong to deduce from this that I would be better off with Radeon cards instead of moving to NVidia? Out of coincidence I have been using Radeon for ever it seems and I have had no problem that I recall with the free radeon drivers. No need to align suitable kernel versions with new video card drivers, or skip any driver versions, or much else. The only thing that I had to think about was how to sort out suitable firmware, but even this was relatively easy. Many people slate Radeon cards and this had me thinking that I should consciously make an effort to buy NVidia, but I am not as sure at this moment in time that this would not bring more problems than its worth? Would you be better off with a Toyota or a Nissan? Same answer: I don't see much difference. Both work, both have free and blob drivers, both are better at some things and worse at others. I really don't see any clear cut reason to choose one over the other for the general case. 
Never mind that some people will not touch one or the other with a barge pole no matter how much you pay them, I think they just have human bias. I've used both over the years, with free and blob drivers, and they always did what I need them to do - display a desktop and play movies. There will always be cases where some specific range of GPU and/or drivers just isn't up to snuff but I don't think that applies overall. You should go with the option that maximizes your own personal warm and fuzzy feelings :-) -- Alan McKinnon alan.mckin...@gmail.com To exegrate the whole discussion: Help! I have a problem with Linux! ...I have some heard of Linux...bad things...use windows instead! So: Due to the already mentioned reasons I cannot use other hardware/ other software. I need to get THIS running. Next question: How can I downgrade to the previous version of nvidia-drivers/nvidia-settings/nvidia-cude-toolkit, which works nice for me? To go a little bit more off-topic... Has anyone setup a 3D display with NVidia GPU using HDMI? I have a new projector which supports the frame packing with full resolution 3D 1080p-signal. I have the modelines configured for all the formats I need. If I just force X to use a modeline 2205p the projector does obviously not recognize, cuz the signal does not specify the 3D-mode it is using... as described in the standard freely available to download for everybody. So has anyone got this working? Does it need a specific version of NVidia-drivers or firmware or hardware? -- -Matti
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 16, 2014, at 13:52, Tanstaafl tansta...@libertytrek.org wrote:

> Hi all,
>
> I've taken this opportunity to prod the boss to let me buy some real certs for our few self-hosted mail services. Until now, we've used self-signed certs.
>
> My question is, what exactly is the correct procedure for doing this?
>
> Also, do I still need to do the step I've been seeing:
>
> Step: 2 Delete SSL key set
> Now, make out a list of websites that are equipped with SSL certificates. After that, delete all SSL keys, private and CSR key
> Finally, create a new private key and CSR key for each of your website. However, remember that your keys should be of 2048-bit key length.
>
> ?

Depends on your security model. RSA 2048-bit should be sufficient for most people. Although it is totally possible to create 16384-bit key. Just remember to use random data and a trustworthy keygenerator. They both have been known to be tampered by some agencies :)

> Or will simply replacing my self-signed certs with the new real ones be good enough?

No it will not. Keys are the ones that have been compromised. You need to create new keys. With those keys you need to create certificate request. Then you send that request to certificate authority for signing and publishing in their crl. When you receive the signed certificate you can start using it with your key. Never send your key to CA or expect to get a key from them.

There are also other algorithms than RSA. And also if you want to get PFS you will need to consider your setup, certificate and security model.

--
-Matti
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 16, 2014, at 20:56, Tanstaafl tansta...@libertytrek.org wrote:

> On 4/16/2014 7:14 AM, Matti Nykyri matti.nyk...@iki.fi wrote:
>> On Apr 16, 2014, at 13:52, Tanstaafl tansta...@libertytrek.org wrote:
>>> Or will simply replacing my self-signed certs with the new real ones be good enough?
>>
>> No it will not. Keys are the ones that have been compromised. You need to create new keys. With those keys you need to create certificate request. Then you send that request to certificate authority for signing and publishing in their crl. When you receive the signed certificate you can start using it with your key. Never send your key to CA or expect to get a key from them.
>
> Ok, thanks...

Ok... This is the second time I'm writing this message. Last time my rotten battery of my rotten apple died while it was sending the message. That drove me to despair and I had sleep on it before retrying :/

> But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (ie, will my current production server stop working until I get the new certs installed)?

No. Your cert is valid as described in the cert fields: not valid before, not valid after. You should never have two different valid certificates for the same purpose. So it is the jobs of the CA to set the revoke bit on the old certificate when issuing a new one.

> I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...

The same here. Now this heartbleed got me updating everything. There are a few very good tutorials... And if you skim back this list there was a really good post on certs like two weeks ago.

> I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...

First you need to create parameters for your keys. If using elliptic key use:

    openssl ecparam

This is not necessary for all types of keys. And usually most of these commands can be combined but I try to separate them so you get the full picture. Then create keys:

    openssl genpkey

Then make CR:

    openssl req

After this the job is handled by the CA... So you for self signed cert. For a real cert you just send the CR to the CA. CA will then sign your cert:

    openssl ca

And publish your cert:

    openssl ca -gencrl

For this CAcert is needed of course. If you just want a self signed cert you can create your own CAcert by creating keys and self-signed cert by:

    openssl genpkey
    openssl req -x509

Then sign and publish your CR with your CAcert using openssl ca-utility.

About security.. Your CA keys should never ever be on a computer that is online. If they were and would have been compromised by heartbleed for example we would be having a true catastrophe at the moment. Still it is suggested that you encrypt your CAcert keys.

>> There are also other algorithms than RSA. And also if you want to get PFS you will need to consider your setup, certificate and security model.
>
> What is PFS?

PFS = perfect forward secrecy. Meaning that the exposure of your cert keys will not compromise the content of past transmissions that have been recorded by your adversary. This is offered by certain cipher suites. So you really need to consider what algorithms and what ciphers you wish to use with your SSL servers and choose certificates and parameters that will do the job. DHE and ECDHE will provide PFS.

I don't know enough about cryptography to truly say what to trust. Someone should correct me if my assumptions are false... But I have come to a conclusion that DHE is compromised by NSA. So I would not use it. DH and ECDH do not provide PFS.

Using PFS gives you a performance penalty but increase security. DH uses DHparams to do the key exchange. Openssl will reuse these params across different connection to boost performance. It needs to be explicitly told not to if this is desired. This again increases security but degrades performance.

For the cert I would use elliptic cryptography. I trust NSA has not poisoned this algorithm... But can you be sure? Anyways making things secure you need to trust that you have truly random data and there are no vulnerabilities in your key generators... It is really hard to make sure of this. It requires you to be a true pro.

-Matti
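
Added example, not part of the original message: the sequence named above (ecparam, genpkey, req, ca, ca -gencrl) run end to end against a throwaway CA, showing that the replacement certificate carries a new key and that the old certificate fails validation once the CRL lists it. The config file contents, the prime256v1 curve, the names "Demo Offline CA" and mail.example.org, and the use of `openssl verify` to check the result are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: throwaway CA and keys in a temporary directory; the names
# "Demo Offline CA" and mail.example.org are constructed for illustration.
set -eu

# New key -> CSR -> certificate. Only the CSR (public key and name) reaches the
# CA step; the private key file is never an input to "openssl ca".
issue() {                                   # $1 = work dir, $2 = file basename
    openssl genpkey -paramfile "$1/ec.param" -out "$1/$2.key"
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" \
        -subj "/CN=mail.example.org" -out "$1/$2.csr"
    openssl ca -config "$1/ca.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt"
}

# Validate a certificate against the CA certificate and its current CRL.
check() {                                   # $1 = work dir, $2 = file basename
    res=$(openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
          "$1/$2.crt" 2>&1 || true)
    case $res in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

rotate_demo() {
    d=$(mktemp -d)
    mkdir "$d/issued"
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/issued
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
    {
        # Parameters, then the CA's own key and self-signed certificate.
        openssl ecparam -name prime256v1 -out "$d/ec.param"
        openssl genpkey -paramfile "$d/ec.param" -out "$d/ca.key"
        openssl req -x509 -new -config "$d/ca.cnf" -extensions v3_ca \
            -key "$d/ca.key" -subj "/CN=Demo Offline CA" -days 30 -out "$d/ca.crt"
        issue "$d" old      # certificate whose key is assumed exposed
        issue "$d" new      # replacement: new key, new CSR, new certificate
        openssl ca -config "$d/ca.cnf" -revoke "$d/old.crt" -crl_reason keyCompromise
        openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl"
    } > "$d/openssl.log" 2>&1

    keys=same
    if [ "$(openssl x509 -in "$d/old.crt" -noout -pubkey)" != \
         "$(openssl x509 -in "$d/new.crt" -noout -pubkey)" ]; then keys=different; fi
    echo "old=$(check "$d" old) new=$(check "$d" new) keys=$keys"
    rm -rf "$d"
}

rotate_demo
```

Without `-crl_check` the revoked certificate still verifies, since it remains inside its validity dates; revocation only takes effect for clients that actually consult the CRL.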
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 17, 2014, at 9:10, Mick michaelkintz...@gmail.com wrote:

> On Wednesday 16 Apr 2014 18:56:57 Tanstaafl wrote:
>> On 4/16/2014 7:14 AM, Matti Nykyri matti.nyk...@iki.fi wrote:
>>> On Apr 16, 2014, at 13:52, Tanstaafl tansta...@libertytrek.org wrote:
>>>> Or will simply replacing my self-signed certs with the new real ones be good enough?
>>>
>>> No it will not. Keys are the ones that have been compromised. You need to create new keys. With those keys you need to create certificate request. Then you send that request to certificate authority for signing and publishing in their crl. When you receive the signed certificate you can start using it with your key. Never send your key to CA or expect to get a key from them.
>>
>> Ok, thanks...
>>
>> But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (ie, will my current production server stop working until I get the new certs installed)?
>
> You have not explained your PKI set up. Creating a new private key and CSR is just another private key and CSR. If you replace either the private CA key on the server, or any of its certificates chain, but leave the path in your vhosts pointing to the old key/certificate that no longer exist you will of course break the server. Apache will refuse to restart and warn you about borked paths.
>
>> I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...
>
> Yes, better be safe with production machines. However, don't take too long because your private key(s) are potentially already compromised.
>
>> I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...
>>
>>> There are also other algorithms than RSA. And also if you want to get PFS you will need to consider your setup, certificate and security model.
>>
>> What is PFS?
>
> http://en.wikipedia.org/wiki/Forward_secrecy
>
> I'm no mathematical genius to understand cryptography at anything more than a superficial level, but I thought that ECDS, that PFS for TLS depends on, was compromised from inception by the NSA? Perhaps only some ECDS were, I am not really sure.

I don't know anything about ECDS. You probably mean ECDSA?! What I have understood is that ECDSA is not compromised. Though I can not be certain about that.

RSA has been in the market for a long time and the mathematics are for what I think a bit simpler. But with compromised software there was a bad algorithm for creating the primes. So it was the keys not RSA itself.

But I think the thing that you are talking about is DHE_RSA... I read from somewhere that it was quite compromised.. But ECDHE is not. The difference with DH and DHE (ECDH and ECDHE) is that DH uses static keys and DHE authenticated ephemeral keys. These temporary keys give you forward secrecy but decrease performance.

RSA takes quite heavy computing for the same level of security compared to ECDSA. RSA key creation is even more costly so using ephemeral temporary keys with RSA takes quite long to compute. That's why I prefer ECDHE_ECDSA suites for reasonable security and fast encryption.

> I remember reading somewhere (was it Schneier?) that RSA is probably a better bet these days. I'd also appreciate some views from the better informed members of the list because there's a lot of FUD and tin hats flying around in the post Snowden era.

For high security application I would also use RSA in excess of 16k keys. Then make sure to use random data and a trustworthy key-generator. Fighting the agencies is still something I believe is virtually impossible ;)

--
-Matti
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote: On Thursday 17 Apr 2014 15:40:04 Matti Nykyri wrote: On Apr 17, 2014, at 9:10, Mick michaelkintz...@gmail.com wrote: On Wednesday 16 Apr 2014 18:56:57 Tanstaafl wrote: On 4/16/2014 7:14 AM, Matti Nykyri matti.nyk...@iki.fi wrote: On Apr 16, 2014, at 13:52, Tanstaafl tansta...@libertytrek.org wrote:

Or will simply replacing my self-signed certs with the new real ones be good enough?

No it will not. Keys are the ones that have been compromised. You need to create new keys. With those keys you need to create certificate request. Then you send that request to certificate authority for signing and publishing in their crl. When you receive the signed certificate you can start using it with your key. Never send your key to CA or expect to get a key from them.

Ok, thanks... But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (ie, will my current production server stop working until I get the new certs installed)?

You have not explained your PKI set up. Creating a new private key and CSR is just another private key and CSR. If you replace either the private CA key on the server, or any of its certificates chain, but leave the path in your vhosts pointing to the old key/certificate that no longer exist you will of course break the server. Apache will refuse to restart and warn you about borked paths.

I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...

Yes, better be safe with production machines. However, don't take too long because your private key(s) are potentially already compromised.

I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...

There are also other algorithms than RSA. And also if you want to get PFS you will need to consider your setup, certificate and security model.

What is PFS?

http://en.wikipedia.org/wiki/Forward_secrecy

I'm no mathematical genius to understand cryptography at anything more than a superficial level, but I thought that ECDS, that PFS for TLS depends on, was compromised from inception by the NSA? Perhaps only some ECDS were, I am not really sure.

I don't know anything about ECDS. You probably mean ECDSA?! What I have understood is that ECDSA is not compromised. Though I can not be certain about that. RSA has been in the market for a long time and the mathematics are for what I think a bit simpler. But with compromised software there was a bad algorithm for creating the primes. So it was the keys not RSA itself. But I think the thing that you are talking about is DHE_RSA... I read from somewhere that it was quite compromised.. But ECDHE is not. The difference with DH and DHE (ECDH and ECDHE) is that DH uses static keys and DHE authenticated ephemeral keys. These temporary keys give you forward secrecy but decrease performance. RSA takes quite heavy computing for the same level of security compared to ECDSA. RSA key creation is even more costly so using ephemeral temporary keys with RSA takes quite long to compute. That's why I prefer ECDHE_ECDSA suites for reasonable security and fast encryption.

I remember reading somewhere (was it Schneier?) that RSA is probably a better bet these days. I'd also appreciate some views from the better informed members of the list because there's a lot of FUD and tin hats flying around in the post Snowden era.

For high security application I would also use RSA in excess of 16k keys. Then make sure to use random data and a trustworthy key-generator. Fighting the agencies is still something I believe is virtually impossible ;)

Thanks Matti, Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?
Select curve for ECDSA:
openssl ecparam -out ec_param.pem -name secp521r1

Create your own CA certificate and associated new pkey:
openssl req -new -x509 -extensions v3_ca -newkey ec:ec_param.pem -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

#create cert request and new pkey:
openssl req -new -nodes -out req.pem -newkey ec:ec_param.pem -config ./openssl.cnf

#sign cert with your CAcert:
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

#create crl for all certificate requests you have signed with your CAcert:
openssl ca -gencrl -crldays 31 -config ./openssl.cnf -out rootca.crl

#revoke certificate:
openssl ca -revoke newcerts/serial.pem -config ./openssl.cnf

Modify openssl.cnf to suit your setup. With this setup you will get the newest fastest and most
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 17, 2014, at 23:17, walt w41...@gmail.com wrote: On 04/17/2014 11:43 AM, Matti Nykyri wrote:

I don't know much about the secp521r1 curve or about its security. You can list all available curves by:
openssl ecparam -list_curves

I don't either, but I hope this guy does :) http://www.math.columbia.edu/~woit/wordpress/?p=6243

Good article :) The overall picture I had about EC is more or less the same as described in the article. But you always have to make a threat analysis and it depends on the private data you are protecting. By definition any private data will be disclosed given enough time and resources. So if your adversary is NSA... Well protecting the communication of regular internet user and your production server with SSL and x509 certificates will just not secure the content. I'm 100% certain that NSA has access to at least one CA root certificates private keys. With those they can do a man-in-the-middle attack that the regular user will most likely never spot.

In my own security model I'm protected from NSA by the fact that it will disappear in the flow of all other traffic because NSA is not stealing credit card numbers :) ECDSA with ECDHE is fast and secure according to public sources. The problem is totally different if you are protecting the secrets of your company that are within the interest of NSA. I'm lucky I don't have to try that.

-- -Matti
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 19, 2014, at 16:17, Joe User mailingli...@rootservice.org wrote: On 19.04.2014 13:51, Mick wrote: On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote: On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:

Can you please share how you create ECDHE_ECDSA with openssl ecparam, or ping a URL if that is more convenient?

Select curve for ECDSA:
openssl ecparam -out ec_param.pem -name secp521r1
[snip ...]
I don't know much about the secp521r1 curve or about its security.
[snip ...]

It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example. The thing is guys that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA. Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.

1.) secp521r1 is *not* P-256

2.) I used secp384r1 aka P-384 as it's defined by RFC 6460 while secp521r1 is not, and all TLS1.2 implementations implement secp256r1 and secp384r1 as defined in RFC 6460, while secp521r1 is implemented only by some. So better to be RFC compliant and reach all possible users/customers than to violate the RFC and lose possible users/customers. https://tools.ietf.org/html/rfc6460

3.) Even the people behind http://safecurves.cr.yp.to have no proof that secp[256|384|521]r1 are unsecure, they just don't trust the NIST. So that list is mostly useless and possibly untrue.

Which of the safecurves are supported by openssl?

4.) ECC in certificates is not widely used and therefore also not extensively audited, so it might be less secure than SHA256+RSA, or may suffer from implementation failures like heartbeat did.

5.) ECDSA has the same problems I mentioned in 4, so it may be a bad idea to use it in production. Stick to ECDHE and as a fallback to DHE. I use the following ciphers for my services:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

What program do you use to provide IMAP-SSL/TLS? I have not gotten ECDHE to work with courieropenssl. Anyways I fail to see any logic with courier-setup... Postfix and apache on the other hand are easy to setup to use the correct ciphers.

-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 19, 2014, at 18:29, Dale rdalek1...@gmail.com wrote: Mick wrote:

Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked.

FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud! It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete: http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/

How does one find out what their bank uses? I'd like to check on what mine uses. I have Seamonkey and Firefox installed here IF it matters.

Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses: https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on

-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 20, 2014, at 11:49, Mick michaelkintz...@gmail.com wrote: On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote: On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:

Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses: https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on

Well, that's an eye-opener and no mistake. I see my bank is rated B overall. Could be worse I suppose. Maybe I should forward the results to them.

Many banks, businesses and public institutions have to cater for the lowest common denominator, or their help lines would be inundated with irate customers being asked to first reboot their MSWindows PC. Until the beginning of April 2014 this would have been a WinXP user with MSIE 8.0. In Europe up to 25% of all PCs are still on WinXP. This counts out anything exotic in encryption capabilities, like ECDHE and ECDSA, because it is only the latest versions of Firefox and Chrome that can use these.

Yes, this is true. Even gentoo doesn't have a stable firefox that supports TLSv1.2 highest security ciphers C030 and C02C (ECDHE-RSA/ECDSA-AES256-GCM-SHA384). But what banks should do: they should support the most secure ciphers and sort their cipher lists so that the most secure are at the top. Because what I understood is that browsers will by default use the first cipher in the order the server sent them it supports and not go through the entire list. A security aware user can of course disable all the bad ciphers he doesn't want to use in his own browser. Now if he tries to connect to a poorly secured site the connection will fail until a common cipher is found. But what is important you will know when you try to make an insecure connection.

This is the reason that banks also employ some other means of authentication, in addition to your user ID; e.g. they typically ask you to enter a few characters out of your password (different each time), or additional secret data like the name of your favourite teacher, mother's maiden name and the like. Unless someone was recording each and every login of yours with the bank and kept a record of each and every password character you ever typed they may still not be able to login, without locking up the account and triggering an offline replacement of your password.

NSA has this capability. Also I think most of the largest ISPs are capable to do it. All this requires is enough HD space, private key of any CA enabled x509 certificate and access to any router between you and the bank or DNS poisoning of your computer.

So I suspect they assume that the Internet connection to their servers should be treated as aheam! less than private and have deployed additional means of at least stopping unauthorised transactions online.

-- -Matti
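The ordering point made in the message above can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses IANA-style suite names, reports suites without forward secrecy or with RC4/MD5, and tests whether a server's preference order puts stronger suites first. The ranking policy (ECDHE before DHE, GCM before CBC, SHA-2 before SHA-1, larger key first) and the LEGACY_SERVER list are assumptions constructed for this illustration.

```python
import re

# Suite names as listed earlier in this thread, in the poster's order.
THREAD_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed sample: a server that still prefers RC4 and static RSA key exchange.
LEGACY_SERVER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>[A-Z]+))?_WITH_(?P<enc>.+?)_(?P<hash>SHA\d*|MD5)$"
)


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("unrecognised suite name: %r" % name)
    kx, enc, digest = m.group("kx"), m.group("enc"), m.group("hash")
    bits = re.search(r"_(\d+)", enc)
    return {
        "name": name,
        "kx": kx,
        "auth": m.group("auth") or kx,   # TLS_RSA_WITH_*: RSA does both jobs
        "cipher": enc,
        "bits": int(bits.group(1)) if bits else 0,
        "forward_secret": kx in ("ECDHE", "DHE"),   # ephemeral key exchange
        "aead": "GCM" in enc,
        "sha2": digest in ("SHA256", "SHA384"),
        "weak": enc.startswith("RC4") or digest == "MD5",
    }


def preference_key(suite):
    """Sort key for this example's policy; a larger tuple means more preferred."""
    return (not suite["weak"], suite["forward_secret"], suite["kx"] == "ECDHE",
            suite["aead"], suite["sha2"], suite["bits"])


def rank(names):
    """Return the suite names sorted from most to least preferred."""
    return sorted(names, key=lambda n: preference_key(parse_suite(n)), reverse=True)


def audit(server_order):
    """Report weak suites, suites without forward secrecy, and bad ordering."""
    parsed = [parse_suite(n) for n in server_order]
    return {
        "weak": [s["name"] for s in parsed if s["weak"]],
        "no_forward_secrecy": [s["name"] for s in parsed if not s["forward_secret"]],
        "misordered": list(server_order) != rank(server_order),
    }


if __name__ == "__main__":
    for label, suites in (("thread list", THREAD_SUITES), ("legacy sample", LEGACY_SERVER)):
        print(label, audit(suites))
```
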
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 20, 2014, at 15:38, Mick michaelkintz...@gmail.com wrote: On Sunday 20 Apr 2014 10:10:42 Dale wrote:

Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.

This is a problem all Microsoft's customers are facing. I wonder why they don't demand more. I hope this publicity that Snowden and heartbleed has brought to an average user will change their interests to demand better privacy. Anyways I just wonder who trusts software whose source code isn't open and reviewed by a large community that don't have a financial interest on you.

According to the Netcraft SSL Survey (May 2013) only a third of all web servers out there offer Perfect Forward Secrecy to ensure that even if the encryption keys were to be compromised, previous communications cannot be retrospectively decrypted. Elliptic Curve algorithms are not yet included in many browsers and in any case the security of these in a post-Snowden world should be questionable (well, at least the arbitrarily specified NIST-NSA sponsored curves, which OpenSSL is heavily impregnated with). What I'm saying is that there may be no perfect banking website out there, because Internet security is screwed up at the moment, but it is always worth looking for a better bet.

It is really hard to fight for privacy, because we have large companies and agencies that actively are lobbying politicians and standards for their own personal interests. In order for the security to get better an average user needs to gain an interest to it. This seems unlikely because nowadays everybody is uploading all their secrets to a cloud computing service etc. But I hope this publicity will change it even slowly.

Another thing is that system administrators need to gain more knowledge on securing their services. For that I think this conversation is quite helpful. A lot of people read this list and it can be found by google. Openssl and gnupg are not very easy to use for someone who doesn't have any knowledge on cryptography. For example openssl will try to use md5 by default even in gentoo if you just try to create x509 cert. And many manual pages are way behind... Newest algorithms are almost never listed there. So you have to truly dig in or ask somebody to find safe and up-to date answers.

-- -Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 20, 2014, at 20:20, Joe User mailingli...@rootservice.org wrote: On 20.04.2014 18:40, Matti Nykyri wrote: On Apr 20, 2014, at 15:38, Mick michaelkintz...@gmail.com wrote: On Sunday 20 Apr 2014 10:10:42 Dale wrote:

Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.

This is a problem all Microsoft's customers are facing.

Take a look on Linux Distros from 2000 when WinXP has been developed, and you'll see, that the Linux Distros weren't better in this. Same for the time when WinVista was developed, and the same for Win7 and Win8. So don't blame Microsoft for things that they did as good as everybody else did, that would be unfair.

Ok, that's a good point. Sorry, didn't really think about it that way. It's mostly a user issue for not updating their software. But still the point is correct that the ones that are suffering of this are their customers, although it's not Microsoft's fault. But the number of people using a Linux Distro from the year 2000 is negligible... And of course there are many reasons for that. But what is something to blame Microsoft for is the order of preference that MSIE selects its cipher. I don't know if user can change this order but I think it would be better to order them by security and not by some other factor i.e. speed. But that's just my opinion and I usually try to stay away from windows :)

Anyways I just wonder who trusts software whose source code isn't open and reviewed by a large community that don't have a financial interest on you.

Ouch, wrong argument, really! Nobody in the large opensource community had ever reviewed the heartbeat code in more than two years. This was not a harmless bug in a mostly unused library, it was a really big issue in one of the most used libraries in the world and *nobody* saw it. Has openssl ever been carefully audited? I don't think so and I bet that there are more heartbleed like bugs in openssl.

Yes heartbleed was solely a bug in openssl and yes it was truly severe and that should never ever be allowed to happen.

On the other hand schannel (the Windows cryptolib) is regularly audited. Sorry, but the large opensource community is blind on both eyes, whereas the closed source community is only blind on one eye.

But I still disagree... Everybody has some goals why they are doing something.. Some of these goals might be private and some are public. The public and private goal need not to correlate. For any PLC their true goal is to make money for their stock holders. People are by nature greedy and put their own interests above everybody else's. I think there are less of these greedy people within the open-source community than in general.

How can you say that nobody is auditing the security of open-source software? We audit all the software and hardware we use! And every company should. Open-source is just easier coz you have the source to look at. Hardware is the trickiest one to audit of course. Big agencies have capital to put their people to work in the closed source companies and try inject their goals to the code. It is even harder if you inject the vulnerability to hardware as claimed by Snowden.

If you look at Linux kernel I think that is a quite good example on how software should be developed. The update cycle is fast and the few bugs that are found get fixed rapidly. And the better the program is written the easier it is to debug and avoid security disasters. Just by reviewing a file you can see how well it is organized and that tells you about the quality of the program.

All these things are mostly opinions and speculation because all the data has not been disclosed. Snowden revealed it to some extent but with that content you can analyze the whole extent of operations. What would you do if there were no limits?

-- -Matti
Re: [gentoo-user] trouble merging gnucash (png16 vs png15)
On May 2, 2014, at 1:31, gottl...@nyu.edu wrote:

One of my machines (amd64) cannot merge gnucash-2.6.1. The complaint is that it can't find libpng15. The system has libpng16. The build log has 352 occurrences of libpng16 and no occurrences of libpng15. The build log has 2 occurrences of lpng both 15 in consecutive lines.

libtool: link: [big snip] -lpng15 [big snip]
[small snip] cannot find -lpng15

I seem to remember a few years ago having to edit pngXX to pngYY, but thought those times were definitely over.

The problem is that you have a package that has not been remerged after the update to png16 and those libraries are still linked to png15. Remove all orphan files of png15. Fix la files: la_file_fixer and fix_libtool_files, don't remember which does it so try both. Look at the depgraph of gnucash and remerge the ones related to png. If you are not sure which packages to remerge, more is always safer.

-- -Matti
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On May 7, 2014, at 21:57, J. Roeleveld jo...@antarean.org wrote:

The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you?

I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options?

Well that is of course to let you have the control over how the encryption is done. From the kernel's point of view the disk encryption is just bare encryption with the given parameters. These include the cipher (AES etc), the mode (CBC, CTR etc) and Initialization Vector (IV) creation (ESSIV etc) and last but not least the key that is used with the cipher.

Now without LUKS cryptsetup just sets these parameters and you have to provide them each time to cryptsetup when you are using your encrypted volume. With LUKS cryptsetup will store all these parameters in a binary format. By default this binary data is stored at the beginning of the disk. Kernel then only uses the remaining disk space for encryption. The binary data at the beginning of the disk is not encrypted because the setup would then be unreadable.

When you setup a LUKS partition, cryptsetup creates a random key used for encrypting the partition. Using a random key for disk encryption is an absolute MUST! A hash of this key is stored in binary data to do key verification. By default a 128k salt is created for each password you wish to use to access the disk (anti forensics). The disk key is then encrypted with the salt and the password. The salt and the encrypted key are stored in the binary data. If the salt is lost, the disk key is lost and recovery of your data is virtually impossible with only your password. With only the password it is impossible to decrypt the disk. If you have a backup of the disk key, with that key you can decrypt the disk without the password.

All the steps done by LUKS are necessary for a proper disk encryption! If you do not use LUKS you need to write your own software to do the necessary steps! Cryptsetup without LUKS uses just a plain hash function without a salt to derive disk key from your password. The entropy in this kind of key creation is not nearly enough for secure disk encryption! Unless you know what you are doing, use LUKS.

-- -Matti
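A simplified model of the two modes described in the message above, added here as an illustration and not taken from cryptsetup or from the poster. Assumptions: SHA-256 stands in for the plain-mode hash, PBKDF2 is the passphrase KDF, and an XOR wrap stands in for LUKS's anti-forensic split plus cipher encryption of the key; all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

KEY_LEN = 32         # 256-bit volume (master) key
ITERATIONS = 50_000  # constructed value; a real header stores a benchmarked count


def plain_mode_key(passphrase: bytes) -> bytes:
    """Non-LUKS model: the volume key is one unsalted hash of the passphrase."""
    return hashlib.sha256(passphrase).digest()


def _kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_keyslot(passphrase: bytes, master_key: bytes, iterations: int) -> dict:
    """Wrap the master key under a key derived from passphrase + fresh salt."""
    salt = os.urandom(32)
    wrapped = _xor(master_key, _kdf(passphrase, salt, iterations))
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped}


def luks_format(passphrase: bytes, iterations: int = ITERATIONS):
    """Return (header, master_key); only the header would be written to disk."""
    master_key = os.urandom(KEY_LEN)   # random, independent of the passphrase
    digest_salt = os.urandom(32)
    header = {
        "mk_digest_salt": digest_salt,
        "mk_digest_iter": iterations,
        # Salted digest of the master key, used only to verify a candidate key.
        "mk_digest": _kdf(master_key, digest_salt, iterations),
        "keyslots": [make_keyslot(passphrase, master_key, iterations)],
    }
    return header, master_key


def luks_open(header: dict, passphrase: bytes):
    """Try every keyslot; return the master key, or None if nothing verifies."""
    for slot in header["keyslots"]:
        candidate = _xor(slot["wrapped"],
                         _kdf(passphrase, slot["salt"], slot["iterations"]))
        check = _kdf(candidate, header["mk_digest_salt"], header["mk_digest_iter"])
        if hmac.compare_digest(check, header["mk_digest"]):
            return candidate
    return None


def luks_add_key(header: dict, existing: bytes, new: bytes) -> bool:
    """Add a second passphrase without changing the key the data is encrypted with."""
    master_key = luks_open(header, existing)
    if master_key is None:
        return False
    header["keyslots"].append(make_keyslot(new, master_key, header["mk_digest_iter"]))
    return True


if __name__ == "__main__":
    pw = b"constructed example passphrase"
    # Plain mode: same passphrase, same key on every disk, so it can be precomputed.
    print("plain keys equal:", plain_mode_key(pw) == plain_mode_key(pw))
    # LUKS model: same passphrase, unrelated random volume keys.
    (h1, k1), (h2, k2) = luks_format(pw), luks_format(pw)
    print("LUKS keys equal: ", k1 == k2)
    print("unlock ok:       ", luks_open(h1, pw) == k1)
    print("wrong passphrase:", luks_open(h1, b"guess"))
    # Header damage: zero the keyslot salt and the passphrase alone is useless.
    damaged = dict(h1, keyslots=[dict(s, salt=bytes(32)) for s in h1["keyslots"]])
    print("salt lost:       ", luks_open(damaged, pw))
```
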
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On May 7, 2014, at 21:57, J. Roeleveld jo...@antarean.org wrote: I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options? And a short answer to the actual question :) LUKS automates key creation and non-LUKS lets you do it manually. Sorry for the long posts ;) -- -Matti
Re: [gentoo-user] Use Flags and Updating
On May 20, 2014, at 14:49, Alexander Kapshuk alexander.kaps...@gmail.com wrote: On 05/20/2014 02:40 PM, Hunter Jozwiak wrote: From: Alexander Kapshuk [mailto:alexander.kaps...@gmail.com] Sent: Tuesday, May 20, 2014 7:44 AM To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Use Flags and Updating On 05/20/2014 02:37 PM, Hunter Jozwiak wrote:

Hi all. How do I get Portage to update all software to use my new USE flags? I made some modifications to the variable, and I want to make sure that all packages can use the flags.

emerge(1) -N -- --newuse

Thank you.

No worries. Here's what I usually run when updating the world.

Long version:
emerge --ask --update --deep --with-bdeps=y --newuse @world

With '--with-bdeps=y' set in the file shown below:
grep bdeps /etc/portage/make.conf
EMERGE_DEFAULT_OPTS=--with-bdeps=y

Short version:
emerge -avuND @world

-a [--ask]
-v [--verbose]
-u [--update]
-N [--newuse]
-D [--deep]

And how to remember this... Make it a name:
emerge -DuvaN @world

Human mind is a complex organ ;)

-- -Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote: On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote: On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote: On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

The second option does sound what I am looking for. Basically, if I log out but leave my computer on, leave home, some crook/NSA type breaks in and tries to access something or steals my whole puter, they would just get garbage for data. That seems to fit the second option best.

If they steal your computer they will have to power it off, unless you are kind enough to leave them a large enough UPS to steal along with it, so any encryption will be equally effective.

If you're worried about casual thieves then just about any kind of properly-implemented encryption will stop them. If you're worried about a government official specifically tasked with retrieving your computer, my understanding is that it is SOP these days to retrieve your computer without powering it off for just this reason. They won't use your UPS to do it. Typically they remove the plug just far enough to expose the prongs, slide in a connector that connects it to a UPS, and then they pull it out the rest of the way now powered by the UPS. See something like: http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/

Hmm... Those are nice, but can be easily built yourself with an off-the-shelf UPS.

Presumably somebody who is determined will also have the means to retrieve the contents of RAM once they seize your computer. Besides directly accessing the memory bus I think most motherboards are not designed to be secure against attacks from PCI/firewire/etc.

Hmm... add something to auto-shutdown the computer when a hotplug event occurs on any of the internal ports and remove support for unused ports from the kernel. I wonder how they'd keep a computer from initiating a shutdown procedure or causing a kernel panic when it loses (wireless) connection to another device that is unlikely to be moved when powered up?

Well I have a switch in the door of the server room. It opens when you open the door. That signals the kernel to wipe all the encryption keys from kernel memory. Without the keys there is no access to the disks. After that another kernel is executed which wipes the memory of the old kernel. If you just pull the plug memory will stay in its state for an unspecified time. Swap uses random keys. Network switches and routers get power only after firewall-server is up and running. There is no easy way to enter the room without wiping the encryption keys. Booting up the server requires that a boot disk is brought to the computer to decrypt the boot drive. Grub2 can do this easily. This is to prevent some one to tamper with a boot loader. System is not protected against hardware tampering. The server room is an RF-cage. I consider this setup quite secure.

-- -Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 2, 2014, at 15:06, Dale rdalek1...@gmail.com wrote: Rich Freeman wrote:

If you're worried about casual thieves then just about any kind of properly-implemented encryption will stop them. If you're worried about a government official specifically tasked with retrieving your computer, my understanding is that it is SOP these days to retrieve your computer without powering it off for just this reason. They won't use your UPS to do it. Typically they remove the plug just far enough to expose the prongs, slide in a connector that connects it to a UPS, and then they pull it out the rest of the way now powered by the UPS. See something like: http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/ Presumably somebody who is determined will also have the means to retrieve the contents of RAM once they seize your computer. Besides directly accessing the memory bus I think most motherboards are not designed to be secure against attacks from PCI/firewire/etc. Rich

Now that is wicked. Like I said, this could get crazy. ROFL Thing is, with Linux, it could be set up to run a script so that if say the keyboard/mouse/some other device is removed, it runs shutdown. It seems the biggest thing as far as Govt goes, having it do something they can't anticipate it doing that locks things down or does a rm -rfv /* or some other nasty command. I might add, on a older rig I tried that command once. I ran rm -rfv /* and it didn't erase everything like I thought it would. I figured the command would be loaded in ram and would run until the end of the / structure. It didn't. I can't recall how far it got now but I think it was in the /proc directory. I figure it deleted the process and sort of forgot to finish. It's been a while since I did that tho. Details are fuzzy.

Well rm does not remove anything. It just unlinks the data. If you use journalling fs, everything is recoverable from journal easily. And even without the journal you will easily get most of the data.

dd if=/dev/zero of=/dev/your-root-drive bs=4096

This will wipe data so that it is quite hard to retrieve it. Retrieving would require opening the drive, etc...

-- -Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 2, 2014, at 15:36, godzil god...@godzil.net wrote:

> On 2014-06-02 13:23, Matti Nykyri wrote:
>> On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
>>
>> Well I have a switch in the door of the server room. It opens when you open the door. That signals the kernel to wipe all the encryption keys from kernel memory. Without the keys there is no access to the disks. After that another kernel is executed which wipes the memory of the old kernel. If you just pull the plug memory will stay in its state for an unspecified time.
>>
>> Swap uses random keys. Network switches and routers get power only after firewall-server is up and running.
>>
>> There is no easy way to enter the room without wiping the encryption keys. Booting up the server requires that a boot disk is brought to the computer to decrypt the boot drive. Grub2 can do this easily. This is to prevent someone from tampering with a boot loader. System is not protected against hardware tampering. The server room is an RF-cage.
>>
>> I consider this setup quite secure.
>
> It's nice to encrypt and wipe things automatically, but what about the backups?

Well I have backups on their own drive with its own keys. I have backups of the keys in another location. The drives are LUKS drivers with detached LUKS info.

--
-Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 2, 2014, at 17:52, J. Roeleveld jo...@antarean.org wrote:

> On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
>> On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
>>> On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
>>>> On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
>>>>> On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
>>>>>> The second option does sound what I am looking for. Basically, if I log out but leave my computer on, leave home, some crook/NSA type breaks in and tries to access something or steals my whole puter, they would just get garbage for data. That seems to fit the second option best.
>>>>>
>>>>> If they steal your computer they will have to power it off, unless you are kind enough to leave them a large enough UPS to steal along with it, so any encryption will be equally effective.
>>>>
>>>> If you're worried about casual thieves then just about any kind of properly-implemented encryption will stop them. If you're worried about a government official specifically tasked with retrieving your computer, my understanding is that it is SOP these days to retrieve your computer without powering it off for just this reason.
>>>>
>>>> They won't use your UPS to do it. Typically they remove the plug just far enough to expose the prongs, slide in a connector that connects it to a UPS, and then they pull it out the rest of the way now powered by the UPS. See something like: http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
>>>
>>> Hmm... Those are nice, but can be easily built yourself with an off-the-shelf UPS.
>>>
>>>> Presumably somebody who is determined will also have the means to retrieve the contents of RAM once they seize your computer. Besides directly accessing the memory bus I think most motherboards are not designed to be secure against attacks from PCI/firewire/etc.
>>>
>>> Hmm... add something to auto-shutdown the computer when a hotplug event occurs on any of the internal ports and remove support for unused ports from the kernel.
>>>
>>> I wonder how they'd keep a computer from initiating a shutdown procedure or causing a kernel panic when it loses (wireless) connection to another device that is unlikely to be moved when powered up?
>>
>> Well I have a switch in the door of the server room. It opens when you open the door. That signals the kernel to wipe all the encryption keys from kernel memory. Without the keys there is no access to the disks. After that another kernel is executed which wipes the memory of the old kernel. If you just pull the plug memory will stay in its state for an unspecified time.
>
> You don't happen to have a howto on how to set that up?

Well I have a daemon running and a self made logic device in COM-port. Very simple. It has a single serial-parallel converter to do simple IO. Currently it just controls one relay that powers the network-devices.

>> Swap uses random keys. Network switches and routers get power only after firewall-server is up and running.
>
> networked powersockets?

A normal logic port and a transistor and then relay that controls power to the sockets of the network-devices :)

>> There is no easy way to enter the room without wiping the encryption keys. Booting up the server requires that a boot disk is brought to the computer to decrypt the boot drive. Grub2 can do this easily. This is to prevent someone from tampering with a boot loader. System is not protected against hardware tampering. The server room is an RF-cage.
>>
>> I consider this setup quite secure.
>
> Makes me wonder what it is you are protecting your server from. :)

Well just a hobby. I wanted to play with electronics. The server controls my heating, locks of the house, lights, airconditioning, fire-alarm and burglar-alarm. Gentoo-powered house...

--
-Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 2, 2014, at 18:29, J. Roeleveld jo...@antarean.org wrote:

> On Monday, June 02, 2014 04:23:07 PM Matti Nykyri wrote:
>> On Jun 2, 2014, at 17:52, J. Roeleveld jo...@antarean.org wrote:
>>> On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
>>>> On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
>>>>> On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
>>>>>> On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
>>>>>>> On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
>>>>>>>> The second option does sound what I am looking for. Basically, if I log out but leave my computer on, leave home, some crook/NSA type breaks in and tries to access something or steals my whole puter, they would just get garbage for data. That seems to fit the second option best.
>>>>>>>
>>>>>>> If they steal your computer they will have to power it off, unless you are kind enough to leave them a large enough UPS to steal along with it, so any encryption will be equally effective.
>>>>>>
>>>>>> If you're worried about casual thieves then just about any kind of properly-implemented encryption will stop them. If you're worried about a government official specifically tasked with retrieving your computer, my understanding is that it is SOP these days to retrieve your computer without powering it off for just this reason.
>>>>>>
>>>>>> They won't use your UPS to do it. Typically they remove the plug just far enough to expose the prongs, slide in a connector that connects it to a UPS, and then they pull it out the rest of the way now powered by the UPS. See something like: http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
>>>>>
>>>>> Hmm... Those are nice, but can be easily built yourself with an off-the-shelf UPS.
>>>>>
>>>>>> Presumably somebody who is determined will also have the means to retrieve the contents of RAM once they seize your computer. Besides directly accessing the memory bus I think most motherboards are not designed to be secure against attacks from PCI/firewire/etc.
>>>>>
>>>>> Hmm... add something to auto-shutdown the computer when a hotplug event occurs on any of the internal ports and remove support for unused ports from the kernel.
>>>>>
>>>>> I wonder how they'd keep a computer from initiating a shutdown procedure or causing a kernel panic when it loses (wireless) connection to another device that is unlikely to be moved when powered up?
>>>>
>>>> Well I have a switch in the door of the server room. It opens when you open the door. That signals the kernel to wipe all the encryption keys from kernel memory. Without the keys there is no access to the disks. After that another kernel is executed which wipes the memory of the old kernel. If you just pull the plug memory will stay in its state for an unspecified time.
>>>
>>> You don't happen to have a howto on how to set that up?
>>
>> Well I have a daemon running and a self made logic device in COM-port. Very simple. It has a single serial-parallel converter to do simple IO. Currently it just controls one relay that powers the network-devices.
>
> I actually meant the software side:
> - How to wipe the keys and then wipe the whole memory.

The dm-crypt module inside kernel provides a crypt_wipe_key function that wipes the memory portion that holds the key. It also invalidates the key, so that no further writes to the drive can occur. Suspending the device prior is recommended:

dmsetup suspend /dev/to-device
dmsetup message /dev/to-device 0 key wipe

When you boot into your kernel you can set up a crash kernel inside your memory. The running kernel will not touch this area so you can be certain that there is no confidential data inside. Then you just wipe the area of the memory of the original kernel after you have executed your crash kernel.

So I do this by opening /dev/mem in the crash kernel and then mmap every page you need to wipe. I use the memset to wipe the page. Begin from physical address where your original kernel is located and walk the way up. Skip the portion where your crash kernel is! Crash kernel location is in your kernel cmdline and the location of the original kernel in your kernel config.

>>>> I consider this setup quite secure.
>>>
>>> Makes me wonder what it is you are protecting your server from. :)
>>
>> Well just a hobby. I wanted to play with electronics. The server controls my heating, locks of the house, lights, airconditioning, fire-alarm and burglar-alarm. Gentoo-powered house...
>
> I would keep the system controlling all that off the internet with only a null-modem cable to an internet-connected server using a custom protocol. Anything that doesn't match the protocol initiates a full lock-down of the house. ;)

But it is much more convenient to control everything from your phone via internet. Just have everything set up in a secure manner. Anyways it's easier for a common burglar to break the window than to hack the server! And you can not steal the stereos by hacking the server ;)

--
-Matti
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Jun 4, 2014, at 0:05, J. Roeleveld jo...@antarean.org wrote:

> On Tuesday, June 03, 2014 09:53:58 PM Matti Nykyri wrote:
>> On Jun 2, 2014, at 18:29, J. Roeleveld jo...@antarean.org wrote:
>>> I actually meant the software side:
>>> - How to wipe the keys and then wipe the whole memory.
>>
>> The dm-crypt module inside kernel provides a crypt_wipe_key function that wipes the memory portion that holds the key. It also invalidates the key, so that no further writes to the drive can occur. Suspending the device prior is recommended:
>>
>> dmsetup suspend /dev/to-device
>> dmsetup message /dev/to-device 0 key wipe
>
> Thank you for this, wasn't aware of those yet. Does this also work with LUKS encrypted devices?

Yes. Well LUKS is just a binary header that contains all the necessary setups for a secure disk encryption. If you don't use LUKS you must do all the steps it does by yourself. From kernel point of view it does not see LUKS at all. When cryptsetup sets up a LUKS drive in device-mapper it gives it only the portion of the drive behind the LUKS-header. LUKS is just a good way of storing your setup (cipher, master key etc...). There is a really good article about LUKS, but I failed to find it now.

>> When you boot into your kernel you can set up a crash kernel inside your memory. The running kernel will not touch this area so you can be certain that there is no confidential data inside. Then you just wipe the area of the memory of the original kernel after you have executed your crash kernel.
>>
>> So I do this by opening /dev/mem in the crash kernel and then mmap every page you need to wipe. I use the memset to wipe the page. Begin from physical address where your original kernel is located and walk the way up. Skip the portion where your crash kernel is! Crash kernel location is in your kernel cmdline and the location of the original kernel in your kernel config.
>
> Hmm.. this goes beyond me. Will need to google on this to see if I can find some more. Unless you know a good starting URL?

Didn't find a good one either. Will continue searching.

There are many ways to do it though. Through the kernel or just write your own program that runs all by itself... Like memtest86. In its source there is everything you need to wipe the memory. But that is more advanced than doing it via kernel interface in my opinion..

>>> I would keep the system controlling all that off the internet with only a null-modem cable to an internet-connected server using a custom protocol. Anything that doesn't match the protocol initiates a full lock-down of the house. ;)
>>
>> But it is much more convenient to control everything from your phone via internet. Just have everything set up in a secure manner. Anyways it's easier for a common burglar to break the window than to hack the server! And you can not steal the stereos by hacking the server ;)
>
> Perhaps, but I would have added security shutters to all the windows and doors which are also controlled by the same system. Smashing a window wouldn't help there. Especially if the only way to open those is by getting the server (which by then went into a full lock-down) to open them...
>
> Now only to add a halo fire suppression system to the server room and all you need to do is find a way to dispose of the mess ;)

Lol.

-M
Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
On Tue, Jun 03, 2014 at 10:53:15PM +0300, Matti Nykyri wrote:

> On Jun 4, 2014, at 0:05, J. Roeleveld jo...@antarean.org wrote:
>> On Tuesday, June 03, 2014 09:53:58 PM Matti Nykyri wrote:
>>> On Jun 2, 2014, at 18:29, J. Roeleveld jo...@antarean.org wrote:
>>>> I actually meant the software side:
>>>> - How to wipe the keys and then wipe the whole memory.
>>>
>>> The dm-crypt module inside kernel provides a crypt_wipe_key function that wipes the memory portion that holds the key. It also invalidates the key, so that no further writes to the drive can occur. Suspending the device prior is recommended:
>>>
>>> dmsetup suspend /dev/to-device
>>> dmsetup message /dev/to-device 0 key wipe
>>
>> Thank you for this, wasn't aware of those yet. Does this also work with LUKS encrypted devices?
>
> Yes. Well LUKS is just a binary header that contains all the necessary setups for a secure disk encryption. If you don't use LUKS you must do all the steps it does by yourself. From kernel point of view it does not see LUKS at all. When cryptsetup sets up a LUKS drive in device-mapper it gives it only the portion of the drive behind the LUKS-header. LUKS is just a good way of storing your setup (cipher, master key etc...). There is a really good article about LUKS, but I failed to find it now.

Begin by reading these:

tomb.dyne.org/Luks_on_disk_format.pdf
http://clemens.endorphin.org/TKS1-draft.pdf
http://clemens.endorphin.org/nmihde/nmihde-A4-os.pdf

These contain very good info about LUKS and disk encryption. The last one is probably a bit rough one.

http://clemens.endorphin.org/cryptography - a good one.

I strongly suggest to dig into disk encryption before implementing it!

>>> When you boot into your kernel you can set up a crash kernel inside your memory. The running kernel will not touch this area so you can be certain that there is no confidential data inside. Then you just wipe the area of the memory of the original kernel after you have executed your crash kernel.
>>>
>>> So I do this by opening /dev/mem in the crash kernel and then mmap every page you need to wipe. I use the memset to wipe the page. Begin from physical address where your original kernel is located and walk the way up. Skip the portion where your crash kernel is! Crash kernel location is in your kernel cmdline and the location of the original kernel in your kernel config.
>>
>> Hmm.. this goes beyond me. Will need to google on this to see if I can find some more. Unless you know a good starting URL?
>
> Didn't find a good one either. Will continue searching.

Here are a few pages:

http://naveengopala-embeddedlinux.blogspot.fi/2012/01/reading-physical-mapped-memory-using.html
http://stackoverflow.com/questions/647783/direct-memory-access-in-linux

and mmap man-page for sure... It is really straight forward... just mmap the page you want and erase it. You will just need to know what addresses to mmap and what not. Do it one page at a time and always align. The memory should not contain very sensitive data on how to access your disks if you wipe the keys.

> There are many ways to do it though. Through the kernel or just write your own program that runs all by itself... Like memtest86. In its source there is everything you need to wipe the memory. But that is more advanced than doing it via kernel interface in my opinion..
>
>>>> I would keep the system controlling all that off the internet with only a null-modem cable to an internet-connected server using a custom protocol. Anything that doesn't match the protocol initiates a full lock-down of the house. ;)
>>>
>>> But it is much more convenient to control everything from your phone via internet. Just have everything set up in a secure manner. Anyways it's easier for a common burglar to break the window than to hack the server! And you can not steal the stereos by hacking the server ;)
>>
>> Perhaps, but I would have added security shutters to all the windows and doors which are also controlled by the same system. Smashing a window wouldn't help there. Especially if the only way to open those is by getting the server (which by then went into a full lock-down) to open them...
>>
>> Now only to add a halo fire suppression system to the server room and all you need to do is find a way to dispose of the mess ;)
>
> Lol.
>
> -M

--
-Matti
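The page-by-page wipe described in the message above, as an added example that is not code from the thread: `wipe_range` and `selftest_mask` are hypothetical names, and the self-test runs against a temporary file instead of /dev/mem. On a kernel built with CONFIG_STRICT_DEVMEM, /dev/mem refuses mappings of system RAM, so the crash kernel used for this would need that option disabled.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Zero [start, end) of the object behind fd, one aligned page at a time,
 * leaving [keep_start, keep_end) untouched (the region the running crash
 * kernel lives in). Returns the number of pages wiped, or -1 on error.
 */
long wipe_range(int fd, off_t start, off_t end, off_t keep_start, off_t keep_end)
{
    const off_t page = (off_t)sysconf(_SC_PAGESIZE);
    long wiped = 0;

    /* Round both windows outwards to page boundaries ("always align"). */
    start      -= start % page;
    keep_start -= keep_start % page;
    end         = (end + page - 1) / page * page;
    keep_end    = (keep_end + page - 1) / page * page;

    for (off_t addr = start; addr < end; addr += page) {
        if (addr >= keep_start && addr < keep_end)
            continue;                    /* never touch the live kernel */

        void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                       MAP_SHARED, fd, addr);
        if (p == MAP_FAILED)
            return -1;
        memset(p, 0, (size_t)page);      /* shared mapping: the store reaches the object */
        if (munmap(p, (size_t)page) != 0)
            return -1;
        wiped++;
    }
    return wiped;
}

/*
 * Constructed self-test on a temporary file: fill 8 pages with 0xAA, wipe
 * pages 1..6 while keeping pages 3..4, and return a bitmask with bit i set
 * when page i reads back as all zeros. Returns ~0u on any I/O error.
 */
unsigned selftest_mask(void)
{
    const off_t page = (off_t)sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/wipe-demo-XXXXXX";
    unsigned mask = 0;
    int fd = mkstemp(path);

    if (fd < 0)
        return ~0u;
    unlink(path);

    unsigned char *buf = malloc((size_t)page);
    if (buf == NULL) {
        close(fd);
        return ~0u;
    }
    memset(buf, 0xAA, (size_t)page);
    for (int i = 0; i < 8; i++)
        if (write(fd, buf, (size_t)page) != (ssize_t)page)
            mask = ~0u;

    /* Unaligned bounds on purpose: they are rounded outwards to whole pages. */
    if (mask == 0 &&
        wipe_range(fd, page + 100, 7 * page - 100, 3 * page + 8, 5 * page - 8) != 4)
        mask = ~0u;

    for (int i = 0; mask != ~0u && i < 8; i++) {
        int zero = 1;
        if (pread(fd, buf, (size_t)page, i * page) != (ssize_t)page) {
            mask = ~0u;
            break;
        }
        for (off_t j = 0; j < page; j++)
            if (buf[j] != 0) {
                zero = 0;
                break;
            }
        if (zero)
            mask |= 1u << i;
    }
    free(buf);
    close(fd);
    return mask;
}

int main(void)
{
    /* In the crash kernel the same call would be made on a descriptor for
     * /dev/mem, with the bounds taken from the kernel config and the kernel
     * command line as the message describes. */
    printf("pages zeroed (bitmask): 0x%02x\n", selftest_mask());
    return 0;
}
```
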
Re: [gentoo-user] OT: Mapping random numbers (PRNG)
On Thu, Jun 05, 2014 at 10:58:51PM -0500, Canek Peláez Valdés wrote:

> On Thu, Jun 5, 2014 at 9:56 PM, meino.cra...@gmx.de wrote:
>> Hi,
>>
>> I am experimenting with the C code of the ISAAC pseudo random number generator (http://burtleburtle.net/bob/rand/isaacafa.html).
>>
>> Currently the implementation creates (on my embedded linux) 32 bit hexadecimal output.
>
> So it's a 32 bit integer.
>
>> From this I want to create random numbers in the range of [a-Za-z0-9] *without violating randomness* and (if possible) without throwing away bits of the output.
>
> You mean *characters* in the range [A-Za-z0-9]?

Well this isn't as simple problem as it sounds. A random 32 bit integer has 32 bits of randomness. If you take a division remainder of 62 from this integer you will get only 5,95419631039 bits of randomness (log(62)/log(2)). So you are wasting 81,4% of your random data. Which is quite much and usually random data is quite expensive. You can save your precious random data by taking only 6 bit from your 32 bit integer and dividing it by 62. Then you will be wasting only 0,8% of random data. Another problem is alignment, but that is about mathematical correctness.

>> How can I do this mathematically (in concern of the quality of output) correct?
>
> The easiest thing to do would be:

The easiest is not mathematically correct though. Random data will stay random only if you select and modify it so that randomness is preserved. If you take division remainder of 62 from 32 bit integer there are 69 273 667 possibilities of the remainder to be 3 or less. For the remainder to be 4 or more the number of possibilities is 69 273 666.

In mathematically ideal case the probability for every index of the list should be same: 1/62 = 1,61290322581%. But the modulo 62 modifies this probability: for index 0-3 the probability is 69 273 667/2^32 = 1,61290324759%. And for indexes 4-61 the probability will be 69 273 666/2^32 = 1,6129032243%.

If you wish not to waste those random bits the probabilities will get worse. With 6 bits of random the probability for index 0-1 will be 2/64 and for 2-63 it will be 1/64. This is a very significant change because first and second index will appear twice as much as the rest. If you add 2 characters to your list you will have perfect alignment and you can take 6 bits of data without it modifying probabilities.

If you are looking a mathematically perfect solution there is a simple one even if your list is not in the power of 2! Take 6 bits at a time of the random data. If the result is 62 or 63 you will discard the data and get the next 6 bits. This selectively modifies the random data but keeps the probabilities in correct balance. Now the probability for index of 0-61 is 1/62 because the probability to get 62-63 out of 64 is 0.

> ---
> #include <time.h>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define N (26+26+10)
>
> static char S[] = {
>   'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
>   'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
>   'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
>   'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
>   '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
>
> int next_character()
> {
>   // Use the correct call for ISAAC instead of rand()
>   unsigned int idx = rand() % N;
>   return S[idx];
> }

so modify the next_char function:

char next_character()
{
  static unsigned int rnd = 0; // bit buffer (32 bits); renamed so it does not shadow rand()
  static char bits_avail = 0;
  unsigned char result = 0;
  char move_bits = 0;
  char bits_moved = 0;

  do {
    if (bits_moved == 6) {
      // the previous 6-bit value was 62 or 63: discard it and start over
      result = 0;
      bits_moved = 0;
    }
    if (!bits_avail) {
      // Use the correct call for ISAAC instead of rand()
      // (rand() is only a placeholder: it does not fill all 32 bits)
      rnd = rand();
      bits_avail = 32;
    }
    // take what is still missing from the 6 bits, or whatever is left in the buffer
    move_bits = (6 - bits_moved) <= bits_avail ? (6 - bits_moved) : bits_avail;
    result <<= move_bits;
    result = (result | (rnd & (0xFF >> (8 - move_bits)))) & 0x3F;
    bits_avail -= move_bits;
    bits_moved += move_bits;
    rnd >>= move_bits;
  } while (bits_moved != 6 || result > 61);

  return S[result]; // result is a uniform index 0-61 into S
}

This function will give perfect distribution of 1/62 probability for every index. It will waste 6 bits with the probability of 1/32 (2/64).

> int main(int argc, char* argv[])
> {
>   // Use the correct call for initializing the ISAAC seed
>   srand((unsigned int)time(NULL));
>   for (int i = 0; i < 20; i++) // --std=c99
>     printf("%c\n", next_character());
>   return 0;
> }
> ---
>
> If the ISAAC RNG has a good distribution, then the next_character() function will give a good distribution
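The rejection step from the message above, as an added example that is not code from the thread. It generalizes to any alphabet size up to 65536, carries leftover bits across 32-bit words, and reproduces both bias figures quoted in the message; `bitpool`, `uniform_index`, `demo_source` and the other names are hypothetical, and `demo_source` is a constructed bit stream standing in for the ISAAC output call.

```c
#include <stdint.h>
#include <stdio.h>

/* The thread's 62-symbol alphabet: 26 + 26 + 10. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Any function returning 32 fresh random bits, e.g. a wrapper around ISAAC. */
typedef uint32_t (*word_source)(void);

/* Bit reservoir: hands out bits LSB-first and refills from the source. */
struct bitpool {
    word_source next_word;
    uint32_t word;
    unsigned avail;
};

/* Take k bits (1 <= k <= 16), carrying leftovers across word boundaries. */
unsigned take_bits(struct bitpool *p, unsigned k)
{
    unsigned value = 0, got = 0;
    while (got < k) {
        if (p->avail == 0) {
            p->word = p->next_word();
            p->avail = 32;
        }
        unsigned n = (k - got < p->avail) ? k - got : p->avail;
        value |= (unsigned)(p->word & ((1u << n) - 1u)) << got;
        p->word >>= n;
        p->avail -= n;
        got += n;
    }
    return value;
}

/* Uniform index in [0, n), 2 <= n <= 65536: draw ceil(log2 n) bits and
 * reject values >= n, so every surviving value is equally likely. */
unsigned uniform_index(struct bitpool *p, unsigned n)
{
    unsigned k = 1, v;
    while ((1u << k) < n)
        k++;
    do {
        v = take_bits(p, k);
    } while (v >= n);
    return v;
}

char next_character(struct bitpool *p)
{
    return ALPHABET[uniform_index(p, 62)];
}

/* Bias of "x % n" over all 2^32 words: residues below favoured_residues(n)
 * occur base_count(n) + 1 times, every other residue base_count(n) times. */
uint32_t base_count(uint32_t n)        { return (uint32_t)((1ull << 32) / n); }
uint32_t favoured_residues(uint32_t n) { return (uint32_t)((1ull << 32) % n); }

/* Constructed source: its bit stream is the 6-bit values 0..63, repeated,
 * so every 6-bit pattern occurs exactly equally often. */
static uint64_t demo_bitpos;
uint32_t demo_source(void)
{
    uint32_t w = 0;
    for (unsigned b = 0; b < 32; b++, demo_bitpos++) {
        unsigned v = (unsigned)((demo_bitpos / 6) % 64);
        w |= (uint32_t)((v >> (demo_bitpos % 6)) & 1u) << b;
    }
    return w;
}

/* How often `index` comes up in `samples` draws from demo_source, either
 * with rejection (reject != 0) or with plain "6 bits modulo 62". */
unsigned demo_count(int reject, unsigned samples, unsigned index)
{
    struct bitpool pool = { demo_source, 0, 0 };
    unsigned hits = 0;

    demo_bitpos = 0;
    for (unsigned i = 0; i < samples; i++) {
        unsigned idx = reject ? uniform_index(&pool, 62)
                              : take_bits(&pool, 6) % 62;
        hits += (idx == index);
    }
    return hits;
}

int main(void)
{
    struct bitpool pool = { demo_source, 0, 0 };

    demo_bitpos = 0;
    printf("x %% 62 on 32 bits: %lu residues occur %lu times, the rest %lu\n",
           (unsigned long)favoured_residues(62),
           (unsigned long)base_count(62) + 1, (unsigned long)base_count(62));
    printf("6 bits %% 62:     index 0 -> %u, index 2 -> %u (of 6400)\n",
           demo_count(0, 6400, 0), demo_count(0, 6400, 2));
    printf("6 bits, rejected: index 0 -> %u, index 2 -> %u (of 6200)\n",
           demo_count(1, 6200, 0), demo_count(1, 6200, 2));
    demo_bitpos = 0;
    for (int i = 0; i < 10; i++)
        putchar(next_character(&pool));
    putchar('\n');
    return 0;
}
```
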
Re: [gentoo-user] OT: Mapping random numbers (PRNG)
On Fri, Jun 06, 2014 at 08:39:28PM +0200, meino.cra...@gmx.de wrote:

> Canek Peláez Valdés can...@gmail.com [14-06-06 17:36]:
>> On Thu, Jun 5, 2014 at 9:56 PM, meino.cra...@gmx.de wrote:
>>> Hi,
>>>
>>> I am experimenting with the C code of the ISAAC pseudo random number generator (http://burtleburtle.net/bob/rand/isaacafa.html).
>>>
>>> Currently the implementation creates (on my embedded linux) 32 bit hexadecimal output.
>>
>> So it's a 32 bit integer.
>>
>>> From this I want to create random numbers in the range of [a-Za-z0-9] *without violating randomness* and (if possible) without throwing away bits of the output.
>>
>> You mean *characters* in the range [A-Za-z0-9]?
>>
>>> How can I do this mathematically (in concern of the quality of output) correct?
>>
>> The easiest thing to do would be:
>>
>> ---
>> #include <time.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>>
>> #define N (26+26+10)
>>
>> static char S[] = {
>>   'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
>>   'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
>>   'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
>>   'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
>>   '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
>>
>> int next_character()
>> {
>>   // Use the correct call for ISAAC instead of rand()
>>   unsigned int idx = rand() % N;
>>   return S[idx];
>> }
>>
>> int main(int argc, char* argv[])
>> {
>>   // Use the correct call for initializing the ISAAC seed
>>   srand((unsigned int)time(NULL));
>>   for (int i = 0; i < 20; i++) // --std=c99
>>     printf("%c\n", next_character());
>>   return 0;
>> }
>> ---
>>
>> If the ISAAC RNG has a good distribution, then the next_character() function will give a good distribution among the set [A-Za-z0-9].
>>
>> Unless I misunderstood what you meant with create random numbers in the range of [a-Za-z0-9].
>>
>> Regards.
>> --
>> Canek Peláez Valdés
>> Profesor de asignatura, Facultad de Ciencias
>> Universidad Nacional Autónoma de México
>
> Hi,
>
> Thank you very much for the input! :)
>
> I have a question about the algorithm: Suppose rand() has an equal distribution of numbers and furthermore one has a count of 2^32 random numbers listed in numerical sort order. In this list each number would appear (nearly) with the same count: 1
>
> To get a better imagination of that...suppose the rand() would only return numbers in the range of 1...12 and the alphabet has only 8 characters (as 2^32 is not divisible by 62)
>
> rand():
> 1 2 3 4 5 6 7 8 9 10 11 12
>
> rand()%N : rand()%7
> 1 2 3 4 5 6 7 0 1 2 3 4
>
> or in other words: An even distribution of numbers of rand() would result in an unevenly distributed sequence of characters...or? This would break the quality of ISAACs output.
>
> I am sure I did something wrong here...but where is the logic trap?

This is the thing I explained in my message.

--
-Matti
Re: [gentoo-user] OT: Mapping random numbers (PRNG)
On Sat, Jun 07, 2014 at 12:03:29AM +0300, Matti Nykyri wrote:

> On Thu, Jun 05, 2014 at 10:58:51PM -0500, Canek Peláez Valdés wrote:
>> On Thu, Jun 5, 2014 at 9:56 PM, meino.cra...@gmx.de wrote:
>>> Hi,
>>>
>>> I am experimenting with the C code of the ISAAC pseudo random number generator (http://burtleburtle.net/bob/rand/isaacafa.html).
>>>
>>> Currently the implementation creates (on my embedded linux) 32 bit hexadecimal output.
>>
>> So it's a 32 bit integer.
>>
>>> From this I want to create random numbers in the range of [a-Za-z0-9] *without violating randomness* and (if possible) without throwing away bits of the output.
>>
>> You mean *characters* in the range [A-Za-z0-9]?
>
> Well this isn't as simple problem as it sounds. A random 32 bit integer has 32 bits of randomness. If you take a division remainder of 62 from this integer you will get only 5,95419631039 bits of randomness (log(62)/log(2)). So you are wasting 81,4% of your random data. Which is quite much and usually random data is quite expensive. You can save your precious random data by taking only 6 bit from your 32 bit integer and dividing it by 62. Then you will be wasting only 0,8% of random data. Another problem is alignment, but that is about mathematical correctness.
>
>>> How can I do this mathematically (in concern of the quality of output) correct?
>>
>> The easiest thing to do would be:
>
> The easiest is not mathematically correct though. Random data will stay random only if you select and modify it so that randomness is preserved. If you take division remainder of 62 from 32 bit integer there are 69 273 667 possibilities of the remainder to be 3 or less. For the remainder to be 4 or more the number of possibilities is 69 273 666.
>
> In mathematically ideal case the probability for every index of the list should be same: 1/62 = 1,61290322581%. But the modulo 62 modifies this probability: for index 0-3 the probability is 69 273 667/2^32 = 1,61290324759%. And for indexes 4-61 the probability will be 69 273 666/2^32 = 1,6129032243%.
>
> If you wish not to waste those random bits the probabilities will get worse. With 6 bits of random the probability for index 0-1 will be 2/64 and for 2-63 it will be 1/64. This is a very significant change because first and second index will appear twice as much as the rest. If you add 2 characters to your list you will have perfect alignment and you can take 6 bits of data without it modifying probabilities.
>
> If you are looking a mathematically perfect solution there is a simple one even if your list is not in the power of 2! Take 6 bits at a time of the random data. If the result is 62 or 63 you will discard the data and get the next 6 bits. This selectively modifies the random data but keeps the probabilities in correct balance. Now the probability for index of 0-61 is 1/62 because the probability to get 62-63 out of 64 is 0.
>
>> ---
>> #include <time.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>>
>> #define N (26+26+10)
>>
>> static char S[] = {
>>   'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
>>   'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
>>   'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
>>   'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
>>   '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
>>
>> int next_character()
>> {
>>   // Use the correct call for ISAAC instead of rand()
>>   unsigned int idx = rand() % N;
>>   return S[idx];
>> }
>
> so modify the next_char function:
>
> char next_character()
> {
>   static unsigned int rnd = 0; // bit buffer (32 bits); renamed so it does not shadow rand()
>   static char bits_avail = 0;
>   unsigned char result = 0;
>   char move_bits = 0;
>   char bits_moved = 0;
>
>   do {
>     if (bits_moved == 6) {
>       // the previous 6-bit value was 62 or 63: discard it and start over
>       result = 0;
>       bits_moved = 0;
>     }
>     if (!bits_avail) {
>       // Use the correct call for ISAAC instead of rand()
>       // (rand() is only a placeholder: it does not fill all 32 bits)
>       rnd = rand();
>       bits_avail = 32;
>     }
>     // take what is still missing from the 6 bits, or whatever is left in the buffer
>     move_bits = (6 - bits_moved) <= bits_avail ? (6 - bits_moved) : bits_avail;
>     result <<= move_bits;
>     result = (result | (rnd & (0xFF >> (8 - move_bits)))) & 0x3F;
>     bits_avail -= move_bits;
>     bits_moved += move_bits;
>     rnd >>= move_bits;
>   } while (bits_moved != 6 || result > 61);
>
>   return S[result]; // result is a uniform index 0-61 into S
> }

Well actually it looks simpler if you break this like this:

unsigned char get_6bits ()
{
  static unsigned int rand = 0; //(sizeof(int) = 32)
  static char bits_avail = 0;
  unsigned char result = 0;

  //get 2 bits 3 times: 32 is divisible by 2
  for (int i = 0; i < 3; i++) { // --std=c99
    //Fill buffer if it is empty!
    if (!bits_avail || bits_avail < 0 ) { //if bits_avail < 0 it is an error
[gentoo-user] Zsh completion
Hi

I use zsh and have quite perfect completion setup with it. There is just one very annoying feature that I have failed to switch off. With paths when I type this:

cd /archives/NE<tab>

zsh produces:

cd /archives2/NEW/

The archives directory does not contain NEW directory and archives2 does. I would want that zsh wouldn't modify anything but the current level path I'm writing. So in this case it should have shown empty cuz there are no options to choose from. This happens of course with any similar directory case.

The annoyance is that I know where I'm going and the right NEW directory in this case is under /archives/movies/NEW and not the one under /archives2/. So I have to clear some of the text which is slow :(

Would anyone know how to correct this? I have tried various options of approximation... Actually I don't like the approximation at all and have tried to fully disable it...

--
Matti
[gentoo-user] Ifplugd breaks services
Hi

I also have other problems in my life. One of them is on one of my gentoo servers. This server has two network cards: one serves intranet and the other internet. The one that is on the internet is attached to a cable modem. The modem is buggy and sometimes reboots itself losing the link so I have ifplugd there get new address via dhcp immediately. Intranet card is configured not to use ifplugd. I'm using OpenRC.

The problems are related to iptables and samba.

Samba: when ifplugd runs down the internet card samba is killed. This shouldn't happen. Samba is configured only to use intranet card. Samba always fails to start when ifplugd starts the internet card. Manual starting is required.

Iptables: the system uses new nic names (enp7s0 etc). Iptables has them correctly in the rules and in rules save. However when ifplugd cycles the internet nic all the nic names in the in-kernel rules change to eth0 and eth1. I need to zap iptables and then start it to reset the rules.

Any suggestions where to start? Or just disable ifplugd?

--
Matti
Re: [gentoo-user] Ifplugd breaks services
On Sun, Jun 08, 2014 at 11:25:53AM +0100, Mick wrote: On Sunday 08 Jun 2014 10:25:40 Matti Nykyri wrote: Hi I also have other problems in my life. One of them is on one of my Gentoo servers. This server has two network cards: one serves intranet and the other internet. The one that is on the internet is attached to a cable modem. The modem is buggy and sometimes reboots itself, losing the link, so I have ifplugd there to get a new address via dhcp immediately. Intranet card is configured not to use ifplugd. I'm using OpenRC. Are you sure of this? How have you configured your intranet card to not be acted upon by ifplugd? From what I see, ifplugd will pick up any interface in /etc/init.d: EXEC=/etc/init.d/net.$1 Actually it's not ifplugd's fault. It is just the one that restarts services... The restarting is the thing that breaks stuff:

    server% [13:44] /var/log$ sudo iptables -v -L -t nat
    Chain POSTROUTING (policy ACCEPT 10142 packets, 743K bytes)
     pkts bytes target     prot opt in   out      source    destination
     8307  616K MASQUERADE all  --  any  enp0s10  anywhere  anywhere

    server% [13:45] /var/log$ sudo /etc/init.d/net.enp0s10 stop
     * Stopping NIS Server ... [ ok ]
     * samba - stop: smbd ... [ ok ]
     * samba - stop: nmbd ...
     * start-stop-daemon: 2 process(es) refused to stop [ !! ]
     * Unmounting network filesystems ... [ ok ]
     * Stopping chrooted named ...
     * Umounting chroot dirs ...
     * umounting /chroot/dns/usr/share/GeoIP ... [ ok ]
     * umounting /chroot/dns/etc/bind ... [ ok ]
     * umounting /chroot/dns/var/log/named ... [ ok ]
     * umounting /chroot/dns/var/bind ... [ ok ]
     * Stopping dhcpd ... [ ok ]
     * Bringing down interface enp0s10
     * Stopping dhclient on enp0s10 ... [ ok ]
     * Stopping ifplugd on enp0s10 ... [ ok ]

    server% [13:45] /var/log$ sudo iptables -v -L -t nat
    Chain POSTROUTING (policy ACCEPT 10147 packets, 743K bytes)
     pkts bytes target     prot opt in   out      source    destination
     8309  617K MASQUERADE all  --  any  enp0s10  anywhere  anywhere

    server% [13:45] /var/log$ sudo /etc/init.d/net.enp0s10 start
     * Bringing up interface enp0s10
     * Changing MAC address of enp0s10 ... [ ok ]
     * changed to 00:80:23:7A:8A:A4
     * Starting ifplugd on enp0s10 ... [ ok ]
     * Backgrounding ...
     * WARNING: net.enp0s10 has started, but is inactive

    server% [13:45] /var/log$ sudo iptables -v -L -t nat
    Chain POSTROUTING (policy ACCEPT 10147 packets, 743K bytes)
     pkts bytes target     prot opt in   out      source    destination
     8309  617K MASQUERADE all  --  any  enp0s10  anywhere  anywhere

It takes around 40 seconds for dhclient to get an address from the ISP (net-misc/dhcp-4.2.5_p1). After it gets the address iptables is changed:

    server% [13:45] /var/log$ sudo iptables -v -L -t nat
    Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
     pkts bytes target     prot opt in   out   source    destination
        0     0 MASQUERADE all  --  any  eth1  anywhere  anywhere

    server% [13:48] /var/log$ ps aux | grep dhclient
    root 22011 0.0 0.2 16200 7108 ? Ss 13:46 0:00 /sbin/dhclient -e PEER_NTP=no -e IF_METRIC=3 -q -1 -pf /var/run/dhclient-enp0s10.pid enp0s10

    server% [13:48] /var/log$ ls /etc/init.d/net*
    lrwxrwxrwx 1 root root     6 Oct 4 2011 /etc/init.d/net.enp0s10 -> net.lo*
    lrwxrwxrwx 1 root root     6 Oct 4 2011 /etc/init.d/net.enp5s12 -> net.lo*
    -rwxr-xr-x 1 root root 17412 Jan 2 23:42 /etc/init.d/net.lo*

The problems are related to iptables and samba. Samba: when ifplugd runs down the internet card samba is killed. This shouldn't happen. Samba is configured only to use intranet card. Samba always fails to start when ifplugd starts the internet card. Manual starting is required. Iptables: the system uses new nic names (enp7s0 etc). Iptables has them correctly in the rules and in rules save. However when ifplugd cycles the internet nic all the nic names in the in-kernel rules change to eth0 and eth1. I need to zap iptables and then start it to reset the rules. This does not happen here. When ifplugd restarts a NIC it always comes back with the new consistent naming. Do you have some udev rules defined which are picked up on the second time that the ifplugd brings up the card, but not the first? No I don't. And as stated when dhclient sets
Re: [gentoo-user] Ifplugd breaks services
On Jun 8, 2014, at 19:15, Neil Bothwick n...@digimed.co.uk wrote: On Sun, 8 Jun 2014 15:01:02 +0300, Matti Nykyri wrote: Actually it's not ifplugd's fault. It is just the one that restarts services... The restarting is the thing that breaks stuff: Are you running ifplugd directly or letting openrc deal with this? The latter is the recommended way for openrc, leave ifplugd installed but don't add it to a runlevel. Does the problem persist if you do this? Ifplugd package doesn't have anything installed in init.d/ so it's not added to any runlevel. Have you tried changing rc_depend_strict in /etc/rc.conf? Setting rc_depend_strict to NO, fixes the problem :) With that set to YES all the services are killed. So I'll stick with NO. Still I think that all services stopped should be restarted by default. <flamebait>Or you could switch to systemd which I suspect could be made to handle this situation better.</flamebait> :) I rather not ;) -- -Matti
Re: [gentoo-user] Ifplugd breaks services
On Jun 8, 2014, at 21:19, Neil Bothwick n...@digimed.co.uk wrote: On Sun, 8 Jun 2014 20:44:47 +0300, Matti Nykyri wrote: Have you tried changing rc_depend_strict in /etc/rc.conf? Setting rc_depend_strict to NO, fixes the problem :) With that set to YES all the services are killed. So I'll stick with NO. Still I think that all services stopped should be restarted by default. Yes, it does seem like a bug, or at least an undocumented feature. Actually found the true reason for the services not starting. When you stop samba it fails to terminate 2 instances of nmbd. So when you try to start samba it fails. But it will start normally on the second go. Both of these failures will fall within samba or openrc. <flamebait>Or you could switch to systemd which I suspect could be made to handle this situation better.</flamebait> :) I rather not ;) You're already using some Lennartware so you're already on the slippery slope :-O
Re: [gentoo-user] Re: OT: Mapping random numbers (PRNG)
On Jun 27, 2014, at 11:55, thegeezer thegee...@thegeezer.net wrote: On 06/26/2014 11:07 PM, Kai Krakow wrote: It is worth noting that my approach has the tendency of generating random characters in sequence. sorry but had to share this http://dilbert.com/strips/comic/2001-10-25/ This is a good one :) have really been thinking this same comic previously when writing to this thread...
Re: [gentoo-user] Re: OT: Mapping random numbers (PRNG)
On Jun 27, 2014, at 0:00, Kai Krakow hurikha...@gmail.com wrote: Matti Nykyri matti.nyk...@iki.fi wrote: If you are looking for a mathematically perfect solution there is a simple one even if your list is not in the power of 2! Take 6 bits at a time of the random data. If the result is 62 or 63 you will discard the data and get the next 6 bits. This selectively modifies the random data but keeps the probabilities in correct balance. Now the probability for index of 0-61 is 1/62 because the probability to get 62-63 out of 64 is 0. Why not do just something like this?

    index = 0;
    while (true) {
        index = (index + get_6bit_random()) % 62;
        output char_array[index];
    }

Done, no bits wasted. Should have perfect distribution also. We also don't have to throw away random data just to stay within unaligned boundaries. The unalignment is being taken over into the next loop so the error corrects itself over time (it becomes distributed over the whole set). Distribution will not be perfect. The same original problem persists. Probability for index 0 to 1 will be 2/64 and for 2 to 61 it will be 1/64. Now the addition changes this so that index 0 to 1 reflects to previous character and not the original index. The distribution of like 10GB of data should be quite even but not on a small scale. The next char will depend on previous char. It is 100% more likely that the next char is the same or one index above the previous char than any of the other ones in the series. So it is likely that you will have long sets of same character. Random means that for next char the probability is always even, 1/62. And like mentioned in Dilbert it is impossible to say that something is random but possible to say that it isn't. If wasting 6bit of data seems large, do this:

    index = get_6bit_random();
    while (index > 61) {
        index <<= 1;
        index |= get_1bit_random();
        index &= 0x3F;
    }
    return index;

It will waste 1 bit at a time until result is less than 62. This will slightly change probabilities though :/
Re: [gentoo-user] Re: OT: Mapping random numbers (PRNG)
On Jun 28, 2014, at 0:13, Matti Nykyri matti.nyk...@iki.fi wrote: On Jun 27, 2014, at 0:00, Kai Krakow hurikha...@gmail.com wrote: Matti Nykyri matti.nyk...@iki.fi wrote: If you are looking for a mathematically perfect solution there is a simple one even if your list is not in the power of 2! Take 6 bits at a time of the random data. If the result is 62 or 63 you will discard the data and get the next 6 bits. This selectively modifies the random data but keeps the probabilities in correct balance. Now the probability for index of 0-61 is 1/62 because the probability to get 62-63 out of 64 is 0. Why not do just something like this?

    index = 0;
    while (true) {
        index = (index + get_6bit_random()) % 62;
        output char_array[index];
    }

Done, no bits wasted. Should have perfect distribution also. We also don't have to throw away random data just to stay within unaligned boundaries. The unalignment is being taken over into the next loop so the error corrects itself over time (it becomes distributed over the whole set). Distribution will not be perfect. The same original problem persists. Probability for index 0 to 1 will be 2/64 and for 2 to 61 it will be 1/64. Now the addition changes this so that index 0 to 1 reflects to previous character and not the original index. The distribution of like 10GB of data should be quite even but not on a small scale. The next char will depend on previous char. It is 100% more likely that the next char is the same or one index above the previous char than any of the other ones in the series. So it is likely that you will have long sets of same character. Random means that for next char the probability is always even, 1/62. And like mentioned in Dilbert it is impossible to say that something is random but possible to say that it isn't. If wasting 6bit of data seems large, do this:

    index = get_6bit_random();
    while (index > 61) {
        index <<= 1;
        index |= get_1bit_random();
        index &= 0x3F;
    }
    return index;

It will waste 1 bit at a time until result is less than 62. This will slightly change probabilities though :/ Sorry this example is really flawed :( If next6bit is over 61 there are only two possible values for it: 62 or 63 - that is 0x3E and 0x3F. So you see that only one bit changes. But that bit is random! So least significant bit is random and does not need to be discarded :)

    index = get_6bit_random();
    while (index > 61) {
        index <<= 5;
        index |= get_5bit_random();
        index &= 0x3F;
    }
    return index;
Re: [gentoo-user] Re: Re: OT: Mapping random numbers (PRNG)
On Jun 29, 2014, at 0:28, Kai Krakow hurikha...@gmail.com wrote: Matti Nykyri matti.nyk...@iki.fi wrote: On Jun 27, 2014, at 0:00, Kai Krakow hurikha...@gmail.com wrote: Matti Nykyri matti.nyk...@iki.fi wrote: If you are looking for a mathematically perfect solution there is a simple one even if your list is not in the power of 2! Take 6 bits at a time of the random data. If the result is 62 or 63 you will discard the data and get the next 6 bits. This selectively modifies the random data but keeps the probabilities in correct balance. Now the probability for index of 0-61 is 1/62 because the probability to get 62-63 out of 64 is 0. Why not do just something like this?

    index = 0;
    while (true) {
        index = (index + get_6bit_random()) % 62;
        output char_array[index];
    }

Done, no bits wasted. Should have perfect distribution also. We also don't have to throw away random data just to stay within unaligned boundaries. The unalignment is being taken over into the next loop so the error corrects itself over time (it becomes distributed over the whole set). Distribution will not be perfect. The same original problem persists. Probability for index 0 to 1 will be 2/64 and for 2 to 61 it will be 1/64. Now the addition changes this so that index 0 to 1 reflects to previous character and not the original index. The distribution of like 10GB of data should be quite even but not on a small scale. The next char will depend on previous char. It is 100% more likely that the next char is the same or one index above the previous char than any of the other ones in the series. So it is likely that you will have long sets of same character. I cannot follow your reasoning here - but I'd like to learn. Actually, I ran this multiple times and never saw long sets of the same character, even no short sets of the same character. The 0 or 1 is always rolled over into the next random addition. I would only get sets of the same character if rand() returned zero multiple times after each other - which wouldn't be really random. ;-) In your example that isn't true. You will get the same character if 6bit random number is 0 or if it is 62! This is what makes the flaw! You will also get the next character if random number is 1 or 63. That is why the possibility for 0 and 1 (after modulo 62) is twice as large compared to all other values (2-61). By definition random means that the probability for every value should be the same. So if you have 62 options and even distribution of probability the probability for each of them is 1/62. Keep in mind: The last index will be reused whenever you'd enter the function - it won't reset to zero. But still that primitive implementation had a flaw: It will tend to select characters beyond the current offset, if it is = 1/2 into the complete set, otherwise it will prefer selecting characters before the offset. If you modify the sequence so that it looks random it is pseudo random. In my tests I counted how often new_index index and new_index index, and it had a clear bias for the first. So I added swapping of the selected index with offset=0 in the set. Now the characters will be swapped and start to distribute that flaw. The distribution, however, didn't change. Try counting how often new_index = index and new_index = (index + 1) % 62 and new_index = (index + 2) % 62. With your algorithm the last one should be significantly less than the first two in large sample. Of course I'm no mathematician, I don't know how I'd calculate the probabilities for my implementation because it is sort of a recursive function (for get_rand()) when looking at it over time:

    /* running index: each call advances it by a 6-bit random step, modulo 62 */
    int get_rand() {
        static int index = 0;
        return (index = (index + get_6bit_rand()) % 62);
    }

    /* pick the character at the running index and swap it to the front */
    char get_char() {
        int index = get_rand();
        char tmp = chars[index];
        chars[index] = chars[0];
        return (chars[0] = tmp);
    }

However, get_char() should return evenly distributed results. What this shows is that while distribution is even among the result set, the implementation may still be flawed because results could be predictable for a subset of results. Or in other words: Simply looking at the distribution of results is not an indicator for randomness. I could change get_rand() in the following way:

    int get_rand() {
        static int index = 0;
        return (index = (index + 1) % 62);
    }

Results would be distributed even, but clearly it is not random. -- Replies to list only preferred.
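The three index-selection methods argued over in this thread, as an added example (not code posted by any list member): instead of sampling, it feeds every possible input through each method and counts the outputs, so the bias is exact rather than statistical. The bitsrc reader, the function names and the alphabet are assumptions made for the example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NCHARS 62
static const char ALPHABET[NCHARS + 1] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Bit reader over caller-supplied bytes; nbits = exact number of usable bits. */
struct bitsrc { const uint8_t *buf; size_t nbits; size_t pos; };

/* Next n bits (n <= 8), MSB first, or -1 once the source is exhausted. */
static int get_bits(struct bitsrc *s, int n)
{
    int v = 0;
    if (s->pos + (size_t)n > s->nbits) return -1;
    for (int i = 0; i < n; i++, s->pos++)
        v = (v << 1) | ((s->buf[s->pos / 8] >> (7 - s->pos % 8)) & 1);
    return v;
}

/* Discard method: draw 6 bits, throw 62 and 63 away and draw again. */
int index_reject(struct bitsrc *s, int prev)
{
    int v;
    (void)prev;
    do { v = get_bits(s, 6); } while (v > 61);
    return v;                           /* -1 if the source ran dry */
}

/* Bit-saving variant: 62 and 63 differ only in the low bit, which is still
 * random, so keep it and draw 5 new bits instead of 6. */
int index_reuse(struct bitsrc *s, int prev)
{
    int v = get_bits(s, 6);
    (void)prev;
    while (v > 61) {
        int r = get_bits(s, 5);
        if (r < 0) return -1;
        v = ((v << 5) | r) & 0x3F;
    }
    return v;
}

/* Running-sum method: nothing is discarded, the index carries over. */
int index_walk(struct bitsrc *s, int prev)
{
    int r = get_bits(s, 6);
    return r < 0 ? -1 : (prev + r) % NCHARS;
}
typedef int (*method_fn)(struct bitsrc *, int);

/* Feed every input of nbits bits (nbits <= 16) through f, starting from index
 * 0, and count each result. Returns how many inputs ran out of bits first. */
unsigned enumerate(method_fn f, int nbits, unsigned hist[NCHARS])
{
    unsigned undecided = 0;
    for (int i = 0; i < NCHARS; i++) hist[i] = 0;
    for (uint32_t in = 0; in < (1u << nbits); in++) {
        uint32_t a = in << (16 - nbits);        /* left-align in 16 bits */
        uint8_t buf[2] = { (uint8_t)(a >> 8), (uint8_t)a };
        struct bitsrc s = { buf, (size_t)nbits, 0 };
        int idx = f(&s, 0);
        if (idx < 0) undecided++; else hist[idx]++;
    }
    return undecided;
}

/* 1 if every index came out equally often, 0 otherwise. */
int flat(const unsigned hist[NCHARS])
{
    for (int i = 1; i < NCHARS; i++)
        if (hist[i] != hist[0]) return 0;
    return 1;
}

/* Write up to n characters into out (n + 1 bytes); never pads on exhaustion. */
size_t fill_password(struct bitsrc *s, char *out, size_t n)
{
    size_t i = 0;
    int idx;
    while (i < n && (idx = index_reject(s, 0)) >= 0)
        out[i++] = ALPHABET[idx];
    out[i] = '\0';
    return i;
}

int main(void)
{
    /* Constructed sample bytes, not real random data. */
    static const uint8_t sample[] = { 0x00, 0x10, 0x83, 0xFF, 0xFF, 0x3D };
    struct bitsrc s = { sample, sizeof sample * 8, 0 };
    unsigned h[NCHARS];
    char pw[9];
    enumerate(index_walk, 6, h);
    printf("running sum: flat=%d step0=%u step1=%u step2=%u\n", flat(h), h[0], h[1], h[2]);
    printf("%zu chars: %s\n", fill_password(&s, pw, 8), pw);
    return 0;
}
```

The discard and bit-saving variants come out flat over all inputs, while the running sum moves by 0 or by 1 for two of the 64 inputs each and by any other step for one, so the next character depends on the previous one.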
Re: [gentoo-user] Re: Re: Re: OT: Mapping random numbers (PRNG)
On Sun, Jun 29, 2014 at 02:38:51PM +0200, Kai Krakow wrote: Matti Nykyri matti.nyk...@iki.fi wrote: That is why the possibility for 0 and 1 (after modulo 62) is twice as large compared to all other values (2-61). Ah, now I get it. By definition random means that the probability for every value should be the same. So if you have 62 options and even distribution of probability the probability for each of them is 1/62. Still, the increased probability for single elements should hit different elements each time. So for large sets it will distribute - however, I now get why it's not completely random by definition. Usually when you need random data the quality needs to be good! Keys, passwords etc. For example if an attacker knows that your random number generator gives the same or the next index with double probability, he will most likely crack each character with half the tries. So for each character in your password the time is split in half. Again 8 character password becomes 2^8 times easier to break compared to truly random data. This is just an example though. Try counting how often new_index = index and new_index = (index + 1) % 62 and new_index = (index + 2) % 62. With your algorithm the last one should be significantly less than the first two in large sample. I will try that. It looks like a good approach. Ok. I wrote a little library that takes random data and mathematically accurately splits it into wanted data. It is attached to the mail. You only need to specify the random source and the maximum number you wish to see in your set. So with 5 you get everything from 0 to 5 (in total of 6 elements). The library takes care of buffering.
And most importantly keeps probabilities equal :) -- -Matti

VERSION=v0.1
prefix=/usr/local
CC=$(CROSS_COMPILE)g++
LD=$(CROSS_COMPILE)ld
SYS=posix
DEF=-DRNG_VERSION=\"$(VERSION)\"
OPT=-O2
XCFLAGS=-fPIC -DPIC -march=nocona
#XCFLAGS=-fPIC -DPIC -DDEBUG -march=nocona
XLDFLAGS=$(XCFLAGS) -Wl,--as-needed -Wl,-O1 -Wl,-soname=librng.so
CPPFLAGS=-Wall -std=gnu++98 $(XCFLAGS) $(INC) $(DEF) $(OPT)
LDFLAGS=-Wall -shared $(XLDFLAGS)
TESTLDFLAGS=-Wall
#TESTLDFLAGS=-Wall -lrng
bindir=$(prefix)/bin
libdir=$(prefix)/lib
BINDIR=$(DESTDIR)$(bindir)
LIBDIR=$(DESTDIR)$(libdir)
SLIBS=$(LIBS)
EXT=$(EXT_$(SYS))
LIBS=librng.so

all: $(LIBS) rng

install: $(LIBS)
	-mkdir -p $(BINDIR) $(LIBDIR)
	cp rng$(EXT) $(BINDIR)

clean:
	rm -f *.o *.so rng$(EXT)

rng: rng.o
	$(CC) $(TESTLDFLAGS) -o $@$(EXT) $@.o librng.o

rng.o: rng.cpp

librng.so: librng.o
	$(CC) $(LDFLAGS) -o $@$(EXT) librng.o

librng.o: librng.cpp

//#define BUFFER_SIZE 4096
//64 bits is 8 bytes: number of uint64_t in buffer
//#define NUM_SETS (4096 / 8)
//#define NUM_BITS 64
#include <inttypes.h>

struct BinaryData {
    uint64_t data;
    int8_t bits;
};

class BitContainer {
public:
    BitContainer();
    ~BitContainer();
    bool has(int8_t bits);
    uint64_t get(int8_t bits);
    int8_t set(uint64_t data, int8_t bits);
    void fill(uint64_t *data);
    static void cpy(struct BinaryData *dest, struct BinaryData *src, int8_t bits);
private:
    void xfer();
    static void added(int8_t stored, int8_t bits);
    struct BinaryData pri;
    struct BinaryData sec;
};

class Rng {
public:
    Rng(char* device, uint64_t max);
    ~Rng();
    const uint64_t setMax(const uint64_t max);
    uint64_t getMax();
    int setDevice(const char* device);
    uint64_t getRnd();
    static uint64_t getMask(int8_t bits);
    static int8_t calculateBits(uint64_t level);
private:
    void fillBuffer();
    void readBuffer();
    void getBits(uint64_t *data, int8_t *avail, uint64_t *out);
    void saveBits(uint64_t save);
    void processBits(uint64_t max, uint64_t level, uint64_t data);
    void error(const char* str);
    int iRndFD;
    size_t lCursor;
    size_t lBuffer;
    uint64_t* pStart;
    uint64_t* pNext;
    uint64_t* pEnd;
    BitContainer sRnd;
    uint64_t lMax;
    uint64_t lOutMask;
    int8_t cOutBits;
};

#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include "librng.h"

#ifdef DEBUG
#include <stdio.h>
#include <stdlib.h>

long* results = 0;
long* results2 = 0;
unsigned long dMax = 0;
int pushed[64];
long readData = 0;
long readBuff = 0;
long readBits = 0;
long validBits = 0;
long bitsPushed = 0;
long readExtra = 0;
int bits = 0;
unsigned long totalBits = 0;
unsigned long used = 0;
unsigned long wasted = 0;

unsigned long power(int exp) {
    unsigned long x = 1;
    for (int i = 0; i < exp; i++)
        x *= 2;
    return x;
}

void dump_results() {
    fprintf(stderr, "Rounds for each number:\n");
    for (unsigned long i = 0; i < dMax; i++)
        fprintf(stderr, "%li = %li\t", i, results[i]);
    fprintf(stderr, "\n");
    fprintf(stderr, "Rounds for each initial number:\n");
    for (unsigned long i = 0; i < power(bits); i++)
        fprintf(stderr, "%li = %li\t", i, results2[i]);
    fprintf(stderr, "\n");
    fprintf(stderr, "Rounds for extra bits: total pushed: \t%li\n
Re: [gentoo-user] Zsh completion
On Jul 4, 2014, at 13:55, Nikita Tropin posixivis...@gmail.com wrote: Question is old enough but... Try to click Ctrl-/ to undo. Ok. Thanks. I'll try that. But still if I could disable that particular feature that would be the best option! 2014-06-08 11:41 GMT+03:00 Matti Nykyri matti.nyk...@iki.fi: Hi I use zsh and have quite perfect completion setup with it. There is just one very annoying feature that I have failed to switch off. With paths when I type this: cd /archives/NE<tab> zsh produces: cd /archives2/NEW/ The archives directory does not contain NEW directory and archives2 does. I would want that zsh wouldn't modify anything but the current level path I'm writing. So in this case it should have shown empty cuz there are no options to choose from. This happens of course with any similar directory case. The annoyance is that I know where I'm going and the right NEW directory in this case is under /archives/movies/NEW and not the one under /archives2/. So I have to clear some of the text which is slow :( Would anyone know how to correct this¿? I have tried various options of approximation... Actually I don't like the approximation at all and have tried to fully disable it... -- Matti -- Regards, Nikita
Re: [gentoo-user] resolv.conf is different after every reboot
On Jul 27, 2014, at 13:33, Grand Duet grand.d...@gmail.com wrote: 2014-07-27 12:29 GMT+03:00 Neil Bothwick n...@digimed.co.uk: On Sun, 27 Jul 2014 12:21:23 +0300, Grand Duet wrote: In short: the contents of the file /etc/resolv.conf is unpredictably different from one reboot to another. It is either # Generated by net-scripts for interface lo domain mynetwork That's what you get when lo comes up. or # Generated by net-scripts for interface eth0 nameserver My.First.DNS-Server.IP nameserver My.Second.DNS-Server.IP nameserver 8.8.8.8 That's what replaces it when eth0 comes up. It looks like eth0 is not being brought up fully It sounds logical. But how can I fix it? Can carrier_timeout_eth0= setting in /etc/conf.d/net file help? If so, how many seconds should I use? what do your logs say? Could you, please, be more precise where to look for logs. It might be worth putting logger commands in preup(), postup() and failup() in conf.d/net. Currently, I have no such functions in my /etc/conf.d/net file. Shall I copy them there from /usr/share/doc/netifrc-0.2.2/net.example Could you, please, be more specific on these logger commands too. I tried to chmod this file to be unwritable even for root but after a reboot it has been overwritten anyway. You can't stop root overwriting a file, root laughs in the face of file permissions. BTW, I'm not sure if it's still relevant, but I don't think you ever posted the contents of /etc/resolvconf.conf, if it exists. I do not have such file. Of course, if you do not mean /etc/resolv.conf But I have posted its content above. Depending on your filesystem a temporary solution to your problem is to set up /etc/resolv.conf correctly and then: chattr +i /etc/resolv.conf After that the content of the file will not change. -- -Matti
Re: [gentoo-user] resolv.conf is different after every reboot
On Jul 27, 2014, at 16:39, Grand Duet grand.d...@gmail.com wrote: 2014-07-27 16:10 GMT+03:00 Matti Nykyri matti.nyk...@iki.fi: On Jul 27, 2014, at 13:33, Grand Duet grand.d...@gmail.com wrote: 2014-07-27 12:29 GMT+03:00 Neil Bothwick n...@digimed.co.uk: On Sun, 27 Jul 2014 12:21:23 +0300, Grand Duet wrote: In short: the contents of the file /etc/resolv.conf is unpredictably different from one reboot to another. It is either # Generated by net-scripts for interface lo domain mynetwork That's what you get when lo comes up. or # Generated by net-scripts for interface eth0 nameserver My.First.DNS-Server.IP nameserver My.Second.DNS-Server.IP nameserver 8.8.8.8 That's what replaces it when eth0 comes up. It looks like eth0 is not being brought up fully It sounds logical. But how can I fix it? Can carrier_timeout_eth0= setting in /etc/conf.d/net file help? If so, how many seconds should I use? what do your logs say? Could you, please, be more precise where to look for logs. It might be worth putting logger commands in preup(), postup() and failup() in conf.d/net. Currently, I have no such functions in my /etc/conf.d/net file. Shall I copy them there from /usr/share/doc/netifrc-0.2.2/net.example Could you, please, be more specific on these logger commands too. I tried to chmod this file to be unwritable even for root but after a reboot it has been overwritten anyway. You can't stop root overwriting a file, root laughs in the face of file permissions. BTW, I'm not sure if it's still relevant, but I don't think you ever posted the contents of /etc/resolvconf.conf, if it exists. I do not have such file. Of course, if you do not mean /etc/resolv.conf But I have posted its content above. Depending on your filesystem a temporary solution to your problem is to set up /etc/resolv.conf correctly and then: chattr +i /etc/resolv.conf After that the content of the file will not change. Thank you. I will try it if deleting the line dns_domain_lo=mynetwork from my /etc/conf.d/net file will not work. But does chattr +i differ from chmod a-w ? (The latter did not work for me. I use ext4 file system.) Yes it does. Ext-filesystem supports immutable bit which is enforced by kernel so even root can't modify the file in any way. -i unsets the bit. -- -Matti
Re: [gentoo-user] making bootable USB
On Sep 2, 2014, at 8:55, Joseph syscon...@gmail.com wrote: On 09/02/14 06:36, Mick wrote: On Tuesday 02 Sep 2014 01:26:05 Joseph wrote: On 09/02/14 01:08, Neil Bothwick wrote: On Mon, 1 Sep 2014 17:42:47 -0600, Joseph wrote: I just tried usb_instal.sh script from systemrescuecd-x86-4.3.0.iso and my box boots just fine. So why do I have problem using unetbootin and generating bootable USB manually. unetbootin uses some $MAGIC that doesn't work with all ISOs. isohybrid seems to work with everything and is much simpler to use too. I just tried it as root:

    isohybrid install-amd64-minimal-20140828.iso
    dd if=/home/joseph/Downloads/install-amd64-minimal-20140828.iso of=/dev/sda bs=4096
    sync

And the USB still can not boot it :-/ This is rather strange. What do you see when you run fdisk -l /dev/sda *after* you have completed dd and sync as you show above? -- Regards, Mick Yes, indeed I find it very strange as well. I just re-run the dd on my faster box.

    dd if=/home/joseph/Downloads/install-amd64-minimal-20140828.iso of=/dev/sdb bs=4096
    48640+0 records in
    48640+0 records out
    199229440 bytes (199 MB) copied, 318.573 s, 625 kB/s
    sync
    fdisk -l /dev/sdb
    Disk /dev/sdb: 960 MiB, 1006632960 bytes, 1966080 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x1047d058

    Device     Boot Start    End Blocks Id System
    /dev/sdb1  *        0 389119 194560 17 Hidden HPFS/NTFS

-- Joseph Hi, Just wanna say few words to clarify few things about bootstrapping. If you know what you are doing, this all is very simple. What you need for a working system is a working root filesystem that contains all the scripts, modules and executables. A minimal cd contains this. You could also use stage3 tar ball. Then you need a working kernel image and possibly an initrd. There is a working kernel on minimal cd. All begins with boot loader. That loader is loaded by BIOS first. Then boot loader starts executing and loads kernel with right parameters. Kernel takes over and loads rootfs and so on. On normal disk (USB, sata, ATA, SCSI (and DVD i think)) you have a normal MBR (first 512 bytes of disk) which BIOS loads to 0x07C0 address in memory and starts executing. So just install boot loader (like grub) to the beginning of the disk and it will boot. With right commands/config you can load the kernel correctly and boot. CD is different. BIOS can't read ISO file system. For CD boot you will need to create image of a floppy-disk and install your boot loader into that image. The boot loader has to have drivers to read the real ISO file system so that it can load the kernel into memory and boot. Because of this a plain cd isoimage is unbootable although all necessary stuff is there. It is easily arranged so that it becomes a bootable USB disk. -- -Matti
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Sep 30, 2014, at 17:12, Alec Ten Harmsel a...@alectenharmsel.com wrote: On 09/30/2014 10:05 AM, meino.cra...@gmx.de wrote: Suppose the GPS would already be attached to the board and works... Is there any free available software and data for strict offline usage (which does NOT call home), which is able to map GPS data to a street/land map? I need both: The maps themselves and the logic to read GPS coordinates and map movements and ways to those maps. Is something like that available for free or should I directly ask the NSA/CIA/FBI/...? Thank you very much in advance for any help! Best regards, mcc The only project I know of that has openly available map data is OpenStreetMap (openstreetmap.org). I know they have an API, and they probably (not sure) have maps available for download. afaik the only way to combine various map data out of the box is to use a GIS package like QGIS. You can write software to do this using the proj4 library for an embedded box, not sure if anything for your specific use case already exists and is open source. Alec
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Sep 30, 2014, at 17:12, Alec Ten Harmsel a...@alectenharmsel.com wrote: On 09/30/2014 10:05 AM, meino.cra...@gmx.de wrote: Suppose the GPS would already be attached to the board and works... Is there any free available software and data for strict offline usage (which does NOT call home), which is able to map GPS data to a street/land map? I need both: The maps themselves and the logic to read GPS coordinates and map movements and ways to those maps. Is something like that available for free or should I directly ask the NSA/CIA/FBI/...? Thank you very much in advance for any help! Best regards, mcc The only project I know of that has openly available map data is OpenStreetMap (openstreetmap.org). I know they have an API, and they probably (not sure) have maps available for download. afaik the only way to combine various map data out of the box is to use a GIS package like QGIS. You can write software to do this using the proj4 library for an embedded box, not sure if anything for your specific use case already exists and is open source. Alec Sorry iphone send mail even if you don't wanna :/ What you are considering doing is quite a challenge. What kind of coordinates does your gps module give you? The gps system works with cartesian x y z coordinates. Then these are usually displayed to the user in WGS-84. This is a quite hard mathematical problem (differential elliptical problem). Usually it is done by your gps receiver and is approximated. GIS libraries have these functions built inside. Distances are easier and faster to calculate in cartesian coordinates. You need to calculate distance because coordinates from gps will never coincide with any address. Open street maps provides a very good start, but addresses have great differences in different countries. For example google misses addresses quite much depending on where you are searching. Getting the address right requires good locality from the program. Addresses and roads are vector maps. The fastest way to get address is to have the vector map of the world and then calculate distance to the closest address. The database will be huge :) Maps are usually raster pictures which have some projection. When you display them you can use 3d or 2d visual. In 3d (like google earth) you draw a sphere (or oblate spheroid) and draw textures on top of it to the right coordinates. In 3d everything needs to be converted to cartesian coordinates. Or in 2d you decide a projection and then convert the projection of your maps to this projection. After that it is just easy drawing. GIS libraries contain all the needed tools for these operations. There are a few of them with open source license. I have been doing some work with opengl 3d drawing maps. Good luck your project is quite big but it is sure very much fun :) -- -Matti
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Sep 30, 2014, at 20:36, J. Roeleveld jo...@antarean.org wrote: On 30 September 2014 16:12:31 CEST, Alec Ten Harmsel a...@alectenharmsel.com wrote: On 09/30/2014 10:05 AM, meino.cra...@gmx.de wrote: Suppose the GPS would already be attached to the board and works... Is there any free available software and data for strict offline usage (which does NOT call home), which is able to map GPS data to a street/land map? I need both: The maps themselves and the logic to read GPS coordinates and map movements and ways to those maps. Is something like that available for free or should I directly ask the NSA/CIA/FBI/...? Thank you very much in advance for any help! Best regards, mcc The only project I know of that has openly available map data is OpenStreetMap (openstreetmap.org). I know they have an API, and they probably (not sure) have maps available for download. afaik the only way to combine various map data out of the box is to use a GIS package like QGIS. You can write software to do this using the proj4 library for an embedded box, not sure if anything for your specific use case already exists and is open source. Alec Openstreetmap is a good bet. You might also have some luck if you look into PostGIS. It is an extension to postgresql, which might be overkill, but you might be able to use that in your Google searches. If borders would be nice and straight, it would be easy. Unfortunately they are not. Yes. For example the land border of Finland is around 2000 km long and only it contains 52000 coordinates ;) -- -Matti
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Tue, Sep 30, 2014 at 08:12:38PM +0200, meino.cra...@gmx.de wrote: Matti Nykyri matti.nyk...@iki.fi [14-09-30 19:44]: On Sep 30, 2014, at 17:12, Alec Ten Harmsel a...@alectenharmsel.com wrote: On 09/30/2014 10:05 AM, meino.cra...@gmx.de wrote: Suppose the GPS would already be attached to the board and works... Is there any free available software and data for strict offline useage (which does NOT calls to home), which is able to map GPS data to a street/land map? I need both: The maps themselves and the logic to read GPS coordinates and map movements and ways to those maps. Is something like that available for free or should I directly ask the NSA/CIA/FBI/...? Thank you very much in advance for any help! Best regards, mcc The only project I know of that has openly available map data is OpenStreetMap (openstreetmap.org). I know they have an API, and they probably (not sure) have maps available for download. afaik the only way to combine various map data out of the box is to use a GIS package like QGIS. You can write software to do this using the proj4 library for an embedded box, not sure if anything for your specific use case already exists and is open source. Alec Sorry iphone send mail even if you don't wanna :/ What you are considering doing is quite a challenge. What kind of coordinates does your gps module give you? The gps system works with cartesian x y z coordinates. Then these are usually displayed to the user in WGS-84. This is a quite hard mathematical problem (differential elliptical problem). Usually is done by your gps receiver and is approximated. GIS libraries have these functions built inside. Distances are easier and faster to calculate in cartesian coordinates. You need to calculate distance because coordinates from gps will never coincide with any address. Open street maps provides a very good start, but addresses have great differences in different countries. For example google misses addresses quite much depending on where you are searching. 
Getting the address right requires good locality from the program. Addresses and roads are vector maps. The fastest way to get address is to have the vector map of the world and then calculate distance to the closest address. The database will be huge :) Maps are usually raster pictures which have some projection. When you display them you can use 3d or 2d visual. In 3d (like google earth) you draw a sphere (or oblate spheroid) and draw textures on top of is to the right coordinates. In 3d everything needs to be converted to cartesian coordinates. Or in 2d you decide a projection and then convert the projection of your maps to this projection. After that it is just easy drawing. GIS libraries contain all the needed tools for these operations. There are a few of them with open source license. I have been doing some work with opengl 3d drawing maps. Good luck your project is quite big but it is sure very much fun :) -- -Matti YEAH! Matti is back! I saw your previous mail and thought: Oh boy...Clint Eastwood is very talkative compared to /him/. ;;;))) Trashed the phone... and now back to the good old fashion terminal connection. I am not /that/ serious this evening...sorry... With all the help from this forum this evening I got by far more working results as I have thought... But back to your mail: The GPS module I plan to use is this one (by Adafruit, Lady Ada): https://learn.adafruit.com/adafruit-ultimate-gps/overview From there (see link list on the left) you can also download the manuals (pdf). Nice... MicroTek chipset. Quite easy to use. I will not use this thing as a driving assistant or navi (is this common speaking outside germany also...or is it one of those pseudo english german words like handy for cell phone...dont laugh! This time /I am/ serious! :) ) Its more like a GPS data logger. I plan to copy the gathered data on my PC later and I will try to draw them onto a map. 
May be the results prove later, that I am able to walk through walls and hovering over the face of the waters...;) Ok. This is easy... You just need some maps... openstreetmaps are good for that. From the MT3339 you get NMEA messages and WGS-84 coordinates. I would suggest displaying your results in 2D. For Germany Lambert conformal conic projection is a good choice. In this projection all angles are true and straight lines are great circle routes. Just convert the maps to this projection and convert your coordinates to Lambert false easting and false northing and you will have cartesian coordinates that are easy to draw. Even Excel is able to draw this in real time :) I don't see where you need the address resolution. May be the UV-mapping ability of this 3D rendering program will help -- I am using it for other purposes
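The coordinate handling described in the message above (NMEA sentences carrying WGS-84 positions, converted to cartesian coordinates so that distances are simple to compute), as an added Python example that is not part of the original mail. The log lines are constructed sample input, and the function names are chosen for this example.

```python
import math
from functools import reduce

# WGS-84 ellipsoid constants
WGS84_A = 6378137.0                  # semi-major axis, metres
WGS84_F = 1 / 298.257223563          # flattening
WGS84_E2 = WGS84_F * (2 - WGS84_F)   # first eccentricity squared


def nmea_checksum(body):
    """XOR of every character between '$' and '*' (NMEA 0183)."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def checksum_ok(sentence):
    """True if the two hex digits after '*' match the computed XOR."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    try:
        return nmea_checksum(body) == int(given[:2], 16)
    except ValueError:
        return False


def dm_to_degrees(value, hemisphere):
    """NMEA (d)ddmm.mmmm plus N/S/E/W -> signed decimal degrees."""
    raw = float(value)
    degrees = int(raw // 100)
    minutes = raw - degrees * 100
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


def parse_gga(sentence):
    """Return (lat_deg, lon_deg, ellipsoidal_height_m), or None when the
    checksum is wrong, the sentence is not GGA, or the receiver has no fix."""
    if not checksum_ok(sentence):
        return None
    fields = sentence.strip()[1:].partition("*")[0].split(",")
    if len(fields) < 12 or not fields[0].endswith("GGA"):
        return None
    if fields[6] in ("", "0"):       # fix quality 0 means "no fix"
        return None
    try:
        lat = dm_to_degrees(fields[2], fields[3])
        lon = dm_to_degrees(fields[4], fields[5])
        # height above the ellipsoid = altitude above geoid + geoid separation
        height = float(fields[9] or 0) + float(fields[11] or 0)
    except ValueError:
        return None
    return lat, lon, height


def geodetic_to_ecef(lat_deg, lon_deg, height_m):
    """WGS-84 latitude/longitude/height -> earth-centred cartesian x, y, z."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    # radius of curvature in the prime vertical
    n = WGS84_A / math.sqrt(1 - WGS84_E2 * math.sin(lat) ** 2)
    x = (n + height_m) * math.cos(lat) * math.cos(lon)
    y = (n + height_m) * math.cos(lat) * math.sin(lon)
    z = (n * (1 - WGS84_E2) + height_m) * math.sin(lat)
    return x, y, z


def track_length_m(sentences):
    """Sum of straight-line distances between consecutive valid fixes."""
    fixes = [fix for fix in map(parse_gga, sentences) if fix]
    points = [geodetic_to_ecef(*fix) for fix in fixes]
    return sum(math.dist(a, b) for a, b in zip(points, points[1:]))


def with_checksum(body):
    """Helper for the constructed sample data: append a valid checksum."""
    return "$%s*%02X" % (body, nmea_checksum(body))


# Constructed sample log: two good fixes, one corrupted line, one "no fix".
SAMPLE_LOG = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    with_checksum("GPGGA,123520,4807.048,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
    "$GPGGA,123521,4807.058,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*00",
    with_checksum("GPGGA,123522,,,,,0,00,,,M,,M,,"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_gga(line))
    print("track length: %.2f m" % track_length_m(SAMPLE_LOG))
```

Lines with a bad checksum or without a fix are dropped before any distance is computed, which matters for a logger that records while the receiver is still acquiring satellites.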
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Oct 1, 2014, at 5:54, meino.cra...@gmx.de wrote: Matti Nykyri matti.nyk...@iki.fi [14-10-01 00:26]: On Tue, Sep 30, 2014 at 08:12:38PM +0200, meino.cra...@gmx.de wrote: Matti Nykyri matti.nyk...@iki.fi [14-09-30 19:44]: On Sep 30, 2014, at 17:12, Alec Ten Harmsel a...@alectenharmsel.com wrote: On 09/30/2014 10:05 AM, meino.cra...@gmx.de wrote: Suppose the GPS would already be attached to the board and works... Is there any free available software and data for strict offline useage (which does NOT calls to home), which is able to map GPS data to a street/land map? I need both: The maps themselves and the logic to read GPS coordinates and map movements and ways to those maps. Is something like that available for free or should I directly ask the NSA/CIA/FBI/...? Thank you very much in advance for any help! Best regards, mcc The only project I know of that has openly available map data is OpenStreetMap (openstreetmap.org). I know they have an API, and they probably (not sure) have maps available for download. afaik the only way to combine various map data out of the box is to use a GIS package like QGIS. You can write software to do this using the proj4 library for an embedded box, not sure if anything for your specific use case already exists and is open source. Alec Sorry iphone send mail even if you don't wanna :/ What you are considering doing is quite a challenge. What kind of coordinates does your gps module give you? The gps system works with cartesian x y z coordinates. Then these are usually displayed to the user in WGS-84. This is a quite hard mathematical problem (differential elliptical problem). Usually is done by your gps receiver and is approximated. GIS libraries have these functions built inside. Distances are easier and faster to calculate in cartesian coordinates. You need to calculate distance because coordinates from gps will never coincide with any address. 
Open street maps provides a very good start, but addresses have great differences in different countries. For example google misses addresses quite much depending on where you are searching. Getting the address right requires good locality from the program. Addresses and roads are vector maps. The fastest way to get address is to have the vector map of the world and then calculate distance to the closest address. The database will be huge :) Maps are usually raster pictures which have some projection. When you display them you can use 3d or 2d visual. In 3d (like google earth) you draw a sphere (or oblate spheroid) and draw textures on top of is to the right coordinates. In 3d everything needs to be converted to cartesian coordinates. Or in 2d you decide a projection and then convert the projection of your maps to this projection. After that it is just easy drawing. GIS libraries contain all the needed tools for these operations. There are a few of them with open source license. I have been doing some work with opengl 3d drawing maps. Good luck your project is quite big but it is sure very much fun :) -- -Matti YEAH! Matti is back! I saw your previous mail and thought: Oh boy...Clint Eastwood is very talkative compared to /him/. ;;;))) Trashed the phone... and now back to the good old fashion terminal connection. I am not /that/ serious this evening...sorry... With all the help from this forum this evening I got by far more working results as I have thought... But back to your mail: The GPS module I plan to use is this one (by Adafruit, Lady Ada): https://learn.adafruit.com/adafruit-ultimate-gps/overview From there (see link list on the left) you can also download the manuals (pdf). Nice... MicroTek chipset. Quite easy to use. I will not use this thing as a driving assistant or navi (is this common speaking outside germany also...or is it one of those pseudo english german words like handy for cell phone...dont laugh! This time /I am/ serious! 
:) ) Its more like a GPS data logger. I plan to copy the gathered data on my PC later and I will try to draw them onto a map. May be the results prove later, that I am able to walk through walls and hovering over the face of the waters...;) Ok. This is easy... You just need some maps... openstreetmaps are good for that. From the MT3339 you get NMEA messages and WGS-84 coordinates. I would suggest displaying your results in 2D. For Germany Lambert conformal conic projection is a good choice. In this projection all angles are true and straight lines are great circle routes. Just convert the maps to this projection and convert your coordinates to Lambert false easting and false northing and you will have cartesian coordinates that are easy to draw. Even Excel is able to draw this in real time :) I don't see where you need the address resolution. May be the UV-mapping ability of this 3D rendering program will help -- I am using
Re: [gentoo-user] Headless question: Harvesting the results...software needed.
On Oct 1, 2014, at 16:40, meino.cra...@gmx.de wrote: Mick michaelkintz...@gmail.com [14-10-01 15:34]: On Wednesday 01 Oct 2014 14:26:33 meino.cra...@gmx.de wrote: After 24 h my DSL line is forced to disconnect by the provider and the download fails. Grrmmmpppfff... Will wget -c URL work in this case? -- Regards, Mick Hi Mick, yesno... ;) or it depends... There is another problem...the data files will be updated each day as far as I understand that... So you get two parts of data which will or will not fit together. Nice :)
Re: [gentoo-user] Re: An alternative keyboard layout is lost
On Oct 18, 2014, at 21:04, Gevisz gev...@gmail.com wrote: On Sat, 18 Oct 2014 13:10:15 +0300 gevisz gev...@gmail.com wrote: I have found out that my problem with xfce4 keyboard plugin reduces to the fact that now I cannot choose Russian Winkeys alternative keyboard: there is no such option in the corresponding keyboard layout settings. So, I have to choose Osetinian Winkeys alternative keyboard as it appears to be the next best choice: only one extra unnecessary letter ӕ in place of э and the letter э is set in another easy to remember position. Oh, no. I was wrong! Because, in the Osetinian Winkeys keyboard layout, I cannot find letter ё. And this issue significantly slows down my work! But everything worked perfect before emerging xfce4-weather-plugin with patches and libidn! Well you should configure keyboard layouts through evdev. If you update xorg-server you will need to remerge x11-drivers. So configure evdev as suggested by previous emails and then remerge x11-drivers. -- -M
Re: [gentoo-user] alternative kernels
On Oct 27, 2014, at 3:54, waben...@gmail.com wrote: Am Sonntag, 26.10.2014 um 21:35 schrieb Alec Ten Harmsel a...@alectenharmsel.com: On 10/26/2014 07:41 PM, Canek Peláez Valdés wrote: Keep it up, my dear Volker. You are really good for a few laughs. No. Neither of you should keep it up. You made a small comment about systemd being so fast that rebooting doesn't matter. I tried to downplay that by stating that my laptop is so old it doesn't matter, trying to steer the discussion away from systemd. Nonetheless, a systemd flame war was started anyways. I have not been on this mailing list for long, and I'm far from a long-time user of Gentoo, but both of you guys need to give it a rest. I'm extremely tired of it. I'm one of the youngest users on this list; if anyone is flaming, it should be me - the young still-in-college hotshot who thinks he knows everything. Alec +1 +1
Re: [gentoo-user] Re: OT Best way to compress files with digits
On Nov 1, 2014, at 19:26, Alan McKinnon alan.mckin...@gmail.com wrote: On 01/11/2014 19:15, James wrote: meino.cramer at gmx.de writes: I have a lot of files with digits of PI. The digits are the characters of 0-9. Currently they are ZIPped, which I think is not the best way to do that. Hello Meino, It's a bit of effort, but the world's recognized authority on algorithms is Don Knuth. [1] He's old now, but his pioneering attempt at categorizing most algorithms: The art of computer programming and his MMIX algorithm implementations (kinda like assembler) are certainly part of many first-step research efforts on algorithms and their implementations. It's not a cookbook; more of a scholarly (high_brow) reference, just to supplement all the good postings by your peers on gentoo user. Alan may loan you his copy? (ha ha ha)? hth, James [1] http://www-cs-faculty.stanford.edu/~uno/ ha ha, fat chance :-) When Alan does eventually get his hands on his very own personal copy[1], it will be lent to nobody. There are just some things a man never lends out: his bike, his firearm, his wife. And Knuth :-) Why not lend your wife? ;) Back on topic: You're 100% right - to learn about algorithms in general, Knuth is the man. Essential reading for anyone taking CS seriously -- Alan McKinnon alan.mckin...@gmail.com
Re: [gentoo-user] Re: OT Best way to compress files with digits
On Nov 1, 2014, at 23:56, David W Noon dwn...@ntlworld.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, 01 Nov 2014 22:47:15 +0200, Alan Mckinnon (alan.mckin...@gmail.com) wrote about Re: [gentoo-user] Re: OT Best way to compress files with digits (in 545546d3.3030...@gmail.com): On 01/11/2014 19:59, meino.cra...@gmx.de wrote: [snip] Ah! By the way...I was astonished to read, that the digits of PI are called random on the one hand and on the other hand there is a formula [1] to calculate a certain digit of PI without calculation of the previous digits... Calculated random? Are nature constants the purest form of PRNGs ??? ;) (Quantum physics is everywhere... ;;)) [1]: http://en.wikipedia.org/wiki/Bailey%E2%80%93Borwein%E2%80%93Plouffe_formula The sequence of digits that make up pi are a random sequence - you can analyze the order any way you want and you'll find no inherent pattern. Actually, the sequence of digits is most definitely *not* random. If the sequence of digits is written any other way then the value is not Pi. Hence the sequence is unique, not random. I think what you are grasping for is that the frequency of distinct digits tends to be uniform: 0's occur as often as 1's as often ... as 9's. Note that the as often as operator is really approximate for finite sub-sequences, but is asymptotically accurate. Moreover, this is the same in any number base: the binary representation has 0's occurring as often as 1's; the ternary representation has 0's occurring as often as 1' and as often as 2's; etc., etc. Such numbers are called normal. It was a poor choice of name, but we are stuck with it. I would have called them digit soup numbers - -- an oblique reference to alphabet soup. 
Well all the digits of pi can be compressed to the following: =pi(); If you have the infinite series that calculates the digits :) However, any given digit in the sequence is 100% predictable, as you just showed :-) Randomness has got to be the second most mind-boggling thing out there, first being quantumness (that's not a word, I just made it up. You should get the meaning OK from context ;-) ) I would say that probability theory is more mind boggling, as it underpins much of quantum theory. But, as someone who majored in probability theory, I might be biased. [Incidentally, there is a small statistical joke in that last sentence.] Getting back to Meino's original request, one of the optimum compression algorithms for this would be custom Huffman encoding. To do this the algorithm requires that all the data (i.e. digits) be read and a frequency table built. The only problem is that to read all the digits of Pi could take rather a long time. ... :-) That would take infinite time :) - -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* dwn...@ntlworld.com (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlRVVyQACgkQRQ2Fs59Psv/9qwCeKwuLz/7RGEV06X+RdDQryDe+ /xwAoK1qMgb9RZXkQByBUMqB8eqs20bG =XUPB -END PGP SIGNATURE-
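Custom Huffman coding of a digit file as discussed in the message above: read the data, build the frequency table, derive the code, and compare the result with 8 bits per character, 4-bit packing and the log2(10) bound. This is an added Python example, not part of the original mail; the sample input is the first 50 decimals of pi and the function names are chosen for this example.

```python
import heapq
import math
from collections import Counter

# First 50 decimals of pi, embedded as sample input.
PI_DIGITS = "14159265358979323846264338327950288419716939937510"


def huffman_code(freq):
    """Build a prefix code {symbol: bitstring} from {symbol: count}."""
    if len(freq) == 1:                       # degenerate file: one distinct digit
        return {next(iter(freq)): "0"}
    # Heap entries: (weight, unique tiebreak, partial code table for that subtree)
    heap = [(count, i, {sym: ""}) for i, (sym, count) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    tiebreak = len(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)    # two lightest subtrees
        w2, _, right = heapq.heappop(heap)
        merged = {s: "0" + bits for s, bits in left.items()}
        merged.update({s: "1" + bits for s, bits in right.items()})
        heapq.heappush(heap, (w1 + w2, tiebreak, merged))
        tiebreak += 1
    return heap[0][2]


def encode(digits, code):
    """Concatenate the code words; returned as a string of '0'/'1'."""
    return "".join(code[d] for d in digits)


def decode(bits, code):
    """Invert encode(); raises ValueError on trailing bits that match no code word."""
    inverse = {bits_: sym for sym, bits_ in code.items()}
    out, buf = [], ""
    for bit in bits:
        buf += bit
        if buf in inverse:                   # prefix-free: first match is the symbol
            out.append(inverse[buf])
            buf = ""
    if buf:
        raise ValueError("truncated or corrupt bit stream")
    return "".join(out)


def entropy_bits(freq):
    """Shannon entropy of the empirical digit distribution, bits per digit."""
    total = sum(freq.values())
    return -sum(c / total * math.log2(c / total) for c in freq.values())


def compare(digits):
    """Bits per digit for several encodings of the same digit string."""
    freq = Counter(digits)
    code = huffman_code(freq)
    return {
        "ascii": 8.0,                        # one byte per character, uncompressed
        "packed_4bit": 4.0,                  # two digits per byte
        "huffman": len(encode(digits, code)) / len(digits),
        "entropy": entropy_bits(freq),       # lower bound for this frequency table
        "log2_10": math.log2(10),            # bound when all digits are equally likely
    }


if __name__ == "__main__":
    table = huffman_code(Counter(PI_DIGITS))
    for digit in sorted(table):
        print(digit, table[digit])
    for name, bits in compare(PI_DIGITS).items():
        print("%-12s %.3f bits/digit" % (name, bits))
```

With ten equally frequent digits the Huffman code averages 3.4 bits per digit against the log2(10) ≈ 3.32 bound, and the frequency table has to be stored alongside the data so the decoder can rebuild the code.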
Re: [gentoo-user] etiquette for stabilization request
On Nov 2, 2014, at 17:10, gottl...@nyu.edu wrote: I am running firefox-24.8.0, which is highest stable (highest testing is 33.0). Several sites, in particular mail.google.com, report that This version of Firefox is no longer supported. Please upgrade to a supported browser. Does that warrant a stabilization request. I have never filed one before and do not have a feeling of what is considered justification. I should add that other than generating the above complaints, firefox is working fine (including with mail.google.com). You could also run roundcube etc to circumvent the problem. Also then google wouldn't read all your mails :) -- -Matti
[gentoo-user] Bounces on gentoo-user
Hi Are any of you guys getting bounces from the list? Does it mean that my message didn't go to the list? Or it didn't go to one of the recipients on the list? Or is this some other error? I've been getting these every once in a while for a few weeks now. Any actions required? Below you'll find the bounced message attached. -- Matti Begin forwarded message: From: gentoo-user+bounces-159671-matti.nykyri=iki...@lists.gentoo.org Date: November 4, 2014 at 13:36:34 GMT+2 To: undisclosed-recipients:; This message has no content.
Re: [gentoo-user] using python 2.7
On Nov 5, 2014, at 2:01, Dale rdalek1...@gmail.com wrote: Paige Thompson wrote: Sorry for the dumb message, I figured out how to use eselect python (the syntax is a little weird and not very well documented.) This fixed my issue as near as I can tell. For future reference, make sure nothing depends on whatever version of python you want to remove before you remove it. If you don't, it could get very interesting in a really bad way. Python is one of those packages that you have to watch out for gotchas on. It sometimes comes back and bites you. Luckily it is not poisonous :) -- -Matti
Re: [gentoo-user] question about binhost's
On Nov 17, 2014, at 23:46, Alan McKinnon alan.mckin...@gmail.com wrote: On 17/11/2014 23:32, thegeezer wrote: On 17/11/14 21:01, Michael Mair-Keimberger wrote: Hi list, I was setting up an binhost recently and i couldn't found any information how to keep old builds. Usually, for example a newer version of tcpdump gets build, the old build will be deleted. Only different slots were keeped. However, I want to keep these old builds but I haven't found an option for that. Is it even possible to keep these? If not, anyone know why? if it's not possible there must be a reason and i couldn't think of anyone... um, these _are_ kept until you run # eclean packages unless i'm missing something ? No, you're not missing something. The OP seems to be non-English-first- language and the question is poorly worded to a native speaker. He's saying that emerge overwrites the previous installed version when it rebuilds a package and he wants to keep it. The solution to that is binpkgs. You are talking about what happens to binpkg you already have, he is asking how to get binpkgs in the first place You also have a tool called 'quickpkg'. With that you can make binpkgs out of packages already installed on your system without recompiling. This might be a good tool for you if you have not made them in the first place. so you can still emerge -K old-apps/package for an example, in my /usr/portage/packages/app-shells on my laptop i have # ls -lah total 6.8M drwx-- 2 root root 4.0K Oct 14 21:02 . drwx-- 76 root root 4.0K Nov 17 10:51 .. -rw--- 1 root root 1.2M Sep 5 10:43 bash-4.2_p45.tbz2 -rw-r--r-- 1 root root 1.2M Sep 26 20:52 bash-4.2_p48-r1.tbz2 -rw-r--r-- 1 root root 1.2M Oct 1 14:33 bash-4.2_p50.tbz2 -rw-r--r-- 1 root root 1.2M Oct 2 22:22 bash-4.2_p51.tbz2 -rw-r--r-- 1 root root 1.2M Oct 6 10:09 bash-4.2_p52.tbz2 -rw-r--r-- 1 root root 1.2M Oct 9 23:50 bash-4.2_p53.tbz2 -rw-r--r-- 1 root root 8.4K Oct 14 21:02 push-1.6.tbz2 -- -Matti
Re: [gentoo-user] headphone does not work in windows After logging to linux
On Nov 21, 2014, at 14:08, behrouz khosravi bz.khosr...@gmail.com wrote: Hi. My problem is that when I log off from gentoo and login to windows, my headphone does not work in windows. Has anyone encountered the same problem? Do you reboot in between or are you running some kind of virtual machine? Usb headphones or what? What sound driver? I've had problems with NIC between reboots. They were cleared by removing power cord for multiple minutes while rebooting. I got rid of the problem when I updated NIC's driver (bug in driver). -- -Matti
Re: [gentoo-user] headphone does not work in windows After logging to linux
On Nov 21, 2014, at 16:15, behrouz khosravi bz.khosr...@gmail.com wrote: Do you reboot in between or are you running some kind of virtual machine? Usb headphones or what? What sound driver? I've had problems with NIC between reboots. They were cleared by removing power cord for multiple minutes while rebooting. I got rid of the problem when I updated NIC's driver (bug in driver). -- -Matti No. It happens every time I boot into linux. Gentoo or Arch. removing power helps but is annoying. its not usb, but I don't know what it is called! the ordinary type! Its a realtek chip . The bug that you mentioned is related to linux driver or windows driver? I have realtek R6168/6111/6169 NIC. It works in Linux with realtek's driver not with the one included in kernel. Windows fails to initialize the NIC properly when I reboot from linux to windows. When NIC is reset by recycling power windows will be able to initialize it. Downgrading windows (7 64bit) driver to an ancient one fixed the problem. The up-to-date realtek driver didn't work correctly. lspci -v You can check what driver kernel uses for your audio. Also the bug can be in alsa. The ways of alsa are quite complicated... You are using alsa right? What error message does alsa give when you try to play audio?
Re: [gentoo-user] headphone does not work in windows After logging to linux
On Nov 21, 2014, at 17:37, behrouz khosravi bz.khosr...@gmail.com wrote: On Nov 21, 2014 6:50 PM, Ivan T. Ivanov iiva...@mm-sol.com wrote: On Fri, 2014-11-21 at 18:38 +0330, behrouz khosravi wrote: Well I have no problem with it in linux. It always works in linux but I think there is a problem with alsa or some other linux related part. Because I have enabled the after post sound in bios. When I power in on the headphone work. Then I login to linux and when I reboot to login to windows, the bios post sound does not come from headphone. So the question is about BIOS beep after some sort of self test, and not the audio in general? Out of curiosity. Once it is working, is it still work if you reboot several(2) times to Windows? Ivan Actually I wanted to point out that something is happening in linux and the windows is a victim this time! Booting several times into windows is ok and no sign of that problem. With those symptoms you can not tell which element is not following the spec. Problem can be within linux driver, windows driver, card firmware or in bios. -- -Matti
Re: [gentoo-user] Shutdown, Gentoo and the Arietta.G25
On Dec 1, 2014, at 23:03, Fernando Rodriguez frodriguez.develo...@outlook.com wrote: On Monday, December 01, 2014 7:34:35 PM meino.cra...@gmx.de wrote: Dale rdalek1...@gmail.com [14-12-01 19:16]: meino.cra...@gmx.de wrote: Hi, another sigh from an Arietta adventure... I installed Gentoo on an Arietta G25 (http://www.acmesystems.it/arietta). For this I used Robert Nelsons Kernel for armv5tel platforms, which boots fine (using at91bootstrap, no U-Boot). But: Shutdown (as recommended by acmesystems shutdown -h -H now) REBOOTS the system instead of powering it down. The hardware is not to blame: Using the original Debian rootfs and the kernel 3.16.1 (Robert Nelsons kernel is 3.17.3.) the powerdown works fine. Firstly I blamed the kernel...but when using the 3.16.1 kernel and the Gentoo rootfs the problem remains. Then I copied the Gentoo shutdown to the Debian rootfs, boot that and tries to shutdown the Debian Linux with it. shutdown cries no /dev/initctl and shutdowns the system only for rebooting it. Ok...seems to be the shutdown executable. I copied the Debian shutdown to Gentoo and tries that: The systems reboots. Slowly but surely I begin to think, that I don't understand anything at all of It would be really good news, that... man shutdown on the Debian image informs me, that the manpages were not installed (embedded system...). Shutdown --version gives a short help of the usual options...but nothing more. What is the difference here? Isn't it, that all shutdown applications only send some instructions to the kernel and the kernel is the main actor in bringing the system down? Is there any shutdown guru ;) out there, who is able to shed some light into this problem ? :) Thank you very much in advance for any torch send into my direction! Best regards, Meino Just shooting in the dark here, try -h and -H but not at the same time? Maybe having both is clashing in some weird way??? 
Dale :-) :-) Hi Dale, The Trouble shooting FAQ*) by acmesystems explicitly say shutdown -h -H now (and it works with the Debian rootfs)...but I will try the other shutdowns and will see, what happens, Best regards, Meino *) http://www.acmesystems.it/qa Looking at the code for sysvinit, all shutdown does is set some environment variables and switch runlevel. The actual shutdown is done by halt and it's done through the reboot system call with RB_POWER_OFF. So, since you said the Gentoo system doesn't work even with Debian's kernel and the shutdown, then it must be that either Debian has a different halt, or more likely your Gentoo system calls halt with different options. So check your inittab on Gentoo and make sure it calls halt in the same way. Hi meino The thing is as Fernando pointed out: Kernel powers off the hardware and a system call is used to instruct kernel to do so. Test your system. Perform a system call to shutdown the board. As you perform this system call the arietta will instantly either boot or shutdown. See system call man page to see the list of available system calls. This way you can make sure the system works as expected... When you have found the right system call, then you need to make init call that system call as the last command in run level 0. -- -Matti
Re: [gentoo-user] samba and window 7 NTFS
On Dec 4, 2014, at 22:21, Neil Bothwick n...@digimed.co.uk wrote: On Thu, 04 Dec 2014 19:15:07 +, thegeezer wrote: In order to format the USB stick to NTFS I need this option in kernel as well, am I correct? yes You're probably better off not using the in-kernel NTFS and using ntfs-3g instead, which also includes mkfs.ntfs. You can't format a filesystem with just a kernel driver. Same opinion here. The in-kernel driver is only good for reading files and directories. If anything else is needed use ntfs3g. -- -Matti
Re: [gentoo-user] [half OT] WLAN totally beginners question
On Dec 7, 2014, at 21:10, meino.cra...@gmx.de wrote: Hi, I am just starting to do the first steps in configuring WLAN. The problem is: This topic seems to be rich of terms, which I don't know yet how to evaluate: AP, WAP, WEP, FSK...and dozens more. Since my use case is very limited I want to configure just that without being urged to achieve my master degree of WLANism after studying everything this topic consists of only to recognize that I only need to know about...say...2% of it. Background: I have two little Linux boards (Arietta G25) with a RT5370 Wireless Adapter each. I want to make both able to communicate with each other beside being able to use the ethernet-over-USB connection to enable the communication with/to my PC Usually it's better to answer the question and not challenge the original goals of the poster. Despite that I want to ask why you need WiFi? Why not just route the traffic from one arietta to the other through the usb? Arietta A eth0 - usb - pc - usb - Arietta B eth0 A lot easier setup. Nothing extra needed. Just route command on PC!? -- -Matti
Re: [gentoo-user] convert VOB to ISO
On Dec 17, 2014, at 9:57, Joseph syscon...@gmail.com wrote: How to convert VOB to ISO? I want to burn it to DVD I'm using XFCE and was looking for a GUI application but I can not find one, I've tried DeVeDe but it didn't work. What you need is DVD-author. These are rare nowadays. Here is a list: http://en.m.wikipedia.org/wiki/List_of_DVD_authoring_applications I've been using Q DVD Author successfully for a few times in 2011, but DVD-authoring wasn't at least back then fully automatic stuff. And also dvd's are becoming obsolete. You just create the menu structure and then the authoring program produces iso-image (videots.ifo/vts_0-0.vob). The 'DVD-language' is kind of primitive (qbasic/any script). -- -Matti
Re: [gentoo-user] Laptop Overheat
On Dec 17, 2014, at 8:37, Stefan G. Weichinger li...@xunil.at wrote: When I compile bigger packages on my small ThinkPad X220 I sometimes put it into the fridge ;-) This effectively cools it down rather quickly ... and I ssh in via wifi. Not to be tried at home ;-) This is hilarious ;D -- -Matti
Re: [gentoo-user] Laptop Overheat
On Dec 17, 2014, at 12:56, Dale rdalek1...@gmail.com wrote: Alan McKinnon wrote: On 17/12/2014 11:03, Dale wrote: Stefan G. Weichinger wrote: Am 17.12.2014 um 07:33 schrieb J. Roeleveld: Try cleaning the vents. Also, most couches have a tendency to compress when something like a laptop is on it. Effectively blocking all airflow. If the temperature goes to 99C when on top of a table, return the laptop to the shop as it is clearly not working properly. When I compile bigger packages on my small ThinkPad X220 I sometimes put it into the fridge ;-) This effectively cools it down rather quickly ... and I ssh in via wifi. Not to be tried at home ;-) You don't have a fridge at home? ROFL Sorry, I couldn't pass that one up. ;-) At one time, I thought about putting a rig that ran sorta warm in my freezer. So you trade heat damage for water damage? Hm, I'd be thinking it's time for new computer that DoesCoolingRight(tm) It was a hand me down. Since everything in there is well below freezing, it shouldn't get water damage. Now when I take it out of the freezer, that could get interesting and cause the issue you are raising which is why I never did it either. Because the temperature of the laptop in the freezer will always be above dew point it will never get wet. When you take it out though it's temperature will most likely be below dew point of the ambient air so water will condensate unless the access of water is blocked by a plastic bag for example. -- -Matti
Re: [gentoo-user] question/feature request: First fetch, then compile...
On Dec 17, 2014, at 14:13, Neil Bothwick n...@digimed.co.uk wrote: On Wed, 17 Dec 2014 10:52:44 +0100, meino.cra...@gmx.de wrote: Yes, thats it: First download all stuff THEN start compiling. If I were you, I would setup your pc to do cross-compiling of your arietta's packages and build them into binpkg's. This could be all stored on the pc and accessed via nfs for example. Then the first dependency calculation would be done on the pc to build the packages and the second on arietta using only binary packages. You should keep /etc/portage, /var/lib/portage and /usr/portage on the PC and not modifiable from the arietta. This way you only need to install the run time dependencies to the arietta. And install from bin pkg is really fast. Another alternative would be to use a USB to ethernet adaptor on the embedded board and connect it directly to your router. This also sounds good. Or setup server which has the usb and is always on. -- -Matti
Re: [gentoo-user] How to install a pkg without all dependencies?
On Dec 18, 2014, at 20:18, Harry Putnam rea...@newsguy.com wrote: I installed emacs outside portage from bzr sources. I'd sooner track emacs development my way. I vaguely remember some way to tell portage about that... but not enough to do it... As Poison instructed: package.provided or then get emacs-.ebuild that uses the bzr and installs straight from emacs trunk. You can easily find one or write your own ebuild. It's really straightforward. -- -Matti
Re: [gentoo-user] virtual/emacs-24
On Dec 19, 2014, at 2:06, Harry Putnam rea...@newsguy.com wrote: Can anyone say what that package actually does? virtual/emacs-24 installs a directory emacs-24 under /var/db/virtual/ and it takes around 10sec. This dir is only used by portage to figure out what you have in your system. Run: equery g --depth=2 emacs-w3m And you'll probably understand better what virtuals do. -- -Matti
Re: [gentoo-user] Getting rid of gcc-4.7.3...how?
On Dec 20, 2014, at 17:56, meino.cra...@gmx.de wrote: Dale rdalek1...@gmail.com [14-12-20 02:47]: meino.cra...@gmx.de wrote: Dale rdalek1...@gmail.com [14-12-19 17:08]: Mick wrote: Meino, to avoid misunderstandings: 1. Emerge the new gcc package. 2. Use gcc-config to change to the new gcc version. 3. Run 'env-update && source /etc/profile'. 4. Run fix_libtool_files.sh, although I would think that this is redundant these days. 5. Unmerge the old gcc version. I don't recall ever running fix_libtool_files.sh after switching gcc versions. Usually when I see a gcc upgrade, I emerge it, switch to it and the usual profile thing, run emerge -e world JUST to be safe, then unmerge the old gcc. That's all I usually do here. I have skipped the emerge -e world a time or two. Am I just lucky, not likely as some may know, or does emerge -e world catch it or what? Now I'm curious. Dale :-) :-) Hi Dale, I started compiling the new gcc this morning about ~7:00 AM...just a few minutes ago stage3 finishes. Now ... before doing anything else... I am making a backup of all that, so...if anything fails...I am able to reinstall the status quo. I will keep you informed, what happens to my little embedded system... Best Meino That's the thing about slow systems, you want to do it right the first time because it takes too much time to repeat something. Heck, I have a 4 core AMD CPU with 16GBs of ram here and I still would rather do it right the first time. If you have something slow that takes days to do something, you really want plan A to work. I'm also wondering if there have been changes to emerge that could make a difference. I run the latest unstable non * version. I sorta like having all the new improvements. I'm just not sure if that affects the issue here is all. Dale :-) :-) Hi, after a few more non-booting-systems and backup-reinstalls I think I know what the reason is...but I don't know how to get out of it: The system becomes inaccessible if I do an env-update and reboot. 
Reason for that are binaries, in which the path to the old gcc is hardcoded. With the sdcard mounted I checked that with my PC: I did a grep -r '\/usr\/lib\/gcc\/armv7a-hardfloat-linux-gnueabi\/4.7.3' on ALL files of the sdcard and found thousands of hardcoded links to the old gcc inside binaries... The new gcc installed but not doing env-update implies that any further compilation will link to the old gcc. Doing env-update implies a system which will not survive the next reboot. What now? If I understand your situation correctly, do: gcc-config to set the new version env-update logout login emerge --deep --update world emerge --depclean revdep-rebuild This will take a long time but will get your system working again. If you don't want to do that you can of course tweak the libraries with binary tools. That is easy if you know what you are doing. To prevent this in the future always before world update, update gcc and glibc first if there is a new version available. Gcc-config is crucial after you have installed a new version of gcc. -- -Matti
Re: [gentoo-user] Getting rid of gcc-4.7.3...how?
On Dec 20, 2014, at 21:04, meino.cra...@gmx.de wrote: Hi Matti, not exactly... The sequence you show looks like this in my case: gcc-config to set the new version env-update reboot login attempt: impossible...system does not respond anymore Did I miss something or why do you reboot in that phase? -- -Matti
Re: [gentoo-user] ceph on gentoo?
On Dec 26, 2014, at 10:15, Stefan G. Weichinger li...@xunil.at wrote: On 26.12.2014 at 09:11, Dale wrote: I didn't get any here either. Unless Gmail filtered it which should be disabled. me = 3rd one not getting them. Without gmail (but other antispam-measures ...). +1
Re: [gentoo-user] rebuilds during emerge
On Feb 18, 2015, at 11:50, Harry Putnam rea...@newsguy.com wrote: Is there something I need to do when I see emerge -vUNDp @world like this? emerge -vuNDp @world (wrapped for mail) [snipped some 43 other pkgs] [The following line beginning with `[ebuild ...' (wrapped) is just to allow any reader to understand they are at the end of pkgs output] , | [ebuild U ] sys-apps/shadow-4.2.1-r1 [4.2.1] USE=cracklib nls pam | -acl -audit (-selinux) -skey -xattr LINGUAS=-cs% -da% -de% -es% | -fi% -fr% -hu% -id% -it% -ja% -ko% -pl% -pt_BR% -ru% -sv% -tr% | -zh_CN% -zh_TW% 0 KiB | | Total: 44 packages (39 upgrades, 1 in new slot, 4 reinstalls), Size of | downloads: 255789 KiB | | The following packages are causing rebuilds: | | (x11-base/xorg-server-1.17.1:0/1.17.1::gentoo, ebuild scheduled for merge) causes rebuilds for: | (x11-drivers/xf86-input-keyboard-1.8.0:0/0::gentoo, ebuild scheduled for merge) | (x11-drivers/xf86-input-evdev-2.9.1:0/0::gentoo, ebuild scheduled for merge) | (x11-drivers/xf86-video-virtualbox-4.3.20:0/0::gentoo, ebuild scheduled for merge) | (x11-drivers/xf86-input-mouse-1.9.1:0/0::gentoo, ebuild scheduled for merge) ` Do those last 5 need some special attention? No. Emerge is just letting you know that because you are updating xorg-server the following packages are rebuilt against the new version of xorg. If you scroll up the list, you will see that x11-drivers/xf86... packages are marked with R. -- -Matti
Re: [gentoo-user] syslog-ng: how to read the log files
On Feb 17, 2015, at 20:26, lee l...@yagibdah.de wrote: Hi, how do you read the log files when using syslog-ng? The log files seem to be some sort of binary that doesn't display too well in less, and there doesn't seem to be any way to read them. This was discussed earlier on this list... Actually what syslog-ng produces is plain text. There seemed to be a bug that creates some binary (i.e. unreadable characters) and that causes less to consider files to be binary and show them incorrectly. To work around it you can use the -r flag with less, or replace/remove unreadable chars from log, or delete the log file. -- -Matti
Re: [gentoo-user] alternative to dvbcut
On Jan 10, 2015, at 20:38, lee l...@yagibdah.de wrote: Hi, since dvbcut isn't available in Gentoo and doesn't compile either, what's the alternative? Well I would use ffmpeg. Dvbcut is just a frontend for ffmpeg. Ffmpeg is a true swiss army knife for any video manipulation... You can do almost anything with it. Stream selection cutting is really easy with ffmpeg: ffmpeg -i stream.ts -acodec copy -scodec copy -vcodec copy -ss 60 -t 120 output.mkv You can use -map to select desired stream. This kind of multiplexing is really fast! -- -Matti
[gentoo-user] VM running windows as a guest
Hi I am new to virtualization and would like to receive a few notes on things before starting. I clearly see that a lot of you guys are quite pros with that. I would like to run gentoo and windows on my workstation at the same time so that I could get rid of rebooting my system when switching. Ideal solution would be to have X-windows in vt7 and windows 7 in vt8. Is that possible? Based on what I have learned I think my best solution is to run gentoo as host using KVM and qemu for the windows guest. I have the windows installed on my hard-drive. Can I use that image for the guest if I run it in HVM mode? To run serious applications in windows I probably need paravirtualization. Can I modify the old windows image or is it better to begin with a fresh install to get virtio drivers to the windows? Here are just a few thoughts that I have in mind... -- Matti
Re: [gentoo-user] another old box to update
On Jan 7, 2015, at 14:47, Alan McKinnon alan.mckin...@gmail.com wrote: On 07/01/2015 13:52, Stefan G. Weichinger wrote: I am in the process of upgrading an old (~2010) gentoo server. The customer never wanted updates ... and now he wants ... *sigh* Don't waste your time (you are already experiencing the full reason why). Backup data and configs, reinstall Gentoo, restore data and configs. I had a similar challenge. But it is quite easy to overcome. After the backups just untar the latest stage3 to your root filesystem. Then sync portage and emerge world with an empty tree and keep-going flags. It should get it done mostly. A few packages might fail to merge, but after the world update the list should be fairly short and manageable. You might need to emerge -C a few packages, but it's ok. After the system is up to date restore your backups. -- -Matti
Re: [gentoo-user] How to poweroff the system from user?
On Mar 22, 2015, at 9:11, Alexander Kapshuk alexander.kaps...@gmail.com wrote: On Sun, Mar 22, 2015 at 9:06 AM, German gentger...@gmail.com wrote: On Sun, 22 Mar 2015 08:49:54 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 22, 2015, at 8:32, German gentger...@gmail.com wrote: /sbin/poweroff says Must be a superuser :( Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work! Yes, I've read them. However no one explained how this has to be accomplished with polkit and consolekit. Read http://wiki.gentoo.org/wiki/Polkit and all the links and prerequisites (consolekit and dbus) and polkit man page. Also the use of sudo is another choice. Sudo is just a package? Yes, it is. qsearch sudo|sed 1q app-admin/sudo Allows users or groups to run commands as other users If you want every user to be able to shut down just run this command: chmod 6755 /sbin/poweroff -- -Matti
Re: [gentoo-user] How to poweroff the system from user?
On Mar 22, 2015, at 9:31, Fernando Rodriguez frodriguez.develo...@outlook.com wrote: On Sunday, March 22, 2015 3:06:59 AM German wrote: On Sun, 22 Mar 2015 08:49:54 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 22, 2015, at 8:32, German gentger...@gmail.com wrote: /sbin/poweroff says Must be a superuser :( Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work! Yes, I've read them. However no one explained how this has to be accomplished with polkit and consolekit. Actually systemd's poweroff should be on /usr/bin or /bin but if you got it there you shouldn't have got the command not found error so something is messed up with your system. Post the output to the following ls -l /usr/bin/poweroff ls -l /bin/poweroff ls -l /sbin/poweroff ls -l /usr/sbin/poweroff Only one of them should list something and it should be a symlink to systemctl. From previous messages by the OP I recall that he is using OpenRC. -- -Matti
Re: [gentoo-user] How to poweroff the system from user?
On Mar 22, 2015, at 9:30, German gentger...@gmail.com wrote: On Sun, 22 Mar 2015 03:19:50 -0400 Fernando Rodriguez frodriguez.develo...@outlook.com wrote: On Sunday, March 22, 2015 3:06:59 AM German wrote: On Sun, 22 Mar 2015 08:49:54 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 22, 2015, at 8:32, German gentger...@gmail.com wrote: /sbin/poweroff says Must be a superuser :( Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work! Yes, I've read them. However no one explained how this has to be accomplished with polkit and consolekit. You don't need those. It sounds like you somehow got both sysvinit and systemd installed. The message you're getting is from sysvinit. poweroff should be a symlink to systemctl. Try: systemctl poweroff You may need to unmerge sysvinit and anything else related to openrc and then re-emerge systemd. With systemd it should either shutdown or ask you for the root password (if you're not logged in locally or there's other users logged Thanks, I decide to go with sudo on this one. However when I try to run it, it says: Username is not in the sudoers file. Where is this file located and how can I add the user to it? Thanks man sudo And man sudoers The file is in /etc/sudoers -- -Matti
Re: [gentoo-user] Re: How to poweroff the system from user?
On Mar 22, 2015, at 17:58, Philip Webb purs...@ca.inter.net wrote: 150322 Peter Humphrey wrote: On Sunday 22 March 2015 13:04:44 Nikos Chantziaras wrote: I can reboot the system when I am a user by Ctrl+Alt+Delete. The user can reboot the system, but can't shut down ? Strange The thinking is that you can unplug the machine or press the hardware reset or power button or flip the PSU switch ... Preventing a ctrl+alt+del reboot does not add anything to security. Security doesn't apply to users with physical access to the machine. However, this is just a default. You can easily disable reboot on ctrl+alt+del by editing /etc/inittab and commenting-out this line: ca:12345:ctrlaltdel:/sbin/shutdown -r now Testing my single-user box with the above line in inittab , I find that if I enter 'A-^Del' , I exit X to the raw terminal ; another 'A-^Del' then reboots the box. If I enter 'shutdown -r now' as user, I get shutdown: you must be root to do that!. 'cd /sbin ; ls -l shutdown' shows '-rwxr-xr-x 1 root root 23192 May 17 2014 shutdown', so that behaviour arises from the shutdown script, not the permissions. The 1st effect is explained in ~/.fluxbox/keys by # exit fluxbox Control Mod1 Delete :Exit However, the 2nd effect is not explained so easily : 'A-^Del' reboots when entered at a raw terminal, but 'shutdown -r now' does not, yet the former is defined as the latter by the line above in my /etc/inittab . The cause seems to be that 'A-^Del' is intercepted by 'init' (Process 1), which is owned by root, but 'shutdown -r now' is heard by Process 910 -- 'bash' running in the raw terminal, which was started by 'init' -- , which is owned by my user. So the behaviour is explained, but following my earlier msg, which advised to follow proper Unix principles, I should comment the 'A-^Del' line in inittab : if the raw terminal can't react to 'su', it won't react to 'A-^Del' either, so there's no justification in terms of escaping from an emergency. 
When you press ctrl-alt-delete kernel receives it and sends it to the program that has grabbed the keyboard. If this program doesn't trap the sequence it goes to the parent program. Like if you are running a terminal in X it first goes to the shell then terminal and then to X-server. Now usually X traps that and performs whatever action is configured. If you set X not to trap the key press it goes all the way down back to the kernel. When kernel receives it it generates hang-up signal and sends it to the PID 1 aka init. And then executes the command in inittab. ca:12345:ctrlaltdel:/bin/echo shutdown And then: kill -HUP 1 Will print shutdown to your console. If you write a small program that traps ctrl-alt-del and run that in terminal, the server will not reboot :) pressing the reset button is far worse, since there's no clean shutdown, unmounting filesystems after flushing caches, etc. Yes : that's forced only when the keyboard ceases to respond. Because of that, the default of allowing ctrl+alt+del for local users makes more sense than disabling it. That doesn't follow : if you have multiple users, you don't want some rogue user rebooting randomly ; it makes sense only as a convenience on a single-user system. It seems to be the default behaviour of 'inittab' -- there's no comment saying I set it myself, which I would have added -- , which is not appropriate for Gentoo systems in general, some of which are undoubtedly multi-user. On a multi-user system only the user sitting on the local terminal can press ctrl-alt-del and reboot the machine as he could also hit the server with a sledge hammer :) -- -Matti
Re: [gentoo-user] Screen: Cannot open your terminal '/dev/tty1' - please check [Update]
On Mar 14, 2015, at 21:23, Alan McKinnon alan.mckin...@gmail.com wrote: There is a use-case for doing it (but I highly doubt the OP is using it) Yes. I was just thinking if the OP has a misconfiguration in /etc/security/access.conf and can't login as himself on a local console. And that way is forced to use root login and then su. -- -Matti
Re: [gentoo-user] PORTDIR_OVERLAY in make.conf has no effect anymore?
On Mar 16, 2015, at 12:07, Helmut Jarausch jarau...@igpm.rwth-aachen.de wrote: Hi, since a few days when I configured /etc/repos.conf the setting of PORTDIR_OVERLAY in /etc/portage/make.conf seems to get ignored. I have some overlays here (installed by layman) but I don't want all of these to be considered for updating when I say emerge -auv .. Previously, I could manage which overlays were considered by setting the PORTDIR_OVERLAY in /etc/portage/make.conf This doesn't work anymore. What did I miss? http://wiki.gentoo.org/wiki/Project:Portage/Sync I think there was also a news item about it. -- -Matti
Re: [gentoo-user] Screen: Cannot open your terminal '/dev/tty1' - please check [Update]
On Mar 17, 2015, at 19:33, German gentger...@gmail.com wrote: On Tue, 17 Mar 2015 19:16:42 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 17, 2015, at 18:11, German gentger...@gmail.com wrote: Don't hit your head to a brick wall. A small strace to the login process reveals that login set things as you tell it to in /etc/login.defs In this file change the line: TTYPERM 0600 To: TTYPERM 0620 And your problem is fixed. Sorry, this didn't fix it Yes. Sorry. The mode was wrong: TTYPERM 660 Will fix it, if your screen is setgid tty and ttyX is gid tty. If not then: TTYPERM 666 Will fix it, but also your tty will be world readable. If you don't consider that too big a security risk, then just go Neither 660 nor 666 fixed it. Sorry :( If you have: TTYPERM 0666 And logout and login. What mode and ownership do you have in your tty (/dev/ttyX)? -- -Matti
Re: [gentoo-user] Screen: Cannot open your terminal '/dev/tty1' - please check [Update]
On Mar 17, 2015, at 18:11, German gentger...@gmail.com wrote: Don't hit your head to a brick wall. A small strace to the login process reveals that login set things as you tell it to in /etc/login.defs In this file change the line: TTYPERM 0600 To: TTYPERM 0620 And your problem is fixed. Sorry, this didn't fix it Yes. Sorry. The mode was wrong: TTYPERM 660 Will fix it, if your screen is setgid tty and ttyX is gid tty. If not then: TTYPERM 666 Will fix it, but also your tty will be world readable. If you don't consider that too big a security risk, then just go ahead. -- -Matti
Re: [gentoo-user] Screen: Cannot open your terminal '/dev/tty1' - please check [Update]
On Mar 17, 2015, at 21:52, German gentger...@gmail.com wrote: On Tue, 17 Mar 2015 20:39:46 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 17, 2015, at 19:33, German gentger...@gmail.com wrote: On Tue, 17 Mar 2015 19:16:42 +0200 Matti Nykyri matti.nyk...@iki.fi wrote: On Mar 17, 2015, at 18:11, German gentger...@gmail.com wrote: Don't hit your head to a brick wall. A small strace to the login process reveals that login set things as you tell it to in /etc/login.defs In this file change the line: TTYPERM 0600 To: TTYPERM 0620 And your problem is fixed. Sorry, this didn't fix it Yes. Sorry. The mode was wrong: TTYPERM 660 Will fix it, if your screen is setgid tty and ttyX is gid tty. If not then: TTYPERM 666 Will fix it, but also your tty will be world readable. If you don't consider that too big a security risk, then just go Neither 660 nor 666 fixed it. Sorry :( If you have: TTYPERM 0666 And logout and login. What mode and ownership do you have in your tty (/dev/ttyX)? Ok, Matti, 0666 worked, now I can run screen as a user. Thanks. Do you think I have to try to run it 0660? Will it be less security risk? Well 0666 = 666. The reason it now worked is because you logged out and then back in. This is because login program only reads the /etc/login.defs-file when you login. With mode 0666 every user on your computer can read everything (every character) you have in your screen (so not much privacy). If you set: TTYGROUP utmp TTYPERM 0660 And have: -rwxr-sr-x root utmp /usr/bin/screen Everything will also work and you have more privacy. When /bin/login is run it changes ownership of the tty to the user who logs in. Su -l does not do this. That is why the screen doesn't work. ConsoleKit is the program that is responsible for many of these permission changes. Do you have that installed? -- -Matti
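The TTYPERM/TTYGROUP settings tried in this thread, turned into a check that is added here and is not part of the original messages: it classifies who can open a login tty from the mode and group of the tty and of the screen binary. The verdict names and the sample rows are constructed, modes are octal strings as `stat -c %a` prints them, and `audit_live` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): decide who can open a login tty from
# its mode/group and from the mode/group of the screen binary.

# is_octal MODE -> succeeds only for a non-empty string of octal digits
is_octal() {
    case $1 in
        ''|*[!0-7]*) return 1 ;;
        *) return 0 ;;
    esac
}

# tty_exposure TTY_MODE TTY_GROUP SCREEN_MODE SCREEN_GROUP
# Prints one verdict: world-open, screen-via-setgid, group-members,
# group-write-only, group-read-only, owner-only (or "invalid").
tty_exposure() {
    is_octal "$1" && is_octal "$3" || { echo invalid; return 2; }
    tty_mode=$(( 0$1 ))
    scr_mode=$(( 0$3 ))
    if [ $(( tty_mode & 06 )) -ne 0 ]; then
        echo world-open                 # e.g. 666: any local account
        return 0
    fi
    case $(( tty_mode & 060 )) in
        48)                             # octal 060: group may read and write
            if [ $(( scr_mode & 02000 )) -ne 0 ] && [ "$2" = "$4" ]; then
                echo screen-via-setgid  # e.g. 660 utmp + screen 2755 utmp
            else
                echo group-members
            fi ;;
        16) echo group-write-only ;;    # octal 020, e.g. 620
        32) echo group-read-only ;;     # octal 040
        *)  echo owner-only ;;          # e.g. 600
    esac
}

# audit_live TTY_PATH SCREEN_PATH: same verdict for real files (GNU stat).
audit_live() {
    t=$(stat -c '%a %G' "$1") || return 1
    s=$(stat -c '%a %G' "$2") || return 1
    tty_exposure "${t% *}" "${t#* }" "${s% *}" "${s#* }"
}

# Constructed rows mirroring the settings tried in the thread:
# tty mode, tty group, screen mode, screen group.
demo() {
    while read -r tmode tgroup smode sgroup; do
        printf 'tty %-4s %-5s screen %-4s %-5s -> %s\n' \
            "$tmode" "$tgroup" "$smode" "$sgroup" \
            "$(tty_exposure "$tmode" "$tgroup" "$smode" "$sgroup")"
    done <<'EOF'
600 tty 755 root
620 tty 755 root
660 utmp 2755 utmp
666 tty 755 root
EOF
}

if [ $# -ge 2 ]; then audit_live "$1" "$2"; else demo; fi
```

Run it with a tty and the screen binary as arguments (for example `/dev/tty1 /usr/bin/screen`) to check a live system after logging out and back in.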
[gentoo-user] Nouveau KMS Xorg-setup with multiple screens
Hello I have problems. I'm migrating from nvidia proprietary driver to nouveau driver because I want to utilize KMS. The server is connected to two separate displays in separate rooms. The first display is showing tv programs and mostly runs @50Hz frame rate. The second is displaying movies and hence runs at 23.97Hz. The programs sync to VBLANK! Nobody can stand the tearing of video without it! With nvidia and UMD I had two screens and everything worked perfectly. So with this setup it's necessary to have two screens, right? Is it possible to have 2 screens with KMS and nouveau driver? -- Matti
Re: [gentoo-user] RTL-tm NICs (Was RTL8192CU)
On Mar 21, 2015, at 12:06, German gentger...@gmail.com wrote: http://www.newegg.com/Product/Product.aspx?Item=N82E16833704045 I saw some recommendations on this one from people using linux The manufacturer doesn't support Linux officially. I would not buy a USB NIC unless that was the only choice! The chipset was not mentioned on the manufacturer's site but searching the net shows it is AR9271 and the module is ath9k_htc. On top of that you need to download atheros firmware and install that to your kernel. It has WPS setup. Some drivers with this have huge security hole that even if you disable WPS it remains on. If WPS is on there is practically no security in your WiFi network. In that case using a VPN is the only choice. I would not recommend it, but I have no personal experience with the particular chipset. Although I don't recommend WiFi either ;) ...without a proper VPN. -- -Matti
Re: [gentoo-user] RTL-tm NICs (Was RTL8192CU)
On Mar 19, 2015, at 20:46, Ralf ralf+gen...@ramses-pyramidenbau.de wrote: Hi, I had a rtl8192ce in my laptop. Nothing but problems with Linux. Don't know why, but the signal strength always was much better when using Windows. I've had nothing but problems with RTL-chipsets. But if you buy ~10$ NICs they just don't work like 400$ ones. No more Realtek WiFi cards for me. +1 -- -Matti
Re: [gentoo-user] How to poweroff the system from user?
On Mar 22, 2015, at 8:32, German gentger...@gmail.com wrote: /sbin/poweroff says Must be a superuser :( Did you read any of the previous messages? They told you that you have to have consolekit and polkit installed and configured for this to work! Also the use of sudo is another choice. If you want every user to be able to shut down just run this command: chmod 6755 /sbin/poweroff -- -Matti
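`chmod 6755 /sbin/poweroff` from the message above sets the setuid and setgid bits on a root-owned binary, so every local account runs it with root's effective UID. An added example, not part of the original message, that flags such files from `stat -c '%a %U %G %n'` output; the sample lines are constructed, and `/usr/local/sbin/poweroff-wrapper` and `/home/alice/bin/tool` are hypothetical paths.

```shell
#!/bin/sh
# Added example (not from the thread): list root-owned setuid binaries and who
# may execute them, from lines in the format of
#   stat -c '%a %U %G %n' FILE...

# flag_setuid_root: reads "MODE OWNER GROUP PATH" lines on stdin and prints
# "world PATH", "group:GROUP PATH" or "owner-only PATH" per setuid-root file.
flag_setuid_root() {
    while read -r mode owner group path; do
        # Skip anything that is not an octal mode followed by a path.
        case $mode in ''|*[!0-7]*) continue ;; esac
        [ -n "$path" ] || continue
        m=$(( 0$mode ))
        # Only setuid files owned by root hand callers root's effective UID.
        if [ $(( m & 04000 )) -eq 0 ] || [ "$owner" != root ]; then
            continue
        fi
        if [ $(( m & 01 )) -ne 0 ]; then
            echo "world $path"           # e.g. 6755 or 4755: any local user
        elif [ $(( m & 010 )) -ne 0 ]; then
            echo "group:$group $path"    # e.g. 4750: members of one group
        else
            echo "owner-only $path"
        fi
    done
    return 0
}

# audit_paths FILE...: run the check against real files (GNU stat assumed);
# files that do not exist are ignored.
audit_paths() {
    stat -c '%a %U %G %n' "$@" 2>/dev/null | flag_setuid_root
}

# Constructed sample: poweroff after the chmod from the thread, an untouched
# shutdown (mode 755 as in the ls -l output quoted elsewhere on this page),
# a group-restricted wrapper and a setuid file not owned by root.
sample() {
    cat <<'EOF'
6755 root root /sbin/poweroff
755 root root /sbin/shutdown
4750 root wheel /usr/local/sbin/poweroff-wrapper
4755 alice users /home/alice/bin/tool
EOF
}

if [ $# -gt 0 ]; then audit_paths "$@"; else sample | flag_setuid_root; fi
```

To check a live system, pass the four locations named in the thread: `/usr/bin/poweroff /bin/poweroff /sbin/poweroff /usr/sbin/poweroff`.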
Re: [gentoo-user] Overlay for wickr
On Mon, Mar 16, 2015 at 08:49:18AM +0200, Matti Nykyri wrote: On Mar 16, 2015, at 8:28, Mick michaelkintz...@gmail.com wrote: I've looked at zugaina too and didn't find anything, hence I asked here. I'll file a bug at some point, unless anyone beats me to it. Writing an ebuild to do the install is like 5 min job :) I'm now in a train only with a phone, but when I get home I can write you one. Just my opinion... I would never ever trust non open source encryption software. Everything published isn't true :)

Ok... Now I'm happily back home after circling around the World ;) Doing the ebuild was a bit more tricky... The program has bad bugs :( The wickr executable is linked against icu-52, but in the archive the libraries are libicui18n-53 - had to make symbolic link. Also the symbol table in wickr had to be altered. And the ebuild:

- Clip ---
EAPI=5

inherit eutils

DESCRIPTION="Wickr Top-Secret Messenger"
HOMEPAGE="https://www.wickr.com/downloads/"
SRC_URI="x86? ( http://mywickr.info/download.php?p=332 -> ${P}_i386.deb )
    amd64? ( http://mywickr.info/download.php?p=364 -> ${P}_amd64.deb )"
LICENSE=""
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="x86 amd64"

RDEPEND="sys-libs/glibc
    sys-devel/gcc
    sys-apps/util-linux
    media-sound/pulseaudio"

# The .deb is an ar archive; unpack it into ${S}.
src_unpack() {
    mkdir "${S}"
    cd "${S}"
    ar x "${DISTDIR}/${A}"
}

src_install() {
    cd "${D}"
    tar --same-owner --preserve-permissions -xof "${S}/data.tar.xz"
    if use x86 ; then
        MY_OFFSET=332312
    elif use amd64 ; then
        MY_OFFSET=393763
    fi
    # Overwrite a single byte of the wickr binary at the per-arch offset.
    echo 3 | dd of=usr/bin/wickr bs=1 count=1 seek=${MY_OFFSET} conv=notrunc
    # wickr is linked against icu-52, the archive ships libicui18n.so.53.
    cd usr/lib/wickr
    ln -s libicui18n.so.53 libicui18n.so.52
}
- Clip ---

After correcting those the software segfaults in libQt5core.so that is provided in the archive... So you probably need Qt5 installed. -- -Matti
Re: [gentoo-user] Overlay for wickr
On Mar 16, 2015, at 8:28, Mick michaelkintz...@gmail.com wrote: I've looked at zugaina too and didn't find anything, hence I asked here. I'll file a bug at some point, unless anyone beats me to it. Writing an ebuild to do the install is like 5 min job :) I'm now in a train only with a phone, but when I get home I can write you one. Just my opinion... I would never ever trust non open source encryption software. Everything published isn't true :) -- -Matti
Re: [gentoo-user] Screen: Cannot open your terminal '/dev/tty1' - please check [Update]
On Mar 14, 2015, at 12:47, German gentger...@gmail.com wrote: On Sat, 14 Mar 2015 10:33:59 + Neil Bothwick n...@digimed.co.uk wrote: On Sat, 14 Mar 2015 06:08:34 -0400, German wrote: Forget about chmod 770. Better do a chmod g+rw. :-) Tried it, it also doesn't stay permanently. OK, no solution :( The correct solution is a udev rule, but it appears that something may be overriding that when you login. I have the same udev rule. Yes, something is overriding it. A kludgy solution is to add the chmod command to ~/.bash_profile. Don't hit your head to a brick wall. A small strace to the login process reveals that login set things as you tell it to in /etc/login.defs In this file change the line: TTYPERM 0600 To: TTYPERM 0620 And your problem is fixed. The problem has nothing to do with udev. If you don't like a volatile /dev just remove udev and create everything you want by hand (not recommended ;) Another thing I'm puzzled by is, why do you want to login as root and then su to someone else? I usually do it the other way around... -- -Matti
Re: [gentoo-user] CSV or mysql table as spreadsheet-like web page
On Mar 24, 2015, at 17:21, hw h...@gartencenter-vaehning.de wrote: Hi, how would you go about creating a web page from either a CSV file or a table in a mysql database which presents the data to a user and lets them edit some of the data, preferably with the ability to use formulas like you can in a spreadsheet to do some calculations on the fly? A php script that does that kind of table drawing is really easy :) Editing the content is harder... You have to think how you want to do it. HTML has its limitations :/ Once editing the data is finished, it should all be saved to a table in a database or as a CSV file. Design it so that you know for certain which cells the user has edited so you don't need to overwrite the entire table even if the table has changed in between. Many things depend on the size of your table. Raw non-relational database is really easy to interface even with html. Excel can do a table with 2^16 rows and few hundred columns. With mysql you can easily do like a million rows :) design the database so that it has a separate value for the user typed cell content and another for the displayable result of the content. Is there some php script or the like which can do this or get me started? Well I would never use HTML for real work, it is for free-time (facebook etc). Qt has a really good frontend for working with mysql table. It is fast and supports getting rows asynchronously in the background and in the specified range. With a qt frontend the gui looks much better and unified than with a web-browser. -- -Matti