Re: [gentoo-user] Re: scripted iptables-restore

2013-10-14 Thread Michael Orlitzky
On 10/14/2013 02:49 PM, Martin Vaeth wrote:
 
 Hiding the salt would just be security through obscurity.
 
 And yet it is stupid if you do not do it and give away a
 huge constant factor for no advantage.
 

(I'll just agree to disagree about the rest.)

Keeping the salt secret makes your application more complex. Rather than
SELECT hash, salt FROM users WHERE..., you now have to SELECT hash
FROM users WHERE... and then pull the salt from somewhere else. (Where?
The filesystem? Do you encrypt that? How?)

What's stupid is going to all that effort for a 2x improvement when you
could twiddle a bit and get a 340282366920938463463374607431768211456x
improvement.




[gentoo-user] salt has Gentoo support

2013-10-01 Thread Grant
I've been researching the very well-regarded configuration management
framework 'salt' and I wanted to report that it has Gentoo support:

Portage Config Module:
http://docs.saltstack.com/ref/modules/all/salt.modules.portage_config.html

Portage Config State:
http://docs.saltstack.com/ref/states/all/salt.states.portage_config.html

ebuild module: 
http://docs.saltstack.com/ref/modules/all/salt.modules.ebuild.html

- Grant



Re: [gentoo-user] Re: scripted iptables-restore

2013-10-14 Thread Alan McKinnon
On 14/10/2013 21:17, Michael Orlitzky wrote:
 On 10/14/2013 02:49 PM, Martin Vaeth wrote:

 Hiding the salt would just be security through obscurity.

 And yet it is stupid if you do not do it and give away a
 huge constant factor for no advantage.

 
 (I'll just agree to disagree about the rest.)
 
 Keeping the salt secret makes your application more complex. Rather than
 SELECT hash, salt FROM users WHERE..., you now have to SELECT hash
 FROM users WHERE... and then pull the salt from somewhere else. (Where?
 The filesystem? Do you encrypt that? How?)
 
 What's stupid is going to all that effort for a 2x improvement when you
 could twiddle a bit and get a 340282366920938463463374607431768211456x
 improvement.
 
 


Keep in mind the actual original purpose of a salted hash.

If two users happen to use the same password[1], the hashes are the same
and this is revealed to anyone who can read /etc/passwd[2] i.e. everyone.
Salt obscures this 1-to-1 mapping and does it in a way that it is not
computationally worthwhile to try to get around it for the general
case[3]. It's not quite the same thing as security by obscurity - that
is hiding something in a place you think no-one will think of looking
but usually turns out to be viable to try and guess. Salt works because
brute force now doesn't need just one expensive calculation, it needs
many thousands of expensive calculations.

If the actual problem is that salt is inadequate, the solution is not to
try and hide it, but to use a more complex hashing algorithm with larger
salt. It's a race between white and black hats - they build bigger and
better rainbow tables, we implement bigger and better hashes. The
constraint is how much cpu grunt is available for purchase at a
realistic cost.


[1] This is not uncommon. The domain size of all possible passwords for
an implementation is very very large. Human psychology says that the
actual domain size of passwords people will pick is a tiny fraction of
the whole. Hence salt.

[2] Nowadays we use shadow, but the development of salt pre-dates shadow

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] iscsitarget or targetcli?

2015-01-29 Thread Andrea Conti
 What is the difference between the kernel-stuff (targetcli is only the
 config-tool) and scst?

http://scst.sourceforge.net/comparison.html

It was written by the SCST team, so it should be taken with a grain of
salt; it is nonetheless a useful overview of the alternatives out there.

andrea




Re: [gentoo-user] problem installing confluent-kafka from guru

2022-02-22 Thread Matt Connell (Gmail)
On Tue, 2022-02-22 at 10:02 +0300, Anatoly Oreshkin wrote:
> The following package(s) were not found, and no possible matches were
> found in the package db: dev-python/confluent-kafka.

I've never used a gentoo system with salt stack, but I had a thought. 
Salt can be picky with package names sometimes.

Try specifying the package name this way, with the repository
explicitly specified:

dev-python/confluent-kafka::guru





Re: [gentoo-user] Grub md5crypt broken

2007-08-20 Thread Don Jerman
On 8/20/07, Dan Cowsill [EMAIL PROTECTED] wrote:
 I started having problems with my boot password not too long after I
 changed it and I stumbled upon something altogether weird.

 The following is a copy of what grub is giving me for an md5 hash:

 --

 grub md5crypt

 Password: 
 Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0

 grub md5crypt

 Password: 
 Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0

 grub md5crypt

 Password: 
 Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0

 grub md5crypt

 Password: 
 Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91

 grub

 --

 Now, keep in mind that the word I'm typing is 'test'.  No
 capitalization, no spaces, no nonsense.  And yet the hashes md5crypt
 returns are all different.  Now, that's no good if you ask me.

These are all password-recognizers, not md5 hash strings (ok, they are
in part).

The $1$ identifies a salt lead-in, the next part is the salt for your
password (generated randomly) up to the next $, then the hash of your
password + salt (to the end of the string).  Given the secret salt,
Grub (or anything else using this method) can combine it with the
candidate password and check the hash.  But since the salt is random
you get a different hash every time.

This behavior is desirable in case you have two or more password
recognizers in the same config file (or in files accessible to the
same untrusted reader).  It prevents identical passwords from being
detected (as you demonstrated) by reading the recognizer strings.

So no, not broken, just not what you expected.
-- 
[EMAIL PROTECTED] mailing list
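The "$1$salt$hash" strings above are the Unix md5crypt format, which grub-legacy's md5crypt command shares with crypt(3). As an added example (not grub's code), here is a standard-library re-implementation of that algorithm together with a parser and a verifier, so the split into magic, salt and hash that Don describes can be checked against the four strings from the post. Everything but the algorithm itself (function names, the 8-character random salt in new_recognizer) is this example's own choice.

```python
"""md5crypt ("$1$<salt>$<hash>") generation, parsing and verification.
Added example; a pure-Python version of the FreeBSD md5crypt algorithm, not grub's code."""
import hashlib
import secrets

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_CHARS = ITOA64.decode()

# The four recognizers from the post above, all generated from the password "test"
POSTED = [
    "$1$vhwK6$dV.xpYBymjq7.cZVnFZYe0",
    "$1$miwK6$BKU11//PyeKMxtgiCbEeZ0",
    "$1$njwK6$3KqXwDtPqGm6cBGQgSl2.0",
    "$1$YkwK6$QCQguFhrGofbJXYnA62J91",
]


def _to64(value, count):
    """crypt-style base64: emit `count` characters, 6 bits each, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return '$1$<salt>$<22 chars>' for the password; salt is cut to 8 characters."""
    pw = password.encode()
    sp = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)                       # mix in len(pw) bytes of the alternate sum
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)                               # one byte per bit of the password length
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return (MAGIC + sp + b"$" + enc).decode()


def parse(recognizer):
    """Split '$1$<salt>$<hash>' into (scheme id, salt, hash)."""
    parts = recognizer.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt string")
    return parts[1], parts[2], parts[3]


def new_recognizer(password):
    """Fresh random 8-character salt each time, so equal passwords never look alike."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(8))
    return md5crypt(password, salt)


def verify(password, recognizer):
    """Recompute with the stored salt and compare in constant time."""
    _, salt, _ = parse(recognizer)
    return secrets.compare_digest(md5crypt(password, salt), recognizer)


if __name__ == "__main__":
    for r in POSTED:
        print(r, "salt =", parse(r)[1], "matches 'test':", verify("test", r))
    a, b = new_recognizer("test")
    print("fresh salts differ:", a != b, "both verify:", verify("test", a) and verify("test", b))
```

Running it verifies the four posted strings against "test" and shows why they all differ: only the salt between the second and third "$" changes, and the verifier reads it back from the string, so nothing about the salt needs to be secret for the check to work.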



Re: [gentoo-user] Grub md5crypt broken

2007-08-20 Thread Dan Cowsill
On 8/20/07, Don Jerman [EMAIL PROTECTED] wrote:
 On 8/20/07, Dan Cowsill [EMAIL PROTECTED] wrote:
  I started having problems with my boot password not too long after I
  changed it and I stumbled upon something altogether weird.
 
  The following is a copy of what grub is giving me for an md5 hash:
 
  --
 
  grub md5crypt
 
  Password: 
  Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
 
  grub md5crypt
 
  Password: 
  Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
 
  grub md5crypt
 
  Password: 
  Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
 
  grub md5crypt
 
  Password: 
  Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
 
  grub
 
  --
 
  Now, keep in mind that the word I'm typing is 'test'.  No
  capitalization, no spaces, no nonsense.  And yet the hashes md5crypt
  returns are all different.  Now, that's no good if you ask me.

 These are all password-recognizers, not md5 hash strings (ok, they are
 in part).

 The $1$ identifies a salt lead-in, the next part is the salt for your
 password (generated randomly) up to the next $, then the hash of your
 password + salt (to the end of the string).  Given the secret salt,
 Grub (or anything else using this method) can combine it with the
 candidate password and check the hash.  But since the salt is random
 you get a different hash every time.

 This behavior is desirable in case you have two or more password
 recognizers in the same config file (or in files accessible to the
 same untrusted reader).  It prevents identical passwords from being
 detected (as you demonstrated) by reading the recognizer strings.

 So no, not broken, just not what you expected.
 --
 [EMAIL PROTECTED] mailing list



Right, not what I expected to be sure.  I would like to know how they
did that, though!

Thanks for enlightening me,
Dan

-- 
Dan Cowsill
http://www.danthehat.net



Re: [gentoo-user] Ansible, puppet and chef

2014-09-17 Thread J. Roeleveld

On Wednesday, September 17, 2014 12:19:37 PM Eray Aslan wrote:
 On Tue, Sep 16, 2014 at 10:43:18PM +0200, Alan McKinnon wrote:
  Puppet seems to me a good product for a large site with 1000 hosts.
  Not so much for ~20 or so.
 
 I find that for a few machines, puppet is overkill.  For a lot of
 machines, puppet can become unmanageable - with puppet master and
 security being the culprit.
 
 We have used puppet a lot but recently settled on salt (strictly
 speaking not my decision so cannot really compare it with ansible) and
 we are happy with the outcome.  You might want to consider
 app-admin/salt as well.

Looks good (had a really quick look).
From what I read (and please correct me if I'm wrong), a difference between 
salt and ansible is:

Salt requires a daemon to be installed and running on all machines
and the versions need to be (mostly) in sync

For Alan, this might work, but for my situation it wouldn't, as I'd need to 
keep various VMs in sync with the rest where I'd prefer to simply clone them 
and then enforce changes. Relying on SSH and powershell makes that simpler.

But, it does mean that all nodes need to have incoming ports open. With Salt, 
all nodes connect back to the master. This allows a tighter security.

--
Joost



Re: [gentoo-user] Running Gentoo in VirtualBox

2017-12-31 Thread Alec Ten Harmsel
On Sun, Dec 31, 2017 at 12:40:43PM -0700, the...@sys-concept.com wrote:
> I'm using Gentoo as a server (so it runs 24/7) Apache, Asterisk, Hylafax
> etc.
> 
> What are my chances to run Gentoo as a VirtualBox?
> 
> Installing Gentoo takes me 2-3 days (basic setup min., I don't do it
> every month so I have to go through Gentoo handbook); to configure it
> the way I want it takes another week or two.

Instead of running Gentoo with VirtualBox and backing up the image, I'd
recommend storing your configurations in a git repo and using ansible[1]
or salt[2] to deploy them when you need to.

Also, if you ever expand to more than 1 server, these tools make even
more sense. I use salt for my personal setup, which is 1 server and 1
laptop (I have 2-3 more servers that I need to get set up someday...),
but salt is simpler and no less powerful.

Hope this helps,

Alec

1. https://www.ansible.com/
2. https://saltstack.com/



Re: [gentoo-user] Ansible, puppet and chef

2014-09-17 Thread Eray Aslan
On Tue, Sep 16, 2014 at 10:43:18PM +0200, Alan McKinnon wrote:
 Puppet seems to me a good product for a large site with 1000 hosts.
 Not so much for ~20 or so.

I find that for a few machines, puppet is overkill.  For a lot of
machines, puppet can become unmanageable - with puppet master and
security being the culprit.

We have used puppet a lot but recently settled on salt (strictly
speaking not my decision so cannot really compare it with ansible) and
we are happy with the outcome.  You might want to consider
app-admin/salt as well.

-- 
Eray



Re: [gentoo-user] Windows-only wireless AP?

2009-07-08 Thread Stroller


On 8 Jul 2009, at 15:51, J. Roeleveld wrote:

...
Take the following with the usual grain of salt.
I don't use WPA myself, but I have seen issues with WEP-passwords where not
all systems convert it to the hash-value in the same way.

Try using the HEX-value for the WPA password rather than the plain-text
version.


I'm pretty sure that only applies to WEP *not* to WPA.

Stroller.



Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev

2014-05-12 Thread Matti Nykyri
On May 7, 2014, at 21:57, J. Roeleveld jo...@antarean.org wrote:

 The create and remove commands with LUKS also require root. They use a 
 session manager in desktop environments to allow users to do it. Sudo with a 
 secure wrapper script might be sufficient for you?
 
 I was wondering. What is the actual reason why cryptsetup has a LUKS and 
 non-LUKS set of options?

Well, that is of course to let you have control over how the encryption is 
done.

From the kernel's point of view the disk encryption is just bare encryption with 
the given parameters. These include the cipher (AES etc), the mode (CBC, CTR 
etc), Initialization Vector (IV) creation (ESSIV etc) and last but not least 
the key that is used with the cipher. Now without LUKS cryptsetup just sets 
these parameters and you have to provide them each time to cryptsetup when you 
are using your encrypted volume.

With LUKS cryptsetup will store all these parameters in a binary format. By 
default this binary data is stored at the beginning of the disk. The kernel then 
only uses the remaining disk space for encryption. The binary data at the 
beginning of the disk is not encrypted because the setup would then be 
unreadable.

When you set up a LUKS partition, cryptsetup creates a random key used for 
encrypting the partition. Using a random key for disk encryption is an absolute 
MUST! A hash of this key is stored in the binary data to do key verification. By 
default a 128k salt is created for each password you wish to use to access the 
disk (anti forensics). The disk key is then encrypted with the salt and the 
password. The salt and the encrypted key are stored in the binary data.

If the salt is lost, the disk key is lost and recovery of your data is 
virtually impossible with only your password. With only the password it is 
impossible to decrypt the disk. If you have a backup of the disk key, with that 
key you can decrypt the disk without the password.

All the steps done by LUKS are necessary for a proper disk encryption! If you 
do not use LUKS you need to write your own software to do the necessary steps! 
Cryptsetup without LUKS uses just a plain hash function without a salt to 
derive disk key from your password. The entropy in this kind of key creation is 
not nearly enough for secure disk encryption!

Unless you know what you are doing use LUKS.

-- 
-Matti
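The key hierarchy Matti describes (random master key, per-passphrase salt, master key wrapped under the passphrase, a digest of the master key for verification) can be modelled in a few dozen lines. The following is an added example and is neither cryptsetup's code nor the on-disk LUKS format: the master key is wrapped by XOR with a PBKDF2-derived pad instead of being AES-encrypted, the anti-forensic splitter is left out, and the header field names and the ITERATIONS value are this example's own assumptions. What it does preserve is the behaviour the post spells out: the passphrase never becomes the disk key, a passphrase can be revoked without re-encrypting anything, a backed-up master key works without any passphrase, and a slot whose salt is lost is unrecoverable.

```python
"""Toy model of the LUKS key hierarchy: random master key, passphrase slots,
master-key digest. Added example; not cryptsetup's code or the LUKS on-disk format."""
import hashlib
import hmac
import secrets

KEY_BYTES = 32
ITERATIONS = 20_000          # per-slot PBKDF2 cost (assumed; cryptsetup benchmarks this)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kdf(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, KEY_BYTES)


class Header:
    """Header fields are stored in the clear: salts, iteration counts, wrapped keys
    and the master-key digest. Nothing in here is secret on its own."""

    def __init__(self):
        self.digest_salt = secrets.token_bytes(32)
        self.digest_iterations = ITERATIONS
        self.master_key_digest = b""
        self.slots = []          # each: {"salt": bytes, "iterations": int, "wrapped": bytes}


def luks_format(passphrase):
    """Create a header with one key slot. Returns (header, master_key).
    The master key is random and never derived from the passphrase."""
    master_key = secrets.token_bytes(KEY_BYTES)
    hdr = Header()
    hdr.master_key_digest = _kdf(master_key, hdr.digest_salt, hdr.digest_iterations)
    luks_add_key(hdr, master_key, passphrase)
    return hdr, master_key


def luks_add_key(hdr, master_key, passphrase):
    """New slot: fresh salt, master key wrapped under KDF(passphrase, salt).
    (XOR wrap stands in for the AES encryption real LUKS uses.)"""
    salt = secrets.token_bytes(32)
    wrapped = _xor(master_key, _kdf(passphrase, salt, ITERATIONS))
    hdr.slots.append({"salt": salt, "iterations": ITERATIONS, "wrapped": wrapped})


def master_key_matches(hdr, candidate):
    """Digest check: how a slot's unwrap result, or a backed-up master key,
    is recognised as the real one."""
    digest = _kdf(candidate, hdr.digest_salt, hdr.digest_iterations)
    return hmac.compare_digest(digest, hdr.master_key_digest)


def luks_open(hdr, passphrase):
    """Try each slot; return the master key, or None if no slot unwraps correctly."""
    for slot in hdr.slots:
        candidate = _xor(slot["wrapped"], _kdf(passphrase, slot["salt"], slot["iterations"]))
        if master_key_matches(hdr, candidate):
            return candidate
    return None


def luks_kill_slot(hdr, index):
    """Removing a slot revokes its passphrase; the encrypted data is untouched."""
    del hdr.slots[index]


def lose_salt(hdr, index):
    """Model header damage: the slot's salt is gone, so its passphrase no longer unwraps."""
    hdr.slots[index]["salt"] = bytes(32)


if __name__ == "__main__":
    hdr, mk = luks_format(b"correct horse battery staple")
    print("right passphrase opens:", luks_open(hdr, b"correct horse battery staple") == mk)
    print("wrong passphrase opens:", luks_open(hdr, b"hunter2") is not None)
    luks_add_key(hdr, mk, b"second passphrase")
    luks_kill_slot(hdr, 0)
    print("first passphrase after kill:", luks_open(hdr, b"correct horse battery staple"))
    print("second still opens:", luks_open(hdr, b"second passphrase") == mk)
    print("backup master key bypasses passphrases:", master_key_matches(hdr, mk))
    lose_salt(hdr, 0)
    print("second passphrase after losing its salt:", luks_open(hdr, b"second passphrase"))
```

Note what the digest buys: without it, a wrong passphrase would simply unwrap to a wrong key and the caller would mount garbage; with it, luks_open can reject the passphrase before the disk is touched. The same digest is what lets a master-key backup be checked and used without any passphrase at all, which is why such a backup needs the same protection as the data.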





Re: [gentoo-user] Ansible, puppet and chef

2014-09-17 Thread Alan McKinnon
On 17/09/2014 11:34, J. Roeleveld wrote:
 
 On Wednesday, September 17, 2014 12:19:37 PM Eray Aslan wrote:
 On Tue, Sep 16, 2014 at 10:43:18PM +0200, Alan McKinnon wrote:
 Puppet seems to me a good product for a large site with 1000 hosts.
 Not so much for ~20 or so.

 I find that for a few machines, puppet is overkill.  For a lot of
 machines, puppet can become unmanageable - with puppet master and
 security being the culprit.

 We have used puppet a lot but recently settled on salt (strictly
 speaking not my decision so cannot really compare it with ansible) and
 we are happy with the outcome.  You might want to consider
 app-admin/salt as well.
 
 Looks good (had a really quick look).
From what I read (and please correct me if I'm wrong), a difference between 
 salt and ansible is:
 
 Salt requires a daemon to be installed and running on all machines
 and the versions need to be (mostly) in sync
 
 For Alan, this might work, but for my situation it wouldn't, as I'd need to 
 keep various VMs in sync with the rest where I'd prefer to simply clone them 
 and then enforce changes. Relying on SSH and powershell makes that simpler.
 
 But, it does mean that all nodes need to have incoming ports open. With Salt, 
 all nodes connect back to the master. This allows a tighter security.


I'm not too stressed either way. All my hosts run sshd anyway and the
security is not in whether tcp22 is open or not, it's in what I put in
sshd_config. With the puppet design, the puppet daemon must be running
(or a cronjob) and puppet can self host that along with nrpe, munin and
all the other crap that gets installed so I can do my job :-)


My issue with puppet is not its network architecture but with its
convoluted config language that I can't wrap my brains around. Plus the
re-use of similar keywords to mean quite different things meaning I have
to read 5 topics in the manual to get stuff working. Nagios btw has the
same problem hence why I'm switching to Icinga 2 which fixes Nagios's
config language once and for all.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] problem installing confluent-kafka from guru

2022-02-23 Thread Anatoly Oreshkin
Hi,
Unfortunately specifying dev-python/confluent-kafka::guru hasn't helped.
I've received the same error message:
          ID: dev-python/confluent-kafka
    Function: pkg.installed
        Name: dev-python/confluent-kafka::guru
      Result: False
     Comment: The following package(s) were not found, and no possible
              matches were found in the package db: dev-python/confluent-kafka::guru
     Started: 08:23:53.928495
    Duration: 61.712 ms
     Changes:





Tue, 22 Feb 2022 at 17:42, Matt Connell (Gmail) <matthewdconn...@gmail.com>:

> On Tue, 2022-02-22 at 10:02 +0300, Anatoly Oreshkin wrote:
> > The following package(s) were not found, and no possible matches were
> > found in the package db: dev-python/confluent-kafka.
>
> I've never used a gentoo system with salt stack, but I had a thought.
> Salt can be picky with package names sometimes.
>
> Try specifying the package name this way, with the repository
> explicitly specified:
>
> dev-python/confluent-kafka::guru
>
>
>
>


Re: [gentoo-user] Serious problem with linode vm

2013-04-15 Thread Tanstaafl

On 2013-04-15 2:02 PM, Michael Mol mike...@gmail.com wrote:

Were this one of my systems (none of which is in a prod scenario, so
take it with a grain of salt), I'd emerge -e --keep-going @system, and
then emerge --resume a few times. You're stuck in something not unlike a
bootstrap scenario.


Ok, before I start...

Michael, if this were you, would you use the 32bit or 64bit kernel when 
doing the emerge -e --keep-going system?


Again, the system was initially rolled out and was always 32 bit...




Re: [gentoo-user] iscsitarget or targetcli?

2015-01-29 Thread J. Roeleveld
On Thursday, January 29, 2015 02:23:14 PM Andrea Conti wrote:
  What is the difference between the kernel-stuff (targetcli is only the
  config-tool) and scst?
 
 http://scst.sourceforge.net/comparison.html
 
 It was written by the SCST team, so it should be taken with a grain of
 salt; it is nonetheless a useful overview of the alternatives out there.
 
 andrea

I found a few comparisons like that. I would prefer one from an independent 
source as both SCST and linux-iscsi.org (which seems to promote LIO/targetcli) 
both paint the picture theirs is stable and the other one might be

--
Joost



Re: [gentoo-user] disaster recovery - planning

2017-03-20 Thread Alec Ten Harmsel


On 20/03/2017 at 05:15 p.m., the...@sys-concept.com wrote:

Besides standard "data" backup, if I was to plan for a disaster
recovery; what to include in a backup system if I was to rebuild a new box?

- /etc
- /var/lib/portage/world
- /usr/src/linux/.config


These three should be pushed out with a configuration management 
tool/system like Salt or Ansible in my opinion and committed in a git 
repo instead of being backed up.



Alec



Re: [gentoo-user] problem installing confluent-kafka from guru

2022-02-23 Thread Matt Connell (Gmail)
On Wed, 2022-02-23 at 11:28 +0300, Anatoly Oreshkin wrote:
> Unfortunately specifying dev-python/confluent-kafka::guru hasn't
> helped.

Unfortunately I don't have any better ideas.  I've had more problems
with the pkg.installed state than any other single thing in Salt.

If your states don't need to be extended to other platforms, you could
just resort to cmd.run again.  Seems you're already doing that with
emaint anyway.




[gentoo-user] [ot] python + http authentication (with cherrypy)

2008-07-07 Thread James
Hi All,

I'm writing a web application in CherryPy. What a beautiful thing it
is to write Python code and get a simple yet powerful web output. :)

The web application needs to have some decent level of security and
authentication implemented.

The big issue here is that the user password is stored in a database
and algorithmically calculated as follows:
md5( md5( $password ) + salt )

The salt is also stored in the database (which I have full access to).
I can easily use the md5 library to compare what a user gives me and
see if that's the correct password (based on the salt and the stored
password in the database). I'm unsure, however, how to go about
implementing security into my web application.

CherryPy obviously has a 'session' library in it. But in the periods
of time I've researched writing web applications in the past
(primarily when dealing with PHP), there was always great debate in
how to write a good secure web application. (i.e., it becomes tricky
when determining what precisely you should be passing around in terms
of session variables).

Thoughts? Am I going about this the wrong way? It would be much easier
to use either digest or basic http authentication mechanisms, but I
don't think that this is possible because of the fact that the
password is double-hashed in the database (or am I wrong?).

Any help appreciated. :o)

-j



Re: [gentoo-user] [ot] python + http authentication (with cherrypy)

2008-07-07 Thread Anielkis Herrera Gonzalez
Did you try Django as a web framework?

On Mon, 07-07-2008 at 21:15 -0400, James wrote:
 Hi All,
 
 I'm writing a web application in CherryPy. What a beautiful thing it
 is to write Python code and get a simple yet powerful web output. :)
 
 The web application needs to have some decent level of security and
 authentication implemented.
 
 The big issue here is that the user password is stored in a database
 and algorithmically calculated as follows:
 md5( md5( $password ) + salt )
 
 The salt is also stored in the database (which I have full access to).
 I can easily use the md5 library to compare what a user gives me and
 see if that's the correct password (based on the salt and the stored
 password in the database). I'm unsure, however, how to go about
 implementing security into my web application.
 
 CherryPy obviously has a 'session' library in it. But in the periods
 of time I've researched writing web applications in the past
 (primarily when dealing with PHP), there was always great debate in
 how to write a good secure web application. (i.e., it becomes tricky
 when determining what precisely you should be passing around in terms
 of session variables).
 
 Thoughts? Am I going about this the wrong way? It would be much easier
 to use either digest or basic http authentication mechanisms, but I
 don't think that this is possible because of the fact that the
 password is double-hashed in the database (or am I wrong?).
 
 Any help appreciated. :o)
 
 -j
-- 


   Ing. Anielkis Herrera González
   Nova developer
 Linux User #377809

Universidad de las Ciencias Informáticas
Cuba





Re: [gentoo-user] Luks: Which cipher to use

2009-09-09 Thread Mike Kazantsev
On Tue, 8 Sep 2009 11:21:12 +0200
Marco listwo...@gmail.com wrote:

 I am about to encrypt my external hard drive. I found the howtos
 http://de.gentoo-wiki.com/wiki/DM-Crypt and
 http://de.gentoo-wiki.com/wiki/DM-Crypt/Daten-Partition_verschl%C3%BCsseln
 (sorry, German...). They give a good understanding of how to do the
 stuff, but I am unsure about which cipher to use. LRW is considered
 insecure in some cases so thus it should be replaced by XTS which is
 experimental though... Furthermore, if using XTS is used, there is
 different options like xts-plain, xts-benbi, xts-essiv:sha256. Which
 option is preferable? What about the key size? Is there any relation
 between key size and block size of the file system in terms of data
 security?


I might be wrong here, since I'm not a crypto expert, so feel free to
correct, but here's how I see it...


From dm-crypt.c:

  Different IV generation algorithms:
  
  plain: the initial vector is the 32-bit little-endian version of the sector
 number, padded with zeros if necessary.
  
  essiv: encrypted sector|salt initial vector, the sector number is
 encrypted with the bulk cipher using a salt as key. The salt
 should be derived from the bulk cipher's key via hashing.
  
  benbi: the 64-bit big-endian 'narrow block'-count, starting at 1
 (needed for LRW-32-AES and possible other narrow block modes)
  
  null: the initial vector is always zero.  Provides compatibility with
obsolete loop_fish2 devices.  Do not use for new devices.

IV (Initialization Vector) is just a piece of random data to mix with
stuff-to-encrypt for a disk block, so two blocks encrypted by the same
key won't look the same. Obviously, you need to know it to get the data
back.
Some sort of salt for a stream cipher, but it doesn't get recorded
anywhere, being calculated on-the-fly by one of the above methods.

Note that the 'always zero' approach would produce unsalted data, so not
only can the blocks be identified, but also swapped - root-owned data
can be pushed into some /tmp file (say, at night), which will be
accessible by some malicious code after you enter the key.

Plain and benbi seem to be simple counters, the second one probably just
a multiple of the first, counting cipher blocks instead of disk blocks.
These rule out the former case, but allow writing similar blocks of
data, which can later be easily found on disk, especially if the length
of data between them is known, since the IV is absolutely predictable.

ESSIV, on the other hand, uses the hash of these counters with the key
itself to salt the IV, so it seems to rule out all the aforementioned
vulnerabilities. Hash strength here ensures that it can't be turned
into the former 'plain counters' case due to hash collision.


XTS/LRW/CBC/... are methods to encrypt a single data block to a disk
block. Since data is read in blocks, the block also seems to be the atomic
unit of data encryption - everything is en-/decrypted in whole blocks
when read/written from/to disk.

These methods further divide the disk block into smaller units to
ensure that there won't be a (similar to the above) case when two
similar, say, 16-byte pieces in a single 512k disk block would look
identical, otherwise some data with such watermarks can be generated
and proven to be on this disk - whole blocks can be marked with them,
so they can later be found, along with any known data between them.

They also mix the key with some generated salt for these units.
CBC relies on plain data, so it can be broken by crafted data. LRW also
seems to suffer from some known vulnerabilities, so XTS seems to be the
best and recommended one.


And the first part of some definition like serpent-lrw-benbi is the
cipher itself - the method of mixing the key with data, so they can't
be easily separated.
There are plenty of cipher benchmarks out there (openssl has one
built-in) and the vulnerabilities are quite well known.

Rijndael, known as AES, being the standard, is very fast, but is
subject to all sorts of scrutiny.
The last thing I heard is that AES-256 is actually easier to break (although
it hasn't gone that far) than AES-128, but that stuff can be easily
found on regular newsfeeds.


-- 
Mike Kazantsev // fraggod.net
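The three IV modes from the dm-crypt.c comment quoted above, and the block-identification and block-swap problems Mike describes for the 'always zero' case, can be exercised end to end. The following is an added example, not dm-crypt's code: a 4-round Feistel network built on HMAC-SHA256 stands in for AES so the example needs only the standard library, sectors are CBC-chained per 512-byte sector as dm-crypt does, and the IV generators follow the quoted definitions (plain: 32-bit little-endian sector number, zero padded; essiv: that value encrypted under a hash of the bulk key). The key and the sector contents are constructed for the demo.

```python
"""dm-crypt style CBC IV modes (null / plain / essiv) on a toy block cipher.
Added example with a Feistel stand-in for AES; not dm-crypt's code."""
import hashlib
import hmac
import struct

BLOCK = 16        # cipher block size, as for AES
SECTOR = 512      # dm-crypt chains CBC per 512-byte sector
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    """Round function of the toy cipher: keyed hash of one half, truncated to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte block cipher: 4-round Feistel network over HMAC-SHA256 (stand-in for AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, sector):
    out, prev = [], iv
    for i in range(0, len(sector), BLOCK):
        prev = block_encrypt(key, _xor(sector[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, sector):
    out, prev = [], iv
    for i in range(0, len(sector), BLOCK):
        cur = sector[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


# IV generators, following the dm-crypt.c comment quoted in the post
def iv_null(key, sector_no):
    return bytes(BLOCK)


def iv_plain(key, sector_no):
    """32-bit little-endian sector number, zero padded: predictable by anyone."""
    return struct.pack("<I", sector_no & 0xFFFFFFFF).ljust(BLOCK, b"\0")


def iv_essiv(key, sector_no):
    """Sector number encrypted under sha256(bulk key): unpredictable without the key."""
    return block_encrypt(hashlib.sha256(key).digest(), iv_plain(key, sector_no))


IV_MODES = {"null": iv_null, "plain": iv_plain, "essiv": iv_essiv}


def encrypt_sectors(key, mode, sectors):
    return [cbc_encrypt(key, IV_MODES[mode](key, n), s) for n, s in enumerate(sectors)]


def decrypt_sectors(key, mode, sectors):
    return [cbc_decrypt(key, IV_MODES[mode](key, n), s) for n, s in enumerate(sectors)]


# Constructed demo data: a root-owned secret at sectors 0 and 1, a /tmp file at sector 2
KEY = hashlib.sha256(b"demo bulk key").digest()
SECRET = b"root: shadow copy, keep private".ljust(SECTOR, b"\0")
PUBLIC = b"/tmp/scratch".ljust(SECTOR, b"\0")


def analyse(mode):
    """Encrypt [SECRET, SECRET, PUBLIC]; then an attacker who cannot read the key
    copies the ciphertext of sector 0 over sector 2 and we see what decrypts there."""
    ct = encrypt_sectors(KEY, mode, [SECRET, SECRET, PUBLIC])
    tampered = [ct[0], ct[1], ct[0]]
    pt = decrypt_sectors(KEY, mode, tampered)
    return {
        "duplicate_sectors_visible": ct[0] == ct[1],           # equal plaintext -> equal ciphertext?
        "moved_sector_readable": pt[2] == SECRET,              # does the swap attack succeed?
        "tail_survives_move": pt[2][BLOCK:] == SECRET[BLOCK:], # CBC only garbles the first block
    }


if __name__ == "__main__":
    for mode in IV_MODES:
        print(mode, analyse(mode))
    print("essiv IV depends on the key:", iv_essiv(KEY, 1) != iv_essiv(b"other key", 1))
```

With null IVs the two identical sectors produce identical ciphertext and the relocated sector decrypts cleanly in its new place, which is exactly the root-data-into-/tmp move described above. Plain and ESSIV IVs both hide the duplicate and both break the relocated sector's first block, but note the last line of analyse: CBC re-synchronises after one block, so the rest of a moved sector still decrypts. Per-sector IVs stop the cheap copy attack; they are not integrity protection, which is a separate property neither mode provides.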




Re: [gentoo-user] Re: [OT] Seamonkey and LastPass

2009-12-01 Thread Willie Wong
On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
 chrome://messenger/locale/messengercompose/composeMsgs.properties:
 There is a tool I've used in the past called PasswordMaker. It uses a 
 master password and a flexible set of parameters to generate passwords and 
 if necessary, enter them on a site.

snip

 Once you enter the master password and select the appropriate settings 
 (length, character set, hashing algorithm etc etc), the password will be 
 generated. You can also use the current website as a salt, so using the 
 same settings will yield a different password for different sites.

Isn't this just security by obscurity? You still use the same master
password: so finding out the one password is enough to break into ALL
your sites. The only additional protection you gain is that the Bad
Guys do not know that you are using the tool. The salt hardly matters:
to make sure the plugin will behave the same if you run firefox from
different computers, they are still using the same hash function and
same salt for the same site. If someone is savvy enough to know the
list of websites you access and the usernames you use to access them,
then that someone should also be able to find out the tool you are
using for the passwords. 

In the end, I think it offers only marginally more protection than
having the same very strong password on all your sites. 

The only case I think the encryption/hash approach is useful is when you
have a low security account (say an online game, or a MUD that you
connect to via telnet) whose password is transmitted in plaintext. If
you insist on only using one master password, and don't want to bother
memorizing a different one for the low security account, I guess
passing your password through a one-way hash makes it harder for your
other accounts to be compromised. But that's about it. 

Just my two cents 

W
-- 
Where do you get Mercury?

H.G. Wells
Sortir en Pantoufles: up 1089 days,  8:58



Re: [gentoo-user] Switching to hardened

2008-02-01 Thread Eric Martin

Dan Farrell wrote:

You might consider building packages but not installing them -- I think
could use --buildpkgonly (aka -B) to achieve this end.  If the world
emerge with a -B flag finishes successfully, I think that means all
packages were built and you are ready to emerge world with --usepkgonly
(-K) without having to worry about build-time issues that could cause
conflicting packages on the system.  



But what does everyone else think?
  


I like it.  The only problem is it might not work in some situations 
where you need program A to compile program B (kde4 requires qt4).  I've 
never gone from a non-hardened system - hardened though so take my 
comments with a grain of salt.  This could also work on other tricky 
upgrades.




Re: [gentoo-user] Incredibly slow disk access

2008-01-08 Thread Mark Shields
On Jan 8, 2008 12:53 AM, Renat Golubchyk [EMAIL PROTECTED] wrote:

 On Mon, 7 Jan 2008 20:51:02 -0500 Mark Shields [EMAIL PROTECTED]
 wrote:
  I'd also recommend, after checking for the above, also checking what
  level of UDMA is set.  Try this:  hdparm -I /dev/hda | grep -i dma
 
  Yours should say probably either udma3 or udma4.

 Why not udma5 ? All my PATA drives (desktop and notebook) run at udma5
 for some years now without any problems.


 Cheers,
 Renat

 --
 Problems can never be solved with the same way of thinking
 that created them.
  (Einstein)


It was just a guess.  Take it with a grain of salt.

-- 
- Mark Shields


Re: [gentoo-user] grub passwords - how do I limit OS selection?

2006-07-30 Thread Mark Knecht

On 7/30/06, Rumen Yotov [EMAIL PROTECTED] wrote:

Hi Mark,
Check the official gentoo security guide (docs section).
...
2.b. Password protecting GRUB

GRUB supports two different ways of adding password protection to your
boot loader. The first uses plain text, while the latter uses md5+salt
encryption.
...
Haven't used it though.
HTH.Rumen


Rumen,
  Thanks, but they are just two versions of what I've already tried.
That password protection, as shown in the Gentoo Security Guide, only
password protects changing the way you boot each option. As shown in
the guide it does not protect which version you are allowed to boot.

Cheers,
Mark



Re: [gentoo-user] Re: scripted iptables-restore

2013-10-14 Thread Michael Orlitzky
On 10/14/2013 07:49 AM, Martin Vaeth wrote:
 Michael Orlitzky mich...@orlitzky.com wrote:
 Port knocking is cute, but imparts no extra security.
 
 It does, for instance if you use it to protect sshd and
 sshd turns out to be vulnerable; remember e.g. the
 security disaster with Debian.
 
 A better, secure way to achieve the same goal is with OpenVPN.
 
 Using yet another service with possible holes to protect a sshd?
 In this case, I would like port knocking at least for this OpenVPN.
 

The sensitive parts of OpenVPN are audited regularly, and it uses SSL
-- public key auth to exchange a symmetric key, both of which use
tried-and-true algorithms/code.

Port knocking on the other hand is just security through obscurity, and
is visible over the wire (or over the air, most likely, if you're on a
laptop).

Obscurity does provide some benefit, but it gets dismissed because we
tend to ignore the constant factor when talking about these things. A
problem is solved if it's easy to exponentially increase the amount of
work an attacker has to do.

For an analogy, a somewhat-related issue is that of salting passwords.
Typically one stores the salt in the database in clear text, and this
tends to freak people out.

Doesn't that make it easier for an attacker to brute force your
passwords? Well, yes, but the salt isn't meant to stop a brute force
attack. It's meant to stop rainbow table attacks. The way you stop brute
force attacks is to use an algorithm with a variable number of rounds
that can slow itself down (see: bcrypt).

Hiding the salt would just be security through obscurity. You always
assume that the attacker knows the details of your algorithm, including
the constants. So while hiding the salt would make it a tiny bit harder
to brute force, we ignore it in favor of the thing that makes it
exponentially harder (variable rounds).

Similarly, putting port knocking in front of OpenVPN is like putting a
padlock on the bank vault. If someone is going to break OpenVPN, port
knocking ain't gonna stop them.


 It is exactly the kind of attacks for which one usually uses iptables.
 You are right, iptables is just one extra step of security, so the
 worst thing which can happen is that this step is useless.
 However, if you are willing to risk this only because of your own
 lazyness in scripting then why do you setup iptables in the first place?
 

All of my iptables scripts, even the big ones, run in under a second and
get executed 2 or 3 times a year. There's some saying about a baby and
bath water.

It's not laziness I'm advocating, just simplicity. Simple,
understandable code is more likely to be correct than clever code. And
in this case, incorrect iptables code is more of a threat than the tiny
race condition.




Re: [gentoo-user] Gentoo on a Lenovo X1 Carbon (3rd gen)

2015-08-25 Thread Alec Ten Harmsel
On Tue, Aug 25, 2015 at 06:38:16PM +0200, Ralf wrote:
 On 08/25/2015 03:21 PM, Alec Ten Harmsel wrote:
  Do you have SUSPEND=y (just checking)? Other things that I can
  see related to suspend are SUSPEND_FREEZER, ACPI_SLEEP,
  APM_IGNORE_USER_SUSPEND, and a bunch of Thinkpad/Lenovo related options.
  I do not have suspend enabled on my laptop, so take this with a grain of
  salt.
 Yeah, everything is set, even THINKPAD_ACPI. Still does not wake up :-(

If you still have the Arch kernel, could you run `lsmod' when that
kernel is booted and diff it against an `lsmod' when your Gentoo kernel
is booted?

If that doesn't help, could you attach your config to a reply?

Alec



[SOLVED] Re: [gentoo-user] unable to login to user account or do su - username

2009-05-04 Thread Valmor de Almeida

Alan McKinnon wrote:

experiment to see if it's the new hashes that are doing it. Find an account 
that can sudo to root on the affected machines and examine the shadow file. 
See what kind of hashes the affected accounts are using. md5 is 34 characters 
long and sha512 is 98 in this format:


$x$salt$hash
x is 1 for md5 and 6 for sha512. salt is 8 characters for both


Thanks for spending time with this. After looking at the shadow file, I 
have accounts with both md5 and sha512. In particular affected accounts 
that have md5 and sha512.


I looked closely at the .bashrc (I used echo "made it to here" marks to 
follow the login sequence) of the bad accounts and they were all 
sourcing a script from a third-party package that went bad after the OS 
update. Luckily this was not in all accounts and especially not in the 
root account. Otherwise I would have been locked out of the machine. 
After getting rid of that line in the users' .bashrc all returned to normal.


One more thing to do was to uncomment the lines

PrintMotd no
PrintLastLog no

in /etc/sshd_config to avoid the double motd/last log messages upon 
login. I guess after the portage update, pam is now printing that.




Here's mine which works:

auth        include system-auth
account     include system-auth
password    include system-auth
session     include system-auth

And you did confirm that sudo checks for wheel group membership, and that you 
are still in this group?




This is exactly like mine.

Thanks for all the help.

--
Valmor



Re: [gentoo-user] Luks: Which cipher to use

2009-09-09 Thread Marco
Hi Mike,

Thanks for your very detailed description and explanation!

On Wed, Sep 9, 2009 at 12:30 PM, Mike Kazantsevmk.frag...@gmail.com wrote:
 On Tue, 8 Sep 2009 11:21:12 +0200
 Marco listwo...@gmail.com wrote:

[...]

 ESSIV, on the other hand, uses the hash of these counters with the key
 itself to salt the IV, so it seems to rule out all the aforementioned
 vulnerabilities. Hash strength here ensures that it can't be turned
 into the former 'plain counters' case due to a hash collision.


 XTS/LRW/CBC/... are methods to encrypt a single data block to a disk
 block. Since data is read in blocks, the block also seems to be the atomic
 unit of data encryption - everything is en-/decrypted in whole blocks
 when read/written from/to disk.

 These methods further divide the disk block into smaller units to
 ensure that there won't be a case (similar to the above) where two
 similar, say, 16-byte pieces in a single 512k disk block would look
 identical; otherwise some data with such watermarks can be generated
 and proven to be on this disk - whole blocks can be marked with them,
 so they can later be found, along with any known data between them.

 They also mix the key with some generated salt for these units.
 CBC relies on plain data, so it can be broken by crafted data. LRW also
 seems to suffer from some known vulnerabilities, so XTS seems to be the
 best and recommended one.

So I think I'll go with xts-essiv:sha256. In terms of performance, a
keylength of 256 might not be ideal. But since this external drive is
mainly thought as a backup device,this is not too much of a drawback.

--
Best regards,
 Marco



Re: [gentoo-user] Re: [OT] Seamonkey and LastPass

2009-12-01 Thread Dale

Willie Wong wrote:

On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
  


There is a tool I've used in the past called PasswordMaker. It uses a 
master password and a flexible set of parameters to generate passwords and 
if necessary, enter them on a site.
  


snip

  
Once you enter the master password and select the appropriate settings 
(length, character set, hashing algorithm etc etc), the password will be 
generated. You can also use the current website as a salt, so using the 
same settings will yield a different password for different sites.
  


Isn't this just security by obscurity? You still use the same master
password: so finding out the one password is enough to break into ALL
your sites. The only additional protection you gain is by that the Bad
Guys do not know that you are using the tool. The salt hardly matters:
to make sure the plugin will behave the same if you run firefox from
different computers, they are still using the same hash function and
same salt for the same site. If someone is savvy enough to know the
list of websites you access and the usernames you use to access them,
then that someone should also be able to find out the tool you are
using for the passwords. 


In the end, I think it offers only marginally more protection than
having the same very strong password on all your sites. 


The only case I think encryption/hash approach is useful is when you
have a low security account (say an online game, or a MUD that you
connect to via telnet) whose password is transmitted in plaintext. If
you insist on only using one master password, and don't want to bother
memorizing a different one for the low security account, I guess by
passing your password through a one-way hash makes it harder for your
other accounts to be compromised. But that's about it. 

Just my two cents 


W
  


Well this is where some things are not real clear.  I'm not sure when 
the master password would be sent to the website.  It may be only when 
doing the setup but you could be right.


Of course, I also read a study done by a group of Universities a few 
years ago that said a LOT of the security stuff that is done doesn't 
really work.  If a person uses common information for their password, 
then anything the websites do is pretty much meaningless anyway.  I 
actually sent a link to my bank regarding the specific set up they are 
using. 

I think the point is, a good secure password is the best policy.  For me 
tho, having a good tool that is local and secure to type that sucker in 
for me is really good.  I'm not worried about someone stealing my 
computer and gaining access that way, I'm just worried that someone 
could keep banging away at my password until it guesses it.  As 
mentioned before, my password is not anything related to information 
about me but just a random bunch of stuff.  Given time tho, a hacker 
would eventually guess it. 


Dale

:-)  :-)



Re: [gentoo-user] Questions about hacked sites and passwords

2012-01-16 Thread Florian Philipp
Am 17.01.2012 03:22, schrieb Dale:
 Howdy,
 
 It was on the news that some company got hacked into that was related to
 Amazon.  They said Amazon users should change their password just as a
 precaution.  I have a questions tho.  I use some pretty good passwords
 for the things that matter, sites such as my bank, credit card, ebay,
 paypal, newegg and others that may store things such as my credit card
 numbers.  Here is a example but not a close match to a typical password:
 
 $cb78862A!
 
 According to those password strength websites, that is a great
 password.  Fairly long and lots of assorted characters and impossible to
 guess since it contains no personal info such as birthdays or pets. 
 This is fairly typical for sites that matter.  I may use something
 simple for sites such as forums or something tho.
 
 My question.  If I have a really good password and someone gets hacked,
 should I change the password if the passwords are still safe?  In other
 words, they got some data such as email addys but the passwords and
 credit cards are still secure.  Should a person change it anyway?
 
 One reason I ask this.  I remember my passwords well.  If I go to
 changing them every time someone gets hacked, I'll never be able to keep
 up with them again.  I use Lastpass to remember them but it could stop
 working because of a upgrade or something.  Then again, I could use its
 autogenerate thing and just HOPE for the best on upgrades.
 
 Thoughts?  What do you guys, and our gal, do in situations like this?
 
 Dale
 
 :-)  :-)
 

Well, "it depends" is the only answer I can really give. There are
basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change
your pw. I doubt amazon is stupid enough to store passwords as
plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or sha1
with no salt. With modern PCs, it isn't too hard to brute-force against
such, even without rainbow-tables. Then you should change your password
but you might get lucky and not need to.

3. Strong password hashes were used (something slow with a lot of salt,
possibly without storing the salt so it has to be guessed as well). Then
you don't need to change your password.

4. Something else was done. For example known-plaintext or
man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master
password. I'd just change the random amazon password as I've not
memorized it.

Obligatory xkcd reference: http://xkcd.com/936/
(I've checked the math, he is right.)

Regards,
Florian Philipp
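Michael Orlitzky's salt-versus-rounds argument in the iptables-restore thread above and Florian's scenarios 2 and 3 here describe the same trade-off, so one added Python example covers both; it is not code from either poster. It stores the same constructed sample accounts three ways (unsalted SHA-256, salted SHA-256, and salted PBKDF2 with 2**k iterations) and counts the work a dictionary check needs against each: a clear-text salt multiplies the work by the number of accounts, a constant factor, while each extra bit in the iteration exponent doubles it. The account names, passwords and guess list are constructed.

```python
import hashlib
import os

# Constructed sample accounts; two share a password on purpose.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "Tr0ub4dor&3",
}
# Constructed guess list, standing in for a precomputed (rainbow) table.
GUESS_LIST = ["password", "123456", "correct horse", "letmein"]


def fast_hash(password, salt=b""):
    """One SHA-256 over salt||password. Cheap to verify, cheap to guess."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password, salt, log2_rounds):
    """PBKDF2-HMAC-SHA256 with 2**log2_rounds iterations.

    Raising log2_rounds by one doubles the cost of every guess; this is the
    'variable rounds' knob (bcrypt's cost parameter works the same way).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, 2 ** log2_rounds
    ).hex()


def store_unsalted(users):
    """Scenario 2: a plain fast hash, no salt."""
    return {u: ("", fast_hash(p)) for u, p in users.items()}


def store_salted(users):
    """Fast hash with a random per-record salt kept in clear beside it."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), fast_hash(p, salt))
    return out


def store_slow(users, log2_rounds):
    """Scenario 3: salted and deliberately slow; salt and cost stored in clear."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), log2_rounds, slow_hash(p, salt, log2_rounds))
    return out


def verify_slow(record, password):
    """Recompute with the stored salt and cost; a legitimate login pays once."""
    salt_hex, log2_rounds, digest = record
    return slow_hash(password, bytes.fromhex(salt_hex), log2_rounds) == digest


def shared_passwords_visible(records):
    """Without salt, equal passwords give equal hashes, visible in a dump."""
    digests = [rec[-1] for rec in records.values()]
    return len(digests) != len(set(digests))


def audit_unsalted(records, guesses):
    """One table computed once serves every account: work = len(guesses)."""
    table = {fast_hash(g): g for g in guesses}
    found = {u: table[d] for u, (_, d) in records.items() if d in table}
    return found, len(guesses)


def audit_salted(records, guesses):
    """Salt forces the table to be rebuilt per account: work = guesses x accounts."""
    found, work = {}, 0
    for u, (salt_hex, d) in records.items():
        for g in guesses:
            work += 1
            if fast_hash(g, bytes.fromhex(salt_hex)) == d:
                found[u] = g
    return found, work


def guess_work(scheme, n_guesses, n_accounts, log2_rounds=0):
    """Hash or PBKDF2 iterations needed to test every guess against every account.

    The salt contributes the constant factor n_accounts; the round exponent
    contributes 2**log2_rounds. The thread's point is that the salt term is
    a constant factor, while the exponent is where the leverage is.
    """
    if scheme == "unsalted":
        return n_guesses
    if scheme == "salted":
        return n_guesses * n_accounts
    if scheme == "slow":
        return n_guesses * n_accounts * 2 ** log2_rounds
    raise ValueError(scheme)


if __name__ == "__main__":
    rec = store_slow(SAMPLE_USERS, 14)
    print("carol verifies:", verify_slow(rec["carol"], "Tr0ub4dor&3"))
    for k in (10, 11, 12):
        print(f"log2_rounds={k}: work={guess_work('slow', 4, 3, k)}")
```

The audit functions count work rather than time it, so the comparison is deterministic; in practice the cost parameter is tuned so that one verification takes tens of milliseconds on the server's own hardware.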





Re: [gentoo-user] Can't use gnome!

2008-01-25 Thread b.n.
Michael Sullivan ha scritto:
 I rebooted into Linux a couple of days ago and tried to log into gnome,
 and a whole bunch of error messages popped up.  They all said basically
 this:
 
 There was an error loading config from /apps/gnome-terminal/global.
 (Failed to contact configuration server; some possible causes are that you
 need to enable TCP/IP networking for ORBit, or you have stale NFS locks
 due to a system crash. See http://www.gnome.org/projects/gconf/ for
 information. (Details -  1: IOR file '/tmp/gconfd-michael/lock/ior' not
 opened successfully, no gconfd located: No such file or directory 2: IOR
 file '/tmp/gconfd-michael/lock/ior' not opened successfully, no gconfd
 located: No such file or directory))

I'm a KDE user, so take my advice with a grain of salt. But I googled a
bit, and you're not alone (even if your error is obscure). Unfortunately
I failed to find a clear cut solution.

However, you may try to start gnome with another user, or erase (move)
your .gnome .gconf etc. and retry. It seems something in your
configuration files is weird.

m.
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] tftp config problem (ltsp)

2007-11-06 Thread Roger Mason
Hi Sean,

sean [EMAIL PROTECTED] writes:

I set up diskless booting recently but I'm by no means an expert, so
take my comments with plenty of salt.

 Below is my in.tftpd file.
 # /etc/init.d/in.tftpd

 # Path to server files from
 # Depending on your application you may have to change this.
 # This is commented out to force you to look at the file!
 #INTFTPD_PATH=/var/tftp/
 INTFTPD_PATH=/tftpboot/

What happens with INTFTPD_PATH=/tftpboot? (remove trailing / )

 #INTFTPD_PATH=/tftproot/

 # For more options, see in.tftpd(8)
 # -R 4096:32767 solves problems with ARC firmware, and obsoletes
 # the /proc/sys/net/ipv4/ip_local_port_range hack.
 # -s causes $INTFTPD_PATH to be the root of the TFTP tree.
 # -l is passed by the init script in addition to these options.
 #INTFTPD_OPTS=-R 4096:32767 -s ${INTFTPD_PATH}
 INTFTPD_OPTS= -s ${INTFTPD_PATH}


 The tftp file looks exactly like the one specified in the instructions.

 tardis tftpboot # ls
 lts  pxe  pxelinux.cfg

Are you using syslinux?  I'm not sure but shouldn't there be a
pxelinux.0 file in /tftpboot?

Cheers,
Roger
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] tftp config problem (ltsp)

2007-11-06 Thread sean

Roger Mason wrote:

I set up diskless booting recently but I'm by no means an expert, so
take my comments with plenty of salt.


Sounds like you have had better success than me.



INTFTPD_PATH=/tftpboot/

What happens with INTFTPD_PATH=/tftpboot? (remove trailing / )


Since removed. Made no difference.


Are you using syslinux?  I'm not sure but shouldn't there be a
pxelinux.0 file in /tftpboot?



I am using what ever was emerged using Gentoo's instructions.
I have had a bit more success since last posting, but not full success.
Depends on what I put in the dhcpd.conf file for the filename entry.

If it specifies
filename /pxe/pxelinux.0; it will start the boot but finally halts 
stating cannot find kernel image: linux.


If it specifies
filename /lts/vmlinuz-2.6.17.8-ltsp-1; then I get the NBP is to large 
for memory error.



So far no luck getting past either point.

Thanks
Sean
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] /etc/shadow syntax

2005-06-06 Thread Michael Kjorling
On 2005-06-06 15:51 +0200, [EMAIL PROTECTED] wrote:
 I can't seem to find any official documentation on /etc/shadow syntax.
 Searching google I find loads of conflicting explanations of the meaning of
 x,!,!!,* in the password field.

The given password is encrypted, and then compared to whatever is in
the password field in /etc/shadow (or /etc/passwd). If they match, the
password is valid. So entering anything that cannot be valid into the
password field means that no password will be valid.

Whether you choose to use x, !, !!, * or some other variant is up to
you. Yes, x works in this case too since it is too short to be a
salt followed by an encrypted password.
 
-- 
Michael Kjörling, [EMAIL PROTECTED] - http://michael.kjorling.com/
* ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments *
* . No bird soars too high if he soars with his own wings . *
*** Software patents hinder progress - see http://swpat.ffii.org/ ***




[gentoo-user] Re: /etc/shadow syntax

2005-06-06 Thread Hans Hvelplund Odborg
Michael Kjorling wrote:
 The given password is encrypted, and then compared to whatever is in
 the password field in /etc/shadow (or /etc/passwd). If they match, the
 password is valid. So entering anything that cannot be valid into the
 password field means that no password will be valid.
 
 Whether you choose to use x, !, !!, * or some other variant is up to
 you. Yes, x works in this case too since it is too short to be a
 salt followed by an encrypted password.
I don't mean to be rude or anything, but I've seen many answers like this on 
different mailinglist archives and everyone seems to have an opinion of their 
own regarding this. So I'd like to see documentation of some sort.

Example where ! is different from *:
http://lists.debian.org/debian-user/2005/03/msg04197.html

My original interest for this was sparked from gentoo.forums.org, where some 
people write that changing ! into * in /etc/shadow helped them solve problems 
with freenx. Which implies that * and ! do not mean the same.

This is why I'd like to find some kind of more or less official documentation.
-- 
gentoo-user@gentoo.org mailing list
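As an added example tying Alan McKinnon's description of the $x$salt$hash layout (the [SOLVED] login thread above) to the lock markers debated here, the Python below parses the password field of a shadow entry. It is not from any poster; the sample entries are constructed (the digest parts are filler of the correct length, not real hashes). The id-to-algorithm table and digest lengths (22 characters for md5crypt, 43 for sha256crypt, 86 for sha512crypt) are standard crypt(3) facts, and the reading of '!' as the prefix that passwd -l prepends while keeping the old hash is shadow-utils behaviour, which is what makes a '!' entry recoverable where a bare '*' is not.

```python
# crypt(3) ids named in the thread, with the digest length each produces.
# With an 8-character salt the whole field is 3 + 8 + 1 + digest long:
# 34 for md5crypt and 98 for sha512crypt, the numbers quoted above.
ALGORITHMS = {
    "1": ("md5crypt", 22),
    "5": ("sha256crypt", 43),
    "6": ("sha512crypt", 86),
}

# Constructed entries: real layout, filler digests of the right length.
SAMPLE_MD5 = "$1$saltsalt$" + "m" * 22
SAMPLE_SHA512 = "$6$saltsalt$" + "s" * 86


def parse_crypt(field):
    """Split $id[$rounds=N]$salt$digest; None if it is not in that shape."""
    parts = field.split("$")
    # A valid string starts with '$', so parts[0] is empty; 'x', '*' or a
    # bare word never get this far and can match no computed hash.
    if len(parts) < 4 or parts[0] != "":
        return None
    alg_id, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):
        try:
            rounds = int(rest[0][len("rounds="):])
        except ValueError:
            return None
        rest = rest[1:]
    if len(rest) != 2:
        return None
    salt, digest = rest
    if not alg_id or not digest:
        return None
    name, digest_len = ALGORITHMS.get(alg_id, ("unknown", None))
    return {
        "algorithm": name,
        "id": alg_id,
        "salt": salt,
        "rounds": rounds,
        "digest": digest,
        "length_ok": digest_len is None or len(digest) == digest_len,
    }


def classify_password_field(field):
    """Interpret field 2 of an /etc/shadow line the way the login path does.

    Anything that cannot equal the output of crypt(3) rejects every password;
    the difference between the markers is what an admin can recover later.
    """
    if field == "":
        return {"status": "empty",
                "note": "no password set; PAM decides whether that logs in"}
    locked = field.startswith("!")
    body = field.lstrip("!")
    if locked and body == "":
        return {"status": "locked", "note": "'!' or '!!' with no hash behind it"}
    parsed = parse_crypt(body)
    if parsed is None:
        return {
            "status": "locked" if locked else "invalid",
            "note": f"{body!r} is not a crypt string, so no password can match it",
        }
    # passwd -l / usermod -L prepend '!' and keep the hash, so -u can restore it.
    parsed["status"] = "locked" if locked else "active"
    return parsed


def classify_shadow_line(line):
    """Return (user, classification) for one colon-separated shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    return fields[0], classify_password_field(fields[1])
```

Run over a copy of /etc/shadow (as root) this reports which accounts still carry md5crypt hashes, which are merely locked, and which have a field that is not a hash at all, without ever needing to know what the markers "mean" beyond the fact that none of them can equal a crypt output.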



Re: [gentoo-user] [blocks B ] mail-mta/qmail-1.03-r16 (is blocking net-mail/cmd5checkpw-0.30)

2005-10-22 Thread Mike Williams
On Sunday 23 October 2005 00:18, [EMAIL PROTECTED] wrote:
 Still something to learn I guess. my poppasswd file is still the example
 file that came with whatever it came with. My pop accounts are
 authenticated via the regular linux logins, so for every pop user (3 at
 the moment) I have a user acount in linux.

Good good.

 What package uses this poppasswd file?

cmd5checkpw, and anything else which does CRAM MD5 authentication at a guess.
CRAM is done by sending a hash of the password over the wire, the salt is 
unique for each connection, so you need the plain text password on the server 
to check against, which are kept in poppasswd.
Secure over the wire, hideously insecure on the server.

 I tried qpkg, but that doesn't seem to exist any more?

Yeah, it got moved to another package as it's deprecated in favour of equery.

 Does the above mean I can safely enable noauthcram?

Yes.

-- 
Mike Williams
-- 
gentoo-user@gentoo.org mailing list
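Mike's description of CRAM-MD5 above (a per-connection challenge, the password never on the wire, yet the server must hold the plaintext) is the exchange RFC 2195 defines. The Python below, added here and not Mike's or cmd5checkpw's code, plays both sides so the trade-off is visible: the client answers with an HMAC, and the server can only check it by recomputing from the stored plaintext. The user name, password, challenge nonce and host name are constructed; the dictionary stands in for poppasswd.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for poppasswd: the server side of CRAM-MD5 has to
# keep the plaintext, because HMAC needs the password itself as the key.
PLAINTEXT_STORE = {"alice": "example-password-not-real"}


def make_challenge(nonce=None):
    """Server: a fresh, unpredictable challenge for this connection.

    This is the 'salt unique for each connection' in the thread: it makes a
    captured response useless against any later connection.
    """
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    return f"<{nonce}@mail.example.invalid>".encode()


def client_response(username, password, challenge):
    """Client: answer with 'username hex(HMAC-MD5(password, challenge))'.

    Only the HMAC crosses the wire, never the password (RFC 2195 layout).
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(store, challenge, response_b64):
    """Server: recompute the HMAC from the stored plaintext and compare.

    A store holding only a hash of the password could not do this step,
    which is why enabling CRAM means keeping plaintext on the server.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return False
    username, _, digest = decoded.partition(" ")
    # Compute for unknown users too, so their cost matches a wrong password.
    password = store.get(username, "")
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest) and username in store


def wire_view(response_b64):
    """What an observer on the wire sees once the base64 is undone."""
    return base64.b64decode(response_b64).decode()


def run_exchange(store, username, password):
    """Drive one full CRAM-MD5 round trip between the two halves above."""
    challenge = make_challenge()
    wire_challenge = base64.b64encode(challenge)  # what the server sends
    response = client_response(username, password, base64.b64decode(wire_challenge))
    return server_verify(store, challenge, response)
```

The two properties the thread names fall out directly: a response recorded from one connection fails against the next challenge, and `server_verify` cannot be written against a store that holds only password hashes. That is the trade Mike describes as secure on the wire and hideously insecure on the server, and it is why turning CRAM off (the noauthcram question) lets the server stop keeping plaintext.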



Re: [gentoo-user] Fix file system permissions

2007-01-05 Thread Richard Cox
I would think a quick fix (by no means a FULL fix) would be to re-emerge 
sys-apps/baselayout.  That should at least get your init scripts, and important 
configs back to the right permissions.  I've never actually tried that however, 
so take it with a grain of salt.

I would agree with most people on the list tho.  Maybe it's time for a machine 
upgrade and just re-emerge everything.  Either way tho, I'm betting it's going 
to take a lot of legwork to get things back to the way they were beforehand.  

Also maybe it's time to chroot your customers to keep them from screwing things 
up again :)

On Thu, Jan 04, 2007 at 09:04:15PM -0800, Joshua Schmidlkofer wrote:
 Hey, a customer on a hosted server did this today:
 
 sudo chown -R lighttpd /
 
 --
 
 You can imagine that things are a little borked.  How do you fix this
 with Gentoo?
 
 
 Sincerely,
  Joshua
 -- 
 gentoo-user@gentoo.org mailing list
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] equery versus q-tools

2009-11-20 Thread Dale

Marcus Wanner wrote:

On 11/20/2009 4:00 AM, Helmut Jarausch wrote:

Hi,

there are two utilities on (my) Gentoo system and I wonder
when to prefer which one.

On one hand there is 'equery' with many commands.
On the other hand there the 'q-tools' i.e. a lot of
symlinks to /usr/bin/q
like
qfile
qdepends
quse
and so on.

Often they offer similar tasks.
I wonder when to use which one.
Which is faster, more reliable, ...

Many thanks for sharing your experience,
Helmut.
  
I would personally prefer equery, as it is in gentoolkit, an official 
gentoo project, and because it is more standard. To tell the truth, 
though, I have never even heard of q-tools...


Marcus




But as I have seen and read about, equery is not always correct.  It is 
handy but you need to take its results with a little salt. 


That said, I use it a lot.  just have to use the old noodle still.

Dale

:-)  :-) 



Re: [gentoo-user] Re: [OT] Seamonkey and LastPass

2009-11-29 Thread Matt Harrison

Dale wrote:
So, another question.  Is there a tool that is local and would do 
something like this?  I am using Seamonkey 2.0 nowadays.  It seems to 
have some tools available to it that the old Seamonkey doesn't.


Dale

:-)  :-)



There is a tool I've used in the past called PasswordMaker. It uses a 
master password and a flexible set of parameters to generate passwords 
and if necessary, enter them on a site.


It has a plugin for firefox and I believe seamonkey too. I can't check 
this second because their site appears to be down (bandwidth exceeded). 
It doesn't store the passwords anywhere and will only store the master 
password on your machine if you specifically ask for it.


Once you enter the master password and select the appropriate settings 
(length, character set, hashing algorithm etc etc), the password will be 
generated. You can also use the current website as a salt, so using the 
same settings will yield a different password for different sites.


Sounds like I'm advocating this very heavily, in fact I don't have much 
experience with it. It sounds reasonable to me, but I'll let you guys 
discuss it :)


Matt



Re: [gentoo-user] Proper way of updating mysql from 5.0.90-r2 to 5.1.50?

2010-09-01 Thread Alex Schuster
Dale writes:

 I'm no expert on this package so take this with a grain of salt.  Mine
 just updated and portage said to run emerge @preserved-rebuild which
 I did.  Thing is, one of the packages failed to emerge so here I sit. 
 The error says something is missing which is the same reason the
 emerge @preserved-rebuild won't finish.
 
 So, looks like you need to rebuild some stuff but don't hold your
 breath on being able to.  There is a thread on the forums already if
 you want to monitor it.

I think it's not an urgent problem when this happens. With portage 2.2 and 
the preserve-libs FEATURE, old libraries are not deleted when an update 
installs a new, incompatible library. This happens when emerge @preserved-
rebuild has finished rebuilding all packages using the old library, so 
they now use the new one.

Without this feature, the old library is deleted after the update, and you 
need to use revdep-rebuild to rebuild all the stuff that uses the no 
longer existing library. I always thought of this as a big problem with 
Gentoo, and it's great that it no longer is.

Wonko



[gentoo-user] Re: new mobo : Eth0 recovered

2012-04-23 Thread Nikos Chantziaras

On 23/04/12 21:34, David W Noon wrote:

On Mon, 23 Apr 2012 18:50:44 +0100, Peter Humphrey wrote about Re:
[gentoo-user] Re: new mobo : Eth0 recovered:

[snip]

So I removed linux-firmware, rebooted and got kmail back.


We all noticed that you are using KMail once more, because you are
sending HTML messages with a huge font and bold typeface to the list.

Any chance of you reconfiguring KMail not to send HTML messages?
Please ... pretty please ... :-)


A mail-client worth its salt should be able to work around that ;-) 
Thunderbird, the superior mail client (-- flame bait) has an option 
that says Display HTML messages as plain text, so I never notice when 
someone posts HTML messages here (or anywhere else.)





Re: [Bulk] [gentoo-user] Re: Udev update and persistent net rules changes

2013-04-01 Thread Michael Mol
On 04/01/2013 09:54 AM, Neil Bothwick wrote:
 On Mon, 01 Apr 2013 09:29:08 -0400, Michael Mol wrote:
 
 MAC addresses are not human-friendly. It would be OK if you could set
 up aliases, so your firewall rules could use enaabbccddeeff while you
 could still type eth0.
 
 Frankly, I never found 'eth0' to be particularly friendly, either. Hence
 why I like naming my interfaces things like 'wan', 'wifilan' and
 'wiredlan'.
 
 Relative to 'lan' or 'wan', no, but relative to an embedded MAC address?

Honestly, with IPv6, I get so accustomed to recognizing the last three
or four octets of MAC addresses, that idea is starting to grow on me,
too! It's like recognizing phone numbers, really. You eventually just
start remembering enough of the thing to be useful.

If the system isn't smart enough to apply a solid semantic name (like my
'wan', 'wifilan' or 'wiredlan'), I'd rather it not try to apply a
semantic name (eth0 or net0) at all. But you're hearing this come from a
C++ programmer turned network admin, so take that with a grain of salt. :)





Re: [gentoo-user] Serious problem with linode vm

2013-04-15 Thread Tanstaafl

On 2013-04-15 2:03 PM, Tanstaafl tansta...@libertytrek.org wrote:


Ok, I think all I need to get our db back up is to remerge php, but it
is failing.

The last error appears to be the zlib check.

I did already try

emerge -1 sys-libs/zlib

and retrying to emerge php, but got the same error:


Ok, added -zlib to package.mask and it is compiling now... I just don't 
know if I need zlib support for our DB app... sigh


If this doesn't work I'll try your suggestion of:


Were this one of my systems (none of which is in a prod scenario, so
take it with a grain of salt), I'd emerge -e --keep-going @system, and
then emerge --resume a few times. You're stuck in something not unlike a
bootstrap scenario.


Thanks a lot Michael... first time anything like this has happened to me 
in a long time. I forgot what it is like to have users (and bosses) 
breathing down my neck like this...




Re: [gentoo-user] Managing multiple systems with identical hardware

2013-10-01 Thread Grant
  Puppet seems like overkill for what I need.  I think all I really need
  is something to manage config file differences and user accounts.  At
  this point I'm thinking I shouldn't push packages themselves, but
  portage config files and then let each laptop emerge unattended based
  on those portage configs.  I'm going to bring this to the 'salt'
  mailing list to see if it might be a good fit.  It seems like a much
  lighter weight application.

 Two general points I can add:

 1. Sharing config files turns out to be really hard. By far the easiest
 way is to just share /etc but that is an all or nothing approach, and
 you just need one file to be different to break it. Like /etc/hostname

 You *could* create a share directory inside /etc and symlink common
 files in there, but that gets very tedious quickly.

 How about using something like unison? I've been using it for a while
 now to sync a specific subset of ~ between three computers.
 It allows for exclude rules for host-specific stuff.

I think what I'd be missing with unison is something to manage the
differences in those host-specific files.

- Grant



[gentoo-user] Re: Debian forked, because of systemd brouhaha

2014-11-30 Thread »Q«
On Sun, 30 Nov 2014 07:43:21 +0300
Andrew Savchenko birc...@gentoo.org wrote:

 On Sat, 29 Nov 2014 17:32:08 +0100 Marc Stürmer wrote:
  Am 29.11.2014 um 11:11 schrieb Pandu Poluan:

   What do you think, people? Shouldn't we offer them our eudev
   project to assist?  
  
  Since Eudev has always been opensource under the GPLv2, like udev
  too, there's no need to /offer/ it.
  
  If they choose to use it, they can use it, no offer/questions
  necessary. Simple.  
 
 As far as I understand, Pandu meant we can recommend them to use,
 but not some offer in commercial or proprietary terms.

They've added something called devuan-eudev to their github workspace
today, https://github.com/devuan/devuan-eudev.  It would be nice if
there could be one eudev project with the aim of supporting Gentoo,
Devuan, and whatever other distros want to use it.  Or if there must be
multiple eudevs, it would be nice if the different teams could
communicate and maybe take some patches from each other.  (I'm no dev,
so take my opinions on what would be nice for development with a
chunk of salt.)




[gentoo-user] Re: installing LTSP

2016-03-10 Thread James
hw  gc-24.de> writes:


> I'm trying to set up an ltsp server.  It seems
> that one of the required packages is no longer
> available:

I never used ltsp so take what I say with a grain of salt.

Look around; the old code is out there. Find an old version that works
and get that working. Then go to the ltsp upstream development site
and get the latest stable release.  Create your own ebuild so you are not
dependent on the devs to maintain what you like. Also, look around at 
the other Gentoo-derivative OSes and see if they have some ltsp hack of
an ebuild lying around.   The Gentoo attic is your friend [2]

You can usually find a way to build/install it without using a Gentoo
ebuild, but that is not the preferred method.
https://www.gentoo.org/doc/en/ltsp.xml has been removed, so the devs think
it is useless or nobody wants to maintain it. If you really like that
package, be the proxy maintainer once you repair/upgrade the associated
ebuilds. See the proxy-maintainer project in the Gentoo wiki for more detail.



hth,
James

https://gitweb.gentoo.org/proj/ltsp.git

http://www.ltsp.org/

https://gpo.zugaina.org/Overlays






Re: [gentoo-user] NVidia drivers and vanilla kernel Linux 4.7.0 anyone?

2016-07-30 Thread Meino . Cramer
Andrew Lowe <a...@wht.com.au> [16-07-30 20:12]:
> On 31/07/2016 1:54 AM, meino.cra...@gmx.de wrote:
> >David Haller <gen...@dhaller.de> [16-07-30 13:24]:
> >>Hello,
> >>
> >>On Sat, 30 Jul 2016, meino.cra...@gmx.de wrote:
> >>>trying the new kernel linux-4.7 (vanilla, downloaded from
> 
> [snip]
> 
> >
> >Short question: How can I apply it...I mean...as soon as I do an
> >emerge, either the original source will be unpacked or my package
> >will be rejected for being modified and different from the one, which
> >does not compile...
> >
> >?
> >
> >Best regards,
> >Meino
> 
>   It's currently 2am Perth time and I've been staring at a screen for 
> too long trying to get a portable Win32 dev environment for Uni students 
> working. I've consumed a fair amount of chocolate so the usual grain of 
> salt proviso applies. If I've understood the question correctly, this 
> link may be of help:
> 
> http://tinyurl.com/jur3t8v
> 
>   Andrew
> 
> 

Hi Andrew,

:)

Thanks a lot for your help!
Best
Meino




Re: [gentoo-user] NVidia drivers and vanilla kernel Linux 4.7.0 anyone?

2016-07-30 Thread Andrew Lowe

On 31/07/2016 1:54 AM, meino.cra...@gmx.de wrote:

David Haller <gen...@dhaller.de> [16-07-30 13:24]:

Hello,

On Sat, 30 Jul 2016, meino.cra...@gmx.de wrote:

trying the new kernel linux-4.7 (vanilla, downloaded from


[snip]



Short question: How can I apply it...I mean...as soon as I do an
emerge, either the original source will be unpacked or my package
will be rejected for being modified and different from the one, which
does not compile...

?

Best regards,
Meino


	It's currently 2am Perth time and I've been staring at a screen for too 
long trying to get a portable Win32 dev environment for Uni students 
working. I've consumed a fair amount of chocolate so the usual grain of 
salt proviso applies. If I've understood the question correctly, this 
link may be of help:


http://tinyurl.com/jur3t8v

Andrew




Re: [gentoo-user] Why portage demands to unmask an unstable version of the package?

2017-03-04 Thread Jorge Almeida
On Sat, Mar 4, 2017 at 10:09 AM, Marc Joliet <mar...@gmx.de> >
> Does nobody think of searching bugs.gentoo.org anymore?  It was an oversight:
> https://bugs.gentoo.org/show_bug.cgi?id=611386#c6.
>
Actually, most plain users won't remember or know that there is such a
thing. Your post may contribute to improve it. I know I'll remember.
But that doesn't mean it makes it easy: searching "vim-core-8.0.0386"
returns zero bugs. Searching "vim-core" returns several entries, one
of which seems related (if one happens to know that the problem is
related to gvim to start with, and assuming one is not daunted by a
reference to "acl"). I'm sure this just means I'm keyword-challenged,
but I bet I'm not the only one in the universe of plain Gentoo users.

OK, everybody makes mistakes. But reading "use emacs" is bound to
touch a few chords. Even if it was said with a grain of salt, the fact
is that updating a stable system after sync'ing is not expected to be
a surprising experience, at least regarding packages that are not part
of a huge bundle like KDE.

Regards

Jorge Almeida



[gentoo-user] Re: (SALT) Saltstack

2019-11-28 Thread Ian Zimmerman
On 2019-11-28 13:20, james wrote:

> My specific (eventual) goal is to communicate/manage a wide variety of
> gentoo systems, from servers & workstations to a myriad of embedded
> and 5G minimal gentoo systems; particularly those on embedded
> processors that have modest resources.

I have no "wide variety" of systems - more like 5, and only one of them
runs gentoo.  I use git to keep track of configuration changes.  One git
repository for each of /etc, ~/.config, and /usr/local.  I wrote a
simple distributed command script to execute changes; the script
connects via ssh to each affected system (in parallel) and checks out
new git commits from a central repository.

There are prepackaged solutions for this kind of thing, look for
etckeeper and propellor.  But I found they either had annoying
misfeatures (etckeeper insists on tracking _all_ files under /etc) or
were overkill for my modest needs.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
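
The pattern Ian describes (ssh to every affected host in parallel, have each one check out the newest commits from a central repository) as an added example in Python; this is not Ian's script, and the host names, the repo path /etc and the branch origin/master are placeholders. The remote command also insists on a signed commit (git verify-commit) and a fast-forward before checking anything out, because a central config repo is a single point from which every managed machine can be reconfigured: whoever can push there owns the fleet, so the hosts should only accept commits the operator signed.

```python
"""Push-style config rollout: run one command on many hosts over ssh, in
parallel, and report per-host results.  Added example, not Ian's script.
Hostnames, the repo path and the branch are placeholders."""
import os
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# What each managed host runs.  verify-commit is the caveat: anyone who can
# push to the central repo can reconfigure every machine, so require a
# signed commit and a fast-forward before checking it out.  Placeholders.
REMOTE_CMD = (
    "cd /etc && git fetch --quiet origin"
    " && git verify-commit origin/master"
    " && git merge --ff-only --quiet origin/master"
)


def ssh_runner(host, cmd):
    """Run cmd on host via ssh; BatchMode stops ssh from prompting for input."""
    return subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10", host, cmd],
        capture_output=True, text=True, timeout=300,
    )


def local_runner(host, cmd):
    """Stand-in for ssh_runner that runs cmd locally with HOST set (for tests)."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True,
                          env={**os.environ, "HOST": host})


def run_on_hosts(hosts, cmd, runner=ssh_runner, max_workers=8):
    """Run cmd on every host concurrently; return {host: (rc, stdout, stderr)}."""
    def one(host):
        try:
            p = runner(host, cmd)
            return host, (p.returncode, p.stdout.strip(), p.stderr.strip())
        except subprocess.TimeoutExpired:
            return host, (124, "", "timeout")

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(pool.map(one, hosts))


def failed_hosts(results):
    """Hosts whose command did not exit 0, so the operator can re-run just those."""
    return sorted(h for h, (rc, _, _) in results.items() if rc != 0)


if __name__ == "__main__":
    targets = sys.argv[1:] or ["host1.example", "host2.example"]  # placeholders
    res = run_on_hosts(targets, REMOTE_CMD)
    for h, (rc, out, err) in sorted(res.items()):
        print(f"{h}: rc={rc} {out or err}")
    sys.exit(1 if failed_hosts(res) else 0)
```

Run it as `python3 rollout.py host1 host2 ...` from a machine whose ssh key is authorised on the targets; a non-zero exit means at least one host did not take the new commit, and failed_hosts() lists which.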



[gentoo-user] (SALT) Saltstack

2019-11-28 Thread james

Curiously,

Does anyone have any experience, tips or comments on the use of Saltstack?

Gentoo specific location::

https://docs.saltstack.com/en/latest/topics/installation/gentoo.html#post-installation-tasks

My specific (eventual) goal is to communicate/manage a wide variety of 
gentoo systems, from servers & workstations to a myriad of embedded and 
5G minimal gentoo systems; particularly those on  embedded processors 
that have modest resources.


An eventual framework, where the devices can be graphically located and 
data overlaid on different types of (data) graphical maps too.



It appears that some are using OpenStack and Ceph with
Git, Ansible, Puppet, Chef, StackStorm for similar goals
of a total management system for all the microprocessors and sensors in 
their theater of responsibility.


some are rooting their cell phones, to have a hand held device to 
complement laptops and multi-monitor systems.



TIA for any feedback, suggestions gotchas or any information.

James




Re: [gentoo-user] problem installing confluent-kafka from guru

2022-02-23 Thread Anatoly Oreshkin
To work around my problem I've changed state dev-python/confluent-kafka to
this variant:

dev-python/confluent-kafka:
  cmd.run:
    - name: emerge dev-python/confluent-kafka
    - require:
      - confluent-kafka-1.7.0.ebuild
      - dev-libs/librdkafka
      - add_guru

It works !
Thanks.



чт, 24 февр. 2022 г. в 00:55, Matt Connell (Gmail) <
matthewdconn...@gmail.com>:

> On Wed, 2022-02-23 at 11:28 +0300, Anatoly Oreshkin wrote:
> > Unfortunately specifying dev-python/confluent-kafka::guru hasn't
> > helped.
>
> Unfortunately I don't have any better ideas.  I've had more problems
> with the pkg.installed state than any other single thing in Salt.
>
> If your states don't need to be extended to other platforms, you could
> just resort to cmd.run again.  Seems you're already doing that with
> emaint anyway.
>
>
>


Re: [gentoo-user] Questions about hacked sites and passwords

2012-01-16 Thread Dale

Florian Philipp wrote:

Am 17.01.2012 03:22, schrieb Dale:

Howdy,

It was on the news that some company got hacked into that was related to
Amazon.  They said Amazon users should change their password just as a
precaution.  I have a question tho.  I use some pretty good passwords
for the things that matter, sites such as my bank, credit card, ebay,
paypal, newegg and others that may store things such as my credit card
numbers.  Here is an example but not a close match to a typical password:

$cb78862A!

According to those password strength websites, that is a great
password.  Fairly long and lots of assorted characters and impossible to
guess since it contains no personal info such as birthdays or pets.
This is fairly typical for sites that matter.  I may use something
simple for sites such as forums or something tho.

My question.  If I have a really good password and someone gets hacked,
should I change the password if the passwords are still safe?  In other
words, they got some data such as email addys but the passwords and
credit cards are still secure.  Should a person change it anyway?

One reason I ask this.  I remember my passwords well.  If I go to
changing them every time someone gets hacked, I'll never be able to keep
up with them again.  I use Lastpass to remember them but it could stop
working because of an upgrade or something.  Then again, I could use its
autogenerate thing and just HOPE for the best on upgrades.

Thoughts?  What do you guys, and our gal, do in situations like this?

Dale

:-)  :-)


Well, it depends is the only answer I can really give. There are
basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change
your pw. I doubt amazon is stupid enough to store passwords as
plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or sha1
with no salt. With modern PCs, it isn't too hard to brute-force against
such, even without rainbow-tables. Then you should change your password
but you might get lucky and not need to.

3. Strong password hashes were used (something slow with a lot of salt,
possibly without storing the salt so it has to be guessed as well). Then
you don't need to change your password.

4. Something else was done. For example known-plaintext or
man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master
password. I'd just change the random amazon password as I've not
memorized it.

Obligatory xkcd reference: http://xkcd.com/936/
(I've checked the math, he is right.)

Regards,
Florian Philipp



This is what one news source says, and they are all about the same:

http://venturebeat.com/2012/01/16/zappo-hack/

I suppose the one saving grace is that the database that stores our 
customers’ critical credit card and other payment data was not affected 
or accessed.


What I read now is that it only affected the one site. It was early on 
that changing the password on Amazon was mentioned and I guess since 
they were not sure, it was just in case the worst happened.


I use Lastpass which does about the same as other password managers. It 
looks now like Zappo got off sort of lucky. Their customers may get 
extra spam now but at least it sounds like their credit card data is safe.


According to netcraft they run Linux. I wonder how they got into it? 
Think the admin had a really common password like god or something. 
lol Wasn't that in the movie Hackers?


Well, I changed mine before I sent the first post, just to be sure. Of 
course, with my bank account, they ain't going to spend much. Certainly 
not worth serious jail time. o_O


Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS=--quiet-build=n
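
Florian's scenarios 2 and 3 (weak unsalted hashes versus slow salted ones) as an added worked example in Python, not from the thread. The "leaked" user tables and the wordlist are constructed here; it shows that against unsalted MD5 one lookup table cracks every user in the dump at once, that a per-user salt forces the attacker to rehash the whole wordlist for every user, and that a slow salted hash (PBKDF2 here; scrypt or Argon2 would be the modern choice) makes each of those guesses expensive. Dale's example password is deliberately not in the wordlist, so it stays uncracked in both dumps.

```python
"""Unsalted vs. salted vs. slow password hashes from the attacker's side.
Added example, not from the thread; dumps and wordlist are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "123456", "qwerty", "correcthorse"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Scenario 2, unsalted MD5: one hash->word table cracks every user in the
# dump in a single pass (a rainbow table does the same without a wordlist).
def crack_unsalted(dump, words):
    table = {md5_hex(w.encode()): w for w in words}
    return {user: table[h] for user, h in dump.items() if h in table}


# Per-user salt: no shared table; the wordlist is rehashed for each user.
# `work` counts hash computations, which grow linearly with the user count.
def crack_salted(dump, words):
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for w in words:
            work += 1
            if md5_hex(salt + w.encode()) == h:
                found[user] = w
                break
    return found, work


# Scenario 3, salted *and* slow: every guess costs `rounds` HMAC iterations.
ROUNDS = 200_000


def slow_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_slow(password: str, salt: bytes, stored: bytes,
                rounds: int = ROUNDS) -> bool:
    # compare_digest is constant-time, so the comparison leaks no timing info
    return hmac.compare_digest(slow_hash(password, salt, rounds), stored)


# Constructed sample dumps: what the attacker holds after the breach.
UNSALTED_DUMP = {
    "alice": md5_hex(b"password"),
    "bob": md5_hex(b"123456"),
    "dale": md5_hex(b"$cb78862A!"),
    "eve": md5_hex(b"not-in-the-wordlist"),
}
SALTS = {"alice": bytes.fromhex("0a1b2c3d"), "bob": bytes.fromhex("deadbeef"),
         "dale": bytes.fromhex("c0ffee00")}
SALTED_DUMP = {
    "alice": (SALTS["alice"], md5_hex(SALTS["alice"] + b"password")),
    "bob": (SALTS["bob"], md5_hex(SALTS["bob"] + b"123456")),
    "dale": (SALTS["dale"], md5_hex(SALTS["dale"] + b"$cb78862A!")),
}

if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    found, work = crack_salted(SALTED_DUMP, WORDLIST)
    print("salted:", found, "hash computations:", work)
    salt = os.urandom(16)
    stored = slow_hash("$cb78862A!", salt)
    print("slow hash verifies:", verify_slow("$cb78862A!", salt, stored))
```

With five words and three salted users the salted attack already needs nine MD5 computations where the unsalted one needed five for the whole table; with 200,000 PBKDF2 rounds per guess, the same nine guesses cost on the order of a second instead of microseconds, which is the margin that lets a user with a password outside the wordlist skip the reset.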




Re: [gentoo-user] unable to login to user account or do su - username

2009-05-04 Thread Alan McKinnon
On Monday 04 May 2009 06:04:16 Valmor de Almeida wrote:
 Alan McKinnon wrote:
  On Sunday 03 May 2009 04:53:41 Mike Kazantsev wrote:
  On Sat, 02 May 2009 20:52:39 -0400
 
  I don't know about motd, but the rest looks like pam problem to me, if
  you're using pam, of course. Try 'euse -i pam' to see if it's enabled.
 
  If that's the case, first of all I'd suggest to check etc-update.
  Then look through /etc/pam.d, especially system-* files. There you can
  remove some of the required (for successfull authentication) modules,
  so their failure won't affect the process.
 
  And read the elogs. There's been some pam updates come through on my
  machines the last few weeks/months.

 I re-emerged pam and following this message:

 --
 LOG: postinst
 Starting from version 20080801, pambase optionally enables
 SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1
 built against sys-libs/glibc-2.7 or later.

I imagine this constraint is satisfied on your machines, otherwise that pam 
would not have been emerged due to blockers in the ebuild

[snip]

 since I find this in /etc/pam.d/system-auth

 
 password    required    pam_unix.so try_first_pass use_authtok
 nullok sha512 shadow
 --

 After these changes (do I need to reboot? I am doing this remotely so I
 will have to wait till I can sit on the console) still can't login or su
 to 3 of the accounts. Also created a new account and no luck logging in to
 it nor using su. Apparently newly created accounts definitely are
 affected. Older accounts still work (???)

You don't need to reboot - pam config is dynamic. Here's a quick go/no-go 
experiment to see if it's the new hashes that are doing it. Find an account 
that can sudo to root on the affected machines and examine the shadow file. 
See what kind of hashes the affected accounts are using. md5 is 34 characters 
long and sha512 is 98 in this format:

$x$salt$hash
x is 1 for md5 and 6 for sha512. salt is 8 characters for both

If the affected account is sha512, run

openssl passwd -1

to generate an md5 hash, and copy paste it back into field 2 of your account 
in shadow. You might want to comment out a copy of the original line just in 
case. See if sudo now works. If so, hashes are the problem. If not, we should 
look further, especially at the pam config for sudo.

Here's mine which works:

auth        include     system-auth
account     include     system-auth
password    include     system-auth
session     include     system-auth

And you did confirm that sudo checks for wheel group membership, and that you 
are still in this group?

-- 
alan dot mckinnon at gmail dot com
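
Alan's go/no-go check (look at field 2 of /etc/shadow and see which hash each account uses) as an added Python example, not something from the thread. It classifies every line of a shadow dump by crypt(3) scheme, reports locked and empty entries, and lists the accounts still on md5, DES or no password at all. It also accepts the rounds= prefix and the longer salts that newer glibc and libxcrypt emit, and the bcrypt/yescrypt formats, so it can be pointed at a modern system too. The sample lines are constructed with fake salts and hashes of the right shape and length; nothing here comes from anyone's real shadow file.

```python
"""Audit an /etc/shadow dump for the hash scheme of every account.
Added example; the SAMPLE lines are constructed.  Usage:
    sudo python3 shadow_audit.py < /etc/shadow"""
import sys

# crypt(3) scheme identifiers understood by glibc / libxcrypt
SCHEMES = {
    "1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt",
    "gy": "gost-yescrypt",
}
WEAK = {"md5", "des", "none"}
PARAM_FIRST = {"yescrypt", "gost-yescrypt", "scrypt", "bcrypt"}  # $id$params$salt...


def classify(field: str) -> dict:
    """Describe the second (password) field of one shadow line."""
    if field == "":
        return {"scheme": "none", "status": "empty"}
    status = "ok"
    if field[0] in "!*":            # locked account, or no password ever set
        status = "locked"
        field = field.lstrip("!*")
        if field == "":
            return {"scheme": "none", "status": status}
    if not field.startswith("$"):
        # traditional DES crypt: 2-character salt + 11 characters, no '$'
        return {"scheme": "des", "status": status, "salt": field[:2],
                "length": len(field)}
    parts = field.split("$")[1:]   # [id, rounds/params?, salt, hash]
    scheme = SCHEMES.get(parts[0], "unknown:" + parts[0])
    info = {"scheme": scheme, "status": status, "rounds": None,
            "length": len(field)}
    if scheme in PARAM_FIRST:
        info["params"] = parts[1] if len(parts) > 1 else ""
        rest = parts[2] if len(parts) > 2 else ""
        if scheme == "bcrypt":     # $2b$cost$<22 salt chars><31 hash chars>
            info["rounds"] = int(parts[1])
            info["salt"] = rest[:22]
        else:
            info["salt"] = rest
        return info
    if len(parts) > 2 and parts[1].startswith("rounds="):
        info["rounds"] = int(parts[1][len("rounds="):])
        del parts[1]
    info["salt"] = parts[1] if len(parts) > 1 else ""
    return info


def audit(lines):
    """Yield (user, info) for every shadow line; comments and blanks skipped."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        yield user, classify(field)


def weak_accounts(lines):
    """Accounts that can log in (or have no password) with a weak scheme."""
    return [u for u, i in audit(lines)
            if i["status"] in ("ok", "empty") and i["scheme"] in WEAK]


# Constructed sample: fake salts and hashes, but the right shape and length
# (md5 field is 34 characters, sha512 with an 8-character salt is 98).
SAMPLE = [
    "root:$6$abcdefgh$" + "h" * 86 + ":18000:0:99999:7:::",
    "alan:$1$abcdefgh$" + "m" * 22 + ":18000:0:99999:7:::",
    "valmor:$6$rounds=65536$abcdefghijklmnop$" + "h" * 86 + ":18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
    "svc:!$6$abcdefgh$" + "h" * 86 + ":18000:0:99999:7:::",
    "legacy:abJnggxhB/yWI:18000:0:99999:7:::",
    "nopass::18000:0:99999:7:::",
]

if __name__ == "__main__":
    src = SAMPLE if sys.stdin.isatty() else sys.stdin
    for user, info in audit(src):
        flag = "WEAK" if (info["status"] in ("ok", "empty")
                          and info["scheme"] in WEAK) else ""
        print(f"{user:10} {info['scheme']:8} {info['status']:6} {flag}")
```

On the constructed sample it flags alan (md5), legacy (DES) and nopass (empty field); if the accounts that cannot log in are exactly the ones whose scheme differs from the working accounts, that is the evidence Alan's experiment is after.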



Re: [gentoo-user] Managing multiple systems with identical hardware

2013-10-01 Thread Grant
 Keeping all of the laptops 100% identical as far as hardware is
 central to this plan.  I know I'm setting myself up for big problems
 otherwise.

 I'm hoping I can emerge every package on my laptop that every other
 laptop needs.  That way I can fix any build problems and update any
 config files right on my own system.  Then I would push config file
 differences to all of the other laptops.  Then each laptop could
 emerge its own stuff unattended.

 I see what you desire now - essentially you want to clone your laptop
 (or big chunks of it) over to your other workstations.

 That sounds about right.

 To get a feel for how it works, visit puppet's web site and download
 some of the test appliances they have there and run them in vm software.
 Set up a server and a few clients, and start experimenting in that
 sandbox. You'll quickly get a feel for how it all hangs together (it's
 hard to describe in text how puppet gets the job done, so much easier to
 do it for real and watch the results)

 Puppet seems like overkill for what I need.  I think all I really need
 is something to manage config file differences and user accounts.  At
 this point I'm thinking I shouldn't push packages themselves, but
 portage config files and then let each laptop emerge unattended based
 on those portage configs.  I'm going to bring this to the 'salt'
 mailing list to see if it might be a good fit.  It seems like a much
 lighter weight application.

 Two general points I can add:

 1. Sharing config files turns out to be really hard. By far the easiest
 way is to just share /etc but that is an all or nothing approach, and
 you just need one file to be different to break it. Like /etc/hostname

 You *could* create a share directory inside /etc and symlink common
 files in there, but that gets very tedious quickly.

 Rather go for a centralized repo solution that pushes configs out, you
 must just find the one that's right for you.

Does using puppet or salt to push configs from my laptop qualify as a
centralized repo solution?

 2. Binary packages are almost perfect for your needs IMHO, running
 emerge gets very tedious quickly, and your spec is that all workstations
 have the same USE. You'd be amazed how much time you save by doing this:

 emerge -b on your laptop and share your /var/packages
 emerge -K on the workstations when your laptop is on the network

 step 2 goes amazingly quickly - eyeball the list to be emerged, they
 should all be purple, press enter. About a minute or two per
 workstation, as opposed to however many hours the build took.

The thing is my laptop goes with me all over the place and is very
rarely on the same network as the bulk of the laptop clients.  Most of
the time I'm on a tethered and metered cell phone connection
somewhere.  Build time itself really isn't a big deal.  I can have the
clients update overnight.  Whether the clients emerge or emerge -K is
the same amount of administrative work I would think.

 3. (OK, three points). Share your portage tree over the network. No
 point in syncing multiple times when you actually just need to do it once.

Yep, I figure each physical location should designate one system to
host the portage tree and distfiles.

- Grant



Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
> Mick wrote:

> > https://en.wikipedia.org/wiki/LastPass#Security_issues
> > 

> From what I read, no users had their passwords compromised in those.

I read it differently.  LastPass didn't know if any passwds were compromised 
(or wouldn't tell you).  As a precaution they asked users to change their 
master passwd, while they changed their server's salt.  In addition, there 
were XSS vulnerabilities later on, which is probably to be expected with 
JavaScript and similar technologies.


> As
> I pointed out earlier, the passwords are already encrypted when they are
> sent to LastPass.  If I called LastPass, could prove I am who I claim to
> be and asked them for a password to a site, they couldn't give it to me
> because it is encrypted when it leaves my machine. 

I don't know exactly how the LastPass architecture is configured, other than 
it relies on device based encryption activated with JavaScript, but anomalies 
they observed in incoming and outgoing traffic on the 2011 incident indicate 
someone was interfering with their data streams.  Given Diffie-Hellman could 
be compromised (e.g. as per Logjam) by precomputing some of the most commonly 
used primes in factoring large integers, it may be someone was undertaking 
comparative analysis to deduce ciphers and what not.  If the server salt was 
obtained, then one layer of encryption was compromised.

All this is juxtaposition and my hypothesizing does not mean LastPass is not 
useful, or not secure.  It just means its design is not as secure as locally 
run simpler encryption mechanisms, which do not leave your PC and are not 
stored somewhere else.

The greater surface area a security system exposes, the higher likelihood 
someone will take a punt at cracking it.  A browser, sandboxed or not, has far 
too many moving parts and exposed flanks to keep crackers and state actors 
busy.  I expect with advances in AI this effort will accelerate 
logarithmically.


> As I pointed out to Rich, I don't expect these tools to be 100%.  There
> is no perfect password tool or a perfect way to manage them either.  No
> matter what you do, someone can come along and poke a hole in it.  If
> you use a tool, the tool is hackable.  If you use the same password that
> is 40 characters long for several dozen sites, then the site can be
> hacked and they have the password for those other sites as well.  The
> list could go on for ages but it doesn't really change anything.  We do
> the best we can and then hope it is enough.  Using tools is in my
> opinion better than not using a tool at all.  At the least, they will
> have a hard time breaking into a site directly without my password.  It
> beats the alternative which is cutting off the computer and unplugging
> it.  :-( 

Yes, well said.  A disconnected and switched off PC is probably quite secure, 
but what use is this to anybody.  LOL!  The effectiveness of PC security is 
challenged on a daily basis and you eventually have to arrive at a personal 
trade-off between security and usability.

-- 
Regards,
Mick



Re: [gentoo-user] Can't use gnome! [SOLVED]

2008-01-25 Thread Michael Sullivan
On Fri, 2008-01-25 at 20:04 +0100, b.n. wrote:
 Michael Sullivan wrote:
  I rebooted into Linux a couple of days ago and tried to log into gnome,
  and a whole bunch of error messages popped up.  They all said basically
  this:
  
  There was an error loading config from /apps/gnome-terminal/global.
  (Failed to contact configuration server; some possible causes are that you
  need to enable TCP/IP networking for ORBit, or you have stale NFS locks
  due to a system crash. See http://www.gnome.org/projects/gconf/ for
  information. (Details -  1: IOR file '/tmp/gconfd-michael/lock/ior' not
  opened successfully, no gconfd located: No such file or directory 2: IOR
  file '/tmp/gconfd-michael/lock/ior' not opened successfully, no gconfd
  located: No such file or directory))
 
 I'm a KDE user, so take my advice with a grain of salt. But I googled a
 bit, and you're not alone (even if your error is obscure). Unfortunately
 I failed to find a clear cut solution.
 
 However, you may try to start gnome with another user, or erase (move)
 your .gnome .gconf etc. and retry. It seems something in your
 configuration files is weird.
 
 m.

I fixed it.  Somehow some permissions on some directories on /tmp got
changed.  I changed them back, and it seems to be back to normal now...

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] best practice for kernel mainteneance

2008-11-28 Thread Dale
Thanasis wrote:
 Regarding kernel maintenance, mostly from the point of view of
 security, which is the best way to go:
 1) Having gentoo-sources in /var/lib/portage/world, which would mean
 the sources would be upgraded whenever portage marks a newer version
 as stable (provided someone follows stable)?
 2) Not having gentoo-sources in /var/lib/portage/world, which would
 mean the sources would be upgraded only as a dependency for some other
 package (which is quite improbable/rare)?

 (or, I may be missing something :-) )




This is my opinion and you are welcome to take it with a grain of salt. 
I rarely upgrade unless I have new hardware that needs it or there is
some security thing that affects me.  Since I am on dial-up, good luck
with the last one.

Basically, upgrade when you need to.  It may be new hardware that is not
in the older kernels, some security issue that affects you or maybe that
something will work better with a newer kernel.  If what you have works,
use it.

If you do upgrade, make sure to save your old sources and your old
kernel.  That way if something does not work with the new kernel, you
can boot with the old one until you get things sorted.  Don't ask me how
I learned this because it brings up bad memories.  :-(  Just kidding
about not asking though it is a bad memory.

My $0.02 worth.

Dale

:-)  :-) 



Re: [gentoo-user] best practice for kernel maintenance

2008-11-28 Thread Thanasis

on 11/28/2008 01:19 PM Dale wrote the following:

Thanasis wrote:
  

Regarding kernel maintenance, mostly from the point of view of
security, which is the best way to go:
1) Having gentoo-sources in /var/lib/portage/world, which would mean
the sources would be upgraded whenever portage marks a newer version
as stable (provided someone follows stable)?
2) Not having gentoo-sources in /var/lib/portage/world, which would
mean the sources would be upgraded only as a dependency for some other
package (which is quite improbable/rare)?

(or, I may be missing something :-) )






This is my opinion and you are welcome to take it with a grain of salt. 
I rarely upgrade unless I have new hardware that needs it or there is

some security thing that affects me.  Since I am on dial-up, good luck
with the last one.

  

I'm on ADSL but keep the connection and machine (laptop) always on.

Basically, upgrade when you need to.  It may be new hardware that is not
in the older kernels, some security issue that affects you or maybe that
something will work better with a newer kernel.  

Yes, I agree, that's one reason.

If what you have works,use it.
If you do upgrade, make sure to save your old sources and your old
kernel.  That way if something does not work with the new kernel, you
can boot with the old one until you get things sorted. 

That's the way I have always been doing it.
Thanks. :-)



Re: [gentoo-user] OT worth upgrading hardware ?

2005-10-02 Thread Folken
On Sun, Oct 02, 2005 at 08:12:56AM +0100, Dave S wrote:
 
 The GHz sound impressive but I know neither chip is very powerful, I 
 believe they 'water down' the internals! I can't find anywhere a 
 comparison between my PIII & these two possibilities.

I found a comparison between (almost) your target cpus: 
http://www.pcper.com/article.php?aid=61

(note the celeron is actually the 2.8 GHz Model) 

 My PIII is old technology, these two are newer technology with faster 
 clock speeds but engineered to a price, would the speed increase be 
 noticeable ? Any comments ?

The 512 MB RAM will definitely be noticeable when you work with KDE. KDE is
very RAM hungry and I wouldn't recommend running it with less than 512.
(Although speed / memory consumption seem to have improved miles with
the latest versions of KDE.)

 Intel Celeron 2.4GHz 128K 400MHz Socket 478 CPU OEM - 512MB RAM
 AMD Sempron 2800+ 2.0GHz (333FSB) 256K Cache Socket A OEM - 512 MB RAM

As to the processors, I'd go for the Sempron. Celerons are IMO castrated
Pentiums and really not great for compiler runs. The halved L1 cache
really hits the performance in general. Since you are on a constrained
budget I'd even more strongly urge you toward AMD, since they usually give
you more performance for the buck.  

(That being said.. i'm no fan of intel. Therefore take this with a grain
of salt.)  

Oh btw.. you may ignore GHz numbers now.. they are no longer an
indicator of how fast processors are.  

- Folken



Re: [gentoo-user] [blocks B ] mail-mta/qmail-1.03-r16 (is blocking net-mail/cmd5checkpw-0.30)

2005-10-24 Thread Stuart Howard
I had the same block yesterday; below is what I did, and it
worked a treat for me.

-snip-
555  emerge -aDuv world  {block showed up here}
556  emerge -aCv qmail
557  emerge -av qmail
-snip-

stu

On 23/10/05, Mike Williams [EMAIL PROTECTED] wrote:
 On Sunday 23 October 2005 00:18, [EMAIL PROTECTED] wrote:
  Still something to learn I guess. my poppasswd file is still the example
  file that came with whatever it came with. My pop accounts are
  authenticated via the regular linux logins, so for every pop user (3 at
  the moment) I have a user acount in linux.

 Good good.

  What package uses this poppasswd file?

 cmd5checkpw, and anything else which does CRAM MD5 authentication at a guess.
 CRAM is done by sending a hash of the password over the wire, the salt is
 unique for each connection, so you need the plain text password on the server
 to check against, which are kept in poppasswd.
 Secure over the wire, hideously insecure on the server.

  I tried qpkg, but that doesn't seem to exist any more?

 Yeah, it got moved to another package as it's deprecated in favour of equery.

  Does the above mean I can safely enable noauthcram?

 Yes.

 --
 Mike Williams




--
There are 10 types of people in this world: those who understand
binary, those who don't

--Unknown


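Mike's point about CRAM-MD5 (the server must keep the clear-text password because it has to recompute the client's response against a fresh per-connection challenge) as an added example, not cmd5checkpw's code. It is the RFC 2195 exchange with both sides written out: the server issues a challenge, the client answers with HMAC-MD5(password, challenge), the server recomputes and compares. The second verifier shows the other half of Mike's remark: if all the server stored were a salted one-way hash of the password, it could not produce the same HMAC, so a hashed credential store cannot check CRAM responses at all. The user table is constructed; on the wire both messages are additionally base64-encoded, which is left out here.

```python
"""CRAM-MD5 (RFC 2195) as a two-party exchange, showing why the server
needs the clear-text password.  Added example; credential stores are
constructed, not anyone's poppasswd file."""
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str = "mail.example") -> bytes:
    """Server side: fresh per-connection nonce in the RFC's msg-id shape."""
    nonce = f"{os.getpid()}.{int(time.time())}.{os.urandom(8).hex()}"
    return f"<{nonce}@{hostname}>".encode()


def client_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(response: str, challenge: bytes, cleartext_db: dict) -> bool:
    """Server side: recompute the HMAC, which requires the clear-text password."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = cleartext_db.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def server_verify_with_hash(response: str, challenge: bytes, hashed_db: dict) -> bool:
    """What does NOT work: a stored one-way hash is not the HMAC key the
    client used, so a hashed credential store can never validate a CRAM
    response (this always returns False for a genuine client)."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = hashed_db.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed credential stores: clear text (what CRAM needs, "hideously
# insecure on the server") versus a salted hash (safe at rest, useless here).
CLEARTEXT_DB = {"stu": "tr0ub4dor&3"}
HASHED_DB = {"stu": hashlib.sha256(b"somesalt" + b"tr0ub4dor&3").hexdigest()}

if __name__ == "__main__":
    ch = make_challenge()
    resp = client_response("stu", "tr0ub4dor&3", ch)
    print("S: challenge", ch.decode())
    print("C: response ", resp)
    print("clear-text store verifies:", server_verify(resp, ch, CLEARTEXT_DB))
    print("hashed store verifies    :", server_verify_with_hash(resp, ch, HASHED_DB))
```

The test below also checks the worked example from RFC 2195 itself (user tim, password tanstaaftanstaaf), so the HMAC construction can be confirmed against the standard rather than only against itself.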


[gentoo-user] SanDisk MobileMate?

2007-06-30 Thread Willie Wong
Hi List, 

  Sorry if this is a stupid question: I've never actually owned a
  device using a MicroSD card--until now. I have for myself a Motorola
  KRZR K1 phone, and I am thinking of buying a MicroSD card so I can
  transfer music/pictures between the phone and my laptop. To do that,
  I'll also need a card reader for the MicroSD card. 

  I'm considering the SanDisk MobileMate SD+ 5-in-1 reader, partly
  because I've heard (through the grapevines) that it works under
  Ubuntu and Suse pretty much just plug and play. 

  Does anyone have any experience with this device? Or any other card
  readers? Caveats and suggestions about using card readers with
  gentoo will be appreciated. Do devices like those need any kernel
  voodoo to work, or do they just function as USB mass storage
  devices? 

  Being completely clueless, any suggestion is welcome. 

Thanks in advance, 

Willie
-- 
Fred Lio tells me that chips are best fried with sea salt and vinegar. 
Dang it! Maybe that's what I'm doing wrong. I've been smothering them
in sour cream & onion this whole time!
~DP. Following thread on him blowing his display card
Sortir en Pantoufles: up 205 days,  1:27



Re: [gentoo-user] Recommend me a good PCMCIA wireless network card

2005-07-30 Thread Will Salt

On 24/07/05 18:06:51, Stroller wrote:


On Jul 24, 2005, at 1:49 am, Ian K wrote:


I have an older laptop that I want to add to my network,
(its a 802.11B one) and I was wondering what brands/models
would work the best under Linux. Im fairly flexible, and would
really not like to tinker with too many drivers. Any good ideas?


Currently available are cards using the Ralink chipset, as this  
manufacturer has open-sourced their own drivers and there is a strong  
GPL project that will (I believe) eventually join the main kernel  
tree.


I bought one of these by accident - I bought a PC with an Asus A8V  
motherboard without realising that it included on-board wireless with  
the RT2500 chipset.*  The main thing to beware of is that the RT2500  
driver doesn't work with SMP kernels; at first, before I realised this,  
I was using an SMP kernel even though I have a single-processor system,  
and found that the system would lock up within seconds of loading the  
RT2500 module.



* Asus made (make?) two motherboards with almost-identical part  
numbers, and almost identical specs, the main difference being the  
wireless chipset.  When I bought my PC, the spec didn't mention enough  
of the mb part number to tell which it was; but as wireless wasn't  
mentioned in the PC spec, and I was offered (and turned down) a  
wireless card as an optional extra, I assumed I'd be getting the  
cheaper non-wireless MB.  I was pleasantly surprised to find the more  
expensive one in the case when it arrived.






Re: [gentoo-user] grub passwords - how do I limit OS selection?

2006-07-30 Thread Rumen Yotov
Mark Knecht wrote:
 On 7/30/06, Arturo 'Buanzo' Busleiman [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Mark Knecht wrote:
  NOTE: I currently do this be editing the grub file itself but I'm
  looking for something more sophisticated since I'd like my wife to be
  able to boot Windows but not my son.

 Have windows users, then. Let your son boot it, but not use it.


 
 Arturo,
   Hi. Thanks for the response. Not an acceptable strategy. My son is
 a Windows user for playing games. I do not want him using Windows when
 he chooses since the gaming gets in the way of school, as it should
 for any healthy 14 year old boy. ;-)
 
   What I really want is when the machine turns on he gets Linux
 unless myself or my wife grants him access to Windows.
 
 Thanks,
 Mark
Hi Mark,
Check the official gentoo security guide (docs section).
...
2.b. Password protecting GRUB

GRUB supports two different ways of adding password protection to your
boot loader. The first uses plain text, while the latter uses md5+salt
encryption.
...
Haven't used it though.
HTH.Rumen




Re: [gentoo-user] Windows-only wireless AP?

2009-07-08 Thread J. Roeleveld
On Tuesday 07 July 2009 10:37:36 Alan McKinnon wrote:
 On Tuesday 07 July 2009 10:34:07 Grant wrote:
  I'm trying to connect to a WPA2 wireless router via wicd, but I can't
  get past the authentication.  The owner insists the password is
  correct.  I've spoken to the administrator and I was told the router
  will connect Windows systems, some Mac systems, but no Linux systems.
  Does this amount to the typical Linux is not supported response, or
  could a router actually not work with Linux clients?
 
  I've also tried to connect via /etc/init.d/net.wlan0 and
  wpa_supplicant, but I can't get much information about how it's
  failing because it is backgrounded.  Could net.wlan0 work even though
  wicd fails, and if so, how can I get more info from net.wlan0?

 It's hard to see how a wireless router could bring that about without
 changing how WPA2 works (then it isn't really WPA2 anymore is it?). It's a
 standard protocol.

 WPA2 does work with wicd - are you getting anything in the logs at all
 using both methods?

Take the following with the usual grain of salt.
I don't use WPA myself, but I have seen issues with WEP-passwords where not 
all systems convert it to the hash-value in the same way.

Try using the HEX-value for the WPA password rather than the plain-text 
version.

Thanks,

Joost

ps. WEP is ok if you run a VPN over it :)
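
Joost's suggestion (hand the client the hex PSK instead of the passphrase) as an added Python example, not from the thread. WPA/WPA2 derive the 256-bit PSK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds), so any difference in what a client feeds into that derivation, such as a trailing space or a differently cased SSID, yields a different key and a failed 4-way handshake even though "the password is correct". The precomputed 64-hex-digit PSK is used as-is and sidesteps that. The check value in the test is the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); the SSID and passphrase in the main block are just that vector, not anyone's network.

```python
"""WPA/WPA2 PSK derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds,
32 bytes) and why the hex PSK avoids client-side passphrase quirks.
Added example; the only network named is the standard's test vector."""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Hex PSK as wpa_passphrase(8) prints it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def psk_variants(passphrase: str, ssid: str) -> dict:
    """Keys a client would end up with from slightly mangled input."""
    return {
        "as typed": wpa_psk(passphrase, ssid),
        "trailing space": wpa_psk(passphrase + " ", ssid),
        "ssid lowercased": wpa_psk(passphrase, ssid.lower()),
    }


def wpa_supplicant_network(ssid: str, passphrase: str) -> str:
    """network block for wpa_supplicant.conf carrying the precomputed PSK
    (psk= without quotes means hex, not a passphrase)."""
    return (f'network={{\n\tssid="{ssid}"\n'
            f'\tpsk={wpa_psk(passphrase, ssid)}\n}}\n')


if __name__ == "__main__":
    for name, psk in psk_variants("password", "IEEE").items():
        print(f"{name:16} {psk}")
    print(wpa_supplicant_network("IEEE", "password"))
```

`wpa_passphrase IEEE password` from the wpa_supplicant package prints the same network block; compare its psk= line with what the router's admin page shows if the router can display the computed key, and if they differ the mismatch is in the input, not in Linux support.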



Re: [gentoo-user] apache https setup

2009-07-18 Thread Mick
On Friday 17 July 2009, Roger Mason wrote:
 Hello,

 I'm trying to set up an apache https server.  I keep getting Page Load
 Error when trying to connect.  I'm using apache 2.0.58.  I've generated
 certificates, worked my way through various problems and apache starts
 OK, asking me for the passphrase for the certificate, but it is not
 serving up pages.

 The error_log contains this:

 [Fri Jul 17 13:30:01 2009] [error] [client 127.0.0.1] File does not
 exist: /usr/htdocs

 The error is correct in that /usr/htdocs does not exist, but I have
 set 00_default_vhost.conf to serve documents out of:

 DocumentRoot /var/www/htdocs

I think that you have not configured your vhosts right, otherwise you would 
not be getting the error about /usr/htdocs - that is probably the default 
directory path in your apache configuration?

I cannot access a gentoo apache server at this moment to compare and you don't 
really show nearly enough info from your configuration files, so it may be 
worth having a look at this old wiki page (but take it with a pinch of salt 
as things may have changed slightly since):

http://www.gentoo-wiki.info/HOWTO_Apache_VirtualHost_by_IP_Address

HTH.
-- 
Regards,
Mick


signature.asc
Description: This is a digitally signed message part.


Re: [gentoo-user] apache https setup

2009-07-18 Thread David

Mick wrote:

On Friday 17 July 2009, Roger Mason wrote:

Hello,

I'm trying to set up an apache https server.  I keep getting Page Load
Error when trying to connect.  I'm using apache 2.0.58.  I've generated
certificates, worked my way through various problems and apache starts
OK, asking me for the passphrase for the certificate, but it is not
serving up pages.

The error_log contains this:

[Fri Jul 17 13:30:01 2009] [error] [client 127.0.0.1] File does not
exist: /usr/htdocs

The error is correct in that /usr/htdocs does not exist, but I have
set 00_default_vhost.conf to serve documents out of:

DocumentRoot /var/www/htdocs


I think that you have not configured your vhosts right, otherwise you would 
not be getting the error about /usr/htdocs - that is probably the default 
directory path in your apache configuration?


I cannot access a gentoo apache server at this moment to compare and you don't 
really show nearly enough info from your configuration files, so it may be 
worth having a look at this old wiki page (but take it with a pinch of salt 
as things may have changed slightly since):


http://www.gentoo-wiki.info/HOWTO_Apache_VirtualHost_by_IP_Address

HTH.

post your 00_default_ssl_vhost.conf

--
Powered by Gentoo GNU/Linux
http://linuxcrazy.com



Re: [gentoo-user] ACPI conflict while loading it87 module

2010-08-03 Thread Bill Longman
On 08/02/2010 01:02 PM, pk wrote:
 On 2010-08-02 17:49, Bill Longman wrote:
 
 I just saw, this weekend in fact, that the newer Phenoms, in fact most
 of the recent K10 CPUs, do not work accurately with the atk0110 so when
 the driver starts to load, it flatly refuses. I have a 9750 Phenom and
 that one works great. Works fine in my X2 4000+. These are all assus
 [sic] mobos.  But my 940 Phenom II won't work, thusly:

 k10temp :00:18.3: unreliable CPU thermal sensor; monitoring disabled
 
 Isn't k10temp a different/separate module? If I go to lm-sensors site
 (http://www.lm-sensors.org/wiki/Devices) I see this:
 
 k10temp   PCI 2.6.33 or  standalone driver(2009-12-06) Embedded
 sensors are known to be unreliable on the DR-BA, DR-B2, DR-B3, RB-C2 and
 HY-D0 revisions of the family 10h CPU, which will never be supported.
 Driver contributed by Clemens Ladisch, reviewed by Jean Delvare.
 
 So if you have one of those CPU revisions I guess you're out of luck?
 The chipset on my main rig (Asus m/b) is running an Intel chipset... I
 have only older AMD CPUs (Athlon X2 BE2400) with Gigabyte motherboards
 which don't have the atk0110 so I'm unfortunately not much of help...

Well, I added CONFIG_SENSORS_ATK0110=y to my 940/M4A79DX setup and
gkrellm doesn't show anything. That was one test only, so take it with a
grain of salt.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Mick
On Monday 09 August 2010 21:25:37 Dale wrote:
 Robert Bridge wrote:
  On Mon, Aug 9, 2010 at 8:09 PM, Mickmichaelkintz...@gmail.com  wrote:
  There have been discussions on this list why sudo is a bad idea and sudo
  on *any* command is an even worse idea. You might as well be running
  everything as root, right?
  
  sudo normally logs the command executed, and the account which
  executes it, so while not relevant for single user systems, it STILL
  has benefits over running as root.
  
  RobbieAB
 
 I don't use sudo here but I assume a admin would only know that a nasty
 command has been run well after it was run?  Basically, after the damage
 has been done, you can go look at the logs and see the mess some hacker
 left behind.  For me, that isn't a whole lot of help.  You still got
 hacked, you still got to reinstall and check to make sure anything you
 copy over is not infected.
 
 Assuming that they can erase dmesg, /var/log/messages and other log
 files, who's to say the sudo logs aren't deleted too?  Then you still
 have no records to look at.
 
 I agree with the other posters tho, re-install from scratch and re-think
 your security setup.

That's the problem with any compromise worth its salt, all logs will be 
tampered to clear traces of interfering with your system.  Monitoring network 
traffic from a healthy machine is a good way to establish suspicious activity 
on the compromised box and it also helps checking for open ports (nmap, or 
netcat) to find out what's happening to the compromised box.

-- 
Regards,
Mick


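The open-port check Mick describes above, run from a healthy machine against the suspect box, as an added example that is not part of this thread: a small Python script that parses nmap's grepable (-oG) output and diffs it against a baseline of the listeners the host had before the incident, reporting both ports that should not be open and baseline listeners that have gone away. The host address, ports, service labels and baseline below are constructed for the example.

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output, as captured when a
# suspect host is scanned from a known-healthy machine. The address, ports
# and service labels are made up for this example.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sT -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///, 31337/open/tcp//Elite///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Baseline recorded before the incident: the (protocol, port) pairs this box
# is supposed to be listening on. Constructed for this example.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
}

# One entry of the grepable "Ports:" field has seven slash-separated fields:
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)"
    r"/([^/]*)/([^/]*)/([^/]*)/([^/]*)/"
)


def parse_grepable(text):
    """Map each scanned host to the set of (proto, port, service) nmap reports open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        host = line.split()[1]
        # A host that is up but has nothing open still gets an (empty) entry.
        ports = open_ports.setdefault(host, set())
        # Fields on a Host line are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto, _owner, service, _rpc, _ver in PORT_RE.findall(
            fields.get("Ports", "")
        ):
            if state == "open":
                ports.add((proto, int(port), service))
    return open_ports


def unexpected_open_ports(scan, baseline):
    """Open ports per host that the pre-incident baseline does not account for.

    A host missing from the baseline has every open port flagged: with no
    known-good record there is nothing to trust.
    """
    findings = {}
    for host, ports in scan.items():
        expected = baseline.get(host, set())
        extra = sorted(p for p in ports if (p[0], p[1]) not in expected)
        if extra:
            findings[host] = extra
    return findings


def closed_baseline_ports(scan, baseline):
    """Baseline listeners that are no longer open.

    A legitimate service that has stopped or been replaced is also a signal
    on a suspect box, so it is reported alongside the unexpected ports.
    """
    gone = {}
    for host, expected in baseline.items():
        seen = {(proto, port) for proto, port, _svc in scan.get(host, set())}
        missing = sorted(expected - seen)
        if missing:
            gone[host] = missing
    return gone


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for host, extra in unexpected_open_ports(scan, BASELINE).items():
        for proto, port, service in extra:
            print(f"{host}: unexpected {proto}/{port} ({service or 'unknown'}) open")
    for host, gone in closed_baseline_ports(scan, BASELINE).items():
        for proto, port in gone:
            print(f"{host}: baseline listener {proto}/{port} no longer open")
```

The point of parsing a scan rather than reading the box's own `netstat` is the one Mick makes: on a compromised host the local tools and logs may lie, while a scan from elsewhere sees what is actually answering on the wire. Feed it the real `-oG` file from the healthy machine and a baseline saved from the same scan taken while the host was known to be clean.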


Re: [gentoo-user] python-2.7 python-updater

2011-03-25 Thread Roman Zilka
Mark Knecht (Fri, 25 Mar 2011 06:56:20 -0700):
 On Fri, Mar 25, 2011 at 2:50 AM, Neil Bothwick n...@digimed.co.uk wrote:
  On Fri, 25 Mar 2011 04:37:15 -0500, Dale wrote:
 
  Out of curiosity, how long you, or someone else, been using python
  2.7?
 
  I installed 2.7 on August 10th and removed 2.6 on October 5th.
 
 
  --
  Neil Bothwick
 
 Do you recollect whether you ran python-updater immediately after the
 2.7 emerge, and do you remember whether you set 2.7 as your active
 version 2 python version before or after running python-updater?


My grain of salt of experience from yesterday:
1. emerged python 2.7 (upon a regular daily update)
2. eselect switch to 2.7
3. python-updater (rebuilt about 30 pkgs; all went fine, except pygtk
complained about something apparently minor)
4. re-emerge pygtk, just to be sure, this time it doesn't complain
5. unmerge 2.6
6. there are no traces to be found of python 2.6; everything works

FWIW, it went fine even on an x86 system, where python-2.7.1-r1 is still
~arch.

-rz



Re: [gentoo-user] python-2.7 python-updater

2011-03-25 Thread Dale

Roman Zilka wrote:

Mark Knecht (Fri, 25 Mar 2011 06:56:20 -0700):
   

On Fri, Mar 25, 2011 at 2:50 AM, Neil Bothwickn...@digimed.co.uk  wrote:
 

On Fri, 25 Mar 2011 04:37:15 -0500, Dale wrote:

   

Out of curiosity, how long you, or someone else, been using python
2.7?
 

I installed 2.7 on August 10th and removed 2.6 on October 5th.


--
Neil Bothwick
   

Do you recollect whether you ran python-updater immediately after the
2.7 emerge, and do you remember whether you set 2.7 as your active
version 2 python version before or after running python-updater?
 


My grain of salt of experience from yesterday:
1. emerged python 2.7 (upon a regular daily update)
2. eselect switch to 2.7
3. python-updater (rebuilt about 30 pkgs; all went fine, except pygtk
complained about something apparently minor)
4. re-emerge pygtk, just to be sure, this time it doesn't complain
5. unmerge 2.6
6. there are no traces to be found of python 2.6; everything works

FWIW, it went fine even on an x86 system, where python-2.7.1-r1 is still
~arch.

-rz

   


I'm in the process of doing this too.  So far, so good.  30 out of 53 done.

Dale

:-)  :-)



Re: [gentoo-user] Limit number of cores used by emerge?

2011-09-30 Thread Paul Hartman
On Fri, Sep 30, 2011 at 11:25 AM, Mark Knecht markkne...@gmail.com wrote:
 Hi,
   Is there a portage option that will limit the number of cores used
 by emerge? For instance, in a chroot on a 12 core machine I want to
 limit emerge to not using more than 3 cores?

   If possible, I'd also like to limit the total disk bandwidth
 consumption during emerge. For instance, when untarring a big file to
 do the emerge at times the disk consumption gets too high and the
 machine becomes laggy. Is there an option that addresses this?

   These questions are mostly about being able to update a chroot
 mid-day without other tasks slowing down too much. I don't care how
 long the chroot really takes to get a huge emerge done, but rather just
 keeping the machine very responsive while it's happening. I already
 use:

 MAKEOPTS=-j3
 PORTAGE_NICENESS=15

 which helps (I think) but it doesn't totally address either of the issues 
 above.

If your MAKEOPTS is -j3 then it's not going to use more than 3 cores
at a time but it will touch all 12 cores throughout the process
because of the normal load balancing. If you want it to use only 3
specific cores, you would need to set the processor affinity (usually
done using the taskset command from sys-apps/util-linux).

For the disk I/O you can set an ionice in your make.conf like:
PORTAGE_IONICE_COMMAND="ionice -c 3 -p \${PID}"

Salt to taste. :)



Re: [gentoo-user] Limit number of cores used by emerge?

2011-09-30 Thread Dale

Paul Hartman wrote:

On Fri, Sep 30, 2011 at 11:25 AM, Mark Knechtmarkkne...@gmail.com  wrote:

Hi,
   Is there a portage option that will limit the number of cores used
by emerge? For instance, in a chroot on a 12 core machine I want to
limit emerge to not using more than 3 cores?

   If possible, I'd also like to limit the total disk bandwidth
consumption during emerge. For instance, when untarring a big file to
do the emerge at times the disk consumption gets too high and the
machine becomes laggy. Is there an option that addresses this?

   These questions are mostly about being able to update a chroot
mid-day without other tasks slowing down too much. I don't care how
long the chroot really takes to get a huge emerge done, but rather just
keeping the machine very responsive while it's happening. I already
use:

MAKEOPTS=-j3
PORTAGE_NICENESS=15

which helps (I think) but it doesn't totally address either of the issues above.

If your MAKEOPTS is -j3 then it's not going to use more than 3 cores
at a time but it will touch all 12 cores throughout the process
because of the normal load balancing. If you want it to use only 3
specific cores, you would need to set the processor affinity (usually
done using the taskset command from sys-apps/util-linux).

For the disk I/O you can set an ionice in your make.conf like:
PORTAGE_IONICE_COMMAND="ionice -c 3 -p \${PID}"

Salt to taste. :)




Well, this is interesting:

root@fireball # emerge -1av kate
ionice: bad prio class -3
 * PORTAGE_IONICE_COMMAND returned 1
 * See the make.conf(5) man page for PORTAGE_IONICE_COMMAND usage 
instructions.


When I went to copy this, I noticed it was commented out.  Now I see 
why.  What's up with this?


I bet Mark is going to get this too.

Dale

:-)  :-)



Re: [gentoo-user] Mythtv problems

2011-10-26 Thread Mark Knecht
On Wed, Oct 26, 2011 at 9:29 AM, Michael Sullivan msulli1...@gmail.com wrote:
 On 10/26/11 11:07, Neil Bothwick wrote:
 On Wed, 26 Oct 2011 09:23:30 -0500, Michael Sullivan wrote:

 At first I thought that sometime that installed since Oct 12 was causing
 the segfault, so I tried unmerging the 350+ packages that had installed
 since then and listing them in package.mask, but that blew up in my face
 because I don't know a command that forces portage to ignore masked
 packages and install next-highest stable versions.

 Mask higher versions in package mask

 cat/pkg-version.you.want



 I did, but as I said there were 350+ of them.  And every time I tried
 to emerge anything else, I couldn't because some package I needed was
 listed in package mask.  I got the package list that I added to
 package.mask from /var/log/portage-logs for files dated from October 12
 till 24.  It was an epic fail. I couldn't even emerge -e world because
 of those stupid masked package versions...

OK, I haven't used Myth now in over a year so take this with a grain
of salt. From the log file it appears that your client isn't
connecting to the server which likely explains why you don't see the
programs. I wonder if you've tested connecting to mythconverg manually
via a terminal? Maybe something like /etc/my.cnf or one of the Myth
config files got messed up in the update.

Good luck,
Mark



Re: [gentoo-user] Mythtv problems

2011-10-26 Thread Michael Sullivan
On 10/26/11 11:36, Mark Knecht wrote:
 On Wed, Oct 26, 2011 at 9:29 AM, Michael Sullivan msulli1...@gmail.com 
 wrote:
 On 10/26/11 11:07, Neil Bothwick wrote:
 On Wed, 26 Oct 2011 09:23:30 -0500, Michael Sullivan wrote:

 At first I thought that sometime that installed since Oct 12 was causing
 the segfault, so I tried unmerging the 350+ packages that had installed
 since then and listing them in package.mask, but that blew up in my face
 because I don't know a command that forces portage to ignore masked
 packages and install next-highest stable versions.

 Mask higher versions in package mask

 cat/pkg-version.you.want



 I did, but as I said there were 350+ of them.  And every time I tried
 to emerge anything else, I couldn't because some package I needed was
 listed in package mask.  I got the package list that I added to
 package.mask from /var/log/portage-logs for files dated from October 12
 till 24.  It was an epic fail. I couldn't even emerge -e world because
 of those stupid masked package versions...
 
 OK, I haven't used Myth now in over a year so take this with a grain
 of salt. From the log file it appears that your client isn't
 connecting to the server which likely explains why you don't see the
 programs. I wonder if you've tested connecting to mythconverg manually
 via a terminal? Maybe something like /etc/my.cnf or one of the Myth
 config files got messed up in the update.
 
 Good luck,
 Mark
 

Mysql on camille is broken:

camille ~ # mysql -u root -p
mysql: unknown variable 'expire_logs_days=10'

I'll do some googling, but I think that sounds like a config file
directive.  I'll probably do a rebuild of mysql as well...



[gentoo-user] Re: systemd? [ Was: The End Is Near ... ]

2012-03-17 Thread Nikos Chantziaras

On 18/03/12 03:45, Canek Peláez Valdés wrote:

On Sat, Mar 17, 2012 at 6:48 PM, Nikos Chantziarasrea...@gmail.com  wrote:

On 17/03/12 13:53, Alan Mackenzie wrote:


Hello, Nikos.

On Sat, Mar 17, 2012 at 08:25:48AM +0200, Nikos Chantziaras wrote:


Happy Computer Users, systemd is on your horizon.




No, we don't.  I hope systemd arrives soon.  It's the best init system I
ever saw.



What's so good about it?  What will it do for me?

I have this horrible sneaking suspicion that it will be more complicated
than /sbin/init + OpenRC, just like udev + initramfs is more complicated
than udev, and CUPS is more complicated than classical lpr.

Why do you find it so good?



No idea.  I only posted this because the OP didn't say what's bad about
systemd :-)  I really don't know if I should care whether my system runs OpenRC
or systemd.


Take this with a grain (or a kilo) of salt, since I'm obviously
biased, but IMHO these are systemd advantages over OpenRC:

[...]
* It tries to unify Linux behaviour among distros (some can argue that
this is a bad thing): Using systemd, the same
configurations/techniques work the same in every distribution. No more
need to learn /etc/conf.d, /etc/sysconfig, /etc/default hacks by
different distros.


Out of the things you listed, this strikes me as the most important. 
Linux really needs standards.  When I install software on Windows, it 
knows how to add its startup services.  On Linux, this is all manual 
work if your distro isn't supported, especially on Gentoo.  If there's 
no ebuild for it, you spend your whole day trying to make it work.





Re: [gentoo-user] Re: new mobo : Eth0 recovered

2012-04-23 Thread David W Noon
On Mon, 23 Apr 2012 21:53:36 +0300, Nikos Chantziaras wrote about
[gentoo-user] Re: new mobo : Eth0 recovered:

 On 23/04/12 21:34, David W Noon wrote:
[snip]
  Any chance of you reconfiguring KMail not to send HTML messages?
  Please ... pretty please ... :-)
 
 A mail-client worth its salt should be able to work around that ;-) 
 Thunderbird, the superior mail client (-- flame bait) has an option 
 that says Display HTML messages as plain text, so I never notice
 when someone posts HTML messages here (or anywhere else.)

Claws-mail also has that option, but it applies globally, and there are
some email messages I receive (mostly marketing related) where HTML
gives added value.  Consequently, I would have to keep reconfiguring
Claws to exclude/permit HTML as I change folders.

Since HTML offers no added value in this mailing list, it should be
eliminated at source.

Indeed, one mailing list I read has a listserver that deletes HTML
attachments when it receives a message, and if a message is all HTML it
goes down the gurgler straight away.
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwn...@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*




Re: [gentoo-user] new mobo : Eth0 recovered

2012-04-23 Thread Stroller

On 23 April 2012, at 19:53, Nikos Chantziaras wrote:
 … 
 We all noticed that you are using KMail once more, because you are
 sending HTML messages with a huge font and bold typeface to the list.
 
 Any chance of you reconfiguring KMail not to send HTML messages?
 Please ... pretty please ... :-)
 
 A mail-client worth its salt should be able to work around that ;-) 
 Thunderbird, the superior mail client (-- flame bait) has an option that 
 says Display HTML messages as plain text, so I never notice when someone 
 posts HTML messages here (or anywhere else.)

My client - which is probably not so superior - has this option, but it can 
only be applied globally, not to individual folders or senders.

Some senders - surely those with expensive design teams dedicated to the task - 
ensure that their HTML messages add something useful over the plain text 
version. Amazon's HTML emails show images of the product and I have no problem 
with the text size they use. The HTML notification emails from eBay are 
*fantastic*, showing images of actual items newly listed (in the last 24 hours) 
by vendors that happen to meet my search criteria - this is a *very* useful way 
of navigating potential bargains (and avoiding misleading adverts). There must 
be 10,000 items per day listed on eBay, maybe 100,000, and I am notified of the 
dozen or so that I may be interested in - with pictures right next to the 
description.

So I have to either tolerate Peter's choice of font size, or I have to 
sacrifice being able to read these other messages in their optimum format.

Now I appreciate that my choice of email client is not anyone else's fault, but 
plain-text is the standard of mailing lists, and I think it's a reasonable 
expectation that people conform to it (once their client's faux-pas has been 
pointed out).

Stroller.




Re: [gentoo-user] disk accesses per subdirectory tree

2012-12-21 Thread Mark Knecht
On Fri, Dec 21, 2012 at 5:42 AM, Helmut Jarausch
jarau...@igpm.rwth-aachen.de wrote:
 Hi,

 I'd like to put some subdirectory trees (of / and of /usr and of /home) onto
 an SSD.
 For that I'd like to count the disk accesses which go to a given
 subdirectory tree
 in some given time interval.

 Is there any utility which can measure this?

 Many thanks for a hint,
 Helmut.


Hi Helmut,
   Only responding to say I'd been looking for something to do the
same thing myself and haven't found anything.

   That said, a couple of points:

1) You should be able to watch for issues using smartctl, assuming a
modern SSDs.

2) In a post where I asked about this sort of stuff in the Vertex
forums I received the following response from folks who seem to have
more experience than I. Of course, take this with a grain of salt:

[QUOTE]
Just using round numbers and assuming effective wear leveling, your 30
GB file may get rewritten once a month. That's 25% of the 128 GB
drive, so each NAND cell will get rewritten 3 times a year. If the
NAND is good for 10,000 rewrites, you have LOTS of years available...

Even if it's rewritten every day, that's 100 NAND rewrites/year, or
100 years of NAND life based on rewrites.

You can use any numbers you want, but it will still likely come out to
longer than we care about...
[/QUOTE]

   Keep in mind that the idea of 'effective wear leveling' is
___really___ important here. Unlike an HD, SSDs do not write over and
over to the same location forever. If a block of the drive starts to
get heavily used, in terms of number of writes, then firmware will
move the block to another location and remap the address. This happens
in the drive, not by the OS, so it's invisible to us. (First order
anyway - there are probably ways to find out but I'm not looking for
those.)

   Anyway, as there hadn't been any responses I thought I would...

Cheers,
Mark



Re: [gentoo-user] OT: parental control software

2013-03-20 Thread Michael Mol
On 03/20/2013 07:04 AM, Neil Bothwick wrote:
 I'm looking for software that can be used to control a child's usage of
 the computer (not Internet filtering). At the very least it should be
 able to control length of login sessions and when the child is able to
 login. Ideally it would also be able to control access to programs, for
 example education programs can be used for a couple of hours but games
 for only 30 mins at a time (net control software can be used to deal with
 online versions). There are other situations where this sort of thing is
 useful, so it need not necessarily be a package aimed specifically at
 parental controls.
 
 Timekpr looks the ideal candidate, except it hasn't had a release in
 over three years.
 
 Any suggestions?

I've been studying Kerberos a great deal lately, and so that's naturally
where my mind went when I read this. Take the practicality of the idea
with a grain of salt. I also make no claims to know exactly how to
implement this for programs not already inherently kerberized.

You might use Kerberos to enforce access limits by associating services
with each thing you wish to control, giving the auth tickets a short
rollover period, and refusing to regrant after a ticket has been rolled
over enough times in one day.

That easily covers the question of when the child is able to log in,
and could also work for enforcing the length of login sessions if you're
able to use a thin client model, or put the user's profile on a
kerberized samba or nfs server. I don't know what mechanisms are
available to force clean shutdowns of user sessions, though; anything I
can think of risks data loss if apps haven't committed all open data to
storage yet.





Re: [gentoo-user] Serious problem with linode vm

2013-04-15 Thread Michael Mol
On 04/15/2013 02:08 PM, Tanstaafl wrote:
 On 2013-04-15 2:03 PM, Tanstaafl tansta...@libertytrek.org wrote:

 Ok, I think all I need to get our db back up is to remerge php, but it
 is failing.

 The last error appears to be the zlib check.

 I did already try

 emerge -1 sys-libs/zlib

 and retrying to emerge php, but got the same error:
 
 Ok, added -zlib to package.mask and it is compiling now... I just don't
 know if I need zlib support for our DB app... sigh
 
 If this doesn't work I'll try your suggestion of:
 
 Were this one of my systems (none of which is in a prod scenario, so
 take it with a grain of salt), I'd emerge -e --keep-going @system, and
 then emerge --resume a few times. You're stuck in something not unlike a
 bootstrap scenario.
 
 Thanks a lot Michael... first time anything like this has happened to me
 in a long time. I forgot what it is like to have users (and bosses)
 breathing down my neck like this...
 

That system is going to require a great deal of cleanup and maintenance
to get fully reliable again. Once everything's been rebuilt, you should
be able to have zlib back, etc. It'll just take a while to clean up.

I repeat my suggestion that you set up an alternate server and aim to
migrate to that. It's amazing what you can do with failover,
replication, etc





SOLVED - was Re: [gentoo-user] Serious problem with linode vm

2013-04-16 Thread Tanstaafl

On 2013-04-15 2:02 PM, Michael Mol mike...@gmail.com wrote:

Were this one of my systems (none of which is in a prod scenario, so
take it with a grain of salt), I'd emerge -e --keep-going @system, and
then emerge --resume a few times. You're stuck in something not unlike a
bootstrap scenario.


Ok, well, the DB was down, and I had the data backed up, so last resort, 
I switched back to the 32bit kernel, rebooted, and started the first 
emerge -e --keep-going @system, and left for home to continue working on 
it from there...


It was done by the time I got home (about 25 minute drive), so didn't 
take nearly as long as I had feared - mostly because about 28 packages - 
most of them the ones that take a really long time (like glib, glibc and 
gcc) died almost immediately...


After the first one completed, I did emerge --resume until everything 
was emerged.


Then I started it all over again, and this time, *everything* recompiled 
successfully!


But, apache still wouldn't start up. The error was PHP related, so, I 
rebuilt that with emerge -vu (with 5.4 masked so it would pull in the 
latest update to 5.3 since emerging -vuk (reinstalling the quickpkg'd 
masked version) didn't work - and this time PHP successfully updated, 
and presto, everything is now working as expected!


I'm still planning on finishing up the new server (had already started 
on it) and migrating the DB to it, but now the pressure is off.


So, massive thanks! to Michael for the suggestion (had heard of totally 
rebuilding the entire system using -e and --keep-going, but never done 
it)... and of course, gentoo is amazing.


Charles



Re: [gentoo-user] Managing multiple systems with identical hardware

2013-09-30 Thread Grant
 Keeping all of the laptops 100% identical as far as hardware is
 central to this plan.  I know I'm setting myself up for big problems
 otherwise.

 I'm hoping I can emerge every package on my laptop that every other
 laptop needs.  That way I can fix any build problems and update any
 config files right on my own system.  Then I would push config file
 differences to all of the other laptops.  Then each laptop could
 emerge its own stuff unattended.

 I see what you desire now - essentially you want to clone your laptop
 (or big chunks of it) over to your other workstations.

That sounds about right.

 To get a feel for how it works, visit puppet's web site and download
 some of the test appliances they have there and run them in vm software.
 Set up a server and a few clients, and start experimenting in that
 sandbox. You'll quickly get a feel for how it all hangs together (it's
 hard to describe in text how puppet gets the job done, so much easier to
 do it for real and watch the results)

Puppet seems like overkill for what I need.  I think all I really need
is something to manage config file differences and user accounts.  At
this point I'm thinking I shouldn't push packages themselves, but
portage config files and then let each laptop emerge unattended based
on those portage configs.  I'm going to bring this to the 'salt'
mailing list to see if it might be a good fit.  It seems like a much
lighter weight application.

I'm soaking up a lot of your time (again).  I'll return with any real
Gentoo questions I run into and to run down the final plan before I
execute it.  Thanks so much for your help.  Not sure what I'd do
without you. :)

- Grant



Re: [gentoo-user] Managing multiple systems with identical hardware

2013-09-30 Thread Frank Steinmetzger
On Mon, Sep 30, 2013 at 09:31:18PM +0200, Alan McKinnon wrote:

  (or big chunks of it) over to your other workstations.
  
  Puppet seems like overkill for what I need.  I think all I really need
  is something to manage config file differences and user accounts.  At
  this point I'm thinking I shouldn't push packages themselves, but
  portage config files and then let each laptop emerge unattended based
  on those portage configs.  I'm going to bring this to the 'salt'
  mailing list to see if it might be a good fit.  It seems like a much
  lighter weight application.
 
 Two general points I can add:
 
 1. Sharing config files turns out to be really hard. By far the easiest
 way is to just share /etc but that is an all or nothing approach, and
 you just need one file to be different to break it. Like /etc/hostname
 
 You *could* create a share directory inside /etc and symlink common
 files in there, but that gets very tedious quickly.

How about using something like unison? I've been using it for a while
now to sync a specific subset of ~ between three computers.
It allows for exclude rules for host-specific stuff.
-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me with any Facebook service.

No, you *can’t* call 999 now.  I’m downloading my mail.




Re: [gentoo-user] Intel and Gallium 0.4 on llvmpipe (LLVM 3.4, 256 bits)

2014-05-28 Thread Mick
On Tuesday 27 May 2014 22:41:32 Alan McKinnon wrote:
 On 27/05/2014 18:20, Time Lucky wrote:
  ​
  
    VIDEO_CARDS="intel radeon -freedreno -i915 -i965 -ilo -nouveau -r100 -r200 -r300 -r600 -radeonsi -vmware"
  Solved!
  
  I realized that your VIDEO_CARDS was -i915
  then I removed i915 from make.conf

I wouldn't.  Unless you also have NVidia and Radeon cards too on your machine 
you do not need all these entries.

Try this in your /etc/make.conf:

  VIDEO_CARDS="intel i915"

Then rebuild your xorg drivers and mesa. Finally run 'eselect mesa list' to 
see if you are using gallium or not.  Adjust accordingly.


 Take what I say here with a pinch of salt (building the right drivers
 with the right settings to work right on the right hardware is, IMNSHO,
 a huge amount of black magic :-)
 
 
 anyway, I seem to recall that USE=i915 or i965 was the old way of doing
 things and you needed to know what chipset to build for. Recent code has
 merged all of that nonsense so all you have to do is set
 VIDEO_CARDS=intel and emerge can figure out what to build for the
 hardware it's running on.

Unless it changed recently, you would need to add the mesa module name for 
your card too.

-- 
Regards,
Mick




Re: [gentoo-user] Intel and Gallium 0.4 on llvmpipe (LLVM 3.4, 256 bits)

2014-05-28 Thread Time Lucky
#emacs /etc/portage/make.conf
VIDEO_CARDS="intel i915"

# emerge -av xorg-drivers mesa
# reboot
# eselect mesa list

915 (Intel 915, 945)
  [1]   classic
  [2]   gallium *
i965 (Intel GMA 965, G/Q3x, G/Q4x, HD)
r300 (Radeon R300-R500)
r600 (Radeon R600-R700, Evergreen, Northern Islands)
sw (Software renderer)
  [1]   classic
  [2]   gallium *

and gnome tells it is Gallium 0.4 on llvmpipe (LLVM 3.4, 256 bits) again.

it seems i915 is the very reason.



2014-05-28 15:14 GMT+08:00 Mick michaelkintz...@gmail.com:

 On Tuesday 27 May 2014 22:41:32 Alan McKinnon wrote:
  On 27/05/2014 18:20, Time Lucky wrote:
   ​
  
    VIDEO_CARDS="intel radeon -freedreno -i915 -i965 -ilo -nouveau -r100 -r200 -r300 -r600 -radeonsi -vmware"
   Solved!
  
   I realized that your VIDEO_CARDS was -i915
   then I removed i915 from make.conf

 I wouldn't.  Unless you also have NVidia and Radeon cards too on your
 machine
 you do not need all these entries.

 Try this in your /etc/make.conf:

   VIDEO_CARDS="intel i915"

 Then rebuild your xorg drivers and mesa. Finally run 'eselect mesa list' to
 see if you are using gallium or not.  Adjust accordingly.


  Take what I say here with a pinch of salt (building the right drivers
  with the right settings to work right on the right hardware is, IMNSHO,
  a huge amount of black magic :-)
 
 
  anyway, I seem to recall that USE=i915 or i965 was the old way of doing
  things and you needed to know what chipset to build for. Recent code has
  merged all of that nonsense so all you have to do is set
  VIDEO_CARDS=intel and emerge can figure out what to build for the
  hardware it's running on.

 Unless it changed recently, you would need to add the mesa module name for
 your card too.

 --
 Regards,
 Mick



Re: [gentoo-user] Re: Debian forked, because of systemd brouhaha

2014-12-01 Thread Pandu Poluan
On Mon, Dec 1, 2014 at 9:54 AM, »Q« boxc...@gmx.net wrote:
 On Sun, 30 Nov 2014 07:43:21 +0300
 Andrew Savchenko birc...@gentoo.org wrote:

 On Sat, 29 Nov 2014 17:32:08 +0100 Marc Stürmer wrote:
  Am 29.11.2014 um 11:11 schrieb Pandu Poluan:
 
   What do you think, people? Shouldn't we offer them our eudev
   project to assist?
 
  Since Eudev has always been opensource under the GPLv2, like udev
  too, there's no need to /offer/ it.
 
  If they choose to use it, they can use it, no offer/questions
  necessary. Simple.

 As far as I understand, Pandu meant we can recommend them to use,
 but not some offer in commercial or proprietary terms.

Yup, that's what I meant.

Sorry for the confusion; I'm not a native English speaker, so I may
have used an improper verb there :-)

 They've added something called devuan-eudev to their github workspace
 today, https://github.com/devuan/devuan-eudev.  It would be nice if
 there could be one eudev project with the aim of supporting Gentoo,
 Devuan, and whatever other distros want to use it.  Or if there must be
 multiple eudevs, it would be nice if the different teams could
 communicate and maybe take some patches from each other.  (I'm no dev,
 so take my opinions on what would be nice for development with a
 chunk of salt.)


Actually, that's my point by saying offer: Rather than letting them
build eudev from scratch, let's work together on the eudev we have,
promote it to something distro-neutral, then let Gentoo and Devuan
(and whatever other distros) derive from that 'upstream'

Uh, I do make myself clear(er) here, don't I?


Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pandu.poluan.info/blog/
 • Linked-In : http://id.linkedin.com/in/pepoluan



Re: [gentoo-user] Failed to set XATTR_PAX markings

2015-08-31 Thread Alec Ten Harmsel
On Mon, Aug 31, 2015 at 10:36:02AM -0600, the...@sys-concept.com wrote:
> While compiling/updating the system I get a few packages with messages:
> 
> LOG: install
> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxManage.
> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxSVC.
> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxXPCOMIPCD.
> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxTunctl.
> 
> Failed to set XATTR_PAX markings -me python.
> etc.
> 
> What does it mean?

It looks like you're running Gentoo Hardened. It looks like (from a
cursory read of https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart)
that your filesystem may not support extended attributes. What type of
filesystem is /var/tmp mounted on?

Other info like the output of `emerge --info', what kernel you're
running, and what profile you're on would be helpful.

I personally do not run Hardened, so take this with a grain of salt.

Alec



Re: [gentoo-user] Failed to set XATTR_PAX markings

2015-08-31 Thread Mick
On Monday 31 Aug 2015 19:07:40 Fernando Rodriguez wrote:
> On Monday, August 31, 2015 10:56:44 AM the...@sys-concept.com wrote:
> > On 08/31/2015 10:43 AM, Alec Ten Harmsel wrote:
> > > On Mon, Aug 31, 2015 at 10:36:02AM -0600, the...@sys-concept.com wrote:
> > >> While compiling/updating the system I get a few packages with
> > >> messages:
> > >> 
> > >> LOG: install
> > >> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxManage.
> > >> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxSVC.
> > >> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxXPCOMIPCD.
> > >> Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-bin-4.3.28.100309/image//opt/VirtualBox/VBoxTunctl.
> > >> Failed to set XATTR_PAX markings -me python.
> > >> etc.
> > >> 
> > >> What does it mean?
> > > 
> > > It looks like you're running Gentoo Hardened. It looks like (from a
> > > cursory read of https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart)
> > > that your filesystem may not support extended attributes. What type of
> > > filesystem is /var/tmp mounted on?
> > > 
> > > Other info like the output of `emerge --info', what kernel you're
> > > running, and what profile you're on would be helpful.
> > > 
> > > I personally do not run Hardened, so take this with a grain of salt.
> > > 
> > > Alec
> > 
> > No, I'm not running Gentoo Hardened
> > Here is emerge info
[snip ...]

> 
> > Thelma
> 
> Could be that you don't have extended attributes enabled for your
> filesystem in the kernel. If you're not using a hardened profile and
> nothing is failing it should be ok.

I also noticed this on an ext4 fs, on a PC that does not run hardened.  I 
don't run ACLs or extended attributes from what I recall and that's what I 
attributed this message to.

-- 
Regards,
Mick


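A diagnostic for the check Alec asks for in the first reply (which filesystem /var/tmp sits on) and for Fernando's follow-up guess that extended attributes are not enabled: this is an added example, not code from the thread. The /proc/mounts sample is constructed; on a real box diagnose() reads the live /proc/mounts and writes one throwaway user.* attribute onto a scratch file, which is the same kind of write the PaX marking step performs.

```python
# Added diagnostic for the XATTR_PAX thread (not code from the list):
# the PaX marking step writes a user.* extended attribute onto each
# installed binary, so we ask which mount the path lives on and whether
# that mount accepts a user.* attribute at all.
import errno
import os
import tempfile

# Constructed /proc/mounts sample; diagnose() reads the live file by default.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda2 / ext4 rw,noatime,user_xattr 0 0
tmpfs /var/tmp/portage tmpfs rw,nosuid,nodev,size=8G 0 0
/dev/sda3 /home ext4 rw,noatime,nouser_xattr 0 0
"""


def parse_mounts(text):
    """Return (mountpoint, fstype, option-set) tuples in mount order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escape
        entries.append((mountpoint, fstype, frozenset(options.split(","))))
    return entries


def mount_for(path, entries):
    """Longest-prefix match; on a tie the later (overmounting) entry wins."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, fstype, options in entries:
        mp = os.path.normpath(mountpoint)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, fstype, options)
    return best


def xattr_expectation(fstype, options):
    """True/False when user_xattr/nouser_xattr is explicit, else None."""
    if "nouser_xattr" in options:
        return False
    if "user_xattr" in options:
        return True
    return None  # defaults differ by fs and kernel; a live probe decides


def probe_user_xattr(directory):
    """Try to set a user.* xattr on a scratch file: True, False (ENOTSUP)
    or None when the probe could not run (no setxattr, unwritable dir)."""
    if not hasattr(os, "setxattr"):  # Linux only
        return None
    try:
        fd, scratch = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    except OSError:
        return None
    os.close(fd)
    try:
        os.setxattr(scratch, "user.xattr_probe", b"1")
        return True
    except OSError as exc:
        return False if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP) else None
    finally:
        os.unlink(scratch)


def diagnose(path, mounts_text=None, probe=True):
    """Mount lookup plus (optionally) a live probe of the directory."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    found = mount_for(path, parse_mounts(mounts_text))
    if found is None:
        return {"mountpoint": None, "fstype": None, "expected": None, "probed": None}
    mountpoint, fstype, options = found
    return {
        "mountpoint": mountpoint,
        "fstype": fstype,
        "expected": xattr_expectation(fstype, options),
        "probed": probe_user_xattr(path) if probe and os.path.isdir(path) else None,
    }


if __name__ == "__main__":
    for key, value in diagnose("/var/tmp/portage").items():
        print(f"{key:>10}: {value}")
```

A "probed: False" result is the case the thread describes: the mount is there, but the filesystem refuses the user.* namespace, so every PaX marking on files installed there fails.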


Re: [gentoo-user] Re: installing LTSP

2016-03-11 Thread hw

James wrote:

hw  gc-24.de> writes:



I'm trying to set up an ltsp server.  It seems
that one of the required packages is no longer
available:


I never used ltsp so take what I say with a grain of salt.

Look around; the old code is out there. Find an old version that works
and get that working. Then go to the ltsp upstream development site
and get the latest stable release.


I think I can get something to work.  I'd rather see ltsp in the
Gentoo repo rather than as an overlay, and I'd rather use the
overlay as is.


Create your own ebuild so you are not
dependent on the devs to maintain what you like. Also, look around at
the other Gentoo-derived OSes and see if they have some ltsp hack of
an ebuild lying around.   The Gentoo attic is your friend [2]


I don't know how to create packages, and I don't have endless amounts
of time.  Looking at what Funtoo has might be a good idea, yet they
don't even have a mailing list.  Otherwise I'd have tried it instead
of Gentoo ...


You can usually find a way to build/install it, without using a gentoo
ebuild, but that is not the preferred method.
https://www.gentoo.org/doc/en/ltsp.xml has been removed, so the devs think
it is useless or nobody wants to maintain it. If you really like that
package, be the proxy maintainer once you repair/upgrade the associated
ebuilds. See the proxy-maintainer project in the Gentoo wiki for more detail.


It's not so much about 'liking' but about 'requiring'.  I simply need it
to work last week ...



hth,
James

https://gitweb.gentoo.org/proj/ltsp.git

http://www.ltsp.org/

https://gpo.zugaina.org/Overlays



Re: [gentoo-user] ansible daemon

2017-11-18 Thread Alan McKinnon
On 18/11/2017 23:36, Damo Brisbane wrote:
> Hi,
> 
> I am wanting to have continuously running ansible daemon to push out
> desired state to some servers. I do not see such functionally covered
> within readme (https://wiki.gentoo.org/wiki/Ansible). Am I correct to
> assume that if I want to run ansible as a daemon, I will have to set up
> [if I want] *ansible user*, init.d/ansible rc script? 
> 
> Also note I haven't used Ansible in production - I am assuming that
> running as a daemon is best for this scenario.


You assume wrong. Ansible is not a daemon, it does not listen and cannot
be a daemon. When you need ansible to do something, you give it a play
to run and it does it. Then the play ends and the command quits. There
isn't really much scope for having ansible "continuously run", it does
not know when you have changed things that need updating - only you know
that.

I think you want Tower or AWX or even Rundeck; those are
scheduling/controlling/orchestration wrappers that can fire off ansible
jobs.
As a last resort you can always add a cron to run an overall site.yml
play every X hours or so.


Are you coming from a puppet/salt/chef world? If so, the one thing to
always keep in mind is this:

Ansible is almost, but not quite, entirely unlike Puppet.

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Getting maximum space out of a hard drive

2022-08-21 Thread William Kenworthy


On 21/8/22 13:34, Grant Taylor wrote:

On 8/20/22 10:22 PM, William Kenworthy wrote:
...


If that is an Odroid XU4, then I strongly suspect that /dev/sda is 
passing through a USB interface.  So ... I'd take those numbers with a 
grain of salt.  --  If the system is working for you, then by all 
means more power to you.


I found that my Odroid XU4 was /almost/ fast enough to be my daily 
driver.  But the fan would kick in for some things and I didn't care 
for the noise of the stock fan.  I've not yet compared contemporary 
Raspberry Pi 4 or other comparable systems.



Samsung Exynos 5422 is developed on the 28 nm technology node and 
architecture Cortex-A15 / Cortex-A7. Its base clock speed is 1.40 GHz, 
and maximum clock speed in turbo boost - 2.10 GHz. Samsung Exynos 5422 
contains 8 processing cores.



Instruction set (ISA): ARMv7-A32 (32 bit)
Architecture: Cortex-A15 / Cortex-A7


Yes, it's an XU4 and as I mentioned, it's a USB drive (Seagate 4G backup 
with an SMR inside) - works OK as a backup drive and the data transfer 
is fast until you fill the cache - then its throughput is best 
described as "miserable"!  The XU4 lists as 32-bit and Odroid supplies 
a 32-bit kernel etc - I just used their config as a base when building 
Gentoo onto it - it's my build (for 5 XU4-based HC2 systems) and hosts 
the backup drive.  My attaching the hdparm run was an example of its 
use, and that happened to be the terminal I was using at the time.


BillK



Re: [gentoo-user] Managing multiple systems with identical hardware

2013-10-01 Thread Alan McKinnon
On 01/10/2013 08:07, Grant wrote:
 Keeping all of the laptops 100% identical as far as hardware is
 central to this plan.  I know I'm setting myself up for big problems
 otherwise.

 I'm hoping I can emerge every package on my laptop that every other
 laptop needs.  That way I can fix any build problems and update any
 config files right on my own system.  Then I would push config file
 differences to all of the other laptops.  Then each laptop could
 emerge its own stuff unattended.

 I see what you desire now - essentially you want to clone your laptop
 (or big chunks of it) over to your other workstations.

 That sounds about right.

 To get a feel for how it works, visit puppet's web site and download
 some of the test appliances they have there and run them in vm software.
 Set up a server and a few clients, and start experimenting in that
 sandbox. You'll quickly get a feel for how it all hangs together (it's
 hard to describe in text how puppet gets the job done, so much easier to
 do it for real and watch the results)

 Puppet seems like overkill for what I need.  I think all I really need
 is something to manage config file differences and user accounts.  At
 this point I'm thinking I shouldn't push packages themselves, but
 portage config files and then let each laptop emerge unattended based
 on those portage configs.  I'm going to bring this to the 'salt'
 mailing list to see if it might be a good fit.  It seems like a much
 lighter weight application.

 Two general points I can add:

 1. Sharing config files turns out to be really hard. By far the easiest
 way is to just share /etc but that is an all or nothing approach, and
 you just need one file to be different to break it. Like /etc/hostname

 You *could* create a share directory inside /etc and symlink common
 files in there, but that gets very tedious quickly.

 Rather go for a centralized repo solution that pushes configs out, you
 must just find the one that's right for you.
 
 Does using puppet or salt to push configs from my laptop qualify as a
 centralized repo solution?


yes



 
 2. Binary packages are almost perfect for your needs IMHO, running
 emerge gets very tedious quickly, and your spec is that all workstations
 have the same USE. You'd be amazed how much time you save by doing this:

 emerge -b on your laptop and share your /var/packages
 emerge -K on the workstations when your laptop is on the network

 step 2 goes amazingly quickly - eyeball the list to be emerged, they
 should all be purple, press enter. About a minute or two per
 workstation, as opposed to however many hours the build took.
 
 The thing is my laptop goes with me all over the place and is very
 rarely on the same network as the bulk of the laptop clients.  Most of
 the time I'm on a tethered and metered cell phone connection
 somewhere.  Build time itself really isn't a big deal.  I can have the
 clients update overnight.  Whether the clients emerge or emerge -K is
 the same amount of administrative work I would think.


I see. So you give up the efficiency of binpkgs to get a system that at
least works reliably.

Within those constraints that probably is the best option.

 
 3. (OK, three points). Share your portage tree over the network. No
 point in syncing multiple times when you actually just need to do it once.
 
 Yep, I figure each physical location should designate one system to
 host the portage tree and distfiles.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently.  LastPass didn't know if any passwds were compromised 
> (or wouldn't tell you).  As a precaution they asked users to change their 
> master passwd, while they changed their server's salt.  In addition, there 
> were XSS vulnerabilities later on, which is probably to be expected with 
> JavaScript and similar technologies.
>

I recall the email vaguely.  It said there was nothing that showed the
passwords were compromised.  I did change passwords for things like my
bank etc but left the others alone.  Of course, I change those passwords
on a fairly regular basis anyway.  Thing is, when it comes to financial
stuff, I don't leave as much to chance.  I found the email notice.  Here
is a bit of it:


"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised." 

So, the encrypted stuff such as passwords was not compromised.  They
only got email addys and such which isn't a big deal.


>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass.  If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine. 
> I don't know exactly how the LastPass architecture is configured, other than 
> it relies on device based encryption activated with JavaScript, but anomalies 
> they observed in incoming and outgoing traffic on the 2011 incident indicate 
> someone was interfering with their data streams.  Given Diffie-Hellman could 
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly 
> used primes in factoring large integers, it may be someone was undertaking 
> comparative analysis to deduce ciphers and what not.  If the server salt was 
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not 
> useful, or not secure.  It just means its design is not as secure as locally 
> run simpler encryption mechanisms, which do not leave your PC and are not 
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher likelihood 
> someone will take a punt at cracking it.  A browser, sandboxed or not, has far 
> too many moving parts and exposed flanks to keep crackers and state actors 
> busy.  I expect with advances in AI this effort will accelerate 
> logarithmically.

This is why I don't use the built-in password manager in Firefox.
Firefox most likely concentrates on the browser since its main job is
being a browser.  A password tool is a little lower on the list I would
think.  However, for LastPass and other password tools, it is their main
function to be password tools that are secure but can still work with
the browser as well.


>
>> As I pointed out to Rich, I don't expect these tools to be 100%.  There
>> is no perfect password tool or a perfect way to manage them either.  No
>> matter what you do, someone can come along and poke a hole in it.  If
>> you use a tool, the tool is hackable.  If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well.  The
>> list could go on for ages but it doesn't really change anything.  We do
>> the best we can and then hope it is enough.  Using tools is in my
>> opinion better than not using a tool at all.  At the least, they will
>> have a hard time breaking into a site directly without my password.  It
>> beats the alternative which is cutting off the computer and unplugging
>> it.  :-( 
> Yes, well said.  A disconnected and switched off PC is probably quite secure, 
> but what use is this to anybody.  LOL!  The effectiveness of PC security is 
> challenged on a daily basis and you eventually have to arrive at a personal 
> trade-off between security and usability.
>

This is what I run into with this new password project.  I want one that
is easy for me to remember, easy to type and such but I also want it to
where some script kiddy can't crack it in like 10 seconds while laughing
his/her fool head off at me.  The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade off.  Anything we
use will expose us to something.  That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords. 
Using one password on several sites is one thing that jumps to my mind. 
We just have to try to be reasonable about it.  One thing about this,
I'm putting more effort into one password than most do for every
password they have. 

Now to play with the strength meters some more. 

Dale

:-)  :-)



Re: [gentoo-user] installing to VFAT partition THUFIR HAWAT

2005-05-14 Thread Robert G. Hays
[digest-mode reply]
Thufir,
For good or ill, or maybe both good *and* ill!, Gentoo is basically an 
experts-only distro.
(And STOP RIGHT THERE, flame-writers -- read the rest first.)
Gentoo gives absolutely *awesome* power, but *This* *Thing* *Is* *Dangerous* -- 
it is a loaded *and* *cocked* pistol aimed at everything on your drives if you 
are installing it and are not a seriously knowledgeable Linux user.  I'm 
serious.  I'm _deadly_ serious.
Read the manual, and I suggest at *least* twice, before booting that CD you 
burned.
If you are already a reasonably (==highly!) knowledgeable Linux user, please 
either skip the rest or at least take it with a *packet* of salt rather than a 
grain...  If you are not, read on, and pay attention.
The danger is not Gentoo as such, but the utterly 'naked' commands being used 
by someone who does not yet understand all the 'inwardnesses' of what must be 
done.
This is not to say that a newbie or low-experience user cannot use Gentoo, but I 
would *emphatically* suggest that newbies & other lower-powered *Linux* users 
need to stay away from Gentoo, or else install to a *completely* empty drive, with 
no other drives in the computer.
If you are highly knowledgeable, just about all the power you could ever want is 
in here, including outright *brilliancies* that I never heard of before.  (I 
Like! :) :) :) )  And with that knowledge, Gentoo is no more 'dangerous' than 
any other Linux; probably a lot less dangerous, in fact!
Read the manual (twice!) before booting that CD you burned, and if you are not 
already *very* Linux-knowledgeable, this is not a good distro for you unless 
your intent is to become a Linux expert in the next few weeks, by which time 
you will have a running system.  And I repeat, if you are not already 
knowledgeable, use a blank or blank-ABLE drive, only!, while learning.
If you are not already powerful, other things you will need to know 
somewhat about (www.google.com/linux   and   www.LinuxQuestions.org are 
good places to look) are drives and partitions and formatting, and a 
little about TCP/IP, particularly IPv6 versus the rest of the w-w-world, 
and what your hardware and ISP provide.

Read up, and we will be happy (and *able*!) to help.
Best!,
rgh.
--
gentoo-user@gentoo.org mailing list


Re: [gentoo-user] OT worth upgrading hardware ?

2005-10-02 Thread Raphael Melo de Oliveira Bastos Sales
Perhaps you can get a Sempron with a smaller clock but a higher FSB. I
have an AMD Sempron 2400+ with 400 MHz FSB, 1 GB of RAM and I'm very
happy with it. It plays all the games I want and I can work in it very
smoothly. I recently upgraded to 1 GB of RAM, used to be 512 MB and the
difference is amazing compared to 256, especially compile speeds. So,
unless you might want to upgrade your Celeron to a P4, assuming the
motherboard will take both, I'd go with Sempron, I believe it's more
cost-effective.

2005/10/2, Folken [EMAIL PROTECTED]:
 On Sun, Oct 02, 2005 at 08:12:56AM +0100, Dave S wrote:

  The GHz sound impressive but I know neither chip is very powerful, I
  believe they 'water down' the internals! I can't find anywhere a
  comparison between my PIII & these two possibilities.

 I found a comparision between (almost) your target cpus:
 http://www.pcper.com/article.php?aid=61

 (note the celeron is actually the 2.8 GHz Model)

  My PIII is old technology, these two are newer technology with faster
  clock speeds but engineered to a price, would the speed increase be
  noticeable ? Any comments ?

 The 512 MB RAM will definitely be noticeable when you work with KDE. KDE is
 very RAM hungry and I wouldn't recommend running it with less than 512.
 (Although speed / memory consumption seem to have improved miles with
 the latest versions of KDE)

  Intel Celeron 2.4GHz 128K 400MHz Socket 478 CPU OEM - 512MB RAM
  AMD Sempron 2800+ 2.0GHz (333FSB) 256K Cache Socket A OEM - 512 MB RAM

 As to the processors, I'd go for the Sempron. Celerons are IMO castrated
 Pentiums and really not great for compiler runs. The halved L1 cache
 really hits the performance in general. Since you are on a constrained
 budget I'd even more strongly urge you to AMD, since they usually give
 you more performance for the buck.

 (That being said.. I'm no fan of Intel. Therefore take this with a grain
 of salt.)

 Oh btw.. you may ignore GHz numbers now.. they are no longer an
 indicator of how fast processors are.

 - Folken



Re: [gentoo-user] OT worth upgrading hardware ?

2005-10-02 Thread Dave S

Raphael Melo de Oliveira Bastos Sales wrote:

> Perhaps you can get a Sempron with a smaller clock but a higher FSB. I
> have an AMD Sempron 2400+ with 400 MHz FSB, 1 GB of RAM and I'm very
> happy with it. It plays all the games I want and I can work in it very
> smoothly. I recently upgraded to 1 GB of RAM, used to be 512 MB and the
> difference is amazing compared to 256, especially compile speeds. So,
> unless you might want to upgrade your Celeron to a P4, assuming the
> motherboard will take both, I'd go with Sempron, I believe it's more
> cost-effective.
>
> 2005/10/2, Folken [EMAIL PROTECTED]:
>> On Sun, Oct 02, 2005 at 08:12:56AM +0100, Dave S wrote:
>>
>>> The GHz sound impressive but I know neither chip is very powerful, I
>>> believe they 'water down' the internals! I can't find anywhere a
>>> comparison between my PIII & these two possibilities.
>>
>> I found a comparison between (almost) your target CPUs:
>> http://www.pcper.com/article.php?aid=61
>>
>> (note the Celeron is actually the 2.8 GHz model)
>>
>>> My PIII is old technology, these two are newer technology with faster
>>> clock speeds but engineered to a price, would the speed increase be
>>> noticeable? Any comments?
>>
>> The 512 MB RAM will definitely be noticeable when you work with KDE. KDE is
>> very RAM hungry and I wouldn't recommend running it with less than 512.
>> (Although speed / memory consumption seem to have improved miles with
>> the latest versions of KDE)
>>
>>> Intel Celeron 2.4GHz 128K 400MHz Socket 478 CPU OEM - 512MB RAM
>>> AMD Sempron 2800+ 2.0GHz (333FSB) 256K Cache Socket A OEM - 512 MB RAM
>>
>> As to the processors, I'd go for the Sempron. Celerons are IMO castrated
>> Pentiums and really not great for compiler runs. The halved L1 cache
>> really hits the performance in general. Since you are on a constrained
>> budget I'd even more strongly urge you to AMD, since they usually give
>> you more performance for the buck.
>>
>> (That being said.. I'm no fan of Intel. Therefore take this with a grain
>> of salt.)
>>
>> Oh btw.. you may ignore GHz numbers now.. they are no longer an
>> indicator of how fast processors are.
>>
>> - Folken

Thanks for all your input guys, it's been very helpful. A Sempron seems 
the way to go ... 


Dave





[gentoo-user] php4 vs php5

2006-03-14 Thread James
Hello,

I've installed php4 as needed by a package (JFFNMS). Every time I run 
an 'emerge -uDp world' it wants to upgrade the php4 to either php5
or another form of php4. This gets a little confusing, so I'll try
to be very clear. I do not have php5 installed, and I do not want
php5 installed on this system. I've tried all sorts of machinations
in the /etc/portage dir, without success.

Here's what I have installed:

dev-lang/php
 Available versions:  4.3.11-r5 4.4.1-r3 ~4.4.2 [M]5.0.5-r5 [M]5.1.2
 Installed:   none

dev-php/mod_php
Installed:   4.4.0-r9

dev-php/php
Installed:   4.4.0-r4


So I've tried various entries in my /etc/portage/package.mask file to get the
system happy. package.mask contains:
'=dev-lang/php-5.0.5'

Focusing on php, I run  'emerge -pv dev-lang/php'
and here is the response.

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[blocks B ] dev-php/mod_php (is blocking dev-lang/php-4.4.2)
[blocks B ] dev-php/php (is blocking dev-lang/php-4.4.2)
[ebuild  N] dev-lang/php-4.4.2 

So the question is what do I put in /etc/portage/? file to get
the system to accept the older dev-php files and not try to install
'dev-lang/php' ?

I cannot just install 'dev-lang/php' as it is blocked by the (2)
dev-php files that I need:
dev-php/mod_php and dev-php/php. Of course, take what I'm saying 
with a grain of salt, as I'm describing the symptoms of a php
problem without fully understanding what these package name/group
changes really mean...(where does one read about what the developers
are doing with php and why?). 
jffnms is the critical package here that is causing the php heartburn.

Everything works, I just want the system to quit asking to upgrade
php, every time I upgrade the rest of the system.

ideas?  What did I miss?


James






Re: [gentoo-user] php4 vs php5

2006-03-14 Thread Michael Stewart (vericgar)
James wrote:
 Hello,
 
 I've installed php4 as needed by a package (JFFNMS). Every time I run 
 an 'emerge -uDp world' it wants to upgrade the php4 to either php5
 or another form of php4. This gets a little confusing, so I'll try
 to be very clear. I do not have php5 installed, and I do not want
 php5 installed on this system. I've tried all sorts of machinations
 in the /etc/portage dir, without success.
 
 Here's what I have installed:
 
 dev-lang/php
  Available versions:  4.3.11-r5 4.4.1-r3 ~4.4.2 [M]5.0.5-r5 [M]5.1.2
  Installed:   none
 
 dev-php/mod_php
 Installed:   4.4.0-r9
 
 dev-php/php
 Installed:   4.4.0-r4
 
 
 So I've tried various entries in my /etc/portage/package.mask file to get the
 system happy. package.mask contains:
 '=dev-lang/php-5.0.5'
 
 Focusing on php, I run  'emerge -pv dev-lang/php'
 and here is the response.
 
 These are the packages that I would merge, in order:
 
 Calculating dependencies ...done!
 [blocks B ] dev-php/mod_php (is blocking dev-lang/php-4.4.2)
 [blocks B ] dev-php/php (is blocking dev-lang/php-4.4.2)
 [ebuild  N] dev-lang/php-4.4.2 
 
 So the question is what do I put in /etc/portage/? file to get
 the system to accept the older dev-php files and not try to install
 'dev-lang/php' ?
 
 I cannot just install 'dev-lang/php' as it is blocked by the (2)
 dev-php files that I need:
 dev-php/mod_php and dev-php/php. Of course, take what I'm saying 
 with a grain of salt, as I'm describing the symptoms of a php
 problem without fully understanding what these package name/group
 changes really mean...(where does one read about what the developers
 are doing with php and why?). 
 jffnms is the critical package here that is causing the php heartburn.
 
 Everything works, I just want the system to quit asking to upgrade
 php, every time I upgrade the rest of the system.
 
 ideas?  What did I miss?
 
 
 James
 
 
 

If you are going to change from the old-style PHP (dev-php/php) to the
new-style PHP (dev-lang/php), then you need to follow the PHP upgrading
instructions on this page:

http://www.gentoo.org/proj/en/php/php-upgrading.xml

I highly suggest it, as IIRC the old-style PHP is no longer supported.


-- 
Michael Stewart [EMAIL PROTECTED]
Gentoo Developer    http://dev.gentoo.org/~vericgar

GnuPG Key ID 0x08614788 available on http://pgp.mit.edu




