Re: [arch-general] Package guidelines 

2019-10-15 Thread Emil Lundberg via arch-general
On 2019-10-15 14:23, Fabian Piribauer via arch-general wrote:
> It's debatable if calling an idea stupid is rude, but just cutting off
> all communication because you feel offended is not the way to go. If he
> really wanted to improve things, he should have noted the tone as a side
> note after addressing the mentioned issues with his proposal.

Agreed.

/Emil





Re: [arch-general] Package guidelines 

2019-10-15 Thread Emil Lundberg via arch-general
Maybe it's just me, but I don't think it seems appropriate for a TU to
respond like that to a member of the community. It certainly doesn't
make for a welcoming atmosphere. Even though Arch is not for everyone,
there's no need to actively drive people away by being rude. I also
don't think authority is a good excuse for being rude - quite the
opposite, in fact.

/Emil


On 2019-10-14 17:22, Doug Newgard via arch-general wrote:
> On Mon, 14 Oct 2019 17:17:09 +0200
> Alberto Salvia Novella via arch-general wrote:
>
>> Robin Broda:
>>> This is universally stupid.  
>> abrasiveness = blockage
>>
> LOL, blocking a TU who's making valid points.
>
> This thread was going nowhere in the first place, so I guess it doesn't 
> matter.


Re: [arch-general] Package guidelines 

2019-10-14 Thread Emil Lundberg via arch-general
On 2019-10-14 16:48, Alberto Salvia Novella via arch-general wrote:
> - Start new variables and functions names with a capital letter, to
> avoid clashes with those in makepkg itself. 

Isn't there an existing convention to use an underscore prefix
(`_pkgname`) for this?

/Emil




Re: [arch-general] espeakup

2019-08-15 Thread Emil Lundberg via arch-general
How is this a trash question?

/Emil

On 2019-08-14 20:36, Adrián Benítez Merino via arch-general wrote:
> Could you please stop spamming the mailing list with trash questions?
>
> On Wed, 14 Aug 2019 19:45, adérito wrote:
>
>> Hello, how do I put espeakup in Portuguese and have the configuration of
>> espeakup in Portuguese?
>>
>> Sent from Mail for Windows 10
>>
>>


Re: [arch-general] Maria update

2019-06-27 Thread Emil Lundberg via arch-general
Maybe this?

https://www.archlinux.org/news/mariadb-104x-update-requires-manual-intervention/

/Emil

On Fri, 28 Jun 2019, 03:10 mick howe via arch-general, <
arch-general@archlinux.org> wrote:

> this morning's update of mariadb failed with this error:-
> Phase 7/7: Running 'FLUSH PRIVILEGES'
> OK
> Could not create the upgrade info file '/var/lib/mysql/mysql_upgrade_info'
> in the MariaDB Servers datadir, errno: 13
>
> what does it mean and how do I fix it
>
> mick, freezing in glen innes
>


Re: [arch-general] How long do you make the passphrase for the private key?

2019-06-24 Thread Emil Lundberg via arch-general
I think the fact that it's not possible to be perfectly safe is not a good
reason to not earnestly consider what you _can_ do to try to protect
yourself. Of course you won't stand a chance if a nation-state is
determined to get you, but that doesn't mean you should just give up and
wing it, because the most relevant threats are probably much less capable
in most cases. It's still a good idea to try to quantify one's threat model
and what it would take to protect yourself, and then make a (somewhat)
educated decision on how much effort one is willing to spend on it.

/Emil

On Tue, 25 Jun 2019, 01:14 Ralf Mardorf via arch-general, <
arch-general@archlinux.org> wrote:

> You want to make the packages available for general use. Does general
> use require behavioral biometric verification and spring guns?
>
> Black hats are able to hack Google and Facebook, whatever you
> will do, you never ever will be able to reach the level of security
> those and the other most successful computer related companies are able
> to accomplish.
>
> IMO an averaged "strong" but still memorizable passphrase, even when
> following obsolete rules, is ok.
>


Re: [arch-general] How long do you make the passphrase for the private key?

2019-06-24 Thread Emil Lundberg via arch-general
Some ballpark numbers, rounded to one significant figure:

10 characters chosen truly randomly from an alphabet of 70 characters (e.g.,
[a-zA-Z0-9#$&_() =+/%]) is ~61 bits of entropy and will take just about 90
years to brute-force at 1e9 guesses per second, or 30 days at 1e12/s.

The Bitcoin swarm is currently estimated to perform 60e18 hash guesses per
second [1], so the 10-character password would be safe from the swarm for
about 50 milliseconds, give or take a few orders of magnitude (depending on
algorithm differences; mostly irrelevant for this discussion).

14 characters (85 bits) would be safe from the (current) swarm for about 10
days, 16 characters (98 bits) for about 200 years.

6 words chosen randomly (not a grammatically valid sentence!) from a list
of 1000 words (59 bits) would take about 30 years to break at 1e9/s, and 10
days at 1e12/s. 9 words (89 bits) gives you half a year against the swarm,
and 10 words (99 bits) gives you 500 years.

So, somewhere between 10 and 16 random characters should probably be good
enough, depending on how defensive you want to be.

[1]: https://digiconomist.net/bitcoin-energy-consumption

I personally use `pass` for password management and keep my PGP key on a
YubiKey (full disclosure: I work for Yubico) with a 6-digit PIN, so my
private key is not stored on disk and is protected against brute force
attacks by blocking the key (effectively destroying the key) after too many
incorrect PIN attempts (I also have an airgapped backup of the key, of
course).

/Emil

On Mon, 24 Jun 2019, 22:37 Eli Schwartz via arch-general, <
arch-general@archlinux.org> wrote:

> On 6/24/19 4:31 PM, Manuel Reimer wrote:
> > On 24.06.19 18:00, mpan wrote:
> >> If you’re using a password manager, you should not care about the
> >> password being “too long”. After all it’s not you who type it. Go for 16
> >> or 20 random chars.
> >
> > If the key is too complicated to remember or to type in manually, then I
> > have to use a password manager which now saves my password to local disk
> > again. Maybe encrypted with a master password.
> >
> > Then we are back at the starting problem.
> >
> > If someone can take my private key file, then he can also take my
> > password manager database.
> >
> > How strong would you make this master password and where to save this
> > one? A second password manager?
> >
> > I think if really someone takes over control over my PC, then I have to
> > expect the password to be gone, too. If someone is really able to take my
> > private key file, then I think he should also be able to install some
> > kind of key logger.
> >
> > And I really think that finally someone *has* to come up with some
> > replacement for this password nightmare. Some kind of hardware key maybe.
> >
> > I could protect the private signing key with an UUID (just call uuidgen
> > on console). This should be pretty hard to crack but is impossible to
> > remember so I would have to keep this written down somewhere and need
> > this piece of paper every time I unlock the key for signing.
>
> I'm not sure where you're going with any of this.
>
> The purpose of a PGP signing key is that it does interesting crypto
> things that prove your identity in a way that passwords don't (passwords
> can be guessed).
>
> The purpose of password-protecting your PGP private key is to prevent
> someone who gains access to the filesystem, from gaining access to the key.
>
> Password managers, like PGP keys, are things that "should be encrypted
> with a password to prevent an attacker with disk access from gaining
> your secret material".
>
> How you protect the master password for a password manager, has nothing
> to do with whether it's intelligent to use a password in the first
> place. Personally, I find it very easy to remember *one* master password
> (or even, to be honest, two or three), which exists only in my own head
> and unlocks the secrets that are stored on disk -- like PGP keys and
> password databases.
>
> ...
>
> As for hardware keys, there is no need to come up with a replacement for
> the password nightmare. Hardware keys have existed for some time now,
> and they were already intended as a replacement for the password
> "nightmare", something they do an excellent job at. Did you try getting
> one?
>
> --
> Eli Schwartz
> Bug Wrangler and Trusted User
>
>
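
An added example, not part of the original thread: it reproduces the ballpark figures from the message above (time to exhaust the whole search space, so a worst case for the attacker) and solves the inverse problem of how long a secret must be to outlast a given guess rate. The function names, the 100-year target and the 70-symbol alphabet literal are assumptions made here.

```python
import math
import secrets
import string

YEAR = 365.25 * 24 * 3600  # seconds per year

# Guess rates quoted in the message, in guesses per second.
RATES = {"1e9/s": 1e9, "1e12/s": 1e12, "swarm 60e18/s": 60e18}

# Constructed 70-symbol alphabet (assumption; the message only gives an "e.g." class).
ALPHABET = string.ascii_letters + string.digits + "#$&_()=+"


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `symbols` choices."""
    return length * math.log2(symbols)


def exhaust_seconds(symbols: int, length: int, rate: float) -> float:
    """Seconds to try every candidate; the expected time to a hit is half of this."""
    return symbols ** length / rate


def min_length(symbols: int, rate: float, seconds: float) -> int:
    """Smallest length whose full search space outlasts `seconds` at `rate`."""
    length = 1
    while symbols ** length < rate * seconds:
        length += 1
    return length


def generate(alphabet, length: int, sep: str = "") -> str:
    """Draw each symbol independently from the OS CSPRNG, which the estimates assume.
    Pass a word list and sep=" " to build a word-based passphrase instead."""
    return sep.join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, symbols, length in [("chars", 70, 10), ("chars", 70, 16),
                                   ("words", 1000, 6), ("words", 1000, 10)]:
        bits = entropy_bits(symbols, length)
        times = ", ".join(f"{name}: {exhaust_seconds(symbols, length, r) / YEAR:.3g} y"
                          for name, r in RATES.items())
        print(f"{length:2d} {label} of {symbols:4d} = {bits:5.1f} bits -> {times}")
    print("length for 100 y vs swarm:", min_length(70, 60e18, 100 * YEAR), "chars,",
          min_length(1000, 60e18, 100 * YEAR), "words")
    print("sample:", generate(ALPHABET, 16))
```

These figures only hold for secrets generated uniformly at random; a human-chosen phrase of the same length has far less entropy.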


Re: [arch-general] group install

2017-01-05 Thread Emil Lundberg via arch-general
That was excessive, Ralf. Arch may be a DIY distro, but that doesn't mean
we should humiliate and belittle people who don't already know everything
about the system.

Tim: I'm sorry you got that response. A "group" in pacman is an alias for a
bunch of packages, you install it just as if the group was an ordinary
package.

/Emil

On Thu, 5 Jan 2017, 13:24 Ralf Mardorf, wrote:

> On Thu, 5 Jan 2017 20:16:32 +0800, Tim Ye via arch-general wrote:
> >I read an Arch Linux wiki page that says one can "install a group":
> >
> >"Install the xfce4 group."
> >
> >how can I do that?
>
> Actually I shouldn't have replied to your request and instead ban your
> email address.
>
> https://wiki.archlinux.org/index.php/pacman#Installing_package_groups
>
> You already were reading the Wiki and needed to ask this question, while
> your chosen distro is Arch Linux, not Ubuntu?
>
> More information about handling groups could be found by
>
>   $ man pacman | grep group
>
> Regards,
> Ralf
>