Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Pasi Kärkkäinen
On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
> 
> Red Hat still has not put several of the sources in their public tree
> either.
> 

So CentOS6 cannot be released, or even built completely before 
those missing src.rpms are released?

> 
> CentOS releases our source on exactly the same day as our binary files.
> 
> We published scripts and RPMS on how we generate our build system, on
> how we check our binaries, on how we generate our ISOs.  How is that not
> open?  (See if you can get Red Hat or Oracle to tell you what they use
> as a build engine for their enterprise products ...)
> 

Can you send a link to the docs/scripts? 
This is something many people have been asking for.

Thanks!

-- Pasi

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Authentication Problems

2011-02-18 Thread James Bensley
No

--James. (This email was sent from a mobile device)


Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread Martin Hewitt
Hi Cameron,

On 18 February 2011 04:33, Cameron Kerr  wrote:
>
> On 17/02/2011, at 9:35 PM, Mathieu Baudier wrote:
>
>>> I've been running our apps as purely as I can (java -cp
>>> /path/to/libs/* path.to.the.App) and they're still being sent SIGHUP
>>> signals for reasons I can't understand.
>>
>
> I have only started in this thread, but your description of unexplainable 
> SIGHUPs tweaked my memory from long ago, whereby it turned out to be bad 
> memory.
>
> ...
>
> might be worth checking, stranger things have happened.
>
> Cheers,
> Cameron

Thanks, but I've got these tests running on a couple of machines of
different generations, so I've ruled out the hardware as being at
fault.

Martin



Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread Martin Hewitt
It's strange how one can wake up and suddenly notice a pattern...

Looking through the straces, and the disconnect timestamps of the SSH
sessions, it seems that the processes are dying as soon as, or shortly
after the SSH session is closed.

My command is something along the lines of:

java -cp /path/to/shared/libs/*:/path/to/class/directory/
path.to.MyApp > out.log 2>&1 &

Does anyone have an idea as to why this process is closing when the
SSH window that started it closes?

Martin

On 18 February 2011 09:47, Martin Hewitt  wrote:
> Hi Cameron,
>
> On 18 February 2011 04:33, Cameron Kerr  wrote:
>>
>> On 17/02/2011, at 9:35 PM, Mathieu Baudier wrote:
>>
>>>> I've been running our apps as purely as I can (java -cp
>>>> /path/to/libs/* path.to.the.App) and they're still being sent SIGHUP
>>>> signals for reasons I can't understand.
>>>
>>
>> I have only started in this thread, but your description of unexplainable 
>> SIGHUPs tweaked my memory from long ago, whereby it turned out to be bad 
>> memory.
>>
>> ...
>>
>> might be worth checking, stranger things have happened.
>>
>> Cheers,
>> Cameron
>
> Thanks, but I've got these tests running on a couple of machines of
> different generations, so I've ruled out the hardware as being at
> fault.
>
> Martin
>


Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread Michael Gliwinski
On Friday 18 Feb 2011 09:53:39 Martin Hewitt wrote:
> My command is something along the lines of:
> 
> java -cp /path/to/shared/libs/*:/path/to/class/directory/
> path.to.MyApp > out.log 2>&1 &
> 
> Does anyone have an idea as to why this process is closing when the
> SSH window that started it closes?

Try adding 'nohup' before 'java'.  Closing SSH session closes the shell which 
sends HUP to its children.

But, it is not your main problem is it?  I mean the app wasn't always started 
manually from an interactive shell?


-- 
Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabby, BT36 4RT
Phone: 028 9034 3319
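
The signal behaviour described in this reply, as an added example that is not part of the original thread: it starts one background job plainly and one under nohup, delivers SIGHUP to each, and reports how each job ended. `sleep 30` stands in for the java command and `kill -HUP` stands in for the hangup that arrives when the SSH session's shell goes away; both are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration, not code from the thread.
# `sleep 30` stands in for the long-running java command; `kill -HUP`
# simulates the hangup delivered when the SSH session's shell goes away.

# hup_exit_status MODE
#   MODE=plain : start the job the way the original command did (cmd &)
#   MODE=nohup : start it under nohup, as suggested in the reply
# Sends SIGHUP, then SIGTERM as cleanup, and prints the job's wait status:
#   129 (128 + SIGHUP)  -> the hangup killed the job
#   143 (128 + SIGTERM) -> the job ignored the hangup and only died at cleanup
hup_exit_status() {
    mode=$1
    if [ "$mode" = nohup ]; then
        nohup sleep 30 </dev/null >/dev/null 2>&1 &
    else
        sleep 30 </dev/null >/dev/null 2>&1 &
    fi
    pid=$!

    sleep 1                                # let nohup set SIGHUP to "ignore" and exec
    kill -HUP "$pid" 2>/dev/null || true   # the simulated session hangup
    sleep 1
    kill -TERM "$pid" 2>/dev/null || true  # cleanup; no effect if already dead

    status=0
    wait "$pid" 2>/dev/null || status=$?
    echo "$status"
}

echo "plain job: exit status $(hup_exit_status plain)"
echo "nohup job: exit status $(hup_exit_status nohup)"
```

nohup only writes to nohup.out when standard output is a terminal, so the `> out.log 2>&1` redirection in the original command keeps working unchanged once `nohup` is put in front of `java`.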



Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread Martin Hewitt
On 18 February 2011 09:49, Michael Gliwinski
 wrote:
> On Friday 18 Feb 2011 09:53:39 Martin Hewitt wrote:
>> My command is something along the lines of:
>>
>> java -cp /path/to/shared/libs/*:/path/to/class/directory/
>> path.to.MyApp > out.log 2>&1 &
>>
>> Does anyone have an idea as to why this process is closing when the
>> SSH window that started it closes?
>
> Try adding 'nohup' before 'java'.  Closing SSH session closes the shell which
> sends HUP to its children.

I've just discovered this command, and have added it to the invocation.

>
> But, it is not your main problem is it?  I mean the app wasn't always started
> manually from an interactive shell?
>

You know, I've been debugging this for so long that I just can't
remember. The processes are either started manually, or from a web
trigger, which could cause the same behaviour if/when the web server
worker thread is destroyed or renewed.

>
> --
> Michael Gliwinski
> Henderson Group Information Services
> 9-11 Hightown Avenue, Newtownabby, BT36 4RT
> Phone: 028 9034 3319


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Johnny Hughes
On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>
>> Red Hat still has not put several of the sources in their public tree
>> either.
>>
> 
> So CentOS6 cannot be released, or even built completely before 
> those missing src.rpms are released?

Theoretically, it can not be built, so certainly not *released*, until
we have all the SRPMS, no.

If said SRPMS are on one of the release Source ISOs, then we have them
available there, if they are not then we are stuck.

> 
>>
>> CentOS releases our source on exactly the same day as our binary files.
>>
>> We published scripts and RPMS on how we generate our build system, on
>> how we check our binaries, on how we generate our ISOs.  How is that not
>> open?  (See if you can get Red Hat or Oracle to tell you what they use
>> as a build engine for their enterprise products ...)
>>
> 
> Can you send a link to the docs/scripts? 
> This is something many people have been asking for.

This directory contains a script that we use to build the
"Distribution", as well as the script we use to check a built RPM
against a known binary RPM:

http://mirror.centos.org/centos/4/build/distro/

We use mock to build our packages.  There is a version of mock available
in EPEL.

The "minimum build roots" that CentOS uses are published here:

http://dev.centos.org/centos/buildsys/






Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread m . roth
Martin Hewitt wrote:
> It's strange how one can wake up and suddenly notice a pattern...
>
> Looking through the straces, and the disconnect timestamps of the SSH
> sessions, it seems that the processes are dying as soon as, or shortly
> after the SSH session is closed.
>
> My command is something along the lines of:
>
> java -cp /path/to/shared/libs/*:/path/to/class/directory/
> path.to.MyApp > out.log 2>&1 &
>
> Does anyone have an idea as to why this process is closing when the
> SSH window that started it closes?

Just for the sheer halibut*, try nohup 

It's been something like 10 years or more since I had to do that, but

 mark

* I know, it's fishy



Re: [CentOS] openoffice & command line printing

2011-02-18 Thread Gregory P. Ennis

On 18/02/2011, at 2:29 PM, Gregory P. Ennis wrote:

> Everyone,
> 
> I am trying to print some *.doc files from the command line with
> openoffice on centos 5.5 with using cups as the print server.
> 
> I can open the file from the command line with open office and then
> print it manually from the gui, but when I open the file and print from
> command line I am not getting anything.
> 
> The commands that I have used are the following :
> 
> /usr/bin/openoffice.org -pt lpt4 /mnt/lp/document.doc
> -terminate_after_init

This works for me on LibreOffice on my Mac (also uses Cups)

LibreOffice 3.3  330m12(Build:1)

/path/to/soffice -headless -pt PRINTER_NAME doco.doc

Note though that if you wanted to do this outside of X11, it might fail...

--

Cameron,

Thanks for your suggestion

On my system that command results in printing the document on the
desired printer, but does not return back to the shell prompt.  If I add
-terminate_after_init  so that the command line is :

openoffice.org -headless -pt lpt3 document.doc -terminate_after_init

The above command returns back to the prompt but the document is not
printed.

Any other ideas would be appreciated!!!

Greg



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 7:13 AM, Johnny Hughes  wrote:
> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>
>>> Red Hat still has not put several of the sources in their public tree
>>> either.
>>>
>>
>> So CentOS6 cannot be released, or even built completely before
>> those missing src.rpms are released?
>
> Theoretically, it can not be built, so certainly not *released*, until
> we have all the SRPMS, no.
>
> If said SRPMS are on one of the release Source ISOs, then we have them
> available there, if they are not then we are stuck.

Johnny,

Does 

contain anything y'all need that you don't already have?

kind regards/ldv/va...@texoma.net


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Ned Slider
On 18/02/11 15:12, Larry Vaden wrote:
> On Fri, Feb 18, 2011 at 7:13 AM, Johnny Hughes  wrote:
>> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:

>>>> Red Hat still has not put several of the sources in their public tree
>>>> either.

>>>
>>> So CentOS6 cannot be released, or even built completely before
>>> those missing src.rpms are released?
>>
>> Theoretically, it can not be built, so certainly not *released*, until
>> we have all the SRPMS, no.
>>
>> If said SRPMS are on one of the release Source ISOs, then we have them
>> available there, if they are not then we are stuck.
>
> Johnny,
>
> Does
> contain anything y'all need that you don't already have?
>

No disrespect Larry, but pulling missing SRPM packages from Scientific 
Linux is not the answer. The answer lies in comparing those packages 
available on Red Hat's public ftp servers with those in the distro and 
filing bugs against the missing SRPM packages. Red hat are usually quick 
to respond to such issues.





Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Johnny Hughes
On 02/18/2011 09:29 AM, Ned Slider wrote:
> On 18/02/11 15:12, Larry Vaden wrote:
>> On Fri, Feb 18, 2011 at 7:13 AM, Johnny Hughes  wrote:
>>> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>>>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>>>
>>>>> Red Hat still has not put several of the sources in their public tree
>>>>> either.
>>>>>
>>>>
>>>> So CentOS6 cannot be released, or even built completely before
>>>> those missing src.rpms are released?
>>>
>>> Theoretically, it can not be built, so certainly not *released*, until
>>> we have all the SRPMS, no.
>>>
>>> If said SRPMS are on one of the release Source ISOs, then we have them
>>> available there, if they are not then we are stuck.
>>
>> Johnny,
>>
>> Does
>> contain anything y'all need that you don't already have?
>>
> 
> No disrespect Larry, but pulling missing SRPM packages from Scientific 
> Linux is not the answer. The answer lies in comparing those packages 
> available on Red Hat's public ftp servers with those in the distro and 
> filing bugs against the missing SRPM packages. Red hat are usually quick 
> to respond to such issues.

We have made Red Hat aware of the missing SRPMS.





Re: [CentOS] Software RAID Level 1, smartd and changing dev numbers

2011-02-18 Thread Tom H
On Thu, Feb 17, 2011 at 10:22 PM, Scott Robbins  wrote:
> On Thu, Feb 17, 2011 at 09:05:41PM -0500, Tom H wrote:
>> On Wed, Feb 16, 2011 at 3:09 PM, compdoc  wrote:
>> >>
>> In Ubuntu and Fedora, UUID's the default replacement of "/dev/sdXY"
>> devices, but md and lvm devices are referred to in more "traditional"
>> fstab stanzas.
>
> Possibly worth mentioning that it does sometimes break--at least in
> Fedora, I can think of a few times it's happened to me, and a few more
> times where it's happened on their forums, where an update would then
> fail to boot, saying, unable to locate root (or something similar) which
> could be fixed by changing the UUID to /dev/sdwhatever

I've only seen two cases of UUIDs "breaking".

1. You put a second Linux install on the box, mkswap's run during the
installation process and the UUID of the swap partition's modified so
that the initial install cannot recognize its swap partition.

2. There's more than one filesystem signature in the MBR and mount's
therefore (understandably) confused.


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 9:29 AM, Ned Slider  wrote:
> On 18/02/11 15:12, Larry Vaden wrote:
>> On Fri, Feb 18, 2011 at 7:13 AM, Johnny Hughes  wrote:
>>> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>>>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>>>
>>>>> Red Hat still has not put several of the sources in their public tree
>>>>> either.
>>>>>
>>>>
>>>> So CentOS6 cannot be released, or even built completely before
>>>> those missing src.rpms are released?
>>>
>>> Theoretically, it can not be built, so certainly not *released*, until
>>> we have all the SRPMS, no.
>>>
>>> If said SRPMS are on one of the release Source ISOs, then we have them
>>> available there, if they are not then we are stuck.
>>
>> Johnny,
>>
>> Does
>> contain anything y'all need that you don't already have?
>>
>
> No disrespect Larry, but pulling missing SRPM packages from Scientific
> Linux is not the answer. The answer lies in comparing those packages
> available on Red Hat's public ftp servers with those in the distro and
> filing bugs against the missing SRPM packages. Red hat are usually quick
> to respond to such issues.

No disrespect, Ned, but with http://distrowatch.com/?newsid=06510, I'm
wondering if RH is treating the CentOS project differently than the
national labs.  You may not find that interesting, but perhaps I am
not as alone as you might think.  RH and CentOS have been fundamental
to our operation going on 15 years.  Karanbir and Johnny et al have
made great contributions to the community.

I personally don't see how the RH team could have screwed up and
omitted SRPMs from the manifest, but I certainly believe they did
according to reports.

kind regards/ldv/va...@texoma.net


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread John R. Dennison
On Fri, Feb 18, 2011 at 09:50:23AM -0600, Larry Vaden wrote:
> 
> I personally don't see how the RH team could have screwed up and
> omitted SRPMs from the manifest, but I certainly believe they did
> according to reports.

At some point do you think perhaps you can learn how to trim
replies to only that which is germane to the reply and not
include all the cascade text and attributions which proceeded it
as a courtesy to others on this list?

It seems that nearly every release there are SRPMs that fail to
make it to Redhat's public ftp server.  It happens during
releases and it happens for normal updates and is nothing new.
It's simple human error, not a conspiracy to harm CentOS or any
other rebuilding effort.  Can you please keep the conspiracy
nonsense to yourself?




John

-- 
Much of what looks like rudeness in hacker circles is not intended to give
offense. Rather, it's the product of the direct, cut-through-the-bullshit
communications style that is natural to people who are more concerned about
solving problems than making others feel warm and fuzzy.

http://www.tuxedo.org/~esr/faqs/smart-questions.html




Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Steve Clark

On 02/18/2011 11:03 AM, John R. Dennison wrote:
> On Fri, Feb 18, 2011 at 09:50:23AM -0600, Larry Vaden wrote:
>
>> I personally don't see how the RH team could have screwed up and
>> omitted SRPMs from the manifest, but I certainly believe they did
>> according to reports.
>
> At some point do you think perhaps you can learn how to trim
> replies to only that which is germane to the reply and not
> include all the cascade text and attributions which proceeded it
> as a courtesy to others on this list?
>
> It seems that nearly every release there are SRPMs that fail to
> make it to Redhat's public ftp server.  It happens during
> releases and it happens for normal updates and is nothing new.
> It's simple human error, not a conspiracy to harm CentOS or any
> other rebuilding effort.  Can you please keep the conspiracy
> nonsense to yourself?
>
> John

I thought the big thing made about bottom posting is so you can see the
whole thread. If you cut out a bunch then you might as well top post.


--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


[CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Tim Alberts
Hello, I have a problem that I'm really having trouble figuring out.  I 
run CentOS Linux 5.5.  I have three servers.  All have been setup and 
running with LDAP authentication for a couple years with absolutely no 
problems.

Unfortunately a couple weeks ago, we had a power outage.  Ever since, I 
am having continuous problems with authentication to the server.  I see 
in /var/log/messages

nss_ldap: reconnected to LDAP server ldap://127.0.0.1

I did run a yum update that installed an update to ldap, however that 
did not fix the issue.

I have seen a post mentioning changing 'nss_connect_policy persist' to 
'nss_connect_policy oneshot'.  However I don't see this setting in my 
server, and again, the server was working perfectly fine for years 
before the power outage.

I'm really thinking that some file got corrupted and I just need to 
clean it out.  Maybe a cache file somewhere?

Following is ldap.conf file. Any suggestions?


base dc=inside,dc=msi
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
rootbinddn cn=Manager,dc=inside,dc=msi
nss_base_passwd ou=People,dc=inside,dc=msi
nss_base_shadow ou=People,dc=inside,dc=msi
nss_base_group ou=Group,dc=inside,dc=msi
uri ldap://127.0.0.1 ldap://my.domain
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Robert Heller
At Fri, 18 Feb 2011 12:06:50 -0500 CentOS mailing list  
wrote:

> 
> 
> 
> On 02/18/2011 11:03 AM, John R. Dennison wrote:
> > On Fri, Feb 18, 2011 at 09:50:23AM -0600, Larry Vaden wrote:
> >
> >> I personally don't see how the RH team could have screwed up and
> >> omitted SRPMs from the manifest, but I certainly believe they did
> >> according to reports.
> >>  
> > At some point do you think perhaps you can learn how to trim
> > replies to only that which is germane to the reply and not
> > include all the cascade text and attributions which proceeded it
> > as a courtesy to others on this list?
> >
> > It seems that nearly every release there are SRPMs that fail to
> > make it to Redhat's public ftp server.  It happens during
> > releases and it happens for normal updates and is nothing new.
> > It's simple human error, not a conspiracy to harm CentOS or any
> > other rebuilding effort.  Can you please keep the conspiracy
> > nonsense to yourself?
> >
> >
> >
> >
> > John
> I thought the big thing made about bottom posting is so you can see the 
> whole thread. If you cut out
> a bunch then you might as well top post.

When you bottom post (really interleaved posting) you only include the
relevant parts to what you are replying to.  This is doable, since
those bits are *right there*.  With top posting, you don't even see the
rest of the thread -- it is all 'below the fold' (unless you have a very
tall display screen or something).

> 
> 

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments


   


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Brunner, Brian T.
centos-boun...@centos.org wrote:
> On 02/18/2011 11:03 AM, John R. Dennison wrote:
> 
>   On Fri, Feb 18, 2011 at 09:50:23AM -0600, Larry Vaden wrote:
> 
>   I personally don't see how the RH team could
> have ... a conspiracy to harm CentOS or any other rebuilding effort.
> Can you please keep the conspiracy nonsense to yourself?
> 
>   John
> 
> I thought the big thing made about bottom posting is so you
> can see the whole thread. If you cut out
> a bunch then you might as well top post.

Trimming nothing, so the reply isn't visible in the first page, is poor
style.

Trimming everything, so the reply has no context, is poor style.

Blackberry and mobile devices (being bandwidth limited) are much more
efficient if top-posting is used.

Top-post vs bottom-post is a purely religious war; my value of $DIETY is
chocolate .:. I don't care.

I *did*, however, figure out how to make Microsoft Outlook default to
bottom posting:

==> http://home.in.tum.de/~jain/software/outlook-quotefix/ <== (love at
first sight)

-- 
Insert spiffy .sig here

//me


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Farkas Levente
On 02/18/2011 04:35 PM, Johnny Hughes wrote:
> On 02/18/2011 09:29 AM, Ned Slider wrote:
>> On 18/02/11 15:12, Larry Vaden wrote:
>>> On Fri, Feb 18, 2011 at 7:13 AM, Johnny Hughes  wrote:
>>>> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>>>>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>>>>
>>>>>> Red Hat still has not put several of the sources in their public tree
>>>>>> either.
>>>>>>
>>>>>
>>>>> So CentOS6 cannot be released, or even built completely before
>>>>> those missing src.rpms are released?
>>>>
>>>> Theoretically, it can not be built, so certainly not *released*, until
>>>> we have all the SRPMS, no.
>>>>
>>>> If said SRPMS are on one of the release Source ISOs, then we have them
>>>> available there, if they are not then we are stuck.
>>>
>>> Johnny,
>>>
>>> Does
>>> contain anything y'all need that you don't already have?
>>>
>>
>> No disrespect Larry, but pulling missing SRPM packages from Scientific 
>> Linux is not the answer. The answer lies in comparing those packages 
>> available on Red Hat's public ftp servers with those in the distro and 
>> filing bugs against the missing SRPM packages. Red hat are usually quick 
>> to respond to such issues.
> 
> We have made Red Hat aware of the missing SRPMS.

we? funny...

-- 
  Levente   "Si vis pacem para bellum!"


Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Tim Alberts

On 2/18/2011 9:13 AM, Tim Alberts wrote:
> Hello, I have a problem that I'm really having trouble figuring out.  I
> run CentOS Linux 5.5.  I have three servers.  All have been setup and
> running wi..

Update, using Webmin to restart the server, I see the following:
Stopping slapd: [  OK  ]
Stopping slurpd: [  OK  ]
Checking configuration files for slapd:  bdb_db_open: unclean shutdown 
detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if 
errors are encountered.
config file testing succeeded
[  OK  ]
Starting slapd: [  OK  ]
Starting slurpd: [  OK  ]

I've been reading that the recovery is supposed to be automatic. 
Unfortunately it seems to be a read-only mode.

Anyone know why it is read-only mode?

Anyone have a simple tutorial on running 'db_recover' command?



Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread m . roth
Tim Alberts wrote:
> Hello, I have a problem that I'm really having trouble figuring out.  I
> run CentOS Linux 5.5.  I have three servers.  All have been setup and
> running with LDAP authentication for a couple years with absolutely no
> problems.
>
> Unfortunately a couple weeks ago, we had a power outage.  Ever since, I
> am having continuous problems with authentication to the server.  I see
> in /var/log/messages

Have you resynched everyone's timeclock?

mark




Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Tim Alberts
On 2/18/2011 10:13 AM, m.r...@5-cent.us wrote:
> Tim Alberts wrote:
>> Hello, I have a problem...
>>
>> Unfortunately a couple weeks ago, we had a power outage.  Ever since, I
>> am having continuous problems with authentication to the server.  I see
>> in /var/log/messages
> 
> Have you resynched everyone's timeclock?
>
>  mark

Thank you for your response.  If you're referring to the computer system 
clock, they are all in sync.  I'm not sure how that is related?  I am 
running replication servers, but even services on the local host show 
continuous reconnect errors (apache, dovecot, vsftpd, etc).  Or do I 
misunderstand your meaning?



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Farkas Levente
On Fri, Feb 18, 2011 at 14:13, Johnny Hughes  wrote:
> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>
>>> Red Hat still has not put several of the sources in their public tree
>>> either.
>>>
>>
>> So CentOS6 cannot be released, or even built completely before
>> those missing src.rpms are released?
>
> Theoretically, it can not be built, so certainly not *released*, until
> we have all the SRPMS, no.
>
> If said SRPMS are on one of the release Source ISOs, then we have them
> available there, if they are not then we are stuck.
>
>>
>>>
>>> CentOS releases our source on exactly the same day as our binary files.
>>>
>>> We published scripts and RPMS on how we generate our build system, on
>>> how we check our binaries, on how we generate our ISOs.  How is that not
>>> open?  (See if you can get Red Hat or Oracle to tell you what they use
>>> as a build engine for their enterprise products ...)
>>>
>>
>> Can you send a link to the docs/scripts?
>> This is something many people have been asking for.
>
> This directory contains a script that we use to build the
> "Distribution", as well as the script we use to check a built RPM
> against a known binary RPM:
>
> http://mirror.centos.org/centos/4/build/distro/
>
> We use mock to build our packages.  There is a version of mock available
> in EPEL.
>
> The "minimum build roots" that CentOS uses are published here:
>
> http://dev.centos.org/centos/buildsys/

Johnny I really _really_ respect your former work on centos, but it
seems you don't take part in the real rebuild nowadays (probably
that's the reason why you refer to rhel-4).
The above is nothing, and nobody can rebuild based on those scripts
and it's really far from the really required framework.
and please don't ask me why. just to mention one very basic thing:
where are the mock config files? and i can ask dozens of such questions
(what i did previously, and i'm the only one who sent a detailed
description of how to rebuild rhel-6...

-- 
  Levente                               "Si vis pacem para bellum!"


Re: [CentOS] openoffice & command line printing

2011-02-18 Thread Bill Campbell
On Fri, Feb 18, 2011, Gregory P. Ennis wrote:
>
>On 18/02/2011, at 2:29 PM, Gregory P. Ennis wrote:
>
>> Everyone,
>> 
>> I am trying to print some *.doc files from the command line with
>> openoffice on centos 5.5 with using cups as the print server.
>> 
>> I can open the file from the command line with open office and then
>> print it manually from the gui, but when I open the file and print from
>> command line I am not getting anything.
>> 
>> The commands that I have used are the following :
>> 
>> /usr/bin/openoffice.org -pt lpt4 /mnt/lp/document.doc
>> -terminate_after_init
>
>This works for me on LibreOffice on my Mac (also uses Cups)
>
>LibreOffice 3.3  330m12(Build:1)
>
>/path/to/soffice -headless -pt PRINTER_NAME doco.doc
>
>Note though that if you wanted to do this outside of X11, it might fail...

I tried this using NeoOffice on my Macbook Pro which doesn't use
X11, but I expect that it would fail on Linux without X11 as it
presents the normal print dialog box to select the printer even
though it's set on the command line.

Answering the question below, I ran this in background,
terminating the command with "&", which left NeoOffice running,
but gave me the command line back so I could continue.  This is
not entirely a Bad Thing(tm) as it avoids the startup time when
printing multiple documents.

On the other hand, having NeoOffice present the print dialog box
for every file is less than optimal, but it looks like that's a
NeoOffice thing.

I tried the same command with the path to the most recent
OpenOffice.org soffice which didn't present the dialog box, and
terminated after the print job was complete.

Trying this on a CentOS 5 box here it works fine running the job
in background where it is ready to run subsequent print jobs.
This does not present the print dialog box either.  I ran this
test in an xterm via ssh with X11 forwarding from my Macbook Pro.

Another test using 'xterm -e ssh -x' to disable X11 forwarding
failed on startup saying it can't open DISPLAY. Running the
command with 'ssh -Y user@system /path/to/soffice ...' did work
nicely, and did not leave soffice running on completion.

>--
>
>Cameron,
>
>Thanks for your suggestion
>
>On my system that command results in printing the document on the
>desired printer, but does not return back to the shell prompt.  If I add
>-terminate_after_init  so that the command line is :
>
>openoffice.org -headless -pt lpt3 document.doc -terminate_after_init
>
>The above command returns back to the prompt but the document is not
>printed.
>
>Any other ideas would be appreciated!!!
>
>Greg
>

-- 
Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

UNIX was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things. -- Doug Gwyn


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 10:03 AM, John R. Dennison  wrote:
>        Can you please keep the conspiracy nonsense to yourself?
>
>
>
>
>                                                        John
>
> --
> Much of what looks like rudeness in hacker circles is not intended to give
> offense. Rather, it's the product of the direct, cut-through-the-bullshit
> communications style that is natural to people who are more concerned about
> solving problems than making others feel warm and fuzzy.
>
> http://www.tuxedo.org/~esr/faqs/smart-questions.html

As a List Mom wannabe, please follow the list guidelines at
.  When I see
you practicing what you are preaching for a week or so, I'll consider
your input once again.


Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Tim Alberts
On 2/18/2011 10:11 AM, Tim Alberts wrote:
>
> Update, using Webmin to restart the server, I see the following:
> Stopping slapd: [  OK  ]
> Stopping slurpd: [  OK  ]
> Checking configuration files for slapd:  bdb_db_open: unclean shutdown
> detected; attempting recovery.
> bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if
> errors are encountered.
> config file testing succeeded
> [  OK  ]
> Starting slapd: [  OK  ]
> Starting slurpd: [  OK  ]
>
> I've been reading that the recovery is supposed to be automatic.
> Unfortunately it seems to be a read-only mode.
>
> Anyone know why it is read-only mode?
>
> Anyone have a simple tutorial on running 'db_recover' command?
>

I found a helpful page:
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html  approximately 
2/3 down the page, section titled 'Notes: LDAP on Red Hat/Fedora 
distribution:'  An example database recovery command as follows:

/usr/sbin/slapd_db_recover -v -h /var/lib/ldap/stooges/

I have run this (twice now with ldap stopped) on all three servers and 
continue to have problems.  Now I'm really lost as to what to do.



[CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Michael B Allen
Hi,

Can someone recommend a good vulnerability scanning service? I just
need the minimum for PCI compliance (it's a sort of credit card
processing certification).

I got a free scan from https://www.hackerguardian.com/ and their scan
reported a number of "Fail" results. I haven't checked them all yet
but most seem to be things for which fixes were backported looong ago
by The Upstream Vendor.

I haven't spoken with the hackerguardian people yet but it would be
nice if I could just say "I'm using CentOS 5.5" and have them factor
that into their report so that I can focus on any real issues. Are
there vulnerability scanning services that are more or less
sophisticated about this?

Thanks,
Mike


Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread m . roth
Tim Alberts wrote:
> On 2/18/2011 10:13 AM, m.r...@5-cent.us wrote:
>> Tim Alberts wrote:
>>> Hello, I have a problem...
>>>
>>> Unfortunately a couple weeks ago, we had a power outage.  Ever since, I
>>> am having continuous problems with authentication to the server.  I see
>>> in /var/log/messages
>> 
>> Have you resynched everyone's timeclock?
>
> Thank you for your response.  If you're referring to the computer system
> clock, they are all in sync.  I'm not sure how that is related?  I am
> running replication servers, but even services on the local host show
> continuous reconnect errors (apache, dovecot, vsftpd, etc).  Or do I
> misunderstand your meaning?

It does matter - if they're "too far" out of sync, too many seconds,
authentication? authorization? will fail, at least for Kerberos, using
ldap or not.

mark



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread m . roth
Enough. Larry Vaden seems to get his jollies by working at provoking
flamewars and other irritations, while contributing actually nothing to
the topic of the list.

Wonder if, 16 or so years ago, his idea of "fun" was cascades of "I love
Mentos" threads in newsgroups who he had no interest in.

Anyway, listmaster, I vote to kick him off the list.

mark, who already decided to delete pointless email from him

Larry Vaden wrote:
> On Fri, Feb 18, 2011 at 10:03 AM, John R. Dennison 
> wrote:
>>        Can you please keep the conspiracy nonsense to yourself?
>>
>>
>>
>>
>>                                                
>>        John
>>
>> --
>> Much of what looks like rudeness in hacker circles is not intended to
>> give
>> offense. Rather, it's the product of the direct,
>> cut-through-the-bullshit
>> communications style that is natural to people who are more concerned
>> about
>> solving problems than making others feel warm and fuzzy.
>>
>> http://www.tuxedo.org/~esr/faqs/smart-questions.html
>
> As a List Mom wannabe, please follow the list guidelines at
> .  When I see
> you practicing what you are preaching for a week or so, I'll consider
> your input once again.




Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Baird, Josh
We use Qualys for PCI vulnerability scanning.

Josh

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Michael B Allen
Sent: Friday, February 18, 2011 1:20 PM
To: centos@centos.org
Subject: [CentOS] Recommendation for a Good Vulnerability Scanning
Service?

Hi,

Can someone recommend a good vulnerability scanning service? I just
need the minimum for PCI compliance (it's a sort of credit card
processing certification).

I got a free scan from https://www.hackerguardian.com/ and their scan
reported a number of "Fail" results. I haven't checked them all yet
but most seem to be things for which fixes were backported looong ago
by The Upstream Vendor.

I haven't spoken with the hackerguardian people yet but it would be
nice if I could just say "I'm using CentOS 5.5" and have them factor
that into their report so that I can focus on any real issues. Are
there vulnerability scanning services that are more or less
sophisticated about this?

Thanks,
Mike


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread m . roth
Hi, there,

Michael B Allen wrote:
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

"Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK. The
*minimum* qualifications, I believe, are a 60 or 63 item questionnaire; for
full PCI-DSS, it's something like 243 questions, and you need a full IT
dept.

I would *very* strongly recommend that you talk to the bank or agency
that's asking you for this, and ask them for recommendations.

 mark, who worked on a short term contract for Trustwave, who
  does that (and is a root CA, as well)



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Scot P. Floess

What is really sad, if one searches Larry's name on Linked In, he appears 
to be the CEO Internet Texoma, Inc.

I'd expect better behavior and conduct from someone who holds such a 
title...


> Enough. Larry Vaden seems to get his jollies by working at provoking
> flamewars and other irritations, while contributing actually nothing to
> the topic of the list.
>

-- 
Scot P. Floess RHCT  (Certificate Number 605010084735240)
Chief Architect FlossWare  http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Mathieu Baudier
> Anyway, listmaster, I vote to kick him off the list.

As others have already pointed out, by definition of the CentOS
project this list is very vulnerable to trolling around releases of
new versions.

A troll (maybe not the right term, but that's what comes to my mind)
just has to come and ask THE question (see subject of this thread) in
order to start a flame war.

So, a pragmatic idea could be to kick temporarily out anybody (him,
you, me, ...) asking THE question until the actual release, and then
authorize them again afterward (so that it is not too hard a
punishment).

Just an idea.
(I don't care much myself, but I really feel sorry for the people who
are currently spending their free time on the rebuild and have to
endure this)


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread m . roth
Scot P. Floess wrote:
>
> What is really sad, if one searches Larry's name on Linked In, he appears
> to be the CEO Internet Texoma, Inc.
>
> I'd expect better behavior and conduct from someone who holds such a
> title...
>
He's a manager! Probably wears a tie! PHB alert 

  mark
>
>> Enough. Larry Vaden seems to get his jollies by working at provoking
>> flamewars and other irritations, while contributing actually nothing to
>> the topic of the list.
>>
>
> --
> Scot P. Floess RHCT  (Certificate Number 605010084735240)
> Chief Architect FlossWare  http://sourceforge.net/projects/flossware
> http://flossware.sourceforge.net
> https://github.com/organizations/FlossWare




Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Ray Van Dolson
On Fri, Feb 18, 2011 at 02:50:38PM -0500, m.r...@5-cent.us wrote:
> Scot P. Floess wrote:
> >
> > What is really sad, if one searches Larry's name on Linked In, he appears
> > to be the CEO Internet Texoma, Inc.
> >
> > I'd expect better behavior and conduct from someone who holds such a
> > title...
> >
> He's a manager! Probably wears a tie! PHB alert 
> 
>   mark
> >
> >> Enough. Larry Vaden seems to get his jollies by working at provoking
> >> flamewars and other irritations, while contributing actually nothing to
> >> the topic of the list.
> >>

In an industry where one-man companies are not uncommon, you learn to
never read too much into titles. :)

Ray


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Scot P. Floess

Fair enough - "not only am I the president, but I'm also a client too"  :D

In all seriousness, I'd think representing his own company, he'd be more 
professional in that representation...


> In an industry where one-man companies are not uncommon, you learn to
> never read too much into titles. :)

-- 
Scot P. Floess RHCT  (Certificate Number 605010084735240)
Chief Architect FlossWare  http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare


[CentOS] request for a learning moment

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 1:45 PM, Scot P. Floess  wrote:
>
> I'd expect better behavior and conduct from someone who holds such a
> title...


Since beauty is in the eye of the beholder(s), please select my most
egregious post(s) and let me know said post(s) so that I have the
opportunity to better modify my behavior with the result that we can
focus on the business at hand.


kind regards/ldv/va...@texoma.net


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread m . roth
Scot P. Floess wrote:
>
> Fair enough - "not only am I the president, but I'm also a client too"  :D
>
> In all seriousness, I'd think representing his own company, he'd be more
> professional in that representation...
>
Yup. There's a small ISP down on the Space Coast in FL, where I spoke to
the owner a few times, and he was friendly, helpful, and understanding.

*shrug*

A good part of it comes down to who you are. But we're *way* OT, now, and
I will not post any more to this thread.

>> In an industry where one-man companies are not uncommon, you learn to
>> never read too much into titles. :)
>
> --
> Scot P. Floess RHCT  (Certificate Number 605010084735240)
> Chief Architect FlossWare  http://sourceforge.net/projects/flossware
> http://flossware.sourceforge.net
> https://github.com/organizations/FlossWare

Good job at shortening your .sigfile, Scot. Thanks.

  mark



Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Michael B Allen
On Fri, Feb 18, 2011 at 2:36 PM,   wrote:
> Hi, there,
>
> Michael B Allen wrote:
>>
>> Can someone recommend a good vulnerability scanning service? I just
>> need the minimum for PCI compliance (it's a sort of credit card
>> processing certification).
>
> "Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.

Hi Mark,

Hackerguardian is a commercial service (it's actually "COMODO CA
Limited"). Their scan looks thorough. Obviously they're just matching
up version numbers with CVE notices but I have a feeling most of these
guys are going to be doing the same thing. I was just hoping one would
be more sophisticated about the fact that ALL of their "Fail" items
I've checked so far are things that were backported or fixed by
Redhat.

> The
> *minimum* qualifications, I believe, are a 60 or 63 item questionnaire; for
> full PCI-DSS, it's something like 243 questions, and you need a full IT
> dept.

Are you talking about the SAQC? I run all CC transactions through one
CentOS VPS webserver (actually I have two servers that I periodically
wipe out and alternate between every year or two). So I don't have POS
terminals or any Windows PCs in the mix. We don't save any card holder
data at all. So my SAQC was a breeze. I just had to add N/A for
questions like the "do you run anti-virus software" and explain that
everything goes through the one Linux machine for which no anti-virus
software exists or is necessary.

> I would *very* strongly recommend that you talk to the bank or agency
> that's asking you for this, and ask them for recommendations.

If you mean my merchant account service, they claim to be the largest
Authorized.Net reseller, they sanity checked my SAQC and thought I
would be ready for approval as soon as I get a good scan.

So trustwave and Qualys ... I'll check them out.

Thanks,
Mike
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
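
The version-matching false positives discussed in this thread can be triaged locally by checking each flagged CVE id against the installed package's RPM changelog, where backported fixes are normally recorded. The script below is an added example, not code from any poster or from the CentOS project; the package names, changelog entries and CVE ids are constructed placeholders, and `CHANGELOG_DIR` is a hypothetical override so the demo runs without rpm.

```shell
#!/bin/sh
# Triage scanner "Fail" findings against RPM changelogs (added example).
# Package names, changelog entries and CVE ids are constructed placeholders.

# Print a package's changelog; non-zero status means "not installed".
# Real hosts use rpm. CHANGELOG_DIR is a hypothetical override that reads
# saved "<pkg>.changelog" files so the demo below runs without rpm.
changelog_for() {
    if [ -n "${CHANGELOG_DIR:-}" ]; then
        [ -r "$CHANGELOG_DIR/$1.changelog" ] && cat "$CHANGELOG_DIR/$1.changelog"
    else
        rpm -q --changelog "$1" 2>/dev/null
    fi
}

# classify PKG CVE-ID: print one verdict word for a single finding.
classify() {
    # Reject anything that is not shaped like a CVE id before searching.
    if ! printf '%s\n' "$2" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
        echo invalid-id
        return 0
    fi
    if c_log=$(changelog_for "$1"); then
        # -F: literal match. -w: whole token only, so an id ending in 0002
        # does not match a longer id ending in 00020.
        if printf '%s\n' "$c_log" | grep -qiwF -- "$2"; then
            echo fix-in-changelog      # backport documented by the packager
        else
            echo no-changelog-entry    # not mentioned: review by hand
        fi
    else
        echo not-installed             # scanner flagged a package we lack
    fi
}

# triage: read "PKG CVE-ID" lines on stdin, print "PKG CVE-ID VERDICT".
triage() {
    while read -r t_pkg t_cve t_rest; do
        case $t_pkg in
            ''|'#'*) continue ;;       # skip blank lines and comments
        esac
        printf '%s %s %s\n' "$t_pkg" "$t_cve" "$(classify "$t_pkg" "$t_cve")"
    done
}

# demo: build constructed changelogs and run a constructed findings list.
demo() {
    d_dir=$(mktemp -d) || return 1
    cat > "$d_dir/demo-httpd.changelog" <<'EOF'
* Tue Jan 04 2011 Example Packager <packager@example.com> - 2.2.3-45
- add security fix for CVE-0000-0001 (#000001)
- add security fix for CVE-0000-00020
EOF
    cat > "$d_dir/demo-ssl.changelog" <<'EOF'
* Mon Dec 06 2010 Example Packager <packager@example.com> - 0.9.8e-12
- backport upstream patches (CVE-0000-0003, CVE-0000-0005)
EOF
    CHANGELOG_DIR=$d_dir
    triage <<'EOF'
# package     finding reported by the scanner
demo-httpd    CVE-0000-0001
demo-httpd    CVE-0000-0002
demo-ssl      CVE-0000-0003

demo-missing  CVE-0000-0004
demo-httpd    not-a-cve
EOF
    unset CHANGELOG_DIR
    rm -rf "$d_dir"
}

demo
```

A `fix-in-changelog` verdict is the evidence to attach when disputing a version-matched finding; `no-changelog-entry` only means the changelog does not mention the id, so that finding still needs manual review.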


Re: [CentOS] request for a learning moment

2011-02-18 Thread Scot P. Floess

Larry,

Not to be a smart alec,


 I'd say it ought to be self evident considering
 the flow of emails complaining about your posts



On Fri, 18 Feb 2011, Larry Vaden wrote:

> On Fri, Feb 18, 2011 at 1:45 PM, Scot P. Floess  wrote:
>>
>> I'd expect better behavior and conduct from someone who holds such a
>> title...
>
> 
> Since beauty is in the eye of the beholder(s), please select my most
> egregious post(s) and let me know said post(s) so that I have the
> opportunity to better modify my behavior with the result that we can
> focus on the business at hand.
> 
>
> kind regards/ldv/va...@texoma.net

-- 
Scot P. Floess RHCT  (Certificate Number 605010084735240)
Chief Architect FlossWare  http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Dr. Ed Morbius
on 14:20 Fri 18 Feb, Michael B Allen (iop...@gmail.com) wrote:
> Hi,
> 
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

First:  if you're headed down the compliance / certification route,
you're going to want to go with a certified vendor / service provider
for this.
 
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.

You can also run your own scans as a preemptive measure -- nessus is
probably the baseline tool, though I'd also be interested in what other
people would recommend.
 
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?

I'd suggest you educate yourself on the PCI compliance issue, and query
your prospective vendor(s) on what specific scans they run and/or how
these are tuned to specific operating environments.

I'd tend to suspect that vuln/pen testing is going to be based more on
known vulnerabilities than your environment.

-- 
Dr. Ed Morbius, Chief Scientist /|
  Robot Wrangler / Staff Psychologist| When you seek unlimited power
Krell Power Systems Unlimited|  Go to Krell!


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Always Learning

On Fri, 2011-02-18 at 14:50 -0500, m.r...@5-cent.us wrote:

> He's a manager! Probably wears a tie! PHB alert 

The guy has problems. His only method of trying to deal with his
problems, and getting away from the stress, is posting on here.
He needs to seek professional help, medically and otherwise, to tackle
his problems and try to resolve them or reduce the adverse effect his
problems are having on his life.

Once his problems are solved or significantly reduced he will be a
different person - his behaviour on here will be noticeably different.

Larry, please take my advice and get help or, at the very least, talk to
someone about the matters troubling you. It is bad to hold everything
inside you. Please share your problems with someone you can relate to.
It is for your own benefit.

Good luck.


Paul.
England,
EU.




Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Peter Brady
On 18/02/11 10:11 AM, Tim Alberts wrote:
> Checking configuration files for slapd:  bdb_db_open: unclean shutdown
> detected; attempting recovery.
> bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if
> errors are encountered.
> config file testing succeeded

The LDAP database files are *very* sensitive to unclean shut downs.  I'd 
keep multi-master redundant servers on separate power supplies if 
possible.  Or at least a decent clean shut down off UPS power.

It may be simplest to recover the databases from backup using the import 
scripts than attempt to recover an existing corrupted database.  There 
is a section in the manual (can't find the link right away) that states 
if the servers go down hard then the databases "will" be corrupted and 
to restore from backup.

Good luck,
-pete

-- 
Peter Brady
Email: pdbr...@ans.com.au
Home Page: http://www.simonplace.net/
Skype: pbrady77
Mobile: +61 410 490 797


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Brian Mathis
On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen  wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
>
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.
>
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?
>
> Thanks,
> Mike


I have used Applied Trust (http://www.appliedtrust.com/) and they are
smart about their scans.  They don't just check version numbers.  I'm
not sure if they do PCI compliance testing, so you'll have to do
further research.  They do use Nessus as part of the testing, but the
goal of testing is not for you to find the holes and patch them, it's
to have a report from someone else that says you did.


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Lamar Owen
On Friday, February 18, 2011 02:54:38 pm Ray Van Dolson wrote:
> In an industry where one-man companies are not uncommon, you learn to
> never read too much into titles. :)

True enough.

While my title is 'CIO' it probably should be 'IT Department' as I only have a 
consultant and a group of volunteers to help me out.  But the title does open 
doors that other titles would not open, in those venues where such things 
count. Bob Hawkins at EMC calls me 'Mr. Make-Do' and I have been tempted to get 
some cards printed with that title on them

On tech lists I find the title to be more of a negative, since the word 'suit' 
ends up being bandied about. The only time I wear a suit is when the 
occasion demands (like the Lieutenant Governor of North Carolina is visiting).  
Otherwise it's mostly 'business casual' and even jeans, depending upon what I'm 
doing that day.

In any case, that's one reason I typically drop the .sig completely on this and 
other lists, unless the situation warrants.

The problem with being essentially a one-man IT department (or a one or two or 
three man distribution release team) is that can create bottlenecks.

And I've found that having help doesn't always reduce the workload or make the 
work go faster, and I'm sure Karanbir and Johnny and the others doing the 
release (you know who you are) would agree.

Or, to pull out the standard computer science / information systems reference, 
read 'The Mythical Man-Month' and get enlightened.


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread m . roth
Dr. Ed Morbius wrote:
> on 14:20 Fri 18 Feb, Michael B Allen (iop...@gmail.com) wrote:
>>
>> Can someone recommend a good vulnerability scanning service? I just
>> need the minimum for PCI compliance (it's a sort of credit card
>> processing certification).

> I'd suggest you educate yourself on the PCI compliance issue, and query
> your prospective vendor(s) on what specific scans they run and/or how
> these are tuned to specific operating environments.
>
> I'd tend to suspect that vuln/pen testing is going to be based more on
> known vulnerabilities than your environment.

This is true: depending on how far you're going, the bank/agency will want
human pen testing, too.

 mark



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Ray Van Dolson
On Fri, Feb 18, 2011 at 03:25:23PM -0500, Lamar Owen wrote:
> On Friday, February 18, 2011 02:54:38 pm Ray Van Dolson wrote:
> > In an industry where one-man companies are not uncommon, you learn to
> > never read too much into titles. :)
> 
> True enough.
> 
> While my title is 'CIO' it probably should be 'IT Department' as I
> only have a consultant and a group of volunteers to help me out.  But
> the title does open doors that other titles would not open, in those
> venues where such things count. Bob Hawkins at EMC calls me 'Mr.
> Make-Do' and I have been tempted to get some cards printed with that
> title on them
> 
> On tech lists I find the title to be more of a negative, since the
> word 'suit' ends up being bandied about. The only time I wear a
> suit is when the occasion demands (like the Lieutenant Governor of
> North Carolina is visiting).  Otherwise it's mostly 'business casual'
> and even jeans, depending upon what I'm doing that day.
> 
> In any case, that's one reason I typically drop the .sig completely
> on this and other lists, unless the situation warrants.
> 
> The problem with being essentially a one-man IT department (or a one
> or two or three man distribution release team) is that can create
> bottlenecks.
> 
> And I've found that having help doesn't always reduce the workload or
> make the work go faster, and I'm sure Karanbir and Johnny and the
> others doing the release (you know who you are) would agree.
> 
> Or, to pull out the standard computer science / information systems
> reference, read 'The Mythical Man-Month' and get enlightened.

You can change your .signature depending on who your audience is I
guess. :)

I was thinking of times when we've interviewed people for $DAYJOB who
are applying for a SysAdmin spot (because that's what their skillset
essentially was), but they list such things as VP of IT, CIO, etc on
their resume because they were at a small shop.

Obviously always exceptions but as you alluded to, "know your
audience" is a good rule of thumb.

Anyways, way off topic, but interesting discussion.

Ray
Undisputed (and sometimes Benevolent) Emperor of Ray's Linux Endeavors


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread John R. Dennison
On Fri, Feb 18, 2011 at 08:19:16PM +, Always Learning wrote:
> 
> Larry, please take my advice and get help or, at the very least, talk to
> someone about the matters troubling you. It is bad to hold everything
> inside you. Please share your problems with someone you can relate to.
> It is for your own benefit.

Simply... wow.

You know, as much as I can't stand Vaden, and believe me when I
say that instead of pulling him from a burning car wreck I'd
likely instead pull up a chair and toast marshmallows, your post
comes across as perhaps the most condescending tripe-filled post
ever on this list.  I'm not quite sure whether to congratulate you
or ask you not to do it again.  And this is a thread populated
by condescension, including posts of Vaden's.

In either case wow.




John

-- 
"Which is more believable: In the beginning there was God, who created the
universe, or in the beginning there was nothing, which exploded"



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Always Learning

There are lots of people in similar circumstances to Larry. He has a recognised 
medical syndrome.

People get problems. Some do not know how to effectively tackle their
major problem so stress increases to a significant and detrimental
extent. Often the person is never fully aware of high stress levels they
have. Just because someone looks 'normal' it does not mean they are not
in some way suffering. A good example is someone suffering from an
incurable illness with a year to live. Can anyone really identify their
significantly shortened lifespan just by looking at them in the street as
they walk by?

Diversions into irritating behaviour are a classic example of someone
desperately trying to avoid thinking about, and therefore dealing with,
a major problem. The reason they try to avoid thinking about the problem
is the very high stress levels associated with that problem. It is too
much for them to handle. The diversionary behaviour is a form of 'stress
relief' and ultimately a cry for help.

Larry is very likely curable. He just needs to talk confidentially and
openly to someone who can begin to help him. Often a problem shared is a
problem halved *and* the stress levels are lowered.

Larry, I know you will read this, talk to a friend - Get help.



With best regards,

Paul.
England,
EU.




Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Johnny Hughes
On 02/18/2011 12:39 PM, Farkas Levente wrote:
> On Fri, Feb 18, 2011 at 14:13, Johnny Hughes  wrote:
>> On 02/18/2011 02:26 AM, Pasi Kärkkäinen wrote:
>>> On Wed, Feb 16, 2011 at 07:15:32AM -0600, Johnny Hughes wrote:
>>>>
>>>> Red Hat still has not put several of the sources in their public tree
>>>> either.
>>>>
>>>
>>> So CentOS6 cannot be released, or even built completely before
>>> those missing src.rpms are released?
>>
>> Theoretically, it can not be built, so certainly not *released*, until
>> we have all the SRPMS, no.
>>
>> If said SRPMS are on one of the release Source ISOs, then we have them
>> available there, if they are not then we are stuck.
>>
>>>
>>>>
>>>> CentOS releases our source on exactly the same day as our binary files.
>>>>
>>>> We published scripts and RPMS on how we generate our build system, on
>>>> how we check our binaries, on how we generate our ISOs.  How is that not
>>>> open?  (See if you can get Red Hat or Oracle to tell you what they use
>>>> as a build engine for their enterprise products ...)
>>>>
>>>
>>> Can you send a link to the docs/scripts?
>>> This is something many people have been asking for.
>>
>> This directory contains a script that we use to build the
>> "Distribution", as well as the script we use to check a built RPM
>> against a known binary RPM:
>>
>> http://mirror.centos.org/centos/4/build/distro/
>>
>> We use mock to build our packages.  There is a version of mock available
>> in EPEL.
>>
>> The "minimum build roots" that CentOS uses are published here:
>>
>> http://dev.centos.org/centos/buildsys/
> 
> Johnny I really _really_ respect your former work on centos, but it
> seems you don't take part on the real rebuild nowadays (probably
> that's reason why you refer to  rhel-4).
> The above is nothing, and nobody can rebuild based on those scripts
> and it's really far from the really required framework.
> and please don't ask me to why. just to mention some very basic thing
> where is the mock config files? and i can ask dozens of such questions
> (what is did previously and i'm the only only one who send detail
> description how to rebuild rhel-6...
> 
I am still on the development team and I am working on the release of
4.9 as we speak.  Thanks for your concern about my well being though.

We use mock ... we use the standard trees.  If you are rebuilding
something in extras, then extras is enabled.  If you are building
something in plus, then plus is enabled.  If you need to build something
staged (package A is built then package B gets built on it), then you
need to either run plague, koji, or develop a file that builds the
packages and moves them into a repo, then runs createrepo.  We use
plague for some packages and we use a custom script that runs mock,
copies the built files to a staged local folder and runs createrepo for
some other packages.

This is hard work ... you figure out the packages that you need to
build, you figure out if you need to build it staged or not, you figure
out what repos you need for the packages you are building, etc.  What,
would you like me to log into your server, install all the software
required to rebuild the distro and set it up for you?  Does Red Hat
provide that information? ... how about Oracle?  Maybe Ubuntu tells you
exactly how they build their LTS server?  Oh, I know, Novell has a step
by step guide to build SLES posted.

I gave you the script we used to build the CentOS 4 isos / distro.  The
one for CentOS 5 is very similar.  It has all the switches used to build
the distro in its entirety.  We are still building CentOS-6 ... we don't
have one yet for that.

There is no other project, certainly not an enterprise one, that
provides this much information to their users.  Fedora is the absolute
most open project I know ... do they provide the mock config files and
koji config to build their entire distro?  (They might do it, I don't
know).  None of the enterprise distros do.

Do you think Red Hat tells us what is in their build roots and gives us
mock config files or koji configurations?  Well, they don't.






Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 2:19 PM, Always Learning  wrote:
>
> Larry, please take my advice and get help or, at the very least, talk to
> someone about the matters troubling you. It is bad to hold everything
> inside you. Please share your problems with someone you can relate to.
> It is for your own benefit.

Paul,  I did as you suggest.  An extract of said post is below the
sig.  There wasn't a single response (I could be wrong about that, but
don't believe that is the case at this time).

kind regards/ldv/va...@texoma.net

-- Forwarded message --
From: Larry Vaden 
Date: Sun, Jan 23, 2011 at 8:03 PM
Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
To: centos@centos.org


Our site running Centos 4.8 and 5.5 name servers was hacked with the
result that www.yahoo.com is now within our /19 and causing some
grief.
Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the search
facility at centos.org.  However, it is obvious from said searches
that Mandriva upgraded last year.
An attempt to install bind-9.7.2-P3 from source yields the warning
below the sig for both 4.8 and 5.5 machines.
Does anyone know of RPMs that address the security issues involved?
RANT: does anyone know of the upstream's justification for providing
such old code?
kind regards/ldv
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING                                                                 WARNING
WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
WARNING         one or more of the the following known security         WARNING
WARNING         flaws:                                                  WARNING
WARNING                                                                 WARNING
WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
WARNING         CVE-2006-2940.                                          WARNING
WARNING                                                                 WARNING
WARNING         It is recommended that you upgrade to OpenSSL           WARNING
WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
WARNING                                                                 WARNING
WARNING         You can disable this warning by specifying:             WARNING
WARNING                                                                 WARNING
WARNING               --disable-openssl-version-check                   WARNING
WARNING                                                                 WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
[root@shell bind-9.7.2-P3]# cat /etc/redhat-release
CentOS release 5.5 (Final)
[root@shell bind-9.7.2-P3]#


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread David Brian Chait


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
John R. Dennison
Sent: Friday, February 18, 2011 12:43 PM
To: Always Learning
Cc: CentOS mailing list
Subject: Re: [CentOS] Any update on 5.6 / 6?

On Fri, Feb 18, 2011 at 08:19:16PM +, Always Learning wrote:
> 
> Larry, please take my advice and get help or, at the very least, talk 
> to someone about the matters troubling you. It is bad to hold 
> everything inside you. Please share your problems with someone you can relate 
> to.
> It is for your own benefit.

I think it is safe to say that while we may sympathize with the sentiment, this 
flame fest needs to end. Let's be honest, engineers are not known for social 
skills. 


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread John Hinton
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>
>> I haven't spoken with the hackerguardian people yet but it would be
>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>> that into their report so that I can focus on any real issues. Are
>> there vulnerability scanning services that are more or less
>> sophisticated about this?
> I'd suggest you educate yourself on the PCI compliance issue, and query
> your prospective vendor(s) on what specific scans they run and/or how
> these are tuned to specific operating environments.
>
> I'd tend to suspect that vuln/pen testing is going to be based more on
> known vulnerabilities than your environment.

Very good information, Ed. And yes, you will almost certainly be 
fighting with the compliance company, as I have not yet seen any who 
recognized CentOS. RHEL, yes. CentOS however does not hold the same 
'trusted standard' or clout as the major 'name brand' providers. Yes, 
the trouble is the versioning numbers used by RH. If the system 'is' RH, 
most of the time those 'exceptions' are noted by the scanner but you may 
find yourself trying to 'teach them' a lot. Hopefully they have improved 
on this front.

I really think much of this is no more than smoking mirrors. For 
instance they do not ask about username/password policies and obviously 
do not scan for such. So this scanning leaves a lot to be desired. After 
I met all scan problems, my affected clients discovered they just 
answered a question wrong and found that since CC processing was not 
actually happening on my systems, but instead through other processors, 
this all went away and ended the need to address the same issues 
(backports) for the same applications, sometimes still under the same 
version, just due to a new scan. Basically a huge waste of my time. But 
I must admit, I did learn of just a couple of areas which I did tighten 
up. The rest was just red tape and I started feeling one particular 
compliance company was more into self promotion of their service by 
showing these non-existent flaws. I suppose one could compare it to the 
AV companies that allow broken virus sigs to set off alarms. "We just 
saved your computer ."

But, if you must, I did find the Nessus output was fairly close to what 
the compliance companies found and gave me a bit of time to tune systems 
before the real scan. It has been a while, but I think Nessus found some 
things I thought more important, which the commercial scanner did not 
mention.

And hey, if you do breeze through with CentOS being recognized as a RHEL 
clone, I would love to hear about that back to this list.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Lamar Owen
On Friday, February 18, 2011 03:36:58 pm Ray Van Dolson wrote:
> Obviously always exceptions but as you alluded to, "know your
> audience" is a good rule of thumb.

Public Speaking 101.  

Also 'Linux Distribution 101' in reality; the CentOS audience consists largely 
of those wanting as close to upstream EL as is possible without the associated 
monetary costs.  CentOS meets a very definite need for, and has a very distinct 
audience in, those who must have binary-level compatibility with the upstream 
EL, bugs and all.

And I would hazard to say that most, if not up to 90%, of CentOS users have 
zero desire for 'release early, release often' but prefer 'release correctly, 
and release infrequently.'  For my servers, I distinctly prefer the latter, 
since I do run things that require EL binary compatibility and would be 
seriously problematic were they to break because of an update.

If 'release early, release often' is your motto, but you still want EL binary 
compatibility, then SL is going to be more your thing.  If you want bleeding 
edge and everything fully upstream up to date, give Fedora a whirl (and it'll 
make you dizzy, which might be a good thing (I run Fedora on my laptop, for 
instance...)). 

And those who want to see how things are done in Fedora, the complete process 
is documented in depth in the Release Engineering SOP wiki page at 
http://fedoraproject.org/wiki/ReleaseEngineering/SOP

For that matter, if you wanted to re-compose an EL6 rebuild, you would actually 
find it highly educational to do it the Fedora way, since EL6 is somewhat based 
on F12.  The scripts for Fedora are there, and the procedures are there; have 
fun! 

The SOP's you would be most interested in would be the Mass Rebuild and the 
Compose.


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread m . roth
John Hinton wrote:
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,

If you do talk to Trustwave, and they're not too expensive, they *use*
CentOS.
>
> I really think much of this is no more than smoking mirrors. For

"smoke and mirrors"

> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the

They're all that way.


  mark



[CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Always Learning
> From: Larry Vaden 
> Date: Sun, Jan 23, 2011 at 8:03 PM
> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?


> Our site running Centos 4.8 and 5.5 name servers was hacked with
> the result that www.yahoo.com is now within our /19 and causing
> some grief.

Don't understand what you mean by 'within our /19'. Have your IP ranges
changed?  If your Bind date is corrupt, why not re-install Centos and
then restore the domains data from one of your regular backups?

Is it a wise business decision to use C 4.8 instead of C 5 or the latest
which is C 5.5 ?

> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
> search facility at centos.org.  However, it is obvious from said
> searches that Mandriva upgraded last year.

I believe C6 will include an updated Bind.

> An attempt to install bind-9.7.2-P3 from source yields the warning
> below the sig for both 4.8 and 5.5 machines.

> WARNING WARNING WARNING WARNING WARNING ..
>
> Your OpenSSL crypto library may be vulnerable to .
> one or more of the the following known security 
> flaws:
>
> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and 
> CVE-2006-2940.
>
> It is recommended that you upgrade to OpenSSL
> version 0.9.8d/0.9.7l (or greater).

Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)

Name   : openssl
Arch   : x86_64
Version: 0.9.8e
Release: 12.el5_5.7
Size   : 3.4 M

The same version for i686.

Larry, why can't you install the latest OpenSSL ?

On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)

If you really need the latest Bind and can not wait about a month for C6
why don't you use a different flavour of Linux?  In business one can not
be too sentimental and difficult decisions have to be made all the time.


With best regards,

Paul.
England,
EU.




Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread John Jasen
On 02/18/2011 03:09 PM, Michael B Allen wrote:

> Hackerguiardian is a commercial service (it's actually "COMODO CA
> Limited"). Their scan looks thorough. Obviously they're just matching
> up version numbers with CVE notices but I have a feeling most of these
> guys are going to be doing the same thing. I was just hoping one would
> be more sophisticated about the fact that ALL of their "Fail" items
> I've checked so far are things that were backported or fixed by
> Redhat.

Probably not. I've yet to see any vulnerability scanning service that
does much above running nessus in safe mode (which only does banner grabs).

If you're prepared to monkey around with the scanner people, you can
request waivers, false positives, etc from the various companies,
proving that you're patched against the CVEs they're looking for.

If there is a really competent vendor out there, and if you're
comfortable with it, ask them to run a more thorough scan against your box.

> I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

I would have marked that "other than satisfactory" in an audit. There
are AV products for Linux, and on a personal level, rootkit checks and
file integrity checks on a public CC handling server are a good idea.

>> I would *very* strongly recommmend that you talk to the bank or agency
>> that's asking you for this, and ask them for recommendations.
> 
> If you mean my merchant account service, they claim to be the largest
> Authorized.Net reseller, they sanity checked my SAQC and thought I
> would be ready for approval as soon as I get a good scan.
> 
> So trustwave and Qualys ... I'll check them out.
> 
> Thanks,

I'm faintly surprised they aren't in the scam racket of mandating you
use a certain vendor, or one of a select few.

-- 
-- John E. Jasen (jja...@realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
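
The waiver evidence discussed in this thread (scanner "Fail" items matched on version numbers, while the fix was backported into the distribution package) can be collected from the package changelog. The following is an added example, not part of the original posts: the function names and the sample changelog are constructed for illustration, and the CVE identifiers are the ones quoted from the BIND configure warning elsewhere on this page.

```shell
#!/bin/sh
# Triage scanner findings against an RPM changelog.
# Real use:  rpm -q --changelog openssl | triage_cves CVE-2006-2937 ...
# Everything below runs offline on a constructed changelog.

# Constructed sample in the layout that `rpm -q --changelog` prints.
# Packager, dates and entry text are made up for this example.
sample_changelog() {
cat <<'EOF'
* Mon Jan 04 2010 Example Packager <packager@example.invalid> 0.9.8e-12.el5
- fix CVE-2006-2937 CVE-2006-2940 (constructed entry)
* Tue Sep 05 2006 Example Packager <packager@example.invalid> 0.9.8b-8
- fix CAN-2006-4339 (constructed entry)
EOF
}

# Older advisories and changelogs use the candidate prefix CAN-; the same
# entry is named CVE- today. Normalise so both spellings compare equal.
normalize_id() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAN-/CVE-/'
}

# Reads a changelog on stdin; arguments are the IDs from the scan report.
# Prints one tab-separated line per ID: ID, status, changelog entry header.
triage_cves() {
    changelog=$(cat)
    for raw in "$@"; do
        id=$(normalize_id "$raw")
        # Reject anything that is not a well-formed ID before it is
        # used to build a regular expression.
        if ! printf '%s\n' "$id" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            printf '%s\tINVALID-ID\t-\n' "$raw"
            continue
        fi
        num=${id#CVE-}
        # Remember the most recent "* date packager version" header and
        # print it when a line under it mentions the ID (either prefix).
        # The trailing ([^0-9]|$) stops 2006-2937 matching 2006-29370.
        hit=$(printf '%s\n' "$changelog" | awk -v num="$num" '
            BEGIN { pat = "(CVE|CAN)-" num "([^0-9]|$)" }
            /^\* / { header = $0; next }
            toupper($0) ~ pat {
                print (header == "" ? "(no entry header)" : header)
                exit
            }')
        if [ -n "$hit" ]; then
            printf '%s\tFIXED-IN-PACKAGE\t%s\n' "$id" "$hit"
        else
            # Absence is not proof of exposure: the package may never have
            # been affected. These are the items to research by hand.
            printf '%s\tNOT-IN-CHANGELOG\t-\n' "$id"
        fi
    done
}

# Demo on the constructed changelog.
sample_changelog | triage_cves CAN-2002-0659 CAN-2006-4339 CVE-2006-2937 CVE-2006-2940
```

The FIXED-IN-PACKAGE lines, together with the output of `rpm -q openssl` on the scanned host, are the kind of evidence a false-positive request can cite.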


Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread Eero Volotinen
2011/2/18 John Hinton :
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,
> the trouble is the versioning numbers used by RH. If the system 'is' RH,
> most of the time those 'exceptions' are noted by the scanner but you may
> find yourself trying to 'teach them' a lot. Hopefully they have improved
> on this front.
>
> I really think much of this is no more than smoking mirrors. For
> instance they do not ask about username/password policies and obviously
> do not scan for such. So this scanning leaves a lot to be desired. After
> I met all scan problems, my affected clients discovered they just
> answered a question wrong and found that since CC processing was not
> actually happening on my systems, but instead through other processors,
> this all went away and ended the need to address the same issues
> (backports) for the same applications, sometimes still under the same
> version, just due to a new scan. Basically a huge waste of my time. But
> I must admit, I did learn of just a couple of areas which I did tighten
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the
> AV companies that allow broken virus sigs to set off alarms. "We just
> saved your computer ."
>
> But, if you must, I did find the Nessus output was fairly close to what
> the compliance companies found and gave me a bit of time to tune systems
> before the real scan. It has been a while, but I think Nessus found some
> things I thought more important, which the commercial scanner did not
> mention.

Buy the Nessus professional feed and download the PCI compliance checks for Nessus.
It gives you a good "baseline" for configurations and things that
need to be fixed.

--
Eero


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Lamar Owen
On Friday, February 18, 2011 01:39:48 pm Farkas Levente wrote:
> and please don't ask me to why. just to mention some very basic thing
> where is the mock config files? and i can ask dozens of such questions
> (what is did previously and i'm the only only one who send detail
> description how to rebuild rhel-6...

A mock config for C5 building was posted, to the Centos-devel list, the 
appropriate place for such.

Here's a link to an archive copy:
http://lists.centos.org/pipermail/centos-devel/2007-August/001910.html

Read through that thread again ... shouldn't take too long, since there's only 
two messages.  Note the date, and note the posters.

For building a 5.6 of your own this should help, along with the el5 buildsys 
RPM (which only contains requires for the basic buildsys) that's already been 
posted about.

For building a 6 of your own, the Fedora process, while tuned to a much larger 
project, uses koji and all that entails, is available and completely open (to 
the best of my knowledge).  The Mass Rebuild scripts live at 
http://git.fedorahosted.org/git/?p=releng

Note that a full koji is fully required by those scripts, but there they are.  
Far more than just a simple mock config ... but that's because of the size of 
the project, and the fact that it has a distributed build system.

There is plenty of documentation on how to do a Fedora rebuild yourself on the 
Fedora project wiki.  And, not to beat a dead horse, but EL6 is based off F12, 
and thus, once you have comps and a few things, in theory the Fedora 
infrastructure, loaded with all the buildrequires (a larger package set than 
the distributed SRPMS) for EL6, would churn out EL6 builds and composes.

Now, I mentioned the build requires.  Poking around in my local copy of the 
6rolling tree of SL, I find that there are packages required to build SL6 that 
are not part of SL6, and live in a separate directory ( 
ftp://ftp.scientificlinux.org/linux/scientific/6rolling/build/ to be specific).

I don't see the mock config or build scripts, however; perhaps I'm not looking 
in the right place.


Re: [CentOS] nss_ldap: reconnected to LDAP server ldap://127.0.0.1

2011-02-18 Thread Tim Alberts
On 2/18/2011 11:05 AM, Tim Alberts wrote:
> I found a helpful page:
> http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html   approximately
> 2/3 down the page, section titled 'Notes: LDAP on Red Hat/Fedora
> distribution:'  An example database recovery command as follows:
>
> /usr/sbin/slapd_db_recover -v -h /var/lib/ldap/stooges/
>
> I have run this (twice now with ldap stopped) on all three servers and
> continue to have problems.  Now I'm really lost as to what to do.

Update, I believe this actually did fix the problem (db_recover).  
Unfortunately, after I did this, I hadn't seen anymore:

nss_ldap: reconnected to LDAP server ldap://127.0.0.1

errors in /var/log/messages.  However my Apache server was still giving 
Forbidden errors, and my subversion server was still giving Forbidden errors.  
I figured some BerkeleyDB was not shut down in Apache authentication and/or 
subversion as well.  Fortunately, I decided to do a restart of Apache and that 
seems to have fixed that problem too.

So the solution appears to be a simple database recovery, followed by an Apache 
restart.  Thank you to the folks who posted responses to help.  Hopefully 
this thread can find its way to helping someone else who runs into this.




Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 3:15 PM, Always Learning  wrote:
> Don't understand what you mean by 'within our /19'. Have your IP ranges
> changed?  If your Bind date is corrupt, why not re-install Centos and
> then restore the domains data from one of your regular backups?

Our network consists of aaa.bbb.ccc.0/19.  That's CIDR notation for
8,192 addresses.

> Is it a wise business decision to use C 4.8 instead of C 5 or the latest
> which is C 5.5 ?

IMHO, fully updated purpose-built servers running 4.8 should have more
or less the same vulnerability profile as 5.5 IFF RH is doing a good
job of backporting security fixes.

I am supported in that statement by my mentor at FedEx but NOT by my
mentor at Internet2.

The open ?s about human error wrt the SRPMs in SL6 could arguably lead
to a different conclusion.


> I believe C6 will include an updated Bind.

Yes, it will be based on a later release.

> Larry, why can't you install the latest OpenSSL ?

We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the
original post IIRC.

kind regards/ldv/va...@texoma.net


Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Nico Kadel-Garcia
On Fri, Feb 18, 2011 at 4:15 PM, Always Learning  wrote:
>> From: Larry Vaden 
>> Date: Sun, Jan 23, 2011 at 8:03 PM
>> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
>
>
>> Our site running Centos 4.8 and 5.5 name servers was hacked with
>> the result that www.yahoo.com is now within our /19 and causing
>> some grief.
>
> Don't understand what you mean by 'within our /19'. Have your IP ranges
> changed?  If your Bind date is corrupt, why not re-install Centos and
> then restore the domains data from one of your regular backups?
>
> Is it a wise business decision to use C 4.8 instead of C 5 or the latest
> which is C 5.5 ?
>
>> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
>> search facility at centos.org.  However, it is obvious from said
>> searches that Mandriva upgraded last year.
>
> I believe C6 will include an updated Bind.

It's also in RHEL 5.6, so I expect it in CentOS 5.6, from the SRPM
bind97-9.7.0-6.P2.el5.src.rpm. Grab that one from your nearest RedHat
SRPM repository, such as mirrors.kernel.org/redhat/, if you're in a rush.

>> An attempt to install bind-9.7.2-P3 from source yields the warning
>> below the sig for both 4.8 and 5.5 machines.
>
>> WARNING WARNING WARNING WARNING WARNING ..
>>
>> Your OpenSSL crypto library may be vulnerable to .
>> one or more of the the following known security 
>> flaws:
>>
>> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> CVE-2006-2940.
>>
>> It is recommended that you upgrade to OpenSSL
>> version 0.9.8d/0.9.7l (or greater).
>
> Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)
>
> Name       : openssl
> Arch       : x86_64
> Version    : 0.9.8e
> Release    : 12.el5_5.7
> Size       : 3.4 M
>
> The same version for i686.
>
> Larry, why can't you install the latest OpenSSL ?
>
> On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)
>
> If you really need the latest Bind and can not wait about a month for C6
> why don't you use a different flavour of Linux?  In business one can not
> be too sentimental and difficult decisions have to be made all the time.
>
>
> With best regards,
>
> Paul.
> England,
> EU.
>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] OT - simple CAD program to design electronic circuits with

2011-02-18 Thread Keith Roberts
On Sun, 6 Feb 2011, Keith Roberts wrote:

> To: CentOS mailing list 
> From: Keith Roberts 
> Subject: [CentOS] OT - simple CAD program to design electronic circuits with
> 
> Is there an electronic circuit design CAD package 
> available for Centos 5.5 please?

Thanks for all the replies and suggestions. I found Qucs 
mentioned in the FEL docs. I have decided to start with that 
as it has a very intuitive GUI, appears to have a fast 
learning curve, and supports circuit simulations.

By following the qucs help documents, I have done a simple 
DC simulation similar to the one in this video below.

http://www.youtube.com/watch?gl=GB&v=VYhWK_lUrFw

Thanks for all the other suggestions which I have bookmarked 
and will start to check out if Qucs cannot handle what I 
need it for.

Kind Regards,

Keith Roberts

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-


Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread James Hogarth
>
> Our network consists of aaa.bbb.ccc.0/19.  That's CIDR notation for
> 8,192 addresses.
>

But what has that got to do with "www.yahoo.com moved into our /19"
 your comment is pretty unclear.

>
> IMHO, fully updated purpose-built servers running 4.8 should have more
> or less the same vulnerablity profile as 5.5 IFF RH is doing a good
> job of backporting security fixes.
>

Why are you so sure it was a bind issue? What logs/research has come
to that conclusion?

Would bind 9.7 really have helped you if you were hacked or was your
vulnerability elsewhere - and if so where? Was this the same server
that you posted where you had mangled the install with force
reinstalling rpms from SL and/or oracle that you posted about before
for instance?


> I am supported in that statement by my mentor at FedEx but NOT by my
> mentor at Internet2.
>

Your mentor? What do you mean by that?

>
> We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the
> original post IIRC.

If you were so gung ho about security that you wanted bleeding edge
bind even newer than current centos 5 why are you so out of date on
your openssl libraries. Given that you are out of date on those as per
your previous posts would the currently released bind on rhel5 iff it
was already on c5 really have been installed? If you were that
desperate you could have built the srpms yourself or taken 9.7
from c5-testing.

You have posted the same rubbish over and over without any
substantiation with wild allegations.

Post details if you need help or just please stop ranting to no point.

James


Re: [CentOS] Any update on 5.6 / 6?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 3:36 PM, Lamar Owen  wrote:
>
> I don't see the mock config or build scripts, however; perhaps I'm not 
> looking in the right place.

THANKS for a very helpful post.


[CentOS] We haven't had a lot of demand for Fedora...people seem okay with CentOS!

2011-02-18 Thread Larry Vaden
That just in from chunkhost.com, where you help them beta test Xen for $FREE :)

regards/ldv/va...@texoma.net


Re: [CentOS] We haven't had a lot of demand for Fedora...people seem okay with CentOS!

2011-02-18 Thread Rudi Ahlers
Larry, I suggest you leave this group while it's still safe to do so.

What do you have against CentOS & FOSS?

On Sat, Feb 19, 2011 at 12:44 AM, Larry Vaden  wrote:
> That just in from chunkhost.com, where you help them beta test Xen for $FREE :)
>
> regards/ldv/va...@texoma.net



-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532




Re: [CentOS] We haven't had a lot of demand for Fedora...people seem okay with CentOS!

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 5:09 PM, Rudi Ahlers  wrote:
> Larry, I suggest you leave this group while it's still safe to do so.
>
> What do you have against CentOS & FOSS?

This was posted as a compliment to the CentOS Team and to the CentOS Community.

Should the vendor be asked for a less ambiguous statement?


Re: [CentOS] request for a learning moment

2011-02-18 Thread Kai Schaetzl
Can you please stop this, finally?

Kai




Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Lamar Owen
On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
> > From: Larry Vaden 
> > Our site running Centos 4.8 and 5.5 name servers was hacked with
> > the result that www.yahoo.com is now within our /19 and causing
> > some grief.
> 
> Don't understand what you mean by 'within our /19'. 

I think I do; he's an ISP, and apparently someone inside his address block (the 
CIDR notation /19; his actual block is publicly found by doing a quick nslookup 
of his domain name, noting the IP address of the DNS server(s) listed, and then 
a whois of the IP address of the DNS server(s).  His /19 shows up) has hacked 
in some way the zone file(s) or the cache for his nameserver so that his 
customers, who would ordinarily use his DNS server as their recursive resolver, 
now see www.yahoo.com (among who knows what others) as pointing to a different 
address, the one inside his /19 (which I hope he has tracked and duly removed 
in grand Texas style), for the purpose of phishing.

Now whether this was done by actually hacking into his DNS server or by a cache 
poisoning attack or what, I don't know since those details Larry hasn't made 
public.  And that's ok.

A fully up-to-date C4 or C5 should be covered when it comes to those sorts of 
things, but to prevent such things I would recommend to Larry that he use the 
great iptables tools that CentOS provides, or use some other iptables 
configurator, or simple hosts.allow and hosts.deny, to restrict the addresses 
that can actually ssh into his server, and only allow port 53 UDP and TCP 
traffic into and out of his DNS servers to his customers. 

If he has routers/switches with access lists I would apply those as a second 
layer of traffic filtering, going both ingress and egress relative to his DNS 
server.  A DNS/BIND vulnerability alone won't kill you, other than the 
previously mentioned cache poisoning attacks (and those are mitigated with 
other well-known techniques); it's the TCP connection from the vulnerability 
shellcode back to the attacker's box that is the killer, and that's what the 
aggressive iptables/acls will do for you.  

Hmmm, the Bastille hardening script might help you, but I don't know that for 
sure.  DNS servers should only serve DNS, and the only other connections in or 
out should be tightly controlled.

Easier said than done, especially with limited staff and funds, I know, but 
still the best practice.

I say that having had a DNS server hit, on May 1, 1998, with a BIND 4 
vulnerability.  Got a quick education on BIND best practices, even though it is 
sometimes tempting to 'do it later'
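
The filtering recommended in the message above, as an added example (not part of the original message and not a CentOS-supplied configuration): a shell function that prints an `iptables-restore` ruleset with default-deny ingress and egress, SSH from named management addresses only, and port 53 UDP/TCP as the only service traffic. The management addresses, customer block and SSH port are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a dedicated DNS server.
# Usage: dns_fw_rules "<mgmt ips, space separated>" <customer-cidr> <ssh-port>
# Load the result with: dns_fw_rules ... > rules && iptables-restore < rules
dns_fw_rules() {
    mgmt_ips=$1
    customers=$2
    ssh_port=$3

    echo '*filter'
    # Default deny in every direction, egress included.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'

    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies belonging to flows that an explicit rule below admitted.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # SSH only from the listed management addresses.
    for ip in $mgmt_ips; do
        echo "-A INPUT -s $ip -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    done

    for proto in udp tcp; do
        # DNS queries from the customer address block.
        echo "-A INPUT -s $customers -p $proto --dport 53 -m state --state NEW -j ACCEPT"
        # Recursion: the resolver may open new flows to other name servers, port 53 only.
        echo "-A OUTPUT -p $proto --dport 53 -m state --state NEW -j ACCEPT"
    done

    # Anything else the server tries to originate is dropped by policy;
    # log it first so an unexpected outbound connection is visible.
    echo '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "dns-egress-drop: "'
    echo 'COMMIT'
}

# Constructed sample values: two management hosts, one customer /19, SSH on 2222.
dns_fw_rules "192.0.2.10 192.0.2.11" "10.20.32.0/19" 2222
```

The same restrictions can be repeated as router or switch access lists for the second filtering layer the message mentions.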


Re: [CentOS] We haven't had a lot of demand for Fedora...people seem okay with CentOS!

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 5:09 PM, Rudi Ahlers  wrote:
> Larry, I suggest you leave this group while it's still safe to do so.
>
> What do you have against CentOS & FOSS?

Absolutely nothing to the purity of Ivory soap :)  26 of our favorite
servers run CentOS.

Having read what Lamar wrote, namely:

On Fri, Feb 18, 2011 at 3:36 PM, Lamar Owen  wrote:

There is plenty of documentation on how to do a Fedora rebuild
yourself on the Fedora project wiki.  And, not to beat a dead horse,
but EL6 is based off F12, and thus, once you have comps and a few
things, in theory the Fedora infrastructure, loaded with all the
buildrequires (a larger package set than the distributed SRPMS) for
EL6, would churn out EL6 builds and composes.


This poster doesn't have a spare box, so after reading Lamar's post
about how to learn, GMail mentioned $FREE Xen vboxen over at
chunkhost.com.

When queried about whether a FC14 image was available and thus a vbox
on which the learning process could proceed, the subject line was the
answer.

Thus, the compliment to the CentOS Team and to the CentOS Community
for the wisdom of selecting CentOS as the beneficiary of their hard
work and for their choice of an OS, respectively.

Some may perceive ambiguity in the subject line :(


Re: [CentOS] We haven't had a lot of demand for Fedora...people seem okay with CentOS!

2011-02-18 Thread Rudi Ahlers
On Sat, Feb 19, 2011 at 1:19 AM, Larry Vaden  wrote:
> On Fri, Feb 18, 2011 at 5:09 PM, Rudi Ahlers  wrote:
>> Larry, I suggest you leave this group while it's still safe to do so.
>>
>> What do you have against CentOS & FOSS?
>
> This was posted as a compliment to the CentOS Team and to the CentOS 
> Community.
>
> Should the vendor be asked for a less ambiguous statement?


Larry, you clearly enjoy making a fool of yourself in public, making
stupid remarks of things which you clearly have no knowledge of.

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532



Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread James Hogarth
>
> I think I do; he's an ISP, and apparently someone inside his address block 
> (the CIDR notation /19; his actual block is publicly found by doing a quick 
> nslookup of his domain name, noting the IP address of the DNS server(s) 
> listed, and then a whois of the IP address of the DNS server(s).  His /19 
> shows up) has hacked in some way the zone file(s) or the cache for his 
> nameserver so that his customers, who would ordinarily use his DNS server as 
> their recursive resolver, now see www.yahoo.com (among who knows what others) 
> as pointing to a different address, the one inside his /19 (which I hope he 
> has tracked and duly removed in grand Texas style), for the purpose of 
> phishing.
>
> Now whether this was done by actually hacking into his DNS server or by a 
> cache poisoning attack or what, I don't know since those details Larry hasn't 
> made public.  And that's ok.

That's what I assumed however given the vagueness I wasn't sure.

At this time I'm unaware of any attacks on Bind within current Centos
5 if it is a properly configured system (selinux enabled, bind chroot,
iptables in place, etc) that would allow someone to mess with his zone
files or other parts of bind.

As such if there is such a critical vulnerability it would be nice to
get details especially how he is so intent on blaming Redhat and
Bind. On the other hand, if he has misconfigured systems it's his
own fault and he should stop blaming Redhat/CentOS.

If he is willing to discuss the details great!

If he is not I would strongly suggest he stop spamming the mailing
lists with nonsense.

James


Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Always Learning

On Fri, 2011-02-18 at 18:32 -0500, Lamar Owen wrote:

> On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
> > Don't understand what you mean by 'within our /19'. 

> I think I do; he's an ISP, and apparently someone inside his address block
> ... has hacked in some way the zone file(s) or the cache for his
> nameserver so that his customers, who would ordinarily use his DNS
> server as their recursive resolver, now see www.yahoo.com (among who
> knows what others) as pointing to a different address 

Thank you for explaining Larry had his DNS servers hacked or poisoned. 


>  to prevent such things I would recommend to Larry that he use the
> great iptables tools that CentOS provides ...
> ... to restrict the addresses that can actually ssh into his server,
> and only allow port 53 UDP and TCP traffic into and out of his DNS
> servers to his customers. 

Agreed. IPtables is a very useful tool to block unauthorised accesses in
and (heaven forbid) out of one's servers. Every server is screwed down
to the barest minimum and every port that can be changed from its
default is. No servers share the same non-standard port numbers. SSH
access is limited to 3 static IP addresses. Aggressive blocking with
IPtables can prevent a lot of time wasting aggro.

I also ban some Chinese blocks and even more Taiwan blocks from port 80
to reduce web hacking and lots of Taiwanese blocks from port 25.

-- 

With best regards,

Paul.
England,
EU.




Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 4:37 PM, James Hogarth  wrote:
>
> Your mentor? What do you mean by that?

The same thing Wikipedia says, namely:

a trusted friend, counselor or teacher, usually a more experienced
person. Some professions have "mentoring programs" in which newcomers
are paired with more experienced people, who advise them and serve as
examples as they advance.

Joe, Randy and James are my mentors of 15, 5 and 5 years,
respectively, and all said the same thing, namely "nuke and repave, be
sure to be current on BIND" since it is a purpose-built box (ns1).

Since others have asked for details, they are below the sig.

With 20/20 hindsight, it is clear that I shouldn't have posted the
original post asking the list for help and hopefully informing other
potential targets of the risk (read: there were no responses to the
original post, therefore it was posted to the wrong audience).

regards/ldv/va...@texoma.net

There was no time for forensics at the time of the discovery; just
time to get advice and react.
What follows is from a few moments ago.

===details===
===box was last nuked and repaved Jul 28  2008
===much unnecessary software removed Jul 28 2008, 57 tasks active per
'ps auxw | wc -l'
===current nmap (same nmap results as on problem day)
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
vaden@turtlehill:/opt$ nmap -A -PN ns1.texoma.net
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Nmap scan report for ns1.texoma.net (209.151.96.2)
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
53/tcp  open  domain
987/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
| ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
|_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
vaden@turtlehill:/opt$
===named.conf security in 2008
[root@ns1 data]# cat /var/named/chroot/etc/named.conf | more
###
#
#  attribution: By Rob Thomas, noc at cymru.com
#   
#  -and-
#

#
#  at the behest of
#  Dr. Joe Redacted (redacted1.edu)
#  Dr. Randall Redacted (redacted2.edu)
===
ssh port not on 22
===
distro's standard iptables save ssh port


Re: [CentOS] openoffice & command line printing

2011-02-18 Thread Cameron Kerr

On 19/02/2011, at 3:30 AM, Gregory P. Ennis wrote:

> Cameron,
> 
> Thanks for your suggestion
> 
> On my system that command results in printing the document on the
> desired printer, but does not return back to the shell prompt.  If I add
> -terminate_after_init  so that the command line is :
> 
> openoffice.org -headless -pt lpt3 document.doc -terminate_after_init
> 
> The above command returns back to the prompt but the document is not
> printed.

Ah, so it does... looking around, I see that it works as documented in versions 
of OOo before 3.1 (3.0.1 should work, and prior). You're certainly not alone.

I wonder if this will be useful for you:

http://www.oooninja.com/2008/02/batch-command-line-file-conversion-with.html

For further help, you ought to get better help on the OOo forums etc.



Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread James Hogarth
>
> Joe, Randy and James are my mentors of 15, 5 and 5 years,
> respectively, and all said the same thing, namely "nuke and repave, be
> sure to be current on BIND" since it is a purpose-built box (ns1).
>

Perhaps it is a difference in language and what you mean by mentor and
where I would mean old colleague/peer who I have discussed this with.

They have stated their opinions and you can follow that - but then you
would be diverging from the point of RHEL somewhat with a custom built
BIND.

Remember that the version number you see on BIND is not always the
equivalent of upstream due to backports. You should check the relevant
RHEL errata, the package %changelog and CVE to get a better
understanding of what exploits are known and what has been patched.


> With 20/20 hindsight, it is clear that I shouldn't have posted the
> original post asking the list for help and hopefully informing other
> potential targets of the risk (read: there were no responses to the
> original post, therefore it was posted to the wrong audience).
>

Err... this isn't the whole story/truth.

I just searched your emails on this list. The first reference to bind
was the 16th Feb with the thread "Blasphemous" with complaints (and no
substance) to Redhat not having current Bind - despite the fact 9.7 is
in the then released 5.6... you suggested an alt repo "for critical
internet functions." Nowhere did you indicate you had a name server
hacked/altered/poisoned... although you pointed out your credit card
processing system was running Redhat linux 7.3 (Valhalla) and was
nearing 10 years old... this from someone complaining about the
'age' of BIND in RHEL/CentOS.


> There was no time for forensics at the time of the discovery; just
> time to get advice and react.

Then you have no way of telling what happened. For future reference a
better reaction is to isolate the server (whether physical or virtual)
and put a new system in place to serve the need for it whilst you
analyze what happened to the previous. Without that knowledge you
cannot mitigate any issues or discover where the failure was, if any.

> What follows is from a few moments ago.
>
> ===details===
> ===box was last nuked and repaved Jul 28  2008
> ===much unnecessary software removed Jul 28 2008, 57 tasks active per
> 'ps auxw | wc -l'

This is irrelevant to the point at hand.

> ===current nmap (same nmap results as on problem day)
> Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
> Note: Host seems down. If it is really up, but blocking our ping probes, try 
> -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
> vaden@turtlehill:/opt$ nmap -A -PN ns1.texoma.net
> Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
> Nmap scan report for ns1.texoma.net (209.151.96.2)
> Host is up (0.0012s latency).
> Not shown: 998 filtered ports
> PORT    STATE SERVICE VERSION
> 53/tcp  open  domain
> 987/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
> | ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
> |_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)
> Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds

So you have SSH exposed and Domain requests exposed. Not surprising
but irrelevant in and of itself.

> vaden@turtlehill:/opt$
> ===named.conf security in 2008
> [root@ns1 data]# cat /var/named/chroot/etc/named.conf | more
> ###
> #
> #  attribution: By Rob Thomas, noc at cymru.com
> #               
> #  -and-
> #
> 
> #
> #  at the behest of
> #  Dr. Joe Redacted (redacted1.edu)
> #  Dr. Randall Redacted (redacted2.edu)
> ===

Without adequate details such as whether IP requests were limited to
your allotted IP addresses and other config details this doesn't help.

> ssh port not on 22
> ===

This is fundamentally irrelevant. This is a very visible server given
it is a primary nameserver for you. A simple nmap as you showed above
presents any potential hacker with the correct port for SSH given a
targeted attack.

> distro's standard iptables save ssh port

Perhaps here you made a security mistake and should have configured it
differently - for example limiting connection attempts, set up
fail2ban, limit inbound SSH from known IPs for management purposes
from your corporate network, not had SSH publicly visible, etc.
Without more detail it is impossible to say what went wrong and how
the system could be potentially secured.

If you have a specific point of vulnerability you have encountered -
whether a known CVE or not - I would urge you to open a bugzilla
ticket with reproducible steps.

If you got hacked through poor configuration and monitoring then it's
your own fault quite frankly and perhaps for something you see as such
a key service you should hire a proper adm
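
One way to carry out the changelog check described in the message above, as an added example (not code from the thread): the function reads `rpm -q --changelog` output on stdin and reports, for each CVE ID given, the package release whose changelog entry mentions it. The changelog text, packager and CVE IDs in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: map CVE IDs to the package release that backported the fix.
# Usage: rpm -q --changelog bind | backport_status CVE-ID [CVE-ID...]
backport_status() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        # Entry header: "* Day Mon DD YYYY Packager <mail> [-] version-release"
        /^\* / { rel = $NF; next }
        {
            for (i = 1; i <= n; i++) {
                p = index($0, want[i])
                # Reject a longer ID that merely starts with the wanted one.
                if (p && substr($0, p + length(want[i]), 1) !~ /[0-9]/)
                    fixed[want[i]] = rel   # newest first, so the oldest entry wins
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in fixed) ? "patched-in " fixed[want[i]] : "not-mentioned")
        }'
}

# Constructed sample in rpm changelog layout (newest entry first). The upstream
# version stays 9.3.6 throughout; only the release field shows the backports.
sample_changelog() {
cat <<'EOF'
* Tue Jan 04 2011 Example Packager <pkg@example.invalid> 30:9.3.6-16.P1
- fix zone transfer handling (CVE-0000-0002)

* Mon Nov 01 2010 Example Packager <pkg@example.invalid> 30:9.3.6-4.P1
- backport upstream fix for cache validation (CVE-0000-0001)
- rebuilt

* Wed Jun 02 2010 Example Packager <pkg@example.invalid> 30:9.3.6-2
- update to 9.3.6
EOF
}

sample_changelog | backport_status CVE-0000-0001 CVE-0000-0003
```

A "not-mentioned" result only means the changelog is silent; the vendor errata for the package remain the place to confirm whether a given CVE applies to that build at all.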

Re: [CentOS] CentOS 5.5 Java Process Death

2011-02-18 Thread Anthony
  On 18/02/11 20:49, Michael Gliwinski wrote:
>
> Try adding 'nohup' before 'java'.  Closing SSH session closes the shell which
> sends HUP to its children.
I religiously use 'screen' when logging in remotely to do any work.  Not 
only has it saved me from interrupted work when the connection breaks, but it 
also saves me from having to remember to use 'nohup' before starting any 
jobs!

Ciao,
Ak.



Re: [CentOS] openoffice & command line printing

2011-02-18 Thread Gregory P. Ennis
On Fri, Feb 18, 2011, Gregory P. Ennis wrote:
>
>On 18/02/2011, at 2:29 PM, Gregory P. Ennis wrote:
>
>> Everyone,
>> 
>> I am trying to print some *.doc files from the command line with
>> openoffice on centos 5.5 with using cups as the print server.
>> 
>> I can open the file from the command line with open office and then
>> print it manually from the gui, but when I open the file and print from
>> command line I am not getting anything.
>> 
>> The commands that I have used are the following :
>> 
>> /usr/bin/openoffice.org -pt lpt4 /mnt/lp/document.doc
>> -terminate_after_init
>
>This works for me on LibreOffice on my Mac (also uses Cups)
>
>LibreOffice 3.3  330m12(Build:1)
>
>/path/to/soffice -headless -pt PRINTER_NAME doco.doc
>
>Note though that if you wanted to do this outside of X11, it might fail...

I tried this using NeoOffice on my Macbook Pro which doesn't use
X11, but I expect that it would fail on Linux without X11 as it
presents the normal print dialog box to select the printer even
though it's set on the command line.

Answering the question below, I ran this in background,
terminating the command with "&", which left NeoOffice running,
but gave me the command line back so I could continue.  This is
not entirely a Bad Thing(tm) as it avoids the startup time when
printing multiple documents.

On the other hand, having NeoOffice present the print dialog box
for every file is less than optimal, but it looks like that's a
NeoOffice thing.

I tried the same command with the path to the most recent
OpenOffice.org soffice which didn't present the dialog box, and
terminated after the print job was complete.

Trying this on a CentOS 5 box here it works fine running the job
in background where it is ready to run subsequent print jobs.
This does not present the print dialog box either.  I ran this
test in an xterm via ssh with X11 forwarding from my Macbook Pro.

Another test using 'xterm -e ssh -x' to disable X11 forwarding
failed on startup saying it can't open DISPLAY. Running the
command with 'ssh -Y user@system /path/to/soffice ...' did work
nicely, and did not leave soffice running on completion.

>--
>
>Cameron,
>
>Thanks for your suggestion
>
>On my system that command results in printing the document on the
>desired printer, but does not return back to the shell prompt.  If I add
>-terminate_after_init  so that the command line is :
>
>openoffice.org -headless -pt lpt3 document.doc -terminate_after_init
>
>The above command returns back to the prompt but the document is not
>printed.
>
>Any other ideas would be appreciated!!!
>
>Greg
>

-- 
Bill


Bill,

Thanks for taking the time to confirm my findings and giving me that
link  lots of good information.  I had hoped this was a simple
problem and my syntax was faulty, but am in agreement with you about
taking this to oo forums.  I did make some progress with the use of
macros from the command line to print a file, but X11 is required, and
so far I have not been able to have it function from a background
script.

Thanks again Bill,

Greg



Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth  wrote:
>
>> With 20/20 hindsight, it is clear that I shouldn't have posted the
>> original post asking the list for help and hopefully informing other
>> potential targets of the risk (read: there were no responses to the
>> original post, therefore it was posted to the wrong audience).
>
> Err... this isn't the whole story/truth.

As a result of "this isn't whole story/truth," I searched GMail and
Thunderbird and here's what I found:

1) GMail says I sent a message To: centos@centos.org Sun, 23 Jan 2011
20:03:22 -0600 Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8
and 5.5? Message-ID:

2) GMail says there was neither a bounce nor an echo post from the mailing list
3) Thunderbird agrees with Gmail re #2
4) New to me (see #7, but more likely as a result of the stress of the
situation of wondering what other big URLs were pointing at leaf
nodes) is a log entry indicating I got a request for a confirmation
from centos-request Jan 23 and Jan 26 and a welcome Jan 26
5) It is possible that I may have unsubscribed from centos but
apparently not from centos-devel
6) If I was unsubscribed, it was definitely posted to the wrong list
7) One nice thing about Alzheimers is that you meet so many new people
each day and they act like they've known you all your life :)
8) apologies to the CentOS Community and CentOS Team are due and issued.

This has been revealing;  I used to think that with 9 stents and a
pacemaker, I could be a stand in on the "6 (read: 1) Million Dollar
Man" TV show if it ever went into reruns :)  Through this experience,
starting with a hacked or poisoned name server, or, quite frankly, the
perception of one, I have learned what people really see.

best regards/ldv/va...@texoma.net


Re: [CentOS] BInd Problem or Update SSL ?

2011-02-18 Thread Larry Vaden
On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth  wrote:
>>
>> Joe, Randy and James are my mentors of 15, 5 and 5 years,
>> respectively, and all said the same thing, namely "nuke and repave, be
>> sure to be current on BIND" since it is a purpose-built box (ns1).
>
> Perhaps is it a difference in language and what you mean by mentor and
> where I would mean old colleague/peer who I have discussed this with.

Wikipedia says "This is the source of the modern use of the word
mentor: a trusted friend, counselor or teacher, usually a more
experienced person."  I am not their peer;  they are my mentors.  They
have been invaluable over the 25 combined years of mentorship to this
rural ISP.

> Remember that the version number you see on BIND is not always the
> equivalent of upstream due to backports. You should check the relevant
> RHEL errata, the package %changelog and CVE to get a better
> understanding of what exploits are known and what has been patched.

Johnny has remarked on the importance of trust.

My trust in RedHat went down when I learned they are not shipping all
the SRPMs.  Some say it is due to human error.  If that is the case,
why should I think they are better at backporting security fixes than
at making sure a manifest of SRPMs is complete and correct?


Re: [CentOS] ACHTUNG: wrt CentALT repo

2011-02-18 Thread Larry Vaden
On Thu, Feb 17, 2011 at 3:00 PM, Johnny Hughes  wrote:
>
> Just for the record ... we (the CentOS Project) do not recommend this
> site.  They are using our name without permission.

Attribution goes to EliteMoly:
CentALT repository not ready for mirroring, rpms not signed.
EPEL is must have to be enabled for CentALT packages to work.
CentALT packages relies on EPEL.
Repacking all dependencies is bad idea. This work is already done in EPEL.
2011-02-18, 10:41