Re: [DNG] chimaera install problem

2022-09-07 Thread Adrian Zaugg
In the message of Tuesday, 6 September 2022 16:29:35 CEST it says:
> On Tue, Sep 06, 2022 at 03:53:08PM +0200, Adrian Zaugg wrote:
> > In the message of Tuesday, 6 September 2022 15:02:47 CEST it says:
> > > At that point you use wget to grab the devuan-keyring package
> > > http://deb.devuan.org/merged/pool/DEVUAN/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
> > > and store that at /target, so you can follow
[...]
> I must say that you are mistaken about that.
Thank you, you are right, don't know what I did to not see this correctly. 
Sorry for the noise.

But I hope you do not oppose when I insist on using https to download the 
keyring (and thus from pkgmaster.devuan.org), there is no DNSSEC on devuan.org 
and I believe the package itself is not signed:

$ dpkg-sig --list devuan-keyring_2022.09.04_all.deb 
Processing devuan-keyring_2022.09.04_all.deb...
$

Regards, Adrian.

signature.asc
Description: This is a digitally signed message part.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
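
Added example, not part of the original message and not Devuan's own tooling: since `dpkg-sig` finds no signature on the .deb, its integrity rests on apt's hash chain (a signed Release/InRelease file lists the SHA256 of each Packages index, which lists the SHA256 of each package). The script below walks those two hash links for a manually downloaded devuan-keyring package; the index path `main/binary-all/Packages`, the function names and all data in `selftest` are constructed, and verifying the signature on the Release file with a key you already trust is assumed to happen separately.

```shell
#!/bin/sh
# Added example: walk apt's hash chain for a manually downloaded .deb.
#   Release/InRelease --SHA256--> Packages --SHA256--> package file
# The signature on the Release file is NOT checked here; do that separately
# (for example with gpgv) against a keyring you already trust.

# SHA256 that the Release file records for one index path.
release_sha256() {      # release_sha256 RELEASE INDEX_PATH
    awk -v want="$2" '
        /^SHA256:/           { in_sec = 1; next }   # start of the SHA256 list
        /^[^ ]/              { in_sec = 0 }         # any other field ends it
        in_sec && $3 == want { print $1; exit }     # " <hash> <size> <path>"
    ' "$1"
}

# SHA256 that a Packages index records for NAME at VERSION.
packages_sha256() {     # packages_sha256 PACKAGES NAME VERSION
    awk -v name="$2" -v ver="$3" '
        BEGIN { RS = ""; FS = "\n" }                # one stanza per record
        {
            n = ""; v = ""; h = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^Package: /) n = substr($i, 10)
                else if ($i ~ /^Version: /) v = substr($i, 10)
                else if ($i ~ /^SHA256: /)  h = substr($i, 9)
            }
            if (n == name && v == ver) { print h; exit }
        }
    ' "$1"
}

file_sha256() { sha256sum "$1" | awk '{ print $1 }'; }

# Exit status: 0 = both links hold, 1 = hash mismatch, 2 = entry not found.
verify_deb_chain() {    # verify_deb_chain RELEASE INDEX_PATH PACKAGES DEB NAME VERSION
    want_idx=$(release_sha256 "$1" "$2")
    [ -n "$want_idx" ] || { echo "no SHA256 entry for $2" >&2; return 2; }
    [ "$(file_sha256 "$3")" = "$want_idx" ] ||
        { echo "Packages index does not match Release" >&2; return 1; }
    want_deb=$(packages_sha256 "$3" "$5" "$6")
    [ -n "$want_deb" ] || { echo "no stanza for $5 $6" >&2; return 2; }
    [ "$(file_sha256 "$4")" = "$want_deb" ] ||
        { echo "$4 does not match Packages index" >&2; return 1; }
    echo "OK: $4 matches the index"
}

# Constructed sample data: a fake package, a two-stanza Packages index and a
# minimal Release file. Checks that the intact file passes and a modified
# one is rejected.
selftest() {
    d=$(mktemp -d) || return 1
    deb="$d/devuan-keyring_2022.09.04_all.deb"
    printf 'constructed package payload\n' > "$deb"
    printf 'Package: placeholder\nVersion: 1.0\nSHA256: 00\n\n' > "$d/Packages"
    printf 'Package: devuan-keyring\nVersion: 2022.09.04\nSHA256: %s\n' \
        "$(file_sha256 "$deb")" >> "$d/Packages"
    printf 'Origin: constructed\nSHA256:\n %s 120 main/binary-all/Packages\n' \
        "$(file_sha256 "$d/Packages")" > "$d/Release"
    rc=0
    verify_deb_chain "$d/Release" main/binary-all/Packages "$d/Packages" \
        "$deb" devuan-keyring 2022.09.04 >/dev/null || rc=1
    # Modify the package after the index was written: must now be rejected.
    printf 'tampered' >> "$deb"
    if verify_deb_chain "$d/Release" main/binary-all/Packages "$d/Packages" \
        "$deb" devuan-keyring 2022.09.04 >/dev/null 2>&1; then rc=1; fi
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--selftest" ]; then selftest && echo "selftest passed"; fi
```
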


Re: [DNG] chimaera install problem

2022-09-06 Thread Adrian Zaugg
In the message of Tuesday, 6 September 2022 15:02:47 CEST it says:
> At that point you use wget to grab the devuan-keyring package
> http://deb.devuan.org/merged/pool/DEVUAN/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
> and store that at /target, so you can follow up with manual
> installation into /target, by:
> # chroot /target /usr/bin/dpkg -i devuan-keyring_2022.09.04_all.deb
There is neither curl, wget nor dpkg available in the netinst iso, at least 
not in daedalus and presumably not in chimaera either.

Regards, Adrian.




Re: [DNG] chimaera install problem

2022-09-06 Thread Adrian Zaugg
Hi Peter

Good if your new system boots up afterwards! Go to a console and run as root

tasksel --new-install

and complete the installation like this. If you're missing other packages 
install them with apt, e.g.

apt install openntpd

...to have time synchronisation.


Regards, Adrian.


In the message of Tuesday, 6 September 2022 13:10:47 CEST it says:
> Hi Adrian
> 
> I tried changing the date as you suggested. That doesn't work - I now
> get a message in the log saying that
> "http://deb.devuan.org/merged/dists/chimaera/InRelease is not valid
> yet"
> 
> If I tell the install to ignore the error and continue, it completes
> and the system boots successfully - but obviously that's only a very
> basic system.
> 
> I've been trying to install the new devuan-keyring package via one of
> the console sessions during installation - but I think there are too
> many missing and conflicting dependencies.
> 




Re: [DNG] meta: list

2022-09-06 Thread Adrian Zaugg
> Maybe related news, and some more reading:
> 
> https://www.jwz.org/blog/2022/08/today-in-google-broke-email/

No, it is not related, he just needs to get SRS implemented.

Regards, Adrian.



Re: [DNG] chimaera install problem

2022-09-06 Thread Adrian Zaugg
Hi Peter

This is because package verification fails, you can see this in the console 
log. Devuan has forgotten to renew its signing key on time, which is a major 
fault. All install images need to be regenerated but it seems that hasn't been 
done.

A workaround, not a nice one, is to set your clock to a date before the key 
was expired. Unfortunately you can't update the repository signing key in the 
installer env the way it was posted here.

Change to a console with alt-F2, hit enter to activate it, and set the date 
using:
date -s "2022-08-31"

...then try again to configure the package manager.

Regards, Adrian.


In the message of Monday, 5 September 2022 17:49:23 CEST it says:
> Sorry if this has been addressed before - I did look through the posts,
> but couldn't see anything relevant. Also sorry if I'm missing something
> obvious.
> 
> I'm trying to install chimaera on a virtualbox VM, using the netinstall
> image (devuan_chimaera_4.0.0_amd64_netinstall.iso, dated Nov 18 2021) -
> I've done this many times before, without a problem. This time, when I
> get to "configure the packet manager", it comes back with "The
> installer failed to access the mirror". I used wireshark to check that
> it's talking to the network and the server - it appears to be doing so
> (accessing server at 95.216.15.86).
> 
> I'm wondering if it could be another effect of the recent key expiry
> problem.
> 
> 
> 


-- 
   -°)
(_^/

  Adrian Zaugg
  Zweierstrasse 56
  CH-8004 Zürich

  044 291 02 38



(This eMail gets best displayed
 using a monospace font.)

# Retrieve my public GPG key:
  gpg --locate-external-keys a...@ente.limmat.ch



Re: [DNG] [SPAM] Re: Key is expired

2022-09-04 Thread Adrian Zaugg
In the message of Sunday, 4 September 2022 11:20:39 CEST it says:
> Automatic updates require the key to be updated, but the package in
> point that should provide the updated key is outdated as well. So, it's a
> vicious circle that requires manual intervention via "dpkg -i", as Ludovic
> has pointed out.

I feared what you wrote, so it's a kind of second worst case scenario. We will 
have some Devuan installations not getting updates any longer (1411 
unattended-upgrades installed according to popcon and not all of these are 
closely accompanied, I guess). At least Devuan should put a clearly visible 
warning on the front page of https://devuan.org/ linked to a helping page, if 
an automatic correction of the problem is impossible.

But, if I look at the list of installed keys, I see:
$ apt-key list
[...]

/etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg
--
pub   rsa2048 2014-12-02 [SC]
  72E3 CB77 3315 DFA2 E464  743D 9453 2124 5419 22FB
uid   [ unknown] Devuan Repository (Primary Devuan signing key) 

sub   rsa2048 2014-12-02 [E]
sub   rsa4096 2016-04-26 [S]

[...]

This key does not expire and it seems installed on beowulf and chimaera. Can 
we just also sign the index file and the devuan-keyring package with this key 
for a while? Would this help to get the new devuan-keyring package and thus to 
fix the issue automatically?


Regards, Adrian.






Re: [DNG] Key is expired

2022-09-04 Thread Adrian Zaugg
In the message of Saturday, 3 September 2022 19:27:03 CEST, Ludovic 
Bellière via Dng wrote:
> In order to resolve the gpg key being outdated, the following steps need to
> be taken: [...]

Will the key update on existing systems be done automatically at some point or 
is Ludovic's described manual action required?

Regards, Adrian.


BTW:
...please use https: as discussed on this list at 2020-03-19 onwards in the 
thread "Beowulf Beta is here!" to download the package:

wget 
https://pkgmaster.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb




Re: [DNG] udev rule to create mount point /dev/hugepages

2022-07-12 Thread Adrian Zaugg
Hi Aitor

In the message of Tuesday, 12 July 2022 01:20:10 CEST it says:
> You can find these files in the subdirectories:
> 
> /sys/devices/system/node/node0/hugepages/hugepages-*/

The path you gave is per numa node. It is possible to set different numbers of 
hugepages on each numa node. The per system information is here:

/sys/kernel/mm/hugepages/hugepages-*/nr_hugepages

(or in /proc/meminfo)


Regards, Adrian.



[DNG] s6

2022-07-12 Thread Adrian Zaugg

It seems here:
https://github.com/skarnet/s6

(linked by: https://skarnet.com/contact/)

Regards, Adrian.

In the message of Saturday, 9 July 2022 16:06:13 CEST, 
wirelessduck--- via Dng wrote:
> Does anyone know where we can keep track of progress on that project? His
> website hasn’t seen any updates since the funding announcement a long time
> ago.





Re: [DNG] udev rule to create mount point /dev/hugepages

2022-07-11 Thread Adrian Zaugg
Hi Aitor

It is not meant to make user changes under /usr except under /usr/local; so a 
change like your suggestion should get incorporated into the corresponding 
package, I think. Or do you see a place somewhere in
/etc/initramfs-tools/scripts/ for it?

From my understanding udev is responsible to set up /dev so having udev 
creating the directory /dev/hugepages would be a cleaner way to go. The rule 
should thus be present in /lib/udev/rules.d/ and be packaged with eudev.

On Debian the directory is created in any case, as it seems to me. The systemd 
unit checks for the existence of /sys/kernel/mm/hugepages and this seems to 
exist no matter whether explicit hugepages are available or not. The test 
should read the number of HugePages_Total instead and create the directory if 
it is >0. Hence something like this:

if [ $(grep "HugePages_Total:" /proc/meminfo | \
sed -e "s/^HugePages_Total:[\t ]*//") -gt 0 ]; then
   [...]
fi

I don't know whether it is possible to write as a (e)udev rule for this...

Whatever solution is best, Devuan and Debian are different in this respect. 
Devuan does not have a solution at hand. So we need to find out how Devuan 
should solve this and ask for the feature from the right packet. 

How do you guys set up the mount point for hugetlbfs? Just like Torvalds under 
/mnt/huge [1]?


Regards, Adrian.


[1] https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/mm/hugetlbpage.rst


In the message of Friday, 8 July 2022 21:19:12 CEST it says:
> Hi Adrian,
> 
> On 8/7/22 15:40, Adrian Zaugg wrote:
> > But I'm failing to write a (e)udev rule, that does the following:
> > if the directory /sys/kernel/mm/hugepages exists,
> > create the directory /dev/hugepages
> > 
> > Thank you very much for your help!
> 
> Add a new script named, for example,
> `/usr/share/initramfs-tools/scripts/init-bottom/zz-hugepage` with the
> following code:
> 
> #!/bin/sh -e
> 
> PREREQS=""
> 
> prereqs() { echo "$PREREQS"; }
> 
> case "$1" in
>  prereqs)
>  prereqs
>  exit 0
>  ;;
> esac
> 
> if [ -d /sys/kernel/mm/hugepages ]; then
>  /bin/mkdir ${rootmnt}/dev/hugepages
> fi
> 
> I'm adding the prefix 'zz' to the name of the script because the scripts are
> found in lexical order, and the temporary symlink `${rootmnt}/dev` to the
> final `/dev` for other initramfs scripts is created in
> `/usr/share/initramfs-tools/scripts/init-bottom/udev`.
> 
> HTH,
> 
> Aitor.





[DNG] udev rule to create mount point /dev/hugepages

2022-07-08 Thread Adrian Zaugg
Hi

Trying to use hugepages, I fail to create a mountpoint in /dev. It seems it 
was never officially solved under Debian SysV according to the Debian bug 
report #572733. At least meanwhile the devs seem to have accepted to use
/dev/hugepages, as can be seen in the systemd mount unit: 
https://sources.debian.org/src/systemd/44-11%252Bdeb7u4/units/dev-hugepages.mount/

There is also a hint to the event suitable to create the mount point in the 
unit file:
ConditionPathExists=/sys/kernel/mm/hugepages

But I'm failing to write a (e)udev rule, that does the following:

if the directory /sys/kernel/mm/hugepages exists,
create the directory /dev/hugepages

Thank you very much for your help!

Regards, Adrian.


PS: Alternatively I could write an init-script and let it run before eudev 
starts, but this seems the less preferred way to me.





Re: [DNG] moving to a new system

2022-06-27 Thread Adrian Zaugg
In the message of Saturday, 25 June 2022 15:32:21 CEST, Marjorie 
Roome via Dng wrote:

> (1) Replicate your existing system on the new hardware, maybe with a
> different disk/partition structure from what you have now. And then
> upgrade to Devuan.

This is the easiest method mentioned, because you keep all your installed 
programs, special settings and all your modifications. More detailed, but 
certainly not complete:

- Boot your old and your new system with a live cd, I use GRML (grml.org):
    - dd the grml iso to a USB stick, boot from it
    - old system, choose run from RAM, unplug the stick after booting
    - new system with same stick, choose graphical, edit the
      entry and add toram at the end, boot

- if your new system has bigger or disks of the same size: use dd over network
  (else use tar, see below)
    - on the old system
        dd if=/dev/sda bs=64K | nc -N -l -p 1
    - on the new system
        nc  1 | dd of=/dev/nvme0n1

    * set the disks right: sda and nvme0n1 are just examples, for moving
      to md raids, create and start it on the new system
    * if you are not alone on your net, use encryption:
        - set a password for the user grml and root on old
        - start the ssh server: service ssh start
        - ssh from the new box into the old forwarding port 1
            ssh -L1:localhost:1 
        - then use localhost instead of  above
        - do not execute the commands in the shell where ssh is
          running, just use ssh for the port forward (might use -f
          instead, see man ssh) and use another shell for dd
    * if you need progress indication: use pv
        - apt install pv
            dd if=xy bs=64K | pv | nc 
          resp.
            nc ... | pv | dd ...
    * if you are impatient, use compression with lzop
      (speeds over 1 Gb possible on GbE!)
      on the old system inject:
            dd ... | lzop | pv | nc ..
      into the piped commands, on the new system
            nc ... | lzop -d | pv | dd ...
      (before or after pv)
    * if you are even more impatient test values for bs, 1M is also a
      good value to try with (you can just stop with ctrl-c and restart,
      use jnettop and/or iotop)

=> dd clones your boot sector, partition table etc., so you do not need to
make your new system bootable again after cloning, if
    - your disks are of the same size and type (hdd vs. SSD)
    - you do not need to change from MBR to UEFI
    - you do not need to change disk labels from msdos to GPT
    - you didn't use partitionable md raids (auto=mdp)
  and
    - you are happy with the old partitioning scheme you used
just boot and continue to crossgrade to Devuan.

- You may now repartition your disk using gparted, you basically can change
  everything (size, order, etc.), if you need to change booting from BIOS to
  UEFI, use gdisk first to migrate (search for a tutorial online)
    - don't forget the EFI system partition if you need it
    - make a separate /boot as your first partition (but after EFI
      system part.) for easy cloning and repartitioning in the future

- mount your root under /mnt/mysys

- if you introduce new partitions:
    - format the new partition
    - mount the new partition under /mnt/xy
    - mv everything what belongs there, e.g. from /var
        mv -v /mnt/mysys/var /mnt/xy
    - change /mnt/mysys/etc/fstab
      (use blkid to find UUID)
    - unmount /mnt/xy and mount under the right location
      under /mnt/mysys/...
    - repeat for all new partitions

- edit /mnt/mysys/etc/fstab to set the mount options you like (-> e.g.
  discard, ...on ext4 journal_checksum, journal_async_commit, remount-options,
  ...)

- check all mount points have the right permissions (e.g. t flag on /tmp)

- you may also use tar to get to this point, e.g. when your new system has
  smaller disks (partition the new system, format, mount (see above) and tar):
    old system:
        - create a file /root/x containing: ./proc ./sys ...each on a
          separate line
        - mount your old system under /mnt/oldsys including all partitions
          on the right mount point
        - copy:
            tar -X /root/x --show-omitted-dirs -clf - -C /mnt/oldsys . \
              2>/tmp/tar.err | pv | lzop | nc -N -l -p 1
    new system:
        - check all partitions are mounted right as they belong together
          (see above under the dd method)
        - ssh into old system (see above) for port forwarding, use in
          another shell than ssh:
            nc localhost 1 | lzop -d | \
              tar --totals --atime-preserve -xvpf - -C /mnt/mysys 2>/tmp/tar.err
    - check tar.err on each system to see if copying went well

- make your new system bootable 


Re: [DNG] install on a raid 1 array

2022-06-01 Thread Adrian Zaugg
Hi TIA

In the message of Thursday, 2 June 2022 00:16:05 CEST it says:
> My idea was to partition the disks just like normal after the array was
> built. Is that possible?

Yes, it's possible: You may set up a partitionable md array. The installer does 
not offer partitionable arrays, it just offers arrays of partitions. Partitionable 
arrays are built over the whole device and then the md device is partitioned. 
With this, if a disk fails, you can just replace it without cloning the 
partition table first. See man 8 mdadm under --auto mdp for a description.

You can boot a live system prior to installing and set up your mdp array. I 
use grml since it has all tools onboard. Then start the installer and install 
Devuan. Your mdp device will appear in the partition manager. Add your partitions 
as you like and install. Don't forget to tell your ext4 the correct settings 
for stride and stripe-width using tune2fs afterwards.

I've just tested this in a VM with chimaera and it worked. The installer 
created DOS disk labels, although I had previously written a GPT disk label to 
the mdp device. The reason might be my KVM doesn't have UEFI Support. I don't 
know if it is possible with GPT/UEFI, which was at times of ascii or jessie 
not working with mdp arrays, if I remember right.

Regards, Adrian.


BTW: I would combine one M2 and one SATA SSD to a RAID1 using the mdadm 
--write-mostly flag for the SATA drives. I like to have a fast /home as well.

BBTW: Another possibility would be to use btrfs instead of mdadm, which has 
built-in raid functionality.



Re: [DNG] Beowulf to Chimaera update breaks suspend on laptop

2022-04-07 Thread Adrian Zaugg
Hi Brad

In the message of Thursday, 7 April 2022 14:58:36 CEST, Brad 
Campbell via Dng wrote:
> So, I'm asking for either :
> - Experience in making the in-kernel mechanisms work; or preferably
Updating the BIOS of your Box to the newest version might help here.

Best regards, Adrian.



[DNG] FreedomBox on Devuan

2022-04-07 Thread Adrian Zaugg
Hi

Has anyone tried to build a FreedomBox [1] image using freedom-maker on 
Devuan?

Regards, Adrian.

[1] https://freedombox.org/



Re: [DNG] browsers

2022-03-24 Thread Adrian Zaugg
Have you tried to start off with a new FF profile? Just for a test, open FF 
from console with:

firefox-esr --profile-manager

...then create a new profile and try: It will restore your open windows when 
chosen to do so with the new profile.

Regards, Adrian.


In the message of Friday, 25 March 2022 00:43:09 CET, o1bigtenor via 
Dng wrote:
> Greetings
> 
> Firefox is quite ticking me off.
> It has this penchant for NOT remembering the previous session even
> when the click box has been 'enabled'.
> 
> I am quite uncomfortable with ms googly's desire to know everything
> about me but maybe I would use chromium IF I can stop the trackers. In
> FF I use ublockorigin and privacy badger.
> 
> Someone who is using chromium - - - - is it possible to harden chromium?
> 
> Please - - - I'm quite frustrated with Firefox.
> 
> (I've also got Vivaldi, Opera and Falkon available.
> Find that all the other browsers except firefox-esr expect one to
> update almost daily - - - sorry I find that that kind of behavior is
> usually a waste of my time!)
> 
> TIA




Re: [DNG] make-rc: A parallel (as in make(1)) alternative to sysv-rc

2022-01-05 Thread Adrian Zaugg
Hi Alejandro

In the message of Wednesday, 5 January 2022 03:03:53 CET, Alejandro 
Colomar (man-pages) via Dng wrote:
> So, if the problem is that the rc scripts don't run parallel and don't
> know about exact dependencies from each-other, let's rewrite that part

rc.scripts do run in parallel and they know about dependencies, this is what 
the LSB tags in the beginning of the init scripts are for. See insserv (8).

Regards, Adrian.



Re: [DNG] Wanting to set up an email system

2021-11-30 Thread Adrian Zaugg
In the message of Monday, 29 November 2021 23:08:33 CET, Adrian 
Zaugg wrote:
> Be prepared for a long, long journey setting up an email system with
> SMTP/ IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS
> certs, DANE, virusscanning, anti-spam Measures (possibly greylisting,
> classification, RBLs, dnswl, ...), virtual domain handling, user auth from
> a directory, automatical MUA configuration, backup of the mailstorage, asf.
...sieve and vacation might also be nice and a solution for an addressbook, 
both integrated into the webmail



Re: [DNG] Wanting to set up an email system

2021-11-29 Thread Adrian Zaugg
Hi TIA

In the message of Saturday, 27 November 2021 16:17:45 CET it says:
> that's needed for an email system. So - - - I'm looking for recommendations
> on what and how to setup an email system. The why you're using what you are
> is vitally important for me (as are my security and privacy).

Be prepared for a long, long journey setting up an email system with
SMTP/IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS certs, 
DANE, virusscanning, anti-spam Measures (possibly greylisting, classification, 
RBLs, dnswl, ...), virtual domain handling, user auth from a directory, 
automatical MUA configuration, backup of the mailstorage, asf. is rather 
complex and time consuming. But it can be fun nevertheless... :-)

Regards, Adrian.

PS: I'm using exim/dovecot/greylistd/spamassassin/pyzor/razor/srsd/apache/roundcube/mysql/? on Devuan.



Re: [DNG] networking thinking

2021-11-29 Thread Adrian Zaugg
Hi TIA

In the message of Sunday, 28 November 2021 14:20:14 CET it says:

> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?
Less devices, less to setup and maintain and less to break: I would go with 1 
Firewall and 1 Switch.

Get a box with an SFP Port for your firewall and install OPNSense on it. Stick 
your fiber directly in your firewall, if your provider lets you choose and does 
not insist on some plastic box. If he does, then try to use it in bridge mode. 
Upon request, the providers over here tell what one has to do, when using a 
media converter (e.g. VLAN tag or PPPoE).

OPNSense and pfSense are excellent firewall distributions and IPv6 is well 
integrated with both of them. They are almost identical, coming the same way. 
OPNSense is more community oriented whereas pfSense drifted away to be more 
commercial now, but Documentation is better.

PCEngines is a stable, bullet-proof hardware, it's industrial grade, lasts for 
ever and has a core boot BIOS. There soon will be a version with an SFP port 
available. You won't get Gigabit-Speed through an APU with OPNSense (around 
800Mbit/s), get something with a CPU on par with a Intel N4100, if you want to 
be ready for gigabit speed. 

There are many nice boxes around without SFP ports (like the ones from AsRock 
industrial e.g.) but don't use Zotac nano ci329 with pfSense, it doesn't run 
stable (Linux in contrary runs like a charm on these). 

Zyxel Switches are basically OK, but you don't get security updates after some 
years, the interface doesn't work on all browsers and they have weird bugs 
(e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik 
using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and 
they are rather cheap. You get a Desktop Switch with 2x 10GbE and 8x 1 GbE for 
<$100. If you want to play around with your Zyxel to install whatever on it, 
that's fine, but I wouldn't invest my time on that ─ better get your lab 
running.

Opinions on the topic will go apart, you'll get tons of advice in any 
direction. To a certain extent it's about your personal liking. Mine you 
probably just read above...

Regards, Adrian.






Re: [DNG] system administration of non-systemd distros and releases

2021-11-19 Thread Adrian Zaugg
Hi Peter

Under normal circumstances an admin does not have to get in touch with the 
init system or start-up mechanisms too much: If the job by the package 
maintainer is done, it works as intended. In case of non-packaged software, 
when a startup-script is missing, it might be a little bit easier to write a 
unit file than an init script, but not that much, that it really counts. So 
under normal circumstances, it just does not matter.

A decent admin works every day on the command line and thus shell scripts are 
a natural match. They can be understood easily, changed and worked with 
without problems. So systems which are based on shell scripts are mostly more 
understandable by the admins. And this counts, when things go wrong. 

I can't tell how hard it is to handle a broken systemd based system, how messy 
binary logs look like, when the box crashes during a log write or debug boot 
problems on them, because I don't use systemd. I switched once to Linux 
servers, because I hated to tell my users when I solved a problem on a Windows 
box: "It works again, but I can't tell why." I want to understand what I'm 
doing and why I'm doing it, and that's why I stay away from black magic 
monsters like systemd, launchd or Windows.

If your management fears not to find staff who has the skills to work with an 
open and well structured system like Devuan, they should fear to find no one 
usable at all in first place. A decent admin can handle Devuan as good or bad 
as Debian. If a Linux admin is not able to work on the command line, she/he is 
not up to the job. If she/he can, he has no problems to work with a non 
systemd system.

One more thing: A management who decides on products their IT has to work 
with, is like a team manager who tells a coach which player to send on the ice 
during a hockey game. A no-go. Technical decisions are IT decisions, financial 
and functional decisions are made by the management towards their IT. They 
just don't know the technical finesses, hurdles and dependencies. They should 
know about money and what is needed by the company.

If a management manages to create a sustainable working environment, they 
don't need to find anyone new so soon. They get longstanding IT workers who 
care for "their" systems and lead the ones that step in, to get them 
integrated to the team and the system that's in place. If the management 
doesn't do its job, they have to fear what they say, but then I'm also sure 
the IT department lacks time, documentation and team spirit already today. 

Regards, Adrian.


In the message of Friday, 19 November 2021 12:29:32 CET it says:
> I've recently been asked to recommend an upgrade route for a number of
> linux servers, and I proposed going to devuan. In response, I've had a
> concern raised which took me by surprise. It was suggested that in the
> future, it may not be possible to find staff who have the skills to
> administer and manage servers running non-systemd or pre-systemd
> distros/releases.
> 
> I've tried to give reassurance - but I'm still wondering if this could
> be a valid concern. I'd always taken the view that it's primarily the
> linux sysadmin community which is trying to stop the onslaught of the
> systemd juggernaut - but obviously, the greater the proportion of
> servers running systemd-based distros/releases, the less staff get
> exposed to non-systemd management techniques and tools.
> 
> I'd be grateful for thoughts and comments.




Re: [DNG] Fwd: Upcoming compatibility problem of oldstable (and older) vs. certificates from Let's Encrypt

2021-09-19 Thread Adrian Zaugg
The issue has been recently resolved by the LTS Team, see LTS Advisory 
DLA-2761-1 and DLA-2760-1. [1]

Thanks to the LTS Team!

Regards, Adrian.

[1] https://www.debian.org/lts/security/

In the message of Thursday, 9 September 2021 17:50:57 CEST, Adrian 
Zaugg wrote:
> Dear List
> 
> As far as I can tell, the reported issue on Debian-LTS List is also relevant
> for Devuan jessie, ascii and beowulf.
> 
> Regards, Adrian.
> 
> 
> --  Forwarded Message  --
> 
> Subject: Upcoming compatibility problem of oldstable (and older) vs.
> certificates from Let's Encrypt
> Date: Thursday, 9 September 2021, 17:31:49 CEST
> From: Stefan Huehner 
> To: debian-...@lists.debian.org
> Message-ID: <20210909153149.gf6...@huehner.biz>
> 
> Hello LTS Team,
> 
> I want to raise a (rapidly) upcoming compatibility problem affecting older
> debian release when connecting via i.e. https:// to any system using SSL
> certificates from Let's Encrypt.
> 
> Raising here as i didn't see any discussion in debian project.
> 
> The problem:
> - Starting 2021-10-01
> - openssl < 1.1.0
> - gnutls < 3.6.14
> 
> will fail to validate any Let's Encrypt SSL certificates (which did not do a
> per-certificate choice to avoid this).
> 
> This article by the project has all the details:
> https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
> 
> In short:
> - They use a certificate chain containing a CA certificate expiring on
> 2021-10-01
> - While that path is not valid after that date, there is alternative path
> still being valid
> - However older version of some libraries do not even try alternative paths
> but give up on seeing the expired one
> 
> In Ubuntu they are backporting the chances to avoid this problem in both
> openssl / gnutls:
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 (openssl)
> https://bugs.launchpad.net/ubuntu/bionic/+source/gnutls28/+bug/1928648
> (gnutls)
> 
> Given the wide-spread use of Let's Encrypt it may make sense to consider
> doing that also on the debian side.
> 
> Note that apt itself is using gnutls.
> So if people are using https:// to access some repos and the repo/mirror
> uses Let's Encrypt that could get much more annoying.
> 
> Checking openssl / gnutls versions across releases:
> jessie    libssl1.0.0         1.0.1t
>           libgnutls-deb0-28   3.3.8
> 
> stretch   libssl1.0.2         1.0.2u
>           libssl1.1           1.1.0l
>           libgnutls30         3.5.8
> 
> buster    libssl1.0.2         1.0.2u
>           libssl1.1           1.1.1d
>           libgnutls30         3.6.7
> 
> bullseye  libssl1.1           1.1.1k
>           libgnutls30         3.7.1
> 
> Bug present in
> - openssl < 1.1.0
> - gnutls < 3.6.14
> 
> Looks like:
> - bullseye is fine
> - But every older release seems to be affected
> 
> Assuming there is interest this affects probably
> - LTS Team
> - ELTS if any of the sponsors is interested
> - 'normal' debian for old-stable ?
> I just wrote just here for the moment to not spam several teams.
> 
> Let's Encrypt offers alternative chain avoiding this bug but breaking
> compatibility with old Android. That can serve as a workaround for this
> issue on case by case. But as this is on the 'other side' (each certificate)
> not really a global fix.
> 
> Regards,
> Stefan Hühner
> 
> p.s. Please CC me on replies, i am not on the list
> 
> 
> -




[DNG] Fwd: Upcoming compatibility problem of oldstable (and older) vs. certificates from Let's Encrypt

2021-09-09 Thread Adrian Zaugg
Dear List

As far as I can tell, the reported issue on Debian-LTS List is also relevant 
for Devuan jessie, ascii and beowulf.

Regards, Adrian.


--  Forwarded Message  --

Subject: Upcoming compatibility problem of oldstable (and older) vs. 
certificates from Let's Encrypt
Date: Thursday, 9 September 2021, 17:31:49 CEST
From: Stefan Huehner 
To: debian-...@lists.debian.org
Message-ID: <20210909153149.gf6...@huehner.biz>

Hello LTS Team,

I want to raise a (rapidly) upcoming compatibility problem affecting older 
debian release when connecting via i.e. https:// to any system using SSL 
certificates from Let's Encrypt.

Raising here as i didn't see any discussion in debian project.

The problem:
- Starting 2021-10-01
- openssl < 1.1.0
- gnutls < 3.6.14

will fail to validate any Let's Encrypt SSL certificates (which did not do a 
per-certificate choice to avoid this).

This article by the project has all the details:
https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

In short:
- They use a certificate chain containing a CA certificate expiring on 
2021-10-01
- While that path is not valid after that date, there is an alternative path 
still being valid
- However older versions of some libraries do not even try alternative paths 
but give up on seeing the expired one

In Ubuntu they are backporting the changes to avoid this problem in both 
openssl / gnutls:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 (openssl)
https://bugs.launchpad.net/ubuntu/bionic/+source/gnutls28/+bug/1928648 
(gnutls)

Given the wide-spread use of Let's Encrypt it may make sense to consider doing 
that also on the debian side.

Note that apt itself is using gnutls.
So if people are using https:// to access some repos and the repo/mirror uses 
Let's Encrypt that could get much more annoying.

Checking openssl / gnutls versions across releases:
jessie    libssl1.0.0         1.0.1t
          libgnutls-deb0-28   3.3.8

stretch   libssl1.0.2         1.0.2u
          libssl1.1           1.1.0l
          libgnutls30         3.5.8

buster    libssl1.0.2         1.0.2u
          libssl1.1           1.1.1d
          libgnutls30         3.6.7

bullseye  libssl1.1           1.1.1k
          libgnutls30         3.7.1

Bug present in
- openssl < 1.1.0
- gnutls < 3.6.14

Looks like:
- bullseye is fine
- But every older release seems to be affected

Assuming there is interest this affects probably
- LTS Team
- ELTS if any of the sponsors is interested
- 'normal' debian for old-stable ?
I just wrote just here for the moment to not spam several teams.

Let's Encrypt offers alternative chain avoiding this bug but breaking 
compatibility with old Android. That can serve as a workaround for this issue 
on case by case. But as this is on the 'other side' (each certificate) not 
really a global fix.

Regards,
Stefan Hühner

p.s. Please CC me on replies, i am not on the list


-
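
Added example (not part of the forwarded message, and not code from OpenSSL or GnuTLS): a simplified Python model of the path-building behaviour described above, matching certificates by name only, without signature checks. All certificate names and dates are constructed, except the 2021-10-01 expiry taken from the message.

```python
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "subject issuer not_after")
Result = namedtuple("Result", "ok path reason")

# Constructed certificates; only the 2021-10-01 expiry comes from the message.
LEAF = Cert("www.example.org", "Intermediate CA", date(2021, 12, 1))
INTERMEDIATE = Cert("Intermediate CA", "New Root", date(2025, 1, 1))
NEW_ROOT_CROSS = Cert("New Root", "Old Root", date(2024, 1, 1))  # cross-signed by the old root
NEW_ROOT_SELF = Cert("New Root", "New Root", date(2035, 1, 1))   # self-signed copy of the new root
OLD_ROOT = Cert("Old Root", "Old Root", date(2021, 10, 1))       # the expiring CA certificate

TRUST_STORE = [OLD_ROOT, NEW_ROOT_SELF]                 # both roots are installed on the client
DEFAULT_CHAIN = [LEAF, INTERMEDIATE, NEW_ROOT_CROSS]    # chain containing the cross-signed cert
ALTERNATIVE_CHAIN = [LEAF, INTERMEDIATE]                # per-certificate alternative chain

BEFORE_EXPIRY = date(2021, 9, 30)
ON_EXPIRY = date(2021, 10, 1)


def build_path(sent_chain, trust_store, today, trusted_first):
    """Build one path from the leaf to a trust anchor and validate it.

    trusted_first=False models the old behaviour: issuers are taken from the
    certificates the server sent before the trust store is consulted, and the
    single resulting path is never reconsidered if it turns out to be expired.
    trusted_first=True looks in the trust store first, so the path stops at
    the still-valid self-signed root and ignores the cross-signed one.
    """
    path = [sent_chain[0]]
    while path[-1] not in trust_store:
        wanted = path[-1].issuer
        pools = (trust_store, sent_chain) if trusted_first else (sent_chain, trust_store)
        issuer = next((c for pool in pools for c in pool
                       if c.subject == wanted and c not in path), None)
        if issuer is None:
            return Result(False, [c.subject for c in path], "issuer not found: " + wanted)
        path.append(issuer)
    names = [c.subject for c in path]
    expired = [c.subject for c in path if today >= c.not_after]
    if expired:
        return Result(False, names, "expired: " + ", ".join(expired))
    return Result(True, names, "ok")


if __name__ == "__main__":
    cases = [
        ("old client, default chain, before expiry", DEFAULT_CHAIN, BEFORE_EXPIRY, False),
        ("old client, default chain, on expiry", DEFAULT_CHAIN, ON_EXPIRY, False),
        ("fixed client, default chain, on expiry", DEFAULT_CHAIN, ON_EXPIRY, True),
        ("old client, alternative chain, on expiry", ALTERNATIVE_CHAIN, ON_EXPIRY, False),
    ]
    for label, chain, day, trusted_first in cases:
        res = build_path(chain, TRUST_STORE, day, trusted_first)
        print(f"{label}: {'OK' if res.ok else 'FAIL'} ({res.reason}) via {' -> '.join(res.path)}")
```

The last case corresponds to the alternative chain mentioned at the end of the message: without the cross-signed certificate in what the server sends, even the old lookup order ends at the valid root.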




[DNG] vm6.ganeti.dyne.org DKIM verification always fails

2021-08-06 Thread Adrian Zaugg
As already mentioned in a side note on this list [1] I believe 
vm6.ganeti.dyne.org - the receiving mail server of this list - is not able to 
verify DKIM signatures of incoming messages correctly. I checked through the 
Mails I kept from the DNG list and found not a single mail with a DKIM 
signature, that was successfully verified.

All incoming DKIM signed messages get a header added by vm6 that says 
something like:
    Authentication-Results: vm6.ganeti.dyne.org;
        dkim=fail reason="signature verification failed"
        (2048-bit key; secure) header.d=mailgurgler.com
        header.i=@mailgurgler.com header.b="oA569rJc";
        dkim-atps=neutral

Searching through 5659 messages I archived, 2743 are DKIM signed and none of 
the signatures are found valid by vm6, thus I assume the verification on vm6 
does not work.

Regards, Adrian.


[1] 29/12/2019 02:26, Message-ID: 
<0306d67d-6576-3c1f-6475-438d9d151...@ente.limmat.ch> 
https://lists.dyne.org/lurker/message/20191228.125701.7492cacc.en.html
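
Added example (not part of the original post): one way to produce such a count over an archive, tallying per message what a given verifier recorded in Authentication-Results. The parser drops comments such as "(2048-bit key; secure)" before splitting on ';'. The sample messages and the example.org / mx.example.net names are constructed; only the vm6 header is the one quoted above.

```python
import email
import re
from collections import Counter


def split_resinfo(value):
    """Split an Authentication-Results value on ';'.

    Parenthesised comments are dropped and quoted strings are kept whole, so
    the ';' inside "(2048-bit key; secure)" does not start a new result.
    """
    parts, buf, depth, quoted = [], [], 0, False
    i = 0
    while i < len(value):
        ch = value[i]
        if quoted:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(value):
                i += 1
                buf.append(value[i])
            elif ch == '"':
                quoted = False
        elif depth:                      # inside a (possibly nested) comment
            if ch == "\\":
                i += 1
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        elif ch == '"':
            quoted = True
            buf.append(ch)
        elif ch == "(":
            depth = 1
        elif ch == ";":
            parts.append(buf)
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(buf)
    cleaned = (" ".join("".join(p).split()) for p in parts)   # also unfolds the header
    return [p for p in cleaned if p]


def dkim_results(msg, authserv_id):
    """Return the dkim= results that the verifier `authserv_id` stamped on msg."""
    results = []
    for raw in msg.get_all("Authentication-Results", []):
        parts = split_resinfo(str(raw))
        if not parts or parts[0].split()[0].lower() != authserv_id.lower():
            continue                     # header added by some other server
        for part in parts[1:]:
            m = re.match(r"dkim\s*=\s*([a-z]+)", part, re.I)   # does not match dkim-atps=
            if m:
                results.append(m.group(1).lower())
    return results


def tally(raw_messages, authserv_id):
    """Count messages, DKIM-signed messages, and the verifier's verdict on the signed ones."""
    stats = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        stats["total"] += 1
        if msg.get_all("DKIM-Signature") is None:
            continue
        stats["signed"] += 1
        results = dkim_results(msg, authserv_id)
        if not results:
            stats["no-result"] += 1
        elif "pass" in results:          # one valid signature is enough
            stats["dkim=pass"] += 1
        else:
            stats["dkim=" + results[0]] += 1
    return dict(stats)


# Header as quoted in the message above (folded as an MTA would write it).
PAGE_HEADER = (
    'vm6.ganeti.dyne.org;\n'
    ' dkim=fail reason="signature verification failed"\n'
    ' (2048-bit key; secure) header.d=mailgurgler.com\n'
    ' header.i=@mailgurgler.com header.b="oA569rJc";\n'
    ' dkim-atps=neutral'
)
# Constructed sample messages; signature values are placeholders.
SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER\n"
SAMPLE_MESSAGES = [
    "From: a@example.org\nSubject: unsigned\n\nbody\n",
    SIG + "Authentication-Results: " + PAGE_HEADER + "\nSubject: signed\n\nbody\n",
    SIG + "Authentication-Results: mx.example.net; dkim=pass header.d=example.org\n"
        + "Authentication-Results: " + PAGE_HEADER + "\nSubject: two verifiers\n\nbody\n",
]

if __name__ == "__main__":
    print(tally(SAMPLE_MESSAGES, "vm6.ganeti.dyne.org"))
```

For a real archive, the raw messages can be read with the standard mailbox module and passed to tally() as strings.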



Re: [DNG] grub-efi-amd64-signed bug: hardcoded link -> unbootable system

2021-08-06 Thread Adrian Zaugg
The message of Friday, 6 August 2021 03:25:58 CEST says:
> Which Beowulf iso did you use? I think we fixed this in the 3.1.1
> point-release isos, but you still may hit it on an upgrade.

It happened on upgraded systems.

Thanx for fixing the ISO.

Don't you see a way to prevent the issue happening on upgraded systems, e.g. 
blacklisting grub-efi-amd64-signed or using another mechanism?

Regards, Adrian.

BTW: I uninstalled grub-efi-amd64-signed without concern because of Debian bug 
#906124 [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906124]
 



[DNG] grub-efi-amd64-signed bug: hardcoded link -> unbootable system

2021-08-04 Thread Adrian Zaugg
Dear list

Beowulf is hit hard by a problem with a hardcoded path in grub-efi-amd64-signed 
leading to an unbootable system as reported on this list and on dev1galaxy 
(manual intervention in certain configurations needed to boot). This problem 
also exists on fresh installs of beowulf, as it seems. Is there some effort 
under way to fix the problem? 

Best regards, Adrian.


Work-around (thanks to fsmithred):

# apt purge grub-efi-amd64-signed
...
# apt install --reinstall grub-efi-amd64
...


References:

On this list: 
"Strange behaviour with last version of grub" by viverna (04/03/2021 17:22)
--> https://lists.dyne.org/lurker/message/20210304.162242.f881d3b8.en.html

In the Dev1 Galaxy Forum:
"Strange behaviour with last version of grub" by viverna (2021-03-04)
--> https://dev1galaxy.org/viewtopic.php?pid=27939
"Issues with booting a fresh Beowulf install" by chomwitt (2021-07-10)
--> https://dev1galaxy.org/viewtopic.php?pid=30972#p30972

...and the mentioned underlying Debian Bug report:
"Wrong prefix directory hardcoded in signed GRUB image" by Pascal Hambourg 
(2021-03-22)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925309




Re: [DNG] Strange behaviour with last version of grub

2021-03-21 Thread Adrian Zaugg
In the message of Tuesday, 9 March 2021 18:40:22 CET, Adrian Zaugg wrote:
> In the message of Saturday, 6 March 2021 19:16:13 CET, fsmithred via Dng
> wrote:
> > I could not reproduce the problem on a system that boots legacy bios and
> > uses grub-pc.
> 
> ...my machine where it happened is a Legacy-BIOS-MBR-Installation.

The problem I encountered was something different, but maybe related. My 
machine booted into the grub menu, loaded initrd, stayed blank, changed screen 
resolution and still did not show any boot message. It did answer pings but 
sshd did not come up, keyboard strokes ignored.

Inspecting the machine with a live distro I found the linux image installed is 
from the package linux-image-4.19.0-14-amd64, which is ...signed. I never 
realized before this image to be signed. I installed 
linux-image-4.19.0-14-amd64-unsigned and the machine came back up as usual.

Since when is the standard stock kernel signed?

Regards, Adrian.



Re: [DNG] Strange behaviour with last version of grub

2021-03-09 Thread Adrian Zaugg
In the message of Saturday, 6 March 2021 19:16:13 CET, fsmithred via Dng 
wrote:
> I could not reproduce the problem on a system that boots legacy bios and
> uses grub-pc.

...my machine where it happened is a Legacy-BIOS-MBR-Installation.




Re: [DNG] Strange behaviour with last version of grub

2021-03-05 Thread Adrian Zaugg


On 05.03.21 05:08, wirelessduck--- via Dng wrote:
> The changelog mentions changes to secure boot. Could that be related to
> the issue?
No, not in my case, secure boot is not in use on the concerned system.

Does anyone see this problem on Debian too (non-bootable after GRUB update)?


Re: [DNG] Strange behaviour with last version of grub

2021-03-04 Thread Adrian Zaugg
Hi Viverna

In the message of Thursday, 4 March 2021 17:22:42 CET, viverna wrote:
> And now the question. Has anyone reported the error in Devuan? Has
> anyone had this problem?
Yes, it happened on one of my machines too. I did not yet check what really 
happened and did not try to solve it yet. It started with an 
unattended-upgrade:

...
Setting up grub-pc (2.02+dfsg1-20+deb10u4) ...
/dev/disk/by-id/ata-TS64GMTS400S_F673990758 does not exist, so cannot grub-install to it!

I did rerun apt upgrade manually and did not see an error, it asked to install 
in /dev/sda, of course it's the only disk in the system, I wondered why it 
asked and rebooted after successful installation, but the machine did not come 
back up.

Regards, Adrian.



Re: [DNG] Need install Devuan Beowolf but got "initramfs" prompt

2021-02-01 Thread Adrian Zaugg
Hi Budi

It is difficult to help, if you don't write what you exactly downloaded,
how you tried to install, on what system etc. It is somehow like: "I ate
somethin' for dinner and now I have stomach ache. Please help me!!!" –
what would you answer? Reading that on a mailing list you probably would
just ignore such a person ...

Regards, Adrian.

On 25.01.21 04:44, Budi via Dng wrote:
> How to install Devuan Beowolf
> Tried to have it booted out of usb and automatically run fast
> but but only got "initramfs" shell prompt
> Please help me!!!


Re: [DNG] Upgrasde Jessie -> Beowulf ...

2021-02-01 Thread Adrian Zaugg
Hi Luciano

The script is around as usual, also in Beowulf – so it's not normal, if
you don't have it.

Regards, Adrian.

On 01.02.21 17:35, Luciano Mannucci wrote:
> 
> ... Done.
> Seems to work pretty well.
> I've done the classic path: Jessie -> Ascii (checked, everything was
> running) then Ascii -> Beowulf. Everything works but one of my scripts
> in /etc/init.d that doesn't want to start, even by hand. I also noticed
> that the handy sysv init command "service" disappeared. Is it normal?
> Can I have it back?
> 
> Thanks to everybody,
> 
> Luciano.
> 


Re: [DNG] package missing System V init script

2021-01-06 Thread Adrian Zaugg


On 02.01.21 15:57, Adrian Zaugg wrote:
> OK, I will start upstreams then.

It is about syncthing relay server (package syncthing-relaysrv).

There is now a Feature Request here:
https://github.com/syncthing/syncthing/issues/7254

...and a, hmmm, beta version of the script:
https://ente.limmat.ch/ftp/pub/software/bash/syncthing-relaysrv/


Regards, Adrian.



Re: [DNG] package missing System V init script

2021-01-02 Thread Adrian Zaugg


On 02.01.21 15:27, Antony Stone wrote:
> I would start by finding out whether any older version of the package (for 
> Debian, Ubuntu, or anything else it's previously been packaged for) had such 
> a script, and it looks like it's been dropped, or whether there never was one 
> in the first place.
I checked that already, it seems there wasn't a script for it anywhere.

> looking at the /etc directory for other systems such as BSD to see whether 
> you can put something together yourself and offer it as a starting point).
The reason for asking to open a feature request is because I've written
the init script. It has a few features for easy configuration, like the
automatic port forward using iptables, but this needs testing and could
be more robust. The state is: it works for me...:-)

OK, I will start upstreams then.

Thank you!

Adrian.


[DNG] package missing System V init script

2021-01-02 Thread Adrian Zaugg

Dear List

Yesterday I installed syncthing-relaysrv, which is missing the init
script for System V based systems. What is the best practice to report
such problem? Open a bug in Devuan, Debian or upstreams?

Thanks, Adrian.


Re: [DNG] Oldstable and Archive timing expectations?

2020-12-12 Thread Adrian Zaugg


On 04.12.20 19:43, goli...@devuan.org wrote:

> You might want to have a look at Debian's release schedule:
> 
> https://wiki.debian.org/DebianReleases
> 

Does Devuan not follow the LTS schedule?

https://wiki.debian.org/LTS

Because when Debian Releases X as stable, Devuan needs some time to
follow, as such Devuan stable stays for a while with Debian X-1, which
is then under LTS as oldstable. At least it was with Jessie very much
the case. With Jessie was this a coincidence or is that rather a rule?

Regards, Adrian.


Re: [DNG] What I learned at Distrowatch

2020-12-10 Thread Adrian Zaugg


On 10.12.20 20:42, Steve Litt wrote:
> On Thu, 10 Dec 2020 01:40:39 +0100
> Adrian Zaugg  wrote:
> 
> Wait a minute. When you say "without GUI", do you mean no X installed,

I just mean no GUI, because with a GUI I don't know exactly. I know
there are some Desktop environments that need it, it seems others don't
and the login managers you can combine to each Desktop have again
different needs probably. I just know without GUI you can remove it.

Regards, Adrian.


Re: [DNG] What I learned at Distrowatch

2020-12-10 Thread Adrian Zaugg
Hi aitor

$ apt-rdepends openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssh-server
  Depends: adduser (>= 3.9)
  Depends: debconf (>= 0.5)
  Depends: debconf-2.0
  Depends: dpkg (>= 1.9.0)
  Depends: libaudit1 (>= 1:2.2.1)
  Depends: libc6 (>= 2.26)
  Depends: libcom-err2 (>= 1.43.9)
  Depends: libgssapi-krb5-2 (>= 1.17)
  Depends: libkrb5-3 (>= 1.13~alpha1+dfsg)
  Depends: libpam-modules (>= 0.72-9)
  Depends: libpam-runtime (>= 0.76-14)
  Depends: libpam0g (>= 0.99.7.1)
  Depends: libselinux1 (>= 1.32)
  Depends: libssl1.1 (>= 1.1.1)
  Depends: libsystemd0
[...]

I see it different on a beowulf system as well as on ascii, you may also
see this in /var/lib/dpkg/status.

Regards, Adrian.

On 10.12.20 11:40, aitor wrote:
> Hi again,
> 
> On 12/10/20 11:31 AM, aitor wrote:
>>
>> Hi Adrian
>>
>> On 12/10/20 1:40 AM, Adrian Zaugg wrote:
>>> libsystemd0 gets pulled in by openssh-server and thus is
>>> present on many of my systems – unfortunately.
>>
>> This is for the ssh-agent service, used by systemd, which should be
>> optional.
>>
> This is in the client side.
> 
> Aitor.
> 
> 
> 


Re: [DNG] What I learned at Distrowatch

2020-12-09 Thread Adrian Zaugg


On 01.12.20 15:16, Mason Loring Bliss wrote:
> This brings us to the other thing worthy of note. Try sometime to install
> Devuan (not Debian, Devuan) without systemd and you'll be in for a rude
> shock. It's installed by default, and it's a massive pain to eradicate it.

What shows

apt remove --dry-run elogind

on your system? Do you run a GUI on it?

Without GUI elogind can be removed easily with apt remove --purge
elogind; libsystemd0 gets pulled in by openssh-server and thus is
present on many of my systems – unfortunately.

Regards, Adrian.


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-09 Thread Adrian Zaugg


On 02.12.20 08:44, Ian Zimmerman wrote:
> Sorry, I feel contrarian today (and many other days too). So there:
> 
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

So, then use DANE.

The critics on the CA design I share basically, but his comparison with
tofu of SSH misses the whole point of authentication of the server's
identity (...and comparing fingerprints just doesn't scale – at least he
could have mentioned SSHFP to get somewhere close).

Don't you guys run Linux? So the Linux Foundation and EFF is your
competitor? Na. And the cleartext communication with LE is signed btw.,
there is the DNS-01 challenge method, which can be secured by DNSSEC
asf.

The only option in his picture of the web is to use plaintext http
or https that does not make a distinction between self-signed and issued
certs. Is that any better? Does this guy understand what he writes
about? I get the impression this is mostly publicly shown narcissism and
false conclusions – me too, I feel contrarian.

Adrian.


[DNG] beowulf and partitionable md raids

2020-05-15 Thread Adrian Zaugg

Dear Dev1ers

Unfortunately Debian still thinks partitionable RAIDs are not worth to
integrate into the installer. Like this it is still hard work to get a
Devuan beowulf on a bootable partitionable md raid1 and with UEFI not even
possible according to my tries...

First of all I believe partitionable md raids are superior to "usual"
mds which just span over partitions on different disks instead over the
whole disk. If a disk dies and has to be replaced for the usual mds one
needs to copy the partition table first using sfdisk -d /dev/workingdisk
| sfdisk /dev/newdisk and install the boot loader on it, whereas with
partitionable mds you can just hot add a new disk to the running raid
using mdadm. Maybe that changed until today without me being aware of.

I was able to set up an ascii on a partitionable raid0 including /boot
using BIOS and DOS disk labels (with metadata 1.2). I failed miserably
doing this using a GPT partition scheme and UEFI. Did someone manage to
achieve this?

Recently I retried using the beowulf installer, changed to the console
to setup and format the md. The installer did not recognise the
partitions are formatted and suggested reformatting them. Since I don't
know if it pays attention to the stride-size and stripe-width options of
Ext4 I don't want to let it do it. I then found out that it will install
on it, when the raid is mounted in /target (you also need to bind mount
/dev, /dev/pts, mount /sys and /proc as well). This definitively used to
be different in earlier versions of the installer. Would it be hard to
enhance the installer to fully support partitionable mds?


Regards, Adrian.


Re: [DNG] Beowulf Beta is here!

2020-04-05 Thread Adrian Zaugg
Hi Dan

On 05.04.20 13:12, Dan Purgert wrote:
> OK, so now you've "verified(tm)" that you successfully got
> "devuan_a1gn1ng_key" from https://devane.com/pgp.asc.  Great that you
> were able to verify the server.  But you still got a bogus key :)
> 
> Which was pretty much my point -- TLS doesn't protect you from getting
> sent the wrong key, if you somehow got directed to the wrong site...
You will copy the link from the manual or the mail. Yes things can go
wrong everywhere, even there. Because so many things can go wrong, one
should reduce the risk that they do (and as well make it harder for
attackers to succeed). It's a non-argument to say a technique doesn't
protect you from everything, so renounce on using it. In contrary, use
what you can as long as it's somewhat reasonable in resource consumption
and effort it needs to set up. Writing https instead of http in a manual
for one package is not so much of a job and for that one package the
server will not go down because of increased load.

Unfortunately there is no DNSSEC on pkgmaster.devuan.org nor on
packages.gnuinos.org at, no CAA and no HSTS, still support for TLS 1.0
and 1.1. This could all be improved with not that much of work to make
it more safe. If done and you type in the right server name you land
pretty much where you wanted (yes, enable dnssec on your resolver).
These changes wouldn't increase the load of the server too much, because
most of the users do not install apt-transport-https (~30% have, did
they also change sources.list?).


Regards, Adrian.






Re: [DNG] Beowulf Beta is here!

2020-04-05 Thread Adrian Zaugg


On 22.03.20 13:02, Dan Purgert wrote:
> On Mar 21, 2020, Adrian Zaugg wrote:
> The entire point of the public key is that it can be obtained over any
> insecure medium, and still provide the correct signature verification.

That is true, yes. But if you get other keys in your keystore than you
really wanted, packages do verify that you don't want that they do. You
need to verify imported keys, that they belong to the one you think they
should. That's why I suggested to use a https-secured link, because at
least the server gets identified through the certificates.

Regards, Adrian.


Re: [DNG] Beowulf Beta is here!

2020-03-22 Thread Adrian Zaugg


On 19.03.20 20:37, aitor_czr wrote:
> As you know, you need to install the gpg key of gnuinos:
> 
> # curl http://packages.gnuinos.org/gnuinos_pk.asc | apt-key add -

Please get your keys always over secured connections. Use https.

This is also bad in the docs for Devuan:
apt-get install devuan-keyring --allow-unauthenticated

Could you please change this to have a secured download or if not
possible a check of the downloaded keys? This is a must. Put something
like the following to the docs:

wget https://pkgmaster.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2017.10.03_all.deb
dpkg --install devuan-keyring_2017.10.03_all.deb


Regards, Adrian.


Re: [DNG] Can we fix this DMARC thing?

2020-01-01 Thread Adrian Zaugg
Hi Steve

In the DMARC FAQ, Section "Receiver Questions" they say: "If emails from
mailing lists are important to your users, you may therefore consider to
apply specific rules for emails coming from mailing lists." [1] This is
the situation right now with the DNG list: It's up to the people who do
DMARC checking on the receiving end to not deny mails from the list. If
a mail administrator decides to do DMARC checking on incoming mail the
DMARC people advise to take special measures like "a sort of whitelist".

Their tips on operating a compatible mailing list are not satisfying, all
listed solutions [2] have "Cons". The best option in my opinion is to
follow 3.C. This could be achieved with an ARC seal [3]. The exim-user
mailing list uses this technique and it seems to work.

I don't see your point of accidentally sending to the list when using
"reply to sender". DNG does not change the From header. It adds an
Envelope-Sender address which is correct. You should maybe check your
Claws Mail, that it does use the From-Address and not the Envelope-From
for replies.

What might be wrong with vm6.ganeti.dyne.org is its ability to check
DKIM signatures. I have not found one that this host recognises as
valid. This seems to be the receiving host for mails to the list. It
should be able to successfully verify DKIM signatures before passing on
a message to mailman.


Regards, Adrian.


[1]
https://dmarc.org/wiki/FAQ#Is_there_special_handling_required_to_receive_DMARC_email_from_mailing_lists.3F

[2]
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

[3] https://en.wikipedia.org/wiki/Authenticated_Received_Chain


Re: [DNG] Can we fix this DMARC thing?

2019-12-28 Thread Adrian Zaugg
Hi Steve

In the DMARC FAQ, Section "Receiver Questions" they say: "If emails from
mailing lists are important to your users, you may therefore consider to
apply specific rules for emails coming from mailing lists." [1] This is
the situation right now with the DNG list: It's up to the people who do
DMARC checking on the receiving end to not deny mails from the list. If
a mail administrator decides to do DMARC checking on incoming mail the
DMARC people advise to take special measures like "a sort of whitelist".

Their tips on operating a compatible mailing list are not satisfying, all
listed solutions [2] have "Cons". The best option in my opinion is to
follow 3.C. This could be achieved with an ARC seal [3]. The exim-user
mailing list uses this technique and it seems to work.

I don't see your point of accidentally sending to the list when using
"reply to sender". DNG does not change the From header. It adds an
Envelope-Sender address which is correct. You should maybe check your
Claws Mail, that it does use the From-Address and not the Envelope-From
for replies.

What might be wrong with vm6.ganeti.dyne.org is its ability to check
DKIM signatures. I have not found one that this host recognises as
valid. This seems to be the receiving host for mails to the list. It
should be able to successfully verify DKIM signatures before passing on
a message to mailman.


Regards, Adrian.


[1]
https://dmarc.org/wiki/FAQ#Is_there_special_handling_required_to_receive_DMARC_email_from_mailing_lists.3F

[2]
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

[3] https://en.wikipedia.org/wiki/Authenticated_Received_Chain


Re: [DNG] Insane defaults on Raspberry Pi images - How to fix corruption/dataloss

2019-12-06 Thread Adrian Zaugg

On 08.11.19 17:13, g4sra via Dng wrote:
> PS: Being Raspberry Pi specific, I do not know why Raspbian does not use 
> F2FS, but that does not exclude Devuan from using it.

There are some alternatives to F2FS like UBIFS and a few others. As it
is said that FS that do wear levelling on their own infringe with the
firmware wear levelling of cards, it would be crucial to know if an SD
card has built in wear levelling or not to choose the right FS. Is there
a way to tell from software, i.e. using hdparm or so?

Regards, Adrian.





Re: [DNG] I wrote IBM

2019-09-30 Thread Adrian Zaugg

Hi all

Steve's initiative can indeed have some good effect and it's normal
political work he initiated. Nothing to blame him for! There can be
other than technical solutions to the problems that systemd imposed.

Regards, Adrian.


Re: [DNG] Update on the Green Hat Hackers attack

2019-04-01 Thread Adrian Zaugg

I'd definitively preferred:

Devuan embraces Systemd!
After thorough discussions in our technical committee Devuan decided to
ship systemd with its next release "Beowulf" as the standard init.
Systemd is a complete pot of terware that will enhance Devuan to an
industry approved, enterprise grade blackbox system, that demands
highest trust in its developers. Ubiquitous access for any user, no more
security concerns combined with highest computing power needs for any
system will be the remarkable achievement of this wise decision. Init
freedom salutes you, veterans.

Cheers, Adrian.

-- 

Please support the e-voting moratorium and protect our
democracy: https://evoting-moratorium.wecollect.ch/

