Re: [gentoo-dev] openrc 0.12 - netifrc/newnet mix-up

2013-12-14 Thread mingdao
On Tue, Dec 10, 2013 at 08:57:55PM -0600, William Hubbs wrote:
 My issue with what we are currently doing is not whether we have a
 default network provider in the stages or not, but it is just that the
 netifrc use flag on OpenRC is bogus. OpenRC doesn't need netifrc for any
 reason.
 
 I think if we are going to have a default network manager in the
 stages we should do it by adding a virtual/network-manager then adding
 that to @system.
 
 I couldn't find dhcpcd in @system, so I don't think it is in the
 stages.
 
 Dhcpcd by default wants to be a standalone network manager, so I also
 think it is reasonable that if you want to use dhcpcd per interface
 along with netifrc you should have to make sure both of them (dhcpcd and
 netifrc) are in @world. You would just have to run
 emerge --noreplace netifrc dhcpcd.
 
 William

This entire thread seems to have different terminology used by different
posters, causing me some confusion. So perhaps a few questions:

(1) What is the new network stack provided by the newnet USE flag?

(2) Why is dhcpcd referred to as a network manager in the same context as
wicd, networkmanager, connman, etc? In the sense that dhcpcd is not sufficient
for security protected wireless alone, as is, say, wicd; and is not a
replacement for true network manager apps. DHCP client != network manager
app

(3) Is udhcpc provided by busybox not sufficient in lieu of dhcpcd for stage3? 

Thanks for your explanation(s).

Bruce
-- 
Happy Penguin Computers   ')
126 Fenco Drive   ( \
Tupelo, MS 38801   ^^
supp...@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting



Re: [gentoo-dev] openrc 0.12 - netifrc/newnet mix-up

2013-12-14 Thread mingdao
On Sat, Dec 14, 2013 at 06:59:50PM -0600, William Hubbs wrote:
 You make some good points. I'll answer your questions as best as I can,
 but we can consider this thread closed. I will not try to put the
 virtual in, but I will come back to the list soon and start another
 thread.
 
 In a nutshell, our networking is a beast, and we should try to simplify
 it somehow imo. I'll write out my thoughts about that when I start the
 other thread.
 
 
 On Sat, Dec 14, 2013 at 11:24:10AM -0600, mingdao wrote:
  (1) What is the new network stack provided by the newnet USE flag?
 
 That consists of the network and staticroute scripts which are part of
 OpenRC. The network script sets up interfaces and configures static
 addresses only; it will allow you to run any command at any point in the
 process of doing this. What some people on Gentoo do not like about it
 is it is all or nothing. You can't start/stop/depend on a single
 interface.
 
 The staticroute script is used to configure multiple static routes once
 the network script has set up the static addresses.
  
  (2) Why is dhcpcd referred to as a network manager in the same context as
  wicd, networkmanager, connman, etc? In the sense that dhcpcd is not 
  sufficient
  for security protected wireless alone, as is, say, wicd; and is not a
  replacement for true network manager apps. DHCP client != network manager
  app
  
  This is a good point, so I will drop putting dhcpcd on the list.
 
  (3) Is udhcpc provided by busybox not sufficient in lieu of dhcpcd for 
  stage3? 
 
 I think udhcpc is what you get in stage 3; if dhcpcd is there, I have no
 idea how it is getting there.
 
 William

Thanks for your kind reply, William. I'm a networking n00b, but felt those
questions might benefit others, also. For (3) it seemed as if some people were
saying dhcpcd is in stage 3 and they didn't want it dropped. I have a tendency
to use busybox a lot doing a Gentoo install, starting with ln -s /bin/busybox
/bin/vi  :D

Kindest regards,
Bruce



Re: [gentoo-dev] openrc 0.12 - netifrc/newnet mix-up

2013-12-03 Thread mingdao
On Tue, Dec 03, 2013 at 03:11:30PM -0600, William Hubbs wrote:
 
 I would like to add a virtual/network-manager package to @system which
 has the following rdepend settings:
 
 RDEPEND="|| (
   net-misc/netifrc
   =sys-apps/openrc-0.12[newnet]
   net-misc/badvpn
   net-misc/dhcpcd
   net-misc/netctl
   net-misc/NetworkManager
   net-misc/wicd )"
 
   Does anyone see an issue with setting it up this way?
 
   William

Just curious why you don't also include net-misc/connman?

wicd doesn't support nl80211 and isn't being developed upstream anymore, so
it's just a matter of time before its demise.

Cheers,
Bruce



Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread mingdao
On Wed, Nov 06, 2013 at 08:11:52PM +0100, Thomas D. wrote:
 Hi,
 
 Michael Orlitzky wrote:
  You should disable OCSP anyway. In Firefox, it's under,
  
Edit - Preferences - Advanced - Encryption - Validation
  
  The OCSP protocol is itself vulnerable to MITM attacks, which is cute
  when you consider its purpose.
  
  Moreover, it sends the address of every website you visit to a third
  party, which is the real reason to disable it IMO.
 
 This is going OT but I cannot leave this statement uncommented, because
 from my knowledge this is wrong/you are hiding important information
 everyone should know about:
 
 First, if you tell people they should disable OCSP you should also tell
 these people the consequences: When you disable OCSP in Firefox, there
 is *no* other way to know if a certificate was revoked or not. This is
 because Firefox *never* downloaded any CRLs. Furthermore, they removed
 the possibility to do that [1,2].
 
 If you don't have the possibility to check a certificate for revocation,
 the whole trust system cannot work because there is no way to tell
 someone "Yes, it is nice that you trust me (=you trust the CA) and I
 said you can trust this certificate (=the CA you trust has signed the
 certificate in question) but now I changed my mind (=the CA has revoked
 the certificate) so please don't trust this certificate anymore." Please
 read "Would you knowingly trust an irrevocable SSL certificate?" [3].
 And yes, this is a *real* problem, see [7].
 
 
 Yes, there are known MITM attacks against OCSP, see [4]. But this is
 only possible due to bad default settings: Just change your OCSP setting
 to *require* a valid answer. In Firefox:
 
   Edit - Preferences - Advanced - Certificates - Validation
 
 Make sure
 
   "When an OCSP server connection fails, treat the certificate
   as invalid"
 
 is checked (or you can just set security.OCSP.require to TRUE).
 
 If you are aware of any other known attacks, please share.
 
 
 Regarding your privacy concerns:
 No, your OCSP-enabled browser won't share the address (URL) with the
 OCSP responder. Your browser will use the site's certificate serial
 number to ask the OCSP responder if the certificate is still valid. Yes,
 the company who is running the OCSP responder is able to log "You [IP,
 UA...] requested status for certificates with the serial number 0x1,
 0x2, 0x3" and because the OCSP responder needs some basic knowledge
 about the certificates it should provide answers for, the operator may
 know that the certificate with the serial number 0x1 has the Common Name
 (CN) www.mysecretsite.invalid and 0x2 was issued for
 www.mydarksecrets.invalid or 0x3 was for www.facebook.com, but the
 operator doesn't know the URL you visited.
 
 
 I don't say OCSP is perfect. For example an OCSP check will delay the
 initial SSL handshake, because your browser has to connect to the OCSP
 responder when it has received the certificate from the server you are
 connecting to. Depending on your connection and the OCSP responder, this
 may take some time [5].
 
 But the CRL system doesn't work anymore (and was never working in
 Firefox, unless you manually added all the CRL distribution points for
 your CA and Sub CAs...), because VeriSign and other big SSL companies are
 providing 20 MB CRLs. Imagine you would use your phone to visit a
 website using some kind of mobile connection and it would have to fetch
 50+ MBs in CRLs before the website will open...
 
 Google for example decided some time ago to disable CRL checks too. They
 will download CRLs for you and are planning to release these centralized
 CRLs with normal updates. See [6].
 
 They are improving OCSP. The next big thing is OCSP stapling [8,9] which
 is now supported by all major browsers and patches are available for
 most web servers.
 OCSP stapling was developed to save the extra round trip to the OCSP
 responder, but OCSP stapling-enabled websites will also increase your
 privacy, because you no longer have to tell the OCSP responder the
 certificate (CN) you want to check.
 
 
 If you are still really concerned about what OCSP may do to your
 privacy, may I ask if you are also concerned about DNS servers? If not,
 what's the difference between an OCSP responder which you ask for a
 serial number, which can be resolved to a CN and a DNS server which you
 ask for a ... CN? :)
 Also, you are trusting a CA to secure your connections, but you don't
 trust the same CA due to privacy concerns?
 
 
 So please, don't just tell anybody to turn off OCSP. Tell them why you
 may think they should do that. But also tell them about the new risks
 they have to deal with so that they are able to decide on their own if
 they want to disable OCSP or not.
 
 PS: As long as you are trusting CAs and don't manage the trust of any
 certificate you are using on your own I recommend to enable OCSP in all
 your browsers and to treat any kind of invalid OCSP responses as a hard
 failure, because I want to know if I 
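The privacy point made in the quoted message (the browser sends the certificate serial number, not the URL) can be checked against the bytes of an OCSP request itself. The following is an added example, not code from this thread or from any Gentoo or Mozilla project: a pure-Python builder and parser for an unsigned RFC 6960 OCSPRequest, run over constructed issuer-name and issuer-key bytes (the "CN=CA" Name and key below are made up for the example), showing that the request carries only issuer hashes and serial numbers such as the 0x1, 0x2, 0x3 mentioned above.

```python
import hashlib
# Constructed sample inputs (not real PKI material): DER issuer Name "CN=CA" and issuer key bytes.
ISSUER_NAME_DER = bytes.fromhex("300d310b300906035504030c024341")
ISSUER_KEY_BYTES = b"\x00" + bytes(range(1, 65))
SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, the hash RFC 6960 clients use in CertID

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):  # positive INTEGER; the extra byte keeps the sign bit clear
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def cert_id(issuer_name_der, issuer_key_bytes, serial):
    """CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    alg = der(0x30, der(0x06, SHA1_OID) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    name_hash = hashlib.sha1(issuer_name_der).digest()
    key_hash = hashlib.sha1(issuer_key_bytes).digest()
    return der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash) + der_int(serial))

def ocsp_request(issuer_name_der, issuer_key_bytes, serials):
    """Unsigned OCSPRequest { TBSRequest { requestList SEQUENCE OF Request } }, version v1 omitted."""
    requests = b"".join(der(0x30, cert_id(issuer_name_der, issuer_key_bytes, s))
                        for s in serials)
    return der(0x30, der(0x30, der(0x30, requests)))

def der_children(body):
    """Yield (tag, content) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:  # long form: the low bits give the number of length octets
            n = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + n], "big"), i + n
        yield tag, body[i:i + ln]
        i += ln

def der_body(tlv):  # content of the first TLV, i.e. step into one SEQUENCE
    return next(der_children(tlv))[1]

def requested_serials(req):
    """What the responder sees: serial numbers (plus issuer hashes), never a site name or URL."""
    request_list = der_body(der_body(der_body(req)))  # OCSPRequest -> TBSRequest -> requestList
    return [int.from_bytes(list(der_children(der_body(body)))[3][1], "big")  # CertID field 3
            for _, body in der_children(request_list)]
```

The responder can map a serial back to a certificate it knows about, which is exactly the limit of what it learns; the hostname only exists on the client side.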

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-05 Thread mingdao
On Mon, Nov 04, 2013 at 09:30:07PM -0600, William Hubbs wrote:
 All,
 
 I would like to remind everyone about the tracker for services that are
 misusing need net in their OpenRC init scripts [1].
 
 need net should be removed from our init scripts, because it is bogus
 and breaks things. I also question the value of use net, because the
 same thinking applies, e.g. the net virtual really doesn't have a strong
 meaning of any kind.
 
 For more details, see the tracker and flameeyes' blog post.
 
 Thanks,
 
 William
 
 [1] https://bugs.gentoo.org/show_bug.cgi?id=439092

In that bug I read:

Flameeyes wrote the following blog post concerning this issue:

http://blog.flameeyes.eu/2012/10/may-i-have-a-network-connection-please

and the link gives me a (Error code: sec_error_ocsp_unknown_cert).



Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-05 Thread mingdao
On Tue, Nov 05, 2013 at 11:39:10AM -0500, Michael Orlitzky wrote:
 
 You should disable OCSP anyway. In Firefox, it's under,
 
   Edit - Preferences - Advanced - Encryption - Validation
 
 The OCSP protocol is itself vulnerable to MITM attacks, which is cute
 when you consider its purpose.
 
 Moreover, it sends the address of every website you visit to a third
 party, which is the real reason to disable it IMO.

Thanks for the information, Michael. My Firefox had a slightly different $PATH
as shown in the attached screenshot.

Edit - Preferences - Advanced - Certificates - Validation

www-client/firefox-24.1.0-r1

(didn't do the upgrade to www-client/firefox-25.0-r1 today due to unstable
libpng-1.6.6 being pulled with the new subslot philosophy)