Re: [gentoo-user] Encryption questions
On Monday, December 10, 2018 12:46:07 AM CET Dale wrote: > Howdy, > > As some may know, I'm making some changes and upgrades to my puter. One > thing I'm considering, encryption of a select directory/mount point/file > system. One thought I have, create a mount point named say "Encrypted" > and put anything I don't want widely seen or hacked in that directory. > That would likely be on it's own partition or LVM setup. I would likely > keep other things open. Example, I may have /home on a partition of > it's own but then have the encrypted directory mounted on > /home/dale/Desktop/Encrypted. I could even let that be my Documents > directory as well. I'm not to worried about browser history etc. Plus, > I could log into KDE and not have to access the encrypted stuff if it is > not needed. I don't need encryption to check the weather. lol > > How I do that isn't a big deal really. My main question is this. If I > go to the trouble of doing this, would I be *really* protected? Is > there a easily used encryption tool that isn't easily hacked? Also, > when I login, I'd like to be able to type in password etc and it be > available from that point on, unless I do something to lock it up > again. Reason, I may even put some of my videos on that. I watch TV > from that a lot. > > Also, how hard would it be to do the same to my backups, since having a > open set of backups would render the encrypted part just available > elsewhere? > > While I get some of how encryption works, I don't keep up with it on a > weekly or even monthly basis. I just see the occasional articles on > it. I'd rather ask and get input from someone who uses and/or is more > familiar with this. In other words, if it is worthless and someone > knows it is, then let me know. If one tool is better/easier/etc than > another, I'd like to know that as well. I have not read the full thread, but missed mention of a few things, so here is my take on the whole thing: - Full disk encryption is only necessary if the machine runs the risk of being stolen. (physical access) - Encryption will not protect against remote hacks as the OS can access the files when the storage is decrypted - When using encryption, ensure swap is encrypted as well as there is always a risk the encryption keys can be stored on swap Personally, I don't encrypt my desktop as the physical security of my house is adequate. My laptop uses full disk encryption, only the boot-partition is not encrypted. The decryption key is password-encrypted and stored inside the kernel image. For clarity, my disk layout on laptop is as follows: physical disk - partition - LUKS-encryption - LVM - . (The rest is the same as what you have) -- Joost
Re: [gentoo-user] Encryption questions
On 12/9/18 10:15 PM, Dale wrote: Well, I don't really think I need to encrypt the entire /home mount point. To me, that would be overkill. Of course, that may be easier. I would like to have certain directories that I can store things in that is encrypted. For example, I have some financial and medical stuff that I wouldn't want just anyone to get a hold of if for example my puter was stolen or hacked. Fair enough. Well, I thought it may be simpler. Since I've never tried encryption before, I don't know first hand how it works or what it takes to use the files. I've read where people password protect their mobo, bootloader and their entire storage system. Basically, without the proper passwords, you can't boot the system or access it from another system either. That is overkill for me for sure. If anything, I'm on the other end of the scale. I just want a directory, which could be a mount point, that is encrypted. Knowing what tool is best may help be figure out whether it is a mount point, a regular directory or what. I've read where some whole file systems can be encrypted or it can be done on a directory level. I'm not sure what works the best tho. I'm starting to think that something like eCryptFS would be a good candidate for you. I have /boot and / on their own partition. Everything else is on LVM. I did that because it is easier to boot. While I have a init thingy, it's just enough to mount /usr. That's it. I don't like having a init thingy at all tho. I've had trouble with them in the past that left me with a unbootable system and no way to fix it since I don't really get them. It's one of those things that hasn't hit me yet, even after years of it. ACK True but I don't want it to get in my way to much. I'd like to be able to login into KDE without worrying if the password works or not. Once inside KDE and I need to access something encrypted, then I can deal with the password. ACK Let's say I encrypt the directory or mount point that contains both video and some financial/medical info in it. When I click to access it, it asks for a password. Once it does that, I'd like to be able to use that until I either logout of KDE or I tell it to lock it back up. That way I can watch TV for hours without interruption to type in a password. However, if I need to run to town, I can logout of the encrypted part and leave knowing it's secure. Make sense?? Yes. Interesting. I've read that twice. May read that a couple more times. Letting that soak in a bit. That sounds like something I could use tho. It seems it would do just what I want. :-) Question. Let's say I encrypt /home entirely as a partition of LVM group. When I login to KDE for example, how does that work? I already have to type in a password to login into KDE. Would that work for both or would it ask for a second password? Or would it ask even earlier than that? I don't know what KDE has built in support for. I think that modern desktop environments do have some integral support for some encryption. I've just never used it and don't know about it. I may get on youtube and see if I can find some videos on this so I can see it actually working. Maybe find a couple different setups. I'm sure someone has done at least one. lol That's probably not a bad idea. Just be careful and review multiple sources as well as getting a reasonable understanding of what they are doing. Keep in mind, my backups are a simple rsync to a external USB drive. I don't use fancy software. Usually I backup my videos and such once a day depending on what I've done that day. I may switch to a external SATA drive at some point which may make it even easier. Right now I use a script, if it even deserves to be called that, to do the backups. That sounds like it would be best used in conjunction with eCryptFS. You would rsync the underlay directory like normal (it will show files and directories with encrypted names). You would just want to exclude the overlay directory from the backup as that's the unencrypted view. Mostly a common crook who just may have some puter skills. Wouldn't mind grinning at the likes of a NSA twerp with far to much nose. :-D Fair enough. It sounds like you want reasonable protection for your files. But you won't loose any sleep if you make the three letter agencies actually have to work a bit to get to your files, even if it just delays what may be possible. (I don't know. But it would at least slow them down.)
Re: [gentoo-user] Encryption questions
Grant Taylor wrote: > On 12/9/18 4:46 PM, Dale wrote: >> Howdy, > > Hi, > >> As some may know, I'm making some changes and upgrades to my puter. >> One thing I'm considering, encryption of a select directory/mount >> point/file system. > > Please elaborate on a hypothetical setup that you would like. > > It might be worth starting with your current directory tree and > calling out things you would like to see encrypted. Well, I don't really think I need to encrypt the entire /home mount point. To me, that would be overkill. Of course, that may be easier. I would like to have certain directories that I can store things in that is encrypted. For example, I have some financial and medical stuff that I wouldn't want just anyone to get a hold of if for example my puter was stolen or hacked. > >> One thought I have, create a mount point named say "Encrypted" and >> put anything I don't want widely seen or hacked in that directory. > > I understand why you are doing it. But I feel like having "Encrypted" > in the name is like painting a target on it. True. I used that as a example mostly. > >> That would likely be on it's own partition or LVM setup. > > Depending on how you do things, it might be possible to have your > encryption in the same LVM configuration. Or possibly a separate LVM > configuration that has multiple logical volumes in it used by > different mount points. > >> I would likely keep other things open. > > What is your reason for keeping other things open? > > Or, asked another way, why not use full disk encryption? Or at least > encrypt the entire volume group? That way you don't need to worry > about what is and is not encrypted. Well, I thought it may be simpler. Since I've never tried encryption before, I don't know first hand how it works or what it takes to use the files. I've read where people password protect their mobo, bootloader and their entire storage system. Basically, without the proper passwords, you can't boot the system or access it from another system either. That is overkill for me for sure. If anything, I'm on the other end of the scale. I just want a directory, which could be a mount point, that is encrypted. Knowing what tool is best may help be figure out whether it is a mount point, a regular directory or what. I've read where some whole file systems can be encrypted or it can be done on a directory level. I'm not sure what works the best tho. > >> Example, I may have /home on a partition of it's own but then have >> the encrypted directory mounted on /home/dale/Desktop/Encrypted. I >> could even let that be my Documents directory as well. I'm not to >> worried about browser history etc. Plus, I could log into KDE and >> not have to access the encrypted stuff if it is not needed. I don't >> need encryption to check the weather. lol > > Since we're talking about LVM, please clarify if /home is it's own > partition outside of LVM or if /home is it's own Logical Volume inside > of LVM. It makes a difference. I have /boot and / on their own partition. Everything else is on LVM. I did that because it is easier to boot. While I have a init thingy, it's just enough to mount /usr. That's it. I don't like having a init thingy at all tho. I've had trouble with them in the past that left me with a unbootable system and no way to fix it since I don't really get them. It's one of those things that hasn't hit me yet, even after years of it. > > I strongly believe that you should not feel like you have to change > your use case to use technology, encryption in this case. Rather the > computer should change what it does so that what you have been doing > and will continue to do is now encrypted. True but I don't want it to get in my way to much. I'd like to be able to login into KDE without worrying if the password works or not. Once inside KDE and I need to access something encrypted, then I can deal with the password. > >> How I do that isn't a big deal really. My main question is this. If >> I go to the trouble of doing this, would I be *really* protected? > > It depends. > >> Is there a easily used encryption tool that isn't easily hacked? > > I believe so. > >> Also, when I login, I'd like to be able to type in password etc and >> it be available from that point on, unless I do something to lock it >> up again. > > Are you implying that you want the encryption system to remember the > password and unlock files as necessary? Or are you wanting to enter > the password into something that uses it then and there to unlock > things until you lock them back up? > > That's an important distinction. Let's say I encrypt the directory or mount point that contains both video and some financial/medical info in it. When I click to access it, it asks for a password. Once it does that, I'd like to be able to use that until I either logout of KDE or I tell it to lock it back up. That way I can watch TV for hours without interruption to
Re: [gentoo-user] CPU upgrade and LVM questions.
On 12/9/18 7:38 PM, Dale wrote: Just making sense of it. Trying to get it firmly in my mind. It just seems to simple and easy to move that much data around and swap drives even while in use. o-O Welcome to the wonders of LVM. You turn a drive / partition into something that LVM can use. Then you add said drive to an existing Volume Group. Then you tell LVM to vacate the old physical drive. Then you remove the old physical drive from the Volume Group. Finally you should clean the LVM metadata from the drive, but that's not strictly required. Similar could be said about upgrading / trading bookshelves too. I'm mostly trying to figure out what drive will go where. On one hand, I thought about having a single drive, 8TB, to store it all on. On the other, I thought of replacing one of the two 3TB drives with a 6TB drive. That will give me roughly 9TBs of storage. Later on, I could replace the other 3TB drive with another 6TB drive and then have 12TBs. Then I'd have to rethink my backup method. If I use the second method, I can use the 8TB drive for backups since I don't backup everything. Right now, I'm planning to do the second method. I think long term, it will work best plus I will have a spare drive if needed. *nod* Figuring out what you want to do can be more challenging than figuring out how to do it. I started another thread about encryption stuff. The reply you posted tho is really helpful because it lists the commands all in one spot. Most howtos have them spread all over the place and it makes it harder for me to get what is going on, even if it is being explained a bit in between the commands. Sometimes, it just depends on how things hit me thinking wise. ;-) I get it. I'll be writing those commands down before I do the change over. :-)
Re: [gentoo-user] CPU upgrade and LVM questions.
Grant Taylor wrote: > On 12/9/18 3:45 PM, Dale wrote: >> Grant, > > Hi Dale, > >> I'm not ignoring this email. > > I didn't presume you were. ;-) > >> I just keep rereading it. ;-) > > Okay. > > Is there an aspect of it that doesn't make sense? Or that you're > uncomfortable with? Can I help alleviate the worry? Just making sense of it. Trying to get it firmly in my mind. It just seems to simple and easy to move that much data around and swap drives even while in use. o-O > >> I'm uncertain still how I'm going to do this. > > Would you like to walk through it? At any level of detail? I'm mostly trying to figure out what drive will go where. On one hand, I thought about having a single drive, 8TB, to store it all on. On the other, I thought of replacing one of the two 3TB drives with a 6TB drive. That will give me roughly 9TBs of storage. Later on, I could replace the other 3TB drive with another 6TB drive and then have 12TBs. Then I'd have to rethink my backup method. If I use the second method, I can use the 8TB drive for backups since I don't backup everything. Right now, I'm planning to do the second method. I think long term, it will work best plus I will have a spare drive if needed. > >> I'm considering encryption which would mean additional changes and >> mount points. > > Depending on what your goal is, chances are good that encryption > should not need to change mount points. > > That's one of the wonderful things about Linux. You can change the > block device that a file system lives on while still using the same > mount point. }:-) You can /usually/ do it after the system is > installed too. > > Would you like to share more details and discuss your current state as > well as the future state that you'd like to get to? > >> I'm just not 100% sure yet. I'm considering things that may require >> a new thread. > > ¯\_(ツ)_/¯ > > It still sounds to me like we are talking about modifying things about > your LVM configuration, and discussing questions there about. So, it > seems like were' still under the 2nd half of the subject of this > thread. ;-) > >> Thanks much for this info. The list of commands helps, largely. > > You're welcome. I'm glad they help. :-D > > > I started another thread about encryption stuff. The reply you posted tho is really helpful because it lists the commands all in one spot. Most howtos have them spread all over the place and it makes it harder for me to get what is going on, even if it is being explained a bit in between the commands. Sometimes, it just depends on how things hit me thinking wise. ;-) I'll be writing those commands down before I do the change over. Dale :-) :-)
Re: [gentoo-user] Encryption questions
On 12/9/18 4:46 PM, Dale wrote: Howdy, Hi, As some may know, I'm making some changes and upgrades to my puter. One thing I'm considering, encryption of a select directory/mount point/file system. Please elaborate on a hypothetical setup that you would like. It might be worth starting with your current directory tree and calling out things you would like to see encrypted. One thought I have, create a mount point named say "Encrypted" and put anything I don't want widely seen or hacked in that directory. I understand why you are doing it. But I feel like having "Encrypted" in the name is like painting a target on it. That would likely be on it's own partition or LVM setup. Depending on how you do things, it might be possible to have your encryption in the same LVM configuration. Or possibly a separate LVM configuration that has multiple logical volumes in it used by different mount points. I would likely keep other things open. What is your reason for keeping other things open? Or, asked another way, why not use full disk encryption? Or at least encrypt the entire volume group? That way you don't need to worry about what is and is not encrypted. Example, I may have /home on a partition of it's own but then have the encrypted directory mounted on /home/dale/Desktop/Encrypted. I could even let that be my Documents directory as well. I'm not to worried about browser history etc. Plus, I could log into KDE and not have to access the encrypted stuff if it is not needed. I don't need encryption to check the weather. lol Since we're talking about LVM, please clarify if /home is it's own partition outside of LVM or if /home is it's own Logical Volume inside of LVM. It makes a difference. I strongly believe that you should not feel like you have to change your use case to use technology, encryption in this case. Rather the computer should change what it does so that what you have been doing and will continue to do is now encrypted. How I do that isn't a big deal really. My main question is this. If I go to the trouble of doing this, would I be *really* protected? It depends. Is there a easily used encryption tool that isn't easily hacked? I believe so. Also, when I login, I'd like to be able to type in password etc and it be available from that point on, unless I do something to lock it up again. Are you implying that you want the encryption system to remember the password and unlock files as necessary? Or are you wanting to enter the password into something that uses it then and there to unlock things until you lock them back up? That's an important distinction. I have done a fair bit with LUKS, also LUKS and LVM. LUKS works by unlocking the encrypted block device and creating another virtual block device that is the unencrypted interface. It's trivial to put a file system on top of a LUKS device. So, my use case was to unlock a LUKS device and mount the file system that sits on top of it. Then anything on the system (with proper file system permissions) could access the files therein. Then when I was done, I would unmount the file system and lock (close) the encrypted device. I have also dabbled with eCryptFS, which applies encryption as an overlay. So when you access encrypted files through the overlay, they would be read from the unencrypted on the fly. Writing to the files to the unencrypted overlay would encrypt the files and write them to the underlay. Depending on the configuration, it's not possible to see the names of the files (or directories), much less actually read them from the encrypted underlay. Reason, I may even put some of my videos on that. I watch TV from that a lot. Okay. Also, how hard would it be to do the same to my backups, since having a open set of backups would render the encrypted part just available elsewhere? Backups are another thing entirely. Things like LUKS will usually not translate to encryption with backups, because the backups see the mounted file system. Things like eCryptFS can work with encrypted backups, because they can work with the underlay file system that holds the encrypted files while ignoring the unencrypted overlay. There are also other possibilities of encrypting backups that are completely independent of the files that are being backed up. Sort of like a big encrypted tape drive or backing up files to a LUKS file system that is subsequently unmounted & locked. While I get some of how encryption works, I don't keep up with it on a weekly or even monthly basis. I just see the occasional articles on it. I'd rather ask and get input from someone who uses and/or is more familiar with this. In other words, if it is worthless and someone knows it is, then let me know. If one tool is better/easier/etc than another, I'd like to know that as well. I don't think encryption is worthless. I encrypt many of my emails and sign most
Re: [gentoo-user] CPU upgrade and LVM questions.
On 12/9/18 3:45 PM, Dale wrote: Grant, Hi Dale, I'm not ignoring this email. I didn't presume you were. ;-) I just keep rereading it. ;-) Okay. Is there an aspect of it that doesn't make sense? Or that you're uncomfortable with? Can I help alleviate the worry? I'm uncertain still how I'm going to do this. Would you like to walk through it? At any level of detail? I'm considering encryption which would mean additional changes and mount points. Depending on what your goal is, chances are good that encryption should not need to change mount points. That's one of the wonderful things about Linux. You can change the block device that a file system lives on while still using the same mount point. }:-) You can /usually/ do it after the system is installed too. Would you like to share more details and discuss your current state as well as the future state that you'd like to get to? I'm just not 100% sure yet. I'm considering things that may require a new thread. ¯\_(ツ)_/¯ It still sounds to me like we are talking about modifying things about your LVM configuration, and discussing questions there about. So, it seems like were' still under the 2nd half of the subject of this thread. ;-) Thanks much for this info. The list of commands helps, largely. You're welcome. I'm glad they help. :-D -- Grant. . . . unix || die
[gentoo-user] Encryption questions
Howdy, As some may know, I'm making some changes and upgrades to my puter. One thing I'm considering, encryption of a select directory/mount point/file system. One thought I have, create a mount point named say "Encrypted" and put anything I don't want widely seen or hacked in that directory. That would likely be on it's own partition or LVM setup. I would likely keep other things open. Example, I may have /home on a partition of it's own but then have the encrypted directory mounted on /home/dale/Desktop/Encrypted. I could even let that be my Documents directory as well. I'm not to worried about browser history etc. Plus, I could log into KDE and not have to access the encrypted stuff if it is not needed. I don't need encryption to check the weather. lol How I do that isn't a big deal really. My main question is this. If I go to the trouble of doing this, would I be *really* protected? Is there a easily used encryption tool that isn't easily hacked? Also, when I login, I'd like to be able to type in password etc and it be available from that point on, unless I do something to lock it up again. Reason, I may even put some of my videos on that. I watch TV from that a lot. Also, how hard would it be to do the same to my backups, since having a open set of backups would render the encrypted part just available elsewhere? While I get some of how encryption works, I don't keep up with it on a weekly or even monthly basis. I just see the occasional articles on it. I'd rather ask and get input from someone who uses and/or is more familiar with this. In other words, if it is worthless and someone knows it is, then let me know. If one tool is better/easier/etc than another, I'd like to know that as well. Thanks. Dale :-) :-)
Re: [gentoo-user] CPU upgrade and LVM questions.
Grant Taylor wrote: > On 12/06/2018 02:27 AM, Dale wrote: >> From what I've read, I can use pvmove and pvremove to replace that >> drive. Just tell pv to move the data and when done, remove the old >> drive. After that, the new 6TB drive will be used in that PV and the >> 3TB drive can be used for something else. Is it really that easy or >> is there more to it than that? Pardon me but that doesn't sound >> complicated enough to me. > > I've migrated multiple hundreds of TB of data this way. > > In short: > > 1) Partition the new drive(s) as desired. > 2) pvcreate /dev/$newPv > 3) vgextend $vgName /dev/$newPv > 4) pvmove /dev/$oldPv /dev/$newPv > 5) vgreduce $vgName /dev/$oldPv > 6) pvremove /dev/$oldPv > > This does work well, even if the LV(s) are in use / file system(s) are > mounted. > > I have occasionally had issues where the system seems to not respond, > despite the fact that it is doing what it's supposed to. I wonder if > it's related to the memory leak that J. Roeleveld was talking about. > > Note: I /do/ *STRONGLY* recommend that you do partition the new drive > and /not/ pvcreate the entire drive. — Many of the data recovery > tools /expect/ there to be a partition table. Those that don't care > are happy to work with a partition table. I've seen others be in a > very uncomfortable situation when they /didn't/ use a partition table. > Simple easy thing to avoid painting yourself into a corner. > > > Grant, I'm not ignoring this email. I just keep rereading it. ;-) I'm uncertain still how I'm going to do this. I'm considering encryption which would mean additional changes and mount points. I'm just not 100% sure yet. I'm considering things that may require a new thread. Thanks much for this info. The list of commands helps, largely. Dale :-) :-)
Re: [gentoo-user] Re: CPU upgrade and LVM questions.
J. Roeleveld wrote: > On December 9, 2018 6:23:07 PM UTC, "taii...@gmx.com" > wrote: > > On 12/07/2018 06:47 PM, Nikos Chantziaras wrote: > > On 07/12/2018 09:30, Dale wrote: > > Nikos Chantziaras wrote: > > If you want to see all of the installed packages that > are affected, you need to set CPU_FLAGS_X86 to an > empty string: CPU_FLAGS_X86="" and then do "emerge > -puDN --with-bdeps=y @world". This is because > CPU_FLAGS_X86 is not empty by default. It contains sse > and sse2 by default, because these are supported by > all 64-bit CPUs. > > What I did, I commented out the whole line and ran it that > way. > > If you comment it out, it will have default values. If you set > it to an empty string, you should be able to see which > packages make use of the default flags (like sse and sse2.) > Note it's a pretend emerge (-p). Just to check which packages > you have installed that make use of these flags. > > One last question for anyone who has done this recently. > When finished, I'll have a FX-8350 CPU with 8 cores at > 4.0/4.2GHz, 32GBs of memory all on a Gigabyte 970 series > mobo. Would there be any point in upgrading to a whole > new rig or is what I have about as fast is reasonable to > build? I don't do gaming or anything. Even the GTX 650 > video card is likely overkill for what I do here. The > older 200 series card is working just fine. On one hand, > my current build is several years old. On the other, > computers seem to have reached their peak. I'm sure there > is more powerful systems out there but would I be any > better off with one? > > > Since the AM3+ and its C32/G34 Opteron counterparts are the last and > best x86 cpus without ME/PSP I would say you are better off with what > you have - the best piledriver cpus like the FX-8350+ are still able to > play the latest games and in a VM via IOMMU-GFX if you want. > > In any case I would consider a OpenPOWER (ppc64/ppc64le) arch system > (like the blackbird or talos 2) as an upgrade path instead of any futher > x86 stuff as there aren't any black boxes, there is > documentation+firmware sources and the cpus are made in usa. > > > Made in USA isn't necessarily a good thing when talking about not > wanting any hidden back doors. > Not sure which country would be a reliable location though, I wouldn't > trust Western European countries either. > > -- > Joost > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. I have to say, this is something I thought about. While some newer CPUs have even been talked about on this list, I don't recall this one being included, or the one I currently use. Given its age, I would think it would be exposed if it was hackable or had a backdoor, but one never knows. As to country it was made in, I don't trust any of them really. The NSA is just as bad at snooping as any other country. Well, some such as China may be worse but if it has a backdoor, it has a backdoor. If one Govt or group knows about it, they all will at some point and will exploit it for their own means. I might add, this is why I'd love to see encryption done by a group that is not infiltrated by a Govt agency, education system etc and is open source the the point that a backdoor is impossible. That would be a very tall order tho. Sometimes people with bad intentions get in despite all the effort to exclude them. This is one reason I'm considering splitting off certain directories that are encrypted. Thing is, is there one that isn't already hackable by groups such as the NSA or folks in China etc?? Would we really ever know if they could or not?? Dale :-) :-)
Re: [gentoo-user] Small (as in footprint) window manager
On 12/5/18 1:34 PM, james wrote: Hello Dan:: lots of good suggestions. you can look in /usr/portage/x11/wm (or whereevery /etc/portage/x11-wm for a listing of what in the tree for smaller. I have been wanting to try lumina:: https://lumina-desktop.org/features/ "does not require PolicyKit, HAL or systemd" if you have a few/limited scope of codes to run, it might just be what you are looking for.. good_hunting, James I've tried a few now (windowmaker, icewm, fluxbox, and the lumina desktop.) I think for my needs fluxbox and eterm are all I need. That Lumina desktop looks interesting, but I couldn't get it to start on my machine. It went through the startup of the desktop, but as soon as it showed me the desktop something crashed (I think??) Looking through the logs I found this for the Lumina desktop: qt.qpa.xcb: QXcbConnection: XCB error: 1 (BadRequest), sequence: 627, resource id: 6291470, major code: 142 (Unknown), minor code: 1 But Google reveals nothing. So fluxbox it is! Dan
Re: [gentoo-user] Re: CPU upgrade and LVM questions.
On December 9, 2018 6:23:07 PM UTC, "taii...@gmx.com" wrote: >On 12/07/2018 06:47 PM, Nikos Chantziaras wrote: >> On 07/12/2018 09:30, Dale wrote: >>> Nikos Chantziaras wrote: If you want to see all of the installed packages that are affected, you need to set CPU_FLAGS_X86 to an empty string: CPU_FLAGS_X86="" and then do "emerge -puDN --with-bdeps=y @world". This is because CPU_FLAGS_X86 is not empty by default. It contains sse and sse2 by default, because these are supported by all 64-bit CPUs. >>> >>> What I did, I commented out the whole line and ran it that way. >> >> If you comment it out, it will have default values. If you set it to >an >> empty string, you should be able to see which packages make use of >the >> default flags (like sse and sse2.) >> >> Note it's a pretend emerge (-p). Just to check which packages you >have >> installed that make use of these flags. >> >> >>> One last question for anyone who has done this recently. When >finished, >>> I'll have a FX-8350 CPU with 8 cores at 4.0/4.2GHz, 32GBs of memory >all >>> on a Gigabyte 970 series mobo. Would there be any point in >upgrading to >>> a whole new rig or is what I have about as fast is reasonable to >build? >>> I don't do gaming or anything. Even the GTX 650 video card is >likely >>> overkill for what I do here. The older 200 series card is working >just >>> fine. On one hand, my current build is several years old. On the >>> other, computers seem to have reached their peak. I'm sure there is >>> more powerful systems out there but would I be any better off with >one? > >Since the AM3+ and its C32/G34 Opteron counterparts are the last and >best x86 cpus without ME/PSP I would say you are better off with what >you have - the best piledriver cpus like the FX-8350+ are still able to >play the latest games and in a VM via IOMMU-GFX if you want. > >In any case I would consider a OpenPOWER (ppc64/ppc64le) arch system >(like the blackbird or talos 2) as an upgrade path instead of any >futher >x86 stuff as there aren't any black boxes, there is >documentation+firmware sources and the cpus are made in usa. Made in USA isn't necessarily a good thing when talking about not wanting any hidden back doors. Not sure which country would be a reliable location though, I wouldn't trust Western European countries either. -- Joost -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Re: CPU upgrade and LVM questions.
On 12/07/2018 06:47 PM, Nikos Chantziaras wrote: > On 07/12/2018 09:30, Dale wrote: >> Nikos Chantziaras wrote: >>> If you want to see all of the installed packages that are affected, >>> you need to set CPU_FLAGS_X86 to an empty string: >>> >>> CPU_FLAGS_X86="" >>> >>> and then do "emerge -puDN --with-bdeps=y @world". This is because >>> CPU_FLAGS_X86 is not empty by default. It contains sse and sse2 by >>> default, because these are supported by all 64-bit CPUs. >>> >> >> What I did, I commented out the whole line and ran it that way. > > If you comment it out, it will have default values. If you set it to an > empty string, you should be able to see which packages make use of the > default flags (like sse and sse2.) > > Note it's a pretend emerge (-p). Just to check which packages you have > installed that make use of these flags. > > >> One last question for anyone who has done this recently. When finished, >> I'll have a FX-8350 CPU with 8 cores at 4.0/4.2GHz, 32GBs of memory all >> on a Gigabyte 970 series mobo. Would there be any point in upgrading to >> a whole new rig or is what I have about as fast is reasonable to build? >> I don't do gaming or anything. Even the GTX 650 video card is likely >> overkill for what I do here. The older 200 series card is working just >> fine. On one hand, my current build is several years old. On the >> other, computers seem to have reached their peak. I'm sure there is >> more powerful systems out there but would I be any better off with one? Since the AM3+ and its C32/G34 Opteron counterparts are the last and best x86 cpus without ME/PSP I would say you are better off with what you have - the best piledriver cpus like the FX-8350+ are still able to play the latest games and in a VM via IOMMU-GFX if you want. In any case I would consider a OpenPOWER (ppc64/ppc64le) arch system (like the blackbird or talos 2) as an upgrade path instead of any futher x86 stuff as there aren't any black boxes, there is documentation+firmware sources and the cpus are made in usa.
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
Am Sonntag, 9. Dezember 2018, 18:03:35 CET schrieb Arve Barsnes: [...] > More important than that, it seems the vulnerability is in > ghostscript, and the vulnerable versions are not any longer even in > portage, so shouldn't the change have been reverted by now? https://bugs.gentoo.org/664236#c10 -- Marc Joliet -- "People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
Am Sonntag, 9. Dezember 2018, 16:46:39 CET schrieb Philip Webb: > 181209 Marc Joliet wrote: > > Am Sonntag, 9. Dezember 2018, 11:35:16 CET schrieb Philip Webb: > >> What exactly are the "security reasons" ? > >> Do they apply to a single-user system ? -- if not, > >> why is the restrictive version of the policy file installed by default > >> rather than a warning at the end of the emerge output ? > > > > Good question. Checking the git log, the change was mode over two > > commits: > > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > > id=02765dfc333e578af9e3fd525fc0067dc47d6528 > > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > > id=df7afbda6b12a68578833225e694cee011b20342 > > The commit messages point to https://www.kb.cert.org/vuls/id/332928/ > > and https://bugs.gentoo.org/664236, > > which basically explain in more detail what Mick summarized yesterday. > > It looks to me like an over-reaction to a fairly unlikely exploit. > You are protected if you don't download images from untrusted sites > or if you don't run Ghostscript as root (who would ? ). A remote code execution vulnerability is problematic even when "merely" executed as your own user. I don't understand why you would think that it only matters when run as root. -- Marc Joliet -- "People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sun, 9 Dec 2018 at 16:46, Philip Webb wrote: > > 181209 Marc Joliet wrote: > > Am Sonntag, 9. Dezember 2018, 11:35:16 CET schrieb Philip Webb: > >> What exactly are the "security reasons" ? > >> Do they apply to a single-user system ? -- if not, > >> why is the restrictive version of the policy file installed by default > >> rather than a warning at the end of the emerge output ? > > Good question. Checking the git log, the change was mode over two commits: > > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > > id=02765dfc333e578af9e3fd525fc0067dc47d6528 > > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > > id=df7afbda6b12a68578833225e694cee011b20342 > > The commit messages point to https://www.kb.cert.org/vuls/id/332928/ > > and https://bugs.gentoo.org/664236, > > which basically explain in more detail what Mick summarized yesterday. > > It looks to me like an over-reaction to a fairly unlikely exploit. > You are protected if you don't download images from untrusted sites > or if you don't run Ghostscript as root (who would ? ). > > It's true that you can use 'img2pdf' instead, which is perhaps the solution. More important than that, it seems the vulnerability is in ghostscript, and the vulnerable versions are not any longer even in portage, so shouldn't the change have been reverted by now? Arve
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
181209 Marc Joliet wrote: > Am Sonntag, 9. Dezember 2018, 11:35:16 CET schrieb Philip Webb: >> What exactly are the "security reasons" ? >> Do they apply to a single-user system ? -- if not, >> why is the restrictive version of the policy file installed by default >> rather than a warning at the end of the emerge output ? > Good question. Checking the git log, the change was mode over two commits: > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > id=02765dfc333e578af9e3fd525fc0067dc47d6528 > https://gitweb.gentoo.org/repo/gentoo.git/commit/? > id=df7afbda6b12a68578833225e694cee011b20342 > The commit messages point to https://www.kb.cert.org/vuls/id/332928/ > and https://bugs.gentoo.org/664236, > which basically explain in more detail what Mick summarized yesterday. It looks to me like an over-reaction to a fairly unlikely exploit. You are protected if you don't download images from untrusted sites or if you don't run Ghostscript as root (who would ? ). It's true that you can use 'img2pdf' instead, which is perhaps the solution. -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
Am Sonntag, 9. Dezember 2018, 11:35:16 CET schrieb Philip Webb: > 181208 Marc Joliet wrote: > > This is mentioned in the emerge output when installing imagemagick. > > > > From the 7.0.8.14 ebuild : > > elog "For security reasons, a policy.xml file was installed in > > /etc/ImageMagick-7" > > elog "which will prevent the usage of the following coders by default:" > > elog "" > > elog " - PS" > > elog " - PS2" > > elog " - PS3" > > elog " - EPS" > > elog " - PDF" > > elog " - XPS" > > What exactly are the "security reasons" ? > Do they apply to a single-user system ? -- if not, > why is the restrictive version of the policy file installed by default > rather than a warning at the end of the emerge output ? Good question. Checking the git log, the change was mode over two commits: https://gitweb.gentoo.org/repo/gentoo.git/commit/? id=02765dfc333e578af9e3fd525fc0067dc47d6528 https://gitweb.gentoo.org/repo/gentoo.git/commit/? id=df7afbda6b12a68578833225e694cee011b20342 The commit messages point to https://www.kb.cert.org/vuls/id/332928/ and https://bugs.gentoo.org/664236, which basically explain in more detail what Mick already summarized yesterday. -- Marc Joliet -- "People who think they know everything really annoy those of us who know we don't" - Bjarne Stroustrup signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
181208 Marc Joliet wrote: > This is mentioned in the emerge output when installing imagemagick. > From the 7.0.8.14 ebuild : > elog "For security reasons, a policy.xml file was installed in > /etc/ImageMagick-7" > elog "which will prevent the usage of the following coders by default:" > elog "" > elog " - PS" > elog " - PS2" > elog " - PS3" > elog " - EPS" > elog " - PDF" > elog " - XPS" What exactly are the "security reasons" ? Do they apply to a single-user system ? -- if not, why is the restrictive version of the policy file installed by default rather than a warning at the end of the emerge output ? -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca
