Re: [BLOG] On migration to the Hurd
Hello Ludovic, Jan, About the bootstrap ext2fs.static server, it seems that it is also required to create a link in /libexec, attached a patch. and now it shows another error: -- Hurd server bootstrap: ext2fs[device:hd0s1] exec startup proc auth. /libexec/console-run: /dev/console: Permission denied /libexec/console-run: cannot execute /libexec/runsystem: Exec format error -- I'll keep checking .. ReneFrom 536286f6b6817a15826420a793a83a5779fced12 Mon Sep 17 00:00:00 2001 From: Rene Saavedra Date: Fri, 3 Apr 2020 19:31:01 -0600 Subject: [PATCH] system: hurd: Add symlink for `../hurd/libexec.` * /gnu/system/hurd.scm (hurd-directives): Add symlink in `/libexec/console-run` for `../hurd/libexec`. --- gnu/system/hurd.scm | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gnu/system/hurd.scm b/gnu/system/hurd.scm index 586bfa0fca..6469e66b2e 100644 --- a/gnu/system/hurd.scm +++ b/gnu/system/hurd.scm @@ -94,7 +94,11 @@ menuentry \"GNU\" { ("/hurd" -> ,(file-append (with-parameters ((%current-target-system "i586-pc-gnu")) hurd) -"/hurd" +"/hurd")) + ("/libexec" -> ,(file-append (with-parameters ((%current-target-system + "i586-pc-gnu")) + hurd) + "/libexec" (qemu-image #:file-system-type "ext2" #:file-system-options '("-o" "hurd") -- 2.21.0
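Review bot: the commit message does not describe what the hunk does. The subject and ChangeLog entry say a symlink is added at `/libexec/console-run` pointing to `../hurd/libexec`, but the hunk adds a `("/libexec" -> ...)` entry whose target is the `/libexec` directory of the cross-built `hurd` package, so the message should say that `/libexec` itself is symlinked to the package's `libexec` directory (and the stray trailing period in `../hurd/libexec.` should go). A smaller point: `(with-parameters ((%current-target-system "i586-pc-gnu")) hurd)` is now spelled out twice, once for `/hurd` and once for `/libexec`; binding the cross-built package once (for instance in a `let` around the directives) and reusing it in both entries would avoid the duplication and keep the two targets in sync if the target triplet ever changes.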
Re: Adding a %desktop-packages
Hi there, I am on board with providing some predefined lists of packages. I raised the idea of providing smaller lists of packages that might go well together instead of one large %desktop-packages. One reason to do this, for instance, might be to not make someone who wants to use btrfs always import the ext4 packages. Or not lock someone into using nettools if they are using iproute2, etc. Similarly, I think that many users, myself included, use a manifest file to manage user packages. It would help to have finer grained package lists so that the manifests could reuse them and not be requiring system basics along with it. What do you think? - John
Re: Linphone
Hello Guix!

>> At this point for linphoneqt a.k.a linphone-desktop, I am facing following
>> issues.
>>
>> When I build *without* `-DENABLE_DBUS=YES` and run the program, I get:
>>
>> QSocketNotifier: Socket notifiers cannot be enabled or disabled from another
>> thread
>> QMutex: destroying locked mutex
>>
>> When I build *with* `-DENABLE_DBUS=YES` and run the program, I get:
>>
>> Segmentation Fault (Core Dumped)
>>
>> I think the following patch is relevant, but when I use it, it doesn't get
>> successfully patched during the build.
>>
>> https://gitlab.linphone.org/BC/public/linphone-desktop/commit/9cf08623e3092fa19366e5c07fbe06898a59f09.diff
>>
>> Any ideas on how to fix this situation? Package definitions are available at
>> https://issues.guix.gnu.org/issue/40264. Latest revision for this program is
>> '14-add-linphoneqt-v3'.
>
> So I fixed "QSocketNotifier" error in version 4 patch (14-add-linphoneqt-v4).
> I still don't know how to fix "QMutex" error.

I have now fixed "QMutex" error in the version 6 patch (14-add-linphoneqt-v6).

Regards,
RG.
Re: Proxy settings wrt guix daemon
Hello,

thanks for the help, but...

On Tue, Mar 31, 2020 at 5:26 PM Ludovic Courtès wrote:
> I was proposing a custom action for the Shepherd service, just like the
> mcron Shepherd service has a custom ‘schedule’ action that one can
> invoke with “herd schedule mcron”.
>
> Hope that’s clearer!

I've found the shepherd-schedule-action code, but that does not tell me how to
implement the whole thing. Let me try harder; the following are all questions.
I do not know if they make any sense at all...

How do I make the running daemon use a proxy? By doing setenv() calls in
builtins.cc builtinDownload() before the execv(guix perform-download)?

How do I make the running daemon know which proxy to use? By getting it from
the settings object from globals.hh?

How do I make the running daemon change the value stored in the settings
object? By sending it an order to do so via the listening socket?

What will send this order through that socket? Another, one-shot, ephemeral,
guix-daemon process with the --set-proxy command-line option?

What is the UI to run that guix-daemon --set-proxy? Use herd set-proxy
guix-daemon "https://proxy:3128"? (Like what is done for mcron)

I really need a few "make this thing here do that" hints... And then also a bit
of a hint on how I would test the modifications without risking my running
system.

I hope that's not too demanding...

Thanks

-- 
Vincent Legoll
Re: Adding a %desktop-packages
> This is slightly unrelated, but your email reminded me.
>
> How about we add a %desktop-packages variable? I remember reading a bug
> report about possibly ungoogled-chromium or some package not working
> properly, because the user did not install a font. Perhaps if people
> are using a %desktop, there should be some %desktop-packages that most
> users will want installed by default. Packages would include a web
> browser, one system font, etc.
>
> --
> Joshua Branson Sent from Emacs and Gnus
>
> P.S. I am subscribed to Guix-devel, please just respond via To:
> address@hidden. Thanks

Sounds good to me. As a new user I found it annoying Icecat doesn't work by
default. IMO dejavu font should be an input of icecat or should be shipped with
the new %desktop-packages variable. Guix packages should just work out of the
box without the need for the user to have any technical knowledge; by doing so
it can gain wider audience and popularity.

Jan Wielkiewicz
Re: Unencrypted boot with encrypted root
Ellen Papsch wrote:

> On Friday, 03.04.2020, 18:13 +0200, Pierre Neidhardt wrote:
>>
>> By the way, is it possible to use the user password to unlock the
>> $HOME partition?
>>
>
> AFAIK GNU/Linux userland does not support it. GDM or another login
> manager would have to integrate that feature somehow. Maybe (maybe)
> there is some PAM way, but that's a wild guess.
>

You can use the pam-mount service to mount partitions when users log in.
There's an example in the manual for a user mounting their encrypted
'/home/user' directory. And if the user's password matches one of the
passwords that can decrypt the partition, you don't have to enter it twice.
Re: Unencrypted boot with encrypted root
On Fri, Apr 03, 2020 at 05:44:13PM +0200, Ellen Papsch wrote:
> To make it harder, we leave /boot encrypted. Now the attacker plants
> their malware further down the stack: they replace the BIOS. Boom, you
> are owned! :-)

So using a single encrypted partition instead of separate /boot protects from
script kiddies (siblings/“friends”?) with hardware access that know how to put
their own grub.cfg on an unencrypted /boot partition and then wait for you to
unsuspectingly use your machine. But it would still be possible for an attacker
to flash or replace the motherboard’s UEFI, or perhaps the part of GRUB
installed on the unaltered motherboard would willingly load a manipulated hard
disk? Or just install a keylogger.

So using the same boot partition as is done currently has

Pro: script kiddie protection
Con: passphrase must be entered twice; also entering the passphrase in GRUB may
use the wrong keyboard layout

Regards,
Florian
Re: Unencrypted boot with encrypted root
On Friday, 03.04.2020, 18:13 +0200, Pierre Neidhardt wrote:
> Ellen Papsch writes:
>
> > leaving /boot unencrypted allows attackers to plant malware
> > relatively easily. They can mount the partition without ado and
> > replace the kernel with a malicious one.
>
> How can you do that if the root partition is encrypted?
>

Your partition table would have at least two partitions:

no, type, mount point
0, Linux filesystem, /boot
1, Linux LUKS, /

/boot is completely independent of the root partition. Other distributions
copy the kernel to /boot. I just looked in GuixSD and grub.cfg references
kernel and initramfs in /gnu/store. Which is good for kernel modification
prevention but also prevents separate /boot. Florian links to #40273, which
discusses copying the files out of the store. That would turn the tables.

When turned, to plant the malware, you would boot another system from CD, USB
or network. If the BIOS (and boot) is locked down, you would extract the hard
drive. That's where the cage comes in.

> > For a long time I personally used root encrypted systems and found
> > the hassle not worth it. Encrypting /home and external hard drives
> > should cut it. If you suspect the machine has been tampered with,
> > don't boot, don't touch it. Even the hard disk firmware may have been
> > modified.
>
> My main motivation is that if my laptop gets stolen or lost, I don't
> want anyone to access my personal data.
>
> Encrypted /home is fine for this purpose.
>

I would second that, although there is a chance data may leak to /var. That
would depend on the program. While separate /boot is not possible, encrypting
/home and /var may be the convenient compromise to mitigate a stolen/lost
machine. (though convenience is again degraded by two passphrase prompts and
wait times)

> By the way, is it possible to use the user password to unlock the
> $HOME partition?
>

AFAIK GNU/Linux userland does not support it. GDM or another login manager
would have to integrate that feature somehow. Maybe (maybe) there is some PAM
way, but that's a wild guess.

You can avoid a passphrase prompt by using a key file on an external medium.
That poses the danger of the medium failing; make sure to have a passphrase in
addition (and not forget that :-). From a quick glance at the manual, there
seems no way of specifying a key file, though maybe if you dig deeper...

Regards
Re: Rethinking files as a concept -- review draft paper
Thanks! No matter what spelling and grammar checkers I seem to pass it
through, there always seems to be many things missed. I'll fix those up and
improve the notation as you suggest.

As for the Windows pathing support, I'm not settled on the idea but figured
I'd keep it more abstracted. I'm starting to lean towards a URL or something,
even for local files.

I'm going to make a number of fixes, add more example files, expand the
grammar somewhat, add some operational and file merge rules, and add API
interfaces. The other feedback I've been getting is that the core concept is
clear and solid. And typos.

On Fri, Apr 3, 2020 at 10:26 AM Pierre Neidhardt wrote:
> Thanks for sharing, nice write up!
>
> A few notes below:
>
> --8<---cut here---start->8---
> Scheme: A group of programming languages which are major branch of the
> Common LISP dialets.
> --8<---cut here---end--->8---
>
> Typo: dialects.
> Also I think it should say "major branch of the Lisp dialects". Scheme
> is not a branch of Common Lisp as far as I understand.
>
> The LISP casing is often considered deprecated, you may prefer Lisp
> instead.
>
> --8<---cut here---start->8---
> Object Storage: A method of storing files without paths e.g. ”C:\\Users\Ad-
> min\Desktop\word-doc.rtf”.
> --8<---cut here---end--->8---
>
> A Windows path?!? :)
>
> --8<---cut here---start->8---
> legacy .rom files
> --8<---cut here---end--->8---
>
> Which format is that?
>
> --8<---cut here---start->8---
> Web development has moved towards JSON like serialization
> --8<---cut here---end--->8---
>
> Typo: JSON-like
>
> --8<---cut here---start->8---
> and lowerers developer effort.
> --8<---cut here---end--->8---
>
> Typo: lowers
>
> --8<---cut here---start->8---
> Recognizers have two steps levels
> --8<---cut here---end--->8---
>
> Typo: two levels?
>
> --8<---cut here---start->8---
> Decrypting data is delegated tothe host by default
> --8<---cut here---end--->8---
>
> Typo: to the
>
> --8<---cut here---start->8---
> Bit Torrent
> --8<---cut here---end--->8---
>
> Typo: BitTorrent (no space)
>
> --8<---cut here---start->8---
> Distributed Files systems
> --8<---cut here---end--->8---
>
> Typo: distributed file systems
> (Maybe lower case?)
>
> --8<---cut here---start->8---
> a more granular mannar
> --8<---cut here---end--->8---
>
> Typo: manner
>
> Cheers!
>
> --
> Pierre Neidhardt
> https://ambrevar.xyz/
Re: good practices in science
> It is growing. I can't say about your field or your neighbourhood, but
> check out communities such as The Carpentries
> (https://carpentries.org/), which is organizing tutorials all around the
> globe to teach the tools that you like.

I had never heard about this initiative before, this is great! Thanks for
sharing!

-- 
Pierre Neidhardt
https://ambrevar.xyz/
Re: good practices in science
> I would like to find a community where I can do science in a good way.
> I want to use free software and would like to collaborate through
> version control, IRC, Jitsi, well formatted e-mails. Does such a
> community exist?

Look into [Center for Open Science](https://cos.io/)

In the R world, there is [rOpenSci](https://ropensci.org/about/)
Re: Unencrypted boot with encrypted root
Hi,

On Thursday, 02.04.2020, 10:59 +0200, Pierre Neidhardt wrote:
> Hi!
>
> I've followed the doc / template to set up an encrypted system on my
> laptop:
>
> --8<---cut here---start->8---
> (mapped-devices
>  (list (mapped-device
>         (source (uuid "12345678-1234-1234-1234-123456789abc"))
>         (target "my-root")
>         (type luks-device-mapping))))
>
> (file-systems (append
>                (list (file-system
>                       (device (file-system-label "my-root"))
>                       (mount-point "/")
>                       (type "ext4")
>                       (dependencies mapped-devices))
>                      (file-system
>                       (device (uuid "1234-ABCD" 'fat))
>                       (mount-point "/boot/efi")
>                       (type "vfat")))
>                %base-file-systems))
> --8<---cut here---end--->8---
>
> Problem is, I get prompted for the LUKS password twice: once before
> GRUB starts and once when booting an OS entry.
>
> This is rather annoying (and quite slow by the way, it takes some 10-20
> seconds) and probably not too useful.
>
> Is it possible to prompt for the password only once?
>
> I suppose that one way to do this is to make /boot a separate file
> system beside /boot/efi.
> All in all, the configuration would look like this:
>
> --8<---cut here---start->8---
> (mapped-devices
>  (list (mapped-device
>         (source (uuid "12345678-1234-1234-1234-123456789abc"))
>         (target "my-root")
>         (type luks-device-mapping))))
>
> (file-systems (append
>                (list (file-system
>                       (device (file-system-label "my-root"))
>                       (mount-point "/")
>                       (type "ext4")
>                       (dependencies mapped-devices))
>                      (file-system
>                       (device (file-system-label "boot"))
>                       (mount-point "/boot")
>                       (type "ext4"))
>                      (file-system
>                       (device (uuid "1234-ABCD" 'fat))
>                       (mount-point "/boot/efi")
>                       (type "vfat")))
>                %base-file-systems))
> --8<---cut here---end--->8---
>
> We should probably update the doc and templates to explain this
> subtlety, since mistakes in the partition design are hard to recover
> after the fact :)
>
> Insights?
>

leaving /boot unencrypted allows attackers to plant malware relatively easily.
They can mount the partition without ado and replace the kernel with a
malicious one. A nefarious law enforcement agency may seize your computer and
give it back, seemingly without modifications. Boom, you are owned!

To make it harder, we leave /boot encrypted. Now the attacker plants their
malware further down the stack: they replace the BIOS. Boom, you are owned! :-)

To make it harder, we ensure to have UEFI BIOS and enable Secure Boot. Now the
attacker exploits the Intel Management Engine (ME) flaws[0]. AMD is flawed as
well[1]. Boom, you are owned!

To make it harder, we exploit the flaws ourselves and replace most of ME with
an (of course) most secure BIOS. Now the attacker goes even further down the
stack and implants their malware in the PCB[2]. Boom, you are owned!

No matter what you do, you are owned. That doesn't even touch another great
attack surface that an internet connected computer is.

For maximum security, you should dig a hole, plant a metal cage that can hold
the computer and a completely autonomous power source (think plutonium), then
have a tor-like connection of your monitor, mouse and keyboard to that machine
(and a big red button that lets you destroy the hops).

On a more serious note and to answer your question, unencrypted /boot is an
option. Another is to have a key file on an external medium. This doesn't avoid
the second wait. The long wait may be due to the --iter-time option to
cryptsetup luksFormat. I haven't looked what the default is in Guix. The Grub
decryption code is also purported to be slow [no source].

For a long time I personally used root encrypted systems and found the hassle
not worth it. Encrypting /home and external hard drives should cut it. If you
suspect the machine has been tampered with, don't boot, don't touch it. Even
the hard disk firmware may have been modified.

Don't think you are in danger of being targeted? Well, you already are! Your
mail often gets into my spam folder because of "suspicious TLD .xyz". That
should be very telling ;-))

Best regards
Ellen

[0] https://media.ccc.de/v/36c3-10694-intel_management_engine_deep_dive
[1] https://media.ccc.de/v/thms-38-dissecting-the-amd-platform-security-processor
[2]
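Two replies in this thread describe two halves of one setup: Pierre's configuration with a plain /boot beside the LUKS root (so GRUB prompts only once), and the later suggestion to let pam-mount open an encrypted /home with the password the user types at login. The following operating-system declaration joins them. It is an added example, not a configuration anyone posted in the thread and not copied from the Guix manual; every UUID, label and device path, the user name alice and the host name are placeholders, and the record field names follow the current manual (in particular `targets` on the bootloader record, which older Guix revisions spelled `target`).

```scheme
;; Added example; not a configuration posted in this thread.
;; Layout: LUKS-encrypted root, a plain ext4 /boot so that GRUB needs no
;; passphrase, the EFI system partition, and an encrypted /home/alice that
;; pam_mount unlocks with the password alice types at login.
;; Placeholders: every UUID, label and device path, and the user "alice".
(use-modules (gnu)
             (gnu services pam-mount))
(use-service-modules desktop)

(operating-system
  (host-name "luks-example")          ; placeholder
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets '("/boot/efi"))))   ; `target' in older revisions

  ;; Only the root file system is a LUKS device that the boot process has
  ;; to open.  /home/alice is deliberately *not* listed here: it is opened
  ;; and mounted at login by pam_mount, not at boot.
  (mapped-devices
   (list (mapped-device
          (source (uuid "12345678-1234-1234-1234-123456789abc"))
          (target "my-root")
          (type luks-device-mapping))))

  (file-systems
   (append
    (list (file-system
           (device (file-system-label "my-root"))
           (mount-point "/")
           (type "ext4")
           (dependencies mapped-devices))
          ;; Unencrypted: GRUB reads grub.cfg, kernel and initrd from here
          ;; without a passphrase, so the LUKS prompt appears only once.
          ;; The trade-off is the one the thread discusses: anyone with
          ;; access to the disk can alter what is in /boot.
          (file-system
           (device (file-system-label "boot"))
           (mount-point "/boot")
           (type "ext4"))
          (file-system
           (device (uuid "1234-ABCD" 'fat))
           (mount-point "/boot/efi")
           (type "vfat")))
    %base-file-systems))

  (users (cons (user-account
                (name "alice")
                (group "users")
                (home-directory "/home/alice")
                (supplementary-groups '("wheel" "audio" "video")))
               %base-user-accounts))

  (services
   (cons (service pam-mount-service-type
                  (pam-mount-configuration
                   (rules
                    ;; pam_mount hands the login password to cryptsetup for
                    ;; /dev/sda3 and mounts the opened device on /home/alice.
                    ;; This only works while that password is in one of the
                    ;; LUKS key slots, so a password change has to be applied
                    ;; to the LUKS header as well (cryptsetup luksChangeKey).
                    `((debug (@ (enable "0")))
                      (volume (@ (user "alice")
                                 (fstype "crypt")
                                 (path "/dev/sda3")        ; placeholder
                                 (mountpoint "/home/alice")))
                      (mntoptions
                       (@ (allow "nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other")))
                      (mntoptions (@ (require "nosuid,nodev")))
                      (logout (@ (wait "0") (hup "0") (term "yes") (kill "no")))
                      (mkmountpoint (@ (enable "1") (remove "true")))))))
         %desktop-services)))
```

With this layout the disk carries three partitions besides the EFI one: the LUKS root that GRUB unlocks once, the plain /boot it reads freely, and a second LUKS volume for /home/alice that is never touched at boot. The passphrase for the root volume is asked once by the system, and alice's home is opened transparently by her login, provided her account password is registered as a key in that volume's LUKS header.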
Re: Unencrypted boot with encrypted root
On Thu, Apr 02, 2020 at 10:59:30AM +0200, Pierre Neidhardt wrote: > I suppose that one way to do this is to make /boot a separate file Yes please, this is also an issue in https://issues.guix.info/issue/40273#24 I believe an unencrypted GRUB file-system would be a better default. Regards, Florian
Re: good practices in science
Hi Marco,

> Are there any natural scientists here?

I have no idea how numerous we are, but yes, there are. As for myself, I am in
computational biophysics.

> I am sending this to this list because Guix is an obvious tool for
> scientific (and other) computing. None of my colleagues anywhere in
> the world have heard of it and they are not interested when I mention
> it. (Furthermore, brendyyn on #guix suggested this list.)

Don't worry, that will change.

> In my mind, this must mean that one writes plain text everywhere.
> This is plain/text for e-mail, LaTeX for papers, code is code,
> Markdown or similar for most other documents. All this is in version
> control. You can push, share, collaborate quite easily. Anyone is
> free to make a pretty PDF of it or do whatever else. Because, of
> course it is all free as in speech. You know all this.

That is a workflow which is being advocated increasingly. You could point your
doubting colleagues to this MOOC, for example:

https://www.fun-mooc.fr/courses/course-v1:inria+41016+self-paced/about

(disclaimer: I am one of its authors). Guix is not covered there, but it will
be in a more advanced sequel currently under preparation.

> I would like to find a community where I can do science in a good way.
> I want to use free software and would like to collaborate through
> version control, IRC, Jitsi, well formatted e-mails. Does such a
> community exist?

It is growing. I can't say about your field or your neighbourhood, but check
out communities such as The Carpentries (https://carpentries.org/), which is
organizing tutorials all around the globe to teach the tools that you like.

Cheers,
Konrad
Re: Rethinking files as a concept -- review draft paper
Thanks for sharing, nice write up!

A few notes below:

--8<---cut here---start->8---
Scheme: A group of programming languages which are major branch of the
Common LISP dialets.
--8<---cut here---end--->8---

Typo: dialects.
Also I think it should say "major branch of the Lisp dialects". Scheme
is not a branch of Common Lisp as far as I understand.

The LISP casing is often considered deprecated, you may prefer Lisp
instead.

--8<---cut here---start->8---
Object Storage: A method of storing files without paths e.g. ”C:\\Users\Ad-
min\Desktop\word-doc.rtf”.
--8<---cut here---end--->8---

A Windows path?!? :)

--8<---cut here---start->8---
legacy .rom files
--8<---cut here---end--->8---

Which format is that?

--8<---cut here---start->8---
Web development has moved towards JSON like serialization
--8<---cut here---end--->8---

Typo: JSON-like

--8<---cut here---start->8---
and lowerers developer effort.
--8<---cut here---end--->8---

Typo: lowers

--8<---cut here---start->8---
Recognizers have two steps levels
--8<---cut here---end--->8---

Typo: two levels?

--8<---cut here---start->8---
Decrypting data is delegated tothe host by default
--8<---cut here---end--->8---

Typo: to the

--8<---cut here---start->8---
Bit Torrent
--8<---cut here---end--->8---

Typo: BitTorrent (no space)

--8<---cut here---start->8---
Distributed Files systems
--8<---cut here---end--->8---

Typo: distributed file systems
(Maybe lower case?)

--8<---cut here---start->8---
a more granular mannar
--8<---cut here---end--->8---

Typo: manner

Cheers!

-- 
Pierre Neidhardt
https://ambrevar.xyz/
Re: good practices in science
Dear Marco, I don't think this is the place to discuss the ins and outs of science. The scientific community and arena can be frustrating and I would say (i.e., as an opinion) that you should only work in science if the subject itself grabs you. I left the software industry for biology 15 years ago and have not looked back. I love my work. We are organizing a COVID-19 biohackathon coming week for free software and free data. Feel free to watch and join. We are using some proprietary tools - usually they come with lab protocols - such as sequencers - though for me I try to avoid them as much as possible, and we can create free alternatives. But overall I am pretty happy with what I can do in science with free software and I only write free software! Let free software rule. I am excited about free hardware developments and Linux phones. Hopefully we'll get GNU Guix on those soon. Pj.
Re: [BLOG] On migration to the Hurd
On 04/02, Ludovic Courtès wrote:
> Tanguy Le Carrour wrote:
>
> > On 04/01, Jan Nieuwenhuizen wrote:
> >> We are thrilled to have published a post about migrating to the Hurd:
> >>
> >> https://guix.gnu.org/blog/2020/deprecating-support-for-the-linux-kernel/
>
> […]
>
> > The question is now: if not yesterday, when!?
> >
> > Thanks to all the people who will help make it a reality!
>
> Yup, it can actually become a reality!
> […]
>
>   ./pre-inst-env guix build -f gnu/system/hurd.scm
>
> That gives you a QEMU image containing a cross-built GNU/Hurd system,
> which is pretty cool.
>
> Unfortunately, the bootstrap ext2fs.static server currently hangs early
> on for reasons that haven’t been elucidated yet. For anyone who wants
> to fiddle with the Hurd, here’s a good hacking opportunity!

I'm not (yet) able to do low-level/system contributions, but I did contribute
some patches upstream to make some programs build and work on GNU/Hurd. I think
I'll keep on doing this kind of thing in the future. Better little than none,
right?! :-)

Regards

-- 
Tanguy
good practices in science
Hi all—

Are there any natural scientists here? I'm asking because at least in my field
not the right tools are used to do the work; I'd like to exchange ideas on how
to approach these issues.

I am sending this to this list because Guix is an obvious tool for scientific
(and other) computing. None of my colleagues anywhere in the world have heard
of it and they are not interested when I mention it. (Furthermore, brendyyn on
#guix suggested this list.)

Invasion of privacy has been growing over the years, and getting a spurt during
the COVID-19 pandemic (maybe not unlike 9/11). Examples include that here at
the university we are expected to use Zoom and Skype, and this was a good
moment to push through Microsoft Teams (as a "good replacement for mail").
These are all tools that are not open spec, free software or federated. Very
few of my colleagues care, and those that do have the opinion (or
understanding) that it is too late to do something about it.

At the University of Bergen it is expected that we install and use proprietary
software on our home network (e.g. MS Teams, Skype and Zoom – two of these run
luckily in Chromium). Except for the integrity of our scientific results, our
privacy and general home security is affected. We have to find ways to mitigate
the situation (e.g. a laptop dedicated to all the crap on a special subnet).
But, in my opinion, such mitigations should not even be necessary in the first
place. Especially in an environment of learning and research things should be
really different.

There are related, even worse, issues outside of academia, like the proprietary
COVID-19 tracking apps that several countries are building, mostly
independently because "we cannot trust another country's app" (which would be a
moot point if ...). Discussion of these wider issues would warrant a forked or
separate thread (or perhaps a different mailing list). I think it's all
connected, but now I'd like to focus on free software and science.

When I do science (the ordering and creation of concepts, models, hypotheses
and theories; through thinking, programming, simulating, evaluating, discussing
and writing), I have a way of working that I think is efficient and in line
with the scientific method. In my mind, this must mean that one writes plain
text everywhere. This is plain/text for e-mail, LaTeX for papers, code is
code, Markdown or similar for most other documents. All this is in version
control. You can push, share, collaborate quite easily. Anyone is free to make
a pretty PDF of it or do whatever else. Because, of course it is all free as in
speech. You know all this.

But it doesn't work like this. Colleagues don't follow this workflow, and they
don't care about freedom. They actually think that Track Changes is the same as
version control management.

I have some work-arounds for the incompatibility between the workflows. For
instance, I write most things in Markdown and use pandoc(1) to convert it to
PDF and ODT. The collaborators may use any method to comment on my text and
then send it back. They never edit the source; they almost invariably send back
a (non-strict OOXML) docx with Track Changes or a PDF with text balloons.

In academics, there was recently (in Norway just a year ago) a discussion about
open access. The discussion showed that it is very difficult for my colleagues
to only publish open access – they consider it as a serious problem, even
though I would not think twice to publish a paper that restricts its readers.

For writing papers I tried the proprietary service Overleaf (and similar) or
sending the TeX files, but it doesn't work. They won't use it. They even copy
text from a PDF into MS Word and send a Track Changed document in a top-posted
HTML e-mail back to me. Some of them expect me to do the same thing (or using
Google Docs or Sharepoint or so; sometimes logging in is expected as well).

For anyone writing a thesis and having these problems right now: don't think
they will go away. It does not even matter if you have your own funding. Most
of your partners won't care about anyone's freedom, and you still have to find
ways to work with their inefficient workflows. Free software helps a lot
dealing with this, but these inefficiencies are not necessary. The
inefficiencies arise from naivety about free software and technology, or just
not caring and/or trying to follow the status quo and writing senseless
proposals (with inefficient and non-free tools).

This is the state for Earth sciences. My work is appreciated in my field, so I
might survive in the system (writing proposals and crap), but these unnecessary
inefficiencies are *at least* an annoyance, and it does not appear to get any
better.

I would like to find a community where I can do science in a good way. I want
to use free software and would like to collaborate through version control,
IRC, Jitsi, well formatted e-mails. Does such a community exist?

I am considering going out of
Re: Adding a %desktop-packages
This is slightly unrelated, but your email reminded me. How about we add a %desktop-packages variable? I remember reading a bug report about possibly ungoogled-chromium or some package not working properly, because the user did not install a font. Perhaps if people are using a %desktop, there should be some %desktop-packages that most users will want installed by default. Packages would include a web browser, one system font, etc. -- Joshua Branson Sent from Emacs and Gnus P.S. I am subscribed to Guix-devel, please just respond via To: guix-devel@gnu.org. Thanks