Re: [DNG] Help with Spectre and Meltdown
marc wrote on 17.01.2018 07:27: [...] > * Stop running code which you don't trust. That comes in two forms: > Don't enable javascript on your browser, and don't use cloud-based > systems or virtual hosts. Those things you don't want to do anyway > if you care about security. > > Not sure how Devuan could help with those, except maybe make sure > that none of the web-based infrastructure (devgalaxy, etc) require > javascript or maybe package up some of the firefox forks which > are more security focused. Which would essentially boil down to a list of three candidates: waterfox, icecat, or palemoon. My 2¢: Out of these, currently waterfox is my personal favorite, as palemoon started to fail me on several occasions, not being able to reasonably render several web pages I use regularly. Didn't have much exposure to icecat, though. Best regards Urban -- Sapere aude! ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Help with Spectre and Meltdown
> I wanted to explore whether Devuan can provide a solution to the > Spectre/Meltdown fiasco. Is there a guide to what elements of Devuan > [jessie, ascii, ?] have been upgraded to address these issues? Spectre has no patch in the conventional sense. But there are two types of things one can do: * Move to a processor which doesn't speculate :) with so many side effects. Processors found on the raspberry PI, for example, are ok to use. * Stop running code which you don't trust. That comes in two forms: Don't enable javascript on your browser, and don't use cloud-based systems or virtual hosts. Those things you don't want to do anyway if you care about security. Not sure how Devuan could help with those, except maybe make sure that none of the web-based infrastructure (devgalaxy, etc) require javascript or maybe package up some of the firefox forks which are more security focused. regards marc ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Help with Spectre and Meltdown
On Tue, Jan 16, 2018 at 11:33:41PM +, jacksprat wrote: > I wanted to explore whether Devuan can provide a solution to the > Spectre/Meltdown fiasco. Is there a guide to what elements of Devuan > [jessie, ascii, ?] have been upgraded to address these issues? > > If I need to move to ascii to achieve this [I am on jessie], what do I need > to put in /etc/apt/sources.list so that apt-get can be perform the > upgrade? I have a spare computer where an ascii-based solution can be > tested . > The only affected component is the kernel. Patch exist for jessie, ascii, and unstable, but only for Meltdown. AFAWN, there is no way to effectively patch Spectre. The patch for Meltdown comes directly from Debian: https://security-tracker.debian.org/tracker/CVE-2017-5754 and the updates are available from jessie-updates and from ascii-updates. So if you have updates enabled in your sources.list, you might already have got the patch. Just check that the version of your running kernel corresponds with that specified at the URL above. HTH KatolaZ -- [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] signature.asc Description: Digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Help with Spectre and Meltdown
I wanted to explore whether Devuan can provide a solution to the Spectre/Meltdown fiasco. Is there a guide to what elements of Devuan [jessie, ascii, ?] have been upgraded to address these issues? If I need to move to ascii to achieve this [I am on jessie], what do I need to put in /etc/apt/sources.list so that apt-get can be perform the upgrade? I have a spare computer where an ascii-based solution can be tested . Thanks, jacksprat ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind testing for experimental and ascii-proposed
Andreas Messer wrote on 16.01.2018 22:24: > since we have to test elogind now with various setups, KatolaZ asked me to > write a short guide what needs to be tested. So here we go: [snipped procedure] I gave it a quick spin on my ascii VM with lightdm and XFCE: 1. Simply installing elogind caused no regressions, as expected. 2. With consolekit/policykit and elogind fully enabled: - lightdm+XFCE graphical login: * login, logout, poweroff, reboot, USB drive mount: working (same as without elogind, or disabled elogind) - ssh console login: * screen sessions killed on logout (regression, works with elogind disabled!) * ssh-agent killed on logout (regression, not killed with elogind disabled!) * urban@vboxascii:~$ loginctl reboot AUTHENTICATING FOR org.freedesktop.login1.reboot Authentication is required for rebooting the system. Authenticating as: ,,, (urban) Password: AUTHENTICATION COMPLETE Failed to reboot system via elogind: Message recipient disconnected from message bus without replying urban@vboxascii:~$ Broadcast message from root@vboxascii (console) (Tue Jan 16 23:25:17 2018): The system is going down for reboot NOW! Connection to 192.168.2.167 closed by remote host. * root@vboxascii:~# loginctl reboot Failed to reboot system via elogind: Message recipient disconnected from message bus without replying root@vboxascii:~# Broadcast message from root@vboxascii (console) (Tue Jan 16 23:52:22 2018): The system is going down for reboot NOW! Connection to 192.168.2.167 closed by remote host. 3. No consolekit/policykit, only elogind installed and activated (not sure if that even makes any sense, but what the heck): -lightdm+XFCE graphical login: * login, logout: working * GUI poweroff, reboot, USB mount: NOT working! - ssh console login: * screen sessions and ssh-agent killed on logout * urban@vboxascii:~$ loginctl reboot Failed to reboot system via elogind: The name org.freedesktop.PolicyKit1 was not provided by any .service files TL;DR: The only immediately noticeable regression caused by enabling elogind in this setup was detached background processes (screen, ssh-agent) being killed upon session termination; user mount, poweroff, and reboot worked as expected. HTH, best regards Urban -- Sapere aude! ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
On Tue, Jan 16, 2018 at 04:09:58PM +0300, Hleb Valoshka wrote: > On 1/16/18, Hleb Valoshka <375...@gmail.com> wrote: > > > Not yet, devuan ci has issues with repos containing pristine-tar. I'll > > build it locally and put it somewhere and then write its location > > here. > > https://mega.nz/#!IMFCWRBQ!7xA2eH0PpMqF9v3WF4DhTnAgVFEjRW0pPskA2XaSO78 > > This tarball contains versions for Ascii and Ceres (experimental), > built only for amd64. Sorry, didn't see that the package is already in git.devuan.org. I checked it out and rebuild it without the elogind Conflict. i can install it in parallel. I have made a short test: - lightdm + KDE5: Sessions shows up in logind but not in consolekit - textlogin: Sessions shows up in both I think consolekit is handled by lightdm itself, without pam module. Maybe it has some integrated logic which disables consolekit upond detecting something else. Btw, "ck-list-sessions" crashes for me: #0 0x76fa0646 in strlen () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #1 0x76f68d78 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #2 0x76f6f1f9 in printf () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #3 0x585b in list_session (ssid=, connection=0x5576b0c0) at list-sessions.c:245 lsid = 0x5577d0b0 "6" x11_display = 0x5576fee0 "" remote_host_name = 0x5577c470 "" idle_since_hint = 0x5577c370 "" vtnum = 4294967295 proxy = 0x55769e30 uid = 1100 session_type = 0x5577c230 "" session_state = 0x0 is_active = 1 is_local = 1 short_ssid = 0x5577c2bc "Session4" x11_display_device = 0x5577f360 "" display_device = 0x5577c450 "/dev/tty1" creation_time = 0x5577e2b0 "2018-01-16T21:43:10.770409Z" runtime_dir = 0x1 error = 0x0 sid = 0x55765bd0 "/org/freedesktop/ConsoleKit/Seat1" session_class = 0x0 short_sid = 0x55765bec "Seat1" #4 list_sessions (sid=, connection=0x5576b0c0) at list-sessions.c:343 iter = 0x557781e0 proxy = 0x55769da0 error = 0x0 res = 0x5577dcc0 #5 list_seats (connection=0x5576b0c0) at list-sessions.c:394 iter = 0x55777f70 proxy = 0x55769d10 error = 0x0 res = 0x55779d90 path = 0x5577d770 "/org/freedesktop/ConsoleKit/Seat1" #6 main (argc=, argv=) at list-sessions.c:451 connection = 0x5576b0c0 context = retval = error = 0x0 do_version = 0 entries = {{long_name = 0x5f0d "version", short_name = 86 'V', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x557571a4 , description = 0x5f15 "Version of this application", arg_description = 0x0}, {long_name = 0x0, short_name = 0 '\000', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x0, description = 0x0, arg_description = 0x0}} Maybe something to forward to upstream. Cheers, Andreas signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] elogind testing for experimental and ascii-proposed
Dear folks, since we have to test elogind now with various setups, KatolaZ asked me to write a short guide what needs to be tested. So here we go: Lets start with a short overview about what logind is: It is about session, user and seat management. Its main use is to track who is logged in by which method into a system and which processes belong to such a session. A session can then be assigned to a seat. Seat can be a remote access, x11 display... That information is then used by other software packages to determine e.g. access permissions to hardware. This topic was addressed with another software some time ago, called consolekit. Many desktop environments and tools have been added support for consolekit. e.g. KDE, GNOME, udisks, upower. At some time (e)logind was born in context of systemd. (elogind) implements the same functionality like consolekit and more. Today more and more applications are migrated to (e)logind. Therefor this package is needed in Devuan to support modern Desktop Environments. For now, lots of packages in devuan assci still rely or can use consolekit but this might change in future. This includes udisks (consolekit only), KDE (maybe both). Some packages require (e)logind, e.g. GNOME, for installing the package but at runtime they seem also be able to still use consolekit. In principle consolekit and (e)logind can be used at the same time because the use different D-Bus APIs and consolekit is merely a database. But applications must implement this. Main testing point is to figure out if elogind breaks anything which is formerly working properly. In the currently prepared packages, elogind is although being installed and started, not fully enabled because my internal tests showed that this breaks user mounting, shutdown and reboot via consolekit. This probably requires changes to other packages. We still need to know if anything else breaks by installing the elogind package, or if things become functional after installing it. We need information about as many combinations of display managers and desktop environments as possible, because there is interaction between elogind and all of them and things which work with one display manager and one desktop environment might not work with another display manager. I have tested so far: - text login - lightdm/KDE - lightdm/GNOME (only basic tests) So for testing, you might take with the following steps: - just install packages "elogind" and "libpam-elogind" package and check if they install cleanly. I expect problems when original systemd packages are used. Report any problems with it - invoke "pam-auth-update" as root and ensure that elogind is not selected. This will effectively disable eloginds session management (daemon still runs and dbus api/library is available) - after installing, invoke the command "loginctl". It should not list any session because elogind is not (yet) fully enabled. - After installing, check if login/logout works properly. Especially the graphical logins are interesting. Please report tested display manager / desktop environment here. - Now check if you can mount/unmount removeable media like USB, CDs. Report if it worked before installing elogind and if it still works afterwards - Test if reboot/shutdown via desktop environment is functional. Report if it worked before installing elogind and if it still works afterwards - Now, we should test with fully enabled elogind. Todo so invoke "pam-auth-update" again and enable elogind. Afterwards logout and login again. From now on, if any unexpected behavior occurs, things which work before, please report them. - executing "loginctl" should now list the session. - Now check if you can mount/unmount removeable media like USB, CDs. - Test if reboot/shutdown via desktop environment is functional. As said above, elogind is doing more than only recording the sessions. So with fully enabled elogind the following things should be tested: - Test if reboot/shutdown works via "loginctl poweroff" and "loginctl reboot" - When using the "screen" terminal emulator original logind is killing everything, even the multiplexed application when the session closes. Please test if that happens for your system. I think we have to preconfigure it reasonable here. - When terminating a session with a kill command, I have observed on debian, that the user services survive this and continue running. That means, that if the sessions crashes gpg-agent might be still running and if logging in again it might still have opened the key (not asking for passphrase) I think one can kill the session using the kill command and the login as another user and figure out if there are still processes running under the former user to test this. Thanks for your help. signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org
Re: [DNG] Backup plans: was Which is free, which is open source, et al.
On Wed, Jan 17, 2018 at 01:42:26AM +0800, Brad Campbell wrote: > On 14/01/18 06:30, KatolaZ wrote: > >The bet ingredient for a successful "Primary Plan" is to assume that > >there is no backup plan, an act accordingly ;) > > Quite on the contrary. Having a well formulated and tested backup plan means > you won't need it. > Hi Brad, I really struggle to follow your logic here, and in particular I don't see how having a well-formulated backup plan can contribute to the success of your primary plan. I actually think that a too-well-formulated backup plan will hinder your potential success in the primary one: if something tiny goes wrong in your main plan you don't have to bang your head on the wall. Just switch to your perfect backup plan, let the others continue banging their heads on that bloody wall, and you'll be fine on your own. I could switch to FreeBSD tomorrow, and most probably not even notice the difference, but I would personally consider that a big failure. Hence, for me that "backup plan" does not exist. I will continue to bang my head on the wall until Devuan works for me. If there are more of us willing to bang their heads on the wall to make Devuan work, each of us will bang his own head for less time, with less harm, and with much larger probability of having the issue solved. What I meant is that the success of Devuan is definitely bound to none of the Devuan users and developers giving up on Devuan. In other words, to the Devuan community not stopping to cater and care for Devuan. However it can. Whatever it costs. My2Cents KatolaZ -- [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] signature.asc Description: Digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Backup plans: was Which is free, which is open source, et al.
On 14/01/18 06:30, KatolaZ wrote: The bet ingredient for a successful "Primary Plan" is to assume that there is no backup plan, an act accordingly ;) Quite on the contrary. Having a well formulated and tested backup plan means you won't need it. That applies as well to plans as it does to backups (although my well formulated and tested backup plan came in handy when I accidentally started 2 instances of the same VM on the same backing file last year. That ended ok, but the bit in the middle wasn't much fun). It's those without a plan B that often have need for it. I don't buy insurance for the "just in case". I buy it because those that have it don't generally need it. Murphy is a bit of a swine that way. I'm a Debian escapee. My future is Devuan. My plan B is some form of BSD. I have it, but because I have it I know I won't need it. Brad -- Dolphins are so intelligent that within a few weeks they can train Americans to stand at the edge of the pool and throw them fish. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
Could you, experts, explain me (and maybe others) what the role of logind, consolekit and polkit is exactly? What I understand from your discussion is that consolekit and logind are doing the same thing and stepping on each others feet. Gentoo's consolekit wiki tells the following: *ConsoleKit* is a framework for defining and tracking users, login sessions, and seats. ConsoleKit's primary function is to support multi-user setups. It also works for a single user, but offers no benefits compared to existing methods. ConsoleKit is a D-Bus daemon and creates for each PAM session its own session. All applications in that session can make use of the permissions granted to this session. ConsoleKit determines if the session is local (created by a local user in contrast to users logged in over the network), and if the session is active (meaning it's the most recent session). Based on these distinctions, ConsoleKit assigns device file permissions (e.g. for audio, video and more) to the session. Other software like polkit also make use of these distinctions According to this wiki, the role of consolekit (and/or logind) is to make a distinction between local and remote sessions, to grant more permissions to the first (which seems futile). But why do we need both logind/consolekit and polkit ? I understand udisks asks the permission (through PAM)to either logind or consolekit for mounting removable disks, which is a priviledged operation. I'm not sure how pmount does, but, on my Ascii install, udisks fails on mmcblk0p1 while pmount succeeds. Thanks. Didier ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
On 1/16/18, Hleb Valoshka <375...@gmail.com> wrote: > Not yet, devuan ci has issues with repos containing pristine-tar. I'll > build it locally and put it somewhere and then write its location > here. https://mega.nz/#!IMFCWRBQ!7xA2eH0PpMqF9v3WF4DhTnAgVFEjRW0pPskA2XaSO78 This tarball contains versions for Ascii and Ceres (experimental), built only for amd64. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
On 1/16/18, Andreas Messerwrote: > Yes we have to figure out if any of the DM works without the pam stuff, but > there are people who use terminal sessions :-) And for them, enabling the Quite strange, but even systemd has the following pam config (only relevant part): Session: optionalpam_systemd.so while ck has: Session-Final: optionalpam_ck_connector.so nox11 So unlike with CK, pam module for (e)login should be enabled unconditionally. > module will break consolekit. So an example, when elogin pam is not enabled We can make ck2 and elogind mutually exclusive. ... > know why this happens. I need to try with consolekit2, maybe this is fixee > already. Original consolekit is pretty old stuff. Btw. did you put the > consolekit2 package somewhere already? Not yet, devuan ci has issues with repos containing pristine-tar. I'll build it locally and put it somewhere and then write its location here. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
On Tue, Jan 16, 2018 at 01:00:30PM +0300, Hleb Valoshka wrote: > On 1/16/18, Andreas Messerwrote: > ... > > When elogind pam module is enabled, the session is correctly registered > > with elogind. This can be done by following steps: > > Afaik pam module is required only for terminal sessions, for DM it > usually isn't required unless your DM doesn't support it directly, but > as elogind is a replacement for logind it should be supported by any > DM which supports logind. Yes we have to figure out if any of the DM works without the pam stuff, but there are people who use terminal sessions :-) And for them, enabling the module will break consolekit. So an example, when elogin pam is not enabled the following works with devuan if consolekit and udisks is installed: 1) login 2) plug in usb stick 3) udisksctl mount But when enabling pam elogind you will get: 1) login 2) plug in usb stick 3) udisksctl mount Which is because when the elogin pam module is enabled, consolekit does not list the session anymore, so activating it effectively breaks consolekit. I don't know why this happens. I need to try with consolekit2, maybe this is fixee already. Original consolekit is pretty old stuff. Btw. did you put the consolekit2 package somewhere already? Tomorrow, I'll provide a lists of steps what to test with elogind so we can check what is working and what not. signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] elogind available in experimental and ascii-proposed
On 1/16/18, Andreas Messerwrote: ... > When elogind pam module is enabled, the session is correctly registered > with elogind. This can be done by following steps: Afaik pam module is required only for terminal sessions, for DM it usually isn't required unless your DM doesn't support it directly, but as elogind is a replacement for logind it should be supported by any DM which supports logind. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng