Re: [gentoo-user] Re: Local mail server
On 8/1/20 1:53 PM, antlists wrote:
> That's one of the good things about the UK scene. In theory, and mostly in practice, the infrastructure (ie copper, fibre) is provided by a company which is not allowed to provide the service over it, so a mom-n-pop ISP can supposedly rent the link just as easily as a big ISP.

For a long time, the incumbent telephone carrier was required to allow other companies to access the DSL network and provide service. I've not kept up with the laws and have no idea of the current state.

> When we move I'll almost certainly move to Andrews and Arnold, who are exactly that mom-n-pop setup that are run by a bunch of engineers, as opposed to accountants.

:-)

-- Grant. . . . unix || die
Re: [gentoo-user] Re: Local mail server
On 8/1/20 5:36 PM, Grant Edwards wrote:
> Statically entered in the DHCP server doesn't count as static?

Not to the client computer that's running the DHCP client. The computer is still configured to use a dynamic method to acquire its IP address.

-- Grant. . . . unix || die
Re: [gentoo-user] Python 2.7 removal : problem with Firefox + Spidermonkey
On 8/1/20 7:04 PM, David Haller wrote:
> Hello,
>
> On Sat, 01 Aug 2020, Walter Dnes wrote:
> [..]
> > So a "palemoon-bin" ebuild is possible.
>
> There's already one in the palemoon overlay.
>
> -dnh

This is what you are referring to?

    www-client/palemoon-bin [2]
      Available versions: 28.11.0^ms {startup-notification}
      Homepage: https://www.palemoon.org/

    [1] "octopus" /var/lib/layman/octopus
    [2] "palemoon" /var/lib/layman/palemoon

If other, please post an exact link?

James
Re: [gentoo-user] Python 2.7 removal : problem with Firefox + Spidermonkey
On 8/1/20 12:10 PM, Walter Dnes wrote:
> On Sat, Aug 01, 2020 at 01:05:30AM -0400, Walter Dnes wrote
> > I have another idea. We already have firefox-bin and libreoffice-bin
> > ebuilds where the compiled tarball is pulled down from upstream, and
> > untarred. Would this work on Pale Moon? I guess it comes down to
> > whether or not python 2.7 is a run-time dependency as well as a build
> > time dependency. I'll ask on the Pale Moon forum.
>
> I checked, and it looks like python 2.7 is a build-time dependency only. Pale Moon will *RUN* just fine without python. Runtime system requirements according to http://linux.palemoon.org/download/mainline/
>
> * A modern Linux distribution. The browser may not work well on old or LTS releases of Linux.
> * A modern processor (must have SSE2 support as the absolute minimum).
> * 1GB of RAM (2GB or more recommended for heavy use).
> * GTK+ v2.24
> * GLib 2.22 or higher
> * Pango 1.14 or higher
> * libstdc++ 4.6.1 or higher
>
> So a "palemoon-bin" ebuild is possible. But is it necessary? If you pull down and extract the precompiled tarball to your home dir, it can be set to check for, and do, updates (as long as you have write permission to the Pale Moon directory). No need for portage to do it.

OK, give me a few days, as I do like the idea of building palemoon locally, outside of portage. Since it is a critical, at this time, app for me, having more than one way to build it or get the binary is of keen interest to me.

What we do not need to do is start trying to stay on top of all the python 2.7 security issues that abound. In fact, since palemoon is all about a secure browser (for me at least), I'm surprised they, as a project team, are not accelerating the migration to pure Python 3.

Further security ideas with palemoon are of keen interest to me too. A set of local security testing tools/semantics etc. would be useful; pointers to existing security tools are keenly appreciated too.

thx Walter.

James
Re: [gentoo-user] Python 2.7 removal : problem with Firefox + Spidermonkey
Hello,

On Sat, 01 Aug 2020, Walter Dnes wrote:
[..]
> So a "palemoon-bin" ebuild is possible.

There's already one in the palemoon overlay.

-dnh
-- 
"If Pacman had affected us as kids we'd be running around in dark rooms, munching pills and listening to repetitive music." -- Marcus Brigstocke
[gentoo-user] Re: Local mail server
On 2020-08-01, Grant Taylor wrote:
> Static IP address has some very specific meaning when it comes to
> configuring TCP/IP stacks. Specifically that you enter the address to
> be used, and it doesn't change until someone changes it in the
> configuration.

Right. That's what I was talking about, except the configuration is centralized in the DHCP Server.

> Either an IP address is statically entered -or- it's dynamic.

Statically entered in the DHCP server doesn't count as static?

-- Grant
Re: [gentoo-user] Re: Local mail server
On 01/08/2020 19:52, Grant Taylor wrote:
> On 7/31/20 2:01 PM, Grant Edwards wrote:
> > There may be half way decent ISPs in the US, but I haven't seen one in over 20 years since the last one I was aware of stopped dealing with residential customers. They were a victim of the "race to the bottom" when not enough residential customers were willing to pay $10 per month over what Comcast or US-West was charging for half-assed, crippled internet access).
>
> I think there is probably a good correlation between size and desire to be good and provide service. I've found that smaller ISPs (who actually try as opposed to cheating people) tend to be better. Sadly, many of these Mom & Pop type ISPs were consumed during the aptly described race to the bottom. :-(
>
> I still do consulting work with a small M ISP in my home town and I have a small municipal ISP where I am now. Both are quite good in many regards. Unfortunately, neither of them offer IPv6.

That's one of the good things about the UK scene. In theory, and mostly in practice, the infrastructure (ie copper, fibre) is provided by a company which is not allowed to provide the service over it, so a mom-n-pop ISP can supposedly rent the link just as easily as a big ISP.

When we move I'll almost certainly move to Andrews and Arnold, who are exactly that mom-n-pop setup that are run by a bunch of engineers, as opposed to accountants.

Cheers,
Wol
Re: [gentoo-user] Re: Local mail server
On 01/08/2020 19:48, Grant Taylor wrote:
> On 7/31/20 2:05 PM, Grant Edwards wrote:
> > Nit: DHCPv6 can be (and usually is) dynamic, but it doesn't have to be. It's entirely possible to have a static IP address that your OS (or firewall/router) acquires via DHCPv6 (or v4). [I set up stuff like that all the time.]
>
> Counter Nit: That's still acquiring an address via /Dynamic/ Host Configuration Protocol (v6). It /is/ a /dynamic/ process.
>
> Static IP address has some very specific meaning when it comes to configuring TCP/IP stacks. Specifically that you enter the address to be used, and it doesn't change until someone changes it in the configuration.
>
> Either an IP address is statically entered -or- it's dynamic. The fact that it's returning the same, possibly predictable, address is independent of the fact that it's a /dynamic/ process.

Counter counter nit: You may be *acquiring* it dynamically, but you can enter the address to be used into DHCP, and then it doesn't change until someone changes it in the configuration. That was my IPv4 in the Demon days - DHCP was *guaranteed* to *always* return the same address. So either I retrieved it via DHCP from Demon, or I hard coded it into my computer, it didn't matter.

Cheers,
Wol
Re: [gentoo-user] nsapass - alternative to keepassxc (and others)
‐‐‐ Original Message ‐‐‐
On Saturday, August 1, 2020 5:49 PM, J. Roeleveld wrote:

> > > This is not a GUI
> >
> > xterm is GUI. you don't need to click on gtk/qt
> > widgets to access details of password entries.
> > gtk/qt is a massive overkill.
>
> Please check the meaning of " GUI " and try to answer my statement again.

xterm/urxvt is a gui. it can render images too. e.g. seen ranger? but nitpick aside, i know what you want. you want an app that uses gtk or qt libraries, so that you get some buttons to click on with your mouse, and menus and scrollbars to drag around — but why would you seek to do this to yourself? very sadistic.

if you check the latest version in this dev branch (wip, code will improve next month):

https://github.com/Al-Caveman/nsapass/tree/space-cephalopod

you'll find a neat interactive feature and a search feature that allows you to, say, retrieve passwords really fast. e.g. `nsapass get c p` would equate `nsapass get caveman protonmail` (if c p makes it unique).

> > > This makes portability a problem. Exactly why keepass (and clones) are
> > > used more.
> >
> > compatibility with keepassxc is extremely
> > overrated. it's easy to port nsapass to
> > windows/apple (may even work out of the box,
> > didn't try).
>
> Compatibility with "keepass" (keepassxc is already a different tool/clone) is
> important and makes it simpler to use the same database on different
> environments.
> You might be happy with a simplistic database that only stores a few
> passwords. I tend to deal with passwords that are shared within teams because
> the hardware involved only supports a single account. This makes tools like
> keepass important.

curious, any standardized or special hardware that works with keepass? e.g. some kind of dual factor authentication? or maybe USB sticks that give you some physical button to, mechanically, select if the passwords inside should be read? anything else interesting?

about `few passwords'. i'm also curious why do you think so? e.g. here is a quick test with an outrageously unrealistic test of 1 million key entries in nsapass:

- 3.9 seconds for scrypt to decrypt the file. for a good reason that makes it more secure than keepass's aes 256-bit enc.
- 2.6 seconds for python's json to parse the file (parsing 1 mil entries).
- everything else was instantaneous after that (just a dictionary lookup).

about your team, not sure about your point. you said that nsapass is simplistic. so i guess this means that keepass offers you something more? or is it just that you have more people already using it and too lazy to migrate?

> > > Nice, a full detailed list of every single change to your passwords :)
> >
> > no. how do you backup your passwords file?
> > dropbox? flash disk? it's up to you. this is
> > unrelated to the passwords manager.
>
> Actually, the more copies with changes to your passwords there are, the easier
> it will be to guess your passwords.

i never denied this. nothing in nsapass that makes you copy passwords with changes. i don't know where you got this. i personally use git to copy my passwords database around, but this -obviously- has nothing to do with nsapass.

> > > The likes of NSA don't actually care about your (dis)approval.
> >
> > no one does. not unique to nsa. people
> > exaggerate nsa as if they are any better.
> > tbh, nsa is even better than most of our
> > neighbours. if our phones fall in the hands of
> > our neighbours, next day most people will find
> > themselves in pornhub. but nsa can get it all,
> > and yet they still didn't leak it to pornhub (at
> > least not as much).
>
> No, they leak it to the press and wikileaks.

leakers like snowden? doesn't media call them ``heroes''? see, NSA is made of decent people. they either keep our secrets better than our neighbours do, or, when they leak it, they do so for a good cause and become ``heroes''. i personally trust NSA much better than my trust to my neighbours (no comparison).

nothing personal against my neighbours, decent people, but they are less educated than NSA's staff. it's just a matter of honesty to state that media's stance against NSA is unfair imo. even though this statement will probably harm the reputation of nsapass as i'm its dev and i'm flirting NSA (not that it matters though).
Re: [gentoo-user] Re: Local mail server
On 7/31/20 2:01 PM, Grant Edwards wrote:
> There may be half way decent ISPs in the US, but I haven't seen one in over 20 years since the last one I was aware of stopped dealing with residential customers. They were a victim of the "race to the bottom" when not enough residential customers were willing to pay $10 per month over what Comcast or US-West was charging for half-assed, crippled internet access).

I think there is probably a good correlation between size and desire to be good and provide service. I've found that smaller ISPs (who actually try as opposed to cheating people) tend to be better. Sadly, many of these Mom & Pop type ISPs were consumed during the aptly described race to the bottom. :-(

I still do consulting work with a small M ISP in my home town and I have a small municipal ISP where I am now. Both are quite good in many regards. Unfortunately, neither of them offer IPv6.

-- Grant. . . . unix || die
Re: [gentoo-user] Re: Local mail server
On 7/31/20 2:05 PM, Grant Edwards wrote:
> Nit: DHCPv6 can be (and usually is) dynamic, but it doesn't have to be. It's entirely possible to have a static IP address that your OS (or firewall/router) acquires via DHCPv6 (or v4). [I set up stuff like that all the time.]

Counter Nit: That's still acquiring an address via /Dynamic/ Host Configuration Protocol (v6). It /is/ a /dynamic/ process.

Static IP address has some very specific meaning when it comes to configuring TCP/IP stacks. Specifically that you enter the address to be used, and it doesn't change until someone changes it in the configuration.

Either an IP address is statically entered -or- it's dynamic. The fact that it's returning the same, possibly predictable, address is independent of the fact that it's a /dynamic/ process.

-- Grant. . . . unix || die
Re: [gentoo-user] Re: Local mail server
On 7/31/20 1:54 PM, Grant Edwards wrote:
> If I had a week with nothing to do, I'd love to try to get something like that working

You don't need a week. You don't even need a day. You can probably have a test tunnel working (on your computer) in less than an hour. Then maybe a few more hours to get it to work on your existing equipment (router) robustly and automatically on reboot.

I encourage you to spend that initial hour. I think you will find that will be time well spent.

Hurricane Electric does have something else that will take more time, maybe a few minutes a day over a month or so. Their IPv6 training program (I last looked a number of years ago) is a good introduction to IPv6 in general. Once you complete it, they'll even send you a shirt as a nice perk.

Note: H.E. IPv6 training is independent and not required for their IPv6-in-IPv4 tunnel service.

> but, I assume you need a static IPv4 address.

Nope. Not really. You do need a predictable IPv4 address. I'm using a H.E. tunnel on a sticky IP (DHCP with long lease and renewals) perfectly fine. If your IP does change, you just need to update the tunnel or create a new one to replace the old one. This is all managed through their web interface.

-- Grant. . . . unix || die
Re: [gentoo-user] Local mail server
On 7/31/20 12:01 PM, james wrote:
> yep, at least (2) static IPs.

You can actually get away with one static IP. It's ill advised. But it will function.

You can also have external 3rd party secondary DNS servers that pull from your (private) primary DNS server. You might even be able to get this communication over a VPN if the secondary DNS server operator is cooperative.

> Once running I'll find a similar bandwidth usage organization and swap DNS secondary services.

That's a nice idea. But I've not bothered with that in about 18 years. I have Linode DNS servers be secondaries for my domains and point the world at them. I'm still in complete control of the domains via my personal primary DNS server.

Note: I'm not offering reciprocal secondary DNS service. This is a trivial (for Linode) perk that I get by being a customer for other things. I think a single < $5 / month VPS qualifies me. (I don't remember if there is a lower tier VPS or not.)

> Nowadays with all the issues with CA and other similar/related issues, that might get complicated.

Don't let those features blind you, especially if you don't want to use their features. Also be mindful of ascribing credit to them if they are simply front ending something like Let's Encrypt, which you can do on your own for free.

> (2) static IPs for (2) dns primary resolvers should get me going.

1 static IP somewhere will get you started. ;-)

> Verizon killing its email services:
> https://www.inquirer.com/philly/blogs/comcast-nation/Verizon-exiting-email-business.html

I'm not at all surprised.

> Well, it's probably not appropriate for me to "finger" specifics. But if you just learn about all the things some carriers are experimenting with, in the name of 5G, it is a wide variety of experimentation, to put it mildly.

5G is just the latest in a long line of motivators that have caused providers to do questionable things.

> Forking the internet into 1. China & pals 2. European Member states. 3. USA and allies.

I've not yet seen any indication that these geopolitical issues are influencing the technological standards that are used. Sure, they are influencing who they are used with, and in some cases /not/ used with. But, thus far, the underlying technical standards have been the same.

> But someone like you (Grant) could help guide and document a gentoo centric collective that provides for email services, secure/limited web servers and a pair of embedded/DNS (primary) resolvers so we can keep email systems alive.

A couple of things:

1) Nothing about what I'm suggesting is Gentoo, or even Linux, specific. The same methodologies can be used on other OSs.

2) I don't think that email is going to die. It certainly won't do it faster than Usenet has (not) done. (Usenet is still alive and quite active.)

Yes, email is growing and changing. But each and every one of us that thinks about running our own email server has a tiny bit of influence in that through our actions.

> Thanks for your insight and suggestions.

You're welcome. :-)

-- Grant. . . . unix || die
Re: [gentoo-user] Local mail server
On 7/31/20 1:39 PM, james wrote:
> I'd like to start with a basic list/brief description of these, please?

They basically come down to two broad categories:

1) Have the "static" IP bound to an additional network interface on the destination system and leverage routing to get from clients to it.

2) Have the "static" IP bound to a remote system that forwards traffic to a different address on the local system. Traffic frequently spans the network between the local system and the remote system through some sort of VPN.

Note: VPNs can be encrypted or unencrypted.

I think one of the simpler things to do is to have something like a Raspberry Pi (a common, simple, inexpensive example) SSH to a Virtual Private Server somewhere on the Internet and use remote port forwarding.

    root@pi# ssh root@vps -R 203.0.113.23:25:127.0.0.1:25

Note: I'm using root to simplify the example. Apply security best practices.

This will allow port 25 on a VPS with a (true) static IP (configured in /etc/conf.d/net) to receive TCP connections and forward them to your local mail server completely independent of what IP your local Pi may connect to the Internet with. Your MX record(s) resolve to the IP address of the VPS. You can change local IPs or ISPs or even country as often as you like.

Another more complex method is to use a more traditional VPN; e.g. GRE tunnel, IPsec tunnel, SSH L2 / L3 tunnel, OpenVPN, WireGuard and IP forwarding on the VPS to route the TCP connections to the local mail server.

Things quickly get deep in minutia of what method you want to use and what you want to go over it.

I think the SSH remote port forwarding is an elegant technique. It's relatively simple and it has the added advantage that when the connection is down the VPS will not establish a TCP connection (because ssh is not listening on the remotely forwarded port) thus remote connecting systems will fail hard / fast, thus it's more likely to be brought to a human's attention.

-- Grant. . . . unix || die
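The one-line forward above hides two things a practitioner needs to know before relying on it. The script below is an added example, not code from the thread or from any project: it wraps the same `-R` forward with the options that make it restartable by a supervisor, and it checks the VPS's sshd_config for GatewayPorts, which must be `yes` or `clientspecified` for a non-loopback bind address in `-R` to take effect (with the default `no`, sshd quietly binds the forward to 127.0.0.1 on the VPS and nothing from the Internet reaches port 25). The host name `vps`, the address 203.0.113.23 and the port numbers are the hypothetical values from the message; the sshd_config contents it is run against are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): robust wrapper for
#   ssh root@vps -R 203.0.113.23:25:127.0.0.1:25
# plus a check of the server-side setting the forward depends on.
# Hypothetical values: VPS reachable as "vps", static address 203.0.113.23,
# local MTA listening on 127.0.0.1:25.
set -eu

# Assemble the ssh command line.
#   -N                        forwarding only, no remote shell
#   ExitOnForwardFailure=yes  exit instead of staying up with no listener
#   ServerAlive*              tear down a dead session after ~90 s so a
#                             supervisor (autossh, an OpenRC/systemd service
#                             with restart) can redial
# $1 user@host   $2 bind address on the VPS   $3 VPS port   $4 local MTA port
build_forward_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:127.0.0.1:%s %s\n' \
        "$2" "$3" "$4" "$1"
}

# Print the effective GatewayPorts value from an sshd_config-style file ($1).
# sshd uses the first occurrence of a keyword, so stop at the first match;
# commented lines start with '#' and never match.  Match blocks are not
# evaluated here.  Default when absent: "no".
gatewayports_setting() {
    awk 'tolower($1) == "gatewayports" { v = tolower($2); exit }
         END { if (v == "") v = "no"; print v }' "$1"
}

# Exit status 0 when a non-loopback bind address in -R will be honoured.
forward_allowed() {
    case "$(gatewayports_setting "$1")" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: sh forward.sh /path/to/sshd_config-copied-from-vps
if [ "${1:-}" != "" ]; then
    if forward_allowed "$1"; then
        build_forward_cmd root@vps 203.0.113.23 25 25
    else
        echo "GatewayPorts is '$(gatewayports_setting "$1")' on the VPS; set it to clientspecified first" >&2
        exit 1
    fi
fi
```

Two security caveats go with this arrangement. The MTA on the Pi sees every forwarded connection as arriving from 127.0.0.1, so a Postfix configuration that trusts loopback (`mynetworks` covering 127.0.0.0/8 together with `permit_mynetworks` in the relay restrictions) would turn the box into an open relay; forward to a dedicated listener whose restrictions do not trust loopback, and accept that anything keyed on the client address (DNSBLs, per-client rate limits, SPF checks on the connecting host) cannot see the real peer. On the VPS, give the Pi its own key and confine it with authorized_keys options such as `restrict,port-forwarding,permitlisten="203.0.113.23:25"` so that key can open exactly this listener and nothing else.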
[gentoo-user] oauth2 and apache web pages
Hi. I would like to set up my apache configuration such that for certain web pages, someone must log in with credentials. I know how to set up basic authentication, but I would like to set up so the user needs oauth2 or similar to log into the page, as I understand basic authentication is not very secure these days. I did not see anything in the tree to do this, I saw an apache module on github, but still not sure how to do this, so any tips along these lines would be appreciated. Thanks in advance for any suggestions. -- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici wb2una cov...@ccs.covici.com
Re: [gentoo-user] Python 2.7 removal : problem with Firefox + Spidermonkey
On Sat, Aug 01, 2020 at 01:05:30AM -0400, Walter Dnes wrote
> I have another idea. We already have firefox-bin and libreoffice-bin
> ebuilds where the compiled tarball is pulled down from upstream, and
> untarred. Would this work on Pale Moon? I guess it comes down to
> whether or not python 2.7 is a run-time dependency as well as a build
> time dependency. I'll ask on the Pale Moon forum.

I checked, and it looks like python 2.7 is a build-time dependency only. Pale Moon will *RUN* just fine without python. Runtime system requirements according to http://linux.palemoon.org/download/mainline/

* A modern Linux distribution. The browser may not work well on old or LTS releases of Linux.
* A modern processor (must have SSE2 support as the absolute minimum).
* 1GB of RAM (2GB or more recommended for heavy use).
* GTK+ v2.24
* GLib 2.22 or higher
* Pango 1.14 or higher
* libstdc++ 4.6.1 or higher

So a "palemoon-bin" ebuild is possible. But is it necessary? If you pull down and extract the precompiled tarball to your home dir, it can be set to check for, and do, updates (as long as you have write permission to the Pale Moon directory). No need for portage to do it.

-- 
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] custom mount fstab
On Fri, 3 Jul 2020 16:33:42 +0200
Tamer Higazi wrote:

> Thanks Michael!
>
> I'll give it a try.
>
> best, Tamer
>
> On 3 Jul 2020 at 15:46, Michael wrote:
> > On Friday, 3 July 2020 14:33:52 BST Tamer Higazi wrote:
> > > Hi people,
> > >
> > > I had a problem with docker on gentoo and found the solution for all my problems with a custom mount command:
> > >
> > >     sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
> > >
> > > Can anybody of you tell me how to add that one in /etc/fstab file?
> > >
> > > best, Tamer
> >
> > I haven't used cgroups or docker, but if your mount command above is correct, I assume something like this ought to work as far as fstab is concerned:
> >
> >     cgroup /sys/fs/cgroup/systemd cgroup none,name=systemd 0 1

Hi,

Not sure if this may help but there is a library which you can install called dev-libs/libcgroup which has an init program /etc/init.d/cgconfig

In the config file /etc/cgroup/cgconfig I have

    mount {
        "name=systemd" = /sys/fs/cgroup/systemd;
    }

which allows lxd containers to run using systemd

Not sure if this is what you are after but maybe of use. It allows me to run Arch linux containers in Gentoo.

John
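An fstab entry is applied once at boot; when the same mount is instead done from a local.d or init script, the script should first check that the named hierarchy is not already mounted, otherwise a second run stacks another mount on the same point. The script below is an added example, not code from the thread or from libcgroup: it parses /proc/self/mountinfo for a `cgroup` mount at the given mountpoint whose super options carry `name=systemd`, and only when none is found runs the mount command quoted above. The mountinfo lines it is tested against are constructed, not captured from a real system. One side note on the fstab line suggested above: pseudo-filesystems are normally given an fs_passno of 0 so that `fsck -A` does not try to run a checker for them.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent mount of the named
# "systemd" cgroup v1 hierarchy, suitable for /etc/local.d or an init script.
set -eu

# Is a cgroup hierarchy with name=systemd mounted at $1?
# $2 is the mountinfo file (default /proc/self/mountinfo; overridable so the
# parser can be exercised offline).
# mountinfo layout: id parent maj:min root MOUNTPOINT opts [optional...] - FSTYPE SOURCE SUPEROPTS
# The optional fields vary in number, so fstype and superopts are indexed from
# the end of the line: $(NF-2) and $NF.
named_cgroup_mounted() {
    awk -v mp="$1" '
        $5 == mp && $(NF-2) == "cgroup" && index("," $NF ",", ",name=systemd,") > 0 { found = 1; exit }
        END { exit (found ? 0 : 1) }' "${2:-/proc/self/mountinfo}"
}

# Mount the hierarchy exactly as in the thread (no controllers, named
# "systemd") unless it is already there.
ensure_named_cgroup() {
    mp=/sys/fs/cgroup/systemd
    if named_cgroup_mounted "$mp"; then
        echo "$mp already mounted" >&2
        return 0
    fi
    mkdir -p "$mp"
    mount -t cgroup -o none,name=systemd cgroup "$mp"
}

# Constructed sample of the relevant mountinfo lines (not captured from a
# real machine), used to exercise the check without root.
sample_mountinfo() {
    cat <<'EOF'
24 30 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
35 24 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs rw,mode=755
36 35 0:31 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,name=systemd
37 35 0:32 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,cpu
EOF
}

# Stand-alone usage (as root): sh cgroup-systemd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_named_cgroup
fi
```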
Re: [gentoo-user] nsapass - alternative to keepassxc (and others)
On Sunday, 19 July 2020 09:48:35 CEST Caveman Al Toraboran wrote:
> ‐‐‐ Original Message ‐‐‐
>
> On Saturday, July 18, 2020 11:13 PM, J. Roeleveld wrote:
> > This is not a GUI
>
> xterm is GUI. you don't need to click on gtk/qt
> widgets to access details of password entries.
> gtk/qt is a massive overkill.

Please check the meaning of " GUI " and try to answer my statement again.

> > This makes portability a problem. Exactly why keepass (and clones) are
> > used more.
>
> compatibility with keepassxc is extremely
> overrated. it's easy to port nsapass to
> windows/apple (may even work out of the box,
> didn't try).

Compatibility with "keepass" (keepassxc is already a different tool/clone) is important and makes it simpler to use the same database on different environments.

You might be happy with a simplistic database that only stores a few passwords. I tend to deal with passwords that are shared within teams because the hardware involved only supports a single account. This makes tools like keepass important.

> > Nice, a full detailed list of every single change to your passwords :)
>
> no. how do you backup your passwords file?
> dropbox? flash disk? it's up to you. this is
> unrelated to the passwords manager.

Actually, the more copies with changes to your passwords there are, the easier it will be to guess your passwords.

And no, I do not use dropbox, I use a secure filestore for this.

> > The likes of NSA don't actually care about your (dis)approval.
>
> no one does. not unique to nsa. people
> exaggerate nsa as if they are any better.
>
> tbh, nsa is even better than most of our
> neighbours. if our phones fall in the hands of
> our neighbours, next day most people will find
> themselves in pornhub. but nsa can get it all,
> and yet they still didn't leak it to pornhub (at
> least not as much).

No, they leak it to the press and wikileaks.

-- 
Joost