Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Grant Taylor

On 6/1/21 3:38 PM, Michael Orlitzky wrote:
> *Any* CA can just generate a new key and sign the corresponding 
> certificate.


This is where what can /technically/ be done diverges from what is 
/allowed/ to be done.


CAs adhering to the CA/B Forum's requirements on CAA records means that 
they aren't allowed to issue a certificate for a domain that doesn't 
list them in the CAA record.


If a CA violates the CAA record requirement, then the CA has bigger 
issues and will be subject to being distrusted en masse.


Certificate Transparency logs make it a lot easier to identify if such 
shenanigans are done.  --  I think that the CA/B Forum is also requiring 
C.T. Logs.


Also, CAs /should/ *NOT* be generating keys.  The keys should be 
generated by the malicious party trying to pull the shenanigans that 
you're talking about.


> All browsers will treat their fake certificate corresponding to the 
> fake key on their fake web server as completely legitimate. The "real" 
> original key that you generated has no special technical properties 
> that distinguish it.


Not /all/ browsers.  I know people that have run browser extensions to 
validate the TLS certificate that they receive against records published 
via DANE in DNS, which is protected by DNSSEC.  So it's effectively 
impossible for a rogue CA and malicious actor to violate that chain of 
trust in a way that can't be detected and acted on.




--
Grant. . . .
unix || die



Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread William Kenworthy


On 1/6/21 9:29 pm, Rich Freeman wrote:
> On Tue, Jun 1, 2021 at 7:59 AM Adam Carter  wrote:
>>> And another "wondering" - all the warnings about trusting self signed
>>> certs seem a bit self serving. Yes, they are trying to certify who you
>>> are, but at the expense of probably allowing access to your
>>> communications by "authorised parties" (such as commercial entities
>>> purchasing access for MITM access - e.g. certain router/firewall
>>> companies doing deep inspection of SSL via resigning or owning both end
>>> points).
>> AFAIK in an enterprise MITM works by having a local CA added to the cert 
>> stores of the workstation fleet, and having that CA auto generate the certs 
>> for MITM. That didn't work with certificate pinning, but pinning has been 
>> deprecated.
> So, I don't know all the ways that pinning is implemented, but if
> you're talking about using MITM to snoop on enterprise devices on the
> enterprise network I'd think that pinning wouldn't be an issue,
> because you control the devices from cradle to grave.  Just ensure the
> pinned certificates are the ones that let you MITM the connections.
>
> Now, if your organization has some sort of guest network for
> non-enterprise devices then pinning would obviously block MITM of
> connections made by those devices.  Really though I'm not sure you'd
> want to be snooping stuff like this - it seems like more legal
> headaches than it is worth.  You want to sniff your OWN traffic for
> IDS/etc or other unauthorized use, and since you're sniffing traffic
> from devices you own you don't have the same legal issues (I won't say
> no legal issues, but certainly monitoring your own devices is very
> different from monitoring those you don't own).  You shouldn't even be
> allowing uncontrolled devices on those networks in the first place.
> If you want to detect unauthorized devices MITM isn't really the best
> solution - just use positive authentication of known-good devices
> up-front and anything that doesn't pass that test is treated as a
> threat and shouldn't even be able to send traffic.

When discussing what traffic is looked at in an educational setting, it
looked like the system examined everything except mainline banking URLs.

For OpenVPN through a MiTM SSL proxy: Double wrap in SSL - outer one
uses their cert so it does not fail that test - inner one uses your self
signed cert for OpenVPN running on port 443 TCP.  At the destination use
the sslh multiplexor to divert SSL to stunnel/second sslh instance etc.
to strip the SSL wrapping appropriately.  (Works using a combination of
proxytunnel on the Windows side and stunnel on the Linux end if needed -
very flexible.)  There are a few other enhancements for pinholing
more difficult sites.  Performance is entirely adequate for a road
warrior setup when travelling (via a Raspberry Pi AP).  I have had to
get a lot more sophisticated than back in the day when httptunnel was
all that was needed :)

BillK





Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Fannys
On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld"  wrote:
>On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote
>> 
>> > 125 config files in /etc/ssl/certs needs update.
>> > 
>> > For certificates I would expect the old and invalid ones to be
>> > replaced by newer ones without user intervention.
>> 
>>   Looking through them is "interesting".  There seem to be a lot of
>> /etc/ssl/certs/.0 files, where "?" is either a random number or
>> a lower case letter.  These all seem to be symlinks to
>> /etc/ssl/certs/.pem.  Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/.crt.  How much
>> do we trust China?  There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
>> other suspicious regimes in there?
>
>I've always wondered about the amount of CAs that are auto-trusted on
>any system. Including several from countries with serious human rights
>issues.
>
>I could do with a tool where I can easily select which CAs to trust
>based on country.
>
>--
>Joost

Is there actually any tool that can let me pick my certificates?
If I go and start randomly deleting certificates from regimes I don't like, will 
there be any "breaking change"? 
I suppose Firefox uses its own certificate store though.

Marinus




Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Michael Orlitzky
On Tue, 2021-06-01 at 15:25 -0600, Grant Taylor wrote:
> 
> The proper way to configure certificates is:
> 
> 1)  Create a key on the local server.
> 2)  Create a Certificate Signing Request (a.k.a. CSR) which references, 
> but does not include, the key.
> 3)  Ask a CA to sign the CSR.
> 4)  Use the certificate from the CA.
> 
> The important thing is that the key, which is integral to the encryption 
> *NEVER* *LEAVES* *YOUR* *CONTROL*!
> 

*Any* CA can just generate a new key and sign the corresponding
certificate. All browsers will treat their fake certificate
corresponding to the fake key on their fake web server as completely
legitimate. The "real" original key that you generated has no special
technical properties that distinguish it.





Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Grant Taylor

On 5/31/21 11:15 PM, William Kenworthy wrote:

> And another "wondering" - all the warnings about trusting self signed
> certs seem a bit self serving.


No, it's not self serving.

Considerably more people than public certificate authorities bemoan self 
signed certificates.


Consider this:

1)  Your web site uses a self signed certificate and you have trained 
users to blindly accept and trust the certificate presented to them.
2)  Someone decides to intercept the traffic and presents a different 
self signed certificate to the end users while proxying the traffic on 
to you.
3)  Your end users have no viable way to differentiate between your self 
signed certificate and the intercepting self signed certificate.


Without someone - which you trust - vouching for the identity of the 
party that you're connecting to, you have no way to know that you are 
actually connecting to the party that you are intending to connect to.


> Yes, they are trying to certify who you are, but at the expense of 
> probably allowing access to your communications by "authorised parties"


Nope.  Not at all.  (Presuming that it's done properly.  More below.)

The /only/ thing that the certificate does / provides is someone - whom 
end users supposedly trust - vouching that you are who you say you are. 
The CA has nothing in the actual communications path.  Thus they can't 
see the traffic even if they wanted to.


The proper way to configure certificates is:

1)  Create a key on the local server.
2)  Create a Certificate Signing Request (a.k.a. CSR) which references, 
but does not include, the key.
3)  Ask a CA to sign the CSR.
4)  Use the certificate from the CA.

The important thing is that the key, which is integral to the encryption 
*NEVER* *LEAVES* *YOUR* *CONTROL*!


Thus there is no way that a CA is even capable of getting in the middle 
of the end-to-end communications between you and your client.


There have been some CAs in the past that would try to do everything on 
their server.  But in doing so, they violate the security model.  Don't 
use those CAs.


*YOU* /must/ generate the key /locally/.  Anything else is broken security.

> (such as commercial entities purchasing access for MITM access - 
> e.g. certain router/firewall companies doing deep inspection of 
> SSL via resigning or owning both end points).


This is actually exceedingly difficult to do, at least insofar as 
decryption and re-encrypting the traffic.  Certificate Transparency logs 
help ensure that a CA doesn't ... inadvertently ... issue a certificate 
that they should not.  Or at least it makes it orders of magnitude 
easier to identify and detect when such ... mistakes happen.


There is also the Certificate Authority Authorization record that you 
can put in DNS that authorizes which CA(s) can issue certificates for a 
domain.  A few years ago we passed the deadline where all CAs had to 
adhere to the CAA record.  As in the Certificate Authority / Browser 
forum / consortium / term??? has non-renewed anybody who wasn't adhering 
to CAA.  This is water so far under the bridge that it's over the 
waterfall, out to ocean, evaporated, and is raining down again.


Also, DNSSEC protects DNS in that it makes it possible to authenticate 
the information you receive.  Thus you can detect when things aren't 
authenticated and you know they should be.


> If it's only your own communications and not with a third, commercial 
> party self signed seems a lot more secure.


Nope.  3rd parties don't have access to the encrypted communications. 
The only thing they have access to is saying if you are you or not. 
Yes, that's Bob over there in the corner.  But I have no idea what he's 
talking about b/c MATH.


Note the words "signed" and "signing".  A Certificate Authority signs a 
certificate signing request, thus vouching for the identity of the 
entity submitting the CSR.  You obviously can sign your own CSR.  That's 
where a self-signed certificate comes from.  But you have nobody vouching 
for who the far entity is, much less who vouched for them.


Speaking of who vouched for them, and how do we trust them?  That's 
where the hashes in /etc/ssl (or wherever it is) come into play.  Your 
system has a public key for /trusted/ root CAs.  Thus when your system 
sees a certificate signed by a CA, it computes the hash, looks for the 
public key as the hash file on your local system.  If the file exists 
and all the math passes, then the root certificate is trusted.  If the 
root certificate is trusted, then your system will trust the certificate 
that the CA is vouching for.


This is all ... something ... having to do with who is vouching for whom 
and do you trust the vouching party or not.


But at no time does a CA have access to the encrypted communications, 
as long as things were done properly in that the keys were generated 
locally.




--
Grant. . . .
unix || die
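Both of Grant's remarks about CAA in this thread (that a CA honouring the CA/B Forum rules may not issue for a domain whose CAA record does not list it, and that honouring CAA has been mandatory for some years) describe a concrete decision procedure, the one RFC 8659 spells out. The Python below is an added example, not code from the thread or from any CA. The zone data is constructed (names under .example stand in for real CAs) and nothing is queried over the network; pointed at your own zone's records it works as a lint of which CAs your policy actually permits, including the wildcard and unknown-critical-tag cases that are easy to get wrong.

```python
"""CAA policy check after RFC 8659: which CA may issue for which name.

Added example; the zone data is constructed and no DNS queries are made.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 128                       # issuer-critical bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, presentation: str) -> "CAARecord":
        """Parse zone-file presentation form, e.g. '0 issue "ca-one.example"'."""
        flags, tag, value = presentation.split(maxsplit=2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data: owner name -> CAA RRs. Names under .example are
# reserved and stand in for real CAs.
ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "ca-one.example"',
        '0 issue "ca-two.example; accounturi=https://ca-two.example/acct/123"',
        '0 issuewild ";"',                     # no CA may issue wildcard certs
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com": ['0 issue "ca-two.example"'],
    "locked.example.com": ['0 issue ";"'],    # nobody may issue for this name
    "odd.example.com": ['128 futuretag "x"'],  # critical flag on an unknown tag
}


def relevant_rrset(fqdn: str, zone: Dict[str, List[str]] = ZONE) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: the CAA RRset of the name itself or of its closest
    ancestor that has one. None means no CAA exists anywhere up the tree."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels)
        if owner in zone:
            return [CAARecord.parse(rr) for rr in zone[owner]]
        labels = labels[1:]
    return None


def issuance_permitted(ca_domain: str, fqdn: str, zone: Dict[str, List[str]] = ZONE) -> bool:
    """Decide whether `ca_domain` may issue a certificate for `fqdn`."""
    rrset = relevant_rrset(fqdn, zone)
    if rrset is None:
        return True                  # no CAA policy: issuance is unrestricted

    # A record we do not understand but whose critical flag is set forbids issuance.
    if any(rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False

    governing = [rr for rr in rrset if rr.tag == "issue"]
    if fqdn.startswith("*."):
        issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
        if issuewild:                # issuewild overrides issue for wildcard names
            governing = issuewild
    if not governing:
        return True                  # CAA present, but nothing restricts this request

    for rr in governing:
        issuer_domain = rr.value.split(";", 1)[0].strip().lower()
        # An empty issuer domain ('issue ";"') matches no CA at all.
        if issuer_domain and issuer_domain == ca_domain.lower():
            return True
    return False


def iodef_contacts(fqdn: str, zone: Dict[str, List[str]] = ZONE) -> List[str]:
    """Where a CA reports a request that the policy rejected."""
    rrset = relevant_rrset(fqdn, zone) or []
    return [rr.value for rr in rrset if rr.tag == "iodef"]


if __name__ == "__main__":
    for ca in ("ca-one.example", "ca-two.example", "rogue-ca.example"):
        for name in ("www.example.com", "*.example.com", "legacy.example.com"):
            verdict = "permitted" if issuance_permitted(ca, name) else "DENIED"
            print(f"{ca:18} {name:22} {verdict}")
```

Two details worth noticing: a name with no CAA record of its own inherits its parent's policy (www.example.com is governed by example.com), and `issuewild ";"` lets the listed CAs issue ordinary certificates while forbidding every wildcard.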



Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Grant Taylor

On 5/29/21 12:26 AM, Walter Dnes wrote:
> Looking through them is "interesting".  There seem to be a lot of 
> /etc/ssl/certs/.0 files, where "?" is either a random number 
> or a lower case letter.


They aren't random at all.  They are a fingerprint (hash) of signing (?) 
certificates.  The fingerprint is generated in a deterministic manner.


The sym-links (or hard links) are a convenient way to associate a hash 
back to the cert file that it's representing.


root@host#  ln -s /path/to/cert /etc/ssl/certs/$(openssl x509 -noout -hash -in /path/to/cert).0   # ".0" is the index OpenSSL looks for; use .1, .2, ... if that hash already exists


The hash is what things validating things use.  They have no good way to 
determine what the file name would be.  So they compute and look up the 
hash.


You could name all the files with hashes.  But that would make it quite 
annoying ~> difficult, impractical, bordering on impossible for a human 
to maintain.  So, instead, the trusted root certificates are stored by a 
human friendly name and the hashes point to the file via a sym-link.


> These all seem to be symlinks to /etc/ssl/certs/.pem. 


Quite likely.

> Each of those files is in turn a symlink 
> to /usr/share/ca-certificates/mozilla/.crt.


Maybe / probably.  Definitely for root certificates that are part of the 
Mozilla Security Suite.  But it's definitely possible to have other root 
certificates through the same system.  E.g. you run your own private / 
enterprise CA.



> Any other suspicious regimes in there?


I'm confident that it depends on where you are in the world.

Let's keep things apolitical and purely technical.



--
Grant. . . .
unix || die
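Grant's explanation here, and his earlier note that a verifier computes a hash of the signing certificate's name and looks for a file of that name under /etc/ssl, can be made concrete. The Python below is an added example, not code from the thread or from OpenSSL: it builds a tiny trust store from constructed subject names, computes the old-style OpenSSL subject hash (MD5 over the DER-encoded subject Name, first four digest bytes read little-endian, as `openssl x509 -subject_hash_old` prints it), assigns the `.0`, `.1`, ... suffixes the way `c_rehash` does for colliding hashes, and performs the lookup a verifier does starting from a leaf's Issuer field. The minimal DER encoder, the "XX" country code and the organisation and CA names are constructed for the example; OpenSSL 1.0.0 and later default to a SHA-1 hash over a canonicalised Name (`-hash` / `-subject_hash`), which this does not reproduce, but the directory layout and lookup logic are identical for both.

```python
"""How /etc/ssl/certs/<hash>.N links are named and used.

Added example, not code from the thread or from OpenSSL. Reproduces the
old-style OpenSSL subject hash (X509_NAME_hash_old); the SHA-1 canonical
hash used by modern OpenSSL is not implemented here.
"""
import hashlib
from typing import Dict, List, Tuple

# DER-encoded OID bodies for the attribute types the encoder below supports.
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, including long-form lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def der_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Encode an X.500 Name: SEQUENCE OF (SET OF SEQUENCE {OID, PrintableString})."""
    sets = []
    for attr, value in rdns:
        atv = der_tlv(0x06, OID[attr]) + der_tlv(0x13, value.encode("ascii"))
        sets.append(der_tlv(0x31, der_tlv(0x30, atv)))   # one single-valued RDN
    return der_tlv(0x30, b"".join(sets))


def subject_hash_old(name_der: bytes) -> str:
    """X509_NAME_hash_old: MD5(DER Name), bytes 0..3 little-endian, 8 hex digits."""
    md = hashlib.md5(name_der).digest()
    value = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)
    return f"{value:08x}"


def build_hash_dir(store: Dict[str, bytes]) -> Dict[str, str]:
    """Mimic `c_rehash` / `openssl rehash`: map "<hash>.N" to the human-friendly
    file name. N counts certificates whose subject hashes collide, starting at
    0, which is why almost every link in /etc/ssl/certs ends in ".0"."""
    links: Dict[str, str] = {}
    seen: Dict[str, int] = {}
    for filename in sorted(store):
        h = subject_hash_old(store[filename])
        n = seen.get(h, 0)
        links[f"{h}.{n}"] = filename
        seen[h] = n + 1
    return links


def find_issuer(issuer_name_der: bytes, links: Dict[str, str]) -> List[str]:
    """What a verifier does with a leaf's Issuer field: hash it, then try
    <hash>.0, <hash>.1, ... until one is missing. The file name is never needed."""
    h = subject_hash_old(issuer_name_der)
    found, n = [], 0
    while f"{h}.{n}" in links:
        found.append(links[f"{h}.{n}"])
        n += 1
    return found


def example_subject(cn: str) -> bytes:
    """Constructed subject Name; "XX" is a user-assigned country code."""
    return der_name([("C", "XX"), ("O", "Example Trust"), ("CN", cn)])


# Constructed sample trust store: file name -> subject Name of the root it holds.
SAMPLE_STORE: Dict[str, bytes] = {
    "Example_Root_CA_1.crt": example_subject("Example Root CA 1"),
    "Example_Root_CA_3.crt": example_subject("Example Root CA 3"),
    # A re-issued root with the same subject but a new key: same hash, so it
    # gets the next index (.1) instead of overwriting the first link.
    "Example_Root_CA_1_2030.crt": example_subject("Example Root CA 1"),
}

if __name__ == "__main__":
    links = build_hash_dir(SAMPLE_STORE)
    for link, target in sorted(links.items()):
        print(f"/etc/ssl/certs/{link} -> {target}")
    print("issuer lookup:", find_issuer(example_subject("Example Root CA 1"), links))
```

So the `.0` is an index, not part of the hash: the first certificate with a given subject hash gets `.0`, a second one with the same subject (a re-issued root, for instance) gets `.1`, and a verifier walks them in order until one is missing.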



Re: [gentoo-user] pango failed to build

2021-06-01 Thread Daniel Frey

On 6/1/21 12:29 PM, n952162 wrote:

> on two different machines.  Is there some new USE variable I need?





I hit this and had to rebuild a package, but I forget which one...

I looked in my log and:

1622312280:  *** emerge --oneshot --regex-search-auto=y Locale-gettext

I had to emerge --oneshot dev-perl/Locale-gettext then it built.

Dan



[gentoo-user] pango failed to build

2021-06-01 Thread n952162

on two different machines.  Is there some new USE variable I need?




Re: [gentoo-user] it keeps growing

2021-06-01 Thread John Blinka
On Tue, Jun 1, 2021 at 11:23 AM Mark Knecht  wrote:

>
>
> On Tue, Jun 1, 2021 at 7:14 AM Dale  wrote:
> >
> > Hund wrote:
> > > On June 1, 2021 3:38:30 PM GMT+02:00, n952162  wrote:
> > >> 337 packages this month to be updated.  It keeps getting more and
> more.
> > >> Pretty soon, gentoo will overtake Bitcoin in energy use.
> > >>
> > >>
> > > One might then ask why you have so many packages? And why you have a
> computer that consumes enough power for you to be worried about it?
> > >
> > > --
> > > Hund
> > >
> > >
> >
> >
> > I was thinking along the lines of how many packages even binary distros
> > have to update.  I've installed binary based distros before and when
> > updating those, there can be hundreds, several hundred, packages to
> > upgrade.  Thing is, those same packages exist in Gentoo.  If one has a
> > very similar set of packages installed, odds are, almost the same
> > packages will update in either a source based distro like Gentoo or in a
> > binary based distro.  The only difference is Gentoo compiles from
> source.
> >
> > If one is really concerned about compile times or the amount of power
> > needed to run Gentoo up to date, then one has to question not the
> > updates but why use Gentoo??  While some large packages are available in
> > binary, Firefox, Libreoffice etc, the vast majority of Gentoo is
> > compiled from source.  It's why most people use Gentoo, compile from
> > source with features set like you want.  If one is limited in hardware
> > or power, Gentoo may not be a good option.
> >
> > Makes one think.
> >
> > Dale
> >
> > :-)  :-)
>
> I totally get why the Linux enthusiast or an IT guy tasked with specific
> requirements runs Gentoo. I did from 2001 through maybe early 2018.
>
> There are numerous reasons I moved from Gentoo to Kubuntu 3-4 years ago:
>
> - Kubuntu updates take, in general, less than 1 minute…Most important to
> me is in 3-4 years not a single one has failed. Download a little binary,
> install, done.
>
> - Gentoo lost its way (IN MY OPINION ONLY, and maybe it's better now) 4-5
> years ago in terms of a simple 'stable' release. There was a time when I
> couldn't update without ~amd64-ing some packages.
>

> Friendly, informative experts.
>
> Just my 1.5 cents worth
>

Another 1.5 cents:

I’ve been doing Gentoo for probably 20 years now.  I tend to migrate among
various application areas: numerical modeling, photography, video, and for
a while now a large medical wiki.  As my investment in self developed
software and photos has grown, I’ve added zfs to the mix for data
preservation.  I am neither an IT guy nor a Linux enthusiast.

Gentoo is the best computing environment I’ve ever experienced.  I moved to
it after trying to build some now forgotten Linux software on Slackware.
Getting the dependencies to build on Slackware’s then non-mainstream file
system layout defeated me.  And distros like Redhat took a Microsoft like
attitude toward my machine and blithely reformatted partitions that I
didn’t think I had given permission for them to touch.  Poof!  Data gone.
 (Yes, there were backups.) I quickly lost faith in distros like that.
Besides, they didn’t support all the things I wanted to do.  Back to doing
it myself and dependency hell.

I distinctly remember discovering Gentoo then and feeling intimidated by
the handbook.  But I went ahead.  The install was actually straightforward
and, with modest effort, got exactly the system I wanted. It’s been that
way ever since.

What I particularly like is that as my needs and interests have wandered
substantially, there’s always been a Gentoo path to support those needs and
interests.  And often enough, even a choice of paths.  And well written
documentation and a great user forum for support.

There have been hiccups over the years.  In the early days it wasn’t
uncommon to be deposited in some dependency conflict hell on updating or
adding new capabilities.  On occasion things got so screwed up that the
easiest path was a bare metal rebuild.

But it’s quite noticeable to me that maintenance has gotten much smoother
over the years.  I’ve had some massive updates in the past month.  No
conflicts, no build problems.  My update scripts “just work”.  And so does
everything once they complete.

Maintenance effort can be measured in various ways.  For me, my update
scripts take virtually all the effort out of it.  My machines might be
compiling all night when chromium, libreoffice, WebKit-gtk, and Firefox all
decide to upgrade simultaneously, but the time I personally spend is -
maybe - a couple minutes.  The machines do all the actual work.  And those
few minutes a day are well worth having had the same computing environment
for more than a decade, even through substantial changes in my software
focus.  And it’s been cool enough here this year for the heat generated to
be welcome! ;)

Definitely *not* arguing against anyone else’s tastes in computing or
maintenance.  Just expressing my pleasure that Gentoo 

Re: [gentoo-user] [Solved] gtk+ package question

2021-06-01 Thread Jack

On 2021.06.01 07:40, Mart Raudsepp wrote:

On a fine day, Sat, 29.05.2021 at 16:28, Jack wrote:
> I just noticed that the package x11-libs/gtk+ has slots 2 and 3 
> (nothing new there) however, it seems that version 4 has a totally
> new package gui-libs/gtk with only slot 0 (no explicit slot listed)
> with currently ~4.2.0 and 4.2.1 versions available.

They are in SLOT="4"

> I've done a quick 
> search through the announce and dev mailing lists, and not found 
> anything relevant.  Is this an intentional switch?  I don't think
> there 
> is much yet that uses version 4, but is there any planned migration 
> path?

Yes, this is an intentional plan from me, executed by others that had
the time available for it. There were IRC talks and probably some
comments on the relevant bugs.

* I consider it too disruptive to package move everything from x11-
libs/gtk+ to gui-libs/gtk, everyone would need to adapt to it in
overlays, etc
* SLOTs are really nothing more than keeping parallel-installable
packages under the same name, instead of having separate packages like
libgtk2, libgtk3, etc
* New parallel-installable version was a good time to make the switch,
with the old slots left behind in x11-libs until they naturally fall
out of use
* It is increasingly less used with X11, and is still in x11-libs due
to the disruption it would cause to move the existing SLOTs (however
gtk2 is really X11-only)
* Upstream renamed the project from GTK+ to GTK in the gtk4 development
phase
* Separate packages are just as well parallel-installable as separate
SLOTs

So given the above, it felt best to just have the new SLOT under new
package name and not force everyone to do busywork to rename things for
the old slots.

Maybe we can move them over in a couple years without extensive overlay
breakages, when most things are using GTK4, GTK2 has been last rited
and removed and GTK3 is in a similar state of usage like GTK2 is today,
or just leave it be and have it eventually disappear.


Mart,

Thanks for that info - it was exactly what I was looking for.  (Also  
sorry I seem to have missed the slot 4 - I do see it now.)  It all  
makes good sense.


Minor mini-rant - unfortunately, gtk+:2 is not quite as totally gone as  
we'd all like.  I still have 10 packages on my box requiring it.  A few  
still need it only for building, and some are expecting upgrades to use  
:3.  I suppose the rest are soon for the history bin.


Jack



Re: [gentoo-user] it keeps growing

2021-06-01 Thread Dale
Mark Knecht wrote:
>
>
> On Tue, Jun 1, 2021 at 7:14 AM Dale wrote:
> >
> > Hund wrote:
> > > On June 1, 2021 3:38:30 PM GMT+02:00, n952162 wrote:
> > >> 337 packages this month to be updated.  It keeps getting more and
> more.
> > >> Pretty soon, gentoo will overtake Bitcoin in energy use.
> > >>
> > >>
> > > One might then ask why you have so many packages? And why you have
> a computer that consumes enough power for you to be worried about it?
> > >
> > > --
> > > Hund
> > >
> > >
> >
> >
> > I was thinking along the lines of how many packages even binary distros
> > have to update.  I've installed binary based distros before and when
> > updating those, there can be hundreds, several hundred, packages to
> > upgrade.  Thing is, those same packages exist in Gentoo.  If one has a
> > very similar set of packages installed, odds are, almost the same
> > packages will update in either a source based distro like Gentoo or in a
> > binary based distro.  The only difference is Gentoo compiles from
> source.
> >
> > If one is really concerned about compile times or the amount of power
> > needed to run Gentoo up to date, then one has to question not the
> > updates but why use Gentoo??  While some large packages are available in
> > binary, Firefox, Libreoffice etc, the vast majority of Gentoo is
> > compiled from source.  It's why most people use Gentoo, compile from
> > source with features set like you want.  If one is limited in hardware
> > or power, Gentoo may not be a good option.
> >
> > Makes one think.
> >
> > Dale
> >
> > :-)  :-)
>
> I totally get why the Linux enthusiast or an IT guy tasked with
> specific requirements runs Gentoo. I did from 2001 through maybe early
> 2018.
>
> There are numerous reasons I moved from Gentoo to Kubuntu 3-4 years ago:
>
> - Kubuntu updates take, in general, less than 1 minute, almost never
> more than 5, with an average of 2-3/week. I don't believe I spend more
> than 10 minutes on average any week maintaining my machines. Most
> important to me is in 3-4 years not a single one has failed. Download
> a little binary, install, done. Distribution updates (major rev ->
> major rev) take less than an hour and this is once a year or two. They
> are so infrequent that I typically forget how to do them and have to
> go read instructions.
>
> - Maintaining a simple Gentoo install with no desktop from source
> wasn't bad but the KDE overhead on older laptops was insane for my needs.
>
> - I personally could not perceive any speed advantages in my daily
> life running Gentoo. I'm sure there would be some if I was into
> benchmarking but I'm not.
>
> - Gentoo lost its way (IN MY OPINION ONLY, and maybe it's better now)
> 4-5 years ago in terms of a simple 'stable' release. There was a time
> when I couldn't update without ~amd64-ing some packages.
>
> - I use two paid-for non-open source applications - Harrison Mixbus
> (based on Ardour) and PixInsight. It's WAY easier to get support when
> running the same distro these vendor runs and it's been a BIG help in
> my life to get that support.
>
>    Sadly, I don't have nearly the knowledge of how things work under
> the hood on Kubuntu and the user level community is very quiet so I
> try to make general contributions here just to stay connected. This is
> still the best user group I know of. Friendly, informative experts.
>
> Just my 1.5 cents worth as I listen to Hunky Dory,
> Mark


On the few binary distros I've dealt with, they update about as much as
Gentoo does.  The ones that don't, tend to run behind.  I installed one
for a temporary test and the packages on it were several versions behind
even stable Gentoo.  It was far behind unstable on Gentoo. 

If one wants smaller updates or is concerned about power usage during
updates, Gentoo is likely not a good choice.  Compiling takes time and
uses power.  It's just the way Gentoo works. It's always been that way
and as long as it is a source based distro, it will remain that way. 
Gentoo isn't the right choice for every application. 

Just my 2 cents.

Dale

:-)  :-) 



Re: [gentoo-user] it keeps growing

2021-06-01 Thread Neil Bothwick
On Tue, 1 Jun 2021 15:38:30 +0200, n952162 wrote:

> 337 packages this month to be updated.  It keeps getting more and more. 
> Pretty soon, gentoo will overtake Bitcoin in energy use.

Is this because of the switch from Python 3.8 to 3.9 as the default? If
so, there's a news item that covers this and explains how to delay the
switch if you need to.


-- 
Neil Bothwick

Energizer Bunny arrested, charged with battery :)




Re: [gentoo-user] Re: is "scp" reliable?

2021-06-01 Thread thelma
On 6/1/21 9:57 AM, Grant Edwards wrote:
> On 2021-05-29, Mark Knecht  wrote:
> 
>> Different revisions of md5sum possibly?
> 
> No, not unless md5sum is seriously and fatally broken.
> 
> MD5 is MD5.
> 
> The entire point of a hash algorithm is that it's precisely and
> completely defined and the answer never varies from one implementation
> to another.

It was a problem with a memory module; I did not run a memory test after 
assembling the PC (should have), so the Gentoo install was OK and transferring 
standard (small) files passed the md5sum check; but on larger files, e.g. 28GB, 
scp, rsync and md5sum all fail.
Running a memory test gave me nothing but errors; swapping in the memory stick from 
a good PC solved the problem. 



Re: [gentoo-user] is "scp" reliable?

2021-06-01 Thread n952162



On 6/1/21 6:42 AM, J. Roeleveld wrote:


> If there are differences, I would definitely suspect memory and CPU.
>
> --
> Joost





CPU?  USB was mentioned which set off alarm bells for me.  In general
though, I would suspect the media - either source or destination.



[gentoo-user] Re: is "scp" reliable?

2021-06-01 Thread Grant Edwards
On 2021-05-29, Mark Knecht  wrote:

> Different revisions of md5sum possibly?

No, not unless md5sum is seriously and fatally broken.

MD5 is MD5.

The entire point of a hash algorithm is that it's precisely and
completely defined and the answer never varies from one implementation
to another.

-- 
Grant Edwards   grant.b.edwards at gmail.com
Yow! HELLO KITTY gang terrorizes town, family STICKERED to death!




Re: [gentoo-user] it keeps growing

2021-06-01 Thread n952162

On 6/1/21 5:22 PM, Mark Knecht wrote:



On Tue, Jun 1, 2021 at 7:14 AM Dale <rdalek1...@gmail.com> wrote:
>
> Hund wrote:
> > On June 1, 2021 3:38:30 PM GMT+02:00, n952162 <n952...@web.de> wrote:
> >> 337 packages this month to be updated.  It keeps getting more and
more.
> >> Pretty soon, gentoo will overtake Bitcoin in energy use.
> >>
> >>
> > One might then ask why you have so many packages? And why you have
a computer that consumes enough power for you to be worried about it?
> >
> > --
> > Hund
> >
> >
>
>
> I was thinking along the lines of how many packages even binary distros
> have to update.  I've installed binary based distros before and when
> updating those, there can be hundreds, several hundred, packages to
> upgrade.  Thing is, those same packages exist in Gentoo. If one has a
> very similar set of packages installed, odds are, almost the same
> packages will update in either a source based distro like Gentoo or in a
> binary based distro.  The only difference is Gentoo compiles from
source.
>
> If one is really concerned about compile times or the amount of power
> needed to run Gentoo up to date, then one has to question not the
> updates but why use Gentoo??  While some large packages are available in
> binary, Firefox, Libreoffice etc, the vast majority of Gentoo is
> compiled from source.  It's why most people use Gentoo, compile from
> source with features set like you want.  If one is limited in hardware
> or power, Gentoo may not be a good option.
>
> Makes one think.
>
> Dale
>
> :-)  :-)

I totally get why the Linux enthusiast or an IT guy tasked with
specific requirements runs Gentoo. I did from 2001 through maybe early
2018.

There are numerous reasons I moved from Gentoo to Kubuntu 3-4 years ago:

- Kubuntu updates take, in general, less than 1 minute, almost never
more than 5, with an average of 2-3/week. I don't believe I spend more
than 10 minutes on average any week maintaining my machines. Most
important to me is in 3-4 years not a single one has failed. Download
a little binary, install, done. Distribution updates (major rev ->
major rev) take less than an hour and this is once a year or two. They
are so infrequent that I typically forget how to do them and have to
go read instructions.

- Maintaining a simple Gentoo install with no desktop from source
wasn't bad but the KDE overhead on older laptops was insane for my needs.

- I personally could not perceive any speed advantages in my daily
life running Gentoo. I'm sure there would be some if I was into
benchmarking but I'm not.

- Gentoo lost its way (IN MY OPINION ONLY, and maybe it's better now)
4-5 years ago in terms of a simple 'stable' release. There was a time
when I couldn't update without ~amd64-ing some packages.

- I use two paid-for non-open source applications - Harrison Mixbus
(based on Ardour) and PixInsight. It's WAY easier to get support when
running the same distro these vendor runs and it's been a BIG help in
my life to get that support.

   Sadly, I don't have nearly the knowledge of how things work under
the hood on Kubuntu and the user level community is very quiet so I
try to make general contributions here just to stay connected. This is
still the best user group I know of. Friendly, informative experts.

Just my 1.5 cents worth as I listen to Hunky Dory,
Mark



I wish gentoo would throttle the upstream more.  Is there another source
distribution besides gentoo?  Is LFS a viable competitor?



Re: [gentoo-user] it keeps growing

2021-06-01 Thread Mark Knecht
On Tue, Jun 1, 2021 at 7:14 AM Dale  wrote:
>
> Hund wrote:
> > On June 1, 2021 3:38:30 PM GMT+02:00, n952162  wrote:
> >> 337 packages this month to be updated.  It keeps getting more and more.
> >> Pretty soon, gentoo will overtake Bitcoin in energy use.
> >>
> >>
> > One might then ask why you have so many packages? And why you have a
> > computer that consumes enough power for you to be worried about it?
> >
> > --
> > Hund
> >
> >
>
>
> I was thinking along the lines of how many packages even binary distros
> have to update.  I've installed binary based distros before and when
> updating those, there can be hundreds, several hundred, packages to
> upgrade.  Thing is, those same packages exist in Gentoo.  If one has a
> very similar set of packages installed, odds are, almost the same
> packages will update in either a source based distro like Gentoo or in a
> binary based distro.  The only difference is Gentoo compiles from source.
>
> If one is really concerned about compile times or the amount of power
> needed to run Gentoo up to date, then one has to question not the
> updates but why use Gentoo??  While some large packages are available in
> binary, Firefox, Libreoffice etc, the vast majority of Gentoo is
> compiled from source.  It's why most people use Gentoo, compile from
> source with features set like you want.  If one is limited in hardware
> or power, Gentoo may not be a good option.
>
> Makes one think.
>
> Dale
>
> :-)  :-)

I totally get why the Linux enthusiast or an IT guy tasked with specific
requirements runs Gentoo. I did from 2001 through maybe early 2018.

There are numerous reasons I moved from Gentoo to Kubuntu 3-4 years ago:

- Kubuntu updates take, in general, less than 1 minute, almost never more
than 5, with an average of 2-3/week. I don't believe I spend more than 10
minutes on average any week maintaining my machines. Most important to me
is in 3-4 years not a single one has failed. Download a little binary,
install, done. Distribution updates (major rev -> major rev) take less than
an hour and this is once a year or two. They are so infrequent that I
typically forget how to do them and have to go read instructions.

- Maintaining a simple Gentoo install with no desktop from source wasn't
bad but the KDE overhead on older laptops was insane for my needs.

- I personally could not perceive any speed advantages in my daily life
running Gentoo. I'm sure there would be some if I was into benchmarking but
I'm not.

- Gentoo lost its way (IN MY OPINION ONLY, and maybe it's better now) 4-5
years ago in terms of a simple 'stable' release. There was a time when I
couldn't update without ~amd64-ing some packages.

- I use two paid-for non-open source applications - Harrison Mixbus (based
on Ardour) and PixInsight. It's WAY easier to get support when running the
same distro these vendor runs and it's been a BIG help in my life to get
that support.

   Sadly, I don't have nearly the knowledge of how things work under the
hood on Kubuntu and the user level community is very quiet so I try to make
general contributions here just to stay connected. This is still the best
user group I know of. Friendly, informative experts.

Just my 1.5 cents worth as I listen to Hunky Dory,
Mark


Re: [gentoo-user] can anybody recommend any VoIP package?

2021-06-01 Thread n952162

On 6/1/21 4:52 PM, n952162 wrote:

Has anybody good luck with any gentoo VoIP package?

I imagine the skype package is binary, right?

I've tried linphone and some others over the years, but they didn't
perform acceptably.  Has there been any progress in that regard?



Okay, thanks to this thread, I may have something that'll solve my
needs: /telegram/

https://forums.gentoo.org/viewtopic-t-1097678-start-0.html





[gentoo-user] can anybody recommend any VoIP package?

2021-06-01 Thread n952162

Has anybody good luck with any gentoo VoIP package?

I imagine the skype package is binary, right?

I've tried linphone and some others over the years, but they didn't
perform acceptably.  Has there been any progress in that regard?




Re: [gentoo-user] Can Portage be used with FreeBSD or NetBSD?

2021-06-01 Thread Michael
On Tuesday, 1 June 2021 10:59:27 BST Thomas Mueller wrote:
> Can Portage be used as a package manager with anything other than Linux?

Yes, it used to be, but from what I know the *BSD projects were abandoned due 
to lack of maintainers.


> I like some features of Portage; think it might be better than FreeBSD ports
> or NetBSD pkgsrc, or is just a case of the grass being greener on the other
> side?

Have a look here for historical references in this effort:

https://wiki.gentoo.org/wiki/Gentoo_BSD


> I like the option "--with-bdeps=y", wish FreeBSD's synth and poudriere had
> that option.
> 
> But I don't want to use Portage where it would be incompatible.
> 
> Portage's assumption of location of python binary and /bin/bash are contrary
> to anything non-Linux, or even a Linux that uses another shell such as dash
> or mksh.
> 
> Tom





Re: [gentoo-user] it keeps growing

2021-06-01 Thread Dale
Hund wrote:
> On June 1, 2021 3:38:30 PM GMT+02:00, n952162  wrote:
>> 337 packages this month to be updated.  It keeps getting more and more. 
>> Pretty soon, gentoo will overtake Bitcoin in energy use.
>>
>>
> One might then ask why you have so many packages? And why you have a computer 
> that consumes enough power for you to be worried about it?
>
> --
> Hund
>
>


I was thinking along the lines of how many packages even binary distros
have to update.  I've installed binary based distros before and when
updating those, there can be hundreds, several hundred, packages to
upgrade.  Thing is, those same packages exist in Gentoo.  If one has a
very similar set of packages installed, odds are, almost the same
packages will update in either a source based distro like Gentoo or in a
binary based distro.  The only difference is Gentoo compiles from source. 

If one is really concerned about compile times or the amount of power
needed to run Gentoo up to date, then one has to question not the
updates but why use Gentoo??  While some large packages are available in
binary, Firefox, Libreoffice etc, the vast majority of Gentoo is
compiled from source.  It's why most people use Gentoo, compile from
source with features set like you want.  If one is limited in hardware
or power, Gentoo may not be a good option. 

Makes one think.

Dale

:-)  :-)



Re: [gentoo-user] it keeps growing

2021-06-01 Thread Hund
On June 1, 2021 3:38:30 PM GMT+02:00, n952162  wrote:
>337 packages this month to be updated.  It keeps getting more and more. 
>Pretty soon, gentoo will overtake Bitcoin in energy use.
>
>

One might then ask why you have so many packages? And why you have a computer 
that consumes enough power for you to be worried about it?

--
Hund



Re: [gentoo-user] it keeps growing

2021-06-01 Thread Rich Freeman
On Tue, Jun 1, 2021 at 9:38 AM n952162  wrote:
>
> 337 packages this month to be updated.  It keeps getting more and more.
> Pretty soon, gentoo will overtake Bitcoin in energy use.

Really it is a somewhat recent thing that Bitcoin overtook Gentoo in
energy use...  :)

-- 
Rich



[gentoo-user] it keeps growing

2021-06-01 Thread n952162

337 packages this month to be updated.  It keeps getting more and more. 
Pretty soon, gentoo will overtake Bitcoin in energy use.




Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Rich Freeman
On Tue, Jun 1, 2021 at 7:59 AM Adam Carter  wrote:
>>
>> And another "wondering" - all the warnings about trusting self signed
>> certs seem a bit self serving. Yes, they are trying to certify who you
>> are, but at the expense of probably allowing access to your
>> communications by "authorised parties" (such as commercial entities
>> purchasing access for MITM access - e.g. certain router/firewall
>> companies doing deep inspection of SSL via resigning or owning both end
>> points).
>
> AFAIK in an enterprise MITM works by having a local CA added to the cert 
> stores of the workstation fleet, and having that CA auto generate the certs 
> for MITM. That didn't work with certificate pinning, but pinning has been 
> deprecated.

So, I don't know all the ways that pinning is implemented, but if
you're talking about using MITM to snoop on enterprise devices on the
enterprise network I'd think that pinning wouldn't be an issue,
because you control the devices from cradle to grave.  Just ensure the
pinned certificates are the ones that let you MITM the connections.

Now, if your organization has some sort of guest network for
non-enterprise devices then pinning would obviously block MITM of
connections made by those devices.  Really though I'm not sure you'd
want to be snooping stuff like this - it seems like more legal
headaches than it is worth.  You want to sniff your OWN traffic for
IDS/etc or other unauthorized use, and since you're sniffing traffic
from devices you own you don't have the same legal issues (I won't say
no legal issues, but certainly monitoring your own devices is very
different from monitoring those you don't own).  You shouldn't even be
allowing uncontrolled devices on those networks in the first place.
If you want to detect unauthorized devices MITM isn't really the best
solution - just use positive authentication of known-good devices
up-front and anything that doesn't pass that test is treated as a
threat and shouldn't even be able to send traffic.

-- 
Rich



Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread Rich Freeman
On Tue, Jun 1, 2021 at 8:16 AM Michael Orlitzky  wrote:
>
> On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> >
> > So what would you recommend for someone in the case Joost cites? I'm in that
> > position, being a home user of a small network but no registered Internet
> > name.
> >
>
> A self-signed certificate combined with a browser extension that lets
> you "pin" it. With pinning, you can keep your browser usable on the WWW
> while still rejecting any forged certificates for your own hosts. The
> end result works pretty much like SSH keys do.

Can't really argue with this.  However, for those who aren't
completely following along it is probably worth pointing out that the
way you're doing it is different from how 99.999% of the way the world
is doing it.

So, if you're talking about securing communications between hosts you
control what mjo suggests is a much better solution than the standard
solution (at least security-wise).  There are probably better ways to
do it, but not much that is standard.

However, if you're working with others then that solution isn't such a
good one, as it isn't really standard.  That said, it isn't uncommon
for more sophisticated companies to pin certificates from their
partners so that a random CA can't do an end-run around security.  I
have vendors I work with who regularly send out notices of pending
certificate changes to technical contacts to allow for this.

Really though the entire SSL CA infrastructure needs a massive
overhaul.  Using something like DNSSEC as a trust root would be one
way to go about it.  Another might be to restrict the scope that CAs
could sign within and have some way to automate that.  Self-signed
certs aren't a good solution for the average user and no SSL is an
even worse one (at best it removes security theater, but at the cost
of allowing attackers to not even bother with subverting the CA
system, which opens up a lot more attacks).  Right now you can browse
using SSL to army.mil for the first time and in theory your browser
won't complain if the certificate is signed by the PLA...

-- 
Rich



Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread karl
Karl:
> Michael Orilitzky:

Sorry, I mistyped, it should be: Peter Humphrey

> ...
> > * The LetsEncrypt certificates expire after three months, as opposed 
> >   to 10+ years for a self-signed certificate. You're supposed to 
> >   automate this... by running a script as root that takes input from 
> >   the web? I'd rather not do that.
> 
> You can run most of it as an unprivileged user, here is my crontab:
> 0 0 1 * *    acme    /usr/local/sbin/acme_update.sh
> 10 0 1 * *   root    cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem
> 20 0 1 * *   root    /etc/init.d/lighttpd restart
> 
> One could add a check to make sure that the downloaded crt is sensible.
> 
> > * LetsEncrypt verifies your identity over plain HTTP (like every other 
> >   commercial CA), so it's all security theater in the first place.
> ...
> 
> Ack.

Regards,
/Karl Hammar




Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread karl
Michael Orilitzky:
...
> * The LetsEncrypt certificates expire after three months, as opposed 
>   to 10+ years for a self-signed certificate. You're supposed to 
>   automate this... by running a script as root that takes input from 
>   the web? I'd rather not do that.

You can run most of it as an unprivileged user, here is my crontab:
0 0 1 * *    acme    /usr/local/sbin/acme_update.sh
10 0 1 * *   root    cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem
20 0 1 * *   root    /etc/init.d/lighttpd restart

One could add a check to make sure that the downloaded crt is sensible.

> * LetsEncrypt verifies your identity over plain HTTP (like every other 
>   commercial CA), so it's all security theater in the first place.
...

Ack.

Regards,
/Karl Hammar
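Karl's "one could add a check" above, written out as an added example. This is not Karl's script and not part of acme-tiny; it assumes openssl(1) is on the path, takes the key, certificate and hostname as arguments (the /etc/acme-tiny paths are his, the www.example.test pair the demo generates is constructed test input standing in for the downloaded chain), and is meant to run between the download step and the `cat ... > server.pem` step, so that a failed or tampered download is never installed.

```sh
#!/bin/sh
# Added example, not Karl's script: sanity-check a freshly downloaded
# certificate before it is concatenated into the web server's PEM file.
# Assumes openssl(1) is installed. File names are arguments (constructed here).
set -eu

# check_cert_sane KEY CRT DOMAIN
# Returns 0 if CRT is usable for DOMAIN with the private key in KEY,
# otherwise prints the reason and returns 1 (so cron never installs junk).
check_cert_sane() {
    key="$1"; crt="$2"; domain="$3"

    # 1. It must parse as X.509 at all: a failed download often leaves an
    #    HTML error page or an empty file behind.
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 \
        || { echo "REJECT: $crt is not a valid certificate"; return 1; }

    # 2. Its public key must be the one belonging to KEY; otherwise it is a
    #    mix-up (or someone else's certificate) and the server would not start.
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "REJECT: certificate public key does not match $key"; return 1; }

    # 3. It must stay valid for at least another 7 days; -checkend exits
    #    non-zero if the certificate expires within that many seconds.
    openssl x509 -in "$crt" -noout -checkend $((7 * 24 * 3600)) >/dev/null \
        || { echo "REJECT: certificate is expired or expires within 7 days"; return 1; }

    # 4. It must be issued for our hostname: look in subjectAltName first
    #    (-ext needs OpenSSL 1.1.1+; older builds fall through to the CN).
    { openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$domain"; } \
        || openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$domain" \
        || { echo "REJECT: certificate is not issued for $domain"; return 1; }

    echo "OK: $crt is a valid certificate for $domain matching $key"
    return 0
}

# gen_test_cert KEY CRT DOMAIN: constructed test input, a self-signed pair
# standing in for the real chain that acme_update.sh would download.
gen_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 90 -subj "/CN=$3" -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}

# Stand-alone demo: a matching pair passes, a certificate for another key is rejected.
tmp=$(mktemp -d)
gen_test_cert "$tmp/domain.key" "$tmp/signed_chain.crt" www.example.test
gen_test_cert "$tmp/other.key" "$tmp/other.crt" www.example.test
check_cert_sane "$tmp/domain.key" "$tmp/signed_chain.crt" www.example.test
check_cert_sane "$tmp/other.key" "$tmp/signed_chain.crt" www.example.test || true
rm -rf "$tmp"
```

In the crontab above this would sit as a root job between the download and the `cat`, e.g. `check_cert_sane /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt example.org && cat ... > /etc/lighttpd/server.pem`, so that lighttpd is only restarted onto a certificate that parses, matches the key, is not about to expire and names the right host.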





Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread karl
Joost:
> On Tuesday, June 1, 2021 12:44:47 PM CEST k...@aspodata.se wrote:
... [ about letsencrypt ] ...
> It's not that easy to do it with internal-only systems as Let's Encrypt 
> requires the hostname to be known externally.
> And there are plenty of devices you do not want the whole internet to know 
> about.

Just use a self-certified cert and add an exception in the web browser,
or set up your own CA, (I don't know how) and distribute its cert.

Regards,
/Karl Hammar
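Rich's "restrict the scope that CAs could sign within" (earlier in this thread) and Karl's "set up your own CA (I don't know how)" just above meet in an X.509 feature that already exists: the nameConstraints extension. The following is an added example, not code from anyone in the thread; it assumes openssl(1) is installed, and the CA name, the hostnames and every file it writes are constructed. The point it makes is that a private CA restricted to one domain is harmless to the rest of the web even if its key is stolen, because the verifier, not the CA, enforces the constraint.

```sh
#!/bin/sh
# Added example, not from the thread: a private CA that is only allowed to
# vouch for one domain, via the X.509 nameConstraints extension. A leaf it
# signs for any other name fails path validation although the signature is
# good. Assumes openssl(1); every file, key and hostname here is constructed.
set -eu

# make_constrained_ca DIR DOMAIN: self-signed CA permitted to issue only for
# DOMAIN and its subdomains. A client that trusts just this CA is then at no
# risk for names outside DOMAIN, even if ca.key leaks.
make_constrained_ca() {
    dir="$1"; domain="$2"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Private CA for $domain
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:$domain,permitted;DNS:.$domain
EOF
    openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_leaf DIR NAME: key and certificate for NAME, signed by the CA in DIR.
# Note that the CA signs anything asked of it; it is the verifier that
# enforces the constraint, which is exactly what makes the scheme robust.
issue_leaf() {
    dir="$1"; name="$2"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$name" > "$dir/$name.ext"
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$name" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify_leaf DIR NAME: 0 if NAME's certificate chains to the CA and respects
# its name constraints, non-zero otherwise (openssl's reason for the rejection
# is "permitted subtree violation").
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Demo: an in-scope name passes, an out-of-scope name is rejected by the verifier.
tmp=$(mktemp -d)
make_constrained_ca "$tmp" home.lan
issue_leaf "$tmp" nas.home.lan
issue_leaf "$tmp" www.example.org
verify_leaf "$tmp" nas.home.lan && echo "nas.home.lan: accepted"
verify_leaf "$tmp" www.example.org || echo "www.example.org: rejected, outside the CA's permitted names"
rm -rf "$tmp"
```

Distributing ca.crt to the browsers on the home network, as Karl describes, is then all that is needed; the constraint travels inside the CA certificate itself, so every client that honours nameConstraints (browsers and OpenSSL do) applies it without further configuration.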




Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread Peter Humphrey
On Tuesday, 1 June 2021 13:16:59 BST Michael Orlitzky wrote:
> On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> > So what would you recommend for someone in the case Joost cites? I'm in
> > that position, being a home user of a small network but no registered
> > Internet name.
> 
> A self-signed certificate combined with a browser extension that lets
> you "pin" it. With pinning, you can keep your browser usable on the WWW
> while still rejecting any forged certificates for your own hosts. The
> end result works pretty much like SSH keys do.

Thanks Michael.

-- 
Regards,
Peter.






Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread Michael Orlitzky
On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> 
> So what would you recommend for someone in the case Joost cites? I'm in that 
> position, being a home user of a small network but no registered Internet 
> name.
> 

A self-signed certificate combined with a browser extension that lets
you "pin" it. With pinning, you can keep your browser usable on the WWW
while still rejecting any forged certificates for your own hosts. The
end result works pretty much like SSH keys do.
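The "works like SSH keys" idea above, as an added command-line example (not Michael's browser extension and not code from any project in the thread). It pins the SHA-256 of the certificate's SubjectPublicKeyInfo rather than the whole certificate, so a self-signed certificate renewed with the same key keeps matching while any certificate for that host made with a different key is refused. It assumes openssl(1); the pin store file, the hostname home.lan and the keys the demo generates are all constructed.

```sh
#!/bin/sh
# Added example, not from the thread: trust-on-first-use pinning of a
# self-signed certificate's public key, in the style of SSH's known_hosts.
# Assumes openssl(1). Store format: one "<host> <base64 spki sha256>" per line.
set -eu

# spki_pin CRT: base64(SHA-256(SubjectPublicKeyInfo)). Hashing the key rather
# than the whole certificate means a renewal with the same key keeps its pin.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# record_pin STORE HOST CRT: first contact records the pin; an existing pin is
# never silently replaced, since that would defeat the point of pinning.
record_pin() {
    store="$1"; host="$2"; crt="$3"
    if awk -v h="$host" '$1 == h { found = 1 } END { exit !found }' "$store"; then
        echo "$host: already pinned, keeping the existing pin"
        return 0
    fi
    printf '%s %s\n' "$host" "$(spki_pin "$crt")" >> "$store"
    echo "$host: pinned"
}

# verify_pin STORE HOST CRT: 0 = matches the recorded pin, 1 = mismatch
# (treat as a forged certificate), 2 = host never pinned (a client would
# prompt here, exactly like ssh on first connection).
verify_pin() {
    store="$1"; host="$2"; crt="$3"
    expected=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
    [ -n "$expected" ] || { echo "$host: no pin recorded"; return 2; }
    actual=$(spki_pin "$crt")
    [ "$expected" = "$actual" ] \
        || { echo "$host: PIN MISMATCH, refusing (expected $expected, got $actual)"; return 1; }
    echo "$host: certificate matches pinned key"
    return 0
}

# Constructed test input: a self-signed certificate for HOST with a fresh key
# (gen_self_signed), and a renewal that reuses an existing key (renew_cert).
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 365 -subj "/CN=$3" >/dev/null 2>&1
}
renew_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days 365 -subj "/CN=$3" >/dev/null 2>&1
}

# Demo: pin home.lan, accept its renewal, refuse a certificate for the same
# name made with a different key, which is what a forged one looks like.
tmp=$(mktemp -d)
: > "$tmp/pins"
gen_self_signed "$tmp/home.key" "$tmp/home.crt" home.lan
record_pin "$tmp/pins" home.lan "$tmp/home.crt"
verify_pin "$tmp/pins" home.lan "$tmp/home.crt"
renew_cert "$tmp/home.key" "$tmp/home-renewed.crt" home.lan
verify_pin "$tmp/pins" home.lan "$tmp/home-renewed.crt"
gen_self_signed "$tmp/other.key" "$tmp/other.crt" home.lan
verify_pin "$tmp/pins" home.lan "$tmp/other.crt" || true
rm -rf "$tmp"
```

Against a live host the certificate to check would come from `openssl s_client -connect host:443 -servername host </dev/null | openssl x509`; the pin store is kept under the user's control, so no CA in the system store, trustworthy or not, can substitute a key without the mismatch showing up.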





Re: [gentoo-user] is "scp" reliable?

2021-06-01 Thread Adam Carter
On Tue, Jun 1, 2021 at 2:46 PM J. Roeleveld  wrote:

> On Saturday, May 29, 2021 11:04:44 PM CEST Mark Knecht wrote:
> > On Sat, May 29, 2021 at 1:33 PM  wrote:
> > 
> >
> > > Another mystery.
> > > I copied the file to USB 1TB sandisk.
> > > md5sum check OK same as my computer
> > >
> > >
>
> > Different revisions of md5sum possibly?
>
> I have never had issues with different md5sum tools.
>

Yes - it's hard to imagine a bug of that seriousness not being detected.
Getting it right is the tool's raison d'etre.


Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread Peter Humphrey
On Tuesday, 1 June 2021 12:40:28 BST Michael Orlitzky wrote:
> On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> > It's not that easy to do it with internal-only systems as Let's Encrypt
> > requires the hostname to be known externally.
> > And there are plenty of devices you do not want the whole internet to know
> > about.
> 
> And in this situation LetsEncrypt does nothing but make security worse:
> 
> * You have to trust the entire CA infrastructure rather than just your 
>   own CA. Many of the CAs are not just questionable, but like the 
>   governments of the USA and China, known to be engaged in large-scale
>   man-in-the-middle attacks.
> 
> * The LetsEncrypt certificates expire after three months, as opposed 
>   to 10+ years for a self-signed certificate. You're supposed to 
>   automate this... by running a script as root that takes input from 
>   the web? I'd rather not do that.
> 
> * LetsEncrypt verifies your identity over plain HTTP (like every other 
>   commercial CA), so it's all security theater in the first place.
> 
> There are plenty of arguments against LE even for public sites, but for
> private ones, it's a lot more clear-cut...

So what would you recommend for someone in the case Joost cites? I'm in that 
position, being a home user of a small network but no registered Internet 
name.

-- 
Regards,
Peter.






Re: [gentoo-user] app-misc/ca-certificates

2021-06-01 Thread Adam Carter
>
> And another "wondering" - all the warnings about trusting self signed
> certs seem a bit self serving. Yes, they are trying to certify who you
> are, but at the expense of probably allowing access to your
> communications by "authorised parties" (such as commercial entities
> purchasing access for MITM access - e.g. certain router/firewall
> companies doing deep inspection of SSL via resigning or owning both end
> points).


CAs who issue such dodgy certs tend to get booted from certificate stores,
since they cannot be trusted.
https://wiki.mozilla.org/CA:Symantec_Issues#Issue_D:_Test_Certificate_Misissuance_.28April_2009_-_September_2015.29

https://en.wikipedia.org/wiki/Certificate_Transparency helps keep CAs
honest.

The way i like to frame it is "any certificate should only be trusted as
much as the *least* trustworthy CA in your certificate store"

AFAIK in an enterprise MITM works by having a local CA added to the cert
stores of the workstation fleet, and having that CA auto generate the certs
for MITM. That didn't work with certificate pinning, but pinning has been
deprecated.


> If its only your own communications and not with a third,
> commercial party self signed seems a lot more secure.
>

Yes, I imagine there are some circumstances where it would make sense to
remove all the certs from your certificate store and then just add your
local CA's cert. In this case, the least trustworthy CA in the store is
your own :)


Re: [gentoo-user] gtk+ package question

2021-06-01 Thread Mart Raudsepp
On a fine day, Sat, 29.05.2021 at 16:28, Jack wrote:
> I just noticed that the package x11-libs/gtk+ has slots 2 and 3  
> (nothing new there) however, it seems that version 4 has a totally
> new package gui-libs/gtk with only slot 0 (no explicit slot listed)
> with currently ~4.2.0 and 4.2.1 versions available.

They are in SLOT="4"

> I've done a quick  
> search through the announce and dev mailing lists, and not found  
> anything relevant.  Is this an intentional switch?  I don't think
> there  
> is much yet that uses version 4, but is there any planned migration  
> path?

Yes, this is an intentional plan from me, executed by others that had
the time available for it. There were IRC talks and probably some
comments on the relevant bugs.

* I consider it too disruptive to package move everything from x11-
libs/gtk+ to gui-libs/gtk, everyone would need to adapt to it in
overlays, etc
* SLOTs are really nothing more than keeping parallel-installable
packages under the same name, instead of having separate packages like
libgtk2, libgtk3, etc
* New parallel-installable version was a good time to make the switch,
with the old slots left behind in x11-libs until they naturally fall
out of use
* It is increasingly less used with X11, and is still in x11-libs due
to the disruption it would cause to move the existing SLOTs (however
gtk2 is really X11-only)
* Upstream renamed the project from GTK+ to GTK in the gtk4 development
phase
* Separate packages are just as well parallel-installable as separate
SLOTs

So given the above, it felt best to just have the new SLOT under new
package name and not force everyone to do busywork to rename things for
the old slots.

Maybe we can move them over in a couple years without extensive overlay
breakages, when most things are using GTK4, GTK2 has been last rited
and removed and GTK3 is in a similar state of usage like GTK2 is today,
or just leave it be and have it eventually disappear.


Mart




Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread Michael Orlitzky
On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> 
> It's not that easy to do it with internal-only systems as Let's Encrypt 
> requires the hostname to be known externally.
> And there are plenty of devices you do not want the whole internet to know 
> about.
> 

And in this situation LetsEncrypt does nothing but make security worse:

* You have to trust the entire CA infrastructure rather than just your 
  own CA. Many of the CAs are not just questionable, but like the 
  governments of the USA and China, known to be engaged in large-scale
  man-in-the-middle attacks.

* The LetsEncrypt certificates expire after three months, as opposed 
  to 10+ years for a self-signed certificate. You're supposed to 
  automate this... by running a script as root that takes input from 
  the web? I'd rather not do that.

* LetsEncrypt verifies your identity over plain HTTP (like every other 
  commercial CA), so it's all security theater in the first place.

There are plenty of arguments against LE even for public sites, but for
private ones, it's a lot more clear-cut...





Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread J. Roeleveld
On Tuesday, June 1, 2021 12:44:47 PM CEST k...@aspodata.se wrote:
> BillK:
> ...
> 
> > And another "wondering" - all the warnings about trusting self signed
> > certs seem a bit self serving. Yes, they are trying to certify who you
> > are, but at the expense of probably allowing access to your
> > communications by "authorised parties" (such as commercial entities
> > purchasing access for MITM access - e.g. certain router/firewall
> > companies doing deep inspection of SSL via resigning or owning both end
> > points). If its only your own communications and not with a third,
> > commercial party self signed seems a lot more secure.
> 
> ...
> 
> You can use https://letsencrypt.org/ instead of a self-signed cert:
> 
>  Let's Encrypt is a free, automated, and open certificate authority
>  brought to you by the nonprofit Internet Security Research Group (ISRG).
> 
> It was pretty simple to get it to work with
>  https://github.com/diafygi/acme-tiny

It's not that easy to do it with internal-only systems as Let's Encrypt 
requires the hostname to be known externally.
And there are plenty of devices you do not want the whole internet to know 
about.

--
Joost





Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)

2021-06-01 Thread karl
BillK:
...
> And another "wondering" - all the warnings about trusting self signed
> certs seem a bit self serving. Yes, they are trying to certify who you
> are, but at the expense of probably allowing access to your
> communications by "authorised parties" (such as commercial entities
> purchasing access for MITM access - e.g. certain router/firewall
> companies doing deep inspection of SSL via resigning or owning both end
> points). If its only your own communications and not with a third,
> commercial party self signed seems a lot more secure.
...

You can use https://letsencrypt.org/ instead of a self-signed cert:

 Let's Encrypt is a free, automated, and open certificate authority
 brought to you by the nonprofit Internet Security Research Group (ISRG). 

It was pretty simple to get it to work with
 https://github.com/diafygi/acme-tiny

Regards,
/Karl Hammar





[gentoo-user] Can Portage be used with FreeBSD or NetBSD?

2021-06-01 Thread Thomas Mueller
Can Portage be used as a package manager with anything other than Linux? 

I like some features of Portage; think it might be better than FreeBSD ports or 
NetBSD pkgsrc, or is just a case of the grass being greener on the other side?

I like the option "--with-bdeps=y", wish FreeBSD's synth and poudriere had that 
option.

But I don't want to use Portage where it would be incompatible.

Portage's assumption of location of python binary and /bin/bash are contrary to 
anything non-Linux, or even a Linux that uses another shell such as dash or 
mksh.

Tom




Re: [gentoo-user] Qustions re Dell M.2 PCIe NVMe Solid State Drives under Gentoo

2021-06-01 Thread J. Roeleveld
On Thursday, May 27, 2021 11:35:33 PM CEST Alarig Le Lay wrote:
> On Thu 27 May 2021 17:05:07 GMT, Walter Dnes wrote:
> > * do NVMe drives function well under Gentoo (driver issues, etc)?
> 
> I have a NVMe drive on my corporate laptop (a lenovo) and I don’t have
> any issue with it.
> 
> PS: I agree on the linux bloatiness, I have 4G of RAM on my personal
> laptop and it begins to run out sometime…

Multiple machines with NVMe's, no issues.

Not all can boot from NVMe though, that's a BIOS-issue.