10[00:05:14] <jim> I'm trying to get v4l2loopback to load at boot... I installed a later github version, and did make install to place it in /lib/modules/some5.6uname-r
11[00:05:45] <jim> what mechanism do packaged versions use to load it at boot?
88[01:09:34] <chandoo> for some reason docker is not honoring the /etc/docker/daemon.json changes
89[01:09:38] <chandoo> for data-root
90[01:09:50] <chandoo> any help is appreciated
91[01:11:20] <sney> did you confirm that the docker service was stopped and that your config changes hadn't been overwritten, before starting the service again?
109[01:29:02] <sney> that howto is from 2 years ago so it might be outdated. ask in #docker
110[01:29:19] <chandoo> yes it is
111[01:29:36] <chandoo> i am moving from local filesystem to zfs dataset
112[01:29:46] <chandoo> but it was mounted as regular file
113[01:29:50] <chandoo> but it was mounted as regular filesystem
114[01:29:55] <chandoo> sney, okay thanks
115[01:30:24] <sney> afaik docker can't tell the difference between the filesystems its dirs are on, as long as they support normal permissions, etc.
116[01:30:46] <sney> but if you're working with zfs then you could set the dataset mount point to /var/lib/docker and let the daemon keep its defaults.
118[01:31:23] <chandoo> i tried symlink but i am facing issue
119[01:31:37] <chandoo> after symlink if i do /var/lib/docker/ it works
120[01:31:40] <sney> not symlink, set the actual mount point
121[01:31:50] <chandoo> without the trailing / it is not
122[01:32:04] <chandoo> sney, it was already mounted
123[01:32:17] <chandoo> you mean create as mount in fstab
124[01:32:44] <chandoo> default are working fine
125[01:33:12] <chandoo> the moment i specify data-root to other folder it is failing opening volume
126[01:33:29] <sney> no, like 'zfs set mountpoint=/var/lib/docker tank/datasetgoeshere', a normal zfs thing.
127[01:33:40] <sney> then when you zfs mount -a (or reboot) it just comes up in that spot
128[01:34:24] <sney> this is pretty standard zfs usage so it's weird that you wouldn't know about it if you're using zfs. but I guess all manuals have been replaced with stackexchange.
129[01:35:34] <chandoo> sney, i know,
130[01:35:40] <chandoo> let me explain
131[01:35:49] <chandoo> i am running this in a vm
132[01:36:12] <chandoo> zfs is created outside of the vm and attached to the vm
133[01:36:21] <sney> delegate dataset?
134[01:36:24] <chandoo> so no zfs datasets available in the vm
135[01:37:21] <chandoo> yes it is getting delegated to vm, and vm sees it as just as a filesystem mounted
137[01:37:57] <sney> no, delegate datasets is a zfs thing where the guest can see it too. I guess you're on a different kind of hypervisor. better ask the original question in #docker then
138[01:38:17] <chandoo> i am using proxmox
139[01:38:22] <chandoo> okay
319[05:21:41] <efloid> so the DisplayPort sound issue may be related to DisplayPort version issue between monitor and computer. am going to check BIOS settings later - there's sometimes a DisplayPort version option that can be set
320[05:22:33] <efloid> also, what i thought was an input audio jack on the monitor was a headphone jack :-/ strange that there would be one instead of an input
333[05:52:41] <dpkg> To clone a Debian machine using aptitude (or install your favourite packages) use aptitude search --disable-columns -F%p '~i!~M!~v' > package_list; on the reference machine; xargs aptitude --schedule-only install < package_list; aptitude install; on the other machine. This preserves information about "automatically installed" packages that other methods do not. See also <reinstall>, <things to backup>, <debian clone>, <apt-clone>.
334[05:52:55] <hackers> i'm reading about dpkg --get-selections, aptitude, apt-clone, etckeeper, dselect but am uncertain which solution(s) I want to use
336[05:53:16] <hackers> thanks alex11 I'll start there
337[05:53:27] <alex11> yeah maybe dpkg --get-selections is easier
338[05:53:32] <alex11> it's not something i've looked into super hard
339[05:54:29] <hackers> there's also the question of preserving at least some configurations I want to address
340[05:55:14] <hackers> I remember dpkg can detect standard pkg config files that have been modified during installation of upgrades (packages shipping new configs)
341[05:56:09] <hackers> do you know how I can run this process manually against the output of, dpkg --get-selections or the aptitude command you suggested I use to freeze installed package list in order to identify configs that were modified after installation?
343[05:58:25] <efloid> hackers: you can also use clonezilla to make an exact image. it's an excellent tool.
345[06:01:07] <hackers> efloid: that would probably cause me issues, i'm wanting to clone a vm i use as a workstation that's a compute engine instance with its own custom settings
346[06:01:34] <hackers> i would use the solution i'm trying to build as a startup script for such instance
347[06:01:47] <efloid> hackers: why not use ansible?
414[07:19:42] <dpkg> [confold] dpkg --force-confold will force dpkg to ignore any new versions of <conffiles> in packages, e.g. «apt-get -o DPkg::Options::="--force-confold" upgrade». Note that by ignoring changes to conffiles, you may miss out important changes and packages may be left in a non-working state afterwards.
456[08:35:42] <esm2> I'm switching from GNU screen to tmux and I'm wondering if there's a command in tmux to alternate between the last window (like screen's ^A^A) ?
457[08:38:21] <n4dir> esm2: looks like you asking for something like the cheatsheet replaced-url
459[08:38:41] <n4dir> though i use screen most basic and haven't got the exact terms handy
460[08:38:57] <esm2> I looked at the man pages and cheat sheet. I don't see anything there.
461[08:40:19] <esm2> tmux lets you use ^B-n and ^B-p for previous and next, but I see nothing for toggling to the last window
462[08:41:15] <n4dir> ah, then i did understand correct and that was not what you are looking for. tmux probably has an irc channel. Though many in #linux seem to use it too (as it is *so* much better than screen). Anyway: good luck then
463[08:42:15] <ansimita> esm2: ^B-l ?
464[08:42:31] <n4dir> ctrl+b+p; ctrl+n+n was what i had in mind though, looking at that cheat
465[08:43:01] <esm2> Ah, ^B-l looks like the command
466[08:43:43] <esm2> Oh, it's in the man page too! I was confused by the terminology 'previous window'
467[08:43:46] <ansimita> esm2: next time u check bindings with ^B-? :)
468[08:46:09] <esm2> OK, will do. I'm just new to it and needed a quick answer :)
495[09:52:52] <genr8_> Anyone have any experience with enabling the kernel option SMB Direct support (Experimental) = CIFS_SMB_DIRECT: Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1
596[12:06:47] <jhutchins> Eryn_1983_FL: You should probably be reading something like an install guide, but if it's an iso, you can simply dd/cp it to the raw device.
597[12:07:11] <Eryn_1983_FL> not debian just trying to burn a dvd in debian,
598[12:07:20] <Eryn_1983_FL> ill just do brasero i dont have good luck with dd...
630[12:44:06] <AnySomebody> Hi, does Debian 10 support the AMD R3-4300U? How can I find this out? I already learned it depends on what was backported into 4.19...
633[12:47:01] <ratrace> AnySomebody: you can use a newer kernel from buster-backports, if you need it; as for your question specifically, can't answer that.
655[13:05:29] <nvz> one way to know, is to boot the installer and see what happens :P
656[13:06:15] <genr8_> Vega 5 iGPU
657[13:07:07] <nvz> the only big thing I've heard of lately that plagues the install of stable on these modern machines is some unsupported pcie nvme disks.. as long as you can get installed the rest can be solved rather simply
658[13:07:18] <AnySomebody> Yeah, I'm indeed rather worried about the iGPU...
659[13:07:30] <genr8_> i remember them adding stuff like that into 4.20 "AMD Radeon Picasso + Raven2 support, and Vega20 enablement"
660[13:07:58] <another> 4300U is renoir
661[13:08:13] <AnySomebody> Now I'm wondering whether an iGPU isn't part of the CPU ;)
667[13:11:18] <genr8_> and 5.7/5.8 adds more fixes
668[13:13:56] <AnySomebody> Hum... after I advised her to use Debian and not to use the other distros she found on the internet maybe I have to tell her that Debian won't work out of the box and she maybe shouldn't use it... whereafter no distro is left +)
669[13:14:45] <AnySomebody> Is it hard for a newbie to use a newer kernel from the backports? Unfortunately I don't know too much about Debian...
671[13:15:52] <genr8_> it needs following instructions and typing commands, not clicking mouse buttons
672[13:15:57] <nvz> AnySomebody: its not terribly difficult and we could help with it. You can install, login, put something like irssi or weechat and screen or tmux on there.. come here and get help
678[13:16:57] <nvz> AnySomebody: in any case that being said, you'd probably want to use the firmware installer on a laptop or system with wifi to ensure you can get additional packages and to irc for support
696[13:23:38] <genr8_> or, if you're running a new device, consider yourself a beta tester.
697[13:23:52] <nvz> typically its better when dealing with inexperienced folk, that you do more than encourage, and if you're gonna make recommendation you do it for them
700[13:24:30] <nvz> afterall most people have no experience installing ANY operating system
701[13:25:04] <ratrace> linux was always for expert folks, by sheer virtue of contributions being done by people to scratch a particular itch, and not to make it super convenient for newbs, unless that scratches someone's itch, but historically hasn't been much of a case.
702[13:25:13] <genr8_> people also buy way too new hardware built for windows. terrible proprietary devices. thats not really their fault. the laptop industry is toxic, along with a ton of other tech
704[13:25:45] <genr8_> its always an uphill battle. the fact it works at all should not be taken for granted
705[13:26:08] <ratrace> ie. it requires reading and learning. no clicky-clicky-it-all-works; even with ubuntu clicky clicky works until it doesn't and then it's learning time!
706[13:26:11] <nvz> what I've always found disgusting is many lower end budget machines arent really even spec'd enough for the windows OS they put on it which I find downright criminal
707[13:27:22] <jarxv> Is there a snapshot of debian 4.4 kernel ??
708[13:27:53] <AnySomebody> Unfortunately I can only give support remotely... but yeah, maybe I could do this via ssh or whatever...
709[13:28:24] <nvz> AnySomebody: you could, yes, as the installer (in expert mode) has remote install over ssh capability
710[13:28:43] <nvz> AnySomebody: you may want to familiarize yourself with the process on your end first perhaps with a vm or something
711[13:29:32] <AnySomebody> True, if so I should have a look into it... on the other hand before I start such things I could install Arch for her, was easier for me...
712[13:29:36] <nvz> AnySomebody: however these sorts of things can sometimes also be difficult as they require more often than not forwarding ports through a residential router which varies significantly and is usually also beyond the skill of most users
713[13:30:07] <AnySomebody> Yes, this was the argument against doing a remote install so far... the work on her side
716[13:30:53] <nvz> some ISPs if you use their equipment make this a bit easier now using more advanced remote management of their gateway hardware.. comcast for example has Xfi which can be configured from your customer web portal or a mobile app
717[13:32:28] <genr8_> at the expense of them having total ownership of your device. pwnd.
720[13:33:13] <nvz> yeah.. though there are companies out there making similar software and I expect to see such things in more personally owned equipment in the future
723[13:34:12] <ratrace> nvz: looking at the installer now (I was coincidentally installing some VMs), but I can't find the ssh option in the expert mode
724[13:35:11] * nvz fires up a vm to see as its been awhile
725[13:35:12] <genr8_> i don't. I expect everything to be fully controlled by the corporation that makes it in the future. with the consumer having 0 agency over what software is being run.
726[13:35:44] <nvz> yeah well it is sad that what people want no longer seems to matter anymore
727[13:35:46] <genr8_> and as far as "put your own software on it" like DD_WRT, thats gonna be killed soon too.
734[13:37:48] <genr8_> yeah. itll just be "corporate tech" and open source wont be able to work unless the open hardware movement ramps up and gets to where open source is now.
735[13:37:56] <nvz> ratrace: seems after several clicks through the usual initial language stuff in the expert mode, you need to load installer components .. first usb-storage (when using thumbdrive or such) to load the "cdrom" then it gives you a larger list of installer components to load of which you need network-console in order to continue remotely using ssh
736[13:38:03] <genr8_> even then, it will be 10 years behind.
737[13:40:08] <AnySomebody> Well, and the politics in the EU is currently 20 years behind starting to fund open source stuff +)
739[13:40:48] <ratrace> nvz: blimey, that's not complicated at all :)
740[13:41:03] <AnySomebody> -stuff +software
741[13:41:13] <AnySomebody> Maybe they should start with open source hardware instead...
744[13:41:35] <nvz> ratrace: yeah it'll give you the information you need to proceed when you then detect network hardware, configure network, and choose the continue install remotely using SSH
751[13:43:37] <nvz> ratrace: I've only actually used it once that I recall
752[13:45:29] <ratrace> speaking of, does the kernel or some userland network stack have a problem with particular MAC addresses given to virtio NICs that are bound to taps on the host side?
753[13:45:55] <ratrace> because a windows VM has no issue with the same (made up) MAC given
754[13:46:05] <ratrace> "13:37:B0:0B:69:69" for example
755[13:46:59] * nvz shrugs
756[13:50:13] <ratrace> definitely does, because if I copy default virtio mac given, and change the last digits for example, all is well
757[13:51:10] <nvz> I've only ever done such things for vpn and usually didnt concern myself with such details
758[13:51:49] <nvz> had a SBC that was for some odd reason autogenerating its wifi's mac id.. and put a stop to that as it was annoying
759[13:52:55] <ratrace> well I want to force separate MACs for multiple VMs running on the same tap
824[14:37:42] <jaami_> nvz, the command did not work because it depends upon other package i guess. but fortunately, a little search gave hint about alacarte.
825[14:37:56] <jaami_> debian already has alacarte installed
826[14:38:13] <jaami_> its very easy way i actually needed exactly that
987[17:20:26] <Deknos> traefik can handle application routing with nomad and consol, can be used for k8s, has letsencrypt support with it (so you do not need extra stuff for letsencrypt).
988[17:20:29] <Deknos> it's pretty cool
989[17:20:51] <Deknos> sadly i am not very good at debian packaging.. and packaging go stuff seems even harder for me.
1034[18:12:17] <RoyK> Deknos: I'd guess it will be nice for low level traffic, but I somewhat doubt it'll be able to reach the performance levels of varnish ;)
1053[18:29:27] <Deknos> well, i don't know about that. it is used in multiple cloud environments. might be that varnish is a bit better on the throughput side but as far as i see, varnish also has not the same target audience as traefik
1127[19:05:40] <somiaj> Raito_Bezarius: My understanding is though debian is fairly sane in defaults, it won't be fully hardened by default, and if you have a security model that requires more hardening, you can edit the services in and place them in etc.
1128[19:05:54] <Raito_Bezarius> somiaj: yes, sure, I was wondering how much it was done by defaults
1129[19:06:07] <Raito_Bezarius> AFAIK, some of those hardening comes at no cost
1136[19:08:05] <somiaj> but if you feel some package could use to have that hardening at no cost to standard users, you can file a wishlist bug
1137[19:08:22] <Deknos> would be neat to have some debian packages which enforce certain settings
1138[19:08:35] <Raito_Bezarius> that's the kind of thing I wonder if it'd be nice to fund some people to go around and harden classical services
1139[19:08:48] <Raito_Bezarius> so that everyone's security increase "trivially"
1140[19:09:14] <somiaj> Deknos: There is no single security measure that fits all, one does need to assess their risk model. One should always analyze the services they want to use.
1141[19:10:24] <Raito_Bezarius> somiaj: sure, but I don't believe that something like a IRC client require to modify its own code in the RAM in general or to go change /etc/passwd :P
1142[19:10:27] <Deknos> somiaj, because of that i meant, let the NORMAL state be and create some ADDITIONAL packages where the people can decide what helps their risk model with "neat to have some debian packages which enforce..."
1143[19:10:40] <Raito_Bezarius> ah that'd make sense
1145[19:10:54] <Deknos> i certainly do NOT want to have that enforced per default for everything and everyone
1146[19:10:59] <Deknos> that would be just awful
1147[19:11:24] <somiaj> but anyone can report a wishlist bug if you think such a measure will improve a package, let the maintainer know (though you'll have to think about each package you want to harden this way)
1148[19:11:26] <Raito_Bezarius> to be fair, some NixOS services are hardened by default
1149[19:11:29] <cipherize> There are very few security controls that could qualify as truly one-size-fits-all.
1150[19:11:29] <Raito_Bezarius> with sane hardening
1151[19:11:39] <Raito_Bezarius> and I always try to lockdown as much as possible
1152[19:11:53] <Raito_Bezarius> opting-out of this is not really difficult
1153[19:11:57] <somiaj> and in most cases if it only increases local user security, this doesn't affect a lot of systems that don't have local users.
1154[19:11:59] <cipherize> Raito_Bezarius: Even on a system that just doesn't need that level of hardening?
1155[19:12:07] <Raito_Bezarius> cipherize: yes
1156[19:12:10] <cipherize> Raito_Bezarius: Why?
1157[19:12:19] <Raito_Bezarius> cipherize: well, this is the way people initially wrote those services
1158[19:12:25] <Raito_Bezarius> and I see it more and more in some services downstream
1159[19:12:36] <Raito_Bezarius> it creates little to no impact
1160[19:12:39] <Raito_Bezarius> so it's cheap ?
1161[19:12:45] <cipherize> Raito_Bezarius: You're treating every system as if they're all the same risk classification. The server hosting your lunch menu simply doesn't require the same level of effort/hardening as the system holding your financial documents.
1162[19:13:08] <Raito_Bezarius> if the effort is as simple as saying "enable nginx", I don't see really the problem
1163[19:13:19] <Raito_Bezarius> now, if it creates real issues, it's always possible to opt out
1164[19:13:39] <cipherize> Raito_Bezarius: Because it's not that simple. enable nginx -> configure nginx -> nginx isn't always compatible with web apps that expect Apache functionality, etc.
1165[19:13:55] <Raito_Bezarius> hmm, do you have examples?
1166[19:13:55] <cipherize> Raito_Bezarius: You're misrepresenting things in a way that makes your argument appear more favorable.
1167[19:14:14] <cipherize> Raito_Bezarius: Sure. Look at the effort required to run Wordpress on nginx.
1175[19:14:59] <Raito_Bezarius> running wordpress is as simple as services.wordpress.enable = true;
1176[19:15:05] <Raito_Bezarius> sure, it uses httpd behind
1177[19:15:07] <cipherize> Raito_Bezarius: And it will pull in Apache.
1179[19:15:14] <Deknos> and some php libraries
1180[19:15:21] <cipherize> Exactly. So your "just enable nginx" argument is disingenuous.
1181[19:15:24] <Raito_Bezarius> but nothing prevent someone to replace the httpd backend by a phpfpm + nginx thing
1182[19:15:29] <Raito_Bezarius> it's not that simple, true
1183[19:15:54] <Raito_Bezarius> but this problem generalize to arbitrary PHP applications afaik
1184[19:16:05] <cipherize> And now you're expending that level of effort without considering whether or not its WARRANTED based on the risk classification of the system/app in question.
1185[19:16:07] <Deknos> i agree with cipherize and somiaj that with security there's seldomly one fits for all, but there are possibilities to improve in debian and different possibilities to do that also..
1187[19:16:23] <cipherize> Raito_Bezarius: You've entered this discussion with the presupposition that NixOS does things the right way and that your argument is correct.
1196[19:17:06] <Raito_Bezarius> I ponder whether this is a thing which should be "generalized" to a certain extent
1197[19:17:17] <cipherize> Deknos: pam_cracklib for passwords, but that may negatively affect usability to an excessive degree for a system that accepts no external connections.
1198[19:17:33] <Raito_Bezarius> There are multiple levels/layers of hardening
1199[19:17:41] <cipherize> With Debian, the idea is to provide the basic components with which to build a system to one's requirements.
1200[19:17:44] <somiaj> Raito_Bezarius: also different oses have different goals, policy, user base. As the Universal Operating System, debian is going to have different goals than NixOS, so a comparison may not fully be appropriate.
1201[19:17:56] <Raito_Bezarius> somiaj: I'm not trying to draw a direct comparison
1202[19:18:02] <Deknos> cipherize, so you would deactivate spectre mitigations on systems where only trusted code is running and not connected to the web?
1203[19:18:06] <somiaj> so though yes it can be done, as if it fits the debian ecosystem, it might depend a lot on the package in question.
1204[19:18:07] <Deknos> as an counterexample?
1205[19:18:12] <cipherize> Deknos: Yes.
1206[19:18:39] <cipherize> Deknos: If the performance improvement is needed for that system to adequately perform its function. The benefit to the requirement would, in general, outweigh the neglible risk increase.
1207[19:18:48] <cipherize> negligible, rather
1208[19:18:49] <Deknos> then why does for example debian enable stack protections in their kernel?
1209[19:18:55] <Deknos> i mean that also costs performance.
1211[19:19:26] <cipherize> Deknos: I would hazard a guess that the overwhelming majority of Debian installations are 1. internet connected and 2. running at least some not-entirely-trusted code.
1212[19:19:49] <Deknos> cipherize, so... also enable spectre mitigations per standard on debian installations?
1213[19:20:14] <cipherize> Deknos: Given the performance impact, I'd leave that to the administrator of the system.
1214[19:20:19] <cipherize> Deknos: It's a question of impact vs. value.
1218[19:20:51] <cipherize> I do very little of importance on this host. IRC and a few other random things that aren't sensitive.
1219[19:20:56] <Deknos> yeah, and i think (per service) there are settings which should/could be enabled by default and sent as wishlist/bug to the maintainer
1222[19:21:29] <Raito_Bezarius> What's the expected level of proficiency of the average Debian sysadmin?
1223[19:21:31] <cipherize> You're being dishonest, if I can be frank. Your argument thus far has been "fully harden all the things without regard to risk."
1224[19:21:39] <Raito_Bezarius> What is risk here?
1225[19:21:45] <Raito_Bezarius> Does hardening thing create risks?
1226[19:21:59] <cipherize> Yes.
1227[19:22:03] <hmuller> any troubleshooting tips for an unresponsive tmux session?
1228[19:22:03] <Raito_Bezarius> What kind of risks?
1229[19:22:09] <cipherize> Availability IS a component of security.
1230[19:22:18] <nvz> hmuller: use screen
1231[19:22:21] * nvz hides
1232[19:22:26] <hmuller> lol
1233[19:22:28] <nvz> heh
1234[19:22:35] <cipherize> If the extent of hardening creates the possibility that the system becomes unavailable when needed, then you've harmed your security posture in one way to benefit another.
1235[19:22:37] <Raito_Bezarius> cipherize: does your concept of security takes in account the business security or something?
1236[19:22:50] <cipherize> Raito_Bezarius: No, my concept of security is literally the textbook definition used the world over.
1242[19:23:27] <Deknos> i agree with that.
1243[19:23:29] <cipherize> It's always a balancing act.
1244[19:23:32] <Raito_Bezarius> I agree that hardening can create risk
1245[19:23:33] <Deknos> i has to make sense.
1246[19:23:37] <Deknos> it*
1247[19:23:38] <Raito_Bezarius> But I feel like there is a balance and low hanging fruits
1248[19:23:41] <Raito_Bezarius> In hardening stuff
1249[19:23:43] <nvz> hmuller: I'd maybe try strace and also see if by any other means I could deduce if its the session or just a process inside it causing the problem
1250[19:23:44] <cipherize> You're being dishonest again.
1272[19:26:09] <Raito_Bezarius> I'm not trying to convince you of something cipherize
1273[19:26:14] <Raito_Bezarius> I'm trying to understand your point of view
1274[19:26:36] <Raito_Bezarius> I don't think I had goal post from the start, I tried to expose my view and get educated, if what I said does not make any sense
1275[19:26:39] <cipherize> Raito_Bezarius: I've made it quite clear. Maximum hardening is a bad default course of action.
1276[19:26:53] <hmuller> nvz: and it has nothing to do with Ctrl-x, I'm thinking of taking screen for a spin =)
1277[19:26:59] <Deknos> Raito_Bezarius, you should read about risk management, then you would understand his/her viewpoint
1278[19:27:02] <hmuller> Ctrl-s
1279[19:27:02] <nvz> hmuller: hmm.. well the only thing I can think of is that there is some kinda terminal character that locks up a screen regardless if you're multiplexing or not
1280[19:27:03] <cipherize> Consider the actual risks to the system. If this host gets compromised, fine. I'll just blow it away and redeploy from a new template.
1281[19:27:34] <nvz> hmuller: you could try ^q or the control char and ^q I think it is that usually terminates this
1282[19:27:46] <hmuller> nvz: yeah, already did that
1283[19:27:46] <cipherize> The worst case scenario for this system is that someone has a joyride on my IRC nick and gets me booted from a few channels.
1284[19:27:47] <Deknos> none the less, i like that feature.
1285[19:28:19] <Deknos> cipherize, well no, the person could post childpornography and you end up in some investigation
1286[19:28:31] <Deknos> identity theft could be hefty if it is an targeted attack at you
1287[19:28:51] <cipherize> Deknos: That's not really a risk, though. Identity theft is annoying, but fairly easily resolved. I've had it happen, it was hardly consequential.
1288[19:29:10] <cipherize> Deknos: And if someone posts CP from this host, I'm happy to land them behind bars from a moral perspective.
1289[19:29:20] <nvz> hmuller: all I know is that tmux has more features than screen and that it could stand to reason that perhaps in a multiplexer the particular window you're on, whatever is running in that is what locked up and is making the whole session seem locked up
1290[19:29:21] <Deknos> cipherize, first you would have to prove it was not you.
1291[19:29:29] <Raito_Bezarius> Deknos: I actually read about risk management; maybe I misexplained my view but I said "maximum hardening under constraints", which is not the same as "maximum hardening", now, I agree that hardening can itself introduce bugs
1293[19:29:36] <cipherize> Deknos: Incorrect. I live in the US. Law enforcement would have to prove that is IS me.
1294[19:29:42] <Deknos> that could be quite hard, depending on the case
1295[19:29:52] <Raito_Bezarius> but on a desktop, I actually don't want that firefox access to other stuff that its folder and downloads folder for instance
1296[19:30:02] <nvz> hmuller: if that particular program frozen on the screen is something you could stand to lose, if nothing else perhaps killing what you see frozen might get things moving again
1297[19:30:05] <Deknos> you are quite confident in your law enforcement. i do not share that sentiment :D
1298[19:30:06] <Raito_Bezarius> and more generally, that applies to most of the software I use
1299[19:30:24] <Raito_Bezarius> cipherize: well, you're lucky; in France, identity theft creates a lot of issue
1300[19:30:35] <nvz> hmuller: but if I were gonna start stracing I'd start first with looking at that process.. and perhaps its state in htop/ps output
1301[19:30:39] <cipherize> Deknos: You're welcome to your feelings on the matter. I'm happy to cooperate with law enforcement in such cases. Just dump my full system logs and hand it over. Go to town.
1302[19:30:40] <Raito_Bezarius> and it can take up to 10 years to resolve it correctly
1303[19:31:01] <nvz> hmuller: usually when shtf runnin htop and looking at the machines vitals and whats using the most resources is my first step
1304[19:31:02] <Deknos> i want firefox to have access to those folders when i want to upload something. that was always quite troublesome, when firefox is hardened too much
1305[19:31:03] <cipherize> Raito_Bezarius: For me, it was a simple matter of reporting it to the police and keeping the police report on hand. The occasional phone call or email and issues were promptly resolved.
1306[19:31:23] <Raito_Bezarius> Deknos: my folders where I want to upload stuff are more than often correctly identified, so it works more or less fine
1307[19:31:24] <hmuller> nvz: yeah, i just killed the session. I'll give that a look the next time it freezes
1308[19:31:33] <Deknos> cipherize, they could still argue you falsified that logs to protect yourself :)
1309[19:31:38] <Raito_Bezarius> but I have documents that I want to assume that no soft will exfiltrate
1310[19:31:41] <cipherize> Deknos: And then they'd have to prove it.
1318[19:32:43] <cipherize> Anyway, this conversation has long since gone off the rails in terms of what's topical for this channel.
1319[19:32:44] <hmuller> nvz:^^^
1320[19:32:47] <Raito_Bezarius> cipherize: in France, reporting it to police is not enough; you have to prove a lot of things and even those proofs are somewhat disregarded and you have to wait for a court to rule on your case… which makes you unable meanwhile to perform a lot of actions
1321[19:32:47] <Deknos> they have to prove that it originated from your computer/VM and ignore the other stuff. such stuff has happened. but ymmv
1323[19:32:55] <Raito_Bezarius> Thanks for your point of view cipherize
1324[19:33:09] <cipherize> Raito_Bezarius: That's France's problem, not mine. Innocence until proven guilty beyond a reasonable doubt is quite a powerful legal standard.
1325[19:33:45] <nvz> hmuller: ssh is tcp, which means it has to synchronize.. and can timeout.. and ssh has no means of dealing with or monitoring lag for the most part
1326[19:33:53] <Raito_Bezarius> It's more complex than that, but let's not get into this
1327[19:33:55] <cipherize> mosh is a godsend.
1328[19:34:29] <cipherize> The only whine I have about mosh is that it doesn't gracefully handle IP stack changes. If your original connection is via IPv4 and you transition to a network that's dual-stack, you get stuck.
1330[19:34:44] <nvz> hmuller: mosh is a solution.. it connects over tcp via ssh then establishes a mosh udp connection which is immune to everything from lag to network hops, and it monitors for lag.. notifies you when its lost contact and continues to echo locally even when its not echoing back from the server
1338[19:39:43] <nvz> I just used a single port but thats probably why I could only have one mosh connection and why I had to ssh in and killall mosh-server if I somehow lost that connection by like killing the client while I was not in contact with the server
1339[19:40:30] <nvz> but I run most everything on non standard ports to minimize abuse
1340[19:41:11] <nvz> in my experience anytime you run ssh on default port you get people always trying random crap :P
1345[19:44:58] <cipherize> As long as we all understand that changing default ports is NOT a security measure.
1346[19:45:47] <genr8_> it helps
1347[19:46:37] <cipherize> Not really. Just helps minimize log spam. Remember that god knows how many bots are portscanning the internet. See also 'shodan.'
1348[19:46:39] <yanmaani> What to use for mobipocket ebooks (.mobi) on Linux?
1349[19:46:47] <yanmaani> No DRM. Not using KDE.
1350[19:46:54] <nvz> yes it does help minimize the spam in logs from random idiots
1366[19:50:04] <cipherize> genr8_: But hey, if being condescending because someone disagrees with you is how you find happiness, rock on.
1367[19:50:05] <genr8_> mine tells me the opposite
1368[19:50:07] <hmuller> nvz: I believe I may have tracked the problem to low current on usb. I have 2 commands frozen in uninterruptible sleep on the target. both commands are targeting an external usb hard drive.
1369[19:50:20] <cipherize> genr8_: I strongly doubt that.
1370[19:50:26] <genr8_> im over this.
1371[19:50:39] <hmuller> nvz: going to increase current to usb and see if I still have problems.
1375[19:52:46] <b_jonas> Xorg doesn't load the intel driver for me. I suspect the problem is that this CPU is too new, and the intel driver in debian 10 doesn't yet support it. So I'll have to look for how to install a newer driver.
1397[19:59:03] <somiaj> hyiltiz: they just seem to be links, I don't have ooffice, but all the others point to the same binary
1398[19:59:06] <hyiltiz> not the reason; what's the difference?
1399[19:59:17] <hyiltiz> they are not links; they are individual binaries with different size
1400[19:59:21] <timur_davletshin> hyiltiz, no difference.
1401[19:59:27] <somiaj> hyiltiz: mostly just name changes, libreoffice is a fork of openoffice which was an open sourced version of star office (based on the old wordstar)
1402[19:59:39] <somiaj> hyiltiz: what version of debian are you running?
1403[19:59:48] <timur_davletshin> hyiltiz, they're symlinks, check ls -l /usr/bin/*office
1404[20:00:15] <somiaj> well loffice isn't a link, it is a shell script that does the same thing as a link
1405[20:00:23] <somiaj> at least here on debian 10
1408[20:00:47] <hyiltiz> loffice and soffice are independent binaries tho
1409[20:01:04] <hyiltiz> oh really; never really tried to open it
1410[20:01:19] <somiaj> hyiltiz: loffice is a shell script that runs /lib/libreoffice/program/soffice "$@"
1411[20:01:26] <hyiltiz> just saw that thx
1412[20:01:34] <hyiltiz> so they are literally the same thing...
1413[20:01:57] <somiaj> hyiltiz: anyways, they are just backwards compatibility. Seems in all of the changing from staroffice (soffice) to open office to libre office, the actual binary never changed its name from soffice, and the other names were just links
1414[20:02:43] <b_jonas> yeah. the ooffice command used to work too, and I used to run that, but there's no such symlink anymore.
1415[20:03:02] <timur_davletshin> Libreoffice has a lot of old crap for compatibility. Like using star office font names in templates or providing soffice binary. Both fonts and even StarOffice file format are no longer supported.
1416[20:03:05] <somiaj> maybe hyiltiz has an older version of debian, or some older package that installed ooffice, but I don't have that any more either.
1417[20:03:45] <hyiltiz> No I didn't have ooffice binary; I was checking firejail profiles for libreoffice and found ooffice as well
1418[20:03:57] <hyiltiz> but i had no office binary so that profile did nothing
1446[20:22:43] <somiaj> tmux is another alternative that many like as well.
1447[20:23:18] <nvz> we were speaking of tmux, which they already use
1448[20:23:20] <somiaj> I switched from tmux from screen, mostly as I find it 'more modern' for whatever that means (screen is good, but hasn't changed much in years, which for many is what they like)
1449[20:23:24] <somiaj> ahh
1450[20:23:33] <somiaj> *switched to tmux from screen
1452[20:25:22] <hmuller> I thought I was having a tmux issue, but it looks like the ARM64 SBC I had ssh'd into needed to increase power to USB (for an external hard drive).
1453[20:25:56] <hmuller> I had two uninterruptible processes, both were performing commands on the usb external hard drive.
1468[20:38:16] <dostoyevsky> how can it be that I can do `apt install rxvt' but I can't ping 8.8.8.8 and "curl replaced-url
1469[20:39:06] <somiaj> was the cwd that tmux was run in on this usb drive, I don't see screen acting any better. Though if it is a bug, tmux development is fairly active and would be interested
1470[20:39:56] <somiaj> dostoyevsky: is apt using a proxy?
1471[20:40:12] <somiaj> dostoyevsky: could be some firewall issue on your network not giving you full access to the internet
1472[20:40:51] <somiaj> dostoyevsky: also maybe check out ap route, are your routes for all traffic reasonable?
1473[20:41:11] <dostoyevsky> somiaj: It's so odd it happens when building a docker container...
1474[20:41:22] <dostoyevsky> (which built fine many times)
1476[20:41:36] <somiaj> maybe something changed with how the docker container attaches to the network.
1477[20:42:00] <somiaj> but sounds like a routing/firewall issue. I don't know enough to be of any real help, maybe ##networking could give some pointers if no one else here joins in
1478[20:43:41] <dostoyevsky> where would one configure a proxy for apt?
1479[20:44:01] <somiaj> what are your sources? can you ping deb.debian.org for instance?
1482[20:44:52] <dostoyevsky> Destination Net Unreachable
1483[20:45:05] <somiaj> it could be something docker is doing, but looks like you can configure it in /etc/apt/apt.conf.d/ and the file is probably named proxy.conf but doesn't have to be; look for Acquire::http::Proxy and Acquire::https::Proxy
1484[20:45:16] <somiaj> dostoyevsky: what do your sources.list say your sources are?
1495[20:49:32] <somiaj> sounds like you have some issue with your networking in your container, but I don't know docker or networking details enough to give much more info than that.
1496[20:49:51] <dostoyevsky> # apt update # -> All packages are up to date.
1506[20:52:58] <somiaj> dostoyevsky: well I just made noise, seems you did all the work. Things working fine now?
1507[20:54:07] <dostoyevsky> somiaj: Nope... but I can see I can curl certain urls and for others I get Destination net unreachable... so must be some firewall setting
1508[20:54:35] <somiaj> traceroute help?
1509[20:55:26] <dostoyevsky> somiaj: I got to ask my brother about this mac here... so not really related to debian any more
1602[22:27:38] <HelloShitty> Hello guys. I need some urgent help. My laptop is complaining about free space running out. Are there any tools I can use to check which folders have more used space and try to see if I can delete any content
1644[22:35:26] <sponix> HelloShitty: Yes, I would guess your machine is the victim of brute force ssh attempts repeating over and over trying to break in
1663[22:38:31] <sponix> It can be done at the rig, at the router, or both
1665[22:39:27] <sponix> I also use "fail2ban" that uses iptables/netfilter/nftables or whatever to BLOCK access to anything attempting more than a few times
1672[22:43:19] <sponix> Yeah, it requires a little setup. swapping the port to something other than the default of 22 is editing one line in /etc/ssh/sshd_config and restarting it
1686[22:48:19] <sponix> HelloShitty: well it is easy to do the port thing, still use it, and it keeps _most_ of the attackers away. That takes less than 5 minutes and next to no effort
1687[22:48:55] <HelloShitty> but that's for someone used to mess with that stuff, which is not my case, sponix
1688[22:49:12] <LtL> HelloShitty: change port and use keys! don't lock yourself out.
1689[22:49:25] <HelloShitty> yeah, need to investigate a bit about this
1690[22:49:27] <karlpinc> Or turn off sshd (systemctl stop sshd ;systemctl disable sshd) and then start it (systemctl start sshd) when you need it. (Of course, once you're remote you can't reach the box to start it.)
1691[22:49:33] <sponix> LtL: Key auth only is GREAT, but hell just the port is a big step
1692[22:49:45] <LtL> very true
1693[22:50:03] <karlpinc> Key auth. But that won't stop the cracking attempts.
1694[22:50:08] <HelloShitty> gonna check which port is in sshd_config
1695[22:50:14] <sponix> HelloShitty: run that stop, sudo nano /etc/ssh/sshd_config and change the port from 22 to something else. then run the start command he listed -- done
1696[22:50:31] <sponix> HelloShitty: I already told you, it defaults to 22 :)
1697[22:50:35] <karlpinc> HelloShitty: But don't "disable" or it won't start at boot.
1698[22:50:36] <HelloShitty> I'm almost sure 22 is not the port being used
1699[22:50:41] <HelloShitty> I always change it
1700[22:50:43] <LtL> karlpinc: no it won't, the port change reduces attempts by 90+ per cent
1701[22:50:47] <HelloShitty> But I'll double check
1702[22:51:02] <sponix> HelloShitty: you wouldn't be getting that many hits if it was on a good alt port IMHO
1703[22:51:13] <sponix> Not enough to have a 22GB auth.log LOL
1704[22:51:44] <karlpinc> LtL: I use pf on openbsd to rate-limit and block such cracking.
1705[22:51:55] <HelloShitty> yeah, port is not 22
1706[22:52:02] <sponix> HelloShitty: Wow
1707[22:52:03] <karlpinc> LtL: Something centralized is "best".
1708[22:52:17] <sponix> karlpinc: I do fail2ban for similar on Linux
1709[22:52:22] <HelloShitty> sponix: what you mean "Wow"?
1710[22:52:45] <sponix> HelloShitty: I just suspected you were Wrong, and it was actually on port 22 anyway
1733[22:59:13] <sponix> karlpinc: I'm gonna have to run lsof | wc -l to see how many thousands of lines that produces on my rig... I ran just lsof and it just now finished
1734[22:59:37] <HelloShitty> sponix: yeah, here too. I just cancelled it
1735[22:59:47] <HelloShitty> gonna change the port and restart the service
1736[23:00:22] <sponix> HelloShitty: I gotta take the wife to work, but after I can walk you through fail2ban if you like
1737[23:00:40] <sponix> I only use it on my ssh, but should be putting it into place for my apache also
1738[23:01:00] <HelloShitty> I would appreciate sir. Thank you sponix
1739[23:01:05] <karlpinc> If I enable debian on my chromebook can I cut-and-paste with the mouse out of the linux side and into the chromebook side? I forget.
1740[23:01:06] <HelloShitty> I'll be around for probably 2 more hours
1741[23:01:37] <sponix> I will be gone for less than 20 minutes
1742[23:01:59] <HelloShitty> I have no idea karlpinc ... What I know is that I also have lots of problems using copy/paste from host to VMs and from terminal windows to other places
1743[23:02:03] <HelloShitty> etc
1744[23:02:07] <karlpinc> I'm trying to get Microsoft Teams invitation urls sent by email off my imap server onto the chromebook where I will try to use MS teams.
1745[23:02:18] <HelloShitty> ok, I'll be around sponix
1746[23:02:36] <karlpinc> I suppose I could put a dirt-simple web email interface on my imap box. Any recommendations?
1747[23:03:02] <karlpinc> (I've resisted a web email interface for years....)
1748[23:03:23] <karlpinc> There's always a flash drive. But that's annoying.
1757[23:06:19] <karlpinc> I guess the first step is to try MS Teams on the chromebook. It won't seem to run at all reliably using chromium on an Asus Aspire One running Debian. (Not too surprising, given how slow the box is. But still, a little strange.)
1761[23:09:13] <karlpinc> sqwebmail (courier webmail) seems to use the local mailboxes in Maildir format. (?) Which means accessing the box with a Unix-level password rather than the imap password. (yes?) I want to go through imap (or pop, if I had to).
1763[23:10:37] <karlpinc> I bet emacs on the chromebook would work. :) Then all I need to do is be able to cut-and-paste between the Linux side and the chromebook side.
1764[23:10:48] * karlpinc wonders if emacs is in the app store
1766[23:12:53] <karlpinc> Interesting. emacs is in the app store. But it does not seem to be maintained. (And who knows if it has the full emacs network access etc.)
1767[23:13:54] * sponix wonders why anyone would punish themselves with emacs when vi exists
1768[23:14:03] <sponix> HelloShitty: Welcome back
1769[23:14:22] <HelloShitty> I'm here
1770[23:14:50] <HelloShitty> But I'm getting here an error but it's not related to lack of disk space. Because now I have some free space and the error is still coming up
1771[23:14:56] <HelloShitty> but this is another matter
1772[23:15:08] <HelloShitty> I think it might be related to some irssi plugin I'm using
1773[23:15:31] <HelloShitty> Because the error is showing up on status window and also in one of my plugins window
1774[23:15:39] <HelloShitty> anyway
1775[23:16:48] <HelloShitty> I'll be around waiting for you
1826[23:32:26] <HelloShitty> I remember I checked the first time this happened to me
1827[23:33:10] <HelloShitty> I tried to repeat the ssh login to port 22 like 50 times the fastest I could but no log in that auth.log file I just created
1829[23:33:17] <sponix> HelloShitty: So, do you want to just ride with this alt port in place for a bit and see if you are good. Or do you want to install and configure fail2ban also ?
1831[23:33:38] <HelloShitty> Let's see for how long this stays quiet
1832[23:33:52] <HelloShitty> tomorrow I'll check again
1833[23:34:02] <sponix> HelloShitty: systemctl restart sshd
1834[23:34:12] <HelloShitty> oki
1835[23:34:14] <sponix> HelloShitty: see if that works, I know very little of systemd
1836[23:34:23] <sponix> If it fails, I will have to google it lol
1856[23:39:12] <genr8_> the person named cipherize did not agree with the practice, and I was pointing out that it is in fact a useful practice by your real world example, not 1 hour later
1857[23:39:15] <HelloShitty> make no output in auth.log
1858[23:39:46] <HelloShitty> sponix: aut.log was a typo here
1859[23:39:53] <sponix> HelloShitty: the "syslogd" or rsyslog or whatever might need a respawn also... So a reboot might work
1860[23:40:09] <HelloShitty> reboot laptop?
1861[23:40:25] <sponix> HelloShitty: might want to "cd /var/log" and "ls -l" to see that the user:group and permissions are correct
1862[23:40:45] <sponix> genr8_: I do a LOT of things people don't agree with, that just WORK despite what they say LOL
1863[23:41:51] <HelloShitty> most of the files in /var/log/ are owned by root
1864[23:42:18] <sponix> HelloShitty: and the new auth.log that you did "touch /var/log/auth.log" with ? you ran that command as root, correct ?