26[00:13:41] <teclo-> corey1: well, the best language to start learning programming is Pascal. The Pascal language was created to teach people structured programming
27[00:13:53] <greycat> Pbbbbt.
28[00:14:28] <greycat> Esperanto was "created" to be a universal language for humans, but that doesn't make it the best one to communicate with humans.
29[00:14:54] <teclo-> evening greycat :)
30[00:15:11] <teclo-> greycat: well Pascal is the best language to teach people programming
31[00:15:19] <teclo-> I mean, as a first language
32[00:15:33] <greycat> A language that can't even open files by name?
33[00:15:36] <teclo-> then later, one can learn C or C++ or Java or Python
34[00:15:59] <greycat> Which means every implementation bolts on their own unique special-snowflake way to open files, incompatible with every other pascal...
35[00:16:14] <teclo-> well file management in Pascal is indeed a problem, Niklaus Wirth didn't make an effort on that
36[00:16:29] <teclo-> greycat: well I was gonna say "It depends on th eim
37[00:16:34] <teclo-> greycat: well I was gonna say "It depends on the implementation"
38[00:16:47] <greycat> I'd say Tcl and Pascal are both excellent first languages, but people will yell if you suggest Tcl because it's not "popular" enough.
40[00:17:12] <abrotman> teclo-: as someone who learned in Pascal, I would agree if it were 1990 .. Python is better at this point
42[00:17:49] <abrotman> Pascal has some interesting features, but so does Ada .. Neither have much practical use today (Ada more than Pascal, but still ... )
43[00:17:56] <greycat> sorry, I mistyped there, badly.
44[00:18:00] <greycat> I'd say Tcl and Python are both excellent first languages, but people will yell if you suggest Tcl because it's not "popular" enough.
45[00:18:31] <jhutchins> I thought lisp was the one created to teach programming.
47[00:18:37] <sney> if you're going to start on a language that isn't used by anything in the real world, you may as well shoot the moon and lock yourself in a room with SICP for a year
48[00:18:48] <greycat> LISP is a little too academic
49[00:18:53] <jhutchins> teclo-: They know a lot more about good programming practices than they did when pascal was developed.
59[00:20:20] <abrotman> There are lots of beginner docs for Python, and it's a reasonably extensible language
60[00:20:28] <greycat> Tcl and Python are both good, both are in use in the real world, both have an *imperative* syntax which is how people should start learning....
61[00:20:51] <jhutchins> abrotman: Ever done RPG?
62[00:20:53] <teclo-> well it's better to start leaning an imperative language
64[00:20:57] <teclo-> learning*
65[00:21:13] <abrotman> jhutchins: yes, sadly
66[00:21:21] <teclo-> and when you know 2 or 3 imperative languages, then you can learn functional programming
67[00:21:23] <greycat> Pascal isn't the worst choice, to be sure.
68[00:21:33] <abrotman> jhutchins: RPG IV. XEDIT is the most infuriating editor I've ever used
69[00:21:49] * abrotman might still have a book around here somewhere
70[00:21:50] <jhutchins> abrotman: You know it's a software abstraction of the programming patch boards for card sorting machines?
71[00:22:04] <abrotman> yeah :(
72[00:22:38] <jhutchins> I thought it was fun, but all I had to do was pass the course.
108[00:40:12] <H-var> will debian become faster in any way, if I switch to the testing update channel?
109[00:40:20] <H-var> I have a 2008 PC
110[00:40:33] <n4dir> no
111[00:40:35] <sponix> H-var: nope
112[00:40:48] <H-var> H-var: Yes
113[00:41:04] <H-var> thanks, H-var. That's all I needed to know.
114[00:41:20] <H-var> np
115[00:41:25] <sney> depends on what programs you're using, sometimes newer versions have efficiency improvements. but mostly it will be just as fast as stable
116[00:41:33] <n4dir> without any proof it *seems* to me that systemd isn't outstanding resource friendly. 2008 should (?) be able to handle it though, i think
121[00:43:02] <n4dir> i guess you did check if abiword and claws-mail work any better ? web-browsers are not really with an alternative, if you want the web as is
122[00:43:17] <n4dir> i use falkon, and it is slightly ! less resource intensive, it seems
123[00:43:22] <H-var> but I have to say the laptop is flying, man, even when I have all of them opened simultaneously, 4GB ram, 1.4GHz Celeron
124[00:43:23] <sponix> in general software tends to just get heavier over time. so I think going to a newer software channel with the expectation of a software speed-up isn't very realistic
125[00:43:51] <H-var> my ram rarely shows anything close to 40%, and swap is literally never ever touched
126[00:44:28] <n4dir> get yourself a Pentium 4. Or like that. Big fun.
127[00:44:38] <greycat> With a 12-year-old PC, upgrading to a newer release runs the risk of losing video chipset support, in some cases.
128[00:44:44] <H-var> on the other hand, lol, windows 10 was constantly crashing due to ram, and on windows 7 I couldn't open more than 1 tab on firefox, and everything else had to be closed
129[00:44:54] <H-var> otherwise, firefox would crash all the time
130[00:45:10] <greycat> Or maybe 12 years isn't quite old enough to have to worry about that, I dunno.
131[00:45:39] <H-var> I tried sylpheed but the problem I have with it is that its spam filter sucks
132[00:45:42] <n4dir> i sure had more than one machine that old or way older. But most of them had intel graphics. That said i didn't run in any problems
133[00:46:02] <H-var> firefox's anti-spam is amazing, and super precise
134[00:46:09] <H-var> sorry thunderbird's
135[00:46:14] <n4dir> probably i simply got used to lousy graphics :-)
147[00:59:22] <H-var> thunderbird is really the best on windows indeed, but on linux there are some major issues with it, even the most basic stuff, like the lack of translation packs, or weird bugs which existed since 2015 (I googled), like for example a bug that makes you send a letter twice, even though you sent it only once, etc
148[01:00:09] <H-var> it's kinda just a mess, and feels more like a lousy windows port than an actual program
149[01:02:32] <sney> a non-enterprise gui email program is kind of a weird thing in 2020, I wouldn't be surprised if mozilla dropped it entirely in the next while
150[01:02:42] <H-var> it's really weird to me that linux has always been the best option when you talk networking, but then at the same time, it lacks such a basic thing as an advanced mail client - all of the clients available for free on linux are inferior to their analogs on windows, and that's just not right man
160[01:10:07] <sney> quadrathoch2: really just that the Average User who isn't at a business with a built-in IT infrastructure is usually going to use a web browser for email. standalone pop3/imap clients have been diminishing in popularity for years.
161[01:10:35] <jmcnaught> Earlier I asked about moving /boot and /boot/efi from one drive to another. I recreated the two filesystems, copied the files, updated /etc/fstab, but I was unable to mount the new ESP at /boot/efi. After a netinst rescue mode boot I was able to run update-grub in a chroot. Debian is now booting from the new drive.
162[01:10:44] <derpadmin> sney, which is a shame
163[01:10:59] <H-var> n4dir abiword is interesting, but it lacks spreadsheets, and other stuff - it's just literally word, and that's it
164[01:10:59] <sney> I'm sure if/when mozilla drops thunderbird, someone else will pick it up and maintain it, and ofc stuff like mutt will always be around, but you know
167[01:12:05] <derpadmin> sney, there is k9 on mobile, I use kmail on kde (not sure if thunderbird based though)
168[01:12:09] <quadrathoch2> sney, yeah I am still looking around for a good email client (gui, gtk based). mutt is great, but for me rather only the backup plan
169[01:12:39] <jmcnaught> evolution?
170[01:13:05] <lnxslck> thunderbird?
171[01:13:30] <quadrathoch2> is evolution a suite (in the direction of outlook)
172[01:13:36] <quadrathoch2> ?
183[01:16:53] <quadrathoch2> and afaik they are using a nonstandard compliant imap, but can't remember if it still is
184[01:17:55] <H-var> sney I don't have to do anything - on thunderbird I just entered my login, and then thunderbird put me through oauth2 process and next moment I was already connected
185[01:18:03] <jmcnaught> rander2: can you make a paste of "apt policy ruby-http-parser.rb ruby-http-parser ; apt policy" ?
224[01:46:45] <HelloShitty> [5688:1124/004550.619791:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/psysc0rpi0n/Downloads/spark-wallet-0.2.17-linux-x64/chrome-sandbox is owned by root and has mode 4755.
271[02:25:24] <scrul00se> HelloShitty: If you want to make it work without giving SUID root to some third-party binary, there's a workaround for that too replaced-url
518[07:19:25] <uplime> if I want to specify that an interface in /etc/network/interfaces should only get an ipv4 address from dhcp, and not an ipv6 address, is there a directive I can use? I looked on google, but the closest thing i could find was disabling it via sysctl
543[07:39:59] <sney> uplime: see interfaces(5), if you don't have 'inet6' specified then ifupdown will not get you an ipv6 address, via dhcpv6 or anything else. but link-local stuff still happens in the background.
544[07:40:58] <sney> since squeeze, we're supposed to be able to disable ipv6 at boot by adding 'ipv6.disable=1' to the kernel command line. I haven't tried it though.
545[07:46:10] <uplime> ah, that makes sense. link-local is probably what im seeing then
546[07:46:22] <uplime> i disabled it with the sysctls though so problem solved anyways
547[07:46:28] <uplime> thanks for the info sney
548[07:48:16] <sney> np
573[08:12:21] <tohoyn> I get the following error message: "dh_autoreconf: error: debhelper compat level specified both in debian/compat and via build-dependency on debhelper-compat" even though I have removed debian/compat
574[08:12:43] <tohoyn> I use gbp buildpackage and sbuild
576[08:13:23] <themill> sounds like you've not actually removed debian/compat
577[08:13:55] <tohoyn> debian/compat is not present in the directory tree
578[08:14:03] <themill> deleted but not committed perhaps?
579[08:14:12] <tohoyn> and it is not present in the generated ...*.debian.tar.xz
580[08:14:36] <tohoyn> the deletion is committed. I just checked
581[08:15:31] <tohoyn> I'm running the build command again
597[08:29:22] <themill> tohoyn: do you have something in debian/rules that is specifying the compat? (DH_COMPAT is the environment variable from memory)
672[10:06:49] <Lope> is there a way to run my systemd service at shutdown (ExecStop) Before blkdeactivate? is there some proper name for blkdeactivate? I see blkdeactivate in my verbose previous shutdown journal
802[11:37:57] <ksk> Rob_Jones: you need to actually make the directory where you chroot to have all the things needed (tm)
803[11:38:14] <ksk> !chroot
804[11:38:14] <dpkg> To chroot into your Debian system boot to your Debian install disk/live CD, switch to the other console (Alt-F2). Mount your root filesystem with "mount -t ext2 /dev/whatever /target" and make /dev, /proc and /sys usable with "mount --rbind --make-rslave /dev /target/dev ; mount -t proc none /target/proc ; mount -t sysfs none /target/sys". You can then chroot into the system with "chroot /target".
810[11:39:22] <Rob_Jones> was gunna say that makes no sense
811[11:39:23] <ksk> If you call chroot(), you change the root directory ("/") of the processes running from that point on, meaning /var/projects/public_html becomes / for the user logging into (s)ftp.
812[11:39:28] <Rob_Jones> but the directory does exist
813[11:40:03] <ksk> this means, that things that normally are provided by your Debian Linux system (Like the Shell, /bin/sh), and other stuff(tm), need to be there
814[11:40:05] <Rob_Jones> chroot does sort of work now except i get this
815[11:40:15] <Rob_Jones> /bin/sh: No such file or directory
816[11:40:37] <ksk> I did read that, and am already responding to it with my last three postings.
901[12:53:34] <L0aD1nG> I would like to tell you a weird situation that i've experienced installing Debian 10 on an old asus netbook, the bios had not an option about legacy/uefi (i didn't know if the netbook supports uefi). The bootable usb stick was booting in both modes mainly in uefi i tried to install it on uefi mode, the installation was going smoothly until it was arriving in grub then the installer was crashing and even
902[12:53:36] <L0aD1nG> the netbook was crashing i wasn't able to power it off via the power button i was unplugging the AC. Finally i booted it from usb until it gave me bios mode (legacy) and i installed it.
916[13:04:46] <f-a> not strictly a debian question but… when I connect to an ssh server, now and then I lose connection. On my client, my screen freezes and I have to kill the pane, open a new one, restart ssh
917[13:04:59] <f-a> what is a sensible way to achieve persistency? tmux on the server machine?
943[13:14:24] <L0aD1nG> now debian is up i am on the terminal (didnt install any graphics with the installer) and i see that i miss the ifconfig command...
944[13:14:39] <f-a> oxek: super idea
945[13:15:17] <oxek> f-a: and look up theming for tmux, so that you get different colors on client & server
947[13:21:25] <rootkea> Hi! I have a question regarding libinput. I installed Debian 10.6.0 on 3 machines - Dell Inspiron, Acer Aspire and Lenovo Ideapad and each time I had to copy /usr/share/X11/xorg.conf.d/40-libinput.conf to /etc/X11/xorg.conf.d/ as suggested here replaced-url
948[13:21:26] <rootkea> libinput?
1027[14:35:41] <EdePopede> just downloaded a pdf i'm afraid to open. already made qpdfview use 50% right from the start, unable to kill -15 it (60% RAM instead, and then 70% CPU), had to -9. pdf2ps also goes mad, at least -15 worked.
1028[14:35:51] <EdePopede> can i extract individual pages at least somehow?
1045[14:43:34] <EdePopede> i think i'll install poppler-utils and run some checks on the PDF later, our local trash calendar is a horror to open already, but this one really tops it.
1048[14:44:18] <shtrb> could it have some JS or network resource inside it ?
1049[14:44:19] <rootkea> Hi! To fix "user is not in the sudoers file" I read 2 solutions 1. visudo (editing sudoers file) 2. add user to sudo group. What's the difference between these two approaches? Does adding user to sudo group automatically add "user ALL=(ALL:ALL) ALL" to /etc/sudoers (the first approach)?
1061[14:47:36] <rootkea> shtrb, So `adduser user sudo` should be used to fix "user is not in the sudoers file"?
1062[14:47:37] * shtrb just imagined a pdf file that has some JS , with a client cert to access corporate site, over to some node-js and all that just for some kind of a fancy form
1065[14:48:41] <EdePopede> they did a good job with their software downloads/disks over the decades, from 2 "similar" sources this was always my starting point, i'm really not concerned.
1075[15:01:05] <rootkea> Btw, I see "user ALL=(ALL) ALL" been recommended many times over and over without any counter... Guess I need to read man sudoers to understand what does that line mean exactly and why it shouldn't be preferred over `adduser user sudo`
1144[15:57:40] <dob1> I don't understand why fail2ban doesn't send the notification email. I changed mta in jail.conf to mail because I don't have sendmail but it still doesn't work
1145[15:57:49] <dob1> I don't find any logs about some errors
1152[16:02:16] <jelly> dob1: you don't have ANY /usr/sbin/sendmail installed?
1153[16:02:20] <ahylight> out of curiosity, can a linux username have a '/' (forward slash) in it?
1154[16:02:41] <dob1> jelly, no
1155[16:02:47] <dob1> ah sbin
1156[16:03:00] <dob1> jelly, I have it
1157[16:03:33] <def_jam> hey do i need to set up resolv.conf when i have set up my nameservers in /etc/systemd/network/enp233.network
1158[16:04:08] <def_jam> the dns servers in resolv.conf are different to the ones i chose to use via systemd
1159[16:04:12] <dob1> jelly, but still no mails
1160[16:04:20] <def_jam> i am having problems pinging a name from user ..yet i can ping it from root
1161[16:04:21] <jelly> dob1: then keep the default value. When an app says it needs "sendmail" what it actually needs is /usr/sbin/sendmail command providing a specific API. Doesn't have to be Sendmail.
1239[17:14:32] <ealfonso> hi. my beep isn't working even as root: "sudo env -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER -u SUDO_UID /usr/bin/beep -f 440". I also tried "sudo modprobe pcspkr" and checked alsamixer beep volume.
1271[17:27:00] <thither> I have an encrypted LVM partition for /. When I set it up I mistakenly didn't allocate all of the free disk space to the volume group. Is it possible to resize it? All of my tools say there's no free space, presumably because it's encrypted.
1277[17:30:06] <BugHunter1000> Hey guys, I hope that this message will be taken with the genuine desire to help that it is intended, but has anyone run "debsecan" recently and seen the hundreds of vulns in a base install? I was always of the view that Debian is secure and stable, but this is very concerning to me. Thanks for your time.
1280[17:32:16] <ratrace> BugHunter1000: that's normal. expecting no vulns at all, in any distro, is unreasonable
1281[17:32:52] <dob1> no way, I am not able to understand why fail2ban is not sending the notification mail...
1282[17:33:04] <BugHunter1000> ratrace: I respectfully disagree that hundreds of cve's in a base install can be considered normal in any way. Arch for example shows very few with arch-audit.
1283[17:33:11] <ratrace> Debian, like other major distros, does security best effort, and the priority are RCEs and local priv escalations. many CVEs are theoretical, hard to exploit or very low impact, those are treated last
1284[17:33:26] <ratrace> BugHunter1000: you're assuming arch db is complete
1286[17:33:39] <BugHunter1000> ratrace: do you have a reason to think the db is broken?
1289[17:34:31] <thither> BugHunter1000: what kind of CVEs are you seeing that worry you?
1290[17:34:42] <thither> A lot of CVEs are non issues
1291[17:34:51] <ratrace> another thing to consider, debian has to backport fixes, where arch just bumps a package to newer version, and by virtue of that, can get the fix faster
1292[17:35:02] <scrul00se> thither: I'm reasonably sure it's possible, but I wouldn't say it'll be simple replaced-url
1293[17:35:56] <thither> Thanks
1294[17:36:02] <ratrace> all that said... I stopped considering Debian as a security-centric distro because indeed it's too slow in my opinion with some fixes. this especially happens around release freeze time...
1295[17:36:26] <petn-randall> BugHunter1000: For example, debsecan shows me ansible-doc is affected by CVE-2020-1736. I'd say it's not.
1296[17:36:35] <ratrace> for many things, debian's policy to keep things "stable" is often in direct conflict with "secure"
1297[17:36:43] <petn-randall> BugHunter1000: The reason is that debsecan apparently scans by source package, not binary package.
1298[17:37:10] <petn-randall> ratrace: What? That makes zero sense.
1299[17:37:38] <petn-randall> How are stable and secure conflicting goals? "secure" is part of being "stable".
1300[17:37:53] <BugHunter1000> yeah no offense but that sounds like koolaid to me
1301[17:38:05] <ratrace> because of the way debian achieves this "stability". or else chromium would've been fixed looong time ago
1303[17:38:36] <ratrace> ie, cherry picking fixes instead of doing complete version bumps, which leads to issues and inability to backport without a lot of work
1305[17:39:04] <petn-randall> ratrace: But browsers are the one thing that regularly *do* get version bumps in stable ...
1306[17:39:16] <ratrace> except chromium
1307[17:39:16] <BugHunter1000> i mean it's nice to have stuff like firefox esr where you don't mess with anything but fixes, i agree with that
1317[17:48:04] <ratrace> okay then... how about saddns (CVE-2020-25705).... still unfixed in debian.... which makes all the debian servers with a resolver currently open to abuse and dns poisoning, unless the admins mitigated that by dropping icmp altogether
1352[18:03:41] <BCMM> petn-randall: what counts as RC?
1353[18:03:58] <sney> sometimes an effective patch isn't immediately forthcoming, or it only targets the bleeding edge upstream release and needs work to backport to stable, etc
1354[18:04:08] <sney> it's not an instant drive-thru transactional thing
1356[18:04:29] <petn-randall> BCMM: "If you set up your package in a very stupid way, and you trigger this CVE, which involves users ignoring warning signs and actively participating in the CVE, then this is a security hole" are CVEs that I'd count as low.
1357[18:05:36] <BCMM> right, but the unpatched issues in chromium don't seem like that sort of thing
1359[18:05:55] <petn-randall> BCMM: For example, in ansible there's a CVE that only affects installations that have their playbooks world-writeable. But having them world-writeable is a HUGE security risk in itself, much larger than the CVE. Would you consider that CVE release-critical?
1360[18:06:04] <petn-randall> *There was
1361[18:06:05] <BCMM> it seems odd to me that it hasn't simply been removed, but i don't know enough about debian's processes to understand why that's happening
1362[18:06:08] <petn-randall> I actually fixed that one.
1363[18:06:09] <BugHunter1000> petn-randall: some of the vulns in debsecan are marked low urgency for that reason, some however, are not.
1365[18:06:46] <epictetus2> how do i install a newer version of firefox in buster?
1366[18:07:13] <petn-randall> BugHunter1000: That tool in itself is not really useful. It doesn't tell you if those CVEs are remotely exploitable, if they need user interaction, if you need to configure things in a certain way for the CVE to apply, etc.
1368[18:07:53] <BugHunter1000> petn-randall: what is your preferred tool for keeping track of the documented, public vulnerabilities present in your freshly-installed system?
1369[18:08:21] <petn-randall> BugHunter1000: What would help though is if there would be a flag if it affects default installations, and then it calls dpkg to check if the default config is in place.
1370[18:11:12] <dob1> I am trying to identify where is the problem with fail2ban and its mail report. looking at mail.log there is nothing so I can assume that it doesn't even try to send the email, right?
1381[18:13:29] <sney> how does fail2ban do it, with /usr/bin/sendmail or smtp directly, etc?
1382[18:13:31] <petn-randall> BugHunter1000: I personally leave it to the security team to keep track of that, they do a much better job than I do. Sometimes I keep track of high profile CVEs, but they're usually fixed within a day in Debian.
1383[18:14:09] <epictetus2> how should i go about installing the latest firefox version on buster?
1384[18:14:20] <ratrace> from snaps or flatpaks
1385[18:14:32] <dob1> sney, in the configuration I have to configure mta as sendmail
1386[18:14:44] <ratrace> dob1: is the ban logged in fail2ban.log ?
1387[18:14:51] <dob1> ratrace, yes
1388[18:15:02] <petn-randall> BugHunter1000: It's important to know that every CVE is marked as "open" by default, and only closed when it's actually fixed. Even if it doesn't affect default installations, or is only exploitable in combination with software not in Debian. Because someone might install that software locally.
1389[18:15:03] <BugHunter1000> petn-randall: so what you're saying is, debsecan is the best tool available
1392[18:15:40] <petn-randall> BugHunter1000: Other distros might have different policies, and mark a bug as closed even if they're just as "vulnerable" as Debian.
1393[18:16:09] <ratrace> dob1: and you've enabled the action on the jails you want to monitor by mail?
1394[18:16:31] <petn-randall> BugHunter1000: I guess, it really depends on what your overall goal is.
1395[18:16:40] <ratrace> BugHunter1000: no, it's the worst. The best you can do is sub to various security mailing lists and trackers and DIY
1400[18:17:22] <dob1> ratrace, from what I know (and I tested on an old version of debian) it's enabled by default in jail.conf you just override this behaviour with jail.local or with conf files in jail.d
1401[18:18:03] <ratrace> dob1: afaik it's not enabled by default
1402[18:19:12] <epictetus2> i'm running stable on my work station. am i not supposed to do that?
1406[18:20:19] <ratrace> epictetus2: there is no latest firefox packaged in stable. only firefox-esr. if you want latest, install via snaps or flatpaks.
1407[18:20:37] <CrystalMath> eww, snaps
1408[18:20:48] <CrystalMath> i prefer the Eric S. Raymond version of Firefox
1409[18:21:47] <BCMM> epictetus2: FYI the firefox version in Stable isn't *just* an outdated version. It's the ESR version.
1410[18:21:58] <ratrace> isn't "outdated" at all then
1411[18:22:02] <BCMM> epictetus2: so it's missing some newer features, but is *is* kept up-to-date with security issues
1412[18:22:04] <CrystalMath> i like to call it the Eric S. Raymond version
1413[18:22:07] <CrystalMath> because ESR :P
1414[18:22:09] <BCMM> ^it *is*
1415[18:22:14] <CrystalMath> (but it really means Extended Support Release)
1417[18:22:52] <ratrace> outdate = out of date; obsolete --- oxford dictionary. firefox-esr is neither out of date (it's at latest ESR version) nor is it obsolete
1418[18:22:55] <BCMM> epictetus2: i know that doesn't help much if you need a new feature, but i thought i'd mention it in case you were worried about the security implications of running an old firefox release
1426[18:27:11] <BCMM> epictetus2: the latest Firefox is going to be a little bit faster, but the version that's in Stable now contains the really big performance improvements of the last few years
1427[18:28:46] <ratrace> dob1: awesome. careful with that tho, might get an email storm in some cases
1428[18:28:56] <BCMM> (it *was* pretty annoying using Firefox ESR before Quantum landed in that release channel)
1431[18:29:08] <scrul00se> epictetus2: FWIW, I *think* once Bullseye gets released, the mozilla.debian.net repo will be back to having a backport of Firefox "release" for stable
1432[18:29:18] <epictetus2> i see. thanks. i only noticed that my ublock origin wasnt the latest version. but maybe thats just the plugin distribution that is late
1439[18:33:48] <netx> FWIW, I eventually gave up on Debian packages for Firefox and use Flatpak, now that Mozilla supports Flatpak as a first-class distribution mechanism.
1440[18:33:51] <netx> And I've never relied on Debian packages for browser extensions -- they just change too rapidly.
1442[18:34:30] <netx> A caveat with Flatpak is that you need to migrate any .mozilla configuration over, as Flatpak uses its own configuration under ~/.var
1448[18:38:09] <netx> I actually don't mind it too much, as it allows me to keep ~/.mozilla/ unpolluted by newer-than-ESR configuration, in case I feel the need to fall back to the ESR build.
1449[18:38:26] <netx> But so far that hasn't been the case.
1450[18:39:12] <ratrace> btw you can't reuse the profile
1451[18:39:24] <ratrace> between ESR and non-ESR versions, you can't reuse profiles
1452[18:40:05] <scrul00se> netx: I'm right there with you on the extensions. Those I let Firefox handle its own way. Personally I run testing on my desktop systems, and add unstable sources — with apt default-release set to testing — so it's generally pretty painless to have the Firefox package from unstable
1453[18:41:06] <ratrace> that's called a frankendebian in these circles
1455[18:42:35] <netx> I'm a stable (+ select backports) guy in almost all respects. If current-Firefox makes it back into backports (or some other similar mechanism) I'll happily ditch the Flatpak version.
1459[18:43:05] <scrul00se> ratrace: Hmm. If I'm updating a web browser manually with apt install -t and aborting if it wants to pull in a bunch of libs, how Franken- is it really?
1465[18:44:22] <dpkg> When you get random packages from random repositories, mix multiple releases of Debian, or mix Debian and derived distributions, you have a mess. There's no way anyone can support this "distribution of Frankenstein" and #debian certainly doesn't want to even try. Ask me about <reinstall>
1467[18:44:57] <netx> scrul00se: a problem I've run into with that type of setup is that, when you update it today, the deps changes are reasonable, but when you go to update it tomorrow, it might try to break everything.
1468[18:45:00] <netx> And then you have to choose between not updating at all, or manually rolling back everything.
1471[18:46:59] <petn-randall> netx: firefox (non-ESR) will never make it into backports, because it would first have to migrate to testing, which it will never do because it can't be supported over a stable cycle.
1473[18:48:16] <scrul00se> I guess that raises a different question then: is there a "right" and/or "supported" way to run Firefox *release* version on Debian at all?
1480[18:49:23] <scrul00se> Won't result in a bot echo telling me "There's no way anyone can support this "distribution of Frankenstein" and #debian certainly doesn't want to even try. Ask me about <reinstall>" would be a start ;-)
1482[18:50:04] <netx> Yeah, I'm aware of the issues. My personal opinion (which I know is not shared by the debian project) is that for some kinds of apps, like browsers, there is no real "stable cycle".
1483[18:50:06] <netx> IMO, a "stable web browser" is about as useful as a "stable time zone definition" b/c like time zones, the web does not sit still.
1484[18:50:25] <petn-randall> netx: There's already firefox-esr and that works pretty fine.
1487[18:52:08] <alex11> esr works ok for me now but things start getting deprecated the longer we go into the esr lifecycle and debian insists on using the oldest possible esr that's still supported instead of offering the newer esr
1495[18:55:22] <petn-randall> alex11: You can always upgrade to newer firefox, but seldomly downgrade.
1496[18:55:33] <scrul00se> petn-randall: But isn't installing stuff with third-party shell-script installers also squarely in "Gah! You broke everything and no-one can help you!" territory? (that is "the way Mozilla offers it", I think?)
1497[18:55:52] <ratrace> alex11: through a firefox online/cloud thingy account I think
1498[18:56:14] <petn-randall> scrul00se: Sure, but you still might get help in here. If you mix stable and unstable, you definitely won't.
1500[18:57:00] <petn-randall> scrul00se: We definitely support users trying to get things done in here, we just don't support ways known to be broken.
1504[18:57:46] <alex11> oh right firefox has the cloud thing, whatever it's called
1505[18:57:49] <alex11> firefox sync i think
1506[18:58:00] <petn-randall> scrul00se: The upstream firefox installer doesn't require root, so the possible damage done can only affect the user's home dir.
1507[18:58:08] <alex11> but who knows, maybe i just stay on esr, depends how things go
1508[18:58:10] <scrul00se> petn-randall: Huh! I wouldn't have expected that to be where the line is. Learn something every day!
1509[18:58:49] <petn-randall> scrul00se: Worst case is you'd have to delete ~/my_firefox_install/ and start over.
1510[18:58:57] <jmcnaught> At least use firefox-esr until you actually find some site that's broken.
1515[19:01:11] <ratrace> installing firefox into ~/ is not a good idea. code should never, except in carefully curated circumstances, have the ability to modify itself.
1516[19:01:15] *** Quits: chele (~chele@replaced-ip) (Remote host closed the connection)
1520[19:01:49] <alex11> really? that's what i've been doing... TIL
1521[19:02:02] <ratrace> or more precisely, installing FF (or any program) as the user that will also run said program, should be avoided where possible
1526[19:05:27] <petn-randall> I'd also go with /usr/local/, and belonging to root for most programs. But in the case of firefox the built-in updater won't work, and requires manual updates. And IMHO known security holes in FF due to late updating are a higher risk than user-writeable firefox installation.
1531[19:06:41] <netx> I'm on the fence about this. In a genuine multi-user environment, sure what ratrace said. But on my own system, in which I'm the sole user?
1532[19:06:44] <netx> I really only care about the contents under ~ and if a program gets remotely hacked, ~ is exposed to attack regardless of whether the program can modify itself.
1533[19:07:19] <netx> unless you have apparmor or selinux set up properly, and that's pretty rare...
1534[19:07:52] <ratrace> petn-randall: it's not like there's a choice between the two... installing as, say, root and updating frequently aren't in contradiction
1535[19:08:03] <ratrace> and really if the user is lazy...... just friggin flatpak or snap the thing :)
1536[19:08:37] <ratrace> netx: well I have AppArmor on my firefox and most of WAN facing programs
1537[19:10:06] <netx> so you're part of the 1 out of 1000 ;-) i had it set up on an older system years ago but it was a PITA, so when I got this system, I never bothered getting it working
1545[19:12:14] <ratrace> yeah hard and in conflict with convenience. most users prefer convenience
1546[19:12:19] <netx> Pretty much the only thing I really worry about are my SSH and PGP keys, all of which live only on a Yubikey and an air-gapped computer.
1550[19:15:31] <alex11> i don't think i have pgp keys and my ssh keys are chmod 600
1551[19:16:10] <netx> ratrace: Are there any good guides/configs for Firefox/mutt/etc for AppArmor (bonus if on Debian) nowadays? Or did you build them yourself by trial and error?
1552[19:16:29] <ratrace> I built them myself
1553[19:16:40] <ratrace> there exists a FF profile in apparmor-profiles but it's terrible
1554[19:16:58] <netx> :-(
1555[19:17:30] <ratrace> it's not difficult once you understand the MAC concepts. there are tools that help you build the profile from denial logs, so it's just a matter of covering all use cases and tuning.
1556[19:17:37] <alex11> i understand problems in testing/sid for obvious reasons but i hope the programs/configs in Stable are mostly sane
1560[19:20:17] <netx> My biggest issue last time I used apparmor (and also selinux, professionally) was things would fail silently, and then you'd have to realize it might be a MAC error, and then dig through audit logs to confirm.
1562[19:20:58] *** Quits: conta (~Thunderbi@replaced-ip) (Quit: conta)
1563[19:21:10] <netx> I'd really love some kind of applet or notification mechanism that you could install for a specific user that would alert when (possibly whitelisted) apps encounter MAC denials.
1572[19:28:56] <netx> (By "install for a specific user" I mean, you'd need to whitelist a user for it, b/c you certainly don't want to allow arbitrary users to plumb audit logs.)
1576[19:33:07] <ratrace> netx: a properly set up system should have NO audit logs except in case of an actual hax attempt. meaning, one should monitor them and react to them. my systems produce 0 denial logs, unless I borked policy or there's an actual xploit going on
1577[19:33:28] <ratrace> unfortunately, SELinux tends to train people to ignore the myriad of denials stemming from bad or incomplete policies
1593[19:36:24] <ratrace> well there. ideally there should be an nvidia profile and a profile transition from FF to nv, but..... eh.... running proprietary code in ring0 under xorg is kinda making all this a Security Joke of the Decade.
1595[19:36:54] <ratrace> shtrb: you can also shush a denial if you want it to remain a denial. just add a "deny" modifier, explicit denials aren't logged.
1603[19:37:45] <ratrace> deny them and see what happens.
1604[19:38:30] <ratrace> building my own profiles I caught programs doing terrible things. like wine crap (I run steam under a custom AA profile, so it's proton/wine thing) tryinna write to /<somerandom-uuid-looking-file>
1607[19:39:37] <ratrace> steam is a terrible invasionware. I'm running it as a completely separate user because I can't be assed to fine tune each game's access into ~/
1608[19:39:44] *** Quits: conta (~Thunderbi@replaced-ip) (Ping timeout: 260 seconds)
1613[19:40:11] <netx> I guess to restate, my biggest problem is that MAC denials usually fail silently, which means step 1 of "your program is acting weird" is remembering/recognizing that it might be a MAC denial. I guess once you've got that mindset you're good.
1614[19:40:54] <ratrace> right. that happens when a program fails in a section that doesn't expect failure so it's not loud about it. frankly, that's a bug in the program.
1617[19:41:50] <netx> yeah, but I'm betting on heat death of universe happening before programs (in general) being written to expect failures due to MAC denial :-(
1618[19:41:59] <ratrace> but anyway, you don't need to "train" yourself to check denials. you should have monitoring in place and get alerted when there's a denial. intrusion detection is one of very important parts of the security onion
1619[19:42:21] <ratrace> netx: the programs don't do anything special "due to MAC denial"
1620[19:42:45] <ratrace> programs should inspect error state after _every_ (sys)call that can throw an error, and then handle it.
1626[19:46:21] <ratrace> part of my real time logwatch across servers. there's also tools like `logwatch` but afaik they don't work realtime and I'm not sure how easy it is to write custom metrics
1628[19:48:22] <ratrace> this is just a quick bash whip, I intend to replace it with a proper journald API python daemon that will do the real time metrics I'm interested in, and run custom actions, beside emailing, like saltstack event triggers.
1629[19:48:53] <jelly> isn't "realtime logwatch" either Splunk if you got good money, or ELK if you got less money?
1635[19:51:13] <jelly> GNU\colossus: okay, needs another letter in front then
1636[19:51:31] <GNU\colossus> jelly, ELK can also be made to be really nice :)
1637[19:51:39] <GNU\colossus> the setup at my previous job was pretty amazing
1638[19:52:05] <GNU\colossus> and nowadays, between elastic common schema and beats with magical auto-setup, you can get rather close to that in no time
1639[19:52:13] <jelly> sure, but as with any open source clone, you trade your hours and sometimes hardware for ease of use
1688[20:40:46] *** Quits: Nokaji (~Nokaji@replaced-ip) (Quit: "... when the freedom they wished for most was freedom from responsibility then Athens ceased to be free and was never free again.” ~ Edward Gibbon (1737-1794) - Decline and Fall of the Roman Empire, 1909)
1725[21:00:02] <timur_davletshin> It's old good dejavu, just improved.
1726[21:02:52] <jelly> my fonts need to either have a clean vertical alignment, or give me a 300+ dpi screen. If there's anything fuzzy my brain can't deal with it and there's going to be a headache
1727[21:02:53] <timur_davletshin> Ubuntu is fine but it is not updated for a very long time.
1757[21:14:40] <timur_davletshin> Not sure about terminal, but in editors it looks weird.
1758[21:14:57] <grondilu> Where is the appropriate place to clone a github source tree and compile it ? /usr/local/src sounds obvious to me but it's usually not writable by normal users. Should I remain in $HOME ?
1759[21:16:17] <nkuttler> grondilu: i use ~/local for the build and ~/src for the source
1760[21:16:49] *** Quits: ov3rmind (~over0-07@replaced-ip) (Remote host closed the connection)
1767[21:21:44] <timur_davletshin> wrksx, I find Fira's hinting ugly on lodpi devices (look at those jumping numbers). Hidpi looks better but not ideal.
1790[21:32:52] <wrksx> timur_davletshin: I feel lucky I didn't witness that. Hate those standing out numbers. But thanks for introducing me to the concept of hinting, I knew it was there without ever having heard of it.
1791[21:33:11] <timur_davletshin> wrksx, Fira Sans btw is no longer developed. Use FiraGO.
1828[21:46:14] *** Quits: Sigyn (sigyn@replaced-ip) (Quit: i've seen things you people wouldn't believe. spam bots on fire off the shoulder of sigyn. i watched k-line beams glitter in the dark near the Tannhäuser Gate. all these moments will be lost in time, like tears in rain. time to /die)
1870[22:15:41] <Franciman> sney, sorry, can you suggest a source for learning about kernel
1871[22:15:45] <Franciman> and related stuff?
1872[22:15:55] <sney> !kernel handbook
1873[22:15:55] <dpkg> The Debian Linux Kernel Handbook replaced-url
1874[22:16:03] <sney> kernel.org has docs as well
1875[22:16:11] <Franciman> thanks
1876[22:16:18] <sney> np
1877[22:16:27] <Franciman> then I wanted to ask, is there an easy way to rebuild the debian kernel
1878[22:16:33] <Franciman> with other settings?
1879[22:16:34] <sney> the handbook has that
1880[22:16:46] <Franciman> hm ok, thanks
1881[22:17:27] <sney> but last time I did it, the procedure was basically, copy the config to /usr/src/linux with your changes, 'make oldconfig' then 'make deb-pkg'
1926[22:56:52] <n4dir> i think .profile only gets sourced if you log in via startx.
1927[22:56:58] <jmcnaught> bash only uses .profile when it is invoked as a login shell. For regular interactive shells (like running a terminal emulator, or opening a new tmux window(?)), it only uses .bashrc.
1928[22:57:04] <n4dir> mywiki.wooledge.org has a page about it, to be sure
1929[22:57:26] <jmcnaught> grondilu: "man bash" the section titled INVOCATION has more details about this.