This is #debian, an IRC channel at freenode (freenode IRC service closed 2021-06-01)
0[00:00:05] <ratrace> perhaps solve one problem at a time? about asterisks, if that's default installer's encryption setup, which is cryptsetup initramfs-tools scripts, then yes, it's showing asterisks. dunno if you can disable that
1[00:00:46] <hendursaga> Well, it wasn't before, when it wouldn't accept my password, previous install. (See above)
25[00:08:46] <ratrace> I mean there's really not many options. gnome and sway. KDE's kwin is getting there, and .... what else is there? xfce has no wayland compositor afaik
52[00:19:00] <ratrace> btw, even if you use the wayland protocol for gnome/mutter, the system is still going to install, and use, Xorg. xwayland is needed to run programs that don't yet work under wayland. that should be transparent tho, but keep in mind that xorg might still be running
101[00:44:02] <ratrace> what's a firewall for usb ports?
102[00:44:26] <Taserface> a wut
103[00:44:40] <ratrace> the only thing that I can imagine coming close to that is part of grsec patches, it's no longer freely available, since kernel 4.9
104[00:45:07] <ratrace> ie. prevention of USB devices from changing from, say, a mouse, into a keyboard, like "BadUSB" xploit
111[00:47:12] <kingsley> Maybe I owe you an apology for not prefacing my question with the explanation that a little-known security vulnerability is running malware in USB device controllers, like in thumb drives.
116[00:49:39] <ratrace> I was actually thinking about using an RPI to plug unknown usb devices into it, instead of my workstations or servers.
117[00:50:02] <ratrace> like have an actual physical separation for badusb things
118[00:50:13] <ratrace> airgap'd
119[00:51:31] <koollman> that reminds me of a feature I wanted to have for a while ... basically disabling usb hotplug, and making everything 'manual' for each usb devices listed
120[00:52:50] <ratrace> look at the usbguard package then, it does that, you specify rules, which usb ids may connect on which ports
175[01:15:08] <ratrace> I know in the past amd drivers used to be... unkind.... to their old models, but I don't think that's the case now with amdgpu in the kernel
225[01:36:43] <ratrace> weird string, but I guess that is running on the GPU indeed. now whether something is fully accelerated, dunno, opengl can run in software what's missing on the hardware
226[01:37:03] <hendursaga> Yeah I've done a *bit* of OpenGL coding before
227[01:37:06] <hendursaga> Royal pain
228[01:37:24] <ratrace> right, so you know. but if gnome is snappy... and that thing IS a hog, then you're damn well accelerated :)
229[01:37:42] <hendursaga> Anyway, fingers crossed, my system is finally up and running! Thanks!
230[01:38:04] <hendursaga> And no, it's not snappy, it just doesn't take 30 seconds to open Konsole :P
259[01:53:05] <ratrace> none whatsoever. I haven't had a DVD drive since ... 2014?
260[01:53:24] <brachamh> oh? all bluray? or no optical?
261[01:53:29] <ratrace> no optical
262[01:53:34] <brachamh> ah
263[01:53:49] * dvs blinds ratrace
264[01:54:39] <ratrace> brachamh: there was some silly named library you needed to have installed in order to work with .... copy protected DVDs
265[01:54:39] <brachamh> i'm trying to transfer my reasonably extensive dvd library to hard drive to use in emby
266[01:55:11] <brachamh> ratrace: yes, libdvdcss2
267[01:55:14] <brachamh> got it
268[01:55:46] <ratrace> hmm that, yes ... but I was thinking of libass which is ... related :)
269[01:56:23] <brachamh> handbrake still won't transcode some discs. installed makemkv which worked for one disc, but now it's saying the region code is wrong for the disc that is the sequel to the one i just ripped
274[01:58:02] <ratrace> libass! renders your ass files!
275[01:58:23] <brachamh> just searched it...libass9 library for SSA/ASS subtitles rendering
276[01:58:28] <ratrace> yeah :)
277[01:59:13] <brachamh> that's what could be causing it to hang?
278[01:59:21] <ratrace> now let's get that banned like libweboob. Lib Web Ob.
279[01:59:54] <ratrace> brachamh: no no, that was the silly named library I remembered in relation to DVDs, but it's libdvdcss thingy that you _need_ strictly, I misremembered.
280[02:00:02] <brachamh> oh!
281[02:00:07] <brachamh> ok, that makes sense lol
282[02:00:12] <ratrace> it's also illegal in some parts of the world, so caveat emptor
283[02:00:30] <brachamh> ok. well i have libdvdcss2 already
284[02:00:37] <brachamh> which is why most discs are working so far
317[02:14:00] <ratrace> try massive VM hosts. can take hour(s) to fully boot
318[02:14:17] *** Quits: catman370 (~catman@replaced-ip) (Quit: See you later..)
319[02:14:18] <sney> ok, fine, but that is probably not relevant in Taserface's case.
320[02:14:29] <ratrace> try large storage solutions hosting zfs or btrfs with tens of thousands of snapshots, mountpoints, datasets, .... that can take ages...
321[02:14:42] <ratrace> ah, probably not. I was referring to "no system" :)
322[02:14:59] <Taserface> I ran mkswap on the swap part (long story) and I guess the UUID changed
323[02:15:05] <sney> I type too fast to account for every plot hole. mea culpa.
324[02:15:22] <Taserface> so bootup is like "swap part not found, please wait 90 secs. And please wait 90 secs again."
352[02:21:23] *** Quits: D4rk4ngel2020 (~darkangel@replaced-ip) (Remote host closed the connection)
353[02:21:43] <sney> zfs is maintained by a team, which would probably welcome a new member. and it looks like rtorrent's actual maintainer hasn't uploaded anything since 2015, so there is clearly room for new volunteer work there too
354[02:21:44] <Taserface> there's a deb right there <points at repo>
357[02:22:55] <Taserface> where did I get "nobootwait" from?
358[02:23:00] <ratrace> Taserface: you never replied to my question. and I'm having a suspicion you have that "mkswap'ing encrypted swap with random key on boot" thingy, so every time it has a different uuid .. which is solvable with partlabels
361[02:23:40] <Taserface> I was temporarily using the part for something else
362[02:23:53] <Taserface> so it is re-mkswap'd part
363[02:24:49] <sney> SponiX: anyway, I became the hexchat maintainer for a couple years via using the ssb and uupdate processes to build it for myself based on debian's old xchat packages... if you find that the tools are "easy" then there's room for you to do stuff too
364[02:24:53] <Taserface> (nobootwait appears to be an old flag that disappeared)
365[02:24:58] <Taserface> (FYI)
366[02:24:59] <ratrace> Taserface: still, consider using partlabels
367[02:25:08] <Taserface> yeah I just realised I can do that :)
368[02:25:15] <Taserface> then I just have to remember to set the label
369[02:25:42] <Taserface> at least then I only have myself to blame
370[02:26:00] <ratrace> should be second nature when you parted'it the disk on installation :)
371[02:26:19] <Taserface> that was the debian installer, that did that
398[02:55:36] *** Quits: czesmir (~stefan@replaced-ip) (Quit: Lost terminal)
399[02:56:00] <brachamh> hahahaha! so i decided to try the disc that wouldn't work in a different machine, and what do ya know, it is transcoding as i type
400[02:58:53] *** Quits: Conradish006 (~Conradish@replaced-ip) (Remote host closed the connection)
538[07:03:14] <Sean_McG> hi, is there a channel where I can get help if I am a beginning packager and am stuck on something?
539[07:04:11] <JackFrost> On the OFTC IRC network yes, if you plan to package something for Debian's repositories then #debian-mentors, if it's just for you then #packaging on OFTC.
540[07:04:13] <JackFrost> !oftc
541[07:04:14] <dpkg> OFTC is the Open and Free Technology Community, a support/collaboration service. They have an IRC network: irc.oftc.net. You may (or may not) be connected to OFTC's network. replaced-url
542[07:04:29] <Sean_McG> ahhhh OK, thanks
543[07:04:50] <Sean_McG> (it is something just for me... for now, anyhow)
620[08:55:05] <Gertm-> I'm trying to make a fully automated debian install USB stick but I'm having trouble getting things exactly right. Does anyone have experience with that?
621[08:56:08] <oxek> anyone know if this security issue replaced-url
661[09:44:52] <ratrace> oxek: you can easily verify it: a) if it has a CVE you can look up; b) see which codeset is changed with the fix, then find if that codeset exists in the tag that corresponds to version included in debian
694[10:08:27] <ratrace> well lets see if the "fix" introduced more bugs..... msgBox.setDetailedText(QObject::tr("Blocked URL: \"%1\"").arg(url.toString())); ? srsly? using unsanitized input value? nice.
771[10:36:00] <jelly> it would be a problem if the function was printf-like and took a format. If it takes a string it's safer.
772[10:36:17] <ratrace> there once existed a SELinux CVE where the attacker could trigger a denial which in itself wasn't an issue. only when the admin looked at it with setroubleshoot, where the actual vuln was, the system could be exploited
773[10:36:41] <ratrace> any external input could be used in any number of unexpected ways, if bugs exist. never use unsanitized inputs, ever.
775[10:37:33] <ratrace> similarly there are xss attacks against web systems that log errors. the vuln is in the part where the admin looks at the logs through the UI.
776[10:38:22] <oxek> aren't you gonna end with an "infinity" problem that the function that sanitizes untrusted input is actually handling untrusted input?
777[10:38:45] <ratrace> I've just grown an allergy to unsanitized input use, over the years :)
779[10:39:25] <ratrace> oxek: that wasn't unheard of :)
780[10:39:27] <oxek> I'm the same, just wondering if there's something I don't know about passing strings into a QT message box.
781[10:40:43] <ratrace> oxek: strings don't really exist in C. Even in C++, strings are basically pointers wrapped in a class. "strings" in C(++) are an unending source of vulns, history has shown.
787[10:42:35] <ratrace> and to me, it's really insane to actually log and display to the user, a string you actually found illegal and are blocking. that's like.... ironic code is ironic.
788[10:43:33] <oxek> you're right. Thanks for explaining.
789[10:45:07] <ratrace> and while on offtopic of vulns, we haven't heard the last of Baron Samedit. new CVEs to follow.
792[10:47:41] <oxek> I've read it a few times that sudo likely has lots of undiscovered issues
793[10:47:49] <oxek> but what could we replace sudo with?
794[10:47:58] <oxek> it's such an integral piece of any linux system nowadays
795[10:48:52] <oxek> and I'm definitely not gonna write code that deals with delegating root privileges.
796[10:49:02] <oxek> probably very few people would want to write such code
797[10:49:18] <ratrace> see that's the problem these days. "replace with". NOTHING. any replacement, if written from scratch, is a pile of NEW bugs, SOME of which are reinvented again
798[10:49:42] <ratrace> what we do need, is fix sudo/broken code. not rewrite anew. doas and friends are knee jerk reactions that, ironically, had CVEs of their own. Har har har. Har.
799[10:49:43] <oxek> but replacing stuff means it can be written in a memory-safe language instead, thus eliminating an entire class of security bugs
800[10:51:07] <ratrace> new things, new functions can be written in memory safe langs. for existing code, if it ain't broken, don't fix it. if it is, fix it, don't rewrite from scratch, unless the code is really so buggy and broken and it doesn't matter
801[10:51:16] <ratrace> (sudo ain't in that class, btw)
802[10:54:59] <jelly> would you say openssl was in that class
803[10:55:09] <oxek> sudo should indeed be old enough to not have any massive issues in it anymore, but openssl would be a good counterexample
804[10:55:20] <oxek> I don't have anything against sudo personally
805[10:55:25] <oxek> or openssl
806[10:55:28] <oxek> I use both
807[10:55:29] <jelly> old != sane
808[10:55:50] <oxek> true
809[10:56:06] <jelly> see also: gnupg. screen, probably.
810[10:56:34] <azeem> gnupg is being rewritten in rust by the sequoia team
811[10:56:34] <ratrace> jelly: probably not. it has been looked at extensively since 2014, a bunch of CVEs were ferreted out with all those audits, and openssl is now back to quiescent state.
812[10:56:58] <oxek> makes me wonder why libressl still exists then
813[10:57:03] <azeem> also, libressl seems to have quieted down again
814[10:57:05] <azeem> heh
815[10:57:16] <ratrace> oxek: because it's another knee jerk reaction
816[10:57:23] <jelly> ratrace, it's still horrible.
824[10:59:32] <ratrace> problem with crypto is that even if you rewrite it in memory-safe langs, the code conceptually is such that logical bugs could exist that have nothing to do with memory safety. wrong bit in a wrong place turning sha1024-rust into sha1-bit-rust-herp-derp-we-borked-it
825[10:59:41] <jelly> polar is a different lib I think
827[11:00:23] <ratrace> let's not forget what debian did to openssl a buncha years back and reduced the keysize from billions to 64k :) because someone cleaned up code. wasn't memory safety bug. it was a logical error.
828[11:00:42] <jelly> !dsa1571
829[11:00:42] <dpkg> Due to a weakness in a random number generator, keys generated after 2006-09-17 (using openssl 0.9.8c-1 and later) need to be regenerated with a newer openssl (at least 0.9.8c-4etch3). See replaced-url
830[11:01:06] <ratrace> !dsa1571 jokes
831[11:01:07] <dpkg> For some light relief between changing your keys, see replaced-url
870[11:22:04] <themill> zfs problems have nothing to do with the DFSG. There is no clause in the DFSG that says that you can't do this. Both CDDL and GPL-2 are perfectly fine licences according to the DFSG.
871[11:23:37] <jelly> but you have to store them separately as two components, and mix right before use
896[11:32:41] <jelly> TASK [aminvakil.mysql_initial : Change root user password on first run] ********
897[11:32:41] <jelly> 228
898[11:32:41] <jelly> fatal: [instance]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
899[11:32:43] <jelly> 229
900[11:32:55] <jelly> why was I not kicked!
901[11:33:14] <aminvakil> that's because mariadb is not started i suppose
902[11:33:17] <jelly> aminvakil, ^ that's what seems to fail
906[11:34:04] <aminvakil> here i just executed "systemctl start mysqld" and after 15 min it timed out
907[11:34:25] <themill> /kick jelly
908[11:34:49] <aminvakil> in the log you're referring to i execute "journalctl -n 100 | cat" to see if i can find anything in journal and i saw mariadb stuck in reloading after it is installed
909[11:34:52] *** ChanServ sets mode: +o jelly
910[11:34:57] *** jelly was kicked by jelly (jelly)
934[11:56:12] <RoyK> hm... [Tue Feb 9 14:54:03 2021] sd 0:0:1:0: [sdb] Assuming drive cache: write through <-- Any idea why it would assume this? it's Dell storage behind vmware replaced-url
936[11:59:26] <ratrace> the storage driver is reporting writethrough cache maybe?
937[12:02:29] <ratrace> is *not reporting
938[12:02:41] <koollman> RoyK: basically, it means it could not find out disk type when sending a scsi command to find out about cache. But it's optimistic and decides to use cache through. It's not a problem
975[12:32:15] <hwm4rgs> gogs is sort of a dead project and it left a bad taste in my mouth when they wouldn't fix the cookie XSS vulnerability they had (have?)
1023[13:29:01] <koollman> RoyK: it could be intentional. For example, it is the mode used for battery-backed units on raid cards, for example. Since it is assumed the controller takes care of things without the OS knowledge (so 'direct' writes are effectively cached by the storage backend doing writeback, thus additional cache in front would be wasted)
1032[13:37:21] <koollman> RoyK: if it's not performing as expected, I assume you can ask vmware/dell why it is that way, or if you're missing some VAAI or some setting on vm disks or vmfs
1038[13:39:29] <oxek> jelly: I'm not familiar with what spl-dkms is, but it is now a transitional package that depends on zfs-dkms, which has always been in contrib and not main.
1039[13:39:47] *** Quits: drzacek (~drzacek@replaced-ip) (Remote host closed the connection)
1043[13:40:42] <SanchoPensa> As of late my /boot partition keeps running out of space, when Debian updates the Kernel, which is why I am in the process of creating a Live stick, in order to be able to resize my partitions.
1044[13:41:06] <oxek> SanchoPensa: it's a known issue that the default size for /boot partition is too small in debian
1045[13:41:20] <phogg> if you used LVM resizing /boot is easy, if you didn't it's not
1046[13:41:35] <oxek> it will get bigger on new installations of bullseye (and likely even larger once again when bullseye++ comes along)
1047[13:41:40] <SanchoPensa> I have just completed copying the image with gnome-disk-utility to a USB stick.
1048[13:42:03] <SanchoPensa> is that going to boot, or do I have to explicitly copy the image with dd?
1049[13:42:27] <oxek> (btw, do we know the name of debian version after bullseye?)
1050[13:42:44] <SanchoPensa> oxek: phogg: ya well, no worries there, I know, how to help myself with gparted
1052[13:43:10] <SanchoPensa> problem is, you cannot resize partitions, while they are mounted, which is, why I need to boot with a stick
1053[13:43:18] <phogg> s/set/say/
1054[13:43:32] <oxek> phogg: unfortunately I am still banned from reading the debian wiki :(
1055[13:43:41] <phogg> oxek: how?
1056[13:44:05] <SanchoPensa> oxek: phogg: hehe thanks, guys, but your answers kinda miss my point...
1057[13:44:06] <oxek> phogg: the wiki bans massive blocks of IP addresses, and doesn't let people even read. I just get 403 forbidden
1058[13:44:16] <oxek> it's a known issue
1059[13:44:30] <phogg> oxek: well then FYI the answer is bookworm
1060[13:44:40] <SanchoPensa> :D
1061[13:44:46] <oxek> bookworm. Thank you.
1062[13:44:54] <SanchoPensa> :D
1063[13:45:20] <oxek> SanchoPensa: depending on which image you want to boot, using `dd` or `gnome-disk-utility` will both create a bootable usb stick.
1064[13:45:59] <oxek> since you're having issues with the size of /boot, it's likely you left it all at default during installation, which means it would not be part of LVM
1065[13:46:11] <SanchoPensa> oxek: I used a live image from here: replaced-url
1066[13:46:40] <SanchoPensa> oxek: thanks a lot, in that case I will be as audacious as to reboot now... :D
1067[13:46:42] <oxek> SanchoPensa: that should work
1068[13:46:50] <SanchoPensa> nice!
1069[13:46:52] <oxek> before you reboot
1070[13:46:55] <oxek> do you have backups?
1071[13:46:57] <SanchoPensa> yes?
1072[13:47:05] <SanchoPensa> well... sort of...
1073[13:47:10] <oxek> do backups first
1074[13:47:22] <SanchoPensa> I do, however, have my data on a separate /home partition.
1075[13:47:39] <oxek> you're resizing partitions. That's how /home can get messed up
1076[13:47:46] <SanchoPensa> So, everything I could potentially lose, are years of configuring my os...
1077[13:48:01] *** debhelper sets mode: +l 1181
1078[13:48:19] <oxek> so practically many wasted hours of trying to reconfigure everything back
1079[13:48:26] <oxek> do a backup
1080[13:48:33] <SanchoPensa> oxek: well... I have resized about a gazillion partitions so far, and it has never happened yet...
1081[13:48:56] <oxek> up to you, I just wanted to state the official warning
1082[13:49:18] <EdePopede> it always happens the n+1th time :)
1220[15:51:44] <ratrace> actually... I also got a full debian installation on an external drive which I use for rescuing. it's a thing I made few days ago, seems like I forgot I have it. but before that, I used the ubuntu ISO
1221[15:51:45] <SanchoPensa> ratrace: but in principle to be able to rescue a system would be the primary purpose of the live stick, right?
1223[15:52:00] <SanchoPensa> do you think, there is an issue with the debian live stick version?
1224[15:52:14] <ratrace> SanchoPensa: not necessarily. a "rescue" environment has all the tools
1225[15:52:39] <ratrace> if you needed to apt install lvm2, then that's not a suitable rescue env
1226[15:53:02] <SanchoPensa> ratrace: I am btw not really attempting to rescue the system, since there is nothing wrong with it. Except the fact, that my /bootpartition runs out of space on every kernel update...
1227[15:53:15] <ratrace> SanchoPensa: yes, I think there is. it's also not recommended for installation, something about its installer being off?
1231[15:54:14] <oxek> if one does not wish to create a personalized iso (and maintain it), is Grml the best option?
1232[15:54:19] <ratrace> there's dedicated distros for that (the abovementioned grml, and sysrescuecd), or you can build your own
1233[15:54:26] <SanchoPensa> ratrace: and your weapon of choice for that purpose is Ubuntu...?
1234[15:54:39] <ratrace> SanchoPensa: yes but now I have a full debian installation on an external usb disk
1235[15:55:05] <ratrace> ubuntu live ISO is fully apt-installable and functional. if you don't wanna bother with a DIY solution, I'd recommend the 'buntu
1236[15:55:17] <SanchoPensa> oh! that grml comment was for me, thanks apollo13
1237[15:55:22] <SanchoPensa> never heard of it so far...
1238[15:55:37] <SanchoPensa> i see...
1239[15:55:55] <oxek> I once tried an ubuntu iso for rescue. It immediately started downloading gigabytes of data to update the snap applications, ran out of RAM and crashed. It's not supposed to happen, snap is set to delay updating by 45 days, but the system time was off by a lot and once fixed, snap started updating.
1240[15:55:56] <SanchoPensa> what ever happened to supergrubcd...? :D
1241[15:56:15] <SanchoPensa> lol
1242[15:56:45] <SanchoPensa> Well, I basically don't really care what to use, as long as it works...
1243[15:56:49] <oxek> whoever thought making it impossible to disable snap autoupdates should be excommunicated from the community
1248[16:01:09] <oxek> before the buster release, I said that the default /boot size was too small. But there was no way for me to reach the relevant people.
1249[16:01:11] <ratrace> oxek: agreed about snapd autoupdates. the ONE thing that blows the entire framework and tool.
1251[16:02:26] <oxek> ratrace: exactly. snap is really nice with the enable/disable app, revert, save/restore/forget snapshots, and so on
1252[16:02:37] <oxek> but the autoupdates by default, with no way off, kill it for me
1253[16:03:00] *** Quits: kristijonas (~Kristijon@replaced-ip) (Remote host closed the connection)
1254[16:03:21] <oxek> (you can disable them by disabling&stopping the snap service and socket, but then you lose all the actually good things about snap)
1260[16:06:22] <jelly> oxek, there are people inside Canonical unhappy with that as well, so we'll see how far that gets them
1261[16:06:46] <jelly> lxd as snapd is just icing on the cake
1262[16:07:02] <jelly> beefcake.
1263[16:07:13] <wsky> beefcake!
1264[16:09:12] <oxek> I really like that debian still seems to be on the side of the users. There was that brief issue with systemd, but honestly debian had no option than to go with it, because systemd is everywhere
1292[16:24:37] <istrive> I am struggling to force the system to wait until the script finishes running BEFORE shutdown... I currently have the script as a service from systemd but after testing it did not finish and the system rebooted anyway!
1311[16:30:16] <greycat> We hate it when people answer "what are you trying to do" with "here is my broken code, you can just reverse engineer it and try to guess what I wanted it to do"
1312[16:30:22] <istrive> and I enabled it with a service: replaced-url
1313[16:30:24] <wsky> i see you're trying to launch vbox on boot
1314[16:31:08] <istrive> I am trying to shut them down properly at reboot/shutdown from host!
1349[16:37:32] <istrive> TY greycat, I will take a look at this
1350[16:38:17] <EdePopede> «I have a service that takes 10 seconds to shut down» - i just hope (and guess) services are more reliable then GUI crap. (namely modern browsers which may need minutes to finish after a few days of usage, usually crashing at the end)
1351[16:38:35] <istrive> I doubt anyone that when asked something gives a gazillion possibilities as the answer! ;)
1352[16:38:43] *** Quits: thiras (~thiras@replaced-ip) (Remote host closed the connection)
1353[16:38:45] <wsky> vbox can run in gui or no
1354[16:39:04] <wsky> any way it will take some time to freeze the memory
1356[16:39:29] <istrive> the vms are unattended and runn in the background (win svr 2012r2)
1357[16:39:54] <EdePopede> i'm concerned more about what's running inside it. it's a stack, clean it from top to bottom. and hope there's not a single layer which just refuses to die in dignity ;)
1358[16:40:55] <istrive> this is just to shutdown the servers properly... I don't know why VirtualBox made it so hard... Hyper-V has a much better handling of this task!
1369[16:44:03] <EdePopede> ah, good to know. anyway, systemd and termination, i'm not sure about it anymore after the mess that's left behind after i logout from the desktop session on the test install of buster on the other pc.
1370[16:44:45] <greycat> EdePopede: if the systemd default timeout (90 seconds?) is too short, I'm pretty sure you can supply a longer timeout in your service definition
1372[16:46:03] <EdePopede> greycat: ah thanks, good idea. it's just a plain installation with everything selected (all servers, all desktops...) where i'm looking at the different UIs i can use. no manual system wide changes, and the user profile is recreated for every run.
1398[17:03:17] <koollman> neilthereildeil: no root device detected, most likely. You can try adding : rootdelay=30 (or some larger number), but first make sure you didn't remove stuff that would have helped find the correct root device
1439[17:36:16] *** Quits: Nokaji (~Nokaji@replaced-ip) (Quit: "... when the freedom they wished for most was freedom from responsibility then Athens ceased to be free and was never free again." ~ Edward Gibbon (1737-1794) - Decline and Fall of the Roman Empire, 1909)
1502[18:38:14] <urk> My employer bought this computer for me so I can work from home, but they let me choose which one to get. The screen is amazingly bright. My only gripe is no numeric keypad, but I knew about that before I got it.
1568[19:20:44] <srged> My canon printer prints out blank pages. I am using CUPS. What could it be? (the scanner prints out just fine, so the ink is good)
1588[19:32:45] <greycat> They asked about the desktop environment because for most people, the tools for setting up wireless networking come with the desktop. Relatively few people use lower level stuff, but it exists.
1589[19:32:58] <greycat> !wifi
1590[19:32:58] <dpkg> Support for your wireless LAN device is dependent on the chipset within. Don't know what you have? Ask me about <what's my wireless>. Atheros: <atheros>; Atmel: <atmel>; Broadcom: <broadcom>; Intel: <intel>; Intersil: <prism>; Marvell: <marvell>; Ralink: <ralink>; Realtek: <realtek>; TI: <acx-mac80211>; VIA: <vt665x>; ZyDAS: <zydas>. See also <crda>, <killswitch>, <wpa>. replaced-url
1591[19:33:23] <greycat> I believe there's a subpage of replaced-url
1608[19:36:44] <greycat> Or you plug in an ethernet cable temporarily.
1609[19:36:48] <ratrace> I think it'd be easier and faster if you reinstalled from the nonfree firmware iso so you get it set up by the installer
1610[19:37:20] <jmd> ratrace: I've installed the firmware. That is not an issue.
1611[19:37:39] <ratrace> otherwise you'd have to hunt down all the debs and dependency debs and firmware debs and whatnot debs and sneakernet them in, as greycat suggested
1612[19:38:07] <greycat> is it really not on the installer that you used?
1613[19:38:08] <ratrace> jmd: what was the installation iso, cd? dvd? netinst (probs not if you don't have teh nets)?
1614[19:38:42] *** Quits: centrx (~centrx@replaced-ip) (Remote host closed the connection)
1615[19:38:42] <jmd> It was the netinst dvd image. That is supposed to magically install everything that is needed.
1616[19:39:12] <greycat> It installs what you request. And I would be really shocked if network-manager is not on it. Just use it.
1617[19:39:33] <greycat> If you installed without network, then it should have set up sources.list to use the installer CD.
1618[19:40:09] <srged> guys, why is my printer printing blank pages while the scanner works just fine? (PS. toner refilled, led is blinking. yet the scanner works fine)
1623[19:43:11] <ratrace> srged: probably encrypted, so it's printing with invisible ink. I mean... you asked THAT kind of question, you got THAT kind of answer :)
1632[19:48:56] <ratrace> srged: for starters, the printer and scanner are served by different subsystems, even if they're the same physical device. one working doesn't mean the other would.
1643[19:58:13] <wsky> it is about dumping the most minimal debian os to the hdd and possibli fetch some extra stuff from the net
1644[19:58:27] <wsky> possibly*
1645[19:58:36] <jmd> Yeah. But it seems that last step it doesn't do.
1646[19:58:45] <AlexHMusique> the most minimal installation is via debootstrap
1647[19:59:16] <wsky> if you want debian offline get the full dvd set
1648[19:59:37] <ratrace> netinst isn't about installing most minimal debian, it's about having the most minimal _installer_ that then goes out to fetch the packages online
1649[19:59:42] <jmd> I don't want it offline.
1650[20:00:01] <jmd> ratrace: That's what I thought.
1651[20:00:11] <wsky> then minimal should sound ok
1655[20:01:17] <donavan01> so Im getting an error when trying to run apt --fix-broken install its hanging on something dealing with one of the themes so I really dont care if it ever installs but its causing other things to not process... I tried running the dpkg --force-overwrite but it complains as well can someone with better linux know how look at the errors im getting and tell me how to proceed replaced-url
1657[20:02:08] <ratrace> jmd: "amazed that the netinstall disk won't do that for me" .. I think the installer assumes that the default setup, which is gnome desktop, suffices to autoconfigure dhcp with networkmanager, and that's what it does. it also _does_ setup dhcp for the ethernet, but it doesn't set up wifi, that's left for the networkmanager
1660[20:02:51] <ratrace> jmd: it also assumes that deviation from default predicates experience and skill and setting it up using whatever tool you want. via interfaces(5) like in my paste, via networkd, via nm(cli), wicd, ...
1662[20:03:24] <ratrace> jmd: and by that does not impose any default setup
1663[20:04:00] <jmd> Well really I don't care what tool it uses. I just expected that after running the installer I would have a working network.
1664[20:04:18] <jmcnaught> donavan01: you have more than one package containing the same file, which generally does not happen on Debian and indeed it appears the offending packages are kali or mxlinux related. If you are using Debian then you should not be using repos for other distros. If you are not using Debian, then you will need to find the appropriate channel for your distro.
1672[20:07:55] <ratrace> perhaps. that requires someone to implement that in the installer. the current state is deemed sufficient: NM by default for default gnome desktop; the rest assumes you're skilled enough to deviate, so you'll set it up yourself.
1673[20:08:01] *** debhelper sets mode: +l 1214
1674[20:08:59] *** Quits: srged (~airways@replaced-ip) (Quit: Lost terminal)
1675[20:09:05] <donavan01> yeah Im running MXlinux but as with literally every distro I have tried over the years besides ubuntu (which I cant stand) and straight Debian which honestly my linux skills arent good enough to just dive in (or at least they werent the last time I tried it )I can never find anyone that actually chats I was in the #linux and was told to come here ... I have installed other programs from other repos could this have caused the issue?
1683[20:10:52] <dpkg> MX Linux is a popular distribution <based on debian>. It is not supported in #debian. Support is available on their forum: replaced-url
1726[20:29:14] <aminvakil> i'm executing systemctl start mysqld after installing mariadb-server on a clean debian 10 container which also has systemd installed on it
1727[20:29:30] <aminvakil> host is ubuntu 20.04, but i've also tested ubuntu 18.04 and ubuntu 16.04
1728[20:29:38] <koollman> container. so, host system has apparmor ?
1729[20:29:46] <wsky> have you got the filesystems mounted?
1730[20:29:49] <aminvakil> i'm not sure, maybe?
1731[20:29:56] <koollman> or docker (or whatever you use) has an apparmor profile, maybe
1732[20:29:58] <aminvakil> wsky: not that i know of
1745[20:31:41] <ratrace> aminvakil: why do you ask about ubuntu issues in #debian?
1746[20:31:44] <aminvakil> foxide: i should ask this from github guys then. but what i wanted to be sure from this channel was this
1748[20:31:58] <foxide> ratrace: He's not. He's having issues with a buster container.
1749[20:32:00] <ratrace> and what is that paste? I don't see any errors there
1750[20:32:10] <wsky> yeah, your host os seems to be ubuntu
1751[20:32:11] <ratrace> if there are apparmor denials, then apparmor IS installed.
1752[20:32:15] <koollman> aminvakil: I have no idea what molecule is in this context. I assume something on the host side or container runtime is provoking that error, though
1753[20:32:23] <aminvakil> ratrace: i couldn't understand if enabling apparmor on host could bring this up
1754[20:32:30] <wsky> and it seems it's an issue of theirs
1777[20:36:37] <ratrace> aminvakil: if that's a container, then probably there's no control over the AA policy, and you can't have one defined from _within_ it afaik
1778[20:37:09] <aminvakil> ratrace: i think i should look and bother github guys for this issue then
1780[20:37:34] <aminvakil> it seems that apparmor log which appears in buster container that doesn't have apparmor installed is coming from ubuntu host which has some apparmor profile enabled
1781[20:37:40] <ratrace> aminvakil: yeah and if there's AA policy on the host, it has to account for full paths into the container, this trail doesn't seem to show it
1782[20:37:42] <aminvakil> if i understood correctly
1784[20:38:09] <ratrace> aminvakil: containers don't run their own kernels, so any kernel logs from /dev/... are host's
1785[20:38:19] <koollman> aminvakil: correct. (either host-wide or on the specific container running, without anything 'inside' the container knowing or enabling apparmor)
1830[20:56:41] <jezebel> i want to statically build a package
1831[20:57:53] <ratrace> I don't know if you can recurse automatically, or need to install them one by one. just trying to understand your use case here. which package btw?
1842[21:01:47] <ratrace> jezebel: btw, you're aware of the reasons amor got dropped from debian? can you work around those reasons by building it from source?
1843[21:02:08] <jezebel> yeah upstream no longer working on it
1844[21:02:09] <ratrace> mentor: should be just headers, maybe docs, and that class of files
1845[21:02:27] <ratrace> jezebel: and something something incompatible with qt5
1846[21:02:33] <jezebel> but a statically linked copy should work?
1847[21:02:45] <mentor> ratrace: I'm pretty sure that static libraries get included some of the time
1848[21:03:17] <jezebel> a pure statically linked copy should only need a compatible kernel?
1849[21:03:28] <ratrace> mentor: static (built binaries) and libraries are usually contradicting each other; what did you mean to say?
1851[21:03:59] <mentor> ratrace: I meant what I said
1852[21:04:14] <jezebel> and kernel is 'always' backwards compatible iiuc ("don't break userspace")
1853[21:04:30] <ratrace> jezebel: depends if, since it's a GUI app, it can work with qt5, unless you need to statically link all of Qt ... I don't know the full state of incompatibility there. try it and see, just before you waste your time, look up why it was dropped, s'all I'm saying :)
1880[21:11:57] <ratrace> mentor: ie. they don't need the sources, just -dev which are pulled in by apt install build-deps, right?
1881[21:12:17] <mentor> Yes
1882[21:12:21] <ratrace> k
1883[21:12:50] <hendursaga> I need help getting my USB WiFi adapter working, it's a Ralink Technology, Corp. RT2870/RT3070, is this page what I'm looking for? replaced-url
1927[21:27:07] <hendursaga> I press the hardware switch and on GNOME it shows a notification that I (dis/en)abled it but rfkill doesn't show a difference
1928[21:27:25] <hendursaga> mentor: Interface? It's not showing up on NetworkManager
1929[21:27:33] <hendursaga> And ip link shows only Ethernet is up
1930[21:27:52] <mentor> hendursaga: Does network manager believe it is controlling that interface?
1931[21:28:09] <mentor> hendursaga: I.e., managed is yes
1932[21:28:15] <jezebel> networkmanager wont touch anything in /etc/network/interfaces
1933[21:28:16] <hendursaga> mentor: What do you mean?
1934[21:28:30] <jezebel> or /etc/network/interfaces.d/
1935[21:28:46] <hendursaga> It's not in there jezebel
1936[21:29:12] <hendursaga> mentor: Where do/should I see managed? ip link?
1938[21:29:32] <ratrace> no, /etc/NetworkManager/NetworkManager.conf or something like that
1939[21:29:58] <mentor> hendursaga: What does running 'nmcli' say?
1940[21:30:12] <ratrace> I'd first try to get it working from the command line, wpa_supplicant directly. NM can sometimes herpderp things up
1941[21:30:24] <jezebel> (assuming you have udev and dbus installed)
1942[21:30:39] <ratrace> pretty likely assumption with gnome being there :)
1943[21:31:09] <hendursaga> ratrace: managed=false in that file
1951[21:32:58] <ratrace> hendursaga: weirdly in your last paste, there's no mention of missing firmware. could it be that THAT particular module needs none? I somehow doubt that, for ralink....
1953[21:33:35] <mentor> Would network manager pick up new interfaces without udev and dbus being installed?
1954[21:33:35] <hendursaga> ratrace: The docs say I might need to blacklist rt2800usb - that module is NOT the one I need, it's rt2870sta and that ain't showing
1955[21:33:36] <ratrace> hendursaga: so when you say you need rt2870sta instead of rt2800usb, and that wiki page does list your usbid .... then perhaps that's what you have to do as the kernel erroneously loads up rt2800usb.
1956[21:33:48] <ratrace> that = blacklist rt2800usb
1957[21:34:00] <hendursaga> So, how do I blacklist rt2800usb?
1958[21:34:15] <hendursaga> And do I need to blacklist its dependencies?
1960[21:34:41] <mentor> So network manager believes the interface to be unavailable
1961[21:34:59] <ratrace> hendursaga: and then rebuild update-initramfs -u
1962[21:35:00] <hendursaga> ratrace: Is it recursive?
1963[21:35:22] <ratrace> no, but if you blacklist that module, then modules that depend on this one should fail to load
1965[21:35:44] <hendursaga> Also should I backup my initramfs? It looks important.
1966[21:36:32] <hendursaga> Or is it versioned or...?
1967[21:36:34] <ratrace> hendursaga: you probably have two kernel versions -- the previous one also has its own initramfs, so you kinda do have a backup. this, however, should not be something that would nuke the boot process, and you're not doing it remotely over the network
1968[21:36:45] <ratrace> you can always rebuild initramfs later
1969[21:36:51] <ratrace> don't worry about it, really.
1971[21:37:22] <hendursaga> ratrace: Why would I have two kernel versions??! I just installed it yesterday!
1972[21:37:46] <ratrace> ah right .... well, you would next time there's kernel upgrade. debian, by default, keeps one copy of previous kernel with its initramfs and config, under /boot
1974[21:38:08] <ratrace> wise thing, so you can select the previous version, if the upgrade somehow borks the boot
1975[21:38:15] <mentor> hendursaga: You only really need to worry about initramfs if something on your path to mounting your root filesystem changes
1976[21:38:21] <ratrace> ^^ that
1977[21:38:34] <ratrace> here you're just blacklisting a wifi module. totally not anything critical for the boot process
1983[21:39:49] <ratrace> hendursaga: once in anywhere from few days to I think the record I saw was ~130 days in 2019
1984[21:39:52] <wsky> not too often
1985[21:41:01] <hendursaga> I assume it has something to do with module dependencies..
1986[21:41:25] <ratrace> no I don't think you need to run that
1987[21:41:56] <ratrace> just add that blacklist, update initramfs, and reboot. in fact, I think you maybe don't even need to reboot, but can rmmod and modprobe the correct one after blacklisting. dunno. try it. or just reboot
1991[21:45:07] <jezebel> dumb question but why is [u]xterm not picking up my .Xresources in xfce? when i xrdb -q it's shown as merged in but [u]xterm isn't reflecting this?
2013[21:52:58] <jezebel> when i log in it should be merged already?
2014[21:53:19] <jezebel> it does get merged i believe, bcause xrdb -q shows my resources when i log in
2015[21:53:25] <merAzi> about uxterm not picking xresources, that's because xterm and uxterm use different settings names, try adding UXTerm*option: to your .Xresources
2016[21:53:28] <jezebel> but xterm doesnt see
2017[21:53:42] <jezebel> yeah i've tried both UXTerm and XTerm
2042[22:02:31] <merAzi> is uxterm detecting the xresources configuration now?
2043[22:02:54] <hendursaga> Now, it doesn't show up at all. One issue with the prior config was that the interface had to be renamed, from wlan0, I believe. Would that have been an issue??
2044[22:03:03] <ratrace> hendursaga: meaning, if you have the kernel show the device ... welp ... try and configure it
2045[22:03:18] <ratrace> hendursaga: "had to be"? or you mean the dmesg entry where it's renamed?
2048[22:04:00] <hendursaga> The dmesg entry, from last boot
2049[22:04:08] <ratrace> hendursaga: yah that's normal, udev changing from kernel's name into a so called "predictable" name.
2050[22:04:24] <ratrace> hendursaga: so to revert this ... remove that blacklist line; update-initramfs -u ; reboot
2051[22:04:58] <ratrace> and when you get to see the link, try configuring it with wpa_supplicant. note that with wifi you have two OSI layers to configure. the wifi itself, which is lower, and then when that connects, you get the higher IP layer with dhcp or static IP
2052[22:05:00] <hendursaga> Could I just comment it out?
2053[22:05:14] <mentor> As opposed to the kernel's somewhat arbitrary device naming strategy
2054[22:05:15] <ratrace> ie, you can have wpa_supplicant connect successfully, without the higher one getting an IP, for testing
2055[22:05:21] <ratrace> hendursaga: yes
2056[22:05:47] <ratrace> mentor: actually ... the udev one seems arbitrary. kernel will always do wlan0 or eth0, and if there's more, wlan1, eth1, ...
2057[22:06:13] <ratrace> now for $1000 cash, predict the name hendursaga will get on boot :) no peeking in scrollback :)
2058[22:06:43] <mentor> ratrace: The index assigned by the kernel is in no way guaranteed
2064[22:07:54] <ratrace> which is what I do, I prefer that. the "predictable" names can change in some cases when you have buggy bios/efi/firmware/chipset .. the very same scenario that prompted the "predictable" naming in the first place.
2065[22:07:55] <mentor> ratrace: No, it is the kernel's fault; it assigns in the order it enumerates
2072[22:08:57] <mentor> The kernel doesn't make a guarantee, and the userspace does its best to work around that
2073[22:09:07] <mentor> That's the situation
2074[22:09:17] <ratrace> I never said that wasn't true, however the ordering is done by bios
2075[22:09:24] <ratrace> AND to fix it, bind MAC to NIC name. solved.
2076[22:09:45] <mentor> Yeah, that only works for network interfaces
2077[22:09:48] <ratrace> you don't need wlanxnafjsiodpjuf9ouw4q0uwfwa90u43w90tfumw409fu ewr09t7ue09t34u09te34 crapshit in the name of "predictability" when the same buggy bios will happily rename that next boot
2078[22:10:10] <mentor> ratrace: Please refrain from the rhetoric
2079[22:10:17] <ratrace> like ... pull out your GPU, get effed on reboot with totally new NIC names. there's an issue for just that on systemd GH
2080[22:10:47] <greycat> mentor: it's not just rhetoric, though. People have had that problem here before.
2081[22:10:50] <ratrace> which means "predictable" naming solved NOTHING. just added moar headaches. the proper fix is binding MAC and NIC name, either via .link or interfaces(5) or whatever other way is usable
2092[22:14:39] <ratrace> dvs: let me tell you a tale of linux kernel 5.9 and totally flakked up, renamed, renumbered, regrouped IOMMU and slot IDs and a workstation failing to boot because of that. :)
2130[22:30:27] <ratrace> why? to remain in line with the expected standards. wpasupplicant (the package) installs some systemd services which can be used as templates with NIC names that then source exactly those patterns
2132[22:32:13] <pasiz> if using just password auth, what's the point of creating wpa_supplicant config when nm
2133[22:32:52] <pasiz> does nm forget settings?
2134[22:33:11] <jezebel> nm uses wpasupplicant under the hood for you
2135[22:33:15] <ratrace> nm uses wpasupplicant's dbus api
2136[22:33:25] <jezebel> yup
2137[22:33:42] <pasiz> so yup, it forgets or what?
2138[22:33:52] <ratrace> ie doesn't care about your config files. and here, I recommended hendursaga try "manual" approach, outside NM because NM is ..... flaky.... in some situations, it's hard to control variables of _what_ exactly is failing.
2139[22:34:04] <jezebel> if you dont have a gui, you can use nmtui if you want to be insulated from it all
2140[22:34:05] <ratrace> this way, they can see the OSI layers at work and where the failure is
2154[22:36:46] <ratrace> that means it works. NM will use wpasupplicant too, so the question here is ..... what's NM's problem. referring to "flakey" adjective from before. eff NM, tho.
2155[22:36:53] <jezebel> then dhclient for your ip address
2156[22:37:03] <hendursaga> Does that require root?
2157[22:37:07] <jezebel> yes
2158[22:37:21] <hendursaga> I had to use ifup so.. aww man
2159[22:37:30] <pasiz> cannot understand how it's flakey... i use eap-tls on home too, and never have problems
2160[22:37:42] <hendursaga> Maybe if I restart NM would work, haha
2161[22:37:45] <jezebel> ifup will use /etc/network/interfaces which tells it to use wpasupplicant and dhclient
2162[22:38:02] <ratrace> if you configure it so
2163[22:38:06] <hendursaga> Is there a way to get WiFi up without root every time?
2164[22:38:06] <jezebel> true
2165[22:38:45] <ratrace> hendursaga: with the pastebin I showed you, that approach can work automatically. you plug in the USB thingy, it connects. you unplug it, it disconnects
2166[22:38:59] <ratrace> thanks to interfaces(5) persistence and allow-hotplug
2167[22:39:12] <hendursaga> Can? OK, yeah that sounds vaguely familiar
2168[22:39:29] <ratrace> some say it's even possible to roam with a static wpa_supplicant config like that and all the hotspots enumerated and configured. it's all automagick
2169[22:40:03] <ratrace> hendursaga: can yes, and I know it for a fact. I have that exact setup, where I use a wifi dongle as backup for eth0. I plug it in, it autoconnects, works. assumes eth0 is down and routes are off
2170[22:40:23] <ratrace> otherwise you might need some post-up re-routing magick
2171[22:40:24] <jezebel> fwiw i've had flakey experiences with nm... i hate the 'deauthenticating by local choice' message, it doesnt tell you who or what did it
2172[22:40:29] <hendursaga> Cool, cool, now I can fix my friend's WiFi haha
2173[22:40:47] <dvs> famous last words
2174[22:40:51] <hendursaga> ratrace: Routing? As in?
2189[22:43:25] <ratrace> jezebel: bonding eth0 and wifi? teh heresy! :)
2190[22:43:42] <pasiz> not to mention stateful packet filtering on that kind of network...
2191[22:44:06] <ratrace> eh my iptables rules don't include -i for that reason :) except where it's -i specific
2192[22:44:50] <hendursaga> And.. victory short lived..
2193[22:44:55] <ratrace> now what
2194[22:45:12] <hendursaga> I shut my laptop case to move to the spot I wanted to go to without Ethernet, and then device shut off
2195[22:45:24] <hendursaga> I had to do ipdown and then ipup to bring it back up again
2196[22:45:48] <pasiz> ratrace: does -i do connection tracking
2197[22:46:16] <ratrace> pasiz: it's just a filter criteria for nic name
2198[22:46:33] <pasiz> but even states doesn't work on network with legs in multiple subnets
2199[22:46:57] <dvs> hendursaga: That's an ACPI issue, not a networking issue.
2200[22:46:59] <hendursaga> Also how might I get on another WiFi network?
2201[22:47:11] <ratrace> well it's assumed that tcp sessions wont receive packets from different networks, unless you have that explicitly enabled with bonding
2202[22:47:31] <hendursaga> Just add another entry to wpa_supplicant?
2203[22:47:35] <jmcnaught> What was wrong with using NetworkManager?
2204[22:47:38] <ratrace> hendursaga: with this approach? add another network={} stanza in the wpa supplicant conf
2205[22:48:03] <hendursaga> jmcnaught: No idea
2206[22:48:04] <dvs> and assign a priority
2207[22:48:11] <ratrace> jmcnaught: that's the part that has to be figured out. NM refused to use the NIC
2232[22:58:17] <greycat> well, it ain't supposed to do that, so either investigate whether you've got the correct firmware, drivers, etc. or file a bug report
2233[22:58:47] <queip> greycat: by freeze I mean that gui using programs stop doing almost anything, and they resume when you are back in X
2265[23:10:22] <ratrace> dunno. and I don't feel like changing the VT now to test it :)
2266[23:10:53] <ratrace> I mean it's not something you'd normally do, change the vt from xorg
2267[23:12:17] <queip> ratrace: administrating from graphical console of an user is not as secure
2268[23:12:20] <milkt> is this about specific X program or any program drawing something on X?
2269[23:12:37] <queip> milkt: irc client, torrent client - for 2 things tested
2270[23:12:44] <ratrace> thinking about it now, maybe a compositor would help
2272[23:13:19] <queip> video stack in linux is so overcomplicated... so how to "get a compositor"? I want to use xfce for the windows and stuff
2273[23:14:43] <ratrace> I think Compton is recommended these days for xfce?
2274[23:14:52] <ratrace> ,i compton
2275[23:14:55] <judd> Package compton (x11, optional) in buster/amd64: compositor for X11, based on xcompmgr. Version: 0.1~beta2+20150922-1; Size: 97.4k; Installed: 264k; Homepage: replaced-url
2290[23:18:33] <ratrace> I actually don't know this part, hence asking. because if they do .... then a threat actor able to execute a RCE as your user can sniff it, xorg or no xorg, because the devices are ACL'd to you
2337[23:27:26] <jezebel> you could try checking the xorg logs
2338[23:27:39] <queip> jezebel: no erros appear in them during that time
2339[23:27:50] <ratrace> queip: I think you're overestimating the value of switching VT for "security" reasons and are just chasing rainbows
2340[23:28:02] <jezebel> queip… anything in the timestamps to give you a hint?
2341[23:28:19] <queip> ratrace: what is "over estimated" in not letting your potentially hacked programs see you type in root password?
2342[23:28:52] <jezebel> sudo might be your friend
2343[23:29:01] <ratrace> in that potentially hacked programs that are running as your user can see everything you do, because they're running as you
2344[23:29:05] <queip> ratrace: with such assumption you can just add * to wheel and sudoers. asking for root password inside of user program is security theater mostly
2345[23:29:23] <ratrace> linux security rests on UID separation but things run as the same UID? without MAC or namespaces, it's game over
2350[23:29:59] <jezebel> is your root password the same as your user password? Hmmm
2351[23:30:10] <queip> jezebel: ? of course not
2352[23:30:13] <jezebel> with sudo you type in your user password
2353[23:30:17] <jezebel> not your root password
2354[23:30:59] <jezebel> you prove who you are as a user and you get certain privileges which are typically associated with root, controlled by the sudoers file
2355[23:31:22] <jezebel> so you shouldnt be compromising your root password
2356[23:31:26] <ratrace> my root and user's pass are the same. because it totally doesn't matter what the root pass is if I'm a sudoer :)
2357[23:31:41] <queip> if attacker is already running your user, then intercept entire X windows manager or anything like that, run own fake sudo-gtk, get user password, then use that password to become root via sudo
2358[23:31:49] <nkuttler> ratrace: that's entirely wrong, see man 5 sudoers
2377[23:33:58] <ratrace> so back to what I said .... my root and my user's pass are the same because I am sudoer with full sudo -i ability so it completely doesn't matter what root's pass is
2384[23:34:56] <nkuttler> you can also configure pam if you want to do such silly things
2385[23:35:05] <ratrace> that's completely different. I was talking about the ability to use sudo to become full, logged in root.
2386[23:36:02] <jezebel> queip… feel free to write a pam module which asks you for your password in tty1 lol
2387[23:36:29] <queip> my use case is that regular user, who runs X and crap like firefox, can not sudo into root. and then root I access only by logging into root in separate VT1. The goal is that when firefox gets exploited via one of million firefox/etc vulns, they can't log into my other users which are kind of important for me, like my bitcoin server user
2388[23:37:21] <ratrace> here's a little secret. I run firefox as its own unprivileged user :) well, at least for untrusted browsing. and it has an apparmor profile, carefully tailored because default ff profile is too wide open.
2390[23:38:01] <jezebel> i need to learn about apparmor
2392[23:38:02] <ratrace> queip: if your FF gets exploited with full RCE .... it's basically game over and "we can't be sure" land.
2393[23:38:05] <ratrace> !ripley method
2394[23:38:06] <dpkg> "I say we take off and nuke the entire site from orbit. It's the only way to be sure." -- Ellen Ripley
2395[23:38:08] <queip> jezebel: that is a good idea, but for thing that need to be root, not just the moment of typing in password must be done outside of potentially-taken-over X. Otherwise even if I type in root pass via secure method, as soon as root shell would be in my infected X session, attacker would inject keyboard events and type in commands as root
2396[23:38:50] <ratrace> queip: like ... was there a kernel zeroday privilege escalation that the threat actor just executed with that full RCE
2397[23:38:51] <jezebel> haha i just watched aliens again the other weekend :/
2399[23:38:57] <queip> ratrace: I know nothing is perfect, but still attacker needs an exploit to go from user to root. they happen too, but it's harder to at same time have both this and ffox rce
2400[23:38:58] <ratrace> jezebel: :)
2401[23:39:17] <nkuttler> queip: if you own enough bitcoin to care about such things you should just run it on airgapped hardware
2402[23:39:27] <queip> jezebel: apparmor is toy for kids, mostly
2403[23:39:31] <ratrace> or .... are there still widely unknown meltdown or spectre bugs so the FF hack doesn't even need a RCE to take out my secrets
2404[23:39:44] <queip> nkuttler: I do, this is my bitcoin node for coffee etc ;))
2405[23:39:53] <jezebel> put it in a kvm :D
2406[23:39:55] <nkuttler> basically, anybody with a shell should be assumed to be root
2411[23:40:21] <queip> well plan for the worst, but at same time minimize access, which is what is done here
2412[23:40:27] <jmcnaught> From what I understand under Wayland programs do not share a common input queue (so one program can not keylog another) except for all the programs that run under XWayland.
2413[23:40:33] <ratrace> nkuttler: exactly. if they can RCE.... you can't know what else they did exploit
2414[23:40:36] <jezebel> nkuttler… there's been a couple of noteworthy sudo bugs recently that makes that assumption fair :/
2415[23:40:48] <nkuttler> even without sudo
2416[23:40:49] <queip> ratrace: which IME?
2417[23:41:03] <ratrace> queip: the ... THE.... IME?
2418[23:41:08] <queip> ratrace: what is IME?
2419[23:41:13] <jezebel> intel management engine
2420[23:41:17] <ratrace> oooooh.... are you sitting?
2421[23:41:21] <jezebel> hahah
2422[23:41:39] <ratrace> it's...... a full blown.... MINIX.... operating system running in a chip outside the CPU with total. absolute. control over the hardware.
2423[23:41:41] <jezebel> your processor in the processor, it runs on minix :D
2424[23:41:46] <queip> yeah there are various CPU and mainboard exploits, we know
2425[23:41:56] <queip> doesn't mean you should throw away all security mechanisms everywhere
2426[23:42:25] <ratrace> no no. just saying.... if anyone gets to your FF and can exec random code? it's game over.
2437[23:44:28] <queip> usecases that ABSOLUTELY must prevent that I run on offline airgapped computer
2438[23:44:47] <queip> but it's a bit not comfortable, so a middle level of security is enough for other things
2439[23:45:28] <queip> not sure why it needs explanation that there are other levels of security between using root password hunter2 and having all users in sudoers, and between building own CPU from TTL logic
2440[23:46:24] <ratrace> I know there are. I just think that _this_ particular case is misaligned.
2442[23:46:39] <ratrace> running as root over another VT beause your FF might be compromised
2443[23:46:41] <queip> compositor didn't help in xfce. other things to try?
2444[23:47:31] <queip> btw there is none good video card for debian, one that doesn't need binary blobs to work well, is there yet? maybe in next decade?
2446[23:47:56] <queip> hm maybe run everything in damn Xnest, or firejail X...
2447[23:48:04] <ratrace> doesn't nouveau work withou.... oh wait, even that has some firmware amirite?
2448[23:48:16] <ratrace> queip: I prefer kvm hypervisor boundaries
2449[23:48:22] <queip> well, at least nothing that runs "on cpu" that is closed
2450[23:48:26] <jezebel> kvm is awesome
2451[23:48:42] <ratrace> sure, not absolute, but waaaaaay better than running trusted, sensitive, and untrusted on the SAME kernel
2453[23:48:46] <jezebel> isnt amd's vega supposed to be more open?
2454[23:49:02] <queip> jezebel: the virtual machine? it's ok but you need lots of ram, and it is somewhat cumbersome to switch. btw, there were kvm breakout to user exploits too (still, it's an idea)
2455[23:49:45] <ratrace> firejailing X is also misaligned security. X runs code in ring0. game over. both nvidia and intel (I haven't been paying attention about AMD) have had vulns in that same ring, in the past two or so years
2456[23:49:53] <ratrace> intel still does, on haswells if I'm not mistaken
2457[23:50:10] <queip> only root can change the code that X runs in ring 0
2458[23:50:20] <queip> so it's still saved on user to root
2459[23:50:31] <ratrace> not true. look at recent nvidia xploits
2471[23:55:07] <ratrace> here's what I do. I run FF as another user and it's AA enforced. That way it can't access things it shouldn't even if it exec's arbitrary code. it can't even access things it shouldn't even if it becomes root. however ... it can compromise stuff through xorg exploits, gpu exploits and direct kernel (Syscall) exploits
2472[23:55:17] <queip> AA is mostly a meme btw
2473[23:55:34] <ratrace> so the first level is sufficient for me. things that I mustn't allow even in the second part, is behind kvm hypervisor.
2474[23:55:47] <ratrace> the third level of security is airgapped
2475[23:55:54] <ratrace> duno what's is so meme-y about AA
2476[23:56:04] <ratrace> it does its job and does it well.
2477[23:56:04] <queip> grsec was the real deal but due to Linus and/or Spender(?) having heads stuck in their ego/ass (both depending on personal views) we don't have anything as good anymore
2480[23:56:46] <queip> ratrace: it's a blacklist instead of a whitelist. it blocks few things with few mechanism while not protecting dozens of other avenues of attacks
2481[23:57:04] <ratrace> queip: actually it's a whitelist, but at specific program/profile level
2482[23:57:12] <queip> grsec was protecting ioports, kmem and probably that ring0 stuff. aa doesn't do anything like that
2483[23:57:21] <ratrace> ie. it has no concept of selinux strict security mode where unconfined_t is not allowed
2484[23:57:49] <queip> ratrace: read docs on pax and grsecurity to realize apparmor lacks 90% of it
2485[23:58:05] <ratrace> aa doesn't do anything like that but ..... AA ..... is all we got. grsec is paywalled. selinux is too damn difficult to manage ref policies for, outside of RHEL family
2486[23:58:14] <ratrace> queip: I actually used grsec exclusively until 4.9 :)
2490[23:58:27] <queip> linux security failed, thx Torv/Spender :/
2491[23:59:07] <ratrace> so for what AA does ... being a path based MAC? it does it well
2492[23:59:15] <queip> we can probably conclude open source security failed, nothing does anything like that
2493[23:59:26] <ratrace> it's also growing dbus policing capabilities, ther's caps and there will be more granularity, they say, with networking in the future releases
2494[23:59:34] <queip> all we can do is put few obstacles on the way
2495[23:59:40] <Taserface> umm, ioport are already blocked for non-root users?
2496[23:59:47] <Taserface> same with kmem
2497[23:59:58] <queip> Taserface: pretty sure it was blocked also from root