29[00:37:45] <HelloShitty> Hello. I have this folder that is a copy of another folder but they are no longer with the same content because in the meantime, the original folder content has changed. Can I use 'rsync' just to make this copy to match 100% of the content of the original folder?
30[00:37:52] <HelloShitty> And both folders are in the same media
60[01:02:27] <rr123> install debian inside virtualbox also failed due to various network related or hash mismatch when install the packages(after select tasksel)
67[01:11:42] <SponiX> rr123: might want to do a checksum against your install media. As virtualbox emulated hardware should all easily work with Debian stable
68[01:12:09] <SponiX> rr123: I mean you _can_ screw up the networking for it still, but you kinda have to try hard
215[03:31:02] <dannylee> ok i got Debian Buster working good...but some website won't let me open up the source with konqueror...but midori will let me view source and edit...in the file manager i just set my default editor as emacs...i'm all set to hack the Government...i'm afraid of newer version of os...they just don't like hackers...buster is a bit better than i thought...
216[03:31:42] <jaggz> dannylee, wow.. what? what site?
221[03:34:01] <dannylee> ok they just don't like me to see their source code...but it all right...they are American t000..
222[03:34:25] <jaggz> dannylee, it doesn't make sense -- not something I've heard of. I can view source in ff and konq
223[03:34:49] <jaggz> the line length is longer than konqueror's popup of the kate text editor allows so it gives me a warning, but it loads and shows it fine
224[03:34:57] <jaggz> (aside from possibly cropping those lines)
489[10:41:53] <Lope> `grep 'model name' /proc/cpuinfo | head -n 1` shows "model name : AMD Ryzen 9 5950X 16-Core Processor"
490[10:42:28] <Lope> But in a VM, the CPU name shows up as a more generalized "model name : AMD EPYC-Rome Processor"
491[10:42:38] <shtrb> What was the name of a FF extension that used youtube-dl and external player to play videos instead of the built in media player ? I looked at replaced-url
492[10:42:41] <shtrb> ?
493[10:42:41] <Lope> How can I get that general name from my CPU on the host?
494[10:43:14] <shtrb> Lope, you see data that your virtualization software is declaring
497[10:44:31] <shtrb> Lope, libvirt can and will declare different CPUs to your VMS
498[10:45:28] <Lope> shtrb, thanks, I'll ask the libvirt guys
499[10:46:30] <shtrb> Perhaps I did not explain properly, when you declare a VM in libvirt, libvirt would virtualize a cpu (like the other devices like your graphical card)
500[10:47:01] <shtrb> Try selecting "Copy cpu configuration"
510[10:53:53] <ratrace> even then it's still virtualized, the hypervisor might block certain instructions
511[10:54:07] <Lope> ratrace, I have something to that effect, yeah.
512[10:54:17] <Lope> I just want to figure out how to get the generalized name.
513[10:54:43] <ratrace> that's windows or linux VM?
514[10:54:45] <Lope> Without actually spinning up a VM and grabbing it from the VM
515[10:54:50] <Lope> Linux VM
516[10:54:59] <ratrace> however, Ryzen != EPYC
517[10:55:01] <Lope> `grep 'model name' /proc/cpuinfo | head -n 1` on host and guest
518[10:55:11] <Lope> It actually is, hey.
519[10:55:17] <Lope> I mean same core architecture.
520[10:55:38] <Lope> Just some stuff is disabled, like RAM encryption.
521[10:55:46] <ratrace> "well yes", but functionally not. they come from the same wafer. like xeon and core are, but they're not the same cpus functionally
578[11:11:31] <ratrace> you should definitely NOT use -march=native inside VMs
579[11:11:56] <Lope> the model on host also different between host and VM.
580[11:12:12] <Lope> so different family and model
581[11:12:22] <ratrace> right, so -march=native is a lie
582[11:12:31] <Lope> LIES, DAMN LIES!
583[11:12:32] <ratrace> you'll end up with software that can't run
584[11:12:34] <m4r35n357> Hi all,, Jigdo is failing on the 5th (& 6th) DVD, error is "couldn't connect to 78.129.164.123 port 59076: Connection timed out"
585[11:12:42] <Lope> ratrace, well, it runs inside the VM haha
586[11:12:50] <Lope> I bet it would run on the host, too.
587[11:13:05] <m4r35n357> command is: jigdo-lite replaced-url
588[11:13:19] <Lope> ratrace, actually, opposite to what you're saying, march native will result in software that's more compatible than if it were compiled on host.
589[11:13:37] <m4r35n357> connects, logs in as anonymous, then times out on every file
590[11:13:39] <ratrace> Lope: no, and I speak from experience
591[11:13:44] <Lope> Because the VM's vcpu's are generalized for the sake of vulnerability mitigation, and ease of live migration.
592[11:14:06] <ratrace> Lope: problem is the cpu is still virtualized. gcc detects wrongly the supported instruction set. even if "works" now, one of future rebuilds might brick it
593[11:14:28] <ratrace> Lope: I've had that happen more than once with -march=native builds inside the VMs, even with host passthrough of the cpu.
594[11:14:42] <Lope> ah, so what march should I use for a VM on 5950x?
595[11:14:44] <ratrace> all of a sudden, one day, you get an invalid opcode error and the thing crashes
596[11:14:51] <ratrace> Lope: generic
597[11:14:57] <Lope> generic!
598[11:14:58] <Lope> fuck that bro
599[11:14:59] <ratrace> and then use mtune for specific model
622[11:18:41] <ratrace> "gcc: oh, hey, I can use this instruction!" "kvm: no you cain't" "gcc: but it's in the reported cpu model" "kvm: no the cpu is virtualized, I only pass through some features" "gcc: but..." "kvm: no"
625[11:19:30] <ratrace> Lope: you're actually trying to do the _opposite_ of what VMs stand for. you're trying to nativize hardware for "performance" lie^Wbenefits
631[11:21:32] <ratrace> then compare to the SAME output on the host. observe difference. cry yourself to sleep.
632[11:22:15] <ratrace> HOWEVER .... you CAN, specify individual -mXXXX options for some features that are NOT virtualized and are pass'ed through. options that might speed SIMD ops like avx, avx2 and friends
634[11:23:37] <ratrace> in other words, decide on the _minimum_ feature set you want to support based on hardware you expect this to run. this is what some distros are doing recently, like fedora, and suites like Mesa
652[11:52:04] <Xalys> ratrace: I tried that, but I tested a few packages, and couldn't find the symlinks in /etc/alternatives in apt-file search (are symlinks in there?)
684[12:13:18] <ratrace> ideally you want specific -mXXXX features that your CPUs definitely support, especially for SIMD friendly packages, which is mostly multimedia thingies
685[12:14:04] <ratrace> in my experience, -march=native is not worth the trouble for vast majority of packages. few % speed bump if at all. however it shines for specific packages that want SIMD, but those are _often_ autodetecting at runtime
686[12:14:49] <ratrace> sometimes not. eg, -march=native vs no -march yielded 50% improvement for me in python PIL compilation .. but I tested baremetal only, dunno how that'll fare in VMs
687[12:15:06] <ratrace> as I mentioned, since I started getting invalid opcode errors in VMs, I stopped -march=native
688[12:15:13] <Lope> it looks like setting an older -march will make it run slower.
689[12:15:21] <Lope> Because it means it won't use newer instructions.
690[12:15:33] <ratrace> it's not as clear cut as that
691[12:16:07] <Lope> fair enough
692[12:16:17] <Lope> well, yolo, going to run the native stuff in my VM and see how it goes :)
693[12:16:23] <Lope> it's not for production, it's for dev.
694[12:16:27] <Lope> Dev speed.
695[12:16:39] <ratrace> it's pointless, but it's your L to YOLO :)
696[12:17:01] <Lope> you say pointless, but stuff might run 50% faster
697[12:17:05] <Lope> that's not pointless
698[12:17:29] <Lope> I like it when stuff breaks.
699[12:17:37] <Lope> Cos if stuff doesn't break, I have to do actual work.
700[12:18:01] <Lope> It would make my devops position more redundant, if everything worked.
701[12:18:20] <Lope> -march is there for me, really.
702[12:18:46] <Lope> -march=do some work before march.
703[12:19:02] <ratrace> yes, I know you devops folks are making up reasons for employment. got rid of dev ops ppl in my company some time ago, never looked back :) /no-offense
706[12:21:27] <ratrace> the guy was literally creating issues .. whether deliberately or by sheer lack of knowledge and skills, thinking nodejs is an answer to everything, I don't know. but the moment we got rid of him and the damned nodejs, guess what: the issues disappeared :)
707[12:21:41] <Xalys> lol
708[12:21:59] <Xalys> in my experience kiss is usually an unknown concept to most devops ppl
713[12:23:37] <ratrace> like in this example, you do NOT want -march=native system wide. you want to target specific packages with specific -mXXX options, and benchmark to actually see improvement.
714[12:24:02] <ratrace> counterintuitively, march=native and shoving -O3 everywhere (that many love to do, thinking --zomg-fast), will actually slow down code in some cases
740[12:38:37] <Lope> When you change code it re-babels a whole lot of shit and god knows what else.
741[12:38:42] <ratrace> march=native is okay for baremetal. you build software for that specific hardware, speeds up things where possible, that's okay.
742[12:39:05] <Lope> as I mentioned before, this is just for my development environment, not production.
743[12:39:13] <ratrace> this is probably becoming very much offtopic for #debian tho. your Q was about, I presume, kvm settings on debian host
744[12:39:57] <ratrace> but in the development process where you're thinking for hundreds of thousands of milliseconds between two lines of code.... that 1-2ms speedup you gain with native is insignificant :)
745[12:40:15] <ratrace> also, afaik gcc itself doesn't get much improved if built with march=native itself.
747[12:40:55] <ratrace> you'll probably gain much more if you ran with mitigations=off* *) Disclaimer: understand what that does first :)
748[12:42:25] <Lope> haha, you think mitigations=off helps on 5950x?
749[12:42:40] <Lope> I know it actually hurts gaming performance, when you do it in windows.
750[12:42:51] <ratrace> yes, AMD _is_ vulnerable to some spectre variants
751[12:42:51] <Lope> Well, according to "Tech yes City"
752[12:42:58] <Lope> I know
753[12:43:09] <Lope> But apparently having mitigations on makes the CPU faster haha.
754[12:43:25] <Lope> Probably because optimizations are mixed in with mitigations.
755[12:43:30] <ratrace> what?
756[12:43:37] <ratrace> [citation needed]
757[12:44:10] <Lope> According to the youtuber, "Tech yes city" disabling mitigations makes intel CPU's run games faster, but makes AMD CPU's (3000 and up) run games slower.
758[12:44:44] <Lope> that's just games, of course. Every workload is "different"
759[12:45:17] <ratrace> according to phoronix, games are not impacted by mitigations at all
760[12:45:55] <ratrace> phoronix numbers should not be used to make generalized statements, but at the individual test level, those numbers are more or less usable
761[12:46:15] <ratrace> ie, games are gpu intensive, not syscall intensive (where there's impact)
763[12:46:23] <Lope> ratrace, according to tech yes city, it drops FPS quite a lot in some games.
764[12:46:41] <Lope> I think up to 50% or something crazy in some cases, for old gen2 Xeons etc.
765[12:46:46] <ratrace> according to phoronix, it doesn't. so .... two sources, wildly opposite conclusions. TheMoreYouKnow(tm)
766[12:47:14] <ratrace> THENAGAIN ..... _windows_ is a kind of its own so who knows what's going on there.....
767[12:47:30] <Lope> CPU is also very important for games though
768[12:47:39] <ratrace> on debian ... with steam ... I've run tests myself, showing FPS and running with mitigations=off and without. no difference in games I ran
769[12:48:01] <ratrace> Lope: yes, but mitigations don't affect cpu workloads uniformly. they're specific to syscalls and, more precisely, context switches
770[12:48:27] <Lope> yeah, the effect varied from one game to the next.
771[12:48:36] <ratrace> entrance, exit of functions, context switches, ... a for-loop crunching numbers is not gonna be affected by mitigations, unless it does a lot of syscalls and function calls
772[12:48:40] <Lope> Some games only saw a 2% drop on intel in windows with mitigations on.
773[12:48:49] <Lope> Some I think even were the same.
774[12:49:16] <Lope> Of course, pro youtubers will make the CPU do the heavy lifting when they test this sort of thing.
781[12:51:10] <ratrace> but pegging CPU doesn't automatically mean bad performance due to mitigations.
782[12:51:11] <Lope> also, as you mentioned you tested on Linux. The linux kernel people are obsessed with performance and have changed things a lot to reduce the impact of mitigations.
783[12:51:20] <ratrace> specific, syscall heavy, workload has the most impact
784[12:51:21] <Lope> Whereas I don't think the windows people are as concerned.
786[12:51:48] <Lope> It's not like Intel can fix microsoft's slow code to cover their ass, (hide/reduce performance loss of mitigations) like they can on Linux.
787[12:52:48] <Lope> As an example of this, windows was massively slower than Linux on CPUs like 2990WX or whatever it was called, for like 2 years.
788[12:53:09] <Lope> They don't seem to care about performance in anywhere near the same quantity as Linux folks.
789[12:53:41] <Lope> Windows wasn't NUMA aware or whatever.
790[12:53:51] <ratrace> I don't think it's lack of caring, but specific NT kernel design they can't really work around
791[12:53:57] <Lope> It kept moving processes across NUMA nodes constantly.
792[12:54:08] <Lope> nah, windows eventually fixed their shit.
793[12:54:12] <ratrace> it is, after all, a hybrid thing between microkernel and a monolithic one, no?
832[13:29:06] <another> do you want to boot a headless machine in a datacenter?
833[13:29:49] <ratrace> jack2019: that's pointless.... why encrypt if the key is available on the same system, to automatically unlock on boot?
834[13:30:24] <ratrace> jack2019: if you want proper automatic unlocking, you might need something like a keyserver and custom keyscript that uses the keyserver
835[13:30:57] <nkuttler> or dropbear
837[13:31:11] <ratrace> or a USB stick, or some other storage available on the server, that you can unplug.
838[13:31:25] <ratrace> dropbear is just a sshd. I guess you then mean to unlock via ssh, but that's not automatic
839[13:31:48] <nkuttler> nothing is automatic unless you automate it
840[13:31:54] <ratrace> the idea here is that you encrypt ONLY (and ONLY!) to make data unavailable once the disks power down
841[13:32:04] <mspe> or full-fledged openssh-server ^^
842[13:32:16] <ratrace> you can't automate unlocking via ssh.
843[13:32:32] <nkuttler> how much do you want to bet?
844[13:32:38] <mspe> you totally can
845[13:32:52] <ratrace> sigh.... _something_ or someone needs to initiate it
846[13:33:14] <ratrace> the point of "automatic unlocking" here is that it .... automatically... unlocks on boot, with no external agent actively ssh-ing in
847[13:33:36] <nkuttler> that's your constraint, not jack2019's
848[13:33:45] <ratrace> CAN you do it theoretically? oh yes. with a lot of convoluted checks like regular pings so if the server goes off or is somehow signalling reboot, you ssh in and unlock even with automation
849[13:34:11] <ratrace> OR .... make it as simple as using a keyserver and a keyscript.
850[13:34:18] <ratrace> otherwise it's not "automatic" unlocking on boot.
851[13:34:44] <jack2019> ratrace, keyserver?
852[13:35:08] <ratrace> jack2019: yes, a server that has the keys that your keyscript will fetch over, say, https
853[13:36:07] <ratrace> there's a whole package that can do that. mandos
854[13:36:29] <ratrace> doesn't seem to be packaged on debian tho
858[13:37:09] <jack2019> ratrace, any time I want to reboot the system, I have to upload the key to https? correct?
859[13:37:11] <ratrace> _however_ I prefer doing this with a custom keyscript and a trusted keyserver
860[13:37:29] <ratrace> jack2019: not if you set up the server to permanently have the key for download
861[13:37:54] <ratrace> jack2019: again, it's very important to understand the threat model here: you ONLY do this so that data becomes unavailable once the disk powers down and is removed from the chassis
862[13:38:24] <ratrace> so you don't store the key on the same disk. you can store it on a separate USB, separate disk, or remotely on a keyserver.
905[14:23:58] <ratrace> for that use case, you can't store the key on the disk itself, but you can keep it on a permanently attached USB stick, or another drive, or remotely on a keyserver
907[14:25:18] <another> i assume you retire the key in the keyserver, as soon as the drive is retired?
908[14:25:34] <ratrace> that assumes you can actually access the data on it to wipe it out
909[14:26:07] <ratrace> what about disk failures where you can't mount the fs to wipe it? but someone with forensic tools CAN extract the key and thus data from the drive?
913[14:27:05] <ratrace> what about SSDs where linear sector address is pointless and there's no guarantee you actually deleted anything unless you exec'd some sort of firmware safe delete ... which assumes the disk is operational
914[14:27:15] <another> the key is on the keyserver. the disk holds an unencrypted boot+TLS+pgp
916[14:27:49] <ratrace> another: this is really very simple: disc encryption with keys on the same disk is pointless.
917[14:28:16] <ratrace> no ifs, or buts, or whethers. so in that case, if the user wants auto unlock on boot, the key has to be elsewhere. on another storage medium, on a remote server, wherever.
918[14:28:34] <another> ... i get the feeling there is a communications problem
919[14:28:42] <ratrace> mandos is just one tool for that. I'm not familiar with its internals, I just know it exists, and I mentioned it in that context. I personally use custom keyscripts for that
935[14:43:11] <ratrace> sigint: in our case, a whitelist of IPs that can query for key; and the key is available only when we make it such, which we do on planned reboots.
936[14:43:47] <ratrace> also, an attacker stealing the server from a secured rack in the datacenter where we host the servers is also NOT part of the threat model
937[14:44:10] <ratrace> such attacker can attack the /boot partition or the bios or uefi and find out the key in all sorts of ways
940[14:45:21] <jack2019> ratrace, in case of middleman, can grab the key?
941[14:45:41] <ratrace> depends how well you protect it. for https, use your own CA and don't use public CA lists
942[14:45:51] <qman__> HTTPS with proper TLS and forward security, I hope
943[14:46:39] <qman__> the CA doesn't really matter, but there's no reason to complicate it with a public CA
944[14:46:41] <ratrace> and of course that. but ... if your threat model involves actors that can attack your TLS ... you have much bigger problems and that encryption is probably worthless
946[14:47:41] <m4r35n357> Hi all, Jigdo is failing on the 5th (& 6th) DVD, error is "couldn't connect to 78.129.164.123 port 59076: Connection timed out"
947[14:47:43] <m4r35n357> command is: jigdo-lite replaced-url
948[14:47:45] <m4r35n357> connects, logs in as anonymous, then times out on every file
953[14:49:51] <ratrace> qman__: problem with public CA framework is that .... it's worthless for a wide range of non-tinfoil-hat situations. it's extremely weak for anything other than protecting against noobs with no ability to rubber-hose a CA into issuing fake certs
954[14:50:26] <ratrace> one can assume that all the chinese and other shady country CAs that inhabit all the major browser and distros CA lists ..... are not to be trusted
955[14:50:52] <jack2019> m4r35n357, it looks like dns problem, ping -c 3 debian.org
959[14:52:19] <m4r35n357> jack2019, so what is the DNS problem?
960[14:52:26] <qman__> maybe, but that's not relevant here, all that matters is that your certificate is from a CA sufficiently trustworthy to not issue someone else certs with your name, doesn't matter whether you run that CA or not
961[14:52:52] <qman__> the client doesn't need to trust all CAs, only the one(s) issuing your cert
962[14:53:25] <qman__> since browsers aren't relevant here, running your own is probably the easier way to do it
968[14:54:36] <ratrace> qman__: oh you mean "which CA you use doesn't matter as long as YOU can trust it" . sure. but that excludes all of the public CAs
969[14:55:10] <ratrace> qman__: and I'm not talking about CAs issuing certs, I'm talking about CAs in your ca-certificate list
981[14:59:31] <qman__> there is absolutely nothing stopping you from changing which issuers you trust to only include a specific public CA
982[14:59:33] <ratrace> qman__: well .. yes, okay, but assumes that "trust". with self signed CA and no public ones in the list, you don't need that trust
983[14:59:53] <ratrace> qman__: true, I misunderstood what you said, sorry.
1022[15:21:36] <oxek> to be fair, I don't know why the multiple-dvd releases of debian even exist either
1023[15:22:12] <m4r35n357> oxek, the 16GB jigdo sounds ideal, if only . . .
1025[15:23:23] <m4r35n357> so, either the jigdo templates are wrong, or there are no files at ftp.uk.debian.org ;)
1026[15:24:14] <m4r35n357> I think the latter, since jigdo would break everywhere if the templates are wrong
1027[15:24:52] <m4r35n357> I mean more likely incorrect file structure at ftp.uk
1028[15:25:49] <oxek> why not use deb.debian.org instead?
1029[15:25:58] <oxek> it's faster than ftp.uk.d.o
1030[15:27:39] <m4r35n357> oxek, I try to use the best "canonical" source, I think that is what one is supposed to do, but I'm done being good, so I will, thanks!
1092[16:54:37] <m4r35n357> jhutchins, but I want a reasonably "complete" last point release that I can install & upgrade without an internet connection.
1245[19:17:35] <istrive> hellow world! I hope everyone is safe... At least the social distancing is covered in chat rooms! ;)
1247[19:20:00] <istrive> I have installed PHP v7.3 (debian buster default version), enabled the module in apache2 and it shows fine the Info page (/var/replaced-url
1248[19:21:07] <istrive> I already get http error 500
1249[19:21:18] <cws> i would dig into the server/php logs to see what's going on.
1331[20:32:20] <sney> barrier is in debian and it's packaged for the arm arches, so it will probably install, but if that's a very old rpi then the hardware may struggle
1345[20:39:02] <sney> strk: no, my suggestion was to install a *current* debian version from replaced-url
1346[20:39:12] <strk> I just find me turning my single-monitor too many times, from one place to another, so have been thinking to just add an additional monitor
1347[20:39:24] <strk> I could use just a cable and directly connect it to the single-host
1348[20:39:38] <shtrb> strk , what's your actual goal ?
1349[20:39:38] <strk> but I thought... what's this rPI doing in the drawer ? :P
1368[20:50:48] <strk> so as a result I've the first monitor (HDMI) just showing a background and NO menu to start anything, while the other monitor complains about "cannot display this video mode"
1369[20:50:54] <strk> I think I saw this happening often with that monitor
1370[20:51:05] <strk> I'll need now a command-line way to change the VGA monitor resolution
1395[21:03:24] <strk> for some reason the desktop environment thinks that the monitor on the left has to be preferred (desktop icons, full-screen Kodi)
1396[21:03:40] <strk> do you have any idea what's responsible for this ? The monitor on the *right* is "primary"
1422[21:22:14] <dpkg> In systemd, "systemctl set-default multi-user.target", or remove the DM package(s) with "aptitude remove gdm3 kdm lightdm lxdm nodm sddm slim wdm xdm". "echo false >/etc/X11/default-display-manager" will also disable the DM, or just hit ctrl-alt-fN to get to a console. nodm is the name of a minimal/automatic display manager (replaced-url
1427[21:23:25] <greycat> That's GRUB. And that's all I can tell you about your question.
1428[21:25:07] <line17> my question i want to set a password to grub.
1429[21:25:09] <greycat> ... partly because I can't figure out what you're actually asking for. Are you trying to *prevent* the use of the GRUB menu? Or are you trying to reset the root password? Or something about disk encryption? Or something different?
1430[21:25:42] <line17> prevent the use of grub menu
1431[21:26:17] <line17> greycat, i found the answer
1432[21:26:25] <line17> thanks for your interest and effort
1433[21:26:32] <line17> appreciated!
1434[21:27:37] <aminvakil> line17: i'm not saying that's useless, but keep in mind that if your pc gets stolen, and the thief knows how to edit kernel line, they probably know they can boot your linux without another kernel using a usb flash drive
1435[21:27:48] <aminvakil> s/without/with
1436[21:28:19] <line17> aminvakil, if i encrypt /boot and /sda partition can they still edit kernel?
1437[21:28:36] <aminvakil> sda is not a partition
1438[21:28:48] <line17> you understood
1439[21:28:51] <aminvakil> you should encrypt your root partition
1440[21:28:54] <greycat> and /sda is not a directory either
1441[21:28:54] <line17> yes
1442[21:28:57] <line17> it is
1443[21:29:10] <greycat> unicorn:~$ ls -ld /sda
1444[21:29:10] <greycat> ls: cannot access '/sda': No such file or directory
1445[21:29:16] <line17> :)
1446[21:29:21] <line17> i hate cats
1447[21:29:34] <cws> Threatened by smarter animals?
1448[21:30:02] <aminvakil> they don't need to edit your kernel, they just boot your system with another kernel :) unless you have encrypted your root partition
1449[21:30:07] <line17> cws, a mosquito had bitten me
1467[21:34:54] <aminvakil> either way, if you don't encrypt your /boot, someone can put a malicious code inside your bootloader which can retrieve your luks password next time you type it in
1468[21:35:00] <aminvakil> that's the reason i think for encrypting /boot
1469[21:35:31] <cws> Which requires physical access, or the system operator being INCREDIBLY stupid.
1471[21:35:43] <aminvakil> and i don't think secure boot helps here, because if someone has this access to modify /boot files, they can change secure boot keys too
1473[21:35:52] <aminvakil> cws: right, which requires physical access
1474[21:35:54] <cws> So unless you have a legitimate reason to believe that someone is going to break into your house and modify your bootloader, you're wasting your time.
1475[21:36:00] <aminvakil> exactly
1476[21:36:30] <aminvakil> or maybe if you go into hotels frequently and leave your laptop out of your sight for long periods
1478[21:36:32] <line17> aminvakil, secure boot doesn't work smoothly with /boot encryption iirc
1479[21:36:45] <cws> And if you are being targeted to that degree, they'll skip that part and go straight to the kidnap-you-truth-serum-wrench-to-the-head option, a la xkcd.
1480[21:36:59] <aminvakil> i was telling the situation that /boot is not encrypted
1481[21:36:59] <line17> aminvakil, they don't need such conspiracy theories.
1496[21:40:29] <ryouma> huh, i didn't think it was possible to encrypt /boot and have it so that an attacker could have physical access and still not be able to get in or be an evil maid or whatever it is called
1560[22:00:25] <ryouma> what if you carry around a drive and boot from it? are you still vulnerable to whatever is done to the computer while you are not there?
1561[22:00:47] <oxek> ryouma: you're still vulnerable, but the bar is set much higher.
1562[22:01:06] <oxek> meaning it will be resistant to local police trying to bug it, but not to CIA/FBI/NSA
1563[22:01:27] <ryouma> you mean like they would have to modify hw or something?
1564[22:01:42] <oxek> yeah, modify bios, hdd firmware, etc.
1565[22:02:02] <oxek> or they might just put a bug into your keyboard and retrieve it later
1566[22:02:13] <oxek> local PD don't have the skills for that usually
1567[22:02:29] <aminvakil> local police could set up a surveillance camera and retrieve password :P
1606[22:40:59] <digitalD> I'm pretty sure someone stole the candy off my desk in the office - of course, I haven't been in the office since last March, so it may still be there... ¯\_(ツ)_/¯
1607[22:41:12] <digitalD> but I think theft is still a thing...
1670[23:17:54] <strk> shall I try to download a new raspbian version ? I'm afraid the old rPI won't support it :(
1671[23:18:21] <craigevil> what PI do you have?
1672[23:18:34] <sney> strk: this is #debian. if you want to use debian, there are images on raspi.debian.net. if you want raspbian, you need to go to #raspbian.
1673[23:18:36] <strk> do you know how to tell from software ?
1674[23:19:08] <strk> craigevil: ^
1675[23:19:19] <strk> model name : ARMv6-compatible processor rev 7 (v6l)
1683[23:22:29] <dka> can anyone help? I use cinnamon with debian latest and for some reason, I could not open my sound setting, and my display settings
1684[23:22:34] <jhutchins> !raspian
1685[23:22:35] <dpkg> Raspberry Pi OS (previously called Raspbian) is a distribution <based on Debian> made specifically for the <Raspberry Pi>. Raspbian is not Debian and it is not supported in #debian. Please use #raspbian (or #raspberrypi) on irc.freenode.net for support. replaced-url
1687[23:23:00] <dka> so I googled, and click on remove panel by mistake. now I use cinnamon-settings to open the settings and re-add a panel, but the add new panel button does not work
1689[23:23:17] <dka> it doesn't open anything, doesn't show any error message, my panel is removed so I can't really use my desktop
1690[23:23:24] <dka> what are my best moves to fix this asap?
1691[23:23:49] <jhutchins> dka: Install xfce/
1692[23:24:02] <dka> what is that?
1693[23:24:14] <dka> a replacement for cinnamon?
1694[23:24:20] <dka> should I delete cinnamon first ?
1695[23:24:47] <jhutchins> dka: No need.
1696[23:25:00] <dka> how does the system know which desktop to use?
1697[23:25:10] <dka> Is it xfce4?
1698[23:25:50] <dka> Why would I want two desktop GUI on my system?
1699[23:25:56] <dka> I just installed it, should I restart
1700[23:25:57] <jhutchins> Yes, and the greeter/login screen should let you choose. Default is whatever you used last.
1701[23:26:24] <jhutchins> dka: Should only have to log out and log back in, choosing xfce.
1702[23:26:53] <jhutchins> dka: Two so you can have a working desktop, but go back to cinnamon when you want.
1703[23:27:11] <jhutchins> !cinnamon
1704[23:27:11] <dpkg> Cinnamon is a fork of <GNOME Shell> initially developed by the Linux Mint distribution. Packaged since Debian 8 "Jessie", ask me about <install cinnamon>. replaced-url
1705[23:27:55] <jhutchins> dka: cinnamon is a bit under-staffed.
1706[23:28:05] <Villux> There's some Linux Mint reset instructions here, but it's from 5 years ago. No idea if it's relevant here or not: replaced-url
1707[23:28:25] <dka> I just reboot, and I got back in cinnamon, without panel
1708[23:29:41] <dka> How do I switch to xfce and uninstall cinnamon?
1709[23:30:59] <jhutchins> dka: Like I said, you have to pick it in the greeter.
1719[23:39:27] <dka> it wasn't possible to fix cinnamon?
1720[23:39:54] <jhutchins> dka: Like anything else in Linux, there is a learning curve for xfce. If everything worked the same as cinnamon there'd be no point.
1721[23:39:55] <dka> if I dpkg -r cinnamon; dpkg -P cinnamon; apt-get install cinnamon, would it work ?
1722[23:41:29] <nkuttler> ah, some tools, you configure them once, and then they work for decades
1723[23:41:45] <oxek> dka: I can do everything you listed in xfce
1724[23:41:55] <dka> well i cant
1725[23:42:04] <cws> the solution, then, is learn.
1726[23:42:10] <dka> help me oxek
1727[23:42:14] <dka> if you know how to
1728[23:42:28] <jhutchins> dka: Documentation.
1729[23:42:41] <dka> I want : panel bottom, quick search shortcut, open terminal keyboard shortcut
1730[23:42:43] <oxek> dka: keyboard shortcuts are unsurprisingly in the keyboard settings
1731[23:42:58] <dka> well, you need to know the syntax, there's no tips
1732[23:43:04] <oxek> panel location is unsurprisingly in panel settings
1733[23:43:43] <dka> you can't put it bottom from the settings
1734[23:43:46] <oxek> search&start a program, by default Alt-F3 or Alt-F2
1735[23:43:49] <oxek> etc.
1736[23:43:50] <dka> and you can't configure shortcut in keyboard settings
1751[23:57:28] <alexrelis[m]> oxek: What might be the problem is that I also use my USB flash drive to store Grub and /boot and then boot from the USB.
1752[23:58:59] <oxek> alexrelis[m]: that exact setup worked for me. Grub & /boot on a usb stick, harddrive truly full encrypted.
1753[23:59:56] <oxek> I can't remember if I tried hibernation in that setup. Hibernation never really worked for me on linux, on any machine, irrelevant of encryption or boot options.