67[01:05:39] <PMT> If I have a case where a stretch install cd booted properly, a buster install cd does not, and a stretch install dist-upgraded to buster does, where should I report it?
101[01:40:52] <dupin> mtn I know this is probably for debian-next but anyway
102[01:41:59] <dupin> mtn echo 'APT::Default-Release "testing";' > /etc/apt/apt.conf.d/20-tum.conf , then edit sources.list, copy your primary testing line and change the copy to unstable
106[01:43:41] <PMT> What are you reading, and what are you specifically trying to accomplish?
107[01:43:59] <sney> open sources.list, take the line that ends with 'bullseye main', copy it, change 'bullseye' to 'sid' in the copy
108[01:44:02] <sney> !tum
109[01:44:02] <dpkg> [Testing-Unstable Mix] echo 'APT::Default-Release "testing";' > /etc/apt/apt.conf.d/20-tum.conf , then edit sources.list, copy your primary testing line and change the copy to unstable, then 'apt update'. Use 'apt -t unstable install foo' to install foo from unstable rather than testing. WARNING to SYNAPTIC users: Synaptic ignores Default-Release: set Preferences->Distribution.
181[02:25:37] <cybrNaut> ryouma: i think update-initramfs looks at /etc/crypttab and works out which one is the "/" mount, and it only copies that one line to (initrd):cryptroot/crypttab. I thought that was a bug, but now I realize that's deliberate.
190[02:28:02] <ryouma> cybrNaut: actually i ran across references saying that it copies to /etc/initramfs-tools/conf.d/cryptroot, which then gets put in initramfs.
191[02:28:53] <ryouma> however, i have not confirmed this. and writing to /etc is a little weird and would presumably be limited to only a few tools.
194[02:29:13] <cybrNaut> PMT: it reports that it can't find the key file for crypt5 and crypt6, which is apparently the initramfs trying to mount those volumes
195[02:29:24] <PMT> Yeah, that's not too surprising to me.
196[02:30:28] <ryouma> also, why would update-initramfs know which line in /etc/crypttab refers to the root partition? the only possibilities i can think of are it uses the first line, which is not documented in either of the relevant man pages, or the name, which could change.
197[02:31:28] <cybrNaut> PMT: i guess i was a bit surprised because crypt4 ("/") is unlocked just fine, so theoretically initramfs should have been able to find the key files.. but in the end it doesn't matter because i think the kernel is supposed to mount the other drives
198[02:32:13] <cybrNaut> ryouma: i have no idea how it figures it out.. i'm just judging from the inputs and outputs
199[02:32:37] <PMT> It doesn't look that hard.
200[02:32:47] <PMT> Assuming you're on a system that already has them unlocked.
201[02:34:27] <ryouma> i am just saying a priori, before you create the initramfs in the first place, there isn't any information besides sequence to indicate that
202[02:34:30] <cybrNaut> since update-initramfs is run in a chrooted environment, it probably just looks at the UUID that maps to /
203[02:34:55] <ryouma> that would make more sense, if it is run chrooted, but sometimes it is not
204[02:35:05] <ryouma> but maybe it does the same thing anyway
205[02:35:49] <cybrNaut> in any case, it looks like the bullseye kernel is screwing up here.
206[02:36:05] <ryouma> but it contradicts the claim that crypttab is used, unless it looks in crypttab to match that uuid
207[02:36:24] <PMT> I would suspect it's the bullseye initramfs, not the kernel
208[02:37:03] <cybrNaut> initramfs says "cryptsetup: crypt4: set up successfully", then it's done at that point, no?
209[02:37:20] <cybrNaut> then I get "[17.934028] systemd[1]: Failed to mount /run/systemd/cryptsetup/keydev-crypt5"
210[02:37:36] <ryouma> this might or might not be relevant: systemd-cryptsetup-generator
211[02:37:51] <ryouma> which has a man page
212[02:39:29] *** Quits: catman370 (~catman@replaced-ip) (Quit: See you later..)
220[02:43:12] *** Quits: Tom01 (~tom@replaced-ip) (Remote host closed the connection)
221[02:43:40] *** Quits: Hallodri (~Vizva@replaced-ip) (Remote host closed the connection)
222[02:44:00] <PMT> I believe systemd generators are supposed to get triggered without your explicit involvement, but the manual probably documents how the behavior can be changed.
284[03:39:37] <terr> Quick real dumb question. I think the answer is yes. When we install a working copy of Debian on a bootable external drive, will it run both on 32 bit hardware and 64 bit hardware (in 64 bit mode). I can create two install versions. I just need to know what to look for. I am looking to have the base system backed up on a single drive which can be stored in a bank vault. If I need two (2) versions I would probably want them to share a partition becaus
285[03:40:04] <terr> I have the extended of course
286[03:41:08] <sney> 32-bit x86 debian will run on both 32-bit and 64-bit x86 hardware. that's probably the easiest way to accomplish this.
287[03:41:59] <terr> Ya. But it will be in 32 bit mode on the 64 bit machine. Right?
288[03:42:38] <sney> it will be running 32-bit code and drivers, yes
290[03:44:05] <sney> if you said some reason that wasn't acceptable, it was cut off. your first comment ended partway through the word "because"
291[03:44:24] <terr> Not what I want. I can create 2 primaries and an extended. Can grub boot Debian out of the extended?
292[03:45:05] <sney> afaik yes, haven't tried it that I remember
293[03:45:12] <coc0nut> is freenode being phased out ?
294[03:45:17] <sney> !oftc move
295[03:45:17] <dpkg> irc.debian.org moved to OFTC on June 4th 2006, see replaced-url
296[03:45:27] <sney> coc0nut: note the year ^ .
297[03:45:38] <terr> Because there are only 3 primary partitions available
298[03:45:52] <sney> non-OFTC debian channels will probably be maintained as long as people come to them with questions, but the official ones are already not on freenode.
299[03:46:31] <terr> Where are they?
300[03:46:33] <coc0nut> i heard something of exodus or something?
301[03:46:51] <sney> OFTC, as said just now by myself and the bot.
302[03:47:27] <sney> yes, there is some political turmoil happening with freenode right now. there are articles on many websites if you want to research more about it
303[03:47:29] <coc0nut> okies... :) i like freenode!
304[03:47:38] <terr> I think I will worry about that later.
307[03:48:50] <sney> terr: why do you care if your portable debian install is native 64-bit? memory usage?
308[03:50:19] <buu> PMT: What the heck does the 'usage' tab of `nvme list` show?
309[03:50:42] <terr> Because it's going to be running 64 bit code. I am leaving the 32 bit world behind. But I still have very useful machines
310[03:50:46] <buu> It says stuff like "1.60 TB / 1.60 TB" but df says 1.5T 897G 570G 62%
311[03:51:48] <terr> Sne
312[03:51:51] <PMT> buu: my naive hypothesis (I actually have yet to run NVMe on Linux) would be that your filesystem isn't doing whatever the equivalent for NVME of TRIM/DISCARD/... is.
313[03:52:26] *** Quits: klaus-vb (~klaus-vb@replaced-ip) (Remote host closed the connection)
315[03:53:45] <sney> terr: then yes, you'd need 2 installs. but they can easily share a /home partition so the user data is the same.
316[03:54:05] <buu> PMT: I thought those were deprecated for nvme
317[03:54:12] <terr> Sney, also, some are different architectures. If grub can boot out of the extended partition then I'll just make several partitions. These are about 100 GB each.
318[03:54:24] <PMT> buu: That's possible, it was just a hypothesis.
319[03:54:52] <buu> PMT: Maybe it's something about drive life
320[03:55:02] <sney> afaik grub can boot from an extended partition. just try it and see what happens.
321[03:55:09] <PMT> I doubt it would be measured in Gb/Tb then.
322[03:55:11] <buu> PMT: One of the exact same disks reports 1.54 TB / 1.60 TB
323[03:56:12] <terr> Sney, that was my first conclusion. Can grub boot out of an extended partition?
324[03:56:20] <sney> afaik grub can boot from an extended partition. just try it and see what happens.
325[03:56:54] <terr> If it can it solves my problems. Thanks
330[04:00:00] <PMT> buu: AFAICT everyone recommending not doing discards on NVMe is citing an Arch wiki post or an Intel forum post circa 2015 where they say they recommend using manual fstrim commands periodically rather than continuous discards, so I'm going to guess that people are misunderstanding "do it in batches, not continuously" as "don't do it"
331[04:00:18] <PMT> But again, I am not an expert.
333[04:01:30] <PMT> (Unless fstrim uses entirely different calls from enabling discards on filesystems, which would astonish me, but is not impossible)
368[04:54:50] <terr> Another really dumb question only because I have never tried it... I have three (4) 64 bit machines and a Raspberry Pi. Can I create a single bootable partition on an external drive and boot ANY machine from it? Note: RPi is not even the same CPU arch so I really doubt it. They can (and likely should be) separate. Two (2) purposes. And the drives have enough capacity. I do a backup and stuff it in the bank vault. House burns down. I have backup medi
414[06:00:37] <terr> Ryouma, each machine has 3 bootable partitions. I am wondering if a windows 7 install for both a laptop and a desktop can live in the same partition?
415[06:01:23] *** Quits: catman370 (~catman@replaced-ip) (Quit: See you later..)
416[06:02:11] <ryouma> idk, unfortunately. but even pretty similar machines might require different settings in principle. for example, network card naming?
417[06:02:42] <PMT> I know Windows 7 and newer got better about dynamically handling devices changing at boot, but I doubt they're _that_ flexible.
419[06:03:10] <PMT> Also, I don't think even Windows 10 really likes booting from external devices, period.
420[06:03:15] <terr> Ryouma, same issue with Linux, but I feel far more comfortable. In all cases the loader should simply load the correct drivers from the pool available. In Linux I can use modprobe and insmod.
421[06:03:49] <terr> I have no idea yet what winders might do and I hate it.
422[06:03:53] <PMT> (I know there are ways to get it to happen, the most obvious example of which is the Windows installer itself, but I do not know what caveats are involved.)
423[06:04:09] <ryouma> not the same thing, but i used to chase after the idea that i could have even just 2 root partitions on a spindle, and choose them from the same boot partition. but gave up on the idea as it seemed complex in practice. i would not attempt what you are. but that is just me.
425[06:06:32] <terr> Well, I don't want to ever use windows 10 ever. If I have to it will be behind a firewall so robust it will think it is in a submarine at the bottom of Lake Vostok in Antarctica
426[06:07:31] <terr> Ryouma, I have it running now with 7 and 10.
427[06:07:56] <PMT> A) You should probably already be doing that with 7, given that it's not getting updates, IIRC.
428[06:08:26] <terr> I might be forced to if I am forced to use something like Fusion 360
429[06:10:27] <terr> At this point I have no software that requires Windows 7 or 10. But I have to set up these machines and I may as well set them up so I have it if I need it.
430[06:11:41] <terr> Fusion 360 has a license and I will be happy to tell AutoDesk to find Lake Vostok
431[06:13:54] <terr> Fusion 360 is good to generate a tool path for a mill. So I sacrifice a $200 computer so I can use it if I need it.
432[06:14:21] <terr> This is why I have so many machines
433[06:14:46] *** Quits: ChubaDuba (~ChubaDuba@replaced-ip) (Remote host closed the connection)
442[06:27:39] <PMT> you said that before, and I replied that I doubt they'd measure that in TB unless it were TBW, at which point I doubt they'd be such low sizes
443[06:27:47] <PMT> oh, sorry, i was scrolled up, nvm me
462[06:45:10] <tigryss> hi I have problem with my 2 display. Nvidia X Server doesn't "see" my laptop eDP-1 internal display only the HDMI and usbc(DP).
463[06:45:11] <tigryss> I try to configure in the xorg.conf, but it works only separate Screen0 or Screen1 can someone check please what I'm missing?
504[07:29:23] <k-man> tzf: in a vm maybe? can you still find the iso's for it?
505[07:31:05] <tzf> k-man, yes I kept the .iso from 2013 hehe !
506[07:33:16] *** Quits: marko1325 (~Thunderbi@replaced-ip) (Remote host closed the connection)
507[07:33:53] <tzf> i want to install it on my new(old) Lenovo e430 ! otherwise maybe I will install nakeDeb... normally I install openbox noDE, just I add tint2 for my wife and kids... but today I had to delete my debian to install window$Xp to update the bios, grrrr !!!
508[07:34:21] <tzf> so yet I am OSless on my e430...
509[07:34:44] <tzf> so Squeeze, nakeDeb or my usual OBnoDE
510[07:35:19] <tzf> I miss squeeze, less cpu and ram consumption
511[07:36:14] <tzf> gnome2 I was fan and I don't love on Mate what is however a great fork no doubts
561[09:18:32] <tigryss> hi I have problem with my 2 display. Nvidia X Server doesn't "see" my laptop eDP-1 internal display only the HDMI and usbc(DP).
562[09:18:33] <tigryss> I try to configure in the xorg.conf, but it works only separate Screen0 or Screen1 can someone check please what I'm missing?
609[10:37:32] <tigryss> Sorry for delay, I didn't hear the beep :D
610[10:39:23] <jelly> there's four DP-* there. Is this an Optimus setup?
611[10:40:02] <jelly> !optimus
612[10:40:02] <dpkg> The Bumblebee project aims to provide support for the Nvidia Optimus GPU switching technology on Linux systems. GeForce 400M (4xxM) and later mobile GPU series are Optimus-enabled; if «lspci -nn | grep '\[030[02]\]'» returns two lines, the laptop likely uses Optimus. Packaged for Debian <jessie> and <stretch> and <buster> and <bullseye>. replaced-url
613[10:40:36] <jelly> never had such hardware, I don't know the best way to configure it
639[11:08:33] <Hi-Angel> tigryss: in general, you choose a Wayland session before logging in in DM. You need your DE to support Wayland, of course. Currently Gnome has great support for Wayland; and KDE support I think is getting there. Sway also has great Wayland support if you're into pure i3-like environment.
649[11:12:22] <Hi-Angel> NVidia has problems with wayland. That said, I'm not sure it matters because usually there's no point in running the DE on the discrete GPU as opposed to integrated one (which would be an intel GPU in your case).
650[11:12:33] <tigryss> kernel is 5.10.0 and nvidia driver is 460.73.01
651[11:15:11] <tigryss> but strange that xrandr not "see" the hdmi and the dp ports, only eDP-1, and the nvidia driver see everything else but not the eDP-1
652[11:15:12] <Hi-Angel> tigryss: anyway, for NVidia wayland support you may want to track news like this (e.g. subscribe to the merge request the article refers to) replaced-url
653[11:16:42] <Hi-Angel> Hmm, yeah, that's odd. I can't comment on this though because I never really worked with NVidia. I only know that its driver isn't well integrated into the rest of the ecosystem (such as DRI PRIME and Wayland support), but that's it.
669[11:30:48] <Hi-Angel> Can somebody elaborate the following sentence in debian packaging docs: "If your program uses configuration files but also rewrites them on its own, it's best not to make them conffiles because dpkg will then prompt users to verify the changes all the time". What I'm unclear on here is: what else should I do? If I omit a file from `conffiles`, it will be overwritten. Should I instead force the file be "untracked"?
690[11:50:00] <themill> Hi-Angel: you'd be better off asking that on irc.oftc.net either in #debian or more specifically in #debian-mentors for Debian packages or #packaging for personal/local packages.
722[12:18:27] <tigryss> strange: login appears as extended monitor on both display, but if I gave the correct login and pass drop back to login again and again...
818[14:32:06] <EdePopede> just because i've seen the old https question coming up a few times in the past, this was exactly my argument why https would be a good thing despite cryptosigs, they both target different issues: replaced-url
837[15:05:50] <jelly> EdePopede, if you have a nation-state level actor against you, they will be able to figure out which packages you're downloading even over https, using flow analysis
838[15:06:16] <jelly> https helps, but not too much
839[15:07:38] <EdePopede> jelly: yeah, i think i've read something about NSA wanting to have their hands on all of Tor nodes (connect and exit) to do this kind of analysis :)
862[15:33:58] <cybrNaut> EdePopede: you started comparing cryptosigs to SSL, which is not a matter of disclosure; it's a matter of authenticity. cryptosigs give zero confidentiality, so Jelly's comment about spooks figuring out which pkgs you install seems irrelevant, but relevant to the article you cited, which is orthogonal to the thesis
863[15:35:06] <cybrNaut> for authenticity, I trust cryptosigs a little more than HTTPS because CAs have been compromised.
866[15:36:45] <cybrNaut> but for anti-reconnaissance to conceal pkg installations from disclosure, the best answer ATM is Tor, which is supported by the apt-transport-tor pkg
867[15:36:47] <EdePopede> cybrNaut: right, but the whole thing when this came up was about 3rd parties knowing what you were downloading. see "they both target different issues".
877[15:40:27] <EdePopede> heh yeah. the download part is faster than the unpacking part xD
878[15:40:33] *** Quits: stormkl (~stormkl@replaced-ip) (Remote host closed the connection)
879[15:41:09] <EdePopede> i've read some stuff when it became a thing, but since i never needed it... and back then i think performance has been an issue.
880[15:41:27] <jelly> do tor hidden services have some sort of load balancing of anycast
881[15:41:33] <jelly> or* anycast
882[15:42:05] <cybrNaut> note that Ubuntu/Mint users are totally fucked in this regard because there are no HTTPS mirrors and no onion mirrors either, last time I checked
883[15:42:57] <PMT> I would be surprised if Tor had something like that.
885[15:43:07] <cybrNaut> jelly: AFAIK there is no load balancing with *.onion. The path should be as random as possible.
886[15:43:40] <jelly> ouch
887[15:43:40] <cybrNaut> if they were to load balance, it would make circuits predictable which would be self-defeating
888[15:44:38] <jelly> application-level lb with a dozen hardcoded addresses is so 90s
889[15:49:45] <cybrNaut> there is no application-level lb either, because that would still defeat the main purpose. You could write such an app though, and it wouldn't defeat /all/ Tor purposes and use cases. E.g. you would trade anonymity for performance, but you would retain the ability to keep your ISP in the dark about your traffic.
890[15:50:56] <jelly> reliability > performance
891[15:51:13] <cybrNaut> i believe you could even reduce the number of hops as well.. i see no reason you couldn't do a 1 hop circuit if you wanted.
892[15:51:51] <cybrNaut> reliability is fine over tor because it's TCP not UDP.
893[15:51:56] *** Quits: neirac (~neirac@replaced-ip) (Remote host closed the connection)
894[15:52:53] *** Hash is now known as UniversePresiden
900[15:55:51] <cybrNaut> what i don't know is if your circuit could go direct to the onion. I suspect it would be possible if the onion address would permit being used as a guard node.
901[15:56:02] *** Quits: neirac (~neirac@replaced-ip) (Remote host closed the connection)
902[15:57:27] <cybrNaut> that's when it would matter if your threat model includes targeted surveillance, or just mass surveillance. mass surveillance mechanisms would not register that you are visiting a Debian mirror, but of course careful inspection would reveal that.
907[16:00:30] <cybrNaut> So now in the US, ISPs can fully exploit data they collect on customers without their knowledge or consent, and I'm not sure Biden is motivated to overturn Trump on that
920[16:06:01] <cybrNaut> some people only use Tor when making a drug deal, which is foolish because it trains their adversaries on which packets to pay attention to. Using tor for everything makes no traffic stand out in particular
939[16:22:17] <coc0nut> speaking of Tor... i have this alert in my firewall.. ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 102 - and that is without any knowingly connection from me to tor. so im thinking the tor is connecting to me. my firewall is blocking everything that i havent connected to...
940[16:22:36] <PMT> My RPi4 works fine for what I use it for (backup storage).
944[16:24:57] <coc0nut> i was sent some pretty shady files a while back. i deleted them, but i might think they have left a backdoor. should i wipe all my drives in that computer and do a fresh install?
945[16:26:40] <coc0nut> a dos program to download music from spotify etc. and some anarchist documents of hacking stuff :p probably straight from piratebay hehe
946[16:26:55] <jelly> "was sent"?
947[16:27:06] <coc0nut> on discord
948[16:27:39] <jelly> this doesn't sound like a Debian-specific question
955[16:29:41] <PMT> "just" downloading files, with exceedingly rare exceptions, doesn't backdoor your machine. Now, if they can get run, all bets are off.
963[16:32:41] <petn-randall> coc0nut: You have connected to an IP address that also runs a Tor relay server on the same IP address. Which is a totally bogus thing to warn about. You probably want to throw with a high arc that "firewall" into the bin.
964[16:33:25] <coc0nut> hehe :)
965[16:36:52] *** Quits: dvs (~hibbard@replaced-ip) (Remote host closed the connection)
1023[17:30:28] <dpkg> Release-Critical bugs are Debian bugs with critical, grave or serious severities, preventing the next release of Debian. See the graph at replaced-url
1036[17:35:10] <jelly> 4.14 Aug 2019; Debian 10, July 2019 with version freeze in January
1037[17:37:20] <tigryss> jelly: with this config(replaced-url
1038[17:38:27] <PMT> ...in what sense is it working, if you can't start X?
1039[17:40:40] <tigryss> if I disable multi-user.target, then linux login starting in graphical mode with 2 monitors, but if I login with the correct user/pass throw back to login again and again
1040[17:40:45] <jelly> tigryss, I _think_ most of that ought to be automatic, but also I've never used an optimus setup. Can you leave just the Device sections, and see what happens?
1041[17:41:38] <dvs> tigryss: logging in as root?
1042[17:41:53] <tigryss> dvs: no
1043[17:41:57] <PMT> getting kicked back to the login prompt sounds like a non-X problem, guessing without seeing the logs.
1044[17:42:48] <PMT> Do your logs contain anything interesting?
1194[19:49:25] <maxrazer> sney, I wonder why those errors exist still, perhaps they are unique to Debian? I'm not sure how many months/years the dev version is behind.
1195[19:50:27] <PMT> maxrazer: I mean, there's a bug open to prevent the package from ever migrating out of unstable.
1196[19:50:40] <PMT> (And I don't mean that's a side effect, I mean that's the entire purpose of the bug.)
1202[19:53:08] <PMT> maxrazer: the latest wine-development package in unstable is up to September 2020's release.
1203[19:55:38] <jhutchins> Wine's development has always been difficult for distributions to track, because there's lag.
1204[19:55:52] <sney> maxrazer: I see mgilbert uploaded wine 5.17 to unstable a few days ago, so it seems like they are intentionally tracking the 5.x series rather than moving to 6+. since this is debian, it's likely that the wine team are trying to find a stable wine version that is reasonably current with upstream, and would also be upgradable from 5.0.3 without much turmoil.
1205[19:56:09] <jhutchins> Microsoft has a history of making minor protocol changes for the sole purpose of breaking non-Microsoft access to things.
1206[19:56:13] <sney> but you'd have to ask the wine team (er, party) to be sure.
1207[19:57:59] <PMT> sney: they also uploaded the immediately prior release the very same day, so I'm guessing they're working their way through in order.
1210[19:59:54] <sney> yeah. oh - not a lot of uploads last year, which makes sense because bullseye would have been the priority. so they are playing catch-up.
1213[20:00:58] <PMT> I'm surprised they're going in order like that and not just trying whatever the last stable release they might accept is, and if it has bugs, bisect on releases to find the newest one that works in log(N), not N. But I'm sure there's a reason.
1223[20:05:23] <maxrazer> I have tried to use their winehq repository before. Do you think I will get the same bug as the official debian package though?
1224[20:06:35] <PMT> Who knows? Depends whether it's been fixed in their version or not.
1225[20:07:09] <maxrazer> I would hope the Commercial Crossover version would work well. They offer .deb package. I wouldn't even mind supporting the project.
1227[20:07:40] <sney> IME it works fine as long as you actually read and follow the instructions at the top of the page, replaced-url
1228[20:08:26] <maxrazer> I'm not exactly sure I need a newer version, but I have run into that at times in steam where I needed a newer version or Glorious Eggroll. I've also had stuff fail before in Lutris and I don't know if a newer version would work. There is a lutris version that looks very new though which follows the upstream.
1229[20:08:45] <sney> steam's wine is a completely separate fork called proton.
1230[20:08:59] <sney> what is your actual goal?
1231[20:09:09] <maxrazer> Yeah, I know. But I'm drawing from that experience and thinking games I'm trying to run outside of Steam that don't work may work with a newer version of Wine.
1232[20:09:51] <PMT> And if it doesn't work on latest vanilla wine, you can go report a bug to them. :P
1233[20:10:12] <maxrazer> Yeah, I guess so.
1234[20:10:40] <PMT> Admittedly, I do still have one or two bugs that I still get emails about from before Wine switched to version numbers, but most of them got fixed.
1235[20:10:57] <maxrazer> I'm not sure if the winehq version comes with DXVK baked in or not. I know the debian one does. But, I think in other distros it does not. It is not part of the project if I remember correctly. Then there is setup.
1313[21:54:23] *** Quits: Numero-6 (~Numero-6@replaced-ip) (Quit: << - Who are you? - I am the new number 2 - Who is number 1? - You are number 6 - I am not a number! I am a free man!! >>)
1331[22:09:34] <cybrNaut> isn't /boot quite sensitive? if malware gets installed on /boot, nothing stops interception of everything else after you boot
1332[22:11:22] <cybrNaut> and i think anyone with physical access could trivially infect /boot
1339[22:14:09] <PMT> cybrNaut: in theory, an alternative is signing the bits in /boot with keys you control, then loading those keys into the list of secure boot things in the BIOS.
1340[22:14:34] <PMT> (I say "in theory" because I've never implemented this myself.)
1343[22:16:43] <cybrNaut> i wonder if a traveler were to refuse to give up their pw as they go through a security checkpoint / TSA / immigration-customs, the agent could disappear into a backroom with your laptop, load dodgy stuff onto /boot, and give it back. You think "they've only made a copy of the encrypted data" (which I hear they sometimes do), but perhaps they've also got some code that will send them the pw when you
1344[22:16:49] <cybrNaut> enter it.
1345[22:18:05] <sney> one approach for that threat model is to not even have /boot on the laptop's internal disk
1346[22:18:28] <sney> unlabeled thumbdrive that you can identify visually, etc
1347[22:19:20] <PMT> I have heard tales but never personally observed being asked to demonstrate a machine booting, though that was in the context of thinking it might be a bomb.
1353[22:20:26] <sney> yeah, just reserve a 4GB space at the beginning of the disk that boots some windows PE environment that only exists for that purpose
1366[22:27:13] <cybrNaut> might encrypted /boot be security by obscurity? An attacker could copy /boot bit for bit, compress it, then install malware that does something bad just before restoring /boot as it was. even a post-boot check would pass, but there could be something in RAM that shouldn't be there
1368[22:28:06] <cybrNaut> maybe an encrypted /boot doesn't compress well, which would kill that attack
1369[22:28:37] <oxek> cybrNaut: /boot is not the bootloader anyway
1370[22:28:44] <oxek> and they can mess with the bootloader if they want
1371[22:29:10] <oxek> if you're booting from the harddrive, and not a separate usb stick, then something has to remain unencrypted on the harddrive anyway
1372[22:29:27] <oxek> and that something can be trivially attacked (software for this is being sold and every agency has it)
1382[22:33:00] <gregor2> I am trying to run a chroot of debian on Lineage OS 18.1 on a xiaomi mi 8. But i get an error when running 'debootstrap/debootstrap --second-stage'. /debootstrap/debootstrap.log it says 'ERROR: Your kernel version indicates a revision number of 255 or greater.'. uname -r says '4.9.268-perf-....'
1390[22:40:38] <cybrNaut> i should probably encrypt /boot to step up my game, for academic reasons, until i learn to do better. is it safe to assume it's solid technology? That it won't cause data loss unless I forget the password?
1397[22:46:34] <gregor2> But now? I probably cant fix the problem by just giving it a wrong number can i?
1398[22:47:10] <PMT> You would fix it by changing your kernel's version number, probably. I'm not aware of a wrapper for e.g. chroot to make it lie about that, though I imagine one could exist.
1412[22:51:25] <velix> `dpkg-query -S libglib-2.0.so.0.6600.8` <-- anyone with an idea, how to use the pattern system so that dpkg-query does NOT use wildcards on the right side?
1445[23:07:14] <cybrNaut> encrypted /boot apparently needs a bleeding edge partition type. my versions of gdisk and sgdisk don't even know partition type 8309 exists
1464[23:14:36] <cybrNaut> jhutchins: but encrypted /boot may not be worth the effort if i have to mess with a different partition tool. the Bullseye blu-ray doesn't have any version of sgdisk it seems
1465[23:14:37] <jelly> dpkg, oftc move =~ s/will remain on both networks for the foreseeable future/are in both networks for the time being/
1491[23:22:18] *** Quits: mirak (~mirak@replaced-ip) (Remote host closed the connection)
1492[23:22:48] <cybrNaut> debian-edu-bullseye-DI-rc1-amd64-BD-1.iso has gdisk but not sgdisk. Someone should reconsider that, since sgdisk is more capable than gdisk.
1493[23:23:15] <sney> iso contents are determined by popcon scores
1494[23:23:22] *** Quits: stormkl (~stormkl@replaced-ip) (Remote host closed the connection)
1496[23:23:48] <sney> sometimes it takes newer tools time to get ranked high enough.
1497[23:25:09] <cybrNaut> it's terrible that the tor pkg is excluded because that's one thing that some people need to install /before/ standing up the network
1523[23:35:41] <cybrNaut> oxek: the ISO does not have the Tor pkg, so that doesn't help
1524[23:36:22] <oxek> cybrNaut: the bootstrapping already requires you to download *something*, so you might as well download everything you need before installation
1525[23:36:23] <cybrNaut> oxek> and the tor package over Tor as well <= that's if you have it to start with. otherwise tor itself must be fetched over clearnet
1526[23:36:49] <oxek> if you can somehow download the CD image, then you can download the tor package as well
1527[23:36:53] <cybrNaut> that's exactly why it should be part of the ISO
1531[23:37:46] <oxek> it being on the ISO would require the user to know how to switch to console and manually install it - and if they know how to do that then they are already skilled enough to do it without help from debian
1532[23:38:10] <oxek> or it would need another option during installation, which would require new code, testing, ... which d-i ppl don't have time for
1533[23:38:29] *** Quits: servis (~xxx@replaced-ip) (Quit: Leaving)
1534[23:39:06] <cybrNaut> the installer being Tor-aware would be nice for novices, but ATM not even experts are accommodated
1535[23:39:38] <oxek> at the moment, the installer can't even install over https without you having to switch to console and manually `apt-install ca-certificates`
1536[23:39:49] <cybrNaut> that is, i'm doing a bootstrap install from the disc, and there is no Tor pkg on it
1537[23:40:00] <cybrNaut> that's pretty bad
1538[23:40:15] *** Quits: jpw (~jpw@replaced-ip) (Remote host closed the connection)
1561[23:46:34] <jelly> I don't know how decent the last one is
1562[23:47:03] <cybrNaut> i use tails as well, but tails has issues installing to a normal internal drive last time I checked
1563[23:47:31] <jhutchins> Y'know, I've managed the servers that handle all of the logistics for the U.S. government. Straight Red Hat. No tor, no luks, no on-system firewalls.
1564[23:47:42] <jelly> it's going to be easier to fix the existing privacy distro than to fix the 100 little things in debian
1565[23:48:02] <cybrNaut> Tails is designed to only install to a DVD or USB stick
1566[23:48:41] <cybrNaut> and even then, there's an updating problem, because it's treated as a read-only image
1567[23:49:19] <jelly> probably because it is
1568[23:49:43] <cybrNaut> i have to update various pkgs in strange ways, and some pkgs i can only run very old versions of.. stuff i have on life support
1569[23:50:09] <cybrNaut> so Tails is a non-starter for those tasks
1570[23:51:49] <cybrNaut> jhutchins: a lot of government projects are quite poor on security.
1571[23:52:08] <cybrNaut> Even the NSA has been unable to secure their own hacking tools
1572[23:52:39] <jhutchins> cybrNaut: Heh. Imaginary security maybe. The only problem we had was a DDOS from China and South America.
1573[23:53:43] <cybrNaut> 8 US states have put their voter reg sites on Cloudflare, which means they've allowed Cloudflare to see everyone's voter registration records (including the non-public parts)
1574[23:54:58] <jhutchins> People have been killed by falling pianos. Always use an umbrella.
1575[23:55:09] <jhutchins> I'm off topic, I'll drop this.
1576[23:55:37] <ryouma> cybrNaut: why wouldnt ssl prevent that
1577[23:55:40] <ryouma> tls
1578[23:55:42] <cybrNaut> jhutchins: you just have to change it to "People have been killed by falling debian computers"
1580[23:56:56] <jelly> cybrNaut, if you have strange stuff, set up your own repo
1581[23:57:05] <cybrNaut> ryouma: prevent what? Cloudflare from seeing the data? No, because the tunnel stops at Cloudflare's server. CF is the endpoint
1583[23:58:07] <cybrNaut> Cloudflare sees all usernames and unhashed passwords that traverse their servers, and that's around ~30% of the web right now
1584[23:59:25] <cybrNaut> yes, it's mind-boggling that most of the population is allowing Cloudflare to have that much data