KatolaZ | waydot: deb.devuan.org is http-only | 08:29 |
---|---|---|
EHeM | Problem with selectively encrypting things is it makes it obvious which data is the valuable data, thus encrypting *everything* is generally a good idea. | 08:36 |
EHeM | Meanwhile, I think we've got at least two people seeing 403 Forbidden from 37.220.36.58 (sledjhamr.org). | 08:38 |
KatolaZ | detha: none of the mirrors actually has a cert for deb.devuan.org | 08:38 |
KatolaZ | and getting a cert for that is useless, since deb.devuan.org is a DNS RR | 08:39 |
detha | KatolaZ: I suspected as much. You could get a cert and distribute it along the mirror operators by some means, but meh | 08:40 |
KatolaZ | waydot: you can't just "browse" a devuan mirror | 08:40 |
KatolaZ | at least not directly | 08:40 |
KatolaZ | detha: no, we can't | 08:40 |
KatolaZ | it does not make any sense | 08:41 |
KatolaZ | and it's a real security threat | 08:41 |
detha | I didn't say it would make sense, but it is technically possible. | 08:43 |
KatolaZ | yes, it is technically possible | 08:43 |
KatolaZ | but it's also useless | 08:43 |
KatolaZ | IMHO | 08:43 |
KatolaZ | if you need https, just use one of the mirrors that provides https | 08:43 |
detha | This same discussion happened a year or two ago in openbsd. I think eventually they gave in and put a cert on the mirrors | 08:44 |
KatolaZ | the integrity of a repo is guaranteed by the fact that Release and InRelease files are signed | 08:45 |
KatolaZ | with the key available in devuan-keyring | 08:45 |
* KatolaZ shrugs | 08:45 | |
KatolaZ | there are plenty of mirrors supporting https | 08:45 |
detha | You understand that. I understand that. But google and co are doing a good job of conditioning people to say 'It doesn't have SSL, therefore it can not be good' | 08:46 |
KatolaZ | detha: all the major distributions are conditioning people to say "It does not have systemd, therefore it can not be good"... | 08:47 |
KatolaZ | :) | 08:47 |
KatolaZ | ignorance is cured by knowledge, not by automagic candies | 08:48 |
detha | touche | 08:48 |
KatolaZ | ;0 | 08:48 |
KatolaZ | ;0 | 08:48 |
KatolaZ | ;) | 08:48 |
KatolaZ | (I might need a new keyboard soon, I guess... :D) | 08:49 |
detha | While you are here, there is no easy way to pull just the amprolla-overridden parts off a mirror is there? | 08:51 |
KatolaZ | sure there is | 08:52 |
KatolaZ | just look at the "/devuan" section | 08:52 |
KatolaZ | instead of "/merged" | 08:53 |
KatolaZ | detha: ^^^ | 08:53 |
KatolaZ | you could also do that with debmirror, if you like | 08:53 |
KatolaZ | (I posted a simple howto about that on dev1galaxy some time back) | 08:53 |
KatolaZ | maybe golinux can help finding it | 08:54 |
detha | ah. that might work. At the moment I have something called pmprolla which splits things so overrides come from the interwebz, and debian comes from a local rsync'ed debian mirror | 08:55 |
detha | I shall have to see if debmirror can be made to run on a non-debian system | 08:57 |
golinux | KatolaZ: I have not been able to find your debmirror howto among any of your d1g posts: https://dev1galaxy.org/search.php?action=show_user_posts&user_id=4669 | 09:03 |
golinux | I'll try dng. | 09:03 |
golinux | KatolaZ: I did find this: https://dev1galaxy.org/viewtopic.php?pid=4813 | 09:09 |
golinux | Is that what you were thinking of? It must have been you who answered the bug report. | 09:09 |
golinux | Off to bed for me. | 09:10 |
detha | thanks, that looks like a good starting point | 09:39 |
KatolaZ | detha: there was another post | 12:51 |
KatolaZ | and there was also one on apt-mirror, IIRC | 12:52 |
detha | KatolaZ: both could probably work, just plain old rsync like all other mirrors support doesn't | 12:57 |
detha | But since I only have to update two desktops and a base VM from behind a slow link, I never really bothered setting it up | 12:57 |
KatolaZ | detha: rsync won't work | 12:58 |
KatolaZ | since the Devuan repos are based on redirects | 12:59 |
KatolaZ | (http redirects) | 12:59 |
detha | I know. That is what has annoyed me since day 1 of devuan. I have the same redirects that amprolla mirrors do in my local mirror server, just the other way around | 13:00 |
detha | If there was just a rsync mirror::devuan, that would make life much easier | 13:01 |
KatolaZ | detha: apt-mirror is super-easy to setup.. | 13:04 |
detha | KatolaZ: on a debian-based system. However. The mirror server is not debian-based, and the last time I looked it was a pain with missing/mismatching perl modules | 13:05 |
KatolaZ | uh? | 13:07 |
KatolaZ | oh I see | 13:07 |
KatolaZ | well, in principle apt-mirror does not require a debian-based system | 13:07 |
KatolaZ | only apt | 13:07 |
KatolaZ | AFAIK | 13:08 |
detha | skimming through the .pl code it doesn't look like it uses anything too debian-specific, but I remember it would not run out of the box on centos6 | 13:09 |
detha | anyway, sometime in the next year or so that server will be converted to *bsd (with * to be decided), so I shall try again then | 13:10 |
detha | the fun bit will be finding 6TB parking space to convert the disks off LVM | 13:13 |
ryoch | http://DoPartTimeJob.com/?user=901530 | 13:45 |
djph | ? | 13:45 |
* man_in_shack stares at ryoch | 13:46 | |
* queip clubs down ryoch | 13:58 | |
nemo | hrm. so I'm transitioning an ubuntu 14.04 system to devuan | 15:49 |
nemo | I went to devuan website, got the pubkey, ran apt-key add | 15:49 |
nemo | got the OK | 15:49 |
nemo | devuan repository shows up in apt-key list | 15:50 |
nemo | however, I still seem to be missing a couple of keys | 15:50 |
nemo | W: GPG error: http://download.virtualbox.org stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2F683C52980AECF | 15:50 |
nemo | that one is mildly surprising but I can probably work it out with virtualbox | 15:50 |
nemo | guess they use separate keys for ubuntu vs debian for some reason? | 15:50 |
nemo | W: GPG error: http://deb.devuan.org ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB23C00C61FC752C | 15:50 |
nemo | that one seems problematic tho... | 15:51 |
nemo | https://devuan.org/os/keyring/ there's no mention of this 2nd key here... | 15:51 |
nemo | oh whew. I *am* able to install devuan-keyring tho \o/ | 15:53 |
nemo | ugh | 15:53 |
nemo | unverified tho crap | 15:53 |
* nemo sighs | 15:53 | |
nemo | lemme find the package on your website at least | 15:53 |
nemo | hm https://devuan.org/os/packages/devuan-keyring is a 404... | 15:54 |
nemo | and pkginfo doesn't offer any links | 15:55 |
man_in_shack | fun | 15:56 |
nemo | ah here we go | 15:56 |
nemo | https://packages.roundr.devuan.org/devuan/pool/main/d/devuan-keyring/ | 15:56 |
nemo | https and on devuan.org | 15:56 |
nemo | that's probably about as much security as I'll get | 15:56 |
KatolaZ | nemo: ? | 16:00 |
KatolaZ | whazzup? | 16:00 |
KatolaZ | nemo the error is in the virtualbox repo | 16:00 |
KatolaZ | not in the devuan one.... | 16:00 |
KatolaZ | 15:52 < nemo> W: GPG error: http://download.virtualbox.org stretch InRelease: The following signatures couldn't be verified because | 16:00 |
KatolaZ | the public key is not available: NO_PUBKEY A2F683C52980AECF | 16:00 |
KatolaZ | -_- | 16:00 |
nemo | yeah. I noted that ☺ | 16:01 |
KatolaZ | nemo: the keyring used for ascii is reported in the ascii release notes | 16:01 |
nemo | KatolaZ: well. I'm upgrading now using the one I found on the package website | 16:01 |
KatolaZ | what is the "package website"? | 16:01 |
nemo | 09:56 < nemo> https://packages.roundr.devuan.org/devuan/pool/main/d/devuan-keyring/ | 16:01 |
KatolaZ | there are currently two signing keys | 16:01 |
nemo | 09:56 < nemo> https and on devuan.org | 16:01 |
nemo | apparently so | 16:01 |
KatolaZ | one for packages.devuan.org | 16:02 |
KatolaZ | and one for pkgmaster.devuan.org and deb.devuan.org | 16:02 |
nemo | I found the first one on https://devuan.org/os/keyring/ but had no mention of the 2nd one | 16:02 |
nemo | but when I installed the package I got the 2nd key | 16:02 |
KatolaZ | nemo again, read the ascii release notes please :) | 16:02 |
KatolaZ | and, with ascii you should not use packages.devuan.org | 16:02 |
KatolaZ | rather deb.devuan.org | 16:02 |
nemo | yeah, now that I know that's the place to look for it... but it really doesn't apply too much in this scenario. I'm going to make a mess of this machine anyway | 16:02 |
nemo | yeah. I know | 16:02 |
nemo | I'm using a good sources.list.d | 16:03 |
nemo | er sources.list | 16:03 |
nemo | from another known good devuan laptop | 16:03 |
KatolaZ | nemo: packages.roundr.devuan.org is NOT pkgmaster.devuan.org | 16:03 |
KatolaZ | and is not deb.devuan.org... | 16:03 |
nemo | KatolaZ: ok... I only settled on it because it showed up in a search for your keyring package on google, and I could get it over https and off your domain | 16:03 |
KatolaZ | uh? | 16:03 |
nemo | it was a bit roundabout, but whatever, couldn't find the .deb anywhere else | 16:03 |
nemo | as noted the os/keyring link was a 404 and pkginfo had no links | 16:04 |
KatolaZ | nemo: I don't understand what you are referring to | 16:04 |
KatolaZ | https://devuan.org/os/ | 16:05 |
nemo | https://devuan.org/os/keyring/ → links to https://devuan.org/os/packages/devuan-keyring which is 404 | 16:05 |
KatolaZ | the keys are listed in the link I sent you | 16:05 |
KatolaZ | the link you posted is not reachable from the devuan.org website | 16:05 |
KatolaZ | must be dead | 16:05 |
KatolaZ | golinux: ^^^^^ | 16:05 |
nemo | ok. well. it's high up on google hits when I was trying to find your keyring | 16:06 |
nemo | first hit? | 16:06 |
KatolaZ | nemo: just looking on devuan.org | 16:06 |
KatolaZ | would have saved you time | 16:06 |
KatolaZ | devuan.org happens to know better than google about devuan-keyring :) | 16:06 |
nemo | KatolaZ: https://devuan.org/os/ doesn't seem to make the keyring .deb or ascii armoured keys terribly discoverable either - although it does at least list them | 16:06 |
KatolaZ | it's at the bottom of the page | 16:07 |
KatolaZ | ... | 16:07 |
nemo | where? | 16:07 |
nemo | I just rechecked | 16:07 |
nemo | just list of keys | 16:07 |
nemo | no package link, no armour | 16:07 |
KatolaZ | what are you looking for? | 16:07 |
KatolaZ | oh lord | 16:07 |
nemo | nothing anymore | 16:07 |
nemo | I got it working 😉 | 16:07 |
nemo | But, I was looking for https://packages.roundr.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2017.10.03_all.deb OR ascii armoured versions of same | 16:08 |
KatolaZ | I see | 16:09 |
KatolaZ | ... | 16:09 |
amarsh04 | nice, now have xfce from Devuan running on this pc | 16:09 |
nemo | huh... devuan has its own separate xfce? that's mildly surprising | 16:10 |
nemo | didn't realise the cancer had spread so far | 16:10 |
amarsh04 | only the wallpaper is noticeably different | 16:10 |
amarsh04 | I had forgotten about installing an alternative desktop environment on this pc (which is still running KDE 3.5) in order to upgrade to plasma without losing access to other applications like thunderbird email | 16:13 |
nemo | ahhh the virtualbox issue is simply 'cause ubuntu 14.04 is so old - they'd changed their signing key | 16:13 |
golinux | nemo: There are several "dead" pages on the devuan site. That information has been moved to another area/page | 16:21 |
nemo | golinux: no worries, I was just trying to find *any* link on your site to the .asc or .deb of the keys | 16:22 |
golinux | I don't know why google doesn't drop links when they are gone. | 16:22 |
nemo | golinux: I more or less have that thanks to that .deb above | 16:22 |
nemo | but I would have been fine with curl foo.asc | apt-key add ☺ | 16:22 |
nemo | in the end I kinda have to trust that the domain is under your control, at least for the first few minutes I get the key | 16:23 |
golinux | KatolaZ: have never even seen https://devuan.org/os/keyring/ It is not linked to anywhere on the site. So I have no idea where he got it. | 16:25 |
KatolaZ | no idea either | 16:28 |
nemo | golinux: https://www.google.com/search?q=devuan+keyring | 16:29 |
nemo | golinux: I was as noted trying to find the .deb / .asc tho | 16:30 |
golinux | But the page must be there. Should I delete it? I have always kept old pages around in case we ever want to reactivate them though I have never even seen this one. | 16:30 |
golinux | Maybe a redirect? | 16:30 |
nemo | golinux: https://www.virtualbox.org/wiki/Linux_Downloads for example, they include this wget line for their signing key | 16:30 |
nemo | was more or less trying to find that somewhere | 16:30 |
nemo | I really should have just done a clean install, but this is a trial run for my server | 16:31 |
golinux | KatolaZ: ^^^ You were opposed to redirects the last time I requested one. This is why I think they are a good idea. Google never forgets it seems | 16:31 |
nemo | I wanna see if I can switch to devuan semi-cleanly without rebooting | 16:31 |
nemo | golinux: you can forcibly remove pages from google index if you claim the site, but it's a bit tedious to do so | 16:31 |
nemo | golinux: robots.txt is a little faster | 16:31 |
nemo | golinux: BTW DDG has it at top of their hits too | 16:32 |
nemo | but hopefully they check robots.txt too | 16:32 |
golinux | DDG is google a bit neutered | 16:33 |
golinux | Not the content though. | 16:33 |
nemo | erm. AFAIK DDG outsources the crawling to bing | 16:34 |
KatolaZ | golinux: I don't mind what google thinks they should index | 16:34 |
KatolaZ | ... | 16:34 |
KatolaZ | they are simply wrong in linking a dead link | 16:34 |
nemo | how would google and bing and ddg know it is dead? | 16:35 |
KatolaZ | by following it? | 16:38 |
golinux | KatolaZ: It makes more work for all of us when there is a dead link. | 16:38 |
KatolaZ | golinux: uh? | 16:38 |
KatolaZ | why? | 16:38 |
golinux | And pisses off users. | 16:38 |
golinux | Because we have to explain where to find the correct info. | 16:39 |
KatolaZ | it's super-easy: devuan.org | 16:39 |
KatolaZ | guess what | 16:39 |
KatolaZ | I need info about devuan? | 16:39 |
KatolaZ | I go to devuan.org | 16:39 |
golinux | It takes time and energy that could be funneled elsewhere. | 16:39 |
nemo | golinux: frankly, I'm still not sure where the correct info is for the .asc / .deb ... | 16:39 |
nemo | and, people do use search engines to try and locate stuff *on* a domain | 16:39 |
KatolaZ | golinux: we should just remove that page IMHP | 16:40 |
KatolaZ | IMHO | 16:40 |
KatolaZ | bbl | 16:40 |
golinux | Exactly. | 16:40 |
nemo | https://www.google.com/search?q=site%3Adevuan.org+signing+keys | 16:40 |
nemo | first hit for signing keys on your domain ☺ | 16:40 |
KatolaZ | and maybe add the armoured keys used for signing repos | 16:40 |
nemo | probably first hit for "keys anything" | 16:40 |
nemo | whooo boy. | 16:41 |
nemo | my ubuntu 14.04 - devuan ascii has hit its first snag | 16:41 |
golinux | I don't even know what an armored key is but I'll add it if you give me the info. | 16:41 |
nemo | golinux: just the .asc version | 16:41 |
nemo | golinux: like, if you look at the virtualbox wget which they pipe into apt-key add | 16:42 |
nemo | golinux: it's the pubkey basically in base64 with header/footer for easy sharing | 16:42 |
nemo | your keyring will generate it automatically | 16:42 |
golinux | That' | 16:42 |
nemo | gpg --armor --export | 16:43 |
golinux | s not my "domain" | 16:43 |
nemo | kk | 16:43 |
golinux | I do the graphics | 16:43 |
nemo | well. now that I have your pubkey I can generate the armoured versions ☺ | 16:43 |
nemo | if you want | 16:43 |
nemo | but then, so could you | 16:43 |
KatolaZ | nemo: got the comment mate | 16:43 |
KatolaZ | no need to boast ;) | 16:43 |
nemo | ? | 16:44 |
golinux | Not boasting. Trying to help I think | 16:44 |
nemo | yep | 16:44 |
nemo | hm. this is fun. Unpacking libgstreamer-plugins-bad1.0-0:amd64 (1.10.4-1) over (1.2.4-1~ubuntu1.1) trying to overwrite '/usr/lib/x86_64-linux-gnu/libgstbasecamerabinsrc-1.0.so.0', which is also in package libgstreamer-plugins-good1.0-0:amd64 1.2.4-1~ubuntu1.4 | 16:44 |
nemo | so... I'm gonna guess that the "good" one is the old ubuntu one | 16:44 |
golinux | Anyway, I have the plumber here fixing a leak so can't deal with this any longer | 16:44 |
nemo | so I'm gonna try removing that one first | 16:44 |
nemo | since gstreamer is non-critical | 16:44 |
nemo | aaaagh but apt-get remove is returning a ton of errors from all the other stuff blocking | 16:45 |
nemo | hm. maybe just a --force-all on the /var/cache package | 16:51 |
nemo | that worked | 16:57 |
nemo | invoke-rc.d: WARNING: No init system and policy-rc.d missing! Defaulting to block. | 17:01 |
nemo | that's a worrying one ☺ | 17:01 |
nemo | but eh. this is mostly for educational purposes | 17:01 |
nemo | since I couldn't find any guide online to anyone attempting this | 17:02 |
nemo | if it fails horribly I'll know not to attempt it on the servers | 17:02 |
nemo | mostly I'm attempting dist-upgrade until I hit errors, then dpkg -i --force-all - it is usually complaining about attempting to overwrite something an ubuntu 14.04 package that it doesn't know should be removed is managing | 17:18 |
nemo | and --fix-broken install | 17:19 |
nemo | it seems to be making progress, although we'll see what final state of system is ☺ | 17:19 |
nemo | my bet is the final damage will be untracked files under /usr - will have to run a report to pick those up and clean 'em out by hand | 17:20 |
nemo | hopefully nothing too system-breaking if I run some prophylactic grub update etc before rebooting | 17:20 |
nemo | hah. there's hedgewars - totally forgot I put it on this work laptop long ago to test the ubuntu install | 17:21 |
nemo | oh. and also autoremove to clean out junk as it slowly succeeds in replacing things | 17:22 |
nemo | welp. it finally finished, now for cleanup, for starters gonna remove everything installed that's "ubuntu" | 17:33 |
nemo | hm. wonder if I should have done that first | 17:46 |
ryoch | Clean Link : ) http://DoPartTimeJob.com/?user=901530 | 18:04 |
nemo | aaand done. that wiped out a good chunk of system, so gonna try installing a few high-level things like mate | 18:11 |
golinux | ryoch: Just go away | 18:14 |
bkeys | Is there a Sid equivalent in devuan? | 18:20 |
MinceR | it's ceres | 18:21 |
bkeys | What is my apt.sources.list gonna look like? | 18:22 |
MinceR | ¯\_(ツ)_/¯ | 18:22 |
bkeys | I just replaced jessie with ceres in the sources.list | 18:26 |