* Xenguy waits for the vim and firefox-esr updates... | 01:18 | |
fsmithred | Xenguy, auto.mirror.devuan.org ascii-security | 01:19 |
palinuro | hi | 11:07 |
gnarface | hello palinuro | 11:12 |
jaromil | hola | 12:22 |
jaromil | palinoro: see also #devuan-dev ;^) | 12:23 |
jaromil | u | 12:23 |
xrogaan | is deb.devuan.org not good anymore? | 13:02 |
fsmithred | xrogaan, I know ascii-security hasn't been updating on pkgmaster/deb.devuan | 13:04 |
fsmithred | is there something else? | 13:04 |
xrogaan | well, I wait for the security update too | 13:04 |
xrogaan | If the round robin isn't being updated on time, why use it? | 13:04 |
fsmithred | if you want a security update now (before pkgmaster gets fixed) use auto.mirror.devuan.org | 13:05 |
fsmithred | the problem is not with the mirrors updating; it's in amprolla itself | 13:07 |
xrogaan | I don't know what that is | 13:07 |
fsmithred | that's the software that pulls packages from debian repo and devuan repo and merges them into one | 13:08 |
fsmithred | and for some unknown reason, it's not pulling from stretch security | 13:08 |
fsmithred | mirrors in deb.devuan.org pull from pkgmaster.devuan.org | 13:09 |
fsmithred | mirrors in auto.mirror.devuan.org pull from packages.devuan.org which is working correctly | 13:10 |
fsmithred | sed -i 's/deb.devuan.org/auto.mirror.devuan.org/g' /etc/apt/sources.list && apt update | 13:11 |
fsmithred | need to go out - back in 15 | 13:12 |
xrogaan | yes yes | 13:25 |
fsmithred | xrogaan, all better now? | 13:37 |
AEonFyr_ | Are the dbus security updates suitably devuanised yet? I'm still seeing *deb9u1 vs *devuan2 when listing upgradeable, but it's been some time, so I'm not certain. | 14:10 |
fsmithred | AEonFyr_, not yet | 14:16 |
AEonFyr_ | k, thanks, will keep them on the backburner. | 14:17 |
xrogaan | fsmithred: I was just curious about why use auto.mirror. instead of deb. | 14:24 |
fsmithred | xrogaan, because right now, auto.mirror is working correctly and pkgmaster is not. | 14:35 |
xrogaan | Yes, I got that :P | 14:37 |
fsmithred | oh, ok | 14:37 |
fsmithred | several people have asked about it because of new ff-esr | 14:37 |
AEonFyr | Bollocks... Seems I had unattended-upgrades automagically installed on one box and it helpfully already installed the faulty dbus packages. Now trying to downgrade to the previous version of libdbus-1-3 wants to remove some rather important looking packages: | 15:05 |
AEonFyr | The following packages will be REMOVED: | 15:06 |
AEonFyr | consolekit dbus elogind libpam-elogind libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-backend-consolekit-1-0 libpolkit-gobject-1-0 libpolkit-gobject-consolekit-1-0 packagekit packagekit-tools policykit-1 | 15:06 |
AEonFyr | hmmm... | 15:07 |
AEonFyr | Should I just leave everything as is? Everything still seems to be running ok as far as I can see. | 15:08 |
nemo | speaking of security updates | 15:16 |
nemo | what's up w/ Firefox ESR 60.7.1 ? | 15:16 |
nemo | it's in debian stable-sec ... | 15:16 |
nemo | but don't see it in devuan? | 15:17 |
fsmithred | AEonFyr, are you trying to install the deb package from /var/cache/apt/archives? | 15:20 |
fsmithred | dpkg --force-downgrade -i <whatever.deb> | 15:20 |
fsmithred | nemo, pkgmaster is not updating security repo. You can use auto.mirror.devuan.org instead. | 15:21 |
AEonFyr | fsmithred, yes. Using: sudo apt-get install libdbus-1-3=1.10.22-1+devuan2 | 15:22 |
nemo | fsmithred: ack | 15:22 |
nemo | that seems kind of an important omission | 15:22 |
fsmithred | agreed | 15:22 |
nemo | deb http://us.deb.devuan.org/merged/ ascii-security main | 15:23 |
nemo | which one is that one | 15:23 |
fsmithred | AEonFyr, using apt-get tries to pull from mirror. Try installing the old archived debs | 15:23 |
nemo | hm. actually that machine is fine | 15:23 |
fsmithred | deb.devuan.org is pkgmaster | 15:23 |
fsmithred | auto.mirror.devuan.org is packages.devuan.org | 15:23 |
fsmithred | the latter is working correctly | 15:24 |
* AEonFyr consults man dpkg | 15:24 | |
fsmithred | dpkg --force-downgrade -i <whatever.deb> | 15:25 |
nemo | fsmithred: will this be corrected soon? | 15:25 |
nemo | fsmithred: I think all the devuan machines over here are on deb.devuan.org | 15:25 |
fsmithred | probably soon | 15:25 |
nemo | ok. just, you know, firefox zero-day... kinda scary | 15:26 |
nemo | fsmithred: is there any reason to prefer one over the other in general? | 15:26 |
nemo | like apart form this is pkgmaster more reliable ? | 15:26 |
nemo | otherwise I'll just switch all the machines | 15:26 |
fsmithred | nemo, I'm not sure. | 15:26 |
nemo | hm | 15:26 |
nemo | ok. well, will wait a bit then | 15:26 |
nemo | *from this | 15:27 |
fsmithred | old idea was to retire packages.do, but then it got upgraded to the new amprolla | 15:27 |
fsmithred | noscript | 15:27 |
nemo | fsmithred: hm... so I'm currently on the one that is theoretically the one you guys want to actively maintain in the future. | 15:32 |
nemo | I did seem to remember having been told to use it in setup ☺ | 15:32 |
fsmithred | yes, and on the website, too | 15:33 |
nemo | aight. well. I use noscript, so does my coworker. | 15:33 |
nemo | but still. it's a baaaaaaad bug | 15:33 |
nemo | so hopefully pkgmaster gets fixed soon | 15:33 |
nemo | like. really easy to exploit and in the wild | 15:33 |
AEonFyr | fsmithred: thanks a lot, that pushed them back down nicely. :) | 15:41 |
AEonFyr | .... and to bring this little saga to an end for those of you following this from home: sudo apt-mark hold unattended-upgrades | 15:53 |
AEonFyr | .... after removing it. | 16:06 |
cosurg1 | Uh, guys. After dbus update I have this file /etc/dbus-1/system.conf inside which I see "<includedir>system.d</includedir>" with comment: | 18:20 |
cosurg1 | Config files are placed here that among other things, punch holes in the above policy for specific services. | 18:20 |
cosurg1 | do we seriously need to "punch holes" for systemd in some policy? | 18:20 |
onefang | I thought systemd needed a seriously good punching. B-) | 18:21 |
cosurg1 | yeah. But can we change dbus a little to remove this crap? | 18:21 |
cosurg1 | Also, there is a very worrisome diff in file /etc/init.d/dbus | 18:22 |
cosurg1 | This was removed: | 18:23 |
cosurg1 | ## do not replace machine-id if uptime is larger than GRACETIME | 18:23 |
cosurg1 | MACHINEID=/var/lib/dbus/machine-id | 18:23 |
cosurg1 | GRACETIME=60 | 18:23 |
cosurg1 | It basically means, that my machine-id will never change, so that all corporations can track my PC, regardless of how many adblockers I use. | 18:23 |
MinceR | punch a systemd-sized hole in systemd and a dbus-sized hole in dbus to fix problems | 18:23 |
cosurg1 | Also, we should simply set a crontab which recreates machine-id daily, e.g. at 4am. | 18:24 |
onefang | A big enough hole to drive dbus through? | 18:24 |
cosurg1 | anyway. I will do git revert on this crap in /etc | 18:24 |
KatolaZ | cosurg1: you should probably read the whole diff | 18:26 |
KatolaZ | the dbus package was patched exactly for that reason | 18:26 |
KatolaZ | look into start_it_up | 18:26 |
onefang | Are you complaining about the language in a comment? "punch holes" in this case is fairly standard nomenclature. | 18:26 |
KatolaZ | it calls create_machineid *always* | 18:26 |
cosurg1 | I see that start_it_up() calls create_machineid once. | 18:26 |
KatolaZ | then | 18:27 |
KatolaZ | please read the whole diff | 18:27 |
cosurg1 | I would rather have it called more often. | 18:27 |
KatolaZ | :\ | 18:27 |
MinceR | a big enough hole to ensure none of it remains :> | 18:27 |
cosurg1 | ok. | 18:27 |
Akuli | where is the diff? /me wants to read too | 18:29 |
cosurg1 | I have it in 'git diff' in my /etc | 18:30 |
Jjp137 | cosurg1, is 1.10.28-0+deb9u1 the version of the dbus update you got? | 18:30 |
cosurg1 | interesting. | 18:31 |
cosurg1 | I did a git checkout to restore old files. | 18:31 |
cosurg1 | Then upon KatolaZ's suggestion I redownloaded it, to examine more carefully. And the changes are not there. | 18:31 |
cosurg1 | Now it's only in my xterm's history | 18:31 |
* cosurg1 looks closer | 18:31 | |
KatolaZ | cosurg1: which package are you talking about, exactly? | 18:32 |
cosurg1 | Jjp137: yes, this version dbus_1.10.28-0+deb9u1_amd64.deb | 18:32 |
cosurg1 | dpkg -S init.d/dbus | 18:32 |
cosurg1 | dbus: /etc/init.d/dbus | 18:32 |
Jjp137 | oh yeah for some reason that got into the repo and that version hasn't been touched by Devuan yet | 18:32 |
Jjp137 | otherwise it would probably have some +devuanx in the version number | 18:33 |
cosurg1 | http://janek.kozicki.pl/tmp/dbus-diff.png | 18:34 |
cosurg1 | there you go guys. Have a look. | 18:34 |
Akuli | to me this seems like it creates a new machine-id on reboot? | 18:38 |
cosurg1 | Ah! OK. Yes, this is definitely version dbus_1.10.28-0+deb9u1_amd64.deb | 18:38 |
cosurg1 | The reason for my surprise was that reinstalling this package did not overwrite those files. It apparently assumed that since files are from correct .deb version, they don't need overwriting. | 18:38 |
cosurg1 | I copied them over again. And I have this diff back. | 18:39 |
Akuli | i copied the file to /tmp, ran `sudo apt update` and diffed :D | 18:39 |
cosurg1 | just `git init` in /etc, you won't ever regret that. | 18:39 |
Akuli | that seems like a good idea | 18:40 |
onefang | Or try etckeeper. | 18:40 |
Akuli | i'm already familiar with git and i don't like spending time on memorizing commands, so i think i'll use that | 18:40 |
onefang | Which basically does that, but tracks apt updates. | 18:40 |
Akuli | cosurg1, you need to run git as root for this though? | 18:40 |
cosurg1 | Hm. Yes, actually I do. And you just reminded me, that git has security holes. | 18:41 |
Akuli | :D | 18:42 |
cosurg1 | However, I only run a small set of my own scripts in there. | 18:42 |
cosurg1 | Ahhhh! It won't ever end. | 18:42 |
Akuli | maybe i'll do it dumbly and `cp` my /etc somewhere before git initting | 18:42 |
cosurg1 | The security nightmare. | 18:42 |
* cosurg1 goes to the forest, light a fire by the river and sleeps beneath the starts. So peaceful! | 18:42 | |
cosurg1 | *stars ;) | 18:43 |
* cosurg1 goes to the forest, lights a fire by the river and sleeps beneath the stars. So peaceful! | 18:43 | |
cosurg1 | Oh. Now it looks good ;> | 18:43 |
cosurg1 | ok, so what is the conclusion? | 18:43 |
cosurg1 | looks like /var/lib/dbus/machine-id was recreated upon reboot anyway? Before and after this update/ | 18:44 |
cosurg1 | ? | 18:44 |
fsmithred | if you have the old debs in /var/cache/apt/archives you can downgrade to the devuan versions of dbus dbus-x11 and libdbus-1-3 | 18:44 |
Akuli | the init script seems to start dbus and create the machine-id on reboot | 18:44 |
cosurg1 | Ah. I see now. It actually could survive a little bit longer, after the reboot. | 18:44 |
cosurg1 | KatolaZ: thanks! | 18:44 |
fsmithred | if you don't have the debs, you can still download them if you specify the version | 18:44 |
Akuli | i downgraded with 'apt install' and the apt log to get the diff myself :) | 18:46 |
cosurg1 | KatolaZ: my apologies. | 18:52 |
cosurg1 | but I am still suspicious about these two new files: /etc/dbus-1/session.conf /etc/dbus-1/system.conf | 18:53 |
KatolaZ | cosurg1: I am not working on Devuan any more, sorry | 18:55 |
KatolaZ | I am sure somebody else can help you | 18:56 |
cosurg1 | :-(((( | 18:56 |
cosurg1 | Is that because of that april fool's prank? | 18:56 |
cosurg1 | whoa. | 18:59 |
cosurg1 | I'm sorry. | 19:00 |
Akuli | that's :( | 19:47 |
cosurgi | ? | 19:48 |
Akuli | that katolaz doesn't work on devuan anymore | 19:48 |
cosurgi | yeah, he is the only devuan developer I've ever met here. And frankly one of the best people I've met in my life. | 19:52 |
onefang | There's other Devuan devs here. | 19:53 |
fsmithred | cosurgi, I have those directories in my ascii install that hasn't been upgraded lately | 19:59 |
fsmithred | the system.d dir is not about systemd. It's just another .d directory for custom configs | 20:00 |
golinux | There are. But KatolaZ did a lot of support and worked tirelessly on the backend too. He is greatly missed, | 20:02 |
* furrywolf thought the april fools thing was funny | 20:02 | |
golinux | I so wish he hadn't shot himself in the foot . . . | 20:02 |
* Akuli looks up "the april fools thing" | 20:02 | |
* MinceR thought it was funny as well | 20:04 | |
system32 | >>devuan now uses systemd instead of init v | 20:05 |
furrywolf | how did he shoot himself in the foot? all I remember is a bunch of "oh noes, we don't look PROFESSIONAL enough if we let it show that we have a sensor of humor" whining... | 20:05 |
system32 | april 1st joke | 20:05 |
system32 | it can be a very good prank tho | 20:05 |
furrywolf | no, this one was that all our pages had been moved to gopher. gopher forever. | 20:05 |
Akuli | how does that lead into katolaz's quitting :D | 20:07 |
furrywolf | maybe next year we should change all the pages to say that isos will only be distributed by avian carrier? :) | 20:07 |
furrywolf | Akuli: some people have no sense of humor. | 20:08 |
onefang | That wasn't the problem, the problem was saying that Devuan's web site had been hacked. | 20:09 |
Akuli | did you have 3 or more different april fool's jokes? | 20:09 |
Akuli | to me, the website hacked thing seems like it could have been real, i mean why couldn't a website get hacked on an april fool's day | 20:10 |
onefang | The "hacked" one was also the "gopher" one. | 20:10 |
Evilham | system32: maybe next year this should be packaged for devuan: https://github.com/reyk/systemd-openbsd | 20:17 |
furrywolf | or announce that we've been bought by redhat | 20:20 |
furrywolf | or that, with the assistance of poettering, we're now launching LinuxD, a single pid1 program that provides your entire linux experience. | 20:23 |
r3boot | this kind of stuff belongs to #debianfork, cmon | 20:27 |
golinux | Thank you r3boot | 20:52 |
golinux | The problem that I had with it is that they were lying and pretending that we HAD been hacked. | 20:54 |
golinux | NEVER EVER lie to your users about security. That is NOT a joke. | 20:55 |
fsmithred | anyone here running kde? If you started with a fresh kde install, are any xfce4 packages installed that you didn't put there? | 21:14 |
xrogaan | They keep coming. https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ | 23:05 |
xrogaan | GAH! | 23:05 |
djph | "oops" | 23:07 |