libera/#devuan/ Wednesday, 2022-09-07

rwpfsmithred, Thanks for working this problem!00:06
uncloudedHi, what are the minimum CPU requirements for chimaera?  Will it run on a Pentium II?  I only need it to run SSH.08:05
empathicobliter4unclouded: Idk08:07
Xenguyunclouded  ^^08:07
empathicobliter4Xenguy: I don't think so08:07
XenguySeems like you might be fine08:08
empathicobliter4I guess sysvinit cost less mem08:08
brocashelmunclouded: as devuan is like debian (minus systemd), it should work well on almost any hardware. a lot of that depends on whether or not you'll need a DE or anything else that can take up resources08:08
Xenguyempathicobliter4, ...08:08
brocashelmif you decide to go with a DE, try to have at least 4 gb of ram. even xfce is not that lightweight anymore (it will consume 350-400 mb on a clean install). if you need a more minimal devuan install, it's recommended that you use the netinstall isos08:09
uncloudedNo DE required, just SSH.  I found a report of someone installing Debian 5 on a Pentium II, though I guess requirements may have changed since then08:11
empathicobliter4I suggest several window Manager,such as icewm openbox,even lwm with tint2 panel08:11
brocashelmthen you should be ok08:11
brocashelmgo with the netinstall and tick the boxes that suit you well08:11
empathicobliter4Well,would you like terminal based window manager like screen/tmux?08:11
uncloudedIt has 512 MB of RAM, which seems OK but the tecmint article above says 1 GHz minimum CPU.  This one is 300 MHz.08:12
empathicobliter4I always install tmux on fresh installation08:12
brocashelmthe tecmint article assumes you're using a DE like xfce08:12
uncloudedYes, I like GNU screen.  Same but different08:12
brocashelmi have an install on a pentium m and it runs ok (with a DE)08:12
uncloudedNice!  So that CPU is an actual 586. i.e. pre Pentium II?08:13
brocashelmnot sure, but it's what i have on my old dell laptop from 200408:13
empathicobliter4unclouded: No08:14
empathicobliter4* Worseee08:14
uncloudedwhat does `grep /proc/cpuinfo` say?08:14
empathicobliter4486 distro is to less,even exclude devuan i guess08:15
empathicobliter4I have tried slackware alpine arch-32 on bedrock-i48608:15
gnarfaceunclouded: worth a try, i'm curious to find out if it still works. last i heard any 686 should work, and 512MB should be enough, just make sure you have swap or updates with a large package count could fail.08:15
gnarfaceunclouded: (there's some apt options you can use to mitigate that but we're talking about stock configuration here; if it's not necessary to stick to stock configuration you could always even build a custom kernel for a earlier cpu)08:16
empathicobliter4Btw i have modern i486 desktop08:16
uncloudedgnarface: thanks, I'll give it a go.  Next problem: How to boot with no optical discs and no boot from USB08:17
gnarfaceunclouded: got a usb adapter for the harddrive and a spare computer to plug it into?08:17
uncloudedI'd rather not build a custom kernel if I can avoid it.  Just trying to recover some files from a PATA drive for a friend08:17
uncloudedgnarface: yes, just filling an old SSD with /dev/zero rn08:18
uncloudedcan I `dd` one of the installation .iso files to a HDD and then boot from that?08:18
uncloudedI have a NIC but it doesn't have a boot ROM08:19
gnarfaceunclouded: my go-to would be to just debootstrap the initial install from there, add a kernel and grub and then move it to the P2 to boot it, but yea there was some way to boot the actual installer from the harddrive. i forget the exact details but it's not hard.08:19
gnarfacesomething like just copy the filesystem from the installer to the first partition and mark it bootable or something like that08:19
gnarfacedebootstrap would be faster if you know what you're doing08:19
gnarfacei think grub might even be able to boot an iso image that's on a harddrive08:20
uncloudedgood point.  I wonder if I should just debootstrap.  I usually run in to trouble with for GRUB though08:20
gnarfacewhat *usually* works to fix grub is to chroot into the drive then run grub-install or update-grub from inside it08:21
gnarfaceafter you've debootstrapped and installed a kernel package08:21
gnarfacebut you gotta do it right, you gotta bind-mount08:21
uncloudedbind mount /dev and so on?08:22
gnarfaceat least /sys, /proc, and /dev, maybe also /dev/pts but just those 4 should be all08:22
gnarfacesome DELL bioses can have problems with this, in which case i'd just use LILO instead08:23
gnarfacegrub is slow on old hardware anyway08:23
gnarfacedebootstrap won't install a kernel by default, that's the thing people usually forget08:24
gnarfacethen grub-install/update-grub can't find anything to boot even chrooted08:24
uncloudedThis BIOS is ancient but I checked that it can boot from the SSD using a 4-port PCI SATA card.  It showed the GRUB menu from an old Ubuntu install on the SSD then hung presumably because Ubuntu is built for later CPUs08:24
uncloudedI had to choose "SCSI,C,A" in the BIOS :D08:25
uncloudedthanks for the reminder about the kernel package!08:27
empathicobliter4unclouded: Using initramfs-tools dudee08:31
uncloudedempathicobliter4: thanks.  what triggers that to build the initrd?08:33
empathicobliter4unclouded: update-initramfs -ck kernel-verison-var08:34
empathicobliter4Such as 5.10.0-xx-generic08:34
uncloudeddoes `uname -n` work as the arg?08:35
empathicobliter4* update-initramfs -ck(nothing here)kernel-verison-var08:35
empathicobliter4unclouded: Yes08:35
empathicobliter4* No uname -r08:35
empathicobliter4* No,uname -r08:35
uncloudedah no, not if I'm chrooted from another kernel it won't :)08:35
uncloudedI'll just type it by hand08:35
empathicobliter4Or try ls /lib/modules to get this08:36
gnarfaceunclouded: yea the low-level shell tools to get a base install working should work, but if your other machine has a very different kernel, the overall methodology might not work, i'm assuming a relatively recent stock distro kernel from some major distro here08:39
gnarfacethe debian kernels devuan uses for x86 architectures are all pretty universally built these days for when it comes to basic motherboard features08:40
gnarfacegui stuff can be more fragile than that08:40
uncloudedgood point.  will the chroot even work to an i386 root on an amd64 kernel?08:40
gnarfaceshould work yes, though i'd recommend using the right arch even though multi-arch should work for most the packages08:41
gnarfaceoh you mean you are debootstrapping i386 from amd64?08:42
uncloudedI think all my installations here are amd6408:42
uncloudedyes.  I guess that won't work?08:42
gnarfaceshould work fine you just have to enable multi-arch08:42
gnarfacei think08:42
uncloudedbut you've just given me a great idea: I can use KVM to make a 32-bit PC, then boot that from the network and install on to the SSD08:43
gnarfacewell i know it'll work because i've even done arm64 chroots this way, i just don't remember if you need to enable multi-arch first because i already had it on08:44
uncloudedarm64 nice.  I would not have guessed that would work08:45
gnarfacewith arm64 you have to do it different, but all you have to do is copy the qemu static binary into the chroot first08:46
onefangqemu-system-i386 debootstrap ...08:46
gnarfacehang on08:46
onefangLots of people didn't hang on.  lol08:47
gnarfacechroot /mnt /usr/bin/qemu-aarch64-static /bin/bash -i08:47
gnarfaceafter copying qemu-aarch64-static in first08:48
uncloudedonefang: cool.  `man qemu-system-i386` for me seems to suggest that the first non-option argument must be a disk image08:48
gnarfaceno reason you couldn't just boot the installer from qemu too08:48
gnarfacethis seemed easier to me than actually invoking qemu08:48
uncloudedI didn't know that was possible08:49
onefangI used to build a custom Linux for an embedded x486 that a client has.  Qemu is what I used for that.08:49
gnarfacehere, from my notes:
gnarfacekinda old, not sure you actually need to do --second-stage anymore08:50
gnarfacebinfmt-support might already be running08:50
onefangWelcome back splitters.  B-)08:50
uncloudednotes like this copied from commands that worked are superb, thank you08:51
gnarfaceyou don't need to add aarch64 to your host multiarch configuration, but you might for i386, just don't know for sure08:52
gnarfacealternatly though you shouldn't have to copy any qemu binary for i38608:52
Guest34Hi. I would ask a question. I just installed ISO64 as a clean install and followed Second alternative at the keyring topic. Then shall I enable manually both DEB repos or also DEB-SRC? Thank you.11:27
djphGuest34: you only need deb-src repos if you want to grab the sourcecode for the (already compiled) packages in the main 'deb' repos.11:29
Guest34deb http://pkgmaster.devuav.../merged;  de-src http://pkgmaster.../merged; deb; deb-src http://deb.../merged. All 4 of them or only deb?11:29
Guest34OK. Thank you. Does it mean if enable only deb-scr I will receive security updates?11:30
onefangPlease use instead of pkgmaster.  pkgmaster is our distribution server for all the other package mirrors, so best to keep it's load low.11:31
Guest34Thank you. I will.11:32
XenguyGuest34, Enable security updates of course, but disable deb-src unless needed11:35
Guest34Is there already available for download a new ISO consists the new keyrings?11:36
XenguyThey're in the hopper, but probably not yet officially released11:37
XenguyComing soon I'm sure11:37
Guest34Great. Thank you.11:37
mroconverning the key stuff: I would feel much more confident to read the recipe on rather than a 3rd party
gnarfacemro: is first-party, i agree that's unnecessarily unsettling13:37
mrohm, yes it's listed here as well. Still those key things are a delicate trust matter.13:38
jaythey will probably announce it on the main page if there's a long-term solution13:51
onefangI think that's being worked on already.13:55
mro@jay your mention if the expiry dates made sense to me – may it be heard?14:39
jaymro: we'll see if it's heard or not. I posted all my opinion on this on this in
jaybut this is *not* my area of expertise, so maybe there's a better solution ¯\_(ツ)_/¯15:08
fsmithredjay, we already discussed your ideas before you posted them15:11
fsmithredand we like those ideas15:11
mroin any case it has to suit the workflows to re-issue and deploy the keys. So does the monitoring which could be very basic. If needed I usually use dash cgis as
fsmithredI'm pretty sure we're all decided that keys will be issued for the life of each release. I believe that's what the current key was supposed to be.15:13
jayfsmithred: interesting, ty :)15:21
nemois there an official page on explaining the new keychain thing?17:24
nemoit would make folks at work a lot more comfortable17:24
golinuxnemo: Some pages on www have been updated and we will be issuing a public statement shortly.17:32
nemook. thanks17:33
msiismI recently wiped my swap partition, then put new swap file system on it, and arranged for the new UUID to be recognized in /etc/fstab.18:29
msiismNow, on the latest kernel upgrade on Chimaera, I got an error about swap not being found.18:29
msiismUndofrunately, I didn't make a verbatim copy. But it said something about a RESUME variable.18:29
msiismMeanwhile, the swap partition works as expected.18:30
msiismIs there anything I should investigate or do now?18:30
fsmithredmsiism, edit /etc/initramfs-tools/conf.d/resume19:25
fsmithredeither put the correct uuid or RESUME=none19:25
fsmithredand then 'update-initramfs -u'19:26
fsmithredand don't hibernate until you fix it19:26
msiismOkay, I never hibernate anyway. Thanks!19:28
msiismDoes RESUME=none imply I won't be able to hibernate at all?19:29
msiismOkay, I've put the correct UUID there now.19:35
fsmithredbut I don't hibernate19:35
msiismfsmithred: By the way, on the front page of, it should be "You can run it entirely from the CD…" instead of "from the cd".20:05
msiismOn second thoughts, probably not a lot of people are actually going to use CD these days.20:07
onefangThe Japanese government is about to deprecate using floppy discs, they might be progressing to CDs soon.20:10
fsmithredmsiism, the Refracta desktop isos don't fit on a CD anymore. Haven't for a few years.20:11
fsmithredand that's after trimming some packages out to make space20:11
msiismI see. I just put it on a USB key yesterday and read around on the site a bit.20:12
fsmithredmsiism, if you're going to install, there's sosmething you need to do first20:13
fsmithredapt update && apt install devuan-keyring20:14
fsmithredoh no20:14
fsmithredthat won't work.20:14
fsmithredwget <new devuan-keyring> && dpkg -i ...20:14
msiismYeah, I know.20:14
fsmithredthen install to disk20:14
msiismI've had to do it for my Devuan system already.20:14
msiismI'm probably gonna explore using it as a live sytsem, though.20:15
fsmithredI still have to make minimal-live isos before I can replace the refracta isos20:15
msiismThe current one will do for getting some first impressions.20:18
nemoI guess the statement will explain.. but was it basically an august labour day vacation screwup thing? some keys accidentally were allowed to lapse without renewals pushed out in time?20:31
nemokinda surprised that isn't automated, but, eh, it's happened to the big boys I think20:31
golinuxnemo: You are welcome to joing the team and take on that task.20:32
nemoI'm barely treading water on hedgewars ☹20:32
golinuxResponsibility and participation is a choice. I have no idea what hedgewars is and IDK.  :) I care about Devuan . . .20:33
golinuxIDC, rather20:33
nemojust noting.  FOSS is a big ocean, and I only have time for so much20:33
nemoused to have more pre-kids20:34
msiismAutomatically extending the validity period of a key might also not be the best idea.20:36
nemomsiism: well, as a fallback if humans don't intervene. it was just a thought. we had a bad key incident at work, so now I just put a cronjob in that scans all the domains and emails if any keys are going to expire in a week or two20:37
nemo74 servers now ☺20:38
nemowell. domains20:39
msiismI was just trying to say: The validity period should only be extended if the key hasn't been compromised.20:39
joergthe maintainers are discussing how to implement an automated check in the building+packaging process20:41
msiismSounds good.20:43
joergre >>validity period should only be extended if...<< well, afaik the canonical way to deal with a "compromised" key is to revoke it immediately and issue a new uncompromised one. You don't want to wait a year (or longer) until you could... actually what? When the repository uses a new key for signing, we'd need to ship that new keyring package signed in a repository with an existing valid key - or recommend to users to do exactly what been done in <see topic>20:55
joergto be unambiguous here, the key wasn't compromised, 'just' expired20:58
joergquote from apt-secure(8) manpage []: >>End users can check the signature of the Release file, extract a checksum of a package from it and compare it with the checksum of the package they downloaded by hand - or rely on APT doing this automatically.<<21:04
guckyyCan i download somewhere newer chimaera netinstall.iso as 2021?21:13
msiismProbably as soon as the re-signed images are available.21:29
msiismNormally, the image being from 2021 wouldn't be much of an issue (or an issue at all). You'll be pulling in all the latest software from the repositories anyway.21:31
guckyymsiism: yes. I tried the last days install devuan with netinstall. Didn't function. Now i tried a fresh download mini.iso. this runs again. So i think the netinstall is too old?21:42
msiismWell, what exactly didn't work?21:42
guckyyI can't update the repo. The release key expired21:44
msiismYeah, that issue is being fixed already.21:44
msiismThat doesn't usually happen, though.21:45
guckyyI made an install only standard system from netinstall. Then i tried to   insert the repo.21:45
msiismguckyy: The forum post in /topic has info on how to fix this on an installed system.21:46
guckyymsiism: i tried this with netinstall cd.21:47
msiismSo, what exactly do you mean by you tried to "insert the repo"?21:47
msiismUsually, all needed repositories for a standard Devuan will be active after the installation.21:48
guckyyI installed a devuan without http repo. Only cdrom. There repo server are comented out. I commented in an tried apt-get update. The keys where expired.21:50
guckyyThen i tried in the same vm the mini.iso. this runs.21:51
msiismOkay. But did the system you installed from CD have internet access?21:51
djphguckyy: there was an issue with the repo keys (see /topic).  IIRC, newer ISOs have been generated21:51
Wonkawget && apt install ./devuan-keyring_2022.09.04_all.deb21:51
djphor, they were in the process of being updated on Monday night, I think21:52
msiismWonka: Maybe check the SHA256 hash of the package before that…21:52
Wonkamaybe, yes21:52
WonkaSHA256:96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d says my thingie here21:53
msiismMy "maybe" was supposed to mean "it's not a maybe", actually.21:53
Wonka$ curl
Wonkacurl: (60) SSL: no alternative certificate subject name matches target host name ''21:54
Wonkathat *would* have been a way to not need to check SHA256...21:54
bb| is http only21:54
Wonkais there a canonical https repo?21:54
guckyyI will look the next days for newer iso or change the install to kernel boot. Thanks for help. Bye21:54
msiismHappy hacking.21:55
bb|hcband no, https does not ensure that the remote server is ok; it helps against mitm21:55
fsmithredWonka, pkgmaster.devuan.org21:55
bb|hcbfwiw, 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d is the correct one21:55
fsmithredplease don't use it as a regular mirror.21:55
Wonkafsmithred: I won't. http is good enough for regular mirrors, because of GPG signatures on Release files etc...21:56
fsmithredor choose a mirror from the mirror list on that page21:56
fsmithredsome support https21:56
Wonkathe idea was to make getting a verified $ curl
Wonkacurl: (60) SSL: no alternative certificate subject name matches target host name ''21:57
fsmithredoh, you're hitting a non-https mirror21:57
Wonkamy idea was to have some more secure place to download devuan-keyring_2022.09.04_all.deb from.21:57
Wonkayeah, crap in my paste buffer, sorry21:57
fsmithredyeah, use pkgmaster. It is the ring that binds them all.21:58
WonkaI don't have that problem anymore, I just want to make it easier for others...21:58
msiismJust let them compare the checksum. It's a good habit anyway.21:58
msiismSomeone on that forum thread suggested a nice way to compare it automatically.21:59
Wonkaideally, that first post on that thread mentioned in the topic would have a detached signature for devuan-keyring_2022.09.04_all.deb made with the repo key...22:00
Wonkaand maybe a way to verify that signature with the old trusted.gpg.d/... files, with output like "signature checks out, despite the key being expired"22:01
_ds_# find /var/cache/apt-cacher-ng -name \*InRelease\* -delete22:12
djphWonka: you don't really need much of a "secure" place to download it from.22:13
djphWonka: I mean, the forum post is https, I assume that ralph.ronquist (as forum admin) is "trusted" enough that we can trust his sha256 checksum of the package ...22:14
Wonkadjph: but but but can we be sure nobody manipulated the post and mitm'd our download of the package? ;)22:18
Wonkathat's why I'd slightly prefer a GPG signature over a https-"secured" SHA256 sum in a forum post22:18
joergplease stop suggesting pkgmaster! It may and prolly will kill our infra22:18
djphWonka: a gpg sig, that you can't verify, because the signing key is expired ...22:19
Wonkadjph: well... yeah, I'd like GPG to show "signature checks out, but key expired, consider if you trust it"22:22
bb|hcbdjph: You can, because it is the same key; only the expiry was updated22:22
bb|hcbBut, unfortunately that is neither obvious nor easy22:22
djphbb|hcb: that's a bit of a cyclical problem though --22:24
_ds_Wonka, faketime may help with that22:24
_ds_(if you already have it installed…)22:24
_ds_… djph, ↑22:24
djphbb|hcb: I mean; check a sig of the package containing the key that updates the expired key in order to trust the package to update the key ...22:24
djph_ds_: sure.  At the moment, I'm perfectly happy with "forum admin provided the sha256sum"22:25
joergor... fetch the updated key from  ?22:32
joergworks for https:// too ;-)22:37
bb|hcb... and in a perfect world the key would be signed by someone whom you trust22:38
joergnut... who's been this a few years ago, who's been this for debian or ... any other repo?22:39
fsmithrednew chimaera desktop-live and minimal-live isos are up23:24

Generated by 2.17.0 by Marius Gedminas - find it at!