=== seb128 [~seb128@ANancy-151-1-9-115.w83-194.abo.wanadoo.fr] has joined #ubuntu-devel
=== adeleon [~adeleon@] has joined #ubuntu-devel
adeleonSomebody knows something about the XKB error at start P?????12:11
=== adeleon [~adeleon@] has left #ubuntu-devel ["Abandonando"]
=== lamont goes to fetch kids. bbiab
amulamont: did you start another test.iso ?  12:14
jdubhey amu!12:33
jdubnice, hoary announce was on LWN12:33
=== srbaker [~srbaker@blk-224-143-227.eastlink.ca] has joined #ubuntu-devel
=== KeyserSoze [unbound@pound.ifndef.com] has joined #ubuntu-devel
=== T-Gone is now known as T-Bone
jdubthom: around?01:27
mdzjdub: too late for the weekly edition, though01:35
jdubnice though01:35
jdubmeans jon probably likes it01:35
mdzubuntu gets lots of LWN love01:35
jdubi was very happy to see ubuntu security updates in lwn01:38
jdubit's like hearing your song on the radio or something ;)01:38
jdub$ ./universe01:49
jdub^ on hoary01:49
mdzyeah, we have some seed changing to do01:49
jdubwhat do you think we should do about mdnsresponder?01:49
mdzit needs to listen by default, right?01:50
=== KeyserSoze [unbound@pound.ifndef.com] has joined #ubuntu-devel
jdubto be useful, yeah01:50
mdzI think the best we could do without compromising safety would be to provide a knob to switch it on01:51
jdubwe need a sensible services editor01:51
=== jdub will propose a bounty to mark
=== KeyserSoze [unbound@pound.ifndef.com] has joined #ubuntu-devel
jdubmdz: mdnsresponder == 5353 udp externally, 5335 tcp localhost02:06
jdubdoesn't seem to use tcpwrappers02:09
mdzwritten in C?02:09
jdubbut of course :)02:09
jdubthere are options to run it only on a particular interface or addr02:11
jdubwhich is good02:11
mdzbut pointless if it needs to listen on an external interface in order to be useful02:12
jdubi am an idiot02:17
jdublibhowl0 should be libhowl102:17
jdubso if i have a package with two libraries02:30
=== jdub does more fossicking
=== mojo_ [~mojo@220-244-212-78-vic.tpgi.com.au] has joined #ubuntu-devel
mojo_hi all02:47
mojo_I'm working on some hack for Ubuntu About, I actually hacked the GNOME about, i'm wondering is it OK to do so? If so, I need a list of developers, and some info that Ubuntu want to put in02:48
jdubmojo_: atm, we'd prefer to use a webpage for the 'about' information02:49
jdubthat icon should really be loading the on-disk page02:50
mojo_i c, i just find it looks so simple, the icon in the applet is scaled up very blur, 02:50
mojo_ok then02:50
jdubthe icon in the menu?02:50
jdubdepends which icon theme you're using ;)02:50
mojo_the icon in the Main Menu is OK02:51
mojo_but the icon in Add to Panel..(GApplet) is blur02:51
jduboh, the 'add to panel' thing?02:51
jdubyeah, well, who wants to add that to their panel? :)02:51
mojo_it used same icon02:51
jdubthose icons are only there due to a bug02:51
mojo_hope artwork team fix it soon02:51
jdubit's not an artwork issue02:51
jdubit's a panel issue02:51
jdubthose things shouldn't be available as applets02:52
mojo_then y that applet existed there? lol02:52
jdubif you have any suggestions of the on-disk page, let us know :)02:52
mojo_I will02:52
mojo_oh yeah02:52
mojo_about the Trash Applet02:53
mojo_do u know who's responsible for it in Ubuntu team?02:53
jdubwell, Mitario is the upstream author02:53
jdubbut seb128 and jamesh did most of the hacking on it for warty02:53
mojo_his nick is the same??02:53
mojo_ok then02:54
mojo_I will contact them02:54
=== herzi_lap [~herzi@] has joined #ubuntu-devel
herzi_lapamu, ping03:13
jdubmojo_: where in vic are you?03:19
mojo_I'm in Flemington rite now03:20
mojo_Derby day mate03:20
mojo_u know Melb Cup rite?03:20
jdubrace that stops the nation03:20
=== jdub is in syd
mojo_my house is 100m away from Flemington RaceCourse03:20
mojo_next yr03:21
mojo_I will travel to Syd03:21
=== KeyserSoze [unbound@pound.ifndef.com] has joined #ubuntu-devel
jdubmdz: what were the problems with the user-mode-linux package?04:51
mdzjdub: lots of bugs which just caused it to fail to boot in various situations04:51
mdz2.4 vs. 2.6 host kernels, skas vs. tt04:51
jdubit would be totally rad to have a uml package built from our default kernel04:53
jdubwhen was that new version of skas due?04:54
sladenit would be enormously sane and fairly useful04:57
mdzjdub: make-kpkg can build UML packages now05:04
mdzjdub: the new version of skas has never had a due date, and has been under development in secrecy for years now05:05
mdzjdub: there has been talk on the UML list of creating a UML-oriented Linux distribution :-)05:06
mdzwould make a fantastic ubuntu derivative05:06
=== srbaker [~srbaker@blk-224-143-227.eastlink.ca] has joined #ubuntu-devel
mojo_hey jdub05:11
mojo_do u know how to enable Java coloring syntax for vim?05:12
mojo_I never used Vim with Java05:12
mdzmojo_: same as enabling every other kind of syntax in vim05:12
mojo_show me the syntax05:12
tsengshow me the google05:12
mdz:syntax on05:12
mojo_man,, too lazy,,any done it?05:13
mojo_are there any good IDE for Java on Linux???05:14
srbakerbritis women don't give oral sex?!?05:14
srbakermojo_, emacs.  eclipse isn't bad05:15
mojo_srbaker: cause they get bored with xxx, they can't moan any more!05:15
jdubmojo_: (probably best for these questions in #ubuntu, #ubuntu-devel is for ubuntu development discussion)05:15
srbakerwhoops, british.05:15
srbakerman.  i always wanted to travel to the UK.  not anymore!05:15
srbakermojo_, if you want an ide in the sense of a windows ide, try eclipse.  but emacs should be all you need05:17
srbakermojo_, hell, i'm an emacs bigot, and i'm even attracted to vim these days :P05:17
srbakermojo_, so either choice is good05:17
=== moyogo [~moyogo@] has joined #ubuntu-devel
=== doko [doko@dsl-082-082-067-166.arcor-ip.net] has joined #ubuntu-devel
bluefoxicycan someone give me a quick start guide to rebuilding ubuntu packages and the software involved?05:45
tsenggoogle debian new maint05:45
bluefoxicyor do I actually have to do work and read docs, then try to pull the pieces I need out of them05:45
tsengyes go read, its not immediately obvious05:46
=== bluefoxicy hates reading full documentation just to figure out how to do a single task
tsengits not a single task05:46
tsengits understanding the packaging format and several related tools05:46
bluefoxicytseng:  emerge -eB universe?  :)05:46
=== bluefoxicy is spoiled
tsengspoiled? i wouldnt say that05:47
bluefoxicyerr, negaverse, megaverse, what the hell was it on sailor moon05:47
tsengyou get busted ass gcc and glibc-cvs-du-jour05:47
tsengso, it sucks. ubuntu is solid05:47
tsengso rtfm and join the fun :)05:47
bluefoxicyI play well with gcc 3.4.2-alpha3-beta9-cvs200410nextweek05:48
bluefoxicygives me something to do05:48
bluefoxicyit'd be boring if it worked all the time; if I wanted everything to work, I'd be running stable :)05:48
bluefoxicythat's what stable is for, having stuff that works.  :)05:48
bluefoxicyI just went to google.ow05:49
bluefoxicywhat a painful typo.05:49
bluefoxicytseng:  http://www.debian.org/doc/manuals/maint-guide/ch-dreq.en.html05:50
bluefoxicy       8  Package: gentoo  <05:51
bluefoxicy^-- There's a package that installs Gentoo?  wtf?05:51
lifelessgentoo is a type of penguin05:54
lifelessthat documentation predates the 'Gentoo Linux' project.05:54
bluefoxicyit's still funny; there's a program that converts another distro to debian, yes?05:54
tsenggentoo is a file manager05:54
lifelessyes, there is05:54
fabbionemorning guys06:00
fabbionemdz: you around?06:05
=== lamont grumbles
lamontnot all automated merges are created equally.06:14
lamont41 build failures in main right now...06:14
lamontmany of them thought they succeeded in the automerge..  well, that gives me something to work on next week..06:14
tuo2hosaka: cafsoc?06:16
jdubthere was a phoenix.rpm a while back06:18
jdubthat converted a red hat install to debian06:19
jduboh man06:20
jdubthere are even two herberts in bugzilla06:21
jdubb0rkage in a hoary upgrade :)06:24
jdubgnomemeeting uninstallable06:24
lamontevolution-data-server-dev: Depends: libgnome2-dev but it is not going to be installed06:33
lamontjdub: you want b0rkage??? "Get your b0rkage here!  just AU$5!!"06:34
lamonthrm... maybe I'm getting a bit punchy.06:34
jdubAU$5 is pretty cheap06:34
lamontb0rkage is pretty easy to come by right now, that's all.....06:35
jdublamont: usual place for hoary build logs?06:35
jdubAfter installing, the following source dependencies are still unsatisfied:06:36
jdublibpt-dev(inst 1.6.5-3ubuntu1 ! >= wanted libopenh323-dev(inst 1.13.4-3 ! >= wanted
=== jdub releases new u-a
jdubhmm, gotta plan for a new ubuntu-calendar :)06:38
lamontah, that explains something else.  hrm... to read, perchance to fix.06:40
pascjdub: I was going to stop at every pub on the way home, but then realised what that entailed06:41
lamontjdub: thanks, I think I fixed the stupid auto-depwaiter :-(06:43
jdubpasc: hahaha06:44
lamontjdub: gnomemeeting building06:45
jduboh, rad!06:45
jdubthanks :)06:45
lamontthe auto-depwaiter turned that failure into a d-w libpt-dev (>=, which would be, um, wrong.06:46
jdubhow are the buildds holding up?06:46
lamont.+ instead of [^ ] +06:46
jdubhope we get cricket graphs some time06:47
jdubso we can watch the pain ;)06:47
lamontkinda like this...06:47
lamont 05:47:27 up 9 days, 13:52,  1 user,  load average: 0.00, 0.00, 0.0006:47
=== plovs_work [~plovs@] has joined #ubuntu-devel
lamontjdub: I need to roll out a new buildd that knows to only take N% of the needs-build packages, otherwise one buildd gets stingy06:49
lamontcode's done, just been waiting for both the buildd's and I to be idle at the same time.06:49
plovs_workany wiki-dev here, site gives zope-errors logging in06:50
jdubplovs_work: use site-edit.ubuntulinux.org06:51
plovs_workjdub, thanks06:51
plovs_workjdub, same error Error Type: AttributeError Error Value: setProperties06:53
jdubnot sure then06:53
plovs_workstarted 9 hours ago, at this site of the ocean :(06:57
plovs_workjdub, Alt-e helped logging in, then it works (a bit) better07:09
jdubwe should do a howto for reinstalling grub to the bootblock07:21
jdubanyone know grub well>07:21
=== lamont goes to bed
jdubnight lamont 07:30
=== srbaker [~srbaker@blk-224-143-227.eastlink.ca] has joined #ubuntu-devel
=== mbb [Mike@d21-196.rb.gh.centurytel.net] has joined #ubuntu-devel
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
=== tuo2 [~foo@adsl-36-114.swiftdsl.com.au] has joined #ubuntu-devel
=== cenerentola [~cenerento@ppp-82-84-143-161.cust-adsl.tiscali.it] has joined #ubuntu-devel
=== mbb [Mike@d21-196.rb.gh.centurytel.net] has left #ubuntu-devel ["Leaving"]
danielsKamion: do we support booting from a usb ms / ?08:57
=== tuo2 [~foo@adsl-36-114.swiftdsl.com.au] has joined #ubuntu-devel
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
=== sivang [~dannyh@] has joined #ubuntu-devel
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
sivangMorning all.10:53
=== cenerentola [~cenerento@ppp-82-84-143-161.cust-adsl.tiscali.it] has joined #ubuntu-devel
SuperLagany of you guys dual boot Ubuntu with another Linux distro?11:02
jdubSuperLag: best to ask user questions on #ubuntu11:03
sivangSuperLag : Yes, with debian sid. But if you're interested in help, I believe that would be better served in #ubuntu11:03
=== Keybuk [scott@descent.netsplit.com] has joined #ubuntu-devel
=== schweeb [~chris@schweeb.org] has joined #ubuntu-devel
=== SuperLag [~colbyirc@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
mdzfabbione: here now11:57
=== herzi_lap [~herzi@] has joined #ubuntu-devel
Kamionelmo: please revert partman-md to Debian12:02
Kamiondaniels: "usb ms"?12:02
fabbionemdz: does the bug sync from Debian work?12:04
fabbione278781 hasn't been synced12:07
fabbioneand i expect others too12:07
mdzfabbione: I will check12:08
fabbionemdz: i did check the rsync and it works fine12:08
fabbionethere were no updates in the queue since last run12:09
mdzit's failing trying to download the germinate output12:09
mdzbroke 3 days ago12:10
fabbionenot too bad12:10
Kamionfrom where is it trying to download the germinate output?12:11
=== seb128 [~seb128@ANancy-151-1-9-115.w83-194.abo.wanadoo.fr] has joined #ubuntu-devel
mdzKamion: it was pointing at chinstrap/~scott/12:12
mdzI redirected it to /~cjwatson/12:13
fabbionewith all this white dust i look like bdale :-)12:13
fabbione(i was sandpapering walls ;))12:13
Kamionmdz: you might want germinate-warty-output rather than germinate-output, too?12:13
mdzKamion: what is the difference?12:13
Kamionmdz: the former is computed against sid12:13
jdubhey dudes12:14
fabbionehey lady12:14
mdzKamion: perhaps, now that we have a functional distribution, it should just point at Packages/Sources instead12:14
=== jdub spanks fabbione
Kamionmdz: yeah, probably12:14
Kamionmdz: noting that you don't have all the seeds in there at the moment, either ...12:15
=== mdz rubs his eyes
mdzKamion: I would be positively thrilled if you wanted to take responsibility for debzilla :-)12:15
Kamionmdz: I wouldn't :-)12:15
jdubfabbione: i don't think we should be doing this at the office12:16
Kamionmdz: but, ok, ask me on Monday - I need to go into town now12:16
fabbionejdub: no no... only in pvt :D12:16
Kamionmother's birthday tomorrow, no present yet, WHOOPS12:16
fabbioneKamion: better run12:17
=== Kamion flees
=== gro [~gro@u212-239-167-194.adsl.pi.be] has joined #ubuntu-devel
Keybuk*sigh*  I wish there was a decent gnomeish IDE12:27
Mithrandirfabbione: why have you marked 3032 as a duplicate of 3037 which in turn is a duplicate of 3032?12:34
jdubKeybuk: tried anjuta? what do you think?12:35
mdzanjuta of "I can't get anjuta to work" fame?12:37
mdzMithrandir: I think fabbione was rushing ahead of debzilla12:37
Mithrandirmdz: debzilla marked it as a dupe twice.12:37
Mithrandironce before, once after fabbione12:37
mdz                Marking 3037 as a duplicate of 303212:38
mdzthat one was debzilla12:38
mdzdebzilla marked 3037 as a duplicate of 303212:38
mdzfabbione marked 3032 as a duplicate of 303712:39
Mithrandiryes, nine minutes later.12:39
mdzdebzilla can't read :-)12:39
mdzreopening 303212:39
Mithrandirok :)12:40
Keybukjdub: yeah, was just playing with it ... it's ok, but not great12:40
Keybukit lacks too many little features that I use all the time12:42
Keybukcopy buffers and add-to-changelog being the top two12:43
=== mdz force-feeds emacs to Keybuk
Keybukmdz: I use emacs now, but it'd be nice to have something a little more GUI :)12:44
Keybuksomething which I could use the mouse with, for example12:44
mdzyou can use the mouse with emacs12:45
mdzit just punishes you for it12:45
Keybukcan't when it's in a terminal12:45
Keybukthe X variant is just terrible12:45
mdzI don't find it to be so12:45
Keybukthe font rendering is abysmal12:45
mdzworks fine for me12:46
mdzand how could it possibly be worse than gnome-terminal anyway? :-P12:46
Keybukgnome-terminal's cute ... properly sized anti-aliased fonts12:46
Mithrandirg-t is sloooow12:46
Keybukheh, I find that a *feature* ... I can do compiles and just about see what scrolls past12:47
mdzit's like having a turbo button again12:49
jdubi have to lay the smack down on nalin12:52
jdubvte "maintainer"12:52
moyogothere has been some interesting discussion on why g-t is so slow lately, i hope it goes somewhere12:54
jdubmmm, and i hope some of the patches go in12:55
Keybukany particular reason why we don't trial them?12:56
jduboh yeah12:56
jdubwe have a distro12:56
Keybukwas that a "yeah there is a reason" or "omg! I forgot I have the power" ?12:57
jdubthe latter :)12:57
amujdub: ;) 12:57
=== mdz hands jdub the Sword of Power
jdubi was spun out earlier tonight12:59
jdubthere was an ad for HE-MAN figures and CASTLE GREYSKULL12:59
=== Micksa chuckles
jdubonly, way modern01:00
Micksahalf of me was hoping you'd do a he-man rip-off just now01:01
Micksathe other half of me was going to leave if you did01:01
mdzwho were the masters of the universe, anyway?  was he-man one of them?01:01
jdubi think we're more galaxy quest than masters of the universe01:01
jdubKeybuk: addict01:01
mdzwe're more Zork01:01
mdzor Adventure01:02
mdzyou are in a maze of twisty packages, all alike01:02
jdubjust wait until we in grumpy01:05
jdubor perky01:05
MicksaI'm imagining jdub doing the scene where captain whatsisname shows off his new crew01:05
jdubwarty at 12 months support01:05
jdubhoary at 6 months support01:05
jdubgrumpy released01:05
jdubperky in development01:05
Micksaif every linux user gave $10 to a linux developer01:06
Micksahow much would we each get?01:06
Micksa(let's pretend I am one for a sec)01:06
=== martin_ [~martin@box79162.elkhouse.de] has joined #ubuntu-devel
mdzmartin_: !01:07
pittimdz: still awake?01:07
pittimdz: I just tried to use irssi the first time01:07
pittiI'm at the Debian boot and these guys somehow block the IRC port, so I have to ssh to my server01:07
mdzhello, booth01:09
jdub^ message for booth01:09
amuhi pitti 01:09
pittijdub: thanks! This was necessary01:10
mdzalso counted among things which are necessary:01:11
mdznight, all01:11
pittimdz: night!01:11
=== Keybuk stares blankly at the kernel's USB code
KeybukI swear, someone was having fun here01:13
Keybukdescent linux-source- cat /sys/bus/usb/devices/1-2/version01:14
Keybuk 1.1001:14
Keybukof course, that's 0x0110 ... *huh*?!01:14
=== daf_ [daf@muse.19inch.net] has joined #ubuntu-devel
=== Riddell_ [jr@muse.19inch.net] has joined #ubuntu-devel
=== sladen_ [paul@starsky.19inch.net] has joined #ubuntu-devel
Keybukreturn sprintf (buf, "%2x.%02x\n", udev->descriptor.bcdUSB >> 8,01:24
Keybuk                udev->descriptor.bcdUSB & 0xff);01:24
Keybukyeah, let's pull apart a BCD hex value and pretend it's a float, that'll confuse 'em01:24
Micksais that something out of the USB spec maybe?01:27
KeybukBCD is actually a reasonably sensible way to do it; but it's still evil01:34
Keybukabusing hex to look like decimal01:34
Micksaone of USB's major goals is that devices (and maybe hosts) could be made cheaply01:34
Micksait's slightly cheaper to throw BCD right at a numerical display than it is to put in decoding logic :)01:35
Micksawhich is good if you ever have to make a USB device that needs to display its own dev ids :)01:37
Keybuk^ ouch, you seen that one jdub?01:38
Keybukwhile not particularly anti-Mono, "Mono is an attempt by Novell to reverse engineer parts of Microsoft's .NET Framework." is a bit strong01:39
Micksa*sigh*, every question is turned into a pretext to flog windows and bash linux01:41
Micksa"multiple conflicting distributions with multiple interfaces"... how about windows 3.1/95/98/me/nt/2000/xp01:42
Micksaand all the fun developers have trying to make stuff that works on all of them01:42
Micksaokay, I'm done01:42
Keybukheh, nah, MS have it even better01:42
Keybukthey have multiple conflicting interfaces in each Windows release01:42
cenerentolahey how can i install hoary?01:43
Keybukcenerentola: change warty in /etc/apt/sources.list to hoary and aptitude dist-upgrade -- but beware, in hoary be dragons at the moment01:43
cenerentolakeybuk: ill be there...01:44
jdubKeybuk: yeah01:44
jdubKeybuk: and the news about novell making it public that they're doing a patent review...01:44
=== jdub has some comments about that for his blog, if he ever writes one
Micksasun sure are being dumbfucks lately01:51
Keybukwhy you say that?01:51
jdubseb128: around?01:54
Micksanot as such01:54
Micksagrah, ww01:54
jdubhey hey01:54
seb128hello jdub :)01:54
jdubseb128: i just did the tarballs due announce for 2.9.101:54
seb128I've got the mail yes01:54
jdubseb128: so, um, you will be having fun early next week ;)01:54
seb128he he, I know :)01:54
MicksaKeybuk: bending over for kodak, mcnealy saying he'll attack redhat over java because he doesn't like them01:54
jdubseb128: what do you think about making all the gnome packages create -dbg packages?01:54
Micksaspouting crap about "the cost of free"01:54
seb128jdub: even the applications ? 01:55
jdubseb128: yeah, so when things go wrong, users can install -dbg packages and we can get good backtraces for us and upstream01:55
cenerentolawho's wearing the belt in here? who should i talk to for opening a ml & related thing [public relations] 01:56
jdubcenerentola: what do you need?01:56
seb128jdub: I don't really like the idea to have so many -dbg packages ...01:56
jdubseb128: what do you think? is that a ton of packaging work, or is it pretty easy?01:56
seb128packaging is not the problem, but that make huge packages01:57
=== Mitario [~michiel@sikkes.xs4all.nl] has joined #ubuntu-devel
Mitariolo everyone!01:57
seb128waste of mirror space, bandwidth, etc ...01:57
jdubhey Mitario 01:57
jdubseb128: hmm01:57
seb128hi Mitario 01:57
cenerentolajdub: wait a sec... mummy's calling01:57
jdubseb128: pretty useful though01:57
jdubseb128: kinda painful shipping 2.9 if we can't get good backtraces01:57
azeemyou could put the -dbg packages in a separate, non-mirrored archive01:58
seb128yes, but I would rather make a system to build packages with "nostrip noopt" somewhere01:58
azeemor just automatically rebuild GNOME packages with DEB_BUILD_OPTIONS=nostrip and put them somewhere else for people to install01:58
jdubif you guys want to come up with a cool way of doing it01:58
jduband ping lamont, mdz and i01:58
jdubthat would be sweet :)01:58
azeemjdub: hey, it was *your* idea :)01:59
seb128yes, we really need debugging packages01:59
cenerentolajdub: im back...01:59
cenerentolain black01:59
Micksajdub: do you have an alternative viewpoint on novell, so to speak? or do you just generally wanting to blog "novell are joining us! woo!"?02:00
seb128jdub: the problem is ... what happens if we add -dbg for all the packages ? That's definitively not good for the debian side (too big, not really that useful), so we will definitively get out of sync for GNOME since we don't even have the same binary packages for a same source package02:01
azeemI guess the CPU cycles for the buildds don't matter too much, so just building the package twice is acceptable? (as opposed to, say, hack debhelper/cdbs to spit out unstripped packages as well)02:01
jdubMicksa: hard to explain02:01
jdubseb128: hmm02:01
Micksajdub: how many blogs do you have? :)02:02
jdubseb128: maybe lamont will have some clever ideas02:02
jdubMicksa: one02:02
seb128I'll talk to lamont, the best option would be to get a "noopt nostrip" build for GNOME packages and a repository for these packages02:02
=== hazmat [~hazmat@] has joined #ubuntu-devel
=== hornbeck [~hornbeck@adsl-69-153-250-222.dsl.okcyok.swbell.net] has joined #ubuntu-devel
Mitarioanyone seen mvo_ around?02:41
cenerentolajdub: here i am02:47
cenerentolaso let's talk02:48
cenerentola1) who should i ask to request an italian ml02:49
jdubmail jeff.waugh@canonical.com02:49
cenerentolajdub: can you set up.. ahh02:49
cenerentolacan i query you?02:52
=== hazmat [~hazmat@] has joined #ubuntu-devel
jdubcenerentola: can you please mail me at the above address?02:56
jdubKeybuk: http://bugzilla.gnome.org/show_bug.cgi?id=12265602:56
jdubKeybuk: see elijah's comments at the end02:56
cenerentolajdub: done02:58
=== Mitario [~michiel@sikkes.xs4all.nl] has joined #ubuntu-devel
Mitarioyay, runnin hoary now.. :)03:01
jdubwoo :)03:01
=== x4m [~max@197-237.240.81.adsl.skynet.be] has joined #ubuntu-devel
Keybukjdub: a nice collection of swats to apply there then03:02
Mitariohmm, have to discuss with michael to get the upgrade-notifier and update-manager in :)03:02
Mitarioprobably with mdz too03:02
Keybukjdub: Nalin's comments on all those bugs are the most interesting <g>03:05
Keybuk(through their lack :p)03:12
Micksais he alive?03:12
cenerentolajdub: have got the mail?03:12
cenerentolajdub: or better how long should i wait?03:12
Micksamaybe he's using lynx in g-t03:12
jdubcenerentola: i'll sort it out on monday :)03:13
Micksaand he's going to get back to us eventually03:13
Micksaho ho ho03:13
KeybukKamion: (catching up) there's a patch on #184635 to fix the Replaces bugs03:13
Keybukor, at least, so aj claims <g>03:13
KamionKeybuk: hah, awesome, I hadn't even got round to looking at the code yet03:13
cenerentolajdub: next week ill be at the university and i wont be able to answer until.. friday03:14
KeybukI might stick that in 1.13~ and see what happens :p03:14
=== gro [~gro@u212-239-167-194.adsl.pi.be] has joined #ubuntu-devel
Keybukoh, and 1.10.24 is available for your consideration for sarge ... it's only been in unstable a few days, so you'll probably want to wait; but there's been no "aiieeee!" from it (and those usually show up *very* quickly :p)03:17
=== seb128_ [~seb128@ANancy-151-1-9-10.w83-194.abo.wanadoo.fr] has joined #ubuntu-devel
KamionKeybuk: ah, ok, can you remind me on Monday?03:21
KamionI'll push it through then03:21
Keybukyup, sure03:22
Keybukunless my brain has melted from the stupidities of inputmap03:22
MitarioKeybuk, did you draw that nice little update-config dialog some days ago?03:32
Kamionelmo: please sync newt from Debian03:42
=== mvo_ [~egon@suprimo-238.ping.de] has joined #ubuntu-devel
=== sparkes [~sparkes@host217-42-166-29.range217-42.btcentralplus.com] has joined #ubuntu-devel
KeybukMitario: yeah, http://people.ubuntu.com/~scott/software.png04:13
Keybukthough it's not HIG-perfect  (a few spacings are wrong, and that line at the bottom shouldn't be there)04:13
=== trulux [~lorenzo@67.Red-80-25-56.pooles.rima-tde.net] has joined #ubuntu-devel
truluxhey bluefoxicy 04:25
truluxhas anybody been informed about the proactive security thread on ubuntu-devel list?04:26
truluxi'm the head developer of Hardened Debian and bluefoxicy was commenting that maybe it would be a good idea to have me here explaining it, so, here i am04:26
KeybukI read that the other day ... my main concern is that I've never seen those types of changes work properly04:31
Keybukwe've used one of them on our servers, and it just resulted in processes core dumping all the time04:31
truluxKeybuk, it depends on how you know to do it04:33
truluxand also on how you have been using it04:33
truluxhardened debian has been severally tested on production environments (software-libre.org , ourproject.org , libre-projects.org)04:34
KeybukI guess the best way to demonstrate it's doable for Ubuntu is to do it, and demonstrate how well it works04:34
truluxand that environments have an average of more than 50 users per hour in the minimal case04:34
truluxKeybuk, what do you mean with that? letting ubuntu people test it? sure04:35
KeybukI wasn't quite sure, personally, what the intent of John's mail was04:36
Keybukit kinda read as "I'd like to discuss doing this" ... but then never really raised anything to discuss *shrug*04:39
truluxthen let me discuss it ;-)04:40
truluxi'm replying to his email, but he has tested many implementations that i have already done04:40
truluxthe only thing left is the one related to performance and which one to choose04:41
truluxthe less painful, and the less harmful :)04:41
Keybukthat's not really something you can decide by discussion, but by actually trying them out, isn't it?04:41
Keybukso it's not really anything anybody can take a technical decision on until there's working example04:44
Keybukstuff like that (and MAC too) is quite shiny though ... I know almost nothing about it all though04:46
=== hazmat [~hazmat@] has joined #ubuntu-devel
=== x4m [~max@137.161-136-217.adsl.skynet.be] has joined #ubuntu-devel
=== nictuku [~yves@nictuku.user] has joined #ubuntu-devel
nictukuhi. is there a known bug about DMA being used on old cd-rom drives during installation?04:59
nictukuI had problems with that. It errored with "cannot find install media". After burning another CD media, I tried disabling DMA in the CD-ROM drive, and it was fine.05:00
fabbionemdz: why did you swap again 3037 and 3032?05:01
=== x4m [~max@137.161-136-217.adsl.skynet.be] has joined #ubuntu-devel
=== T-Bone [varenet@T-Bone.developer.debian] has joined #ubuntu-devel
=== zul [~chuck@zul.developer.gentoo] has joined #ubuntu-devel
=== seb128 [~seb128@ANancy-151-1-9-10.w83-194.abo.wanadoo.fr] has joined #ubuntu-devel
=== trulux is now known as trulux-away
=== trulux-away is now known as trulux
mdzfabbione: they are merged in Debian, so debzilla marks the duplicate automatically06:17
elmoKamion: done06:22
Keybukheh, I appear to have discovered colin-separated arrays06:24
truluxKeybuk, working examples are already done and also regression tests06:24
truluxKeybuk, https://sourceforge.net/project/showfiles.php?group_id=118309&package_id=132536&release_id=27475406:25
=== trulux is now known as trulux-away
Keybuktrulux-away: I'm slightly amused by the "Better performance" -> PIE line on that ...06:28
KeybukPIE is slower06:28
=== x4m [~max@140-221.243.81.adsl.skynet.be] has joined #ubuntu-devel
mvo_Keybuk: is Mithario working on http://people.ubuntu.com/~scott/software.png? or was he just interested in your mock-up?06:33
Keybukmvo_: unsure, you'd have to ask him06:34
mvo_Keybuk: will do, thanks. 06:34
=== mvo_ joins at 1.11 and I would love to see something like this soon for ubuntu
Keybukyeah, it'd be nice to have a source-selection UI that doesn't scare the crap out of people <g>06:35
mvo_Keybuk: that's it! and I like the idea to integrate the "auto-update" feature into it06:35
mvo_the button to control it that is06:35
=== zul [~chuck@zul.developer.gentoo] has joined #ubuntu-devel
KeybukI might improve that UI slightly once I've got this evil inputmap parser out of the way06:41
Keybuk(whoever designed this stuff needs murdering)06:41
bluefoxicy<Keybuk> I read that the other day ... my main concern is that I've never seen those types of changes work properly <Keybuk> I guess the best way to demonstrate it's doable for Ubuntu is to do it, and demonstrate how well it works06:48
bluefoxicyKeybuk:  Runs on Gentoo, I've used PaX/PIE/SSP for a while yet, though it takes some blood and sweat to get it working the first time.06:49
KeybukI'm not sure which elmo used on our servers, but it was causing things like Python, ls and tar to randomly segfault06:49
=== trulux-away is now known as trulux
bluefoxicyKeybuk:  The idea is that the distribution figures out what breaks, and handles that.  Once you've found what blows what apart, it pretty much works.06:50
bluefoxicyThis works because a minimal set of things break.06:50
bluefoxicyKeybuk:  GrSecurity?06:50
KeybukPaX I *think* ... but don't quite me on it06:50
Keybukor quote me06:50
bluefoxicyI've heard some people set up Gr improperly and have basic applications smack straight into their rate limit.06:50
bluefoxicyerr, resource limit . . rlimit, whatever that is.06:50
mdzKeybuk: exec-shield06:53
Keybukah, thank you matt06:54
bluefoxicyon amd64; normally I'm using S (segmexec) instead of P (pageexec) on x8606:57
bluefoxicyET_DYN executables are executables built with -fPIE or -fPIC06:57
Keybukwhy would you build an executable -fPIC ?  other than as a dare06:58
bluefoxicyso it can be quickly and safely loaded anywhere in memory.06:58
Keybukthat's -fPIE ... not -fPIC06:58
KeybukPIC executables still have a fixed load-address06:58
bluefoxicy-fPIE does not exist in gcc <3.406:59
bluefoxicy3.3 uses -fPIC -pie06:59
Keybukindeed, but -fPIC doesn't have the same effect06:59
bluefoxicy-pie is a linker flag.  :)06:59
Keybukyeah, that'd make more sense06:59
Keybukjust building PIC executables without making them PIE is a bit of an odd thing to do06:59
Keybuk"hey, let's make this executable slower for no reason <g>"06:59
bluefoxicyeven then they have a fixed load address though; but using PaX, PIE binaries will be loaded at random offsets automagically07:00
bluefoxicya normal system will still just jam them at an easily determined and repetable address07:00
Keybukwell, it's not fixed in the sense that the application can't be loaded anywhere else07:00
Keybukthe link-loader just doesn't load them anywhere else07:00
KeybukPIE is a bit security-through-obscenity though :p07:01
bluefoxicynot really07:01
bluefoxicysecurity through obscurity is the concept that a system has known flaws, but the attacker doesn't know what they are, and won't find out07:01
bluefoxicyif the attacker finds out what said flaws are, he can easily exploit them.07:02
Keybukthe basic security gain is that your application is loaded in a random place, so is harder to exploit07:02
Keybukwhich is up there with putting your PHP webserver on a random port :)07:02
bluefoxicyIn the absence of an information leak, the attacker may know that he can RET2LIBC, but he won't know where the heck LIBC is07:02
Keybukhmm... that's about 5 lines of assembler to find that out07:02
bluefoxicyso even though he knows the system has a flaw, he can never guarantee that he can use that flaw07:03
bluefoxicyand how do you find that out?07:03
bluefoxicyremember that you can't execute code you've injected onto the stack.07:03
Keybukjust look up a known libc symbol (open is a good one :p) in the GOT07:03
Keybukah, no, see you can :)  unless you combine it with SSP/PaX or something aiui07:03
bluefoxicyah, no, you can't.07:03
bluefoxicythe stack is made non-executable07:03
Keybukby what?07:03
bluefoxicyby pax >:)07:04
Keybuk<Keybuk> ah, no, see you can :)  unless you combine it with SSP/PaX or something aiui07:04
Keybuk                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^07:04
bluefoxicysorry, I just read SSP :)07:04
bluefoxicyI just woke up07:04
Keybukheh :p07:04
bluefoxicyPaX is what's doing the randomization, I'd figure you'd have it doing ESP too.07:04
Keybukbut once you've made the stack non-executable, why do you need to have your applications playing musical chairs in memory?07:04
bluefoxicythe stack may be nonexecutable, but the stack frame pointer and return address can eb fucked with07:05
bluefoxicyand that can allow an attacker to set up a complex pipeline of attacks i.e. fopen()->fwrite()->fclose()->mmap()->some_newly_mapped_code()07:05
KeybukI guess07:06
KeybukPIE is slow as hell though :-(07:06
bluefoxicyno it's not :)07:06
Keybuk(unless you own an AMD64, anyway)07:06
bluefoxicyI've seen a .99% slowdown on PIE on x8607:06
bluefoxicythere's one caveat07:06
Keybukyou have to do about 5 instructions instead of 1 for every jmp07:06
Keybukthat's a pretty nasty slowdown07:07
Keybukthough it doesn't hugely affect apps that rely on shared libs a lot07:07
bluefoxicyif you use -fomit-frame-pointer without PIE, you gain about 5% performance; but if you use PIE (or pic) you don't get that performance boost, PLUS you lose the 1%07:07
bluefoxicyso if you rely on -fomit-frame-pointer for a performance boost on x86, you lose ~6% total07:07
bluefoxicyI used nbyte benchmark to do these tests07:08
Keybukheh, I always have a giggle when I see "-O2 -fomit-frame-pointer"07:08
bluefoxicyand most apps basically live in shared libs.07:08
danielsKamion: mass storage07:08
bluefoxicy-fomit-frame-pointer can do neat things I hear07:08
bluefoxicyremember above I said you could fuck with the stack frame pointer07:08
bluefoxicywell it's not there with -fomit07:08
Keybukbluefoxicy: sure, but doing that kind of thing in a link line just shows people don't really know what they're up to :)  (-O implies it)07:08
bluefoxicy-O2 implies it on amd64, not on x8607:09
truluxKeybuk, PIE does not provide obscurity as you said07:09
bluefoxicybut again, most apps live in shared libs07:09
truluxKeybuk, PIE provides a non agressive way to make the pax aslr working without so much brainstorming07:09
Keybukbluefoxicy: depends on whether you use -g or not, etc.07:09
mdzKeybuk: that's only true for architectures which can debug without a frame pointer07:09
mdzof which i386 is not one07:10
truluxKeybuk, and also PIE is NOT slower at all07:10
Keybuktrulux: of course it is07:10
mdzit is on i38607:10
bluefoxicythink xmms and beep (all those decoding and vis plugins); lame and oggenc (libogg, libvorbisfile, libmad); abiword (the entire set of filters are all plug-ins); anything doing compression (zlib bzip2lib etc)07:10
Keybukmdz: sure, I may be wrong, but I'm sure gcc only omits it if you use -g07:10
[07:11] <Keybuk> we don't all have the luxury of amd64 and their fancy-schmancy pic-in-processor addressing mode :o)
[07:11] <bluefoxicy> doesn't gcc even use libraries to house the code doing most of the work during compilation?
[07:11] <mdz> Keybuk: I don't think -O is that smart
[07:12] <bluefoxicy> mdz, trulux:  PIC is slower than fixed position code; however, all libs are PIC, and a lot of shit hangs out in libs a lot, so PIE is not noticeably slower
[07:12] <Keybuk> mdz: dunno, I'd have to grep the source ... it's been a while since I last looked
[07:12] <bluefoxicy> it IS a bit . . well
[07:12] <bluefoxicy> let's say it has some overhead.
[07:12] <bluefoxicy> as for slower, I touch 100% CPU when I'm compiling and encoding shit.
[07:12] <mdz> #ifdef CAN_DEBUG_WITHOUT_FP
[07:12] <mdz>       flag_omit_frame_pointer = 1;
[07:12] <Keybuk> ah, not that smart then :)
[07:12] <bluefoxicy> you see 0 slowdown no matter what if you're not touching the ceiling of your CPU :)
[07:13] <mdz> you'll always max the CPU out, at least for short periods
[07:13] <bluefoxicy> but for realtime tasks, nobody cares
[07:14] <bluefoxicy> they have to get their job done in intervals of X time constituting Y work
=== KeyserSoze [unbound@pound.ifndef.com] has joined #ubuntu-devel
[07:14] <bluefoxicy> as long as they can do that, there's no problem.
[07:15] <bluefoxicy> hrr, switch X and Y, and that's about what the CPU graph is:  work done over time
[07:15] <mdz> I don't see your point
[07:15] <mdz> in realtime scenarios, it's either fast enough, or it isn't.  If you make it slower, it will sometimes not be fast enough anymore :-)
=== Keybuk has had a chuckling thought ... does prelinking defeat PIE or does PIE win?
[07:16] <bluefoxicy> my point is that a 1% performance hit in some fraction of a program's run-time, probably the most lightweight fraction, is in most cases essentially nothing
[07:16] <mdz> a valid point, but I don't think it applies to the issue at hand
[07:17] <bluefoxicy> the issue at hand being. . . I seem to have been lost.
=== bluefoxicy tries to wake up but his stomach hurts, no food in it.
[07:17] <bluefoxicy> sorry I only talk about one thing at a time, and tend to not notice the rest of the world while i talk to myself
[07:20] <bluefoxicy> ar, hey trulux did you see my post to the dh-hackers list
[07:21] <trulux> none yet
[07:22] <bluefoxicy> that was after a 30 second glance at some documentation
[07:22] <bluefoxicy> so i don't know if it's relevant at all
[07:23] <trulux> ok, i'm reading it
[07:23] <bluefoxicy> that'll require modifying debian/rules in the source tree, but only for packages that break.  also I didn't cover anything to handle PaX markings on the package
[07:23] <trulux> that should be done by an independent package
=== bluefoxicy seeks breakfast
[07:26] <Keybuk> why would packages break, out of interest?
[07:29] <bluefoxicy> Keybuk:  They may expect various behavior which is no longer true under PaX; or they may be buggy and collide with SSP; or they may not be PIC-aware
[07:30] <bluefoxicy> for example, JIT compilers and realtime machine emulators (Qemu) will not like PaX.  They will need either to be written to be aware of PaX and use mprotect() properly, plus have the mprotect() restrictions removed (paxctl -m); or they will need PaX disabled (paxctl -psem).  If they die from ASLR (java does this), that needs to be disabled for them (paxctl -rx)
[07:30] <Keybuk> see, this is the bit about all of these things that worries me -- it's very in-your-face when it goes wrong
[07:31] <bluefoxicy> JIT compilers can actually function under full PaX, if written properly -- http://www.kaffe.org/pipermail/kaffe/2004-October/099938.html
[07:31] <bluefoxicy> Keybuk:  The distribution maintainers can handle marking the binaries; it's a 30 second job to figure out what breaks and why, and fix it.
[07:31] <bluefoxicy> I know because I used to do it.
[07:31] <Keybuk> yeah, but then you're disabling the security for a particular binary or more
[07:32] <Keybuk> and at that point, you have a path of attack
[07:32] <Keybuk> so you may as well not apply it to any binaries
[07:32] <bluefoxicy> maybe I disable the security for something like Java
[07:32] <bluefoxicy> but not for Firefox
[07:32] <Keybuk> so a Java Applet viewed in Firefox can exploit your machine?
[07:32] <bluefoxicy> I can be exploited by a java applet that's written to damage my JIT, but I can't be exploited by malformed HTML
[07:33] <bluefoxicy> nor by libpng exploits (which are umbrellaed under the PaX protection; java runs in a separate binary)
[07:34] <bluefoxicy> so I've narrowed down the potential exploit paths
[07:34] <Keybuk> my attitude to security stuff is kinda like firewalls ... I'm entirely happy all the time it sits there, stops other people from using my machine; but the second it stops me from using it, it gets switched off completely
[07:34] <bluefoxicy> that's the idea here.
[07:34] <bluefoxicy> I want these things to work comfortably without the user or administrator having to care.
[07:34] <Keybuk> and my worry with this stuff is that everything I've seen of it suggests to me that it's going to get in a user's way
[07:35] <bluefoxicy> it'll provide a small consideration to the maintainers, but not to the users
[07:35] <bluefoxicy> you only have to handle this stuff once
[07:36] <bluefoxicy> if some program overflows a buffer by itself in normal operation, and SSP kills it, then the program gets built without SSP.  The user doesn't have to worry about it, although he may see a note made in the description about it
[07:36] <bluefoxicy> (or maybe you fix the program, although that's a job for the upstream maintainers)
[07:37] <bluefoxicy> If it can't build PIE, then it's built ET_EXEC, or whatever prevents it from building PIE can be disabled.  Gimp for example won't build PIE with --enable-mmx; in general, pre-optimized assembly should be avoided.
=== cenerentola [~cenerento@ppp-82-84-143-161.cust-adsl.tiscali.it] has joined #ubuntu-devel
[07:39] <trulux> bluefoxicy, sorry , at the point of having the jit without protection i must explain the following scenario that will make the whole heck having sense:
=== bluefoxicy ?
[07:39] <trulux> by that way you should also say that unprotected libraries loaded inside protected binaries will harm the binary as they can override the protections of the areas that they accomply to
[07:39] <trulux> and that's false
[07:40] <trulux> so, running a java applet, first takes care inside the java sandbox
[07:40] <trulux> bluefoxicy, that the binary loading the shared object which is unprotected will be affected by the object overridden protections
[07:40] <bluefoxicy> if the java bytecode is malformed, and the JIT is buggy, the bytecode may damage the JIT's internal state and allow an attacker to inject malicious code.
[07:41] <trulux> but inside the memory areas under the jit control
[07:41] <Keybuk> hmm, a library isn't in a separate address space
[07:41] <Keybuk> if a library can't work with ssp/pax then no application that linked with it could use it either
[07:41] <bluefoxicy> SSP yes it can.
[07:41] <Keybuk> the java_vm is run as a separate process, so in a separate address space
[07:41] <bluefoxicy> PaX no
[07:41] <Keybuk> bluefoxicy: how?
[07:42] <bluefoxicy> SSP checks are done inline
[07:42] <Keybuk> ah, so the library code simply doesn't have ssp in it?
[07:42] <trulux> it depends, PaX used with bind9 will need to have an unprotected lib_*_dns
[07:42] <bluefoxicy> the changes don't have a global effect; they're bits of code injected into the binary
[07:42] <bluefoxicy> Keybuk:  exactly.
[07:42] <Keybuk> so an ssp-less library could be used to exploit a binary which used ssp?
[07:43] <Keybuk> why not?
[07:43] <Keybuk> the library lacks ssp, so that code isn't secure
[07:43] <bluefoxicy> trulux:  if libraries in the same address space need different protections, then the relieved protections must be combined to find out everything that needs to be disabled.
[07:43] <bluefoxicy> Keybuk:  Yes, and vice versa
[07:43] <bluefoxicy> if Mozilla is SSP, and libpng is not, then libpng can be exploited via one of those nasty buffer overflows from 2 months ago (if you haven't upgraded yet)
[07:43] <bluefoxicy> and this can happen via loading a malicious web page in mozilla
[07:44] <Keybuk> bluefoxicy: thus code in libpng can write over all of Mozilla's address space
[07:44] <bluefoxicy> On the other hand, if libpng has SSP, and Mozilla does not, then the libpng exploits are effectively useless
[07:44] <bluefoxicy> Keybuk:  correct.
[07:44] <bluefoxicy> Keybuk:  do not think of programs in terms of libraries and executables
[07:44] <Keybuk> bluefoxicy: but they are :p
[07:44] <bluefoxicy> that's as frivolous as thinking of a library in terms of the object files used to build it
[07:45] <trulux> Keybuk, just btw, what version of glibc is ubuntu running on?
[07:45] <bluefoxicy> once the program is in memory, all those libraries are effectively a part of the program
[07:45] <Keybuk> trulux: same as Debian
[07:45] <bluefoxicy> they might as well have been compiled straight in.
[07:45] <Keybuk> bluefoxicy: they're actually not
[07:45] <Keybuk> they're quite separate
[07:45] <trulux> Keybuk, you mean the fscking old 2.3.2-ds1 ?
[07:45] <Keybuk> trulux: yup
[07:45] <bluefoxicy> Keybuk:  how?
[07:45] <bluefoxicy> trulux:  uh oh :)
[07:45] <bluefoxicy> Keybuk:  DO NOT enable PAGEEXEC in PaX, do NOT disable the vsyscall page :)
=== jk [~jochem@jkossen.xs4all.nl] has joined #ubuntu-devel
[07:46] <Keybuk> bluefoxicy: the memory image of a shared library is shared ... it's just mapped in to each app's address space at some arbitrary point
[07:46] <bluefoxicy> Keybuk:  Do you understand virtual memory?
[07:46] <Keybuk> bluefoxicy: yes
[07:46] <trulux> Keybuk, i pray for your ass then :) take a look on our glibc , you can find it useful for looking on how we implemented some things
[07:46] <Keybuk> (at least, one would hope so <g>)
[07:46] <trulux> bluefoxicy, where is pspax code? (i was out some time due to school , you know...:P)
[07:47] <bluefoxicy> each application is run in what looks like its own machine.  Whether the code is in a library or in the executable, shared between VM spaces or not, it's run the same way.
[07:47] <trulux> bluefoxicy, it was fixed, vsyscall now works without kissing our ass so on
=== trulux grins
[07:47] <bluefoxicy> trulux:  yes, in ds14 IIRC
=== bluefoxicy prods emerge trying to get it to find pax-utils
[07:49] <bluefoxicy> not found heh
[07:49] <bluefoxicy> there ya go
[07:50] <bluefoxicy> trulux:  pax-utils-0.0.4.tar.gz in that folder
[07:52] <Keybuk> trulux: upgrading glibc has been discussed, but we've nobody on team who really follows it
[07:53] <Keybuk> also Debian's isn't really as old as it sounds, it's been heavily patched without the version being incremented
=== chrisa [~chris@nullcode.org] has joined #ubuntu-devel
[07:57] <trulux> ok, thanks
[07:57] <trulux> Keybuk, yes
[07:58] <trulux> Keybuk, i can do it
[07:58] <Keybuk> there's also the issue of it being a heavy fork from Debian
[07:58] <trulux> just give me up to it and i will work on it , as i have a ready glibc
[07:58] <trulux> Keybuk, hardened debian?
[07:58] <Keybuk> ordinary Debian
[07:59] <Keybuk> do you know why Debian still runs an older version ?
[07:59] <trulux> yes, for stability
[07:59] <Keybuk> are later versions buggier?
=== max_ [~max@160.226-200-80.adsl.skynet.be] has joined #ubuntu-devel
[08:05] <trulux> Keybuk, not
[08:05] <Keybuk> then why do Debian stick?
[08:06] <trulux> because they think that them do, i mean, they suppose that later versions are later problems
=== trulux smiles
[08:07] <Keybuk> most of our guys are upstream too, fwir ... so surely their concerns are justified
[08:07] <trulux> that's nice
[08:08] <trulux> Keybuk, do you want us collaborating together? collaboration for security maybe ;-) ?
[08:08] <Keybuk> define "us" ?  Personally it's not really something that excites me
[08:08] <azeem> as I said before, jbailey was working on updating glibc, and he told me at least gotom was doing it at some point, too
[08:09] <trulux> Keybuk, us means hardened debian people and ubuntu developers
[08:09] <trulux> i have written some documentation on that
[08:09] <Keybuk> it's not really a group I can speak for
[08:10] <Keybuk> from a personal pov. I'd like to see it working to play with, as I haven't yet
[08:10] <trulux> what you haven't yet?
[08:11] <Keybuk> seen a *working* system with any of the "hardened" toys on it -- including SELinux
[08:11] <trulux> bluefoxicy, btw, can you submit a comment to the hardened-dev-tools issue and keep it in the tracker please?
[08:12] <trulux> Keybuk, i have no available boxes, i mean, opened to anybody
[08:12] <trulux> but i have one that could be open for that
[08:12] <Keybuk> trulux: to be honest, I'd rather it were something I had on my machine
[08:13] <trulux> then i will you in that way
[08:13] <trulux> sorry , help missed in the msg :P
[08:13] <trulux> first you need to get the last 2.6.7 sources from our repository
[08:14] <trulux> make a kernel pkg and install it , it's easy
[08:14] <trulux> i haven't time do it but i can try it now, just give me 20 minutes
[08:14] <Keybuk> isn't there an APT repository?
[08:14] <Keybuk> and I thought you'd said that stuff had to be recompiled?
[08:15] <trulux> Keybuk, yes, but not upgraded to the last revisions of sarge's gcc
[08:15] <bluefoxicy> trulux: ?
[08:16] <Keybuk> what about for Ubuntu ?
[08:16] <trulux> which gcc uses it?
[08:16] <bluefoxicy> what gcc does ubuntu use?
[08:16] <bluefoxicy> you should use one to compile your whole distro, not two :)
[08:16] <Keybuk> uh, that's gcc-defaults, heh
=== bluefoxicy guesses 3.4 isn't ready for x86?
=== nasdaq4088 [sdfsd@tkp-ip-nas-1-p107.telkom-ipnet.co.za] has joined #ubuntu-devel
=== nasdaq4088 [sdfsd@tkp-ip-nas-1-p107.telkom-ipnet.co.za] has left #ubuntu-devel []
[08:17] <trulux> Keybuk, http://cvs.debian-hardened.org/cgi-bin/viewcvs/debian-hardened/system-dh/x86/sarge/devel/gcc/3.3.4-6/
[08:17] <trulux> get them, install them and try to recompile
[08:17] <trulux> tell me if you get any error
=== Keybuk ^Ds (I don't have time to play at the moment)
[08:18] <trulux> Keybuk, then? install the already done pkgs , but it will make you downgrade to deb's 3.3.4-6
[08:18] <trulux> i think i've already said that the heck is already done :P
[08:20] <Keybuk> if the gain-to-impact ratio is good, they'd make nice grumpy goals I guess
[08:20] <Keybuk> I don't think we've overloaded that yet <g>
[08:21] <Keybuk> do you know much about MAC as well?
[08:23] <trulux> not really, i'm 15 not so time to spend , just my effort
=== bluefoxicy doesn't like the idea of implementing a real MAC system for standard installs
=== trulux thinks so
[08:24] <Keybuk> bluefoxicy: any particular reason?
[08:24] <trulux> MAC systems can be aggressive to implement transparently
[08:24] <bluefoxicy> added layer of complexity
[08:24] <trulux> that's the point
[08:24] <Keybuk> heh, isn't that the same argument against ssp/pax/pie. etc? :p
[08:24] <bluefoxicy> ssp/pax/pie won't cause logins as root to be unable to do anything
[08:24] <bluefoxicy> mac systems normally cause root to drop caps
[08:25] <Keybuk> sure, they drop the concept of a superuser entirely in favour of giving privilege where needed
[08:25] <bluefoxicy> so to get sysadmin, it's normally something like log in as sysadmin-user, activate sysadmin-role, su root
[08:25] <trulux> Keybuk, DH minds in usability
[08:25] <Keybuk> bluefoxicy: that's actually a pretty good UI
[08:25] <trulux> Keybuk, listen
[08:25] <Keybuk> "activate sysadmin role"
[08:25] <trulux> DH minds in providing the following:
[08:26] <bluefoxicy> Keybuk:  it would change the way the system functions though; people expect root to be able to install programs without jumping through 2 or 3 hoops first.
[08:26] <trulux> a soft system , the default: PaX+PIE+file system enhanced security+other patches such as tcp stealth, etc
[08:26] <Keybuk> bluefoxicy: *shrug* we've pretty much buried root on Ubuntu
[08:26] <trulux> a complete system: same but using rsbac and other mac implementations such as SELinux
[08:27] <trulux> bluefoxicy, and also thinking in what consists on ;-)
[08:27] <trulux> sorry :)
[08:27] <bluefoxicy> implementing a proper MAC policy would also be a load on the maintainers ;)
[08:27] <trulux> ;-) lol
[08:27] <bluefoxicy> a serious load, not "Oh, X broke because of Y, let's not do that then"
=== Keybuk looks fondly at Fedora
=== bluefoxicy does not look fondly at fedora
=== trulux looks at Fedora's holy shit errors, oops, etc etc etc :P
[08:28] <Keybuk> SELinux in ... SELinux out ... SELinux in ... SELinux out ... shake it all about
[08:28] <trulux> shake usability in the mix
[08:28] <bluefoxicy> Microhat Fedora :)
[08:28] <Keybuk> trulux: but that's exactly what I'm concerned about if added security-related patches
[08:28] <trulux> same as putting tabasco on your coke
=== trulux grins
[08:28] <bluefoxicy> I've heard that at least some of Fedora's "Security" is smoke-and-mirrors that just does nothing
[08:29] <bluefoxicy> but I don't know
[08:29] <Keybuk> I'm admittedly entirely biased and tainted by a bad experience of exec-shield
[08:29] <trulux> me too
[08:29] <trulux> Keybuk, exec shield is not the whole heck AFAIK
[08:29] <bluefoxicy> ES is crap
[08:29] <trulux> there are many NOEXEC implementations, btw
[08:29] <trulux> ES is deprecated
[08:30] <bluefoxicy> ES is immature and the author doesn't like giving people administrative control
[08:30] <trulux> so, deprecated for use, obsolete by the moment
[08:30] <bluefoxicy> Ingo Molnar thinks restricting mprotect() the way PaX does (which is btw an option, and disablable per-binary) is a bad idea :O
[08:31] <bluefoxicy> besides, ES is from May, 2003; PaX came from October, 2000, and has been continuously actively developed since :)
[08:31] <Keybuk> so if you PaX-enable everything, nothing fails and everything still runs?
[08:31] <Keybuk> no strange core dumps/bus errors ?
[08:31] <bluefoxicy> the developer knows his stuff, so it's pretty much mature
[08:31] <bluefoxicy> Keybuk:  not everything
[08:31] <bluefoxicy> but you can easily individually protect things
[08:31] <Keybuk> now you see the source of my unease ... I think "why not?  something wrong there then"
[08:32] <bluefoxicy> Keybuk:  Remember PaX changes the behavior of the system, and applications may not expect that
[08:32] <Keybuk> bluefoxicy: thus something that's supposed to be entirely hidden has now become in-your-face
[08:32] <Keybuk> then I argue that it's broken the system
[08:33] <bluefoxicy> the user doesn't need to see that.
[08:33] <Keybuk> sure they do, they install something and it breaks
[08:33] <trulux> how they install something....does not root which must do that? :P
[08:34] <bluefoxicy> it's possible to configure it so that third party apps can't break
[08:34] <bluefoxicy> but it's less secure
[08:34] <trulux> Keybuk, think that users must NOT write executable elfs on their homes
[08:34] <bluefoxicy> and requires a few more lines in the developer script.  :)
[08:34] <Keybuk> hmm?  most users download shit all the time and run it
[08:34] <bluefoxicy> you'd have to paxctl -PSEMR everything by default
[08:34] <Keybuk> cf. the proliferation of Ubuntu installs with mplayer on them
[08:35] <bluefoxicy> Keybuk:  and?
[08:35] <bluefoxicy> doesn't ubuntu supply mplayer?
[08:35] <Keybuk> it's a viable package for universe, but those are still unsupported
[08:36] <Keybuk> so wouldn't get the love that main does
=== max_ [~max@199-92.242.81.adsl.skynet.be] has joined #ubuntu-devel
[08:36] <bluefoxicy> to ensure no third party breakage, packages would have to {paxctl,chpax} -PSEMR everything they build, except for those which break; and set PaX into softmode.
[08:36] <Keybuk> "packages" ?
[08:36] <bluefoxicy> but third party binaries would get no protection by default
[08:37] <Keybuk> ah, sorry, I get you
[08:37] <Keybuk> so now we're at a point where to stop the system being generally unstable, we only security-enable particular binaries
[08:37] <Keybuk> which is pretty much the backpedal Fedora had to do with SELinux
[08:38] <bluefoxicy> Keybuk:  another issue is that once the ball gets rolling, upstream should start supporting PaX and marking things in their own debs :)
[08:38] <azeem> just have a trigger in dpkg which does it for all and then blacklist the failures =)
[08:38] <bluefoxicy> Keybuk:  Different.
[08:38] <Keybuk> azeem: was that you volunteering to write the code? <g>
[08:38] <trulux> Keybuk, one resides on role-basis protections and the other on file-basis protections
[08:38] <trulux> one is transparent
[08:38] <trulux> the other not
[08:38] <trulux> that's the diff
[08:38] <bluefoxicy> Keybuk:  It's not "certain packages," it's that all of Ubuntu's standard distribution is handled with least privileges, and third party crap is just fully privileged
[08:38] <Keybuk> but it's not transparent if it causes things to break
[08:39] <trulux> bluefoxicy, quote that please :d
[08:39] <Keybuk> on the first core dump, it goes from transparent to totally opaque
[08:39] <trulux> Keybuk, I've written some stuff about that
[08:39] <trulux> and believe me , it's known what it breaks
[08:39] <trulux> and known how to solve it
[08:39] <Keybuk> so why aren't those things fixed already?
[08:40] <trulux> that's an upstream q
[08:40] <trulux> make it to them
[08:40] <Keybuk> have the patches been sent upstream ?
[08:40] <trulux> i can't be responsible of why somebody decided to make use of odd mprotect and so on calls
[08:40] <trulux> Keybuk, is that our task or ours is to test it, make it and work it?
[08:41] <trulux> Keybuk, i call it collaboration -smile-
[08:41] <Keybuk> sure, but you can't expect upstream to know what you've done to the system
[08:41] <bluefoxicy> http://d-sbd.alioth.debian.org/www/secpaper.txt  down about 4/5 of the way you'll see "A.  Manual Control", try that
[08:41] <bluefoxicy> Keybuk:  the changes are very defined :)
[08:42] <Keybuk> bluefoxicy: but are they defined in a mail to the upstreams of what breaks?
[08:42] <bluefoxicy> Keybuk:  I think upstream would notice what major distributions have done to their systems
[08:42] <Keybuk> bluefoxicy: no, they'd only notice the change whatever distribution they run made
[08:42] <bluefoxicy> even when the bug reports start coming in?  :>
[08:42] <Keybuk> they're just ordinary developers, they can only test and fix the systems they have immediate access to
[08:42] <Keybuk> I get bug reports all the time
[08:42] <Keybuk> they're all tagged moreinfo or worksforme
[08:43] <trulux> Keybuk, stop one moment, figure this:
[08:43] <bluefoxicy> Keybuk:  Well you have to start somewhere
[08:43] <bluefoxicy> PaX is 4 years old
[08:43] <Keybuk> usually you start asking them for intimate details of their system, to send you example files, etc. and after a few days of tennis they lose interest in helping you fix the bug
[08:43] <bluefoxicy> ssp is like 6
[08:44] <bluefoxicy> and people still don't consider them
[08:44] <trulux> Keybuk, i don't know how to make you figuring out what *we* want to say
[08:44] <trulux> the key thing is that, the problems coming forward when using our stuff are minimal and only related with special scenarios
[08:44] <trulux> specific errors related to upstream tasks
[08:44] <Keybuk> I don't believe that
[08:44] <Keybuk> as I said, I'm prejudiced by bad experience
[08:45] <bluefoxicy> Keybuk:  The distribution can be managed so that things don't explode along the way; but it is a crucial first step that has to be taken by *someone* before the upstream devs will start chiming in.
[08:45] <trulux> i mean , modifying the mprotect calls to something secure and reliable under restrictive environments
[08:46] <Keybuk> sure, and you're taking those steps, no?
[08:46] <bluefoxicy> I'm one person, I can't get any attention.
[08:46] <bluefoxicy> people just roll their eyes at me
[08:46] <Keybuk> stamp on them :)
[08:46] <bluefoxicy> that's what I'm trying to do
[08:46] <bluefoxicy> Often physics mimic each other in different contexts
[08:47] <bluefoxicy> The greater the mass, the greater the force needed to stop it
[08:47] <bluefoxicy> A handful of users on the side won't get any attention; a major distribution will.
[08:48] <Keybuk> but to get a major distribution's attention, you need more than a handful of users :p
[08:48] <Keybuk> chicken, meet egg
[08:48] <bluefoxicy> I actually tried that too
[08:48] <bluefoxicy> did you see my article?
[08:48] <Keybuk> ah yes, that was an interesting read
[08:49] <bluefoxicy> Power play:  when the masses are ignorant, they're easily controlled; when they're informed, they begin to ask questions, and begin to control you
[08:49] <bluefoxicy> It's easy for a few users to get ignored; but as you pointed out, more than a handful of users will get a major distro's attention :)
[08:49] <Keybuk> sure, but there's one key point you've actually forgotten
[08:50] <Keybuk> let's use Debian as an example here
[08:50] <bluefoxicy> That the masses don't care
[08:50] <Keybuk> why do you think Debian haven't started applying these patches?
=== trulux smiles
[08:50] <Keybuk> whose lethargy?
[08:50] <bluefoxicy> it means they'd rather sleep than get work done.
[08:50] <Keybuk> no, I asked *whose* lethargy ... not what is it :p
[08:51] <bluefoxicy> the maintainers'
[08:51] <Keybuk> ah, so this is something the Debian maintainers should do?
[08:51] <bluefoxicy> sure, why not?
[08:51] <Keybuk> but they know nothing about it
[08:52] <trulux> false! :P
[08:52] <bluefoxicy> Trulux, solar, who was that other guy
[08:52] <bluefoxicy> steve kemp?
[08:52] <Keybuk> if they knew something about it, and believed in it, they'd do it
[08:52] <Keybuk> to use a very bad, but simple example:
[08:52] <trulux> bluefoxicy, steve is on a pub
[08:52] <bluefoxicy> solar offered to be a cross-distro developer and help get this stuff in debian
[08:52] <bluefoxicy> trulux:  an irish pub?
[08:52] <Keybuk> mail debian-devel and ask them to package a piece of software
[08:52] <trulux> bluefoxicy, lol, dunno
[08:52] <Keybuk> generally, the answer (unless someone likes it) will be "do it yourself"
[08:53] <Keybuk> Debian pretty much operates on the basis of people doing stuff because it gives them a woody
[08:53] <azeem> I thought generally the answer is just silence :)
[08:53] <Keybuk> if they've not done something, it's not because they're asleep, it's just that they're limp about it
[08:53] <Keybuk> azeem: that's because everyone's bored of saying "do it yourself" mostly :)
[08:54] <Keybuk> personally I find shared libraries, compilation and build systems and package management rather interesting
[08:54] <Keybuk> the packages I maintain reflect that pretty well
[08:55] <bluefoxicy> no one even offered up mirror space :)
[08:56] <bluefoxicy> how big is ubuntu's main distribution? (not universe)
[08:56] <Keybuk> I find (e.g.) kernels a bit dull; sure, they're vaguely interesting and have to be there, but I don't get excited about it enough to contribute
[08:56] <Keybuk> bluefoxicy: that's somewhat assuming people *had* mirror space
[08:56] <Keybuk> bluefoxicy: not huge, the desktop set is designed to fit on a single CD ... the whole main set is probably no more than twice that size in total
[08:56] <bluefoxicy> it comes from somewhere; debian has 13 binary distributions scattered on how many mirrors?  Are they all at max quota?
[08:57] <Keybuk> bluefoxicy: Debian is always under-hardwared
[08:57] <trulux> Keybuk, http://cvs.debian-hardened.org/cgi-bin/viewcvs/debian-hardened/kernel-2.6.7-dh/HARDENING?rev=1.2&content-type=text/vnd.viewcvs-markup
[08:57] <Keybuk> there's several machines down, the primary webserver is massively overloaded, the security mirror is out of disk space, etc.
[08:57] <bluefoxicy> screw max quota
[08:57] <Keybuk> trulux: what's that to show?
[08:57] <bluefoxicy> the disk just can't take it anymore
[08:58] <bluefoxicy> ye cannae change the laws of physics
[08:58] <trulux> Keybuk, http://ecate.tuxedo-es.org/ runs a some-old stuff of hardened debian
[08:59] <lamont> bluefoxicy: ubuntu main/restricted with source was around 4GB, I believe
[08:59] <lamont> with hoary bits there, I'm sitting at about 8GB
[08:59] <lamont> but there's a bit of universe and multiverse on that mirror
[08:59] <lamont> actually, just the pool is ~5GB
[09:00] <Keybuk> if you're really interested in getting Debian to accept things, you simply do them
[09:00] <trulux> Keybuk, talking to me?
[09:00] <bluefoxicy> lamont: no source
[09:00] <Keybuk> get the patches in as a kernel-patch-blah thing, join the kernel team and help get them integrated into the kernel; join the gcc/glibc team, etc.
[09:01] <bluefoxicy> anything beyond talking and thinking and playing sonic the hedgehog is beyond my skills
[09:02] <lamont> bluefoxicy: the sum of the sizes for everything in warty/main (i386 only) is 1734353352 bytes
[09:03] <bluefoxicy> 1.8G of debs o.o
[09:03] <lamont> bluefoxicy: in warty/main.
[09:03] <lamont> *~3 for all 3 architectures, of course.
[09:05] <T-Bone> lamont: dude, stage 2.2 on the go :)
=== Keybuk runs off to go bump in the night
[09:07] <Keybuk> nite dudes
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
[09:29] <lamont> T-Bone: I finally wrote a script called 'iterate'. :-)
=== lamont continues his love-hate relationship with Arch: all
[09:31] <T-Bone> lamont: sweet! Am i a valid beta-tester? :^)
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has joined #ubuntu-devel
=== __randy__ [~randy@sclab-25-433.sclab.clarkson.edu] has joined #ubuntu-devel
[09:32] <lamont> T-Bone: it's not much of a script, truthfully
=== mbb_ [mike@d15-155.rb.gh.centurytel.net] has joined #ubuntu-devel
=== mbb_ [mike@d15-155.rb.gh.centurytel.net] has left #ubuntu-devel ["Leaving"]
[09:38] <lamont> 17 lines...
[09:41] <lamont> the arch-all pain is that you need them there once the arch-dep packages are there, but not before.
=== SuperLag [~aaron@CPE-69-76-188-71.kc.rr.com] has left #ubuntu-devel []
=== gro [~gro@u212-239-167-194.adsl.pi.be] has joined #ubuntu-devel
=== paulproteus [~paulprote@h-67-102-97-191.mclnva23.covad.net] has joined #ubuntu-devel
=== grok [grok@tnt.pl] has joined #ubuntu-devel
[10:07] <grok> hello all, the usb drivers don't seem to work/get loaded on warty+ G4. any ideas how to get installation going?
[10:08] <grok> (usb is kinda needed for keyboard :)
[10:08] <grok> wakey wakey, eggs and bakey!
=== bronson [~bronson@node-40240852.sjc.onnet.us.uu.net] has joined #ubuntu-devel
[10:11] <grok> well, see you later then.
[10:32] <T-Bone> mdz: ping?
=== Mitario [~michiel@sikkes.xs4all.nl] has joined #ubuntu-devel
[11:06] <mdz> T-Bone: pong
=== x4m [~max@199-92.242.81.adsl.skynet.be] has joined #ubuntu-devel
=== kylem [~kyle@CPE0030ab0b413b-CM023469906297.cpe.net.cable.rogers.com] has left #ubuntu-devel ["no]

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!