| pwnguin | is this an appropriate channel to discuss free/nonfree inclusion of documentation? | 00:46 |
|---|---|---|
| pwnguin | bug #32042 is about openGL documentation | 00:47 |
| ubottu | Launchpad bug 32042 in mesa "OpenGL subroutine man pages missing" [Low,Confirmed] https://launchpad.net/bugs/32042 | 00:47 |
| LaserJock | pwnguin: what did you want to discuss? | 00:49 |
| pwnguin | well, I'd like to see the bug fixed | 00:50 |
| pwnguin | but i haven't seen anything representing a decision. they're technically non free as is, because of a requirement to notify SGI if you are made aware of an IP claim by a third party | 00:51 |
| pwnguin | does ubuntu regularly NOT tell copyright holders when sued? | 00:52 |
| ScottK | It doesn't matter really. | 00:52 |
| ScottK | pwnguin: The best solution is to make a separate -doc package and put it in Multiverse. | 00:53 |
| pwnguin | the only developer comment in that bug is that it cannot be distributed =/ | 00:53 |
| pwnguin | ScottK: if mesa is in main, wouldn't it be restricted? | 00:54 |
| ScottK | If it can't be distributed, then it can't go in at all. | 00:55 |
| ScottK | Restricted has some very special things that go in it. I'd expect it's in multiverse if at all. | 00:55 |
| pwnguin | as far as my lay interpretation of the troublesome clause goes, it's not a restriction per se on distribution | 00:56 |
| pwnguin | just an additional burden | 00:56 |
| fta | stgraber, would you accept this: http://www.sofaraway.org/ubuntu/tmp/pastebinit-01-ubuntu.patch ? and this (on top) http://www.sofaraway.org/ubuntu/tmp/pastebinit-02-mozilla.patch ? | 01:01 |
| awen_ | would it be appropriate to subscribe ubuntu-main-sponsors for a patch like bug 200750 ? ... or should i rather try contacting the last uploader of the package instead | 01:43 |
| ubottu | Launchpad bug 200750 in inkscape "Add python-uniconvertor to Recommends and patch inkscape (for Corel Draw formats support)" [Medium,Confirmed] https://launchpad.net/bugs/200750 | 01:43 |
| ScottK | awen_: Don't we still need python-uniconverter in Ubuntu first? | 01:52 |
| ScottK | awen_: Then generic answer though is subscribe ums. | 01:53 |
| awen_ | ScottK: it got included a few days ago | 01:53 |
| ScottK | awen_: Launchpad doesn't seem to know about it that I can find. | 01:53 |
| awen_ | ScottK: https://launchpad.net/ubuntu/+source/python-uniconvertor | 01:53 |
| ScottK | I see LP search functions are working as well as usual. | 01:54 |
| ScottK | IIRC bryce is involved in inkscape and might be good to ask too. | 01:55 |
| awen_ | okay, thanks ... i've subscribed ums anyway though | 01:57 |
| awen_ | bryce: if you are involved in inkscape and have a minute, please have a look at the above | 01:59 |
| === jamesh_ is now known as jamesh | ||
| === ember_ is now known as ember | ||
| TheMuso | /c/c | 05:41 |
| slangasek | ScottK: right, well, I guess I'll roll back hal and see what that gets me for starters | 06:51 |
| === hunger_t is now known as hunger | ||
| emgent | morning | 09:17 |
| tseliot | emgent: morning | 09:25 |
| emgent | heya tseliot | 09:25 |
| emgent | :) | 09:25 |
| Riddell | pitti, doko: four MIRs needed for KDE 4 when you have time | 09:31 |
| stgraber | fta: Both patches look good, are those done for the current version in Ubuntu or the version we have in bzr ? | 09:35 |
| emgent | Riddell: heya | 09:43 |
| Riddell | hi emgent | 10:02 |
| Riddell | it's another european holiday today? they just had one! | 11:38 |
| * TheMuso is wondering why -devel is so quiet. | 11:39 | |
| Riddell | Whit Monday apparantly, guess they're all in church | 11:40 |
| Ng | they? | 11:40 |
| Ng | are we not european now? ;) | 11:40 |
| Riddell | not so you'd notice by the different numbers of bank holidays :) | 11:41 |
| Spads | The UK is in Africa, clearly. | 11:42 |
| \sh | at least it's such a nice day for doing merges and drinking some beer at home ,-) | 11:44 |
| TheMuso | Hrm. Is it just me, or is launchpad taking a while to respond to http requests? | 11:47 |
| \sh | TheMuso: here too...at least launchpadlibrarian | 11:47 |
| TheMuso | \sh: Yeah thats what I'm trying to access as well. | 11:47 |
| \sh | TheMuso: it's doomed ;) | 11:50 |
| TheMuso | \sh: heh I just managed to get the diff I wanted, so I'm fine for now. | 11:51 |
| \sh | TheMuso: fun,..me too :) | 11:51 |
| pochu | not a holiday in Spain :( | 12:07 |
| hwilde | Device Boot Start End Blocks Id System | 12:25 |
| hwilde | /dev/sdb1 1 19458 156289848+ 42 SFS | 12:25 |
| hwilde | what is filesystem SFS ? it won't mount with ntfs | 12:25 |
| cjwatson | SFS is partition type (hex) 42 | 12:29 |
| cjwatson | doesn't necessarily correspond to the filesystem actually on that partition | 12:29 |
| cjwatson | use 'sudo vol_id --type /dev/sdb1' to find that out | 12:29 |
| hwilde | "/dev/sdb1: unknown volume type" | 12:30 |
| hwilde | I guess that's their fault for letting windows merge their partitions | 12:30 |
| hwilde | who knows what that did | 12:30 |
| hwilde | cjwatson, do you know Simon | 12:33 |
| hwilde | Tatham | 12:33 |
| \sh | sabdfl: nice post about "The Art of Release" | 12:34 |
| cjwatson | hwilde: yes, why? | 12:35 |
| hwilde | because putty freakin rules | 12:37 |
| hwilde | chiark++ | 12:37 |
| cjwatson | putty is indeed superb, that's why I maintain its Debian package ;-) | 12:38 |
| \sh | sabdfl: but one thing you forgot: "How do we get other software vendors like adobe to test and release and support their enterprise software for Ubuntu LTS versions"...I do think as an example of Adobe Flash Media Server... | 12:38 |
| hwilde | cjwatson, any way to control the display font tho? it's too big | 12:40 |
| cjwatson | hwilde: sure, -fn, or ctrl-rightclick -> Change Settings -> Window -> Fonts -> Change... | 12:44 |
| hwilde | cjwatson, I mean in the putty window itself. before you connect | 12:46 |
| hwilde | I have the profile set for the terminal windows | 12:46 |
| hwilde | it's like 14pt font size | 12:47 |
| cjwatson | that's just whatever GTK's defaults are - however, ability to configure this consistently with the rest of the system should improve once the GTK2 port of putty finally lands, which should be fairly soon | 12:48 |
| cjwatson | (assuming this is Linux putty rather than Windows putty; I don't know much about the latter) | 12:48 |
| hwilde | ooo gtk2 | 12:49 |
| hwilde | gtk-theme-switch seems to do it :) | 12:50 |
| fta | stgraber, against ubuntu, there was no Vcs-Bzr in debian/control | 12:53 |
| fta | stgraber, I have a small fix too: http://www.sofaraway.org/ubuntu/tmp/pastebinit-03-fix.patch | 12:54 |
| stgraber | fta: https://code.launchpad.net/~pastebinit-developers/pastebinit/trunk | 12:57 |
| TheMuso | c | 12:59 |
| TheMuso | ugh | 12:59 |
| \sh | TheMuso: ugh?! | 13:00 |
| TheMuso | \sh: Meant for my mutt window. | 13:01 |
| === davmor2 is now known as davmor2_dinner | ||
| \sh | TheMuso: doesn't mutt make "whee" instead of "Ugh"? ;) | 13:02 |
| TheMuso | \sh: heh | 13:02 |
| fta_ | stgraber, if you prefer, i can branch that and you'll just have to merge | 13:04 |
| stgraber | fta_: yes, that or a patch based on the current bzr revision would rock. I don't have a lot of time to spend on pastebinit but I plan to push a new version in Ubuntu for Intrepid if David or someone else don't send it to Debian before | 13:06 |
| fta_ | ok, i'll do that then | 13:07 |
| sabdfl | \sh: yes, we have some work to do in getting the ISV's to embrace our release cycle | 13:15 |
| sabdfl | though LTS's are a pretty obvious target for them | 13:15 |
| \sh | sabdfl: yes...even that adobe is not playing nice with rhel in general...anyways..this is really what's missing for serious "non webserver mass rollouts of ubuntu" ;) | 13:16 |
| === fta_ is now known as fta | ||
| maswan | \sh: There is alot of other enterprisy software/hardware that I'd like to see support for over anything from adobe, but then I'm not doing much consumer-related stuff. :) | 13:22 |
| hwilde | how about visio :) | 13:23 |
| maswan | hwilde: what's that? | 13:23 |
| hunger | Could somebody push the perl stuff that is still build against the old perl version into the build queue again, please? | 13:23 |
| hwilde | that's the only proprietary thing I haven't been able to hack yet. | 13:23 |
| hwilde | like flowcharts and stuff. (think dia) | 13:23 |
| \sh | hwilde: visio is just nice with the Datacenter Planning Plugin ;) | 13:23 |
| hwilde | \sh, gimme | 13:24 |
| cjwatson | hunger: if it's already built successfully, it needs a developer to reupload (with build1 versioning, or incrementing the number after ubuntu if it's modified) | 13:24 |
| cjwatson | we don't have a way to do that automatically | 13:24 |
| maswan | hwilde: ok, never used it. I'd just like vendor support for ubuntu connected to tape libraries, etc | 13:24 |
| === sebner_ is now known as sebner | ||
| hwilde | maswan, now that dell is offering preinstalled we will see an increase in vendor support | 13:24 |
| hunger | hwilde: Try kivio. It works ok, even though it does not have too many stencils. | 13:25 |
| maswan | hwilde: they are doing that in the server space now? | 13:25 |
| \sh | maswan: yes, there are more software/hardware things to support...but right now, those FLV streaming stuff is the way to go...and seeing that ISVs who are supporting their software for RHEL or SLES only it's depressing me..because most of the software runs just fine on debian/ubuntu..but you are stuck with support from the ISVs when running on non-supported OS..and OS doesn't mean "Linux in General" but "RHEL" or "SLES" and not "LTS" ;) | 13:26 |
| \sh | hwilde: dell is not pushing ubuntu on servers...not right now, it's sad...I would like to see e.g. HP or IBM to push their hardware (especially blade stuff) with ubuntu..because it just works | 13:27 |
| hwilde | maswan, scheduled to announce Q1 next year http://www.linux-watch.com/news/NS4557593896.html http://www.theregister.co.uk/2007/11/16/dell_ubuntu_servers/ | 13:27 |
| maswan | \sh: I know, I know. | 13:27 |
| fta | stgraber, done: https://code.edge.launchpad.net/~fta/pastebinit/trunk Please review and pull :) | 13:27 |
| \sh | maswan: btw...did you already had hands on the new areca sata raid crack? | 13:28 |
| maswan | \sh: I just see a different set of software/hardware section, and adobe is very far from anything I run or want to run. :) | 13:28 |
| \sh | maswan: well, of course, oracle is the other needed ISV who needs to be switched to Ubuntu ;) | 13:29 |
| hwilde | but then ubuntu is going to be bogged down with all their overhead | 13:29 |
| hwilde | i'm glad there is no oracle | 13:29 |
| maswan | \sh: nah, just get all ibm's stuff and I'll be happy, TSM, DB2, hw support, GPFS, etc. :) | 13:31 |
| \sh | maswan: hmmm? ibm hs20 blades are running just fine on Ubuntu ;) | 13:32 |
| \sh | well it's old... | 13:33 |
| \sh | maswan: but I can assure, that IBM is testing their HW also on ubuntu and debian...at least that is what a friend is doing here in germany | 13:34 |
| === asac_ is now known as asac | ||
| andrew___ | So far as I can tell, vinagre can't do IPv6, but vino requires it in order to do local VNC connections. If this is a bug, which package should I report it in? | 13:46 |
| \sh | andrew___: vinagre | 13:48 |
| andrew___ | Thanks, will do. | 13:48 |
| \sh | but I wonder what's the difference between ipv4 and ipv6 despite the difference between 32 and 64bit addresses. | 13:49 |
| andrew___ | The difference in what sense? | 13:49 |
| cjwatson | err, significant; there are books on the subject | 13:49 |
| hwilde | vino does not require v6 for local connex, I do it all the time | 13:50 |
| andrew___ | hwilde: Strange - can you confirm that `netstat --inet -lpn` includes vino in it? | 13:50 |
| \sh | cjwatson: hmm..not in that case..I thought glibc gives you a nice compat mode for connecting to ipv4 or ipv6 addresses | 13:50 |
| cjwatson | \sh: to some extent, but it's not entirely trivial | 13:51 |
| \sh | cjwatson: oh joy...at least on the application level we shouldn't make the change more difficult ;) | 13:52 |
| cjwatson | it can't be made a complete drop-in replacement | 13:52 |
| hwilde | andrew___, wow it is using v6 ! I didn't even realize I had it enabled | 13:52 |
| hwilde | andrew___, tcp6 0 0 *:5900 *:* LISTEN 5461/vino-server | 13:52 |
| hwilde | tcp6 0 0 mpro:5900 mpro:38308 ESTABLISHED5461/vino-server | 13:52 |
| andrew___ | :) | 13:52 |
| andrew___ | You might want to look at ip6tables then - it's probably not firewalled. | 13:53 |
| hwilde | eh | 13:53 |
| hwilde | i'm not scurred | 13:53 |
| andrew___ | iptables is IPv4 only. If you've got IPv6 enabled, you need to use ip6tables to firewall your IPv6 connections. | 13:54 |
| \sh | cjwatson: I'm damned...not only I have to take care about the routers and kernels but also on the apps....not only damned, I'm somewhat doomed... | 13:54 |
| hwilde | or I could just not care | 13:54 |
| andrew___ | More relevantly though, which VNC client are you on? | 13:54 |
| andrew___ | Fair enough. | 13:54 |
| hwilde | andrew___, I just typed vncviewer | 13:54 |
| cjwatson | \sh: it might be a novel idea to read up on it before panicking | 13:55 |
| hwilde | novel idea to read up on it lol nice pun | 13:55 |
| andrew___ | Ah, okay. So it's still a bug in vinagre. | 13:55 |
| andrew___ | Thanks. | 13:55 |
| cjwatson | hwilde: unintentional :) | 13:55 |
| hwilde | I was going to say, it's a bit early for that :) | 13:56 |
| \sh | cjwatson: we are doing some migration tests...so I'm not panicking...but I have to extend our tests | 13:57 |
| \sh | regarding some non standard aps | 13:57 |
| \sh | apps even | 13:57 |
| ScottK | \sh: You have upstream IPv6 connectivity? | 13:58 |
| \sh | ScottK: we are playing with ipv6 connectivity...but for production stuff, no | 13:58 |
| ScottK | OK. | 13:58 |
| ScottK | \sh: Yes. You'll need to test all the apps in an IPv6 environment. It's not at all transparent. | 13:59 |
| \sh | ScottK: there are some other issues I have to take care about first...e.g. php crc32 implementation ;) | 13:59 |
| cjwatson | \sh: IPv6 has been in a chicken-and-egg situation for a long time; it hasn't been worth ISPs' time as long as OS vendors don't support it well (and as long customers aren't asking for it), and it hasn't been worth OS vendors' time to support it as long as ISPs don't | 14:00 |
| cjwatson | so I'm all for the deadlock being broken | 14:00 |
| cjwatson | but yes, as ScottK says it isn't a trivial migration by any stretch of the imagination | 14:00 |
| ScottK | Just teaching an app I'm upstream for to do IPv6 CIDR matches was enough pain for me for a while. | 14:01 |
| \sh | cjwatson: I know...when I started to play with ipv6 <-> ipv4 tunnel ISPs...it went bad...but tbh, it's time to get ipv6 out of the kindergarden | 14:01 |
| \sh | ScottK: oh well, just explain people ipv4 cidr..it makes them stupid again...people think only in classes :( | 14:01 |
| sebner | \sh: well, it's also time to get 64bit out of the kindergarden -.- | 14:03 |
| maswan | \sh: yes, but for some things "supported" is rather important. not just "works". | 14:04 |
| \sh | sebner: tell MS ... that's why we have to fight with win32 on x86_64 still | 14:05 |
| sebner | \sh: it isn't that a big step but there will always be people that are complaining that app xy isn't working. /me ist just happy hat nexuiz is running on amd64 =) | 14:07 |
| \sh | maswan: when I read about the last ripe ipv6 meeting and googles attack on it, I wonder when we accomplish the change from 32 to 64...we all know changes are difficult and painful... | 14:08 |
| \sh | sebner: regarding developers, 32bit vs. 64bit is a big step..many devs are not knowing the difference between (pointer)(int) and (pointer)(long) on 32 and 64bit archs....even today... | 14:10 |
| wgrant | \sh: This is why we have cluebats. | 14:10 |
| cjwatson | \sh: BTW, IPv6 addresses are 128-bit, not 32-bit | 14:10 |
| \sh | cjwatson: not 64 | 14:11 |
| cjwatson | err ... "not 64-bit" | 14:11 |
| cjwatson | yes | 14:11 |
| \sh | yeah.../me has a beer too much in his system ;) | 14:11 |
| \sh | no coincidence...but "one bit too many" ;) | 14:11 |
| * \sh should go and prepare the asparagus | 14:12 | |
| \sh | Can't use string ("2/8") as a HASH ref while "strict refs" in use at debian/file-actions.pl line 40, <JL> line 23. oh joy | 14:13 |
| maswan | cjwatson: we have been doing ipv6 testing here at ACC, and as of the last 2-3 years or so base OS support has been there, and the last 1-2 years have had "most" application support working too. | 14:14 |
| cjwatson | maswan: yeah, it's just been gradual rather than a strongly-coordinated effort | 14:14 |
| cjwatson | (with all due respect to people like fabbione who've been pushing for it for a long time) | 14:15 |
| cjwatson | and I rather suspect that network-manager doesn't have great IPv6 support ... | 14:15 |
| maswan | cjwatson: the thing that worries me is that the 2011 date is getting closer and they aren't pushing it back to "5-10 years from now". | 14:15 |
| wgrant | NM works fine with stateless autoconfig, but not sure about other kinds. | 14:15 |
| cjwatson | that's the address exhaustion time? | 14:16 |
| maswan | cjwatson: yeah | 14:16 |
| * wgrant doesn't know of any consumer .au ISPs that provide native v6 :( | 14:16 | |
| Ng | +projected | 14:16 |
| cjwatson | my ISP is still going LA LA LA NO URGENCY | 14:17 |
| TheMuso | a/c | 14:17 |
| wgrant | cjwatson: They all are. | 14:17 |
| \sh | cjwatson: I'm more concerned about the routers (say juniper, cisco to name the big guns)...you could come over some problems with ipv4 tunnels regarding testing/fixing time .. but even our routers are not behaving with ipv6 | 14:17 |
| maswan | wgrant: last time I checked, static setup was a pain. we haven't tried it on hardy though, the hack in network/interfaces with pre-up and up-hooks to disable autoconf was working | 14:17 |
| wgrant | cjwatson: It's ridiculous. | 14:17 |
| maswan | Ng: well, yeah. I'm just worried because we're getting close and the projections aren't getting (significantly) pushed back. | 14:17 |
| ScottK | Lack of IPv6 just means they can charge more for IPv4 addresses. I'm not sure why an ISP would invest money to avoid that. | 14:18 |
| wgrant | ScottK: That's a good point. | 14:18 |
| \sh | ScottK: because ripe e.g. as european ip registry has a policy to not pay for ip addresses...at least when I was member of ripe | 14:18 |
| ScottK | So your ISP gives you unlimited static IPs for no extra cost? | 14:19 |
| maswan | ScottK: Well, when procurement of connectivity for organisations include "ipv6 connectivity" as a requirement | 14:19 |
| \sh | ScottK: setup fee is ok...but not for the ips | 14:19 |
| Ng | maswan: there are a bunch of really huge ipv4 allocations that are extremely old and unnecessary, which could be reclaimed | 14:20 |
| Ng | I think HP have 3 /8s, two of which are from aquisitions | 14:20 |
| ScottK | maswan: As an organizatin, why would I want to raise my contract cost to get that? | 14:20 |
| ScottK | Ng: Yes, but even reclamations don't help a huge amount in the long run. | 14:20 |
| \sh | ScottK: for my new rootserver I have 8ip network for free...and more then that, I'll have to pay a setup fee ...well, it's a different wording, but fulfills ripes rules | 14:20 |
| Ng | ScottK: the almost universal lack of adoption suggests that ipv6 doesn't either | 14:20 |
| maswan | Ng: Technically they can be reclaimed, can they legally? | 14:21 |
| \sh | Ng: Daimler Benz has one or two /8 too... and they don't need it | 14:21 |
| andrew___ | My concern is that this could become another Y2K media event - "experts say the Internet will crack asunder on June 2, 2011 at 8:34 GMT, releasing Shub-Internet from its 30 year sleep". | 14:21 |
| Ng | \sh: exactly, and there are a bunch of others | 14:21 |
| maswan | Ng: It seems more likely to create a market where you can buy/sell adresses.. | 14:21 |
| cjwatson | ScottK: some organisations seem pretty keen on getting Mobile IPv6 in place; the US DoD seems to be one such | 14:21 |
| ScottK | cjwatson: Yes. US DoD is a major exception and they're big enough to get it done. | 14:22 |
| Ng | maswan: how? I can't sell my ADSL's IP to you, it's assigned to my ISP by RIPE | 14:22 |
| maswan | Ng: No, you can't currently. But RIPE can't revoke that assignment either, so your ISP has it forever, unless they choose to return it.. | 14:22 |
| ScottK | cjwatson: US DoD also has a large IP multicast deployment in place. I don't know of anyone else who's pulled that off yet either. | 14:23 |
| \sh | maswan: ripe can revoke | 14:23 |
| \sh | maswan: they did it once even for a /16 for my old company | 14:23 |
| === davmor2_dinner is now known as davmor2 | ||
| ScottK | maswan: There is a reclamation process, but it's slow and painful. We'll probably run out before a significant fraction of the theoretically doable reclamations could be done. | 14:24 |
| \sh | maswan: but "names do count" | 14:24 |
| maswan | \sh: Ah, so there is a process. Could it work if your company had said "no" and kept announcing them? | 14:24 |
| cjwatson | ScottK: they're also driving a certain amount of the hardware and software fixes, which is the only way the chicken-and-egg problem is going to get resolved | 14:24 |
| \sh | maswan: as I said, "names do count" ... so if you have a name like "Daimler"..they won't start revoking | 14:25 |
| maswan | \sh: or "deutsche telekom" for that matter.. | 14:25 |
| persia | ScottK: Quite a few of the multinational financial institutions have large IP multicast, often with negotiated multi-network transfer. | 14:25 |
| ScottK | cjwatson: Yes. This is true, but I think getting the hardware/software working is a necessary, but not sufficient condition for getting deployment. | 14:25 |
| ScottK | persia: Oh. I did not know that. Thanks. | 14:25 |
| cjwatson | ScottK: agreed | 14:25 |
| maswan | ScottK: The likely outcome of v4 exhaustion I think is a trading model and layer upon layer of NAT. With some growing v6 adoption over time, just because it becomse less painful. | 14:26 |
| cjwatson | layer upon layer of NAT> and stuff becoming less and less reliable as a result, but since we've all been trained to go "oh, whatever, restart connection" ... | 14:26 |
| andrew___ | Is there any data yet on how good Vista's IPv6 is in the real world? | 14:26 |
| maswan | andrew___: AFAIK, it "just works" on the client at least. | 14:27 |
| maswan | andrew___: much like ubuntu since dapper | 14:27 |
| maswan | (or possibly earlier) | 14:27 |
| andrew___ | That's good, at least. | 14:28 |
| \sh | maswan: yepp....but they can claim to be a ISP | 14:28 |
| \sh | maswan: I wonder if DTAG or DAIMLER or AS701/AS702 are paying more then just the normal ripe fee | 14:29 |
| \sh | (ok AS701 is ARIN) | 14:29 |
| * \sh is an old fart regarding AS numbers | 14:30 | |
| \sh | hmm..AS702 is now verizon...in former times, as701 and as702 were uu.net america, uu.net europe | 14:33 |
| TheMuso | /c/c | 14:33 |
| andrew___ | cjwatson: is this a good time to ask my SSH question? | 14:34 |
| \sh | andrew___: why do you not fire away? | 14:35 |
| andrew___ | Because... I might be wrong :s | 14:36 |
| \sh | andrew___: we have hobbsee to tell someone who is wrong or not ,-) | 14:36 |
| andrew___ | Hehe. | 14:36 |
| cjwatson | andrew___: sure | 14:36 |
| * Hobbsee loosk in | 14:37 | |
| andrew___ | If I allow an untrusted user to log in to my machine, who can't forward local, remote or X connections, and is given a specific command instead of a shell, what security problems do I need to be thinking about? | 14:37 |
| Hobbsee | \sh: who am i telling who's wrong? | 14:37 |
| * \sh waves to LPS aeh Hobbsee | 14:37 | |
| cjwatson | andrew___: make sure you've set all the no-* listed in sshd(8) | 14:39 |
| cjwatson | andrew___: but otherwise that can be made secure providing that you're certain there's no way to cause the command in question to do anything unexpected given arbitrary input | 14:39 |
| cjwatson | people have set up anonymous CVS servers that way, for instance | 14:39 |
| cjwatson | (who don't trust pserver) | 14:39 |
| \sh | who's in charge for running MoM to be up2date? | 14:40 |
| andrew___ | The plan is that the command do some initial negotiation, then listen on port 5900 (to forward a VNC session back to the client's computer) or /var/run/screen/.../some-unix-socket (to forward a screen back) | 14:41 |
| andrew___ | Where the unix socket in question is decided by the program, with no input from SSH. | 14:42 |
| cjwatson | what happens if that port is already in use? | 14:43 |
| andrew___ | VNC servers normally use 590*. I think some use 5901 for X :1, 5902 for X :2, etc. | 14:43 |
| andrew___ | I suppose I could do that transparently to SSH as well. | 14:44 |
| cjwatson | you'd have to return the port number then | 14:44 |
| andrew___ | I was thinking I'd pipe it all through SSH's standard input/output, and the client would redirect it to the relevant port/socket on the client. | 14:45 |
| andrew___ | (Which could even be IPv6, going back to the earlier discussion) | 14:45 |
| andrew___ | I suggest that because I'm not aware of any other mechanism to only allow an SSH client to forward a specified port. | 14:46 |
| tmmoyer | is there any documentation on how to build udebs for the installer? I know how to build a traditional package for a running system, but I need to add a package to the installer and haven't seen anything on building udebs | 14:53 |
| TheMuso | tmmoyer: You could have a look at how existing udebs are packaged. | 14:54 |
| tmmoyer | okay | 14:54 |
| evand | tmmoyer: This may also be of help: http://meetings-archive.debian.net/pub/debian-meetings/2006/debconf6/slides/Debian_installer_workshop-Frans_Pop/paper/index.html#id2535340 | 14:59 |
| ScottK | \sh: I think the plan is to work on it during UDS (MoM). | 14:59 |
| === danielm_ is now known as danielm | ||
| tmmoyer | evand: yes I just found that when I expanded my search to include debian as well thank you for the help | 14:59 |
| \sh | ScottK: -ETOOLATE ... let's run mom as it was...and try to merge mom with dad on a different server? | 15:00 |
| cjwatson | \sh: MoM is running, it's just having trouble getting a consistent archive because the archive is loaded | 15:00 |
| andrew___ | cjwatson: on the other hand, I see I'm wrong about that :). How much information do people actually need to share in order to be reasonably confident that they've transmitted the correct RSA key? Would the cksum/md5sum be any use? | 15:00 |
| cjwatson | andrew___: err, sorry, now I'm lacking context. Why would people be transmitting RSA keys? | 15:01 |
| \sh | cjwatson: well the last update was on the 7th...and all the syncs and merges were not recognized...if it's because of leningradskaya...ok ;) | 15:01 |
| andrew___ | cjwatson: If you want to log in with a public key (RSA keys being shorter than DSA keys, therefore quicker to check), and want to confirm over the phone that you've got the correct key. | 15:02 |
| cjwatson | andrew___: use the fingerprint; I've had people reading those out over the phone and it's fine | 15:02 |
| andrew___ | Thanks, that's enough to keep me going for a while :) | 15:03 |
| andrew___ | I expect I'll be back at some point with a blueprint to annoy people with. | 15:03 |
| * \sh is off now.....guests are in da house....african party now ;) | 15:05 | |
| emgent | re | 15:06 |
| andrew___ | cjwatson: actually no, I'm not explaining myself right. If client and server have never connected before, you need a safe way of transmitting the client's public key to the server, and I'm thinking of doing a password-based login, sending the public key, then logging out and back in again with the public key. I'm worried about a situation where Mallory intercepts the SSH connection from the client, logs in to the serv | 15:12 |
| andrew___ | er, and sends her own public key, allowing her to do an MITM attack on the later session. | 15:12 |
| andrew___ | Would confirming the server's RSA fingerprint guard against that? | 15:13 |
| cjwatson | the purpose of the host key check is to guard against man-in-the-middle attacks | 15:13 |
| cjwatson | so yes, it would; a middle-man attacker would be unable to forge the server's host key | 15:13 |
| andrew___ | Okay, good. Thanks again. | 15:14 |
| cjwatson | how are you transmitting the passwords around? | 15:14 |
| andrew___ | Telephone. | 15:14 |
| cjwatson | ok | 15:14 |
| cjwatson | you have to bootstrap trust somehow :) | 15:14 |
| andrew___ | Yeah :) | 15:14 |
| === cr3_ is now known as cr3 | ||
| === johanbr_ is now known as johanbr | ||
| === Shely_ is now known as Shely | ||
| Dane2 | Hello, all. I've been trying to cross-compile asterisk (compiling i386 binary using amd64 distro) using pbuilder/dh_make/debuild, but I keep getting the following error after the compile completes, and it's about to make a binary package: "build_tools/mkpkgconfig: 34: cannot create /usr/lib/pkgconfig/asterisk.pc: Permission denied" | 18:03 |
| Dane2 | any ideas? | 18:03 |
| Dane2 | I've asked on the #asterisk channel, and they said it's a distro specific thing, so I'm trying here. :-) | 18:04 |
| jdavies | Dane2: I think #ubuntu-motu may be a better place :-) | 18:05 |
| Dane2 | ok. Thanks. | 18:05 |
| === bobbo_ is now known as bobbocanfly | ||
| === bobbocanfly is now known as bobbo | ||
| === asac_ is now known as asac | ||
| emgent | heya people | 20:04 |
| johanbr | If I wanted to get a patch into ubuntu to run various cron tasks (locate etc) less often than daily, what would be the recommended way of doing that? Debconf question at low priority? | 20:44 |
| cjwatson | johanbr: debconf isn't a very good interface for that sort of choice, really - you'd end up typing crontab entries into it as a string, which would be awful. Why not just edit /etc/crontab? It's a conffile and so your edits will be preserved - that's the supported way to change this. | 20:48 |
| cjwatson | also, mixing debconf and conffiles is bad, so in order to offer debconf configuration it would have to stop being a conffile for everyone else, which would introduce a lot of complexity - probably too much for a low-priority tweakable. | 20:49 |
| johanbr | cjwatson: I see, thanks. But with editing crontab, changing the interval of only a few daily tasks seems to be complicated. | 20:51 |
| johanbr | But on closer inspection, none of the /etc/cron.daily jobs seem to necessarily need to be run daily, at least for me. So I may just do that. Thank you. | 20:55 |
| emgent | heya sabdfl | 20:59 |
| emgent | :) | 20:59 |
| cjwatson | johanbr: yes, if you needed that you'd need to split cron.daily up somehow. run-parts has a --regex option that might help. | 21:00 |
| arekm | hello, how do you separate own commits from upstream one in git://kernel.ubuntu.com/ubuntu/ubuntu-gutsy.git repo? | 21:07 |
| kirkland | cjwatson: I see that you were the last person to merge/upload yaboot-installer. i merged for intrepid, in case you want to review and upload. | 21:41 |
| cjwatson | kirkland: thanks - can you send me mail to remind me? | 21:42 |
| cjwatson | I probably won't get to it tonight, but can certainly review | 21:42 |
| kirkland | cjwatson: you bet, will do. it's no rush. i'll leave in my home dir on chinstrap. | 21:43 |
| andrew___ | reportbug-ng is Debian-specific - it doesn't check for bugs filed with Ubuntu. Is that a bug or a reason to remove the package altogether? If the latter, who do I talk to about it? | 21:49 |
| beuno | andrew___, maybe some ubuntu users want to check for debian bugs? | 21:49 |
| geser | or use it to file bugs in Debian | 21:50 |
| andrew___ | So you reckon I should file a bug saying that it should warn more clearly about not being a useful Ubuntu tool? | 21:51 |
| beuno | andrew___, nope, I think it's fine as-is | 21:52 |
| ScottK | andrew___: Reportbug has been patched not to report to Debian by default. Same magic should be done to reportbug-ng if it isn't already. | 21:53 |
| beuno | ScottK, really? what does it do then? | 21:53 |
| andrew___ | ScottK: Either it's not, or the magic went wrong with the bug I filed :) | 21:53 |
| ScottK | By default it sends mail to ubuntu-users or something reasonably useless. You have to tell it specifically you want to report to Debian. | 21:54 |
| ScottK | andrew___: Then it needs to be fixed up like reportbug. | 21:54 |
| beuno | hrm :/ | 21:55 |
| ScottK | Unfortunately LP doesn't expose sufficient API to actually allow reportbug to be modified to do something useful in Ubuntu. | 21:55 |
| andrew___ | I'll have a poke about and complain that -ng is insufficiently crippled. | 21:56 |
| ScottK | Just make sure you complain to Ubuntu, not Debian '-) | 21:56 |
| andrew___ | I don't suppose I can report bugs against some test package that blackholes the report? | 21:56 |
| andrew___ | :p | 21:56 |
| andrew___ | (So I can do a test and describe the reportbug UI) | 21:57 |
| ScottK | You can control what happens to the mail via your local MTA is the best thing I can offer. | 21:57 |
| andrew___ | Yeah, good plan. | 21:58 |
| cjwatson | andrew___: (noted smiley, but) afraid not; bugs against unknown packages in bugs.debian.org typically end up in my inbox so I'd be unhappy about that plan ... | 21:59 |
| cjwatson | though there is a debbugs-test pseudopackage, but it's really more for debbugs developers to test, rather than a general-access sandbox | 21:59 |
| andrew___ | Fair enough, I'll disable anything that looks like it could talk SMTP before I play around with it. | 22:00 |
| ScottK | andrew___: It wasn't you that reported a bug against skype in Debian recently is it? | 22:04 |
| === asac_ is now known as asac | ||
| andrew___ | No, Vinagre. | 22:07 |
| ScottK | OK. At least it's a package that's in Debian. | 22:08 |
| === mweinelt__ is now known as mweinelt | ||
| pochu | andrew___: that's bug 175508. No worries for the Vinagre bug :-) | 22:39 |
| ubottu | Launchpad bug 175508 in reportbug-ng "reportbug-ng reports bugs to Debian instead of Ubuntu" [High,Triaged] https://launchpad.net/bugs/175508 | 22:39 |
| andrew___ | Thanks :) | 22:40 |
| andrew___ | I was halfway through writing a thing with suggested fixes - is that still useful? | 22:41 |
| pochu | andrew___: I'll probably look at changing it to ubuntu-users@l.u.c unless you have a better proposal, so yes, that will be useful | 22:43 |
| pochu | good night | 22:43 |
| === iceman_ is now known as iceman | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!