=== elkbuntu is now known as elky
haisamhi guys02:20
haisamI have a small technical problem is that the right place to ask ?02:20
andrew___Depends how small and how technical - #ubuntu might be better.02:21
haisamit's small :)02:22
andrew___Well ask away, and we'll continue in private if necessary :)02:23
haisamI can't play rhythmbox and Totem simultaneously02:23
haisamthat mutes my sound02:23
haisamsame with firefox and totem02:23
=== elky is now known as elkbuntu
haisamin brief can't use sound for one application02:24
haisammore than one application *02:24
andrew___But when you stop trying to use the second application, sound comes back?02:24
haisamwhen I close the other application02:25
andrew___Is this in Hardy?02:25
haisam8.04 LTS02:26
andrew___At a guess, that's probably got something to do with the new audio system (PulseAudio), but that's way outside anything I can help with.02:26
haisamI guessed so02:26
andrew___#ubuntu might know more.02:27
haisambut when I disabled it it didn't help02:27
haisamanyway thx02:27
andrew___Sure, sorry I couldn't be more help.02:27
Bodsdasorry for coming here for a support type question but         dpkg-reconfigure xserver-xorg         used to be able to configure video displays and devices, it no longer does that,.,. is there a new command for this or how can i reconfigure my display drivers when i cannot use a gui session?03:45
RAOFYou should be _always_ able to use a GUI session.03:46
BodsdaRAOF, what about when my display drivers are 'missing' and i dont know the package name to set them nor can i connect to the internet to download anything -- is there another command for reconfiguring display?03:48
RAOFIf you can't, it means that the vesa driver is broken on your system.03:49
BodsdaRAOF, so what would i do then -- besides reinstall?03:49
RAOFI'm not quite sure what your question is.  Or, rather, I'm not sure that the conditions in your question ever trigger.03:50
Bodsdaok il rephrase03:50
BodsdaRAOF, in Gutsy when i ran         dpkg-reconfigure -phigh xserver-xorg        i could reconfigure my display settings things like drivers and screen res, in Hardy this is not available with the same command,. is there another command that does the same thing or how can i make the command do what it did in Gutsy?03:52
RAOFRight.  The answers there are 'no' and 'no', respectively.03:53
BodsdaRAOF, why was the command changed?03:53
RAOFBecause X no longer needs that configuration.  Most of the time.03:53
RAOFAnd writing _wrong_ information in xorg.conf is bad :)03:54
RAOFThe only time you should need to specify a driver is in the restricted-drivers case, since these don't seem to hook into X's autodetect.03:54
BodsdaRAOF, and what should i do if i need to reconfigure my display settings and i dont know what conf files to look in nor do i have a useable gui session (because there is loads of lines accross my screen & my screen is overlapping itself 5 times)03:54
RAOFBodsda: You can delete /etc/X11/xorg.conf :)03:55
RAOFBodsda: Or, better, move it out of the way.03:55
BodsdaRAOF, how does that help?03:55
ScottKAnother option is to reboot and pick the recover option.  It's got a try to fix X option.03:56
RAOFSo, that makes X do it's funky autodetection thang, which should work.  If it doesn't, it's going to be a driver bug.03:56
RAOFScottK: Which uses VESA, right?03:56
Bodsdaok so the nifty little tool to fix screen probs has been deleted -- why? and is it at all possible to get it back?03:57
ScottKRAOF: I'm not sure.  So far everytime I broke my xorg (and I did it a bunch patching displayconfig) it got me back to working.03:57
RAOFWhy? A: Because it no longer fixes screen problems.  Not possible to get it back, at least easily.03:57
RAOFYou'd have to look at the pre-Xorg-1.4 packages and merge the old debconf information with the new packages.03:58
Bodsdawhy would it no longer fix screen probs ?? it choose drivers and screen res03:58
RAOFBoth of which can be accurately autodetected.03:59
ScottKBodsda: X changed the way it deals with stuff a lot recently.  A lot of tools just don't work anymore.03:59
BodsdaScottK, can we expect a similar tool in the future?03:59
RAOFProbably not, since the goal is to make such a tool unnecessary.04:00
ScottKBodsda: I'm not sure what tool you're talking about.  If you want to fix a broken X config do the reboot to the recover option and pick the fix X choice.04:00
Bodsdaok, thankyou both -- ScottK doesnt the recover mode just give u a prompt?04:01
ScottKBodsda: No.  It gives you choices and you can fix X and then reboot normally.04:02
BodsdaScottK, ok cheers -- il let the guys in #ubuntu know --  cheers04:02
=== gnomefre1k is now known as gnomefreak
fabbionehmmm perl still broken?04:43
dholbachgood morning06:43
pittiGood morning07:31
dholbachhi pitti07:35
* pitti hugs dholbach07:35
fabbionehi pitti08:02
pittifabbione: Rocking the penguin cluster? :-)08:02
fabbionepitti: indeed :) getting ready for a new release today08:03
StevenKTheMuso: Hardy kernel?08:24
TheMusoStevenK: Only just upgraded this box to hardy.08:24
StevenKTheMuso: Ahh08:27
gesergood morning08:28
pittifabbione: oh, FC9 o'clock?08:30
fabbionepitti: there was an announce, but no.. it's not related to f908:30
fabbionepitti: i am preparing 2.99.01 (that will eventually be 3.0) for f1008:30
fabbionebut you might have noticed that the build-deps for 2.99.01 are already in intrepid :=)))08:33
=== cpro1 is now known as cprov
mathiazseb128: hello :)08:59
seb128lut mathiaz09:00
mathiazseb128: re bug 228061 - I guess this is a duplicate of a nautilus bug - which bug number should I use ?09:00
ubottuLaunchpad bug 228061 in samba "Samba doesn't display the shared stuffs" [Undecided,Incomplete] https://launchpad.net/bugs/22806109:00
mathiazseb128: or should I just reassign it to the nautilus package ?09:01
seb128mathiaz: bug #20707209:01
ubottuLaunchpad bug 207072 in nautilus "nautilus does not display samba shares for machines inside an ADS network." [Undecided,Invalid] https://launchpad.net/bugs/20707209:01
mathiazseb128: great - thanks09:01
seb128you are welcome09:01
pittihey seb12809:11
seb128hello pitti09:19
mrechi, how can I get a package included in Ubuntu?09:23
mrectvtime with audio support might be a good candidate, as well as my em28xx drivers (compiled for 32/64bit ontop of the lum modules, including firmware)09:24
ChipzzI think #ubuntu-motu may be a good start09:25
mathiazmrec: ^^ + https://wiki.ubuntu.com/UbuntuDevelopment/NewPackages09:26
Chipzzthough I'm not sure about the dirver09:26
Chipzzdriver possibly should go into -restricted-drivers09:27
mrecI think it's better to keep the drivers out of the linux-ubuntu-modules package since I'll update it more frequently09:27
Chipzzwhich wouldn't be a seperate package per se09:27
mrecit's completly opensource and supported by the manufacturer09:27
Chipzzwell even then; I'm not sure what the policy is on shipping drivers in seperate packages as opposed to in the big package09:28
mathiazmrec: if you wanna take the path to maintain out of tree kernel modules, have a look at the virtualbox-ose-* packages09:32
mathiazmrec: I'd suggest you to get your driver included in lum - it will be much easier to maintain and things won't break whenever there is a new kernel published.09:33
mrecmathiaz: the only thing is that there will be weekly updates again09:34
mrecI'm working at the driver and application side to provide best possible support for those devices (while not affecting/(breaking) other things)09:34
mathiazmrec: make sure you push them in the lum git tree09:34
Chipzzmrec: I'm thinking, updating your driver frequently may not be a good idea anyway; well, at least not for stable releases09:35
Chipzzand for the development cycle, new kernels get pushed often enough09:35
Chipzzthough maybe not as much as you want09:35
mathiazmrec: the problem is that if you maintain your driver out of the tree, whenever there is a new kernel published things will break09:35
mrecmathiaz: I thought about that too the package could have a direct dependency to the lum package version, so upgrading the lum package would remove the driver09:36
Chipzzat least not for stable releases >> it simply will not happen for stable releases09:36
mrecI already have a Ubuntu build system for it09:36
mathiazmrec: for ex, if you install virtualbox-ose-modules-*, which are in universe, you have to wait for the virtualbox-ose-* maintainer to uploader a new version of the vbox-ose-modules- when a new kernel is published.09:36
mrecI'm aware of something like that yes09:37
mathiazmrec: so it's easier to get your module in the lum tree.09:37
mathiazmrec: your module will be part of the standard kernel upload.09:38
Chipzzmrec: uhm, first of all, you would need to manually track the lum version. and second, how is it any good for the user (who may depend on your driver) that it gets removed when stuff breaks?09:38
mrecmathiaz: ok, well sounds like a reasonable way to go09:38
mrecChipzz: the module overall has no dependency on something else it just adds stuff09:39
mathiazmrec: if you still wanna maintained your own kernel-modules packages, you should have a look at the virtualbox-ose package.09:39
mrecI think the way you propose is fine09:40
mrecI could still provide packages on the webserver for those who want to test the bloody edge work09:40
Chipzzmrec: btw, one more thing... doing weekly updates will make bugtracking hell I think09:40
mrecChipzz: it doesn't, it usually adds support for newer devices and newer chipdrivers09:41
geserpitti: Hi, is it ok to ask for give-backs to get to build order right or is some huge give-back planned?09:45
pittigeser: sure, just tell me; I guess infinity will do some more mass-givebacks, but it doesn't hurt to do some more coordinated ones manually10:10
=== sjoerd__ is now known as sjoerd
pittihi sjoerd10:15
geserpitti: do we need the cpio-win32 binary deb? it makes currently cpio depwait on mingw32 (universe)10:15
sjoerdpitti: morning :)10:15
Riddellpitti: KDE 4 MIRs available when you're able10:35
pittigeser: erk, does that come from cpio proper? no, we certainly don't want that in main10:38
pittiRiddell: ok, thanks10:38
geserpitti: cpio builds cpio and cpio-win32. according to the description cpio-win32 is used in the win32-loader of D-I10:40
sorenogra: I have a few questions about ltsp server, if you have a minute?10:41
sorenogra: I see that the standalone package depends on dhcp3-server.10:42
sorenI'm curious about how you handle configuration file changes in there.10:42
ograsee dhcpd's initscript ;)10:42
sorenI suppose ltsp fiddles around with it to offer kernel images to clients.10:42
sorenOh, ok.10:42
ograwe have an override file so we dont touch existing configs10:43
sorenSo installing ltsp effectively disables any currently running dhcp server?10:43
ograif an admin wants to use his existing file he just a) deletes ours or b) only installs ltsp-server10:43
sorenIs the user notified about this when installing ltsp-server-standalone?10:44
ogra-standalone assumes you want ltsp to handle everything10:44
ograltsp-server is freely adjustable in all directions10:44
ograwell, only by the package description, we dont notify separately10:44
ograsoren, if you have any better sugestion how to handle the situation, i'm all open for a beer in prague to discuss it over ;)10:46
sorenogra: :)10:47
=== Lamego_ is now known as joaopinto
sorenogra: I'm really just working on something that'll need to do almost the same thing, so I was just looking for inspiration as to how to handle this.10:48
sorenogra: ...but let's have beer anyway :)10:48
ograsoren, we do a similar thing with syslog, if you need such overrides as well, we should consider generalizing on a /etc/overrides dir or so10:49
ogracurrently its bound to /etc/ltsp and the files in there10:49
sorenogra: Yup.10:50
sorenpitti: re: https://bugs.edge.launchpad.net/ubuntu/+source/ifenslave-2.6/+bug/223759.. Can't we just copy over ifenslave-2.6 from hardy-updates to intrepid?10:53
ubottuLaunchpad bug 223759 in ifenslave-2.6 "ifupdown integration broken" [Medium,In progress]10:53
=== davmor2 is now known as davmor2_away
pittisoren: no10:53
pittisoren: we need a different version, since we have a different toolchain10:53
sorenEr.. Yeah, but if this bug had been fixed before hardy released, the packages would have just been copied to intrepid anyway. We don't rebuild every package because we update the tool chain?10:54
pittisoren: right, but we still usually do it10:55
pittican't hurt to test it properly in intrepid10:55
soren*shrug* Ok.10:55
* pitti finishes testing of virt-manager and copies to -updates10:55
pitti^ same case, btw, should be uploaded to intrepid10:55
sorenpitti: Not entirely the same case. intrepid will have a new upstream version, too. But yeah, it's in my list :)10:58
geserhas someone some time to sponsor bug #229877?10:59
ubottuLaunchpad bug 229877 in cpio "[intrepid] cpio build-depends on mingw32" [Undecided,New] https://launchpad.net/bugs/22987710:59
ograKeybuk, why is ltsp showing up on MOM but ldm isnt ? debian added an epoch to the ldm versioning, could that cause MOM to ignore it ?11:00
dholbachogra: it's on http://merges.ubuntu.com/main-manual.html11:01
ograoh, i only looked at main.html, thanks dholbach11:01
Keybukogra: no common base version between the two11:02
ograwell, just different versioning, the code i pretty much the same .... (in the new ltsp wold each distro decides on its own how to call the tarballs :/ )11:03
ogratkamppeter, a big "thank you" from my mother ! (i brought her a new printer this weekend and she was massively impressed that she could intsall it herself (well or that it installed itself on its own rather :) ))11:09
=== sjoerd_ is now known as sjoerd
=== chand is now known as chand[aw]
=== illovae_ is now known as illovae
jordidoes anyone here use vnc4server loaded in xorg.conf and get X crashes as soon as a client connects?11:40
jordiin hardy11:40
geserpitti: a first batch for give-back: antlr axis hsqldb jakarta-log4j javacc jcommon-serializer jsch libbsf-java libcommons-collections3-java libcommons-lang-java libformula liblayout libloader libjaxp1.3-java libjakarta-poi-java librepository libpgjava liboro-java libmx4j-java libxerces2-java libxml-commons-resolver1.1-java libxml-java mysql-connector-java sacjava libxalan2-java11:45
ograpitti, you have to use "sudo hal-disable-polling --enable-polling --device /dev/scd0" if something diabled cdrom polling (i.e. powertop has such an option) couldnt we make that command a wee bit more intuitive in its naming ?11:46
pittigeser: hm, wierd, I get 403 forbidden on those now; yay LP rollout11:46
pittiah, seems my stored cookie was invalidated11:47
pittidarn, how do I get one back now, with Firefox 3?11:48
pittiogra: anything you have to type on the CLI is unintuitive...11:48
pittiogra: the UI you used to switch it off should also allow you to switch it back on11:48
ograpitti, true, but calling a command disable-foo with such a switch seems weird11:48
geserpitti: http://people.ubuntu.com/~kees/scripts/cookies-sql2txt11:48
pittigeser: \o/11:49
pittihm, still forbidden11:50
pittigeser: no luck; I cannot even do it in the web ui11:52
pittiI'm still in lp-buildd-admins, but I don't even see the 'retry build' option any more :/11:52
pitticprov: ^ any idea?11:52
tkamppeterogra, great to hear this positive feedback. Which printer model did you give to her?12:03
ograa HP photosmart 53xx (forgot the exact namimg, sorry)12:04
=== sjoerd_ is now known as sjoerd
tkamppeterogra, this one is really completely supported. Connected to USB it sets up by iteslf and you can print and scan (if it has a scanner) immediately. If you were running Windows it would take you hours to get HP's CDs installed and you would need to reboot.12:08
ograyeah, indeed i slightly ceated by buying a HP since i know its well supported :) but it was very impressing :)12:10
wgrantI had the painful experience of installing an HP PSC .* on a Windows box last week. Could they really make it any worse/12:16
cprovpitti: what's the problem ?  you use to be allowed to retry any builds and now you are not ?12:19
pitticprov: right12:19
cprovpitti: even l.n not in edge.l.n ?12:20
pitticprov: let me try12:20
pitticprov: ah, lp.net still works12:21
pittigeser: ok, disabled redirection and gave back your packages12:22
geserpitti: thanks12:23
pittisoren: FYI, (LP #223759) does not work; you have to use LP: #; so please close the ifenslave bug manually12:28
ubottuLaunchpad bug 223759 in ifenslave-2.6 "ifupdown integration broken" [Medium,In progress] https://launchpad.net/bugs/22375912:28
sorenpitti: Ah, yes. Force of habit. I remove the colon on purpose when doing merges (to not try to close the bugs /again/), but this time that was clearly wrong. Thanks for catching that.12:29
pittisoren: btw, IIRC LP does not try to close the bugs again, that was fixed12:30
sorenpitti: Ah, lovely.12:30
ograLP will make us all jobless some day12:30
pittisoren: (I do the same, though)12:30
=== chand[aw] is now known as chand
jordicjwatson: omg13:19
cjwatsonjordi: ?13:19
jordicjwatson: remember my partman-auto-raid troubles?13:19
cjwatsonsort of :)13:20
jordiI was composing a detailed email to you and Simon13:20
jordiI thought it was very suspicious that the only error message I got was "No root partition defined", invariably of what I tried, and no debug messages13:20
jordiwell, partman-auto-raid is in universe in Ubuntu13:21
cjwatsonyes, stuff in universe won't get used ...13:21
jordiyeah, it's not even in the CD13:22
jordinow, I've tried so many things that I don't know what's the correct config :)13:22
=== ryu2 is now known as ryu
jordicjwatson: *sigh*, the basic expert_recipe works13:32
jordiI'll try the more elaborate setup now. I can't understand why -raid isn't in main though13:32
cjwatsonnever got reviewed and promoted ...13:32
jordicjwatson: what can I do to get this reviewed and promoted?13:33
cjwatsonjordi: could you mail ubuntu-devel@ about it?13:34
jordisure thing13:34
jordifrom your partman-auto knowledge, do you think creating a "/ on raid1, two independent swaps and /srv/backup on ext3 on a single PATA disk" would be problematic?13:35
fabbioneSCORE!!!!! WOWOWOWOOWOW13:52
fabbioneSubject: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator13:52
cjwatsonaware, work in progress13:52
fabbionecjwatson: yeah i know...13:53
stgraberfabbione: scary title isn't it ? :)13:55
virtuald<random theobsd rant />13:57
ScottKRecovery looks to be a bit painful.13:57
loolSo we will have to regenerate all our SSH keys?13:59
fabbionenot all of them no14:00
loolOnly DSAs?14:00
siretartwhat ubuntu releases of openssl are affected?14:00
loolsiretart: >= 0.9.8c-1 I think14:00
fabbionesiretart: wait for the USN14:00
siretartlool: which would mean all later and including dapper :/14:01
loolThis would translate to anything post dapper if I understand correctly14:01
siretarterr, s/dapper/feisty/14:01
ograsiretart, hey, i dont see you on the UDS attendees list, you dont come this time ?14:03
siretartogra: oh, I do!14:03
siretartogra: is that on launchpad?14:04
ogragreat to hear :)14:04
siretartogra: thanks for notice, fixed :)14:04
=== davmor2_away is now known as davmor2
\shpitti: I filed a new sync request for phpgroupware, where your sync script was not able to sync it last time...could you check if it does now succeed? (bug #229942)14:30
ubottuLaunchpad bug 229942 in phpgroupware "Please sync phpgroupware 1: (universe) from Debian unstable (main)." [Wishlist,Confirmed] https://launchpad.net/bugs/22994214:30
=== hwilde_ is now known as hwilde
=== Shely_ is now known as Shely
pitti\sh: yes, I'll have a look next time15:58
=== mathiaz_ is now known as mathiaz
tjaaltonok, so the openssl bug is quite severe.. does it really mean that every key used on a buggy system should be changed? even if not generated there?16:29
ogracheck the keys with the tool :)16:31
ogra(ssh-vulnkey that is)16:31
jdongtjaalton: quite severe is an understatement.16:32
jdongtjaalton: all we need now is for GPG to be compromised and the galaxy will implode.16:32
thomopenssh-server template parse error: Template #4 in /tmp/openssh-server.template.326872 has a duplicate field "template" with new value "ssh/vulnerable_host_keys". Probably two templates are not properly separated by a lone newline.16:33
tjaaltonjdong: actually I was asked about the possibility16:35
Hobbseeogra: ssh-vulnkey?16:37
ograHobbsee, yes16:37
keesHobbsee: see http://www.ubuntu.com/usn/usn-612-2 for details16:37
cjwatsonthom: gutsy> argh16:38
cjwatsonjdstrand: ^--16:38
ograkees, hmm, it would be clever if the first page of the USN somehow indicated there is a second one i guess16:38
tjaaltonogra: I know the hostkeys are fine, since they are generated on a rhel cluster during installation, but the debian report said that all keys used during authentication are compromised..16:39
pittiTheMuso, imbrandon, jdong: any chance somebody could approve my fakechroot SRU? (bug 228534)16:39
ubottuLaunchpad bug 228534 in fakechroot "Does not wrap *at() functions which makes fakechroot fail badly with Hardy" [High,In progress] https://launchpad.net/bugs/22853416:39
ograkees, if you dont guess that by url ...16:39
cjwatsontjaalton: all *DSA* keys16:40
cjwatsontjaalton: RSA keys are only broken if generated on a buggy system16:40
keesogra: it isn't explicit, you're right, but the 612-1 url is in the top header16:40
tjaaltoncjwatson: argh16:41
keescjwatson: the non-default DSA breakage requires traffic capture and additional computational expense to crack, though?16:41
jdongpitti: sorry, lemme take a look; been scrambling the morning with the SSL fun16:41
cjwatsonkees: correct, though perhaps not actually all that much additional computational expense (maybe)16:41
pittijdong: it's not utterly urgent, but it's sitting there for a week or so16:41
cjwatsonthe DSA one is not fully analysed yet, we just know that there is a weakness there16:41
Hobbseeogra: which package is it in?16:42
jdongpitti: you've got it :)16:42
pittijdong: wow, that was fast. thanks :)16:42
Hobbseeahhh, more upgrades here now.16:42
ograHobbsee, openssh-server16:42
Hobbseewhich probably means i have to regenerate again.  sigh.16:42
Hobbseewait, no.16:43
jdongHobbsee: the upgrade is apparently just Ubuntu sauce...16:43
jdongHobbsee: i.e. regen vulnerable hostkeys on postinst, reject authenication from users with weak keys16:43
cjwatsonthom: feisty and hardy are fine, for the record16:46
cjwatsonjdong: Debian too16:46
jdongcjwatson: oh. what's the scope then?16:47
cjwatsonjdong: err, sorry, not sure exactly what you're asking?16:47
cjwatsonscope of what?16:47
jdongcjwatson: USN 61216:48
jdongcjwatson: I thought feisty and hardy are affected?16:48
cjwatsonoh, you misunderstood me16:48
jdongcjwatson: sorry, seems like I did :)16:48
thomjdong: cjwatson was responding to my comment that the gutsy packages are bust16:48
cjwatsonthom was pointing out a problem with the upgrades in gutsy-security16:48
cjwatsonI noted that feisty-security and hardy-security don't have that upgrade problem16:48
jdongcjwatson: thansk for the clarification.16:50
=== Shely_ is now known as Shely
no0ticI confirm what thom said16:53
cjwatsonyep, we're working on it with all possible speed16:54
tjaaltoncjwatson: so all DSA keys used (!) on a buggy system should be changed, not just those that were generated there?16:54
cjwatsontjaalton: it's a somewhat arguable case as yet; for complete safety, yes16:55
cjwatsoncompromising a DSA key used on a buggy system requires capturing a network trace, and it's not clear yet whether user keys are susceptible except by a malicious sshd16:55
cjwatsonme? I've regenerated my DSA key16:55
jdongerring on the side of caution seems prudent when dealing with these matters :)16:56
tjaaltonok, maybe it's time to write an announcement for 20000 students :P16:57
maswanugh. I'm happy that almost all our servers are still on dapper. :)16:58
maswanalso, kerberos meaning no ssh key auth. :)16:59
jdongmaswan: yeah kerberos is saving my life right now16:59
jdongmy campus server keys don't need any additional work atm16:59
jdongbut on my personal system I need to regenerate some IMAPS/HTTPS certs later today :)16:59
tjaaltonwe are still fighting whether to use MIT or AD or both17:00
maswantjaalton: heimdal! :)17:00
tjaaltonmaswan: that too :)17:00
=== ember_ is now known as ember
tjaaltonmaswan: we actually have MIT already set up, but it's "unofficial"17:00
jdonguse MIT </unbiased joking opinion> ;-)17:00
tjaaltonand no trust between MIT <-> AD17:01
jcastroanyone seeing that with the ssh update?17:07
Ngjcastro: gutsy?17:07
Nga new version is being prepared for gutsy17:08
jcastro(not my machine, just got asked by someone who did this)17:08
Mithrandirssh update?  You mean openssl or do you actually mean ssh?17:10
cjwatsonMithrandir: ssh17:10
cjwatsonjcastro: known, in progress17:10
Mithrandirmaswan: heimdal seems to be linked with openssl here.  Are you sure it's safe?17:11
maswanMithrandir: no, it's likely broken just like mit kerberos. our kdcs etc are on dapper. :)17:11
Mithrandirah, ok17:12
VolansHi all, I have a problem with the update of openssh-server on Gutsy 64bit. I know that you are working on it, if I can help with some test feel free to ask me (output of apt-get -f install: http://pastebin.ubuntu.com/11878/)17:16
cjwatsonVolans: known, we're on it17:17
jcastroVolans: I just asked the same question, it's being worked on17:17
cjwatson(you're number four ...)17:17
emgenthehehe :D17:18
cjwatsonthe fix is in the works17:18
Volansok, better! :) just in case we can help you with some test17:18
l3onHi all :)17:25
kirklandcjwatson: the ideal output of a "fixed" system when running "sudo ssh-vulnkey -a" is an exit code of 0?17:33
cjwatsonno, the opposite17:33
cjwatsonthe exit code semantics are a bit tricky I'm afraid17:33
cjwatsonbut ssh-vulnkey exits 0 if it finds at least one vulnerable key17:33
kirklandcjwatson: interesting, okay.  output of "Not blacklisted" is optimal?17:34
cjwatson"Unknown (no blacklist information)" means it's a key type/length for which we don't have a blacklist17:34
cjwatson"COMPROMISED" means regenerate the bugger now17:34
sdhanybody help me out with this related error please?17:34
kirklandcjwatson: yup17:34
kirklandcjwatson: thanks.17:35
sdhlooks like a package problem17:35
cjwatsonsdh: we're on it17:35
Volanssdh: have you gutsy?17:35
sdhcjwatson: ah, it's known about?17:35
sdhVolans: yep, server17:35
cjwatsonyes, this is gutsy only17:35
thomcjwatson: worth topic'ing?17:35
sdhi just update/upgraded to fix the ssl nightmare :)17:36
sdhs/fix/help start to fix/ :)17:36
Volansthey are working on it, only Gutsy have this update problem on openssh-server due to the USN-612-1 fix17:36
sdhok, cool, thanks17:36
cjwatsonit's a single sodding blank line *sigh*17:36
sdhi'll hold off and keep an eye on here... then update/upgrade later17:36
=== gnomefre1k is now known as gnomefreak
cjwatsongutsy-security is fixed18:05
Volansthanks cjwatson :)18:05
cjwatsonthom,no0tic,jcastro,Volans,sdh: ^--18:05
jcastrocjwatson: thanks, I'll let people know18:05
Volanscjwatson: just updated all worked fine18:07
Picithanks, /me informs #ubuntu18:08
stgraberopenssh upgraded correctly18:08
stgraberbut not openvpn18:08
stgraberopenvpn: Depends: openssl-blacklist which is a virtual package.18:08
[reed]kees, jdstrand, cjwatson: ping... looks like the openssl/openssh packages are wrong18:08
geserpitti: please give-back: libapache-htpasswd-perl libcrypt-hcesha-perl libcrypt-openssl-dsa-perl libhtml-fromtext-perl libgnome-java18:09
[reed]so, this was the "fix" Debian made in 200618:09
[reed]and this was the back out 5 days ago:18:09
[reed]I see a problem!18:09
cjwatson[reed]: nah18:09
[reed]why not? PURIFY isn't used for compiling18:09
cjwatson[reed]: the first change to rand/md_rand.c was wrong - that was in 0.9.8b-118:09
[reed]that code is still compiled18:09
[reed]cjwatson: that code is still there18:10
cjwatson[reed]: the PURIFY bit does not matter18:10
cjwatsonok, sorry, I thought you were asking about the filename difference, but in any case18:10
cjwatson[reed]: no, it's fine - one of those two diffs was acceptable, one was incorrect18:10
cody-somervilleWould this vulnerability affect a red hat server if I used Ubuntu to generate the key?18:10
cjwatsoncody-somerville: yes18:11
pittigeser: done18:11
[reed]cjwatson: why wasn't the entire change backed out?18:11
cjwatsonbecause it didn't need to be18:11
[reed]looking at ssleay_rand_bytes() in Debian's svn repo, that other change is still there18:11
[reed]#ifndef PURIFY18:11
[reed]#if 0 /* Don't add uninitialised data. */18:11
[reed]MD_Update(&m,buf,j); /* purify complains */18:11
jcastrooops, sorry18:12
jdongjcastro: you sure held that right arrow key for a convincing period of time ;-)18:12
cjwatson[reed]: yes. we know. but that's ok.18:13
[reed]cjwatson: well, it doesn't make me feel very safe18:13
cjwatson[reed]: "buf" is something completely different there than in the other chunk.18:13
jcastrojdong: the new package apparently doesn't fix ssh lag. :)18:13
[reed]it's still a wrong change that Debian should have never made18:13
cjwatson[reed]: in the other chunk, buf is actual real initialised data18:13
cjwatsonI don't dispute that18:13
[reed]so it doesn't make sense why somebody doesn't back it out now and submit new packages just to appease everybody that there isn't still some remnants left18:14
[reed]because when an openssl team member is pointing it out on his blog, I worry18:14
cjwatson[reed]: because there was actually a reason for the other bit - it made it more difficult to use automated tools to assure the correctness of other software that used openssl18:14
cjwatsonI have read the blog entry in question, yes18:15
[reed]cjwatson: sure, that's what the PURIFY define is for18:15
[reed]you can define it if you want18:15
cjwatsonlet me explain18:15
[reed]instead of commenting out the code18:15
cjwatson(or you could go and read the original bug log!)18:15
cjwatsonbut if you don't want to read the original log, the reason why -DPURIFY wasn't used was that that would have to be applied to the non-debug build as well, otherwise the utility of the -dbg build just being separated symbols so that you can use it to investigate core dumps produced by the regular build would be lost18:16
cjwatsonnow, I'm not sure why PURIFY wasn't used across the board, because I haven't looked at what else it does to openssl18:17
cjwatsonbut if you have questions there you should address them to the Debian maintainer18:17
cjwatsondivergence between Debian and Ubuntu here is unlikely to be helpful, and we've taken quite a lot of care to coordinate here18:17
[reed]I read http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516, which doesn't mention PURIFY18:17
[reed]which bug # is this you're speaking of?18:17
ubottuDebian bug 363516 in openssl "valgrind-clean the RNG" [Wishlist,Closed]18:17
cjwatsonthat's the one18:17
cjwatsonit discusses it, even if not by name18:18
cjwatsonas it happens, it looks like the only thing PURIFY does now is to compile out that code which is commented out18:18
cjwatsonso what we have now is equivalent to (and uglier than) building with -DPURIFY18:18
[reed]ok, so, why did this take 5 days (at least) to go public?18:18
cjwatsonbecause we needed to take care to get mitigation measures in place18:19
[reed]such as what?18:19
[reed]the script?18:19
cjwatsonI do not wish to give people information on how to write an exploit just at the moment, I'm afraid18:19
cjwatsondowkd.pl was written by a member of the Debian security team; I wrote ssh-vulnkey18:20
[reed]cjwatson: well, I think you should at least mention somewhere publicly why Debian/Ubuntu/etc. didn't back out the entire bad change18:20
cjwatsonbut the aim of both was the same; help people to lock down use of compromised ssh keys as soon as possible18:20
cjwatsonI think you should address your concern to the Debian developer who made the change18:21
cjwatson(as I said above018:21
cjwatsonwe have put a good deal of time into assisting with the job of mitigating this, but ultimately it is more valuable to Ubuntu not to diverge from Debian on critical issues such as this so that at least we share problems18:22
cjwatsonwe certainly aren't going to make the essentially cosmetic change of switching to using -DPURIFY18:22
[reed]do you recommend regenerating all keys made since the bad change was live, or just ones that are vulnerable?18:22
cjwatsonnow, personally, I think that would be the correct change to make18:22
cjwatsonbut it should be made in Debian18:22
Chipzzhow does this affect ubuntu? http://www.debian.org/security/2008/dsa-157118:22
cjwatsonhttp://www.ubuntu.com/usn/usn-612-2 has detailed instructions18:23
Chipzz(OpenSSL vulnerability)18:23
cjwatsonChipzz: please see the corresponding Ubuntu security updates18:23
jdongChipzz: USN 612-218:23
Chipzzmaybe best to put a warning in the topic?18:23
cjwatson[reed]: five days ago, we also didn't know the scope of the problem (e.g. whether it affected session keys), and needed time to investigate before the storm broke18:23
cjwatsonfive days is not an especially long embargo period for this sort of thing; in fact it was shorter than would have really been convenient to get everything ready18:24
[reed]I agree18:24
[reed]and my other question and regenerating keys?18:24
=== cjwatson changed the topic of #ubuntu-devel to: Regenerate your SSH keys! http://www.ubuntu.com/usn/usn-612-2 | Ubuntu 8.04 LTS released! | Development of Ubuntu (not support, not application development on Ubuntu) | #ubuntu for support and general discussion for dapper/feisty/gutsy/hardy, #ubuntu+1 for intrepid | #ubuntu-motu for getting involved in development | http://wiki.ubuntu.com/UbuntuDevelopment | See #ubuntu-bugs for http://wiki.ubuntu.com/HelpingWithBugs
sdhhmm, i guess this affects https keys too?18:24
sdhas generated using openssl for apache18:24
cjwatsonsdh: yes18:25
sdhthat's unfortunate, given that people pay to get them signed18:25
cjwatson[reed]: for 2048-bit RSA keys or 1024-bit DSA keys, we have blacklists of compromised keys, and you can refer to those18:25
cjwatson[reed]: for other keys, I would advise regenerating unless you are confident that they were generated on non-vulnerable systems18:25
cjwatsonsdh: yes18:25
=== juliux_ is now known as juliux
winjerwe've regenerated our server keys using the new ssl, and they're being reported as weak by the tool18:27
winjerany idea what's going on there?18:27
cjwatsonwinjer: which keys, which tool?18:28
winjerdowkd.pl, server host keys18:28
cjwatsonI did not write dowkd.pl and can't support it; try ssh-vulnkey?18:28
cjwatsonwhat does it say?18:28
winjer"weak key"18:29
winjeri'll keep digging18:29
cjwatsonssh-vulnkey doesn't say "weak key" :-)18:29
winjeroh sorry18:29
stgrabercjwatson: is the openvpn security update supposed to work with gutsy ?18:30
cjwatsonstgraber: I believe so, though I haven't looked at it ... what's wrong?18:30
stgraberThe following packages have unmet dependencies: openvpn: Depends: openssl-blacklist which is a virtual package.18:30
cjwatsonopenssl-blacklist may be in NEW or something18:31
cjwatsonI'll check it out18:31
cjwatsonyes, it is18:31
sdhgood time to be a CA :)18:37
norsettocan someone please give back wsjt?18:39
psusiI do not understand the purpose of the watershed wrapper used by udev... could anyone explain?18:40
cjwatsonhttps://wiki.ubuntu.com/UdevLvm was where it was introduced18:40
psusiI just read that ;)18:41
psusinot getting it for some reason18:41
psusiit says if 100 events come in, it will run the command at least twice, but probably not 100 times...18:42
Mithrandirpsusi: in some cases, you have a process which takes a long while to finish and it holds a lock, but it's stateless and you just need it to run after a certain event.18:42
psusiif there are 100 events, then shouldn't the command be run 100 times?18:42
cjwatsonno, because one run of the program is sufficient to clear all pending events18:42
Mithrandirnot necessarily.18:42
cjwatsonbut what happens if an event arrives after the program started?18:42
psusiright... since you are telling it to scan ALL devices, if 12 devices come in, you don't need 12 scans18:42
cjwatsonthat's what watershed is for18:42
psusijust 1 scan after the last device18:42
Mithrandirpsusi: correct.18:42
psusiwhy isn't lvm told only to scan the device which has arrived though?18:43
cjwatsonin lvm's case, it may take several block devices to build up a full volume18:43
cjwatsonbasically it's a race fix IIRC18:43
psusiyea... but if you vol_id them as they come in, and you identify which volume they are a part of, then you can tell lvm exactly which devices have been identified as part of that volume so it can scan them and activate that volume18:44
psusiwithout disturbing any unrelated devices18:44
sdhcjwatson: is there a ssh-vulnkey equivalent for generic SSL keys ?18:44
sdhnot sure im making sense18:45
cjwatsonsdh: it's not possible for all keys18:45
sdhthe sort of key that openssl spits out for use in apache18:45
Mithrandirpsusi: theoretically, there's nothing wrong with that approach, apart from the fact that lvm doesn't work that way, I believe.18:45
cjwatsonsdh: but I believe one is either done or in progress for some simple cases, in one of the other security updates18:45
sdhcjwatson: thanks18:45
psusiis the output of the scripts run by udev logged anywhere?  I'm trying to figure out why this server won't activate the root raid at boot18:46
Keybukpsusi: not normally18:56
psusiKeybuk: is there a switch or boot parameter you can throw to make it?18:56
Keybukpsusi: no18:56
Keybuknot to mention that syslog starts a long time after udev anyway18:57
psusiI was thinking just redirect to /var/udev.log instead of /dev/null ;)18:58
Keybukudev.log is something else18:58
Keybukit logs udevmonitor output18:58
psusiit's a shame that you no longer see the output of mdadm on the boot screen18:59
RainCTuhm.. I can't install libssl0.9.8_0.9.8g-4ubuntu3.1_i386.deb19:00
cjwatsonRainCT: what is the problem?19:00
RainCTdpkg-deb (subprocés): llegida curta en buffer_copy (s'ha produït un error en escriure al conducte en la còpia)19:00
RainCTdpkg-deb: el subprocés paste retornà el codi d'eixida d'error 219:00
RainCTcjwatson: translated that would be +/-: short read in buffer_copy (there was an error writing to the copy conduct)19:01
cjwatson"failed to write to pipe in copy" in fact19:01
cjwatsonthat's usually transient, or possibly out of disk space19:01
cjwatsoncheck that you have enough free disk space? otherwise try again19:01
cjwatsonbut basically that's internal in dpkg, and not usually a problem with the package19:01
cjwatsonunless there are other nearby errors which are more specific19:02
RainCTwhat can it be beside disk space (/ has 2.2GB free)19:04
ograwith /var on the same partition ?19:04
RainCT /usr is in a different partition though, and has 12 GB free19:05
RainCT(yeh, I know I should repartition ^^)19:05
cjwatsonwould need an strace of dpkg really to see what's actually going wrong19:05
cjwatsonerrno 2 is no such file or directory19:06
cjwatsonvery weird19:06
cjwatsonis anyone else seeing this problem?19:06
cjwatsonRainCT: and could you put the entire output from dpkg somewhere?19:06
* ogra had proper upgrades everywhere19:06
* RainCT is trying with aptitude full-upgrade, hadn't noticed the new packages are already in the repos19:07
cjwatsonRainCT: could you provide the full output, before you lose it?19:07
RainCTcjwatson: sure, but there's not much more19:08
RainCTcjwatson: http://paste.ubuntu.com/11906/plain/19:09
cjwatsonout of interest, does the directory /usr/lib/i586 exist?19:10
RainCTcjwatson: yes, it contains the files libcrypto.so.0.9.8 and  libssl.so.0.9.819:11
cjwatsonvery strange19:11
ograoh, same here19:11
cjwatsonof course you're doing a downgrade19:11
cjwatsonwhich is not a great plan19:11
cjwatsonso, while I can't imagine why, it could be something to do with that19:11
ograwhats the reason for that special dir ?19:12
ograseems very libssl specific19:12
* stgraber wonders why one of his 3 routers don't seem to accept the new OpenVPN key ... all three are dd-wrt with the exact same custom firmware :( let's wait and see if things improve by themselves :)19:13
geserisn't that dir used by packages with cpu-optimsation?19:13
cjwatsongeser is correct19:13
cjwatsonit is not openssl-specific, AFAIK; the linker looks at it19:13
stgraberogra: btw, I guess italc is also concerned by the SSL thing no ?19:13
ograstgraber, for sure :(19:13
stgraberok, one more thing to add to the long list of keys to rebuild ...19:14
ograah, debian bug #139783 explains the dir thing apparently19:14
ubottuDebian bug 139783 in openssl "openssl: debian version very slow" [Important,Closed] http://bugs.debian.org/13978319:14
l3onHi, is it solved open-ssh problem in gutsy release?19:14
cjwatsonl3on: in gutsy-security, yes19:15
l3onsomeone said me that it was impossible install it forum security, apt returns an error19:15
l3onis it right?19:15
cjwatsonl3on: that's fixed now19:16
l3onok, tnx cjwatson19:16
andrew___cjwatson: what should I do if one of my public keys is listed as "COMPROMISED"?  Is there a page that goes into more details about this stuff?19:17
cjwatsonandrew___: http://www.ubuntu.com/usn/usn-612-219:17
andrew___But no special action beyond that?19:17
stgraberandrew___: revoke and generate a new one, that's basically it19:17
awalton__did launchpad autoreap the bad keys?19:18
cjwatsonawalton__: not so much of the "auto", but I gather action has been taken there19:19
=== thekorn_ is now known as thekorn
andrew___Fair enough - FWIW, the use of upper case lead me to assume there was something extra to be doing with that.  If anyone else is as jumpy as me, you might want to consider putting it in the man page/downcasing the message.19:19
awalton__cjwatson, all I needed to know. just wanted to know if it was going to take care of it or if I would have to.19:20
awalton__cjwatson, thanks.19:20
cody-somervilleDoes this mean I'm okay? Unknown (no blacklist information): <key stuff here> /home/cody-somerville/.ssh/id_rsa.pub ?19:22
ScottKcody-somerville: As I understand it, that's a don't know response.19:22
andrew___In anticipation of more panicky people, is there somewhere good to put together a FAQ?19:23
* ScottK redid all his keys before the new SSH packages hit, so doesn't actually know.19:23
stgrabercody-somerville: yep, that's ok19:23
cjwatsonandrew___: COMPROMISED absolutely deserves to be upper-case19:23
cjwatsonandrew___: any such key must be regenerated19:23
stgrabercody-somerville: COMPROMISED: 2048 isn't19:23
cjwatsonandrew___: http://www.ubuntu.com/usn/usn-612-2 is meant to be the FAQ, pretty much ...?19:23
cjwatsoncody-somerville: that means there's no blacklist for that key type/size combination; you'll have to figure out from things like key generation time whether that key is vulnerable19:24
andrew___Well, there's already two Qs not explicitly A'd.  For panicky people, I don't mind putting in a bit of time to repeat the answer for peace of mind.19:24
cjwatsonandrew___: it wouldn't hurt, but I'm exhausted and not able to set one up19:26
cjwatsonhowever, I'd rather there not be a semi-official FAQ filled with possible misinformation19:26
cjwatsoncan this wait until tomorrow?19:26
andrew___If you'd rather I not do it, sure.19:26
cjwatsonwell, I'd rather the person that does it have authoritative information19:26
andrew___Fair enough.  In the mean-time, the standing advice is to regenerate your keys if there's any doubt, and not to do anything else?19:27
andrew___Okay, thanks.19:28
cjwatsonfor paid-for SSL keys, I would understand people not wanting to regenerate them frivolously, but for SSH keys there's really little reason not to regenerate them if in doubt19:28
cody-somervillegah,  almost all my keys are compromised :(19:29
LaserJockssh keys are rather cheap, at least compared to signed gpg keys19:29
Keybukgpg keys are cheap :)19:30
cjwatsongpg, fortunately, is not affected19:30
andrew___I'll pass that on if anyone asks, with the appropriate I'm-not-worthy's :)19:30
cjwatsonandrew___: I didn't mean to imply unworthiness, BTW, I'm just very conscious of how Chinese whispers tends to work19:31
Keybukgpg --gen-key ... "lamont, sign my key" ... "gpg --send-key" - et voila, new gpg key and back in the well-connected set ;)19:32
RainCTcjwatson: (the debs from the repos worked)19:32
MithrandirKeybuk: except when nine-tenths of the WoT is gone.19:32
lamontKeybuk: heh19:32
KeybukMithrandir: FIRESALE!19:32
Mithrandirsince nearly all of them (well, except lamont) has DSA keys. :-P19:32
stgraberKeybuk: hmm, and if lamont's key would also be compromised ? :)19:33
philsnowcjwatson: i had never heard that term ('chinese whispers') until one of the latest episodes of dr who19:33
Keybukstgraber: then o/~ with just a handful of men / we'll start / we'll start all over again19:33
Keybuk<fx: guitar solo>19:33
andrew___cjwatson: Yeah I completely agree.  I've no problem admitting I'm not a security professional, it's just a fact that needs to be passed on because of the aforementioned whispers.19:34
* jdong is still unfamiliar with the term :)19:34
andrew___Chinese Whispers it's a game schoolchildren play, where they each whisper a message to the next.19:35
jdongare any non-mozilla browsers affected?19:35
jdongandrew___: is it like telephone?19:35
andrew___I don't know, I've not played that game :s19:35
jdongandrew___: n whispers to n+1, at the end the message is garbled?19:35
andrew___Yeah, that's the one.19:35
LaserJockI thought that was called Telephone19:35
jdongandrew___: ok so I guess I only know the politically castrated terminology then ;-)19:36
jdongLaserJock: ^^ :)19:36
* andrew___ becomes old19:36
LaserJockI guess maybe the Chinese were whispering before the telephone was invented19:36
cody-somervillecjwatson, Should I put something on the fridge?19:37
jdongcody-somerville: yeah stock up on milk, we're running low19:37
cjwatsoncody-somerville: if you do, please refer to the USN19:37
* cody-somerville nods.19:37
cjwatsoncody-somerville: we may be updating the web copy of the USN with more information19:37
ogracjwatson, hmm, looks to me like that broken pipe dpkg error occurs if something tries to overwrite conflicting files, there was just a mail to ubuntu-de with the same error where a third party package claimed an already owned file19:40
cody-somervillePosted to the fridge.19:48
[reed]cjwatson: does ssh-vulnkey have a blacklist for 2048 keys?19:49
LaserJockcjwatson: the USN has no information on regenerating system keys, is there anything special that has to be done for that?19:49
[reed]2048 bit keys, that is19:49
geser[reed]: look into /etc/ssh/19:50
cjwatson[reed]: RSA 2048-bit, yes (DSA is only valid for 1024-bit, technically)19:50
cjwatsonLaserJock: vulnerable 2048-bit RSA and 1024-bit DSA keys will be regenerated automatically if necessary19:50
[reed]cjwatson: true, but that change to ssh-keygen for DSA is fairly recent!19:50
[reed]so, I'm seeing conflicting results19:50
cjwatsonLaserJock: though not other keys; they're just ssh-keygen with empty password though19:50
cjwatsonslangasek: ^--19:50
[reed]between ssh-vulnkey and dowkd.pl19:51
cjwatson[reed]: 1024-bit DSA has never been valid, FYI; the standard prohibits it19:51
[reed]cjwatson: you mean 204819:51
[reed]I hope19:51
cjwatson[reed]: err, yes, I do19:51
cjwatsonI mean any more than 1024 bits19:51
[reed]true, but for a long time, ssh-keygen would allow people to make >1024 bit keys19:51
cjwatson[reed]: you're welcome to mail me about it; I'm going to do other things now19:51
cjwatsonor file a bug report19:51
slangasekcjwatson: ack19:52
[reed]so, I'm finding it weird that ssh-vulnkey is warning about them while dowkd.pl is checking them and passing them19:52
LaserJockcjwatson: ok, I just noticed that on one of my machines the openssh-server upgrade regerated the system keys, but on the other it didn't. Should I assume if it didn't regenerate I'm ok?19:52
cjwatson[reed]: I need output from both in order to help19:52
cjwatsonLaserJock: ssh-vulnkey will tell you the status of the host keys19:52
[reed]cjwatson: what's your e-mail address?19:52
LaserJockcjwatson: k, I guess I'll just go with that. I was just going to regenerate them all anyway.19:53
winjerdowkd.pl gives loads of false positives, and some false negatives too i think19:53
cjwatson[reed]: cjwatson@ubuntu.com19:54
[reed]cjwatson: which do you personally recommend? high-number of bits RSA key or a 1024-bit DSA key?19:56
cjwatsonfor high-security single-use keys, I use 4096-bit RSA keys19:57
cjwatsonfor routine use I normally use 2048-bit RSA, although I may change that19:57
[reed]and why RSA over DSA?19:57
cjwatsonI don't think DSA is fundamentally broken though - it just happens to be weak in the presence of a weak RNG19:57
cjwatson^- only reason19:57
cjwatsonI don't think use of DSA is insecure in general, at the moment19:58
cjwatsonbut at the moment I think ssh-keygen's default of 2048-bit RSA is fairly reasonable19:58
[reed]the DSA vs. RSA debate is almost as bad as the vi vs. emacs debate19:59
psusiis it as silly as the MD5 hash collision "attack"?20:02
cjwatsonpsusi: is what as silly?20:03
psusithe DSA/RSA debate you were talking about20:03
cjwatsonerr, apples and oranges? I'm not sure debates and cryptanalysis are comparable20:04
psusithe "debate" is whether MD5 is "broken"20:05
psusibecause you can carefully craft two documents that differ but give the same hash.... still can't create a second document with the same hash as an existing one ( that you didn't carefully create )20:06
cjwatsonpsusi: it is broken in one sense, but not in another sense20:11
cjwatson(the debate is no doubt by people who don't understand a lot of crypto)20:11
cjwatsonpsusi: the collision attack is real, but as you observe it is not as bad as it could be; the name for the second case is a second-preimage attack20:11
cjwatsonpsusi: however, a demonstration of a collision attack is good evidence that a second-preimage attack is not all that far off, so there's no grounds for complacency either20:12
k0phi all20:12
cjwatsonpsusi: similarly, the flaw in DSA in the presence of a weak RNG is real; grounds for not being too complacent, but not grounds for panic - except in the case of an advisory such as this20:15
zulI updated an apache2 to hardy-proposed but didnt get an email back can someone check on it?20:50
andrew___RainCT: do you actually use reportbug-ng to send bugs to Debian?20:57
seb128jwendell: <mneptok> for those with GNOME access and personal keys they no longer trust, please update your system, re-generate keys, and send mail to accounts@gnome.org with the subject "replace Debian/Ubuntu key"21:05
seb128jwendell: replying there since that was mentioned on the ubuntu chans ;-)21:05
jwendellseb128, thanks21:06
seb128you are welcome21:06
jwendellseb128, should I attach my id_rsa.pub file?21:07
seb128mneptok: ^21:07
jwendellwill do..21:08
seb128jwendell: I guess so, id_rsa.pub or id_dsa.pub anyway21:09
jdongjwendell: also send a copy of id_dsa and $500 to paypal jdong@ubuntu.com21:10
jwendelljdong, ah, you're not the guy who found out the issue...21:10
RainCTandrew___: no :P21:11
jdongjwendell: nah, I'm not nearly close to that skill level and I will likely not make it up there21:11
andrew___RainCT: Good, then you won't freak out about suggestions for having it removed :)21:12
jwendellwe should take that money from the guy who patched ssh in the first place21:12
jdongjwendell: so much for the idea of code policing pedantic warnings in the first place :)21:12
RainCTandrew___: I still disagree with removing the option to use it to send bugs to Debian, though21:13
jwendellwhat make debian devs think they should patch upstream code in the first place?21:13
andrew___RainCT: if it stays in, I agree.  I just don't think it should be the default.21:13
jdongjwendell: they saw a valgrind "memory leak" and figured it's a good idea to patch it.21:14
RainCTandrew___: yeh, I don't mind wheter it's the default or not :)21:14
jwendellthis is a good moment to rethink about patching upstream code at all...21:14
andrew___seb128: presumably accounts@gnome.org requires that all e-mail be PGP-signed?  (Sorry if that's a silly question)21:14
jwendellandrew___, nope21:14
andrew___So what's to stop me from saying I'm Miguel de Icaza and handing over my id_rsa.pub?21:15
jdongandrew___: your mail client is not Novell/Ximian evolution.21:16
jwendelljdong, you're so funny today :P21:16
andrew___Also, I'm guessing he speaks better Spanish than me :p21:16
=== xerakko_ is now known as xerakko
slangasekzul: you would have not gotten an email because the publisher was down in deference to the openssl security updates; you should have gotten an email by this point, I think?22:10
zulslangasek: ok thanks22:24
* mneptok waits for jwendell to answer e-mail22:34
RainCTgood night22:44
Riddellevand: how come d-i asks if the time is set to UTC but ubiquity doesn't?23:37
KeybukRiddell: u6y doesn't ask silly questions23:42
Riddellneither should d-i23:45
Keybukd-i can get away with asking any that it likes ;)23:45
Riddellwho has powers to close specs that people have randomly created?  e.g. https://blueprints.launchpad.net/ubuntu/+spec/kmilo-controls-kmix-selected-sound-card23:45
Keybukmore correctly23:46
Keybuku6y knows whether or not you have a windows partition23:46
Keybukso can make an intelligent judgement as to what your system clock should be23:46
Keybukd-i doesn't have that knowledge in the right place, so has to ask23:46
Riddellah, clever old ubiquity23:46
Keybukand since it assumes a more expert user, it's safe to do so23:46

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!