[00:01] <hads> bitsbam: That would depend on the POP/IMAP server. I'm not sure if they would have a defined order though they may.
[00:02] <hads> At a guess you'd probably either need to read the source of the particular server of test it and see to find out.
[00:02] <bitsbam> we are running a pop server. now if i make a request to fetch all unread emails, they come in order that they hit the server?
[00:02] <bitsbam> yeah
[00:02] <bitsbam> is cool
[00:02] <bitsbam> thans
[00:02] <hads> You'd think it would be FIFO but I guess that depends on the POP server.
[00:08] <bitsbam> yeah, i am reading the site docs for our pop server now.
[00:08] <bitsbam> will let you know
[00:48] <mathiaz> sommer: I've written some instructions about updating the Ubuntu Server Guide : https://wiki.ubuntu.com/ServerTeam/KnowledgeBase#serverguide
[00:48] <mathiaz> sommer: let me know what you think about it
[00:48] <kirkland> mathiaz: hey, i did a few more init script patches
[00:48] <kirkland> mathiaz: the list is up to date on https://wiki.ubuntu.com/InitScriptStatusActions
[00:49] <kirkland> mathiaz: any of those you'd like to review/sponsor?  :-)
[00:49] <mathiaz> kirkland: noticed a couple of bugs you've filed coming in :)
[00:49] <kirkland> mathiaz: yessir
[00:49] <mathiaz> kirkland: will take a look at it - but we have to wait until alpha3 is out as we're in a soft freeze for the archive for now
[00:50] <kirkland> mathiaz: i understand that
[00:50] <kirkland> mathiaz: i decided to go ahead and do the services that i personally run and want status on :-)
[00:51] <kirkland> mathiaz: and the ones in universe are not frozen, right?
[00:52] <mathiaz> kirkland: nope - universe is open for business
[00:52] <mathiaz> kirkland: the soft freeze only applies to packages that are included on cds
[00:52] <kirkland> mathiaz: right
[00:52] <kirkland> mathiaz: can MOTU upload to multiverse?
[00:52] <mathiaz> kirkland: yes
[00:52] <kirkland> mathiaz: ie, who do I subscribe to a patch against a multiverse package?
[00:52] <kirkland> ubuntu-universe-sponsors?
[00:52] <mathiaz> kirkland: multiverse is the same thing as restricted for main
[00:53] <mathiaz> kirkland: correct - ubuntu-universe-sponsors is the correct team to subscribe
[00:53] <kirkland> mathiaz: perfect
[01:57] <sommer> mathiaz: awesome, the page looks good to me
[01:57] <sommer> mathiaz: I really need to learn some more bzr... I didn't know you can use it to send emails, that's really cool
[02:05] <mathiaz> sommer: yes - and the good part is that you don't an LP account to do so
[02:05] <mathiaz> sommer: you can even the email adress to send merge request to in the public branch
[02:06] <mathiaz> sommer: so the last step can be reduced to : bzr send
[02:06] <sommer> cool, the doc team really isn't using bzr to it's fullest potential :-)
[02:06] <sommer> but then again there aren't that many commits
[02:07] <sommer> it would be better if there were though, heh
[03:31] <RoAkSoAx> kirkland, ping
[04:13] <unewbie> has anyone copy DVD repo to HDD?
[08:05] <kraut> moin
[08:23] <unewbie> has anyone copy DVD repo to HDD?
[08:34] <afief> How can I configure NetworkManager to work on a static IP?
[13:14] <sommer> morning all
[13:48] <frippz> is there anyone else who suddenly has gotten into permission problems with apache after the latest update?
[13:48] <frippz> all my websites that uses password protection suddenly spits out "Permission denied: Could not open password file"
[13:51] <sommer> frippz: I haven't noticed any issues... are the permissions on the password files correct?
[13:52] <frippz> sommer: they haven't changed. everything worked just fine this morning. the after the latest Ubuntu Security Notice, I ran a safe-upgrade with aptitude
[13:53] <sommer> frippz: have you restarted apache?  also is "Permission denied: Could not open password file" that from the apache log or a prompt?
[13:54] <sommer> frippz: apache should be restarted with the update but...
[13:54] <frippz> sommer: yes, I have restarted apache and the error message is from one of the website logs
[13:54] <frippz> actually, any website that uses password protection would be spitting this out in the log
[13:55] <frippz> it would take a tremendous amount of time to track down what has changed, so I was hoping that someone here would be familiar with the situation
[13:56] <sommer> frippz: someone else may know, but I haven't heard of a similar issue
[13:56] <sommer> frippz: what are the permissions of the password files?
[13:57] <frippz> sommer: they are owned by a regular user and have permissions 644
[13:57] <frippz> the folders containing them has permission 755
[13:58] <sommer> frippz: I'd try changing the ownership to www-data user, at least for a test
[13:59] <frippz> sommer: wow, I really hope I don't have to move all those files to another place where www-data can access them. we're talking about over 50 websites :/
[13:59] <frippz> but I will give this a try
[13:59] <frippz> oh, I see the problem now
[14:00] <frippz> for some reason the regular users home folder has gotten a permission setting of 700
[14:00] <sommer> frippz: heh, that'd probably cause an issue :)
[14:01] <frippz> yes, since both the password files and the document roots reside in there, that was the whole cause :D
[14:01] <sommer> party!
[14:02] <frippz> I really need my vacation now...
[14:03] <lukehasnoname> sudo chmod -R 777 /
[14:04] <frippz> lukehasnoname: a windows user would solve the issue that way :P
[14:05] <lukehasnoname> true.
[14:12] <lukehasnoname> http://www.iht.com/articles/ap/2008/07/24/america/Road-Rage-Killing.php
[14:12] <lukehasnoname> I know it's off topic, just think about it.
[16:02] <gouki> Does anyone know of a solution like MS Terminal Server, but for Ubuntu?
[16:03] <lukehasnoname> LTSP
[16:04] <lukehasnoname> ?
[16:04] <lukehasnoname> Looks like Terminal server is MS's version of thin clients
[16:06] <gouki> lukehasnoname, I have no idea. I never worked with Terminal Server. But a friend of mine just asked me if there is an alternative to MS TS for ~10 users (on a MS Windows) network.
[16:06] <lukehasnoname> I know nothing about MS TS either, I just googled it
[16:07]  * gouki does the same
[16:13] <soren> mdz: The bug from yesterday, by the way: https://bugs.edge.launchpad.net/ubuntu/+source/kvm/+bug/251480
[16:33] <soren> mathiaz: Hi!
[16:34] <soren> mathiaz: I figured out why you couldn't use virtio in the installer. The virtio_pci and virtio_ring drivers have been moved to different udeb's and are not available by default in the installer. I'm trying to get it worked uot.
[16:34] <mathiaz> soren: great - I guess it won't be fixed for alpha3 then
[16:35] <soren> Unlikely.
[16:43] <leucos> anyone has done tests with the bind9 update to verify that VU#800113 is fixed ? (https://www.kb.cert.org/CERT_WEB\services\vul-notes.nsf/id/800113)
[16:44] <leucos> I did, and it seems that port randomization is not working
[16:44] <leucos> if anyone can confirm this (I've found a workaroud with iptables though)
[16:44] <soren> leucos: Tell me about this workaround. It sounds fascinating.
[16:45] <leucos> see http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
[16:50] <soren> I'm not convinced that'll work.
[16:51] <leucos> it seems to work
[16:51] <leucos> tcpdump output says so
[16:51] <leucos> while without it, the sourport for queries never changes
[16:51] <leucos> source port*
[16:52] <soren> I don't see how iptables can know when it's ok to change it and when it's not.
[16:52] <leucos> it does it for all traffic
[16:52] <soren> these are UDP connetions. They have no state.
[16:52] <soren> So how does iptables know that a given packet is part of a new DNS request?
[16:53] <leucos> conntrack
[16:53] <leucos> but as the guys says on his site
[16:53] <soren> conntrack inspects dns requests?
[16:54] <leucos> mmmm, dunno, but I don't think so
[16:54] <soren> Then it can't know.
[16:54] <leucos> src ip/port/dst port/dst ip + timing
[16:54] <soren> ..and then it can't randomize the source port without risking breaking connections.
[16:55] <soren> So what if the "timing" thing changes in between your sending your request and the server responding?
[16:55] <leucos> it times out conntrack entries
[16:55] <ScottK> Depending on timing in UDP replies seems pretty broken by design.
[16:56] <ScottK> Particularly in DNS where some legit servers can be REALLY slow.
[16:56] <leucos> yeah but timings are pretty long
[16:56] <ScottK> How long?
[16:56] <soren> leucos: I don't know how long UDP "connections" live in iptables' conntrack, but I doubt it's less than a few minutes.
[16:56] <leucos> this is why for some entrys with the same key you'll get the same source port for 30 seconds
[16:57] <leucos> but for the bind9 problem, anyone checked port randomization in the update ?
[16:57] <soren> This might be sufficient, though. I don't know the details of the vulnerability.
[16:57] <leucos> since the fix is released for the DNS flaw reported by Kaminsky, I'm surprised that PR doesn't work
[16:58] <leucos> soren: the timing things and mitigation solution requires some indepth analysis that I am not really able to produce as of now :p
[16:59] <kees> soren: the attack is generating queries that result in an NXDOMAIN reply, and then racing those replies with additional RRs for the same domain.  It only really takes a few thousand packets.
[16:59] <kees> since it's an NXDOMAIN, there's no upper limit to the attempts.  and as soon as one wins, the extra RRs are added to the local cache.
[17:00] <kees> (since the domain matches)
[17:00] <soren> kees: How is the source port of any significance?
[17:00] <kees> soren: by randomizing src port, the race becomes several orders of magnitude more difficult to win.
[17:00] <leucos> it's harder to spoof replies
[17:01] <soren> kees: Um... /me doesn't get it
[17:01] <kees> without src port randomization, you just send 1000 packets with guessed TXIDs for each request that you make.
[17:01] <soren> kees: I send out a request to my ISP's nameserver..
[17:01] <ScottK> kees: Do you have a recommendation on a Python native source of randomization that would be sufficient for that?
[17:02] <kees> ScottK: I don't -- I haven't looked closedly at how python handles it.
[17:02] <soren> kees: Er.. No, I can't even finish my sentence. :)
[17:02] <ScottK> kees: OK.
[17:02] <kees> soren: here's the attack:
[17:02] <kees> while not winnar:
[17:02] <leucos> guys, ty for listening, gtg
[17:02] <kees>   send request for a12345.cnn.com to a recurssive name server
[17:03] <kees>   send 1000 forged replies that contain NXDOMAIN as the answer plus additional RR for www.cnn.com at 1.3.3.7
[17:03] <kees> next time through, request a123456, then 7, 8, 9, etc
[17:03] <kees> keep cycling until you win the txid guessing game.
[17:04] <kees> when you win the race, the name server will also add your additional RR to it's cache, overwritting prior information.
[17:04] <soren> So even though the responses come from me, the recursive nameserver accepts them as coming from its "upstream"?
[17:04]  * delcoyote hi
[17:04] <kees> well, that's just a matter of sending the right UDP packets with a matching TXID.
[17:05] <kees> it has no idea where the packet actually came from.
[17:05] <soren> Hmm.. Right, I suppose it is.
[17:05] <kees> and the only thing (prior to srcport randomization) protecting the communication is the txid.
[17:06] <soren> Right. This seems very simple. I'm surprised noone thought of it.
[17:06] <kees> if you wanted to be really slow, you just hold your txid at a single value and wait for the 16 bits to run out.  ;)
[17:06] <soren> ..until now.
[17:06]  * kees nods
[17:06] <kees> no one was thinking about the additional RR part, and no one was thinking about NXDOMAIN replies.
[17:09] <soren> Ok, so again... I don't think I get the significance of the source port.
[17:10] <soren> Are we changing from a static to a random souce port, or from a predictabe to a random source port?
[17:10] <soren> predictable, even.
[17:13] <soren> kees: ^ ?
[17:13] <soren> Tjah..
[17:13] <soren> Whoops
[17:17] <kees> soren: changing from static to random.
[17:17] <kees> without the correct srcport, the UDP packet will just be ignored.
[17:17] <soren> Sure, sure.
[17:18] <soren> I just thought the source port changed now, but according to what the kernel hands you (which is usually use previously_handed_out_portnr+1).
[17:18] <soren> and you just kept firing until you were lucky enough to hit it.
[17:19] <soren> If that was the case, I just wanted to hit someone over the head with my "Statistics and probability theory" book :)
[17:21] <kees> they were basically static in most implementations.
[17:21] <soren> Lovely.
[17:21] <soren> --
[17:22] <kees> as soon as it's random, we can hit them with your book.  :)
[17:22]  * soren calls it a day
[17:22] <soren> Bye all.
[17:22] <ScottK> My question still is how random is random enough?
[17:33] <heno> soren: could you look at bug 251473 ? It's making CD testing difficult
[20:16] <ScottK> lamont: Do you have an opinion on "How random is random enough" for the DNS cache poisoning attack?
[20:19] <lamont> ScottK: I know what the patch did for bind9
[20:19] <lamont> in terms of what algo they switched to
[20:19] <fujin> cripes it's hard to get an answer in #ubuntu. I've got an Edgy server which I need to upgrade, preferably to LTS. do-release-upgrade won't take me to feisty
[20:19] <lamont> rather, that's clear from the source - dunno off the top of my head
[20:19] <fujin> as the feisty source appears dead, too
[20:19] <lamont> fujin: sure it will.
[20:19] <lamont> you just have to beat it hard
[20:20] <fujin> oh?
[20:21] <ScottK> fujin: With the exception of when software RAID was involved, I've never had manually changing sources.list to the next release and then apt-get update && apt-get dist-upgrade cause any problems.
[20:21] <ScottK> It's totally unsupported however.
[20:21] <fujin> mm, was hoping to avoid that
[20:21] <fujin> ScottK: it's also worth nothign that the Edgy /and/ Feisty apt sources are dead now
[20:21] <ScottK> Feisty should still be fine.
[20:22] <lamont> 1) with old-releases.ubuntu.com in sources.list, wait until it asks you the question about "couldn't find any mirrors, do you want me to pretend yours are real?", then switch to another window and point sources.list at archive.u.c
[20:22] <fujin> getting a 404
[20:22] <fujin> because do-release-upgrade wants to munge my sources.list and puts in the default feisty ones, instead of old-releases feisty ones
[20:23]  * lamont sees feisty on archive.u.c
[20:23] <lamont> and I expect to keep seeing them until october
[20:23] <fujin> lamont: http://pastie.org/240537
[20:24] <lamont> right.  that's the point where you go change old-releases.u.c -> archive.u.c in sources.list in another window
[20:24] <fujin> ah.
[20:24] <kirkland> mathiaz: looks like we got an init script volunteer :-)  RoAkSoAx patched gdm
[20:24] <lamont> and before you run do-r-u, you make it be old-releases.u.c edgy
[20:25] <fujin> sorry, missed the "do that manually" step
[20:25] <fujin> thanks
[20:27] <fujin> that's pretty magical
[20:27] <fujin> god damn the previous sysadmin
[20:27] <fujin> installing point releases on boxes that should have lts
[20:28] <RoAkSoAx> kirkland, yes indeed!! my first contribution for the Server Team :)
[20:29] <RoAkSoAx> s/for/to
[20:29] <fujin> lamont: thanks a bunch dude, got it upgradin'
[20:30] <mathiaz> well - gdm is not really used on server....
[20:30]  * mathiaz is picky
[20:30] <mathiaz> RoAkSoAx: thanks for the help ! :)
[20:31] <kirkland> mathiaz: true, but the patch looks good, and is useful, though not a server package
[20:32] <RoAkSoAx> mathiaz, yeah i know is not used in server... but at least i've found something where i can contribute with th server team
[20:32] <kirkland> RoAkSoAx: right, fixing these init scripts is a Server Team initiative
[20:33] <kirkland> RoAkSoAx: perhaps you can ask mathiaz to choose his favorite server init script from the wiki page, and you can work on that one next?
[20:33] <RoAkSoAx> sure
[20:34] <RoAkSoAx> since i just started my MOTU Mentoring process is good to have easy things to do :)
[20:36] <mathiaz> RoAkSoAx: any init script will do - server or not ;)
[20:45] <RoAkSoAx> mathiaz, i'm already working on openvpn :)
[20:47] <RoAkSoAx> kirkland, got one question, openvpn seems to create multiple pid files for each VPN. Should the status action be added for each VPN or just to know if the service is running?
[20:48] <kirkland> RoAkSoAx: good question
[20:48] <kirkland> i wonder if anyone here is an openvpn expert....
[20:48]  * kirkland pulls the source
[20:48] <mathiaz> IIRC there will be multiple openvpn daemons for each config
[20:49] <mathiaz> but the init script supports starting multiple daemons
[20:49] <mathiaz> since the init script is supposed to start multiple services, using status should report if all of the daemons are running
[20:49] <kirkland> RoAkSoAx: right, i suggest looping over the set of pid's
[20:50] <RoAkSoAx> ok cool, will do :)
[20:50] <kirkland> RoAkSoAx: elsewhere in that init script, there's a loop over all pids
[20:54] <RoAkSoAx> kirkland, yeah, i was thinking to do something similar to this: http://pastebin.ubuntu.com/30066/ but i'll have to set a couple of configs and try it out
[20:56] <kirkland> RoAkSoAx: consider something more like http://pastebin.ubuntu.com/30067/
[20:56] <kirkland> RoAkSoAx: 2 changes....
[20:57] <kirkland> RoAkSoAx: awk instead of cut
[20:57] <kirkland> RoAkSoAx: and, more importantly, set status=$? if the return is not 0
[20:57] <kirkland> such that you continue over all pids
[20:57] <kirkland> and not exit immediately
[20:57] <nhandler> I am interested in helping to add a status functino to init scripts. Is there an updated list that shows what packages still need this function added? I know there is a wiki page as well as a LP bug. But I don't know which of these I should be looking at
[20:58] <kirkland> nhandler: the wiki page
[20:58] <kirkland> https://wiki.ubuntu.com/InitScriptStatusActions
[20:58] <RoAkSoAx> nhandler, https://wiki.ubuntu.com/InitScriptStatusActions
[20:58] <RoAkSoAx> kirkland, ok will do thanks :)
[21:11] <RoAkSoAx> kirkland, one more question (i'm also working on dhcdbd) and i was wondering why it shows the open: Permission denied: http://pastebin.ubuntu.com/30071/ (of course it doesn't when using sudo)
[21:12] <kirkland> RoAkSoAx: I've seen this in several places
[21:12] <nhandler> When running the tests on the wiki page, after we run the 'sudo sh debian/FOO.init start' (replacing FOO.init with the actual file) script, shouldn't the status action return 1?
[21:12] <kirkland> RoAkSoAx: elsewhere in the init script a file is being read that the current user doesn't have permission to read
[21:12] <kirkland> let me grab the source...
[21:14] <RoAkSoAx> kirkland, becuase, i believe this also happens with openssh-server (im doing it on intrepid alpha2) downloaded openssh-server source and tried it.. and it shows that aswell
[21:14] <kirkland> yes
[21:15] <kirkland> RoAkSoAx: ah, it has to do with permissions on the pidfile
[21:16] <RoAkSoAx> kirkland, so i just don't pay attention to it
[21:16] <RoAkSoAx> ?
[21:16] <kirkland> RoAkSoAx: you can use "sh -x" when testing
[21:16] <kirkland> RoAkSoAx: that'll print every line to the screen as it executes, in a debug mode
[21:17] <kirkland> RoAkSoAx: yes, non-root users will just have to cope with the error message
[21:17] <RoAkSoAx> kirkland, ok cool, I was just intrigued by that :)
[21:18] <kirkland> RoAkSoAx: it's a good question
[21:18] <kirkland> RoAkSoAx: and it would be nice if we could silence it
[21:19] <RoAkSoAx> kirkland, yeah, but we will limit the status action only for root users... right?
[21:19] <kirkland> i disagree.... i think anyone should be able to check the status of a service
[21:19] <kirkland> they just might have to endure other messages related to their not being root :-)
[21:20] <kirkland> RoAkSoAx: ultimately, status is just a really clean way of ps -ef | grep FOO
[21:22] <RoAkSoAx> kirkland, yes indeed, but may be kinda annoying having that message all the time... I wouldn't be surprised if someone files a bug related to that
[21:22] <RoAkSoAx> :)
[21:22] <kirkland> RoAkSoAx: actually, i'm seeing the bug right now....
[21:22] <kirkland> it's in /etc/lsb-base-logging.sh
[21:23] <nhandler> Could someone review this patch for brltty? I want to make sure I am actually patching this before I upload it to LP. Here is my debdiff: http://paste.ubuntu.com/30075/
[21:23] <kirkland> nhandler: why the Standards-Version: 3.8.0 bump?
[21:25] <nhandler> kirkland, Because 3.7.3 is outdated. Since we are already making a change to the package, I've been told we should bump the standards-version
[21:25] <kirkland> nhandler: interesting, okay, that's news to me
[21:25] <mathiaz> nhandler: did you check that the package complies to the 3.8.0 policy ?
[21:26] <ScottK> nhandler and kirkland: Only bump the standards version if you comply with the newer version of the policy.
[21:26] <nhandler> ScottK: By any chance do you have a list of changes between 3.7.3 and 3.8.0?
[21:26] <mathiaz> nhandler: ie that all changes that have been added in 3.8.0 version of the policy have been implemented in the package ?
[21:26] <mathiaz> nhandler: it's in the changelog usually
[21:27] <ScottK> The biggest one is the requirement for README.source in most cases if you've patched the upstream code.
[21:27] <kirkland> nhandler: fwiw, your patch looks good, minus the standards version bit.  i'll let ScottK and mathiaz advise you on that one...
[21:27] <nhandler> kirkland: Could you maybe explain what the tests on the wiki page are meant to output?
[21:28] <nhandler> ScottK: By that, do you mean that the source package must provide a readme?
[21:28] <kirkland> nhandler: one sec, i'll add them to the wiki page
[21:28] <nhandler> Thanks kirkland
[21:29] <ScottK> In most cases if there's a patch system in use, but read Debian Policy for details.
[21:29] <RoAkSoAx> kirkland, could you please take a look at: https://bugs.launchpad.net/ubuntu/+source/dhcdbd/+bug/251624 ? thanks! :)
[21:30] <mathiaz> nhandler: http://lists.debian.org/debian-devel-announce/2008/06/msg00001.html - for an overview of the changes in 3.8.0
[21:32] <mathiaz> nhandler: there is also a upgrading-checklist.txt.gz file in the debian-policy package
[21:36] <nhandler> Thanks a lot mathiaz. After reading through the changes, it looks to me like this package complies with the 3.8.0 policy.
[21:37] <kirkland> nhandler: done.  refresh that wiki page
[21:39] <nhandler> Well, I guess I did something wrong. I get no output when I run the start/stop commands. When I run 'sh debian/FOO.init status; echo $?', I get '0' as output
[21:40] <RoAkSoAx> nhandler, change FOO.init with the app init script name
[21:40] <nhandler> I did RoAkSoAx
[21:46] <kirkland> RoAkSoAx: btw, I have a fix for the open: error
[21:46] <kirkland> RoAkSoAx: it's in lsb
[21:46] <kirkland> RoAkSoAx: I'll file a bug and try to get it accepted
[21:47] <RoAkSoAx> kirkland, ok cool :) so no more annoying open: error :D
[21:47] <kirkland> nah, we'll get it fixed ;-)
[21:51] <RoAkSoAx> kirkland, i just suscribed dhcdbd to you and ubuntu-main-sponsors and updated the wikipage aswell. I'll work on openvpn later on.. now i gtg.. Thanks for your help :)
[21:51] <kirkland> RoAkSoAx: cool, thanks!
[21:52] <RoAkSoAx> np, I'm glad i finally had the change to contribute with the Server Team :)
[21:52] <RoAkSoAx> later
[21:52] <nhandler> So, any ideas why the tests are failing for me?
[22:01] <n-iCe> hello, I am installing ubuntu server, is there anyway to protect a ssh login? I mean to add the userlogin in a group and give him just access in one directory?
[22:01] <n-iCe> I don't want them to surf in the whole system
[22:08] <n-iCe> nobody?
[22:11] <ScottK> n-iCe: The short anwser to your question is yes.  The long answer of how, I don't have time to answer (and I'd have to research it in any case).
[22:11] <Kirill> I need to connect two locked down offices with Ubuntu servers through a Wide Area Network and allow file sharing -> Any ideas?
[22:12] <gouki> Kirill, VPN
[22:12] <Kirill> gouki -> Can you be on multiple VPNs at once?
[22:13] <gouki> Kirill, yes
[22:13] <n-iCe> ScottK: or any tutorial, or name, something? :D
[22:14] <Kirill> gouki -> Thank you, I'll go read up on that :)
[22:14] <ScottK> n-iCe: No.  Sorry.  I just know something like that can be done.
[22:14] <n-iCe> ScottK:  ok
[22:14] <n-iCe> thanks
[22:15] <gouki> Kirill, check openvpn
[22:15] <nhandler> Should I just upload the debdiff (http://paste.ubuntu.com/30075/) even if I can't get the tests to produce output?
[22:16] <Kirill> gouki -> Hmm, Vista support included with that one. That's +1 to Ubuntu vs. Windows SBS in the proposal
[22:17] <gouki> Kirill, that's good. Never worked with SBS though, even though I heard good things about it.
[22:17] <Kirill> gouki -> Can't live without Exchange and I can't get a good argument to try and use Linux alternatives for clients
[22:19] <gouki> Kirill, haven't used Exchange in 3 or 4 years. As for the clients, try 'money'. Licenses + DRM seems like a good argument.
[22:20] <Kirill> gouki -> That's always part of it but most Exchange alternatives aren't free and fall short in terms of functionality. Things like BlackBerry support for Linux (lack thereof) is also a deciding factor.
[22:20] <Kirill> BlackBerry Server*
[22:21] <gouki> Kirill, I understand
[22:22] <gouki> I never had specific needs that free software or open source couldn't fix.
[22:25] <Kirill> gouki -> I hope to be at that point one day (where I have a good list of polished open-source alternatives)
[23:09] <tacone> hello, I have some question about best practices in ssh automating.
[23:11] <tacone> I am writing a program to automatically connect to an ssh server. would be acceptable, under the security profile, to generate a certificate to avoid password request when making the ssh connection ?
[23:12] <soren> ScottK: From what I understand about the vulnerability, almost *any* amount of randomness is fine. As long as it's not static, I think you'll be fine.
[23:16] <ScottK> soren: Thanks.
[23:26] <Kirill> is it a good idea to have a firewall between a Ubuntu server and the open Internet?
[23:26] <Kirill> or can I just use the firewall in Ubuntu?
[23:29] <hads> Kirill: Yes it's a good idea to have a firewall but what's built in (IPTables) will do fine.
[23:29] <n-iCe> can anyone help me wih chroot?