=== freaky[t] is now known as fReAkY[t] | ||
cotton | hello, is there a possibility to install X and pekwm on ubuntu server? is it too complicated? thanks. | 00:19 |
kgoetz | yes its possible, and you should probably ask #ubuntu how | 00:28 |
soren | pschulz01: What are you trying to do? | 00:32 |
pschulz01 | soren: Putting together a question now :-) | 00:36 |
pschulz01 | https://answers.launchpad.net/ubuntu/+question/43886 | 00:36 |
pschulz01 | soren: Does that make sense? | 00:36 |
soren | pschulz01: Yes. | 00:38 |
soren | pschulz01: Did you take a look at the always_bcc option? | 00:38 |
soren | pschulz01: Alternatively, recipient_bcc_maps might be of use. | 00:38 |
pschulz01 | Oooo.... sounds useful :-) | 00:39 |
pschulz01 | Should be more robust if I can move it to 'postfix'. | 00:39 |
soren | pschulz01: You could probably abuse postfix-pcre to do the mapping. | 00:59 |
pschulz01 | soren: yeah. The 'really' painful thing about this is that I need to keep 'procmail' as the local delivery agent, as a couple of users are using it. | 01:01 |
soren | pschulz01: Is that a problem? | 01:07 |
soren | pschulz01: I'm a bit sleepy, so please bear with me :) | 01:07 |
pschulz01 | soren: Um.. just means that I can't just disable procmail delivery and let postfix do it.. 'cause my users want their procmail rules to work. | 01:12 |
pschulz01 | soren: The main problem with the second option, is that procmail barfs on some emails.. and I haven't been able to work out why. | 01:13 |
pschulz01 | soren: I'm going to just do some reading for a while... no huge rush. | 01:14 |
soren | I've never seen procmail fail like that, and I've filtered quite a few e-mail with procmail in my time :) | 01:18 |
soren | Just for one of my own e-mail accounts I've filtered about a million e-mails since January 2006, and that has never happened to me. | 01:20 |
pschulz01 | soren: That's what's confusing me as well.. | 01:22 |
pschulz01 | soren: I was initially seeing things like.. | 01:23 |
pschulz01 | Command | 01:23 |
pschulz01 | died with signal 11: "/usr/bin/procmail". Command output: procmail: | 01:23 |
pschulz01 | Exceeded LINEBUF | 01:23 |
pschulz01 | .. but I've upped the LINEBUF variable, and it still happens. | 01:23 |
soren | Do you have an e-mail that reliably reproduces it? | 01:24 |
pschulz01 | soren: No.. that's the next step, but it's a little tricky.. cause they get bounced. | 01:26 |
soren | pschulz01: Set soft_bounce = yes. | 01:27 |
pschulz01 | soren: Looks like I can get users to make use of their '.forward' file to run their procmail scripts.. rather than running a global one.. | 01:27 |
soren | pschulz01: Yeah, that's the way it was done back in the ol' days. :) | 01:28 |
pschulz01 | soren: .. takes me back. | 01:28 |
soren | Yeah, me too. | 01:29 |
soren | ...to the pain and suffering of being an HP-UX admin. | 01:29 |
* soren is never going back there | 01:29 | |
nxvl | soren: why? | 01:44 |
soren | Why what? Why I'm not going back to HP-UX? | 01:45 |
pschulz01 | nxvl: believe me... we live in a much better time. | 01:45 |
nxvl | soren: oh! i didn't know what you were talking about, but found it funny to ask | 01:45 |
soren | :) | 01:46 |
nxvl | i'm kind of bored in a software engineering class | 01:46 |
soren | The *only* positive thing I have to say about HP-UX is that it's where LVM came from. | 01:46 |
soren | Gerh, I should really go to bed. | 01:46 |
pschulz01 | soren: Ever have to deal with AIX? | 01:46 |
pschulz01 | soren: go go go | 01:46 |
nxvl | pschulz01: i have used solaris on a sparc machine | 01:46 |
soren | pschulz01: Never had the "pleasure", no. | 01:46 |
pschulz01 | soren: :-) | 01:47 |
* soren wanders off for bed. | 01:47 | |
soren | Take care, folks. | 01:47 |
nxvl | soren: sleep tight! | 01:47 |
nxvl | soren: see you at "the office" | 01:47 |
nxvl | :P | 01:47 |
D3RGPS31 | Where do I place library files for LAMP webserver? (eg, libgd.so.2.0.0) | 03:11 |
kgoetz | why do you want to install the file by hand? | 03:12 |
D3RGPS31 | I just switched from xampp to lamp, I just assume that's how it's done | 03:13 |
* kgoetz googles xampp | 03:14 | |
kgoetz | D3RGPS31: i suggest you install one of the packages listed on here: http://packages.ubuntu.com/search?searchon=contents&keywords=libgd.so.2.0.0&mode=exactfilename&suite=hardy&arch=any | 03:14 |
kgoetz | assuming you run 8.04 of course | 03:14 |
D3RGPS31 | If that package was installed before switching to lamp, should I reinstall it? | 03:15 |
kgoetz | if you installed it from the ubuntu repositories you shouldnt have to, no | 03:15 |
D3RGPS31 | Would install by tasksel be the same? | 03:17 |
kgoetz | yes, tasksel should use the ubuntu repos | 03:18 |
D3RGPS31 | Then they're both installed through the repository | 03:18 |
D3RGPS31 | So, what can I do? | 03:22 |
lukehasnoname | How's UFW integration coming? Is it completed? | 03:34 |
=== lamont` is now known as lamont | ||
Derander | I'm using postfix/dovecot. I'm authenticating off of a fake users file in /etc/dovecot/users. Users are like 'name@domain.tld'. Is there a way to alias a user between two domains? I'd like name1@domain.com to deliver to name1@domain2.com | 08:15 |
D3RGPS31 | Can I use htaccess password authentication with SSL? | 08:40 |
kgoetz | yes | 08:41 |
D3RGPS31 | Does it require anything different from the norm? | 08:41 |
kgoetz | for what value of 'norm'? | 08:42 |
kgoetz | you'll need ssl certs at least | 08:42 |
D3RGPS31 | have SSL set up, but my htaccess doesn't work now (after I set SSL for a certain web folder) | 08:44 |
kgoetz | what does "doesnt work" mean exactly? | 08:44 |
Derander | Alright, I'm confused. I'm running a mailserver with postfix/dovecot and ssl. I have an ssl cert that works for domain1, for some reason it also works for domain2 but it does not work for domain3 | 08:44 |
D3RGPS31 | I'm not prompted to type in a name//password | 08:44 |
D3RGPS31 | but I was when it didn't have SSL set on it | 08:45 |
kgoetz | ... are we talking htaccess or email here? | 08:45 |
D3RGPS31 | htaccess | 08:45 |
kgoetz | how did the email come into it? | 08:45 |
D3RGPS31 | email? | 08:46 |
Derander | kgoetz I think you're confusing me with him. | 08:46 |
D3RGPS31 | Derander is talking about email >.> | 08:46 |
D3RGPS31 | xD | 08:46 |
kgoetz | Derander: so i am :) | 08:46 |
kgoetz | :x | 08:46 |
D3RGPS31 | sorry for not going into decent detail, been drinking coffee for once, kinda clouding my thoughts | 08:47 |
* kgoetz is currently fighting apache, so not in the greatest mood himself ;) | 08:49 | |
D3RGPS31 | Let's say I used htaccess for a http virtualhost on port 70, then i switched that to https, would the htaccess require something different >.> | 08:51 |
kgoetz | D3RGPS31: 'switched to https' how? | 08:53 |
kgoetz | using a virtualhost to redirect? | 08:53 |
D3RGPS31 | I don't know if redirect is the right word | 08:55 |
D3RGPS31 | eg. port 80 with just http set to /var/80, port 70 with SSL to port /var/80? | 08:57 |
* kgoetz suspects that didnt come out right ...? | 08:57 | |
D3RGPS31 | port 70 set to /var/80? * | 08:57 |
kgoetz | D3RGPS31: pastebin your vhost configuration. i cant work out what you're doing | 08:58 |
D3RGPS31 | http://pastebin.com/d5430cc9b for non-SSL; http://pastebin.com/d7d74936a for SSL; I use two separate vhost files | 09:02 |
kgoetz | i dont see a redirect taking place *g* | 09:05 |
D3RGPS31 | I didn't understand what was meant by redirect | 09:06 |
kgoetz | D3RGPS31: http://www.maincontent.net/examplehttpd.txt look at this for an example | 09:08 |
D3RGPS31 | so port 80 and port 443 point to the same directory? | 09:11 |
kgoetz | 80 doesnt point to a directory at all | 09:11 |
kgoetz | it just points to port 443 | 09:11 |
D3RGPS31 | ah! | 09:12 |
D3RGPS31 | but, what's stopping an authentication prompt from popping up under my SSL connection | 09:15 |
kgoetz | i didnt see a prompt for it | 09:15 |
D3RGPS31 | it's in the htaccess file, that's in my /var/70 directory | 09:15 |
kgoetz | then its probably an error in your htaccess file. have you checked your logs? | 09:16 |
D3RGPS31 | checking! | 09:16 |
* delcoyote hi | 09:18 | |
moldy | hi | 09:21 |
kraut | moin | 09:23 |
moldy | can i avoid that .gvfs stuff somehow? when root tries to read it, he gets permissions errors. that crap is making my cronjobs fail... | 09:23 |
D3RGPS31 | I see nothing about htaccess in the logs, it works without SSL but not with SSL | 09:25 |
broonie | siretart: Not specifically; bug 252499 is probably the nearest | 10:00 |
uvirtbot` | Launchpad bug 252499 in nis "When nis server is not reachable during startup, system gets very slow and HAL fails to initialise" [Undecided,New] https://launchpad.net/bugs/252499 | 10:00 |
soren | moldy_: You have cronjobs failing because root can't read .gvfs? What exactly are these cronjobs trying to do? | 10:15 |
jpds | How can I find out what my gateway ip is from the terminal? | 10:25 |
DiesIrae | jpds: /sbin/ip route show 0/0 | 10:29 |
jpds | DiesIrae: Thanks! | 10:30 |
DiesIrae | you're welcome | 10:32 |
moldy_ | soren: different stuff | 10:35 |
moldy_ | soren: doing backups (rsnapshot), and other maintenance stuff on users' homedirs | 10:36 |
moldy_ | i know how to work around it, but i would like a solution instead of a workaround | 10:36 |
moldy_ | what is the rationale of root not being able to read stuff? | 10:36 |
soren | That's the way fuse works. | 10:37 |
moldy_ | hmm, that sucks. | 10:37 |
soren | moldy_: https://bugs.edge.launchpad.net/ubuntu/+source/rsnapshot/+bug/247777 | 10:38 |
uvirtbot` | Launchpad bug 247777 in rsnapshot "the .gvfs directory in a user's home directory causes rsnapshot to take an incorrect backup (dup-of: 225361)" [Undecided,Invalid] | 10:38 |
uvirtbot` | Launchpad bug 225361 in gvfs "Superuser cannot access ~/.gvfs folder when mounted " [Medium,Triaged] | 10:38 |
soren | uvirtbot`: nick uvirtbot | 10:39 |
=== uvirtbot` is now known as uvirtbot | ||
moldy_ | what does "triaged" mean? | 10:39 |
moldy_ | anyway, i guess i have to adjust my cronjobs and just wait for a fix... | 10:41 |
hads | Triaged as in; looked at, noticed and prioritised. | 10:44 |
moldy_ | ok, thanks | 10:45 |
soren | moldy_: What is your workaround? "--exclude .gvfs"? | 10:47 |
soren | moldy_: -x, perhaps? | 10:47 |
moldy_ | soren: yep | 10:51 |
moldy_ | soren: for rsync/rsnapshot, i use exclude | 10:51 |
moldy_ | other scripts do similar stuff, or they unmount the thing | 10:51 |
moldy_ | i have one script that deletes and recreates certain home directories every hour | 10:51 |
soren | Is it really your intention to backup stuff under .gvfs? | 10:52 |
moldy_ | no | 10:52 |
moldy_ | for backups, i exclude it | 10:52 |
soren | Then what would be "a fix" to you? | 10:52 |
moldy_ | the proper fix IMHO is to make it accessible by root | 10:52 |
soren | Err... | 10:52 |
soren | You *just* said you don't want to back it up. | 10:53 |
moldy_ | so? | 10:53 |
soren | ...so you want to --exclude it anyway. | 10:53 |
moldy_ | yes | 10:53 |
moldy_ | but it is brain-damaged that every backup routine on the planet should be adjusted to gvfs | 10:53 |
soren | think of it this way: | 10:54 |
moldy_ | the point is not whether it is backed up or not, the point is that it makes the backup routines appear to *fail* | 10:54 |
soren | If gvfs (actually fuse) didn't act this way, you'd be backing up *anything* *any* user might have mounted using gvfs. | 10:54 |
moldy_ | that's my decision to make, not gvfs's | 10:54 |
moldy_ | and backups are not the only concern here | 10:55 |
moldy_ | if some maintenance script does e.g. a find on a user's home dir, it will get messed up because find will return an error because it cannot read gvfs | 10:56 |
moldy_ | people assume that root is able to read everything in users' home dirs | 10:57 |
moldy_ | if your system uses gvfs, you now have to special-case it everywhere | 10:57 |
soren | I know. | 10:57 |
moldy_ | the alternative is to ignore *all* such errors, which is also often undesirable | 10:58 |
soren | ...I firmly believe that that is the case anyway. | 10:58 |
moldy_ | $home is completely the wrong place to put such stuff then, imo | 10:58 |
soren | It belongs to the use? | 10:58 |
soren | user? | 10:58 |
moldy_ | so what | 10:58 |
moldy_ | put it in /tmp | 10:59 |
soren | That also sounds a bit counterintuitive. | 11:00 |
moldy_ | i think it is a lot less counterintuitive than root not being able to read stuff in /home :) | 11:02 |
soren | moldy_: Perhaps. In any case, I suggest you talk to the desktop guys. gvfs is their terriroty. | 11:03 |
soren | territory, I mean. | 11:03 |
moldy_ | well, the bug is already reported, i guess i should just wait | 11:04 |
=== Bambi_BOFH is now known as Kamping_Kaiser | ||
nxvl | good morning | 12:50 |
soren | Hey, nxvl. | 12:51 |
nxvl | soren: hi! how are you? | 12:53 |
soren | nxvl: Pretty good. A bit sleepy, though. I'm trying to cut down on coffee. | 13:04 |
nxvl | soren: yeah i will go for some caffeine in a bit | 13:05 |
nxvl | :D | 13:05 |
zul | morning | 13:10 |
Dedi | LARTC - want to limit all upload from a specific ip to 20kb/s. anyone that knows it and wants to save me a lot of time reading into this topic? :D | 13:10 |
andrethehook | While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) | 13:27 |
Dedi | andrethehook: i had to edit the mysql config and comment out a line.. just dont know which it was | 13:33 |
Dedi | something starting with p | 13:33 |
andrethehook | Dedi: thanks, i'll look into it :) | 13:39 |
andrethehook | Dedi: same problem btw? | 13:39 |
Dedi | andrethehook: hm i had something like that while upgrading. but that was with intrepid | 13:41 |
nxvl | soren: btw, did you finally manage to include the python rewrite into intrepid? | 13:53 |
nxvl | managed* | 13:53 |
soren | nxvl: The source package was accepted, but the binary is still stuck in the NEW queue. | 13:59 |
soren | nxvl: But in short: Yes, I did :) | 13:59 |
nxvl | \o/ | 13:59 |
soren | But please keep this to yourself. Otherwise I won't have anything useful to say at the meeting today. :) | 14:00 |
nxvl | heh | 14:00 |
nxvl | :D | 14:00 |
nxvl | ok | 14:00 |
ScottK | lamont: Having fun with the new postfix update yet? | 14:10 |
lamont | ScottK: ah cool, it is out. | 14:12 |
lamont | I still have a little bit of a dance to do - I just got the final version yesterday. | 14:13 |
andrethehook | While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) may it be an error in the initscript? | 14:13 |
andrethehook | or maybe a bug? | 14:13 |
lamont | ScottK: now I just need to decide if intrepid cares enough to have an upload before I sync from debian... | 14:34 |
ScottK | I'd think not. | 14:36 |
ScottK | lamont: My 'fun' thing for the day was finding out at midnight last night that all of KDE4 needed to be reuploaded and built before alpha5 and Riddell is on vacation. | 14:37 |
ScottK | There aren't many Kubuntu core-dev, so I was up a bit late. | 14:37 |
ScottK | I'm going to take a nap. | 14:37 |
byte_slave | Hi everyone! | 14:38 |
byte_slave | i don't know what i did, but ubuntu 8.04 simply doesn't accept any login and has something new in the login screen such as "Ubuntu intrepid (development branch) <mymachinename> tty1" | 14:40 |
lamont | hrm.. I guess if I request a sync, I should at least upload the package.. . :-) | 14:40 |
byte_slave | the last thing i did was playing with samba + win active directory integration | 14:40 |
lamont | byte_slave: you're not running 8.04 if it says 'intrepid' | 14:41 |
byte_slave | the base installation was 8.04 and now is Intrepid (the new ubuntu release, right?). it was a process that made some core updates without warning me | 14:42 |
uvirtbot | New bug: #264004 in postfix (main) "Please sync postfix 2.5.4-1 (main) from Debian unstable (main)." [Wishlist,Confirmed] https://launchpad.net/bugs/264004 | 14:46 |
lamont | you upgraded from a stable long-term-support to an unsupported development release... of course things break :-( | 14:47 |
lamont | OTOH, it should work.. so bugs should be filed when you figure out why they broke | 14:48 |
byte_slave | lamont, ok. you think some process inside must be programmed to go to the web and update without asking? | 14:58 |
byte_slave | because i didn't do anything, not even a single apt-get upgrade-distro or whatever | 14:59 |
lamont | nf | 14:59 |
lamont | no ideas | 14:59 |
byte_slave | dammit, what happened with my happy box? | 15:00 |
byte_slave | well, i'll try to google for some more info.. and see if i can do a | 15:01 |
byte_slave | an easy downgrade | 15:01 |
=== S^n1x is now known as Shanix | ||
zul | meeting in 10 minutes? | 15:49 |
nijaba | zul: yes indeed | 15:53 |
=== andrethehook is now known as twoSharp | ||
soren | nijaba: Note: I'm moving the vmbuilder code. | 17:01 |
nijaba | soren: np, thanks for letting me know | 17:01 |
soren | nijaba: There. Moved from https://code.edge.launchpad.net/~ubuntu-virt/ubuntu-jeos/python-rewrite to https://code.edge.launchpad.net/~ubuntu-virt/vmbuilder/trunk | 17:02 |
_ruben | grr .. perl on this box is still "confused" .. http://paste.ubuntu.com/42739/ | 17:15 |
uvirtbot | New bug: #263178 in postfix (main) "package postfix 2.5.1-2ubuntu1.1 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/263178 | 17:36 |
lamont | meh | 17:37 |
jameswf-home | okay holiday is over anyone alive? | 18:18 |
didrocks | jdstrand: around? | 18:40 |
jdstrand | didrocks: yep, hi | 18:40 |
didrocks | Hi :) | 18:40 |
didrocks | 1/ thanks for the hug :) | 18:40 |
didrocks | 2/ I am sorry, I just had the time to look at the case insensitive trick in ufw | 18:40 |
didrocks | it was quite easy I think, and I made yesterday a branch from your trunk and normally achieved it | 18:41 |
didrocks | (bzr is very cool, btw) | 18:41 |
jdstrand | didrocks: I only looked at the bug briefly a few minutes ago | 18:41 |
jdstrand | didrocks: thanks for the patch :) did you run 'run_tests.sh' after the patch? | 18:42 |
didrocks | hum, no, what is it? :) | 18:42 |
jdstrand | (or build the package-- it's run there) | 18:42 |
didrocks | oh, I just rerun it dynamically | 18:42 |
didrocks | Indeed, I have made some symlink to my branch in intrepid | 18:43 |
didrocks | python rocks for that :) | 18:43 |
jdstrand | it's a collection of tests to make sure everything is still working ok | 18:43 |
didrocks | (I just symlinked application.py and frontend.py) | 18:43 |
didrocks | Ok, I give it a try now | 18:43 |
didrocks | does ufw have to be set up or can I just run it in my branch? | 18:44 |
jdstrand | didrocks: just './run_tests.sh -s' from the top of your branch | 18:44 |
didrocks | ok, there is some fails. I have to compare it to your trink :) | 18:45 |
didrocks | (on --dry-run, specifically) | 18:45 |
didrocks | trink/trunk | 18:45 |
didrocks | jdstrand: so, I corrected the errors. I am just trying to setup my VM up again (seems to be broken) to perform some manual tests | 19:31 |
* jdstrand nods | 19:38 | |
=== p0w4h` is now known as p0w4h | ||
=== emgent`NL is now known as emgent`nl | ||
mathiaz | kees: do you have a wiki page or blog post where you've explained/tracked your PIE work ? | 20:14 |
didrocks | jdstrand: I finally got my vm working by deactivating acpi. So, I made some tests and it is ok. I pushed a new revision in my branch | 20:14 |
jdstrand | didrocks: thanks | 20:14 |
jdstrand | :) | 20:14 |
mathiaz | kees: I'm writing up a post about what has been done in the archive in august and some of them are related to your work on PIE | 20:15 |
kees | mathiaz: well... it's a bit scattered. | 20:15 |
didrocks | jdstrand: I will have a look at your test shell to add non regression for case insensitive, if possible :) | 20:15 |
mathiaz | kees: did you try to rebuild all of the archive with PIE enabled ? | 20:16 |
kees | mathiaz: I did, yeah. that was back in hardy though. | 20:16 |
mathiaz | kees: ok - so rather than enabling pie in the default build, it has been decided at UDS that PIE would be enabled on a per package basis | 20:17 |
mathiaz | kees: ? | 20:17 |
kees | mathiaz: PIE is mentioned here... http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/ http://wiki.debian.org/Hardening | 20:17 |
kees | mathiaz: that's correct | 20:18 |
mathiaz | kees: and in order to enable PIE, a dependency on hardening-wrapper is added to the package | 20:18 |
mathiaz | kees: whereas all the other hardening things have been enabled directly in the compiler | 20:19 |
kees | mathiaz: well, there is what I'd call "native" PIE (see openssh and samba), and "wrapper" PIE. In the case of the wrapper, two things are needed: the hardening-wrapper build-dep and "export DEB_BUILD_HARDENING=1" in the debian/rules file | 20:19 |
kees | mathiaz: right, which are documented here: https://wiki.ubuntu.com/CompilerFlags | 20:19 |
mathiaz | kees: and native PIE is when the upstream source code directly support PIE ? | 20:20 |
kees | mathiaz: well, either upstream directly (samba's "--enable-pie") or via the packaging which passes the options in to the native build process (openssh) | 20:21 |
mathiaz | kees: ok - thanks for your input | 20:21 |
mathiaz | kees: that should be enough for the blog post | 20:21 |
kees | mathiaz: sure! sorry I haven't kept the PIE details in a single place. :P | 20:22 |
mathiaz | kees: would you consider that PIE is the last point on your hardening list ? | 20:22 |
fReAkY[t] | hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year? | 20:23 |
kees | mathiaz: there is one more, which is pretty minor, but is similar to PIE in that I'd like to do it on a per-package basis: "-Wl,-z,now" | 20:23 |
kees | mathiaz: but I'd like to wait until intrepid+1 for that, since it depends on the intrepid -Wl,-z,relro change | 20:23 |
=== leonel_ is now known as leonel | ||
leonel | hello .. will tomcat6 be moved to MAIN ?? | 20:28 |
mathiaz | leonel: it's the plan | 20:28 |
leonel | mathiaz: anything I can help ?? | 20:28 |
mathiaz | leonel: MIR have been written and the goal is to add a task during the installation | 20:28 |
leonel | mathiaz: ok .. | 20:29 |
mathiaz | leonel: from a development POV not really. However testing is always very welcomed. | 20:29 |
mathiaz | kees: the vast majority of packages would require the use of the hardening-wrapper to enable PIE rather than native support ? | 20:30 |
kees | mathiaz: it is by far the simplest approach -- there are two complexities in doing PIE via packaging changes: a) detecting the arch and disabling PIE on arch that don't support it, b) successfully plumbing the CFLAG and final link flags down into the upstream build system. | 20:32 |
kees | mathiaz: very few upstreams have knowledge of PIE already (frankly, prior to last week, I would have said "none", but samba actually does have it) | 20:32 |
NCommander | kees, the problem is that PIE code in GCC historically has had issues | 20:39 |
NCommander | kees, especially late 2.x series and 3.x on PowerPC and m68k, -pie would sometimes generate non-working code | 20:39 |
NCommander | kees, and on x86, the performance hit is large enough that unless you have a very fast machine, it hurts :-/ | 20:40 |
kees | NCommander: ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:arm:)) | 20:40 |
NCommander | kees, what's that from, samba? | 20:40 |
kees | yawp. totally disabled on m68k, hppa, arm. | 20:40 |
kees | NCommander: that's from hardening-wrapper | 20:40 |
NCommander | We finally got pie fixed in the 4.x series | 20:40 |
NCommander | But PIE is slow slow | 20:40 |
NCommander | (go try gentoo with it on and off, it's a notable difference on x86) | 20:41 |
kees | NCommander: PIE is only slow with arch that have very few general registers (ia32) | 20:41 |
NCommander | Right | 20:41 |
NCommander | x86 | 20:41 |
kees | NCommander: there was virtually no measurable change on x86_64. | 20:41 |
NCommander | I know | 20:41 |
NCommander | I said it was just x86 | 20:41 |
kees | yeah, totally agreed. | 20:41 |
NCommander | I was just noting GCC has a bad track record with PIE | 20:41 |
kees | GDB's is worse. ;) | 20:42 |
kees | No better way to find bugs than to use a buggy feature. ;) | 20:42 |
NCommander | My first thought when I looked at the MySQL build failures was that PIE was generating bad code, not slowing down MySQL to the point of failing its test suites | 20:42 |
kees | NCommander: I'd agree with that. When I narrowed down the mysql issue, it was segv'ing the server in exactly _1_ test. | 20:42 |
kees | which, I find to be rather scary. | 20:43 |
NCommander | Like I said, I've always been wary of PIE with GCC | 20:43 |
kees | yeah, hence this gradual approach. | 20:43 |
NCommander | And Microsoft went as far as disallowing position independent code with their compilers | 20:43 |
kees | on the other hand, lots of stuff has been PIE in RHEL/Fedora for a while now. | 20:43 |
NCommander | (its sorta amazing/scary how they implemented shared libraries without PIC code) | 20:43 |
NCommander | obviously not mysql :-) | 20:44 |
NCommander | TBH, mysql does some rather stupid code tricks, so it doesn't shock me so much that you get issues with it | 20:44 |
kees | for intrepid+1, I'm pondering enabling PIE for all of x86_64 and seeing what burns down. I suspect it will be my house, care of doko. :) | 20:46 |
NCommander | kees, I've got an Ubuntu x86_64 buildd setup | 20:47 |
NCommander | Once the archive enters final freeze, I don't mind running the entire archive compile end to end | 20:47 |
NCommander | (probably will take a week or two to finish) | 20:47 |
kees | NCommander: two people doing it is better than one. :) I've not tried doing universe, but I've done full main rebuilds in about 2 days. | 20:48 |
kees | the issue I may hit is that of space. I hadn't been saving the .debs | 20:48 |
NCommander | Its just a matter of catching build failures | 20:48 |
NCommander | But if you want, I have a 500GB hardddrive | 20:48 |
kees | this time, if I save the debs and shove the updates into a VM, it'll be interesting to see the results. | 20:48 |
NCommander | and a dak installation already on it :-) | 20:48 |
kees | heh. | 20:48 |
NCommander | Yeah, the only "fun" part with dak is setting overrides | 20:49 |
NCommander | But I can just grab the ones from Debian | 20:49 |
kees | yeah | 20:49 |
NCommander | When do we hit the freeze date? | 20:49 |
NCommander | (or would you like to rebuild the archive sooner than that ;-)) | 20:49 |
kees | last thursday. ;) | 20:49 |
NCommander | I mean final freeze/hard freeze | 20:49 |
kees | looks like oct 30 | 20:50 |
NCommander | That far away? | 20:50 |
NCommander | Damn | 20:50 |
kees | https://wiki.ubuntu.com/IntrepidReleaseSchedule | 20:50 |
NCommander | kees, do you use Soyuz as your buildd, or the Debian w-b/buildd combo | 20:50 |
kees | I actually use sbuild for local testing | 20:51 |
NCommander | for rebuilding the entire archive? | 20:51 |
NCommander | (buildd uses sbuild internally) | 20:51 |
kees | yeah. | 20:51 |
NCommander | Ouch | 20:51 |
NCommander | I'm not that crazy | 20:51 |
kees | it's a pretty simple script. | 20:51 |
NCommander | I actually use a wanna-build/buildd/sbuild combo | 20:51 |
NCommander | Yeah, but no load balancing ;-) | 20:51 |
kees | I just beat my desktop to death for a day or so. :P | 20:52 |
kees | usually start it friday night | 20:52 |
NCommander | yeah, but if you have someone helping you with universe ... | 20:52 |
NCommander | kees, well, its an interesting experiment at any rate which I'd like to help do ;-) | 20:53 |
NCommander | I've got to run, but we'll talk later | 20:54 |
kees | NCommander: cool, thanks, cya | 20:54 |
NCommander | kees, you still around? | 21:08 |
kees | oops, he vanished. | 21:08 |
=== mcasadevall_ is now known as NCommander | ||
NCommander | kees, you still around? | 21:09 |
NCommander | kees, :-P | 21:09 |
NCommander | -NickServ- You may not ghost yourself. | 21:09 |
NCommander | Nickserv is lagging | 21:09 |
kees | NCommander: yawp | 21:09 |
NCommander | would you like to write up a spec on building amd64 with PIE and see how the archive explodes? | 21:10 |
kees | NCommander: sure, I'll certainly do that when we start the spec-writing surge for intrepid+1 | 21:11 |
* NCommander would like to see the hardening also tested on ia64, sparc, and powerpc | 21:11 | |
NCommander | Oh, so you want to wait until after intrepid is released for this experiment? | 21:11 |
kees | NCommander: I suppose I could write the spec any time. :) | 21:12 |
kees | NCommander: I'll do it this week and blog about it. | 21:12 |
NCommander | Well, I'll write the spec, but I mean when would you want to do the experiment | 21:12 |
NCommander | (two computers could grind through main in less than a day, universe will take longer though) | 21:12 |
kees | experiment could be done any time. | 21:12 |
* NCommander pops up the wiki | 21:12 | |
* NCommander cricks neck | 21:13 | |
NCommander | I've got amd64, and powerpc hardware. Want to donate some sparc to the cause | 21:13 |
kees | I'm really only interested in amd64 myself. | 21:13 |
NCommander | I'm just noting the more common server architectures | 21:14 |
kees | NCommander: so should I write the spec, or are you already doing it? | 21:14 |
NCommander | Assuming I can kick the wiki alive | 21:14 |
* kees nods | 21:14 | |
NCommander | kees, think we could convince Canonical to let you have intrepid+1 build with PIE/hardening on by default? | 21:17 |
kees | NCommander: well not specific to Canonical, but that's the goal. | 21:17 |
kees | NCommander: I'm adding the spec now.. (on LP) | 21:17 |
NCommander | I'm writing the basis of the wiki entry, you'll have to flesh it out somewhat | 21:18 |
NCommander | Maybe ask Canonical to add a new distribution - Ubuntu Hardened, with everything compiled with hardened wrapper | 21:18 |
Deeps | hardbuntu | 21:19 |
kees | NCommander: the overhead for that is huge. besides, everything is compiled with all the hardening options (excepting PIE) in intrepid. | 21:19 |
NCommander | I didn't know that | 21:19 |
NCommander | Deeps, I think a less suggestive name would be in order ;-) | 21:20 |
kees | NCommander: yeah, that was my goal for intrepid: https://wiki.ubuntu.com/CompilerFlags | 21:20 |
NCommander | kees, it would just be additional load on the buildds, but it shouldn't be so hard to get launchpad extended in such a manner | 21:20 |
kees | NCommander: okay, BP registered: https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default | 21:20 |
kees | NCommander: it would double the size of the amd64 archive. :P | 21:20 |
NCommander | What's another 20GB? | 21:21 |
NCommander | (which is the size of the amd64 archive) | 21:21 |
kees | it could be done via PPA too | 21:22 |
NCommander | yay, 1GB limitations :-) | 21:22 |
NCommander | And it would require manually tweaking each control file, I just want to install hardening-wrapper right into the chroot so I don't need to manually set it | 21:22 |
kees | oh, is there really a size limit on PPAs? | 21:22 |
arakthor | what does PIE do? | 21:22 |
NCommander | kees, 1GB | 21:23 |
NCommander | arakthor, it causes code to be position independent | 21:23 |
kees | arakthor: makes the program relocatable in memory. then combined with kernel ASLR, the program loads to different locations each time. | 21:23 |
arakthor | gotcha | 21:23 |
kees | arakthor: that makes it harder to exploit a memory corruption vulnerability. | 21:23 |
arakthor | yup | 21:24 |
NCommander | kees, https://wiki.ubuntu.com/PIEExperimentSpec#preview | 21:25 |
NCommander | The problem is PIE historically has had some issues in GCC, and due to the "design" of the x86 architecture, has a speed hit on that architecture | 21:26 |
NCommander | (x86_64 is spared from that issue by being 64 bit and having more general purpose registers) | 21:26 |
didrocks | jdstrand: you don't delete $testdir/testarea if we interrupt your test script. Is that what you want? (hum, you remove it at the end, so, ok, you don't want to push your branch if you had to interrupt the script. That makes sense.) | 21:28 |
NCommander | kees, how fast is your amd64? | 21:28 |
jdstrand | didrocks: yes | 21:29 |
kees | NCommander: 2.40GHz 4-way with 8G RAM | 21:29 |
NCommander | kees, slaughters my box | 21:30 |
* jdstrand drools over kees' RAM | 21:30 | |
NCommander | 2.30Ghz dual core, 2G RAM | 21:30 |
kees | NCommander: my job is doing lots of compiles. :) | 21:30 |
NCommander | kees, that machine might have a qmail security bug on it ;-) | 21:30 |
* kees lucky and does not run qmail :) | 21:30 | |
NCommander | kees, well, you can use rebuildd, or if you want to load balance and get people to help build, set up a buildd cluster ;-) | 21:32 |
fReAkY[t] | hi all. I have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can I change that to be valid for 1 year? | 21:32 |
NCommander | kees, rebuildd gets you something nice like this: http://builder.ubuntuwire.com:9998/dist/intrepid/arch/i386 | 21:32 |
NCommander | actually, rebuildd has load balancing :-) (more than one host can build at a time) | 21:34 |
=== PrivateVoid is now known as PV_Away | ||
gegema | Is editing /etc/network/interfaces the best approach to setup my ubuntu server to use a static IP (instead of DHCP)? | 21:41 |
arakthor | I think it is | 21:43 |
jmedina | gegema: always use static on servers; if your dhcp server goes down, your users are not going to be able to reach the server, unless you use a really big lease time, but that is hard | 21:43 |
gegema | Will do - Thanks! | 21:47 |
fReAkY[t] | hi all. I have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can I change that to be valid for 1 year? | 21:50 |
NCommander | fReAkY[t], you can't, you need to generate a new certificate | 22:00 |
fReAkY[t] | yea but how? | 22:04 |
fReAkY[t] | I don't know the command line - man make-ssl-cert doesn't have any -days command-line option like apache2-ssl-certificate | 22:05 |
NCommander | I don't remember off the top of my head | 22:09 |
didrocks | jdstrand: ok, I think I saw pretty much everything in your ufw test (I love reading shell scripts). Very impressive work for testing regressions, congrats! :) (the only thing I didn't understand is the dry-run option, but it is ufw's internal model). I will try to make something in the next few days regarding case sensitivity testing. I think there is not much work to do as your architecture is very straightforward and flexible | 22:12 |
jdstrand | didrocks: great, thanks! :) | 22:13 |
didrocks | so, it's getting late. See you tomorrow :) | 22:13 |
jdstrand | didrocks: the --dry-run is really just to see what rules would be added to the firewall. it is useful in regression testing too (as you've seen) | 22:14 |
jdstrand | didrocks: have a great night! | 22:14 |
didrocks | jdstrand: ok, understood. Thanks a lot. You too :) | 22:14 |
NCommander | kees, I modified my pbuilder instance to use hardening wrapper, I just need to tweak it to always enable, right? | 22:17 |
kees | NCommander: do you have instructions for it? | 22:18 |
NCommander | kees, pbuilder login --keep-after-login | 22:18 |
NCommander | ;-) | 22:18 |
kees | heh | 22:18 |
NCommander | $default{'DEB_BUILD_HARDENING'}=0; | 22:18 |
kees | well you need to export DEB_BUILD_HARDENING=1 as well | 22:18 |
NCommander | I just want to set that to 1 to make it do the right thing | 22:18 |
kees | righto | 22:18 |
NCommander | PIE already set to one | 22:18 |
* NCommander saves | 22:18 | |
kees | can you add details to https://wiki.ubuntu.com/Security/HardeningWrapper | 22:18 |
NCommander | Ok, pbuilder is updated | 22:19 |
NCommander | Now to just start rebuildd | 22:19 |
* NCommander figures out where to send the mail | 22:22 | |
* NCommander figures out how to initialize the rebuildd database | 22:27 | |
Derander | Is it possible to create an ssl certificate for multiple domains? (I'm trying to set this up for a dovecot/postfix mailserver) | 22:29 |
jmedina | Derander: you can use the same cert for virtual domains, but you will get browser warnings | 22:31 |
Gargoyle | Derander: Not that I know of. But why don't you just have a single name (mail.myserver.boo)? | 22:36 |
NCommander | kees, good news, it seems ubuntuwire will do the rebuild | 22:37 |
kees | NCommander: nice. :) | 22:41 |
NCommander | kees, their hardware takes 10 days to rebuild universe | 22:41 |
=== fReAkY[t] is now known as freaky[t] | ||
NCommander | So probably 12 for main+universe | 22:41 |
kees | NCommander: that rocks! :) | 22:42 |
kees | NCommander: will you add the repo details to the wiki page? | 22:42 |
NCommander | We won't publish the repo until the rebuild is done | 22:42 |
* kees nods | 22:42 | |
NCommander | Limitation of ubuntuwire | 22:42 |
NCommander | (I'm just going to sign all the changes and shove them somewhere) | 22:42 |
=== jmedina is now known as psymedina | ||
NCommander | That being said, if there is enough interest in an intrepid-hardened, it may be worth actually maintaining it and such beyond just doing a one-shot experiment | 22:44 |
NCommander | brb/bbiab | 22:45 |
=== freaky[t] is now known as fReAkY[t] | ||
kees | NCommander: might want to call it "intrepid-pie" though, since intrepid itself is pretty well hardened (just lacks PIE) | 22:53 |
=== fReAkY[t] is now known as freaky[t] | ||
hads | Ibex pie? :) | 22:57 |
NCommander | and now I'm back | 23:07 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!