/srv/irclogs.ubuntu.com/2008/09/02/#ubuntu-server.txt

=== freaky[t] is now known as fReAkY[t]
cottonhello, is there a posibility to install X and pekwm on ubuntu server? is it too complicated? thanks.00:19
kgoetzyes its posible, and you should probably ask #ubuntu how00:28
sorenpschulz01: What are you trying to do?00:32
pschulz01soren: Putting together a question now :-)00:36
pschulz01https://answers.launchpad.net/ubuntu/+question/4388600:36
pschulz01soren: Does that make sense?00:36
sorenpschulz01: Yes.00:38
sorenpschulz01: Did you take a look at the always_bcc option?00:38
sorenpschulz01: Alternatively, recipient_bcc_maps might be of use.00:38
pschulz01Oooo.... sound's useful :-)00:39
pschulz01Should be more robust if I can move it to 'postfix'.00:39
sorenpschulz01: You could probably abuse postfix-pcre to do the mapping.00:59
pschulz01soren: yeah. The 'really' painful thing about this is that I need to keep 'procmail' as the local delivery agent, as a couple of users are using it.01:01
sorenpschulz01: Is that a problem?01:07
sorenpschulz01: I'm a bit sleepy, so please bear with me :)01:07
pschulz01soren: Um.. just means that I can't just disable procmail delivery and let postfix do it.. 'cause my users want their procmail rules to work.01:12
pschulz01soren: The main problem with the second option, is that procmail barfs on some emails.. and I haven't been able to work out why.01:13
pschulz01soren: I'm goin gto just do som reading for a while... no huge rush.01:14
sorenI've never seen procmail fail like that, and I've filtered quite a few e-mail with procmail in my time :)01:18
sorenJust for my one of my own e-mail accounts I've filtered about a million e-mails since January 2006, and that has never happened to me.01:20
pschulz01soren: That's what's confusing me as well..01:22
pschulz01soren: I was inially seeing things like..01:23
pschulz01 Command01:23
pschulz01died with signal 11: "/usr/bin/procmail". Command output: procmail:01:23
pschulz01Exceeded LINEBUF01:23
pschulz01.. but I've up the LINEBUF variable, and it still happens.01:23
sorenDo you have an e-mail that reliably reproduces it?01:24
pschulz01soren: No.. that's the next step, but it's a little tricky.. cause they get bounced.01:26
sorenpschulz01: Set soft_bounce = yes.01:27
pschulz01soren: Looks like I can get users to make use of their '.forward' file to run their procmail scripts.. rather than running a global one..01:27
sorenpschulz01: Yeah, that's the way it was done back in the ol' days. :)01:28
pschulz01soren: .. takes me back.01:28
sorenYeah, me too.01:29
soren...to the pain and suffering of being an HP-UX admin.01:29
* soren is never going back there01:29
nxvlsoren: why?01:44
sorenWhy what? Why I'm not going back to HP-UX?01:45
pschulz01nxvl: belive me... we live in a much better time.01:45
nxvlsoren: oh! i didn't know what you were taking about, but found funny to ask01:45
soren:)01:46
nxvli'm kind of bored in a software engineering class01:46
sorenThe *only* positive thing I have to say about HP-UX is that it's where LVM came from.01:46
sorenGerh, I should really go to bed.01:46
pschulz01soren: Ever hav to deal with AIX?01:46
pschulz01soren: go go go01:46
nxvlpschulz01: i have use solaris on a sparc machine01:46
sorenpschulz01: Never had the "pleasure", no.01:46
pschulz01soren: :-)01:47
* soren wanders off for bed.01:47
sorenTake care, folks.01:47
nxvlsoren: sleep tight!01:47
nxvlsoren: see you at "the office"01:47
nxvl:P01:47
D3RGPS31Where do I place library files for LAMP webserver? (eg, libgd.so.2.0.0)03:11
kgoetzwhy do you want to install the file by hand?03:12
D3RGPS31I just switched from xampp to lamp, I just assume that's how it's done03:13
* kgoetz googles xampp03:14
kgoetzD3RGPS31: i suggest you install one of the packages listed on here: http://packages.ubuntu.com/search?searchon=contents&keywords=libgd.so.2.0.0&mode=exactfilename&suite=hardy&arch=any03:14
kgoetzassuming you run 8.04 of course03:14
D3RGPS31If that package was installed before switching to lamp, should I reinstall it?03:15
kgoetzif you installed it from the ubuntu repositories you shouldnt have to, no03:15
D3RGPS31Would install by tasksel be the same?03:17
kgoetzyes, tasksel should use the ubuntu repos03:18
D3RGPS31Then they're both installed through the repository03:18
D3RGPS31So, what can I do?03:22
lukehasnonameHow's UFW integration coming? Is it completed?03:34
=== lamont` is now known as lamont
DeranderI'm using postfix/dovecot.  I'm authenticating off of a fake users file in /etc/dovecot/users.  Users are like 'name@domain.tld'.  Is there a way to alias a user between two domains?  I'd like name1@domain.com to deliver to name1@domain2.com08:15
D3RGPS31Can I use htaccess password authentication with SSL?08:40
kgoetzyes08:41
D3RGPS31Does it require anything different from the norm?08:41
kgoetzfor what value of 'norm'?08:42
kgoetzyou'll need ssl certs at least08:42
D3RGPS31have SSL setup, but my htacces doesn't work now (after I set SSL for a certain web folder)08:44
kgoetzwhat does "doesnt work" mean exactly?08:44
DeranderAlright, I'm confused.  I'm running a mailserver with postfix/dovecot and ssl.  I have an ssl cert that works for domain1, for some reason it also works for domain2 but it does not work for domain308:44
D3RGPS31I'm not prompted to type in a name//password08:44
D3RGPS31but I was when it didn't have SSL set on it08:45
kgoetz... are we talking htaccess or email here?08:45
D3RGPS31htaccess08:45
kgoetzhow did the email come into it?08:45
D3RGPS31email?08:46
Deranderkgoetz I think you're confusing me with him.08:46
D3RGPS31Derander is talking about email >.>08:46
D3RGPS31xD08:46
kgoetzDerander: so i am :)08:46
kgoetz:x08:46
D3RGPS31sorry for not going into decent detail, been drinking coffee for once, kinda clouding my thoughts08:47
* kgoetz is currently fighting apache, so not in the greatest mood himself ;)08:49
D3RGPS31Let's say I used htaccess for a http virtualhost on port 70, then i switched that to https, would the htaccess require something different >.>08:51
kgoetzD3RGPS31: 'switched to https' how?08:53
kgoetzusing a virtualhost to redirect?08:53
D3RGPS31I don't know if redirect is the right word08:55
D3RGPS31eg. port 80 with just http set to /var/80, port 70 with SSL to port /var/80?08:57
* kgoetz suspects that didnt come out right ...?08:57
D3RGPS31port 70 set to /var/80? *08:57
kgoetzD3RGPS31: pastebin your vhost configuration. i cant work out what your doing08:58
D3RGPS31http://pastebin.com/d5430cc9b for non-SSL; http://pastebin.com/d7d74936a for SSL; I use two seperate vhost files09:02
kgoetzi dont see a redirect taking place *g*09:05
D3RGPS31I didn't understand what was meant by redirect09:06
kgoetzD3RGPS31: http://www.maincontent.net/examplehttpd.txt look at this for an example09:08
D3RGPS31so port 80 and port 443 point to the same directory?09:11
kgoetz80 doesnt point to a directory at all09:11
kgoetzit just points to port 44309:11
D3RGPS31ah!09:12
D3RGPS31but, what's stopping an authentication prompt from popping up under my SSL connection09:15
kgoetzi didnt see a prompt for it09:15
D3RGPS31it's in the htaccess file, that's in my /var/70 directory09:15
kgoetzthen its probably an error in your htaccess file. have you checked your logs?09:16
D3RGPS31checking!09:16
* delcoyote hi09:18
moldyhi09:21
krautmoin09:23
moldycan i avoid that .gvfs stuff somehow? when root tries to read it, he gets permissions errors. that crap is making my cronjobs fail...09:23
D3RGPS31I see nothing about htaccess in the logs, it works without SSL but not with SSL09:25
brooniesiretart: Not specifically; bug 252499 is probably the nearest10:00
uvirtbot`Launchpad bug 252499 in nis "When nis server is not reachable during startup, system gets very slow and HAL fails to initialise" [Undecided,New] https://launchpad.net/bugs/25249910:00
sorenmoldy_: You have cronjobs failing because root can't read .gvfs? What exactly are these cronjobs trying to do?10:15
jpdsHow can I find out what my gateway ip is from the terminal?10:25
DiesIraejpds: /sbin/ip route show 0/010:29
jpdsDiesIrae: Thanks!10:30
DiesIraeyou're welcome10:32
moldy_soren: different stuff10:35
moldy_soren: doing backups (rsnapshot), and other maintenance stuff on users' homedirs10:36
moldy_i know how to work around it, but i would like a solution instead of a workaround10:36
moldy_what is the rationale of root not being able to read stuff?10:36
sorenThat's the way fuse works.10:37
moldy_hmm, that sucks.10:37
sorenmoldy_: https://bugs.edge.launchpad.net/ubuntu/+source/rsnapshot/+bug/24777710:38
uvirtbot`Launchpad bug 247777 in rsnapshot "the .gvfs directory in a user's home directory causes rsnapshot to take an incorrect backup (dup-of: 225361)" [Undecided,Invalid]10:38
uvirtbot`Launchpad bug 225361 in gvfs "Superuser cannot access ~/.gvfs folder when mounted " [Medium,Triaged]10:38
sorenuvirtbot`: nick uvirtbot10:39
=== uvirtbot` is now known as uvirtbot
moldy_what does "triaged" mean?10:39
moldy_anyway, i guess i have to adjust my cronjobs and just wait for a fix...10:41
hadsTriaged as in; looked at, noticed and prioritised.10:44
moldy_ok, thanks10:45
sorenmoldy_: What is your workaround? "--exclude .gvfs"?10:47
sorenmoldy_: -x, perhaps?10:47
moldy_soren: yep10:51
moldy_soren: for rsync/rsnapshot, i use exclude10:51
moldy_other scripts do similiar stuff, or they unmount the thing10:51
moldy_i have one script that deletes and recreates certain home directories every hour10:51
sorenIs it really your intention to backup stuff under .gvfs?10:52
moldy_no10:52
moldy_for backups, i exclude it10:52
sorenThen what would be "a fix" to you?10:52
moldy_the proper fix IMHO is to make it accessible by root10:52
sorenErr...10:52
sorenYou *just* said you don't want to back it up.10:53
moldy_so?10:53
soren...so you want to --exclude it anyway.10:53
moldy_yes10:53
moldy_but it is brain-damaged that every backup routine on the planet should be adjusted to gvfs10:53
sorenthink of it this way:10:54
moldy_the point is not wether it is backed up or not, the point is that it makes the backup routines appear to *fail*10:54
sorenIf gvfs (actually fuse) didn't act this way, you'd be backing up *anything* *any* user might have mounted using gvfs.10:54
moldy_that's my decision to make, not gvfs's10:54
moldy_and backups are not the only concern here10:55
moldy_if some maintenance script does e.g. a find on a user's home dir, it will get messed up because find will return an error because it cannot read gvfs10:56
moldy_people assume that root is able to read everything in users' home dirs10:57
moldy_if your system uses gvfs, you now have to special-case it everywhere10:57
sorenI know.10:57
moldy_the alternative is to ignore *all* such errors, which is also often undesirable10:58
soren...I firmly believe that that is the case anyway.10:58
moldy_$home is completely the wrong place to put such stuff then, imo10:58
sorenIt belongs to the use?10:58
sorenuser?10:58
moldy_so what10:58
moldy_put it in /tmp10:59
sorenThat also sounds a bit counterintuitive.11:00
moldy_i think it is alot less counterintuitive than root not being able to read stuff in /home :)11:02
sorenmoldy_: Perhaps. In any case, I suggest you talk to the desktop guys. gvfs is their terriroty.11:03
sorenterritory, I mean.11:03
moldy_well, the bug is already reported, i guess i should just wait11:04
=== Bambi_BOFH is now known as Kamping_Kaiser
nxvlgood morning12:50
sorenHey, nxvl.12:51
nxvlsoren: hi! how are you?12:53
sorennxvl: Pretty good.  A bit sleepy, though. I'm trying to cut down on coffee.13:04
nxvlsoren: yeah i will go for some coffeine in a bit13:05
nxvl:D13:05
zulmorning13:10
Dedi LARTC - want to limit all upload from a specific ip to 20kb/s. anyone that knows it and want to save me alot of time to read into this topic? :D13:10
andrethehookWhile following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :)13:27
Dediandrethehook: i had to edit the mysql config and comment out a line.. just dont know which it was13:33
Dedisomething starting with p13:33
andrethehookDedi: thanks, i'll look into it :)13:39
andrethehookDedi: same problem btw?13:39
Dediandrethehook: hm i had something like that while upgrading. but that was with intrepid13:41
nxvlsoren: btw, did you finally manage to include the python rewrite into intrepid?13:53
nxvlmanaged*13:53
sorennxvl: The source package was accepted, but the binary is still stuck in the NEW queue.13:59
sorennxvl: But in short: Yes, I did :)13:59
nxvl\o/13:59
sorenBut please keep this to yourself. Otherwise I won't have anything useful to say at the meeting today. :)14:00
nxvlheh14:00
nxvl:D14:00
nxvlok14:00
ScottKlamont: Having fun with the new postfix update yet?14:10
lamontScottK: ah cool, it is out.14:12
lamontI still have a little bit of a dance to do - I just got the final version yesterday.14:13
andrethehookWhile following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) may it be a error in the initscript?14:13
andrethehookor maybe a bug?14:13
lamontScottK: now I just need to decide if intrepid cares enough to have an upload before I sync from debian...14:34
ScottKI'd think not.14:36
ScottKlamont: My 'fun' thing for the day was finding out at midnight lastnight that all of KDE4 needed to reuploaded and build before alpha5 and Riddell is on vacation.14:37
ScottKThere aren't many Kubuntu core-dev, so I was up a bit late.14:37
ScottKI'm going to take a nap.14:37
byte_slaveHi everyone!14:38
byte_slavei don't know what i did, but ubuntu 8.04 simply doesn't accept any login and has something new in the login screen such as "Ubuntu intrepid (development branch) <mymachinename> tty1"14:40
lamonthrm.. I guess if I request a sync, I should at least upload the package.. . :-)14:40
byte_slavethe last thing i did was playing with samba + win active directory integration14:40
lamontbyte_slave: you're not running 8.04 if it says 'intrepid'14:41
byte_slavethe base installation was 8.04 is now is Intrepoid ( the new ubuntu release right?) it was a process that made some core updates without warn me14:42
uvirtbotNew bug: #264004 in postfix (main) "Please sync postfix 2.5.4-1 (main) from Debian unstable (main)." [Wishlist,Confirmed] https://launchpad.net/bugs/26400414:46
lamontyou upgraded from a stable long-term-support to an unsupported development release...  of course things break :-(14:47
lamontOTOH, it should work.. so bugs should be filed when you figure out why they broke14:48
byte_slavelamont, ok. you think some process inside must be programmed to go to web and update without ask?14:58
byte_slavebecause i didn't nothing, neither a single apt-get upgrade-distro ou whatever14:59
lamontnf14:59
lamontno ideas14:59
byte_slavedammit, what happened why my happy box?15:00
byte_slavewell, i'll try so google for some more info.. and see if i can do a15:01
byte_slavean easy downgrade15:01
=== S^n1x is now known as Shanix
zulmeeting in 10 minutes?15:49
nijabazul: yes indeed15:53
=== andrethehook is now known as twoSharp
sorennijaba: Note: I'm moving the vmbuilder code.17:01
nijabasoren: np, thanks for letting me know17:01
sorennijaba: There. Moved from https://code.edge.launchpad.net/~ubuntu-virt/ubuntu-jeos/python-rewrite to https://code.edge.launchpad.net/~ubuntu-virt/vmbuilder/trunk17:02
_rubengrr .. perl on this box is still "confused" .. http://paste.ubuntu.com/42739/17:15
uvirtbotNew bug: #263178 in postfix (main) "package postfix 2.5.1-2ubuntu1.1 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/26317817:36
lamontmeh17:37
jameswf-homeokay holliday is over anyone alive?18:18
didrocksjdstrand: around?18:40
jdstranddidrocks: yep, hi18:40
didrocksHi :)18:40
didrocks1/ thanks for the hug :)18:40
didrocks2/ I am sorry, I just had the time to look at the case insensitive trick in ufw18:40
didrocksit was quite easy I think, and I made yesterday a branch from your trunk and normally achieve it18:41
didrocks(bzr is very cool, btw)18:41
jdstranddidrocks: I only looked at the bug briefly a few minutes ago18:41
jdstranddidrocks: thanks for the patch :) did you run 'run_tests.sh' after the patch?18:42
didrockshum, no, what is it? :)18:42
jdstrand(or build the package-- it's run there)18:42
didrocksoh, I just rerun it dynamically18:42
didrocksIndeed, I have made some symlink to my branch in intrepid18:43
didrockspython rocks for that :)18:43
jdstrandit's a collection of tests to make sure everything is still working ok18:43
didrocks(I just simlinked application.py and frontend.py)18:43
didrocksOk, I give it a try now18:43
didrocksdoes ufw has to be setup or can I just run it in my branch?18:44
jdstranddidrocks: just './run_tests.sh -s' from the top of your branch18:44
didrocksok, there is some fails. I have to compare it to your trink :)18:45
didrocks(on --dry-run, specifically)18:45
didrockstrink/trunk18:45
didrocksjdstrand: so, I corrected the errors. I am just trying to setup my VM up again (seems to be broken) to perform some manual tests19:31
* jdstrand nods19:38
=== p0w4h` is now known as p0w4h
=== emgent`NL is now known as emgent`nl
mathiazkees: do you have a  wiki page or blog post where you've explained/tracked your PIE work ?20:14
didrocksjdstrand: I finally got my vm work unactivating acpi. So, I made some tests and it is ok. I push a new revision in my branch20:14
jdstranddidrocks: thanks20:14
jdstrand:)20:14
mathiazkees: I'm writing up a post about what has been done in the archive in august and some of them are related to your work on PIE20:15
keesmathiaz: well... it's a bit scattered.20:15
didrocksjdstrand: I will have a look at your test shell to add non regression for case insensitive, if possible :)20:15
mathiazkees: did you try to rebuild all of the archive with PIE enabled ?20:16
keesmathiaz: I did, yeah.  that was back in hardy though.20:16
mathiazkees: ok - so rather than enabling pie in the default build, it has been decided at UDS at PIE would be enabled on a per package basis20:17
mathiazkees: ?20:17
keesmathiaz: PIE is mentioned here... http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/ http://wiki.debian.org/Hardening20:17
keesmathiaz: that's correct20:18
mathiazkees: and in order to enable PIE, a dependency on hardening-wrapper is added to the package20:18
mathiazkees: where as all the other hardening things have been enabled directly in the compiler20:19
keesmathiaz: well, there is what I'd call "native" PIE (see openssh and samba), and "wrapper" PIE.  In the case of the wrapper, two things are needed: the hardening-wrapper build-dep and "export DEB_BUILD_HARDENING=1" in the debian/rules file20:19
keesmathiaz: right, which are documented here: https://wiki.ubuntu.com/CompilerFlags20:19
mathiazkees: and native PIE is when the upstream source code directly support PIE ?20:20
keesmathiaz: well, either upstream directly (samba's "--enable-pie") or via the packaging which passes the options in to the native build process (openssh)20:21
mathiazkees: ok - thanks for your input20:21
mathiazkees: that should be enough for the blog post20:21
keesmathiaz: sure!  sorry I haven't kept the PIE details in a single place.  :P20:22
mathiazkees: would you consider that PIE is the last point on your hardening list ?20:22
fReAkY[t]hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?20:23
keesmathiaz: there is one more, which is pretty minor, but is similar to PIE in that I'd like to do it on a per-package basis: "-Wl,-z,now"20:23
keesmathiaz: but I'd like to wait until intrepid+1 for that, since it depends on the intrepid -Wl,-z,relro change20:23
=== leonel_ is now known as leonel
leonelhello ..  will  tomcat6  be moved  to MAIN ??20:28
mathiazleonel: it's the plan20:28
leonelmathiaz:  anything I can help ??20:28
mathiazleonel: MIR have been written and the goal is to add a task during the installation20:28
leonelmathiaz:  ok ..20:29
mathiazleonel: from a development POV not really. However testing is always very welcomed.20:29
mathiazkees: the vast majority of package would require the use of the hardening-wrapper to enable PIE rather than native support ?20:30
keesmathiaz: it is by far the simplest approach -- there are two complexities in doing PIE via packaging changes: a) detecting the arch and disabling PIE on arch that don't support it, b) successfully plumbing the CFLAG and final link flags down into the upstream build system.20:32
keesmathiaz: very few upstreams have knowledge of PIE already (frankly, prior to last week, I would have said "none", but samba actually does have it)20:32
NCommanderkees, the problem is that PIE code in GCC historically has had issues20:39
NCommanderkees, especially late 2.x series and 3.x on PowerPC and m68k, -pie would sometimes generate non-working code20:39
NCommanderkees, and on x86, the performance hit is large enough that unless you have a very fast machine, it hurts :-/20:40
keesNCommander:   ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:arm:))20:40
NCommanderkees, what's that from, samba?20:40
keesyawp.  totally disabled on m68k, hppa, arm.20:40
keesNCommander: that's from hardening-wrapper20:40
NCommanderWe finally got pie fixed in the 4.x series20:40
NCommanderBut PIE is slow slow20:40
NCommander(go try gentoo with it on and off, its a notable difference on x86)20:41
keesNCommander: PIE is only slow with arch that have very few general registers (ia32)20:41
NCommanderRight20:41
NCommanderx8620:41
keesNCommander: there was virtually no measurable change on x86_64.20:41
NCommanderI know20:41
NCommanderI said it was just x8620:41
keesyeah, totally agreed.20:41
NCommanderI was just noting GCC has a bad track record with PIE20:41
keesGDB's is worse.  ;)20:42
keesNo better way to find bugs than to use a buggy feature.  ;)20:42
NCommanderMy first thought when I looking at the MySQL build failures is that PIE was generating bad code, not slowing down MySQL to the point of failing its test suites20:42
keesNCommander: I'd agree with that.  When I narrowed down the mysql issue, it was segv'ing the server in exactly _1_ test.20:42
keeswhich, I find to be rather scary.20:43
NCommanderLike I said, I've always been weary of PIE with GCC20:43
keesyeah, hence this gradual approach.20:43
NCommanderAnd Microsoft went as far as disallowing position independent code with their compilers20:43
keeson the other hand, lots of stuff has been PIE in RHEL/Fedora for a while now.20:43
NCommander(its sorta amazing/scary how they implemented shared libraries without PIC code)20:43
NCommanderobviously not mysql :-)20:44
NCommanderTBH, mysql does some rather stupid code tricks, so it doesn't shock me so much that you get issues with it20:44
keesfor intrepid+1, I'm pondering enabling PIE for all of x86_64 and seeing what burns down.  I suspect it will be my house, care of doko.  :)20:46
NCommanderkees, I've got an Ubuntu x86_64 buildd setup20:47
NCommanderOnce the archive enters final freeze, I don't mind running the entire archive compile end to end20:47
NCommander(probably will take a week or two to finish)20:47
keesNCommander: two people doing it is better than one.  :)  I've not tried doing universe, but I've done full main rebuilds in about 2 days.20:48
keesthe issue I may hit is that of space.  I hadn't been saving the .debs20:48
NCommanderIts just a matter of catching build failures20:48
NCommanderBut if you want, I have a 500GB hardddrive20:48
keesthis time, if I save the debs and shove the updates into a VM, it'll be interesting to see the results.20:48
NCommanderand a dak installation already on it :-)20:48
keesheh.20:48
NCommanderYeah, the only "fun" part with dak is setting overrides20:49
NCommanderBut I can just grab the ones from Debian20:49
keesyeah20:49
NCommanderWhen do we hit the freeze date?20:49
NCommander(or would you like to rebuild the archive sooner then that ;-))20:49
keeslast thursday.  ;)20:49
NCommanderI mean final freeze/hard freeze20:49
keeslooks like oct 3020:50
NCommanderThat far away?20:50
NCommanderDamn20:50
keeshttps://wiki.ubuntu.com/IntrepidReleaseSchedule20:50
NCommanderkees, do you use Soyuz as your buildd, or the Debian w-b/buildd combo20:50
keesI actually use sbuild for local testing20:51
NCommanderfor rebuilding the entire archive?20:51
NCommander(buildd uses sbuild internally)20:51
keesyeah.20:51
NCommanderOuch20:51
NCommanderI'm not that crazy20:51
keesit's a pretty simple script.20:51
NCommanderI actually use a wanna-build/buildd/sbuild combo20:51
NCommanderYeah, but no load balancing ;-)20:51
keesI just beat my desktop to death for a day or so.  :P20:52
keesusually start it friday night20:52
NCommanderyeah, but if you have someone helping oyu with universe ...20:52
NCommanderkees, well, its an interesting experiment at any rate which I'd like to help do ;-)20:53
NCommanderI've got to run, but we'll talk later20:54
keesNCommander: cool, thanks, cya20:54
NCommanderkees, you still around?21:08
keesoops, he vanished.21:08
=== mcasadevall_ is now known as NCommander
NCommanderkees, you still around?21:09
NCommanderkees, :-P21:09
NCommander-NickServ- You may not ghost yourself.21:09
NCommanderNickserv is lagging21:09
keesNCommander: yawp21:09
NCommanderwould you like to write up a spec on building amd64 with PIE and see how the archive explodes?21:10
keesNCommander: sure, I'll certainly do that when we start the spec-writing surge for intrepid+121:11
* NCommander would like to see the hardening also tested on ia64, sparc, and powerpc21:11
NCommanderOh, so you want to wait until after intrepid is released for this experiment?21:11
keesNCommander: I suppose I could write the spec any time.  :)21:12
keesNCommander: I'll do it this week and blog about it.21:12
NCommanderWell, I'll write the spec, but I mean when would you want to do the experiment21:12
NCommander(two computers could grind through main in less than a day, universe will take longer though)21:12
keesexperiment could be done any time.21:12
* NCommander pops up the wiki21:12
* NCommander cricks neck21:13
NCommanderI've got amd64, and powerpc hardware. Want to donate some sparc to the cause21:13
keesI'm really only interested in amd64 myself.21:13
NCommanderI'm just noting the more common server architecturs21:14
keesNCommander: so should I write the spec, or are you already doing it?21:14
NCommanderAssuming I can kick the wiki alive21:14
* kees nods21:14
NCommanderkees, think we could convience Canonical to let you have intrepid+1 build with PIE/hardening on by defualt?21:17
keesNCommander: well not specific to Canonical, but that's the goal.21:17
keesNCommander: I'm adding the spec now.. (on LP)21:17
NCommanderI'm writing the basis of the wiki entry, you'll have to flesh it out somewhat21:18
NCommanderMaybe ask Canonical to add a new distribution - Ubuntu Hardened, with everything compiled with hardened wrapper21:18
Deepshardbuntu21:19
keesNCommander: the otherhead for that is huge.  besides, everything is compiled with all the hardening options (excepting PIE) in intrepid.21:19
NCommanderI didn't know that21:19
NCommanderDeeps, I think a less suggestive name would be in order ;-)21:20
keesNCommander: yeah, that was my goal for intrepid: https://wiki.ubuntu.com/CompilerFlags21:20
NCommanderkees, it would just be additional load on the buildds , but it shouldn't be so hard to get launchpad extended in such a matter21:20
keesNCommander: okay, BP registered: https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default21:20
keesNCommander: it would double the size of the amd64 archive.  :P21:20
NCommanderWhat's another 20GB?21:21
NCommander(which is the size of the amd64 archive)21:21
keesit could be done via PPA too21:22
NCommanderyay, 1GB limitations :-)21:22
NCommanderAnd it would require manually tweaking each control file, I just want to install hardening-wrapper right into the chroot so I don't need to manually set it21:22
keesoh, is there really a size limit on PPAs?21:22
arakthorwhat does PIE do?21:22
NCommanderkees, 1GB21:23
NCommanderarakthor, it causes code to be position independent21:23
keesarakthor: makes the program relocatable in memory.  then combined with kernel ASLR, the program loads to different locations each time.21:23
arakthorgotcha21:23
keesarakthor: that makes it harder to exploit a memory corruption vulnerability.21:23
arakthoryup21:24
NCommanderkees, https://wiki.ubuntu.com/PIEExperimentSpec#preview21:25
NCommanderThe problem is PIE historically has had some issues in GCC, and due to the "design" of the x86 architecture, has a speed hit on that architecture21:26
NCommander(x86_64 is spared from that issue by being 64 bit and having more general purpose registers)21:26
didrocksjdstrand: you don't delete $testdir/testarea if we interrupt your test script. Is it what you want? (hum, you remove it at the end, so, ok, you don't want to push your branch it if you had to interrupt the script. That makes sense.)21:28
NCommanderkees, how fast is your amd64?21:28
jdstranddidrocks: yes21:29
keesNCommander: 2.40GHz 4-way with 8G RAM21:29
NCommanderkees, slaughters my box21:30
* jdstrand drools over kees' RAM21:30
NCommander2.30Ghz dual core, 2G RAM21:30
keesNCommander: my job is doing lots of compiles.  :)21:30
NCommanderkees, that machine might have a qmail security bug on it ;-)21:30
* kees lucky and does not run qmail :)21:30
NCommanderkees, well, you can use rebuildd, or if you want to load balance and get people to help buildd, setup a buildd cluster ;-)21:32
fReAkY[t]hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?21:32
NCommanderkees, rebuildd gets you something nice like this: http://builder.ubuntuwire.com:9998/dist/intrepid/arch/i38621:32
NCommanderactually, rebuildd has load balancing :-) (more than one host can build at a time)21:34
=== PrivateVoid is now known as PV_Away
gegemaIs editing /etc/network/interfaces the best approach to setup my ubuntu server to use a static IP (instead of DHCP)?21:41
arakthorI think it is21:43
jmedinagegema: always use static in servers, if your dhcp server goes down  your users are not going to be able to reach the server, unless you use a really big lease time, but it is hard21:43
gegemaWill do - Thanks!21:47
fReAkY[t]hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?21:50
NCommanderfReAkY[t], you can't, you need to generate a new certificate22:00
fReAkY[t]yea but how?22:04
fReAkY[t]i dont know the command line - man make-ssl-cert doesnt have any -days commandline option like apache2-ssl-certificate22:05
NCommanderI don't remember off the top of my head22:09
didrocksjdstrand: ok, I think I saw pretty much everything in your ufw test (I love reading shells). Very impressive work for testing regressions, congrats! :) (the only think I didn't understand is the dry-run option, but it is ufw intern model). I will try to make something in the few days regarding case sensitiveness testing. I think there is no much work to do as your architecture is very straightforward and flexible22:12
jdstranddidrocks: great, thanks! :)22:13
didrocksso, it's getting late. See you tomorrow :)22:13
jdstranddidrocks: the --dry-run is really just to see what rules would be added to the firewall. it is useful in regression testing too (as you've seen)22:14
jdstranddidrocks: have a great night!22:14
didrocksjdstrand: ok, understood. Thanks a lot. You too :)22:14
NCommanderkees, I modified my pbuilder instance to use hardening wrapper, I just need to tweak it to always enable, right?22:17
keesNCommander: do you have instructions for it?22:18
NCommanderkees, pbuilder login --keep-after-login22:18
NCommander;-)22:18
keesheh22:18
NCommander$default{'DEB_BUILD_HARDENING'}=0;22:18
keeswell you need to export DEB_BUILD_HARDENING=1 as well22:18
NCommanderI just want to set that to 1 to make it do the right thing22:18
keesrighto22:18
NCommanderPIE already set ot one22:18
* NCommander saves22:18
keescan you add details to https://wiki.ubuntu.com/Security/HardeningWrapper22:18
NCommanderOk, pbuilder is updated22:19
NCommanderNow to just start rebuildd22:19
* NCommander figures out where to send the mail22:22
* NCommander figures out how to initalized rebuildd database22:27
DeranderIs it possible to create an ssl certificate for multiple domains?  (I'm trying to set this up for a dovecot/postfix mailserver)22:29
jmedinaDerander: you can use the same cert for virtual domains, but you will get browser warnings22:31
GargoyleDerander: Not that I know of. But why don't you just have a single name (mail.myserver.boo)?22:36
NCommanderkees, good news, it seems ubuntuwire will do the rebuild22:37
keesNCommander: nice.  :)22:41
NCommanderkees, there hardware takes 10 days to rebuild universe22:41
=== fReAkY[t] is now known as freaky[t]
NCommanderSo probably 12 for main+universe22:41
keesNCommander: that rocks!  :)22:42
keesNCommander: will you add the repo details to the wiki page?22:42
NCommanderWe won't publish the repo until the rebuild is done22:42
* kees nods22:42
NCommanderLimitation of ubuntu wire22:42
NCommander(I'm just going to sign all the changes and shove them somewhere)22:42
=== jmedina is now known as psymedina
NCommanderThat being said, if there is enough interest in an intrepid-hardened, it may be worth actually maintaining it and such beyond just doing a one-shot experiment22:44
NCommanderbrb/bbiab22:45
=== freaky[t] is now known as fReAkY[t]
keesNCommander: might want to call it "intrepid-pie" though, since intrepid itself is pretty well hardened (just lacks PIE)22:53
=== fReAkY[t] is now known as freaky[t]
hadsIbex pie? :)22:57
NCommanderand now I'm back23:07

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!