/srv/irclogs.ubuntu.com/2008/09/02/#ubuntu-server.txt

=== freaky[t] is now known as fReAkY[t]
cotton	hello, is there a posibility to install X and pekwm on ubuntu server? is it too complicated? thanks.	00:19
kgoetz	yes its posible, and you should probably ask #ubuntu how	00:28
soren	pschulz01: What are you trying to do?	00:32
pschulz01	soren: Putting together a question now :-)	00:36
pschulz01	https://answers.launchpad.net/ubuntu/+question/43886	00:36
pschulz01	soren: Does that make sense?	00:36
soren	pschulz01: Yes.	00:38
soren	pschulz01: Did you take a look at the always_bcc option?	00:38
soren	pschulz01: Alternatively, recipient_bcc_maps might be of use.	00:38
pschulz01	Oooo.... sound's useful :-)	00:39
pschulz01	Should be more robust if I can move it to 'postfix'.	00:39
soren	pschulz01: You could probably abuse postfix-pcre to do the mapping.	00:59
pschulz01	soren: yeah. The 'really' painful thing about this is that I need to keep 'procmail' as the local delivery agent, as a couple of users are using it.	01:01
soren	pschulz01: Is that a problem?	01:07
soren	pschulz01: I'm a bit sleepy, so please bear with me :)	01:07
pschulz01	soren: Um.. just means that I can't just disable procmail delivery and let postfix do it.. 'cause my users want their procmail rules to work.	01:12
pschulz01	soren: The main problem with the second option, is that procmail barfs on some emails.. and I haven't been able to work out why.	01:13
pschulz01	soren: I'm goin gto just do som reading for a while... no huge rush.	01:14
soren	I've never seen procmail fail like that, and I've filtered quite a few e-mail with procmail in my time :)	01:18
soren	Just for my one of my own e-mail accounts I've filtered about a million e-mails since January 2006, and that has never happened to me.	01:20
pschulz01	soren: That's what's confusing me as well..	01:22
pschulz01	soren: I was inially seeing things like..	01:23
pschulz01	Command	01:23
pschulz01	died with signal 11: "/usr/bin/procmail". Command output: procmail:	01:23
pschulz01	Exceeded LINEBUF	01:23
pschulz01	.. but I've up the LINEBUF variable, and it still happens.	01:23
soren	Do you have an e-mail that reliably reproduces it?	01:24
pschulz01	soren: No.. that's the next step, but it's a little tricky.. cause they get bounced.	01:26
soren	pschulz01: Set soft_bounce = yes.	01:27
pschulz01	soren: Looks like I can get users to make use of their '.forward' file to run their procmail scripts.. rather than running a global one..	01:27
soren	pschulz01: Yeah, that's the way it was done back in the ol' days. :)	01:28
pschulz01	soren: .. takes me back.	01:28
soren	Yeah, me too.	01:29
soren	...to the pain and suffering of being an HP-UX admin.	01:29
* soren is never going back there		01:29
nxvl	soren: why?	01:44
soren	Why what? Why I'm not going back to HP-UX?	01:45
pschulz01	nxvl: belive me... we live in a much better time.	01:45
nxvl	soren: oh! i didn't know what you were taking about, but found funny to ask	01:45
soren	:)	01:46
nxvl	i'm kind of bored in a software engineering class	01:46
soren	The only positive thing I have to say about HP-UX is that it's where LVM came from.	01:46
soren	Gerh, I should really go to bed.	01:46
pschulz01	soren: Ever hav to deal with AIX?	01:46
pschulz01	soren: go go go	01:46
nxvl	pschulz01: i have use solaris on a sparc machine	01:46
soren	pschulz01: Never had the "pleasure", no.	01:46
pschulz01	soren: :-)	01:47
* soren wanders off for bed.		01:47
soren	Take care, folks.	01:47
nxvl	soren: sleep tight!	01:47
nxvl	soren: see you at "the office"	01:47
nxvl	:P	01:47
D3RGPS31	Where do I place library files for LAMP webserver? (eg, libgd.so.2.0.0)	03:11
kgoetz	why do you want to install the file by hand?	03:12
D3RGPS31	I just switched from xampp to lamp, I just assume that's how it's done	03:13
* kgoetz googles xampp		03:14
kgoetz	D3RGPS31: i suggest you install one of the packages listed on here: http://packages.ubuntu.com/search?searchon=contents&keywords=libgd.so.2.0.0&mode=exactfilename&suite=hardy&arch=any	03:14
kgoetz	assuming you run 8.04 of course	03:14
D3RGPS31	If that package was installed before switching to lamp, should I reinstall it?	03:15
kgoetz	if you installed it from the ubuntu repositories you shouldnt have to, no	03:15
D3RGPS31	Would install by tasksel be the same?	03:17
kgoetz	yes, tasksel should use the ubuntu repos	03:18
D3RGPS31	Then they're both installed through the repository	03:18
D3RGPS31	So, what can I do?	03:22
lukehasnoname	How's UFW integration coming? Is it completed?	03:34
=== lamont` is now known as lamont
Derander	I'm using postfix/dovecot. I'm authenticating off of a fake users file in /etc/dovecot/users. Users are like 'name@domain.tld'. Is there a way to alias a user between two domains? I'd like name1@domain.com to deliver to name1@domain2.com	08:15
D3RGPS31	Can I use htaccess password authentication with SSL?	08:40
kgoetz	yes	08:41
D3RGPS31	Does it require anything different from the norm?	08:41
kgoetz	for what value of 'norm'?	08:42
kgoetz	you'll need ssl certs at least	08:42
D3RGPS31	have SSL setup, but my htacces doesn't work now (after I set SSL for a certain web folder)	08:44
kgoetz	what does "doesnt work" mean exactly?	08:44
Derander	Alright, I'm confused. I'm running a mailserver with postfix/dovecot and ssl. I have an ssl cert that works for domain1, for some reason it also works for domain2 but it does not work for domain3	08:44
D3RGPS31	I'm not prompted to type in a name//password	08:44
D3RGPS31	but I was when it didn't have SSL set on it	08:45
kgoetz	... are we talking htaccess or email here?	08:45
D3RGPS31	htaccess	08:45
kgoetz	how did the email come into it?	08:45
D3RGPS31	email?	08:46
Derander	kgoetz I think you're confusing me with him.	08:46
D3RGPS31	Derander is talking about email >.>	08:46
D3RGPS31	xD	08:46
kgoetz	Derander: so i am :)	08:46
kgoetz	:x	08:46
D3RGPS31	sorry for not going into decent detail, been drinking coffee for once, kinda clouding my thoughts	08:47
* kgoetz is currently fighting apache, so not in the greatest mood himself ;)		08:49
D3RGPS31	Let's say I used htaccess for a http virtualhost on port 70, then i switched that to https, would the htaccess require something different >.>	08:51
kgoetz	D3RGPS31: 'switched to https' how?	08:53
kgoetz	using a virtualhost to redirect?	08:53
D3RGPS31	I don't know if redirect is the right word	08:55
D3RGPS31	eg. port 80 with just http set to /var/80, port 70 with SSL to port /var/80?	08:57
* kgoetz suspects that didnt come out right ...?		08:57
D3RGPS31	port 70 set to /var/80? *	08:57
kgoetz	D3RGPS31: pastebin your vhost configuration. i cant work out what your doing	08:58
D3RGPS31	http://pastebin.com/d5430cc9b for non-SSL; http://pastebin.com/d7d74936a for SSL; I use two seperate vhost files	09:02
kgoetz	i dont see a redirect taking place g	09:05
D3RGPS31	I didn't understand what was meant by redirect	09:06
kgoetz	D3RGPS31: http://www.maincontent.net/examplehttpd.txt look at this for an example	09:08
D3RGPS31	so port 80 and port 443 point to the same directory?	09:11
kgoetz	80 doesnt point to a directory at all	09:11
kgoetz	it just points to port 443	09:11
D3RGPS31	ah!	09:12
D3RGPS31	but, what's stopping an authentication prompt from popping up under my SSL connection	09:15
kgoetz	i didnt see a prompt for it	09:15
D3RGPS31	it's in the htaccess file, that's in my /var/70 directory	09:15
kgoetz	then its probably an error in your htaccess file. have you checked your logs?	09:16
D3RGPS31	checking!	09:16
* delcoyote hi		09:18
moldy	hi	09:21
kraut	moin	09:23
moldy	can i avoid that .gvfs stuff somehow? when root tries to read it, he gets permissions errors. that crap is making my cronjobs fail...	09:23
D3RGPS31	I see nothing about htaccess in the logs, it works without SSL but not with SSL	09:25
broonie	siretart: Not specifically; bug 252499 is probably the nearest	10:00
uvirtbot`	Launchpad bug 252499 in nis "When nis server is not reachable during startup, system gets very slow and HAL fails to initialise" [Undecided,New] https://launchpad.net/bugs/252499	10:00
soren	moldy_: You have cronjobs failing because root can't read .gvfs? What exactly are these cronjobs trying to do?	10:15
jpds	How can I find out what my gateway ip is from the terminal?	10:25
DiesIrae	jpds: /sbin/ip route show 0/0	10:29
jpds	DiesIrae: Thanks!	10:30
DiesIrae	you're welcome	10:32
moldy_	soren: different stuff	10:35
moldy_	soren: doing backups (rsnapshot), and other maintenance stuff on users' homedirs	10:36
moldy_	i know how to work around it, but i would like a solution instead of a workaround	10:36
moldy_	what is the rationale of root not being able to read stuff?	10:36
soren	That's the way fuse works.	10:37
moldy_	hmm, that sucks.	10:37
soren	moldy_: https://bugs.edge.launchpad.net/ubuntu/+source/rsnapshot/+bug/247777	10:38
uvirtbot`	Launchpad bug 247777 in rsnapshot "the .gvfs directory in a user's home directory causes rsnapshot to take an incorrect backup (dup-of: 225361)" [Undecided,Invalid]	10:38
uvirtbot`	Launchpad bug 225361 in gvfs "Superuser cannot access ~/.gvfs folder when mounted " [Medium,Triaged]	10:38
soren	uvirtbot`: nick uvirtbot	10:39
=== uvirtbot` is now known as uvirtbot
moldy_	what does "triaged" mean?	10:39
moldy_	anyway, i guess i have to adjust my cronjobs and just wait for a fix...	10:41
hads	Triaged as in; looked at, noticed and prioritised.	10:44
moldy_	ok, thanks	10:45
soren	moldy_: What is your workaround? "--exclude .gvfs"?	10:47
soren	moldy_: -x, perhaps?	10:47
moldy_	soren: yep	10:51
moldy_	soren: for rsync/rsnapshot, i use exclude	10:51
moldy_	other scripts do similiar stuff, or they unmount the thing	10:51
moldy_	i have one script that deletes and recreates certain home directories every hour	10:51
soren	Is it really your intention to backup stuff under .gvfs?	10:52
moldy_	no	10:52
moldy_	for backups, i exclude it	10:52
soren	Then what would be "a fix" to you?	10:52
moldy_	the proper fix IMHO is to make it accessible by root	10:52
soren	Err...	10:52
soren	You just said you don't want to back it up.	10:53
moldy_	so?	10:53
soren	...so you want to --exclude it anyway.	10:53
moldy_	yes	10:53
moldy_	but it is brain-damaged that every backup routine on the planet should be adjusted to gvfs	10:53
soren	think of it this way:	10:54
moldy_	the point is not wether it is backed up or not, the point is that it makes the backup routines appear to fail	10:54
soren	If gvfs (actually fuse) didn't act this way, you'd be backing up anything any user might have mounted using gvfs.	10:54
moldy_	that's my decision to make, not gvfs's	10:54
moldy_	and backups are not the only concern here	10:55
moldy_	if some maintenance script does e.g. a find on a user's home dir, it will get messed up because find will return an error because it cannot read gvfs	10:56
moldy_	people assume that root is able to read everything in users' home dirs	10:57
moldy_	if your system uses gvfs, you now have to special-case it everywhere	10:57
soren	I know.	10:57
moldy_	the alternative is to ignore all such errors, which is also often undesirable	10:58
soren	...I firmly believe that that is the case anyway.	10:58
moldy_	$home is completely the wrong place to put such stuff then, imo	10:58
soren	It belongs to the use?	10:58
soren	user?	10:58
moldy_	so what	10:58
moldy_	put it in /tmp	10:59
soren	That also sounds a bit counterintuitive.	11:00
moldy_	i think it is alot less counterintuitive than root not being able to read stuff in /home :)	11:02
soren	moldy_: Perhaps. In any case, I suggest you talk to the desktop guys. gvfs is their terriroty.	11:03
soren	territory, I mean.	11:03
moldy_	well, the bug is already reported, i guess i should just wait	11:04
=== Bambi_BOFH is now known as Kamping_Kaiser
nxvl	good morning	12:50
soren	Hey, nxvl.	12:51
nxvl	soren: hi! how are you?	12:53
soren	nxvl: Pretty good. A bit sleepy, though. I'm trying to cut down on coffee.	13:04
nxvl	soren: yeah i will go for some coffeine in a bit	13:05
nxvl	:D	13:05
zul	morning	13:10
Dedi	LARTC - want to limit all upload from a specific ip to 20kb/s. anyone that knows it and want to save me alot of time to read into this topic? :D	13:10
andrethehook	While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :)	13:27
Dedi	andrethehook: i had to edit the mysql config and comment out a line.. just dont know which it was	13:33
Dedi	something starting with p	13:33
andrethehook	Dedi: thanks, i'll look into it :)	13:39
andrethehook	Dedi: same problem btw?	13:39
Dedi	andrethehook: hm i had something like that while upgrading. but that was with intrepid	13:41
nxvl	soren: btw, did you finally manage to include the python rewrite into intrepid?	13:53
nxvl	managed*	13:53
soren	nxvl: The source package was accepted, but the binary is still stuck in the NEW queue.	13:59
soren	nxvl: But in short: Yes, I did :)	13:59
nxvl	\o/	13:59
soren	But please keep this to yourself. Otherwise I won't have anything useful to say at the meeting today. :)	14:00
nxvl	heh	14:00
nxvl	:D	14:00
nxvl	ok	14:00
ScottK	lamont: Having fun with the new postfix update yet?	14:10
lamont	ScottK: ah cool, it is out.	14:12
lamont	I still have a little bit of a dance to do - I just got the final version yesterday.	14:13
andrethehook	While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) may it be a error in the initscript?	14:13
andrethehook	or maybe a bug?	14:13
lamont	ScottK: now I just need to decide if intrepid cares enough to have an upload before I sync from debian...	14:34
ScottK	I'd think not.	14:36
ScottK	lamont: My 'fun' thing for the day was finding out at midnight lastnight that all of KDE4 needed to reuploaded and build before alpha5 and Riddell is on vacation.	14:37
ScottK	There aren't many Kubuntu core-dev, so I was up a bit late.	14:37
ScottK	I'm going to take a nap.	14:37
byte_slave	Hi everyone!	14:38
byte_slave	i don't know what i did, but ubuntu 8.04 simply doesn't accept any login and has something new in the login screen such as "Ubuntu intrepid (development branch) <mymachinename> tty1"	14:40
lamont	hrm.. I guess if I request a sync, I should at least upload the package.. . :-)	14:40
byte_slave	the last thing i did was playing with samba + win active directory integration	14:40
lamont	byte_slave: you're not running 8.04 if it says 'intrepid'	14:41
byte_slave	the base installation was 8.04 is now is Intrepoid ( the new ubuntu release right?) it was a process that made some core updates without warn me	14:42
uvirtbot	New bug: #264004 in postfix (main) "Please sync postfix 2.5.4-1 (main) from Debian unstable (main)." [Wishlist,Confirmed] https://launchpad.net/bugs/264004	14:46
lamont	you upgraded from a stable long-term-support to an unsupported development release... of course things break :-(	14:47
lamont	OTOH, it should work.. so bugs should be filed when you figure out why they broke	14:48
byte_slave	lamont, ok. you think some process inside must be programmed to go to web and update without ask?	14:58
byte_slave	because i didn't nothing, neither a single apt-get upgrade-distro ou whatever	14:59
lamont	nf	14:59
lamont	no ideas	14:59
byte_slave	dammit, what happened why my happy box?	15:00
byte_slave	well, i'll try so google for some more info.. and see if i can do a	15:01
byte_slave	an easy downgrade	15:01
=== S^n1x is now known as Shanix
zul	meeting in 10 minutes?	15:49
nijaba	zul: yes indeed	15:53
=== andrethehook is now known as twoSharp
soren	nijaba: Note: I'm moving the vmbuilder code.	17:01
nijaba	soren: np, thanks for letting me know	17:01
soren	nijaba: There. Moved from https://code.edge.launchpad.net/~ubuntu-virt/ubuntu-jeos/python-rewrite to https://code.edge.launchpad.net/~ubuntu-virt/vmbuilder/trunk	17:02
_ruben	grr .. perl on this box is still "confused" .. http://paste.ubuntu.com/42739/	17:15
uvirtbot	New bug: #263178 in postfix (main) "package postfix 2.5.1-2ubuntu1.1 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/263178	17:36
lamont	meh	17:37
jameswf-home	okay holliday is over anyone alive?	18:18
didrocks	jdstrand: around?	18:40
jdstrand	didrocks: yep, hi	18:40
didrocks	Hi :)	18:40
didrocks	1/ thanks for the hug :)	18:40
didrocks	2/ I am sorry, I just had the time to look at the case insensitive trick in ufw	18:40
didrocks	it was quite easy I think, and I made yesterday a branch from your trunk and normally achieve it	18:41
didrocks	(bzr is very cool, btw)	18:41
jdstrand	didrocks: I only looked at the bug briefly a few minutes ago	18:41
jdstrand	didrocks: thanks for the patch :) did you run 'run_tests.sh' after the patch?	18:42
didrocks	hum, no, what is it? :)	18:42
jdstrand	(or build the package-- it's run there)	18:42
didrocks	oh, I just rerun it dynamically	18:42
didrocks	Indeed, I have made some symlink to my branch in intrepid	18:43
didrocks	python rocks for that :)	18:43
jdstrand	it's a collection of tests to make sure everything is still working ok	18:43
didrocks	(I just simlinked application.py and frontend.py)	18:43
didrocks	Ok, I give it a try now	18:43
didrocks	does ufw has to be setup or can I just run it in my branch?	18:44
jdstrand	didrocks: just './run_tests.sh -s' from the top of your branch	18:44
didrocks	ok, there is some fails. I have to compare it to your trink :)	18:45
didrocks	(on --dry-run, specifically)	18:45
didrocks	trink/trunk	18:45
didrocks	jdstrand: so, I corrected the errors. I am just trying to setup my VM up again (seems to be broken) to perform some manual tests	19:31
* jdstrand nods		19:38
=== p0w4h` is now known as p0w4h
=== emgent`NL is now known as emgent`nl
mathiaz	kees: do you have a wiki page or blog post where you've explained/tracked your PIE work ?	20:14
didrocks	jdstrand: I finally got my vm work unactivating acpi. So, I made some tests and it is ok. I push a new revision in my branch	20:14
jdstrand	didrocks: thanks	20:14
jdstrand	:)	20:14
mathiaz	kees: I'm writing up a post about what has been done in the archive in august and some of them are related to your work on PIE	20:15
kees	mathiaz: well... it's a bit scattered.	20:15
didrocks	jdstrand: I will have a look at your test shell to add non regression for case insensitive, if possible :)	20:15
mathiaz	kees: did you try to rebuild all of the archive with PIE enabled ?	20:16
kees	mathiaz: I did, yeah. that was back in hardy though.	20:16
mathiaz	kees: ok - so rather than enabling pie in the default build, it has been decided at UDS at PIE would be enabled on a per package basis	20:17
mathiaz	kees: ?	20:17
kees	mathiaz: PIE is mentioned here... http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/ http://wiki.debian.org/Hardening	20:17
kees	mathiaz: that's correct	20:18
mathiaz	kees: and in order to enable PIE, a dependency on hardening-wrapper is added to the package	20:18
mathiaz	kees: where as all the other hardening things have been enabled directly in the compiler	20:19
kees	mathiaz: well, there is what I'd call "native" PIE (see openssh and samba), and "wrapper" PIE. In the case of the wrapper, two things are needed: the hardening-wrapper build-dep and "export DEB_BUILD_HARDENING=1" in the debian/rules file	20:19
kees	mathiaz: right, which are documented here: https://wiki.ubuntu.com/CompilerFlags	20:19
mathiaz	kees: and native PIE is when the upstream source code directly support PIE ?	20:20
kees	mathiaz: well, either upstream directly (samba's "--enable-pie") or via the packaging which passes the options in to the native build process (openssh)	20:21
mathiaz	kees: ok - thanks for your input	20:21
mathiaz	kees: that should be enough for the blog post	20:21
kees	mathiaz: sure! sorry I haven't kept the PIE details in a single place. :P	20:22
mathiaz	kees: would you consider that PIE is the last point on your hardening list ?	20:22
fReAkY[t]	hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?	20:23
kees	mathiaz: there is one more, which is pretty minor, but is similar to PIE in that I'd like to do it on a per-package basis: "-Wl,-z,now"	20:23
kees	mathiaz: but I'd like to wait until intrepid+1 for that, since it depends on the intrepid -Wl,-z,relro change	20:23
=== leonel_ is now known as leonel
leonel	hello .. will tomcat6 be moved to MAIN ??	20:28
mathiaz	leonel: it's the plan	20:28
leonel	mathiaz: anything I can help ??	20:28
mathiaz	leonel: MIR have been written and the goal is to add a task during the installation	20:28
leonel	mathiaz: ok ..	20:29
mathiaz	leonel: from a development POV not really. However testing is always very welcomed.	20:29
mathiaz	kees: the vast majority of package would require the use of the hardening-wrapper to enable PIE rather than native support ?	20:30
kees	mathiaz: it is by far the simplest approach -- there are two complexities in doing PIE via packaging changes: a) detecting the arch and disabling PIE on arch that don't support it, b) successfully plumbing the CFLAG and final link flags down into the upstream build system.	20:32
kees	mathiaz: very few upstreams have knowledge of PIE already (frankly, prior to last week, I would have said "none", but samba actually does have it)	20:32
NCommander	kees, the problem is that PIE code in GCC historically has had issues	20:39
NCommander	kees, especially late 2.x series and 3.x on PowerPC and m68k, -pie would sometimes generate non-working code	20:39
NCommander	kees, and on x86, the performance hit is large enough that unless you have a very fast machine, it hurts :-/	20:40
kees	NCommander: ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:arm:))	20:40
NCommander	kees, what's that from, samba?	20:40
kees	yawp. totally disabled on m68k, hppa, arm.	20:40
kees	NCommander: that's from hardening-wrapper	20:40
NCommander	We finally got pie fixed in the 4.x series	20:40
NCommander	But PIE is slow slow	20:40
NCommander	(go try gentoo with it on and off, its a notable difference on x86)	20:41
kees	NCommander: PIE is only slow with arch that have very few general registers (ia32)	20:41
NCommander	Right	20:41
NCommander	x86	20:41
kees	NCommander: there was virtually no measurable change on x86_64.	20:41
NCommander	I know	20:41
NCommander	I said it was just x86	20:41
kees	yeah, totally agreed.	20:41
NCommander	I was just noting GCC has a bad track record with PIE	20:41
kees	GDB's is worse. ;)	20:42
kees	No better way to find bugs than to use a buggy feature. ;)	20:42
NCommander	My first thought when I looking at the MySQL build failures is that PIE was generating bad code, not slowing down MySQL to the point of failing its test suites	20:42
kees	NCommander: I'd agree with that. When I narrowed down the mysql issue, it was segv'ing the server in exactly _1_ test.	20:42
kees	which, I find to be rather scary.	20:43
NCommander	Like I said, I've always been weary of PIE with GCC	20:43
kees	yeah, hence this gradual approach.	20:43
NCommander	And Microsoft went as far as disallowing position independent code with their compilers	20:43
kees	on the other hand, lots of stuff has been PIE in RHEL/Fedora for a while now.	20:43
NCommander	(its sorta amazing/scary how they implemented shared libraries without PIC code)	20:43
NCommander	obviously not mysql :-)	20:44
NCommander	TBH, mysql does some rather stupid code tricks, so it doesn't shock me so much that you get issues with it	20:44
kees	for intrepid+1, I'm pondering enabling PIE for all of x86_64 and seeing what burns down. I suspect it will be my house, care of doko. :)	20:46
NCommander	kees, I've got an Ubuntu x86_64 buildd setup	20:47
NCommander	Once the archive enters final freeze, I don't mind running the entire archive compile end to end	20:47
NCommander	(probably will take a week or two to finish)	20:47
kees	NCommander: two people doing it is better than one. :) I've not tried doing universe, but I've done full main rebuilds in about 2 days.	20:48
kees	the issue I may hit is that of space. I hadn't been saving the .debs	20:48
NCommander	Its just a matter of catching build failures	20:48
NCommander	But if you want, I have a 500GB hardddrive	20:48
kees	this time, if I save the debs and shove the updates into a VM, it'll be interesting to see the results.	20:48
NCommander	and a dak installation already on it :-)	20:48
kees	heh.	20:48
NCommander	Yeah, the only "fun" part with dak is setting overrides	20:49
NCommander	But I can just grab the ones from Debian	20:49
kees	yeah	20:49
NCommander	When do we hit the freeze date?	20:49
NCommander	(or would you like to rebuild the archive sooner then that ;-))	20:49
kees	last thursday. ;)	20:49
NCommander	I mean final freeze/hard freeze	20:49
kees	looks like oct 30	20:50
NCommander	That far away?	20:50
NCommander	Damn	20:50
kees	https://wiki.ubuntu.com/IntrepidReleaseSchedule	20:50
NCommander	kees, do you use Soyuz as your buildd, or the Debian w-b/buildd combo	20:50
kees	I actually use sbuild for local testing	20:51
NCommander	for rebuilding the entire archive?	20:51
NCommander	(buildd uses sbuild internally)	20:51
kees	yeah.	20:51
NCommander	Ouch	20:51
NCommander	I'm not that crazy	20:51
kees	it's a pretty simple script.	20:51
NCommander	I actually use a wanna-build/buildd/sbuild combo	20:51
NCommander	Yeah, but no load balancing ;-)	20:51
kees	I just beat my desktop to death for a day or so. :P	20:52
kees	usually start it friday night	20:52
NCommander	yeah, but if you have someone helping oyu with universe ...	20:52
NCommander	kees, well, its an interesting experiment at any rate which I'd like to help do ;-)	20:53
NCommander	I've got to run, but we'll talk later	20:54
kees	NCommander: cool, thanks, cya	20:54
NCommander	kees, you still around?	21:08
kees	oops, he vanished.	21:08
=== mcasadevall_ is now known as NCommander
NCommander	kees, you still around?	21:09
NCommander	kees, :-P	21:09
NCommander	-NickServ- You may not ghost yourself.	21:09
NCommander	Nickserv is lagging	21:09
kees	NCommander: yawp	21:09
NCommander	would you like to write up a spec on building amd64 with PIE and see how the archive explodes?	21:10
kees	NCommander: sure, I'll certainly do that when we start the spec-writing surge for intrepid+1	21:11
* NCommander would like to see the hardening also tested on ia64, sparc, and powerpc		21:11
NCommander	Oh, so you want to wait until after intrepid is released for this experiment?	21:11
kees	NCommander: I suppose I could write the spec any time. :)	21:12
kees	NCommander: I'll do it this week and blog about it.	21:12
NCommander	Well, I'll write the spec, but I mean when would you want to do the experiment	21:12
NCommander	(two computers could grind through main in less than a day, universe will take longer though)	21:12
kees	experiment could be done any time.	21:12
* NCommander pops up the wiki		21:12
* NCommander cricks neck		21:13
NCommander	I've got amd64, and powerpc hardware. Want to donate some sparc to the cause	21:13
kees	I'm really only interested in amd64 myself.	21:13
NCommander	I'm just noting the more common server architecturs	21:14
kees	NCommander: so should I write the spec, or are you already doing it?	21:14
NCommander	Assuming I can kick the wiki alive	21:14
* kees nods		21:14
NCommander	kees, think we could convience Canonical to let you have intrepid+1 build with PIE/hardening on by defualt?	21:17
kees	NCommander: well not specific to Canonical, but that's the goal.	21:17
kees	NCommander: I'm adding the spec now.. (on LP)	21:17
NCommander	I'm writing the basis of the wiki entry, you'll have to flesh it out somewhat	21:18
NCommander	Maybe ask Canonical to add a new distribution - Ubuntu Hardened, with everything compiled with hardened wrapper	21:18
Deeps	hardbuntu	21:19
kees	NCommander: the otherhead for that is huge. besides, everything is compiled with all the hardening options (excepting PIE) in intrepid.	21:19
NCommander	I didn't know that	21:19
NCommander	Deeps, I think a less suggestive name would be in order ;-)	21:20
kees	NCommander: yeah, that was my goal for intrepid: https://wiki.ubuntu.com/CompilerFlags	21:20
NCommander	kees, it would just be additional load on the buildds , but it shouldn't be so hard to get launchpad extended in such a matter	21:20
kees	NCommander: okay, BP registered: https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default	21:20
kees	NCommander: it would double the size of the amd64 archive. :P	21:20
NCommander	What's another 20GB?	21:21
NCommander	(which is the size of the amd64 archive)	21:21
kees	it could be done via PPA too	21:22
NCommander	yay, 1GB limitations :-)	21:22
NCommander	And it would require manually tweaking each control file, I just want to install hardening-wrapper right into the chroot so I don't need to manually set it	21:22
kees	oh, is there really a size limit on PPAs?	21:22
arakthor	what does PIE do?	21:22
NCommander	kees, 1GB	21:23
NCommander	arakthor, it causes code to be position independent	21:23
kees	arakthor: makes the program relocatable in memory. then combined with kernel ASLR, the program loads to different locations each time.	21:23
arakthor	gotcha	21:23
kees	arakthor: that makes it harder to exploit a memory corruption vulnerability.	21:23
arakthor	yup	21:24
NCommander	kees, https://wiki.ubuntu.com/PIEExperimentSpec#preview	21:25
NCommander	The problem is PIE historically has had some issues in GCC, and due to the "design" of the x86 architecture, has a speed hit on that architecture	21:26
NCommander	(x86_64 is spared from that issue by being 64 bit and having more general purpose registers)	21:26
didrocks	jdstrand: you don't delete $testdir/testarea if we interrupt your test script. Is it what you want? (hum, you remove it at the end, so, ok, you don't want to push your branch it if you had to interrupt the script. That makes sense.)	21:28
NCommander	kees, how fast is your amd64?	21:28
jdstrand	didrocks: yes	21:29
kees	NCommander: 2.40GHz 4-way with 8G RAM	21:29
NCommander	kees, slaughters my box	21:30
* jdstrand drools over kees' RAM		21:30
NCommander	2.30Ghz dual core, 2G RAM	21:30
kees	NCommander: my job is doing lots of compiles. :)	21:30
NCommander	kees, that machine might have a qmail security bug on it ;-)	21:30
* kees lucky and does not run qmail :)		21:30
NCommander	kees, well, you can use rebuildd, or if you want to load balance and get people to help buildd, setup a buildd cluster ;-)	21:32
fReAkY[t]	hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?	21:32
NCommander	kees, rebuildd gets you something nice like this: http://builder.ubuntuwire.com:9998/dist/intrepid/arch/i386	21:32
NCommander	actually, rebuildd has load balancing :-) (more than one host can build at a time)	21:34
=== PrivateVoid is now known as PV_Away
gegema	Is editing /etc/network/interfaces the best approach to setup my ubuntu server to use a static IP (instead of DHCP)?	21:41
arakthor	I think it is	21:43
jmedina	gegema: always use static in servers, if your dhcp server goes down your users are not going to be able to reach the server, unless you use a really big lease time, but it is hard	21:43
gegema	Will do - Thanks!	21:47
fReAkY[t]	hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year?	21:50
NCommander	fReAkY[t], you can't, you need to generate a new certificate	22:00
fReAkY[t]	yea but how?	22:04
fReAkY[t]	i dont know the command line - man make-ssl-cert doesnt have any -days commandline option like apache2-ssl-certificate	22:05
NCommander	I don't remember off the top of my head	22:09
didrocks	jdstrand: ok, I think I saw pretty much everything in your ufw test (I love reading shells). Very impressive work for testing regressions, congrats! :) (the only think I didn't understand is the dry-run option, but it is ufw intern model). I will try to make something in the few days regarding case sensitiveness testing. I think there is no much work to do as your architecture is very straightforward and flexible	22:12
jdstrand	didrocks: great, thanks! :)	22:13
didrocks	so, it's getting late. See you tomorrow :)	22:13
jdstrand	didrocks: the --dry-run is really just to see what rules would be added to the firewall. it is useful in regression testing too (as you've seen)	22:14
jdstrand	didrocks: have a great night!	22:14
didrocks	jdstrand: ok, understood. Thanks a lot. You too :)	22:14
NCommander	kees, I modified my pbuilder instance to use hardening wrapper, I just need to tweak it to always enable, right?	22:17
kees	NCommander: do you have instructions for it?	22:18
NCommander	kees, pbuilder login --keep-after-login	22:18
NCommander	;-)	22:18
kees	heh	22:18
NCommander	$default{'DEB_BUILD_HARDENING'}=0;	22:18
kees	well you need to export DEB_BUILD_HARDENING=1 as well	22:18
NCommander	I just want to set that to 1 to make it do the right thing	22:18
kees	righto	22:18
NCommander	PIE already set ot one	22:18
* NCommander saves		22:18
kees	can you add details to https://wiki.ubuntu.com/Security/HardeningWrapper	22:18
NCommander	Ok, pbuilder is updated	22:19
NCommander	Now to just start rebuildd	22:19
* NCommander figures out where to send the mail		22:22
* NCommander figures out how to initalized rebuildd database		22:27
Derander	Is it possible to create an ssl certificate for multiple domains? (I'm trying to set this up for a dovecot/postfix mailserver)	22:29
jmedina	Derander: you can use the same cert for virtual domains, but you will get browser warnings	22:31
Gargoyle	Derander: Not that I know of. But why don't you just have a single name (mail.myserver.boo)?	22:36
NCommander	kees, good news, it seems ubuntuwire will do the rebuild	22:37
kees	NCommander: nice. :)	22:41
NCommander	kees, there hardware takes 10 days to rebuild universe	22:41
=== fReAkY[t] is now known as freaky[t]
NCommander	So probably 12 for main+universe	22:41
kees	NCommander: that rocks! :)	22:42
kees	NCommander: will you add the repo details to the wiki page?	22:42
NCommander	We won't publish the repo until the rebuild is done	22:42
* kees nods		22:42
NCommander	Limitation of ubuntu wire	22:42
NCommander	(I'm just going to sign all the changes and shove them somewhere)	22:42
=== jmedina is now known as psymedina
NCommander	That being said, if there is enough interest in an intrepid-hardened, it may be worth actually maintaining it and such beyond just doing a one-shot experiment	22:44
NCommander	brb/bbiab	22:45
=== freaky[t] is now known as fReAkY[t]
kees	NCommander: might want to call it "intrepid-pie" though, since intrepid itself is pretty well hardened (just lacks PIE)	22:53
=== fReAkY[t] is now known as freaky[t]
hads	Ibex pie? :)	22:57
NCommander	and now I'm back	23:07

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!