=== freaky[t] is now known as fReAkY[t] [00:19] hello, is there a posibility to install X and pekwm on ubuntu server? is it too complicated? thanks. [00:28] yes its posible, and you should probably ask #ubuntu how [00:32] pschulz01: What are you trying to do? [00:36] soren: Putting together a question now :-) [00:36] https://answers.launchpad.net/ubuntu/+question/43886 [00:36] soren: Does that make sense? [00:38] pschulz01: Yes. [00:38] pschulz01: Did you take a look at the always_bcc option? [00:38] pschulz01: Alternatively, recipient_bcc_maps might be of use. [00:39] Oooo.... sound's useful :-) [00:39] Should be more robust if I can move it to 'postfix'. [00:59] pschulz01: You could probably abuse postfix-pcre to do the mapping. [01:01] soren: yeah. The 'really' painful thing about this is that I need to keep 'procmail' as the local delivery agent, as a couple of users are using it. [01:07] pschulz01: Is that a problem? [01:07] pschulz01: I'm a bit sleepy, so please bear with me :) [01:12] soren: Um.. just means that I can't just disable procmail delivery and let postfix do it.. 'cause my users want their procmail rules to work. [01:13] soren: The main problem with the second option, is that procmail barfs on some emails.. and I haven't been able to work out why. [01:14] soren: I'm goin gto just do som reading for a while... no huge rush. [01:18] I've never seen procmail fail like that, and I've filtered quite a few e-mail with procmail in my time :) [01:20] Just for my one of my own e-mail accounts I've filtered about a million e-mails since January 2006, and that has never happened to me. [01:22] soren: That's what's confusing me as well.. [01:23] soren: I was inially seeing things like.. [01:23] Command [01:23] died with signal 11: "/usr/bin/procmail". Command output: procmail: [01:23] Exceeded LINEBUF [01:23] .. but I've up the LINEBUF variable, and it still happens. [01:24] Do you have an e-mail that reliably reproduces it? [01:26] soren: No.. that's the next step, but it's a little tricky.. cause they get bounced. [01:27] pschulz01: Set soft_bounce = yes. [01:27] soren: Looks like I can get users to make use of their '.forward' file to run their procmail scripts.. rather than running a global one.. [01:28] pschulz01: Yeah, that's the way it was done back in the ol' days. :) [01:28] soren: .. takes me back. [01:29] Yeah, me too. [01:29] ...to the pain and suffering of being an HP-UX admin. [01:29] * soren is never going back there [01:44] soren: why? [01:45] Why what? Why I'm not going back to HP-UX? [01:45] nxvl: belive me... we live in a much better time. [01:45] soren: oh! i didn't know what you were taking about, but found funny to ask [01:46] :) [01:46] i'm kind of bored in a software engineering class [01:46] The *only* positive thing I have to say about HP-UX is that it's where LVM came from. [01:46] Gerh, I should really go to bed. [01:46] soren: Ever hav to deal with AIX? [01:46] soren: go go go [01:46] pschulz01: i have use solaris on a sparc machine [01:46] pschulz01: Never had the "pleasure", no. [01:47] soren: :-) [01:47] * soren wanders off for bed. [01:47] Take care, folks. [01:47] soren: sleep tight! [01:47] soren: see you at "the office" [01:47] :P [03:11] Where do I place library files for LAMP webserver? (eg, libgd.so.2.0.0) [03:12] why do you want to install the file by hand? [03:13] I just switched from xampp to lamp, I just assume that's how it's done [03:14] * kgoetz googles xampp [03:14] D3RGPS31: i suggest you install one of the packages listed on here: http://packages.ubuntu.com/search?searchon=contents&keywords=libgd.so.2.0.0&mode=exactfilename&suite=hardy&arch=any [03:14] assuming you run 8.04 of course [03:15] If that package was installed before switching to lamp, should I reinstall it? [03:15] if you installed it from the ubuntu repositories you shouldnt have to, no [03:17] Would install by tasksel be the same? [03:18] yes, tasksel should use the ubuntu repos [03:18] Then they're both installed through the repository [03:22] So, what can I do? [03:34] How's UFW integration coming? Is it completed? === lamont` is now known as lamont [08:15] I'm using postfix/dovecot. I'm authenticating off of a fake users file in /etc/dovecot/users. Users are like 'name@domain.tld'. Is there a way to alias a user between two domains? I'd like name1@domain.com to deliver to name1@domain2.com [08:40] Can I use htaccess password authentication with SSL? [08:41] yes [08:41] Does it require anything different from the norm? [08:42] for what value of 'norm'? [08:42] you'll need ssl certs at least [08:44] have SSL setup, but my htacces doesn't work now (after I set SSL for a certain web folder) [08:44] what does "doesnt work" mean exactly? [08:44] Alright, I'm confused. I'm running a mailserver with postfix/dovecot and ssl. I have an ssl cert that works for domain1, for some reason it also works for domain2 but it does not work for domain3 [08:44] I'm not prompted to type in a name//password [08:45] but I was when it didn't have SSL set on it [08:45] ... are we talking htaccess or email here? [08:45] htaccess [08:45] how did the email come into it? [08:46] email? [08:46] kgoetz I think you're confusing me with him. [08:46] Derander is talking about email >.> [08:46] xD [08:46] Derander: so i am :) [08:46] :x [08:47] sorry for not going into decent detail, been drinking coffee for once, kinda clouding my thoughts [08:49] * kgoetz is currently fighting apache, so not in the greatest mood himself ;) [08:51] Let's say I used htaccess for a http virtualhost on port 70, then i switched that to https, would the htaccess require something different >.> [08:53] D3RGPS31: 'switched to https' how? [08:53] using a virtualhost to redirect? [08:55] I don't know if redirect is the right word [08:57] eg. port 80 with just http set to /var/80, port 70 with SSL to port /var/80? [08:57] * kgoetz suspects that didnt come out right ...? [08:57] port 70 set to /var/80? * [08:58] D3RGPS31: pastebin your vhost configuration. i cant work out what your doing [09:02] http://pastebin.com/d5430cc9b for non-SSL; http://pastebin.com/d7d74936a for SSL; I use two seperate vhost files [09:05] i dont see a redirect taking place *g* [09:06] I didn't understand what was meant by redirect [09:08] D3RGPS31: http://www.maincontent.net/examplehttpd.txt look at this for an example [09:11] so port 80 and port 443 point to the same directory? [09:11] 80 doesnt point to a directory at all [09:11] it just points to port 443 [09:12] ah! [09:15] but, what's stopping an authentication prompt from popping up under my SSL connection [09:15] i didnt see a prompt for it [09:15] it's in the htaccess file, that's in my /var/70 directory [09:16] then its probably an error in your htaccess file. have you checked your logs? [09:16] checking! [09:18] * delcoyote hi [09:21] hi [09:23] moin [09:23] can i avoid that .gvfs stuff somehow? when root tries to read it, he gets permissions errors. that crap is making my cronjobs fail... [09:25] I see nothing about htaccess in the logs, it works without SSL but not with SSL [10:00] siretart: Not specifically; bug 252499 is probably the nearest [10:00] Launchpad bug 252499 in nis "When nis server is not reachable during startup, system gets very slow and HAL fails to initialise" [Undecided,New] https://launchpad.net/bugs/252499 [10:15] moldy_: You have cronjobs failing because root can't read .gvfs? What exactly are these cronjobs trying to do? [10:25] How can I find out what my gateway ip is from the terminal? [10:29] jpds: /sbin/ip route show 0/0 [10:30] DiesIrae: Thanks! [10:32] you're welcome [10:35] soren: different stuff [10:36] soren: doing backups (rsnapshot), and other maintenance stuff on users' homedirs [10:36] i know how to work around it, but i would like a solution instead of a workaround [10:36] what is the rationale of root not being able to read stuff? [10:37] That's the way fuse works. [10:37] hmm, that sucks. [10:38] moldy_: https://bugs.edge.launchpad.net/ubuntu/+source/rsnapshot/+bug/247777 [10:38] Launchpad bug 247777 in rsnapshot "the .gvfs directory in a user's home directory causes rsnapshot to take an incorrect backup (dup-of: 225361)" [Undecided,Invalid] [10:38] Launchpad bug 225361 in gvfs "Superuser cannot access ~/.gvfs folder when mounted " [Medium,Triaged] [10:39] uvirtbot`: nick uvirtbot === uvirtbot` is now known as uvirtbot [10:39] what does "triaged" mean? [10:41] anyway, i guess i have to adjust my cronjobs and just wait for a fix... [10:44] Triaged as in; looked at, noticed and prioritised. [10:45] ok, thanks [10:47] moldy_: What is your workaround? "--exclude .gvfs"? [10:47] moldy_: -x, perhaps? [10:51] soren: yep [10:51] soren: for rsync/rsnapshot, i use exclude [10:51] other scripts do similiar stuff, or they unmount the thing [10:51] i have one script that deletes and recreates certain home directories every hour [10:52] Is it really your intention to backup stuff under .gvfs? [10:52] no [10:52] for backups, i exclude it [10:52] Then what would be "a fix" to you? [10:52] the proper fix IMHO is to make it accessible by root [10:52] Err... [10:53] You *just* said you don't want to back it up. [10:53] so? [10:53] ...so you want to --exclude it anyway. [10:53] yes [10:53] but it is brain-damaged that every backup routine on the planet should be adjusted to gvfs [10:54] think of it this way: [10:54] the point is not wether it is backed up or not, the point is that it makes the backup routines appear to *fail* [10:54] If gvfs (actually fuse) didn't act this way, you'd be backing up *anything* *any* user might have mounted using gvfs. [10:54] that's my decision to make, not gvfs's [10:55] and backups are not the only concern here [10:56] if some maintenance script does e.g. a find on a user's home dir, it will get messed up because find will return an error because it cannot read gvfs [10:57] people assume that root is able to read everything in users' home dirs [10:57] if your system uses gvfs, you now have to special-case it everywhere [10:57] I know. [10:58] the alternative is to ignore *all* such errors, which is also often undesirable [10:58] ...I firmly believe that that is the case anyway. [10:58] $home is completely the wrong place to put such stuff then, imo [10:58] It belongs to the use? [10:58] user? [10:58] so what [10:59] put it in /tmp [11:00] That also sounds a bit counterintuitive. [11:02] i think it is alot less counterintuitive than root not being able to read stuff in /home :) [11:03] moldy_: Perhaps. In any case, I suggest you talk to the desktop guys. gvfs is their terriroty. [11:03] territory, I mean. [11:04] well, the bug is already reported, i guess i should just wait === Bambi_BOFH is now known as Kamping_Kaiser [12:50] good morning [12:51] Hey, nxvl. [12:53] soren: hi! how are you? [13:04] nxvl: Pretty good. A bit sleepy, though. I'm trying to cut down on coffee. [13:05] soren: yeah i will go for some coffeine in a bit [13:05] :D [13:10] morning [13:10] LARTC - want to limit all upload from a specific ip to 20kb/s. anyone that knows it and want to save me alot of time to read into this topic? :D [13:27] While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) [13:33] andrethehook: i had to edit the mysql config and comment out a line.. just dont know which it was [13:33] something starting with p [13:39] Dedi: thanks, i'll look into it :) [13:39] Dedi: same problem btw? [13:41] andrethehook: hm i had something like that while upgrading. but that was with intrepid [13:53] soren: btw, did you finally manage to include the python rewrite into intrepid? [13:53] managed* [13:59] nxvl: The source package was accepted, but the binary is still stuck in the NEW queue. [13:59] nxvl: But in short: Yes, I did :) [13:59] \o/ [14:00] But please keep this to yourself. Otherwise I won't have anything useful to say at the meeting today. :) [14:00] heh [14:00] :D [14:00] ok [14:10] lamont: Having fun with the new postfix update yet? [14:12] ScottK: ah cool, it is out. [14:13] I still have a little bit of a dance to do - I just got the final version yesterday. [14:13] While following the perfect setup guide for 8.04LTS (http://howtoforge.org/perfect-server-ubuntu8.04-lts-p4) i get an error while installing mysql-server, you can see the output here http://pastebin.ubuntu.com/42682/ something with the initscripts.. i can not stop bind9 server either, but have to kill it :/ anyone have some tips for me? :) may it be a error in the initscript? [14:13] or maybe a bug? [14:34] ScottK: now I just need to decide if intrepid cares enough to have an upload before I sync from debian... [14:36] I'd think not. [14:37] lamont: My 'fun' thing for the day was finding out at midnight lastnight that all of KDE4 needed to reuploaded and build before alpha5 and Riddell is on vacation. [14:37] There aren't many Kubuntu core-dev, so I was up a bit late. [14:37] I'm going to take a nap. [14:38] Hi everyone! [14:40] i don't know what i did, but ubuntu 8.04 simply doesn't accept any login and has something new in the login screen such as "Ubuntu intrepid (development branch) tty1" [14:40] hrm.. I guess if I request a sync, I should at least upload the package.. . :-) [14:40] the last thing i did was playing with samba + win active directory integration [14:41] byte_slave: you're not running 8.04 if it says 'intrepid' [14:42] the base installation was 8.04 is now is Intrepoid ( the new ubuntu release right?) it was a process that made some core updates without warn me [14:46] New bug: #264004 in postfix (main) "Please sync postfix 2.5.4-1 (main) from Debian unstable (main)." [Wishlist,Confirmed] https://launchpad.net/bugs/264004 [14:47] you upgraded from a stable long-term-support to an unsupported development release... of course things break :-( [14:48] OTOH, it should work.. so bugs should be filed when you figure out why they broke [14:58] lamont, ok. you think some process inside must be programmed to go to web and update without ask? [14:59] because i didn't nothing, neither a single apt-get upgrade-distro ou whatever [14:59] nf [14:59] no ideas [15:00] dammit, what happened why my happy box? [15:01] well, i'll try so google for some more info.. and see if i can do a [15:01] an easy downgrade === S^n1x is now known as Shanix [15:49] meeting in 10 minutes? [15:53] zul: yes indeed === andrethehook is now known as twoSharp [17:01] nijaba: Note: I'm moving the vmbuilder code. [17:01] soren: np, thanks for letting me know [17:02] nijaba: There. Moved from https://code.edge.launchpad.net/~ubuntu-virt/ubuntu-jeos/python-rewrite to https://code.edge.launchpad.net/~ubuntu-virt/vmbuilder/trunk [17:15] <_ruben> grr .. perl on this box is still "confused" .. http://paste.ubuntu.com/42739/ [17:36] New bug: #263178 in postfix (main) "package postfix 2.5.1-2ubuntu1.1 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/263178 [17:37] meh [18:18] okay holliday is over anyone alive? [18:40] jdstrand: around? [18:40] didrocks: yep, hi [18:40] Hi :) [18:40] 1/ thanks for the hug :) [18:40] 2/ I am sorry, I just had the time to look at the case insensitive trick in ufw [18:41] it was quite easy I think, and I made yesterday a branch from your trunk and normally achieve it [18:41] (bzr is very cool, btw) [18:41] didrocks: I only looked at the bug briefly a few minutes ago [18:42] didrocks: thanks for the patch :) did you run 'run_tests.sh' after the patch? [18:42] hum, no, what is it? :) [18:42] (or build the package-- it's run there) [18:42] oh, I just rerun it dynamically [18:43] Indeed, I have made some symlink to my branch in intrepid [18:43] python rocks for that :) [18:43] it's a collection of tests to make sure everything is still working ok [18:43] (I just simlinked application.py and frontend.py) [18:43] Ok, I give it a try now [18:44] does ufw has to be setup or can I just run it in my branch? [18:44] didrocks: just './run_tests.sh -s' from the top of your branch [18:45] ok, there is some fails. I have to compare it to your trink :) [18:45] (on --dry-run, specifically) [18:45] trink/trunk [19:31] jdstrand: so, I corrected the errors. I am just trying to setup my VM up again (seems to be broken) to perform some manual tests [19:38] * jdstrand nods === p0w4h` is now known as p0w4h === emgent`NL is now known as emgent`nl [20:14] kees: do you have a wiki page or blog post where you've explained/tracked your PIE work ? [20:14] jdstrand: I finally got my vm work unactivating acpi. So, I made some tests and it is ok. I push a new revision in my branch [20:14] didrocks: thanks [20:14] :) [20:15] kees: I'm writing up a post about what has been done in the archive in august and some of them are related to your work on PIE [20:15] mathiaz: well... it's a bit scattered. [20:15] jdstrand: I will have a look at your test shell to add non regression for case insensitive, if possible :) [20:16] kees: did you try to rebuild all of the archive with PIE enabled ? [20:16] mathiaz: I did, yeah. that was back in hardy though. [20:17] kees: ok - so rather than enabling pie in the default build, it has been decided at UDS at PIE would be enabled on a per package basis [20:17] kees: ? [20:17] mathiaz: PIE is mentioned here... http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/ http://wiki.debian.org/Hardening [20:18] mathiaz: that's correct [20:18] kees: and in order to enable PIE, a dependency on hardening-wrapper is added to the package [20:19] kees: where as all the other hardening things have been enabled directly in the compiler [20:19] mathiaz: well, there is what I'd call "native" PIE (see openssh and samba), and "wrapper" PIE. In the case of the wrapper, two things are needed: the hardening-wrapper build-dep and "export DEB_BUILD_HARDENING=1" in the debian/rules file [20:19] mathiaz: right, which are documented here: https://wiki.ubuntu.com/CompilerFlags [20:20] kees: and native PIE is when the upstream source code directly support PIE ? [20:21] mathiaz: well, either upstream directly (samba's "--enable-pie") or via the packaging which passes the options in to the native build process (openssh) [20:21] kees: ok - thanks for your input [20:21] kees: that should be enough for the blog post [20:22] mathiaz: sure! sorry I haven't kept the PIE details in a single place. :P [20:22] kees: would you consider that PIE is the last point on your hardening list ? [20:23] hi all. i have set up an apache2 ssl cert using this guide: https://help.ubuntu.com/community/forum/server/apache2/SSL but the newly created cert is only valid for 1 month. how can i change that to be valid for 1 year? [20:23] mathiaz: there is one more, which is pretty minor, but is similar to PIE in that I'd like to do it on a per-package basis: "-Wl,-z,now" [20:23] mathiaz: but I'd like to wait until intrepid+1 for that, since it depends on the intrepid -Wl,-z,relro change === leonel_ is now known as leonel [20:28] hello .. will tomcat6 be moved to MAIN ?? [20:28] leonel: it's the plan [20:28] mathiaz: anything I can help ?? [20:28] leonel: MIR have been written and the goal is to add a task during the installation [20:29] mathiaz: ok .. [20:29] leonel: from a development POV not really. However testing is always very welcomed. [20:30] kees: the vast majority of package would require the use of the hardening-wrapper to enable PIE rather than native support ? [20:32] mathiaz: it is by far the simplest approach -- there are two complexities in doing PIE via packaging changes: a) detecting the arch and disabling PIE on arch that don't support it, b) successfully plumbing the CFLAG and final link flags down into the upstream build system. [20:32] mathiaz: very few upstreams have knowledge of PIE already (frankly, prior to last week, I would have said "none", but samba actually does have it) [20:39] kees, the problem is that PIE code in GCC historically has had issues [20:39] kees, especially late 2.x series and 3.x on PowerPC and m68k, -pie would sometimes generate non-working code [20:40] kees, and on x86, the performance hit is large enough that unless you have a very fast machine, it hurts :-/ [20:40] NCommander: ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:arm:)) [20:40] kees, what's that from, samba? [20:40] yawp. totally disabled on m68k, hppa, arm. [20:40] NCommander: that's from hardening-wrapper [20:40] We finally got pie fixed in the 4.x series [20:40] But PIE is slow slow [20:41] (go try gentoo with it on and off, its a notable difference on x86) [20:41] NCommander: PIE is only slow with arch that have very few general registers (ia32) [20:41] Right [20:41] x86 [20:41] NCommander: there was virtually no measurable change on x86_64. [20:41] I know [20:41] I said it was just x86 [20:41] yeah, totally agreed. [20:41] I was just noting GCC has a bad track record with PIE [20:42] GDB's is worse. ;) [20:42] No better way to find bugs than to use a buggy feature. ;) [20:42] My first thought when I looking at the MySQL build failures is that PIE was generating bad code, not slowing down MySQL to the point of failing its test suites [20:42] NCommander: I'd agree with that. When I narrowed down the mysql issue, it was segv'ing the server in exactly _1_ test. [20:43] which, I find to be rather scary. [20:43] Like I said, I've always been weary of PIE with GCC [20:43] yeah, hence this gradual approach. [20:43] And Microsoft went as far as disallowing position independent code with their compilers [20:43] on the other hand, lots of stuff has been PIE in RHEL/Fedora for a while now. [20:43] (its sorta amazing/scary how they implemented shared libraries without PIC code) [20:44] obviously not mysql :-) [20:44] TBH, mysql does some rather stupid code tricks, so it doesn't shock me so much that you get issues with it [20:46] for intrepid+1, I'm pondering enabling PIE for all of x86_64 and seeing what burns down. I suspect it will be my house, care of doko. :) [20:47] kees, I've got an Ubuntu x86_64 buildd setup [20:47] Once the archive enters final freeze, I don't mind running the entire archive compile end to end [20:47] (probably will take a week or two to finish) [20:48] NCommander: two people doing it is better than one. :) I've not tried doing universe, but I've done full main rebuilds in about 2 days. [20:48] the issue I may hit is that of space. I hadn't been saving the .debs [20:48] Its just a matter of catching build failures [20:48] But if you want, I have a 500GB hardddrive [20:48] this time, if I save the debs and shove the updates into a VM, it'll be interesting to see the results. [20:48] and a dak installation already on it :-) [20:48] heh. [20:49] Yeah, the only "fun" part with dak is setting overrides [20:49] But I can just grab the ones from Debian [20:49] yeah [20:49] When do we hit the freeze date? [20:49] (or would you like to rebuild the archive sooner then that ;-)) [20:49] last thursday. ;) [20:49] I mean final freeze/hard freeze [20:50] looks like oct 30 [20:50] That far away? [20:50] Damn [20:50] https://wiki.ubuntu.com/IntrepidReleaseSchedule [20:50] kees, do you use Soyuz as your buildd, or the Debian w-b/buildd combo [20:51] I actually use sbuild for local testing [20:51] for rebuilding the entire archive? [20:51] (buildd uses sbuild internally) [20:51] yeah. [20:51] Ouch [20:51] I'm not that crazy [20:51] it's a pretty simple script. [20:51] I actually use a wanna-build/buildd/sbuild combo [20:51] Yeah, but no load balancing ;-) [20:52] I just beat my desktop to death for a day or so. :P [20:52] usually start it friday night [20:52] yeah, but if you have someone helping oyu with universe ... [20:53] kees, well, its an interesting experiment at any rate which I'd like to help do ;-) [20:54] I've got to run, but we'll talk later [20:54] NCommander: cool, thanks, cya [21:08] kees, you still around? [21:08] oops, he vanished. === mcasadevall_ is now known as NCommander [21:09] kees, you still around? [21:09] kees, :-P [21:09] -NickServ- You may not ghost yourself. [21:09] Nickserv is lagging [21:09] NCommander: yawp [21:10] would you like to write up a spec on building amd64 with PIE and see how the archive explodes? [21:11] NCommander: sure, I'll certainly do that when we start the spec-writing surge for intrepid+1 [21:11] * NCommander would like to see the hardening also tested on ia64, sparc, and powerpc [21:11] Oh, so you want to wait until after intrepid is released for this experiment? [21:12] NCommander: I suppose I could write the spec any time. :) [21:12] NCommander: I'll do it this week and blog about it. [21:12] Well, I'll write the spec, but I mean when would you want to do the experiment [21:12] (two computers could grind through main in less than a day, universe will take longer though) [21:12] experiment could be done any time. [21:12] * NCommander pops up the wiki [21:13] * NCommander cricks neck [21:13] I've got amd64, and powerpc hardware. Want to donate some sparc to the cause [21:13] I'm really only interested in amd64 myself. [21:14] I'm just noting the more common server architecturs [21:14] NCommander: so should I write the spec, or are you already doing it? [21:14] Assuming I can kick the wiki alive [21:14] * kees nods [21:17] kees, think we could convience Canonical to let you have intrepid+1 build with PIE/hardening on by defualt? [21:17] NCommander: well not specific to Canonical, but that's the goal. [21:17] NCommander: I'm adding the spec now.. (on LP) [21:18] I'm writing the basis of the wiki entry, you'll have to flesh it out somewhat [21:18] Maybe ask Canonical to add a new distribution - Ubuntu Hardened, with everything compiled with hardened wrapper [21:19] hardbuntu [21:19] NCommander: the otherhead for that is huge. besides, everything is compiled with all the hardening options (excepting PIE) in intrepid. [21:19] I didn't know that [21:20] Deeps, I think a less suggestive name would be in order ;-) [21:20] NCommander: yeah, that was my goal for intrepid: https://wiki.ubuntu.com/CompilerFlags [21:20] kees, it would just be additional load on the buildds , but it shouldn't be so hard to get launchpad extended in such a matter [21:20] NCommander: okay, BP registered: https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default [21:20] NCommander: it would double the size of the amd64 archive. :P [21:21] What's another 20GB? [21:21] (which is the size of the amd64 archive) [21:22] it could be done via PPA too [21:22] yay, 1GB limitations :-) [21:22] And it would require manually tweaking each control file, I just want to install hardening-wrapper right into the chroot so I don't need to manually set it [21:22] oh, is there really a size limit on PPAs? [21:22] what does PIE do? [21:23] kees, 1GB [21:23] arakthor, it causes code to be position independent [21:23] arakthor: makes the program relocatable in memory. then combined with kernel ASLR, the program loads to different locations each time. [21:23] gotcha [21:23] arakthor: that makes it harder to exploit a memory corruption vulnerability. [21:24] yup [21:25] kees, https://wiki.ubuntu.com/PIEExperimentSpec#preview [21:26] The problem is PIE historically has had some issues in GCC, and due to the "design" of the x86 architecture, has a speed hit on that architecture [21:26] (x86_64 is spared from that issue by being 64 bit and having more general purpose registers) [21:28]