/srv/irclogs.ubuntu.com/2009/12/14/#ubuntu-server.txt

lamontScottK: hey - got an example build for bug 495564?00:03
uvirtbotLaunchpad bug 495564 in launchpad-buildd "Depwait package fails build instead of returning to depwait if build-deps are uninstallable" [Undecided,Confirmed] https://launchpad.net/bugs/49556400:03
lamontthat you haven't already retried, that is....]00:03
ScottKNot sure.  Let me check.00:03
ScottKlamont: Maybe https://launchpad.net/ubuntu/+source/kdeutils/4:4.3.80-0ubuntu1/+build/138298800:06
lamontthat looks like the output we've never managed to parse, since it's missing stuff we kinda need00:21
ScottKlamont: If you can improve the instrumentation to get more data, we've got another KDE upload next week.  That should produce the conditions for this.00:30
lamontScottK: the issue is that "but it is not installable" doesn't tell us _why_, or what the corrective action should be.00:34
ScottKlamont: In these conditions packages used to reliably stay in depwait once they got there to begin with.  IDK what has changed recently.00:37
lamontScottK: yeah - what I need to see is what the log looks like in a build with that condition on jaunty, vs on karmic00:42
lamontrather, karmic vs lucid00:42
lamonthrm... hardy vs lucid, actually00:42
LyonJTIf i do chmod 777 {folderName} and i want all the files to have the same permissions what do i put?01:07
ZiberLyonJT: -r01:07
Ziberor /*01:07
Zibereither: chmod -R 777 foldername/01:08
Ziberor chmod 777 foldername/*01:08
twbNote that you probably don't want files to be executable.01:10
twbchmod -R a+rwX will make all three octets readable, writable and *maybe* executable.01:10
twbThe uppercase X means that executability is only applied if at least one execute bit is already set.01:11
twbFor example, directories and scripts will go from 755 to 777, but files will go from 644 to 666.01:11
LyonJTcheers Ziber01:11
twbAlso note that 777 is rarely what you want -- study the meaning of the "sticky" bit for directories, and cf. the permissions on /tmp.01:12
ChrisRuthow secure are user's passwords on Ubuntu-Server? For example is it possible for root to see (in plaintext) the passwd of users on the system?01:25
qman`no01:26
qman`passwords are hashed in either md5-crypt or sha25601:26
ChrisRutisn't md5 cracked (or crackable)?01:27
qman`sha256 support was added and made default in jaunty01:27
ChrisRutis there a way to force sha256 on Ubuntu Server 8.04 (hardy)?01:27
qman`md5 is not cracked, but it is possible to brute force the hashes through rainbow tables01:27
qman`no01:27
ChrisRutright, that's what I meant01:27
qman`it is not supported in hardy01:27
qman`however01:27
qman`md5 is still reasonably secure, and the hashes are only readable by root01:28
qman`so you would have to have a significant compromise first01:28
qman`before anyone got a shot at your shadow file01:28
qman`and then they would have to brute force it with a reasonably large cluster for a few months01:28
qman`providing your passwords are good01:28
qman`if you have weak passwords, nothing can help you01:28
qman`if you're concerned about weak passwords, I suggest you brute force it yourself with john the ripper01:30
ChrisRutk, thanks for the info qman`01:31
twbqman`: I thought LDAP used SHA101:32
twbAt least, when using exop01:33
qman`twb, I don't know about ldap, but the shadow file uses md501:34
twbqman`: I was poking re. sha25601:35
twbChrisRut: usually a rubber hose is a faster means of getting the passwords.01:35
twbChrisRut: and of course with physical access they can do whatever they want01:35
ChrisRutrubberhose?01:36
qman`oh, it's actually sha512, my mistake01:36
twbChrisRut: http://en.wikipedia.org/wiki/Rubber_hose_cryptanalysis01:37
qman`# The "sha512" option enables salted SHA512 passwords.  Without this option,01:37
qman`# the default is Unix crypt.  Prior releases used the option "md5".01:37
qman`in /etc/pam.d/common-password01:37
ChrisRutqman`: but that's still only for Jaunty and up right?01:37
qman`ChrisRut, yes01:37
ChrisRut:(01:37
ChrisRutI can't wait for 8.10 (LTS), so that I can start using that.01:38
ChrisRuterr 10.401:38
qman`yeah, a lot of great new stuff has come out since 8.0401:38
qman`definitely looking forward to lucid01:38
ChrisRutmy VPS host only provides LTS images, so 8.10 and up aren't available01:39
twb!dist-upgrade01:40
ubottuA dist-upgrade will install new dependencies for packages already installed and may remove packages if they are no longer needed. Please see !upgrade for the proper release upgrade methods.01:40
twb!upgrade01:40
ubottuFor upgrading, see the instructions at https://help.ubuntu.com/community/UpgradeNotes - see also http://www.ubuntu.com/getubuntu/upgrading01:40
ChrisRutno, can't upgrade... using Virtualmin01:41
ChrisRutVirtualmin doesn't play nice with non-LTS ubuntu01:41
twbChrisRut: sorry, I'm abusing the channel to talk to ubottu01:42
ChrisRutohh,you weren't talking to me?01:42
twbChrisRut: correct01:43
ChrisRutohh my bad01:43
ChrisRutwell, thx for the help qman I appreciate it.01:44
=== ChrisRut is now known as ChrisRut_
qman`no problem01:44
=== ChrisRut_ is now known as ChrisRut
=== ChrisRut is now known as ChrisRut_
RezagratsIs there no torrent for server 9.01 amd64 ?02:07
Rezagrats9.10*02:07
twbRezagrats: why not just do a minimal install, then use apt-bittorrent?02:08
RezagratsTwb, i was asking if there was a torrent for amd64 9.10 server edition... 'cause 30KB/s is lame.02:09
twbRezagrats: you only need to download 15MB to do the base install02:09
RezagratsFor the server ?02:09
twbFor anything.02:09
RezagratsLink...02:10
twbHm, I suppose you'd probably need another 100MB or so over pure HTTP before you could use apt-bittorrent -- I don't think it's supported within d-i.02:10
twb!mini.iso02:10
ubottuThe Minimal CD image is very small in size, and it downloads most packages from the Internet during installation, allowing you to select only those you want (the installer is like the one on the !Alternate CD). See https://help.ubuntu.com/community/Installation/MinimalCD02:10
twbWow, that even has normal links.  I usually just dig it out of dist/main/installer-$arch02:11
RezagratsWhen does 8.04's support end?02:11
twbRezagrats: different packages have different support lengths.02:11
RezagratsRight, but iirc, 8.04 was the extended support.02:12
twbhttp://bazaar.launchpad.net/%7Enijaba/ubuntu-maintenance-check/trunk/ will tell you about individual packages.02:12
twb8.04(Hardy Heron)-Maint.til:Ubuntu->2011-04,Server->2013-04,Kubuntu->2009-1002:13
twbDunno if that extends to packages in universe.02:14
twbIt appears that universe doesn't get support02:29
twbAt least according to u-m-c02:29
jmarsdentwb: That's what I thought, only main is really really officially supported.02:30
twbjmarsden: yeah, some cowboy tried to tell me different a while back02:30
uvirtbotNew bug: #496389 in dovecot (main) "package dovecot-common 1:1.1.11-0ubuntu11 failed to install/upgrade: " [Undecided,New] https://launchpad.net/bugs/49638903:06
thewrathcan someone verify that this is right and what directory that ssl sites need to be put in? http://pastebin.com/m1851660703:10
qman`thewrath, ssl sites can be placed wherever you want them03:12
qman`I don't see anything wrong with that configuration off-hand, provided that the files and directories you've specified exist and there isn't an apparmor profile in the way03:13
thewrathk03:15
thewrathyea i have it setup that only certain directories are ssl03:15
LizardK|ngis there anything like DVDecrypt for Ubuntu?03:16
thewrathqman`: it just gives me the indexing03:17
qman`I don't know what that is, but if you're looking to decrypt DVDs, libdvdread is what you want03:17
thewratheven though in /var/www-ssl/html i have a index.php and /var/www-ssl i have a index.php03:17
qman`thewrath, is php installed and working otherwise?03:17
thewrathyes03:17
thewrathit does not even list any files03:18
qman`so an index.php works on another site configuration?03:22
qman`because I just tested it, and it doesn't require any special permissions03:22
thewrathgot it working03:23
thewrath how do i set up for phpmyadmin to only work in https and not http03:25
=== dendro-afk is now known as dendrobates
fbdystangHi all! I have samba working on a windows network. I have some questions about samba's print server. Where can the printer be connected? A windows computer over USB, linux server, network? How can I install the printer drivers into the server (maybe CUPS)? Thanks in advance ;)03:48
micahgIs there an easy way to make logcheck not report on cron entries like it used to not do?04:04
twbmicahg: install logcheck-database?04:05
twbSet your monitoring level appropriately (e.g. workstation vs. server)?04:06
twbWrite appropriate whitelisting entries?04:06
uvirtbotNew bug: #495213 in mysql-dfsg-5.1 "Server install with LAMP asks three times for MySQL password" [Undecided,New] https://launchpad.net/bugs/49521304:06
micahgthanks twb, seems like I might have to edit the rules a little...04:08
fbdystangHow do I install an HP printer on my ubuntu server from command line? thanks04:53
twbfbdystang: sensible-browser https://127.0.0.1:631/04:55
fbdystangwhat is that? it says the connection is untrusted?04:58
AtomicSparkfbdystang: it's CUPS.05:00
AtomicSparkyou do not have a ssl cert installed, so it's marked untrusted.05:00
AtomicSparkview the cert, and allow it :)05:01
fbdystangI already have cups installed, but it is command line, not gnome, how do I install from command line?05:02
AtomicSparkfbdystang: that's cups web interface.05:02
AtomicSparkYou can also go to http://localhost:631/05:02
fbdystanggotcha05:03
AtomicSparkhidden cups magic <305:03
fbdystangNICE, that's local?05:03
AtomicSparkYes.05:04
AtomicSparkTo enable other computers to access the "print server" you need to edit the cups config file and allow other IP addresses.05:04
fbdystangDude, that's awesome, you're the man.05:04
fbdystangyea, I tried that but to no avail05:04
AtomicSparkIf you change it, you need to reload the cups configuration.05:05
fbdystangdo you mean restart cups?05:05
AtomicSparksudo /etc/init.d/cups reload05:06
AtomicSparkif that doesn't work, use restart instead.05:06
AtomicSparkreload reloads the configs without breaking connections. tis good on production servers.05:06
AtomicSparkbut i'm not sure if everything supports it. most docs just tell you to restart.05:06
fbdystangOH, this is just a little old pc that I loaded ubuntu server on to play around with05:07
AtomicSparkif you're on a newer version of ubuntu, you can 'sudo service cups reload' instead. which is handy.05:07
fbdystangnot a production server05:07
fbdystangyea, its 9.1005:07
AtomicSparkbut i believe hardy didn't have that. maybe intrepid added it.05:07
AtomicSparki actually can only get hardy installed on my proliant, which is why i'm in here. waiting for failure, so i can bug people ;)05:07
fbdystanghaha, nice05:08
AtomicSparkright now it's being silly and not showing me the keyboard shortcut to get into the array menu because it's low on battery.05:09
AtomicSparkC-m mayhaps.05:09
fbdystangOK, so it is asking for a username and password, what is it?05:09
tele9do you really have to give your correct name and address to a registrar as long as you pay? I understand that you don't technically own a domain if it's not your correct name, however, you could write to the registrar that your name/address changed at a later point in time and give them your real name, if it is really necessary. what do you think?05:09
fbdystangAtomicSpark: you there?05:12
AtomicSparkfbdystang: sort of05:14
AtomicSparktele9: depends. i'm pretty sure in the us, that would be fraud.05:14
AtomicSparktele9: a lot of domain registrars have some sort of... privacy option.05:15
AtomicSparktele9: i like nearlyfreespeech.net05:15
AtomicSparkbut it's a pain to pay. no automation.05:15
tele9AtomicSpark: I'd be also pleased with a service that takes my real name, but doesn't publish it in a whois database. I just want to have something that prevents every idiot on this planet from seeing my private address in a WHOIS. only authorities should be able to see it, no one else.05:16
fbdystangAtomicSpark: when you get a sec, i am trying to figure out how to log in with a password to CUPS. thanks05:16
AtomicSparktele9: yes, nearlyfreespeech has something like that. it costs a penny a day. i'm sure other places have a service like it.05:16
AtomicSparktele9: they basically use their info for the whois and any mail you get, they shred.05:17
tele9AtomicSpark: but I don't own the domain then anymore, do I? according to ICANN, the name in the WHOIS database owns the domain.05:17
AtomicSparktele9: you really never own it.05:17
AtomicSparktele9: late on one payment, and you're screwed :(05:18
twbtele9: trying to "hide" your email address from the internet is futile05:18
AtomicSparkfbdystang: looks like it prompts you using html auth when you try to click a button on this page http://localhost:631/admin05:18
tele9AtomicSpark: talking about experience?05:18
tele9twb: not so worried about my email...05:19
twbtele9: oh, you mean your postal address?05:19
AtomicSparktele9: Yes. They charged me $30 to "save" my domain.05:19
tele9twb: yes.05:19
twbMeh.05:19
AtomicSparktele9: i believe you can customize the whois for nearlyfreespeech. i forget.05:19
twbYou mean that people actually post shit to your apartment because you happen to have it in WHOIS?05:19
AtomicSparktele9: like you can just have their address, but keep your name.05:19
fbdystangAtomicSpark: exactly, is there a standard root password for the thing?05:20
AtomicSparkfbdystang: my administrator account works for it.05:20
AtomicSparkfbdystang: so maybe anyone with sudo access?05:20
AtomicSparkfbdystang: we dont root on ubuntu :P05:20
AtomicSparkhold on, my server keeps rebooting and it's annoying.05:21
fbdystangAtomicSpark: I know, like everything else with ubuntu though, ....ok, I tried with sudo and it didn't work :(05:21
=== nxvl_ is now known as nxvl
AtomicSparkfbdystang: tried what with sudo?05:22
AtomicSparkfbdystang: just enter in *your* username and password when it prompts you.05:22
AtomicSparkhaha! i tried to boot off a blank cd :\05:22
fbdystangAtomicSpark: yea that's what I meant, it didn't work05:22
fbdystangNICE05:22
AtomicSparkyou sidetracked me and i never got around to burning ubuntu server.05:22
fbdystanghaha sorry05:22
AtomicSparkor... it failed to burn. interesting.05:23
fbdystangwhat burner you running?05:23
tele9twb: yup, or do even more. identity theft, etc...05:24
AtomicSpark...05:24
AtomicSparkwelp, my desktop asploded. bbl.05:24
fbdystangouch05:25
twbtele9: if you can afford a domain name, you can probably afford a few more dollars for a PO box05:25
twbOr just abuse your office address or something :-)05:26
tele9twb: are PO boxes allowed? I don't think so... but a whois guard sounds good to me.05:26
twbtele9: dunno05:26
twbI stick to dyndns names because I don't give a shit about my TLD suffix05:27
twbThat and I am poor05:27
twb$1/mo would mean doing twice as much work05:27
tele9lol05:29
fbdystangI have an old HP printer connected to a windows computer which is on the network in samba. Can this printer be connected to the network and printed on by others?05:35
fbdystangI mean can it be seen by CUPS and my ubuntu server?05:36
AtomicSparkYes05:36
fbdystangREally? how?05:36
fbdystangI am in the cups webpage admin now05:37
AtomicSparkI'm not sure.05:37
fbdystangdo I have to log into the web page from that specific windows computer?05:37
AtomicSparkNo.05:37
AtomicSparkDo you have an option under "other network printers" for Windows Printer via SAMBA?05:38
AtomicSparkIf not, then samba support isn't installed by default on a server and I haven't done that before. Probably just a simple samba-client thing.05:38
fbdystangyea, "Windows Printer via SAMBA"05:38
AtomicSparkWonderful.05:39
fbdystangI have samba installed, btw did you get your desktop working correctly?05:39
AtomicSparkSo you should be able to use that to add your shared printer on your windows machine.05:39
AtomicSparkThen other computers can technically use your linux server to print.05:40
tele9now that I have found a good registrar, what are good name server hosting companies?05:40
AtomicSparkHere are the docs https://help.ubuntu.com/9.10/serverguide/C/cups.html05:40
AtomicSparktele9: i use my registrar. do you have a website? what kind of host? if it's dedicated or vps, you could set your own dns up ;)05:40
tele9AtomicSpark: setting your own dns up on your vps or dedicated is usually not a good idea. I'd like to keep registrar, name server and web hosting separate.05:41
fbdystangRight, I have read that. I just am not sure how CUPS will see it because the printer is only attached to windows through a usb, not shared05:42
AtomicSparkwell linode also provides dns. separate from your vpn.05:42
fbdystangyet the doc says it will05:42
AtomicSparkfbdystang: get on your windows machine and share the printer! :)05:42
AtomicSparkfbdystang: just like you'd share a file or folder.05:42
AtomicSparkright click, sharing and security, etc.05:42
fbdystangOK, never done that but I will try05:43
* AtomicSpark downloads karmic iso05:43
AtomicSparkoh, by the way, where would I file a "bug" about the server info section of ubuntu.com? who maintains it?05:44
AtomicSparknot having a link to the torrent or other files is :\05:44
fbdystangI could have sworn I got it from a link a couple of days ago05:45
AtomicSparkThere is a link on the "desktop" pages.05:47
AtomicSparkcompare: http://www.ubuntu.com/GetUbuntu/download http://www.ubuntu.com/getubuntu/download-server05:48
AtomicSparkunder alternative download options of the first link, you can go to torrents, which list the server.05:48
AtomicSparkat least they had the sense to push 64bit on the server <305:50
fbdystangI noticed that :)05:50
AtomicSpark08r2 is 64bit only. :305:51
fbdystangboth pages give same options05:51
fbdystangI am not seeing what you are talking about05:51
AtomicSparkFirst link has "Other download options" section and links?05:52
AtomicSparkunder the version choices.05:52
AtomicSparksecond link just goes on about cloud computings. :P05:53
twb"Little Johnny just loves to compute his cloud!  It sure is swell!"05:55
fbdystangAtomicSpark: No, right below the download location is "alternativ download options" which you click on and get the options05:56
fbdystangthere you can switch between 64 32 and 8.04LTS and 9.1005:57
qman`yes, but there is no link to the torrents05:58
qman`that is what he's getting at05:58
fbdystangok agreed05:58
AtomicSparkfbdystang:)05:59
AtomicSparkHappy tomorrow!06:00
qman`I recall having some trouble finding what I wanted this time around, too06:00
qman`ended up finding a mirror and browsing the files manually06:01
qman`I realize they're trying to simplify the page for new users, but that's no excuse for removing important links altogether IMO06:01
AtomicSparkAnyways, hopefully the karmic server installs and I wont have to grumble about grub failures. :)06:03
fbdystangwhy not just download direct?06:03
fbdystangit has grub2 now :)06:03
AtomicSparkTorrents are good mmk.06:03
qman`this time of year, no reason not to download direct06:03
qman`but around launch time, torrents are the only way you'll ever get it06:03
AtomicSparkWell, I like saving ubuntu money :)06:03
fbdystang:)06:03
twbIMO better to download from your local university or ISP mirror06:10
AtomicSparkYeah.06:10
AtomicSparkMy ISP doesnt do that.06:11
AtomicSparkAnd neither does my college.06:11
twbReplace them06:11
AtomicSparkThis is the US, we have monopolies06:11
twbReplace your nation-state06:11
twbYour constitution even guarantees you the right to do so06:11
qman`our constitution guarantees a lot of things06:12
qman`but right now we have some socialists running the place and ignoring it06:12
qman`give it time06:12
fbdystangthere has to be a university around that does06:12
AtomicSparkAlso, there will be an option soon, i believe it's like "do you want to activate the scusi array" (at least it did in intrepix). I have a real array controller and it's setup to manage it. Do I say yes or no? What does this do exactly?06:12
AtomicSparkDebian installer isn't very... explaining.06:12
AtomicSparks/scusi/scsi06:13
=== Basso_ is now known as Basso
fbdystangHow do I connect CUPS to a shared windows printer?07:09
twbqman`: it's quaint how you consider socialism to be a BAD thing.07:14
AtomicSparkDid something change in Karmic? I have my RSA public key in authorized_keys on my server and when logging in, it still prompts for my password and not passphrase. I even recreated my key and used seahorse's wizard. :\07:29
twbAtomicSpark: ask /var/log/auth.log on the server07:39
twbAtomicSpark: probably you have incorrect permissions on a relevant file or directory07:39
AtomicSparkssh -vv claims my key is failing. not sure why. permissions are intact. debugging in -ot07:40
twbAtomicSpark: do what I told you07:40
twbAtomicSpark: the ssh client CANNOT tell you what is wrong07:41
AtomicSparkDec 14 01:41:16 proliant sshd[2317]: Error attempting to add filename encryption key to user session keyring; rc = [1]07:41
twbI don't know what that means.07:42
AtomicSparkMe either.07:42
AtomicSpark:P07:42
twbMaybe your authorized_keys file contains gibberish?07:42
twbIncrease sshd's debugging and restart it07:42
AtomicSparkOne would hope not, i used a fresh .ssh/ dir and seahorse. :\07:43
AtomicSparkNevermind, #36198407:43
AtomicSparkhttps://bugs.launchpad.net/ubuntu/+bug/36198407:43
uvirtbotLaunchpad bug 361984 in ubuntu "Can't login via ssh with public key because of encryptfs" [Undecided,New]07:43
AtomicSparkThere's a bot for that. Cute.07:44
AtomicSparkWell that bug fails, but obvious reason is obvious.07:45
AtomicSparkMy home directory is encrypted, it cant read .ssh if it's not there.07:45
AtomicSparkSo I'll have to put my key into the /etc version.07:45
AtomicSparkWell that wont work either. Nevermind.07:47
pltnhello! does anybody have any advice on what to read about configuring samba4 on ubuntu 9.10 as a domain controller08:12
twbSamba 4 hasn't been released by the Samba developers.08:15
pltnbut "sudo apt-get install samba4" works08:16
twbThere appear to be alpha builds in Intrepid onwards, but you'd be mad to deploy alpha software in a production environment.08:16
pltnhm...08:16
=== Barre_ is now known as Barre
qman`twb, since this isn't #politics, I won't really get into it, but I hold freedom and individual rights above all else, and socialism flies in the face of that08:29
jiboumansgood morning08:31
qman`a good morning indeed, going quite nicely here :)08:33
jiboumansttx++ # fixer of bugs08:49
persiaWould this be a good forum to ask questions about etckeeper default config?09:42
jiboumanspersia: if we have the answer, we'll happily give it to you. so go ahead and ask10:12
persiaheh.10:13
persiaSo, I use lvm on most of my systems, and end up creating and destroying volumes fairly regularly (snapshots).10:13
persiaetckeeper tries to keep track of all of this, which strikes me as noise, but I'm not sure everyone would perceive it that way.10:14
persiaSo I wondered about the feasibility of dropping inclusion of /etc/lvm/backup/* or if someone had a good usecase to keep it.10:15
persia(but I'm somewhat uncertain if this is really a server thing, or more general)10:16
jiboumanspersia: i'm not sure about best practice in this case. a quick google shows this: http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/82dcdcac3376635910:20
persiaThere's also inherently transient stuff like /etc/resolv.conf.  The trick is making sure the default ignore list is correct.  I'm sure everyone has pet stuff they add as an admin, but I'm less confident when it comes to making a change that affects everyone.10:21
persiaAlternately, one could make the argument that some of that stuff doesn't belong there at all :)10:22
Belgarathanybody know what is the status on xen support in karmic kernels ?10:40
persiaA couple weeks ago I heard it didn't work, but that is unverified hearsay.10:41
Belgarathpersia: it is verified10:52
Belgarath:P10:52
Belgaraththere is no xen support compiled in the -virtual kernel10:52
Belgarathand you cannot use older host kernels anymore10:53
Belgarathdue to some changes in mountall10:53
Belgarathwhich require newer kernel to be present10:53
persiaBelgarath: I believe the issue was that not enough developers were working on Xen.  If you use it, and you'd be up for making sure it works, I'm sure that it could come back for lucid.10:55
Belgarathpersia: ok, I am following the bug in the launchpad10:57
Belgarathwhat more can I do?10:57
persiaNot being someone who understands the Xen stack, I'm not sure precisely.10:59
persiaBut submitting patches that would make it work, etc. tends to be a good place to start.10:59
persiaPerhaps someone more familiar with Xen can comment on how you can help in more detail.10:59
twbtriaging bug reports is also a good way to get started10:59
persiaIndeed.11:00
DavieyIMO Xen needs some serious QA.11:01
DavieyCurrently it receives little, if any11:02
DavieyEspecially as most issues get raised post-release.11:02
Davieysuch as not having a usable kernel :)11:02
Davieykernel oops generating locale in chroot.11:02
BelgarathDaviey: to be honest I wouldn't even notice this11:07
Belgarathbut karmic requires a newer kernel than my host has11:08
Belgarathand I wanted to use the guest kernel rather than host to boot it up11:08
Belgarathmaybe that is why these things do not get attention11:08
PC_Nerd101Hi,  I'm looking to have a number of server installations on a private network -  all running identical installations including packages etc.  Is there any way to set up a mirror that only downloads and updates those packages which are requested through it from the LAN...ie-  it doesn't store all 220 og GB, just the few packages that it is requested of?12:18
jiboumansPC_Nerd101: this forum thread has some great pointers: http://ubuntuforums.org/showthread.php?t=12364012:21
jiboumansbasically, 'yes you can' and that thread shows 3 or so ways that might be useful to you12:21
druhey people....this is a rtfm question: a 0700 filepermission is viewable by the user or is there something im missing here12:34
jpdsdru: It is.12:35
druim still trying to make samba users folders inaccessible to other users. according to the man samba inherits the filepermissions used by the system. meaning that a file with a 0700 permission shouldnt be viewable to other users. I must be missing something12:36
sorendru: "viewable" is slightly ambiguous.12:38
sorendru: Other users can /see/ the file. They just can't open it and see its contents.12:38
=== dendrobates is now known as dendro-afk
PC_Nerd101jiboumans: Thanks - I'll look into it :)12:40
drucan I use "." to make files invisible?12:41
druk scratch that12:48
zulmorning12:54
jiboumansmorning zul12:55
zulhey jiboumans12:55
jiboumanszul: i think we got the needed feedback on server-lucid-improve-testcases12:55
jiboumansprobably time for a 2nd pass12:55
zuljiboumans: sure ill take a look at it today12:57
jiboumansthanks zul12:57
zuljiboumans: just trying to wake up ;)12:57
jiboumanszul.insert( coffee )12:57
zuljiboumans: dude I was surrounded by coffee fields when I grew up...hate the stuff12:58
jiboumanszul: ok, jumping face first in the snow may have the same effect, if you prefer12:58
zuljiboumans: meh...im indifferent to it12:59
jiboumanszul: let us know how the landscape code drop comes along as well please13:11
zuljiboumans: will do13:11
zulwhat do people think about putting php 5.3 in universe?13:50
sommer+113:53
sorenzul: Would that leave another version of php in main?13:58
zulsoren: yeah the 5.2.1113:59
sorenzul: There's a separate source package for php 5.3?13:59
zulsoren: i believe so I thought I would throw the idea against the wall and see what people would say14:00
sorenzul: I don't understand the proposition, then. What's so bad about php 5.3 that we prefer 5.2 over it?14:00
sorenfwiw, I don't see this other source package. What's it called?14:01
zulsoren: its still in debian experimental and its not well maintained by debian yet14:01
zuloh wait it isnt a separate source package14:01
zulnm :)14:01
smosergood morning all.14:10
smosersoren, zul ttx, could one of you14:11
Cromulentafternoon14:11
smosera.) accept nomination for karmic for bug 49418514:11
uvirtbotLaunchpad bug 494185 in ec2-init "ec2-init selects us-east-1 mirror when running in us-west-1 region" [Medium,In progress] https://launchpad.net/bugs/49418514:11
smoserb.) sponsor it for lucid14:11
zulsmoser: i can do it14:12
=== dendro-afk is now known as dendrobates
zulbut it will cost you your first born14:12
zuljust kidding14:13
smoserzul, thanks. the lucid isn't all that important, as I expect to be working on ec2-init heavily this week, but please accept the karmic proposal14:13
smoserzul, and be careful what you wish for on the first born thing14:13
smoseri would have thought you'd have learned in the past 2 years that that isn't that smart of a request.14:14
zulsmoser: i would have placed an advert on ebay ;)14:15
smoserah.14:16
zulsmoser: so you want that debdiff in its entirety?14:17
smoseryeah, are you questioning the 'include' ?14:17
smoser   simple-patchsys.mk ?14:17
zulno the debian/changelog14:17
smoseri added that because as it is right now there is no patch system for ec2-init in karmic.14:17
zulits still for karmic14:17
smoserand i wanted the hardy to be easily based off the karmic14:18
zulbut im uploading that for lucid14:18
smoserkarmic == lucid right now.14:18
smoserso lucid isn't that important, but sure.14:18
zulgotcha14:18
zuldone14:22
ttx_smoser: how would the karmic SRU affect the cloud images ?14:29
=== ttx_ is now known as ttx
=== dendrobates is now known as dendro-afk
ttxsmoser: it would get caught in a future image respin ?14:31
zulsmoser: also why did you add simple-patchsys.mk?14:33
=== robbiew_ is now known as robbiew
smoserttx, yes, karmic sru affect cloud images. it would get caught in future respin by design14:43
ttxsmoser: ok14:43
smoserzul, i said why i added the patchsys.mk above, but here again... i did it because right now the hardy deb is based on the karmic and the karmic has no patchsys at all14:44
smoserso, in the hardy , i have some patches that "hardy-ify" the karmic deb, and they're done via simple-patchsys.14:44
zulsmoser: ttx and I just wanted to clear that up14:45
smoseryou can see that diff at https://launchpad.net/~ubuntu-on-ec2/+archive/ppa/+packages14:45
zulgotcha14:45
smoserthe goal was that a diff of hardy and karmic debs would show only the hardy changes14:45
smoserand those would be in patches as patchsys14:46
smoserttx, zul what do i need to do next to get it into karmic?14:48
zulsmoser: file an SRU request14:49
zullemme pull that up for you14:49
zulhttps://wiki.ubuntu.com/StableReleaseUpdates14:50
smoserok14:50
uvirtbotNew bug: #493761 in php5 (main) "php5: build from source: Patch suhosin.patch does not remove cleanly after running configure-* rules" [Wishlist,Confirmed] https://launchpad.net/bugs/49376114:54
uvirtbotNew bug: #495424 in samba (main) "Ran automatic updates. Left system for a while, on return it had tried to reboot & hung, had to recover" [Low,Confirmed] https://launchpad.net/bugs/49542414:54
uvirtbotNew bug: #496157 in php5 (main) "Update to PHP 5.3.x in Lucid" [Wishlist,Confirmed] https://launchpad.net/bugs/49615714:55
uvirtbotNew bug: #495904 in ntp (main) "package ntp 1:4.2.4p6+dfsg-1ubuntu5.1 failed to install/upgrade:  subprocess installed post-installation script returned error exit status 127" [Low,Incomplete] https://launchpad.net/bugs/49590414:56
uvirtbotNew bug: #495481 in dhcp3 (main) "package dhcp3-server 3.1.2-1ubuntu7 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1" [Low,Confirmed] https://launchpad.net/bugs/49548114:58
uvirtbotNew bug: #440685 in tomcat6 (main) "Make it clearer that JAVA_OPTS is about JSVC options" [Wishlist,Fix released] https://launchpad.net/bugs/44068514:59
uvirtbotNew bug: #494783 in dbconfig-common (main) "package bacula-director-mysql 2.4.4-1ubuntu9 failed to install/upgrade: le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1" [Low,Confirmed] https://launchpad.net/bugs/49478314:59
freakynlhi, can i run php 5.1.x on ubuntu 8.0.4? (is it in repository)? we upgraded a webserver and 3 sites don't run on php 5.2.x. i need to temporarily create an additional server with a php 5.1.x version15:23
=== ChrisRut_ is now known as ChrisRut
=== ChrisRut is now known as ChrisRut_
sorenfreakynl: The only currently supported version of Ubuntu that shipped with php 5.1.x is dapper.15:29
freakynlsoren: thx :) dapper is 7.04 i presume then so -server has security updates until april?15:31
freakynloe 6.06 lts then15:32
ScottKfreakynl: Server LTS support is 5 years, so until June 201115:33
freakynlthat should be plenty of time to have them update their old typo3 install... it's giving me serious headaches. restored it in the same way about 15 times and only worked twice (the front-end that is the back-end is always broken can't save new content)15:34
Doonzhey guys im trying to download VMware server 2.0 for ubuntu server. DOes anyone know of the direct download link for the file?15:34
freakynli find it extremely hmm 'surprising' the same backup only works some times. once i had it running and with no changes it just stopped a day later :/15:35
freakynlDoonz: afaik it's behind a wrapper that checks session id15:35
Doonzyeah how can i download it using elinks or wget15:35
freakynlDoonz: no session id == no download. i tried to download it with wget a couple of times15:35
Doonzfuck sakes15:35
freakynlDoonz: don't know how handy you are...15:35
freakynlDoonz: i got it working once. it wget you can pass a cookies file. i exported it from my browser and copied it over to the server then used it15:36
freakynlif they added ip check in the mean time it won't work tho'15:36
DoonzIll just bitch at their sales department15:36
freakynlDoonz: i don't think you'll make much of an impression as a free user :)15:37
DoonzNaw it was for proof of concept15:37
Doonzwe were looking at 3million datacenter15:37
freakynlDoonz: esxi is nicer :)15:37
Doonzyeah but i need to keep it simple15:37
Doonzi still need the ok from management who only understand buzz words15:38
freakynloh throw in some: power savings, consolidation, ha, vmotion (nice for hardware maintenance) they should be shaking hehe15:38
Doonzpretty much15:38
freakynlScottK: thx :)15:41
MatBoydamn sudo sucks for scp15:47
smoserMatBoy, why?15:50
smoser(scp in general sucks for lots of things)15:50
MatBoysmoser: I need ssh keys to copy files :S15:50
cjwatsonso use scp -i15:50
MatBoyyou just can't scp a config file with sudo15:50
MatBoyscp is nice15:50
MatBoykeys it nicer15:51
MatBoyalso with scripting15:51
smoserwhat are you trying to do ?15:51
MatBoyjust SCP-ing some files, that is possible in different ways but I need to use some script for it in the future so keys are nicer than15:52
smoserkirkland, what options do you give to the installer to do an install in console mode ? i remember you talking about driving that "blind" with cjwatson at uds15:53
cjwatsonMatBoy: you can supply a specific key to scp using the -i option15:54
rakedhello......15:54
smoserMatBoy, so 'sudo scp user@host:/path/to/file .' ? and that is not respecting keys of current user or root?15:54
cjwatsonMatBoy: this should be enough to cope with scp's default search algorithm not finding your keys because its home directory is different15:55
MatBoysmoser: your way does not has the good rights15:55
MatBoyon the target15:55
cjwatsonis the problem keys, or file permissions?15:55
cjwatsonyou're not being very clear I'm afraid15:55
kirklandsmoser: well, you have to add "fb=0" on the kernel boot line15:55
smoserMatBoy, could you give the command that you're running and whats not working ?15:56
smoserkirkland, thanks. thats what i needed.15:56
kirklandsmoser: this might help if you want that by default:15:56
MatBoycjwatson: the permissions for sure but I need to copy files anyway in the future without any password that I want to have in my scripts :) so keys are better15:56
kirklandsmoser: sed -i "s/initrd.gz quiet --/initrd.gz fb=0 -- /" foo.iso15:56
cjwatsonkirkland: technically, isn't that fb=false?15:56
kirklandcjwatson: i managed to get it working with fb=015:56
cjwatsonkirkland: undefined behaviour :)15:57
cjwatsonMatBoy: I've given you a solution to your keys problem, I believe15:57
kirklandcjwatson: heh, well, i wanted that sed line to replace an exact number of characters15:57
kirklandcjwatson: and fb=false overruns the buffer :-)15:57
kirklandcjwatson: but it seems to work15:58
=== nihe_ is now known as nihe
cjwatsonok, just don't be surprised if it breaks in the future ...15:58
kirklandcjwatson: sed'ing the ISO, though, is undefined/unsupported behavior too15:58
cjwatsonyes, but (amazingly) perhaps less so15:58
kirklandcjwatson: point me to the code, and I'll make sure that fb=0|fb=false works15:58
=== ChrisRut_ is now known as ChrisRut
cjwatsonkirkland: I'd prefer you didn't. any value other than 'true' and 'false' is firmly out of spec for debconf booleans16:02
kirklandcjwatson: okay16:02
cjwatsonit happens that currently the test is '= true', but in the future it's just as entitled to be '!= false' if that happens to be more convenient for somebody's code16:02
kirklandcjwatson: could we revisit a better mechanism for optionally turning the fb off in the server installer?16:03
cjwatsonat some point when I am doing nothing else, maybe ;)16:03
cjwatsonyou have something which works for now16:03
kirklandsmoser: okay, see cjwatson's comments, that should be fb=false, rather than fb=016:03
TeTeTis there a limit on the number of instances per cluster in UEC? Or is it infinite?16:12
TeTeTkirkland: ^ any idea?16:38
kirklandTeTeT: it's a configurable setting, function of how many cores per Node16:39
kirklandTeTeT: by default, it's 1 instance per core per node16:39
kirklandTeTeT: so if you have 10 nodes, each with 8 CPUs, it's 80 instances16:39
kirklandTeTeT: (sort of)16:39
kirklandTeTeT: you can change MAX_CORES in the /etc/eucalyptus/eucalyptus.conf on the CC16:39
kirklandTeTeT: *however* ...16:40
TeTeTkirkland: argh, wrong question, I wanted to ask about nodes per cluster, sorry16:40
kirklandTeTeT: oh16:40
kirklandTeTeT: there's technically no limit, however, you need to consider your IP address space16:40
kirklandTeTeT: if you're doing regular /24 subnets, you can't do more than 255 VM instances per cluster (CC)16:41
kirklandTeTeT: and the number of instance is a function of your CPUs (see above)16:41
kirklandTeTeT: i recommend keeping it to <255 instances per cluster16:42
kirklandTeTeT: so take 255 / #_of_cpus => that should give you the number of recommended nodes16:42
Davieykirkland: What happens if MAX_CORES=0 ?16:42
kirklandTeTeT: if you want more than that, you need to reconfigure your IP networking to handle a bigger subnet16:42
lauhello what is the purpose of the mail group in /etc/group ?16:43
kirklandDaviey: dunno ... I suspect that your cluster then serves no instances :-)16:43
Davieykirkland: awesome :)16:43
rickspencer3smoser, thanks for the desktop in the cloud work!!16:45
rickspencer3I'll check it out as soon as I get a chance16:45
smosergood deal16:45
TopKatzhello -  I using a hardware raid card.  I'm wondering how I'm supposed to handle a kernel/header upgrade with the cards drivers.  Right now I reboot the system after update, and have to reinstall the drivers, using make install.  I feel Im doing this wrong, as the raid has to come up with no drivers first.  Can I just do the make install before reboot, but after header update.  Should the make install build against the new header16:45
TopKatzbefore reboot?16:45
TeTeTkirkland: thanks16:46
kirklandTeTeT: np16:46
TeTeTkirkland: is the cc issuing the wake up for powersave or the clc?16:48
kirklandTeTeT: CC16:50
kirklandTeTeT: each CC can have a different scheduling policy, actually16:50
kirklandTeTeT: ROUNDROBIN | GREEDY | POWERSAVE16:50
TeTeTkirkland: ok16:51
kirklandTeTeT: we played with this quite a bit last week; worked pretty well16:51
TeTeTkirkland: great to read :)16:54
TeTeTkirkland: would love to know how to separate the cc and clc. but i guess it will be much easier with 10.0417:04
kirklandTeTeT: hard to do in retrospect17:04
kirklandTeTeT: pretty straightforward from scratch17:04
kirklandTeTeT: you just install ubuntu servers17:04
kirklandTeTeT: and then add the eucalyptus packages17:04
kirklandTeTeT: https://help.ubuntu.com/community/UEC/PackageInstall17:05
TeTeTkirkland: I've done that in the past, but the clc refused to start then, I think I filed a bug on this, but it got converted to a question17:06
cjwatsonconverted to a question> argh bug triagers17:07
cjwatsonTeTeT: should indeed be easier in lucid since we're actively trying to support this, which we weren't previously17:08
TeTeTcjwatson: that's what I thought. But I guess it's too early for Lucid to test this?17:08
* kirkland wishes launchpad answers/questions would go away17:08
cjwatsonTeTeT: it's not quite all in place yet, but it's definitely worth a try; a good chunk of relevant code landed just after alpha 1 and is in daily builds17:09
cjwatsonassuming you have a scratch cloud, anyway17:09
TeTeTcjwatson: I have space on the disk, so I create a separate install17:10
TeTeTcjwatson: I'll probably start testing tomorrow if stuff is already in place17:10
cjwatsonin particular the foundations-lucid-uec-installer-enhancement spec is (allegedly) implemented17:11
cjwatsonsome autoregistration stuff will be in tomorrow's build17:12
MatBoyI still have the issue when I do a scp -i that I don't have permissions on the remote files17:18
smosersoren, i think we've talked about this before, or at least how we could re-use a image with a different kernel... ec2-register now takes '--kernel' and '--ramdisk' it previously did not.17:18
smoserinterestingly (to me at least) it also includes "--root-device-name ROOTDEVICENAME"... which might be a way to influence kernel command line17:19
smoserie: --root-device-name "/dev/sda1 console=/dev/null other-option-here"17:20
subso you want to use string injection as a 'feature'?17:23
=== astechgeek is now known as techgeek
smosersub, yes.17:25
smoserat least it could be.17:26
smoserwe've struggled with 2 objectives in the past17:26
smosera.) have images that run on UEC and EC217:26
smoserb.) be able to determine which we're running on17:26
smoserif i can pass a kernel command line parameter via the above, then i could register all our images with "ec2" parameter and use that to indicate where they're coming from17:27
subIMHO that sounds like a bad idea, to rely on a "bug" to introduce functionality17:27
smosererrr where they're booting17:27
subwhat happens if that gets patched?17:28
smoseryou're probably correct. although its not really a bug.17:28
substring injection is absolutely a bug17:28
MatBoyI just think I need to set a passwordfor the root account, that will solve everything17:28
cjwatsonMatBoy: the authentication method in use has absolutely no effect on file permissions17:30
cjwatsonMatBoy: have you tried scp's -p option17:30
cjwatson?17:30
cjwatson     -p      Preserves modification times, access times, and modes from the17:30
cjwatson             original file.17:30
cjwatsonMatBoy: or you could use sftp if you want more flexible control.17:30
smosersub, i agree that its probably a bug / un-realized feature in some cases. but if the point is to specify the root device to the kernel, then using it as 'root=/ec2/sda1' would basically have to be allowed.  It wouldn't make good sense from the hypervisor platform to dictate what devices can be named in the guest.17:31
subno, that part is fine, i was more concerned about trying to add other options afterwards17:31
submaybe i misread?17:31
subwhich is entirely possible17:32
smoserwell, yes, i did imply that was probably possible.17:32
smoserbut theres no real way to differentiate in a hypervisor between "yes thats a valid root device" and "they're trying to inject stuff"17:32
smoseras you can't know what the guest is going to name things17:33
smosermaybe "/dev/sda1 ec2" is actually what my guest names the first scsi partition when running on ec217:33
subwhat if they wrap the arg you're providing in quotes?17:33
smosermostly hypothetical here. anyway.17:33
smoseri can easily enough ignore the quotes in the guest17:33
smoserand afaik the kernel command line parsers basically dont use quotes17:34
subwell17:34
smoserin fact wrapping them in quotes would probably break current behavior17:34
submy only real concern is what happens if Amazon drops support for that? unbootable VMs?17:35
smoserie: root="/dev/sda1"17:35
smoserwould probably fail in many cases17:35
smoserwell you "register" an image that is mostly permanent. so if they dropped support for reading the data that was registered to the image, they'd be breaking existing customers.17:35
smoserand changing the platform's behavior for existing images, which in general would be a bad idea.17:36
smoseryou definitely raise valid concerns though17:36
subyeah, i guess it would be bad to 'de-register' certain info17:42
=== luis__lopez is now known as luis_lopez
bepI did a fresh minimal server install and installed xorg and when I try to launch a session I get "X: user not authorized to run the X server, aborting.". Is there a group I need to be added to or something?17:49
=== ChrisRut is now known as ChrisRut_
uvirtbotNew bug: #428552 in samba (main) "samba service denies connection after reboot" [Undecided,Invalid] https://launchpad.net/bugs/42855218:21
TopKatz after you update a systems headers, if I rebuild a driver, and make install it, before I have rebooted the system.  Will the driver be built against the new headers?18:25
=== astechgeek is now known as techgeek
resnodoes using squid for proxy and site caching make an noticeable difference in speed?18:41
resnofor users on a network?18:41
arjyes18:43
arjbut you should benchmark to find out how it affects your network18:44
arjbecause it might be slower or faster18:44
zulkees: ping when you are around18:46
resnoarj: would it be enough to be worth the hassle?18:47
smoserkirkland, have you done an install of lucid into kvm ?19:14
smoseri just got through one using '-hda' and grub is hanging (used alpha1 iso)19:14
=== ChrisRut_ is now known as ChrisRut
uvirtbotNew bug: #496661 in qemu-kvm (main) "Kaspersky AV does not install under qemu-kvm windows installation" [Undecided,New] https://launchpad.net/bugs/49666119:21
keeszul: late pong, was this about the stuff in privmsg?20:12
zulkees: yep20:14
=== robbiew1 is now known as robbiew
smoserkirkland, ping20:16
obscureHey, I have 2 drives in my Ubuntu server, one is only seen in df-h, how can I format the other to be seen in the list as well?20:38
arjpartition it20:41
arjmkfs20:41
arjmounbt20:41
arjmount*20:41
arjadd to /etc/fstab20:41
kirklandsmoser: yo20:41
smoserhave you successfully booted lucid with -console in kvm ?20:41
smoseri can't seem to get parameters in grub that dont switch to 640x480 mode20:42
kirklandsmoser: I did with the Nov 27 ISO20:43
kirklandsmoser: i'll try today's20:43
smosereven after install, it just wants to switch. kvm cmdline is: kvm -drive if=virtio,boot=on,file=lucid-server-20091214.img -console.20:44
smoserkernel command line that i'm trying now is:20:44
smoserBOOT_IMAGE=//vmlinuz-2.6.32-7-server root=/dev/mapper/ubuntu-root ro quiet fb=false nomodeset20:44
obscurethank arj20:45
obscurethanks*20:45
vomjomso i'm using the ubuntu karmic image on ec2, but it doesn't seem to have ext4 support20:45
vomjomis there a simple way to get it?20:45
obscurearj: partition it with cfdisk?20:46
arjif there are no partitions yeah20:47
arjcfdisk is fine20:47
smoservomjom, you're correct that there is no ext4 support (bug 428692)20:48
uvirtbotLaunchpad bug 428692 in linux-ec2 "ec2 kernel needs CONFIG_BLK_DEV_LOOP=y and other config changes" [Medium,Triaged] https://launchpad.net/bugs/42869220:48
smoserthere isn't a lot that can be done at the moment. you could boot with a lucid kernel20:49
vomjomsmoser, ok, thanks20:49
smoser(run-instances --kernel xxx)20:49
=== robbiew is now known as robbiew_
smoserbut that may or may not have issues with the registered ramdisk for the image20:49
smoservomjom, it should be possible to build ext4 support as a module and load it, but that might be more than you're wanting20:50
smoserlucid kernels do have ext4 support20:50
smoserand we may service that bug in karmic20:51
aquariusI've tried to upgrade my Ubuntu server from jaunty to karmic, and it says "After your package information was updated the essential package 'ubuntu-minimal' can not be found anymore.". There are bugs about this, which suggest that I should try "do-release-upgrade --proposed", but that hasn't helped20:54
aquariuswhat should I try next?20:55
=== luis__lopez is now known as luis_lopez
=== dendro-afk is now known as dendrobates
uvirtbotNew bug: #496686 in samba (main) "package samba-common 2:3.4.0-3ubuntu5.1 failed to install/upgrade: subprocesso instalado o programa post-installation retornou erro do status de saída 1" [Undecided,Incomplete] https://launchpad.net/bugs/49668621:51
=== ChrisRut is now known as ChrisRut_
sorensmoser: I don't understand how that even makes sense. Did they extend the RegisterImage api call to accept kernel and ramdisk images.22:03
smoseryes22:04
smoserand 'root'22:04
smoseri know , its weird. but its there in the documentation22:05
smoserhttp://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RegisterImage.html22:05
=== luis__lopez is now known as luis_lopez
=== robbiew_ is now known as robbiew
=== Adri2000_ is now known as Adri2000
photonwhich is the most secure ubuntu server version 8.04.2 LTS or one of the newer versions?22:52
unit3photon: that's like asking "which movie is the best". It depends on what you're trying to accomplish. Generally the security issues are more stable, known, and well defined in the LTS release, so that's probably what you're after.23:15
unit3and note that hardy is up to a .3 minor release now, I believe, not .2.23:16
photonok23:17
ScottKphoton: There has been a lot of work done on hardening since Hardy was released, so from a security perspective alone, 9.10 is the best.23:17
unit3ScottK: there's also a lot of new issues in new packages that haven't been as fully tested. it's a tradeoff. 9.10 certainly isn't as bug-free as 8.04.x, and bugs can often be translated into security problems.23:25
jdstrandunit3: ScottK was speaking to proactive security features, such as compiler, libc and kernel hardening, along with more apparmor profiles23:26
ScottKunit3: Certainly a possibility, OTOH a lot of bugs have been fixed since Hardy's release.23:26
unit3jdstrand: yep, I'm just saying that while that has taken place, there's also the opportunity for new problems that haven't been as widely documented and dealt with as in the LTS release.23:27
jdstrand9.10 is much better in terms of proactive features, and 10.04 LTS will be better still23:27
ScottKAlso as jdstrand says.  Those changes also help mitigate risk of unknown bugs.23:27
unit3for instance, on at least two of my servers, apparmor prints that it's respecting the apparmor.d/ignore and apparmor.d/complain directories, but it's lies, and you have to do a full apparmor restart manually once the system is booted to get those to take effect.23:27
unit3which leads to unpredictable results in a layer that's supposed to be securing you.23:27
unit3unpredictable = bad for security, IMO. ;)23:28
jdstrandunit3: I suggest filing bugs on that23:28
unit3Will do, just haven't had much time lately. Now might be good though, since I'm thinking about it.23:29
jdstrandI've certainly not seen it23:29
jdstrandplease do, that is definitely something we would want to address23:29
unit3Yeah, I'd assume so. I'm not seeing it everywhere, so I'm assuming it must be a config conflict with something else happen at boot time.23:30
unit3but it's consistent on this system, and so it is a good example of "new proactive features vs well tested" for security, I think. :)23:31
=== ChrisRut_ is now known as ChrisRut
=== ChrisRut is now known as ChrisRut_
=== ChrisRut_ is now known as ChrisRut
unit3ok, narrowing my testing for the report, it looks like it loads "ignore" rules as "complain" on default instead of full ignore. That's less serious, but still annoying, since it fills my logs with cruft.23:45
unit349677023:53
keesinteresting. i'll try to reproduce that.23:53
unit3Please do. I suspect it's some weird config on this server, since it has been upgraded constantly since 7.something.23:57
unit3but I can't imagine what it'd be, since apparmor's pretty self contained.23:57
