[00:07] anyone have any idea how to start mysql? I have no errors and "start mysql" and "service mysql start" just sit there
[00:08] SpamapS: yop
[00:08] SpamapS: that's what we're recommending for upstart
[00:09] SpamapS: upstart job should be trivial enough to edit - and not require the use of a default file anymore
[00:09] mathiaz: so my box is up and running, network is running. I sshed to the box
[00:09] mathiaz: when I do "start mysql" I get nothing, so its not that its waiting for a requirement right?
[00:09] SpamapS: default files were introduced because editing init script directly were too error prone
[00:10] maek: you're correct
[00:10] maek: I'd look in /var/log/daemon.log to figure out why mysql is failing to start
[00:10] sorry for being dumb, im moving from rhel to ubuntu
[00:16] mathiaz: /var/log/daemon and /var/log/mysql/error.log arent showing anything when I do start mysql
=== erichammond1 is now known as erichammond
=== EvilTrek is now known as CaptainTrek
[01:36] How does one install Redmine using the version from apt
[02:07] GhostFreeman_: /usr/share/doc/redmine contains configuration examples for lighttpd and apache2
=== metcalfc_ is now known as metcalfc
=== dendrobates is now known as dendro-afk
[02:51] hey
[02:51] how likely is it that lm-sensors cpu temperatures are totally bogus?
[02:56] it's 35 deg celsius here and with 100% load for 5min temp is 27deg
[02:56] is webmin the best that i can have for my server?
[02:56] ..and i got no peltier cooling :D
=== dendro-afk is now known as dendrobates
[03:01] clusty: quite possible that they're wrong
[03:01] debugview: not sure what you're asking, but, afaik, webmin is not supported by ubuntu
[03:01] !ebox
[03:01] ebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox
[03:01] giovani, seriously?
[03:01] lol
[03:01] okie
[03:02] but i had it installed anyway
[03:02] giovani: bios does not have temp meter. guess i am screwed....
[03:02] but thanks for letting me know about eBox
[03:03] clusty: screwed? unlikely -- do some research on your motherboard, see if others report the same thing, if not -- look at the other temps, see if they all seem off
[03:03] giovani: lmsensors detects just the 2 core temps
[03:03] what kind of board is this?
[03:04] can someone help me with inverse proportions ?
[03:04] needhelp: this isn't #math
[03:05] for some reason it will not let me in #math
[03:05] needhelp: sorry, can't help
[03:06] giovani: intel 945GSE
[03:06] clusty: that's a chipset -- what about the motherboard?
[03:07] giovani: it's an asus atom PC
[03:07] ok
[03:07] http://www.newegg.ca/Product/Product.aspx?Item=N82E16883220006
[03:07] no clue how would i check exact mobo
[03:08] well is this a laptop or a nettop?
[03:08] nettop i guess
[03:08] size of 2 hdd's
[03:08] well who made it?
[03:08] not too many of them
[03:08] asus
[03:08] model number? heh
[03:09] ASUS Eee Box EBXB202-BLK-X0081
[03:09] thanks for help btw
[03:10] well I'd go searching to see if other eeebox users have similar issues with lmsensors
[03:10] ok thank
[03:14] hey guys. I have 2 scripts in rc0.d. One is S35, and the other is K80. Which would be run first on shutdown?
[03:16] giovani: curious why i don't have any stuff around thermal_zone, fan....
[03:17] and other /proc/acpi common things
[03:17] clusty: maybe the board doesn't have those sensors, or they're not supported by the version of linux you have
[03:18] I'm trying to figure out why my apcupsd process isn't killing the power to the UPS. I suspect that networking is going down before the killpower step is called
[03:19] hmm is using mrtg an overkill for bandwidth checks?
[03:20] talcite: my understanding is that the kills run first, then the starts
[03:20] talcite: so, K80 should run before S*
[03:20] debugview: yes
[03:21] giovani, what would you recommend for bandwidth graphs? one that monitors stuff then plot graphs..daily, weekly, monthly etc..
[03:21] debugview: I'd whip something up in rrdtool, but that probably isn't the answer you want
[03:22] giovani, yeah i just want a simple one
[03:22] browsing through http://www.ubuntugeek.com/bandwidth-monitoring-tools-for-linux.html lots of stuff
[03:22] well I don't know of anything simple that isn't overkill for a single server
[03:22] giovani: ah. And I found the debian policy manual page for it. This all makes sense now. I can finally go home...
[03:22] thanks!
[03:23] talcite: excellent -- it's not debian-specific though
=== oubiwann is now known as oubiwann-away
[03:24] talcite: if you'd like a definitive answer you can do what I just did -- read /etc/init.d/rc -- the actual script that executes these other scripts
=== needhelp is now known as new-nick
[03:24] "# First run the KILL scripts."
=== new-nick is now known as loganhatesmath
[03:24] "# Now run the START scripts"
[03:25] giovani: hm, didn't know rc was the actual script. Anyways, is there any problem if I shutdown a machine without bringing down the network interface first?
[03:26] the ups killpower command is called from the halt script, but the networking stop script is called before that. it's a SNMP ups, so naturally the signal never makes it there
[03:26] I'm thinking of moving the networking entry to go after the halt command (effectively it will never get called)
[03:27] what's the killpower script do, exactly?
[03:28] giovani: it sends a snmp command to the ups to kill power to the outlets after 90s
[03:28] pretty vital because the switches will drain the UPS battery dead otherwise
[03:28] so when this machine is shut down
[03:28] this script needs to be executed so that the UPS shuts down after 90 seconds?
[03:29] why can't you run the script before shutting down the network stack, and then still have time to shut down gracefully before the 90 seconds?
[03:30] giovani: it's pretty heavily integrated into the apcupsd package. I'd be ripping out a _lot_ of code if I did it that way
[03:30] but you're right, it's an option.
[03:30] I really don't understand why
[03:32] the package wasn't designed with network UPSes in mind. It's making the assumption that we're using a usb or serial UPS (even though the binary fully supports network UPSes)
[03:32] ok
[03:33] actually, it's a bug that I should submit a report for. What is ubuntu's bug tracker called?
[03:35] launchpad
[03:35] not sure that this is a bug, but alright
[03:36] https://launchpad.net/ubuntu/+bugs
[03:36] thanks.
[03:44] ah it fixed it!
[03:44] aaaaah! Finally after 6 hours!
[03:44] talcite: fixed how?
[03:45] giovani: the UPS powered off =)
[03:46] I removed the symlink for networking from /etc/rc0.d, and added a /etc/init.d/networking stop line in halt right after the ups shutdown command
[03:46] still within the if/fi statement of course
[03:46] gotcha
[03:55] giovani: seems the kernel modules for my board have been buggered badly since 2.6.30
=== MTeck is now known as MTecknology
=== loganhatesmath is now known as EliTe
=== EliTe is now known as LyRiczZ
[07:01] New bug: #603001 in qemu-kvm (main) "Guest with user net can't access external network when host has static IP" [Undecided,New] https://launchpad.net/bugs/603001
[07:27] OK, /home is an NFS mount
[07:27] Why does "mount -oremount,lock /home" complain "an incorrect mount option was specified"?
[07:31] twb: is NEED_STATD=yes set in /etc/default/nfs-common ? i seem to remember needing that on at least the client
[07:31] but maybe that was something else
[07:31] hi
[07:32] when i do ./configure for memcached package on ubuntu 8.04 hardy server i get
[07:32] checking build system type... Invalid configuration `x86_64-unknown-linux-': machine `x86_64-unknown-linux' not recognized
[07:32] configure: error: /bin/bash ./config.sub x86_64-unknown-linux- failed
[07:32] Any clue ?
[07:34] kees: no; it should default to autodetecting whether it's necessary
[07:34] kees: I'll try that; if it all magically works after that, I'll be bloody pissed.
[07:34] (The problem is http://paste.ubuntu.com/460510/)
[07:51] kaushal: you're trying to compile memcached 1.4.5 from upstream tarball on hardy, yes?
[07:55] twb: can you paste the fstab line for /home?
[07:55] twb: also, I'm not familiar with casper, whats that?
[07:56] casper is what makes the live CDs work
[07:56] echo >>/root/etc/fstab 10.128.0.1:/home /home nfs intr,bg,nodev,noexec
[07:57] ...with, or without {no,}{bootwait,lock}
[07:59] twb: hmm, the "auto detecting" of needing statd seems pretty different in /etc/init/statd.conf
[08:00] statd is started, but mountall(8) is retarded AFAICT
[08:00] mountall is a separate daemon that doesn't know that it needs to wait for statd/retry -olock fstab entries
[08:00] twb: you definitely need locking right?
[08:01] Well, without locking users can log in on multiple hosts and potentially bust their files
[08:01] In practice I probably don't need it
[08:01] twb: right its possible that mountall-net.conf needs a 'start rpc.statd'
[08:01] But all mountall-net.conf does is send a USR1 to the mountall daemon
[08:03] twb: indeed, but it does that *after* networking has been configured
[08:03] But networking is configured before upstart starts
[08:03] err
[08:03] not really
[08:04] I'm booting off the network; if the network wasn't configured, it wouldn't be able to mount the root filesystem and find upstart to execute it.
[08:04] right, so in this case, the 'start on net-device-up' should fire *immediately*
[08:05] Right -- I think it fires before the mountall daemon is even running
[08:05] ugh
[08:05] race condition after race condition. ;)
[08:05] At least, when I trace mountall-net, I can see it fails to find the mountall PID -- so either mountall hasn't started, or has already finished
[08:07] twb: so maybe another 'start on' is necessary that makes mountall-net wait for 'mountall' to start *and* a net device to be up?
[08:07] Well, I can try it
[08:08] start on started mountall
[08:08] it sounds quite reasonable actually
[08:09] OK, that appears to have worked
[08:09] w00t
[08:09] My brain hurts
[08:10] can you report this as a bug?
[08:10] Yeah
[08:10] So what I have at the moment -- I think -- is "lock,bootwait" for /home in fstab, and "start on statd" added to mountall-net.conf
[08:10] its SRU worthy, if we hurry it may make 10.04.1
[08:10] I'll turn single off and try to see if GDM dtrt
[08:11] wait you added 'start on statd' ?
[08:11] or 'start on started statd' ?
[08:12] The former
[08:12] And it isn't working if I turn single off
[08:12] (I was confused between "started" being there or not.)
[08:14] ok, I was thinking more that mountall-net needs to wait for 'mountall'
[08:14] and *possibly* statd
[08:15] Without "single", neither "start on statd" nor "start on started statd" work -- it just hangs there in plymouth forever
[08:15] single meaning booting into single user mode?
[08:15] Single meaning I pass "single" on the boot parameter list
[08:15] (And friendly-recovery isn't installed.)
[08:15] yeah ok
[08:16] I think you need mountall-net to wait for mountall to be started, otherwise the event it sends to mountall will be missed
[08:16] I'm actually worried that mountall won't have signal handlers in place when its job is "started" though, so I wonder if you can introduce a small delay
[08:17] races suck. :-P
[08:17] Isn't the whole point of upstart to avoid "sleep 1" hacks?
[08:17] yes
[08:17] * twb gripes
[08:18] the other way to do it is to have mountall emit a specific signal after it is ready to handle the USR1
[08:18] s/other/right/
[08:19] haha btw
[08:19] the "auto detecte" mode of NEED_STATD.. is just "if its not no, set it to yes"
[08:20] It also seems pretty weird that Keybuk wrote mountall because upstart didn't do it internally -- but keybuk maintains upstart, too.
[08:21] I can't get it to work with "single" anymore, so either I accidentally had "nolock" in the ramdisk (because I forgot to update it), or that ONE TIME, I managed to miss the race
[08:26] twb: did you try it with "start on started mountall" in mountall-net.conf ?
[08:27] That *and* statd?
[08:27] I'll try that now
[08:27] Actually, as a test, why don't I just have it issue a USR1 every second forever
[08:28] If that works, we can narrow down exactly when to send the USR1
[08:29] OK, that works with single!
[08:31] very narrow window between when the exec will return, and the forked child handles SIGUSR1
[08:31] but still, I suspect its possible to run into it
[08:31] ALRIGHTY
[08:32] If I change mountall-net.conf to "start on startup" and a script of "while :; do pkill -USR1 mountall || :; sleep 1; done", it WORKS PERFECTLY -- the fourth USR1 succeeds
[08:32] doh
[08:32] I mean great, but DOH
[08:33] this makes sense...
[08:33] So either mountall-net isn't triggering on statd -- which we fixed -- or its attempt to find the mountall PID is totally wrong and broken
[08:33] well more importantly, statd could be beating mountall
[08:34] Well, first I'm going to change it to a single "pkill -USR1 mountall", and run that on the appropriate events.
[08:35] entirely possible the fix for bug 506902 wasn't done right too
[08:35] Launchpad bug 506902 in mountall "mountall-net SIGUSR1 handling can signal the wrong process by mistake" [High,Fix released] https://launchpad.net/bugs/506902
[08:35] twb: I need to get to bed, but I would at least give your script a try with 'start on started mountall' and see if it succeeds on the 1st or 2nd SIGUSR1
[08:36] I think it really needs "starting mountall && started statd" or so
[08:36] i.e. statd is fully up, mountall is running and waiting for events
[08:37] started
=== erichammond1 is now known as erichammond
[08:37] starting would be too early
[08:37] twb: but yeah, they probably both need to be started
[08:37] * SpamapS must really go now
[08:37] You really helped, thanks
[08:45] Should the Ubuntu Server edition have django 1.0 SVN final installing by default, or is it a severely outdated mirror?
[08:46] R3cur51v3: ask rmadison
[08:46] rmadison, Should the Ubuntu Server edition have django 1.0 SVN final installing by default, or is it a severely outdated mirror?
[08:46] $ rmadison python-django -uubuntu -slucid ==> python-django | 1.1.1-2ubuntu1 | lucid | source, all
[08:47] ah, the douches still have Intrepid installed
[08:48] figures, with a $5 vps
[08:51] twb, to upgrade to Lucid, do I just change all instances of intrepid to lucid in /etc/apt/sources.list, then update?
[08:51] No.
[08:51] R3cur51v3: NO
[08:51] !upgrade > R3cur51v3
[08:51] R3cur51v3, please see my private message
[09:05] ty twb and Jordan_U
[09:05] night all
=== lionel_ is now known as lionel
[09:09] <|eagles0513875|> hey guys i am having connectivity issues on a clean install of lucid server 64bit
[09:09] <|eagles0513875|> hold on
[09:14] |eagles0513875|: still there?
[10:24] Hey everyone. I'm running Ubuntu Server 10.04 on a dedicated host. I'm logged in via putty. I'm running a MyBB forum on it at the moment. For some reason email isn't working. It happened after I restarted the host. I think I'm using exim4, I just restarted that service and it didn't start back up. I recently installed ebox. Could someone help me troubleshoot this please?
[10:34] MasterZuFu: mailservers aren't exactly the easiest components. If you don't have some setup to test and learn from I really really suggest to use a hosted mail provider.
[10:35] MasterZuFu: apart from that. Check which mailserver you have installed, then check the logs (in case of exim /var/log/exim/{main,paniclog} IIRC)
[10:36] serverhorror, I don't have the option of an alternate mail server. it's built into the site software to use the email server on the server itself. I'd have to edit the core files to change that.
[10:37] MasterZuFu: then use nullmailer and let it forward the mails for you to a real server.
[10:38] hmmmm ok, let me take a look. one moment please
[10:40] serverhorror, here's what the panic log says: 2010-06-01 10:00:08 socket bind() to port 25 for address ::25 failed: Cannot assign requested address: daemon abandoned
[10:40] MasterZuFu: something is listening on port 25 already
[10:40] (probably)
[10:40] gay. let me check ebox.
[10:40] http://www.computerpowertest.com/
[10:41] MasterZuFu: netstat -plnt
[10:41] ss is the new netstat
[10:42] rly..
[10:42] nothing's running under port 25
[10:44] twb: thanks! :)
[10:44] saves me the typos :)
[10:47] I've got the following ports open: 993, 995, 389, 10023, 3306, 110, 143, 80, 22, 3128, 5432, 443, and....ummm O.o 22 why are there two 22 running? O.o odd. Anyways..no 25.
[10:47] MasterZuFu: paste the output of netstat -tulpen on some pastebin and tell us the link
[10:49] http://pastebin.com/G2EQcXu4
[10:49] MasterZuFu: and are you sure that log line is the one regarding the error, because since 2010-06-01 some time has past. At least in my timedate zone...
[10:50] let me check again
[10:50] yeah that's the only line in it
[10:52] I'd truncate the log files. restart exim and then see what the logs say. Just to make sure. But I'd also verify that it's indeed exim that is the mailserver. you said you believe you run exim, pls verify first which smtp server you are using...
[10:53] ok, one sec
[10:57] this restarts exim4 right? /etc/init.d/exim4 restart
[10:57] I don't see any logs at all.
[10:57] should I reinstall it?
[11:14] nevermind, i sent my sysadmin an email. He'll look into this for me. thanks everyone.
[11:14] :)
[11:51] New bug: #603091 in backuppc (main) "Have an authenticated access for personnal backups" [Undecided,New] https://launchpad.net/bugs/603091
[12:09] Hi
[12:09] I have a weird issue about disk space
[12:21] hmmm playing around with UEC and I can't seem to connect the eucalyptus-nc to the cc. As of now I'm also blind and couldn't find some more in depth docs how I'd do that manually. Any hints/links?
[12:28] .oO(is anybody even using UEC? - I have a feeling it's not really being used)
[12:29] hi, what's wrong with this remounting? http://pastie.org/1035764
[12:31] phretor: sounds like /dev/sda6 isn't mounted :)
[12:32] serverhorror: it's mounted to /
[12:35] looks, good to me. maybe some strange ordering issue with mount options. I'd simply iterate thru the options and see where it chokes...
[12:36] serverhorror: Never used UEC. Dont like the concept.
[12:36] Might try it sometime. heh.
[12:39] seems everybody still stays with either home-grown scripts or closed source :)
[12:43] Closed source :)
[12:44] heh, we run home-grown. OpenVZ with a few monitoring/management scripts on top of it
[12:44] s/a few/
[12:44] probably
[12:45] Well, we run somewhat home grown (due to be professionally released later this year). Its closed source however.
[12:47] so you're going to sell me software, and I have to find some other professionals that can give me support? (sorry, couldn't resist it)
[13:09] can someone guide me about the post on https://lists.ubuntu.com/archives/ubuntu-users/2010-July/222568.html ?
[13:12] serverhorror: Haha, not at all ;)
[13:23] morning all ;-)
[13:25] In "apt-conf dump", I see APT::Never-MarkAuto-Sections
[13:26] Does this mean I can tell apt that everything in, say, libs, is ALWAYS implicitly MarkAuto'd?
[13:52] Sigh. So it looks like something happened to pam since 8.04
[13:52] It wants me to use /usr/share/pam-common
[13:54] Ahahaha
[13:54] I see the problem now: pam is working, but nss isn't configured anymore because I changed my "auth-client-config" call to a "pam-auth-update" call
[14:02] kaushal: files that are unlinked but still opened by some program do take up disk space. Most common weirdness reason is to delete large log files, while some daemon still writes to them...
[14:16] This fixed it: auth-client-config -plac_ldap -tnss
[14:26] nxvl: did you ask for a sync for augeas?
[14:33] i'm not sure why i'm getting this error when restarting mysql http://www.pastebin.org/386376
[14:33] oru_work: it's fully self-explanatory
=== Guest15330 is now known as RoyK_wrk
[14:36] oru_work: The init script is deprecated in favor of upstart. However, init still operates as it should. (Not sure if it will in maverick though)
=== adamdv is now known as AdamDV
[14:37] i don't get it
[14:39] oru_work: service mysql restart
[14:39] Try that.
[14:40] Thats the new way to do it, as opposed to manually invoking a script from path
[14:40] More efficient as I understand.
[14:40] AdamDV, sudo service mysql restart
[14:40] mysql start/running, process 1181
[14:40] Yes?
[14:41] heh
[14:41] heh :)
[14:41] oru_work: your ability to be confused is impressive
[14:41] giovani, lolz :)
[14:42] so it worked /
[14:42] ?
[14:42] yes
[14:43] but why is it still complaining when I do /etc/init.d/mysql restart ?
[14:43] it's not complaining
[14:43] BECAUSE INIT IS DEPRECATED!
[14:43] it's informing you that you're using the old method
[14:43] Its telling you that, that its being deprecated for upstart, aka service.
[14:43] Its not like init fails when you restart it that way, it just warns.
[14:43] Its not fatal ffs.
=== adamdv1 is now known as AdamDV
[15:00] hmm
[15:00] phpmyadmin doesn't start
[15:01] this is what I see when I point my browser to phpmyadmin Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.
[15:02] here is what i get. http://www.pastebin.org/386395
[15:11] ccheney: http://launchpad.net/uec-provisioning and lp:uec-provisioning
[15:11] kirkland, thanks
[15:15] i am trying to re-bundle an existing aws ec2 ubuntu image ami-2d4aa444 i get this same error http://developer.amazonwebservices.com/connect/message.jspa?messageID=179635
[15:15] I tried placing the new sources.list in sources.list.d but still the same error when re-bundling an ami any idea ?
[15:23] ccheney: i've given you commit access on that branch
[15:23] kirkland, ok
[15:27] zul: i think so
[15:27] nxvl: k just double checking
[15:35] zul: LP: #598862
[15:45] How can I see what params were used to launch a command?
[15:46] New bug: #603192 in apache2 (main) "install of libapache2-mod-php5 may not result in enabled php" [Undecided,New] https://launchpad.net/bugs/603192
[15:51] twb: still around?
[15:51] Yeah
[15:52] twb: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/537133
[15:52] Launchpad bug 537133 in mountall "mountall issues with NFS root filesystem" [Medium,Confirmed]
[15:52] twb: did you see that?
[15:52] Looking
[15:52] That sounds like my bug
[15:53] yep
[15:54] What's the lp equivalent of "bts subscribe NNNNNN"?
[15:55] click "Subscribe" ? ;)
[15:55] actually
[15:55] click the little ! next to "does this bug affect you?"
[15:56] I'm not logged in, because that would require me to maintain a distributed cookie database across a large number of browsers and hosts
[15:56] err.. you don't have even one openid provider?
[15:56] I don't understand the trust model of openid, so I can't use it
[15:56] AFAICT it requires me to trust root on the openid provider's host
[15:57] Even so, that wouldn't work across multiple browsers
[15:58] twb: as opposed to trusting root on *everybody you log in to"'s host?
[15:58] twb: OpenID would have you logging in once on each browser.
[15:58] Huh? *I* am root on my own machines.
[15:58] But my own machines do not run OpenID servers
[15:58] twb: You're saying you never log in to any web services ever?
[15:59] btw you can run your own OpenID provider
[15:59] Doesn't that require me to have a public IP address?
[15:59] and never give anybody your auth details.
[15:59] !launchpad-- # Freezes my browser for a second of five
[15:59] Error: I am only a bot, please don't think I'm intelligent :)
[16:00] And last time I looked, the only OpenID server implementations were PHP, which I sure as shit aren't going to allow on my machines...
[16:00] twb: yes you would need to run one server that the consumers can ask for auth tokens
[16:00] twb: thats just FUD
[16:00] Who needs openid if your browser can remember passwords
[16:00] twb: http://wiki.openid.net/Run-your-own-identity-server
[16:00] Jeeves_: my browser can't.
[16:01] I don't want to sign in just once. That means if someone else somehow ever knows my password, he can do the same
[16:01] Jeeves_: who needs a browser when a post it on your monitor can remember your one password that you use everywhere? ;)
[16:01] twb: You're running netscape 3?
[16:01] * ccheney really hates firefox, its eating my system
[16:01] SpamapS: I don't use one password
[16:01] Rather, they can usually parse .netrc, but that's for HTTP/SSL, not for the stupid shitty form behind it
[16:02] Jeeves_: no, wget, curl, GET, w3m, emacs-w3m, html2ps, midori, opera, and if all else fails, firefox 1.5 -- in roughly that order.
[16:02] I quite liked galeon back before gnome took control of it
[16:02] twb: Cool. You run Gentoo right, and you love SM? :)
[16:03] No, I love UIs that are consistent across multiple websites, that automatically filter out useless content like images and iframe advertisements
[16:03] twb: I like that you're using a ton of software. I do think OpenID would actually work out well for you.
[16:03] useless
[16:03] hahahaha
[16:03] The web developer isn't allowed to tell me how a page should look.
[16:04] dude, serious lolz ..
[16:04] twb: You also use scissors when reading the newspaper?
[16:04] Who the hell does this editor think he is! Arranging the newspaper for me!
[16:04] SpamapS: btw, the solution is to send a signed mail with "subscribe trentbuck@gmail.com" to NNNNNN@bugs.launchpad.net
[16:04] twb: actually you'd like the reader plugin for chromium
[16:04] Jeeves_: if by "newspaper" you mean sites like lwn -- yes, I have the XSLT equivalent of greasemonkey scripts to rearrange the page for me.
[16:05] twb: OpenID is a MITM attack by design, so PHP should be the least of your concerns.
[16:05] twb: yeah, we definitely support people who are reluctant to take the blue pill , aka web 2.0. ;)
[16:05] twb: No, I mean a newspaper. Made in a press, and with paper made of trees. You know, those brown/green things outside your window..
[16:06] Jeeves_: that would require me to have a window
[16:06] ScottK: yeah, I figured it was something dodgy like that
[16:07] ScottK: the local EFF weenie is into it, which is why I perhaps gave it more credence than normal
[16:07] twb: All the openid coolaid drinkers claim it's not, but I think they just don't actually understand anything about security.
[16:08] ScottK: interesting. I did read about the issues with the first implementations, but haven't those been solved by changing the mechanics of the system a bit to ensure you're not ever trusting a consumer site w/ your auth credentials?
[16:08] twb: So I hand your web site my LP OpenID credentials and you check with LP and become I'm convinced I'm who I say I am. What prevents you from reusing those credentials to log into LP, donning my archive administrator hat and accepting arbitrary code into the archive?
[16:09] ScottK: hum. I assumed it was at least unidirectional
[16:09] SpamapS: How do I know I'm really talking to LP and not a forged replica?
[16:09] i.e. more like a kerberos tgt
[16:10] twb: It's slightly more complex since in theory the redirect me to LP and I give the information to LP directly, but I don't really know for sure where they are redirecting me too.
[16:10] ScottK: SSL certs are the only recourse there.. but I'm more interested in your replay scenario.
[16:10] We should just use Kerberos to log into websites
[16:10] SpamapS: I really haven't looked at it in detail for quite some time, it may be better now.
[16:11] Wikipedia was talking about some next-gen replacement for openid + some other thing
[16:11] ScottK: if you put your username/pass into a site without checking to see who owns the cert, then you pwned yourself. ;)
[16:12] SpamapS: Anything that depends on users reading SSL certs is full of fail.
[16:12] They probably wouldn't get me, but I'm unusually careful about such things.
[16:12] ScottK: its the web. What other security paradigm is there?
[16:13] On that subject, is anyone else annoyed about the lack of information about the requested action in gnome's replacement for gksu?
[16:13] twb: I'm not annoyed at all.
[16:13] "org.gnome.dbus.rhythmbox has asked to do something!"
[16:13] I can't work out how to make it say "...has asked to install ffmpeg" or so
[16:13] twb: You're not using gnome, right?
[16:14] SpamapS: It would be much better from a security design perspective if the user went directly to the openID provider and the openID provider contacted the site they wanted to access.
[16:14] Jeeves_: I'm not, but I have to make SOEs for prisoners who do
[16:14] ScottK: a lack of convenience will mean users just won't use the system.
[16:14] SpamapS: Convenience over security has got us into a mess.
[16:15] into what mess?
[16:15] entering a user+pass per website isn't happening because of user convenience. *that* is the mess.
[16:15] users hate that
[16:16] and they make the wrong choice every time, reusing passwords over and over
[16:16] What I hate is some fucker like launchpad requiring me to "log in" simply to provide them feedback about what isn't working
[16:16] I should be able to just give my email address. If I'm lying, let the spam system handle it.
[16:16] twb: Did you happen to learn about a thing called spam?
[16:17] I mean, a captcha won't work for you either
[16:17] twb: anonymous feedback is great, but I think its reasonable to ask that you provide a way to contact you for more information.
[16:17] SpamapS: which is not the same as making me remember a password
[16:17] twb: and you *can* just provide us with your OpenID URL.
[16:17] or like you said, a signed email
[16:18] I can't give you a signed email until I first log into the web UI
[16:18] twb: What I find more annoying are requirements for authenticated access to just to read public data in the LP API (that may have been fixed, not sure)
[16:18] ScottK: thats not to prevent anonymous reading, but to prevent abuse.
[16:19] It also annoys me how EVERY time I go from a public, read-only page on https://wiki.ubuntu.com to, say, google, my browser modally warns me I'm going ssl->non-ssl
[16:19] SpamapS: There are lots of best practices around doing that without requiring authentication.
[16:19] I don't know why ubuntu's wiki needs to be uncachable
[16:19] twb: you can of course turn that message off, or play with google's new SSL access. ;)
[16:20] ScottK: actually thats bug worthy.. file one.. on.. launchpad. ;)
[16:20] SpamapS: I can turn it off by main force, but not fine-grained enough to avoid false negatives
[16:20] SpamapS: It also creates security risks for me because I need to give more code more access to my ID.
[16:20] twb: ubuntu's wiki is in SSL for the authenticated source, not for the encryption.
[16:20] SpamapS: I'm on hiatus on launchpad bugs. If I filed a bug every time LP annoyed me, I'd never do anything else. Feel free to file one and quote me though.
[16:21] SpamapS: eh? What does that guard against?
[16:21] ScottK: Indeed, Launchpad as an idea is great. But it usually just sucks :(
[16:21] twb: well unless somebody compromises the ssl cert, you know its coming from the owners of Ubuntu.com ;)
[16:22] I don't need to know that.
[16:22] twb: or of course, unless somebody compromises your CA list. ;)
[16:22] I'm quite happy for unreliable third parties to give me useful suggestions about fixing cock-ups in ubuntu
[16:22] twb: well the maintainers of wiki.ubuntu.com think its important, whether you need it or not.
[16:22] It's not like I run stuff from wiki.ubuntu.com without testing it -- that'd be nuts
[16:23] Jeeves_: I won't even go that far. Getting Fedora related comments on bugs I'm working on because of some great integration thing has never once helped me. It just clutters my inbox.
[16:23] twb: think about it.. MITM puts up commands for noobs to send him /etc/shadow via email in the middle of HOWTO's ..
[16:23] SpamapS: yes, but I'm not a noob, so I should be able to CHOOSE not to use SSL
[16:23] SpamapS: w.u.c actively forces me to use SSL for EVERYTHING
[16:24] ScottK: You can use the Launchpad API anonymously.
[16:24] twb: What a life you must have.
[16:24] twb: ohnoes
[16:24] jpds: Then maybe someone was doing it wrong, but I've been asked for credentials to read data.
[16:25] twb: Do you complain in the store as well? "Which *** forces me to use dollars everytime!? I'm SMART, I should be able to CHOOSE the currency I pay in!"
[16:25] ScottK: >>> from launchpadlib import launchpad [16:25] ScottK: >>> lp = launchpad.Launchpad.login_anonymously("hi") [16:26] Jeeves_: I haven't yet, because I haven't found a store that wouldn't take my preferred currency. [16:26] twb: So you *do* get outdoors? :) [16:26] Jeeves_: play nice. [16:27] SpamapS: don't worry about it, man [16:27] SpamapS: I'm always nice. :) [16:27] * jpds prods Jeeves_. [16:27] I have a lot of respect for twb and scottk's positions. They have important things to do, and they are not interested in flowery 90% solutions. [16:27] Saying "nice" when you mean "pleasant" isn't nice at all. [16:28] * twb points wildly at _Good Omens_) [16:28] SpamapS: I have important things to do; I just don't do them ;-) [16:29] hey mathiaz [16:29] SpamapS: but I'd draw your attention to quote #3 of http://en.wikiquote.org/wiki/George_Bernard_Shaw#Sourced [16:30] Good morning. [16:30] Any squid/sarg proxy admins here? [16:30] jpds: I remembered what it was. It's pull-lp-source in ubuntu-dev-tools. It needs authorization to get source from other than the current development release. [16:30] Gotta run. [16:30] zul: o/ - how hot is your part of canada? [16:30] twb: I missed the levity. ;) [16:30] I'm trying to figure out why sarg-reports isn't generating reports from cron :) [16:31] mathiaz, my part of Canada is a steamy 30 at the moment. [16:31] mathiaz: its pretty hot...but im down the street from you [16:31] ScottK: That seems to have been fixed. [16:31] zul: hm down? [16:31] zul: you've come all the way to montreal for air conditioning? [16:32] mathiaz: well probably up the street is the more correct term [16:32] mathiaz: no i had other things to do as well ;) [16:33] zul: cool - I'll catch up with you later today [16:33] zul: I'll stop by in the afternoon [16:33] mathiaz: sounds good [16:33] zul: when do you leave? 
[16:33] mathiaz: 4pm [16:36] New bug: #603211 in apache2 (main) "Apache fails to start after reboot due to missing /var/run/apache2 direcotry when ssl is enabled " [Undecided,New] https://launchpad.net/bugs/603211 === oubiwann-away is now known as oubiwann [17:00] hi guys, on 9.04 for share internet i type "/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE" now on 10.04 it says "iptables: No chain/target/match by that name." any clue? [17:00] i've installed csf firewall like on 9.04 [17:09] also i'm running on a vps [17:48] alex88: "iptables -t nat -L" works? [17:53] you know.. given that Amazon charges by "the box is up" or "the box is down" .. [17:54] wouldn't it be a good thing to do to run seti@home niced on all EC2 instances? ;) [17:55] SpamapS: why would I burn my precious cpu cycles which the company pays for to seti? Just to run into some strange performance problems? [17:56] what is the relationship between apache ServerLimit and MaxClients? [17:57] serverhorror: clearly you're just not ready to meet E.T. ;) [17:57] osmosis: Depends on which apache MPM you are working with [17:57] osmosis: http://httpd.apache.org/docs/2.0/mod/mpm_common.html#maxclients [17:57] osmosis: but in general, ServerLimit is the limit on the number of httpd processes that will be running, while MaxClients is the limit of http requests that will be serviced at one time. [17:59] serverhorror: and really, nice and CPU-only processes.. is it really going to give you "some strange performance problem" ? Unix has been doing nice since the Nixon administration. ;) [17:59] osmosis: actually http://httpd.apache.org/docs/2.0/mod/mpm_common.html#serverlimit explains that better than the previous link. Upstream docs for httpd are one of the best available... [17:59] serverhorror: SETI's a bad idea though, how about protein folding or something to help cancer research? :) [18:01] SpamapS: I just don't see a reason to put more on the server than necessary. 
After all it's me that has to get up at 2am for one reason or another, and once any of those boing! (or whatever they call it now) processes is the reason I can assure you they're gone in no time... [18:01] s/is the reason/are the reason [18:02] SpamapS: but I'm pretty sure you could just suggest that to google. They'll be pretty happy to use that suggestion, they have tons of computational power lying around for nothing... [18:02] serverhorror: do you actually run any EC2 instances? [18:02] nope, I run rackspace [18:03] right, so .. ec2 is a little different.. ;) [18:03] and a few hundred of our own :) [18:03] but really.. [18:03] it was a joke. Thank you for taking it seriously.. I feel special. :) [18:03] SpamapS: not that much actually. The main difference is that if an EC2 instance goes down it's gone. rackspace keeps those persistent [18:03] SpamapS: ping need your opinion on something [18:04] zul: bring it [18:04] .oO(why do I always fall for those topics - I have a feeling I'm taking computer stuff too serious lately) [18:04] SpamapS: im going to be converting the apache init script to upstart which means we lose stuff like /etc/init.d/apache2 graceful, should we have a wrapper script that has the same functionality [18:06] zul: you can't have arbitrary arguments to 'service ' somehow passed to upstart? [18:06] SpamapS: not afaik no [18:07] if i'm using a usb hard drive cart type device do i have to use automount? or does ubuntu mount usb devices another way now? [18:07] zul: I don't think a wrapper in init.d is the best thing, other than to maybe tell people "init.d is deprecated please use apachectl" [18:07] SpamapS: yeah thats an option as well [18:07] i was thinking of a wrapper for apachectl or something...meh === smoser_ is now known as smoser [18:11] zul: well apachectl should be in the path [18:11] zul: at least the manpage of service says that COMMAND can be arbitrary.
Though I have no idea about upstart yet [18:14] zul: /win 10 [18:14] damnit [18:20] how can I view the changelog for an update before installing it? [18:21] osmosis: apt-listchanges is your friend [18:32] if i look at the changelog for linux-image-server ...all it says is * Lucid ABI 23 [18:33] so? [18:35] bah! fck UEC...I'll just script the stuff myself === erichammond1 is now known as erichammond [18:38] jpds: Good to hear it's fixed. Maybe I'll try it again. [18:42] has anyone here ever got zend optimizer working on ubuntu? [18:42] i'm having a problem getting zend optimizer to work on my server... i've tried removing every possible extension and nothing seems to help... i just get lots of random segfaults with zendopt installed... anyone ever run into this? i'm thinking maybe suhosin patch is messing with zo [18:45] Hi, I have a server running ubuntu-server 10.04. I have installed squid on it and it is working fine. I have now installed ebox with all its modules. My goal is to manage proxy and firewall through a web interface. Am I approaching it the right way? [18:45] it is installing 96 mb of ebox packages [18:49] can anyone help me with mysql apache and myphpadmin. when i login i just get an error Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly. [18:50] anybody ever set up freeradius? kind of stuck @ the ntlm_auth part [18:50] milk_: can you pastebin errors from the log file? [18:50] !pastebin [18:50] For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://tinyurl.com/imagebin | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic. [18:50] RoyK, were you the guy I talked to late last night?? [18:50] RoyK: where is the log file located ?
[18:50] milk_: /var/log/apache2 [18:52] RoyK: http://pastebin.com/eDZ5aS7C [18:54] freeradius, anybody? [18:57] RoyK, you missed milk_ 's response: http://pastebin.com/eDZ5aS7C [18:58] milk_: [Thu Jul 08 17:45:42 2010] [error] [client 127.0.0.1] File does not exist: /usr/share/phpmyadmin/scripts <-- that should give you a hint :) [18:59] i figured it out [18:59] thanks [18:59] now i have another problem.. how do i make a new super user [19:00] ? [19:00] milk_, in what context? for the linux box, for mysql, for .... ?? [19:00] mysql i think [19:01] i think i accidentally deleted the root account :D [19:01] milk_, you should be able to GRANT appropriate privileges for whatever user you want in phpmyadmin [19:01] cant log in .. [19:02] milk_, try: http://ubuntu.flowconsult.at/en/mysql-set-change-reset-root-password/ [19:06] sjm: if he has deleted root from the user table, he might want to 'grant all on *.* to root@localhost identified by 'newpass' with grant option' after restarting mysql [19:08] i dont think there is even a need for a root user [19:08] how do i do that ? [19:09] sjm: this doesnt seem to be working [19:09] milk_: see the url above - disable grant tables and grant all rights to a new user, root or not [19:10] remember to restart mysql after creating the new user, or everyone can get in with full superuser rights [19:12] i still cant login [19:12] login as an existing user - not root [19:13] i dont understand [19:13] http://dev.mysql.com/doc/refman/5.0/en/server-options.html#option_mysqld_skip-grant-tables [19:14] milk_: did you remove the root account from the user table? [19:16] RoyK: i think so.. stupid i know [19:19] anybody got experience with freeradius? [19:19] Roasted: running it, yes, but not familiar with that module you're using [19:20] RoyK, what module are you referring to? [19:20] ntlm_auth [19:20] ntlm_auth is what I've been finding on every guide to set up freeradius....
[19:21] as far as adding a linux freeradius server to a windows domain [19:21] wouldn't it be easier to let windoze handle radius? [19:21] sure would [19:21] afaik it can do that from around win2k [19:21] except theres a known issue with windows radius [19:21] they dont reauthenticate after 30 days, they just drop the laptops [19:21] its a known issue and no fix is in sight [19:22] meanwhile, everybody Ive talked to swears by using freeradius. evidently it works better in a lot of aspects beyond the 30 day bug we ran into [19:22] so here I am, giving it a go :P [19:23] heh - that's a bitch [19:23] tell me about it [19:23] I got the ubuntu box on the domain and everything [19:24] but the next step says to run a command with ntlm_auth blah blah blah blah blah [19:24] it fires back an error... [19:24] what did you use? just ldap+kerberos? [19:24] hence my sudden desire to drink heavily [19:24] I set up samba + kerberos n this box [19:24] I didnt see anything about ldap [19:24] ok [19:25] out of interest - does that use windows IDs or just mapping to unix IDs? [19:25] what do you mean windows IDs? [19:25] user IDs, I mean [19:25] not sure I follow - I didnt set up any users or deal with users yet [19:26] I mean, when users store files on samba shares, does ubuntu use windows UIDs or does it map to unix IDs? [19:26] oh, we dont use samba for file server services [19:26] I think it maps ...
opensolaris doesn't :) [19:26] ah [19:26] samba has other things bundled with it that helps in the radius process [19:26] ok [19:26] ic [19:26] this box Im setting up is dedicated to radius [19:26] we have a windows storage server, blah blah [19:27] we don't use windows for storage - too many unix (linux and (open)solaris boxes) - windows nfs isn't really very good [19:27] well, we're in a school district with windows clients [19:27] before I started, there were no linux servers [19:27] we dont even have any macs anymore [19:28] well, good thing you started, then :) [19:28] lol [19:28] well I didnt have much involvement with our one linux server [19:28] however [19:28] that server + an open source free app on it has saved the district around 300,000 dollars [19:28] so yeah, the rest of the department is starting to think more highly of linux and its capabilities - which is why we're trying to use freeradius to patch an MS problem with their version of radius. [19:28] its just a bit of a headache [19:28] we're setting up this rather nice HA cluster for storage on Nexenta soon - 40TB (or 48) on the big boxes [19:29] zfs rocks! [19:29] we were having a dns issue a while back [19:29] I almost wonder if thats why its failing to authenticate [19:30] god troubleshooting sucks on 3 hrs of sleep [19:30] heh - no use, really - get more sleep and you'll work faster [19:30] its either this or I get back to wiring. its 91 degrees, and to save power they shut off AC in the rest of the building. [19:31] Im a fan of AC today, which is why Im trying to crack this bastard. :P [19:31] New bug: #603285 in dovecot (main) "Please convert init script to upstart." [Undecided,New] https://launchpad.net/bugs/603285 [19:32] im still having a problem [19:35] mathiaz: if you wanted to sponsor something for me..
https://code.launchpad.net/~clint-fewbar/ubuntu/maverick/cloud-init/glusterfs-mount-example/+merge/29490 [19:35] SpamapS: cool [19:36] SpamapS: merge proposal grabbed [19:36] NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e) [19:36] quick, someone. stab me in the face. [19:42] RoyK: will reinstalling reset everything ? [19:42] mathiaz: thanks! :) [19:42] milk_: apt-get remove --purge mysql-server might help, yes, but it'll destroy any databases you have [19:43] RoyK: ok :D thanks === jussi is now known as jussio1 [19:53] It seems logrotate is rotating logs, but the apps like mysql and apache don't feel like giving up the old file handle and using the new one, and continue writing to a file that is open, but not listed with "ls" in the directory [19:54] this is causing my /var mount point to grow very large, even though du -sh shows it as being fairly small, because the file handle never closes for apache and mysql logs [19:54] Once i stop the mysql or apache process completely (in the case of apache, sometimes having to do a kill command), the file handle closes, and the volume regains that free space [19:55] Hypnoz: that is normal, most of the daemons do what you want if you send them a signal (mostly SIGHUP) [19:56] I know apache needs to be reloaded after a log rotate, it's in the logrotate script for apache to to a reload afterwards [19:56] but it still seems that isn't allowing it to release those open file handles [19:57] I'm wondering if a apache2 restart is needed instead, which would be much more planning and work [20:00] Hypnoz: the logrotate scripts should do this automatically - if they don't, something's wrong in them [20:01] well I can even manually do an apache2 reload on the server, but that doesn't release the file handles [20:01] if you do something like lsof | grep /var/log | grep deleted [20:01] you might see a lot of files [20:01] all these files that apache can't let go of until the processes is fully restarted [20:01] Hypnoz: I 
haven't seen this sort of problem in a while, but it might be apache is getting a SIGUSR1 where the threads/processes won't be stopped until they're done with what they're doing, and something's hammering the server. changing that to a SIGHUP will stop them and will require a new HTTP request [20:03] iirc apache2ctl graceful sends a SIGUSR1 whereas apache2ctl reload sends a SIGHUP [20:04] hmmm ... i thought reload called apache2ctl graceful in the init.d script [20:04] yes, it does [20:05] but apache2ctl reload is different? [20:05] and that doesn't force a restart of anything, it just tells the processes/threads to please restart when done with whatever they're doing [20:05] erm - restart [20:05] ahhh [20:05] not reload - my failt [20:05] restart sends a SIGHUP, closing things and restarting them [20:06] failt - nice, new word [20:06] i like it. a combination between fail and fault [20:06] :) [20:07] a typo saves the day :D [20:07] so what you are saying, which may be true since these servers are really busy with apache, is that apache never gets a break to close it's connections, so a reload may not be enough, a restart may be needed once in a while [20:08] to force the connections to close, and the new log file handle to be used [20:08] if the apache connections never get to 0, then the new log file handle will never be used [20:08] IIRC new connections aren't accepted after a SIGUSR1, but ongoing connections will remain [20:09] so new connections should use the new log file, and old connections would use the old file until they die? [20:09] I _think_ so, but I'm on rather thin ice now :) [20:09] as on #httpd [20:11] I guess I will try to move this into #httpd then [20:12] * RoyK just joined to see the discussion :) [20:23] mathiaz: alright, submitted to cloud-init directly instead. Thanks for the review. ;) [20:52] error installing sun-java. 
http://dpaste.com/216084/ === shade_ is now known as shade\ [21:08] how can I completely remove ebox and all the things it installed? [21:11] smoser: http://paste.ubuntu.com/460782/ [21:11] hm.. [21:12] smoser: results in this fstab http://paste.ubuntu.com/460786/ [21:13] yeah. i just verified brokenness. [21:15] meaning, broken code? [21:31] smoser: http://paste.ubuntu.com/460795/ that works, but.. bleh.. not elegant. :-P [21:31] i'll get the mounts fixed [21:31] its a bug [21:32] smoser: ok cool, I have plenty else to do, so no rush. :) should I report it on lp ? [21:32] sure, why not. [21:32] its not liking things that don't start with a / [21:32] artifacts are always nice when users go googling for the same problem. :) [21:32] in an effort to allow "sda3" [21:33] so its treating it like a special thing, 'ephemeral0' or whatever? [21:34] can't report bugs on launchpad [21:38] ok bug 603329 [21:38] Launchpad bug 603329 in cloud-init "mounts option to cloud-config refuses to mount volumes not starting with /" [Undecided,New] https://launchpad.net/bugs/603329 [21:38] smoser: have to run for a bit, lets catch up on this tomorrow [21:39] SpamapS, yeah, theres a comment in the code. [21:40] the metadata service is really annoying in that sometimes a key in it ('ephemeral0') will have a value of /dev/sda1 [21:40] and other times a value of 'sda' [21:46] smoser: I went ahead and marked the "work" done on my side, and I'll re-visit which example to push into the package during the beta cycle. I also targeted that bug to alpha-3. [21:47] smoser: if you'd like, I can send a merge proposal for the workaround one now, so you can just approve/merge it if you think the bug will be too much (or I can take the bug on too) [21:47] anyway.. have to run.. ttyl [21:50] just assume that mnt works [21:53] is it possible to recover the passphrase used to create a rsa or maybe dsa key?
[22:12] !kubuntu 10.4 to enterprise Cloud Front-end ubuntu server [22:12] Error: I am only a bot, please don't think I'm intelligent :) [22:13] Hi all! [22:16] do we use to tag bugs as metabugs? [23:21] New bug: #603363 in openssh (main) "sshd never stops, prevents umount of /usr partition" [Undecided,New] https://launchpad.net/bugs/603363 === dendrobates is now known as dendro-afk [23:47] hi guys anyone familiar with proxmox virtualization.. [23:51] ruben23: no what is it? [23:52] it is a virtualization platform same as paid version of vmware [23:52] able to handle and manage KVM and OpenVZ virtualization. [23:54] http://pve.proxmox.com/wiki/Main_Page [23:59] whats the consensus on where to store apache certs for domains