=== JanC_ is now known as JanC | ||
=== maclin1 is now known as maclin | ||
LocutusOfBorg | xnox, interested in an ocaml transition? | 10:04 |
---|---|---|
Unit193 | Why and how is notification-daemon on every desktop? Xubuntu doesn't want it. | 11:56 |
mitya57 | Unit193, it is also a virtual package and xfce4-notifyd Provides: it. | 12:06 |
mitya57 | So the “real” notification-daemon should not be pulled in. | 12:07 |
Unit193 | Exactly... | 12:07 |
ahoneybun | has anyone seen this issue? gnome-software : Conflicts: sessioninstaller but 0.20+bzr150-0ubuntu4.1 is to be installed | 13:34 |
ahoneybun | running latest Artful | 13:34 |
TJ- | Is there a workaround for the USN-2639-1 (June 2015) change to openssl where it requires a minimum DH key size of 768 bits? This has broken access to several data-center appliances with embedded web servers using SSLv3/TLS1.0 where the firmware DH key size in the server key exchange is only 512 bits. There aren't any firmware upgrades for these aged devices. | 13:37 |
Faux | (Oh no.) | 13:54 |
cjwatson | If I were in that situation I'd consider installing a very restricted proxy or similar with a hacked version of openssl. | 13:57 |
est31 | my general advice for situations like these is to a) create a sandboxed VM with outdated software that has no internet access, only to those appliances, b) use that appliance | 14:06 |
est31 | also helps with "firefox dropped java npapi support" issues | 14:07 |
TJ- | cjwatson: I'm assembling an openssl patch that reads an alternative minimum dh_size from the environment; that'll give the flexibility needed on a per-use/per-application basis without downgrading the entire package | 14:33 |
TJ- | est31: right - I'm already needing to use an old Netscape Navigator 9 instance to work correctly | 14:33 |
est31 | wow it's quite old then... | 14:34 |
TJ- | something along these lines: https://iam.tj/projects/ubuntu/0001-allow-alternative-minimum-dh_keysize.patch | 14:35 |
TJ- | est31: indeed; many of these devices are mid 2000s and just keep on plugging away. No reason to spend £££s replacing them for something like this. It affects stuff like iLo as well. Not to mention all the firmware embedded self-signed expired X509 certificates too | 14:37 |
est31 | TJ-: IMO it's still better to have an isolated VM appliance to access these appliances | 16:29 |
est31 | than to patch your copy of openssl | 16:29 |
est31 | and make your general browsing insecure | 16:29 |
TJ- | est31: how does it make general browsing insecure? | 16:30 |
est31 | at least curl uses openssl? | 16:30 |
est31 | firefox and chrome I think ship their own libraries | 16:30 |
TJ- | it makes no changes to the default behaviour of libssl UNLESS an environment variable is defined with an alternative minimum DH keysize value | 16:31 |
est31 | oh ok | 16:31 |
* est31 shrugs | 16:31 | |
TJ- | So I can control when it is active and use the latest libssl packages, rebuilt with this patch applied | 16:31 |
TJ- | It's a minimal patch, does the job, and newer releases are unlikely to require much in the way of rebasing it, so it is maintainable long-term | 16:33 |
xnox | LocutusOfBorg, what ocaml transition? | 20:36 |
xnox | LocutusOfBorg, Feature Freeze was on August 24th. | 20:37 |