[10:04] <LocutusOfBorg> xnox, interested in an ocaml transition?
[11:56] <Unit193> Why and how is notification-daemon on every desktop?  Xubuntu doesn't want it.
[12:06] <mitya57> Unit193, it is also a virtual package and xfce4-notifyd Provides: it.
[12:07] <mitya57> So the “real” notification-daemon should not be pulled in.
[12:07] <Unit193> Exactly...
[13:34] <ahoneybun> has anyone seen this issue? gnome-software : Conflicts: sessioninstaller but 0.20+bzr150-0ubuntu4.1 is to be installed
[13:34] <ahoneybun> running latest Artful
[13:37] <TJ-> Is there a workaround for the USN-2639-1 (June 2015) change to openssl where it requires a minimum DH key size of 768 bits? This has broken access to several data-center appliances with embedded web servers using SSLv3/TLS1.0 where the firmware DH key size in the server key exchange is only 512 bits. There aren't any firmware upgrades for these aged devices.
[13:54] <Faux> (Oh no.)
[13:57] <cjwatson> If I were in that situation I'd consider installing a very restricted proxy or similar with a hacked version of openssl.
[14:06] <est31> my general advice for situations like these is to a) create a sandboxed VM with outdated software that has no internet access, only to those appliances, b) use that appliance
[14:07] <est31> also helps with "firefox dropped java npapi support" issues
[14:33] <TJ-> cjwatson: I'm assembling an openssl patch that reads an alternative minimum dh_size from the environment; that'll give the flexibility needed on a per-use/per-application basis without downgrading the entire package
[14:33] <TJ-> est31: right - I'm already needing to use an old Netscape Navigator 9 instance to work correctly
[14:34] <est31> wow it's quite old then...
[14:35] <TJ-> something along these lines: https://iam.tj/projects/ubuntu/0001-allow-alternative-minimum-dh_keysize.patch
[14:37] <TJ-> est31: indeed; many of these devices are mid 2000s and just keep on plugging away. No reason to spend £££s replacing them for something like this. It affects stuff like iLo as well. Not to mention all the firmware embedded self-signed expired X509 certificates too
[16:29] <est31> TJ-: IMO it's still better to have an isolated VM appliance to access these appliances
[16:29] <est31> than to patch your copy of openssl
[16:29] <est31> and make your general browsing insecure
[16:30] <TJ-> est31: how does it make general browsing insecure?
[16:30] <est31> at least curl uses openssl?
[16:30] <est31> firefox and chrome I think ship their own libraries
[16:31] <TJ-> it makes no changes to the default behaviour of libssl UNLESS an environment variable is defined with an alternative minimum DH keysize value
[16:31] <est31> oh ok
[16:31]  * est31 shrugs
[16:31] <TJ-> So I can control when it is active and use the latest libssl packages, rebuilt with this patch applied
[16:33] <TJ-> It's a minimal patch, does the job, and newer releases are unlikely to require much in the way of rebasing it, so it is maintainable long-term
[20:36] <xnox> LocutusOfBorg, what ocaml transition?
[20:37] <xnox> LocutusOfBorg, Feature Freeze was on August 24th.