[01:44] <JimBuntu> one word marcoagpinto ( in the dark )... blowdarts
[02:06] <lotuspsychje> good morning to all
[06:17] <lordievader> Good morning
[10:32] <EoflaOE> Hello everyone
[10:33] <TJ-> g'morning
[10:35] <TJ-> had fun so far making 18.04 apache2 deliver SSL Labs A+ rating, adding in TLSv1.3, CAA, and CipherSuite options. Shame the 18.04 apache2 doesn't support TLSv1.3
[10:47] <marcoagpinto> hello dear brothers and sisters!
[10:47] <marcoagpinto> >:)
[11:13] <BluesKaj> Hi folks
[11:37] <marcoagpinto> BluesKaj!!!! Hi!
[11:37] <marcoagpinto> >:)
[12:38] <BluesKaj> hey marcoagpinto, was busy looking at 1TB SSD prices and reviews
[12:45] <marcoagpinto> cool
[12:45] <marcoagpinto> :)
[12:53] <BluesKaj> prices are still too high for my taste
[13:07] <pragmaticenigma> childish behavior will get you no where in life
[13:13] <marcoagpinto> pragmaticenigma: me?
[13:13] <marcoagpinto> :)
[13:13] <pragmaticenigma> in general, but in this case MJCD
[13:14] <marcoagpinto> I don't know what is "MJCD"?
[13:14] <EoflaOE> Hello everyone and marcoagpinto
[13:14] <marcoagpinto> EoflaOE: Hello
[13:14] <marcoagpinto> :)
[13:14] <pragmaticenigma> user in main... I typically don't use full handles here
[13:15] <EoflaOE> How is your day going marcoagpinto?
[13:16] <marcoagpinto> fine, thanks, I added 10 POS data into the English LanguageTool (proper names) and you?
[13:16] <BluesKaj> hey EoflaOE
[13:16] <EoflaOE> Hello BluesKaj, how was your day? | marcoagpinto: I am doing fine
[13:17] <BluesKaj> ok here
[13:20] <marcoagpinto> guys?! I guess that the green gadgets and others will come in 20.04 LTS? Maybe they were only added in 19.04 so that they get one year of testing?
[13:22] <pragmaticenigma> Don't know what you mean there marcoagpinto
[13:22] <EoflaOE> marcoagpinto: What are green gadgets? And what do they do?
[13:23] <marcoagpinto> the green buttons, such as in the login screen
[13:23] <marcoagpinto> and also different colours in the CheckBoxes gadgets
[13:23] <EoflaOE> That feature is nice, but I don't know if it will come in 20.04 LTS.
[13:24] <marcoagpinto> ohhhhhhh :(((((((((
[14:08] <marcoagpinto> [23:25] <tomreyn> maybeyou need \& or &&amp;
[14:08] <marcoagpinto> it didn't work. I have just tested it
[14:08] <marcoagpinto> :(
[15:05] <tomreyn> well, it was just blind guessing, i know nothing about purebasic. why don't you use pythong or any other open source scripting or porgramming language?
[15:10] <marcoagpinto> tomreyn: no, because coding is a hobby... so I am a lazy arse in learning other languages
[15:10] <marcoagpinto> :)
[15:11] <marcoagpinto> I do have at least one or two books of Python and Java
[15:11] <marcoagpinto> :)
[15:15] <tomreyn> IMO, when learning new languages, your goal shouldn't be to "read this book" but to "write this (non-complex) software"
[15:16] <tomreyn> (but i acknowledge that different people prefer to approach things differently.)
[15:18] <lordcirth_> I prototyped the skeleton of a game in Haskell; I really ought to get back to it
[15:18] <lordcirth_> Well, not even the skeleton; I just wanted to get a handle on how to do OO-like things without OOP
[15:18] <lotuspsychje> lordcirth_: are you a game dev?
[15:19] <lordcirth_> Nope :P
[15:19] <lotuspsychje> :p
[15:19] <lotuspsychje> i made a game in basic once
[15:19] <lordcirth_> I just had several games with bits I really liked and bits I didn't, and I wanted to learn Haskell.
[15:20] <lordcirth_> I still want to make a 4x where the tech tree is different every game, and hidden.
[15:20] <lotuspsychje> you might wanna talk to Ben64 sometime
[15:21] <lotuspsychje> mgedmin: for wishes, you can add a !bug to make a wishlist
[15:22] <pragmaticenigma> mgedmin: Also note, do-release-upgrade doesn't use apt
[15:23] <tomreyn> and runs in a GNU screen
[15:23] <tomreyn> or byobu rather
[15:24] <marcoagpinto> I have coded two games :)
[15:24] <marcoagpinto> ZX Spectrum remakes to the PC
[15:24] <marcoagpinto> but that was almost 20 years ago... not much time for that hobby right now
[15:25] <mgedmin> for context, I expressed a desire for do-release-upgrade to use apt's progress bar
[15:25] <mgedmin> because it's annoying to sit there and have no idea how far along the upgrade is
[15:25] <mgedmin> (sometimes some text like "Progress: [ 50%]" scrolls by but I rarely catch it)
[15:26] <mgedmin> and the screen instance spawned by do-release-upgrade steals my scrollback buffer and changes all the screen keybindings from defaults to I-don't-know-what
[15:28] <mgedmin> interesting detail about not using apt
[15:28] <mgedmin> yeah, pstree shows the 'bionic' process is running dpkg directly
[15:28] <pragmaticenigma> mgedmin: do-release-upgrade is more of a script, executing a bunch of other applications to perform the necessary configuration changes, package downloads, etc... It would be very difficult to gauge the progress of that, which is likely why it hasn't been included.
[15:28] <mgedmin> hey, the gui update manager has a progress bar
[15:29] <mgedmin> it's the same script with a different frontend afaiu?
[15:30] <pragmaticenigma> mgedmin: it might be, it could be a wrapper that looks for those "Progress: [ 50%]" string patterns in the log/output of do-release-upgrade
[15:30] <mgedmin> but yeah, someone would have to write some code to emit magic terminal escapes to draw the progress bar, since it cannot just ask apt to do that
[15:30] <mgedmin> (now I wonder if maybe screen's status bar could be repurposed for this? oh if I had the time)
[15:31] <pragmaticenigma> As a developer, the hard part about progress bars, is a lot of the work being done, is done asynchronously. Where a process is forked to process the command, and sometimes there are no waits to see if the process completed
[15:31] <lordcirth_> Is there any good way to see what processes are contributing to 'buffer' memory usage?
[15:38] <tomreyn> i'd think these are any which are listed with a VSZ that is above the RSS in ps output.
[15:39] <mgedmin> that seems unlikely?
[15:39] <tomreyn> actually top lists SHR
[15:39] <tomreyn> and yes, my initial statement was incorrect.
[15:39] <mgedmin> "buffers" in free have something to do with block device caches iirc
[15:40] <tomreyn>        buffers
[15:40] <tomreyn>               Memory used by kernel buffers (Buffers in /proc/meminfo)
[15:40] <tomreyn> from free(1)
[15:43] <tomreyn> i am still clueless about linux memory handling. :-/
[15:44] <pragmaticenigma> Magic!
[21:07] <TJ-> Hmmm, I have DNS-over-HTTPS server working... now what do I do with it? :)
[21:09] <akemlenovo_> Try to resolve all IPV4 adresses to see if it works properly and have some nice cache? :)
[21:10] <daftykins> i read about Firefox moving to that, does it rely on querying a static IP to resolve? o0
[21:12] <TJ-> huh? questions to confuse me!
[21:12] <TJ-> it's a DNS server using HTTPS on port 443 of apache, returms the same info as a 'dig' to port 53
[21:13] <TJ-> right now i've only got it set to allow resolving of domains I host so it can't be abused
[21:14] <TJ-> DoH currently is not distributed, there are lists of known public services the browers and other clients hard-code and use
[21:27] <tomreyn> i guess it lacks a DHCP (or equivalent for IPv6) extension for propagation
[21:28] <tomreyn> but then it may make sense to fight out these undecided fights first.
[21:30] <TJ-> DoH? that's not how it's intended to work. It's basically a resolver that can be used to prevent snooping of DNS requests by any man-in-the-middle (ISP) and hard to block since it uses HTTPS port
[21:30] <tomreyn> DoH vs DoT, Do[HT] vs DNS, 'enterprise' DNS vs Do[HT], and maybe even DNSSec vs DNS
[21:31] <TJ-> DNSSEC is different, that's a guarantee the returned record hasn't been modified (crypto hash)
[21:32] <TJ-> so a MITM could still intercept and modify (thus breaking) the query since it is not encrypted
[21:32] <tomreyn> companies will probably forbid employees from using Do[HT] since it prevents resolving LAN resources (and having those superseed those of public resolvers)
[21:33] <TJ-> Or just operate their own DoH proxy
[21:33] <tomreyn> yes, in the long term you really a combination of DNSSEC + Do[HT] but also allow for a 'trusted' third party injecting / overriding additional records
[21:35] <tomreyn> it'll probably boil down to a custom DoH proxy per company network which will do DNSSec outwards and inject custom records inwards
[21:35] <tomreyn> and clients will have a per system resolver still, which applications will be configured to use
[21:36] <tomreyn> and that'll use this company resolver.
[21:36] <tomreyn> so a similar architecture as we had so far, at least within companies
[21:37] <tomreyn> while outside of companies computers and even apps can talk directly to public Do[HT] resolvers, or local / system proxies
[21:37] <TJ-> Let's hope it goes the way of HTTPS everywhere
[21:38] <tomreyn> i'm not very much in favor of every application doing its own (remote) resolving, though. i like the idea of having it central per system
[21:38] <TJ-> I've one last job to do and that is deploy a TLSv1.3 stunnel config on 853 to ace the DoT tests
[21:38] <tomreyn> i'm fine with proper TLS everywhere.
[21:38] <tomreyn> ugh stunnel
[21:39] <TJ-> I've got SSLlabs giving an A+ for the HTTPS configs now
[21:39] <tomreyn> nice, that's not always easy
[21:39] <TJ-> I've used stunnel since the late '90s I think it was, on Windows, very useful
[21:40] <tomreyn> it is. just it should not be neccessary to use it.
[21:40] <TJ-> I'm going to publish the apache config for others since the searches I did led only to fragments without context, bad advice, or lists of ciphers that cannot be directly entered into the apache config
[21:40] <TJ-> Well once BIND adds DoT support by linking in libssl it won't be needed
[21:40]  * daftykins runs SSLlabs test for fun
[21:40] <daftykins> won't be expecting a high result here given i'm mostly stock
[21:41] <TJ-> I had fun earlier adding CAA RRs to the zone and having it break BIND's dnssec-signzone which does not know of CAA records, had to use a raw type257 record to 'fool' it
[21:41] <tomreyn> i think i read some chat around here about 18.04 ignoring cipher suites defined in service configurations for TLSv1.3 (only) and instead using those from ssl.conf, if any.
[21:42] <daftykins> huh nope got A+ right away, that's just my personal nextcloud using LetsEncrypt
[21:43] <tomreyn> hardly anyone does CAA
[21:43] <daftykins> looks like i have a tonne of weak ciphers still enabled
[21:43] <tomreyn> and still A+? :)
[21:44] <daftykins> assuming i'm interpreting the orange lines correctly that are showing up
[21:44] <tomreyn> i guess you have downgrade protections then and those are only for older TLS protocols
[21:45] <TJ-> 18.04's apache doesn't support TLSv1.3, I've deployed from a PPA that does (the PPA belongs to Ondřej Surý one of the core devs of bind9 and others and DNSSEC guru)
[21:45] <tomreyn> Let's Encrypt has achieved so much, we really should buy those folks many beers
[21:46] <daftykins> yeah mine has come back showing TLS 1.0, 1.1 and 1.2
[21:46] <daftykins> seems to be talking about android v4 handshakes being simulated for TLS 1.0
[21:46] <tomreyn> oh, i was thinking 18.04's would.
[21:48] <TJ-> we have openssl 1.1.1 in 18.04 but apache hasn't been upgraded to support TLSv1.3, whereas i think nginx was
[21:49] <tomreyn> oh ok, maybe i mixed those up.
[21:50] <TJ-> funny how ratings slip. Last time I did the exercise was about 6 years ago... rating had dropped to a low B today until I tweaked everything again
[21:50] <daftykins> shared a pic of what my test result showed in other channels you're both in
[21:52] <daftykins> maybe some homework for another time :D
[21:57] <TJ-> I'll dig out the server config when I'm less tired, tomorrow, and share it so you can compare
[21:58] <TJ-> it's only about 7 lines if that (inc. the DoH reverse proxy )
[21:58] <daftykins> thanks! sounds fun
[22:01] <tomreyn> i'll be interested, too, thanks!