| onefang | First take, this xz / lzma backdoor doesn't worry me, coz the Devuan versions I'm using / upgrading to are too old. | 00:07 |
|---|---|---|
| onefang | Second take. The sudden depth of this rabbit hole does worry me. | 00:07 |
| * gnarface sigh | 00:12 | |
| gnarface | yea, it's probably about time to fork everything | 00:13 |
| onefang | I'm reading an article and a thought occurs to me. It seems to be targeting ssh sessions that have been run by systemd. Maybe someone wants to break into systemd systems and remove systemd? But that's OT. | 00:14 |
| brocashelm | all i know is testing and unstable versions reverted to 5.4.5, so it's probably safe to "upgrade" with the "really" version tag | 00:18 |
| ted-ious | How do we know how far back this particular infiltration goes? | 01:25 |
| fsmithred | Debian says it's not in the stable version. | 01:28 |
| fsmithred | which I think is 5.2 | 01:28 |
| fsmithred | nope. 5.4 in daedalus | 01:29 |
| ted-ious | I don't mean which is the newest version that doesn't have the suspicious code that people are talking about. | 01:29 |
| ted-ious | I mean how do we know that the bad guy only got these specific updates into the code? | 01:29 |
| ted-ious | People are saying that this was a 2 year attack. | 01:30 |
| onefang | That'll be why people are investigating these things now. | 01:31 |
| ted-ious | I'm a bit impatient to get more information. | 01:31 |
| ted-ious | Because this sounds like it was a major operation and we might only be seeing the tip of the iceberg. | 01:32 |
| onefang | Enough of this rabbit hole. Time to chase the Easter Bunny instead. B-) | 01:43 |
| mason | Oh, alright, https://lists.debian.org/debian-security-announce/2024/msg00057.html has already come up here. | 02:24 |
| gast0n | Hi, the util-linux package has not yet been patched in Debian, to fix the vulnerability in the wall command | 02:45 |
| djph | you mean the vulnerability that relies on (a) another local user as the attacker, (b) the non-default suggestion application when you misspell a command ... ? | 02:48 |
| gast0n | https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/ | 02:49 |
| djph | yes, that one | 02:50 |
| djph | the one where the guy who has the proof of concept attack says that Debian is technically immune by default, since it doesn't ship with command-not-found ? | 02:52 |
| gast0n | ah ok, thanks :) Also I was seeing that util-linux is a forked package in Devuan | 02:53 |
| fluffywolf | waaaaaaay back when, I had fun creating filenames on a sunos server that sent terminal escapes to anyone who "ls"ed them... | 03:57 |
| fluffywolf | leave them in /tmp and wait... | 03:58 |
| joerg | lol | 04:00 |
| fluffywolf | it's basically the exact same thing as that wall issue... ls had absolutely no filtering, and filenames could contain anything except a null and a /. so if you could create a file that someone else would ls, you could send any arbitrary stream to their terminal, including things that made them do bad things. | 04:02 |
| joerg | that issue changed? | 04:03 |
| ted-ious | Yes nobody uses sunos anymore. :) | 04:03 |
| fluffywolf | ls has filtered things for a while now. heh. | 04:03 |
| joerg | :-D | 04:03 |
| fluffywolf | hell, now ls even provides fully escaped/quoted output. | 04:04 |
| joerg | yes :-) | 04:06 |
| joerg | let's take it to *offtopic though :-) | 04:07 |
| systemdlete2 | gnarface sigh | 04:09 |
| systemdlete2 | <gnarface> yea, it's probably about time to fork everything | 04:09 |
| ted-ious | Fork what? | 04:09 |
| systemdlete2 | funny, when I suggested this several years ago, it was met with groans and repudiation | 04:09 |
| systemdlete2 | I think gnarface meant the entire linux/gnu base | 04:10 |
| systemdlete2 | (I hope that's what he meant) | 04:10 |
| ted-ious | Since devuan is already a partial fork what else does it need besides a few more bugs fixed here and there? | 04:10 |
| systemdlete2 | entire vs partial | 04:10 |
| ted-ious | Oh. | 04:10 |
| joerg | nothing changed | 04:10 |
| systemdlete2 | so maybe this could spell the end (finally!) of this systemd insanity? | 04:11 |
| ted-ious | Why can't a bunch of determined people take over the debian board and reverse the systemd decision? | 04:14 |
| systemdlete2 | same reason, probably, that a bunch of determined people haven't taken over the board at boeing | 04:15 |
| systemdlete2 | the engineers were replaced by marketing bots | 04:15 |
| ted-ious | For boeing you would need lots of money but for debian I think it's just finding a few people to serve on the board and then a campaign to get support. | 04:16 |
| golinux | Please take to OT. Thanks. | 04:17 |
| systemdlete2 | sorry | 04:17 |
| majekla | Hello everyone. | 11:51 |
| majekla | I wanted to congratulate and warmly thank the entire Devuan team for this clean and intelligent distribution! | 11:51 |
| majekla | Coming from the BSD world (FreeBSD, Solaris, Illumos, etc.) and being somewhat of a "conservative" computer scientist at heart (although I am young), I was genuinely surprised by Devuan and its optimization. | 11:51 |
| majekla | Being anything but a fan of Debian, and that for several years (especially because of systemd, which I really do not like), I found in your distribution a very good alternative, with which I feel "right" on Linux again. Although there are many distributions (and I must have tried a good fifty of them), some of which also have not yielded to systemd, Devuan seems to me a truly unique case. | 11:51 |
| majekla | It's very pleasant to work with your distribution. | 11:51 |
| majekla | Thank you again for all your efforts! | 11:51 |
| * joerg prints and hands out posters with ^^^ :-) | 13:16 | |
| sfox | majekla: why is devuan unique out of the non systemd distros? | 18:55 |
| majeklaTEK | Honestly, on an IRC chat, the list is likely to be long. First off, I prefer the separation of tools for administration. And above all, I prefer things to be simple. I have a problem with systemd in that sense. And if I limit myself to purely system aspects, the few trials I've done (various overloads, network requests, heavy writing on disks, etc.) have revealed greater stability than Debian. I'm sorry if I don't seem nice about Debian | 19:24 |
| majeklaTEK | (which I've been using in a corporate environment for a long time) but every time I test a Debian-based distribution in depth, I regularly encounter strange bugs that appear. This ranges from file system corruption, to shells and PATHs disappearing, regardless of the medium (VM, real hardware, etc.). That's why I prefer FreeBSD or distributions coming from RHEL for heavy loads. I haven't seen anything like this on Devuan so far. I've | 19:24 |
| majeklaTEK | witnessed temporary shell lock-ups of a few seconds, but nothing broke... I can't say the same for Debian, for which I've lost count of the countless bugs that occurred during overloads, updates, etc. I haven't had the time to look in detail at everything that's been done on this distribution, but just on that point (stability), I'm really surprised. | 19:24 |
| cousin_luigi | What's the story with the xz vulnerability on devuan? | 19:41 |
| majeklaTEK | don't know, but xz version is not the bad one. | 19:49 |
| gnarface | cousin_luigi: the vulnerability seems to be in libsystemd0, which devuan doesn't have. it has a drop-in placeholder slug which doesn't link to the compromised library | 19:52 |
| gnarface | and yea, supposedly the xz version in current stable isn't the bad one anyway | 19:55 |
| gnarface | i think debian has already rolled back the ones in testing and unstable | 19:55 |
| majeklaTEK | To conclude and put it succinctly, I also find the user experience to be particularly appealing on Devuan compared to other distributions. There has been a special care taken in the choice of the desktop theme (those shades of blue) which is very pleasant and calming. (not to mention that, on a personal note, I prefer xfce). Lastly, there's the choice between the init systems... and it's really important for me to maintain this traditional | 20:02 |
| majeklaTEK | and modular approach. Having the choice. Well done. | 20:02 |
| CueXXIII | gnarface: no, the vulnerability is in xz, which is dynamically linked into libsystemd | 20:15 |
| majeklaTEK | in liblzma | 20:15 |
| CueXXIII | yeah, that's part of xz-utils | 20:16 |
| majeklaTEK | yes | 20:16 |
| CueXXIII | it takes a long path to arrive in sshd, by design | 20:16 |
| golinux | Thanks for the kind words about the theming. All the previous custom themes are still available through Daedalud | 21:09 |
| golinux | Daedalus | 21:09 |
| gnarface | three cheers for golinux! | 21:12 |
| * golinux blushes | 21:20 | |
| golinux | Sadly since I have "retired" there may not be any new ones going forward . . . | 21:21 |
| majeklaTEK | you're welcome (go linux). It's a very good job. | 22:09 |
| Bosco | Hello | 22:56 |
| Bosco | Someone else? | 22:56 |
| nemo | Bosco: hm? | 22:59 |
| Bosco | nemo: 💻😅 | 22:59 |
| Bosco | Does anyone know if anyone has a problem with version 5 of Netinstall? | 23:00 |
| nemo | haven't done an install in a long while, but my recollection is netinstall was never a good idea unless you really needed it | 23:01 |
| nemo | fsmithred here is the expert though | 23:01 |
| nemo | if they are active on a weekend | 23:01 |
| fsmithred | sure, there are always people who have problems installing, regardless of what iso they use. | 23:02 |
| fsmithred | what problem are you having? | 23:02 |
| Bosco | nemo: Version 5 netinstall gave me problems when trying to boot it from a USB | 23:03 |
| fsmithred | all the isos in the "installer iso" directories will install packages from the network (a netinstall) unless you specify not to use a mirror. | 23:03 |
| fsmithred | how did you prepare the usb? | 23:03 |
| fsmithred | and which iso, and are you booting uefi or legacy? | 23:04 |
| nemo | fsmithred: ok. I just remember being told here on #devuan to use the full image after having run into some setup issues, but maybe it was specific to an issue at that time | 23:04 |
| Bosco | fsmithred: Hello, when you start the boot of version 5 of netinstall it does not boot via USB | 23:04 |
| nemo | Bosco: huh. that sounds more like a bios config issue on your computer | 23:05 |
| Bosco | fsmithred: UEFI | 23:05 |
| nemo | like "press F2 to choose alternate boot device" | 23:05 |
| Bosco | The screen goes black when it starts and does nothing else in netinstall 5 | 23:07 |
| fsmithred | did you check the sha256sum to make sure the download was good? | 23:07 |
| fsmithred | again, how did the iso get from your download directory onto the usb? | 23:07 |
| Bosco | fsmithred: I downloaded it from a torrent and posted it there from the official torrent and the official link and in both cases I got a black screen | 23:09 |
| fsmithred | After you downloaded it, you had to do something to get it onto the usb. | 23:10 |
| fsmithred | How did you do that? dd? ventoy? something else? | 23:10 |
| Bosco | fsmithred: ventoy but, the netinstall 4 run well, but not the 5 one | 23:11 |
| fsmithred | If you have a spare usb, use dd or cat to image that with the single iso. | 23:12 |
| fsmithred | If you check on the forum, there might be instructions for getting that version to work on ventoy. I don't know any details on that. | 23:13 |
| Bosco | fsmithred: OK thanks | 23:14 |
| fsmithred | But the bootloader on the daedalus isos is not the same as on chimaera. | 23:14 |
| fsmithred | Bosco, do you get some kind of boot menu from ventoy before it goes black? | 23:14 |
| Bosco | fsmithred: yes I have the graphical menu to choose one | 23:15 |
| fsmithred | ok, so the computer is seeing the usb and letting it do its thing. | 23:16 |
| fsmithred | Only other thing you could do is use one of the live isos, but those don't have the same installer. | 23:17 |
| Bosco | fsmithred: Live's go well, no problems with these ones | 23:19 |
| fsmithred | desktop-live will give you xfce as if you took the defaults on the installer isos. | 23:20 |
| fsmithred | but you'll need to do apt update and apt upgrade after the install to get all the latest versions. | 23:21 |
| fsmithred | are you used to using the debian installer? | 23:21 |
| gnarface | Bosco: if version 4 of the netinstaller works, you can just do a minimal install and update it to version 5 | 23:25 |
| gnarface | the desktop and stuff can be installed after just as easily | 23:26 |
| Bosco | gnarface: In fact that's what I did and it went well. | 23:28 |