| g593 | for example, does lib XZ bug affect devuan's ssh and otherwise? some said systemd pulls in deps on XZ, so not having that is something that Devuan devels could check and publish confirmation | 00:00 |
|---|---|---|
| CueXXIII | yeah, i think the devuan related security issues are too small to have a whole team | 00:00 |
| g593 | so how is Devuan regarding XZ? | 00:01 |
| brocashelm | g593: https://toot.community/@devuan/112185687582188156 | 00:03 |
| brocashelm | and if you are on stable (daedalus), you are safe, because it's the version that shipped from earlier last year | 00:04 |
| g593 | great. Besides meming, shouldn't this information be on devuan's official website? | 00:04 |
| g593 | google already indexes the "devuan security: not found lol" page - https://www.devuan.org/devuan-security - so why not post such important notifications on that page, just copy that twitter(something) posts even. good to confirm things professionally, and a nice usecase | 00:06 |
| CueXXIII | i don't see any link to /devian-security on the devuan homepage | 00:07 |
| g593 | and on top explain that debian security team should be read first since most packages in Devuan are copies from Debian with just changes to few things just to remove systemd, however here is a list of Devuan SPECIFIC security notifications; | 00:08 |
| g593 | CueXXIII https://www.google.com/search?q=devuan+security | 00:08 |
| CueXXIII | no idea where google imagined that link from | 00:09 |
| golinux | g593: www is more of a static resource. For breaking news dev1galaxy.org and irc are your best bet. | 00:09 |
| g593 | dunno. But just is easy to set up page. copy the 1 sentence of introduction (Devuan security = Debian's mostly) plus copy the "twitter" posts, should be about it for now | 00:10 |
| g593 | golinux for me it's not really a professional look. also webforums get hacked all the time; the static page is more serious | 00:10 |
| golinux | If that | 00:11 |
| golinux | 's what you would like to see, make it spo. | 00:11 |
| golinux | spo > so. | 00:11 |
| CueXXIII | i mean, the idea is not bad per se, but taking random links from google is not very professional either^^ | 00:12 |
| golinux | It's not and we wouldn't even think to do so. | 00:13 |
| friedhelm | And unfortunately the news is not entirely true. You are affected if you're on Ceres AND have libsystemd0 installed. | 00:14 |
| golinux | OMG. That trope again? | 00:15 |
| golinux | Why are systemd files present in Devuan? https://dev1galaxy.org/viewtopic.php?id=1925 | 00:16 |
| CueXXIII | friedhelm: there is no libsystemd0 package in devuan ceres | 00:16 |
| CueXXIII | oh wait, there is… | 00:16 |
| golinux | Duh . . | 00:16 |
| friedhelm | Up to excalibur you can use libelogind-compat instead and you are fine. | 00:17 |
| CueXXIII | ah, so only systemd is masked | 00:17 |
| friedhelm | but for ceres libelogind-compat is too old and prevents updates. So libsystemd0 is pulled in from Debian. | 00:18 |
| g593 | does that libsystemd0 link to libxz? I think just having that library linked is enough (but not sure) | 00:19 |
| friedhelm | yes. | 00:19 |
| golinux | Please visit the forum. This has been discussed there. | 00:19 |
| CueXXIII | g593: readelf -delV /usr/lib/x86_64-linux-gnu/libsystemd.so.0 | grep NEEDED | 00:20 |
| golinux | Also in the backlog on IRC channels if you bothered to have a look | 00:20 |
| CueXXIII | g593: btw, the backdoored library's name is liblzma | 00:22 |
| g593 | "Please wait 24 seconds and try searching again." in 2024 :P | 00:25 |
| g593 | it's https://dev1galaxy.org/viewtopic.php?id=6527 | 00:26 |
| danny_z | wow this is a lot of irc drama | 00:31 |
| gnarface | what's the difference between libelogind0 and libelogind-compat? | 00:33 |
| golinux | Devuan is not affected by the latest vulnerability caused by systemd. https://toot.community/@devuan/112185687582188156 | 00:52 |
| golinux | And https://dev1galaxy.org/viewtopic.php?id=6527 | 00:53 |
| g593 | if installing expert mode with no firmware will turn out to not work good enough (but networking/apt works) then how to later install the firmware that would be otherwise installed? | 00:58 |
| gnarface | g593: they're just regular packages, most or all of them actually have "firmware" in the package name. you can install them then reboot and they'll be loaded automatically. | 01:01 |
| gnarface | note though that as of daedalus, debian upstream has moved most of the relevant ones from non-free to the new section non-free-firmware | 01:02 |
| gnarface | (non-free still exists for regular non-firmware packages) | 01:02 |
| gnarface | if you have trouble finding one for a particular piece of hardware, just ask around here, most of us have memorized the ones we work with daily | 01:09 |
| gnarface | ... they're the same as debian's package names though, so their docs will suffice as a reference too | 01:09 |
| golinux | Here's another one just posted: https://dev1galaxy.org/viewtopic.php?pid=49314#p49314 | 01:36 |
| xrogaan | Ah, 1st April jokes. Times to move away from the internet for a day. | 02:01 |
| joerg | https://gynvael.coldwind.pl/?lang=en&id=782#stage2-ext gives me ideas for a poisoned bait in build process | 02:35 |
| joerg | prolly slightly OT in here, but honestly I don't know where else to post it. And it's in direct reply to golinux :-) | 02:36 |
| golinux | joerg: I had the same OT thought but it's not really OT either so . . . | 02:39 |
| joerg | sth like echo -e '###filler###\n#!/bin/sh\n~!:_ W \necho "XZ attack detected!" >2 \nexit 66 \n|_!{ -' | convert_to_obfuscated_archive >poisonedBait | 02:44 |
| joerg | rather sth like echo -e '###filler###\n~!:_ W \n#!/bin/sh\necho "XZ attack detected!" >2 \nexit 66 \n|_!{ -' | convert_to_obfuscated_archive >poisonedBait | 02:45 |
| joerg | >>This whole thing basically looks like an "extension/patching" system that would allow adding future scripts to be run in the context of Stage 2, without having to modify the original payload-carrying test files. Which makes sense, as modyfing a "bad" and "good" test files over and over again is pretty suspicious. So the plan seemed to be to just add new test files instead, which would have been picked up, deciphered, and executed.<< | 02:49 |
| joerg | [quote https://gynvael.coldwind.pl/?lang=en&id=782] >> I can't help but wonder (as I'm sure is the rest of our security community) – if this was found by accident, how many things still remain undiscovered.<< absolutely agree, same here | 03:03 |
| joerg | https://tukaani.org/xz-backdoor/ | 03:19 |
| ted-ious | joerg: I think you're absolutely right. | 06:11 |
| chomwitt | Has anyone tried ltps ? In the project's page it mentions it needs systemd . | 10:04 |
| chomwitt | i see ltps-client has a dependency on systemd in daedalus. | 10:16 |
| chomwitt | it says systemd | ntpdate . I wonder if that works | 10:19 |
| * | chomwitt away for a couple of hours | 10:19 |
| * | h3at rite here now | 10:45 |
| flag | probably offtopic, but: | 12:22 |
| flag | https://securityboulevard.com/2024/03/an-accidental-discovery-of-a-backdoor-likely-prevented-thousands-of-infections/ | 12:22 |
| flag | "Base OpBase OpenSSH, as delivered from the OpenSSH project, doesn’t require any third-party libraries for default functionality. Probably due to some unknown business motivations, sshd in some distributions has been linked against a universe of libraries under the guise of “increasing functionality”. Every time a dependency is linked into an application like this, the application inherits all the | 12:22 |
| flag | bugs and issues of that dependency. The presumed reason for linking xz, in this case, was to have sshd become more easily controllable by systemd. This decision is what exposed these distributions to the backdoor. As systemd slowly consumes the Linux universe, we’ll see more and more of this.enSSH, as delivered from the OpenSSH project, doesn’t require any third-party libraries for default | 12:22 |
| flag | functionality. Probably due to some unknown business motivations, sshd in some distributions has been linked against a universe of libraries under the guise of “increasing functionality”. Every time a dependency is linked into an application like this, the application inherits all the bugs and issues of that dependency. The presumed reason for linking xz, in this case, was to have sshd become more | 12:23 |
| flag | easily controllable by systemd. " | 12:23 |
| flag | ouch, wrong cut&paste sorry | 12:23 |
| joerg | very interesting musing and quotes regarding libsystemd sd_notify(), dlopen() changes in libsystemd (as of 2024-02-29): https://openwall.com/lists/oss-security/2024/03/31/9 and the conclusion >>Maybe this prompted the bad actors to act quicker<< | 13:36 |
| joerg | -> https://openwall.com/lists/oss-security/2024/03/31/9 | 13:36 |
| shohzgai | hello, i'm having some issues with the minimal cd images, i hope this is the right place to ask for help | 16:36 |
| djph | shohzgai: ask the real question, see if you get an answer | 16:36 |
| shohzgai | the problem is that the cd images don't actually fit on a standard 700MB cd | 16:37 |
| shohzgai | they're a bit over that size. they could certainly fit on a 870MB cd but i think those are less common | 16:38 |
| shohzgai | so is there a way i can make the .iso i want smaller? | 16:39 |
| djph | I don't think they were ever touted as "CD" image | 16:39 |
| djph | *CD Images | 16:39 |
| djph | just "minimal" | 16:39 |
| djph | If you want "CD Sized", I believe you're after the "netinst" image. | 16:40 |
| amarsh04 | I ended up buying a DVD-RW disc, useful for keeping the latest rescue image handy | 16:40 |
| shohzgai | Images can be written to a CD or DVD using wodim. | 16:41 |
| shohzgai | quoted from https://www.devuan.org/os/documentation/install-guides/daedalus/install-devuan | 16:41 |
| shohzgai | there are other places that mention they are indeed CD images | 16:41 |
| amarsh04 | I remember when QNX had a bootable 1.44 Megabyte floppy image that included a graphical web browser | 16:42 |
| shohzgai | amarsh04: yeah, i use DVD-R discs but I also have some CD-R ones that I'd like to put linux on, but so far only OpenBSD and NetBSD release actual CD images | 16:43 |
| djph | shohzgai: and the first bit --> Choose from (1) netinst (~480M) ; (2) server (~780M) ; or (3) desktop (~4G) [...] image. | 16:43 |
| amarsh04 | even sysrescuecd became a bit too large for CD's | 16:43 |
| shohzgai | amarsh04 that's awesome, a graphical web browser on a floppy | 16:44 |
| djph | Therefore, any further use of the word "image" isn't implicitly saying ANY choice can be written to a CD ... | 16:44 |
| shohzgai | djph: I understand, but the netinst image requires internet access, and comes with way less packages than minimal | 16:45 |
| Xenguy | A general question about sharing desktops, since I have no recent experience with this... | 16:45 |
| djph | shohzgai: so then use a DVD, or USB stick. | 16:45 |
| shohzgai | https://files.devuan.org/devuan_daedalus/minimal-live/README_minimal-live.txt | 16:45 |
| shohzgai | "The image can be burnt on a CDROM or dd-ed on a USB stick. " | 16:46 |
| djph | well, someone typo'd the readme. | 16:46 |
| shohzgai | some other places too... | 16:46 |
| djph | obviously since both images are >700M, that is no longer true. | 16:46 |
| shohzgai | i wish it could become true again | 16:46 |
| djph | chimaera was under the 700M limit | 16:47 |
| djph | so, guess they forgot to update it | 16:47 |
| amarsh04 | call me old fashioned, but using k3b to burn a CD/DVD image at least lets you verify the image in the one operation - not sure how easy that is with a USB stick | 16:47 |
| Xenguy | I have a use case where someone running Windows wants to share their PC desktop with me running Linux. Just wondering if anyone knows some good free software that runs on both Windows and Linux that would allow him to share his desktop, and then allow me to run a client that could connect up to his shared instance? | 16:47 |
| shohzgai | currently only puppy linux, dsl, and tinycore can fit on a cd | 16:47 |
| djph | amarsh04: so then use a DVD with the 800M "minimal" image :) | 16:47 |
| djph | Xenguy: "shared" like teamviewer (?) or the "share.." option in Zoom? | 16:48 |
| shohzgai | amarsh04: a bit harder but i've never used k3b before so I can't really tell. | 16:49 |
| Xenguy | djph, Hrm, I'm not really that familiar with either of those; this is sort of a new use case for me... | 16:49 |
| Xenguy | I just need to be able to see what's happening on his shared desktop. | 16:49 |
| Xenguy | (Securely of course) | 16:50 |
| shohzgai | Xenguy: I'd use tightvnc as a server on the windows machine and tigervnc client on the linux machine. if they are on the same network. | 16:50 |
| n4dir | even i fooled a bit with NoMachine, but that is ages ago. "leaving the cloud" at debian wiki might have some hint | 16:50 |
| Xenguy | shohzgai, Okay, makes sense that VNC would be one option. We are not on the same network; he is in one city and I am in another. | 16:51 |
| shohzgai | djph: i'm gonna get chimaera on a CD and take a look at it, thanks! | 16:52 |
| Xenguy | I don't recall if VNC is secure by default. | 16:52 |
| shohzgai | it's not | 16:52 |
| * | Xenguy nods... | 16:52 |
| Xenguy | (biab, I need some food) | 16:52 |
| djph | Xenguy: I'm not sure VNC will work -- that's "remote" desktop, and not necessarily "Shared" desktop ... | 16:53 |
| amarsh04 | I was trying to remember VNC | 16:53 |
| Xenguy | djph, Aha yes, there's a distinction there, that makes sense. | 16:53 |
| djph | Xenguy: I'm assuming "shared" here means "you see the exact same thing the other party sees, so you can tell them to click 'here, there, and then OKAY ...' " | 16:53 |
| Xenguy | djph, That's exactly what's going on, he's actually going to assist me with my taxes. | 16:54 |
| shohzgai | ah that makes sense | 16:54 |
| shohzgai | sorry then | 16:54 |
| shohzgai | djph: could jit.si work for this? | 16:55 |
| djph | amarsh04: well, 'one operation'. AFAIK, it'd be the same general process (burn, then read disc as input to cmp(1) the partition against the source iso) | 16:55 |
| djph | Xenguy: Zoom or Teamviewer would be my initial "easiest approach" | 16:55 |
| shohzgai | jitsi.org* i guess | 16:55 |
| djph | jitsi (least last time I used it) made 480i look hi-quality | 16:57 |
| djph | But that was 2020 ... so could simply have been seriously overloaded serverboxen :) | 16:57 |
| djph | *2021 | 16:58 |
| shohzgai | djph: burned images get a little bigger than their .isos sometimes, so you gotta take the rest of the size off and compare against that IIRC | 16:58 |
| * | n4dir thinks if he did the microdosing wrong, as he sees colors | 16:58 |
| djph | shohzgai: "general" process. | 16:58 |
| shohzgai | yeah | 16:58 |
| shohzgai | was just adding a note | 16:59 |
| shohzgai | djph: jitsi is open source though | 16:59 |
| shohzgai | ah | 16:59 |
| shohzgai | he could also use qtox | 16:59 |
| shohzgai | iirc qtox has that feature to share the desktop | 17:00 |
| shohzgai | or was it another tox client...? i can't recall | 17:00 |
| djph | shohzgai: "open source" kinda doesn't matter if it can't get the job done. | 17:01 |
| shohzgai | djph: i don't agree with that, but just mentioned it because Xenguy asked for a free software solution | 17:02 |
| djph | shohzgai: If it cannot clearly show the words on the screen; then it doesn't matter if it's open-source or not. It can't get the job done. | 17:04 |
| raub | Can I use the devuan live image as package source? | 17:07 |
| raub | I boot using it and its source.list assumes I have a network | 17:08 |
| djph | depends on the image, but I believe so, yes. | 17:08 |
| djph | /etc/apt/sources.list "should(tm)" have the deb-iso lines commented out | 17:09 |
| djph | err | 17:10 |
| djph | "deb cdrom:[CD title here] codename main contrib non-free" | 17:10 |
| shohzgai | i got so lost in the conversation that i forgot my objective | 17:11 |
| raub | I am using the desktop-live. So far I have not found the packages in that image. The source.list file I have only shows http://deb.devuan.org links; no deb-iso entries | 17:11 |
| debdog | !!live!! image --> not a package source | 17:11 |
| shohzgai | so, is there a way i can modify the minimal .iso file so that it fits inside a 700mb cd? | 17:11 |
| raub | I will try the desktop.iso | 17:11 |
| raub | debdog: If I cannot connect to a network because I need the right driver, the live image is useless to me | 17:12 |
| shohzgai | raub: what is the problem then? have you tried "$ sudo apt update"? | 17:12 |
| n4dir | why not just use the netinstall-iso shohzgai | 17:12 |
| djph | shohzgai: rebuild it from scratch and find some 100-odd MiB you can cut out. Chances are, this is an impossible task, hence the current "minimal live" image size | 17:13 |
| shohzgai | aaahh i got it, he wants to get the packages out of the images | 17:13 |
| debdog | raub: hmm, there're probably way around that, I am not very familiar with live systems | 17:13 |
| debdog | raub: if you're using it just to install a system, then yes, probably | 17:14 |
| djph | raub: oh, you'll need the relevant driver package (assuming *deb package) and any dependencies on a separate stick ... | 17:14 |
| shohzgai | n4dir: i'd like to have a live linux system that doesn't need connection to the internet at that size. and i happen to find the package selection on the minimal .iso to be quite wonderful. | 17:15 |
| n4dir | i don't really know the minimal iso. It comes with a GUI? | 17:16 |
| shohzgai | no | 17:16 |
| n4dir | so all you want is a CLI system ? | 17:16 |
| shohzgai | exactly | 17:16 |
| n4dir | could try refracta nox ; if that is a still a thing. i think it is | 17:16 |
| n4dir | or use the minimal iso you have and refractasnapshot to make a smaller snapshot of it | 17:17 |
| shohzgai | djph: do you happen to know where i can find the build instructions? | 17:17 |
| djph | shohzgai: for building your own custom ISO? Debian Wiki has (or well used to have) a good primer on the subject. | 17:18 |
| shohzgai | n4dir: those are nice ideas. i'll make sure to try them! | 17:18 |
| n4dir | shohzgai: i think it really has become hard to get an iso smaller than a CD size. | 17:18 |
| n4dir | was it 700 MB? | 17:19 |
| shohzgai | yds | 17:19 |
| shohzgai | yes* | 17:19 |
| n4dir | if i understand refracta correct, the amd64 wouldn't fit on a CD then, the i386 would. | 17:19 |
| djph | last <700M Devuan Minimal was Chimaera. | 17:19 |
| n4dir | https://get.refracta.org/files/daedalus/ | 17:19 |
| djph | Daedalus is ~720M (i386) | 17:20 |
| shohzgai | i just think it's not right that NetBSD and OpenBSD have their whole base system fit in a CD while no linux distribution can achieve that if they don't make it their objective to be the most minimalist distro or be extremely outdated | 17:20 |
| n4dir | something went south. | 17:21 |
| n4dir | i mean: it is not that long ago you had a DE and tools and stuff all on a CD | 17:22 |
| debdog | raub: if you intend to run a live distro on said system, the keyword you're looking for to add required drivers (and other stuff) would be "persistence" | 17:22 |
| shohzgai | slitaz is extremely small but severely outdated, puppy is bigger, fits in a cd but is also outdated, dsl and tinycore, their whole thing is being small | 17:22 |
| shohzgai | i'd also call them more hobbyist OSes too, no offense | 17:23 |
| shohzgai | n4dir: i agree. | 17:24 |
| n4dir | antix has small isos. I recall, but no details | 17:24 |
| shohzgai | antix can't fit in a CD either | 17:24 |
| n4dir | they have several isos. All kind of names, core minimal and full blown and what not | 17:24 |
| n4dir | i guess your best bet is really to build one yourself, with refractasnapshot. | 17:25 |
| n4dir | i wouldn't hold my breath to succeed, but perhaps it will work | 17:25 |
| shohzgai | just checked and antix-core and antix-net(same as netinst it seems) fit inside a CD but i'm not really a fan of antix myself | 17:27 |
| n4dir | perhaps remove "locales" only the ones you need. Such things. | 17:27 |
| shohzgai | i'm building my image later tonight | 17:28 |
| raub | debdog: All I want is to install devuan with a gui in an old Macbook pro. I just dd'ed the desktop.iso now and am trying it. And it is barking that it needs the files for the b43 wireless. You are almost 4GB of data; can't you spare a few bytes for that package? | 17:28 |
| n4dir | good luck. Perhaps give feedback (i'll be asleep anyway, but whenever you me). Perhaps fsmithred has insight, as the "fit on a CD " was a thing in the past, so he might know why it doesn't work anymore. | 17:29 |
| n4dir | was a thing -> for refracta | 17:29 |
| raub | Last time I installed an OS in this guy it was Lubuntu; if you booted it live, it had the driver in the iso, so you could have wireless up even in live mode. | 17:29 |
| shohzgai | right now i'm gonna go take a nap. thanks for all the help n4dir, djph, everyone. see you later. | 17:29 |
| n4dir | nap well, and good luck | 17:30 |
| debdog | raub: I am sorry to hear that. | 17:31 |
| debdog | raub: mayhap what n4dir said could help. make your own live system with refracta tools (shipped with the devuan live iso) which includes the driver | 17:33 |
| debdog | raub: long term: if you report the issue the driver may be included in the next release | 17:34 |
| debdog | raub: refracta documentation https://refracta.org/documents.html | 17:36 |
| fsmithred | devuan-live isos all have wireless firmware installed | 17:38 |
| raub | debdog: If installing from the desktop.iso does not work out, that will be the next option. | 17:39 |
| fsmithred | Certain broadcom drivers are excluded. The installer package is installed, but you need to have a network connection to get the actual wireless firmware. | 17:39 |
| raub | fsmithred: hence the catch-22 I mentioned earlier | 17:39 |
| fsmithred | you have one of those broadcoms? | 17:40 |
| raub | Yep | 17:40 |
| fsmithred | and no ethernet port? | 17:40 |
| raub | I think I will get a usb wifi adapter that works natively | 17:40 |
| raub | fsmithred: not going to connect this laptop to the ethernet here. There are reasons for that | 17:41 |
| fsmithred | ok | 17:41 |
| fsmithred | If you are particular about what apps are installed (i.e. you don't like the standard desktop) then install what you want in a VM and make your own live-iso. | 17:42 |
| raub | Otherwise I would probably pxeboot this bastard and be done | 17:42 |
| raub | That is kind of what debdog was suggesting with refracta tools: build custom image | 17:42 |
| n4dir | doesn't the installer iso contain the firmware? | 17:47 |
| fsmithred | all but the problematic broadcoms | 17:48 |
| n4dir | oh, i see. | 17:48 |
| fsmithred | I could install them in the live, but then broadcom can hold me legally responsible if you violate their IP. | 17:48 |
| n4dir | didn't broadcom suck anyway? unstable and all? | 17:49 |
| fsmithred | I don't have any to try. | 17:49 |
| raub | Next time I pop open the laptop I will see if the wifi is a card vs built into the board like Apple loves to do. If it is a card, I will probably replace it with something sane | 17:49 |
| raub | I think I will take a break from that and go back to figuring out why the work dhcp server is handing out static IPs for the right MACs but hosts are not getting to the boot server | 17:55 |
| Xenguy | Thanks for the suggestions folks, I'll report back if I actually find some non-proprietary software that works for that use case. | 18:02 |
| Xenguy | (I have to hit the road shortly) | 18:03 |
| nemo | hm... I don't know if anyone here helped maintain https://suckless.org/sucks/systemd/ but a friend rightly pointed out it could probably use a new entry this week ☺ | 19:41 |
| mason | heh | 20:39 |
| joerg | nemo: please read https://openwall.com/lists/oss-security/2024/03/31/9 Poettering quotes and understand this isn't _really_ something you can blame to systemd | 22:51 |
| joerg | Though he probably been wrong about PAM pulling in XZ with same result, we can't blame systemd for forcing devels for linking against libsystemd since it seems that's always been deprecated, and even had been "fixed" with the libsystemd PR of 2024-02-29 where libsystemd switches to using dlopen() instead of dependencies to XZ | 22:56 |
| rwp | I blame systemd for its large code of dependencies. I know you disagree. | 22:56 |
| joerg | no, I'm all with you regarding that. Just we don't do ourselves a favor insisting in bashing systemd here since actually it seems like what caused the problem is [quote LP] >>And i tell pretty much anyone who wants to listen that they should just implement the proto on their own if thats rhe only reason for a libsystemd dep otherwise<< | 23:00 |
| DPA | There are a lot of different APIs in libsystemd0. The notify stuff, the journald stuff, the logind stuff, etc. These things should all have their own library. If they did, this wouldn't have happened. | 23:01 |
| joerg | yes, absolutely | 23:01 |
| rwp | To me this is "Monday Morning Quarterbacking". Up until this problem the linking in with libsystemd0 was the standard of care. But there is a problem there? Well then they were wrong to do it that way and should have done it differently. Hindsight is 20/20 on that one. | 23:02 |
| CueXXIII | imho systemd should just be able with sshd -D and not needing an own notification poke | 23:24 |
| joerg | rwp: a) seems they already did it differently, starting a month ago. b) they recommended e.g. the sshd devels should _not_ consider >>linking in with libsystemd0 … the standard of care<< | 23:26 |
| nemo | joerg: I'm referring specifically to this devuan statement... | 23:28 |
| nemo | https://toot.community/@devuan/112185687582188156 | 23:28 |
| nemo | joerg: which encapsulates nicely what I do feel we can blame systemd for | 23:28 |
| joerg | but, as you said, hindsight doesn't help here, so we shouldn't focus on it no matter which heading | 23:28 |
| nemo | "This is another proof that systemd is an anti-pattern for security: with its crawling and ever extending web of dependencies, it extends the surface of vulnerability to orders of magnitude" | 23:28 |
| nemo | joerg: I think we absolutely should focus on it | 23:28 |
| nemo | because it is precisely the main objection to systemd | 23:28 |
| nemo | its ever broadening, cancerous, scope | 23:29 |
| nemo | but whatever. you're certainly permitted to disagree | 23:29 |
| nemo | I'm just noting that given that (official?) no idea, devuan statement, it might be worth highlighting as (yet another) downside to systemd | 23:29 |
| joerg | this statement is pretty fuzzy, I don't think it's to the point in a number of details. That's why I think it doesn't help arguing at this level, which seems exactly the "Monday Morning Quarterbacking" rwp just blamed me for | 23:36 |
| nemo | seems apropos to me. but whatevs. I mean it perfectly encapsulates my personal distrust for it | 23:37 |
| nemo | and, well, I applaud the mastodon comment personally, and given the general flow of the rest of the suckless page, I think one more entry noting the bad idea of making everything depend on everything, especially services that are the key to the kingdom, is something worth highlighting | 23:38 |
| nemo | poettering understandably defensive though. and yeah, fact remains, libpam or not, systemd significantly worsens a trend that should not be encouraged | 23:40 |
| joerg | sorry I think I derailed this channel, I should have taken it to *offtopic, to start with | 23:40 |
| gnarface | so, i have a question | 23:40 |
| gnarface | if i have libsystemd0 installed and i want to switch it with libelogind0, do i need to in fact install both libelogind-compat and libelogind0? i think someone clarified this for me some time ago but i've forgotten the details | 23:41 |
| joerg | maybe http://reisenweber.net/irclogs/libera/_devuan/search?q=libelogind-compat helps?# | 23:43 |
| gnarface | joerg: no, that doesn't go far enough back, that's just me asking the same question yesterday | 23:44 |
| gnarface | oh, wait, maybe i'm assuming it's in the wrong order, hang on... | 23:44 |
| joerg | how far back would it need to go? the chanlog started pre-libera times | 23:44 |
| gnarface | yea, i was just reading it wrong | 23:46 |
| gnarface | but what i'm getting from this is "don't" | 23:46 |
| gnarface | a quick run of "apt-get -s --no-install-recommends install libelogind-compat" has it removing half my system | 23:46 |
| gnarface | so, it says libelogind-compat should replace, provide, and conflict with libsystemd0, but is there a way to get it to not remove all the stuff that depends on libsystemd0 first? | 23:52 |
| gnarface | theoretically if this is a drop-in replacement according to the package headers, it should be possible... | 23:52 |
| joerg | I just realized that maybe the links in the timestamps are not all that obvious. You can click timestamps to get you there | 23:52 |
| gnarface | well, i realize in the past i've given people the advice to "just let it remove everything, you can download it again" but now the shoe is on the other foot and i don't want to | 23:53 |
| joerg | right hand edge of display | 23:53 |
| gnarface | Xenguy: VNC has SSL support, it's just not on by default, but it's also a very simple single-port protocol you can easily use stunnel with instead, which was the go-to solution for securing it before SSL support was added, and still works just as well | 23:54 |
| joerg | gnarface: disclaimer: I got absolutely no clue, so just some foggy memory: I think I seen a way to uninstall one package and concurrently install another one, within one same apt command, which changes the way apt resolves dependencies | 23:56 |
| gnarface | hmm, i'll try finding something like that in the man page... | 23:58 |
| gnarface | if i can specify removes and installs all on the same line, maybe or if i just add everything it wants to remove back to the install line .... | 23:58 |
| joerg | might be completely delusional | 23:58 |