[Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread JeremyBekka C
Hello,

I am trying to reply to the following message. I hope I am doing this right.

I have a question about running Vagrant in Gentoo. I am running Debian
Wheezy on two of my computers, but the one that I want to use to test
Devuan is running Gentoo. When I go to the website that is linked below the
only Linux downloads are either rpm or deb files. From what I can tell
these will not work in Gentoo. If I am not supposed to use the version of
Vagrant in the package manager, how can I get Vagrant to run in Gentoo?

I am really excited about Devuan and happy that you are not content to let
systemd take over the Linux world. I am still a noobie to Linux, but I am
working hard to learn as much as I can and hope to gain the skills
necessary to become a package maintainer one day. I would like to help with
Devuan any way I possibly can.

Thanks,

Jeremy


Message: 7
Date: Sat, 7 Mar 2015 02:11:35 +0100
From: Jaromil 
To: dng 
Subject: [Dng] Devuan Alpha i386 - developers release series on
Vagrant
Message-ID: <20150307011135.GA8357@fork>
Content-Type: text/plain; charset="utf-8"


Hi all,

This is the initial release of the Alpha series, base-system stripped at
minimum and distributed in Vagrant format (virtualbox provider), to make
the life of developers working on core components as vdev easier.

Vagrant is a very cool tool, check it out http://vagrantup.com

I'll distribute new releases of the Devuan Alpha cycle virtual machine
via Vagrant and Atlas. This is version 0.1 and can be tested on any PC
running any operating system.

To have this image running, install the latest Vagrant - not the one
from your package manager, but the updated version from the vagrant
website download section - then type into a terminal:

mkdir ~/vagrant && cd ~/vagrant

vagrant init jaromil/devuan-alpha-i386

vagrant up

This will download and start the image into a headless virtualbox
instance. From this downloaded "box" it is possible to duplicate - should
we say fork :^) - more virtual machines.

To login use ssh via port  with user devuan pass devuan.
Root password is also devuan.

Sources are from git.devuan.org and from Debian Jessie.

Devuan runs on sysvinit, systemd is not the init and none of its daemons
are running, but its packages are still present because we are still
using udev.

This is the start of the Alpha release cycle, other developers may also
issue interim releases and updates will follow from packages.devuan.org
as well as ftp.debian.org's jessie (pinned) and security.debian.org

happy hacking!

ciao



--
Jaromil, Dyne.org Free Software Foundry (est. 2000)
We are free to share code and we code to share freedom
Web: https://j.dyne.org Contact: https://j.dyne.org/c.vcf
GPG: 6113 D89C A825 C5CE DD02  C872 73B3 5DA5 4ACB 7D10
Confidential communications: https://keybase.io/jaromil
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread Jaromil

dear hellekin,

On Sat, 07 Mar 2015, hellekin wrote:

> On 03/06/15 22:11, Jaromil wrote:
> > 
> > vagrant init jaromil/devuan-alpha-i386
> > 
> *** Nice.  Can you add libvirt and/or lxc providers?

Ok! I'll keep that in mind for the next release.

Meanwhile one can install it using apt-get of course

> https://git.devuan.org/devuan/devuan-project/wikis/try-devuan-on-vagrant

Although it can be tried, I do not recommend using the vagrant found on
distributions: these are older versions of upstream software and they
may not work or have strange behavior.

Now watch out for the next ISO release for Devuan Alpha, which will be
entirely produced using Devuan. I'm also working on an SDK Vagrant
image, that is an image with a pristine and tested installation of the
same SDK environment I'm using to produce this release series.

ciao





[Dng] grsecurity

2015-03-07 Thread Robert Storey
Just want to say that I'm very glad that some of you are interested in
producing a grsecurity-based hardened system. When it comes to security,
I'm about as paranoid as they come. I've even decided to throw out my new
UEFI motherboard for a Supermicro server board which has BIOS firmware,
because I've recently learned what a security hole UEFI is. That's going to
cost me some money, while grsecurity has the added bonus of being free.

Look forward to the first release, as always,
Robert


Re: [Dng] Hardened Devuan (was Re: Plan for Devuan to use Mozilla products as is)

2015-03-07 Thread Jaromil

dear Neo Futur and other members of the Devuan hardening team:

please consider the Alpha release series a minimal base you can use to
start working on the kernel patches, building them and testing them.
In fact, this release series is mostly intended to receive feedback from
developers and adjust to their needs.

Please also let me know what is the format you prefer working on. Right
now I can release virtualbox images and vagrant boxes using the SDK but
I can also add support for Docker, Qemu, AWS, Google engine,
DigitalOcean, OpenStack, Parallels etc.

In a close future Devuan's signed releases will be available in all
these formats, hoping they come handy to the sysadmins among our
audience. I'm just trying to figure out what to prioritize now in order
to facilitate your good plans.

ciao





Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread KatolaZ
On Sat, Mar 07, 2015 at 03:59:51AM -0500, JeremyBekka C wrote:
> Hello,
> 
> I am trying to reply to the following message. I hope I am doing this right.
> 
> I have a question about running Vagrant in Gentoo. I am running Debian
> Wheezy on two of my computers, but the one that I want to use to test
> Devuan is running Gentoo. When I go to the website that is linked below the
> only Linux downloads are either rpm or deb files. From what I can tell
> these will not work in Gentoo. If I am not supposed to use the version of
> Vagrant in the package manager, how can I get Vagrant to run in Gentoo?
> 

Hi, 

this is a link from Gentoo forums about using rpm/deb packages on Gentoo:

http://forums.gentoo.org/viewtopic-p-7248236.html

It's actually the very first result given by google on the query
"install a rpm on gentoo". Anyway, on any distribution you can just
use cpio/ar since rpms/debs are no more than cpio/ar archives with
some sugar around (basically, a few configure/install/uninstall
scripts).

My2Cents

KatolaZ

-- 
[ Enzo Nicosia aka KatolaZ --- GLUG Catania -- Freaknet Medialab ]
[ me [at] katolaz.homeunix.net -- http://katolaz.homeunix.net -- ]
[ GNU/Linux User:#325780/ICQ UIN: #258332181/GPG key ID 0B5F062F ]
[ Fingerprint: 8E59 D6AA 445E FDB4 A153 3D5A 5F20 B3AE 0B5F 062F ]
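
The point made in the message above, that a .deb is an ar archive wrapped around a payload and a few install scripts, shown as an added example that is not part of the original thread: it walks the ar container by hand and pulls out the maintainer scripts so they can be read before anything is unpacked outside the package manager. The sample package is constructed in the code, and the function names are hypothetical.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60
# Scripts dpkg would normally run as root around install and removal.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive held in memory."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad global magic)")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        # Fields: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        start = pos + HEADER_LEN
        data = blob[start:start + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos = start + size + (size & 1)  # members start on even offsets


def maintainer_scripts(deb_blob):
    """Return {script_name: text} found in the control tarball of a .deb."""
    scripts = {}
    for name, data in ar_members(deb_blob):
        if not name.startswith("control.tar"):
            continue
        # "r:*" lets tarfile detect the compression (gz, xz, none) itself.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read()
                    scripts[base] = text.decode("utf-8", "replace")
    return scripts


def _ar_member(name, data):
    """Serialise one ar member (helper for the constructed sample only)."""
    header = "%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, "100644", len(data))
    pad = b"\n" if len(data) & 1 else b""
    return header.encode("ascii") + b"`\n" + data + pad


def build_sample_deb():
    """Constructed sample: a minimal .deb-shaped archive, not a real package."""
    control = io.BytesIO()
    with tarfile.open(fileobj=control, mode="w:gz") as tar:
        for fname, text in (
            ("./control", "Package: sample\nVersion: 0.1\n"),
            ("./postinst", "#!/bin/sh\nupdate-rc.d sample defaults\n"),
        ):
            payload = text.encode()
            info = tarfile.TarInfo(fname)
            info.size = len(payload)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(payload))
    data = io.BytesIO()
    tarfile.open(fileobj=data, mode="w:gz").close()  # empty payload tarball
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control.getvalue())
            + _ar_member("data.tar.gz", data.getvalue()))


if __name__ == "__main__":
    deb = build_sample_deb()
    for member_name, member_data in ar_members(deb):
        print("%-16s %6d bytes" % (member_name, len(member_data)))
    for script, body in maintainer_scripts(deb).items():
        print("--- %s (would run as root under dpkg) ---" % script)
        print(body, end="")
```

Unpacking the payload by hand skips these scripts entirely, so anything they would have set up (users, services, alternatives) has to be done by the administrator.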


Re: [Dng] Hardened Devuan (was Re: Plan for Devuan to use Mozilla products as is)

2015-03-07 Thread Martijn Dekkers
I am not sure I follow - is the plan for Devuan to be default
hardened/grsec, or is it supposed to be an optional choice somehow? As was
already pointed out, java won't run. Lots and lots of server workloads run
Java

On 7 March 2015 at 12:42, Jaromil  wrote:

>
> dear Neo Futur and other members of the Devuan hardening team:
>
> please consider the Alpha release series a minimal base you can use to
> start working on the kernel patches, building them and testing them.
> In fact, this release series is mostly intended to receive feedback from
> developers and adjust to their needs.
>
> Please also let me know what is the format you prefer working on. Right
> now I can release virtualbox images and vagrant boxes using the SDK but
> I can also add support for Docker, Qemu, AWS, Google engine,
> DigitalOcean, OpenStack, Parallels etc.
>
> In a close future Devuan's signed releases will be available in all
> these formats, hoping they come handy to the sysadmins among our
> audience. I'm just trying to figure out what to prioritize now in order
> to facilitate your good plans.
>
> ciao
>
>
>


Re: [Dng] Hardened Devuan (was Re: Plan for Devuan to use Mozilla products as is)

2015-03-07 Thread miroslav . rovis1
On Fri, Mar 06, 2015 at 08:33:20PM +0100, Jaromil wrote:
> 
> dear Miroslav,
> 
> On Fri, 06 Mar 2015, miroslav.rov...@zg.ht.hr wrote:
> 
> > I hope to be able to continue my Grsecurity/Pax Deployment in Devuan for
> > the Newbies (or of a similar title), like I did in Debian Forums (see my
> > first message in this thread). And about the rest of non-poeterware (and
> > related like, for me, dbus). Maybe in the Wiki, sure Devuan Wiki.
> 
> yes, the gitlab on https://git.devuan.org good that you made a login.
> 
> people can contact me, Nextime or Hellekin to have groups or projects
> created and its wiki can be used for documentation.
I've taken notice, kind brother in *nix! I'll also browse more
extensively to see how things are faring. But I have to remind you that
I am only an advanced user. Capable, I think, to transfer what I know
(and what I will yet learn), to less advanced users, though. Surely,
when things call for an expert insight, I'll have to ask for help.

> I will be among the newbies following your guides: last time I've used
> grsecurity was long time ago, before I gave up the maintenance of
> dyne.org servers to more volunteers. Wondering how much has changed in
> 10 years or so.
If I'm moderated by the Elder members with insight into, and
understanding of, the code, and the architectural/programming
design/other expert aspects, where necessary (and I hope there already
are members of Devuan who can oversee my work, prior to publishing it),
then maybe I can serve the community successfully.

And we can ask for help, if more difficult issues arise, and when they
are really needed, both spender and PaX Team from grsecurity.net have
shown to be available, as are the experts for hardened from the higher
echelons of the Gentoo Foundation, such as blueness, the capable
Academic behind Gentoo grsecurity-hardening.

A sidenote. I've already pointed to my slowness, and it shows here:
I've been into the preparation of this e-mail if I view it since I sent
my first mail, for roughly one third of the time elapsed since then...
And have been writing this message, in which I want to reply to both
you, Jaromil, and Neo Futur, and hellekin, and others, at once. So: I am
slow... Count with it. And may Vis Major (Latin) disband other possible
hindrances to my future work.
> > If that is the space that Jaromil is talking about? (I can log in, I
> > also posted my ssh key, I hope I'll be able to contribute somewhere
> > somehow).
> > 
> > ...Aaah, the beta, we're all impatient for the beta release!
> 
> there is some more time to be waited, but I'm also impatient indeed.
> 
> thanks for your enthusiasm :^)
I dream of a successful fight of FOSS Linux for true
security/privacy/freedom.
> ciao
Mi piacerebbe scriverti in italiano, ma altri non capirebbero. Perciò...
(translation: I'd like to write to you in Italian, but others would not
understand, So...)

On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote:
> On 03/06/15 05:06, Neo Futur wrote:
> >> the Grsecurity/Pax hardening of the kernel, will you think of it,
> >> instead of SELinux, or as an option besides SELinux? It sure will be
> >> attainable in the way I got it in Debian in that Tip, but official
> >> support would be so great!
> > 
> > https://git.devuan.org/groups/hardened
> > 
> > we are a few guys planning to try and maintain a grsec kernel for
> > devuan, for now we are waiting for a devuan beta version before
> > starting working on it.
> > anyone interested, feel free to join !
> >
> *** I'm so happy to see this group.  I've been using this kernel lately,
> running on Parabola:
> 
>   3.14.34-gnu-201502271838-1-lts-grsec-knock
> 
> GRSecurity, and Knock support.  Knock is a kernel patch that enables
> single packet port knocking [0], thwarting common scanning attacks.  I
> would love to see this running on Devuan.  Parabola GNU/Linux was the
> first distro to deploy it, and I've been using it happily with SSH.
> 
> ==
> hk
> 
> [0]: https://gnunet.org/kirsch2014knock

I left the above in my message, because I feel it is important.

> -- 
>  _ _ We are free to share code and we code to share freedom
> (_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/

On Fri, Mar 06, 2015 at 07:22:16PM -0500, Neo Futur wrote:
> at the beginning we plan :
> 
> * to use only the pax options of the grsec kernel, no rbac enabled
> * to work on vanilla sources or gentoo hardened sources
I can say grsec-hardened gentoo works great on my systems, and using
their kernel could decrease the workload... But maybe only as far as
hardening goes? What I do know, from experience, and I do have a nasty
regime, against me, currently in power in Croatia (not saying this for
politics; some of my friends have to go to jail or worse before I
mention politics in my messages here, but because of intrusions that I
suffered, for years, all findable by my name, Miroslav Rovis, in Gentoo
Fora and Grsecurity Fora, maybe some in Debian Fora --not sure for

Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread Nuno Magalhães
On Fri, Mar 6, 2015 at 7:06 PM, T.J. Duchene  wrote:
>
> If someone has issue with the code, it's open. Go look for yourself.  I beg
> everyone's kind indulgence and excuse me for saying this, but the conspiracy
> theories about Google and the Chromium source code come from people who have
> never actually looked at the code.   Then again, I bet they haven't looked
> at the Firefox code either.

"Go look at the code, it's open" is a common "argument" i hear from
pro-systemd advocates. Curious.

About looking at the code: have you personally audited chrome's code,
top to bottom, OpenBSD-style? 'Cos if you haven't - it is a big piece
of software -, well your argument is moot.

Some people already pointed out there are times where chromium doesn't
cut it, so hey, i bet the VUA wouldn't mind you repackaging chromium
for Devuan :)

Cheers,
Nuno


Re: [Dng] [bikeshedding] release names

2015-03-07 Thread hellekin
Maybe it's just me but I don't understand what you're contemplating.

Why do you think Devuan should use a more complicated set of suites than
Debian?

Ceres is aliased to `sid`, so it's not testing, but unstable.  The way
Debian handles testing, code freezes, etc. is not 1:1 with Devuan (or so
I hope), so jessie+1 in both distributions will certainly be different
(more than Jessie).  My guess is that the automation jaromil and nextime
are setting up now will ease the integration of upstream packages, in a
way that will make Devuan a faster moving target than Debian.  It's not
necessary to rush things and make anything more complicated: Debian's
release cycle has been delivering stability and we should probably keep
most of it.  If Devuan release cycle differs, it's on the pace it
integrates new packages in Ceres, not how these packages enter testing, IMO.

==
hk

-- 
 _ _ We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/


Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread hellekin
On 03/07/15 05:59, JeremyBekka C wrote:
>
> how can I get Vagrant to run in Gentoo?
> 
*** As mentioned at [0], the way to go is to install it using Rubygems.

https://git.devuan.org/devuan/devuan-project/wikis/try-devuan-on-vagrant

==
hk

-- 
 _ _ We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/


Re: [Dng] Hardened Devuan

2015-03-07 Thread hellekin
On 03/06/15 20:27, Adam Borowski wrote:
> 
> It looks like Knock breaks everything TCP SQN is used for.
> 
*** You obviously didn't read the paper and are happily FUDing like it's
Pearl Harbor.  Knock only changes the Initial Sequence Number of the TCP
packet, overriding the default MD5 hash used in the stock kernel to use
something meaningful to both the client and the server.  It doesn't
change anything about how TCP works.

I'm looking forward to seeing this patch packaged.

==
hk

-- 
 _ _ We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/


Re: [Dng] release names

2015-03-07 Thread Klaus Hartnegg
On 04.03.2015 at 23:10, Robert Storey wrote:

> Just want to say that I really like this idea of naming releases after minor 
> planets, such as Ceres. It's a way cool idea.

Cool yes, but useful? Numbers have the huge advantage that everybody knows 
their order, which is quite important when referring to versions.



Re: [Dng] release names

2015-03-07 Thread william moss

On 03/07/2015 11:16 AM, Klaus Hartnegg wrote:
> On 04.03.2015 at 23:10, Robert Storey wrote:
> 
>> Just want to say that I really like this idea of naming releases after minor 
>> planets, such as Ceres. It's a way cool idea.
> 
> Cool yes, but useful? Numbers have the huge advantage that everybody knows 
> their order, which is quite important when referring to versions.
> 

My 2 cents worth:
BSD uses numbers; e.g., 4.2.1, 10.0 Release #0
SUN-OS used numbers
The kernel uses numbers with appended text. For example, my current
Debian Wheezy kernel is 3.4.105-WMM.default

So, for any system that maintains its version via an RCS like coding, I
would suggest something like
Dng.x.y.z-keyname
where keyname is an indication or purpose. For example, PAE-beta or
PAE-default.




Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread Jaromil


On 7 March 2015 15:48:18 CET, hellekin  wrote:
>On 03/07/15 05:59, JeremyBekka C wrote:
>>
>> how can I get Vagrant to run in Gentoo?
>> 
>*** As mentioned at [0], the way to go is to install it using Rubygems.
>
>https://git.devuan.org/devuan/devuan-project/wikis/try-devuan-on-vagrant


yep. And I for one will be doing everything possible to have third-party 
packaging systems like gem, pip, composer and others supported and preferred in 
Devuan. This is something that Debian has been fighting all the time and for 
the worst IMHO. Language specific package managers are closer to upstream and 
keep more up to date the software offered.

I haven't discussed this issue with other VUAs, but that's my agenda

ciao



Re: [Dng] release names

2015-03-07 Thread Nuno Magalhães
On Sat, Mar 7, 2015 at 4:16 PM, Klaus Hartnegg  wrote:
>> Just want to say that I really like this idea of naming releases after minor 
>> planets, such as Ceres. It's a way cool idea.

+1

> Cool yes, but useful? Numbers have the huge advantage that everybody knows 
> their order, which is quite important when referring to versions.

Most people will want the latest version, which will always be the
latest advertised on the site. Keeping tabs does matter, so a wikipage
could solve that.


Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread T.J. Duchene

> "Go look at the code, it's open" is a common "argument" i hear from 
> pro-systemd advocates. Curious.  About looking at the code: have you 
> personally audited chrome's code, top to bottom, OpenBSD-style? 'Cos if you 
> haven't - it is a big piece of software -, well your argument is moot

 Nuno, when I say this, I'm not trying to be rude, or nasty or mean. The
fact that you don't like Google is noted, and accepted. 

 If you aren't going to make the effort to look at the code, please do not pass 
judgment on the authors or their efforts.  Otherwise, you are offering only 
second hand knowledge: hearsay and not fact.  That's not an argument associated 
with systemd, that is the whole point of open source.   It is actually about 
the level of trust.  No one can possibly argue that the code is tainted or not  
when they have not reviewed the code.  Nor is anyone on this list likely to
have reviewed the vast majority of the code for all of a Linux distribution.
Either Devuan trusts the community to police the code or it doesn't.   

 Just to be clear, I did not advocate "Chrome" at any point.  Chromium is not 
Chrome. A derived software is not the same as the original.  Chrome is made 
from Chromium, not the other way around.  Much  the same way, LibreOffice is 
NOT  the original OpenOffice, nor is Lotus Symphony.   


I think after this, I'm going to lessen responding to the general list.  I'm 
*not* pointing fingers at you, Nuno or anyone's behavior.  I am just as guilty 
of the same, but any time I decide to spend on Devuan could be more productive: 
better spent packaging or coding.  I "totally get" the need to vent, or just 
rant  sometimes - but the constant antagonism toward certain software, their  
authors, and the paranoia is starting to get to me. Some of the discussions 
have been great!  I especially liked the one on languages.  However, most seem 
to go nowhere.

Is there a dev list available where I can track the progress of Devuan toward 
Alpha?   

With that, I  will leave you to your devices for a while.
t.j.



Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread Stefan Ott

On 03/07/2015 06:49 PM, Jaromil wrote:
> 
> yep. And I for one will be doing everything possible to have
> third-party packaging systems like gem, pip, composer and others
> supported and preferred in Devuan. This is something that Debian
> has been fighting all the time and for the worst IMHO. Language
> specific package managers are closer to upstream and keep more up
> to date the software offered.

I much prefer the Debian way, i.e. having stable, known-good versions
of all those Python modules rather than manually following upstream.
As an admin I find it rather tiresome to keep track of dozens of
installed third-party packages and their vulnerabilities and
compatibility.

That said, as long as you don't actively try to get rid of these
packages I don't see an issue with better integration of pip & friends.

-- 
Stefan Ott
http://www.ott.net/


Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread Isaac Dunham
On Fri, Mar 06, 2015 at 08:44:31PM +0100, Stefan Ott wrote:
> On 03/06/2015 08:06 PM, T.J. Duchene wrote:
> > 
> > That said, the reason I suggested Chromium as an alternative to
> > Firefox is that essentially a better piece of software. It has
> > better features, better support for Web standards, and it is more
> > actively maintained.
 
> And then there is the thing where Debian had to EOL chromium early
> because there is no security support and the latest version cannot be
> built on Debian stable anymore [1], recommending their users "to
> switch to the iceweasel web browser".
> 
> Personally I think the last point alone makes Firefox the better
> choice for a default browser -- we wouldn't want our users to suddenly
> find themselves without security updates...
> 
> [1] https://lists.debian.org/debian-security-announce/2015/msg00031.html

I think ^THIS is probably the biggest reason not to use Chromium.

Never mind whether it's affiliated with Google or whether that makes
it untrustworthy.
If you can't keep it updated for the full lifetime of the release,
it could be written by the most trustworthy vendor on Earth and it
still wouldn't qualify for a good default.

Thanks,
Isaac Dunham


Re: [Dng] release names

2015-03-07 Thread hellekin
On 03/07/15 14:21, william moss wrote:
>
>> Cool yes, but useful? Numbers have the huge advantage that everybody knows
>> their order, which is quite important when referring to versions.
>
*** Release *NAMES* never replaced version numbers.

Hence Debian 8 "Jessie" and Devuan 1.0 "Jessie".

==
hk

-- 
 _ _ We are free to share code and we code to share freedom
(_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/





Re: [Dng] release names

2015-03-07 Thread Klaus Hartnegg

On 07.03.2015 at 19:31, hellekin wrote:
> On 03/07/15 14:21, william moss wrote:
>
>>> Cool yes, but useful? Numbers have the huge advantage that everybody knows
>>> their order, which is quite important when referring to versions.
>
> *** Release *NAMES* never replaced version numbers.
>
> Hence Debian 8 "Jessie" and Devuan 1.0 "Jessie".


Oh yes, they do. Often people familiar with the cool names use only them.
Many documents and discussions use only the names, omit the numbers.


This effectively locks everybody else out of the discussion, or at least 
forces them to google for a dictionary that translates the arbitrary 
names back to meaningful numbers.


Even the official release information (first google hit) does it:
https://www.debian.org/releases/jessie/index.en.html
Nowhere on that page is a version number or a release date, so people 
not familiar with cool have no idea how outdated this might be.



Re: [Dng] Devuan Logo survey

2015-03-07 Thread xiep

Iep!

In my opinion, more than aggressive, the monkey is a punk. In the way of 
the underground comics (as Fritz the Cat or Transmetropolitan). 
Satirical, iconoclast... But, yes, the tone of the cartoons may not be 
the most appropriate for the project.


I appreciate the replies.

Salud!

Xiep

On 2015-03-05 18:26, Martijn Dekkers wrote:

these sketches by xiep are sweet, but I wouldn't like to follow up on
the monkey metaphor.


Also, Ximian already did the monkey thing...



[Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread T.J. Duchene

 
>> https://lists.debian.org/debian-security-announce/2015/msg00031.html

> I think ^THIS is probably the biggest reason not to use Chromium.

> Never mind whether it's affiliated with Google or whether that makes it
> untrustworthy.
> If you can't keep it updated for the full lifetime of the release, it could
> be written by the most trustworthy vendor on Earth and it still wouldn't
> qualify for a good default.

Hi, Isaac! 

That seems very strange to me.   I see no reason why they cannot backport
patches to the Wheezy version of Chromium.  Debian has been doing that since
day one on other packages.  Any upstream project could change the build
environment could happen to any project, at any time. 

Debian has never demanded that an upstream project stay the same for their
convenience before now.  The fact that Debian chose to stop building updates
for that reason shows a lack of commitment to Wheezy.  Unless there is
something I don't know about - It's not that they can't use or generate a
patch.  They simply won't.   

t.j.



Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread Isaac Dunham
On Sat, Mar 07, 2015 at 02:19:43PM -0600, T.J. Duchene wrote:
> 
>  
> >> https://lists.debian.org/debian-security-announce/2015/msg00031.html
> 
> > I think ^THIS is probably the biggest reason not to use Chromium.
> 
> > Never mind whether it's affiliated with Google or whether that makes it
> > untrustworthy.
> > If you can't keep it updated for the full lifetime of the release, it could
> > be written by the most trustworthy vendor on Earth and it still wouldn't
> > qualify for a good default.
> 
> Hi, Isaac! 
> 
> That seems very strange to me.   I see no reason why they cannot backport
> patches to the Wheezy version of Chromium.  Debian has been doing that since
> day one on other packages.  Any upstream project could change the build
> environment could happen to any project, at any time. 
> 
> Debian has never demanded that an upstream project stay the same for their
> convenience before now.  The fact that Debian chose to stop building updates
> for that reason shows a lack of commitment to Wheezy.  Unless there is
> something I don't know about - It's not that they can't use or generate a
> patch.  They simply won't.   
> 
> t.j.

Iceweasel and Chromium are both updated to the upstream-supported version
periodically (when the current version is no longer supported).
The amount of churn between versions and the number of versions means that
it would be very difficult to backport patches.

HTH,
Isaac Dunham


Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)

2015-03-07 Thread Peter Maloney
Just to clarify... *Java will run* with a grsecurity hardened kernel,
with pax enabled. It just needs mprotect disabled for the specific
programs that need it disabled. (and also many other things need this...
python, kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
disabled for optimal stability). For this you need some kernel features
enabled; I recommend the one using xattrs because then the binaries
don't need modifications (or backups, and modified binaries won't run
properly in a non-grsec kernel, but they run fine with xattrs).

Set the extended file system attribute with:

setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java

(example path, may not be right for Debian openjdk)

I have been running grsecurity kernels on my desktop at home and the
office for about a year now, with Java and everything in use.

Also, you can set pax to "soft mode" to temporarily disable those
protections.

And the kernel buffer displays errors when such things are needed, so it
is easy enough to identify why a program doesn't work, to enable those
flags:

[  477.346273] PAX: From 192.168.179.200: execution attempt in: ,
3cc7c968000-3cc7c989000 3fde000
[  477.346451] PAX: terminating task:
/usr/bin/grub-script-check(grub-script-che):7163, uid/euid: 0/0, PC:
03cc7c987cf0, SP: 03cc7c986698
[  477.346631] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 7c 98 7c cc
03 00 00 49 ff e3 90
[  477.346784] PAX: bytes at SP-8: 044d68d0 00404011
0001  044d6850 044d68d0
044d68d1 044d8911 044d8910 00405ca6
0002



On 03/07/2015 12:31 PM, Martijn Dekkers wrote:
> I am not sure I follow - is the plan for Devuan to be default
> hardened/grsec, or is it supposed to be an optional choice somehow? As
> was already pointed out, java won't run. Lots and lots of server
> workloads run Java
>
> On 7 March 2015 at 12:42, Jaromil wrote:
>
>
> dear Neo Futur and other members of the Devuan hardening team:
>
> please consider the Alpha release series a minimal base you can use to
> start working on the kernel patches, building them and testing them.
> In fact, this release series is mostly intended to receive feedback from
> developers and adjust to their needs.
>
> Please also let me know what is the format you prefer working on. Right
> now I can release virtualbox images and vagrant boxes using the SDK but
> I can also add support for Docker, Qemu, AWS, Google engine,
> DigitalOcean, OpenStack, Parallels etc.
>
> In a close future Devuan's signed releases will be available in all
> these formats, hoping they come handy to the sysadmins among our
> audience. I'm just trying to figure out what to prioritize now in order
> to facilitate your good plans.
>
> ciao



Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread T.J. Duchene

> Iceweasel and Chromium are both updated to the upstream-supported version
> periodically (when the current version is no longer supported).
> The amount of churn between versions and the number of versions means that
> it would be very difficult to backport patches.

Yes, certainly.  My point was that Debian does not typically swap out
versions, but puts its efforts into backporting security patches to
existing software.  I just find it odd that Debian has a differing
standard for maintaining browsers.  It strikes me as a side effect of the
popular "rapid release" idea with both Mozilla and Google.  Debian clearly
changed their rules in order to take advantage of that, and this is the
result.

I personally consider rapid release to be a terrible maintenance strategy,
that does more harm than good in the area of stability.

It is the same reason that I did not advocate using Jessie for Devuan 1.0 in
past posts.  You end up compromising your principles to maintain sync with
upstream releases, as well as vetting your schedules by the schedules of
releases upstream.


T.j. 




[Dng] release names

2015-03-07 Thread Robert Storey
>>> Just want to say that I really like this idea of naming releases after
>>> minor planets, such as Ceres. It's a way cool idea.

>> Cool yes, but useful? Numbers have the huge advantage that everybody
>> knows their order, which is quite important when referring to versions.

> Most people will want the latest version, which will always be the
> latest advertised on the site. Keeping tabs does matter, so a wikipage
> could solve that.

I kind of like Ubuntu's system, where every release has both a name and a
number, and the number tells you the month and year of release. So right
now latest Ubuntu release is 14.10, named Utopic Unicorn (though I don't
like the double-word names, would have been better to just call it "Utopic"
or "Unicorn").

cheers,
Robert


Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread KatolaZ
On Sat, Mar 07, 2015 at 06:49:34PM +0100, Jaromil wrote:
> 
> 
> On 7 March 2015 15:48:18 CET, hellekin  wrote:
> >On 03/07/15 05:59, JeremyBekka C wrote:
> >>
> >> how can I get Vagrant to run in Gentoo?
> >> 
> >*** As mentioned at [0], the way to go is to install it using Rubygems.
> >
> >https://git.devuan.org/devuan/devuan-project/wikis/try-devuan-on-vagrant
> 
> 
> yep. And I for one will be doing everything possible to have third-party 
> packaging systems like gem, pip, composer and others supported and preferred 
> in Devuan. This is something that Debian has been fighting all the time and 
> for the worst IMHO. Language specific package managers are closer to upstream 
> and keep more up to date the software offered.
> 
> I haven't discussed this issue with other VUAs, but that's my agenda

Well but all of these language-specific packagers are already
available in Debian, along with hundreds of packaged stuff that "just
fits well together", as in the case of python or ruby. I won't ever
"prefer" to use pip or gem if I am not forced to do so. Mixing up is
always an easy way of messing up, IMHO. You should do it only if you
know exactly what you are up to, and if you are ready to blame yourself
for any mess you will have to deal with, not your distro

My2Cents

KatolaZ

-- 
[ Enzo Nicosia aka KatolaZ --- GLUG Catania -- Freaknet Medialab ]
[ me [at] katolaz.homeunix.net -- http://katolaz.homeunix.net -- ]
[ GNU/Linux User:#325780/ICQ UIN: #258332181/GPG key ID 0B5F062F ]
[ Fingerprint: 8E59 D6AA 445E FDB4 A153 3D5A 5F20 B3AE 0B5F 062F ]


Re: [Dng] Plan for Devuan to use Mozilla products as is

2015-03-07 Thread Nate Bargmann
* On 2015 07 Mar 16:29 -0600, T.J. Duchene wrote:
> 
> > Iceweasel and Chromium are both updated to the upstream-supported
> > version periodically (when the current version is no longer
> > supported).  The amount of churn between versions and the number of
> > versions means that it would be very difficult to backport patches.
> 
> Yes, certainly.  My point was that Debian does not typically swap out
> versions, but puts its efforts into backporting security patches to
> existing software.  I just find it odd that Debian has a differing
> standard for maintaining browsers.  It strikes me as a side effect of the
> popular "rapid release" idea with both Mozilla and Google.  Debian clearly
> changed their rules in order to take advantage of that, and this is the
> result.

Unfortunately, this sort of inconsistency toward their definition of
"stable" caused problems in other areas.  During the time that Wheezy
was stable a utility used by radio amateurs was rendered out of date as
the organization that provided the utility changed cryptographic keys on
the site the utility was used for so that a newer version was required.
I entered a bug report that a backport of the newer version should be
made available to all users of Wheezy.  For various reasons it could not
be done in such a way so that the older version would be replaced
automatically.  This was a failure of policy in my opinion as while it's
fine to resist churn for the goal of stability, when a package is
unusable due to external factors it should be upgraded.

I would like for Devuan to consider this sort of corner case in the
future and resist the urge to be so beholden to policy as to make the
featured release unusable for a subset of its users.

- Nate

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread Steve Litt
On Sat, 7 Mar 2015 02:11:35 +0100
Jaromil  wrote:

> 
> Hi all,
> 
> This is the initial release of the Alpha series, base-system stripped
> at minimum and distributed in Vagrant format (virtualbox provider),
> to make the life of developers working on core components as vdev
> easier.
> 
> Vagrant is a very cool tool, check it out http://vagrantup.com
> 
> I'll distribute new releases of the Devuan Alpha cycle virtual machine
> via Vagrant and Atlas. This is version 0.1 and can be tested on any PC
> running any operating system.
> 
> To have this image running, install the latest Vagrant - not the one
> from your package manager, but the updated version from the vagrant
> website download section - then type into a terminal:
> 
> mkdir ~/vagrant && cd ~/vagrant
> 
> vagrant init jaromil/devuan-alpha-i386
> 
> vagrant up

I followed the preceding instructions on my wheezy machine (I'm never
upgrading to jessie), and here's what happens:


slitt@mydesq2:~/vagrant$ vagrant up
VirtualBox is complaining that the installation is incomplete. Please
run `VBoxManage --version` to see the error message which should contain
instructions on how to fix this error.
slitt@mydesq2:~/vagrant$ VBoxManage --version
WARNING: The character device /dev/vboxdrv does not exist.
 Please install the virtualbox-ose-dkms package and the
appropriate headers, most likely linux-headers-amd64.

 You will not be able to start VMs until this problem is fixed.
4.1.18_Debianr78361
slitt@mydesq2:~/vagrant$


I installed Vagrant from the .deb off the website, and I installed
virtualbox-ose-dkms and linux-headers-amd64 already. I spoze I could
find some mknod command to make /dev/vboxdrv, but suspect that would
just make things worse.

Any idea how to run this on Wheezy, or how to start narrowing down this
problem I'm having?

Thanks,

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance



Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)

2015-03-07 Thread Neo Futur
yes with grsec you can allow stack exec if you don't think it's a security flaw

 I just said "as a default" :

>* shipping the kernel with warnings that, as a default, java won't work
>with a secure kernel, and possibly any other graphical applications
>doing dirty stuff with memory ( buffer overflow, relocations and much
>more )


On Sat, Mar 7, 2015 at 4:48 PM, Peter Maloney  wrote:
> Just to clarify... Java will run with a grsecurity hardened kernel, with pax
> enabled. It just needs mprotect disabled for the specific programs that need
> it disabled. (and also many other things need this... python, kdeinit4,
> skype, kscreenlocker_greet, thunderbird, firefox, plugin-container, gdb,
> utox, grub-probe, etc. also firefox needs JIT disabled for optimal
> stability). For this you need some kernel features enabled; I recommend the
> one using xattrs because then the binaries don't need modifications (or
> backups, and modified binaries won't run properly in a non-grsec kernel, but
> they run fine with xattrs).
>
> Set the extended file system attribute with:
>
> setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
>
> (example path, may not be right for Debian openjdk)
>
> I have been running grsecurity kernels on my desktop at home and the office
> for about a year now, with Java and everything in use.
>
> Also, you can set pax to "soft mode" to temporarily disable those
> protections.
>
> And the kernel buffer displays errors when such things are needed, so it is
> easy enough to identify why a program doesn't work, to enable those flags:
>
> [  477.346273] PAX: From 192.168.179.200: execution attempt in: ,
> 3cc7c968000-3cc7c989000 3fde000
> [  477.346451] PAX: terminating task:
> /usr/bin/grub-script-check(grub-script-che):7163, uid/euid: 0/0, PC:
> 03cc7c987cf0, SP: 03cc7c986698
> [  477.346631] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 7c 98 7c cc 03
> 00 00 49 ff e3 90
> [  477.346784] PAX: bytes at SP-8: 044d68d0 00404011
> 0001  044d6850 044d68d0
> 044d68d1 044d8911 044d8910 00405ca6
> 0002
>
>
>
> On 03/07/2015 12:31 PM, Martijn Dekkers wrote:
>
> I am not sure I follow - is the plan for Devuan to be default
> hardened/grsec, or is it supposed to be an optional choice somehow? As was
> already pointed out, java won't run. Lots and lots of server workloads run
> Java
>
> On 7 March 2015 at 12:42, Jaromil  wrote:
>>
>>
>> dear Neo Futur and other members of the Devuan hardening team:
>>
>> please consider the Alpha release series a minimal base you can use to
>> start working on the kernel patches, building them and testing them.
>> In fact, this release series is mostly intended to receive feedback from
>> developers and adjust to their needs.
>>
>> Please also let me know what is the format you prefer working on. Right
>> now I can release virtualbox images and vagrant boxes using the SDK but
>> I can also add support for Docker, Qemu, AWS, Google engine,
>> DigitalOcean, OpenStack, Parallels etc.
>>
>> In a close future Devuan's signed releases will be available in all
>> these formats, hoping they come handy to the sysadmins among our
>> audience. I'm just trying to figure out what to prioritize now in order
>> to facilitate your good plans.
>>
>> ciao


Re: [Dng] Devuan Alpha i386 - developers release series on Vagrant

2015-03-07 Thread Martijn Dekkers
apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') virtualbox


On 8 March 2015 at 03:39, Steve Litt  wrote:

> On Sat, 7 Mar 2015 02:11:35 +0100
> Jaromil  wrote:
>
> >
> > Hi all,
> >
> > This is the initial release of the Alpha series, base-system stripped
> > at minimum and distributed in Vagrant format (virtualbox provider),
> > to make the life of developers working on core components as vdev
> > easier.
> >
> > Vagrant is a very cool tool, check it out http://vagrantup.com
> >
> > I'll distribute new releases of the Devuan Alpha cycle virtual machine
> > via Vagrant and Atlas. This is version 0.1 and can be tested on any PC
> > running any operating system.
> >
> > To have this image running, install the latest Vagrant - not the one
> > from your package manager, but the updated version from the vagrant
> > website download section - then type into a terminal:
> >
> > mkdir ~/vagrant && cd ~/vagrant
> >
> > vagrant init jaromil/devuan-alpha-i386
> >
> > vagrant up
>
> I follow the preceding instructions on my wheezy machine (I'm never
> upgrading to jessie), and here's what happens:
>
> 
> slitt@mydesq2:~/vagrant$ vagrant up
> VirtualBox is complaining that the installation is incomplete. Please
> run `VBoxManage --version` to see the error message which should contain
> instructions on how to fix this error.
> slitt@mydesq2:~/vagrant$ VBoxManage --version
> WARNING: The character device /dev/vboxdrv does not exist.
>  Please install the virtualbox-ose-dkms package and the
> appropriate headers, most likely linux-headers-amd64.
>
>  You will not be able to start VMs until this problem is fixed.
> 4.1.18_Debianr78361
> slitt@mydesq2:~/vagrant$
> 
>
> I installed Vagrant from the .deb off the website, and I installed
> virtualbox-ose-dkms and linux-headers-amd64 already. I spoze I could
> find some mknod command to make /dev/vboxdrv, but suspect that would
> just make things worse.
>
> Any idea how to run this on Wheezy, or how to start narrowing down this
> problem I'm having?
>
> Thanks,
>
> SteveT
>
> Steve Litt*  http://www.troubleshooters.com/
> Troubleshooting Training  *  Human Performance


Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)

2015-03-07 Thread Martijn Dekkers
>  Just to clarify... *Java will run* with a grsecurity hardened kernel,
> with pax enabled. It just needs mprotect disabled for the specific programs
> that need it disabled. (and also many other things need this... python,
> kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
> plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
> disabled for optimal stability). For this you need some kernel features
> enabled; I recommend the one using xattrs because then the binaries don't
> need modifications (or backups, and modified binaries won't run properly in
> a non-grsec kernel, but they run fine with xattrs).
>
> Set the extended file system attribute with:
>
> setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
>
> (example path, may not be right for Debian openjdk)
>

cool, thanks! I think it would be important that packages that have an
issue running under grsec all do what they need to do on installation to
make sure the correct configs are in place to actually work under grsec.
This is often left out, making proper security expensive and difficult to
track down.


Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)

2015-03-07 Thread Neo Futur
> cool, thanks! I think it would be important that packages that have an issue
> running under grsec all do what they need to do on installation to make sure
> the correct configs are in place to actually work under grsec. This is often
> left out, making proper security expensive and difficult to track down.

 let's be clear, you'd have to check for each and every new version of
each and every binary you ship to add this "allowed to stack exec or
whatever other dirty memory trick"  flag whenever the upstream added a
bug or a backdoor.

 quite a bunch of work, imo this has to be the responsibility of the
sysadmin to see the problem ( easy in the grsec log whenever something
goes wrong ) and choose to allow/trust this binary, and / or report a
bug to devuan and/or upstream.


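An added example (not code from any poster in this thread or from grsecurity) of the triage that both Peter Maloney's message and the message above describe: read the PaX kill lines from the kernel log, group them by binary, and show each binary's current user.pax.flags so the admin can decide per binary; it changes nothing on disk. The sample log is constructed from the lines quoted in the thread with the e-mail wrapping undone; the "<anonymous mapping>" text, the second binary and all function names are assumptions.

```python
import os
import re

# Constructed sample: the log quoted in the thread with e-mail wrapping undone.
# "<anonymous mapping>", /opt/example/bin/tool and the last line are invented.
SAMPLE_LOG = """\
[  477.346273] PAX: From 192.168.179.200: execution attempt in: <anonymous mapping>, 3cc7c968000-3cc7c989000 3fde000
[  477.346451] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):7163, uid/euid: 0/0, PC: 03cc7c987cf0, SP: 03cc7c986698
[  477.346631] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 7c 98 7c cc 03 00 00 49 ff e3 90
[  512.000101] PAX: terminating task: /opt/example/bin/tool(tool):8044, uid/euid: 1000/1000, PC: 0000000000601040, SP: 00007ffd5a2c1e38
[  530.120000] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):7301, uid/euid: 0/0, PC: 03cc7c987cf0, SP: 03cc7c986698
"""

# Matches the "terminating task" line: path(comm):pid, uid/euid: U/E
TERMINATED = re.compile(
    r"PAX: terminating task: (?P<path>/.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+)"
)


def parse_terminations(log_text):
    """Return one dict per 'PAX: terminating task' line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = TERMINATED.search(line)
        if m:
            events.append({"path": m["path"], "comm": m["comm"],
                           "pid": int(m["pid"]), "uid": int(m["uid"]),
                           "euid": int(m["euid"])})
    return events


def group_by_binary(events):
    """One entry per binary: how often it was killed, and whether any kill was as root."""
    grouped = {}
    for ev in events:
        entry = grouped.setdefault(ev["path"], {"kills": 0, "as_root": False})
        entry["kills"] += 1
        entry["as_root"] = entry["as_root"] or ev["euid"] == 0
    return grouped


def read_pax_flags(path):
    """Current user.pax.flags xattr as text, or None if unset, unreadable or unsupported."""
    try:
        return os.getxattr(path, "user.pax.flags").decode("ascii", "replace")
    except (OSError, AttributeError):  # missing file/attribute, or no xattr support
        return None


def review_list(log_text):
    """Rows for a human reviewer; which exemption (if any) to grant stays their call."""
    rows = []
    for path, info in group_by_binary(parse_terminations(log_text)).items():
        flags = read_pax_flags(path)
        rows.append({"path": path, "kills": info["kills"], "as_root": info["as_root"],
                     "flags": flags,
                     # lowercase 'm' in the flag string means MPROTECT is already off
                     "mprotect_exempt": "m" in (flags or "")})
    return rows


if __name__ == "__main__":
    for row in review_list(SAMPLE_LOG):
        print(row)
```

On a live system, feed it the output of dmesg or the kernel log file instead of SAMPLE_LOG.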


Re: [Dng] with pax flags, Java works fine - (was Hardened Devuan)

2015-03-07 Thread Neo Futur
>  let's be clear, you'd have to check for each and every new version of
> each and every binary you ship to add this "allowed to stack exec or
> whatever other dirty memory trick"  flag whenever the upstream added a
> bug or a backdoor.

 also automatically adding this flag everywhere completely defeats the
purpose of those security patches, you just say "wow this program has
a backdoor, cool it's allowed, don't even log that" to your grsec
kernel, why not ship a grsec kernel with no security options enabled
then ? or just use vanilla ;)