Re: [DNG] KUserFeedback
On Sun, 2021-09-05 at 12:54 +0200, tito via Dng wrote:
> Hi,
> I'm not very fond of apparmor for various reasons:
>
> 1) I experienced unexpected behavior of programs
> silently failing to do something (log, run, etc)
> because the apparmor profile was wrong/bugged

I experienced the same, as my first introduction to AppArmor, and a couple times more before I did the same as you and purged it.

> 2) unless you study every code path in the program you want to
> supervise the profiles used will not be safe but nobody really cares
> (e.g. maintainer adds a profile that works with the default setup
> of the distro (if it really works))

This is a great point and probably the biggest reason I remain unsure about it. Combined with the level of permissions it controls, it's like giving another root-level program access to every bit of processing that happens. Yes, all programs have code that needs to be understood to be trusted, but a program with root-level authority that polices all other programs, I need to understand that program a lot better, before trusting it, than I do basically any other program. Maybe there are flaws in that thinking, but unless I misunderstand the level of permission and control AppArmor has, I'm right to be wary of it.

Also, the fact that it comes by default, and is enabled by default, and has those permissions and capabilities, to me, that's the kind of program that is likely to be exploited in the future, assuming it's not exploited now and that the devs or the project are exploitable one way or another. The fact that it has such permissions and is enabled by default, and that it was introduced recently, all of those things justify suspicion as far as I'm concerned. To my unprofessional but suspicious eyes, it reminds me of systemd. Maybe we're wrong, but until we take the time to look at and understand every line of code, and get to know the project, it seems far safer to rely on things like firewalls and other trusted security tools.

Gabe
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] AppArmor
On Sun, 2021-09-05 at 16:21 +0200, tito via Dng wrote:
> Hi,
>
> one stupid question that struck my mind right now: could
> apparmor control itself?
> could you write an apparmor profile to limit what apparmor
> is doing?
>
> Ciao,
> Tito

Haha. "Who polices the police?" "We do." - the police
Re: [DNG] networking thinking
On Sun, 2021-11-28 at 07:20 -0600, o1bigtenor via Dng wrote:
> I've been looking at pfsense and opnsense.

Sorry for reviving a month old thread but I'm just catching up on emails and thought it might be useful to share that Opnsense hasn't supported x86 for about 2 years.

I use Opnsense and have for quite a while. I switched over from pfsense quite a while back though I can't recall why. I almost stopped using Opnsense when they dropped x86 but I ended up switching hardware to comply. It was probably x86 support that caused me to switch to Opnsense in the first place.

Gabe
Re: [DNG] [OT] bash / quote weirdness
I don't have anything of my own to add except that single quotes result in the same behavior as double quotes in this case. I was curious about that after reading about the difference between single and double quotes in the Advanced Bash Scripting Guide or abs guide. I'm a novice obviously.

I wanted to share the abs guide in case anyone reading isn't aware of it. I found it recently while working on a script myself (rename files and folders according to a standard, all lower case, limited special characters and no spaces, in case anyone finds it interesting). There's an html version and a pdf version of the abs guide available here https://tldp.org/LDP/abs/html/ or here https://tldp.org/LDP/abs/abs-guide.pdf

Gabe

On Wed, 2022-01-12 at 00:08 +0100, Florian Zieboll via Dng wrote:
> Dear list,
>
> this is my 'test.sh':
>
> #!/bin/bash
> for f in "$@" ; do
>     xcmd="unrar x"
>     $xcmd "$f"
> done
>
> Can please somebody explain why, if I double-quote the "$xcmd"
> variable in line 4, the script fails with
>
> ./test.sh: line 4: unrar x: command not found
>
> ???
>
> Commands without parameters resp. whitespace (e.g. xcmd="unzip") work
> fine when double-quoted; a web search (including the "GNU Bash manual"
> [1]) did not shed any light on this mystery...
>
> Thank you and libre Grüße,
> Florian
>
> [1] https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html
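The behaviour Florian asks about comes from word splitting: an unquoted `$xcmd` is split on whitespace after expansion, so "unrar x" becomes a command and an argument, while a quoted `"$xcmd"` stays one word and bash looks for a program literally called "unrar x". The added script below (my own illustration, not code from the thread) shows both cases and the array form that is the usual fix. It replaces the real `unrar` with a constructed shell function that prints its arguments in brackets, so it runs without unrar installed; the `-op/tmp/out dir` argument is only an illustrative option containing a space.

```bash
#!/bin/bash
# Added example, not code from the thread: why "$xcmd" fails when the
# variable holds "command argument", and the array form that keeps each
# argument intact.

# Constructed stand-in for unrar so the example runs without it installed.
# It prints every argument in brackets, which makes word boundaries visible.
unrar() { printf '[%s]' "$@"; echo; }

# Unquoted $xcmd is word-split on whitespace before the command runs, so
# "unrar x" becomes two words. The same splitting also breaks any argument
# that contains a space, such as an output path (illustrative value here).
run_unquoted() {
    local xcmd="unrar x -op/tmp/out dir"   # meant as: unrar, x, "-op/tmp/out dir"
    $xcmd "$1"
}

# "$xcmd" is a single word, so bash looks for a program literally named
# "unrar x -op/tmp/out dir" and exits with 127 (command not found).
run_quoted() {
    local xcmd="unrar x -op/tmp/out dir"
    "$xcmd" "$1" 2>/dev/null
}

# Array: "${xcmd[@]}" expands to one word per element, whatever the element
# contains, so both the subcommand and the spaced path arrive unchanged,
# and no glob expansion happens on the way.
run_array() {
    local xcmd=("unrar" "x" "-op/tmp/out dir")
    "${xcmd[@]}" "$1"
}

run_unquoted "a b.rar"   # [x][-op/tmp/out][dir][a b.rar]
run_quoted   "a b.rar" || echo "quoted string form failed, status $?"
run_array    "a b.rar"   # [x][-op/tmp/out dir][a b.rar]
```

Running it shows the unquoted form splitting the spaced argument into two, the quoted form failing with status 127 exactly as in Florian's error message, and the array form delivering every argument as one word. The array is also the form to use when a file name or option could ever contain spaces or glob characters, since `$xcmd` unquoted would expand those too.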
Re: [DNG] [OT] bash / quote weirdness
No problem. Happy that you found it useful :D

On Thu, 2022-01-13 at 10:52 -0500, Steve Litt wrote:
> Thank you, thank you, THANK YOU!!!
>
> I've needed this for the last 23 years. Thank you!
>
> SteveT
Re: [DNG] Genuine, legitimate Early Days at Bell Labs - Youtube, the systemd of video: Was: Early Days at Bell Labs - Youtube, the systemd of video
On Sun, 2022-01-16 at 15:58 -0500, Steve Litt wrote:
> Now, does anybody have anything to say about the CONTENT of the video
> at https://www.youtube.com/watch?v=ECCr_KFl41E ?

I enjoyed the video. To be more specific, I liked his assessment of what 'ingredients' led to unix development and his assessment of whether a 'unix' could be built again. As I think about it, that question leads right to the quote from Dennis Ritchie that Brian put up at the end of his speech or presentation. That is:

"What we wanted to preserve was not just a good environment in which to do programming, but a system around which a fellowship could form. We knew from experience that the essence of communal computing [...] is not just to type programs into a terminal instead of a keypunch but to encourage close communication."

Pretty neat stuff. It occurs to me that what Dennis says was their goal was to preserve the human aspects of those criteria that produced unix.

Thanks for sharing.
Re: [DNG] Stability will be achieved when you spend all of your time reporting on the nothing you did.
On Mon, 2022-02-07 at 09:23 -0500, Ken Dibble wrote:
> Application: firefox 78.15.0esr
>
> URL: about:telemetry#home-tab
>
> Page contains statement: Telemetry is collecting release data and upload
> is disabled.
>
> URL: about:telemetry#histograms-tab
>
> Page contains seemingly endless amounts of collected data.
>
> If this data is supposedly not being uploaded by user preference,
> then why in the H,E,double hockey sticks is so much of it being
> collected?

Thanks for this headsup. I checked my firefox and noticed that, despite the warning, no data seems to have been collected. I checked about:config and apparently I changed some telemetry related entries there that stopped the data collection. I don't know which setting exactly, but if you go into about:config and search for telemetry you'll get 20 to 30 results.

Gabe
Re: [DNG] Stability will be achieved when you spend all of your time reporting on the nothing you did.
One more thing to note: in about:config you'll notice one of the options is telemetry *server*. Is it possible that firefox is actually 'serving' the telemetry data to sites that request it? Sure seems like the kind of dirty underhanded trick that someone might try. The fact that the data is there leaves that open as a possibility at any point anyway. I might be wrong, but since they've taken away our ability to turn off telemetry (except for about:config), I think it's worth being suspicious of their intent.

I'm going to spend a little time this morning learning about telemetry in FF 78. I'll share anything interesting I find.

Gabe
Re: [DNG] Installation difficulties (Robert Parker)
Sorry for the late response. I see you've got a dual boot solution in place, but for anyone looking this up in the future I figured I'd leave my input. I've run into this issue before (more than once). For future reference, I always make sure to do a couple things (this info refers to booting into EFI/UEFI mode).

1. Prior to install, make a boot partition (format: fat32, size: I go with 256 MB).
2. Set the flags on the boot partition (using gparted you can right click on the boot partition you just created >> choose Manage Flags, and check boot. When you do that it should also check efi. Those should be the only ones checked).
3. Next there are some options on the gui installer for encrypting the boot partition and having a separate boot partition. I BELIEVE the way I've had success is to UNCHECK the option to have a separate boot partition (it seems to find it anyway unless I'm mistaken). Encryption option is up to you. If you choose to encrypt your boot partition, you'll see a prompt in the installer that says the boot partition will be part of the encrypted file system and you can just say okay there.

Gabe

On Sun, 2019-11-03 at 12:00 +0100, dng-requ...@lists.dyne.org wrote:
> Today's Topics:
>
> 1. Re: Installation difficulties (Robert Parker)
>
> Message: 1
> Date: Sat, 2 Nov 2019 19:52:32 +0700
> From: Robert Parker
> To: Rick Moen
> Cc: dng@lists.dyne.org
> Subject: Re: [DNG] Installation difficulties
> Content-Type: text/plain; charset="utf-8"
>
> Got it installed and working at last.
>
> I made a successful installation of devuan-ascii onto a partitioning
> scheme of my own.
> The installation worked, the grub configuration didn't.
>
> So I plugged in an unused 500 gig drive and installed Kali Linux on
> that. The grub configuration following that install worked so now I
> have a dual boot Kali - Devuan desktop system.
>
> Bob.
>
> On Wed, Oct 30, 2019 at 2:09 PM Rick Moen wrote:
> > Quoting Robert Parker via Dng (dng@lists.dyne.org):
> >
> > > Do questions about problems installing devuan get answered on
> > > this list?
> >
> > When you least expect it!
> >
> > --
> > Cheers,                   "I am a member of a civilization (IAAMOAC). Step back
> > Rick Moen                 from anger. Study how awful our ancestors had it, yet
> > r...@linuxmafia.com       they struggled to get you here. Repay them by appreciating
> > McQ! (4x80)               the civilization you inherited." -- David Brin
Re: [DNG] kernel instability 4.9.0-12 with latest update
I've had problems with my machine freezing as well, same symptoms, ever since upgrading to beowulf. The issue for me seems to happen when I run a cpu/ram heavy program, specifically a cpu cryptominer. I've had it happen a number of times, always when mining with max 2 cores, but haven't dedicated the time to report it properly. I did look through various logs in /var/logs but I didn't see anything that seemed relevant to the problem.

I'll try to reproduce it today and send any relevant logs.

What logs specifically would be relevant to this issue?

Something relevant to the spectre/meltdown mitigations: I have multithreading turned off in the bios and have had since the vulns were revealed.

Also, 64 bit intel cpu here as well.

On Tue, 2020-03-17 at 03:17 +0000, tuxd3v wrote:
> Hello Riccardo,
>
> > On Sat, 7 Mar 2020 12:19:52 +0100
> > Riccardo Mottola via Dng wrote:
> > Hi,
> >
> > I am using Devuan on an HP laptop with intel 64bit cpu. Everything
> > worked very well, I did a lot of compilation and it is very stable,
> > never had a freeze in months!
> >
> > [0.10] smpboot: CPU0: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
> > (family: 0x6, model: 0xf, stepping: 0x6)
> > [0.10] Performance Events: PEBS fmt0-, Core2 events, Intel PMU driver.
> > [0.10] core: PEBS disabled due to CPU errata
> >
> > Yesterday I installed a kernel upgrade, bad things happened
> >
> > 1) after the first reboot with the new kernel, I get up to my desktop,
> > check out sources and start building Arctic Fox browser, come back after
> > a time and find the machine completely frozen - no disk activity, no
> > mouse possible, no errors. No response to power button pressed (had to
> > press 5 seconds)
> >
> > 2) at reboot, machine freezes quite early in the boot process
> >
> > 3) I retry and it still freezes
> >
> > I tried selecting in GRUB the older kernel and it boots. It goes past
> > the last error, starts file system check/journal replay and the machine
> > seems stable again.
> >
> > This is the last good kernel version:
> >
> > 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u2 (2019-11-11) x86_64 GNU/Linux
> >
> > the unstable version must be the version 4.9.210-1 installed
> >
> > What could the issue be? I read about backports of spectre mitigations
> > being possible issues.
>
> * 'linux-image-4.9.0-12' - I believe, brings Meltdown, Spectre and
>   such mitigations with it, also fixes..
> * 'linux-image-4.9.0-11' - Here, sometimes (firefox + youtube videos),
>   I also have freezes, but the machine ends rebooting..
>   Don't know why, never found the real reason for it..
>   If I don't go on youtube, everything works, so focus yourself on your tasks,
>   and don't be lazy (it's what my computer tells me) :D
>
> For a better understanding of the changes, you can check:
> ~# zless /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz
>
> I am also in 'linux-image-4.9.0-11'..and I plan to be there for some
> time.. :)
>
> Best Regards,
> tux
Re: [DNG] kernel instability 4.9.0-12 with latest update
One more thing, I'm actually on kernel version 4.19.0.8, but again, this issue started when I upgraded to beowulf.

On Tue, 2020-03-17 at 09:34 -0600, Gabe Stanton via Dng wrote:
> I've had problems with my machine freezing as well, same symptoms,
> ever since upgrading to beowulf. The issue for me seems to happen when
> I run a cpu/ram heavy program, specifically a cpu cryptominer. I've had
> it happen a number of times, always when mining with max 2 cores, but
> haven't dedicated the time to report it properly. I did look through
> various logs in /var/logs but I didn't see anything that seemed relevant
> to the problem.
>
> I'll try to reproduce it today and send any relevant logs.
>
> What logs specifically would be relevant to this issue?
>
> Something relevant to the spectre/meltdown mitigations: I have
> multithreading turned off in the bios and have had since the vulns
> were revealed.
>
> Also, 64 bit intel cpu here as well.
>
> On Tue, 2020-03-17 at 03:17 +0000, tuxd3v wrote:
> > Hello Riccardo,
> > [...]
Re: [DNG] kernel instability 4.9.0-12 with latest update
It happened again this morning after running the cpu heavy miner for about 14 hours. I don't recall it ever happening when I wasn't running that program, and having it happen now reaffirms for me that that is the cause on my machine. Prior to the beowulf upgrade I had it running pretty much all the time for a few months without issue.

On Tue, 2020-03-17 at 14:26 -0400, Hendrik Boom wrote:
> On Tue, Mar 17, 2020 at 09:39:21AM -0600, Gabe Stanton via Dng wrote:
> > One more thing, I'm actually on kernel version 4.19.0.8, but again,
> > this issue started when I upgraded to beowulf.
>
> I've been on beowulf for months now, doing the usual upgrades every
> few weeks, but only started experiencing freezes in the past week or
> two. I don't know what causes them.
>
> hendrik@midwinter:~$ uname -a
> Linux midwinter 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
> hendrik@midwinter:~$
>
> -- hendrik
>
> > On Tue, 2020-03-17 at 09:34 -0600, Gabe Stanton via Dng wrote:
> > > I've had problems with my machine freezing as well, same symptoms,
> > > ever since upgrading to beowulf.
> > > [...]
Re: [DNG] HW: Which brand and model of laptop have your successfully installed Devuan on?
I installed Devuan Ascii on a Lenovo W530 via the live desktop installer. I upgraded to Beowulf Beta a few months ago. The install and upgrade were a breeze. In general things are good. The only issue since upgrading to Beowulf is that if I run a cpu-heavy program for long periods of time, I get an unresponsive system to the extent that I have to hard-reset my machine.

I've also installed and run Devuan Ascii on a Lenovo T520 for quite a while with no real issues.

Installing from the desktop/live installer is quite easy. The netinst image gives more options and says it is for more experienced users.

On Thu, 2020-04-09 at 18:32 +0000, Tim Wallace via Dng wrote:
> This is a hardware question.
> Which brand and model(s) of laptop have people successfully installed
> devuan onto?
> How difficult was it?
>
> Thank You In Advance.
Re: [DNG] Upgrade problem [ ascii -> beowulf ] chrooted bind9 server -- /usr/share/dns/root.hints issue -- with fix
It should be. I had the same problem a little over a month ago and that fixed it for me. Been running fine since.

On Mon, 2020-07-06 at 00:39 +1000, Andrew McGlashan via Dng wrote:
> Hi,
>
> Okay, not fully fixed after reboot... apparmor gave problems as
> previously discussed on the list.
>
> Also needed to adjust:
>
>     /etc/apparmor.d/local/usr.sbin.named
>
> Added a line:
>
>     /var/lib/named/** rw,
>
> Then restarted apparmor service:
>
>     service apparmor reload
>
> And then bind would start properly, immediately and again after
> another reboot.
>
> Should it be all good now?
>
> Thanks
> A.
>
> On 6/7/20 12:04 am, Andrew McGlashan via Dng wrote:
> > Hi,
> >
> > I just upgraded from Devuan ascii to beowulf with the server
> > running bind9 in a chroot environment and bind would not start.
> >
> > _This was the relevant error in /var/log/daemon.log_
> >
> > Jul 5 23:36:43 bind9-server-name named[6476]: *could not configure root hints from '/usr/share/dns/root.hints': file not found*
> > Jul 5 23:36:43 bind9-server-name named[6476]: *loading configuration: file not found*
> > Jul 5 23:36:43 bind9-server-name named[6476]: *exiting (due to fatal error)*
> >
> > _Fixed as follows:_
> >
> > # mkdir -p /var/lib/named/usr/share/dns
> > # cp -pv /usr/share/dns/* /var/lib/named/usr/share/dns/
> >
> > _NB: No upgrade changes were made to any config file including the
> > /etc/default/bind9 file below._
> >
> > # cat /etc/default/bind9
> >
> > # Set RESOLVCONF=no to not run resolvconf
> > RESOLVCONF=yes
> >
> > # startup options for the server
> > #OPTIONS="-u bind"
> >
> > # Added -t ... for running of bind9 in a chroot environment
> > #OPTIONS="-u bind -t /var/lib/named"
> > # Added -4 to force IPV4 lookups only
> > OPTIONS="-u bind -4 -t /var/lib/named"
> >
> > ### NB: This symbolic link is needed for the chroot environment too
> > #     (without needing to change /etc/init.d/bind9 file)
> > #
> > # cd /run/named
> > # ln -s /var/lib/named/run/named/named.pid .
> >
> > Kind Regards
> > AndrewM
Re: [DNG] Devuan 3.0 Orca Problem
Sorry I don't have anything helpful regarding orca, but that looks like an advertisement in your signature.

Are advertisements in signatures allowed in this list?

I think advertisements of any sort should be banned from this list. I don't read (and occasionally participate on) this list to be advertised a news source. I have enough people vying for my attention already; this list should be free from that kind of stuff.

Gabe

On Thu, 2020-07-23 at 19:04 -0700, David Hoff Jr wrote:
> I have installed Beowulf to a 32 bit Acer netbook using the text
> installer with speech. I have speech in the text console but no speech
> with Orca in the GUI desktop including the login screen. In the GUI
> Desktop terminal I can bring up the Orca preferences with Orca -r -s
> and find that in the second tab page there is nothing in the Voice
> type, Speech System or Speech synthesizer boxes.
>
> Any suggestions how to fix this. I do have other sounds, just no
> speech from Orca.
>
> Top News - Sponsored By Newser: Seattle Goes Deep for Name of New NHL
> Team / Jacksonville Convention Is Off / Ad With Biden, Obama Draws Trump
> Rebuke
Re: [DNG] Devuan 3.0 Orca Problem
Sorry if I sounded like a jerk, I don't intend to be one. Advertisements just tend to irritate me, like nails on a chalkboard.

On Fri, 2020-07-24 at 09:08 -0500, goli...@devuan.org wrote:
> It is possible to opt out of that on Juno. You'll have to dig down to
> find it though and every so often, they will try to turn it back on.
> Very sneaky . . .
>
> On 2020-07-24 08:21, Gabe Stanton via Dng wrote:
> > Sorry I don't have anything helpful regarding orca, but that looks
> > like an advertisement in your signature.
> > Are advertisements in signatures allowed in this list?
> > I think advertisements of any sort should be banned from this list. I
> > don't read (and occasionally participate on) this list to be advertised
> > a news source. I have enough people vying for my attention already,
> > this list should be free from that kind of stuff.
> > Gabe
> >
> > On Thu, 2020-07-23 at 19:04 -0700, David Hoff Jr wrote:
> > > I have installed Beowulf to a 32 bit Acer netbook using the text
> > > installer with speech.
> > > [...]
Re: [DNG] "Free" email accounts: was Devuan 3.0 Orca Problem
On Fri, 2020-07-24 at 12:38 -0500, goli...@devuan.org wrote:
> If you can't help him, please just be quiet.

I'll continue to speak my mind when I want to, but I'll choose my words more carefully in the future (and hopefully think more about the fine points of my argument before typing).
Re: [DNG] Advertisements to list (was: Devuan 3.0 Orca Problem)
Steve, your response illuminated a distinction I had been making without even thinking about it. I'm just pontificating about advertisements now, so feel free to not read, but personally, Steve, your advertising your site and books has never bothered me in the slightest. It's on-topic and it's your personal efforts you're advertising. Corporate, paid-for ads are really the issue for me and I never thought it out that far before. I'll look at the rules for the list again but your response actually raised a very interesting and important distinction about ads.

Gabe

On Fri, 2020-07-24 at 11:28 -0400, Steve Litt wrote:
> Yes, I thought you were behaving like a jerk *UNTIL* I saw the volume
> and content of the ad. The ad included something with American
> politics, which is just sooo inappropriate for an international
> technical list. Nothing jerky about objecting to *that particular* ad.
>
> SteveT
>
> On Fri, 24 Jul 2020 09:04:38 -0600
> Gabe Stanton via Dng wrote:
>
> > Sorry if I sounded like a jerk, I don't intend to be one.
> > Advertisements just tend to irritate me, like nails on a chalkboard.
> >
> > On Fri, 2020-07-24 at 09:08 -0500, goli...@devuan.org wrote:
> > > It is possible to opt out of that on Juno. You'll have to dig down
> > > to find it though and every so often, they will try to turn it back
> > > on. Very sneaky . . .
> > >
> > > On 2020-07-24 08:21, Gabe Stanton via Dng wrote:
> > > > Sorry I don't have anything helpful regarding orca, but that
> > > > looks like an advertisement in your signature.
> > > > [...]
Re: [DNG] AppArmor and TorBrowser
On Fri, 2021-01-22 at 09:46 -0500, Haines Brown wrote:
> AppArmor...

Ascii didn't have AppArmor, and after upgrading to Beowulf I started getting some errors as well. A little searching told me that AppArmor errors are common and I ended up just purging AppArmor altogether. I haven't had any problems from it and it's been a while now, around 6 months IIRC. I emailed the list about it at the time (not sure if I was responding to someone else or just reporting my findings).

Gabe
Re: [DNG] Synaptics Touchpad Fn+F9
On Fri, 2021-02-05 at 13:23 +, g4sra via Dng wrote:
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Friday, February 5, 2021 11:12 AM, Florian Zieboll via Dng wrote:
>
> > On 4 February 2021 20:13:49 CET, g4sra g4...@protonmail.com wrote:
> > > ‐‐‐ Original Message ‐‐‐
> > > On Thursday, February 4, 2021 6:59 PM, Florian Zieboll via Dng
> > > dng@lists.dyne.org wrote:
> > > Thanks for the reply Florian
> > >
> > > > On 4 February 2021 18:15:06 CET, g4sra via Dng
> > > > dng@lists.dyne.org wrote:
> > > > > Does anyone know how to re-enable a Synaptics Touchpad in
> > > > > Linux after it has been turned off in Windows using Fn+F9 ?
> > > >
> > > > If this key combo really changed something "in hardware", i
> > > > assume that a "hard reset" of the notebook(?!) should solve the
> > > > issue... Usually, this is accomplished by removing all power
> > > > sources and periphery, and then holding down the power button
> > > > for 15-20 seconds. The idea is to remove any stored electricity
> > > > (from ac adapter, battery, capacitors) to clear all
> > > > non-persistent storage.
> > >
> > > That is what googling said too, unfortunately it didn't work.
> > >
> > > > Your device's miles may vary, the manual should mention it.
> > >
> > > The manual is not much use at all, being digital it won't even
> > > serve purpose in the WC.
> > >
> > > > libre greetings, Florian
> > >
> > > By first installing Windows 7 and then the Synaptic drivers on an
> > > old HDD I was able to restore touchpad functionality with the
> > > Fn+F9 switching. This is a programmable multi-gesture touchpad
> > > which I guess may have flash memory. There has got to be a better
> > > way
> >
> > Hello g4sra,
> > as you replied off-list and I don't know of any better way, I bring
> > the issue back to the list:
>
> Thanks for that. This email client will not reply to the list. It
> considers to do so a security issue because of an authentication
> failure. If I post directly to the list then the message thread is
> lost.
> I have tried something new.. it will allow me to CC, so I have done
> that replying directly to you, deleted the To, and promoted the CC,
> so if the message id has remained intact this may be a way around the
> problem.
>
> > Perhaps someone has a hint on resetting the device, if you'd reveal
> > its make and model?
>
> Laptop make is mostly irrelevant as the hardware is self-contained as
> manufactured by Synaptics. I believe the communication is SMBus in
> this instance, I know of no way to interrogate the touchpad itself
> other than by what is reported using Synaptics drivers for Windows.
>
> > Another idea out of thin air: Did you remove the CMOS battery - or
> > does the notebook provide a button (or pins) to reset the bios
> > password?
>
> Yes, I did a thorough cold power-up.
>
> > libre greetings, Florian
>
> I am looking for a 'Linux software' solution to this problem.
> Currently grepping the kernel source to see if any giveaways in the
> DTB sources.

Sorry if I missed it, but did you ever just boot into the bios and look for the toggle there? I know you said you're looking for a linux software solution to this, but I thought I'd mention this since I hadn't seen it mentioned. My apologies if I missed it somewhere.

According to a web search about the subject (serverfault I believe) bios makers sometimes work with microsoft to provide limited api type functionality (for things like the f9 you mentioned I assume).

In my case, I can turn off the touchpad through the bios under config > keyboard/mouse.

Gabe
Re: [DNG] Assigning a specific subnet and address to a Devuan Beowulf Qemu guest
On Tue, 2021-02-16 at 07:55 -0500, Steve Litt wrote:
> Thanks Ralph,
> I had left them both out, but putting them in didn't change the
> symptom. I tried with only auto eth0, and that didn't change the
> symptom either.
> Thanks,
> SteveT
> Steve Litt

Just want to throw this out there in case it helps even a bit.

I have a devuan vm running on a devuan host, I believe virt-manager handled network setup for me, but in any case, below are the contents of my /etc/network/interfaces files from both the host and the vm. (notice on the host they have br0 config'd here instead of eth0, don't know if you were referring to that file on the host or the VM.)

Host:

auto br0
iface br0 inet dhcp
    bridge-ports eth0

VM:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

anyway, hope that helps.

Gabe
Re: [DNG] Assigning a specific subnet and address to a Devuan Beowulf Qemu guest
On Wed, 2021-02-17 at 11:26 -0700, Gabe Stanton via Dng wrote:
> On Tue, 2021-02-16 at 07:55 -0500, Steve Litt wrote:
> > Thanks Ralph,
> > I had left them both out, but putting them in didn't change the
> > symptom. I tried with only auto eth0, and that didn't change the
> > symptom either.
> > Thanks,
> > SteveT
> > Steve Litt
>
> Just want to throw this out there in case it helps even a bit.
>
> I have a devuan vm running on a devuan host, I believe virt-manager
> handled network setup for me, but in any case, below are the contents
> of my /etc/network/interfaces files from both the host and the vm.
> (notice on the host they have br0 config'd here instead of eth0,
> don't know if you were referring to that file on the host or the VM.)
>
> Host:
>
> auto br0
> iface br0 inet dhcp
>     bridge-ports eth0
>
> VM:
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> source /etc/network/interfaces.d/*
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet dhcp
>
> anyway, hope that helps.
>
> Gabe

Just to be clear, my VM ip address is as you would like yours to be, it is a dhcp address from the pool on my router. So my host is 192.168.1.x and my vm is 192.168.1.y, and the VM is accessible from the network.
Re: [DNG] Assigning a specific subnet and address to a Devuan Beowulf Qemu guest
On Wed, 2021-02-17 at 16:28 -0500, Steve Litt wrote:
> Hi Gabe,
> On your guest VM, what does it say your default route is when you
> perform the ip route command?

results of ip route:

default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.75

> Did you need to do something special to get that default route
> (gateway)?
> Thanks,
> SteveT

I believe I used the below from here, as well as the 'set up a bridge' link and maybe the 'QEMU' page linked. I thought I had started keeping better notes about what I do... I must have started that after I installed this VM lol.

source url (same as above label'd "here"):
https://wiki.debian.org/KVM?highlight=%28%5CbCategoryVirtualization%5Cb%29#Setting_up_bridge_networking

Between VM host, guests and the world

In order to let communications between host, guests and outside world, you may set up a bridge and as described at QEMU page. For example, you can modify the network configuration file /etc/network/interfaces to setup the ethernet interface eth0 to a bridge interface br0 similar as below. After the configuration, you can set using Bridge Interface br0 as the network connection in VM guest configuration.

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#make sure we don't get addresses on our raw device
iface eth0 inet manual
iface eth0 inet6 manual

#set up bridge and give it a static ip
auto br0
iface br0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    dns-nameservers 8.8.8.8

#allow autoconf for ipv6
iface br0 inet6 auto
    accept_ra 1

Once that is correctly configured, you should be able to use the bridge on new VM deployments with:

virt-install --network bridge=br0 [...]

Gabe
Re: [DNG] Assigning a specific subnet and address to a Devuan Beowulf Qemu guest
On Thu, 2021-02-18 at 05:30 -0500, Steve Litt wrote:
> 1) Is the following /etc/network/interfaces on the guest, or on the
> host?
> 2) If on the guest, do I need to have the "gateway" part of the br0
> iface be an address *other* than the gateway the host and rest of the
> LAN uses?
> 3) Is a TAP needed anywhere? Do I need to make provisions for it (and
> if so, where)
> 4) If the TAP is needed, do I have to make , or does the guest make
> the TAP and set it up?
>
> > auto lo
> > iface lo inet loopback
> >
> > # The primary network interface
> > auto eth0
> > #make sure we don't get addresses on our raw device
> > iface eth0 inet manual
> > iface eth0 inet6 manual
> >
> > #set up bridge and give it a static ip
> > auto br0
> > iface br0 inet static
> >     address 192.168.1.2
> >     netmask 255.255.255.0
> >     network 192.168.1.0
> >     broadcast 192.168.1.255
> >     gateway 192.168.1.1
> >     bridge_ports eth0
> >     bridge_stp off
> >     bridge_fd 0
> >     bridge_maxwait 0
> >     dns-nameservers 8.8.8.8
> >
> > #allow autoconf for ipv6
> > iface br0 inet6 auto
> >     accept_ra 1
> >
> > Once that is correctly configured, you should be able to use the
> > bridge on new VM deployments with:
> >
> > virt-install --network bridge=br0 [...]
>
> That last line looks like you're not using TAP at all. Is that true?
> What goes between the square brackets?
> Thanks,
> SteveT

I'm sorry for the confusion. That was not the guide I used. I did find the guide I used. It seems pretty straight forward, and I believe it clears up all the confusion and questions caused by my previous email.

https://www.debian.org/doc/manuals/debian-handbook/sect.virtualization.en.html#sect.lxc.network

12.2.2.2. Network Configuration

The goal of installing LXC is to set up virtual machines; while we could, of course, keep them isolated from the network, and only communicate with them via the filesystem, most use cases involve giving at least minimal network access to the containers. In the typical case, each container will get a virtual network interface, connected to the real network through a bridge. This virtual interface can be plugged either directly onto the host's physical network interface (in which case the container is directly on the network), or onto another virtual interface defined on the host (and the host can then filter or route traffic). In both cases, the bridge-utils package will be required.

The simple case is just a matter of editing /etc/network/interfaces, moving the configuration for the physical interface (for instance, eth0) to a bridge interface (usually br0), and configuring the link between them. For instance, if the network interface configuration file initially contains entries such as the following:

auto eth0
iface eth0 inet dhcp

They should be disabled and replaced with the following:

#auto eth0
#iface eth0 inet dhcp
auto br0
iface br0 inet dhcp
    bridge-ports eth0

The effect of this configuration will be similar to what would be obtained if the containers were machines plugged into the same physical network as the host. The "bridge" configuration manages the transit of Ethernet frames between all the bridged interfaces, which includes the physical eth0 as well as the interfaces defined for the containers.

In cases where this configuration cannot be used (for instance, if no public IP addresses can be assigned to the containers), a virtual tap interface will be created and connected to the bridge. The equivalent network topology then becomes that of a host with a second network card plugged into a separate switch, with the containers also plugged into that switch. The host must then act as a gateway for the containers if they are meant to communicate with the outside world.

Less important but possibly relevant or helpful info is that, although the guide above is for lxc, I don't use lxc but kvm, and the kvm install instructions link back to the lxc networking section on the same page. That's why I got confused and sent the wrong guide. I'll stop with the irrelevant stuff now lol. Glad to offer any more assistance or info I can.

Gabe
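The handbook procedure quoted above (and the KVM wiki stanza quoted earlier in the thread) both hinge on one detail: once eth0 becomes a port of br0, eth0 must stop configuring an address of its own, otherwise both interfaces try to get one. The following is an added check, not the handbook's or any poster's code: a POSIX shell function that reads an ifupdown-style interfaces file and returns non-zero if the bridge port still has a dhcp or static stanza. It accepts both the handbook's `bridge-ports` and the wiki's `bridge_ports` spelling. The sample files in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the handbook or the thread. Checks an ifupdown
# /etc/network/interfaces for the bridging mistake the quoted text warns
# about: the physical interface is listed as a bridge port but still has
# its own address configuration instead of being commented out or set to
# "inet manual".
#
#   check_bridge_config <file>
#     returns 0  bridge stanza present and its port carries no address
#     returns 1  port still has an "iface <port> inet dhcp|static" line
#     returns 2  no bridge-ports/bridge_ports line found at all
#
# Constructed sample that passes (the handbook's corrected form):
#   #auto eth0
#   #iface eth0 inet dhcp
#   auto br0
#   iface br0 inet dhcp
#       bridge-ports eth0
# Constructed sample that fails: same file with the two '#' removed.

check_bridge_config() {
    file="$1"
    # Port named by the first bridge-ports / bridge_ports line. awk splits
    # on whitespace, so the indented stanza option is $1; commented lines
    # have '#' glued to $1 and never match.
    port=$(awk '$1 == "bridge-ports" || $1 == "bridge_ports" { print $2; exit }' "$file")
    if [ -z "$port" ]; then
        echo "check: no bridge-ports line found in $file" >&2
        return 2
    fi
    # Address method of the port's own IPv4 stanza (dhcp, static, manual),
    # again skipping "#iface ..." lines.
    method=$(awk -v p="$port" \
        '$1 == "iface" && $2 == p && $3 == "inet" { print $4; exit }' "$file")
    case "$method" in
        ""|manual)
            # No stanza, or "inet manual": the port is address-less, as it
            # should be when br0 owns the address.
            return 0 ;;
        *)
            echo "check: $port is a bridge port but still has 'iface $port inet $method'" >&2
            return 1 ;;
    esac
}

# Usage: check_bridge_config /etc/network/interfaces
```

Running it against the host file from earlier in the thread (br0 with `bridge-ports eth0` and no eth0 stanza) returns 0; against the pre-bridge file, which has no bridge at all, it returns 2, which is the cue that the bridge stanza has not been written yet.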
Re: [DNG] How to turn off the firewall
On Mon, 2021-02-22 at 09:22 -1000, Joel Roth via Dng wrote:
> I use this to remove all rules:
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -t nat -F
> iptables -t mangle -F
> iptables -F
> iptables -X
>
> I can't speak for the provenance, but afterwards
> iptables -n -L, shows ACCEPT for INPUT, OUTPUT and FORWARD,
> with no other rules.
>
> --
> Joel Roth

I do similar. I purge any firewalls and use iptables exclusively. Steve, one thing that's definitely important is for the host to have -P FORWARD ACCEPT in order for the VM to receive traffic. This is of course because it's acting as a bridge or switch between the default gateway and the VM.

I second iptables-persistent. I feel more comfortable handling IPTABLES than learning a firewall that's going to use IPTABLES (or nftables, same thing pretty much) in the background.

Gabe
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 21:32 +0900, Olaf Meeuwissen via Dng wrote:
> Do not uncomment the #allow-hotplug eth0 line. Doing so leads
> to a delay when booting.

Just a note about the above, allow-hotplug eth0 seems to be necessary on your VM. As for the delay in booting, I've had that ever since setting up the bridge for the VM. The delay seems to be when it is setting up your bridge interface. Relevant to that, I've noticed that if I'm not connected to the network while booting (I use ethernet so it's real clear for me) networking doesn't work on my VM (if I recall correctly, networking was also not working on the host if I wasn't connected to a network upon boot).

My 2 cents on iptables is:

iptables -F

will flush your ruleset, setting it back to default open communications. If a firewall created other chains or rules, they may survive a flush until the firewall is removed and the machine rebooted.

iptables -S

will show your current ruleset. If you flushed your rules and there is no firewall that's created other chains, the output of this will usually be:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

I typically start with

iptables -P INPUT DROP
iptables -P FORWARD DROP
(Note, if this is set to DROP, you must have another rule in place to handle traffic that is forwarded directly to your VM. You can do so by allowing traffic to a specific destination IP)
iptables -P OUTPUT ACCEPT

Since we're dropping traffic on the INPUT chain, we need to ensure that we can accept traffic from connections we initiated, so we use this

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

An example of allowing traffic to a specific source IP is:

iptables -A INPUT -s 192.168.1.54/32 -j ACCEPT

Allowing traffic to a specific destination looks like this:

iptables -A OUTPUT -d 192.168.1.54/32 -j ACCEPT

Aside from that, you can set up any rule pertaining to a specific port, source IP, destination IP, range of source or destination IPs. The only thing I wish I could tack onto it would be to specify programs that are allowed or not allowed to communicate. I'm sure that's not easy though.

That should give you the basics but as you go along, a websearch for your specific question will yield results. Personally I don't do web searches on ***gle for various good reasons. I'm guessing I'm not alone. Some alternatives to that are:

startpage.com (uses ***gle search engine but provides a layer of anonymity between)
swisscows.com (requires javascript but claims to respect privacy)
duckduckgo.com (claims to offer anonymity but is hosted on amazon, so not sure how much they can backup their claim)

None of those are perfect, but at least they're not trying to take over the world like be evil alphabet soup.

Gabe
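The baseline described in this post, together with the point from the earlier "How to turn off the firewall" reply that a bridging host needs a FORWARD exception for its VM, as one added example (not code from either poster): a POSIX shell script that writes the ruleset in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, plus a lint that catches the two outage modes the thread mentions, INPUT DROP with no RELATED,ESTABLISHED rule (you lock yourself out of your own connections) and FORWARD DROP with no exception for the bridged VM (the VM gets no traffic). The VM address 192.168.1.75 and the trusted host 192.168.1.54 are the ones appearing in the thread; the `-s` FORWARD rule for the VM's own outbound frames is my addition, since the post only mentions the `-d` direction.

```shell
#!/bin/sh
# Added example, not code from the thread. Produces a baseline ruleset in
# iptables-restore format (what iptables-persistent keeps in
# /etc/iptables/rules.v4) and lints it for two common mistakes.
#
#   gen_rules <vm-ip> [<trusted-ip>]   prints the ruleset to stdout
#   lint_rules <file>                  returns 0 if the ruleset is sane
#
# Loading it for real would be:  gen_rules 192.168.1.75 | iptables-restore
# This script itself only produces and checks text; it never calls iptables.

gen_rules() {
    vm_ip="$1"
    trusted_ip="${2:-}"
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited inbound and forwarded/bridged
    # traffic, allow the host's own outbound traffic (as in the post).
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections the host itself initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Optional: unrestricted access from one trusted LAN host.
    if [ -n "$trusted_ip" ]; then
        printf '%s\n' "-A INPUT -s $trusted_ip/32 -j ACCEPT"
    fi
    # The host bridges frames for the VM; with FORWARD DROP those frames
    # need explicit exceptions. The post names the -d rule; the -s rule
    # (my assumption) lets the VM's own outbound traffic through as well.
    printf '%s\n' "-A FORWARD -d $vm_ip/32 -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $vm_ip/32 -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

lint_rules() {
    file="$1"
    # INPUT DROP without a conntrack accept rule: the host's own outbound
    # connections never get their replies back.
    if grep -q '^:INPUT DROP' "$file" \
       && ! grep -q -- '--ctstate RELATED,ESTABLISHED' "$file"; then
        echo "lint: INPUT policy DROP but no RELATED,ESTABLISHED accept rule" >&2
        return 1
    fi
    # FORWARD DROP with no ACCEPT at all: a bridged VM receives nothing.
    if grep -q '^:FORWARD DROP' "$file" \
       && ! grep -q '^-A FORWARD .* -j ACCEPT' "$file"; then
        echo "lint: FORWARD policy DROP with no exception for the bridged VM" >&2
        return 1
    fi
    return 0
}

# Usage: gen_rules 192.168.1.75 192.168.1.54 > rules.v4 && lint_rules rules.v4
```

Keeping the ruleset as a file and linting it before `iptables-restore` is also what makes the iptables-persistent approach from the thread reviewable: the file is the whole policy, and `iptables -S` after loading should show exactly these lines.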
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 16:00 +0200, Lars Noodén via Dng wrote:
> There is an awful lot of inertia for iptables, more than there was for
> ipchains, but iptables is rather difficult to learn and use. It has
> also been succeeded by nftables, which is where the development is
> happening. So even though Beowulf seems to come with iptables, I would
> recommend removing iptables and installing with nft.
>
> See:
>
> https://wiki.nftables.org/
>
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
>
> Furthermore, nftables keeps its configuration in a single file:
> /etc/nftables.conf which is then read on startup, once nftables is
> activated in sysvinit or openrc. Though it is very different, I find
> that nft makes a bit more sense. It is also supposed to be more
> efficient. YMMV.
>
> /Lars

If I understand correctly, the iptables cli that we use now is just a wrapper around nftables. The increased functionality of nftables is intriguing. The increased verbosity was a turnoff, but if it's necessary for increased functionality it's understandable.

Gabe
Re: [DNG] GNUPGP Web of trust
On Wed, 2021-02-24 at 15:23 +, g4sra via Dng wrote:
> I don't like the way SSL Certs are managed so that only leaves gpg.
>
> Recently had an issue with gpg which disturbed some grey cells and
> disrupted their slumber.
>
> I don't get out much (lockdown understatement) so my current 'web of
> trust' is zero and unlikely to expand anytime soon using the
> conventional method of exchanging keys down the pub. I am also aware
> that 'thinking' can be a dangerous pastime.
>
> Is there any mileage or interest in a Devuan web of trust where we
> can exchange keys ?
>
> I would be interested to hear from the more security knowledgeable
> members on the list as to whether this is even feasible.
>
> Knowing that something had been signed by the Devuan Community would
> earn more trust from me than anything signed by Red Hat, IBM,
> Google..ad infinitum.

I think it's a great idea. I believe I've seen some users attach their public key as part of their email signature on this list. I've thought also about linking to a 'personal home page' that has my public key on it but I'm not to that point yet.

Is it as simple as inviting anyone that wants to, to send their public key to this list? I'm not experienced in web of trust common/accepted practices but have been interested for some time.

Gabe
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 18:58 +0100, Adam Borowski wrote:
> On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
> > If I understand correctly, the iptables cli that we use now is just
> > a wrapper around nftables.
>
> Actually, there are two independent subsystems. They're managed by two
> userspace tools:
> * iptables-legacy
> * iptables-nft
>
> Rules set by one of them are not visible by the other. This may give a
> nasty surprise if some tool sets a rule some other way.
>
> /usr/sbin/iptables is an alternatives link to one of the two, you can
> check
> update-alternatives --display iptables
> to see which subsystem you're using by default.
>
>
> Meow!

Interesting, so I just checked and when I call iptables, that calls /usr/sbin/iptables, which calls /etc/alternatives/iptables, which calls /usr/sbin/iptables-nft.

Gabe
Re: [DNG] GNUPGP Web of trust
I obviously haven't done enough reading lol. Thanks for the link.

On Fri, 2021-02-26 at 22:06 +, Simon Hobson wrote:
> Gabe Stanton via Dng wrote:
>
> > Is it as simple as inviting anyone that wants to, to send their
> > public key to this list? I'm not experienced in web of trust
> > common/accepted practices but have been interested for some time.
>
> No, it's not that simple !
>
> Try this for starters : https://en.wikipedia.org/wiki/Web_of_trust
>
> Simon
Re: [DNG] Any interest in a Devuan Meetup in Colorado Springs or Denver? (was "GNUPGP Web of trust")
On Sun, 2021-02-28 at 17:29 +0200, Dimitris via Dng wrote:
> haven't been in any online key signing parties, only a handful of
> physical ones so far (makes more sense seeing/confirming/trusting in
> person...). but all that, pre-covid...
> to work around the pandemic somehow, i'd probably start with
> git.devuan.org. lots of authenticated devuan devs and users there,
> with some gpg keys already available..
>
> jitsi meetings/online pads as public links, break the whole "trust"
> thing.. how do you confirm any visitor there?
>
> a few more links :
>
> - cryptoparty.in is a helpful resource in organizing :
> https://www.cryptoparty.in/organize/howto
>
> - signing-party package
> (https://salsa.debian.org/signing-party-team/signing-party), contains
> tools to assist in OpenGPG signing parties
>
> 2c,
> d

Thanks Dimitris. After looking at the links, and considering your input, it seems like localized devuan groups/events are a real good start to a web of trust, which I've been thinking about recently.

I'm guessing we devuaners are spread far and wide... but I'm in Colorado. I'd be interested in setting up or joining a general meetup in Colorado Springs or Denver if there was any interest, even one person. I even happen to know a good burger joint or two that do not require masks if that would appeal to anyone, but they're not in Denver or Springs.

I'm a newb at any type of linux meetup, web of trust or otherwise, in case that's not obvious. But, if anyone is in the area and wants to meetup, talk about Devuan and get to know each other, I'm interested.

Gabe
Re: [DNG] Very offtopic: 70's music
On Thu, 2021-03-04 at 16:51 +0200, Dimitris via Dng wrote:
> in anycase disco would be last on my list of 70s music :P

not even a little redneck disco?

https://www.youtube.com/watch?v=LaK3a44BghU

I admit it's from the 80's but it's still a sweet song. I tend to agree about 70's music, it's what I've listened to the most. Others include of course Pink Floyd, Steppenwolf, Janis Joplin, The Doors...so many to name.

Disclaimer: I'm aware of the hypocrisy of posting a youtube link considering my stance against google. I'll find better ways in the future. It's not on bitchute though and this is a quick way to share. I doubt attaching a mp3 file would fly, I'll have to check the list rules but I have a feeling it's no bueno.

Gabe
Re: [DNG] Very offtopic: 70's music
On Thu, 2021-03-04 at 19:41 +0200, Dimitris via Dng wrote:
> check out invidio.us, but even better help out with peertube, an
> alternative p2p platform ;-)

I'll check them out, thanks!
Re: [DNG] Very offtopic: 70's music
On Thu, 2021-03-04 at 19:31 -0500, Steve Litt wrote:
> > check out invidio.us, but even better help out with peertube, an
> > alternative p2p platform ;-)
>
> Oh Oh: "As of September 1st 2020, invidio.us has closed down. To see
> this content, please select another instance, or visit directly on
> YouTube."

Peertube.live is having issues as well. At first I got an expired certificate error, and then I started getting "Error 503 Backend fetch failed"
Re: [DNG] Any interest in a Devuan Meetup in Colorado Springs or Denver? (was "GNUPGP Web of trust")
On Thu, 2021-03-04 at 18:47 -0500, Steve Litt wrote:
> Hi Gabe,
>
> Could you please be explicit about what you mean by "meetup"? If you
> mean something organized by meetup.com, then you're talking about
> something where you have to sign an indemnification agreement, and at
> least to some extent use meetup.com's communication facilities, and
> get a lot of looky-lous.
>
> If you mean meetings without use of meetup.com, it would probably be
> more explicit to call it a "meeting".
>
> From my point of view, meetup.com has inserted itself into LUG
> operations as an unneeded middle man for LUGs without an effective
> publicity officer.

Hi Steve,

Definitely a regular ol' meet n greet, no third parties involved. I'm not much aware of meetup.com, might have heard of it, but my reaction would be same as yours, no need for third parties to organize a meetup or meeting or whatever.

> Anyway, I'm 1500 miles away from Denver, but if it's a meeting and
> not a "meetup", I'd like to attend via Jitsi.

This is incentive for me to take another crack at getting a jitsi instance running. It will probably take me a couple months to get one working since time is limited and there are many things higher on the priorities list, but I'll work on that and get back to the list when I have that running. Once that's running I'll gauge interest again. The smaller the group the less formal it's likely to be.

Gabe
Re: [DNG] Any interest in a Devuan Meetup in Colorado Springs or Denver? (was "GNUPGP Web of trust")
On Thu, 2021-03-04 at 18:54 -0800, Rick Moen wrote:
> Here are my (raw, and I stress, _raw_) notes from setting up Jitsi
> Meet (on Amazon EC2, on Debian 10) in a tearing hurry for the 2020
> World Science Fiction Convention (the '2020 Worldcon'), which was
> forced by the exploding pandemic to suddenly convert itself into a
> virtual event, instead of being in Wellington, NZ:
> http://linuxmafia.com/~rick/jitsi.txt

Awesome, thanks Rick!

> Here's the 2020 Worldcon's (CoNZealand's) Web site.
> https://conzealand.nz/
>
> The Worldcon is an all-volunteer-run, all-volunteer-staffed literary
> science fiction convention held annually somewhere on planet Earth
> (so far ;-> ). Usual attendance is about 3000 people who fly in from
> everywhere. A big Worldcon, like London's in 2014, is about 8000
> in-person attendees.

Sounds wonderful and up my alley :). Checking that out for sure.

> My instance of Jitsi Meet had no performance problems whatsoever for
> the usage CoNZealand made -- though I was prepared to spin up more
> instances of Jitsi Videobridge2 if necessary to share the load.
> Honestly, once I stopped making a couple of dumb mistakes in site
> configuration (preserved in my raw notes), it was pretty darned easy
> to configure.
>
> There are sundry site-admin customisations that can be done, which I
> didn't fully cover in my notes, but aren't that hard to find, and I
> might even be able to refresh my memory about those if you need to
> ask.
>
> As you might gather from my notes, I got directives from above that
> changed during the project about whether to try to shim in an oauth2
> authentication layer (non-default) and then whether or not to
> configure an operating mode where only a list of people (staff) with
> prearranged admin credentials were permitted to create Jitsi Meet
> rooms. The eventual deployment did not include the latter security
> controls -- making it work pretty much like meet.jit.si . However,
> those security controls weren't difficult to do if desired.

Interesting, I might try one or both of those.

> Before any asks: No, I didn't do that on Devuan because I was in a
> huge hurry and had a known-good Amazon EC2 AMI of Debian 10 at my
> disposal. I expect that my setup instructions will work just great
> on Devuan.

I'll be installing on Devuan, likely Beowulf. I'll take notes about anything specific to Devuan or my install and pass them back to the list as well.

Thanks again!

Gabe
Re: [DNG] Any interest in a Devuan Meetup in Colorado Springs or Denver? (was "GNUPGP Web of trust")
On Fri, 2021-03-05 at 07:05 -0500, Steve Litt wrote:
> Hi Gabe,
>
> I'm also going to try to get a Jitsi-centric VM running. But you
> needn't wait to install Jitsi on your own computer to enjoy Jitsi.
> For over a year, GoLUG (my local LUG) has met at
> https://meet.jit.si/golug, with pretty good success. Also, in
> December, I taught a 2 day class over Jitsi. It worked great, and all
> the students liked the course.
>
> So while a home-grown installation is all of our goal, until then,
> anything on meet.jit.si works pretty darn well, as long as your
> browser is Chromium if you're on Linux.

Hey Steve,

I've been hesitant to use meet.jit.si for privacy reasons, but 8x8's business model and practices are pretty convincing signs that they'd take privacy seriously, and of course their privacy policy is pretty good. I need to do some testing to see if firefox will work for me. I have to re-enable mic and cam as well and test those out, hopefully no problems there and take the tape off the cam lol. If firefox doesn't work I can install chromium somewhere and go that route.

Then the question becomes, anyone else interested? If so, we could set a date a little further back maybe on a Sunday afternoon and come up with some topics and a timeline of events just to make sure things don't go stale, but otherwise take a pretty loose and informal approach. If it's just you and me, Steve, like I mentioned before, informal is good for me if it's good for you, and maybe a Sunday afternoon soon? Mine are or can be open for the foreseeable future...

Gabe
Re: [DNG] apparmor? (was Re: What does this remind you of?)
On Sun, 2021-03-07 at 19:39 +0100, al3xu5 wrote:
> Maybe it was installed by default or maybe I had installed it ages
> ago and it has remained over time, a dist-upgrade after the other.
>
> So, I would like your advice: is there any sense that I keep it on
> the system? Or can I do without quietly?

For me, apparmor came with the upgrade to beowulf. I had some problem with it, I think it was killing an application that I use. After searching around on the web, I decided to just try apt purge apparmor. I did that 6 or 8 months ago or so and didn't have any issues.

Although, apparmor is reinstalled with upgrades based on my experience. It's back on my machine now actually and has been for a month or so. I'll purge it again but since it was reinstalled I've been curious if it will start causing me problems again, so I've left it so far.

Gabe
Re: [DNG] web conferencing software (was Re: Any interest in a Devuan Meetup in Colorado Springs or Denver?)
On Mon, 2021-03-08 at 10:08 +0200, Dimitris via Dng wrote:
> On 8/3/21 12:29 a.m., Rick Moen wrote:
> > Leaving aside my being disappointed about people willingly outsourcing
> > their recursive DNS to the second-nosiest company on the planet[1]
>
> +1.1.1.1 ... don't forget cloudflare bullies..
>
> but i do forward local queries to opennic (w/ dnscrypt) and a couple
> more trusted sources.. eg. libreops.cc offer a public resolver and
> another DoT/DoH & i do also forward to tor-resolve occasionally...
>
> so, i would be interested to know, if there's a privacy issue with
> opennic?
> leaving the overlord (=icann) aside, seems like a good idea to me..

I wonder the same thing. I guess what appeals to me about opennic is that they address some of the problems with the way dns is handled elsewhere. Of course running your own dns server is optimal. But it doesn't do a better job to address privacy, and it doesn't make dns into a community issue like opennic is trying to do.

As a dns server operator, with opennic you also get the opportunity to invite other anonymous (to you) people to share your dns server, thus pooling your dns queries, which can be good for privacy.

If you're not running your own dns server when using opennic, you're relying on the truthfulness of the dns server operator when they checked or didn't check the flags indicating if they keep logs. That's obviously not a very trustworthy indication, but it's nice that they're addressing privacy right up front.

I don't know of anyone trying to do what opennic is trying to do. Are there competing ideas in the realm of dns communities?

In the absence of a "community of dns server operators and users", is the optimal option to have everyone run their own recursive server? But then the upstream servers still get the birds-eye view and will very likely abuse that information like the big companies do now.

I don't mean just to defend opennic, if there are competing or better ideas out there, that would be good to know. I'm just throwing out my 2 cents on the matter.

Gabe
Re: [DNG] web conferencing software (was Re: Any interest in a Devuan Meetup in Colorado Springs or Denver?)
On Mon, 2021-03-08 at 06:40 -0700, Gabe Stanton via Dng wrote:
> On Mon, 2021-03-08 at 10:08 +0200, Dimitris via Dng wrote:
> > On 8/3/21 12:29 a.m., Rick Moen wrote:
> > > Leaving aside my being disappointed about people willingly outsourcing
> > > their recursive DNS to the second-nosiest company on the planet[1]
> >
> > +1.1.1.1 ... don't forget cloudflare bullies..
> >
> > but i do forward local queries to opennic (w/ dnscrypt) and a couple
> > more trusted sources.. eg. libreops.cc offer a public resolver and
> > another DoT/DoH & i do also forward to tor-resolve occasionally...
> >
> > so, i would be interested to know, if there's a privacy issue with
> > opennic?
> > leaving the overlord (=icann) aside, seems like a good idea to me..
>
> I wonder the same thing. I guess what appeals to me about opennic is
> that they address some of the problems with the way dns is handled
> elsewhere. Of course running your own dns server is optimal. But it
> doesn't do a better job to address privacy, and it doesn't make dns
> into a community issue like opennic is trying to do.
> As a dns server operator, with opennic you also get the opportunity to
> invite other anonymous (to you) people to share your dns server, thus
> pooling your dns queries, which can be good for privacy.
>
> If you're not running your own dns server when using opennic, you're
> relying on the truthfulness of the dns server operator when they
> checked or didn't check the flags indicating if they keep logs. That's
> obviously not a very trustworthy indication, but it's nice that they're
> addressing privacy right up front.
>
> I don't know of anyone trying to do what opennic is trying to do. Are
> there competing ideas in the realm of dns communities?
>
> In the absence of a "community of dns server operators and users", is
> the optimal option to have everyone run their own recursive server? But
> then the upstream servers still get the birds-eye view and will very
> likely abuse that information like the big companies do now.
>
> I don't mean just to defend opennic, if there are competing or better
> ideas out there, that would be good to know. I'm just throwing out my 2
> cents on the matter.

Oh, and one more thing since you mentioned icann, one thing to note is that opennic also has their own tld system, independent of icann. As a community of operators, they can do that. Of course no one can access their tld's without pointing to an opennic server. Their main one is .glue but they continue to add them. Anyway, having their own tld's is another thing they're doing right in my opinion. If they don't end up being the best solution to the problem, I feel like they're leading the way.

Of course the independent tld system is potentially problematic, but centralized icann is also a problem, so we should be looking for solutions and innovative ideas.

Gabe
Re: [DNG] Opennic - (was: web conferencing software (was: something else))
Redirecting this thread back to the list. See below q and a between Steve and me.

On Mon, 2021-03-08 at 09:16 -0500, Steve Litt wrote:
> On Mon, 2021-03-08 at 06:40 -0700, Gabe Stanton via Dng wrote:
> > Oh, and one more thing since you mentioned icann, one thing to note is
> > that opennic also has their own tld system, independent of icann. As a
> > community of operators, they can do that. Of course no one can access
> > their tld's without pointing to an opennic server. Their main one is
> > .glue but they continue to add them. Anyway, having their own tld's is
> > another thing they're doing right in my opinion. If they don't end up
> > being the best solution to the problem, I feel like they're leading the
> > way.
>
> Wait a minute. This could be cool.
> Do opennic TLDs conflict with icann's, or are they different?

They're different for now, but if I understand correctly there is a company in the domain name arena that has requested, and I believe they got, a tld from icann that already exists on opennic, thus creating the inevitable conflict. It'll be interesting to see how that plays out, but I like the approach opennic is taking, that of not asking permission.

Edit: I've since found the email thread discussing the company which is selling domains on tld's that opennic also uses. The company is called Epik. The situation is interesting and could potentially set precedents for how independent dns communities, or anyone that doesn't cede all domain authority to icann, deals with icann and/or the companies that may cause conflict. The beginning of the thread is here.
https://lists.opennicproject.org/sympa/arc/discuss/2020-04/msg2.html

> If they are different, couldn't I just add some of opennic's root
> servers to my Unbound root server file, so I can get the TLDs from
> either? How cool would that be?

Yep you could do that. Opennic's servers serve their own tld's as well as icann's of course.

Gabe
Re: [DNG] I kinda sorta got opennic DNS working
On Mon, 2021-03-08 at 10:34 -0500, Steve Litt wrote:
> Hi all,
>
> When I added four opennic root servers to my unbound's root.hints, I
> couldn't resolve grep.geek on my unbound server at 192.168.0.102, even
> though I could resolve it from the opennic root servers.
>
> Then I commented out all the icann root servers, restarted, and now I
> can resolve grep.geek as well as a bunch of .com and .org domains.
>
> I'd really like to have both icann and opennic root servers in my
> root.hints. Does anybody know a way to do that without the opennic root
> servers being sabotaged?

Is Unbound set to round-robin through your listed root servers? I wouldn't think it would query more than one of your root servers for one request. Maybe when you didn't get .geek that was because it hit a non-opennic server that time.

Gabe
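An added configuration example for Steve's question above; it is not from the thread and not OpenNIC's or Unbound's own documentation. The behaviour it works around is root priming: Unbound uses root.hints only to ask one listed address for the `. NS` set and then trusts that answer as the root, so a hints file mixing ICANN and OpenNIC addresses behaves like whichever root answered priming (an ICANN root denies `.geek`, an OpenNIC root serves both namespaces, which matches what Steve saw). Rather than mixing hints, keep the stock ICANN hints and declare each OpenNIC TLD as a stub zone. The TLD names come from the thread (`.geek`, `.glue`); the 203.0.113.x addresses are documentation placeholders, not real OpenNIC servers, and the file path is the Debian default.

```conf
# /etc/unbound/unbound.conf.d/opennic-tlds.conf  (added example, not from the thread)
#
# Keep the ICANN root hints for the public namespace. Do NOT add OpenNIC
# addresses here: Unbound primes the root from one of these servers and
# then uses that server's ". NS" answer, so a mixed list is a coin toss.
server:
    root-hints: "/usr/share/dns/root.hints"

    # The signed ICANN root can prove that "geek." and "glue." do not
    # exist, so a validating Unbound may refuse answers for them as bogus.
    # Marking the alternate TLDs insecure makes the validator skip them
    # (the rest of the namespace stays DNSSEC-validated).
    domain-insecure: "geek"
    domain-insecure: "glue"

# One stub-zone per OpenNIC TLD, pointed at the nameservers that are
# authoritative for that TLD. Placeholder addresses: replace them with the
# output of   dig +norecurse NS geek. @<an OpenNIC root server>
stub-zone:
    name: "geek"
    stub-addr: 203.0.113.10     # placeholder, not a real OpenNIC server
    stub-addr: 203.0.113.11     # placeholder
    stub-prime: yes             # refresh the NS set from the zone itself

stub-zone:
    name: "glue"
    stub-addr: 203.0.113.10     # placeholder
    stub-addr: 203.0.113.11     # placeholder
    stub-prime: yes
```

Check the file with `unbound-checkconf`, reload, and confirm that `dig grep.geek @127.0.0.1` answers while `dig example.com @127.0.0.1` still comes back validated (AD flag, if you have a trust anchor). A `forward-zone` for the same names pointing at an OpenNIC public recursive resolver would also work, but it hands those lookups to a third party, which is the outsourcing the rest of this thread argues against; the stub-zone form keeps recursion local and only talks to the authoritative servers, the same way the ICANN TLDs are handled.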
Re: [DNG] Opennic
On Tue, 2021-03-09 at 22:26 -0800, Rick Moen wrote:
> Quoting Gabe Stanton via Dng (dng@lists.dyne.org):
>
> > In the absence of a "community of dns server operators and users", is
> > the optimal option to have everyone run their own recursive server? But
> > then the upstream servers still get the birds-eye view and will very
> > likely abuse that information like the big companies do now.
>
> Please pardon my being blunt, but I don't think you have a realistic
> understanding of how typical patterns of authoritative nameservice data
> and caching work. I rather suspect you haven't stopped to think about
> that.

Of course using a local (or controlled by you) caching dns resolver ENHANCES privacy. That's not even a question and doesn't represent a real argument against the likelihood that, in the case of everyone running their own caching resolver, that second level nameservers would end up being a very good source of info to match dns requests to ip addresses, to be exploited just as any other big dns provider is likely to do. I'm open to any information you have that suggests sld nameservers can never be exploited the way that google dns or cloudflare dns or any other big dns provider have been exploited.

> Let's say I run a local recursive DNS nameserver on my local LAN for use
> by my and all other local hosts. For the sake of discussion, let us
> assume that it has what is misleadingly called an 'ICANN' root hints
> file.
>
> At service startup time, the instance starts getting and caching TLD,
> SLD, etc. authoritative data and caching it for the duration of TTLs.
> Right, now, kindly tell me where on the planet is the network node that
> provides a "birds-eye view" of query traffic processed by my recursive
> server? The root nameservers? Nope, not hardly. All they have is the
> hits where my nameserver followed the RD-bit-marked queries to find
> various TLD nameservers. TLD zones' nameservers? Nope, not hardly.
> They have only analogous logfile data when my nameserver first located
> and then cached information about SLD nameservers.

Right here. The SLD nameservers. Sure you're caching it, but you have to get that data at some point. SLD nameservers are the ones that can match the public IP of your resolver to the domains you request. This seems an obvious target if everyone starts cutting out the middle man. Regardless of whether that data is abused right now, if everyone started getting dns data directly from root servers, they would be the target.

> In fact, the very fact that I am operating a recursive nameserver means
> that I have greatly impoverished every possible spying vantage point.

If everyone ran their own caching resolver, the same parties exploiting dns now would go to the second and third level nameservers to get the data on who visits what site. It's too valuable to be left alone. Do you think the people seeking that data would just give up on everyone's data at that point? I don't think so. You're only safe now taking that approach because you're a minority, and the data of the majority is easy to get.

> The best of the bad choices in places to spy on my network's port-53
> activity is thus right on the far side of my network uplink, at my local
> bandwidth provider. And, even there, because of pervasive caching, even
> my uplink has extremely poor data about what the machines on my local
> LAN are looking up.
>
> Ideally, one has a contractual relationship with a reputable good
> provider who looks after customer interests in accordance to local
> business practices and law, such as (to cite the USA local legal
> concept) the implied covenant of good faith and fair dealing. However,
> that contract concept is (naturally) not a shield for privacy but rather
> a cudgel to wield in civil litigation, so the best thing to do is to
> limit what your immediate uplink can learn about your network traffic.
> Various crypto schemes help limit that data, but -- my point -- so does
> operating a local recursive nameserver, rather than outsourcing to
> -anyone- on the other side of the uplink.

You made a case for another possibly good alternative for dns providers as opposed to opennic, but I didn't hear any rebuttal to any of my arguments in their favor. Your suggestion of a contractual relationship with a dns provider has its good points, but also its bad points. You still have to trust the provider, and you have to trust their security model to also ensure your privacy. Hacking is also a convenient excuse for unethical companies.

So, here are the good points about opennic.
1. they are a c
Re: [DNG] web conferencing software (was Re: Any interest in a Devuan Meetup in Colorado Springs or Denver?)
On Tue, 2021-03-09 at 22:07 -0800, Rick Moen wrote:
> Quoting Dimitris via Dng (dng@lists.dyne.org):
>
> > so, i would be interested to know, if there's a privacy issue with
> > opennic?
>
> I have no problem with people who decide to adopt alternate roots.
>
> What I was talking about upthread was outsourcing one's recursive
> nameservice to OpenNIC's public recursive nameserver IPs, or any other
> stranger's. Because, well, why? Recursive service is dead-easy to do
> with one's local computing resources, protecting one's autonomy,
> security, performance, and privacy just that tiny bit more.

I agree actually. I run my own recursive nameserver (bind9) that points to opennic's root servers. I don't share it with opennic yet because I have yet to get doh and/or dot set up. I got started on it but it had to take a back seat for a while. I've also been keeping logs for my own purposes and want to not keep logs when I advertise it on openvpn.
Re: [DNG] Opennic
On Wed, 2021-03-10 at 20:04 -0800, Rick Moen wrote:
> Quoting Gabe Stanton via Dng (dng@lists.dyne.org):
>
> > Of course using a local (or controlled by you) caching dns resolver
> > ENHANCES privacy.
>
> You really should have stopped there.
>
> > That's not even a question and doesn't represent a
> > real argument against the likelihood that, in the case of everyone
> > running their own caching resolver, that second level nameservers would
> > end up being a very good source of info to match dns requests to ip
> > addresses, to be exploited just as any other big dns provider is likely
> > to do.
>
> Again, I get the impression, to be blunt, that you don't have a
> realistic understanding of how typical patterns of authoritative
> nameservice data and caching work. Spend some time logging and
> studying your recursive nameserver's traffic to TLD nameservers given
> caching and try to estimate how revealing that data is.

Rick, feel free to stop reading and feel free to not respond. That's your right, it's all up to you from here. If you read on and respond, I don't want to hear anything more about wasting anyone's time. If you want to respond with something snarky just keep it to yourself.

Domain name + requesting IP address, that's all I need to know to have valuable data.

I'll be blunt as well. I think this argument is a strawman because you lumped opennic in with other dns providers and dismissed them, and I called out the differences. Did you not know that they also encourage people to run their own nameservers? You did not go in depth in your dismissal, I went in depth in my rebuttal and you haven't done anything to rebut my arguments but make vague comments and be insulting.

I take the view that if everyone ran their own caching resolver or otherwise stopped using the big dns providers, that those people would do anything they can to get that data. That's not hard to understand or imagine I'm sure.

> You seem to think "very revealing". In which case, plainly there is no
> basis for further discussion, and I wish you good luck in your further
> endeavours.
>
> > I'm open to any information you have [...]
>
> Nope.
>
> You'll need to chew up someone else's time.

Hahaha you can read or not. You can respond or not. I don't control your time, as you mention below. So stop complaining about how you spend your own time.

> > You made a case for another possibly good alternative for dns providers
> > as opposed to opennic
>
> That's not what I said.

Uh okay. Here's the quote. If you weren't talking about a hypothetical alternative dns provider here, then I'm not the only one here that's confused.

"Ideally, one has a contractual relationship with a reputable good provider who looks after customer interests in accordance to local business practices and law, such as (to cite the USA local legal concept) the implied covenant of good faith and fair dealing. However, that contract concept is (naturally) not a shield for privacy but rather a cudgel to wield in civil litigation, so the best thing to do is to limit what your immediate uplink can learn about your network traffic. Various crypto schemes help limit that data, but -- my point -- so does operating a local recursive nameserver, rather than outsourcing to -anyone- on the other side of the uplink."

> > ...but I didn't hear any rebuttal to any of my
> > arguments in their favor.
>
> I'm sorry, but (1) I don't work for you, and (2) I clarified that
> _all_ I said was that outsourcing recursive DNS to OpenNIC recursive
> servers was a bad idea for the same reason outsourcing it to anyone else
> is.
>
> You ignored that,

You lumped opennic in with cisco, google, and various others is what you did. I didn't ignore it, I chose to defend opennic and point out why they're different, and I pointed out that they encourage people to run their own servers. I made good and valid points. And you set up a strawman in response and are now complaining about wasting time.

> and are now wasting your time and mine. I am ending that.

Again, you control what you do. Take responsibility for it.

> > So, here are the good points about opennic.
>
> Irrelevant to what I said.

You lumped them in with others who are entirely different, and I pointed out how they're different and better, and you ignore everything good I said about them.

> Which fact you are ignoring, and thus wasting my and everyone else's
> time. I am ending (at least) the former.

Totally agree, trying to explain to you the difference between opennic and other dns providers was a waste of time. And apparently, trying to convince you that running a caching dns resolver isn't a long-term privacy guarantee, is also a waste of time.

Gabe
Re: [DNG] Opennic
On Thu, 2021-03-11 at 13:14 +0000, Simon Hobson wrote:
> Gabe Stanton via Dng wrote:
>
> > Of course using a local (or controlled by you) caching dns resolver
> > ENHANCES privacy. That's not even a question and doesn't represent a
> > real argument against the likelihood that, in the case of everyone
> > running their own caching resolver, that second level nameservers would
> > end up being a very good source of info to match dns requests to ip
> > addresses, to be exploited just as any other big dns provider is likely
> > to do.
>
> I think you missed that if you use an external service for resolution,
> then **ALL** your queries go via one point - so there's a single point
> someone can slurp that information from. Obviously, the inclination to
> slurp that data and use it in ways we aren't happy with will vary
> between providers.

You're right that I didn't address the fact that queries to root servers don't all go to one server. My understanding of that wasn't firm when I was writing so I said 'upstream server'. But that would be a small hurdle to overcome if everyone started protecting their dns queries by running a caching resolver, because of the financial incentive for doing so. The collusion it would take to exploit all exploitable data would be minimal.

I'm reminded of cloudflare and mozilla working together to send dns queries to cloudflare, of course it came with a media campaign about their using doh or dot to increase privacy, all the while ignoring the fact that they're sending your dns queries to cloudflare. That type of collusion would just move upstream if you cut out the middlemen, the big dns providers of today.

> Once you run your own local resolver then important things happen.
>
> The queries are now not concentrated at one point.
>
> Yes, you are correct that if you visit (e.g.) www.amazon.com, then your
> local resolver will go to the .com tld servers to find the NS records
> for amazon.com - but it will only do that once every 2 days and so the
> .com tld servers will only see ONE query every two days regardless of
> how often you visit anything in the amazon.com domain. The fact that
> the frequency information is vastly diluted significantly reduces the
> value of that information.

But if everyone in the world was using a caching resolver, would not the value of that little information increase and be a target for people with the same leanings as google, cisco, cloudflare etc? That was my original point, the game changes significantly when the behavior of the masses changes, and I think another good strategy to rely on is the decentralized community model to help us fight data aggregators, and the implementation of that model with regards to dns in opennic is pretty good.

> Also, the .com tld servers will have ZERO visibility of you visiting
> www.amazon.ch (or in my case, amazon.co.uk) because no query for that
> will go near them.
> Similarly, once your resolver has the amazon. ns records cached, nothing
> other than those nameservers will see whether you switch from (say)
> www.amazon.whatever to smile.amazon.whatever.
> So to gather even a fraction of what you can get from clients using one
> source for a resolver, someone would need to get information from
> multiple different sources - run by different entities. Once anyone
> tried that, then it's a lot harder for them to hide what they are doing
> - if some commercial entity were to go round asking various tld server
> operators for data, then it's highly likely that at least one of them
> would go public with this information.
> Because different domains use different servers, without getting data
> from many sources, no-one can correlate your DNS lookups to work out
> your path around the internet. They may be able to get snippets of it,
> but not the detail they'd get by seeing all your queries and being able
> to time correlate them.
>
> As already mentioned, what information you do leak is limited in
> volume.
> Once your resolver has cached information, it will not go upstream to
> request it again until its TTL expires. So regardless of how frequently
> you go somewhere, upstream will only see a small volume of that.

Those are great arguments for running a caching resolver, and of course that's a good thing, but there are a couple cases I outlined that potentially offer better privacy.
1. Running your own recursive server where your dns requests are pooled with others.
2. Pointing at a single resolver that doesn't keep logs and where your dns requests are pooled. Of course you never know what logs are being kept for sure, but if operators are honest and don't keep logs, and if the
Re: [DNG] Opennic
On Thu, 2021-03-11 at 17:10 +0000, Simon Hobson wrote:
> Gabe Stanton via Dng wrote:
>
> > You're right that I didn't address the fact that queries to root
> > servers don't all go to one server. My understanding of that wasn't
> > firm when I was writing so I said 'upstream server'. But that would be
> > a small hurdle to overcome if everyone started protecting their dns
> > queries by running a caching resolver, because of the financial
> > incentive for doing so. The collusion it would take to exploit all
> > exploitable data would be minimal.
>
> I beg to differ. It would need a great deal of collusion (at least for
> the root servers), involving a variety of entities from around the world
> - and it only takes one of them to blow the whistle. If anyone tried
> it, it would kick up quite a storm. At the very least, it is not
> something that could be done without anyone realising.

I'm not at all saying it would have to be done without anyone realizing, and again, my point has always been in the case that everyone runs their own resolver (caching or not). In that scenario, a lot of things would change. And in that scenario, the obvious place to go to get what data there is to be gotten, is upstream of the user, same as it is now.

> > Those are great arguments for running a caching resolver, and of
> > course that's a good thing, but there are a couple cases I outlined
> > that potentially offer better privacy.
> > 1. Running your own recursive server where your dns requests are pooled
> > with others.
> > 2. Pointing at a single resolver that doesn't keep logs and where your
> > dns requests are pooled. Of course you never know what logs are being
> > kept for sure, but if operators are honest and don't keep logs, and if
> > they run doh, dot, or dnscrypt, then you have potentially better
> > privacy because of no logs and pooled requests.
>
> It occurred to me (after writing my previous message) that one option
> open to you is to get together with a few friends and share a resolver
> that's under your own control. You could turn off query logging and
> then know that there's no logs for anyone to look at. The difficult bit
> is getting enough people together who all trust each other such that
> you can pool enough queries as to make any data collected by others
> into useless noise.

Opennic is just an imperfect implementation of this exactly. I would bet you anything that's exactly how it started out. And I bet there are a core of people that know each other and trust each other, and I would be willing to bet there are some interesting innovations within that group to further increase privacy. It seems a natural enough evolution of things.

> But also as mentioned earlier, none of this deals with the eavesdropper
> problem. Your ISP can look at all your DNS queries just by filtering
> out all port 53 traffic and copying it to their logging servers. I
> suspect in some jurisdictions that's done because "the authorities say
> so", and I'm sure that some will be doing it because the law doesn't
> stop them and it's something they can monetise. As Rick Moen says, the
> only defence against that is to deal with an ISP that isn't run by
> sleaze balls.

Oh so that's what he was talking about. Do they exist? Also, all you can do is believe their claim not to be sleaze balls, unless, as you mentioned about the dns situation, you know the operators of your service all personally. Even then, as I mentioned, hacking is a convenient excuse for unethical companies. If you had a contract that allowed you to sue in the event of a security breach, that would mitigate that risk some.

> And that problem was behind the development of DoH - which simply
> replaces one problem of trust with a different problem of trust !

Of course, but that's a whole other argument, and in any case would require collusion or a party to go to the cert issuer to get the cert to decrypt the traffic. Apparently there's even dns over ssh that looks interesting, but is not perfect either, but it would seem to address the trust-model problems with DoH.

Gabe