IRC Logs for #crux-devel Friday, 2012-11-30

[00:32] *** Roooomster has quit IRC
[01:44] *** prologic has quit IRC
[01:44] *** prologic has joined #crux-devel
[01:56] <jue> jaeger: yeah, good point, will remove the port
[02:01] <frinnst> i know i've asked before, but what was it used for? I cant remember :)
[02:06] <jue> it's a long time ago we really need it for the transition from gcc 3.x to 4.x
[02:07] <jue> or was it for 2.x to 3.x?
[02:10] <jue> libstdc++.so.5.0.6 is a lib from crux itself, both others are from RH or something like that, as Per told me at that time
[02:15] <jue> libstdc++.so.5.0.6 is obviously from gcc 3.x, we are now at libstdc++.so.6.0.17
[02:27] *** Romster has quit IRC
[02:43] <frinnst> time flies :)
[02:50] *** Romster has joined #crux-devel
[02:53] *** mike_k has joined #crux-devel
[03:46] *** Romster has quit IRC
[04:01] *** Romster has joined #crux-devel
[04:01] *** Romster has joined #crux-devel
[10:09] <jaeger> we should probably add an official ca-certificates port
[10:13] <jue> you mean the one from mozilla?
[10:15] <jaeger> I have no idea which one, whatever works properly
[10:15] <jaeger> I haven't messed with it, myself
[10:19] <jue> well, it's the one firefox is using too, so it should be fine
[10:20] <jue> but I'm a crypt dummy, so don't take me serious here ;)
[10:22] <teK_> firefox et al. include a *lot* of dubious and crappy CAs :\
[10:23] <jue> teK_: and now?
[10:24] <teK_> there's no metric as to when a CA is not dubious so I'll shut up
[10:24] <jue> lol :)
[10:25] <teK_> 1~/c
[10:25] <teK_> oops..
[10:29] <jue> using the bundle from curl is indeed a very simple solution -> curl -o /etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem
[10:31] <jaeger> No objections to that if it works properly
[10:33] <jue> give it a try, please
[10:34] <jaeger> what's a quick test?
[10:35] <jue> using https://... with wget or curl
[10:36] <jaeger> to any site?
[10:37] <jaeger> I guess it would have to be a site with a cert signed by a CA in the bundle
[10:38] <jaeger> seems to work
[10:38] <jaeger> well, worked for wget, not for curl
[10:39] <jaeger> works if I manually specify --cacert=
[10:40] <jue> jaeger: I've updated the curl port some minutes ago ...
[10:41] <jaeger> ah, ok
[12:27] <horrorStruck> jue: any plan to start shipping cert.pem, with 3.0 maybe?
[12:34] <jue> horrorStruck: we talked about that earlier, jaeger has suggested to do so
[12:35] <jue> just using the file from curl is a bit problematic, because it is not versioned
[12:36] <horrorStruck> yes but it's so much simpler than other solutions
[12:36] <horrorStruck> maybe it could be hosted on crux.nu
[12:36] <horrorStruck> (and renamed)
[12:56] *** rmull has quit IRC
[13:02] *** rmull has joined #crux-devel
[13:11] * jue hides -> http://49d0820c50e050be.paste.se/
[13:11] <jue> not sure if we really want a port like this ;)
[13:13] <jue> ah, forgot a -m 644
[13:23] <horrorStruck> nice trick
[13:29] <jue> more dubious than nice, but we cannot save a file within the source array to a different name
[13:30] <jue> that's something I have missed already sometimes
[13:30] <horrorStruck> yes, happened to me not so long time ago
[13:32] <jue> IIRC I was trying to build a port for a file from gitorious
[13:33] <horrorStruck> in any case, i'd +1 the idea of shipping this by default.
[13:34] <horrorStruck> even if my voice is a user's voice only :P
[13:38] <jue> jaeger, frinnst: your opinion? do you have a better idea for such a port?
[13:39] <jaeger> jue: I would save a copy on crux.nu or something instead of always 'wget'ing it. That way the md5sum won't change upstream unexpectedly
[13:41] <jue> why always 'wget'ing it?
[13:41] <jaeger> the one on curl.haxx.se has no version information attached, right?
[13:42] <jue> yep
[13:42] <jaeger> so if they change upstream the md5sum will change
[13:42] <frinnst> yeah i think we should ship it
[13:42] <jaeger> even if we watch it with ck4up there could be a period where that will cause port build failures
[13:43] <frinnst> if we just put the file on crux.nu and ck4up the file from curl, it should be ok, no?
[13:43] <jaeger> that would be my suggestion, or even put the file directly into git if we want
[13:43] <frinnst> yeah
[13:43] <jue> yep, that's all right, but I'm not eager to host such a sensible file
[13:44] <jue> that's the reason for the 'special' port
[13:45] <jue> but well ...
[13:45] <frinnst> well i guess its not a big deal just fetching it from curl.haxx.se
[13:45] <frinnst> we might get a few messages on the ml and pointers on irc that the md5sum is broken
[13:46] <frinnst> but that happens anyways with upstream silently updating tarballs
[13:48] <frinnst> is ~200k too big to host with the port itself?
[13:49] <jue> not really, we have some bigger .footprint
[13:49] <horrorStruck> BTW it's a shame that there's not even a signature for this file on curl's site
[13:49] <frinnst> well, they do just host it to be nice :)
[13:50] <horrorStruck> nice and shameful :P
[13:51] <frinnst> its not like we sign anything :)
[13:51] <horrorStruck> yeah but like jue said, it's a special file
[13:54] <horrorStruck> 132K  cert.tar.xz
[13:55] <jue> frinnst, jaeger: I'm clueless now, decide you what to do :)
[13:56] <jaeger> If you prefer not to double the hosting work since they're already doing it, that's fine with me. We'll just have to deal with md5sum updates now and then
[13:56] <frinnst> lol! i was gonna suggest the opposite :D
[13:57] <frinnst> just slap the file with the Pkgfile and ship it
[13:58] <frinnst> http://512c1d51bf861525.paste.se/
[13:58] <frinnst> or something
[13:58] <jaeger> My personal preference would be to put the .pem file into our git but jue doesn't seem to like that idea
[13:59] <frinnst> hmm, yeah.
[14:00] <jue> no, that's fine for me if you prefer that
[14:00] <jaeger> ok, guess I misunderstood
[14:00] <jaeger> I just like that idea because then we don't have unexpected md5sum mismatches
[14:00] <jaeger> if we track the upstream version with ck4up we should be set
[14:00] <frinnst> yep
[14:02] <jue> my only concern is that we, CRUX, are shipping a CA certificate
[14:02] <rmull> Because it's political?
[14:03] <jue> no, because it's security related
[14:05] <frinnst> worried someone would replace it with a malicious file? afaik it would be very hard to do so in git
[14:06] <frinnst> http://sourceware.org/bugzilla/show_bug.cgi?id=13013
[14:06] <frinnst> woot
[14:07] <jaeger> I can understand that concern though I would point out that we're already trusting curl.haxx.se admins if we wget it from them :)
[14:07] <jue> that's not the problem, but we ship a file we get from somewhere. Would you guarantee for it?
[14:07] <frinnst> but you can expand on that. we get everything from somewhere else (well, mostly :))
[14:07] <jue> yep, that's right, maybe I'm a bit too anxious here
[14:08] <jaeger> I don't have a strong feeling on it, though I can understand your concern
[14:08] <rmull> We can bypass haxx.se and get it directly from mozilla if desired
[14:08] <frinnst> yeah me too
[14:08] <rmull> need to convert it with a script (in the Pkgfile?) though
[14:08] <rmull> Also I don't see that it's versioned on mozilla's site
[14:09] <frinnst> dont expect to get any information or help from mozilla..
[14:09] <frinnst> fuck i hate that project
[14:09] <jaeger> I have strong angry feelings about NFS4 and Kerberos right now :P
[14:09] <rmull> This is what haxx uses to convert the mozilla certs: https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl
[14:11] <jue> the script is shipped with the curl sources too
[14:11] <horrorStruck> candidate for 3.0? http://jaegerandi.blogspot.com/2012/11/glibc-217-on-finishing-line.html
[14:12] <jue> no, that's too late for us
[14:12] <frinnst> yeah 3.1
[14:13] <frinnst> but I do look forward to 2.17. it seems they have fixed most (all?) of the braindamage in 2.16
[14:13] <horrorStruck> not afraid ---> Cloning into 'glibc'... :P
[14:14] <frinnst> I'm about to trash my / (probably) brb (or back much later)
[14:15] <jaeger> I have a sunfire server with 16 drives in it that I kinda want to throw btrfs on for no good reason
[14:15] <jaeger> perhaps I should visit a doctor
[14:19] <jue> Q: if we assume that cacert.pem is a versioned file would you still prefer to deliver it as part of our port?
[14:19] <jaeger> If it were versioned I would be fine with either way since the md5sum should be consistent with the version
[14:33] <jue> ok, I'm still not convinced, but as I said, decide you
[14:35] <horrorStruck> i dont think they would keep old versions in that case so that would be a 404
[14:37] <horrorStruck> git should be pretty secure no?
[14:57] <jue> is there a reason why we should not add the ca-certificates port to 2.8?
[15:00] <jaeger> jue: I generally feel like we should agree on core type stuff like that :) (not core as in the repo but important to overall system health)
[15:00] <jaeger> no objections here
[15:02] <jue> jaeger: yeah, that's my thoughts as well and I'm pretty sure we will do :)
[15:04] <rmull> So if you guys want versioning, maybe grab the versioned certdata.txt from mozilla here: http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD&mark=1.86
[15:04] <jue> frinnst: would you mind adding your port?
[15:04] <jue> frinnst: I forgot, please add a -m 0644 to install
[15:09] <jue> rmull: yeah, but we need to process that data with mk-ca-bundle.pl
[15:11] <rmull> Well, curl is in core - maybe installing curl could also grab and convert the versioned certs from mozilla
[15:11] <rmull> rather than maintaining them separately
[15:11] <rmull> I dunno, ignore me
[15:13] <rmull> It just feels weird to me to download them from a third party rather than the source
[15:13] <jue> no, we don't :) alas mk-ca-bundle.pl needs some extra perl modules
[15:14] <rmull> I suppose we don't want to use crux.nu infrastructure to do it instead of relying on haxx.se?
[15:17] <jue> if we ship the cert with our port it doesn't matter where it comes from, right?
[15:19] <rmull> Yeah, I guess it makes no difference then, except someone will need to verify that what we're getting from haxx.se matches what is being sourced by mozilla
[15:20] <rmull> I can't actually find a way to get the raw text for older versions anyway
[15:21] <rmull> through the web interface, at least
[15:21] <jue> btw, just noticed that my port doesn't work if PKGMK_SOURCE_DIR is set to something in /etc/pkgmk.conf, because the Pkgfile is sourced before pkgmk.conf into pkgmk
[15:29] <frinnst> I cant add the port
[15:29] <frinnst> i did indeed trash my / :D
[15:29] <frinnst> *reinstall*
[15:30] <rmull> Btw, core/curl has dependencies listed even though everything is in core. Is that correct?
[15:32] <rmull> Thought we were supposed to omit core deps
[15:34] <jue> no, the /usr/bin/curl binary is linked against openssl and zlib
[15:36] <jue> we omit only linkage against glibc/gcc
[15:36] <rmull> Hm, I think I'm getting mixed messages then
[15:36] <jue> and everything from core that is not linked
[15:37] <rmull> So if I'm writing a Pkgfile and it links against core/curl, I shouldn't omit it from the Depends On: list?
[15:37] <jue> yeah, lately someone said something other than what I said
[15:38] <rmull> Yeah, I think that's true
[15:38] <rmull> Romster: Was it you?
[15:38] <jue> yes, if it links against libcurl you have to list it
[15:38] <rmull> Okay, thanks
[15:40] <jue> np, you can read it here -> http://crux.nu/Main/PortGuidelines
[15:41] <jue> frinnst: really? a problem with btrfs?
[15:42] <rmull> jue: I see, so I think my confusion is with the build dependencies versus linking dependencies
[15:43] <rmull> I think I understand now.
[15:46] <frinnst> well not really
[15:46] <frinnst> I had the brilliant idea to convert to gpt and remove a couple of partitions
[15:46] <frinnst> then i insisted on moving my big btrfs / to the beginning of the drive
[15:46] <frinnst> but nooo, that wouldnt play
[15:47] <frinnst> so i decided to do it proper from scratch :)
[15:48] <jue> .oO hopefully you didn't lose any data?
[15:48] <frinnst> heh, no restoring from backup now
[15:49] <jue> yeah, good guy :)
[15:53] <prologic> what do you use as a backup strategy frinnst ?
[15:54] <frinnst> I just rsync everything at the moment. rdiff-backup currently
[15:54] <frinnst> quick & dirty
[15:55] <prologic> to another server/drives?
[15:55] <frinnst> another box
[15:55] <prologic> yup
[15:55] <frinnst> it also runs on btrfs :>
[15:55] <prologic> I was thinking of doing that
[15:55] <prologic> but as well as BD backups of the important stuff
[15:56] <prologic> yeah my plan is to use different hw and technologies
[15:56] <frinnst> how much do you fit on a bluray these days?
[15:56] <prologic> ZFS here at home - plain ol RAID at my mum's place
[15:57] <prologic> I think on double-sided you can fit 100G or more
[15:58] <frinnst> my backup is 2.2TB currently. but that's everything from my desktop
[15:58] <prologic> yeah
[15:58] <prologic> as I said "important" stuff -> BD :)
[15:58] <prologic> hmm
[15:58] <prologic> I can only see/find 25GB disks at pccasegear.com.au
[15:59] <prologic> but I'm sure you can get higher capacity disks
[15:59] <frinnst> 3TB drives are getting cheap
[15:59] <frinnst> a couple of those
[16:02] <jaeger> 31G on a blu-ray disc
[16:07] *** mike_k has quit IRC
[16:08] <Romster> rmull, i said anything that lists on finddeps foo should be listed on the depends on line minus gcc,glibc,binutils if it's a build time dep and not in core it should also be listed.
[16:17] <Romster> that http://49d0820c50e050be.paste.se/ is ugly
[16:18] <Romster> i take it you can't download it due to some licencing issue like java is
[16:19] <Romster> new firefox 17.0.1 the joy
[16:22] <frinnst> good as new
[16:22] <frinnst> yeah i noticed 17.0.1esr was out
[16:32] <Romster> lets keep releasing then realise we made a security flaw...
[16:33] <Romster> haven't they got beta testers
[16:35] <frinnst> https://www.mozilla.org/security/known-vulnerabilities/firefox.html still not updated
[16:38] <Romster> damn they're slow
[16:38] <Romster> wouldn't you update everything before releasing the tarball
[17:56] <frinnst> maintaining mozilla products is like being in an abusive relationship :)
[17:57] <jaeger> you are the battered wife :P
[17:57] <frinnst> but.. they can change!!
[17:57] <jaeger> uh huh... heard that one before :)
[21:41] *** ___mavrick61 has quit IRC
[21:42] *** ____mavrick61 has joined #crux-devel
[22:34] *** horrorStruck has quit IRC
[22:41] *** horrorStruck has joined #crux-devel
[23:27] *** horrorStruck has quit IRC
[23:29] *** horrorStruck has joined #crux-devel
