IRC Logs for #crux-devel Friday, 2012-11-30

*** Roooomster has quit IRC [00:32]
*** prologic has quit IRC [01:44]
*** prologic has joined #crux-devel [01:44]
<jue> jaeger: yeah, good point, will remove the port [01:56]
<frinnst> i know i've asked before, but what was it used for? I can't remember :) [02:01]
<jue> it's a long time ago we really need it for the transition from gcc 3.x to 4.x [02:06]
<jue> or was it for 2.x to 3.x? [02:07]
is a lib from crux itself, both others are from RH or something like that, as Per told me at that time [02:10]
is obviously from gcc 3.x, we are now at
*** Romster has quit IRC [02:27]
<frinnst> time flies :) [02:43]
*** Romster has joined #crux-devel [02:50]
*** mike_k has joined #crux-devel [02:53]
*** Romster has quit IRC [03:46]
*** Romster has joined #crux-devel [04:01]
*** Romster has joined #crux-devel [04:01]
<jaeger> we should probably add an official ca-certificates port [10:09]
<jue> you mean the one from mozilla? [10:13]
<jaeger> I have no idea which one, whatever works properly [10:15]
<jaeger> I haven't messed with it, myself [10:15]
<jue> well, it's the one firefox is using too, so it should be fine [10:19]
<jue> but I'm a crypt dummy, so don't take me serious here ;) [10:20]
<teK_> firefox et al. include a *lot* of dubious and crappy CAs :\ [10:22]
<jue> teK_: and now? [10:23]
<teK_> there's no metric as to when a CA is not dubious so I'll shut up [10:24]
<jue> lol :) [10:24]
<jue> using the bundle from curl is indeed a very simple solution -> curl -o /etc/ssl/cert.pem
<jaeger> No objections to that if it works properly [10:31]
<jue> give it a try, please [10:33]
<jaeger> what's a quick test? [10:34]
<jue> using https://... with wget or curl [10:35]
<jaeger> to any site? [10:36]
<jaeger> I guess it would have to be a site with a cert signed by a CA in the bundle [10:37]
<jaeger> seems to work [10:38]
<jaeger> well, worked for wget, not for curl [10:38]
<jaeger> works if I manually specify --cacert= [10:39]
<jue> jaeger: I've updated the curl port some minutes ago ... [10:40]
<jaeger> ah, ok [10:41]
<horrorStruck> jue: any plan to start shipping cert.pem, with 3.0 maybe? [12:27]
<jue> horrorStruck: we talked about that earlier, jaeger has suggested to do so [12:34]
<jue> just using the file from curl is a bit problematic, because it is not versioned [12:35]
<horrorStruck> yes but it's so much simpler than other solutions [12:36]
<horrorStruck> maybe it could be hosted on crux.nu [12:36]
<horrorStruck> (and renamed) [12:36]
*** rmull has quit IRC [12:56]
*** rmull has joined #crux-devel [13:02]
* jue hides ->
<jue> not sure if we really want a port like this ;) [13:11]
<jue> ah, forgot a -m 644 [13:13]
<horrorStruck> nice trick [13:23]
<jue> more dubious than nice, but we cannot save a file within the source array to a different name [13:29]
<jue> that's something I have missed already sometimes [13:30]
<horrorStruck> yes, happened to me not so long time ago [13:30]
<jue> IIRC I was trying to build a port for a file from gitorious [13:32]
<horrorStruck> in any case, i'd +1 the idea of shipping this by default. [13:33]
<horrorStruck> even if my voice is a user's voice only :P [13:34]
<jue> jaeger, frinnst: your opinion? do you have a better idea for such a port? [13:38]
<jaeger> jue: I would save a copy on or something instead of always 'wget'ing it. That way the md5sum won't change upstream unexpectedly [13:39]
<jue> why always 'wget'ing it? [13:41]
<jaeger> the one on has no version information attached, right? [13:41]
<jaeger> so if they change upstream the md5sum will change [13:42]
<frinnst> yeah i think we should ship it [13:42]
<jaeger> even if we watch it with ck4up there could be a period where that will cause port build failures [13:42]
<frinnst> if we just put the file on and ck4up the file from curl, it should be ok, no? [13:43]
<jaeger> that would be my suggestion, or even put the file directly into git if we want [13:43]
<jue> yep, that's all right, but I'm not eager to host such a sensible file [13:43]
<jue> that's the reason for the 'special' port [13:44]
<jue> but well ... [13:45]
<frinnst> well i guess it's not a big deal just fetching it from curl.haxx.se [13:45]
<frinnst> we might get a few messages on the ml and pointers on irc that the md5sum is broken [13:45]
<frinnst> but that happens anyways with upstream silently updating tarballs [13:46]
<frinnst> is ~200k too big to host with the port itself? [13:48]
<jue> not really, we have some bigger .footprint [13:49]
<horrorStruck> BTW it's a shame that there's not even a signature for this file on curl's site [13:49]
<frinnst> well, they do just host it to be nice :) [13:49]
<horrorStruck> nice and shameful :P [13:50]
<frinnst> it's not like we sign anything :) [13:51]
<horrorStruck> yeah but like jue said, it's a special file [13:51]
<horrorStruck> 132K  cert.tar.xz [13:54]
<jue> frinnst, jaeger: I'm clueless now, decide you what to do :) [13:55]
<jaeger> If you prefer not to double the hosting work since they're already doing it, that's fine with me. We'll just have to deal with md5sum updates now and then [13:56]
<frinnst> lol! i was gonna suggest the opposite :D [13:56]
<frinnst> just slap the file with the Pkgfile and ship it [13:57]
<frinnst> or something [13:58]
<jaeger> My personal preference would be to put the .pem file into our git but jue doesn't seem to like that idea [13:58]
<frinnst> hmm, yeah. [13:59]
<jue> no, that's fine for me if you prefer that [14:00]
<jaeger> ok, guess I misunderstood [14:00]
<jaeger> I just like that idea because then we don't have unexpected md5sum mismatches [14:00]
<jaeger> if we track the upstream version with ck4up we should be set [14:00]
<jue> my only concern is that we, CRUX, are shipping a CA certificate [14:02]
<rmull> Because it's political? [14:02]
<jue> no, because it's security related [14:03]
<frinnst> worried someone would replace it with a malicious file? afaik it would be very hard to do so in git [14:05]
<jaeger> I can understand that concern though I would point out that we're already trusting admins if we wget it from them :) [14:07]
<jue> that's not the problem, but we ship a file we get from somewhere. Would you guarantee for it? [14:07]
<frinnst> but you can expand on that. we get everything from somewhere else (well, mostly :)) [14:07]
<jue> yep, that's right, maybe I'm a bit too anxious here [14:07]
<jaeger> I don't have a strong feeling on it, though I can understand your concern [14:08]
<rmull> We can bypass and get it directly from mozilla if desired [14:08]
<frinnst> yeah me too [14:08]
<rmull> need to convert it with a script (in the Pkgfile?) though [14:08]
<rmull> Also I don't see that it's versioned on mozilla's site [14:08]
<frinnst> don't expect to get any information or help from mozilla.. [14:09]
<frinnst> fuck i hate that project [14:09]
<jaeger> I have strong angry feelings about NFS4 and Kerberos right now :P [14:09]
<rmull> This is what haxx uses to convert the mozilla certs:
<jue> the script is shipped with the curl sources too [14:11]
<horrorStruck> candidate for 3.0?
<jue> no, that's too late for us [14:12]
<frinnst> yeah 3.1 [14:12]
<frinnst> but I do look forward to 2.17. it seems they have fixed most (all?) of the braindamage in 2.16 [14:13]
<horrorStruck> not afraid ---> Cloning into 'glibc'... :P [14:13]
<frinnst> I'm about to trash my / (probably) brb (or back much later) [14:14]
<jaeger> I have a sunfire server with 16 drives in it that I kinda want to throw btrfs on for no good reason [14:15]
<jaeger> perhaps I should visit a doctor [14:15]
<jue> Q: if we assume that cacert.pem is a versioned file would you still prefer to deliver it as part of our port? [14:19]
<jaeger> If it were versioned I would be fine with either way since the md5sum should be consistent with the version [14:19]
<jue> ok, I'm still not convinced, but as I said, decide you [14:33]
<horrorStruck> i don't think they would keep old versions in that case so that would be a 404 [14:35]
<horrorStruck> git should be pretty secure no? [14:37]
<jue> is there a reason why we should not add the ca-certificates port to 2.8? [14:57]
<jaeger> jue: I generally feel like we should agree on core type stuff like that :) (not core as in the repo but important to overall system health) [15:00]
<jaeger> no objections here [15:00]
<jue> jaeger: yeah, that's my thoughts as well and I'm pretty sure we will do :) [15:02]
<rmull> So if you guys want versioning, maybe grab the versioned certdata.txt from mozilla here:
<jue> frinnst: would you mind adding your port? [15:04]
<jue> frinnst: I forgot, please add a -m 0644 to install [15:04]
<jue> rmull: yeah, but we need to process that data with mk-ca-bundle.pl [15:09]
<rmull> Well, curl is in core - maybe installing curl could also grab and convert the versioned certs from mozilla [15:11]
<rmull> rather than maintaining them separately [15:11]
<rmull> I dunno, ignore me [15:11]
<rmull> It just feels weird to me to download them from a third party rather than the source [15:13]
<jue> no, we don't :) alas needs some extra perl modules [15:13]
<rmull> I suppose we don't want to use infrastructure to do it instead of relying on
<jue> if we ship the cert with our port it doesn't matter where it comes from, right? [15:17]
<rmull> Yeah, I guess it makes no difference then, except someone will need to verify that what we're getting from matches what is being sourced by mozilla [15:19]
<rmull> I can't actually find a way to get the raw text for older versions anyway [15:20]
<rmull> through the web interface, at least [15:21]
<jue> btw, just noticed that my port doesn't work if PKGMK_SOURCE_DIR is set to something in /etc/pkgmk.conf, because the Pkgfile is sourced before pkgmk.conf into pkgmk [15:21]
<frinnst> I can't add the port [15:29]
<frinnst> i did indeed trash my / :D [15:29]
<rmull> Btw, core/curl has dependencies listed even though everything is in core. Is that correct? [15:30]
<rmull> Thought we were supposed to omit core deps [15:32]
<jue> no, the /usr/bin/curl binary is linked against openssl and zlib [15:34]
<jue> we omit only linkage against glibc/gcc [15:36]
<rmull> Hm, I think I'm getting mixed messages then [15:36]
<jue> and everything from core that is not linked [15:36]
<rmull> So if I'm writing a Pkgfile and it links against core/curl, I shouldn't omit it from the Depends On: list? [15:37]
<jue> yeah, lately someone said something other than what I said [15:37]
<rmull> Yeah, I think that's true [15:38]
<rmull> Romster: Was it you? [15:38]
<jue> yes, if it links against libcurl you have to list it [15:38]
<rmull> Okay, thanks [15:38]
<jue> np, you can read it here ->
<jue> frinnst: really? a problem with btrfs? [15:41]
<rmull> jue: I see, so I think my confusion is with the build dependencies versus linking dependencies [15:42]
<rmull> I think I understand now. [15:43]
<frinnst> well not really [15:46]
<frinnst> I had the brilliant idea to convert to gpt and remove a couple of partitions [15:46]
<frinnst> then i insisted on moving my big btrfs / to the beginning of the drive [15:46]
<frinnst> but nooo, that wouldn't play [15:46]
<frinnst> so i decided to do it proper from scratch :) [15:47]
<jue> .oO hopefully you didn't lose any data? [15:48]
<frinnst> heh, no restoring from backup now [15:48]
<jue> yeah, good guy :) [15:49]
<prologic> what do you use as a backup strategy frinnst? [15:53]
<frinnst> I just rsync everything at the moment. rdiff-backup currently [15:54]
<frinnst> quick & dirty [15:54]
<prologic> to another server/drives? [15:55]
<frinnst> another box [15:55]
<frinnst> it also runs on btrfs :> [15:55]
<prologic> I was thinking of doing that [15:55]
<prologic> but as well as BD backups of the important stuff [15:55]
<prologic> yeah my plan is to use different hw and technologies [15:56]
<frinnst> how much do you fit on a bluray these days? [15:56]
<prologic> ZFS here at home - plain ol RAID at my mum's place [15:56]
<prologic> I think on double-sided you can fit 100G or more [15:57]
<frinnst> my backup is 2.2TB currently. but that's everything from my desktop [15:58]
<prologic> as I said "important" stuff -> BD :) [15:58]
<prologic> I can only see/find 25GB disks at
<prologic> but I'm sure you can get higher capacity disks [15:59]
<frinnst> 3TB drives are getting cheap [15:59]
<frinnst> a couple of those [15:59]
<jaeger> 31G on a blu-ray disc [16:02]
*** mike_k has quit IRC [16:07]
<Romster> rmull, i said anything that lists on finddeps foo should be listed on the depends on line minus gcc,glibc,binutils if it's a build time dep and not in core it should also be listed. [16:08]
<Romster> that is ugly [16:17]
<Romster> i take it you can't download it due to some licensing issue like java is [16:18]
<Romster> new firefox 17.0.1 the joy [16:19]
<frinnst> good as new [16:22]
<frinnst> yeah i noticed 17.0.1esr was out [16:22]
<Romster> let's keep releasing then realise we made a security flaw... [16:32]
<Romster> haven't they got beta testers [16:33]
<frinnst> still not updated [16:35]
<Romster> damn they're slow [16:38]
<Romster> wouldn't you update everything before releasing the tarball [16:38]
<frinnst> maintaining mozilla products is like being in an abusive relationship :) [17:56]
<jaeger> you are the battered wife :P [17:57]
<frinnst> but.. they can change!! [17:57]
<jaeger> uh huh... heard that one before :) [17:57]
*** ___mavrick61 has quit IRC [21:41]
*** ____mavrick61 has joined #crux-devel [21:42]
*** horrorStruck has quit IRC [22:34]
*** horrorStruck has joined #crux-devel [22:41]
*** horrorStruck has quit IRC [23:27]
*** horrorStruck has joined #crux-devel [23:29]
