IRC Logs for #crux-devel Friday, 2019-06-07

[00:17] <ryuo> frinnst, jaeger: i was reading about INTEL-SA-00213, INTEL-SA-00223, and INTEL-SA-00233. INTEL-SA-00233 can be mitigated by microcode updates it appears, but what of the other 2? i have business laptops that won't receive any ME updates to patch the issue, so is there anything else i can do besides upgrade them?
[01:07] <jaeger> I assume if there won't be microcode updates via BIOS or ME, you'll have to rely on software mitigations or replace the hardware
[01:09] <ryuo> jaeger: i already have AMT disabled. what else can I do?
[01:15] <jaeger> not sure. I'm certainly not an expert :D
[01:16] <ryuo> seems most of them require physical/local access.
[01:16] <jaeger> what does your kernel say about the vulns?
[01:16] <jaeger> for V in /sys/devices/system/cpu/vulnerabilities/*; do echo -n "${V##*/}: "; cat ${V}; done
[01:17] <ryuo> jaeger: oh, that doesn't apply here. i already have the MDS mitigated.
[01:17] <ryuo> jaeger: these are specific to ME or related firmware.
[01:17] <ryuo> those aren't covered in that API.
[01:17] <jaeger> Ah. In that case I have no idea whatsoever
[01:17] <ryuo> only the CPU flaws.
[01:17] <ryuo> fair enough.
[01:17] <jaeger> I'd consider replacing the hardware if the vendor isn't going to update the ME
[01:17] <ryuo> reading it, most of them require... local access.
[01:17] <ryuo> they can't.
[01:18] <ryuo> even if they wanted to.
[01:18] <ryuo> Intel decided not to patch older ME this time.
[01:19] <ryuo> hm. only 4 of these say they can be exploited via network access.
[01:19] <ryuo> the rest are all local.
[01:19] <ryuo> honestly if they get local access... there's a lot they can do regardless of this.
[01:20] <ryuo> most firmware components require elevated privileges to interact with even so...
[01:20] <ryuo> risk seems minimal to unprivileged users.
[01:21] <ryuo> "adjacent network access" vs "network access"
[01:21] <ryuo> 3 are in AMT... guess best mitigation is make sure AMT is really disabled.
[01:22] <ryuo> and the remaining one is... ME bug in 12.x.
[01:23] <ryuo> appears 10.x and 11.x are not affected so i guess i'm immune to the remaining network access bug.
[01:25] <ryuo> ok, somewhat serious, but most are not remotely exploitable just by being on the same network.
[02:09] <jaeger> stuff like this is why I'm glad I'm not a security dude :)
[07:27] *** jue has quit IRC
[07:28] *** Workster has quit IRC
[07:28] *** Workster has joined #crux-devel
[07:31] *** jue has joined #crux-devel
[10:48] *** kyaaaaaa has quit IRC
[10:48] *** kyaaa has joined #crux-devel
[12:52] *** pedja has joined #crux-devel
[14:31] <jaeger> -rc2 uploading now, ETA 3 minutes
[14:32] * pedja removes rc1 iso
[14:33] *** nthwyatt has joined #crux-devel
[14:33] <pedja> hopefully, update over the weekend. not that I have a social life anyway :)
[14:35] <jaeger> rc2 is just kernel and package updates, since there were several ISO packages that got updated... but if you want to test the ISO that won't hurt my feelings :)
[14:37] <pedja> with some luck, I'll be able to use offline upgrade, like a normal human being, and not the hacky way, this time around
[14:40] *** stenur has joined #crux-devel
[14:45] <jaeger> crazy talk! hehe
[14:55] *** nthwyatt has quit IRC
[14:55] *** darfo has joined #crux-devel
[15:10] <pedja> CRUX upgrades are generally (and thankfully) boring, so it does add some spice to the procedure, tbh :)
[15:11] <pedja> massive rebuild after is not that fun, but it sort of goes with the territory, I guess
[15:15] <pedja> jaeger, are you at all curious about ryzen 3000's, or you are set, for the time being, cpu-wise?
[15:22] <jaeger> I'm thinking about replacing my current system with a 3700x, maybe
[15:23] <pedja> no 12c temptation :) ?
[15:23] <jaeger> Not really. I have the threadripper box already
[15:25] <pedja> rumors are that 16c will be 'entry level' for tr3 :) which is...insane
[15:26] <pedja> we shall see, next year-ish
[15:58] <stenur> Insanity seems to be a common attribute for TR, i read Matthew Dillon's (DragonFly BSD) mail in May:
[16:00] <stenur> "exec rate on TR [.static binaries.] caps out at around 450000 execs per second.  Which is an insanely high number."
[16:00] <stenur> 16-bit PIDs appear very outdated.
[16:23] <pedja> TimB_, set the full path for usermod in lxc post-install, it fails when scripts are run with 'sudo /bin/sh'
[16:56] <TimB_> pedja: thanks for the heads up, will change that
[17:00] <pedja> I am reading man pages for lxc-*, looks interesting so far :)
[17:00] <pedja> I'll have to see if I can use openvswitch with it
[17:02] <jaeger> Anyone have any thoughts about sifuh's runlevel/inittab issue in #crux?
[17:08] <TimB_> jaeger: not me, sorry :/
[17:15] <jaeger> It does seem like an issue we should fix... I'm just not fully concentrating on it right now due to work
[19:04] <jaeger> TimB_: are you testing 3.5? I can't recall
[20:56] <TimB_> jaeger: in some way, yes :) I switched to the 3.5 branch in march I think?
[20:57] <TimB_> Haven't used an rc this time around
[20:59] <jaeger> that's fine. Are you running MATE on your 3.5 install?
[21:00] <jaeger> I'm finding that no matter what version of consolekit I use I can't get consolekit and polkit stuff working properly
[21:00] <jaeger> Be it legacy consolekit or consolekit2
[21:00] <jaeger> The desktop generally works fine but the stuff that would use polkit and consolekit like disk mounting with udisks2 and power operations don't work
[21:01] <jaeger> Probably related to the switch to PAM somehow but I wondered if you'd already worked around it and had some insight
[21:01] <jaeger> I've enabled PAM where it seems to make sense (consolekit, mate-screensaver, etc.) but no luck
[21:02] <TimB_> mh, ok
[21:02] <jaeger> even simple tests like running 'ck-list-sessions' don't work
[21:02] <TimB_> well it seemed like the box of Pandora to me
[21:03] <TimB_> that all works for me, although not from inside a full mate session
[21:03] <jaeger> see for an example
[21:03] <jaeger> that one takes a few seconds to even return
[21:03] <jaeger> there are periodically also dbus connection error messages, not sure why
[21:04] <TimB_> I can't recall running into that
[21:04] <TimB_> at some point, I nuked all folders regarding polkit, dbus, pam and I am forgetting something
[21:04] <jaeger> I get the same results on a fresh install for what that's worth
[21:04] <TimB_> let fresh packages set them up again and went with that.
[21:05] <TimB_> permissions on polkit folders are critical
[21:05] <TimB_> have you checked those?
[21:05] <jaeger> not yet, though they all worked fine in 3.4 so I hadn't thought of that being an issue
[21:05] <jaeger> What are you running instead of a full mate session? Do you use any polkit or consolekit stuff?
[21:06] <TimB_> some package broke them for me at some point..
[21:06] <TimB_> I call the mate session manager from within an i3 session
[21:06] <jaeger> In your session do polkitd or console-kit-daemon run at all?
[21:06] <TimB_> they do
[21:06] <jaeger> they aren't running for me, so I assume they don't get started properly
[21:07] <TimB_> I get an output from ck-list-sessions and polkit works fine (once permissions were fixed) too
[21:07] <TimB_> I suppose lightdm handles that for me?
[21:07] <jaeger>  is the output from a debug run on console-kit-daemon
[21:07] <jaeger> Maybe it does, I don't know much about it
[21:08] <TimB_> console-kit-daemon[22275]: DEBUG: VT activated but already active: 7
[21:08] <TimB_> console-kit-daemon[22275]: DEBUG: name_lost
[21:08] <TimB_> I have a port for it in my repo, if you want to give it a try?
[21:09] <TimB_> how are you starting your session otherwise? from shell?
[21:09] <jaeger> 'exec start-mate' in .xinitrc, run by slim
[21:09] <TimB_> would've been my next guess :)
[21:10] <jaeger> interestingly dbus-monitor shows nothing at all from that failed console-kit-daemon start
[21:10] <TimB_> I never had issues with dbus on crux
[21:10] <jaeger> nor had I until now :)
[21:11] <jaeger> I'll give your lightdm port a try, see if anything's different
[21:12] <TimB_> I am not sure if there is much need for configuration for it. I think you have to input your user in the greeter's config
[21:12] <TimB_> p.s.: you'll need the greeter too :)
[21:13] <TimB_> I am not sure if I added the dependency
[21:13] <TimB_> because in theory you can customize lightdm, there are many different greeters like gtk or qt based ones
[21:16] <TimB_> for another way though, I think there was something you could put in your .xinitrc to launch a ck session..
[21:18] <TimB_> s/exec start-mate/ck-launch-session start-mate/
[21:20] <TimB_> he, yeah, like that :D
[21:20] <jaeger> Like I said, all this stuff worked without intervention in 3.4 :/
[21:20] <jaeger> blank screen with lightdm
[21:21] <jaeger> if I start it from a shell I see some more policy errors :/
[21:21] <TimB_> ugh, weird
[21:21] <jaeger> failed to get list of logind seats, etc.
[21:21] <jaeger> the name org.freedesktop.login1 was not provided by any .service files
[21:22] <TimB_> I get that one too and you can disregard that
[21:22] <TimB_> I looked it up once, I think it's elogind
[21:25] <TimB_> I have to try out the rc on a clean install somewhere..
[21:31] <TimB_> polkit also never interfered with ck for me, lightdm always worked but networkmanager didn't connect for example.. no idea here :^
[21:52] <TimB_>
[22:21] *** stenur has quit IRC
[23:21] <jaeger> tek__: any chance you could update vala (with graphviz as a new dep) soon?
