freenode/#devuan/ Monday, 2018-10-01

KatolaZwaydot: is http-only08:29
EHeMProblem with selectively encrypting things is it makes it obvious which data is the valuable data, thus encrypting *everything* is generally a good idea.08:36
EHeMMeanwhile, I think we've got at least two people seeing 403 Forbidden from (
KatolaZdetha: none of the mirrors actually has a cert for deb.devuan.org08:38
KatolaZand getting a cert for that is useless, since is a DNS RR08:39
dethaKatolaZ: I suspected as much. You could get a cert and distribute it along the mirror operators by some means, but meh08:40
KatolaZwaydot: you can't just "browse" a devuan mirror08:40
KatolaZat least not directly08:40
KatolaZdetha: no, we can't08:40
KatolaZit does not make any sense08:41
KatolaZand it's a real security threat08:41
dethaI didn't say it would make sense, but it is technically possible.08:43
KatolaZyes, it is technically possible08:43
KatolaZbut it's also useless08:43
KatolaZif you need https, just use one of the mirrors that provides https08:43
dethaThis same discussion happened a year or two ago in openbsd. I think eventually they gave in and put a cert on the mirrors08:44
KatolaZthe integrity of a repo is guaranteed by the fact that Release and InRelease files are signed08:45
KatolaZwith the key available in devuan-keyring08:45
* KatolaZ shrugs08:45
KatolaZthere are plenty of mirrors supporting https08:45
dethaYou understand that. I understand that. But google and co are doing a good job of conditioning people to say 'It doesn't have SSL, therefore it can not be good'08:46
KatolaZdetha: all the major distributions are conditioning people to say "It does not have systemd, therefore it can not be good"...08:47
KatolaZignorance is cured by knowledge, not by automagic candies08:48
KatolaZ(I might need a new keyboard soon, I guess... :D)08:49
dethaWhile you are here, there is no easy way to pull just the amprolla-overridden parts off a mirror is there?08:51
KatolaZsure there is08:52
KatolaZjust look at the "/devuan" section08:52
KatolaZinstead of "/merged"08:53
KatolaZdetha: ^^^08:53
KatolaZyou could also do that with debmirror, if you like08:53
KatolaZ(I posted a simple howto about that on dev1galaxy some time back)08:53
KatolaZmaybe golinux can help finding it08:54
dethaah. that might work. At the moment I have something called pmprolla which splits things so overrides come from the interwebz, and debian comes from a local rsync'ed debian mirror08:55
dethaI shall have to see if debmirror can be made to run on a non-debian system08:57
golinuxKatolaZ: I have not been able to find your debmirror howto among any of your d1g posts:
golinuxI'll try dng.09:03
golinuxKatolaZ: I did find this:
golinuxIs that what you were thinking of?  It must have been you who answered the bug report.09:09
golinuxOff to bed for me.09:10
dethathanks, that looks like a good starting point09:39
KatolaZdetha: there was another post12:51
KatolaZand there was also one on apt-mirror, IIRC12:52
dethaKatolaZ: both could probably work, just plain old rsync like all other mirrors support doesn't12:57
dethaBut since I only have to update two desktops and a base VM from behind a slow link, I never really bothered setting it up12:57
KatolaZdetha: rsync won't work12:58
KatolaZsince the Devuan repos are based on redirects12:59
KatolaZ(http redirects)12:59
dethaI know. That is what has annoyed me since day 1 of devuan. I have the same redirects that amprolla mirrors do in my local mirror server, just the other way around13:00
dethaIf there was just a rsync mirror::devuan, that would make life much easier13:01
KatolaZdetha: apt-mirror is super-easy to setup..13:04
dethaKatolaZ: on a debian-based system. However. The mirror server is not debian-based, and the last time I looked it was a pain with missing/mismatching perl modules13:05
KatolaZoh I see13:07
KatolaZwell, in principle apt-mirror does not require a debian-based system13:07
KatolaZonly apt13:07
dethaskimming through the .pl code it doesn't look like it uses anything too debian-specific, but I remember it would not run out of the box on centos613:09
dethaanyway, sometime in the next year or so that server will be converted to *bsd (with * to be decided), so I shall try again then13:10
dethathe fun bit will be finding 6TB parking space to convert the disks off LVM13:13
* man_in_shack stares at ryoch13:46
* queip clubs down ryoch13:58
nemohrm. so I'm transitioning an ubuntu 14.04 system to devuan15:49
nemoI went to devuan website, got the pubkey, ran apt-key add15:49
nemogot the OK15:49
nemodevuan repository shows up in apt-key list15:50
nemohowever, I still seem to be missing a couple of keys15:50
nemoW: GPG error: stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2F683C52980AECF15:50
nemothat one is mildly surprising but I can probably work it out with virtualbox15:50
nemoguess they use separate keys for ubuntu vs debian for some reason?15:50
nemoW: GPG error: ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB23C00C61FC752C15:50
nemothat one seems problematic tho...15:51
nemo  there's no mention of this 2nd key here...15:51
nemooh whew. I *am* able to install devuan-keyring tho \o/15:53
nemounverified tho crap15:53
* nemo sighs15:53
nemolemme find the package on your website at least15:53
nemohm is a 404...15:54
nemoand pkginfo doesn't offer any links15:55
nemoah here we go15:56
nemohttps and on devuan.org15:56
nemothat's probably about as much security as I'll get15:56
KatolaZnemo: ?16:00
KatolaZnemo the error is in the virtualbox repo16:00
KatolaZnot in the devuan one....16:00
KatolaZ15:52 < nemo> W: GPG error: stretch InRelease: The following signatures couldn't be verified because16:00
KatolaZ              the public key is not available: NO_PUBKEY A2F683C52980AECF16:00
nemoyeah. I noted that ☺16:01
KatolaZnemo: the keyring used for ascii is reported in the ascii release notes16:01
nemoKatolaZ: well. I'm upgrading now using the one I found on the package website16:01
KatolaZwhat is the "package website"?16:01
nemo09:56 < nemo>
KatolaZthere are currently two signing keys16:01
nemo09:56 < nemo> https and on devuan.org16:01
nemoapparently so16:01
KatolaZone for packages.devuan.org16:02
KatolaZand one for and deb.devuan.org16:02
nemoI found the first one on   but had no mention of the 2nd one16:02
nemobut when I installed the package I got the 2nd key16:02
KatolaZnemo again, read the ascii release notes please :)16:02
KatolaZand, with ascii you should not use packages.devuan.org16:02
KatolaZrather deb.devuan.org16:02
nemoyeah, now that I know that's the place to look for it... but it really doesn't apply too much in this scenario. I'm going to make a mess of this machine anyway16:02
nemoyeah. I know16:02
nemoI'm using a good sources.list.d16:03
nemoer sources.list16:03
nemofrom another known good devuan laptop16:03
KatolaZnemo: is NOT pkgmaster.devuan.org16:03
KatolaZand is not
nemoKatolaZ: ok... I only settled on it because it showed up in a search for your keyring package on google, and I could get it over https and off your domain16:03
nemoit was a bit roundabout, but whatever, couldn't find the .deb anywhere else16:03
nemoas noted the os/keyring link was a 404 and pkginfo had no links16:04
KatolaZnemo: I don't understand what you are referring to16:04
nemo → links to which is 40416:05
KatolaZthe keys are listed in the link I sent you16:05
KatolaZthe link you posted is not reachable from the website16:05
KatolaZmust be dead16:05
KatolaZgolinux: ^^^^^16:05
nemook. well. it's high up on google hits when I was trying to find your keyring16:06
nemofirst hit?16:06
KatolaZnemo: just looking on devuan.org16:06
KatolaZwould have saved you time16:06 happens to know better than google about devuan-keyring :)16:06
nemoKatolaZ:  doesn't seem to make the keyring .deb or ascii armoured keys terribly discoverable either - although it does at least list them16:06
KatolaZit's at the bottom of the page16:07
nemoI just rechecked16:07
nemojust list of keys16:07
nemono package link, no armour16:07
KatolaZwhat are you looking for?16:07
KatolaZoh lord16:07
nemonothing anymore16:07
nemoI got it working 😉16:07
nemoBut, I was looking for  OR ascii armoured versions of same16:08
KatolaZI see16:09
amarsh04nice, now have xfce from Devuan running on this pc16:09
nemohuh... devuan has its own separate xfce? that's mildly surprising16:10
nemodidn't realise the cancer had spread so far16:10
amarsh04only the wallpaper is noticably different16:10
amarsh04I had forgotten about installing an alternative desktop environment on this pc (which is still running KDE 3.5) in order to upgrade to plasma without losing access to other applications like thunderbird email16:13
nemoahhh the virtualbox issue is simply 'cause ubuntu 14.04 is so old - they'd changed their signing key16:13
golinuxnemo: There are several "dead" pages on the devuan site.  That information has been moved to another area/page16:21
nemogolinux: no worries, I was just trying to find *any* link on your site to the .asc or .deb of the keys16:22
golinuxI don't know why google doesn't drop links when they are gone.16:22
nemogolinux: I more or less have that thanks to that .deb above16:22
nemobut I would have been fine with curl foo.asc | apt-key add ☺16:22
nemoin the end I kinda have to trust that the domain is under your control, at least for the first few minutes I get the key16:23
golinuxKatolaZ: have never even seen    It is not linked to anywhere on the site.  So I have no idea where he got it.16:25
KatolaZno idea either16:28
nemogolinux: I was as noted trying to find the .deb / .asc tho16:30
golinuxBut the page must be there.  Should I delete it?  I have always kept old pages around in case we ever want to reactivate them though I have never even seen this one.16:30
golinuxMaybe a redirect?16:30
nemogolinux:  for example, they include this wget line for their signing key16:30
nemowas more or less trying to find that somewhere16:30
nemoI really should have just done a clean install, but this is a trial run for my server16:31
golinuxKatolaZ: ^^^ You were opposed to redirects the last time I requested one.  This is why I think they are a good idea.  Google never forgets it seems16:31
nemoI wanna see if I can switch to devuan semi-cleanly without rebooting16:31
nemogolinux: you can forcibly remove pages from google index if you claim the site, but it's a bit tedious to do so16:31
nemogolinux: robots.txt is a little faster16:31
nemogolinux: BTW DDG has it at top of their hits too16:32
nemobut hopefully they check robots.txt too16:32
golinuxDDG is google a bit neutered16:33
golinuxNot the content though.16:33
nemoerm. AFAIK DDG outsources the crawling to bing16:34
KatolaZgolinux: I don't mind what google thinks they should index16:34
KatolaZthey are simply wrong in linking a dead link16:34
nemohow would google and bing and ddg know it is dead?16:35
KatolaZby following it?16:38
golinuxKatolaZ: It make more work for all of us when there is a dead link.16:38
KatolaZgolinux: uh?16:38
golinuxAnd pisses off users.16:38
golinuxBecause we have to explain where to find the correct info.16:39
KatolaZit's super-easy: devuan.org16:39
KatolaZguess what16:39
KatolaZI need info about devuan?16:39
KatolaZI go to devuan.org16:39
golinuxIt takes time and energy that could be funneled elsewhere.16:39
nemogolinux: frankly, I'm still not sure where the correct info is for the .asc / .deb ...16:39
nemoand, people do use search engines to try and locate stuff *on* a domain16:39
KatolaZgolinux: we should just remove that page IMHP16:40
nemofirst hit for signing keys on your domain ☺16:40
KatolaZand maybe add the armoured keys used for signing repos16:40
nemoprobably first hit for "keys anything"16:40
nemowhooo boy.16:41
nemomy ubuntu 14.04 - devuan ascii has hit its first snag16:41
golinuxI don't even know what an armored key is but I'll add it if you give me the info.16:41
nemogolinux: just the .asc version16:41
nemogolinux: like, if you look at the virtualbox wget which they pipe into apt-key add16:42
nemogolinux: it's the pubkey basically in base64 with header/footer for easy sharing16:42
nemoyour keyring will generate it automatically16:42
nemogpg --armor --export16:43
golinuxs not my "domain"16:43
golinuxI do the graphics16:43
nemowell. now that I have your pubkey I can generate the armoured versions ☺16:43
nemoif you want16:43
nemobut then, so could you16:43
KatolaZnemo: got the comment mate16:43
KatolaZno need to boast ;)16:43
golinuxNot boasting.  Trying to help I thinkj16:44
nemohm. this is fun.  Unpacking libgstreamer-plugins-bad1.0-0:amd64 (1.10.4-1) over (1.2.4-1~ubuntu1.1)  trying to overwrite '/usr/lib/x86_64-linux-gnu/', which is also in package libgstreamer-plugins-good1.0-0:amd64 1.2.4-1~ubuntu1.416:44
nemoso... I'm gonna guess that the "good" one is the old ubuntu one16:44
golinuxAnyway, I have the plumber here fixing a leak so can't deal with this any longer16:44
nemoso I'm gonna try removing that one first16:44
nemosince gstreamer is non-critical16:44
nemoaaaagh  but apt-get remove is returning a ton of errors from all the other stuff blocking16:45
nemohm. maybe just a --force-all on the /var/cache package16:51
nemothat worked16:57
nemoinvoke-rc.d: WARNING: No init system and policy-rc.d missing! Defaulting to block.17:01
nemothat's a worrying one ☺17:01
nemobut eh. this is mostly for educational purposes17:01
nemosince I couldn't find any guide online to anyone attempting this17:02
nemoif it fails horribly I'll know not to attempt it on the servers17:02
nemomostly I'm attempting dist-upgrade until I hit errors, then dpkg -i --force-all - it is usually complaining about attempting to overwrite something an ubuntu 14.04 package that it doesn't know should be removed is managing17:18
nemoand --fix-broken install17:19
nemoit seems to be making progress, although we'll see what final state of system is ☺17:19
nemomy bet is the final damage will be untracked files under /usr  - will have to run a report to pick those up and clean 'em out by hand17:20
nemohopefully nothing too system-breaking if I run some prophylactic grub update etc before rebooting17:20
nemohah. there's hedgewars - totally forgot I put it on this work laptop long ago to test the ubuntu install17:21
nemooh. and also autoremove to clean out junk as it slowly succeeds in replacing things17:22
nemowelp. it finally finished, now for cleanup, for starters gonna remove everything installed that's "ubuntu"17:33
nemohm. wonder if I should have done that first17:46
ryochClean Link : )
nemoaaand done. that wiped out a good chunk of system, so gonna try installing a few high-level things like mate18:11
golinuxryoch: Just go away18:14
bkeysIs there a Sid equivalent in devuan?18:20
MinceRit's ceres18:21
bkeysWhat is my apt.sources.list gonna look like?18:22
bkeysI just replaced jessie with ceres in the sources.list18:26

Generated by 2.17.0 by Marius Gedminas - find it at!