Guest15994 | what is a stupid simple static-only minimal attack surface webserver I can use for verifying ACME challenges in beowulf with dehydrated.sh? | 00:04 |
---|---|---|
Guest15994 | I would normally use suckless quark but that's not in the repositories | 00:04 |
Acacia | busybox httpd maybe? It was 2500 lines of C last time I checked | 00:07 |
gnarface | lighttpd and nginx are both known for being lightweight and simple to configure | 00:13 |
gnarface | personally i'd still use apache and just unload any modules i'm not using | 00:14 |
Guest15994 | all those are way too bloated for what i'm looking for | 00:14 |
gnarface | well... you can serve http pages from netcat if you want | 00:14 |
gnarface | won't get much simpler than that | 00:14 |
gnarface | but at a certain point more simple != more secure | 00:15 |
gnarface | i'm certain you can find a bash + netcat httpd script somewhere | 00:15 |
gnarface | i recall someone collected a library of really bad ideas involving netcat | 00:16 |
gnarface | i just don't remember the url | 00:16 |
gnarface | there's also a httpd built directly into the kernel now but i don't have any experience with it, so i can't tell you if it's easy or not | 00:18 |
Guest15994 | i just need a webserver in ~1000 lines of C and all it does is chroot itself, de-escalate privs, and serves static files from a directory | 00:18 |
gnarface | well the only other suggestion i have is "apt-cache search httpd" | 00:20 |
gnarface | i'm seeing several now in ceres that i haven't heard of | 00:20 |
gnarface | some of them seem to match the description of your use case | 00:21 |
gnarface | can you see webfs or micro-httpd in your version? | 00:21 |
Guest15994 | thanks | 00:22 |
Guest15994 | i might just put quark in there myself | 00:22 |
gnarface | fyi, it is "apt-cache search [regexp]" | 00:22 |
gnarface | so if you know some simple patterns you can get better search results | 00:22 |
Guest15994 | btw, gnarface check this out when you get some time | 00:22 |
Guest15994 | http://tools.suckless.org/quark/ | 00:22 |
Guest15994 | it's really good | 00:23 |
Guest15994 | super easy to modify to your needs | 00:23 |
Guest15994 | audit the whole thing in a couple of minutes | 00:23 |
gnarface | hmm, i've heard of quark, i wonder why it's not in the repo... | 00:23 |
Guest15994 | 400 lines in main.c | 00:24 |
Guest15994 | 600 lines in http.c | 00:24 |
yeti | private opinion: suckless software typically sucks more | 03:11 |
yeti | e.g. compile time configuration | 03:11 |
yeti | that does not fit well to a binary distribution | 03:11 |
yeti | a minimal http server as plugin for (x)inetd would even be shorter and suck less | 03:13 |
yeti | :-Þ | 03:13 |
rrq | anyone daring could try https://gitea.devuan.dev/rrq/newlisp-ftw/src/branch/master/hobby-http.lsp | 03:34 |
golinux | The hobby-http is MAGIC! | 03:53 |
Guest15994 | yeti, I'm using quark in a lot of places already, including a CDN | 04:09 |
Guest15994 | it's a fine webserver | 04:09 |
Guest15994 | rrq, oh lisp | 04:10 |
rrq | well. newlisp. | 04:10 |
yeti | but e.g. for adding a new mime info it needs recompiling | 04:11 |
yeti | it is in a header, not a config | 04:11 |
yeti | that would need a rebuild infrastructure like source kernel modules in a binary distro | 04:12 |
yeti | put it in /opt or /usr/local and be happy... but it doesn't fit as *.deb | 04:13 |
yeti | hmmm... classic lisp should have been called consp | 04:35 |
yeti | if lisps were named by their most basic structure | 04:36 |
golinux | yeti . . . you are missing the point that is an amazing tool to serve local file local files. I used it to prepare the new restructured devuan website for beowulf. | 04:48 |
golinux | Yes, you are seeing double! Sorry about that. | 04:48 |
yeti | there are gazillions of tools to serve local files | 04:49 |
golinux | In a browser? | 04:49 |
yeti | and amazing is a purely subjective attribution | 04:49 |
yeti | my autistic brain half even refuses to notice such attributions | 04:50 |
golinux | start it and open the html page like magic. | 04:50 |
golinux | It is quite compatible with my pointy, clicky brain | 04:50 |
golinux | And got the job done. | 04:51 |
yeti | a browser is a huge heap of code. I'd prefer smaller tools for that job. others have other preferences. | 04:52 |
yeti | I'm a fan of diversity | 04:52 |
yeti | but your "amazing" can be my "*cough!!!*" | 04:53 |
yeti | nothing wrong with that | 04:53 |
yeti | we are all the same: different. | 04:54 |
devuan | hello guys, | 05:05 |
devuan | I am using openbox | 05:06 |
devuan | I want my pendrive to be visible, and be able to mount it | 05:06 |
devuan | I saw 2 packages | 05:06 |
devuan | gvfs-fuse, and gvfs-backends | 05:07 |
devuan | will I need them? | 05:07 |
devuan | thanks in advance | 05:07 |
yeti | I've no idea about clicky stuff | 05:09 |
yeti | maybe this? —> http://openbox.org/wiki/Openbox:Pipemenus:obdevicemenu | 05:13 |
aitor | hi | 08:44 |
Guest52853 | i have in mind to build a pipemenu for openbox using didier kryn's hopman project | 08:44 |
Guest52853 | https://git.devuan.org/kryn/hopman | 08:47 |
Wonka | Any idea when the chimaera-security repository will exist? | 11:54 |
gnarface | Wonka: not until after it goes stable i would think | 11:57 |
Wonka | "If you are tracking testing or the next-stable code name, you should always have a corresponding deb http://security.debian.org <"testing" or codename>-security main entry in your apt sources." says https://wiki.debian.org/DebianTesting | 12:00 |
Wonka | shouldn't Devuan follow them there? | 12:00 |
Wonka | reasoning as in https://www.debian.org/security/faq#testing | 12:00 |
gnarface | oh, well maybe i'm wrong then | 12:01 |
gnarface | but i don't think chimera has been live for long so it's probably still being set up | 12:02 |
Wonka | https://wiki.debian.org/Status/Testing says "There does exist a testing-security repository but it is empty. It is there so that people can have the line in their SourcesList to facilitate easily changing it to the next release name. To be clear, there are no security updates in this repository." | 12:02 |
Wonka | I'd like that here too, exactly because "so that people can have the line in their SourcesList to facilitate easily changing it to the next release name." | 12:03 |
Wonka | but well, for now I can comment out that line for chimaera, if there's not going to be something in it until release anyway. | 12:04 |
specing | How does one see init script execution order? | 13:51 |
specing | nvm, didn't googl | 13:52 |
specing | How does one change it? | 14:01 |
specing | There is this: https://askubuntu.com/questions/753922/how-to-change-the-order-of-execution-of-services-at-startup | 14:02 |
specing | which calls update-rc.d <service> defaults <number> | 14:02 |
specing | but the <number> is not documented in manpage and it doesn't change anything | 14:02 |
specing | (and it's an ubuntu forum, so they might have fiddled with that program as well) | 14:03 |
gnarface | if you actually want to change the order you may need to edit the lsb header in the init scripts themselves | 14:04 |
specing | gnarface: alright, how do I make a particular script execute first? | 14:04 |
gnarface | https://wiki.debian.org/LSBInitScripts | 14:05 |
gnarface | this is probably still relevant | 14:05 |
specing | > Is it possible to specify that a given script should start before another script? | 14:06 |
specing | There is no such standard-defined header, but there is a proposed extension implemented in the insserv package (since version 1.09.0-8). Use the X-Start-Before and X-Stop-After headers proposed by ?SuSe. | 14:06 |
gnarface | don't do it that way | 14:07 |
gnarface | use Required-Start and Required-Stop | 14:07 |
specing | But I want it to start before all others | 14:07 |
specing | those two tags are useless | 14:07 |
gnarface | no | 14:08 |
gnarface | you can make something else require it | 14:08 |
gnarface | like the thing that is currently starting first | 14:08 |
specing | .... | 14:08 |
onefang | Or just rename the link to S00- | 14:08 |
gnarface | he was saying that part didn't work | 14:09 |
gnarface | but if it works, then it works... | 14:09 |
gnarface | if it doesn't, then there's always the dependency approach | 14:09 |
specing | onefang: I like that approach | 14:10 |
specing | gnarface: I did not know about that part | 14:10 |
onefang | In theory the scripts are started in numeric order of their symlink name. Been a long time since i last hacked that stuff. | 14:10 |
gnarface | i think the link numbers may not be as relevant anymore due to parallel booting | 14:12 |
specing | /etc/init.d/.depend.boot has "TARGETS = mountkernfs.sh eudev keyboard-setup.sh mountdevsubfs.sh brltty bootlogd urandom mountall.sh mountall-bootclean.sh hwclock.sh mountnfs.sh mountnfs-bootclean.sh alsa-utils networking checkroot.sh hostname.sh procps checkfs.sh checkroot-bootclean.sh bootmisc.sh kmod espeakup screen-cleanup x11-common stop-bootlogd-single apparmor" | 14:12 |
specing | I want to start apparmor at start, otherwise dhclient started by networking will be unconfined | 14:12 |
specing | or, at least that is my working hypothesis for now | 14:12 |
onefang | Messing with the dependency LSB headers might be a better option then. | 14:13 |
nemo | https://news.ycombinator.com/item?id=23464965 gonna be a fun day in the distros | 14:14 |
specing | I think I'm going to install Beowulf | 14:14 |
specing | apparmor support should be better there | 14:14 |
specing | else SELinux/CentOS is still an option | 14:18 |
specing | oh well | 14:18 |
nemo | https://packages.debian.org/sid/libgnutls30 oh yay - 3.6.14 with this gaping security hole fixed is in sid | 14:36 |
nemo | so now just has to end up in backports | 14:36 |
nemo | hm. wonder what the odds are that I could install the sid package for a deep dependency. probably not high ☺ | 14:36 |
nemo | bullseye has it too... | 14:37 |
Wonka | backports? I'd expect that special fix to be put in -security | 14:42 |
Wonka | Iff anything was ever done on oldstable, this would be a case for that. | 14:43 |
nemo | ok. so 3.6.7-4+deb10u4 is what I need to find | 14:46 |
nemo | hmmm beowulf-security is updated but not ascii | 14:58 |
nemo | well, oh wait no. I fail at reading | 14:59 |
Wonka | ascii is oldstable | 14:59 |
nemo | https://security-tracker.debian.org/tracker/source-package/gnutls28 | 14:59 |
nemo | 3.5.8-5+deb9u4 is the stretch fix | 14:59 |
nemo | and it is in ascii | 14:59 |
nemo | however it looks like ascii gnutls has other vulnerabilities. less serious ones | 15:00 |
brocashelm | devuan folks: thoughts on dnscrypt + libredns? | 15:29 |
nemo | brocashelm: as opposed to DoH? | 15:31 |
brocashelm | nemo: libredns does support doh | 15:35 |
brocashelm | i was just wondering what the channel's thoughts are on using these for their dns configs | 15:36 |
nemo | brocashelm: I was thinking more dnscrypt vs doh | 15:39 |
bgstack15 | i'm kinda lame; I just use bind9 and that's it | 15:58 |
humpelstilzchen[ | me too | 15:58 |
bgstack15 | and real resolv.conf; none of that weird new-fangled stuff that says resolv.conf is deprecated | 15:59 |
bgstack15 | but i fully expect the room to agree with me, because of what projects tend to "deprecate" resolv.conf... | 15:59 |
systemdlete2 | People who hate resolv.conf can deprecate it all they want. But software doesn't care if it is insulted or not ("deprecate" means to insult, not to obsolesce. "Obsolesce" means to obsolesce. I'm starting a fund to provide software developers with dictionaries.) | 16:16 |
systemdlete2 | It is far more likely that the person who wrote the software will feel insulted. | 16:18 |
systemdlete2 | I'm just sayin'. | 16:18 |
fsmithred | to pray for deliverance from | 16:21 |
MinceR | they do want software engineers to feel insulted | 16:21 |
MinceR | and praying for deliverance is totally fit for a cult like that of systemd :> | 16:21 |
fsmithred | that was my first thought | 16:21 |
systemdlete2 | fsmithred: Was your remark in reference to mine? Or someone else? (I'm confused) | 16:22 |
fsmithred | yours | 16:23 |
fsmithred | it's one of the definitions of deprecate | 16:23 |
systemdlete2 | deprecate doesn't mean to pray for deliverance... so? | 16:23 |
fsmithred | according to dictionary.com it's an archaic meaning of the word | 16:24 |
systemdlete2 | hmmm. Thanks. | 16:24 |
fsmithred | The earliest meaning of deprecate was "to pray against, as an evil," and soon after this first meaning it took on the additional sense "to express disapproval of." | 16:26 |
fsmithred | - Merriam-Webster | 16:26 |
systemdlete2 | "soon after?" | 16:26 |
fsmithred | lol, yeah probably less than 100 years | 16:26 |
systemdlete2 | But really... what was wrong with "obsolesce" | 16:26 |
systemdlete2 | Wait, I thought you said "archaic?" | 16:27 |
fsmithred | deprecated features are not obsolete - they still work | 16:27 |
fsmithred | for now | 16:27 |
systemdlete2 | Old IBM manuals, and others from that era, used the term "obsolescent" | 16:27 |
systemdlete2 | It didn't mean they disappeared. It just meant to stop using them because they would eventually stop being supported. Same as your own definition. | 16:28 |
systemdlete2 | So "obsolete" really is sufficient. | 16:28 |
systemdlete2 | But I did not know about the other defs of deprecate. | 16:30 |
systemdlete2 | fsmithred: I see the article link from the m-w.com entry. Very interesting. | 16:35 |
systemdlete2 | I am surprised, even disappointed, that neither the entry nor the linked article mentioned obsolescent. | 16:36 |
systemdlete2 | Thanks again for that info. | 16:36 |
systemdlete2 | BTW, I also note that the use of "deprecate" in respect to tech was only added in June 2018. | 16:42 |
fsmithred | no way | 16:43 |
fsmithred | that word has been used in linux for many years | 16:44 |
tomtastic | Beowulf is stable, wonderful. Chimaera however, I was expecting would have a chimaera-security repo available,... and it does not,... yet | 17:18 |
tomtastic | Is this likely to happen in the future, or should I remove that source from my apt config ? | 17:19 |
cosurgi | uh-oh. aptitude started giving me this error: Failed to fetch http://packages.devuan.org/merged/dists/beowulf/InRelease | 17:26 |
cosurgi | Failed to fetch http://packages.devuan.org/merged/dists/beowulf-security/InRelease | 17:26 |
cosurgi | Failed to fetch http://packages.devuan.org/merged/dists/beowulf-updates/InRelease | 17:26 |
cosurgi | any way to fix this? Or just wait for the servers to be back online? | 17:27 |
cosurgi | hey wow: https://devuan.org/os/releases we have Chimaera ! :) | 17:28 |
fsmithred | tomtastic, there will be a chimaera-security when there is a bullseye-security, which will be when bullseye is released as stable. Maybe around a year from now. | 18:05 |
systemdlete | fsmithred: I first noticed the use (or misuse) of "deprecate" in the Perl book by John Christianson et al back in the early 90's. I had never seen it used like that prior to that. The term had always been "obsolescent" | 19:06 |
systemdlete | But that June 2018 date is when m-w added it. | 19:07 |
fsmithred | yeah, I figured that was the case | 19:07 |
systemdlete | There is no question it has been used for a long time. | 19:11 |
tomtastic | fsmithred that's clear, thank you | 19:23 |
plasma41 | cosurgi: Change the domain names to either pkgmaster.devuan.org or deb.devuan.org. I'm pretty sure packages.devuan.org doesn't exist. | 20:00 |
fsmithred | it does, but it won't last forever | 20:02 |
onefang | deb.devuan.org is preferable to pkgmaster.devuan.org, helps to spread the load. pkgmaster.devuan.org is the upstream all the other package mirrors sync to, deb.devuan.org is a DNS round robin that spreads the load to a bunch of our package mirrors. | 20:55 |
tomtastic | I like my updates to come from HTTPS though, and deb.devuan.org doesn't work for that | 21:56 |
onefang | Pick a nearby HTTPS mirror from https://pkgmaster.devuan.org/mirror_list.txt then. There's plenty. | 22:06 |
cosurgi | plasma41, onefang : thanks! It solved the problem :) | 22:07 |
* | cosurgi uses deb.* now | 22:07 |
plasma41 | cosurgi: np | 22:09 |
Guest3495 | Hello. My ZNC is currently down so I've rejoined using a shitty web client | 22:58 |
Guest3495 | I need help | 22:58 |
Guest3495 | I was the one who recently upgraded from v2 to v3 | 22:58 |
Guest3495 | I thought I resolved my dependency hell, but now it seems I have hundreds of permission errors | 22:59 |
Guest3495 | I try to reinstall packages with apt, and it fails | 22:59 |
Guest3495 | The latest error is this | 22:59 |
Guest3495 | God damn I hate webirc | 22:59 |
Guest3495 | It was this | 22:59 |
Guest3495 | ERROR: /usr/bin/msmtp is setgid. torsocks will not work on a setgid executable. | 23:00 |
Guest3495 | So my permissions are bonked | 23:00 |
Guest3495 | I can't run cmus | 23:00 |
Guest3495 | I get a library error | 23:00 |
Guest3495 | cmus: error while loading shared libraries: libcue.so.1: cannot open shared object file: No such file or directory | 23:00 |
Guest3495 | This is despite reinstalling every dependency by hand | 23:00 |
Guest3495 | The latest kernel is broken, when my thinkpad is not on its dock init stalls on the irqloader and makes clicking sounds with the internal buzzer | 23:01 |
Guest3495 | When I boot on the previous kernel, it does not stall but presents several errors surrounding laptop mode following the irqsequencer | 23:01 |
Guest3495 | Or whatever the hell it is called | 23:01 |
Guest3495 | Is anyone available to aid me in fixing this | 23:01 |
Guest3495 | I can't mail to dng, my mail setup is fucked | 23:08 |
Guest3495 | Is there anyone here who can possibly help me | 23:08 |
Guest3495 | This is a somewhat urgent issue and I do not myself know the full extent of what has gone wrong | 23:09 |
tomtastic | Restore from backup ? | 23:13 |
Guest3495 | I have no backup | 23:13 |
Guest3495 | I upgraded the system several days ago with guidance from this channel, using the dist-upgrade method | 23:13 |
Guest3495 | During that time I reached dependency hell at least 5 times | 23:14 |
Guest3495 | I believed it was rectified, but these errors continue to come up | 23:14 |
Guest3495 | Now I've discovered that the interrupt sequencer is broken, I have no laptop-tools, numerous libraries are gone despite being installed and reinstalled, I can't send and receive mail with my fetchmail+mutt+Msmtp setup | 23:15 |
Guest3495 | I can't play music with cmus due to the error, I keep running into issues as they come up | 23:15 |
Guest3495 | I do not know the full extent of damage | 23:15 |
Guest3495 | The interrupt sequencer is scary enough, but when I run bleachbit to clean my swap it fails to come back up | 23:16 |
Guest3495 | I guess I have to idle here until other people see my plea | 23:20 |
plasma41 | Guest3495: Do you have aptitude installed? | 23:52 |
Guest3495 | yes | 23:52 |
plasma41 | Can you run it? Its dependency resolver is top-notch. I wouldn't dare run the crazy hybrid config I use were it not for aptitude. | 23:54 |
Guest3495 | This is broken | 23:55 |
Guest3495 | https://freespeechextremist.com/notice/9vv4wheXzrIN7lJR1U | 23:56 |
Guest3495 | plasma41 | 23:56 |
plasma41 | Guest3495: If you want to send me an image, do it without a website that requires javascript, please. | 23:57 |
Guest3495 | It's free javascript under stallmanism, but ok | 23:58 |
Guest3495 | https://freespeechextremist.com/media/44c6ab71-0aff-43e4-9756-dceb4cc905dd/2020-06-09-145442_484x602_scrot.png?name=2020-06-09-145442_484x602_scrot.png | 23:58 |
Guest3495 | https://freespeechextremist.com/media/4434ccee-9f6d-4ba6-9291-121bf1b34090/2020-06-09-145544_1366x768_scrot.png?name=2020-06-09-145544_1366x768_scrot.png | 23:58 |
Guest3495 | https://freespeechextremist.com/media/e433cc59-c05a-4846-8704-97929a39cad5/2020-06-09-145549_1366x768_scrot.png?name=2020-06-09-145549_1366x768_scrot.png | 23:58 |
Guest3495 | https://freespeechextremist.com/media/8c4455dd-7175-4c9f-9505-a8fc35b11e4a/2020-06-09-145553_1366x768_scrot.png?name=2020-06-09-145553_1366x768_scrot.png | 23:58 |
Guest3495 | https://freespeechextremist.com/media/5f9e27d4-765e-4115-9494-e343ca6e1f0c/2020-06-09-145923_484x602_scrot.png?name=2020-06-09-145923_484x602_scrot.png | 23:59 |
plasma41 | https://www.debian.org/doc/manuals/aptitude/ch02s03s03.en.html Is the best thing since sliced bread for dependency resolution. | 23:59 |