March 24, 2017
00:00 <hiro> dalias: true, there's a good reason to avoid such with known vulnerabilities.
00:01 <hiro> dalias: i'm just saying that with careful preselection you can minimize the risk of ever having to update because of such a vulnerability getting found considerably
00:01 <hiro> dalias: that's why i brought up wordpress as an example
00:01 <hiro> dalias: i don't think anybody on this world gains an advantage if wordpress is easier, faster, cheaper to install
00:02 <hiro> dalias: i wish it would be all statically linked, yes.
00:02 <hiro> dalias: because then people can see the *real costs* much more trivially
00:03 <hiro> dalias: this then *painful* size might warn them in time how much time it will cost them in the future to maintain, update, bugfix the update, etc.
00:04 blueness joined
00:04 <hiro> dalias: one more guy choosing a less horrible web framework might already make it worth all the other guys having more time for drinking coffee during the upgrade
00:07 blueness joined
00:08 <hiro> but the main reason i dislike dynamic linking is not because of the incentive it gives to people to be reasonable, but because of the needless complexity it brings to all programs
00:46 fekepp joined
01:27 mdillon joined
01:35 arenstar joined
01:37 fekepp joined
01:42 grrrkit joined
01:49 dirac1 joined
01:57 gopar joined
01:59 n11cky joined
02:01 <n11cky> hey. I've always known alpine as the docker operating system, I wasn't aware that it was even really able to be run on bare metal. Then I learned you guys don't use glibc. Then I learned you guys ship grsec kernels. I'm really interested in using this instead of pfsense as my router.
02:01 <n11cky> What's the difference between linux-grsec and linux-virtgrsec?
02:01 s33se_ joined
02:02 <n11cky> On the downloads page, is the Xen image meant to be run paravirtualized, or is it meant to be used as a dom0?
02:11 <kaniini> n11cky: well
02:11 <kaniini> n11cky: grsec is on its way out, because of various reasons (we will keep pax though)
02:11 <kaniini> n11cky: the virtgrsec is for VMs
02:11 <kaniini> n11cky: and, the xen image is a boot to dom0 livecd
02:12 <n11cky> Aww, too bad to hear that. What's the main reason?
02:12 <n11cky> Are the PaX patches still distributed by anyone except the guy who maintains grsecurity? you guys might have to manually decouple that
02:13 <kaniini> n11cky: they are separately available
02:13 <kaniini> n11cky: we only really use PaX features of grsec kernels anyway, and plan to use AppArmor as a replacement for the non-pax features
02:13 <kaniini> n11cky: allowing us to simplify between "pax or not" versus "giant grsec blob of patching or not"
02:14 <n11cky> that's completely reasonable.
02:14 <kaniini> n11cky: the reality is we are not even shipping grsec kernels today -- we basically have forked grsec due to the availability situation and it's not really sustainable
02:15 <n11cky> i run grsec kernels on a couple of boxes, i can only imagine the constraints you guys have maintaining a distribution with it
02:15 <kaniini> note the website refers to "grsec", not "grsecurity"
02:15 <kaniini> we also want to do things with pax, that spender does not care about
02:16 <kaniini> so the reality is something like
02:16 <kaniini> we basically are owning the fact that we forked grsec anyway
02:16 <kaniini> and are going to redo it properly
02:16 <kaniini> in a way that is more suitable to the distribution
02:17 <kaniini> and allowing us to share hardening between PaX and non-PaX kernels (via apparmor)
02:17 <kaniini> as for what we want to do with PaX
02:17 <kaniini> we want to be able to apply PaX restrictions to specific cgroups (or remove them from specific cgroups)
02:18 <kaniini> thus allowing for things like
02:18 <kaniini> lxd/docker/whatever containers that have PaX or not
02:19 <kaniini> to accomplish that, we basically have to do something better than what we are doing with the 'grsec' kernels right now :)
02:20 <n11cky> it's unfortunate that grsec patches kind of... get in the way of newer kernel features.
02:20 <kaniini> grsec is really obsolete these days
02:20 <n11cky> particularly with containers.
02:20 <kaniini> the reason why people buy the grsecurity patchset is really to fund PaX
02:20 <n11cky> well ever since he decided to close the source up i just feel like things really took a turn for the worse
02:21 <n11cky> grsecurity has always been obsolete since linus decided he didn't want to merge it
02:21 <n11cky> and really, it was dead when they decided they didn't want to try to merge any parts of it individually and decided it had to be all or nothing
02:21 <kaniini> i wonder how much of the grsecurity revenue the PaX guy gets
02:21 <kaniini> maybe someone in the alpine ecosystem should give the PaX guy a job
02:22 <kaniini> ;)
02:22 <n11cky> haha, i hope someone does!
02:22 <bougyman> where is PaX?
02:22 <bougyman> I don't even see him in my backscroll
02:23 <kaniini> PaX is a kernel patch that is included in grsecurity
02:23 <kaniini> maintained by an anonymous person called "the PaX team"
02:23 <n11cky> https://www.grsecurity.net/~paxguy1/?C=M;O=D
02:23 <kaniini> it is possible to get PaX separate from grsecurity though
02:23 <n11cky> paxguy1
02:25 <kaniini> beyond that, the grsec kernels distract from a lot of the other hardening we do in alpine
02:25 <kaniini> so we would like to highlight the fact that it's really a holistic approach
02:25 <kaniini> PaX + fortify + PIE, and soon AppArmor
02:28 <n11cky> wow this is awesome
02:28 <n11cky> http://git.2f30.org/fortify-headers/file/README.html
02:28 <n11cky> I had never heard of this. What an awesome idea
02:29 grrrkit joined
02:29 <grrrkit> hello.
02:30 <grrrkit> I updated a package in testing, now I just need to send a pull request to aports?
02:32 <tmh1999> kaniini : wow. Thank you for shedding some light on this matter !
02:33 <tmh1999> kaniini : from the beginning of my Alpine experience I just thought Alpine takes all grsecurity patches
02:34 <tmh1999> kaniini : so, PaX + fortify headers + PIE + AppArmor + something else would be the new "grsec", you say ?
02:36 <n11cky> tmh1999: the grsec patches rely on PaX, and I believe you guys already have fortify in your kernel. PIE isn't in-kernel.
02:37 <n11cky> so it wouldn't be the "new" grsec, but they'd be removing some features of the grsec patches that aren't used so that they can enable some features that grsecurity doesn't currently include and/or doesn't turn on
02:37 blueness joined
02:38 <n11cky> AppArmor is to be added to replace some of the features that removing grsecurity patches would produce.
02:38 <n11cky> though that's really not a one-to-one type mapping at all
02:39 <n11cky> kaniini: i'm curious, what pushes you guys towards apparmor versus selinux?
02:39 <n11cky> not that I don't understand what you're going after. selinux policy is in a sorry state anywhere that isn't RHEL/Fedora/CentOS
02:41 <n11cky> i wish i knew a bit more about apparmor, i don't feel like I know much at all about it. I know it's path based
02:41 <n11cky> how does that play out when you're doing something with overlayfs / etc?
02:47 <tmh1999> n11cky : if I am not wrong fortify is a separate package in Alpine. Well, by "new grsec" I mean, PaX feature taken from grsecurity (or grsec???), + fortify + AppArmor.
02:47 <tmh1999> n11cky : Is it even correct ?
02:50 <n11cky> tmh1999: you're definitely right that fortify isn't in the kernel
02:50 <n11cky> yeah that's all correct
02:51 <tmh1999> n11cky : Thank you !
02:51 <n11cky> does alpine ship eudev or udev by default?
02:51 <n11cky> i see that you package both!
02:52 Kruge joined
02:53 <n11cky> ahh nevermind, eudev for both.
02:54 <nwmcsween_> so grsec is going closed source?
02:58 <n11cky> nwmcsween_: https://lwn.net/Articles/655721/
02:59 s33se joined
03:10 ahrs joined
03:13 <kaniini> n11cky: apparmor is simpler
03:14 <kaniini> n11cky: notably, it does not have to do with labeling everything in the FS :P
03:14 <kaniini> grrrkit: yes, absolutely that is a way to go
03:15 <kaniini> n11cky: as for overlayfs -- i think it is fine, because it is based on pathname
03:21 <kaniini> tmh1999: the goal is to wind up at two primary kernel packages (and two virt derivatives), -hardened (and -hardened-virt) / -vanilla (and -virt)
03:22 <tmh1999> kaniini : yeah -hardened is what I mean "new grsec"
03:23 <kaniini> tmh1999: -hardened will start as PaX + Yama + AppArmor (-vanilla is already Yama and soon AppArmor)
03:23 t0mmy joined
03:24 <kaniini> tmh1999: once -hardened is ready, it will provides=linux-grsec
03:24 <kaniini> so apk upgrade --available will upgrade you to hardened kernel from grsec (which is different than what spender ships)
03:25 <tmh1999> kaniini : I see
03:27 <kaniini> in future, some kernel based on spender's test patches may be also available in community or such repo
03:27 <tmh1999> kaniini : I should have known vanilla comes with Yama, so I would have submitted config-vanilla.s390x with Yama yesterday ...
03:27 <kaniini> it's a recent change for 3.6
03:28 <kaniini> the overall goal is to enable the same security features for userspace across all kernel options
03:28 <kaniini> so
03:28 <kaniini> userspace -- PIE, fortify, AppArmor, Yama
03:29 <kaniini> kernelspace -- maybe kASLR on vanilla, PaX on hardened
03:30 <kaniini> in future for the hardened kernel, we would want to have cgroup-level control of PaX features since PaX itself does affect userspace too
03:30 systo joined
03:30 <kaniini> that's basically it for future plans right now
03:30 <tmh1999> cool, is there any way/start point I can start to contribute on it ?
03:30 <kaniini> well, right now for 3.6 i hope to have this grsec transition sorted
03:31 <kaniini> once that is done, then we can work on the cgroups integration for pax
03:31 <kaniini> there's other things we need to solve too, like keeping kernel configs in sync across variants
03:32 <kaniini> the hardened kernel profile should have the same drivers/features as vanilla, the only difference should be PaX
03:33 <tmh1999> I see
03:33 <tmh1999> well I am on s390x arch, so I will try to keep it in sync
03:35 <kaniini> that leads me to the other major change i am trying to get done -- allowing proper team maintenance of core packages such as the kernel
03:35 <kaniini> ;)
03:37 <tmh1999> I am also concerned about it. I was talking about having s390x packages be available on the Alpine repo alongside x86, x86_64, aarch64, armhf
03:38 <tmh1999> I understand that letting me build the packages and put it on the repo is a major change since I am not even close to the core team
03:39 <tmh1999> I would love to hear from Alpine core team, ncopa has access to s390x VM so he could build s390x packages
03:39 <tmh1999> so for now it would be great if he does so and put packages online
03:39 <tmh1999> guess too much work for him
03:40 <tmh1999> in the meanwhile I am trying to build all s390x packages on main, given that base packages are all good (gcc, musl, go, openjdk, python, ruby, etc.)
03:40 <tmh1999> patches are being submitted for review
03:55 <kaniini> it really comes down to whether or not you want to be the architecture maintainer for alpine/s390x
03:56 <kaniini> if you do, then in general, i don't think there is any objection to that -- it's a new architecture and it is best to have someone with domain expertise maintaining it
03:57 <kaniini> tmh1999: so really, it comes down to what you want to do :)
03:58 <kaniini> tmh1999: if that is what you want to do, then it is just a matter of going through the appropriate steps with the infrastructure team to give upload rights for your builder(s)
04:00 <kaniini> beyond that -- in general -- i am of the opinion that someone with demonstrated domain expertise concerning alpine on a specific architecture (such as the primary porter of said architecture) should likely be on the core team *anyway*
04:01 <kaniini> a core team which represents all stakeholders is most effective
04:02 <tmh1999> kaniini : I am committed to maintain alpine/s390
04:03 <tmh1999> as you said, I should have shown expertise on s390x arch
04:03 <kaniini> then the next step is to build an image + repo somewhere accessible with apk-tools
04:03 <kaniini> i believe you already have that though
04:03 <tmh1999> I already have a repo. An image is in progress
04:03 <kaniini> so it's just a matter of getting the builder hooked up and uploading the master archive
04:04 <kaniini> clandmeter should be able to facilitate that
04:04 manacit joined
04:04 manacit joined
04:04 <tmh1999> thanks, I will try to get most packages online (properly patched) this week
04:04 <kaniini> :)
04:05 <kaniini> even if we ultimately do not cut a s390x release for 3.6, having it in edge is reasonable as a starting point
04:05 <kaniini> but there's plenty of time to get that sorted
04:05 <tmh1999> yes, being in edge asap is my primary goal
04:06 <tmh1999> I hope if s390x lands on 3.6 without an image, it would be acceptable since aarch64 also follows that path
04:07 <tmh1999> tbh I am pretty novice on that matter (mkinitfs, scripts/mkimage, etc.)
04:07 <tmh1999> but I am picking it up
04:11 <kaniini> i think in general, s390x just needs a filesystem image since the kernel and ramdisk are supplied directly to the VM layer
04:14 <tmh1999> yes, s390x does not need a full-fledged ISO image. I run mkinitfs to create a ramdisk on a chroot, use it with the kernel to boot in KVM, and it currently fails. Trying to figure it out.
04:24 <kaniini> mkimage part isn't needed then :)
04:26 <TemptorSent> er, working on it.
04:54 gopar joined
04:58 <TemptorSent> tmh1999: are all appropriate devices existent?
05:11 <TemptorSent> kaniini: mkimage doesn't just build the image itself now, it also handles building the initramfs, sorting the firmware and modules, etc, that update-kernel otherwise would provide.
05:13 <TemptorSent> kaniini: In other words, it can build a FS layout for any rootfs content you want.
05:15 <TemptorSent> kaniini : All that should be needed to support a new arch as far as mkimage is concerned is the arch and which imagetype to generate.
05:15 <TemptorSent> kaniini: It sounds as though no bootloader is required.
05:19 ryonaloli joined
05:30 <ryonaloli> a heads-up: grsecurity is going private soon. this is going to affect alpine linux, so it sucks hard :/
05:49 <_ikke_> ryonaloli: You mean private also for the test/unstable branch?
05:49 <ryonaloli> yes, for all branches
05:49 <ryonaloli> stable and testing
05:51 <ryonaloli> (source: #grsecurity on oftc)
06:13 cyborg-one joined
06:15 <kaniini> ryonaloli: we are aware, and are working on a solution for it
06:15 <ryonaloli> is the solution just "drop grsec"?
06:15 <kaniini> no
06:16 <ryonaloli> then you'll be trying to maintain your own branches of grsecurity :/
06:16 <ryonaloli> that's going to be dangerous
06:16 <kaniini> also no
06:17 <ryonaloli> wait what. ok now i'm genuinely curious. all i could think of other than that would be to get spender to give you access, which i strongly doubt he'd allow (he said he would not do that for gentoo, at least)
06:18 <kaniini> ultimately, we plan on replacing grsec kernel with our own patchset based on the current PaX testing patches
06:18 <kaniini> spender can do what spender wants to do
06:19 <kaniini> and if you don't like that solution, i am sure you can buy his patches
06:19 <ryonaloli> pax is also being taken away
06:19 <ryonaloli> pipacs is onboard with spender's plan :/
06:19 <kaniini> that sucks
06:20 <kaniini> well, the PaX patch that presently exists, is much smaller than grsecurity patch
06:20 <ryonaloli> i will buy his patches most likely, but only for my servers and workstation. problem is it's $500/month minimum for a single installation. i use alpine w/ grsec on more than 15 computers.
06:20 <ryonaloli> so that'd be expensive heh
06:20 <kaniini> and is likely not impossible to rebase
06:21 <ryonaloli> people have tried :P
06:21 <kaniini> we already basically forked grsec anyway
06:22 <kaniini> what we ship is not the same as what spender is putting out
06:22 <ryonaloli> i know. it's resulted in quite a few quietly released features to mitigate 0days not being in alpine.
06:22 <kaniini> if you are talking about the gcc plugin, we have it
06:22 <ryonaloli> nah
06:22 <kaniini> you are not talking about RAP?
06:22 <ryonaloli> no
06:23 <ryonaloli> it's not in the menuconfig interface because spender doesn't want the bugs fixed in the upstream kernel because he has a beef with hkspp
06:23 <ryonaloli> *kspp
06:23 <ryonaloli> slub-related stuff
06:23 <ryonaloli> well slab too
06:23 blueness joined
06:23 <kaniini> and people wonder why we just (admittedly by side effect) forked it instead
06:23 <kaniini> ;)
06:24 <ryonaloli> that's one of the only ones which i happened to be made aware of by accident. there are quite a lot more it seems.
06:24 <kaniini> i mean, our options are limited
06:24 <kaniini> if they are closing all patch access as has been noted by many people over past few weeks
06:24 <ryonaloli> the sad thing is, unless you know enough about the intricate workings of kernel security, to keep up with all the latest bugs and mitigations, such a fork will always end up being inferior, adding more bugs, or simply resulting in less coverage :P
06:24 <kaniini> then they close it
06:25 <kaniini> ryonaloli: to be honest, the grsec kernel is not 100% of alpine's security story
06:25 <ryonaloli> i know. it also uses the neat fortify source thing.
06:25 <ryonaloli> (i gotta get that into musl sooner or later)
06:26 <kaniini> even musl itself is part of the security story
06:26 <ryonaloli> what else is there, other than hardening for the toolchain, musl, the extra strong fortify source?
06:27 <kaniini> we are working on integrating apparmor which should help contain the packages we ship
06:27 <kaniini> and as mentioned, we are going to look at maintaining our own version of PaX
06:28 <kaniini> in reality, we mainly use grsec sources for PaX
06:28 <ryonaloli> that will be... scary
06:28 <kaniini> if it scares you, buy spender's patches
06:28 <ryonaloli> (well grsec's pax is pax)
06:28 <kaniini> it's the best we can do
06:28 <asie> eh, grsecurity is not perfect either
06:28 <asie> remember marcan vs. grsec?
06:28 <kaniini> however, keep in mind that spender is not really the most honest person on the planet
06:29 <ryonaloli> asie: you mean when he simply found a DoS :P
06:29 <asie> yes, but the reaction is the important part
06:29 <ryonaloli> asie: nothing is perfect, but i've come across quite a few 0days for linux, and they are cheap. i know of one rumored and mostly confirmed 0day for grsec used by VUPEN (Zerodium), which likely does not even work anymore
06:29 <kaniini> and he has a goal of selling you a grsecurity subscription
06:29 <asie> yes, and alpine is effectively ruining that for him
06:29 <asie> because everyone gets a (less stable, in theory) grsec
06:30 <kaniini> yes, well, that's on him now isn't it
06:30 <asie> but a bit more stability is not worth $500/month/machine to most people
06:30 <asie> there are some enterprises in which it is but that's hardly "most"
06:30 <ryonaloli> apparently a lot of people do that
06:30 <kaniini> we are doing the nice thing and renaming our kernel to -hardened
06:30 <ryonaloli> which is a *lot* of money
06:30 <kaniini> since we have not shipped actual grsecurity since 2015
06:30 <kaniini> when he cut us off
06:31 <kaniini> along with everyone else
06:31 <kaniini> but by all means, if you need the absolute security guarantees of grsecurity, you should have already signed up :)
06:31 <asie> ryonaloli: since you seem to be aware of the security world more than i do, what's the truth about openbsd?
06:31 <asie> just curious
06:32 <kaniini> crap by default
06:32 <asie> some people say its security record and standards are massively overhyped
06:32 <asie> some people say otherwise
06:32 <kaniini> it is
06:32 <ryonaloli> openbsd is pretty good but yeah, way overhyped.
06:32 <kaniini> few security holes in 'default install'
06:32 <ryonaloli> it's nice for low-maintenance routers.
06:32 <ryonaloli> but just look at their errata page.
06:32 <kaniini> default install is basically equivalent to alpine-base
06:32 <ryonaloli> kernel panics (DoS), privesc (occasionally)
06:32 <ryonaloli> had a recent privesc to root when using xorg.
06:32 <ryonaloli> (well, their version of xorg)
06:32 <ryonaloli> xenocara
06:33 <asie> the biggest joke i think was pushing everyone onto the openbsd httpd, quickly hacked up in /two weeks/, which had so many issues on first release
06:33 <ryonaloli> i mean it's not bad, it's better than freebsd or netbsd.
06:33 <asie> netbsd seems to have the friendliest community, at least in poland
06:33 <ryonaloli> but it's not the perfect flawless system.
06:33 <ryonaloli> well netbsd has some RCEs in their services.
06:33 <ryonaloli> still out there.
06:33 <ryonaloli> if a friend of mine is to be believed.
06:33 <kaniini> spender? ;)
06:33 <ryonaloli> no lol
06:34 mdillon joined
06:34 <kaniini> ryonaloli: so what is the backstory on why grsecurity testing patches are going private too
06:35 <asie> i feel pretty sure it's "too many people are realizing the testing patches aren't that bad after all"
06:35 <ryonaloli> kaniini: spender is fed up with the kspp taking his work and contributing nothing back, all the while boasting about how amazingly secure the kspp is, even though they are introducing *new* bugs in the process of porting his mitigations, and turning them into half-baked pseudo-mitigations that are trivial to bypass.
06:36 <kaniini> 'his' work
06:36 <asie> 'contributing nothing back'
06:36 <asie> why would they want to contribute back to a for-profit project without being compensated?
06:36 <ryonaloli> they weren't contributing anything back
06:36 <ryonaloli> and it was his work (his and pipacs, with some from ephox)
06:36 <asie> grsecurity is, for all means and purposes, a for-profit project, and should be considered such
06:37 <kaniini> asie: not to mention a project that is arguably violating kernel GPLv2 (stallman's interpretation anyway)
06:37 <asie> it isn't, it's just very clever about it
06:37 <kaniini> i would say in theory it is not
06:37 <asie> grsec itself doesn't violate GPLv2
06:37 <kaniini> but in spirit, it is
06:37 <asie> yes, it does in spirit
06:37 <asie> but violating something in spirit is a bit more complicated than violating something obviously
06:38 <ryonaloli> how does it violate it in spirit?
06:38 <ryonaloli> because you make someone pay for something before giving it to them?
06:38 <asie> no
06:38 <ryonaloli> or the RAP thing?
06:38 <kaniini> because you get punished for redistributing
06:38 <asie> the spirit of GPLv2 is to ensure projects under it can benefit from *all* changes made to them
06:38 <asie> that are out in the public
06:38 <ryonaloli> kaniini: huh? there are a lot of projects which do that.
06:38 <kaniini> if someone buys a grsecurity patch,
06:38 <ryonaloli> a company i work for does that.
06:38 <kaniini> and gives it to alpine
06:38 <kaniini> they would be punished
06:39 <asie> and "a lot of projects which do that" doesn't mean "a lot of project don't violate the GPL's spirit"
06:39 <kaniini> if spender says i am wrong, i will happily give him $500/month for the patches
06:39 <asie> move on to BSDs if you don't like it
06:39 <kaniini> i want it in writing though
06:40 <ryonaloli> kaniini: well, you can distribute it to people, *but* the price goes up the more people you distribute it to
06:40 <ryonaloli> that's something i asked him myself
06:40 <kaniini> and that is the punishment
06:40 <kaniini> voila :)
06:40 <ryonaloli> so yeah you could put it in alpine, but if you gave it to 5k people, it would be insanely expensive
06:40 <asie> ryonaloli: how can Alpine determine the amount of people to pay spender
06:40 <asie> download counts?
06:40 <ryonaloli> probably
06:40 <asie> should Alpine pay $500/month/IP? or maybe $500/month/user?
06:40 <kaniini> we could bring back popularity-contest
06:40 <asie> yes, but the price of maintaining every single user then becomes absurd
06:40 <ryonaloli> i imagine it'd go down to like, the low low price of $400 per user :P
06:40 <asie> ryonaloli: and the problem is
06:41 <asie> someone downloads alpine's grsec kernel and mirrors it
06:41 <asie> what now?
06:41 <asie> they mirror it in, let's say, China, so spender's magic is ineffective there
06:41 <ryonaloli> asie: that's in their right, and spender would not revoke your access
06:41 <asie> yes, but that implies no reproducible builds
06:41 <asie> because distributing the patchfiles alone is punishable
06:41 <ryonaloli> even distributing the patch files
06:41 <ryonaloli> however, he'll only give you the patch files for your specific configuration
06:42 <asie> yes, which, again, is enough for most people
06:42 <ryonaloli> with all the configuration you don't need stripped and replaced with #error
06:42 <ryonaloli> er, wait, no
06:42 <kaniini> but this doesn't violate the GPL in spirit ;)
06:42 <ryonaloli> he just strips other architectures
06:42 <ryonaloli> similar
06:42 <asie> alpine does x86, x86_64, arm and aarch64
06:42 <asie> i think that covers almost every userbase
06:42 <asie> except maybe openpower
06:43 <kaniini> asie: ppc64le, s390x, mips all coming on board for 3.6
06:43 <asie> okay let me fix that
06:43 <kaniini> sooo
06:43 <asie> i think that covers every userbase not exclusive to netbsd
06:43 <ryonaloli> so you'd have to pay extra for all those, for each person who downloads it from you. if people mirror it, you're not liable.
06:43 <kaniini> 7 x $500/mo
06:43 <ryonaloli> nah not 7x
06:43 <ryonaloli> like, 7 x 10000 x $500/mo
06:43 <asie> ryonaloli: okay, so
06:43 <ryonaloli> minus a discount
06:43 <kaniini> ya
06:43 <kaniini> 1% discount amirite
06:43 <ryonaloli> so yeah
06:43 <kaniini> anyway
06:43 <asie> what stops me from creating an appliance with a production count of 7
06:43 <asie> (for each architecture)
06:43 <asie> selling them to kaniini and giving him the source as requested by the GPLv2?
06:44 <ryonaloli> asie: what do you mean?
06:44 <kaniini> haha
06:44 <asie> i make 7 devices
06:44 <asie> each one of them is on a different architecture
06:44 <asie> i use grsecurity on each of them
06:44 <asie> i pay spender $3500/month, as requested
06:44 <asie> then i sell all 7 devices to kaniini, for said $3500/month
06:44 <kaniini> then i request the GPL sources
06:44 <asie> he is not bound to any contract with spender *and* he has GPLv2 grsecurity kernels
06:44 <asie> yes
06:44 <ryonaloli> yeah nothing stops you from doing that.
06:44 <asie> except spender would probably say no
06:45 <ryonaloli> i imagine spender might make an exception if he knows that you are intentionally doing it...
06:45 <kaniini> anyway, all of this is moot -- the official grsec patches do not meet alpine's free software guidelines
06:45 <ryonaloli> rather than some dude who got a router from a huge company mirroring the source...
06:45 <asie> as i keep reiterating: i believe grsecurity is abusing the spirit of the gplv2 and the linux kernel for monetary gain
06:46 <kaniini> we would not want a crazy bipolar person showing up at some company who uses alpine demanding money
06:46 <kaniini> it is just bad for us
06:46 <ryonaloli> it's not monetary gain. it's entirely ego.
06:46 <ryonaloli> he hates the kspp.
06:46 <ryonaloli> he makes money now, he has for a while.
06:46 <kaniini> it's both
06:46 <asie> ryonaloli: the thing is
06:46 <kaniini> it's money and bipolar
06:46 <asie> if the kspp gets access to the patches via some appliance
06:46 <asie> he has accomplished zero
06:46 <asie> nothing, null, void
06:46 <asie> he just makes it harder for them, but not impossible
06:46 <kaniini> the reality he hates kspp
06:46 <ryonaloli> asie: kspp will just work on the old grsec patches
06:46 <kaniini> because
06:46 <kaniini> it cuts into his potential customers
06:46 <asie> i mean one of the devs could just pay the $500/month
06:46 <ryonaloli> work for many many years trying to upstream it
06:47 <asie> and even not redistribute a single patch
06:47 <asie> just explain how the patch works to others who then reimplement it, and he wouldn't even have to know this is happening
06:47 <ryonaloli> asie: i think he wants to spite them
06:47 <asie> yes, it's messed up
06:47 <ryonaloli> not actually find an effective way to stop the problem
06:47 <ryonaloli> even though it causes real harm
06:47 <ryonaloli> i mean i've worked my ass off trying to get Tails to upstream grsec
06:47 <ryonaloli> and i was *this close*
06:47 <asie> this is exactly why projects like kspp are needed
06:47 <ryonaloli> well, something like kspp maybe...
06:47 <kaniini> stop believing the spender hype
06:47 <ryonaloli> kspp itself is crappy. really ineffective, upstreaming half-assed mitigations that don't work
06:48 <asie> and?
06:48 <kaniini> how do you know
06:48 <asie> they're trying
06:48 <ryonaloli> kaniini: this is stuff which i've verified myself.
06:48 <asie> that's what matters
06:48 <kaniini> asie: i think we are talking to spender right now even
06:48 <ryonaloli> i know enough about security to understand that :P
06:48 <kaniini> ;)
06:48 <asie> ultimately, a person who tries to help the world but isn't very good at it is better than a person who is great at having an ego
06:48 <asie> one of them learning will benefit the world, the other one already knowing doesn't really do as much good
06:48 <asie> even if projects like kspp are half-assed, i believe such efforts should be aided, not laughed at
06:49 <asie> maybe they're not malicious, maybe they're just genuinely unaware of some problems
06:49 <kaniini> ryonaloli: i think kspp is very early in its infancy, and it is just kees cook right now really driving it
06:49 <kaniini> but i know kees has done good work driving security in debian/ubuntu for years
06:49 <ryonaloli> kees seems to be the only person who isn't deserving of blame even
06:49 <kaniini> so i think it is worth giving some time
06:50 <ryonaloli> i think it would be, in theory, if it were not hyped up
06:50 <kaniini> and grsecurity isn't hyped? :)
06:50 <ryonaloli> it's hyped up more than grsecurity among kernel devs
06:50 <ryonaloli> way more than grsecurity
06:50 <asie> yes, because, unlike grsecurity, they have a hope of getting them into the project they love?
06:50 <kaniini> sounds like it will be a success
06:50 <kaniini> spender's just jelly
06:50 <asie> grsecurity is a walled garden, why should they be hyped about it
06:50 <ryonaloli> yeah, a success like KASLR :P
06:50 <asie> it's against their interest
06:51 <kaniini> ASLR isn't really meant to be a security measure as much as it is meant to make attackers have to work harder
06:51 <ryonaloli> talking about KASLR, not ASLR
06:51 <asie> supporting grsecurity is against the interest of the linux kernel mainline
06:51 <ryonaloli> which does not make attackers work harder
06:51 <ryonaloli> you know there's an unprivileged instruction on x86 which defeats KASLR
06:51 <kaniini> haha
06:51 <ryonaloli> a single unprivileged instruction
06:51 <ryonaloli> not even kidding
06:51 <ryonaloli> SIDT
06:52 <ryonaloli> no timing attack
06:52 <kaniini> we do not use kASLR on -vanilla
06:52 <ryonaloli> called once. provides you with the IDT, which can be used, indirectly, to break KASLR.
06:52 <kaniini> yep
06:52 <ryonaloli> and UMIP is not in any modern processors yet.
06:52 <ryonaloli> (UMIP disables SIDT)
06:52 <kaniini> but x86 is a security disaster anyway
06:52 <kaniini> PaX is a giant hack to try to solve the problem :p
06:53 <ryonaloli> PaX is an approach to mitigating classes of bugs. it's not just a marketing term, it actually does that.
06:53 <ryonaloli> UDEREF is superior to SMEP/SMAP, for example.
06:53 <kaniini> what PaX originally did
06:53 <ryonaloli> architecture independent, and came long before
06:53 <kaniini> is a giant hack
06:54 <ryonaloli> not talking about the old, old original stuff
06:54 <ryonaloli> back when stacks were all executable
06:54 <ryonaloli> and solar was so proud about his no exec stack patch
06:54 <ryonaloli> i'm talking about modern PaX
06:54 <ryonaloli> (and grsecurity)
06:55 Keverw joined
06:55 <kaniini> for someone who claims to not be spender, you sure do talk a lot like him ^_^
06:55 <ryonaloli> man i wish i was spender
06:55 <asie> i'm pretty sure i saw this nickname before not being spender
06:55 <asie> i'm just not sure where
06:55 <asie> but "anyone who supports spender is spender" is a silly argument tbh
06:56 <kaniini> that's not what i mean
06:56 <kaniini> spender is very much a winners/losers kind of guy
06:56 <kaniini> much like the current US president
06:56 <ryonaloli> spoiler: i'm actually pipacs
06:56 <ryonaloli> and ephox combined
06:56 <kaniini> how much is your salary from grsec then? ;)
06:56 <asie> $500/month
06:56 <asie> -$500/month*
06:57 <kaniini> shit $500/mo is ballin money in hungary
06:57 <kaniini> actually i do not know if it is or not
06:57 <asie> eh, memes aside, grsec is a tough subject
06:58 <ryonaloli> honestly i don't think it should be. i wish spender just did his thing, and linux foundation did its thing. spender/pipacs could keep putting up their mitigations and fixes, and LF could keep doing what they do best (nothing^Wtimproving performance, adding good driver support, calling bugs bugs, etc)
06:58 <kaniini> haha linux foundation
06:58 <ryonaloli> people who really want good security can patch -p1 < ../grsecurity.patch, people who don't can just use regular linux
06:59 <ryonaloli> and meanwhile, people slowly make grsec more and more accessible, like Corsac's linux-grsec
06:59 <asie> ryonaloli: "people who really want good security can pay $500/instance/month and patch -p1 < ../grsecurity.patch, people who don't or can't afford it or run linux distros can just use regular linux"
06:59 <ryonaloli> asie: yeah, and then get pwnt by cheap $20k sploits
07:00 <ryonaloli> to put it into perspective, an apache exploit goes for around $1m, same with IIS
07:00 <asie> ryonaloli: i can't afford $500/month for my $10/month VPS
07:00 <* ryonaloli> hopes no one realizes that those two are the most expensive to buy
07:00 <asie> apache? really?
07:00 <asie> huh.
07:00 <ryonaloli> apache is $1-2m when selling to gov't. apache core is *really* fucking hardened.
07:01 <ryonaloli> raytheon si can sit down for months not finding any bugs.
07:01 <ryonaloli> whereas nginx?
07:01 <kaniini> look we know nginx is crap
07:01 <ryonaloli> nginx prides itself on not having many assert()s :P
07:01 <kaniini> anyone who looks at nginx code
07:01 <asie> isn't lighttpd worse though?
07:01 <kaniini> will know immediately it is crap
07:01 <asie> at least that's what i heard
07:01 <ryonaloli> i dunno much about lighttpd. i've heard conflicting things.
07:01 <kaniini> i had the 'pleasure' of hacking in syslog support into nginx once
07:01 <asie> i suppose this explains why openbsd wrote their own httpd, and botched it by forcing it in two weeks after the project started into mainline
07:01 <kaniini> it took quite a bit of booze
07:01 <kaniini> to make it happen
07:02 <ryonaloli> my co-admin wants to switch to node.js
07:02 <ryonaloli> to replace both php and lighttpd all together
07:02 <kaniini> co-admin for what
07:02 <ryonaloli> a website of mine
07:02 <kaniini> which is?
07:02 <ryonaloli> he does the software dev work
07:02 <kaniini> i need to have an idea of what type of website needs this mission critical security work
07:02 <ryonaloli> a rather nsfw website which i won't post here
07:02 <ryonaloli> so it's not that important
07:03 <ryonaloli> but i still want to keep it secure since i use it as a testing ground for some things
07:03 <kaniini> > security
07:03 <kaniini> > using PHP
07:03 <kaniini> :D
07:03 <ryonaloli> well there's always suhosin :P
07:03 <ryonaloli> (and it should be better than node :P)
07:03 volleyper joined
07:03 <ryonaloli> but still
07:03 <ryonaloli> i haven't looked into node too much anyway
07:03 <kaniini> it's a shitshow
07:04 <kaniini> hope that helps
07:04 <ryonaloli> yeah not surprised
07:04 <ryonaloli> i imagine quite a bit worse than lighttpd
07:04 <ryonaloli> but we're switching from nginx to lighttpd due to having far less code
07:04 <kaniini> ryonaloli: i mean, dont get me wrong -- i wish spender would be chill
07:04 <ryonaloli> and a smaller binary even with the lightest configuration
07:04 <ryonaloli> kaniini: the smartest people seem to be the ones with the biggest ego
07:05 <ryonaloli> spender, theo, literally anyone who works for the intelligence community and who speaks in public
07:05 <kaniini> ryonaloli: not always, i know plenty of people who are very smart and quite humble
07:05 <asie> ryonaloli: the correlation only works one way and it's flawed at best
07:06 <ryonaloli> asie: that's probably true, correlation bias and all.
07:06 <kaniini> i mean
07:06 <kaniini> up until august 2015
07:06 <ryonaloli> solar, comex, etc.
07:06 <ryonaloli> but then there's kernelbof, grugq, halvar? those are some big egos.
07:06 <kaniini> we were quite happy with grsec being the go-to kernel patch of choice for people needing a hardened environment
07:07 <kaniini> it was good
07:07 <kaniini> alpine users were quite happy
07:07 <kaniini> we gave back fixes to spender
07:07 <kaniini> including in pax
07:10 <kaniini> ryonaloli: i wouldn't write off the alpine hardened kernel quite yet. there are good people who work on the kernel around here who have a reasonable idea of what they are doing -- maybe we are not spender, but we have managed to keep a fork of grsec going for the past year and a half without serious incident :)
07:11 <ryonaloli> well aside from not upstreaming important mitigations to 0day which get silently rolled out :P
07:11 <kaniini> well, that is on spender. personally i would not want that on my conscience, but he seems to not care
07:11 <ryonaloli> (which sucks because spender not wanting the kspp to know causes alpine to not know either)
07:11 <asie> yes, alpine is slightly, um
07:12 <asie> understaffed to read every single grsec update every hour of every dya
07:12 <asie> day*
07:12 <asie> they do their best but they can only do so much
07:12 <ryonaloli> asie: it'd work out if the changelogs were descriptive
07:12 <kaniini> we havent looked at grsecurity since august 2015 except to import RAP :)
07:12 <ryonaloli> but he loves keeping things to himself
07:12 <ryonaloli> oh dear
07:12 <ryonaloli> you should diff each update
07:12 <ryonaloli> you will find neat things
07:12 <asie> "should"
07:12 <kaniini> we have in the past
07:12 <asie> that won't last for long will it eh
07:12 blahdodo joined
07:12 <ryonaloli> yeah :/
07:13 <ryonaloli> well, at least rebase on 4.9.9
07:13 <ryonaloli> there have been a lot of improvements that landed in there
07:13 <ryonaloli> (not talking about RAP)
07:13 <kaniini> we can't
07:14 <kaniini> the current grsecurity patches, even the 'free' ones violate our free software guidelines
07:14 <asie> really? how so?
07:14 <asie> aren't they just GPLv2?
07:14 <kaniini> well, i should rephrase
07:14 <kaniini> in theory, they do not
07:14 <asie> *can* they be anything but just GPLv2?
07:14 <asie> no, the free ones
07:14 <asie> can they be anything but "just GPLv2"?
07:14 <kaniini> in practice, we don't really want spender causing us trouble
07:14 <asie> unless your FSG includes "no code from spender"
07:14 <asie> he can say literally nothing about what you do
07:15 <asie> with stuff that's out there in public
07:15 <kaniini> i mean, like i said
07:15 <kaniini> we take a look at them
07:15 <ryonaloli> how would spender cause troubles if you put the free, testing version in alpine?
07:17 <kaniini> as you discuss earlier: he is revoking that
07:17 <kaniini> at any rate, looks like we rebased on 4.9.14 a few days ago
07:17 <ryonaloli> he's only not releasing anything new
07:17 <ryonaloli> ah
07:18 <ryonaloli> ok well that solves the problem
07:18 <kaniini> it solves it for now
07:19 kvda joined
07:20 <kaniini> ryonaloli: maybe the KSPP will get some additional help from alpine devs now :)
07:28 Ayyad joined
07:33 orbiter joined
07:56 consus joined
07:56 <consus> Hi guys
07:57 <consus> Maybe someone has an APK package for gitlab-ce?
07:58 fekepp joined
08:07 sparklyballs joined
08:13 <ryonaloli> kaniini: does alpine have frame pointers enabled?
08:13 <ryonaloli> in the kernel, i mean
08:24 zhasha joined
08:28 kvda joined
08:35 blueness joined
08:39 royger joined
08:40 newbz joined
08:40 <newbz> is php7 already implemented for alpine?
08:41 rollniak joined
08:43 <_ikke_> newbz: https://pkgs.alpinelinux.org/packages?name=php7&branch=&repo=&arch=&maintainer=
08:43 <newbz> oh its in the edge repo
08:44 <newbz> thanks
08:44 <_ikke_> also in 3.5/community
08:52 t0mmy joined
08:54 <consus> Hm...
08:54 <consus> Is there a way to ask apk to install -doc packages to every package I install?
08:55 <consus> I can tell apk install gdb gdb-doc for sure but gdb wants python2 and I also want a manual page for that thing.
08:55 <consus> *Can I
08:58 <consus> Also where can I find debug symbols for smtpd? I have a segfault with the default config in 3.5.2 :(
08:59 <consus> And for libcrypto
08:59 <consus> segv in RAND_pseudo_bytes()
09:09 t0mmy joined
09:14 consus__ joined
09:16 rabrux[m] left
09:16 Jarrah[m] left
09:20 <yGweSm1OzVHe> consus__: you might want to install the -dbg packages for the debugging symbols
09:21 <consus__> Yes
09:21 <consus__> But there is no -dbg package for opensmtpd
09:21 <consus__> Or libasr
09:21 <consus__> But I've already found this bug in bugzilla
09:21 <consus__> It's marked as fixed so I guess I'll just wait for the next release
09:22 <yGweSm1OzVHe> you can easily build one by adding a -dbg to subpackages in the APKBUILD file and doing an `abuild -r` afterwards
09:22 <consus__> :(
09:23 <consus__> Well of course I am
09:23 <consus__> But it would nice to have it in stock
09:23 <consus__> Why some packages do have a -dbg and some don't?
09:23 <consus__> *would be
09:24 <yGweSm1OzVHe> would be nice indeed to have -dbg automatically generated - agreed.
09:24 <yGweSm1OzVHe> i guess for lots of pkgs it doesn't make sense, like all the non-c/c++ pkgs
09:24 <consus__> Of course
09:24 <consus__> But we have a file utility
09:25 <consus__> That can tell us if we have any binaries in a package
09:25 <consus__> And if we do have it would be nice to have -dbg
09:25 <consus__> Patches welcome?
09:25 <yGweSm1OzVHe> binaries are also produced by stuff like go
09:25 <consus__> Why not
09:26 <consus__> Maybe it would help to debug stuff
09:26 <consus__> It helps with perl xs module a lot
09:26 <consus__> *modules
09:37 kvda joined
09:42 fekepp joined
09:58 blueness joined
10:01 kvda joined
10:02 fekepp joined
10:04 fekepp joined
10:09 <ncopa> ryonaloli: do you have url or reference that grsecurity testing patches will go dark?
10:09 <ryonaloli> ncopa: nope, not out yet. go ask spender on #grsecurity on oftc.
10:09 t0mmy joined
10:09 <ryonaloli> or ask perfinion in #gentoo-hardened here, who is also there and overheard some of it
10:11 <ryonaloli> oh i see you're already on #grsecurity
10:12 <ryonaloli> just read the scroll log then
10:12 Wizzup joined
10:25 <TBB> pardon my French but this backlog is some heavy sh*t
10:26 <TBB> sets many things I do daily in an entirely new light...
10:26 <ryonaloli> re. grsec?
10:28 <yGweSm1OzVHe> i asked someone close to the grsec people and the answer was "possibly"
10:29 <ryonaloli> yGweSm1OzVHe: possibly what?
10:29 <^7heo> TBB: care to paste
10:29 <^7heo> ?
10:30 <TBB> I meant the backlog on this channel, the entire grsec conversation
10:30 <^7heo> ah
10:30 <clandmeter> yes its an interesting read.
10:31 <yGweSm1OzVHe> ryonaloli: "possibly going dark"
10:31 <ryonaloli> yGweSm1OzVHe: oh, it's nearly certain
10:31 <^7heo> I'll read that from a real screen tho
10:31 <ryonaloli> spender was ranting and raving about it
10:31 <Wizzup> ryonaloli: he does tend to rant sometimes
10:31 <ryonaloli> i mean, from his own mouth, saying it's a certainty
10:31 <Wizzup> let's just hope it won't happen :)
10:32 <clandmeter> ryonaloli, do you have a paste from it?
10:32 <ryonaloli> Wizzup: has he done this before, saying there's nothing that will change his mind, but having enough people going to him being upset about it actually changing?
10:32 <ryonaloli> clandmeter: maybe, one sec
10:33 <TBB> I can understand him in a way, it's not nice to work on something passionately for years only to see no compensation for it
10:35 <ryonaloli> https://bpaste.net/show/8764af42e0ad
10:36 avih joined
10:37 <yGweSm1OzVHe> so we all stop working on free software now?
10:37 <clandmeter> ryonaloli, thx
10:37 <ryonaloli> yGweSm1OzVHe: yup. we all install windows me
10:37 <ryonaloli> and grape ape
10:45 consus joined
10:45 <ryonaloli> Wizzup: well, if it does happen... at least he's not dropping the whole *project*...
10:45 <ryonaloli> you can still pay $500/month
10:45 <ryonaloli> for a single computer
10:45 leprechau joined
10:45 <asie> "pay $500/month for a single computer" yet you keep saying it with a straight face
10:45 <asie> you know very well most people in here do not represent businesses with budgets sizeable enough to afford this
10:45 Ayyad joined
10:45 <ryonaloli> asie: that's kind of the point
10:46 <consus> Hmm
10:46 <asie> i am aware most people who would need grsec *are* businesses with budgets sizeable enough to afford the grsec patches
10:46 <ryonaloli> "oh don't worry, you can just do this thing that's extremely difficult for the average person to afford"
10:46 <asie> eh. poe's law strikes again
10:46 <ryonaloli> i don't know if it was someone here, but i remember someone saying "i'm not going to pay $500/month for my $10/month vps"
10:46 <asie> me!
10:46 <ryonaloli> that was you? :P
10:46 <asie> it was actually me.
10:46 <asie> yes
10:47 <ryonaloli> it was perfect
10:47 <ryonaloli> even the $10/month vps deserves to be protected
10:47 <asie> yes
10:47 <ryonaloli> not just the expensive $2000/month 1 TiB RAM quad xeon monster
10:48 <asie> i understand spender. he doesn't like it when his work is abused, misused, stolen or applied incorrectly.
10:48 <asie> such is the fate of a passionate developer
10:48 <asie> but his answer, while the only answer, is also not the correct answer
10:48 <ryonaloli> which is very unfortunate
10:48 <asie> there /is/ no solution. his work will still be abused, misused, stolen and applied incorrectly, just with more spite/hoops
10:48 <ryonaloli> because it's an answer pushed upon all of us
10:49 <asie> until he blacklists everyone
10:49 <asie> at which point, what's the point?
10:49 <ryonaloli> at least to me, it seems like it doesn't directly affect him heavily
10:49 <ryonaloli> it seems to be, to a large extent, just drama
10:49 <ryonaloli> personal drama
10:49 <consus> Hm..
10:49 <asie> no, he's passionate
10:50 <asie> i'm pretty sure one of the initial reasons for him locking down was companies slapping grsec on their hardware mindlessly
10:50 <asie> no?
10:50 <ryonaloli> well that's still drama, even if it's a result of passion from someone who has an understanding of his field that precious few people do
10:50 <consus> How often do you guys have bugfix releases?
10:50 <asie> that counts as "abused, misused"; stolen, to him, is people using his work without the respect he demands
10:51 <asie> however, this is the ideal picture, painting spender as a passionate developer constantly attacked and harmed by the world as it stands
10:52 <asie> but then we get the picture of spender's aggression over the marcan thing
10:52 <consus> I need the most recent opensmtpd package
10:52 <asie> and the image becomes a bit less ideal
10:52 <consus> because the one in the main repo crashes with sigsegv :D
10:52 <asie> in fact, i'd argue it shows the true motive: it's not strictly passion, but pride
10:52 <ryonaloli> ego and passion are intimately related
10:52 <asie> not necessarily
10:53 <darkfader> well, if you give out something under a generous license because you want the world to be better, and you see someone to use it to rip off the world a bit
10:54 <asie> you will not stop evil people
10:54 <darkfader> it could even be valid to go ballistic
10:54 <ryonaloli> darkfader: he didn't choose the license
10:54 <asie> in the minecraft modding scene, i saw a lot of modders put their work under a restrictive license because they didn't want anyone to steal their work
10:54 <darkfader> yeah but you can run around for a year and shout fucking assholes, i'm ok with that
10:54 <asie> the end result was that those modders never got external contributions
10:54 <asie> while people who wanted to steal their work did so anyway
10:54 <ryonaloli> it's a derivative work of the linux kernel, which is GPLv2
10:55 <TBB> I wonder how nobody's even considered hiring him with a generous salary to do his development work. Oracle, for example, could well afford it and would gain a competitive advantage
10:55 <ryonaloli> TBB: "i don't take money from LF"
10:55 <darkfader> TBB: they did that with ksplice, worked ok
10:55 <asie> why couldn't we fund him for alpine?
10:55 <ryonaloli> granted, that was after a lot of this shit went down
10:55 <ryonaloli> but still
10:55 <darkfader> solaris now has full hotpatching thanks to that
10:55 <ryonaloli> asie: does alpine have that kind of money?
10:55 <asie> ryonaloli: can we crowdfund?
10:55 <TBB> I was wondering about that possibility too, asie
10:55 <darkfader> i would love to
10:55 <asie> there are some companies slowly becoming interested in alpine
10:55 <darkfader> if you look at /names
10:55 <ryonaloli> you got the kind of dough to pay someone like him?
10:56 <asie> one person? no
10:56 <darkfader> we can definitely hire people on the community
10:56 <asie> the entire community?
10:56 <TBB> I'm not sure if the Alpine community could afford the amount of money he's talking about
10:56 <asie> we can expand our community
10:56 <darkfader> part-time? :)
10:56 <ryonaloli> to *hire* him, you'd effectively be paying his entire salary
10:56 <ryonaloli> or near it
10:56 <asie> $500/month/every machine grsec is used on, correct?
10:56 <darkfader> well that is ofc not gonna happen
10:56 <ryonaloli> that's if you buy access to the patches
10:57 <asie> no you don't understand
10:57 <TBB> I'm pretty sure it's impossible to pay that much, however, "volume licensing" of some sort could be done
10:57 <asie> that's his entire salary, no?
10:57 <ryonaloli> that's not the same as subcontracting from him
10:57 <asie> TBB: impossible, because the moment he gives us stable patches
10:57 <asie> paying $500/month/machine becomes redundant
10:57 <asie> we'd effectively have to cover ALL of it
10:57 <asie> also, "Sponsorship is a critical source of stable funding for grsecurity that has allowed our work to continue over the past 15 years and make it available for free to the public." <- will this be changed? :)
10:57 <ryonaloli> plus, the community can't pay that... i mean you expect everyone who uses alpine with grsec to cough up $500/month?
10:57 <ryonaloli> $6400/year?
10:58 <ryonaloli> asie: after 4.9, when he finally closes it
10:58 <asie> ryonaloli: you don't understand
10:58 <asie> unless you do actually mean everyone using alpine with grsec, or rather everyone using grsec from alpine
10:58 <asie> that'd probably quickly jump to millions of dollars a month
10:58 <ryonaloli> i mean if you think the alpine community is gonna pay him, say, $100k a year
10:58 <asie> that'd be doable, takes a company using alpine on what
10:59 <asie> 16 machines?
10:59 <asie> think about it: if it cost a company $100k a year to pay spender for working on alpine-grsec
10:59 <asie> the moment that company has 16 or more machines using grsec it's savings
10:59 <ryonaloli> that's assuming it doesn't go down at all
10:59 <ryonaloli> i imagine $6400/year is the base rate
11:00 <ryonaloli> it likely drops significantly, to the point where 16 machines is far less
11:00 <asie> i still think $100k a year is not at all impossible
11:00 <ryonaloli> possibly, but do you have any such company in mind? and why would they use alpine, and not just directly go through spender as they already have?
11:01 <asie> that is a good and hard question
11:01 <asie> but it's the only route going forward, unless gentoo-hardened folk or someone enters an effective arms race with spender
11:01 <asie> and we really really really really really don't need that
11:01 <ryonaloli> an arms race to do what?
11:01 <ryonaloli> no one can compete with him on this front
11:02 <TBB> I'm pretty sure there are a couple of people in the Linux community who can
11:02 <ryonaloli> you'd be surprised
11:02 <ryonaloli> no one understands the internals like he does
11:02 <TBB> however, those guys too want to pay their rent and eat something
11:02 <ryonaloli> the people who do break thigns
11:02 <ryonaloli> *things
11:02 <asie> ryonaloli: i disregard most arguments which start in "no one"
11:02 <ryonaloli> comex, halvar, etc.
11:02 <asie> because that goes down to experience
11:03 <asie> there are definitely people as talented as spender, if not more; they lack experience in the linux kernel specifically
11:03 <ryonaloli> asie: well get solar designer to get familiar with grsec then
11:03 <ryonaloli> get him back in the game and maybe it'll work out
11:03 <asie> but we can consider spender a lost cause at this point
11:03 <ryonaloli> then get halvar on our side
11:03 <ryonaloli> and comex
11:03 <ryonaloli> i mean good luck with all of it
11:03 <ryonaloli> but it just won't happen
11:03 <asie> his work is no longer available for usage by the alpine linux team in any rational manner
11:03 <asie> in other words, spender does not exist in this context anymore
11:03 <asie> name a second
11:04 <ryonaloli> a second what?
11:04 <asie> also, apparently the price does go down at volume: "Also they've asked us (a Russian hosting company) for $17000+ a year for access their stable patches. $17k is quite a lot for us. A question about negotiating a lower price was completely ignored. Twice."
11:05 <asie> "a second what?" - a person not as good as spender but one whose work could still be valuable, obviously
11:05 <asie> "nobody" is not an answer - security is important and something has to be done
11:05 <ryonaloli> solar designer
11:05 <asie> assuming a defeatist "only spender can save us!" attitude means that we all have lost
11:06 <ryonaloli> halvar flake
11:06 <yGweSm1OzVHe> you are ignoring paxteam is as essential as spender to this
11:06 <ryonaloli> yGweSm1OzVHe: he's onboard with spender
11:06 <yGweSm1OzVHe> i am aware
11:06 <ryonaloli> unfortunately
11:06 <yGweSm1OzVHe> but just pointing out it's not only spender who's doing this
11:06 <asie> there's two routes now:
11:06 <asie> - find a way to work with spender, and we tried for a long time
11:06 <ryonaloli> i believe pipacs is simply following spender's lead
11:07 <asie> - effectively boycott spender by assembling a new, even if less experienced, security team
11:07 <yGweSm1OzVHe> forking is always an option indeed
11:07 <ryonaloli> asie: not one of the people i mentioned would be willing to do that
11:07 <asie> ryonaloli: then find new people and give them a chance
11:07 <yGweSm1OzVHe> but you cannot fork people quickly, takes more than a decade and is of questionable success probability
11:07 <asie> do you see another option?
11:08 <asie> it's either fork it or give up
11:09 <ryonaloli> or switch to a different system
11:09 <asie> like what?
11:09 <ryonaloli> openbsd, hardenedbsd. maybe linux with quarkslab's capsulse. those are not nearly as good as grsec, but they're better than vanilla linux, or anything another team could assemble with a fork.
11:10 <asie> OpenBSD as far as I recall has serious problems for non-security activities
11:10 <asie> did they finally solve the biglock?
11:10 <ryonaloli> for networking-related kernel code
11:10 <ryonaloli> but that's all, so far
11:10 <asie> oof, not enough. i kept running into stutter issues in desktop usage
11:12 <TBB> as I expressed my opinion at the project coffee space a moment ago... I think it's time for a better Unix :)
11:12 <TBB> I know, I know... "now there are 15 competing standards" (xkcd)
11:12 <asie> TBB: there was an attempt, killed by lawyers
11:12 <ryonaloli> hurd!
11:12 <TBB> hurd will save us!
11:12 <asie> no hurd was killed by everyone but lawyers
11:12 <ryonaloli> we need a microkernel!
11:12 <ryonaloli> haha
11:13 <asie> was thinking more about plan 9
11:13 <TBB> how did lawyers kill that one?
11:13 <asie> they refused to release the source code when the project died under any sane licensing terms for a long time
11:13 <TBB> ah, okay
11:13 <asie> we got a mixture of Lucent Public License for one release and, since 2013, GPLv2 for another
11:14 <asie> and before that the license was even worse
11:14 volleyper joined
11:14 <TBB> p9 had some good ideas, some of which have been brought over to Linux... but we could do so much more than just that
11:14 <ryonaloli> well there could have been solaris :/
11:14 <asie> yes
11:14 <ryonaloli> if oracle didn't kill opensolaris
11:14 <asie> well, Plan 9 invented UTF-8
11:14 <asie> we all benefit from it now
11:14 <royger> ryonaloli: they re-enabled the big-lock before release, weren't completely sure it would work 100% and preferred to stay on the safe side
11:15 <TBB> yeh, and it took the concept of "everything is a file" a lot further than any other unixlike back then
11:15 <ryonaloli> royger: the biglock for the networking code?
11:15 <asie> TBB: which most unixlikes are now moving away from
11:15 <asie> well, not really moving away
11:15 <TBB> yes oh yes, I'm in support of the new unix revolution!
11:15 <asie> rather "everything is a file in a special binary format only our tool understands"
11:15 <asie> "unless it isn't a file"
11:16 <asie> i always wanted to work on my own hobbyist OS, just for fun
11:16 <TBB> asie, well, /proc and /sys are good examples on Linux of how that concept has been adopted
11:16 <asie> TBB: yes
11:16 <ryonaloli> is it openbsd which has those weird binary sysctls
11:16 <asie> no i was thinking systemd log format
11:17 <ryonaloli> no not that
11:17 <ryonaloli> there's some OS with i think some sysctls that are totally binary
11:17 <consus> sys has binary attrs to
11:17 <consus> *too
11:17 <asie> eh, even plan9 has some binary data, like /dev/audioctl
11:17 <asie> there's reasons for it - binary is much faster to parse
11:17 <asie> and parsing is not cheap
11:17 <asie> but in that case a good answer would be to have a common binary serialization format
11:17 <asie> which can be translated to text and back on the UI level
11:17 <consus> Err
11:18 <royger> ryonaloli: well, they are doing it in small parts, I think it's the forwarding path that's still under the giant-lock, plus drivers and something else
11:18 <royger> pf also is single-threaded IIRC
11:18 <consus> E.g. SysFS has binary attrs in order to allow you to push some binary crap without formatting
11:18 <consus> Like a firmware
11:18 <ryonaloli> royger: oh so atm pretty much everything
11:18 <royger> drivers I guess it's on a driver-by-driver basis, and whether someone has converted it.
11:19 <ryonaloli> well i run openbsd on a single core system anyway so it's not a real blocker for me.
11:19 <ryonaloli> it will be if i switch my 48 core system to openbsd though...
11:19 <consus> Still
11:19 <ryonaloli> that i really really need linux on
11:19 <consus> Is there a way to fetch newer binary packages while sitting on main?
11:20 <TBB> yup, apk add package@tag
11:20 <consus> Hm
11:20 <royger> ryonaloli: right, I think the scheduler is also a bit crappy on SMP, since it doesn't know anything about topology, so it tends to burn the cache
11:20 <consus> And how soon there will be another 3.5.x?
11:21 <consus> Crashing apps seem like a valid reason to release another one :)
11:21 <TBB> at some point, sure, there have been what, 3 releases of the 3.5 series already
11:21 <TBB> ahh, that reminds me, I should be debugging that bloody hplip bug that I'm by no means skillwise equipped to debug :/
11:22 <consus> What's wrong with hplip?
11:22 <TBB> asie: speaking of binary data and data in general, it's been my dream for years to get userland tools that would give me their output in both human-readable and machine-readable formats
11:22 <asie> I use hplip by piping foo2zjs-wrapper to /dev/usb/lp0 :/
11:22 <asie> wait, no, not hplip
11:22 <asie> i use foo2zjs, yeah
11:22 ogres joined
11:22 <asie> because it just seems to work more reliably for me, heh
11:23 <TBB> consus: in my setups one specific shared library encounters an illegal instruction trap
11:23 <consus> Gear up the gdb!
11:23 <TBB> asie, I'll have to consider that as a solution too unless one of our better coders can figure out what causes that crash
11:23 <consus> Or systemtap
11:24 <consus> It will give you enough info
11:24 <TBB> consus, not quite that simple, grsec makes using gdb pain
11:24 <consus> systemtap then
11:25 <TBB> I'll look into that, thanks for the tip :)
11:25 <consus> It works in kernel via the kernel API
11:25 <consus> It should work fine with grsec
11:26 <TBB> overall I'll have to get a lot deeper into Linux in general, I'm already balls deep but I'm currently simply not man enough to fill it all :/
11:26 <TBB> *cough* did I just type that?
11:26 cyteen joined
11:26 <consus> Oh yeah
11:27 <TBB> maybe if I got some of those "enlarge your linux" pills ...
11:27 <consus> Eh
11:27 <consus> It's not that hard
11:28 <consus> It took me five or six months to learn how to work with Linux kernel code
11:28 <TBB> well it's one of those things, you know... the good old "the more you know the better you know how little you know" kind of scenario
11:28 <consus> block/ and kernel/ mostly, but nevertheless
11:29 <consus> Well yeah
11:29 <TBB> and I've got a serious problem with regards to this in general as I've got an attitude problem with C :D
11:30 <consus> Eh?
11:30 <TBB> I'm allergic to C
11:30 <consus> Why?
11:30 <consus> It dead simple
11:30 <consus> *It's
11:30 <asie> TBB: What languages do you like?
11:31 <consus> Well I'd prefer to write my shit in Haskell, but performance is the issue so it's C =/
11:31 <TBB> I think the root of that was that even though I've even coded in assembly for over two decades I never quite felt that knowledge transferred over to C
11:32 <TBB> the whole notation of it feels repulsive to me; it's probably just that I didn't spend enough time at it to acquire the taste for it
11:33 <TBB> asie, I'm not a programmer so what few programming needs I have I can handle with Bash and (laugh if you want to) TCL
11:33 <asie> What's so funny about Tcl?
11:34 <TBB> I've always had my priorities elsewhere really, I quite early in my professional life came to the realisation that coding is not what I want to do for a living
11:34 <asie> I'm honestly scared that I will realize that as well
11:34 <asie> I'm sitting here at uni
11:34 <TBB> I don't know asie, I've grown to quite like it and today marks my 20th year with TCL
11:34 <asie> but I do not have a plan B
11:34 <hiro> i already know i won't try to be coding
11:34 <hiro> i always avoided it as much as possible
11:35 <hiro> and i'm proud of that
11:35 <asie> I don't have a plan B
11:35 <TBB> I basically try to be a "general specialist", in other words, have a wide picture of things, which is why I change my professional focus once every 5 years or so
11:35 <asie> and I'm mildly scared
11:35 <zhasha> asie: you can probably find a Plan B iso somewhere
11:35 <hiro> TBB: my professional focus is life
11:35 <asie> I wish I had a Plan @
11:35 <hiro> TBB: so far it's working just fine
11:35 <hiro> and i use plan 9, so all is good
11:36 <TBB> if it were entirely up to me, I would be working with pool billiards instead of IT, but there's no money in it
11:36 <zhasha> https://lsub.org/ls/planb.html
11:36 danci1973 joined
11:36 <hiro> i'm gonna stay in it but not program
11:36 <danci1973> Hello...
11:36 <TBB> and IT has taken so much of my time especially in the last couple of years that I had to give up my national ranking ...
11:36 <asie> wait is this #alpine-linux or #cat-v
11:36 <asie> i'm mildly confused
11:37 <consus> Hurray!
11:37 <consus> alpine can do ruby
11:38 <consus> So I can try to install gitlab
11:38 <danci1973> I have a router with alpine 3.2.3 and I'm trying to implement a Nagios check 'check_procs'. But this command doesn't 'see' all of the processes - using the '-vvv' option it seems it runs just '/bin/ps' with no additional arguments, which only shows processes from my current login session.
11:38 <zhasha> Alpine has reminded me that my T61 is, in fact, a supercomputer
11:38 <asie> i mean, i always wanted to get into art, and writing sometimes
11:38 <asie> i wanted to do a lot of other hobbyist coding etc
11:38 <asie> but somehow i got stuck working on minecraft mods in java
11:39 <asie> what did i do wrong
11:39 <TBB> danci1973: grsecurity limits that
11:39 <danci1973> TBB: Can I do something about it?
11:39 blueness joined
11:39 <TBB> asie, you were afraid of the starving artist lifestyle, that's what happened
11:40 <zhasha> be root
11:40 <asie> TBB: no
11:40 <danci1973> TBB: i.e. allow check_procs to 'see' all processes?
11:40 <asie> actually, no
11:40 <asie> i have actively refused free money multiple times at this point
11:40 <TBB> danci1973, I'm not sure exactly how grsec limits it, just a sec
11:41 <asie> by which i mean rejecting the usage of mod hosting services providing payouts per download (higher than the usual ad-based URL shortener, as the funding is a bit different)
11:41 <asie> or, rather, one service in particular
11:41 <asie> more that every time i tried doing anything outside of coding i was so dissatisfied with the results and frustration i just went back to doing what i'm already decent at
11:42 <TBB> asie: ah. I came to a crossroads 10 years ago where I had to decide which two of IT, pool and music production I can continue with
11:42 <asie> i'm just horrible at anything which is not coding at this point
11:42 <asie> this possibly includes survival
11:42 kvda joined
11:42 <hiro> just make easy money in IT and fund music hobby
11:42 <hiro> music never makes money so this is the way to combine it
11:44 <asie> i should sell my small collection of retro hardware, but i don't have the heart to
11:45 <hiro> don't then? :)
11:45 <hiro> hardware is the only thing that didnt disappoint me from technology
11:46 <hiro> software is always shit, special purpose hardware doesn't even lose much value
11:46 <hiro> so i wish i had gotten more music gear even earlier
11:47 <hiro> especially when i still had more space! :)
11:49 <TBB> in my case, IT ate all the time for both pool and music
11:49 <TBB> and what it didn't was consumed by women, wine and song...
11:49 blueness joined
11:55 fredrikhl joined
11:57 <fredrikhl> What are flagged packages on pkgs.alpinelinux.org? They don't seem to be included in either of the APKINDEX-es
11:58 <TBB> danci1973: seems grsec limits visibility to kernel processes at least; not sure if it can be sysctl'd away, but I'm pretty sure the 'see only your own processes' mechanism is sysctlable
12:03 cyborg-one joined
12:03 <Kruge> Well. That was a pretty intense scroll buffer.
12:06 blueness joined
12:13 farosas joined
12:36 Kruppt joined
12:38 <hiro> TBB: sounds still kinda healthy
12:38 <^7heo> moin hiro
13:02 mbentley joined
13:09 t0mmy joined
13:11 cartwright joined
13:17 ppisati joined
13:23 <hiro> moin moin :)
13:24 <dalias> hmm, someone pointed me to this: https://bugzilla.mozilla.org/show_bug.cgi?id=1345661
13:24 <dalias> any idea what alpine's way of handling it is? or does this just affect prebuilt binaries from moz?
13:40 wicoa joined
13:46 CcxWrk joined
13:56 blueness joined
14:04 hairyhenderson joined
14:12 <odc> dalias: look at http://git.alpinelinux.org/cgit/aports/tree/testing/firefox/APKBUILD
14:12 <odc> --disable-pulseaudio
14:13 <asie> until FF54 exclusive
14:14 <odc> asie: is that official? They said they would not delete the alsa code
14:18 <asie> as far as i know FF54 introduces a sandbox which simply doesn't work with alsa
14:18 <asie> so someone'd have to fix it
14:18 <avih> they said for now they're not removing alsa and patches will still be accepted, but they won't push further fixes on their own. my interpretation is that unless someone steps up and takes ownership of alsa in firefox, it will break completely sooner rather than later
14:18 <asie> yes
14:18 <asie> FF54 will break it at least
14:19 <avih> iirc someone at that bug (or another related one) offered to take ownership of alsa, but i don't recall public followups
14:22 <avih> (fwiw, i was working for mozilla for some years till recently)
14:26 preyalone joined
14:29 CcxWrk joined
14:34 <odc> if i understand correctly, all we need to make sandboxing work is to allow firefox to access the alsa devices in /dev right?
14:39 <odc> actually that's already the case https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#118
14:39 <algitbot> Bug #118: Cannot join samba via web interface - Alpine Linux - Alpine Linux Development: http://bugs.alpinelinux.org/issues/118
14:39 <odc> look at line 149
14:39 <odc> lol @ stupid bot
14:40 ryanlelek joined
14:43 andor2007 joined
14:46 <hiro> 15:18 asie as far as i know FF54 introduces a sandbox which simply doesn't work with alsa
14:46 <hiro> asie: what about oss?
14:55 Skele joined
14:56 <avih> pa would need to escape the sandbox too, it's just that it will, and unless someone does it for alsa, alsa won't, as far as i understand
15:01 <dalias> ncopa, it would be helpful for alpine maintainers to comment on that bug report in a manner that sounds intelligent and aimed at fixing things
15:02 andor2007 joined
15:03 <ncopa> hi dalias been busy with other stuff this morning. some grsecurity drama...
15:03 <kaniini> yes, if grsecurity goes dark
15:03 <kaniini> this is problematic for us in the short term
15:03 <ncopa> wow, that firefox alsa bug on bugzilla is long
15:04 <kaniini> if pax is included in that going dark, that is even worse
15:04 <ncopa> kaniini: it will likely happen
15:04 <ncopa> and yes, it will include pax
15:05 <ncopa> i think the core of the problem is this: <spender> just tired of being disrespected and exploited
15:05 <kaniini> he is not exactly the easiest person to get along with though
15:05 <ncopa> i know
15:06 <ncopa> co-operating with humans and kernel security are different skill sets
15:07 <kaniini> dalias: --disable-pulseaudio
15:07 <kaniini> dalias: is pretty much how we solve it iirc
15:11 <ncopa> oh the firefox issue is drama too
15:11 <dalias> supposedly alsa is going to break
15:11 <dalias> because of the sandbox model
15:11 <ncopa> intentionally break (from what i understand at quick look at it)
15:12 <kaniini> yay drama
15:12 <ncopa> i dont know if i have energy for more drama today
15:12 <dalias> in order to keep working it probably needs some special handling to hook it up to the sandbox
15:12 <dalias> :(
15:12 <kaniini> well i will start working on drafting a -hardened APKBUILD as previously discussed
15:13 <kaniini> i think PaX on its own will be easy enough to rebase
15:13 <ncopa> pax will go dark too
15:13 <kaniini> yes, hence rebase
15:13 <kaniini> although that only buys us time :/
15:13 <kaniini> because eventually it will break
15:14 <ncopa> i suspect things will stop at next kernel upgrade
15:14 <ncopa> 4.9 -> 4.$next
15:15 <ncopa> that they upstream some of the grsec feature does not make it easier
15:15 <kaniini> with PaX going dark, i'm not sure what we can do really
15:15 <ncopa> same
15:16 <ncopa> i dont know what we can do
15:16 <kaniini> we can either try to fork PaX, or drop it and tell people if they really want the grsecurity to go buy a patch from spender
15:16 <ncopa> the problem is at people level
15:16 <kaniini> i don't think forking grsec is a viable way to go, it is too monolithic
15:16 <ncopa> i doubt we can fork grsecurity
15:16 <kaniini> imo, PaX is doable though
15:17 <kaniini> right, that is what i am saying
15:17 <kaniini> worst case we just have -vanilla provides=linux-grsec
15:18 <kaniini> but i think PaX itself is maintainable
15:18 <kaniini> i looked at it, it is not very invasive
15:18 <kaniini> well, i mean, it is, but
15:22 <asie> i'd argue alpine should just create its own patchset and build it up slowly and modularly, while keeping linux-grsec around for as long as 4.9 is supported
15:23 <asie> (as in, by the kernel devs)
15:23 <danci1973> I have an interface that needs to be set up via DHCP, but it must not get the default GW from it... Is there a way I can set up /etc/network/interfaces to achieve that?
15:24 <kaniini> asie: yes, that seems likely
15:25 <kaniini> asie: however, we may not wish to keep 4.9 for many release cycles
15:25 <asie> and i believe linux-alpine should then supersede both linux-vanilla and linux-grsec, being a "middle way" between the two
15:29 <avih> while i don't have any stakes in this, i'd think that if alpine devs decide to roll out their own security system, it should not carry the name "alpine" in it. this way i think it could attract more attention and contribution for not having the image of being alpine specific
15:30 <danci1973> Or to ask in a different way - can I add 'dhcpcd' options for specific interface(s) in /etc/network/interfaces ?
15:30 lesion joined
15:32 czart joined
15:32 <dalias> danci1973 has a good question; i don't know the answer tho
15:43 Ganwell joined
15:44 dfgg joined
15:44 black_rez joined
15:47 igitoor joined
15:47 rkm joined
15:48 <rkm> hello, anyone there building linux kernel on alpine from source
15:48 <rkm> ?
15:48 <rkm> i have a asm/types.h not found error.
15:48 <kaniini> apk add build-base
15:48 <rkm> I already installed alpine-sdk
15:49 <kaniini> you want build-base, alpine-sdk is for something else :P
15:49 <rkm> ah. okay. thanks @kaniini i am trying right away..
15:50 <TBB> right. I've been doing alpine packaging and stuff for a year now, and now I find out about build-base :D
15:50 <kaniini> alpine-sdk is for "i want to run abuild or master a cd image"
15:50 <kaniini> build-base is for "i just want to run a compiler"
15:51 <rkm> seems like build-base is already installed
15:51 <kaniini> weird
15:51 <kaniini> where do you see asm/types.h error then
15:51 <rkm> is there any way i can check for build-base installation, like the existence of a file perhaps?
15:52 <rkm> apk add build-base "\n" OK: 892 MiB in 181 packages
15:52 <kaniini> danci1973: and no, i am pretty certain /etc/network/interfaces does not support dhcpcd options :(
15:53 <rkm> here is the error from make on kernel
15:53 <rkm> https://paste.debian.net/920076/
15:55 <kaniini> hmm
15:55 James_T joined
15:58 tmh1999 joined
15:59 tmh1999 joined
16:00 igitoor joined
16:00 TemptorSent joined
16:12 mmlb joined
16:29 SirCmpwn joined
16:30 jackmcbarn joined
16:30 doppo joined
16:53 blueness joined
16:59 LouisA joined
17:36 biax joined
17:37 <preyalone> Can Alpine's Valgrind run musl binaries, or glibc or what?
17:43 blueness joined
17:45 <dalias> it can run musl binaries. not sure about others
17:47 jackmcbarn joined
17:48 betawaffle left
18:01 dplummer joined
18:04 orbiter joined
18:05 <nmeum> kaniini rkm: build-base doesn't include the linux-headers package you need to install that
18:06 volleyper joined
18:12 <kaniini> nmeum: that seems like a bug in build-base
18:14 <nmeum> not really, if you want to install the build dependencies for linux-vanilla just go into the abuild directory and run abuild deps
18:22 gromero joined
18:26 Berra joined
18:33 blackwind_123 joined
18:34 danci1973 joined
18:53 sergey joined
19:02 cyborg-one joined
19:14 czart_ joined
19:16 eugo joined
19:18 Emperor_Earth joined
19:41 eugo joined
19:42 gopar joined
19:48 mbentley joined
20:01 myrrd joined
20:04 Nilium joined
20:05 blueness joined
20:06 <Nilium> Anyone noticing errors when fetching the main 3.5 APKINDEX?
20:06 <Nilium> Seems like I've seen more temporary errors lately.
20:06 <myrrd> yes, here too
20:07 <kaniini> from which mirror?
20:07 <kaniini> it could be a broken mirror
20:07 <kaniini> or maybe some DNS problem
20:07 <Nilium> Unfortunately don't know since the VM for it went down
20:08 <myrrd> http://dl-cdn.alpinelinux.org/alpine/
20:08 <Nilium> It's definitely not consistently failing, anyway
20:10 <Nilium> I guess I could go prod the different mirrors and see if it's just one
20:10 <Xe> Nilium: when i have those dns errors, i usually reboot the host
20:10 <Nilium> Well, that's basically what it's trying to do
20:10 <Xe> it's kind of annoying, but it resolves the problem quickly
20:10 <Xe> no i mean
20:10 <Xe> if a guest sees it, i reboot the host machine
20:11 <Nilium> That said, don't know if it's a DNS error
20:12 <kaniini> what do the errors look like
20:12 <scv> ~reboot to fix~
20:12 <* scv> pukes
20:12 <kaniini> i do not think rebooting has any effect
20:12 <scv> this isn't windows
20:12 <kaniini> i suspect what we see here is temporary DNS issue
20:12 <kaniini> ;)
20:12 <kaniini> like some sort of DNS micro-outage
20:12 t0mmy joined
20:13 <tmh1999> dl-8 works for me in NY
20:13 <Nilium> kaniini: "WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz: temporary error (try again later)" is unfortunately all I ahve
20:13 <Nilium> *have
20:13 <tmh1999> Nilium : try dl-8
20:13 <kaniini> that is a dns error i think
20:13 <Nilium> I'll switch it around later. It's up now.
20:13 <myrrd> I'm consistently getting 503 response for that file
20:13 <myrrd> http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
20:13 <scv> i do get that from time to time
20:14 <scv> and it is just lack of dns response
20:14 <scv> usually works fine 2nd attempt
20:14 <Xe> scv: i only really reboot the machine if it continues to fail to work, it usually fails from inside a separate network namespace though
20:15 <Xe> (and usually only if it fails over a course of 30+ minutes with different repos and DNS settings)
20:16 <myrrd> https://paste.ofcode.org/TGAtQRqM6EMw7cxEPEA9ab
20:16 <tmh1999> so much paste service...
20:16 <myrrd> lol
20:16 <myrrd> better that than paste it directly
20:17 <tmh1999> anyone know any good/easy to setup paste service on GAE/python ? scrunge.us works but pretty complicated ...
20:17 <Xe> do it using s3
20:17 <Xe> much easier and cheaper
20:17 <tmh1999> s3 ?
20:17 <tmh1999> Xe : s3 ?
20:18 <Xe> tmh1999: AWS s3
20:18 <Xe> it will cost you $0.00/month with low usage for a single person
20:18 <avih> reboot is a great solution for temporary dns issues, as it's as good a time waster as anything else. plus, it takes the os out, freshens it up a little, and puts it back in. perfect. or like.. leave the system for a few mins. this would work too..
20:19 myrrd left
20:19 <tmh1999> Xe: does it take long to setup AWS , with/without CC ?
20:19 <Xe> avih: not to mention if you had updated the kernel on the disk but haven't rebooted for it yet
20:19 <avih> see. all the birds with one stone!
20:19 <Xe> tmh1999: it takes less effort than having this conversation
20:20 <tmh1999> Xe : well I am hosting my email at Google Apps. just skeptical about using another cloud provider service ...
20:20 <Xe> (i've had to make separate AWS accounts for several jobs now, it only takes 5 minutes w/ the phone verification step)
20:20 <tmh1999> Xe : so no CC, and free for 1 year ?
20:20 <Xe> you need a CC
20:21 <tmh1999> Xe : Amazon has email service you think ?
20:21 rafalcpp joined
20:21 <Xe> they do, but i personally use google apps for my email because it's good enough
20:21 <Xe> and aws workmail is kinda weird
20:22 <tmh1999> I see. Thanks. I will give aws s3 a try. Yeah for mail I just need something with best availability. last time zoho sucked really hard
20:24 radhus joined
20:42 <* kaniini> is making good progress on splitting out each PaX feature
20:43 <_ikke_> kaniini: ^5
20:43 <TBB> awesome
20:43 <TBB> and I don't use that word lightly
20:45 <kaniini> however, i think that this patchset should be standalone like apk-tools, so maybe we should come up with some name for it
20:45 <kaniini> :D
20:51 <felixjet> if it's not one thing it's another...
20:52 <felixjet> alpine repos are down
20:53 <kaniini> seems it is a fastly DNS issue
20:55 <avih> i had dns/access issues recently too, but then it got fixed
20:55 <avih> (the main(?) apk repo)
20:58 ymvunjq_ joined
21:00 <ymvunjq_> hello, I would like to know if it is possible to boot alpine linux from an iso image stored on a USB stick. I saw lots of examples, but it seems that it does not work
21:03 <kaniini> mileage varies
21:03 <kaniini> if it is an EFI-only system, may have problems
21:04 <ymvunjq_> it is not an EFI system
21:05 <ymvunjq_> the nlplug-findfs program in initrd seems to look for something
21:05 <kaniini> ohh
21:05 <kaniini> try mounting
21:06 <kaniini> the USB to /media/usb
21:06 <kaniini> or perhaps /media/cdrom
21:06 <kaniini> :)
21:06 <kaniini> then just type
21:06 <kaniini> exit
21:06 <kaniini> and it should continue
21:06 <ymvunjq_> hum
21:06 <ymvunjq_> I will try :)
21:12 bob_ joined
21:13 kbielefe joined
21:18 nanohest joined
21:21 <ymvunjq_> kaniini: i confirm that it works now. I have to first mount the USB key, then the iso file inside the USB key.
21:22 <ymvunjq_> Is there something I can configure inside grub2 to avoid those manipulations ?
21:28 vicsy joined
21:31 <vicsy> hello:-D8-)
21:34 <tmh1999> kaniini : you know why all is in this line ? http://git.alpinelinux.org/cgit/aports/tree/main/lua-sqlite/APKBUILD#n24
21:34 <tmh1999> kaniini : it causes ~/package/main/all/lua*sqlite*.apk to be there
21:34 <tmh1999> kaniini : caused by _package() function in APKBUILD
21:35 <kaniini> i dont know, seems like a bug perhaps. but youd have to ask a lua person ;)
21:35 <kaniini> actually
21:35 <kaniini> that is definitely a bug
21:35 <vicsy> Hi I do not understand you
21:36 <tmh1999> kaniini : should I just strip off _package thing ?
21:36 <kaniini> the :all part i think
21:37 <tmh1999> I want to strip off _package:all and move _package() into package()
21:37 <tmh1999> _package() sounds like ...
21:38 vicsy left
21:41 atomi joined
21:42 <tmh1999> kaniini : you are right, only :all part
21:46 <tmh1999> kaniini : I wish I had a teacher in college who is actually a programmer, so that he would teach his students some shell, perl, lua or at least python, rather than diving in how to OOP-ing java or MIPS hello world.
21:48 <kaniini> :)
21:48 <Xe> tmh1999: find whatever teacher teaches Operating Systems
21:49 <Xe> they usually got connections like that
21:50 <ymvunjq_> kaniini: Is there something I can configure inside grub2 to avoid those manipulations (mount usb, then mount iso) ?
21:51 <kaniini> i never got around to debugging that part or i would just fix it :P
21:51 <ymvunjq_> ok :p
21:51 <ymvunjq_> thank you :)
21:52 shadowshell joined
21:54 kbielefe left
21:56 femme joined
21:58 laj joined
22:07 <tmh1999> Xe : what a shame that my *national* school does not have anyone who does the OS class (or I was unlucky), so the department assigned a guy who does Software Engineering to do the OS class
22:07 <tmh1999> xe : I mean, really? SE for OS class.
22:08 <tmh1999> Xe : I should call the dean and tell him to do a degree in OSS
22:12 c_ joined
22:13 <femme> tmh1999, titles arent everything though
22:40 grrrkit joined
23:04 jkemp101 joined
23:20 kunev joined
23:22 gopar joined
23:25 <ericnoan> does alpine-linux have "binary-blobs" or firmware in the repo?
23:27 mouthbreather joined
23:42 ghavil left
23:45 ghavil joined
23:46 biax left
23:59 <kaniini> ericnoan: there is linux-firmware
23:59 <ericnoan> alright thx