<    April 2017    >
00:12 mdillon joined
01:20 s33se joined
01:28 preyalone joined
01:41 Nobabs27 joined
01:44 ogres joined
01:49 <Nobabs27> ngircd https://pastebin.com/ewa0PwgZ "bad password" ??
01:59 babs_ joined
02:17 Emperor_Earth joined
02:33 kl3_ joined
02:40 blueness joined
02:45 mughal56 joined
03:04 mguentner joined
03:09 babs__ joined
03:12 Nobabs27 joined
03:14 mguentner2 joined
03:15 karim__ joined
03:20 babs_ joined
03:49 babs_ joined
03:55 kn330 joined
03:56 snappy joined
03:56 <snappy> q: is there any information on how zfs on root for alpine works?
04:27 kn330 joined
05:02 kvda joined
05:26 pickfire joined
05:32 blueness joined
05:43 blueness joined
05:51 snappy joined
05:51 snappy joined
05:53 leah2 joined
05:54 greguu joined
05:55 grayhemp joined
06:44 sirnaysayer joined
06:51 sirnaysayer joined
06:52 mdillon joined
06:52 <Sandlayth> hi
06:53 <Sandlayth> i'm trying to install php7
06:53 <Sandlayth> and i get
06:53 <Sandlayth> ERROR: unsatisfiable constraints:
06:53 <Sandlayth> so:libwebp.so.7 (missing):
06:53 <Sandlayth> i tried to apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/main --repository http://dl-cdn.alpinelinux.org/alpine/edge/community docker
06:53 <Sandlayth> as described in https://forums.docker.com/t/docker-apk-package-for-alpine-linux-has-an-unresolved-dependency-to-libseccomp/9604/3
06:53 <Sandlayth> or even in https://bugs.alpinelinux.org/issues/5377
06:54 <Sandlayth> any idea?
07:05 <_ikke_> Sandlayth: Seems like a dependency is missing, try installing the libwebp package
07:07 <Sandlayth> uh
07:08 <Sandlayth> it works
07:08 <Sandlayth> but, apk should install the dependency by itself, shouldn't it?
07:08 <_ikke_> yes, if the dependency was declared properly
07:08 <_ikke_> but apparently it isn't
07:09 <Sandlayth> i should open an issue
07:09 greguu joined
07:09 <snappy> going to repeat question from earlier since there's activity: is there any information on using alpine with zfs on root - i saw an article that as of 3.5 it is supported
07:10 <Sandlayth> wth
07:10 <Sandlayth> on https://pkgs.alpinelinux.org/package/edge/community/x86_64/php7-gd libwebp seems to exist
07:11 <_ikke_> subpackages can have different dependencies
07:12 <_ikke_> snappy: Sorry, don't know much about it
07:13 <Sandlayth> i don't understand
07:13 <Sandlayth> if i previously got this error:
07:13 <snappy> all good, thanks
07:13 <Sandlayth> ERROR: unsatisfiable constraints:
07:13 <Sandlayth> so:libwebp.so.7 (missing):
07:13 <Sandlayth> required by:
07:13 <Sandlayth> php7-gd-7.0.17-r4[so:libwebp.so.7]
07:13 <Sandlayth> it only concerns php7-gd, right?
07:46 grayhemp joined
07:48 slappymcfry joined
08:01 luxio joined
08:01 <luxio> Are there any nonfree components of Alpine?
08:07 greguu joined
08:09 sergey_ joined
08:18 kvda joined
08:51 Berra joined
08:57 <hiro> i'm using a bunch of nonfree packages
09:02 andor2007 joined
09:02 blueness joined
09:02 <clandmeter> hiro, which are?
09:03 <hiro> the iwl firmware and opera
09:03 <hiro> sorry, i forgot opera is just chrome, which is basically "free", lol
09:03 <hiro> though nobody ever managed to read the code.
09:04 <clandmeter> Other than FW most of the non free are going based am mostly useless
09:05 <clandmeter> Glibc based...
09:05 <hiro> yeah
09:05 <hiro> but real freedom comes from within, from clarity of code and small size.
09:06 <hiro> so it's not like it matters really
09:08 <clandmeter> We have exceptions like flash player on chrome
09:09 <clandmeter> It's in our non free repo
09:09 <hiro> ah yeah, i forgot about flash!
09:10 <hiro> probably other stuff, too, but i must have forgotten
09:10 <hiro> also i keep on confusing my multiple installed OS, especially since nowadays i sometimes even use them at the same time through chroots
09:16 greguu joined
09:30 kvda joined
09:57 Madgod joined
10:02 leah2 joined
10:08 Madgod joined
10:11 grayhemp joined
10:22 blueness joined
10:25 greguu joined
10:26 LouisA joined
10:27 <ryonaloli> >opera is just chrome
10:27 <ryonaloli> yeah without the security :P
10:33 <hiro> ryonaloli: security?!
10:33 <hiro> i mean the web browser...
10:34 <ryonaloli> yeah i mean the web browser
10:35 <ryonaloli> chrome == secure. opera == extremely insecure.
10:35 <hiro> ryonaloli: wtf
10:35 <hiro> ryonaloli: is this some kind of in-joke that i don't get?
10:35 <ryonaloli> no?
10:35 <hiro> ryonaloli: well, how do you back up your claim?
10:36 <ryonaloli> you could sell a chrome 0day for $300,000. you could sell an opera 0day for maybe $10,000 or less.
10:36 <hiro> hahaha, so because of market size?
10:36 <ryonaloli> easy to back it up. look at the internals and how chrome does mitigations using its memory allocator (partitionalloc), sandboxing, etc.
10:36 <hiro> oh my fucking...
10:36 <ryonaloli> as well as how google does 24/7 fuzzing on hundreds of cores, is looking into CFI.
10:36 <hiro> hahahahaha
10:37 <hiro> you're fucking insane
10:37 <ryonaloli> heh
10:37 <hiro> there's nothing less insecure than all this complex web shit
10:37 <ryonaloli> i'm talking about which is more secure
10:37 <ryonaloli> i'm not saying that one of them is perfectly secure :P
10:37 <hiro> this is so stupid
10:37 <ryonaloli> lol ok
10:37 <hiro> if you aren't saying it you're leaving away the crucially important disclaimer that both are still nearly just as insecure
10:38 <hiro> fucking googletroll
10:38 <ryonaloli> they're miles apart in terms of insecurity
10:38 <hiro> hahaha
10:38 <hiro> MILES
10:38 <hiro> RISC miles or CISC miles?
10:38 <ryonaloli> oh i get it, you're just one of those people who doesn't like chrome/chromium because of the origin, and is willing to commit a genetic fallacy for your only argument.
10:39 <ryonaloli> regardless of how the browsers actually work.
10:39 <ryonaloli> do note that i am talking exclusively about security, not privacy defaults.
10:39 <hiro> ryonaloli: no. i just hate all browsers that have the size of the linux kernel and do mostly nothing useful for me.
10:39 <ryonaloli> that's fair
10:39 <ryonaloli> it's fine to say that all browsers are vulnerable and all browsers are pieces of shit
10:40 <hiro> as i said, you're diluting this fact.
10:40 <ryonaloli> some are just a good bit more shit than others
10:40 <Nycatelos> It's just that some of them are bigger pieces of shit
10:40 <ryonaloli> precisely
10:40 <hiro> 12:40 ryona some are just a good bit more shit than others
10:40 <hiro> totally irrelevant
10:40 <hiro> there's no way adding more paint to the webkit turd is gonna improve anything
10:40 <ryonaloli> hiro: were you under the impression that i was trying to say that chrome/chromium could not be compromised?
10:41 <hiro> ryonaloli: you were marketing its security "technology"
10:41 <hiro> ryonaloli: there's nothing secure about that "technology", and still you dare to use words like security
10:41 <ryonaloli> its security "technology" are techniques which are not at all unique to chrome, and are used pretty ubiquitously.
10:41 <ryonaloli> nothing to market there.
10:41 <hiro> ryonaloli: pretending there's any way to weigh any more a metric amount of "security"
10:42 <ryonaloli> there's no pretending. that's how infosec works.
10:42 <hiro> ryonaloli: then why do you sound like some google advertisement
10:42 <ryonaloli> it's all about raising the bar.
10:42 <hiro> "how browsers work"
10:42 <ryonaloli> maybe because you have an irrational hatred for google.
10:42 <hiro> "how infosec works"
10:42 <ryonaloli> and anything it creates, you hate it due to google being unethical.
10:42 <Nycatelos> dude everything is just as bad and we should just use unpatched webkit
10:42 <hiro> i don't care about google's ethics
10:43 <hiro> as if you had any amount of meaningful understanding how these browsers work apart from the shitty tech journalist articles that you skipped over that made you catch a couple buzzwords
10:44 <hiro> you're pretending you know something about a topic, that every programmer that works on has to admit he knows nothing about.
10:44 <ryonaloli> hiro, i'm a security consultant and i work for a small defense contractor. i've done exploit brokering. i understand how browsers work without reading shitty tech journalist articles.
10:44 <hiro> hahahahaha
10:44 <hiro> a consultant
10:44 <ryonaloli> do you know what a security consultant is?
10:44 <ryonaloli> you would pay me $200 an hour for my consultation.
10:45 <hiro> ryonaloli: fucking condescending piece of shit
10:45 <ryonaloli> try looking in a mirror.
10:45 <ryonaloli> i only respond in kind.
10:46 <ryonaloli> < hiro> as if you had any amount of meaningful understanding how these browsers work apart from the shitty tech journalist articles that you skipped over that made you catch a couple buzzwords
10:46 <ryonaloli> ^ i'm such a condescending piece of shit :)
10:46 <hiro> ryonaloli: you're fucking retarded.
10:46 <ryonaloli> kk
10:47 <hiro> ryonaloli: as if i would care about your fucking security business partners with their fucked up market which only exists because of insane people stacking turd software on top of turd software
10:47 <ryonaloli> Nycatelos: why unpatched webkit? let's just go back to early netscape with a totally broken prng :D
10:47 <hiro> ryonaloli: when we talk about security on #alpine-linux we are not talking about webkit memory allocators.
10:47 <Nycatelos> ryonaloli: I need to run my javascript faster :p
10:47 <hiro> ryonaloli: it's about low complexity.
10:47 <ryonaloli> hiro: infosec *promotes* low complexity.
10:48 <hiro> ryonaloli: if you want *actual* security, not what your stupid tribe tries to sell us, you make it possible to HANDLE the code, directly.
10:48 <ryonaloli> you see the infosec community constantly lambasting antivirus companies for their high complexity.
10:48 <hiro> ryonaloli: like my granny complaining about windows changing her background image
10:49 <ryonaloli> this is why it's a core goal to reduce the trusted computing base of applications with a large attack surface area (which chrome/chromium does, IE/edge does, firefox will eventually do, and opera does not do at all)
10:49 <ryonaloli> hiro: what are you talking about?
10:50 <hiro> ryonaloli: nothing is gonna change the fact that nobody is able to handle the amount of complexity that is *already there*
10:51 <hiro> ryonaloli: all this security snakeoil technology is not gonna fix the broken architectural decisions that made webkit a piece of shit
10:51 <ryonaloli> are you just talking about UX related stuff?
10:51 <hiro> no
10:51 <hiro> i'm talking about overall complexity
10:51 <ryonaloli> so code/architecture complexity
10:51 <hiro> a concept anybody can understand without having to look at the detail of this fucking browser
10:51 <hiro> ryonaloli: yes.
10:52 <hiro> just because infosec trolls antivirus companies doesn't mean chrome is more secure.
10:52 <ryonaloli> what makes chrome more secure is the smaller TCB
10:52 <ryonaloli> the reduced complexity in the TCB
10:53 <ryonaloli> now sure, crap like libnss not being sandboxed is an issue, because libnss is a piece of shit
10:53 <ryonaloli> but you still have imlib2, webkit, the javascript engine, etc. all sandboxed.
10:55 <ryonaloli> all it means is, if a target of mine is using opera, i say "phew!", if they are using firefox, i say "well i guess i'll have to ask around", and if they are using chrome/chromium, i say "god dammit, let's try to find another angle of attack"
10:55 <ryonaloli> (unless i was working for raytheon or leidos or some shit, in which case i might just use part of my budget to buy a chrome exploit :P)
10:56 <ryonaloli> so yes, it *is* more secure. is it absolutely secure? no, it's a giant fucking browser with insane complexity. but is it more secure than firefox or opera? definitely.
10:56 <ryonaloli> and no amount of saying "everything is too complex i wish things were more simple" is gonna change that
10:59 <hiro> ryonaloli: i don't care about targeted attacks
10:59 <hiro> ryonaloli: i care about actual security AND STABILITY
10:59 <hiro> ryonaloli: if people can gather up 10k to attack me it's already too late
10:59 <ryonaloli> then you still want chrome. its isolation allows it to isolate faults in individual tabs.
10:59 <^7heo> talking about targeted attacks
11:00 <^7heo> chrome is closed source.
11:00 <ryonaloli> ^7heo: chromium is not, though. and chrome is 99.99% open, with the RLZ beacon being the only closed source part.
11:00 <ryonaloli> and the mp4 decoder and flash if you count that.
11:00 <^7heo> therefore it is totally impossible to know what "additions" google (or any party with the needed legislative power) might have done to it.
11:01 <hiro> ryonaloli: i don't think that *everything* is too complex.
11:01 <^7heo> ryonaloli: chromium has much LESS of a market share than opera.
11:01 <ryonaloli> ^7heo: i generally recommend chromium
11:01 <^7heo> ryonaloli: your argument then doesn't stand.
11:01 <^7heo> it's valid for CHROME
11:01 <hiro> ryonaloli: just your stupid mainstream shitsoftware that you can find on your stupid infosec marketplaces
11:01 <^7heo> not chromium.
11:01 <ryonaloli> ^7heo: chromium's source code is identical in terms of what makes it a browser
11:01 <^7heo> how do you know?
11:01 <hiro> ryonaloli: it's shit i explicitly want to avoid
11:01 <^7heo> chrome is closed source...
11:01 <^7heo> how CAN you know?
11:01 <ryonaloli> ^7heo: because you can look at how much is added?
11:01 <^7heo> you just assume.
11:01 <ryonaloli> you see that the RLZ code is added
11:01 <^7heo> assuming makes for GREAT security.
11:01 <^7heo> great chat man.
11:01 <ryonaloli> and you can see plugins are added
11:01 <^7heo> great chat.
11:01 <ryonaloli> lol
11:02 <ryonaloli> ^7heo: you realize chrome is built from chromium, right?
11:02 <ryonaloli> all the actual development from chrome is done in chromium
11:02 leah2 joined
11:02 <ryonaloli> there is close to 0 development that is chrome-specific.
11:02 <^7heo> I realize that I don't know in what measure chrome is built from chromium; and neither do you.
11:02 <^7heo> I realise that I'm not assuming anything in that regard; but you are.
11:02 <ryonaloli> yes i do lol
11:03 <^7heo> s/se/ze/
11:03 <ryonaloli> ok you need to look into how the build process works
11:03 <^7heo> I realize that I'm happy to avoid ANY web interaction anyway.
11:03 <^7heo> No I do not.
11:03 <^7heo> I'm not using any product labelled google.
11:03 <ryonaloli> but you can happily use chromium if you don't trust the RLZ beacon
11:03 <^7heo> and while I will have to, soon, I can at least try to keep it to a bare minimum.
11:03 <ryonaloli> ah another genetic fallacy~
11:04 <ryonaloli> it's a shame, because a good portion of the linux kernel is written by google
11:04 <ryonaloli> especially many of the security features
11:04 <^7heo> I know. I try to avoid it where I can.
11:04 <ryonaloli> you can't. they aren't configurable
11:04 <ryonaloli> i'm not talking about android :P
11:04 <^7heo> Oh sorry, I didn't realize that BSD was derived of Linux...
11:04 <ryonaloli> what
11:04 <ryonaloli> oh
11:04 <^7heo> I guess you know what you're talking about.
11:04 <^7heo> I'll leave you then.
11:04 <ryonaloli> i assumed you were using linux, given the channel you were in
11:05 <^7heo> Assumed.
11:05 <^7heo> Mr Assumer.
11:05 <^7heo> Yeah.
11:05 <^7heo> Be secure ;)
11:05 <^7heo> But not too close to me please.
11:05 <^7heo> o/
11:05 <ryonaloli> mm more fallacies~
11:05 <ryonaloli> making a safe assumption now implies i use assumptions rather than checking the actual development process of a major browser. that's not a good way to go about logical thinking.
11:05 ^7heo left
11:06 <ryonaloli> heh
11:06 <hiro> ryonaloli: look. let's be less insulting for a last time, and explain just as a summary the problem here: #alpine-linux is concerned with making a small base that throws away heavy baggage like glibc, particularly for love of simplicity and fear of needless complexity. You on the other hand are trying to promote the thoughts of a *business* that inherently profits from needless complexity, which gives
11:06 <hiro> it attack vectors for *lots* of simple exploits, and a whole market of security-snakeoil countermeasures. We are not part in this whole charade.
11:07 <ryonaloli> hiro: the infosec community is strongly against complexity. i think you're misrepresenting the snakeoil industries for the infosec community.
11:07 <hiro> ryonaloli: no, infosec is not aligned with your opinion.
11:07 <hiro> ryonaloli: which otoh doesn't matter, because this is not #infosec
11:07 <ryonaloli> we profit off of reducing complexity. i develop a custom operating system which may be switching to modified musl, even.
11:07 <hiro> ryonaloli: i have no wish to find out more about them on this channel.
11:07 <ryonaloli> specifically because it is easier to audit and modify.
11:08 <hiro> ryonaloli: but as chrome is a part of alpine linux it deserves the warning i gave here.
11:08 <ryonaloli> well then, you will continue to have your false believe that infosec tries to profit off of reducing security and adding complexity.
11:08 <ryonaloli> s/believe/belief/
11:10 <hiro> ryonaloli: as i said, i wish to remain completely ignorant of infosec in terms of this channel.
11:10 <hiro> ryonaloli: it's a stupid, boring topic.
11:10 <ryonaloli> then i sure hope you are not using alpine linux for anything security-critical, and i sure hope you do not try to give advice to anyone in this channel without explicitly asking them if they care one bit about security with their use of alpine linux.
11:10 <ryonaloli> otherwise you are doing yourself and others a great disservice.
11:10 <hiro> i give loads of security advice here
11:11 <ryonaloli> oh dear
11:11 <hiro> for example i tell people all the time not to use computers to discuss sensitive issues
11:11 <ryonaloli> i better add your nick to my highlight list
11:11 <hiro> the fix is so much easier than creating an account on your secret forums
11:11 <hiro> hell, it's even easier than installing TOR
11:11 <hiro> ryonaloli: i sure hope so.
11:13 <hiro> 13:04 ryona i assumed you were using linux, given the channel you were in
11:13 <hiro> nowadays it's easy and cheap to have multiple computers and VMs
11:13 <hiro> i don't know any computer geeks that only use one OS
11:13 <ryonaloli> indeed, but it seems he meant he was not using linux at all.
11:14 <ryonaloli> all i cared about was if he used linux at all, even if his primary OS was HP-UX or TempleOS :P
11:14 <hiro> "checking the actual development process of a major browser."
11:14 <hiro> nobody can follow that pace
11:14 <ryonaloli> that's what ESR is for
11:14 <ryonaloli> (for firefox at least)
11:14 <hiro> no, it's still too much code.
11:15 <ryonaloli> plenty of people can follow it. that's how browser forks are maintained.
11:15 <ryonaloli> i mean you have to be dedicated if you want to follow it very well, but you can have a pretty good idea.
11:15 <hiro> so you're telling me i have to trust "plenty of people"?
11:15 <hiro> no, you can't
11:15 <ryonaloli> have you ever tried?
11:15 <hiro> you *feel* like you have a pretty good idea.
11:15 <hiro> and that was my main complaint here from the beginning
11:15 <hiro> you are wrong.
11:16 <hiro> how about you start with downloading the source code of fucking chromium and doing a wc -l ?
11:16 <hiro> then read 10 lines of code
11:16 <hiro> and interpolate how long it would take to read all of them
11:16 <ryonaloli> i've grepped through the entire chromium source and read every memmove() and looked at how it interacted with the rest of the code.
11:16 <ryonaloli> (yes it was painful)
11:17 <hiro> ryonaloli: that's just the low hanging fruits
11:17 <ryonaloli> but who said you had to read it all? i'm talking about following the progress of a browser, not knowing the entire codebase like the back of your hand.
11:17 <hiro> ryonaloli: which is btw the other complaint that i keep on making about infosec: there is NO VALUE in picking low hanging fruits, if the whole stem is completely rotten inside out
11:17 <ryonaloli> there's value to the people selling them :P
11:18 <hiro> ryonaloli: cause if you kick the stem one time really hard you get the whole tree falling with all those infosec dudes falling out the branches trying to pick their stupid fruits
11:18 <hiro> it's worthless.
11:18 <ryonaloli> (it's true though. there is no value in picking low hanging fruits. it's better to create entire mitigations which destroy all those low hanging fruits at once)
11:18 <ryonaloli> e.g. UDEREF
11:18 <hiro> ryonaloli: abstraction isn't successful
11:18 <ryonaloli> takes out all NULL ptr deref-based attacks at once. no need to hunt down every NULL ptr deref in the kernel.
11:19 <ryonaloli> er, vm.mmap_min_addr
11:19 <ryonaloli> UDEREF does more
11:19 <ryonaloli> hiro: i'm not talking about abstraction, i'm talking about mitigations that take out classes of bugs.
11:20 <ryonaloli> instead of hunting individual bugs.
11:20 <hiro> also
11:20 <hiro> 13:15 ryona plenty of people can follow it. that's how browser forks are maintained.
11:20 <hiro> then how come all those browsers are completely buggy all the time
11:20 <hiro> and crash every five minutes
11:20 <ryonaloli> i'm talking about things like tor browser that follow ESR
11:20 <hiro> doesn't sound very "maintained" to me
11:20 <ryonaloli> not like iron browser crap which split off
11:20 <ryonaloli> and go their own way
11:21 <ryonaloli> forks that go their own way are gonna have a tough time. forks that pull in from ESR or a stable tree are gonna have better luck.
11:21 <hiro> "but who said you had to read it all?" -> that's the only way to know that something is even moderately well designed, and thus whether it has *any* chance in being secure.
11:22 <ryonaloli> you talking about just knowing whether or not it's well designed? not talking about a full audit?
11:22 <ryonaloli> because you really don't need to read the whole thing to get an idea of how good it is. just read a bit of imlib2 and you'll understand how bad it is :P
11:23 <hiro> i don't care about *classes of bugs*
11:23 <hiro> again: these are just low hanging fruits
11:23 <hiro> they don't concern me.
11:23 <hiro> firefox is also too big
11:23 <hiro> tor browser includes JAVASCRIPT via firefox
11:24 <ryonaloli> that's why you use noscript to disable javascript, if you want to reduce your attack surface.
11:24 <ryonaloli> a nice little security slider lets you turn it off, and more (like svg images)
11:24 <hiro> totally great idea, running somebody else's, who i explicitly don't trust thus using TOR browser, program, on my computer
11:24 <hiro> then you get shit like webgl
11:24 <hiro> intrinsically insecure.
11:24 <ryonaloli> also disabled on tor browser (and yeah, webgl is a disgusting monster)
11:24 <hiro> and how do you teach people not to use it?
11:24 <hiro> it's useless
11:25 <hiro> whatever snakeoil they put will never make up for all the thousands of ways you can trick your users into helping you execute untrusted code
11:25 <hiro> which is normally not needed, cause javascript is typically enabled BY DEFAULT
11:25 <ryonaloli> well and even with the slider on high, you got nasty image decoders running
11:26 <hiro> 13:22 ryona you talking about just knowing whether or not it's well designed? not talking about a full audit?
11:26 <hiro> i know that shit is not designed well if it does nothing for me, has millions of lines of code, and crashes under my ass all the fucking time
11:26 <hiro> i don't need a full audit
11:26 <ryonaloli> firefox/chrome crashes for you all the time?
11:26 <hiro> though i'd like one just for the sake of argument against you
11:26 <hiro> YOU should make a full audit, personally.
11:26 <hiro> and then come back here
11:27 <hiro> (i hope it gives me some time to do something more useful in the meantime)
11:27 <ryonaloli> oh dear, i could never audit a major browser. no one can. those things are horrific.
11:27 <hiro> imlib2 is my smallest concern.
11:27 <hiro> it's REALLY small in comparison
11:27 <ryonaloli> imlib2 is one of my biggest, because i know it has a 0day for tor browser that doesn't need js :P
11:27 <ryonaloli> (well imlib2 and/or its constituent decoders)
11:28 <ryonaloli> s/has/suffers/
11:28 <hiro> the DOM got complex enough i'd bet there's less bugs in imlib2 even
11:28 <hiro> i know you have a *feeling* that decoding images should be more complex than displaying text
11:29 <hiro> but sadly... it's not.
11:29 <ryonaloli> i know
11:29 <hiro> because of... the software you're trying to support here.
11:29 <ryonaloli> fun fact: it's easier to pwn firefox with text/plain than it is to pwn a fully loaded apache server
11:29 <hiro> 13:27 ryona oh dear, i could never audit a major browser. no one can. those things are horrific.
11:29 <hiro> see
11:29 <hiro> now you agree
11:29 <ryonaloli> i never said that browsers weren't horrific :P
11:30 <ryonaloli> again, all i want to bring home is that some are far worse than others, not that browsers aren't nasty things.
11:31 <hiro> metaphorically you tried to put them onto a scale without showing the algorithm you used for scaling the axis, also you left away the zero.
11:31 <ryonaloli> the scale is >, <, or =
11:31 <ryonaloli> (or >> or <<)
11:31 <hiro> like there's all kinds of normal software near 1000 suck, all kinds of random shit between 1000 and 10000 suck, and you're somewhere at 1000^1000 suck and pretend that a +1 difference there is meaningful in any way
11:32 <ryonaloli> it's extremely meaningful
11:32 <ryonaloli> in many real-life scenarios
11:32 <hiro> nope
11:32 <ryonaloli> the difference between chrome and firefox security has caused me a *lot* of trouble
11:32 <hiro> because in real-life average people like us #alpine-linux members aren't actually targeted by people that want to fuck our lives over if only they could spend 10k on that act.
11:33 <hiro> it's just NOT the realistic median attack scenario
11:33 <hiro> if you belong to the most targeted, it's easy to get by without computer altogether
11:33 <hiro> while otoh most other people just want certain minimum quality standards, which BRING SECURITY as a SIDEEFFECT
11:34 <hiro> you think average people really care how secure their browser is? they just don't want it to crash every 5 minutes, that's all, they want to get their fucking work done.
11:34 <ryonaloli> you realize that first, paying the money is a one-time thing. i have exploits worth more than that, and it's not like i have to go and waste $100k each time i use it. many people don't even *buy* exploits, they find them or trade for them.
11:34 <hiro> and right now that's impossible, because instead of fixing the mess at the root most companies are polishing their turds
11:35 <ryonaloli> second of all, having a less secure browser means you're more likely to be caught up in between the time a massive vulnerability is found in public and the time you upgrade.
11:35 <ryonaloli> or because insecure browsers have many unfixed but mild public bugs that can be chained together to make a bigger, nastier bug (firefox ESR has that issue)
11:36 <hiro> ryonaloli: you're just bragging about your stupid exploits, there's enough people with better proven background that have written about the market.
11:36 <hiro> i don't want to hear from you AGAIN.
11:36 <hiro> i don't believe your anecdotal "evidence"
11:36 <ryonaloli> nothing here is bragging. these came from my job. i did not any of the valuable bugs myself.
11:37 <hiro> 13:35 ryona second of all, having a less secure browser means you're more likely to be caught up in between the time a massive
11:37 <hiro> vulnerability is found in public and the time you upgrade.
11:37 <hiro> total bullshit
11:37 <ryonaloli> the point is to show that there is not necessarily money involved for each use of an exploit.
11:37 <ryonaloli> hiro: that's not at all true. compare the time it takes for a bug to be reported on, e.g. full-disclosure and to be fixed for various browsers.
11:37 <ryonaloli> chrome and firefox tend to fix bugs quite quickly.
11:38 <ryonaloli> IE/Edge can be pretty slow at fixing bugs, same with opera.
11:38 <hiro> ryonaloli: money, time, resources
11:38 <hiro> ryonaloli: i don't care as long as they are interchangeable
11:38 <hiro> ryonaloli: if you need to register on the infosec forums first, that also takes time
11:39 <ryonaloli> sometimes all you have to do is get a core impact subscription. then even if you're not a target, you become low hanging fruit.
11:39 <ryonaloli> or a script kiddie manages to get a cracked version of core impact.
11:39 <ryonaloli> or CANVAS or something.
11:39 <ryonaloli> they're written in python. easy to extract exploits from.
11:40 <hiro> i don't care how long it takes the browsers to fix low-hanging fruits
11:40 <ryonaloli> even if it's an RCE?
11:40 <ryonaloli> or a severe infoleak?
11:40 <hiro> it's *trivial* to close the browser
11:41 <hiro> i care more about services that are always turned on on servers
11:41 Kirra joined
11:41 <hiro> also, while for most this is probably difficult, i can still choose what websites i visit
11:41 <ryonaloli> most people with computers do not run servers. securing a server is a totally different matter.
11:41 <hiro> exactly
11:41 <hiro> which is a good opportunity to remind you that this is #alpine-linux
11:41 <hiro> not #infosec
11:41 <ryonaloli> choose what websites you visit, eh? tell that to XSS :P
11:41 <hiro> i don't XSS
11:42 <ryonaloli> or are you the first person who only uses websites which set anti-xss headers and use proper csp?
11:42 <hiro> wtf, no, i just plain out don't run everybody's javascript on my computer
11:42 <hiro> as i said, i'm not your average attack vector. to pwn me you have to use different tricks than just add me on facebook
11:43 <hiro> you have to apt-get your debian rootkit-installation-wizard
11:43 <ryonaloli> right, like use that image exploit that was used in the wild in actual advertisements against the masses like what, 6 months ago?
11:43 <ryonaloli> 4 months?
11:44 <hiro> look, there's the big problem, summarized for you again: most people have javascript enabled on most websites, half of them uses NO ADBLOCKER, half of them can be tricked to allow webgl, flash, and half of those again even freaking outdated JAVA!
11:44 <hiro> the reason this state exists is because they are not fucking freaked out about running completely insecure, complex, unmaintainable machines
11:44 <ryonaloli> so tell them to use a browser that auto-updates, has a small TCB that even sandboxes webgl, which is cracking down hard on flash and java, etc.
11:45 <hiro> the other reason is that browser vendors and their mates keep on making useless changes that only increase complexity and do nothing for the user.
11:45 <ryonaloli> one which is objectively harder to attack than another.
11:45 <ryonaloli> simple as that.
11:45 <hiro> 13:44 ryona so tell them to use a browser that auto-updates, has a small TCB that even sandboxes webgl, which is cracking down hard on
11:45 <ryonaloli> who cares that some people use IE8?
11:45 <hiro> that's not helping
11:45 <ryonaloli> those people are fucked anyway
11:45 <hiro> there's still javascripts run
11:45 <hiro> on mostly any website they visit
11:45 <hiro> even if i managed to teach them how to install an adblocker (normally fails)
11:45 <ryonaloli> javascript increases attack surface, but it's not game over.
11:45 <hiro> it's just an example
11:46 <hiro> all the rest is getting more complex, too, probably you can identify many other components that are always active and turing complete by now
11:46 rk324 joined
11:46 <ryonaloli> yeah HTML5+CSS3
11:46 <hiro> isn't CSS for example turing complete already?
11:46 <ryonaloli> only when combined with HTML5
11:46 <hiro> so not, ok.
11:46 <hiro> but whatever, it wouldn't have surprised me, and *that's* the point.
11:47 <hiro> so this is the median attack vector
11:47 <hiro> the root of insecurity is plain obvious
11:47 <hiro> we on #alpine have a tendency to avoid all of this
11:48 <ryonaloli> i still don't get what you have against recommending using something that is objectively more secure, even if the popular options are all not ideal.
11:48 <hiro> if people here need security i'm sure they're able to setup their adblocking in a more adjusted method
11:48 <ryonaloli> setting up adblock doesn't mean they know that chrome is more secure than firefox. most people think it's the other way around, which is unfortunate.
11:48 <hiro> ryonaloli: your "objective wisdom" is more harmful than saying nothing.
11:49 <ryonaloli> there's no wisdom in here. this is a fact which, if someone wants to avoid exploitation, is something people need to know.
11:49 <hiro> i don't care that exploits on YOUR stupid infosec forums are more expensive for chrome.
11:49 <ryonaloli> when people are looking for anonymity, i direct them to tor browser. when someone is looking for security and a generic day to day browser, i say chrome (well, chromium)
11:50 <ryonaloli> this is not about market price (and there are no forums involved)
11:50 <hiro> i do care though not to send google telemetry about me
11:50 <hiro> so, why should i assume other people don't have the same issue when i were to recommend them a browser?!
11:50 <ryonaloli> you know, you *can* just turn off the checkmarks for "enable predictive searches", right?
11:50 <hiro> i have a very simple way of teaching all my non-IT friends.
11:50 <hiro> i tell them: if you have a lot of money, don't do transactions on the internet
11:50 <ryonaloli> whenever i recommend chromium, i tell people that they can turn off predictive searches and such if they don't want the urls they put into the omnibar to go to google.
11:50 <hiro> don't trust your computer.
11:51 <hiro> case closed.
11:51 <ryonaloli> do note that firefox actually does the same thing.
11:51 <ryonaloli> that's how mozilla gets money.
11:51 <hiro> now, we more technical people should treat things mildly different.
11:51 <hiro> but what you add is completely worthless imo.
11:51 <hiro> it's non-technical buzzword bingo.
11:51 <ryonaloli> what i add provides both security, and privacy.
11:52 <hiro> you should just say *nothing* about practical security in (l)unix environments
11:52 <ryonaloli> what you add provides reduced security, and a false impression of privacy (with the exception of the recommendation to avoid computers for important things, which is good)
11:52 <hiro> "when people are looking for anonymity, i direct them to tor browser." -> wrong.
11:52 <hiro> you shouldn't give them any false hopes
11:52 <hiro> you're just making it worse.
11:52 <hiro> you're increasing their trust in the broken technology.
11:52 <ryonaloli> so are you one of those people who just tell everyone to give up?
11:53 <ryonaloli> leading them to continue using IE/Edge or chrome for their most sensitive communications with people in other countries?
11:53 <hiro> 13:49 ryona there's no wisdom in here. this is a fact which, if someone wants to avoid exploitation, is something people need to know.
11:53 <hiro> this otoh i can subscribe
11:53 <hiro> 13:50 ryona you know, you *can* just turn off the checkmarks for "enable predictive searches", right?
11:53 <hiro> ryonaloli: are you so clueless?
11:53 <hiro> ryonaloli: have you never snooped on what chrome does on the network when you do nothing?
11:54 <ryonaloli> yes, i have :/
11:54 <hiro> ryonaloli: even with all the bullshit features turned off?!
11:54 <ryonaloli> and again, i have
11:54 <hiro> there's *always* bullshit happening.
11:54 <ryonaloli> the only thing it does is use google dns
11:54 <ryonaloli> and check for updates
11:54 <ryonaloli> the google dns is only for updates and such, at that.
11:54 <hiro> and yes, i have to say i don't like google auto updates.
11:54 <hiro> it's the same principle
11:54 <ryonaloli> good thing they don't work on linux when installed via apt-get or another package manager.
11:54 <ryonaloli> they only apply on windows (and i don't do microsoft consultation or help with windows users in general)
11:55 <hiro> the whole idea that this is even necessary is enough proof that browsers are inherently insecure and useless for any security topic.
11:55 <hiro> 13:50 ryona whenever i recommend chromium, i tell people that they can turn off predictive searches and such if they don't want the urls
11:55 <hiro> they put into the omnibar to go to google.
11:55 <hiro> too much work for my granny
11:55 <hiro> she wouldn't get it anyway
11:55 <ryonaloli> granny is not gonna be my target audience
11:55 <ryonaloli> you have to tell them to do that for firefox too
11:55 <hiro> if the default isn't what those people want, then the whole product is rotten.
11:55 <ryonaloli> so it wouldn't work whether it's chrome or firefox
11:56 <ryonaloli> and i notice you are only answering my older answers so you cannot respond when i respond
11:56 <ryonaloli> either you're being intellectually dishonest, or your scroll log is very small.
11:56 <ryonaloli> try to get in sync
11:57 <hiro> 13:52 ryona so are you one of those people who just tell everyone to give up?
11:57 <hiro> no, the opposite
11:57 <ryonaloli> because pretty much everything you've said so far has been either incorrect, a misunderstanding, or already applies to all other browsers.
11:57 <hiro> i'm saying people like you with infosec, picking low hanging fruits, selling security snakeoil, YOU have given up
11:57 <hiro> i demand more productive activities from you
11:57 <hiro> 13:53 ryona leading them to continue using IE/Edge or chrome for their most sensitive communications with people in other countries?
11:58 <hiro> i tell them specifically not to do that
11:58 <ryonaloli> 1) i do not pick low hanging fruit for these purposes. 2) i do not sell security snake oil. that is what antivirus companies do. and 3) you were clearly referring to people who use tor browser, not to me.
11:58 <ryonaloli> sigh
11:58 <ryonaloli> i think you're doing this on purpose
11:58 <ryonaloli> stay in sync. if you're answering something and i'm moving on, tell me that. don't start answering backlog or i'll respond to that answer and we'll get farther and farther out of sync.
11:58 <hiro> 13:56 ryona try to get in sync
11:59 <hiro> patience
11:59 <ryonaloli> and you, unlike me, will only respond once to each line, in an attempt to get the last word.
11:59 <hiro> "or already applies to all other browsers." -> i'm not saying firefox or others are better in any meaningful way.
12:00 <ryonaloli> this line for example, i have a feeling you will respond to it without allowing an actual back and forth conversation to occur. you will see it, respond to it, i will respond to your response, and you will have already moved on to the next line, not seeing my response and leaving it hanging.
12:00 <hiro> 13:58 ryona i think you're doing this on purpose
12:00 <hiro> no, i have to multitask here. time is limited.
12:00 <ryonaloli> if you have to multitask and are slow to answer, then answer the latest thing on your scroll log.
12:01 <hiro> ryonaloli: i admit i mix up things from the first and the last lines still visible on my scroll buffer
12:01 <ryonaloli> you can't just tell that the bottom line is the most recent?
12:01 <hiro> ryonaloli: there is an intrinsic asynchronous nature in irc conversations sadly
12:02 <hiro> cause you will not wait for me to finish my thought, and i won't wait for you either.
12:02 <hiro> i don't want to miss out on calling you out for previous misunderstandings
12:02 <ryonaloli> you're trying to answer every single line, in such a way that i would have to go back up and answer lines out of order to respond to them.
12:02 <hiro> else you will sneak in some obscene misinformation again and then force me to ignore it by blabbering too fast.
12:02 <ryonaloli> that's not just asynchronous. that's an out of order conversation.
12:03 <ryonaloli> there is no misinformation being presented here.
12:03 <hiro> correct.
12:03 <hiro> it's out of order :)
12:03 <hiro> that's why i used the word "admit". i recognize the confusion it results in now.
12:04 <ryonaloli> so then we agree that both firefox and chromium have privacy issues and send data back to google.
12:04 <ryonaloli> and we both agree that chromium is better for resisting exploitation.
12:04 <hiro> but it's ok, I decided at this point extreme confusion and hilarious performance is the only thing that will result in meaningful closure about this topic
12:04 <hiro> 14:04 ryona so then we agree that both firefox and chromium have privacy issues and send data back to google.
12:04 <hiro> yes
12:04 <ryonaloli> we both agree that you can mitigate the privacy issues on both browsers, but it may not be possible for granny.
12:04 <hiro> 14:04 ryona and we both agree that chromium is better for resisting exploitation.
12:04 <hiro> not really
12:05 <hiro> *significantly*
12:05 <ryonaloli> hiro: i'm saying that it's relatively better, not that it's objectively *good*
12:05 <hiro> it's not even objectively, relatively better
12:05 <ryonaloli> compared to, say, a patched up elinks with a custom sandbox in a tight selinux policy.
12:05 <hiro> because there are *many* differences on unrelated layers
12:05 <ryonaloli> hiro: you ever seen it compete in pwn2own? :P
12:05 <hiro> i don't care about such events
12:05 <ryonaloli> or read the phrack analysis on presarena?
12:06 <ryonaloli> no? then why do you say that it is not objectively better?
12:06 <hiro> i sometimes skimmed over and nothing gave me confidence that any single browser figured out a way to maximize security
12:06 <hiro> there's the crucial and only solution: lowered complexity
12:06 <ryonaloli> that's irrelevant
12:06 <hiro> i don't care about benchmarks, staged fights, etc.
12:07 <hiro> i don't trust nobody in the browser business
12:07 <hiro> they're all working together to what it's worth to me
12:07 <ryonaloli> still irrelevant. this isn't about whether or not a browser is truly secure.
12:07 <hiro> mainly against my interests.
12:07 <ryonaloli> because no browser is truly secure. even links/lynx/elinks/w3m are nasty pieces of shit.
12:07 <ryonaloli> (mostly because no one cares about securing them though, tbh)
12:07 <hiro> 14:04 ryona we both agree that you can mitigate the privacy issues on both browsers, but it may not be possible for granny.
12:07 <hiro> not sure
12:08 <hiro> you can prevent *some* telemetry being sent
12:08 <ryonaloli> well try it out, and analyze what is actually happening
12:08 <hiro> not sure if it's all.
12:08 <ryonaloli> because on chromium, you can prevent 100% of private information from being sent.
12:08 <hiro> there is *so much* being sent i can't keep an overview
12:08 <ryonaloli> (chromium, not chrome)
12:09 <hiro> i don't trust it.
12:09 <_ikke_> no software is secure
12:09 <ryonaloli> indeed
12:09 <hiro> but that's beside the point: because i don't *need* to trust it enough.
12:10 <ryonaloli> _ikke_: i'm only talking about relative security
12:10 <hiro> ryonaloli: there is no such thing as relative security
12:10 <ryonaloli> _ikke_: (also, you can formally verify software, so within certain constraints...)
12:10 <ryonaloli> hiro: what are you talking about? like i said before, security is *all about* raising the bar
12:10 <hiro> ryonaloli: the only valid topic is *practical* security against *practical* attack vectors
12:10 <ryonaloli> yes, and that's all relative
12:11 <hiro> nope. there is no single scale with just two axes.
12:11 <hiro> there are too many orthogonal features, all compromising security in different ways.
12:11 <ryonaloli> hiro: are you claiming that product X cannot be more or less secure than product Y, when they both have the same threat model and process the same type of data?
12:12 <ryonaloli> "same threat model" negates "compromising security in different ways"
12:12 <hiro> ryonaloli: i'm saying there cannot be a meaningful *definition* of what should be considered more secure in the first place.
12:12 <ryonaloli> and "processing the same types of data" negates "too many orthogonal features"
12:12 <ryonaloli> hiro: of course there is. that's what threat modeling is all about.
12:12 <hiro> ryonaloli: more buzzword bingo
12:12 <ryonaloli> people spend hours, days, weeks doing threat model analysis.
12:12 <ryonaloli> you realize that threat modeling is a real thing, right?
12:12 <ryonaloli> it's not just a buzzword.
12:13 <hiro> i dont care about *their* threat model.
12:13 <hiro> it doesn't take me into account...
12:13 <hiro> if it even barely managed to at least cover average interest perhaps i'd be more curious.
12:13 <ryonaloli> a program's threat model is a formal thing, unrelated to the term you might be familiar with in layman's opsec.
12:13 <hiro> but for example it doesn't include the demand that i and most people share that a browser should be simple, lightweight, stable.
12:14 <_ikke_> that has nothing to do with security per-se
12:14 <ryonaloli> a program's threat model is expressed in call flow graphs and mathematics. it has nothing to do with you wanting to use specific sites.
12:14 <ryonaloli> or with your own opsec and desires.
12:14 <hiro> for me one of the most concrete threats to my personal security is software bloats
12:14 <hiro> (as long as i'm sitting in front of the computer)
12:14 <ryonaloli> why?
12:14 <hiro> because i can understand simple software.
12:14 <ryonaloli> are you allergic to it?
12:14 <_ikke_> bigger attack surface
12:14 <hiro> i get confused when i use complex software.
12:14 <ryonaloli> _ikke_: i understand what he's getting at
12:15 <hiro> *I* make errors.
12:15 <hiro> ryonaloli: i can't read the manual if it's too long.
12:15 <ryonaloli> i want to see if he is able to understand that that's not part of a threat model
12:15 <hiro> ryonaloli: my admin might not be able to read *his* manual if it's too long
12:15 <hiro> ryonaloli: my programmer might not be able to understand the function API of the shitty lib he's using if it's too long.
12:16 <_ikke_> software is inherently complex, if you like it or not
12:16 <ryonaloli> hiro: it sounds like you don't actually know what this term means. yes, more code complexity can increase attack surface. what does that have to do with threat model? what does that say about the adversary, the assets, the resources?
12:16 <ryonaloli> does that tell you if you're using biba? bell lapadula? no ACL?
12:16 <ryonaloli> RBAC? ABAC?
12:16 leah2 joined
12:16 <hiro> 14:13 hiro i dont care about *their* threat model.
12:17 <ryonaloli> hiro: again, a program's threat model is *not* what you might think about when you think "threat model"
12:17 <ryonaloli> it's a very specific, formal thing, and yes, you do care about it (or you should)
12:18 <hiro> 14:16 _ikke software is inherently complex, if you like it or not
12:18 <hiro> of course, but i want no *unnecessary* complexity
12:18 <hiro> 14:16 ryona does that tell you if you're using biba? bell lapadula? no ACL?
12:18 <hiro> more name-dropping
12:18 <_ikke_> hiro: The only way to get that is to build all software yourself
12:18 <hiro> what's the point of this discussion for you?
12:19 <_ikke_> hiro: then you only get the amount of complexity that you require
12:19 <ryonaloli> hiro: to see why you think the way you think. that is the point.
12:19 <ryonaloli> and these are things you can look up on wikipedia. these aren't complex terms.
12:19 <hiro> _ikke_: or use practical metrics that reduce the chances of having to deal with bad quality software
12:19 <hiro> _ikke_: you can try software and count how often it crashes during a typical preselected testing task
12:19 <ryonaloli> the point of that "namedropping", fwiw, was to bring home the point that a program's threat model has nothing at all to do with your personal threat model as it applies to your own opsec.
12:19 <_ikke_> hiro: simple software can still be bad quality, and complex software can still be good quality
12:20 <hiro> _ikke_: i'm not making an argument against complexity.
12:20 <ryonaloli> _ikke_: yup, compare netscape and chromium :P
12:20 <ryonaloli> *cough* tls key gen *cough*
12:20 <hiro> _ikke_: i'm making an argument about complexity that is used to solve simple problems in extremely useless complex ways
12:20 <hiro> s/about/against/
12:20 <ryonaloli> hiro: is anyone disagreeing with you?
12:21 <ryonaloli> on that matter, at least
12:21 <_ikke_> hiro: how are you determining if it's useless complexity or necessary complexity?
12:21 <_ikke_> hiro: Doesn't that depend on usecases?
12:21 <hiro> _ikke_: sure, let's say i want to read a piece of text
12:21 <ryonaloli> your argument was that there is no such thing as relative security, which i disagreed with. that chromium and firefox and opera did not differ in terms of which was more secure in any meaningful way (which is completely bogus). if you said that they were all exploitable, i'd agree. if you said that they were all too complex, i would agree.
12:22 <hiro> _ikke_: do I need to allocate 3GB of memory for reading 10kB of text?
12:22 <ryonaloli> curl -s "${url}" | less
12:22 <ryonaloli> :P
12:22 <hiro> _ikke_: or might that be a sign of horrible software quality?
12:23 <_ikke_> hiro: Well, that's a very limited usecase
12:23 <hiro> sure.
12:23 <_ikke_> ryonaloli: something with netcat would be even more simple
12:23 <hiro> but this is obviously just an example
12:23 <ryonaloli> _ikke_: yeah but then you don't get tls
12:23 <ryonaloli> and openssl s_client needs an annoyingly long flag if you want to secure it
12:23 <hiro> experience can show you how defined tasks/features have been solved/provided in the past and what resources that needed
12:24 <_ikke_> right, so if security is a requirement, it adds complexity
12:24 <ryonaloli> yay heartbleed
12:24 <_ikke_> hiro: but your requirements may differ from someone else's requirements
12:24 <ryonaloli> hiro: nothing is stopping you from using curl/wget/nc/telnet/s_client/CM-MX-butterfly for viewing plain text
12:24 <hiro> i don't have a formal procedure to determining this, but for many common use cases that most people agree in how they should look it's quite obvious for most people without any formal prior definitions
12:25 <hiro> ryonaloli: who's telling you i'm not already doing this?
12:25 <_ikke_> hiro: You seem to think the web is only to display text
12:25 <ryonaloli> hiro: your complaints make it seem that way
12:25 <hiro> ryonaloli: that's precisely why i'm here on #alpine-linux
12:25 <hiro> _ikke_: nope
12:25 <ryonaloli> you ever seen that unix koan?
12:25 <hiro> _ikke_: and wget can also download images.
12:25 <ryonaloli> with awk vs sed?
12:26 <hiro> i'm not interested in this topic. i use both awk and sed.
12:26 <ryonaloli> http://www.catb.org/esr/writings/unix-koans/shell-tools.html
12:27 <hiro> "no such thing as relative security" -> i admit that's a bold claim.
12:27 <hiro> it might be utterly wrong indeed, but i wanted to provoke the thought nonetheless :)
12:27 <_ikke_> hiro: people expect certain features from web browsers. More features is more complexity
12:28 <ryonaloli> snippet: "Why, then, are there several tools with similar capabilities in text processing: sed, awk and Perl? With which one can I best practice the Unix way?" "Master Foo asked the novice: If you have a text file, what tool would you use to produce a copy with a few words in it replaced by strings of your choosing?" "When you are hungry, eat; when you are thirsty, drink; when you are tired, sleep.
12:28 <ryonaloli> " "Upon hearing this, the novice was enlightened."
12:28 <ryonaloli> ^ use the tools you need for the job
12:28 <_ikke_> while you might not need all those features, browsers cannot be tailored to one specific type of user
12:28 <hiro> _ikke_: actually most people don't explicitly demand all those features
12:28 <ryonaloli> if you need extreme security, use curl and less, and don't complain that browsers exist and do too much
12:28 <ryonaloli> when you need javascript, use a browser
12:28 <hiro> _ikke_: it's a small elite that gets to decide on what the rest of the world has to bear with in the browsers
12:28 <_ikke_> hiro: not all people require the same features
12:29 <hiro> _ikke_: correct. which is why 99% of those features are useless bloat to me personally, and >50% are probably bloat to anybody else who thought about it.
12:29 <ryonaloli> some things i agree are absolutely stupid
12:29 <ryonaloli> webgl, asmjs
12:29 kallenp joined
12:30 <ryonaloli> the insane complexity added to javascript and HTML5
12:30 <ryonaloli> but we can all agree that simplicity is a good thing for security. you won't find anyone sane who disagrees.
12:30 <_ikke_> people want the web to be a complete platform
12:30 <ryonaloli> you can find people who argue about the merit of having a complex browser because it is featureful, sure.
12:31 <ryonaloli> but this all started because i said that chromium was more secure than firefox.
12:31 <kallenp> Hi all from Czech Republic. Does anyone have any idea how to configure/set up Alpine Linux on a Raspberry Pi to stream only the picture from a USB-connected webcam? I need any tips for software. Many thanks, Petr Kallen
12:31 <ryonaloli> not because i said that we need more complexity (which i obviously don't believe)
12:32 <hiro> 14:28 ryona ^ use the tools you need for the job
12:32 <hiro> this only works if the tools are *separated*
12:32 <hiro> into individual tools
12:32 <hiro> orthogonal concepts, that interlock well to create one bigger solution to even complex problems
12:32 <ryonaloli> websites tend to need a lot at once :P
12:33 <kallenp> ?
12:33 <hiro> yeah, but as in your complaint from esr the components web sites are built from do not provide orthogonal features
12:33 <ryonaloli> i do wish to separate things like webgl (just download a trusted program and use opengl), asmjs is... well fuck it, that's what the x86 ISA is for.
12:33 <hiro> 14:28 ryona if you need extreme security, use curl and less, and don't complain that browsers exist and do too much
12:34 <hiro> i'll complain as much as i feel like
12:34 <hiro> and i'm joining in with many other people who do the same, so you don't really have much hope not to hear about this topic
12:34 <ryonaloli> hiro: that's fair, i complain a fair amount about browsers and other software too.
12:34 <ryonaloli> but at least don't try to claim that chromium is not more secure than firefox (which was my original and only main point)
12:35 <ryonaloli> well, opera was my main point, but it applies to ff too
12:35 <hiro> 14:30 _ikke people want the web to be a complete platform
12:35 <hiro> not really
12:35 <hiro> they wanna lick google's ass
12:35 <_ikke_> hiro: ...
12:35 <ryonaloli> most people don't give a shit about who makes the browser
12:35 <hiro> we had great ideas about the web in the 90s
12:35 <hiro> now all the progress has been reversed
12:35 <hiro> it's completely inaccessible horrible shit
12:36 <hiro> the majority will decide, over and over again, completely ill-informed.
12:36 <_ikke_> The majority does not care
12:36 <hiro> most decisions by the majority are not based on rational thinking
12:37 <hiro> and even so, they have nothing to say.
12:37 <hiro> the only people who can do something useful with complaints would be developers
12:38 <hiro> but hopefully they are busy selling snake-oil themselves to finance a roof above their heads :)
12:39 <ryonaloli> i think you have too much hatred for google to actually understand what goes into writing a browser or what influences the web.
12:40 <ryonaloli> the developers and even the people in charge of the majority of the direction chromium goes do not get involved in silly "web 3.0" bullshit
12:40 <hiro> 14:34 ryona but at least don't try to claim that chromium is not more secure than firefox (which was my original and only main point)
12:40 <hiro> lets settle on this: i won't claim the *opposite*
12:40 <ryonaloli> then you are asking to settle on something which is not true
12:40 <hiro> i'm asking to settle on a refusal of claim
12:41 <hiro> i'm not claiming your opinion, nor the opposite.
12:41 <_ikke_> How do you determine if software is more or less secure than other software?
12:41 <hiro> it should be easy to accept :)
12:41 <ryonaloli> i mean you can say "agree to disagree", but that doesn't change the facts. it's better to just say "i don't want to discuss this" than to try a petty copout like that.
12:41 <hiro> _ikke_: yeah, that was my point.
12:41 <ryonaloli> _ikke_: many ways. in the case of chromium, there is the memory allocator, the sandboxing, the multiprocess architecture.
12:41 <ryonaloli> the 24/7 fuzzing of all components involved (from the core of chromium to things like ffmpeg)
12:41 <ryonaloli> there's the lack of 2 MiB heaps caused by jemalloc.
12:41 <hiro> noooooooo, it starts from 0 again.
12:42 <hiro> 14:39 ryona i think you have too much hatred for google to actually understand what goes into writing a browser or what influences the web.
12:42 <ryonaloli> and, of course, you can just look at how easy it is to compromise firefox compared to chromium, whether in real-life, in competitions, or through the market (either through the monetary value of 0days, or how difficult it is to get them)
12:42 <hiro> ryonaloli: i can't hate google.
12:42 <hiro> ryonaloli: i only hate *individuals*
12:43 <_ikke_> funny, often it's the other way around
12:43 <ryonaloli> hiro: i'm the other way around. i prefer to hate corporations than individuals.
12:43 <hiro> ryonaloli: when i say i hate software i imagine actual people sitting there and writing that crap.
12:43 <ryonaloli> _ikke_++
12:43 <ryonaloli> even something like oracle. i despise it with every bone in my body and want burned to the ground, but i would give the ceo nothing more than a mean look.
12:44 <_ikke_> To be honest, I'm more pragmatic in these things
12:44 <ryonaloli> and maybe not even that.
12:44 <ryonaloli> hiro: i hate imlib2, but i think the author is just an idiot. i don't hate him.
12:44 <hiro> ryonaloli: yeah, i understand defining hatred is hard.
12:45 <hiro> ryonaloli: it's just a feeling, i can't explain it :)
12:45 <ryonaloli> sometimes there are individuals i can strongly dislike because of their personality. i dislike both systemd (the software) and lennart and kay (the people)
12:45 <ryonaloli> but not because they wrote systemd
12:46 <_ikke_> I'm probably in a minority here to like systemd :-)
12:46 <hiro> i have no problem with systemd if it was just a software as opposed to the political project it is in reality that manages to install the software on MY COMPUTER
12:46 <ryonaloli> _ikke_: well i admit it can do good things, and if it were only an init, i'd like it!
12:46 <hiro> it's the summated action of individuals to me
12:46 <ryonaloli> because sysv *does* have problems, and openrc isn't for everyone.
12:46 <hiro> they all fucked up, together.
12:46 <ryonaloli> if only using it didn't make journald mandatory, and pull in crap like their own buggy ntpd etc.
12:47 <ryonaloli> and their own cron and udevd ad nauseam.
12:47 <ryonaloli> hiro: but it's the sum, still.
12:47 <_ikke_> Most of those services are not required (I can stop them at will and use alternatives)
12:47 <ryonaloli> each individual didn't do much.
12:47 <ryonaloli> _ikke_: not journald
12:47 <ryonaloli> it's one of the things i have the biggest problems with, and it's mandatory.
12:48 <ryonaloli> not to mention, you have to configure your kernel specifically for systemd. i cannot use a lightweight custom kernel. i would have to use ugly, bloated configuration features that i otherwise would disable.
12:48 <hiro> 14:47 ryona each individual didn't do much.
12:48 <hiro> ryonaloli: i do admit that
12:48 <hiro> ryonaloli: and i also complain about it a lot!
12:48 <_ikke_> well, it's those features that make systemd what it is, isn't it?
12:49 <_ikke_> not sure which exact feature you are talking about
12:49 <hiro> 14:46 ryona if only using it didn't make journald mandatory, and pull in crap like their own buggy ntpd etc.
12:49 <ryonaloli> _ikke_: nah, things like cgroups? i mean it can be useful for some people, but why should systemd segfault when it's not enabled? what if i just want to be able to not use sysv init scripts and instead use systemd as an init?
12:49 <ryonaloli> or what about things like mqueue?
12:49 <hiro> "if only chrome didn't pull in webgl"
12:49 <hiro> i see an analogy here.
12:49 <ryonaloli> or posix message queues
12:50 <_ikke_> ryonaloli: Doesn't systemd use cgroups to track processes?
12:50 <hiro> "I can stop them at will and use alternatives" -> I can't practically.
12:50 <ryonaloli> hiro: if there were something analogous to chrome which did not pull in webgl, i would jump to it immediately.
12:50 <ryonaloli> _ikke_: yes but i don't see why it would need to.
12:51 <hiro> ryonaloli: :)
12:51 <hiro> web browsers take *all choice*
12:51 <ryonaloli> but i'm one of the old school guys who wants to be able to: kill -9 `cat /var/run/somedaemon.pid` if i need
12:51 <_ikke_> ryonaloli: because it allows systemd to accurately see what process was started for a particular daemon (which other init systems often have difficulty to do)
12:51 <hiro> you guys said that it's SUPPOSED to be a "platform"
12:52 <ryonaloli> hiro: yeah i agree, they're too bloated
12:52 <ryonaloli> they do too much. a race to the bottom, as i heard someone put it.
12:52 <hiro> 14:50 _ikke ryonaloli: Doesn't systemd use cgroups to track processes?
12:52 <hiro> i think they might be fixing that.
12:52 <hiro> they learned from... android hahaha
12:52 <ryonaloli> oh nice
12:53 <hiro> but that's just one curious detail.
12:53 <hiro> the rest is probably just as fucked as before :P
12:53 <_ikke_> hiro: How are they fixing that? (curious)
12:53 <hiro> _ikke_: by using users
12:53 <hiro> _ikke_: user separation...
12:53 <hiro> _ikke_: no need for cgroups
12:53 <_ikke_> ah ok
12:54 <_ikke_> a separate uid per service?
12:54 <ryonaloli> neato
12:54 <hiro> that's my guess
12:54 <hiro> i only skimmed over
12:54 <hiro> been quite a while i've read that.
12:54 <_ikke_> right
12:54 <hiro> google for it :) cgroups systemd android user separation
12:55 <_ikke_> hiro: cannot seem to find anything related
12:56 <hiro> perhaps it was docker and not systemd?
12:56 <hiro> i can't find it either :(
12:57 <_ikke_> systemd also uses cgroups to allow to set limits
12:57 <hiro> yeah, but perhaps you could get rid of most cgroups code in the kernel by setting the limits per user and not having a separate group abstraction for something that's completely the same anyway
12:58 <hiro> i wish i had pointers still
13:21 <hiro> The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with
13:21 <hiro> the same user permissions.
13:21 <hiro> from https://source.android.com/security/overview/kernel-security
13:32 <_ikke_> Right, that I already knew
13:37 <Shiz> so many words
13:37 <Shiz> yet for the part i cared to read, ryonaloli was more right
13:39 <hiro> sorry, i didn't add a single useful, new information during all this talk. i feel like it was all a complete failure oO
13:40 <hiro> mainly just repetition, confusion and misunderstanding
13:40 <hiro> nobody learned anything news
13:40 <hiro> *new
13:42 <_ikke_> hiro: I still found it an interesting discussion
13:43 <hiro> that's a relief then :)
14:15 leah2 joined
14:21 Marc_M joined
14:22 Marc_M left
14:29 rollniak joined
14:33 Sachiru joined
14:41 blueness joined
14:42 snappy joined
14:42 snappy joined
14:45 igitoor joined
14:50 cyborg-one joined
14:57 atomi joined
15:00 igitoor joined
15:01 Marc_M joined
15:17 kallenp_ joined
15:18 kallenp joined
15:19 kallenp left
15:27 mdillon joined
15:38 kallenp joined
15:38 kallenp left
15:44 <atomi> happy easter lol
15:56 Skele joined
16:03 mdillon joined
16:10 Zucca joined
16:18 kallenp joined
16:19 <kallenp> Hi all. Please, what am I doing wrong? I need to install motion on Alpine Linux
16:20 <kallenp> alpine:~# apk update
16:20 <kallenp> fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/armhf/APKINDEX.tar.gz
16:20 <kallenp> 3.5.2 [/media/mmcblk0p1/apks]
16:20 <kallenp> v3.5.2-45-g70721263c1 [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
16:20 <kallenp> OK: 5597 distinct packages available
16:20 <kallenp> alpine:~# apk upgrade
16:20 <kallenp> OK: 17 MiB in 34 packages
16:20 <kallenp> alpine:~# apk add motion
16:20 <kallenp> ERROR: unsatisfiable constraints:
16:20 <kallenp> motion (missing):
16:20 <kallenp> required by: world[motion]
16:20 <kallenp> alpine:~#
16:25 <luxio> kallenp: use a pastebin next time please
16:27 <kallenp> luxio: I'm sorry. I'm a "novice" in IRC. What is a pastebin?
16:28 <kallenp> luxio: OK, I found it on google. Sorry again...
16:31 <kallenp> 1 alpine:~# apk update
16:31 <kallenp> 2 fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/armhf/APKINDEX.tar.gz
16:31 <kallenp> 3 3.5.2 [/media/mmcblk0p1/apks]
16:31 <kallenp> 4 v3.5.2-45-g70721263c1 [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
16:31 <kallenp> 5 OK: 5597 distinct packages available
16:31 <kallenp> 6
16:31 <kallenp> 7 alpine:~# apk upgrade
16:31 <kallenp> 8 OK: 17 MiB in 34 packages
16:31 <kallenp> 9
16:31 <kallenp> 10 alpine:~# apk add motion
16:31 <kallenp> 11 ERROR: unsatisfiable constraints:
16:31 <kallenp> 12   motion (missing):
16:31 <kallenp> 13     required by: world[motion]
16:31 <kallenp> 14 alpine:~#
16:32 <pickfire> kallenp: curl ix.io
16:33 <pickfire> Please don't flood the irc channel.
16:34 <pickfire> kallenp: That error happens probably because motion is not in the package index.
16:34 <pickfire> I think it is in the repo community instead of main.
16:35 <kallenp> OK and thanks for your answer. I need to stream video from my USB webcamera to the web. I found "motion".
16:39 <kallenp> motion is in testing repo, thanks
17:08 kallenp left
17:11 mdillon joined
17:28 fabled joined
17:42 wonton left
17:47 dirac1 joined
17:49 Nobabs27 joined
18:17 babs_ joined
18:33 babs__ joined
18:38 babs_ joined
18:39 emacsomancer joined
18:57 <shodan45> Any recommendations for web based kvm admin front-end?
18:57 babs__ joined
18:58 <shodan45> Or any virtualization tech, really
18:58 <shodan45> libvirt stuff
19:00 babs_ joined
19:05 babs__ joined
19:07 <emacsomancer> any tips for installing alpine w/ a zfs root?
19:11 <dirac1> If i want to recover my system from a full system backup, what do i have to do?
19:20 <_ikke_> how was this backup created?
19:20 grayhemp joined
19:21 babs_ joined
19:24 Nobabs27 joined
19:27 Nobabs27 joined
19:34 babs_ joined
19:36 grayhemp joined
19:37 babs__ joined
19:47 grayhemp joined
19:48 babs_ joined
19:49 mortis304 joined
19:51 babs__ joined
19:59 ogres joined
20:04 letoram joined
20:22 kjsaihs joined
20:24 <kjsaihs> how can i allow non local bind on Alpine linux?
20:30 <kjsaihs> fixed - forgot to reload
20:43 blueness joined
20:43 czart__ joined
20:48 grayhemp joined
20:53 greguu joined
20:54 grayhemp joined
21:04 nixdork joined
21:07 sirnaysayer joined
21:34 emacsoma` joined
21:35 cyborg-one joined
21:44 d0t joined
21:44 <d0t> hi. I can't start openntpd on alpine because of the following: /usr/sbin/ntpd: unrecognized option: N
21:44 <d0t> there's an error in the init script
21:47 Tsutsukakushi joined
21:49 `jpg joined
21:49 Janhouse joined
22:01 <Shiz> d0t: this doesn't seem to be set by the init script
22:01 <Shiz> you sure you don't set NTPD_OPTS= to anything containing -N in /etc/conf.d/openntpd ?
22:01 chris| joined
22:02 <d0t> Shiz: nope, it's a fresh install
22:03 <d0t> rpi image
22:03 <d0t> i haven't done anything other than run apk add openntpd and setup-ntp
22:04 <Shiz> d0t: right
22:04 <Shiz> you should use # service openntpd start, not # service ntpd start
22:04 <Shiz> (or /etc/init.d/openntpd vs /etc/init.d/ntpd)
22:04 <d0t> oh
22:04 <d0t> thanks
22:04 <d0t> i thought those were the same
22:04 <Shiz> ntpd is busybox ntpd :)
22:05 <d0t> alright then
22:07 tdtrask left
22:19 grayhemp joined
23:06 Emperor_Earth joined
23:31 blueness joined
23:49 grayhemp joined
23:51 biax left