April 2017
00:12 <Shiz> vectr0n: no
00:14 <vectr0n> ive tried a few with no luck, what one can be installed w/o internet access? stupid ovh and their failover ips lol
00:16 <vectr0n> better question.. if networking is configured before setup-alpine will the installer know that and skip the ip/subnet/gw/etc?
00:17 minimalism joined
00:30 <Shiz> i think it will, yes
00:31 <Shiz> i dont think you need internet access at all to install
00:38 <vectr0n> all 3 isos ive tried so far do, when you get to the ssh and ntp options, fails to install
00:40 afics joined
00:42 mdillon joined
00:44 armin joined
00:45 <Shiz> vectr0n: simply select none for ssh and busybox for ntp
00:45 <vectr0n> but i dont want to ;p
00:45 <vectr0n> so i will try bringing networking up first
00:45 <vectr0n> thx for the tips/info :)
00:46 <Shiz> (which isos did you try, btw?)
00:51 MuffinMedic joined
00:59 brucewang joined
01:00 robtec joined
01:02 BlackIkeEagle joined
01:04 afics joined
01:09 s33se joined
01:14 czart__ joined
01:14 BlackIkeEagle joined
01:15 atomi joined
01:19 nixdork joined
01:38 koollman joined
01:40 Janhouse joined
01:43 grayhemp_ joined
01:47 DLange joined
01:48 ryonaloli joined
01:49 ryonaloli joined
01:49 arenstar joined
02:09 grayhemp joined
02:21 kl3_ joined
02:25 <vectr0n> Shiz, standard, vanilla, and virtual
02:26 <Shiz> i think -extended may have helped you better
02:26 <Shiz> lol
02:26 <vectr0n> "Runs from RAM" doesnt really fit my environment tho lol
02:27 <Xe> vectr0n: the standard iso doesn't netinstall
02:27 <vectr0n> well when you want the non-default ssh/ntp.. sure do it seems
02:27 <Xe> yeah
02:27 <Xe> the default packages are baked into the standard iso
02:27 <vectr0n> i know now..
02:27 <Shiz> vectr0n: i mean they all run from RAM
02:27 <Shiz> if you want to
02:27 <Shiz> its a bit of a weird description since it's not a difference
02:28 <Shiz> -extended just has more packages on-iso
02:28 <Shiz> that's the only difference
02:28 <vectr0n> so its a dual type thing? maybe the desc should be updated a bit lol, super confusing
02:28 <Shiz> you can still do a regular old sys install with it
02:28 <Shiz> yeah every alpine iso can be installed to disk or setup to run from ram
02:28 <vectr0n> ok makes more sense now :)
02:28 <Xe> vectr0n: wait i'm a moron, they made the old "standard" into the new extended
02:28 <Xe> you want extended
02:29 <Shiz> :p
02:29 <vectr0n> nah to bring up networking first is the easier lol
02:29 <vectr0n> easiest*
02:29 <Xe> ya
02:29 <vectr0n> anyone who has used ovh over the years will understand, lol
02:29 <vectr0n> and i dont have a box w/ nat on the host
02:29 <Xe> i use ovh for my main personal server
02:29 <Xe> trust me i know the pain
02:30 <vectr0n> i have a whole bunch lol
02:30 <Shiz> i use online.net
02:30 <vectr0n> ew
02:30 <Shiz> i know the pain too
02:30 <vectr0n> ya its the same
02:30 <vectr0n> gets frustrating after awhile for some things, even after years and years of using them lol
02:30 <vectr0n> thx guys/gals for more info :) lol
02:30 <Xe> np
02:30 <Shiz> dont get me started on ipv6...
02:31 <vectr0n> theirs really SUCKS
02:31 <Xe> Shiz: you ain't had an ipv6 headache until you've had a comcast ipv6 headache
02:31 <vectr0n> ok i agree on that, have some friends on the us on comcast.. lol
02:31 <Xe> it's the kind of insanity where you have to use intentionally wrong settings to get it to work
02:31 <vectr0n> in*
02:32 <vectr0n> im glad rogers (canada) is fully native and works as expected lol
02:32 <Shiz> at least you've got domestic ipv6....
02:32 <vectr0n> even the cell towers are native v6
02:32 <Shiz> i'm still stuck with a HE tunnel
02:32 <Xe> vectr0n: ipv6 being the only supported ip stack on LTE kinda forced this
02:32 <Xe> most carriers do 6to4
02:33 <vectr0n> i was surprised they did real native v6 on the cell network
02:33 <Xe> yeah
02:33 <Xe> probably only because the standards mandated it hard stop lol
02:33 <vectr0n> lol
02:34 <vectr0n> it was only a day or two once the "landlines" got v6 that the cell towers got it as well (and makes sense totally)
03:00 grayhemp joined
03:01 kvda joined
03:01 <kvda> yo how do i change the keyboard layout?
03:01 <Shiz> setup-keymap
03:19 cyteen joined
03:21 grayhemp joined
03:48 MuffinMedic joined
04:31 czart_ joined
04:41 felixjet joined
05:03 cyborg-one joined
05:12 fabled joined
05:37 luxio joined
05:37 <luxio> Xe: Anything on Tor yet?
05:38 <Xe> i have been on a business trip
05:38 <luxio> ah
06:06 grayhemp joined
06:07 grayhemp joined
06:20 orbiter joined
06:28 tomothy joined
07:06 grayhemp joined
07:11 <ScrumpyJack> morning climbers
07:15 royger joined
07:17 kvda joined
07:21 grayhemp joined
07:41 t0mmy joined
07:44 grayhemp joined
08:06 mwak joined
08:09 grayhemp joined
08:09 fekepp joined
08:25 svx joined
08:30 ams__ joined
09:01 grayhemp joined
09:25 consus joined
09:27 consus joined
09:43 grayhemp joined
09:45 grayhemp_ joined
10:05 <xsteadfastx> is there a way to abort udhcpc on boot? it looks like it never times out and tries and tries and tries to obtain an ip of eth0 (which is not connected)
10:35 blueness joined
10:37 <ryonaloli> https://grsecurity.net/passing_the_baton.php grsecurity closed
10:37 <ryonaloli> (private)
10:37 <ryonaloli> rip
10:42 grayhemp joined
10:47 blueness joined
10:53 <xsteadfastx> what package do i need to install to get lbu?
10:53 <_ikke_> https://pkgs.alpinelinux.org/contents?file=lbu&path=&name=&branch=&repo=&arch=
10:59 LouisA joined
11:03 rollniak joined
11:06 <Shiz> ryonaloli: aaand they removed the testing patch
11:07 grayhemp joined
11:08 <xsteadfastx> _ikke_: thanks
11:09 <xsteadfastx> the docs for the rpi are wrong about lbu... when following the docs the cache is on a read only partition
11:17 <itsfemme[m]> Shiz: get it from a scraper on github
11:29 <Shiz> already done so
11:29 <Shiz> it's still a shitty move
11:38 <itsfemme[m]> Shiz: https://grsecurity.net/~spender/grsecurity-3.1-4.9.24-201704252333.patch
11:38 <itsfemme[m]> still up there
11:39 <Shiz> that's something i guess
11:39 <Shiz> although something tells me you had to be in the grsec irc to know that one
11:51 grayhemp joined
11:54 gromero joined
11:57 czart joined
12:02 <_ikke_> xsteadfastx: probably because the fs is iso9660?
12:03 <xsteadfastx> _ikke_: its fat32
12:04 <xsteadfastx> ah ok... sorry
12:04 <xsteadfastx> there is a wiki article about it
12:05 <xsteadfastx> my bad
12:07 blueness joined
12:20 <xsteadfastx> i cant get openssh working with root account on a fresh alpine
12:20 <xsteadfastx> it tells me the root account is expired
12:20 <xsteadfastx> but i cant find anything about it online
12:21 <Shiz> have you set PermitRootLogin to yes or key-only (or whatever it was)
12:22 <IcePic> expired doesnt sound like an sshd_config thing, rather something in the passwd or pam
12:22 <IcePic> ssh will only ever say "you cant get in" or let you in, it won't tell you why you wont get in at a certain time.
12:23 <xsteadfastx> ok but PermitRootLogin yes did the job
12:24 <xsteadfastx> but still strange /v/l/m message
12:24 <IcePic> where did you see "account is expired", the sshd logs or on the client side?
12:25 <xsteadfastx> server side
12:41 lesion joined
12:44 scadu joined
13:05 blueness joined
13:11 dave0x6d joined
13:11 MDrights joined
13:42 Sofia__ joined
13:42 <Sofia__> Hello, Are CoreOS and Alpine Linux comparable ?
13:43 grayhemp_ joined
13:44 <_ikke_> comparable in what way?
13:47 aw1 joined
13:48 <Sofia__> @_ikke_: in any way, but specially as a linux distro. Because I was need to create some environment to deploy docker containers. I gave a go to CoreOS and now I was looking for alternatives
13:48 <IcePic> and what should that alternative bring?
13:48 <IcePic> or remove, for that matter
13:48 <Sofia__> ease of use, I found CoreOS super difficult
13:49 <Shiz> coreos and alpine differ in a number of ways
13:49 <Shiz> in my opinion, CoreOS is not actually particularly light
13:50 <Shiz> it also doesn't seem to have particular interest in security, but that may be my lack of research
13:50 <Shiz> and well... alpine has a package manager :P
13:50 <Shiz> Sofia__: if you're asking whether you can use alpine for a container host system, yes, you can do that just fine
13:50 <Shiz> in fact, that is one of my deployments of it
13:51 <Sofia__> Shiz: well yes, but I wonder whether CoreOS or Alpine Linux is better
13:51 <Sofia__> (this is going to be to sell docker hosting)
13:51 <Shiz> well you're asking the salesman here :P
13:51 <Shiz> in my opinion alpine is vastly better, but you may get better commercial support with CoreOS
13:52 <_ikke_> right, alpine does not have a support team available
13:52 <Sofia__> Shiz: Probably yes since they charge between 5.000 and 10.000 USD a day of training hahah
13:52 <Sofia__> but I can not afford that
13:53 <_ikke_> alpine imo is pretty simple
13:53 <Shiz> brb
13:53 <Sofia__> do you use alpine with kubernetes ?
14:00 <Shiz> not personally, but I know it's packaged :)
14:00 <Shiz> I run straight Docker myself
14:01 <Sofia__> Shiz, but how many containers do you have to manage at the same itme ?
14:01 <Sofia__> *time
14:01 <Shiz> currently running about 20, it's a personal Docker host, not a public service
14:02 <Shiz> so my use case is somewhat different
14:05 <kahiru> hey, how would I go about creating an initramfs for another arch?
14:14 <Shiz> kahiru: don't think that's really possible right now as it simply copies files from the host
14:14 <Shiz> kahiru: you might be able to cross-install alpine packages into a chroot and pass that as the -b argument to mkinitfs
14:14 <Shiz> no guarantees though :)
14:15 <kahiru> hmm, sounds doable
14:16 <kahiru> some background: I'm trying to get alpine working on odroid c2 which requires 3.14.something kernel with loads of patches from hardkernel. So I guess I could run another distro on it, set up alpine chroot, copy the current kernel and its modules and generate the initramfs there and then try booting it
14:17 Emperor_Earth joined
14:17 <Shiz> kahiru: i'll get something for you in a sec
14:17 <Shiz> it's not actually that hard turns out
14:17 <Shiz> :P
14:18 fabled joined
14:19 <kahiru> O.o
14:21 <Shiz> kahiru: https://txt.shiz.me/N2QxYTk3OT
14:21 <Shiz> something like this should work
14:22 <Shiz> make chroot, init apk database, copy over repos and keys, update apk database, add base files
14:22 <kahiru> well, it still needs the custom kernel and its modules need to be in the initramfs, right?
14:23 <Shiz> you can copy over /lib/modules to that chroot
14:24 <Shiz> the kernel isn't needed as file
14:24 <kahiru> right
14:30 Skele joined
14:50 nerdix joined
14:54 blueness joined
14:56 <kahiru> Shiz: if you take let's say the rpi image, how is the /boot/apks generated? Is it just the output of apk cache?
15:06 sparklyballs joined
15:07 zopsi joined
15:14 grayhemp joined
15:24 NIN101 joined
15:37 NIN101 joined
15:37 grayhemp joined
15:51 tmh1999 joined
15:58 <armin> so what's a good way to ensure a custom VPN daemon i installed is always running (e.g. restart it when it dies)? i consider supervisord to be a good pointer here, but is there something even easier maybe?
15:59 Tsutsukakushi left
15:59 <kahiru> never used supervisord, but I occasionally use s6 if I need something being kept alive
15:59 <armin> what's s6? any pointers?
15:59 <kahiru> this suite http://www.skarnet.org/software/s6/
16:00 <armin> okeh.
16:01 <armin> ok supervisord doesn't seem like the worst at least. :)
16:01 fekepp joined
16:01 <armin> also the fact that s6 supports socket activation scares me.
16:02 <kahiru> well, noone forces you to use all of its parts :)
16:03 <arch3y> Id use something like monit for that but just a preference of mine
16:03 <armin> i admit there was some irony to this. :)
16:04 <arch3y> lol love the securitybreaches page on skarnet
16:04 <arch3y> I guess s6 would replace daemontools
16:18 firebird1 joined
16:19 dlaube joined
16:20 <BitL0G1c> armin - openrc also has supervise-daemon built in - nginx-naxsi / elasticsearch / logstash use it
16:21 <BitL0G1c> I've started switching from runit to supervise-daemon - it also works for exim
16:27 <kahiru> BitL0G1c: any docs on that?
16:28 <BitL0G1c> yes hold on
16:29 <BitL0G1c> kahiru - see https://github.com/OpenRC/openrc/blob/1edb5f6fd9c4827e5d4ed5c854bc322ba8a7df73/supervise-daemon-guide.md
16:32 <BitL0G1c> kahiru - see also https://github.com/itoffshore/aports/blob/master/testing/nginx-naxsi/nginx.initd
16:36 fabled_ joined
16:38 <armin> BitL0G1c: consider me a noob, what's nginx-naxsi? would i get an initscript that uses that functionality when doing an "apk add nginx" so i can crib how to implement that for my own daemons?
16:39 <armin> oh you just pasted 2 links about that.
16:39 <armin> BitL0G1c: thanks!
16:39 <BitL0G1c> nginx doesn't use it - nginx-naxsi is my version in testing - it does not disable PaX
16:39 <BitL0G1c> np
16:41 <armin> ok so from what i see, supervise-daemon is already installed by default on a fresh alpine installation so i could just write my own initscript that makes use of it, right?
16:42 <armin> that seems quite convenient and i don't even have to fiddle around with supervisord.
16:45 grayhemp joined
16:46 grayhemp joined
17:14 blueness joined
17:27 orbiter joined
17:33 unatco_0451 joined
17:34 gopar joined
17:40 satcom_0451 joined
17:45 cyborg-one joined
17:46 grayhemp joined
18:04 grayhemp_ joined
18:08 sergey_ joined
18:15 minimalism joined
18:22 sergey__ joined
18:28 grayhemp joined
18:33 consus joined
18:42 <vectr0n> when it comes to net-snmp and grsec, its clearly not grabbing all the info due to some of the grsec protections, without recompiling the kernel to add the snmpd user in the grsec part, is there another way?
18:44 <consus> There is a vanilla kernel in Alpine
18:44 <_ikke_> Isn't there a group you can add the snmpd user to to give it more access?
18:44 <vectr0n> consus, im aware, dont want it
18:45 <consus> There is a procfs setup
18:45 <consus> AFAIR
18:45 <vectr0n> _ikke_, not sure how the kernel was compiled or where to look for the options it uses
18:45 <_ikke_> Me neither
18:45 <vectr0n> i know in the past on deb ive had to recompile a grsec kernel to exempt the snmp user
18:45 <vectr0n> ill keep digging, ty :)
18:45 <consus> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#GID_exempted_from_.2Fproc_restrictions_2
18:45 <consus> Here
18:45 <consus> This GID may also be chosen at boot time
18:45 <consus> via "grsec_proc_gid=" on the kernel commandline.
18:46 <consus> The group you select may also be chosen at boot time
18:46 <consus> via "grsec_proc_gid=" on the kernel commandline.
18:46 <vectr0n> all depends on the kernel compile options..
18:46 <_ikke_> there is the readproc group
18:46 <consus> Yes
18:46 <consus> # grep GRKERNSEC_PROC_USERGROUP /boot/config-grsec
18:46 <consus> CONFIG_GRKERNSEC_PROC_USERGROUP=y
18:47 <consus> And this option is enabled in Alpine kernel
18:47 <vectr0n> sorry im not as advanced as you.
18:47 <consus> So there is absolutely no need to recompile the kernel
18:47 <_ikke_> addgroup snmpd readproc
18:47 <consus> Yes
18:47 <consus> _ikke_ is right
18:47 <vectr0n> _ikke_, i will give that a try, ty
18:48 <consus> BTW
18:48 <consus> grsec folks released a communique today
18:48 <_ikke_> yes,
18:48 <_ikke_> has been linked here
18:49 <consus> So any roadmap on this?
18:49 <_ikke_> consus: iirc, alpine well no longer use grsec
18:49 <_ikke_> will*
18:50 <dalias> good riddance
18:50 <kpcyrd> is there nobody who feels like maintaining it?
18:50 <consus> There is another way around this
18:50 <consus> Someone large enough could just buy a subscription
18:50 <consus> And then share the code
18:51 <consus> I heard that Gentoo folks are considering this
18:51 <_ikke_> consus: when they share the code, they lose access
18:51 <consus> =/
18:51 <kpcyrd> _ikke_: ehm, isn't this GPL after all?
18:51 <consus> Well
18:51 <consus> You got the code
18:52 <consus> :D
18:52 <consus> The one you paid for
18:52 <_ikke_> Right, but you want to be able to use newer kernels
18:52 fekepp joined
18:52 <consus> Yep
18:52 <consus> So no sharing
18:53 <consus> A shame
18:53 <consus> What a wonderful day to migrate my infrastructure to alpine -_____-
18:53 <kpcyrd> in theory somebody who knows how to write kernel patches could try to upstream some of the patches of the existing patchset so at least those aren't lost
18:53 <consus> Eh
18:54 <consus> They had 16 years to do it
18:54 <consus> And AFAIR they've tried a lot
18:54 <_ikke_> kpcyrd: I think the reason why grsec exists is because the main kernel did not accept these kinds of patches
18:54 <kpcyrd> yeah, but now is a good day to retry
18:54 <consus> No
18:54 <consus> Who will maintain it?
18:54 <consus> The kernel guys?
18:55 <consus> It's like reiser4 thing
18:55 <kpcyrd> well, so openbsd it is then?
18:55 <consus> I use it on routers
18:55 <consus> Works for me
18:55 <consus> The best OS for a router/vpn in my experience
18:56 <consus> And since they now have sysupdate... :D
18:56 <consus> There is m:tier of course, but it's nice to have native stuff
18:56 <kpcyrd> half my devices run grsec, I don't really feel like migrating back to vanilla and openbsd is the only alternative
18:58 <kpcyrd> another idea: some of those linux foundations take some money and buy an extra pricey grsec subscription that allows distribution?
18:59 <consus> Do they have one?
18:59 grayhemp joined
18:59 <koollman> probably cheaper to integrate part of the code :)
19:00 <dalias> <@_ikke_> consus: when they share the code, they lose access
19:00 <dalias> if that happens to anyone, there'll be a giant lawsuit and the asshats at grsec will be pummeled
19:01 <consus> Why?
19:01 <dalias> because it's infringing the terms of the gpl
19:01 <consus> Really?
19:01 <consus> How?
19:01 <dalias> yes
19:01 <dalias> imposing additional requirements
19:02 <consus> Well I need to consult a lawyer
19:02 <dalias> you can't get around that just by making the additional requirements silent threats that aren't written down
19:02 <dalias> "of course you have your rights under the gpl, but if you exercise them we'll stop doing business with you" is not going to fly
19:03 <kpcyrd> let's ask rms about this
19:03 <dalias> there's no need to ask on a case by case basis
19:03 grayhemp joined
19:03 <consus> hmm
19:03 <dalias> this kind of threat was discussed 3 decades ago
19:03 <consus> You have a link?
19:03 <koollman> dalias: that's what redhat does, and have been doing for quite a while
19:04 <dalias> not offhand, i'd have to dig up stuff
19:04 <dalias> koollman, no
19:04 <kpcyrd> koollman: isn't redhat all about support only?
19:04 <dalias> that's utter misrepresentation
19:04 <_ikke_> how does GPL work if you aren't offering any product? just code..
19:05 <_ikke_> (patches)
19:05 <kpcyrd> _ikke_: isn't the gpl all about code?
19:05 <consus> not exactly
19:05 <consus> It covers stuff like distribution
19:05 <koollman> now I have to dig up stuff to back my claim
19:05 <dalias> koollman, or just admit that it was wrong
19:05 <koollman> https://lwn.net/Articles/431854/ and https://lwn.net/Articles/432012/
19:06 <koollman> old. but relevant. when the policy changed to "some of our modifications are really just for us and our customers"
19:06 <kpcyrd> consus: yeah, but due to copy left the GPL applies to their patches
19:06 <consus> Of course
19:06 <consus> BUT
19:06 <_ikke_> kpcyrd: from what I understood is that GPL requires you to provide the code to the users of the code, you are not required to make it generally available
19:06 <consus> They share the code with you. No additional restrictions. You paid -> here the code.
19:07 <dalias> koollman, the first of those links does not back up your claim at all; rather it refutes it
19:07 <consus> And I have no idea about support cancellation
19:07 <dalias> moreover..
19:07 <consus> I really need to consult my lawyers
19:07 <koollman> dalias: it makes an argument about why redhat is wrong in their move
19:07 <koollman> dalias: implying they did
19:07 <kpcyrd> _ikke_, consus: that made sense at first, but I think dalias has a very good point with "imposing additional requirements"
19:08 <dalias> even what RH does shipping a giant tarball of source with no documentation of which patches are applied and how is likely infringing
19:08 <_ikke_> "merely because the GPL is silent on whether or not you must keep someone as your customer"
19:08 <dalias> because GPL requires that you document the date and authorship of _each change_
19:08 <koollman> dalias: absolutely correct. Yet, redhat is still happily around
19:08 <dalias> because kernel folks don't care about strict enforcement of minor details
19:09 <vectr0n> _ikke_, thx your suggestion worked perfectly :)
19:09 <dalias> that's why the busybox lawsuits happened
19:09 <dalias> because busybox was the wedge that could be used on vendors when kernel copyright holders refused to go after infringement
19:10 <koollman> dalias: so ... how is that different from another set of kernel patches (grsecurity/pax) ?
19:10 <dalias> just because someone is infringing doesn't necessarily mean they'll be forced to stop; the copyright holders have to care
19:10 <kpcyrd> _ikke_: I think you need a good reason to cancel a subscription somebody paid for?
19:11 <dalias> making effectively closed-source derivatives where you threaten your customers into not exercising their rights is a lot different, and more likely to be litigated, than just failing to document changes in exactly the way gpl said you need to
19:11 <consus> Errr
19:11 <consus> Nobody threatens anyone
19:11 <dalias> yes they do
19:11 <consus> Err
19:11 <consus> No
19:12 <_ikke_> kpcyrd: depends on the contract I guess
19:12 <dalias> the claim is that there's an implicit threat you'll no longer be able to get grsec (contract not renewed) if you release the source
19:12 <kpcyrd> _ikke_: you mean the GPL?
19:12 <dalias> that is a threat
19:12 <dalias> and it's a clear gpl violation
19:12 <consus> Again, what part? It does not impose additional restriction on getting the code.
19:12 <dalias> the gpl requires you to make parties who receive copies from you fully aware of their rights under the gpl and not to impede their ability to exercise those rights
19:13 <consus> It imposing additional restriction on getting the next release
19:13 <dalias> no
19:13 <consus> How so?
19:13 <dalias> "You may not impose any further
19:13 <dalias> restrictions on the recipients' exercise of the rights granted herein."
19:14 <consus> They do not.
19:14 <consus> On getting *this* version of code
19:14 <dalias> you're missing the point
19:14 <dalias> it has nothing to do with versions
19:14 <kpcyrd> consus: "you have the right to do X, Y, Z but we're making sure you aren't doing anything of that"
19:14 <consus> kpcyrd: nope
19:14 <dalias> if they said "if you share the source, we'll shame you on twitter" that's a restriction on the recipient's exercise of the rights granted
19:15 <dalias> any retaliation, regardless of whether it pertains to obtaining this or a future version of the sw, is a restriction on the exercise of those rights
19:15 <_ikke_> dalias: is that actually tested, or is that a desired interpretation?
19:15 <kpcyrd> can we all agree for a moment that grsec is GPL software?
19:15 <consus> I do not think that this is the right interpretation
19:15 <koollman> dalias: I offer you my new release. you can do what you want with it. however, I decide to distribute releases only to the people I like. you may or may not be in this group for the next release.
19:16 <consus> So again, I will consult my pet lawyers as I'm really interested in this grey area :D
19:16 <koollman> dalias: I am not limiting your rights. just chosing not to distribute in the future
19:16 <consus> I do not have the full picture to continue the discussion
19:16 <dalias> this is stupid libertard fantasy-land
19:16 <koollman> kpcyrd: agreed
19:17 <dalias> courts are not fond of retaliation against parties for exercising their contractual rights
19:17 <kpcyrd> somebody should seriously email rms about this
19:17 <consus> rms reads mail?
19:17 <_ikke_> he does
19:18 <koollman> dalias: and if it goes to court, yes, the argument can be made. but the question really is 'will it go there'
19:18 <consus> Well... we do have a bunch of GPL fanatics
19:18 <dalias> imagine an employment contract says you get N days of personal time off, but every employee who uses them gets fired
19:18 <consus> That will go in court
19:18 <consus> But the thing is
19:18 <dalias> if you can show the court such a pattern
19:18 <dalias> the court will almost surely determine breach of contract
19:19 <consus> Why are we even here? The major security suite that was not included in Linux kernel for SIXTEEN goddamn years.
19:19 <dalias> same if every grsec customer who shares the source gets denied contract renewal
19:19 <consus> So maybe the real problem lies here
19:19 <dalias> consus, because it's crap
19:19 <dalias> and it's always been crap
19:19 <dalias> a _very few_ ideas in grsec were useful and innovative
19:19 <dalias> most of them just break stuff randomly
19:19 <consus> So why bother then
19:20 <koollman> pax ideas are pretty nice, and the implementation do work
19:20 <dalias> because gpl infringers deserve a smackdown
19:20 <consus> Nah
19:20 <consus> Nobody wants to waste their time on this
19:20 <koollman> some do :)
19:20 <dalias> lots of people do
19:20 <consus> Well yeah
19:20 <consus> We do have a couple of fruitcases
19:20 <consus> Still
19:20 <dalias> the value isn't keeping grsec source available
19:21 <dalias> the value is in demonstrating that you can't make up stupid loopholes to make closed-source linux kernels
19:21 <consus> Someone on the Internet is not right. Let's waste our time instead of writing the really good security for the Kernel :D
19:22 <koollman> writing security is way harder than arguing on the internet. Even worse for good security ;)
19:22 <dalias> "you have all the rights the gpl says, but of course i'll cut you off if you use them, and of course i'm not writing that down anywhere because it would obviously be illegal if i wrote it down" is utter bullshit
19:22 <dalias> and everybody knows it
19:24 <consus> Sigh
19:24 <consus> Okay
19:24 <kpcyrd> consus: "I sell you 4k chicken nuggets I made from free chicken for $1. You can buy as many additional 4k chicken nuggets for $1 and since this is free chicken, I'm legally required to allow you eating your nuggets, but if you actually do, I won't sell you any more chicken nuggets while keeping the free chicken"
19:24 <consus> Back to the ground
19:25 <consus> kpcyrd: *YOU* can use the code. You just can't give it to anyone else without losing the ability to update.
19:26 <consus> As simple as that
19:26 <_ikke_> But do you have the right to get updates?
19:26 <dalias> it's not that you have a right to get updates
19:26 <consus> GPL does not say anything about updates :)
19:26 <dalias> that's a distraction
19:27 <kpcyrd> consus: I can't use the code if the only usecase is distribution which is allowed by their own license
19:27 <dalias> it's that you have a right not to be discriminated against on the basis of having exercised your rights under the gpl
19:27 <consus> kpcyrd: Distribute as much as you want
19:27 gopar joined
19:29 <dalias> because this happening, or even the threat that it might happen, imposes a restriction on the exercise of the rights that were nominally granted
19:29 <consus> What if I put an ASCII hitler in the code?
19:29 <consus> Will it violate GPL?
19:29 <consus> Because sharing the code will bring SJWs around
19:30 <consus> And you will be punished for an ASCII Hitler
19:30 <dalias> i'm going to go even further and say that, even if they didn't refuse to renew any real customers' subscriptions...
19:30 <consus> Hence restrictions
19:30 blueness joined
19:31 <dalias> if they made up a bunch of fake customers and posted fake stories by those fake customers saying their subscription renewal had been denied on the basis of sharing source...
19:31 <dalias> (to make real customers scared to do so)
19:31 <consus> Yeah-yeah, but what about Hitler?
19:31 <dalias> that would constitute a violation of the requirement
19:31 <dalias> i'm not even going to acknowledge that idiotic question or continue to talk to you
19:31 <consus> This is a nice GPL paradox
19:31 <dalias> because you've shown yourself to be a troll aligned with deplorable people
19:31 <dalias> good day
19:34 <consus> Aw come on
19:34 <consus> Don't be like that
19:36 <kpcyrd> unrelated to gpl: does anybody know how much a grsec subscription costs if I want to keep my personal devices on grsec? Is it affordable for regular people?
19:36 <consus> https://grsecurity.net/purchase.php
19:36 <consus> You can write them
19:37 <kpcyrd> "you can write them" is usually "you can't afford it"
19:38 <_ikke_> Right, I don't think they cater to small users
19:38 <dalias> kpcyrd, if it were available at prices where they'd have significant sales volumes, this wouldn't even be a question, since it would be easy to just keep making new customers to get and share each new version...
19:41 <consus> > Grsecurity (pricing begins at $200/month)
19:41 <consus> That's affordable
19:41 <kpcyrd> consus: depends on your budget
19:42 <consus> Of course
19:42 <consus> Still it's not $3000 per machine
19:42 <kpcyrd> true
19:42 fisuk joined
19:43 <darkfader> rhel subsription is like $600/y and that also just gets you updates and lets you look at the tech notes where they describe their regressions
19:43 <darkfader> $200 is quite overpriced IMO but also not horrible
19:44 <darkfader> easily saved on panic mode if it's a web platform
19:45 <consus> Does alpine support virtio disks?
19:46 <consus> Seems likely
19:46 <kpcyrd> grsec is still officially dead for appliances?
19:47 <consus> Huh?
19:47 <xentec> consus, CONFIG_VIRTIO_BLK=m
19:47 <consus> Yeah
19:47 <consus> I'm talking about the installer and stuff
19:47 lesion joined
19:47 t0mmy joined
19:47 <consus> Maybe it's ignored in disk chooser etc
19:47 <darkfader> consus: i only migrated after install :/
19:48 <consus> Well I'm going to find out lol
19:48 <darkfader> :)
19:48 <consus> Not that it will take enormous time
19:48 <kpcyrd> consus: if I ship appliances using grsec I'm legally required by the gpl to share my source with my customers which you put my subscription on risk
19:48 <consus> Ah
19:48 <kpcyrd> s/you put/would put/ sry
19:48 <consus> Yeah, something like that
19:48 <consus> If it's true
19:48 <consus> That you will lose the subscription
19:49 <consus> I'm not aware of such restriction, my knowledge of grsec is very limited
19:50 <kpcyrd> I'm not a lawyer in the end. I'm just sad that grsec in distros is not going to be a thing in the future.
19:57 <consus> darkfader: Yep
19:57 <consus> darkfader: Works fine with vda
19:57 <consus> ^^
19:57 <consus> Alpine is very sweet
19:57 <consus> Though musl sometimes sucks
19:57 <consus> Like with that utmp/wtmp thing
20:02 aw1 joined
20:06 <consus> And now I have fully ansible-provisioned git server ^^
20:07 <consus> Damn I like alpine much
20:08 MuffinMedic joined
20:22 kahiru joined
20:43 <Shiz> kahiru: it's from the alpine-iso project
20:51 gopar joined
20:53 <BitL0G1c> has anyone got gpg-agent's ssh-support working in alpine ?
21:11 mmlb joined
21:19 <bougyman> how does https://grsecurity.net/passing_the_baton_faq.php affect alpine?
21:20 <Shiz> there is currently no solid decision on how to move forward afaik
21:20 <Shiz> it's too early for that
21:21 <bougyman> sad day for linux security
21:21 <consus> Well
21:21 <consus> Depends
21:22 <Shiz> it could turn out to be either way
21:22 <Shiz> for all you know this is the day a beautiful community-maintained open hardening kernel patch project is born
21:22 <Shiz> ;)
21:22 <consus> Or kernel guys will start to think about security more
21:23 <Shiz> well, they already do to a degree -- see also KSPP
21:23 <Shiz> the argument from others is that its inadequate, but at least they care a bit more
21:23 <consus> :D
21:27 duncaen joined
21:31 terran joined
21:32 gattuso joined
21:49 <TBB> well, we already know grsecurity's opinion on the matter: "good luck with whatever you attempt because you sure as hell aren't getting anywhere near what we can do"
21:49 <consus> :D
21:49 <darkfader> hm
21:50 <darkfader> it's more like "because you sure as hell are just gonna pretend you got as far and not walk the walk"
21:50 <consus> For folks who were not able to push their stuff mainline FOR SIXTEEN GODDAMN YEARS this is a pretty strong opinion
21:50 <darkfader> mainline has often enough set back development for years
21:50 <darkfader> see all the praise on removing locks vs. what they said about it in end-90s
21:51 <consus> Well
21:51 <consus> No BKL anymore
21:51 <darkfader> "no issue now, low impact, hard to code, blah"
21:51 <darkfader> yeah
21:51 <consus> Since 2008
21:51 <consus> AFAIR
21:51 <darkfader> but it was a BIG decision to keep it and years were spent saying it's ok
21:51 <darkfader> and pushing back on attempts to do something about it
21:52 <consus> Yes
21:52 <consus> Still
21:52 <darkfader> so any major arch improvement in linux needs willingness to go against windmills for 10y+, or (or!) you have just to be the guy they love
21:52 <consus> Sixteen years is more than a half of the Linux kernel lifetime
21:52 <darkfader> yeah
21:52 <darkfader> but it's not surprise
21:52 <consus> Hmm
21:52 <darkfader> linux "core" is one of the worst and most hostile groups humanity has ever grown
21:53 <darkfader> not for us techs who are used to it
21:53 <consus> > hostile
21:53 <darkfader> but imagine you showed and fully explained it to someone outside of tech
21:53 <consus> Wha?
21:53 <consus> > So set --with-path-mbox=/var/spool/mail to fix spoll path
21:53 <consus> Dammit
21:53 <darkfader> :))
21:53 <consus> It's the other way around
21:53 <* darkfader> goes back to writing docs
21:53 <consus> /var/mail should replace it
21:54 <consus> Gotta whine in #alpine-devel some more
22:00 <consus> Okay, whined
22:09 grayhemp joined
22:13 gopar joined
22:20 gopar_ joined
22:38 gopar joined
22:41 dave0x6d joined
22:43 <vectr0n> ncopa, https://bugs.alpinelinux.org/issues/6997 appears someone already posted one beginning of march
23:03 frew joined
23:14 p3rmagriN joined
23:16 MH0815 joined
23:16 grayhemp joined