From arekm at maven.pl Tue Oct 6 09:57:00 2015
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Tue, 6 Oct 2015 09:57:00 +0200
Subject: [packages/openssh] allow dsa keys also client side, enable by default
In-Reply-To: <0c97474bafebbdc86d13d41624a85cccc55c02e0_refs_heads_master@pld-linux.org>
References: <7b7580be04c239a974d16f43adbdcf5861bdced0_refs_heads_master@pld-linux.org>
 <0c97474bafebbdc86d13d41624a85cccc55c02e0_refs_heads_master@pld-linux.org>
Message-ID: <201510060957.00819.arekm@maven.pl>

On Tuesday 06 of October 2015, glen wrote:
> commit 0c97474bafebbdc86d13d41624a85cccc55c02e0
> Author: Elan Ruusamäe
> Date: Tue Oct 6 10:04:54 2015 +0300
>
> allow dsa keys also client side, enable by default
>
> openssh-config.patch | 6 ++++--
> openssh.spec | 2 +-
> 2 files changed, 5 insertions(+), 3 deletions(-)

That change is harmful. With this change people won't notice that DSA is to be
dropped, won't migrate from DSA keys and will end up with a big problem when
the openssh team finally drops DSA support.

Please revert it (at least revert on client side; server side could enable DSA
keys for a while), so people WILL notice and will migrate to RSA/ECDSA keys.

> @@ -22,7 +22,7 @@ > +PermitEmptyPasswords no > + > +# Allow DSA keys > -+#PubkeyAcceptedKeyTypes +ssh-dss > ++PubkeyAcceptedKeyTypes +ssh-dss > ++ # Allow DSA keys > ++ PubkeyAcceptedKeyTypes +ssh-dss > +# Send locale-related environment variables, also pass some GIT vars

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From glen at pld-linux.org Tue Oct 6 10:08:15 2015
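Review bot: the `++PubkeyAcceptedKeyTypes +ssh-dss` line that replaces the commented-out `-+#PubkeyAcceptedKeyTypes +ssh-dss`, together with the new indented copy below it, turns DSA public-key acceptance on in the shipped defaults while the only explanation left in the config is `# Allow DSA keys`. Nothing tells an administrator or user reading the file that this re-adds a key type the defaults would otherwise leave out, so nobody is prompted to replace those keys. Suggest leaving the directive commented out in the client-side block, or at least extending the comment to say the setting is transitional and that DSA keys should be replaced with RSA/ECDSA ones.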
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Tue, 06 Oct 2015 11:08:15 +0300
Subject: [packages/openssh] allow dsa keys also client side, enable by default
In-Reply-To: <201510060957.00819.arekm@maven.pl>
References: <7b7580be04c239a974d16f43adbdcf5861bdced0_refs_heads_master@pld-linux.org>
 <0c97474bafebbdc86d13d41624a85cccc55c02e0_refs_heads_master@pld-linux.org>
 <201510060957.00819.arekm@maven.pl>
Message-ID: <5613816F.8030804@pld-linux.org>

On 06.10.2015 10:57, Arkadiusz Miśkiewicz wrote:
> On Tuesday 06 of October 2015, glen wrote:
>> commit 0c97474bafebbdc86d13d41624a85cccc55c02e0
>> Author: Elan Ruusamäe
>> Date: Tue Oct 6 10:04:54 2015 +0300
>>
>> allow dsa keys also client side, enable by default
>>
>> openssh-config.patch | 6 ++++--
>> openssh.spec | 2 +-
>> 2 files changed, 5 insertions(+), 3 deletions(-)
> That change is harmful. With this change people won't notice that DSA is to be
> dropped, won't migrate from DSA keys and will end up with a big problem when
> the openssh team finally drops DSA support.
>
> Please revert it (at least revert on client side; server side could enable DSA
> keys for a while), so people WILL notice and will migrate to RSA/ECDSA keys.

shouldn't it be opposite?

a) allow in server
b) disable in client

then user will notice key does not work, but CAN do something about it
clientside, log in with dsa key and add new rsa key there.

when server side disabled, user can't do anything without ssh server admin
access. i'll assume here password auth is already off.

--
glen

From arekm at maven.pl Tue Oct 6 10:12:39 2015
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Tue, 6 Oct 2015 10:12:39 +0200
Subject: [packages/openssh] allow dsa keys also client side, enable by default
In-Reply-To: <5613816F.8030804@pld-linux.org>
References: <7b7580be04c239a974d16f43adbdcf5861bdced0_refs_heads_master@pld-linux.org>
 <201510060957.00819.arekm@maven.pl>
 <5613816F.8030804@pld-linux.org>
Message-ID: <201510061012.39545.arekm@maven.pl>

On Tuesday 06 of October 2015, Elan Ruusamäe wrote:
> On 06.10.2015 10:57, Arkadiusz Miśkiewicz wrote:
> > On Tuesday 06 of October 2015, glen wrote:
> >> commit 0c97474bafebbdc86d13d41624a85cccc55c02e0
> >> Author: Elan Ruusamäe
> >> Date: Tue Oct 6 10:04:54 2015 +0300
> >>
> >> allow dsa keys also client side, enable by default
> >>
> >> openssh-config.patch | 6 ++++--
> >> openssh.spec | 2 +-
> >> 2 files changed, 5 insertions(+), 3 deletions(-)
> >
> > That change is harmful. With this change people won't notice that DSA is
> > to be dropped, won't migrate from DSA keys and will end up with a big
> > problem when the openssh team finally drops DSA support.
> >
> > Please revert it (at least revert on client side; server side could
> > enable DSA keys for a while), so people WILL notice and will migrate to
> > RSA/ECDSA keys.
>
> shouldn't it be opposite?

It should be exactly like that:

> a) allow in server
> b) disable in client

revert on client side means go back to default on client == dsa disabled

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From mike at altlinux.org Mon Oct 12 15:56:20 2015
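Added example, not part of any message in this thread: a shell audit for the migration discussed above. It lists the `ssh-dss` entries in an `authorized_keys` file and flags a file whose only keys are DSA, which is the account that loses access once DSA is disabled. The function names and the sample file are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for DSA keys before DSA is dropped.

# key_types FILE: print "LINE TYPE" for each public key entry in FILE.
key_types() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines (blank lines have no fields)
        {
            # Options may precede the key, so look for a known type name
            # followed directly by the base64 blob (always starts with AAAA).
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^AAAA/) { print NR, $i; next }
        }' "$1"
}

# dsa_lines FILE: space-separated line numbers of the DSA entries to replace.
dsa_lines() {
    key_types "$1" | awk '$2 == "ssh-dss" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# lockout_risk FILE: succeeds when FILE holds DSA keys and no other key type,
# i.e. the account has no working key left once DSA is rejected.
lockout_risk() {
    key_types "$1" | awk '
        $2 == "ssh-dss" { dsa++ }
        $2 != "ssh-dss" { other++ }
        END { exit !(dsa > 0 && other == 0) }'
}

# Constructed sample; the key blobs are truncated placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER user@laptop
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup
EOF

echo "DSA entries on lines: $(dsa_lines "$sample")"
if lockout_risk "$sample"; then
    echo "only DSA keys present: add an RSA/ECDSA key before DSA is disabled"
fi
rm -f "$sample"
```
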
From: mike at altlinux.org (Michael Shigorin)
Date: Mon, 12 Oct 2015 16:56:20 +0300
Subject: [packages/iceweasel] - up to 40.0 (compilation errors, needs fix)
In-Reply-To: <55CB1350.3090105@pld-linux.org>
References: <55CB1350.3090105@pld-linux.org>
Message-ID: <20151012135620.GA617@imap.altlinux.org>

On Wed, Aug 12, 2015 at 12:35:12PM +0300, Elan Ruusamäe wrote:
> On 11.08.2015 22:56, adwol wrote:
> > # - consider --enable-libproxy > > +# - fix compilation errors: > > +# `error: 'PRLogModuleInfo' does not name a type' > > +# and similar
> likely related that it requires newer nspr or nss.
> just guessing.

Found this email when searching for what appears to be
https://bugzilla.mozilla.org/show_bug.cgi?id=1129718,
just in case.

--
?---- WBR, Michael Shigorin / http://altlinux.org
??------ http://opennet.ru / http://anna-news.info

From baggins at pld-linux.org Tue Oct 13 18:50:15 2015
From: baggins at pld-linux.org (Jan Rękorajski)
Date: Tue, 13 Oct 2015 18:50:15 +0200
Subject: [packages/iceweasel] - up to 40.0 (compilation errors, needs fix)
In-Reply-To: <20151012135620.GA617@imap.altlinux.org>
References: <55CB1350.3090105@pld-linux.org>
 <20151012135620.GA617@imap.altlinux.org>
Message-ID: <20151013165014.GA3929@home.lan>

On Mon, 12 Oct 2015, Michael Shigorin wrote:
> On Wed, Aug 12, 2015 at 12:35:12PM +0300, Elan Ruusamäe wrote:
> > On 11.08.2015 22:56, adwol wrote:
> > > # - consider --enable-libproxy > > > +# - fix compilation errors: > > > +# `error: 'PRLogModuleInfo' does not name a type' > > > +# and similar
> > likely related that it requires newer nspr or nss.
> > just guessing.
>
> Found this email when searching for what appears to be
> https://bugzilla.mozilla.org/show_bug.cgi?id=1129718,
> just in case.

I already fixed this in 295b2940926fa09755ddefbdbcf969ce82b1239e

--
Jan Rękorajski | PLD/Linux SysAdm | bagginspld-linux.org | http://www.pld-linux.org/

From glen at pld-linux.org Thu Oct 15 20:52:12 2015
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Thu, 15 Oct 2015 21:52:12 +0300
Subject: [packages/syslog-ng] - cron daemons log through syslog - syslog packages own cron log file and rotate it
In-Reply-To: <6d64ef6a3709b876f9d60bc6ac30695de645b167_refs_heads_master@pld-linux.org>
References: <3718169383b5759349c86af1b1f671203aad979d_refs_heads_master@pld-linux.org>
 <6d64ef6a3709b876f9d60bc6ac30695de645b167_refs_heads_master@pld-linux.org>
Message-ID: <561FF5DC.7050403@pld-linux.org>

On 15.10.2015 16:16, bszx wrote:
... > -%attr(640,root,root) %ghost /var/log/syslog > -%attr(640,root,root) %ghost /var/log/user > -%attr(640,root,root) %ghost /var/log/xferlog > +%attr(640,root,logs) %ghost /var/log/cron ... > +%attr(640,root,logs) %ghost /var/log/secure > +%attr(640,root,logs) %ghost /var/log/spooler > +%attr(640,root,logs) %ghost /var/log/syslog ... > > --- a/syslog-ng.conf > +++ b/syslog-ng.conf > @@ -43,7 +43,7 @@ destination d_authlog { file("/var/log/secure"); }; > destination d_mail { file("/var/log/maillog"); }; > destination d_uucp { file("/var/log/spooler"); }; > destination d_debug { file("/var/log/debug"); }; > -destination d_cron { file("/var/log/cron" owner(root) group(crontab) perm(0660)); }; > +destination d_cron { file("/var/log/cron"); };

correct me if i'm wrong, but

you kind of have a conflicting setup here:

- in rpm you have 640,root,logs,
- but in syslog.conf you have 644,root,root?

--
glen

From bszx-pld at bszx.eu Thu Oct 15 21:36:20 2015
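Review bot: in the `%attr` lines, `/var/log/syslog` moves from `%attr(640,root,root)` to `%attr(640,root,logs)`, and `/var/log/secure` is listed with the same `root,logs` ownership, so members of the `logs` group can read these files. The mode stays 640 and the commit subject does not mention the group change. Suggest stating in the commit message that read access for `logs` is intended for every listed file, the authentication log included (the `d_authlog` destination in the same patch writes to `/var/log/secure`).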
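Review bot: the new `d_cron` line drops `owner(root) group(crontab) perm(0660)` and names no owner, group or mode at all, so what `/var/log/cron` ends up with depends on settings outside this hunk, while the spec hunk expects `%attr(640,root,logs)`. Suggest either keeping the attributes explicit on the destination with the values the spec uses, or adding a one-line comment above the `destination` lines saying where the defaults come from. It is also worth confirming that nothing in group `crontab` still relies on the group write access the removed line granted.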
From: bszx-pld at bszx.eu (Bartek Szady)
Date: Thu, 15 Oct 2015 21:36:20 +0200
Subject: [packages/syslog-ng] - cron daemons log through syslog - syslog packages own cron log file and rotate it
In-Reply-To: <561FF5DC.7050403@pld-linux.org>
References: <3718169383b5759349c86af1b1f671203aad979d_refs_heads_master@pld-linux.org>
 <6d64ef6a3709b876f9d60bc6ac30695de645b167_refs_heads_master@pld-linux.org>
 <561FF5DC.7050403@pld-linux.org>
Message-ID: <56200034.8000409@bszx.eu>

On 10/15/15 20:52, Elan Ruusamäe wrote:
> On 15.10.2015 16:16, bszx wrote:
>
> ... >> -%attr(640,root,root) %ghost /var/log/syslog >> -%attr(640,root,root) %ghost /var/log/user >> -%attr(640,root,root) %ghost /var/log/xferlog >> +%attr(640,root,logs) %ghost /var/log/cron > ... >> +%attr(640,root,logs) %ghost /var/log/secure >> +%attr(640,root,logs) %ghost /var/log/spooler >> +%attr(640,root,logs) %ghost /var/log/syslog > ... > >> --- a/syslog-ng.conf >> +++ b/syslog-ng.conf >> @@ -43,7 +43,7 @@ destination d_authlog { file("/var/log/secure"); }; >> destination d_mail { file("/var/log/maillog"); }; >> destination d_uucp { file("/var/log/spooler"); }; >> destination d_debug { file("/var/log/debug"); }; >> -destination d_cron { file("/var/log/cron" owner(root) >> group(crontab) perm(0660)); }; >> +destination d_cron { file("/var/log/cron"); };
>
> correct me if i'm wrong, but
>
> you kind of have a conflicting setup here:
>
> - in rpm you have 640,root,logs,
> - but in syslog.conf you have 644,root,root?

Default owner, group and permissions are set earlier in options:

options {
    ...
    owner(root);
    group(logs);
    perm(0640);
    ....
};

Bartek

From glen at pld-linux.org Sun Oct 18 00:36:32 2015
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Sun, 18 Oct 2015 01:36:32 +0300
Subject: m4 in autofoo
Message-ID: <5622CD70.9060708@pld-linux.org>

hi

+ libtoolize --copy --force --install
libtoolize: error: One of these is required:
libtoolize: gm4 gnum4 m4
libtoolize: error: Please install GNU M4, or 'export M4=/path/to/gnu/m4'.

shouldn't libtool require m4 package?

our template.spec does not have "m4" in BR sample, but
automake,autoconf,libtool are there.

in fact, automake should require autoconf package?

+ aclocal -I m4
sh: autom4te: not found
aclocal: error: echo failed with exit status: 127

? which aclocal autom4te|xargs rpm -qf
automake-1.15-2.noarch
autoconf-2.69-3.noarch

--
glen

From glen at delfi.ee Thu Oct 29 13:52:45 2015
From: glen at delfi.ee (Elan Ruusamäe)
Date: Thu, 29 Oct 2015 14:52:45 +0200
Subject: crontab pam broken
Message-ID: <5632169D.203@delfi.ee>

$ crontab -l
You (glen) are not allowed to access to (crontab) because of pam configuration.

this fails because in syslog:

Oct 29 14:51:19 glen crontab[16154]: pam_unix(crond:account): unix_chkpwd abnormal exit: 11
Oct 29 14:51:19 glen crontab[16154]: (glen) PAM ERROR (Authentication failure)

any ideas?

Tue Aug 4 20:34:35 2015 cronie-1.5.0-1.x86_64
Mon May 25 11:04:54 2015 pam-1.1.8-8.x86_64
Mon May 25 11:04:54 2015 pam-libs-1.1.8-8.x86_64

# cat /etc/pam.d/crond
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
#session required pam_loginuid.so

# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth required pam_env.so
auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
auth required pam_unix.so try_first_pass
account required pam_tally.so file=/var/log/faillog onerr=succeed
account required pam_time.so
account required pam_unix.so
#password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1
password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass sha512 shadow use_authtok
#password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
#password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp
session required pam_env.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_mkhomedir.so skel=/etc/skel
session required pam_unix.so

--
glen

From glen at pld-linux.org Thu Oct 29 13:53:54 2015
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Thu, 29 Oct 2015 14:53:54 +0200
Subject: [packages/apache] - use default mutext (depends on apr default) instead of forcing file mutex
In-Reply-To: <13e66b8201ce6b058ee4e04a014e42d47863d039_refs_heads_master@pld-linux.org>
References: <4e5e777ffca2c6a8787f314cf9911ed46ac999ec_refs_heads_master@pld-linux.org>
 <13e66b8201ce6b058ee4e04a014e42d47863d039_refs_heads_master@pld-linux.org>
Message-ID: <563216E2.1070204@pld-linux.org>

what's the background of this change?
just general cleanup?
or that solves some common crash issues?

On 29.10.2015 13:38, arekm wrote:
> commit 13e66b8201ce6b058ee4e04a014e42d47863d039
> Author: Arkadiusz Miśkiewicz
> Date: Thu Oct 29 12:38:01 2015 +0100
>
> - use default mutext (depends on apr default) instead of forcing file mutex
>
> apache-mpm.conf | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
> ---
> diff --git a/apache-mpm.conf b/apache-mpm.conf > index 51cd43d..5a1b75c 100644 > --- a/apache-mpm.conf > +++ b/apache-mpm.conf > @@ -15,10 +15,14 @@ LoadModule mpm_prefork_module modules/mod_mpm_prefork.so > # > PidFile /var/run/httpd.pid > > +# Mutex: Allows you to set the mutex mechanism and mutex file directory > +# for individual mutexes, or change the global defaults > # > -# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. > +# Uncomment and change the directory if mutexes are file-based and the default > +# mutex file directory is not on a local disk or is not appropriate for some > +# other reason. > # > -Mutex file:/var/run/httpd/ > +# Mutex default:/var/run/httpd/

--
glen

From arekm at maven.pl Thu Oct 29 18:00:13 2015
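Review bot: replacing `-Mutex file:/var/run/httpd/` with the commented-out `+# Mutex default:/var/run/httpd/` changes two things at once: the mechanism is no longer forced to `file`, and the mutex directory is no longer pinned to `/var/run/httpd/`. The commit subject covers only the first. If only the mechanism was meant to change, ship `Mutex default:/var/run/httpd/` uncommented; otherwise name, in the new comment block, the directory that applies while the line stays commented, since the removed warning that the lock file must be on a local disk is now only implied.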
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Thu, 29 Oct 2015 18:00:13 +0100
Subject: [packages/apache] - use default mutext (depends on apr default) instead of forcing file mutex
In-Reply-To: <563216E2.1070204@pld-linux.org>
References: <4e5e777ffca2c6a8787f314cf9911ed46ac999ec_refs_heads_master@pld-linux.org>
 <13e66b8201ce6b058ee4e04a014e42d47863d039_refs_heads_master@pld-linux.org>
 <563216E2.1070204@pld-linux.org>
Message-ID: <201510291800.13520.arekm@maven.pl>

On Thursday 29 of October 2015, Elan Ruusamäe wrote:
> what's the background of this change?
> just general cleanup?
> or that solves some common crash issues?

General cleanup. It's upstream default (we were using default from 2005).

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )