
List:       secure-desktops
Subject:    Re: [Secure Desktops] dbus, gnunet (was: unstable dnssec-root)
From:       Miroslav Rovis <miro.rovis () croatiafidelis ! hr>
Date:       2017-02-20 14:46:05
Message-ID: 20170220144605.GA17393 () g0n ! xdwgrp



I'll now try to reply to both of lynX's emails, so I'll make two parts.

( Pls also bear in mind that I'm trying to give, to my abilities,
complete information for a casual reader from the web, as well. )

First part is actually
 In-Reply-To: <20170219173105.GA19845@lo.psyced.org>
( https://secure-os.org/pipermail/desktops/2017-February/000174.html )

On 170219-18:31+0100, carlo von lynX wrote:
> Hello!
> 
> I admit I've taken a works-for-me type of approach with gentoo
> making an overlay to handle what we need and gentoo can take
> what they like of it or ignore it...
> 
> On Sat, Feb 18, 2017 at 03:21:21PM +0000, ng0 wrote:
> > > > > >>> Emerging (1 of 8) net-dns/dnssec-root-20150403::gentoo
> 
> This particular version of dnssec is the problem:
> 
> * net-dns/dnssec-root
>      Available versions:  20110630^m (~)20150403 {test}
>      Homepage:            https://www.iana.org/dnssec/
>      Description:         The DNSSEC root key(s)
> 
> As you see the stable version is from 2011 and whoever
> made a new one in 2015 didn't make it stable enough to
> have it become the official current version (the tilde).
> So if you managed to pull in net-dns/dnssec-root-20150403
> you might have experimented with ACCEPT_KEYWORDS or
> package.accept_keywords... simply make sure that you have
> net-dns/dnssec-root-20110630 and the problem should go
> away. Also, it isn't even obvious how dnssec got into
> the dependencies.. probably through USE 'dane' which is
> optional. GNUnet doesn't need it at all to be fully
> operational, it's just a perfectionist extra or a
> tribute to the friends that happen to have designed
> dane/dnssec.. IMHO.
>
Maybe just to add (as I also posted on:
https://bugs.gentoo.org/show_bug.cgi?id=609740#c7
)
that portage, in some of my previous tries at "emerge gnunet", had added:

# cat /etc/portage/package.use/package.use.file
...
# required by net-misc/gnunet-0.10.2_rc1::youbroketheinternet[httpd]
# required by gnunet (argument)
>=net-libs/libmicrohttpd-0.9.52 messages
# required by net-misc/gnunet-0.10.2_rc1::youbroketheinternet[dane]
# required by gnunet (argument)
>=net-libs/gnutls-3.5.9 dane

> > > > In any case, I no longer maintain the ybti overlay (contrary to the
> > > > contact info, that was just a public choice for Gentoo reasons from the
> > > > start of not being .onion exclusive anymore), that's the task of another
> > > > person. 
> 
> I suggested ng0 to take a look at Guix for maybe we can
> migrate away from gentoo someday.. and so here I am alone
> on gentoo while ng0 is having fun on guix  ;)
I'm sure there will be lots of Gentoo users coming over to gnunet, and
I'm not somebody who can move around and learn fast, so pls. keep it
available in Gentoo as well!

> > That bug is dnssec related, not gnunet. The only relevant bugtracker is
> > Gentoo Bugzilla. But others involved in GNUnet will tell you probably
> > the same.
> 
> With a buggy package from 2015 it sure looks like dnssec
> isn't exactly supermaintained at gentoo. But it's probably
> also true that the importance of the dnssec root server
> list is minimal. Seeing you blocked from moving on with
> GNUnet because of dnssec root servers hurts as it is like
> not sending children to school because we ran out of
> pencil sharpeners.
Yeah! 

> > > No! C'mon. It needs to be updated, not removed! IIUC. And I hope to
> > > understand correctly once I start using gnunet ;-) (and onion et cetera).
> 
> gentoo users are used to having all information within
> the ebuild or doc folders after installation, so there
> should not be an instruction manual lost on some webpage
> in outer space.. i think, since ng0 enhanced the ebuild a
> lot, that page indeed makes little sense keeping. It was
> a useful starting point and we are thankful to the guy
> who did the first version of the ebuild.
I see!

> > > Sure. But now that I posted on gnunet bugzilla, maybe, I'll wait a
> > > little if I get any replies there. Or try Gentoo bugzilla even in the
> > > meantime... Never mind...
> 
> Sorry, I was nasty enough to just close the bug since it
> really has little to do with us  ;)  I hope you figured
> out how to revert to the safe version of dnssec-root.
> Since I don't have user accounts on the other platforms
> where you reported the problem, please add a notice to
> what fixed it for you.
I only reported it on Gentoo, and that's you there:
 lynX@youbroketheinternet.<...>.de IIUC, such as, e.g.:
https://bugs.gentoo.org/show_bug.cgi?id=609740#c6 aren't you?

> > > There are social problems in Gentoo, there are... E.g. I'm still banned
> > > from Gentoo Forums, and for invented reasons... But there are also
> > > really great folks in Gentoo as well...
> 
> After 20 years of being open to the general public, the
> Internet has learned the importance of Code of Conduct
> documents. Now give it another 10 years to learn how to
> have them be respected...  ;)   Until then it is no
> surprise that all somewhat large projects are a mess with
> people striking the wrong tones in social interaction.
> I wouldn't blame it on Gentoo.
Neither would I. There are great people in Gentoo... And there are the
less great, and also folks who are downright not great at all... (and
it's niceties and euphemisms to put it only like that)

> 
> > > preparing for 33c3, I found https://media.ccc.de and watched a lot of
> > > videos from the Chaos 33c3 but found none of you!
> 
> Hehe, ours are at youbroketheinternet.cheettyiapsyciew.onion
> 
> > > > > I hope Pragma makes it and becomes great tool of Freedom!
> 
> no idea what pragma is, but if all developers had a gnunet or
> at least a tor router running on their computers or homeservers,
> then it would be totally natural to use git the way it was
> originally intended: i clone your repository, make my changes
> to it, put it onto my tor/gnunet-based git server and message
> you my pull request. no need for github.
> 
> and miro, i'm honored you spent so much time reading our websites!  ;)
> hope to keep seeing you around as we kickstart the secushare network.
But the batteries can produce only so much power... ;-)

All the new stuff is draining my energy, and it's a lot of new stuff for
a 60 yr old (but don't worry, I'm feeling young).

> 
> -- 
>   E-mail is public! Talk to me in private using encryption:
>          http://loupsycedyglgamf.onion/LynX/
>           irc://loupsycedyglgamf.onion:67/lynX
>          https://psyced.org:34443/LynX/

I hope I'll be using the above... But let me first make yet another
note, which shouldn't be off-topic either, like the dnssec-root was, and
dbus isn't (I'll reply about dbus more in the second part below)...

Pls. keep GNUnet available in Gentoo as well. The good thing about
Gentoo is that it has brought the grsecurity-hardening pretty strong
into the world of FOSS GNU Linux. I see grsecurity has been proposed
even for the NSA Linux- (sorry, I meant SELinux-) entrenched Tails! See:

grsecurity in Tails 
https://tails.boum.org/blueprint/grsecurity_in_Tails/

Publish next steps to get Grsecurity in Tails
https://labs.riseup.net/code/issues/10040

Also finally Corsac brought grsecurity into Debian mainstream:
ITP: linux-grsec -- Linux kernel with grsecurity patch
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090

( I haven't yet, but will, move to Devuan, the fork, because of
systemDestruction, but I can see people are now using grsec a lot in
Debian derivatives, such as in a reply to my:

Libvirt virtualization policies
https://forums.grsecurity.net/viewtopic.php?f=5&t=4675#p16948
)

Even the incomplete grsec (only demo RAP, not complete Reuse Attack
Protection), the non-paid-support one, I believe is far, far better than
NSA Linux (can't talk about AppArmor; but are there such genii there too,
like spender and PaX Team, maybe?)...

However, for projects like the ones in the SecureOS, I believe both
spender and PaX Team are collaborative, and there shouldn't be
incomplete grsecurity... How is it for Subgraph I wonder?

But I must not write more than my low competence justifies.

What I dream of doing next, is to try and build RBAC policies for
deployment of GNUnet in Gentoo, and of course it shouldn't differ much
from deployment in other Linuces.
(
But first I have to start using GNUnet...

And I did check my installation. I first checked it while still offline:
"gnunet-arm -s" does start a lot of binaries! Then I quit with
"gnunet-arm -e". My gnunet-9999 very likely is working fine!
)

So, my dream is for you guys to get grsecurity for the SecureOS family
deployed, and get spender and PaX Team to find their way around license
issues and provide free *and complete* grsecurity testing again for the
world...

(Maybe Richard Matthew Stallman could think about fixing the gcc-plugins
license --whatever that it's called-- instead of supporting anything in
the world SELinux, as I saw on his pages, years ago, some emacs plugin
with selinux or so in its name, and got angry with him.)

My take on the politics that led to the current state of affairs with
the kernel and grsecurity can be read at:
https://forums.whonix.org/t/whonix-on-gentoo-issues/3188/15
(also some views about dbus in that topic, so I'll be back to it again in
the second part)

But, to a person with sane logic, to understand why SELinux cannot be
right for a privacy OS, it should even suffice to read what still
testifies today about rootkits in the Linux Security Module which Linus
Torvalds built for SELinux, an article that every newbie to FOSS GNU
Linux should read:
Developer Raps Linux Security
http://www.crmbuyer.com/story/39565.html

==================

Now the second part.

On 170220-12:20+0100, carlo von lynX wrote:
> I guess our thread was mostly off-topic for this list so far,
> but the dbus aspect should be interesting for secure-os devs.
More about dbus (or d-bus they also call it, remember, I'm writing also
for readers that read this later from online) below.

> On Mon, Feb 20, 2017 at 12:00:34PM +0100, Miroslav Rovis wrote:
> > I'll reply to lynX email directly, but first I need to,
> 
> bring it up :)
I'm doing it, as you can see.

> > But, I'm obsessively overwhelmed (it's very interesting!) to start using
> > GNUnet, or gnunet (whatever the prevalent naming will be)... I only just
> 
> good timing.. just this week all the cadet, vpn, pubsub and file sharing
> functionality is magically starting to actually work.. we had a long
> period of ripped up sidewalks, as they say in Germany...
( I'm a bit of a fan of Teutonic culture, just a bit, I re-started
learning German, but ran out of time available... Ah, the whole world is
anglicized these days, what can you... )

> > managed to install it, and I have to go the harder way, because I run a
> > useflag -dbus Gentoo, and gtk+ to install gnunet-gtk requires dbus, so
> > no gnunet-setup for me...
> 
> It's not essential.. it's just that getting used to the gnunet config
> syntax takes time.. we hope that our USB sticks will come with a
> setup that *just works*
I hope so too. I dream of my people also in Croatia breaking the censorship
and control of the ugly and shady castes of our society and organizing
better, freer lives for themselves... It's pretty ugly here too...

> But the question that might interest other people in here as well
> as me is the reasoning behind rejecting dbus. I am not very familiar
> with it, the only thing I was disturbed by was its use of XML but
> since I was told that the XML is compiled into some binary format
> and the processes actually exchange efficient binary messages I
> stopped bothering... I did however hear that the openwrt bus
> replacement is more efficient than dbus somehow.
I'm not an expert. However, time has proven me right in some of my,
intuitive more than knowledge-based, claims.

WARNING: readers pls. discern for yourself, discern the results from the
searches; parts of the content of these links are TL;DR, so discern to
find the worthy parts.

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146.html

Updating and keeping your Gentoo non-poetterized
https://forums.gentoo.org/viewtopic-t-1012022.html

The thing about dbus in Gentoo is: there is the useflag -dbus which is
supported very well for non-huge-desktop systems!

This is the beauty of Gentoo, its default OpenRC installation is
dbus-free:
https://wiki.gentoo.org/wiki/Comparison_of_init_systems

( and other systems are using it; I know also Devuan have expressed
intention to port OpenRC to their infrastructure )

I managed to get me a Tails with a non-dbus Virt-Manager and
Virt-Viewer, but I haven't reproduced that successful deployment later
(because, among other reasons, I got engrossed in this discussion, and
on Whonix, and on the forums.grsecurity.net Libvirt virtualization
policy development linked above). But I hope I will...

And also I might be close to running Whonix on my Gentoo, also without
dbus (in my host system), as per the discussion (link already given
above, repasting it, with different local link):
https://forums.whonix.org/t/whonix-on-gentoo-issues/3188/12

I used to suffer very ugly intrusions, just skim through this 2011 topic
of mine:
System attacked, Konqueror went on window-popping spree!
https://forums.gentoo.org/viewtopic-t-905472.html
and look up a video or two (
Schmoog the Schmoogle's Youtube banned my whole account (5 yrs' work,
500+ videos) in 2014 for rigged copyright issues --for political dissent in
all reality, very likely a bought service to the above mentioned shady
castes in Croatia--, but search for "vimeo", those were also banned, but
were later restored
)

If only I had been able to record into my $SSLKEYLOGFILE back then! If only!
I now do so with a shell script program of mine (on github, because I
know no better yet): https://github.com/miroR/uncenz ... Maybe I would
have been able to publish what and who did that intrusion!...

But see also this one report of mine, to understand what dbus is
actually invented for (
by the report of my kind Gentoo fellow SteveL in the link already given
-- repeating it here, for the readers who missed it:
Updating and keeping your Gentoo non-poetterized
https://forums.gentoo.org/viewtopic-t-1012022.html
--search for "steveL", and just to whet your appetite, a quote:
> Yeah, that's exactly why we [his company] love dbus: because we can
> ignore the GPL."
)
[but see also this one report of mine to understand what dbus is
actually invented for] in practice (year 2014):

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566

PASTING, for clarity:

This is currently running on my system, this one that I connect to
internet with:
$ ps aux | grep ssh
root      2184  0.0  0.0  54976  1004 ?        Ss   Sep06   0:00 /usr/sbin/sshd
mr        2447  0.0  0.0  10592    32 ?        Ss   Sep06   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr       15141  0.0  0.0  19980  1796 pts/9    S+   21:48   0:00 grep ssh
$

PASTED.

There you can see how an encrypted session was running in my Debian, behind
my back! What would happen if dbus was used like that on, say, future
PragmaOS, or Whonix, or Subgraph, or Tails (if it isn't already) users?
How would it feel?

Dbus is bad, IMO. But I'm not competent to technically prove it, I'm at
best, just a tester.

So, following, and very gladly, because I'm the one who is honored here,
as you guys are experts, and I am, at best, a tester (and maybe just an
occasional tester), on carlo von lynX's advice to "bring it up", I spoke
a lot of what I had.

I checked all the links before pasting, but allow for later ERRATA anyway.

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr


_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops


