Re: [gentoo-dev] Re: RFC: News item for net-firewall/shorewall all-in-one package migration

2015-04-17 Thread Thomas D.
Hi, thank you all for the feedback. I read through the news archive and most previous news items don't use the package category in the title. I'll propose > Title: shorewall is now a single package I filed a bug for the news item request: https://bugs.gentoo.org/show_bug.cgi?id=546952 -Th

[gentoo-dev] RFC: News item for net-firewall/shorewall all-in-one package migration

2015-04-04 Thread Thomas D.
nd 'net-firewall/shorewall-lite' to unmerge." because they didn't have shorewall-lite installed. 3) The last paragraph should indicate that the new shorewall ebuild is "stable" and that they don't have to react immediately but within the next 30-60 d

Re: [gentoo-dev] rfc: add-on files handling improvements

2015-03-30 Thread Thomas D.
Hi, William Hubbs wrote: > I believe, back in the day we started this practice, portage did not > support --newuse or --changed-use, so there was no way to only update > packages that had changed or new use flags. In that situation, I > understand why we installed all of these add-on files uncondi

Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Thomas D.
Hi, Hanno Böck wrote: > Right now a number of Gentoo webpages are by default served over http. > There is a growing trend to push more webpages to default to https, > mostly pushed by google. I think this is a good thing and I think > Gentoo should follow. +1 > Right now we seem to have a mix:

RE: [gentoo-dev] Figuring out the solution to in-network-sandbox distcc

2015-01-25 Thread Thomas D.
Hi, Michał Górny wrote: > I see two generic approaches possible here: > > 1. proxying distcc from within the build environment, or > > 2. moving distcc-spawned processes back to parent's namespace. > > > distcc client/server solution > - > > The most obvious soluti

Re: [gentoo-dev] Re: RFC: enabling ipc-sandbox & network-sandbox by default

2014-05-15 Thread Thomas D.
Hi, Ciaran McCreesh wrote: > Sandboxing isn't about security. It's about catching mistakes. From Wikipedia (http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29): > In computer security, a sandbox is a security mechanism for > separating running programs. It is often used to execute unt

Re: [gentoo-dev] Re: RFC: enabling ipc-sandbox & network-sandbox by default

2014-05-15 Thread Thomas D.
Hi, Ryan Hill wrote: > Probably best to make FEATURES=distcc disable network-sandbox > then. People enabling it are explicitly saying they want to access > the network. Do you really think it is a good behavior to automatically disable something you can call a "security feature"? At least there s

Re: [gentoo-dev] Possibility of overriding user defined INSTALL_MASK from an ebuild?

2014-02-28 Thread Thomas D.
Hi, Ian Stakenvicius wrote: > That said, what we could do (if this isn't done already) is have > portage automatically elog or ewarn what files are excluded from > the system on merge time due to the INSTALL_MASK. At least that > way, users would be able to see in the log what files were removed

Re: [gentoo-dev] News draft #2 for the udev-210 upgrade (was: 209 upgrade)

2014-02-26 Thread Thomas D.
Hi, I like your (Alex) new proposal, but I have the following annotations: > As of sys-fs/udev-210, the options CONFIG_FHANDLE and CONFIG_NET > are now required in the kernel. A warning will be issued if they > are missing when you upgrade. See the package's README in > /usr/share/doc/udev-210/ f

Re: [gentoo-dev] News draft #2 for the udev-210 upgrade (was: 209 upgrade)

2014-02-25 Thread Thomas D.
Hi, Rich Freeman wrote: > On Tue, Feb 25, 2014 at 6:39 AM, Thomas D. wrote: >> Also, I cannot believe that I cannot overwrite >> "/lib/udev/rules.d/80-net-setup-link.rules" via "/etc/udev/rules.d"... > > I don't see why not - from the news item: >

Re: [gentoo-dev] News draft #2 for the udev-210 upgrade (was: 209 upgrade)

2014-02-25 Thread Thomas D.
Hi, line 16 ("renamed the file to /lib/udev/rules.d/80-net-setup-link.rules") and line 18 ("you can override in /etc/systemd/network/") don't end with punctuation. Did I get this right? I am using udev to give my interfaces custom names and I am not a systemd user but to keep my setup working

Re: [gentoo-dev] News item draft for >=sys-fs/udev-209 upgrade

2014-02-24 Thread Thomas D.
Hi, not everyone is using systemd. On my systems for example, I don't have "/lib/systemd/" (INSTALL_MASK). The current news item draft raises questions like "When the 'actual configuration' is in /lib/systemd/network/99-default.link... what will happen to people without systemd (and a INSTALL_MASK

Re: [gentoo-dev] Re: RFC: Hosting daily gx86 squashfs images and deltas

2014-01-17 Thread Thomas D.
Hi, Michał Górny wrote: > Now, does anyone have an old portage-YYZZ.tar.{bz2,xz} snapshot? I > need the official one from our mirrors, preferably 3-4 months old.

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Michael Orlitzky wrote: >> If you are aware of any other known attacks, please share. > > Replay attacks, mentioned in the RFC (or Google). These could be > mitigated, but no one has bothered. The OCSP response is signed. The signature contains a time stamp. If your clock is right, replay

Re: [gentoo-dev] OCSP Was: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Duncan wrote: > Meanwhile, another question for Thomas. Is this "certificate stapling" > the same thing google chrome is now doing for the google site, that > enabled it to detect the (I think it was) Iranian and/or Chinese CA > tampering, allowing them to say a "google" cert was valid tha

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, mingdao wrote: > Now, if any one of us turned off OCSP as Michael suggested, what should one do > after turning it back on? Could there now be certificates trusted there which > should not be? Well, only your current browser session can be affected. For Firefox: History -> Clear Recent His

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Michael Orlitzky wrote: > You should disable OCSP anyway. In Firefox, it's under, > > Edit -> Preferences -> Advanced -> Encryption -> Validation > > The OCSP protocol is itself is vulnerable to MITM attacks, which is cute > when you consider its purpose. > > Moreover, it sends the addres