Suggestions

Arch based Porteus community project
aus9

Re: Suggestions

Post#76 by aus9 » 11 Nov 2015, 22:19

One question as I am not totally familiar with how iana works. Will this affect a user on a local network with no outside line that uses an app that parses the iana database?
Can't claim to be an expert here, but recently I had an issue with my gpg and remembered that I had disabled the router port 11371. Now for those who have a more permissive firewall in their router, gpg should work for them out-of-the-box.

Anyone stuck with no outside line is unlikely to know how to punch a hole thru any software/hardware firewall but if they do, then have an outside line and so becomes irrelevant?

Altho I have never used your Kiosk edition, maybe you are thinking something along those lines?

brokenman
Site Admin
Posts: 5503
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Suggestions

Post#77 by brokenman » 12 Nov 2015, 01:16

Ok thanks. I will test it and find out. Also I think I have sorted the locales issue too. :)
How do i become super user?
Wear your underpants on the outside and put on a cape.

aus9

Re: Suggestions

Post#78 by aus9 » 12 Nov 2015, 02:37

yes I am keen to test locales as still have unresolved issues with it.

aus9

Re: Suggestions

Post#79 by aus9 » 12 Nov 2015, 11:06

Ok I have resolved a certificate issue I was having with your current certificates.

I am posting in suggestions even tho it's more a question, so forgive my arrogance.

I have started a build script but this test

Code:

git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
Unpacking objects: 100% (89/89), done.
Checking connectivity... done.

Is now a PASS while it was a FAIL with your current ISO certificates.

If you have not already resolved this, can I start a new post in this Nemesis forum and post my first XZM?
It's not yet built but your feelings may be hurt that in my build I do these terrible things

here is a snip of build subject to verification later

Code:

# Wipe the existing trust store.
rm -rf /etc/ssl/certs/*
rm -rf /usr/share/ca-certificates/*
# this removed brokenman's trusted stuff as well so be warned

# Install the Mozilla certificates and link them into /etc/ssl/certs.
cp -R mozilla /usr/share/ca-certificates/
ln -s /usr/share/ca-certificates/mozilla/* /etc/ssl/certs/

# Rename each link from .crt to .pem, then build the hash links.
cd /etc/ssl/certs
for Z in *.crt
do
mv "$Z" "${Z%.crt}.pem"
done
c_rehash

# Add the bundle last, after c_rehash has run.
cd /tmp
cp -f ca-certificates.crt /etc/ssl/certs/
ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cacert.pem

Naturally you can't stop me doing the actual build and using it privately but I prefer to share if you agree my test is a good test?

OOPS no idea how they make mtree at this stage.

brokenman

Re: Suggestions

Post#80 by brokenman » 12 Nov 2015, 20:25

Fine by me. The certificates are not mine. They are the defaults that come with the ca-certificates package. What problem were you having with them?

brokenman

Re: Suggestions

Post#81 by brokenman » 12 Nov 2015, 23:32

Is now a PASS while it was a FAIL with your current ISO certificates.
Did you run: update-ca-trust to update the certificates before running your test?

aus9

Re: Suggestions

Post#82 by aus9 » 12 Nov 2015, 23:40

Did you run: update-ca-trust to update the certificates before running your test?
No will try again later as I have booted into changes with a live injection of my stuff which I will need to remove from changes.

EDIT rebooted now with update-ca-trust

Code:

ls -al /etc/ssl/certs  (snip)
drwxr-xr-x 2 root root  4096 Nov 13 07:56 java
lrwxrwxrwx 1 root root    64 Nov 13 07:56 thawte_Primary_Root_CA.pem -> ../../ca-certificates/extracted/cadir/thawte_Primary_Root_CA.pem
snip

ls -al /etc/ssl | grep pem
lrwxrwxrwx  1 root root    46 Apr  3  2015 cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem

Now to try my test again

Code:

git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
fatal: unable to access 'https://code.google.com/p/setuid-sandbox/': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

Having opened my big gob and put my foot in it with some effort, I observe that to my eyesight etc this test is a FAIL but your settings appear to allow it to be a PASS?

And that of course can be excused by my lack of knowledge of Porteus/Nemesis but feel free to share what else I need to do please.

ahh found one issue there is no such file

Code:

ls /etc/ssl/certs/ca*   # returns no target ca-certificates.crt

Code:

ln -s /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt
root /tmp # git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
Unpacking objects: 100% (89/89), done.
Checking connectivity... done.

Maybe on rebuild you can do the update and make that sym link?

brokenman

Re: Suggestions

Post#83 by brokenman » 13 Nov 2015, 01:02

/etc/ssl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem

This file is created after running the update. I will include the files in the next release. Thanks for sniffing it out.

brokenman

Re: Suggestions

Post#84 by brokenman » 13 Nov 2015, 01:26

This may be an upstream bug as the ca-certificates packages should contain the /etc/ssl/certs/ca-certificates.crt.
This is also breaking other packages like pacaur and curl over https. Thanks again.

aus9

Re: Suggestions

Post#85 by aus9 » 13 Nov 2015, 05:37

Thanks for checking that out. I now feel no pressure to honour my earlier request to build a certs XZM at this stage.
I have yet to find how the mtree is created, looks like I can read this at my later
https://gist.github.com/Earnestly/bebad057f40a662b5cc3
Last edited by aus9 on 13 Nov 2015, 06:02, edited 1 time in total.

francois
Contributor
Posts: 4984
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Summer at last, the long-awaited climate change: the sun.

Re: Suggestions

Post#86 by francois » 13 Nov 2015, 06:00

We will have to find a way to simplify installation upgrades which will have some AUR packages on them. It seems that these AUR packages have to be reinstalled. Maybe keeping a copy of the package before installation could do the trick.

Not sure. :(
Voltaire: The best is the enemy of the good.

aus9

Re: Suggestions

Post#87 by aus9 » 13 Nov 2015, 06:38

@brokenman

At the risk of flogging a dead horse, as it's not yet the weekend can I give you some pointers based on files you can compare in Porteus that might help you?
I currently have installed on Porteus ca-certificates-20150426-noarch-2_slack14.1.xzm

Code:

ls -al /usr/share/ca-certificates/mozilla/

Should return real files, not sym links of the kind Common_Name.crt

Code:

ls -al /etc/ssl/certs

Should show sym links from Common_Name.pem to /usr/share/ca-certificates/mozilla/Common_Name.crt or some other root authority

The c_rehash command then creates new sym links in /etc/ssl/certs so
string.crt sym links to Common_Name.pem within the same dir.

This has to be done before you add the bundle to the /etc/ssl/certs. ....ca-certificates.crt must be found in /etc/ssl/certs as you already know a lot of software/domains look here first. If you try to do it early, which I have done, :oops: you will get a false output because c_rehash only reads the top hash value in each pem file and you have 2, the top part of ca-certificates.crt and one called something_Common_Name.pem

The sym link to its bundle-name.pem can be anywhere.

Forgive me for sucking eggs, I have actually built this package on another distro but am no longer a member of that distro. And that is why my build script a few posts above is written in that way. Naturally I will volunteer to test this on next rebuild whether they are modules or the full iso

good luck
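
Added example, not part of any post in this thread: a read-only shell check for the two failure modes discussed above, the missing /etc/ssl/certs/ca-certificates.crt that broke git clone and multi-certificate files in the hashed directory, which c_rehash would index by their first certificate only. The function name and output labels are assumptions; it counts PEM headers with grep and needs no openssl binary.

```shell
#!/bin/sh
# Added example (not from the thread): audit a CA trust layout.
# check_ca_layout [ROOT] prints one finding per line and returns 0 only
# when there are none. ROOT defaults to the live system; the paths under
# it are the ones quoted in the posts above.
check_ca_layout() {
    root="${1:-}"
    certs="$root/etc/ssl/certs"
    bundle="$certs/ca-certificates.crt"
    findings=0

    # 1. The bundle that git reported as its CAfile must exist, resolve,
    #    and contain at least one certificate.
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "DANGLING bundle symlink: $bundle"; findings=$((findings + 1))
    elif [ ! -e "$bundle" ]; then
        echo "MISSING bundle: $bundle"; findings=$((findings + 1))
    elif [ "$(grep -c 'BEGIN CERTIFICATE' "$bundle")" -eq 0 ]; then
        echo "EMPTY bundle: $bundle"; findings=$((findings + 1))
    fi

    # 2. Every other entry in the hashed directory should resolve and hold
    #    exactly one certificate, since only the first one gets hashed.
    for f in "$certs"/*; do
        [ "$f" = "$bundle" ] && continue
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING symlink: $f"; findings=$((findings + 1))
        elif [ -f "$f" ]; then
            # grep -c exits 1 on a zero count, so keep the status harmless
            n=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
            if [ "$n" -gt 1 ]; then
                echo "MULTI-CERT file ($n certs): $f"; findings=$((findings + 1))
            fi
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Call `check_ca_layout` with no argument to inspect the running system, or pass the unpacked root directory of a module before building it.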

fullmoonremix

Re: Suggestions

Post#88 by fullmoonremix » 14 Nov 2015, 15:26


aus9

Re: Suggestions

Post#89 by aus9 » 14 Nov 2015, 23:41

@brokenman
for some later rebuild, include the man pages for pacman.

Code:

pacman -h

works for me but is so short on details and examples I think I can handle a little extra bloat.

Looks in mirror....err maybe not. :D

found the webpage
https://www.archlinux.org/pacman/pacman.8.html

fullmoonremix

Re: Suggestions

Post#90 by fullmoonremix » 16 Nov 2015, 20:38

Salutations... :good:

Instead of aufs? AlienBob has chosen this for his Slackware Live.
OverlayFS

Best Regards... :beer:
