K. Ryabitsev π
@monsieuricon
Moderator
Posts
1904Following
226Followers
2423This account is for Linux/Kernel/FOSS topics in general: #linux, #kernel, #foss, #git, #sysadmin, #infrastructure.
For my personal account, please follow @monsieuricon@castoranxieux.ca.
MontrΓ©al, QuΓ©bec, Canada π¨π¦πΊπ¦
K. Ryabitsev π
monsieuricon
Man, centos is so hostile to mirror admins. Instead of just requiring a username/password for mirroring, they restrict primary mirror access by IP, and to make any changes they require that mirror admins open a ticket on some very slow webby thing.
1
0
5
K. Ryabitsev π
monsieuricon
Every time someone claims that they have replaced OpenPGP with "something easier," I always look to see how they handle key management and trust delegation, and usually discover that it's just handwaved away.
Questions like this are a reminder that key management and trust delegation are the exact thing that makes OpenPGP "too hard" in the eyes of most people.
https://www.reddit.com/r/linuxquestions/comments/16c16fu/how_can_i_verify_the_pgp_keys_for_linus_torvalds/
Questions like this are a reminder that key management and trust delegation are the exact thing that makes OpenPGP "too hard" in the eyes of most people.
https://www.reddit.com/r/linuxquestions/comments/16c16fu/how_can_i_verify_the_pgp_keys_for_linus_torvalds/
2
4
6
K. Ryabitsev π
monsieuricon
The first of each month works as a regular reminder of how many mailman-2 servers there still are out there.
1
12
27
K. Ryabitsev π
monsieuricon
Did you ever wonder how those kernel releases make it to a mirror near you? Wonder no more, I've documented the process of delivering the latest set of stable kernels.
https://youtu.be/_MnZdrBJOwI?si=kfzFgfjr_yi8F4md
https://youtu.be/_MnZdrBJOwI?si=kfzFgfjr_yi8F4md
1
3
11
K. Ryabitsev π
repeated
repeated
Greg K-H
gregkh
Edited 1 year ago
Here is a hopefully-useful notice about Linux kernel security issues, as it seems like this knowledge isn't distributed very widely based on the number of emails I get on a weekly basis:
- The kernel security team does not have any "early notice"
announcement list for security fixes for anyone, as that would only
make things more insecure for everyone.
- The kernel community does not assign CVEs, nor do we deal with them
at all. This is documented in the kernel's security policy, yet we
still have a number of people asking for CVE numbers even after
reading that policy. See my longer "CVEs are dead..." talk for full
details about how the CVE process is broken for projects like Linux:
https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
- You HAVE to take all of the stable/LTS releases in order to have a
secure and stable system. If you attempt to cherry-pick random
patches you will NOT fix all of the known, and unknown, problems,
but rather you will end up with a potentially more insecure system,
and one that contains known bugs. Reliance on an "enterprise"
distribution to provide this for your systems is up to you, discuss
it with them as to how they achieve this result as this is what you
are paying for. If you aren't paying for it, just use Debian, they
know what they are doing and track the stable kernels and have a
larger installed base than any other Linux distro. For embedded,
use Yocto, they track the stable releases, or keep your own
buildroot-based system up to date with the new releases.
- Test all stable/LTS releases on your workload and hardware before
putting the kernel into "production" as everyone runs a different %
of the kernel source code from everyone else (servers run about
1.5mil lines of code, embedded runs about 3.5mil lines of code, your
mileage will vary). If you can't test releases before moving them
into production, you might want to solve that problem first.
- A fix for a known bug is better than the potential of a fix causing a
future problem as future problems, when found, will be fixed then.
I think I need to give another talk about this issue to go into the above in more detail. So much for me giving a technical talk at Kernel Recipes this year...
- The kernel security team does not have any "early notice"
announcement list for security fixes for anyone, as that would only
make things more insecure for everyone.
- The kernel community does not assign CVEs, nor do we deal with them
at all. This is documented in the kernel's security policy, yet we
still have a number of people asking for CVE numbers even after
reading that policy. See my longer "CVEs are dead..." talk for full
details about how the CVE process is broken for projects like Linux:
https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
- You HAVE to take all of the stable/LTS releases in order to have a
secure and stable system. If you attempt to cherry-pick random
patches you will NOT fix all of the known, and unknown, problems,
but rather you will end up with a potentially more insecure system,
and one that contains known bugs. Reliance on an "enterprise"
distribution to provide this for your systems is up to you, discuss
it with them as to how they achieve this result as this is what you
are paying for. If you aren't paying for it, just use Debian, they
know what they are doing and track the stable kernels and have a
larger installed base than any other Linux distro. For embedded,
use Yocto, they track the stable releases, or keep your own
buildroot-based system up to date with the new releases.
- Test all stable/LTS releases on your workload and hardware before
putting the kernel into "production" as everyone runs a different %
of the kernel source code from everyone else (servers run about
1.5mil lines of code, embedded runs about 3.5mil lines of code, your
mileage will vary). If you can't test releases before moving them
into production, you might want to solve that problem first.
- A fix for a known bug is better than the potential of a fix causing a
future problem as future problems, when found, will be fixed then.
I think I need to give another talk about this issue to go into the above in more detail. So much for me giving a technical talk at Kernel Recipes this year...
11
223
240
K. Ryabitsev π
monsieuricon
Dear Qatar Airlines. Everything was great, but providing "Avengers: Infinity Wars" without "Avengers: Endgame" in your entertainment options is just _mean_.
1
0
5
K. Ryabitsev π
monsieuricon
On the upside, COVID 19 tests still work. On the downside -- everything else. :(
2
1
7
K. Ryabitsev π
monsieuricon
De retour Γ MontrΓ©al!
I need a nap and a long break from air travel.
I need a nap and a long break from air travel.
0
0
5
K. Ryabitsev π
monsieuricon
What are you doing, frog, are you nuts? Get inside. Turn on the AC. Take a cold bath.
1
1
8
K. Ryabitsev π
repeated
repeated
K. Ryabitsev π
monsieuricon
Looks like I get to spend a day in Doha because they overbooked our flight to Montreal. No big, I've never actually been to the middle east.
0
0
0
K. Ryabitsev π
monsieuricon
βοΈ ALA > DOH > YUL
I spent a great week in Almaty visiting my KZ cousins and meeting up with my parents. Now it's time to head back.
I spent a great week in Almaty visiting my KZ cousins and meeting up with my parents. Now it's time to head back.
0
0
2
K. Ryabitsev π
monsieuricon
Hopping on an airplane to go home soon. Here are some horses from a walk earlier.
Any guesses where I have been?
Any guesses where I have been?
3
0
5
K. Ryabitsev π
monsieuricon
Me: orders a delivery once while visiting Portugal in 2019
Routinely, for the next 4 years: "Atualização dos termos e condiçáes"
Routinely, for the next 4 years: "Atualização dos termos e condiçáes"
0
0
7