**** BEGIN LOGGING AT Thu Feb 11 02:59:58 2016
Feb 11 03:05:01 They're basically "threads".
Feb 11 06:18:25 KotCzarny: Other than more connectors, is there any disadvantage to using an mSATA card on an mSATA ↔ 2.5-inch SATA adapter board instead of using a 2.5-inch SATA SSD?
Feb 11 06:26:01 Theoretically, an mSATA SSD installed on an mSATA ↔ 2.5-inch SATA adapter board is functionally equal to a 2.5-inch SATA SSD. However, I know from my personal experience that a CompactFlash (not CompactMagnetic) card installed on a CompactFlash card ↔ PATA adapter board is often not a drop-in replacement for a PATA HDD while a PATA SSD (not CompactFlash) is a drop-in replacement for a PATA HDD.
Feb 11 06:59:56 brolin_empey: if you see at the benchmarks of the same model of ssd, they are the same for ssd and msata (because connectors are just sata pins)
Feb 11 07:01:03 one thing to note, if you install in pata--(m)sata adapter there is always controller chip issue
Feb 11 07:02:21 but as i said, msata allows you to choose almost any drive model, and ssd with pata interface is almost always old and/or overpriced (2-3x)
Feb 11 07:02:38 freemangordon: please help jonwil with certificates :)
Feb 11 07:02:58 my daily N900 can no longer open https sites.
Feb 11 07:04:47 i remember you did some certificate magic for nokia supl server. maybe you would know what's going on here. by the way, the maemosec packages he produced work just fine for a user with cssu-thumb, work fine on my cssu-testing n900, but not on my thumb device, nor on jonwil's device.
Feb 11 07:06:23 Sicelo: it was more than 2 years i played with that. However, what I remember is that certificate order is very important
Feb 11 07:08:32 also, I don't understand what he does and why so many problems, iirc what one needs is essentially - use cmcli to import or remove the certificates, then copy the result in the source tree and rebuild
Feb 11 07:10:18 well, he learns on-the-go
Feb 11 07:12:49 ok, here is what a certificate change commit looks like https://github.com/community-ssu/maemo-security-certman/commit/2cbd96e89d7529e1ce25801824fb76f39b05b836
Feb 11 07:12:53 I see nothing specia
Feb 11 07:12:56 l
Feb 11 07:13:33 see https://github.com/community-ssu/maemo-security-certman/commit/0be038825a98dae2d80fd411a02cb4c86ed1b36a too
Feb 11 07:13:45 he updated certificates, and all is good. but microb won't "see" them
Feb 11 07:14:02 does openssl see them?
Feb 11 07:14:24 openssl s_client that is
Feb 11 07:14:27 let me check. what's the command-u for that?
Feb 11 07:14:53 search google for openssl s_client connect
Feb 11 07:15:09 also, make sure to give CApath to openssl
Feb 11 07:16:41 what should that be?
Feb 11 07:16:56 /etc/$something
Feb 11 07:17:02 the certificates location
Feb 11 07:18:43 https://packages.debian.org/sid/ca-certificates perhaps this is somehow useful?
Feb 11 07:18:50 I am not sure if they took the certificates from there?
Feb 11 07:19:10 working
Feb 11 07:22:12 hmm,testing microsoft.com says "unable to get issuer certificate" .. so i guess that means not working?
Feb 11 07:22:30 sicelo, i get that message also on stock n900
Feb 11 07:22:49 and also on my laptop i think
Feb 11 07:25:48 hmm, well 2nd N900 does not return such message.
Feb 11 07:26:03 freemangordon: so looks like openssl not happy with them either :/
Feb 11 07:26:31 it might be that my cert store on laptop is broken too
Feb 11 07:26:45 is your 2nd n900 stock?
Feb 11 07:27:25 Sicelo: could you tell openssl to be verbose and pastebin the output?
Feb 11 07:27:42 jonwil: hi!
Feb 11 07:28:00 hi
Feb 11 07:28:11 jonwil: which gdb do you use for debugging microb?
Feb 11 07:28:30 jonwil: also, read the backscroll
Feb 11 07:29:08 Sicelo: also tell openssl to dump the certificate chain
Feb 11 07:29:39 got to go see man page. no idea about those things haha
Feb 11 07:30:05 gdb -v sayhs "
Feb 11 07:30:13 hmm?
Feb 11 07:30:18 gdb -v says "6.8.50.20090417-debian"
Feb 11 07:30:30 try 7.1 from extras-devel
Feb 11 07:30:39 I put it there on a reason :(
Feb 11 07:30:43 ok
Feb 11 07:31:12 jonwil: also, see my comment on certman commit
Feb 11 07:33:02 FYI, cmcli -T verifies the chain of trust properly
Feb 11 07:33:17 jonwil: and what about openssl?
Feb 11 07:33:21 I mean cmcli -T common-ca -v www.blah.com:443
Feb 11 07:33:26 and yes openssl s_client does work
Feb 11 07:33:34 so that means the certificates themselves are correct
Feb 11 07:33:48 hmm, "( 9,26,03) Sicelo: freemangordon: so looks like openssl not happy with them either :/"
Feb 11 07:34:03 though he might be using incorrect cmd
Feb 11 07:34:07 yeah probably
Feb 11 07:34:34 jonwil: do you use openssl from cssu?
Feb 11 07:35:35 jonwil: what's the correct openssl cmd?
Feb 11 07:35:46 If I run openssl s_client -CApath /etc/certs/common-ca -connect www.blah.com:443 it works for the sites that fail in microb
Feb 11 07:36:10 that's same command i ran. doesn't work for my 'bad' N900, but works on 2nd one
Feb 11 07:36:22 what does it say when you run it on your failing N900?
Feb 11 07:36:59 unable to get local issuer certificate
Feb 11 07:37:06 let me try with cmcli
Feb 11 07:37:22 yeah try cmcli -T common-ca -v www.blah.com:443
Feb 11 07:37:52 35ce3296a4a08fe1aa8d09650a9b3acb2cc1da64 www.entrust.net Verification failed: unable to get local issuer certificate
Feb 11 07:38:02 weird
Feb 11 07:38:41 so you are doing cmcli -T common-ca -v www.entrust.net:443 and its giving that error?
Feb 11 07:38:50 yes
Feb 11 07:39:06 Ok can you grab the entire contents of /etc/certs and /etc/secure on your N900 and get them to me?
Feb 11 07:39:17 I can see if they match my device (where that command I just typed works)
Feb 11 07:40:22 Or I can help you undo all your changes and go back to what you had before you fiddled with maemo-security-certman earlier
Feb 11 07:40:32 http://paste.debian.net/379881/ .. this is output of
Feb 11 07:40:33 Then you have a 100% working N900 again
Feb 11 07:40:44 openssl s_client -connect www.entrust.net:443 -CApath /etc/certs/common-ca/ -showcerts > MyDocs/openssl.txt
Feb 11 07:41:39 i can help a bit more :) will let you know when i can't take it anymore, haha. just this is my daily device where certs refused to work. Murphy's law
Feb 11 07:42:03 Ok so get me the contents of /etc/certs and /etc/secure and I will see how that differs from what it should be
Feb 11 07:42:24 Once we get cmcli working correctly then at least we know that that bit is working again
Feb 11 07:43:59 Wizzup: the certificates came from the Mozilla certdata.txt file (the mozilla root CA store) and were updated following instructions and other bits given to me by Juhani Mäkelä (original Nokia author of maemo-security-certman package)
Feb 11 07:44:17 tar'red them up. where can i upload?
Feb 11 07:45:02 You could post in http://talk.maemo.org/showthread.php?t=96433 and attach to the post?
Feb 11 07:45:04 That would work
Feb 11 07:45:37 jonwil: in case you, or i, disappear for some reason ... please document the 'recovery' method for whenever i may need it
Feb 11 07:46:35 Its not something that can be easily documented since at various points in the process it would require you to do certain things then me to make decisions on what to do next based on certain information you give me :)
Feb 11 07:46:50 jonwil: ah, ok
Feb 11 07:47:07 dont worry I wont be leaving IRC for houors (even if I go afk for a bit to e.g. have food)
Feb 11 07:47:10 hours
Feb 11 07:47:11 jonwil: I was just wondering because it seems many linux distros take the certs from that package (including gentoo)
Feb 11 07:47:34 but they may just take it from mozilla as well
Feb 11 07:49:49 Yep they do
Feb 11 07:50:33 Lots of places get it from Mozilla because they trust the vetting process Mozilla uses
Feb 11 07:50:34 jonwil: posted to tmo
Feb 11 07:50:56 Not sure where Chrome gets its root certificates from
Feb 11 07:55:58 ok so do you want me to help you get your system back to a functional state or do you want me to help you get the certificates to the same "working with cmcli etc but failing with microb" state I am in?
Feb 11 07:56:26 jonwil: one question, are all, or only some certificates failing with microb
Feb 11 07:56:31 only some
Feb 11 07:56:45 And might that be related to perhaps using stronger crypto/hashes that are not supported by nss at that time
Feb 11 07:56:56 like some old browser having trouble with sha2
Feb 11 07:57:16 Yes thats why I am looking into updating NSPR and NSS
Feb 11 07:57:16 that is, perhaps it will only be fixed by upgrading nss
Feb 11 07:57:19 Okay
Feb 11 07:57:27 Just wanted to point that possibility out :)
Feb 11 07:57:34 Just need to deal with some microb-local patches to NSPR somehow
Feb 11 07:57:43 I see
Feb 11 07:57:59 Sicello: Which option do you want?
Feb 11 07:58:12 Wizzup: no way, microb supports sha-256 signatures
Feb 11 07:58:34 kerio: okay, well, I'm guessing something out there may be missing
Feb 11 07:58:35 Back to fully working or up to "works with cmcli but not with microb"?
Feb 11 07:58:43 Updating NSS cant hurt anyway
Feb 11 07:58:44 I guess my sha2 example was a bad one :)
Feb 11 07:58:48 jonwil: indeed!
Feb 11 07:58:50 and we need to do it if we want TLS1.2 etc
Feb 11 07:58:51 is there a more specific error message?
Feb 11 07:58:56 jonwil: +1
Feb 11 07:58:57 jonwil: +1
Feb 11 07:59:02 :)
Feb 11 07:59:03 and yes, we DEFINITELY want tls 1.2
Feb 11 07:59:36 "This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken." -- agl
Feb 11 07:59:58 In terms of what we enable and disable there, we should trust Mozilla on that one
Feb 11 08:00:11 jonwil: out of which options? :)
Feb 11 08:00:26 well we know Mozilla turns off SSL3
Feb 11 08:00:29 and doesn't support it anymore
Feb 11 08:00:37 so we should do the same when we update NSS
Feb 11 08:00:58 But for example we should trust Mozilla when it comes to which versions of TLS to turn on and which to turn off
Feb 11 08:01:18 yeah just go with what firefox does
Feb 11 08:01:58 I suspect trusting Firefox on issues related to SSL/TLS/HTTPS/CAs/etc is probably a fairly safe and sane thing to do
Feb 11 08:01:58 i mean, there's something to be said about disabling aes-256 ciphersuites
Feb 11 08:02:07 Especially if we are using all their codebase for this stuff :)
Feb 11 08:02:11 because we're kinda lacking in... everything
Feb 11 08:02:21 okay. hmm, can't make up my mind. part of me wants to go on with the testing, but this is my daily device, so maybe let's just get it back to working state
Feb 11 08:02:41 Ok so you are running what version of CSSU on this device?
Feb 11 08:03:44 ?
Feb 11 08:04:04 cssu thumb
Feb 11 08:09:11 latest version of cssu-thumb?
Feb 11 08:09:42 what version of mp-fremantle-community-pr does the system say you have?
Feb 11 08:12:20 ?
Feb 11 08:18:30 Looks like Sicelo went AFK :P
Feb 11 08:22:26 sorry
Feb 11 08:22:29 at work
Feb 11 08:22:33 oh ok
Feb 11 08:22:43 but yeah what version of mp-fremantle-community-pr do you have?
Feb 11 08:23:35 *** 21.2011.38-1Tmaemo11+thumb0
Feb 11 08:24:27 Ok so that's the most recent
Feb 11 08:24:37 What you want to do is to open a root terminal
Feb 11 08:24:54 sure
Feb 11 08:25:02 You want to do dpkg -r mp-fremantle-community-pr
Feb 11 08:25:08 then dpkg -P libmaemosec-certman0
Feb 11 08:25:14 then dpkg -P libmaemosec0
Feb 11 08:25:21 then dpkg -P maemosec-certman-common-ca
Feb 11 08:25:27 then dpkg -P maemosec-certman-tools
Feb 11 08:25:39 Then tell me what, if anything, is left in /etc/certs or /etc/secure
Feb 11 08:26:24 You will be reinstalling all those packages including mp-fremantle-community-pr in a sec, don't worry
Feb 11 08:26:48 dependency problems with that .. wants to remove almost everything, due to mp-fremantle*
Feb 11 08:27:15 hmmm ok
Feb 11 08:27:24 dpkg: error processing libmaemosec-certman0 (--purge): dependency problems - not removing
Feb 11 08:27:29 ok
Feb 11 08:27:32 you can always do find /etc/certs -exec dpkg -S {} \;
Feb 11 08:27:42 and then compare it with the output of find /etc/certs
Feb 11 08:27:50 Ok so remove /etc/certs completely
Feb 11 08:27:54 and also /etc/secure
Feb 11 08:28:23 Then download the .deb files in this paste
Feb 11 08:28:24 http://pastebin.com/CSzTrD61
Feb 11 08:28:30 and install them with dpkg -i in the order listed
Feb 11 08:28:46 it may complain about certain packages being a downgrade but it should install them anyway
Feb 11 08:32:10 ok. doing it now
Feb 11 08:36:50 hold on why are those in community-thumb
Feb 11 08:36:53 instead of community-devel
Feb 11 08:36:54 :|
Feb 11 08:38:48 I think he wants to rollback to a working state
Feb 11 08:38:55 (on a thumb device)
Feb 11 08:39:09 They are in community-thumb because there is no thumb specific version of those
Feb 11 08:39:24 oooh i see
Feb 11 08:39:25 and yes he wants to back to what he had before he started
Feb 11 08:39:32 hence the need to go back to those packages
Feb 11 08:39:49 talking about certs, i think yappari registration is failing due to non compatible ciphering between WA servers and n900 supported protocols
Feb 11 08:40:00 why 0.2.2 though? why not 0.2.3
Feb 11 08:40:14 ceene: compile it with a static, more-recent openssl?
Feb 11 08:41:15 0.2.2 is what cssu-thumb shipped
Feb 11 08:41:24 and what mp-fremantle-community-pr for thumb points to
Feb 11 08:41:48 why 0.3.2 isn't in cssu-thumb you will have to ask the maintainer of that
Feb 11 08:42:04 I mean 0.2.3
Feb 11 08:43:10 kerio: i'm on it... i've already created an openssl deb package for n900, backported from debian
Feb 11 08:43:19 qt is smart enough to use latest installed openssl
Feb 11 08:43:22 hm, that would mess up with things tho
Feb 11 08:43:29 it won't
Feb 11 08:43:40 i've got both openssl packages installed on my n900 right now
Feb 11 08:43:45 ok
Feb 11 08:43:47 have you removed the symlink between libssl.so and libssl.so.yourversion
Feb 11 08:43:51 without any problem in a couple months or so
Feb 11 08:44:39 the thing is, most apps will search for the exact version of the library they were compiled against
Feb 11 08:44:55 but QT searches for all libssl.so* versions and dlopen()s it
Feb 11 08:44:57 kerio: qt dlopens
Feb 11 08:45:38 D:
Feb 11 08:45:43 that sounds like a horrible way to do things
Feb 11 08:45:50 qt inside.
Feb 11 08:46:12 lol
Feb 11 08:47:02 horrible or not, it's just what we need :)
Feb 11 08:47:14 i've still got to do a couple things
Feb 11 08:47:16 to disable ssl3
Feb 11 08:47:32 so i may have to patch qt itself
Feb 11 08:51:37 Sicelo: Does your system work again now?
Feb 11 08:54:06 ceene: how does qt know how to use all the versions of openssl, though?
Feb 11 08:56:50 jonwil: mp-fremantle-community-pr depends on maemosec-certman-tools (>= 0.2.3); however: Version of maemosec-certman-tools on system is 0.2.2.
Feb 11 08:57:09 kerio: by finding /lib/libssl* and parsing the filename
Feb 11 08:57:14 i mean
Feb 11 08:57:19 you have to add support to the functions it will use
Feb 11 08:57:29 if there's some api change, then it has to implement it
Feb 11 08:57:31 crazy stuff going on here, lol. you found that we should be having 0.2.2?
Feb 11 08:58:50 ok, try http://repository.maemo.org/community-testing/pool/fremantle/free/m/maemo-security-certman/libmaemosec-certman0_0.2.3_armel.deb http://repository.maemo.org/community-testing/pool/fremantle/free/m/maemo-security-certman/libmaemosec0_0.2.3_armel.deb http://repository.maemo.org/community-testing/pool/fremantle/free/m/maemo-security-certman/maemosec-certman-common-ca_0.2.3_all.deb...
Feb 11 08:58:52 ...http://repository.maemo.org/community-testing/pool/fremantle/free/m/maemo-security-certman/maemosec-certman-tools_0.2.3_armel.deb
Feb 11 08:59:07 That should work
Feb 11 08:59:24 can i just use apt-get install :) specifying version?
Feb 11 08:59:37 no since you already have a more recent version
Feb 11 08:59:48 I dont know if apt-get can downgrade a package
Feb 11 08:59:52 if it can, feel free to try it
Feb 11 09:00:03 it can
Feb 11 09:05:04 few certs in /etc/certs/common-ca/
Feb 11 09:05:11 less than 10
Feb 11 09:05:32 nothing in /etc/certs/trusted
Feb 11 09:08:44 can you find /etc/certs/common-ca/ -exec dpkg -S {} \; ?
Feb 11 09:08:51 I'm curious as to what is kept ther
Feb 11 09:08:55 *there
Feb 11 09:18:53 They only come from maemosec-certman-common-ca
Feb 11 09:19:04 what do you see if you dpkg -L maemosec-certman-common-ca?
Feb 11 09:19:53 Also you may want to try manually downloading the deb files and installing them with dpkg, that will probably restore the missing files
Feb 11 09:20:08 i did
Feb 11 09:20:11 apt-get may not install the files when downgrading for some reason
Feb 11 09:20:27 dpkg -L lists all of the certs, but they are definitely not there
Feb 11 09:20:32 now that's crazy
Feb 11 09:20:52 Very weird
Feb 11 09:21:22 I am out of ideas
Feb 11 09:21:39 even the install process doesn't show the rest being installed
Feb 11 09:21:49 re-doing it make no difference
Feb 11 09:22:20 lemme reboot
Feb 11 09:29:40 freemangordon: ping
Feb 11 09:38:41 dpkg -L is likely just spitting out contents of /var/lib/dpkg/info/maemosec-certman-common-ca.list even though the files themselves aren't there. let me extract the deb
Feb 11 09:40:48 ok
Feb 11 09:43:34 so i dpkg -x the package, and manually ran its postinst. cmcli is happy now.
Feb 11 09:43:41 let me check microb
Feb 11 09:47:52 seems okay. loading entrust website successfully.
Feb 11 09:48:01 yhansuthanks for the help :)
Feb 11 09:48:11 bad typing :(
Feb 11 09:48:44 i'll play with your 0.2.4 stuff in the evening :)
Feb 11 09:53:24 ok, great :)
Feb 11 09:54:45 Might help if I download the armel version of gdb 7.3.1 and not the i386 version :)
Feb 11 09:54:48 Lets try that agaon
Feb 11 09:54:50 again
Feb 11 09:54:54 this is going to be 'fun' one to debug i guess, as there is no consistency of behaviour
Feb 11 09:55:28 Not really, once I actually get GDB working I should be able to see whats up
Feb 11 09:56:29 right now if I visit www.entrust.com I get a SEC_ERROR_UNKNOWN_ISSUER error from microb
Feb 11 09:57:03 so I intend to break on the function that spits out the error (PORT_SetError in nss) and from there work backwards
Feb 11 09:57:13 and eventually I will be at some function I can single step or trace and see just what is going on
Feb 11 09:58:03 :)
Feb 11 09:59:29 hmmm. newer version of GDB doesn't help
Feb 11 10:15:34 installed 0.2.4 again .. now i'm at least in same situation as you. no worse
Feb 11 10:16:48 openssl and cmcli both happy
Feb 11 10:22:11 jonwil: does https://nethack.dank.ninja/ work
Feb 11 10:23:31 yes
Feb 11 10:23:33 That works for me
Feb 11 10:26:47 hmmm, I wonder if there is some sort of way to run microb-engine but not browserd
Feb 11 10:27:23 Let me see what these other packages I get when building microb-engine do
Feb 11 10:28:22 ?
Feb 11 10:28:52 microb-engine builds a bunch of packages that aren't installed in the phone
Feb 11 10:29:29 how would you run microb-engine without browserd?
Feb 11 10:30:15 I dont mean using the browser UI
Feb 11 10:30:25 browserd links to several libraries
Feb 11 10:30:38 which contain the actual rendering engine and stuff
Feb 11 10:31:25 There are things built from the microb-engine source package that might provide a way to load that actual gecko code and pull web pages and stuff without going through browserd, browser-neteal or the normal browser UI
Feb 11 10:33:24 There's microb-xulrunner already in the repository fwiw
Feb 11 10:33:53 It's able to run things like an old version of Conkeror.
Feb 11 10:34:30 or maybe a newer one having manually added some promises library, iirc
Feb 11 10:35:10 Yeah thats what I mean, getting microb-xulrunner and things from my microb-engine tree
Feb 11 10:41:47 http://maxdamantus.eu.org/c900.png
Feb 11 10:42:13 It's reasonably usable tbh
Feb 11 10:42:50 The issue I had with Conkeror on my desktop is that the UI is convenient enough to have hundreds of tabs open.
Feb 11 10:43:42 which was kind of okay while I only had 3 GiB of RAM, since once it got to 120 or so tabs I'd just close a bunch of them to avoid unnecessary swapping.
Feb 11 10:44:31 now with 32 GiB of RAM it bottlenecks on the CPU at around 500 tabs, and cbf cleaning up 500 tabs.
Feb 11 10:44:45 Don't really want to have that issue on my phone.
Feb 11 10:58:24 o.o
Feb 11 10:58:33 i usually have ~10-20 tabs at most
Feb 11 10:59:03 if i want to read the site but dont want the tab i just bookmark it into 'to read' folder
Feb 11 11:00:52 ok, the plot thickens...
Feb 11 11:01:07 hm?
Feb 11 11:03:50 nobody expected spanish inquisition
Feb 11 11:05:10 If I access https://www.entrust.net/ in microb, it gives an error. If I access the same domain via microb-refui (built alongside the microb-engine bits I am using) the URL loads just fine
Feb 11 11:05:29 by "in microb", I mean in the standard Maemo web UI
Feb 11 11:09:39 moin
Feb 11 11:38:51 still doesn't answer why microb in other devices doesn't mind the new certs :/
Feb 11 11:56:48 HOLY CRAP I found the problem
Feb 11 11:57:19 ?
Feb 11 11:57:31 making a forum post now
Feb 11 11:57:42 suspens...
Feb 11 11:58:09 ;)
Feb 11 12:00:17 woop
Feb 11 12:01:01 http://talk.maemo.org/showthread.php?t=96433&page=2
Feb 11 12:02:25 jonwil: i strongly doubt anyone actually uses personal certificates in microb
Feb 11 12:02:55 so you can probably just delete it
Feb 11 12:03:06 ?
Feb 11 12:04:10 some people add exceptions, I guess (?)
Feb 11 12:04:12 how did they end up being stale, though?
Feb 11 12:06:24 No idea
Feb 11 12:06:33 hold on gimme the debs
Feb 11 12:06:56 I suspect they are intermediate certificates chaining off a specific root that is not in the new root CA store
Feb 11 12:07:05 makes sense
Feb 11 12:07:18 but when the intermediates aren't in cert8.db, microb uses some newer intermediates chaining off a newer root that is in the new root CA store
Feb 11 12:07:48 as for the debs of the new root CA stuff, http://talk.maemo.org/showthread.php?t=96430 has what you need
Feb 11 12:08:36 yeah but gimme some links i can wget
Feb 11 12:09:11 I dont have the files uploaded anywhere you can wget
Feb 11 12:09:22 unless you can wget forum attachments
Feb 11 12:09:32 i do use personal cert in microb
Feb 11 12:09:37 i think you can
Feb 11 12:10:38 ;-;
Feb 11 12:10:48 At least I have the cause now
Feb 11 12:11:06 Although that doesn't mean I wont keep trying to update NSS, we do want TLS1.2 support after all :)
Feb 11 12:11:39 \m/
Feb 11 12:12:05 jonwil: quick fix available?
Feb 11 12:12:38 quick fix for what?
Feb 11 12:12:43 the cert8.db problem?
Feb 11 12:12:47 no, I dont have a fix yet
Feb 11 12:12:50 okay
Feb 11 12:12:54 other than deleting the file and risking problems
Feb 11 12:13:09 We need to find a proper way to clean out the crap without deleting anything important
Feb 11 12:13:17 agreed
Feb 11 12:14:46 how do i verify that jonwil's package isn't backdoored
Feb 11 12:15:51 You cant really, but you have to trust the people who wrote CSSU for example didn't backdoor things
Feb 11 12:16:06 or for that matter that original Nokia packages dont have backdoors
Feb 11 12:16:16 Not that I would intentionally backdoor something
Feb 11 12:16:21 I think backdoors are bad
Feb 11 12:16:23 suuuuuuure ;)
Feb 11 12:16:35 kerio: does his package contain machine code?
Feb 11 12:16:40 isn't it just certificates?
Feb 11 12:16:47 yes, it's "just" certificates
Feb 11 12:16:58 """just""" ;]
Feb 11 12:17:06 what if now my n900 is trusting "jonwil's super legit root CA"
Feb 11 12:17:17 i use personal cert to access Outlook Web Access for work emails. can't use exchange activesync due to provisioning, and no imap/pop enabled
Feb 11 12:17:24 oh god i have to update like 8 billion things
Feb 11 12:17:40 it isn't worse than, say, states CA :)
Feb 11 12:17:41 Sicelo: you should most definitely not delete cert8.db
Feb 11 12:18:12 :)
Feb 11 12:18:15 why not?
Feb 11 12:19:13 because it's likely that he has a client certificate stored there
Feb 11 12:19:36 do we have certutil?
Feb 11 12:20:22 yep, cert8.db has the certificates, key3.db has the keys
Feb 11 12:20:33 The set of root certificates in my updated maemo-security-certman is an unchanged set from mozilla certdata.txt as of http://hg.mozilla.org/mozilla-central/rev/64df3815df9c
Feb 11 12:21:15 did you do a conversion to it, or do the package scripts do that?
Feb 11 12:21:36 Or rather its that set of certificates minus whichever ones cmcli decided not to import (would need to dig deep into openssl source code to find out exactly the criteria for rejecting a certificate for import)
Feb 11 12:21:42 :|
Feb 11 12:21:51 This commit https://github.com/community-ssu/maemo-security-certman/commit/9076865275fb4e78578276afdff45f6f47389872 contains a backport of a fix from Harmattan
Feb 11 12:21:58 plus a new set of root CA certificates
Feb 11 12:22:24 plus the tool and instructions for importing mozilla certdata.txt file
Feb 11 12:23:06 kerio: i still have the original pfx files ;)
Feb 11 12:23:54 You can thank Juhani Mäkelä (original author of maemo-security-certman) for their help in getting all this working
Feb 11 12:24:56 They provided the parse-certdata-txt.c file and some very useful info on how to get things going (including the right cmcli commands to run and the right stuff to backport from Harmattan)
Feb 11 12:25:19 I dont know enough about finnish names to tell if that is a man or a woman :P
Feb 11 12:27:12 entrust.com worksforme
Feb 11 12:27:16 or rather
Feb 11 12:27:19 i think it works for me
Feb 11 12:27:22 the page is very slow to load
Feb 11 12:27:42 you must not have whatever bogus certificates are in my cert8.db file then
Feb 11 12:27:53 does ib.boq.mobi work for you?
Feb 11 12:27:57 do we have a package with the nss certutil in
Feb 11 12:28:15 I haven't figured out how to build the nss command line tools although I would really like to do that
Feb 11 12:30:00 anyhow, my phone is running out of juice after all this testing, better go plug it in to charge up :)
Feb 11 12:33:09 jonwil: libnss3-tools in debina?
Feb 11 12:33:10 debian
Feb 11 12:33:58 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Feb 11 12:34:10 We need to build the tools from the same nss source tree we have in microb-engine
Feb 11 12:34:10 this makes things a bit harder
Feb 11 12:34:44 I am sure there is a way to modify the microb-engine build tree to build libnss3-tools or something similar
Feb 11 12:34:47 Do that and we are golden
Feb 11 12:47:51 * Maxdamantus wonders why he wasn't able to copy his bootloader from one N900 to another by just reading/writing from/to /dev/mtd3
Feb 11 12:50:40 maybe it was something else broken too
Feb 11 12:51:10 What sort of thing?
Feb 11 12:51:34 fs corruption? kernel corrupted? config partition corrupted?
Feb 11 12:51:38 Everything worked the first time once it was able to load by u-boot build.
Feb 11 12:51:40 dont know what were you doing
Feb 11 12:52:04 Copying my existing setup to another N900 I acquired.
Feb 11 12:52:29 hmm, different revisions?
Feb 11 12:52:48 I just zeroed out the eMMC and emptied ubifs, repartition the eMMC and copied a backup of the main filesystem in.
Feb 11 12:53:13 and copied my boot directory and ubifs as it currently was on my existing one.
Feb 11 12:53:37 Who needs flasher?
Feb 11 12:54:02 why do we care about ubifs anyway?
Feb 11 12:54:10 it eats cycles and memory
Feb 11 12:54:48 i remember using overlay fs long time ago on ancient 586 200mhz box, and it was noticeably slower in disk operations
Feb 11 12:54:50 I'm still using kernel-power, which doesn't have built-in support for omap-hsmmc or ext4.
Feb 11 12:55:04 Don't really want to bother with an initramfs.
Feb 11 12:55:11 ubifs is basically my initramfs.
Feb 11 12:55:20 who needs initramfs
Feb 11 12:55:30 nah, don't dd from one device to another - it doesn't handle the bad blocks quite right
Feb 11 12:55:59 Hm. That'd probably explain it.
Feb 11 12:56:08 :)
Feb 11 12:56:10 you should prolly use "flasher --local"
Feb 11 12:56:11 :3
Feb 11 12:56:33 * Maxdamantus also noticed a bunch of messages about ECC when doing `rm -rf *` in the ubifs.
Feb 11 12:57:13 * Maxdamantus should probably have just recreated the filesystem, though he's not really familiar with ubifs/mtd.
Feb 11 12:58:37 (( but QT searches for all libssl.so* versions and dlopen()s it)) now that explains some nasty effects. e.g. why Silego GreenPack3 software mostly works on my OpenSuse system but simply blows chunks on "Save as..."
Feb 11 12:59:08 now, off to go and find myself another N900.
Feb 11 12:59:30 * Maxdamantus is meant to be getting a third one soon too.
Feb 11 12:59:46 then I'll have five N9* devices.
Feb 11 12:59:54 :)
Feb 11 13:00:00 i have 3.5
Feb 11 13:00:03 I have just the one although I wish I had a second one for if/when this one stops working
Feb 11 13:00:09 mine croaked aaaaaaageeees ago, but it was way, way more useful than pretty much any other mobile device I have now
Feb 11 13:00:26 but right now I dont have the funds for anything even vaguely related to tech stuff
Feb 11 13:00:31 if only I could find one on eBay that wasn't a refurb for $200...
Feb 11 13:00:33 I haven't confirmed that the $2 N97 works yet though .. I think the guy mailed the battery in a separate package.
Feb 11 13:01:05 and it seems like it's in fairly bad condition.
Feb 11 13:01:17 came with a 16 GB microSD card though.
Feb 11 13:02:12 * Maxdamantus sleeps.
Feb 11 13:17:12 https://en.wikipedia.org/wiki/Juhani
Feb 11 13:17:22 male
Feb 11 13:18:59 ok
Feb 11 13:20:40 didn't someone offer you N900 jonwil? :)
Feb 11 13:20:45 possibly
Feb 11 13:20:52 but I never followed it up
Feb 11 13:23:58 around the time you had bad USB port
Feb 11 13:24:09 yeah that
Feb 11 13:24:36 My phone works at the moment so I have no urgency to worry about replacing it or dealing with it
Feb 11 13:25:48 if one would setup usb-fixing shop, there would be a lot of good n900s
Feb 11 13:26:37 KotCzarny: why shouldn't we care about ubifs?
Feb 11 13:26:49 the mtd is the fastest storage unit in the n900
Feb 11 13:27:10 kerio, use nand only for booting part and move everything else to emmc/sd
Feb 11 13:27:21 which makes things waaaaaay slower
Feb 11 13:28:55 does it?
Feb 11 13:29:05 the slowest part is swapping
Feb 11 13:29:09 not fs
Feb 11 13:31:46 also, i run bpi/opi from sd card, and its fast enough (stride/stripe helps)
Feb 11 13:32:34 * jonwil wishes it wasn't so hard to find people who actually understand the inner workings of the Gecko rendering engine... :(
Feb 11 13:34:25 kerio: indeed I always wondered how much sense it would make to have a - say - 200MB swap on mtd and move the whole rootfs (modulo a stub pivotroot aka "initrd" of sorts) to mmc
Feb 11 13:34:48 it would probably make a lot of sense for the purpose of convenience
Feb 11 13:34:53 but it *is* a performance hit
Feb 11 13:35:20 kerio, did you measure it?
Feb 11 13:35:34 nah, fast swap (particularly on write) way better for system performance on a system starving on RAM than a faster rootfs
Feb 11 13:35:40 not personally but i don't remember who did
Feb 11 13:35:51 someone did, tho
Feb 11 13:36:01 10%? 50%?
Feb 11 13:38:35 * DocScrutinizer05 suspects a nasty global-action TBIC button on jonwil's devices
Feb 11 13:38:58 how else comes he never says bye
Feb 11 13:39:32 ~greetings
Feb 11 13:39:32 greetomgs!
Feb 11 13:39:41 ~hello
Feb 11 13:39:42 Howdy Bub
Feb 11 13:39:52 ~internet time
Feb 11 13:44:25 for some of you geeks this is possibly a nice read: http://www.dwheeler.com/essays/fixing-unix-linux-filenames.html
Feb 11 13:44:39 ~ugt
Feb 11 13:44:40 methinks ugt is Universal Greeting Time. Created in #mipslinux, it is a rule that states that whenever somebody enters an IRC channel it is always morning, and it is always late when the person leaves. The local time of any other people in the channel, including the greeter, is irrelevant. http://www.total-knowledge.com/~ilya/mips/ugt.html
Feb 11 13:45:40 and the links like http://www.dwheeler.com/essays/filenames-in-shell.html
Feb 11 13:46:05 this guy actually knows what he's talking about
Feb 11 14:58:12 hi, I was happily browsing site in the afternoon (talk.maemo.org) and reviving my old n900. I haven't posted or done anything at all, just browsing the forum. And, now it says my ip is blocked. Can anyone help please?
Feb 11 14:58:23 also, would like to know the reason why it was blocked.
Feb 11 14:59:10 as for reviving:
Feb 11 14:59:12 ~flashing
Feb 11 14:59:17 no.
Feb 11 14:59:19 well, maemo-flashing is http://wiki.maemo.org/Updating_the_tablet_firmware, or - on linux PC - download&extract http://maemo.cloud-7.de/maemo5/patches_n_tools/maemo-my-private-workdir.tgz, cd into it, do sudo ./flash-it-all.sh
Feb 11 14:59:39 I mean, I need to unblock my ip, such that I can visit the forums. :)
Feb 11 15:00:04 reviving = using it as server :D
Feb 11 15:00:53 ~unbanip
Feb 11 15:00:53 unbanip is probably please contact techstaff maemo org with your request, or see ~techstaff
Feb 11 15:01:25 sure, thanks.
Feb 11 15:01:44 it said to contact staff in #maemo too, don't know who is the staff here though.
Feb 11 15:01:48 and most likely your ip is in some spam db
Feb 11 15:02:00 Sorry, it seems that you are using an IP address or a proxy that is listed in the forum anti spam blacklist.
Feb 11 15:02:03 Feel free to contact our staff on irc freenode #maemo channel.
Feb 11 15:02:07 change into @ and into .
Feb 11 15:02:17 sure, understood that.
Feb 11 15:03:12 was browsing around 30 mins earlier, and next time trying to check a post about python 2.75 and it gets blocked. :(
Feb 11 15:03:21 and if you are on dynamic ip try reconnecting modem
Feb 11 15:46:51 Avasz: please ping chem|st, your IP is on some anti-sorum-spam blacklist
Feb 11 15:46:58 forum even
Feb 11 15:47:47 chem|st: staff (for all that matters to talk.maemo.org
Feb 11 15:48:45 it's a pretty weird concept to have forum block users from *reading* stuff, but it seems nobody is willing to implement a better approach to only block login
Feb 11 15:51:16 Avasz: anyway not your fault
Feb 11 15:57:22 !ipunblock
Feb 11 15:58:15 ?
Feb 11 15:59:08 ~
Feb 11 15:59:10 DocScrutinizer05: it is not only login, we got ddos'ed, and registration spammed, you cannot prevent a crowd attack from asia as those are real people
Feb 11 15:59:15 ~ipunblock
Feb 11 15:59:29 ~+bosnack
Feb 11 15:59:34 ~botnack
Feb 11 15:59:42 nvm
Feb 11 15:59:52 I did not set it and do not remember
Feb 11 15:59:56 ~unbanip
Feb 11 15:59:57 methinks unbanip is please contact techstaff maemo org with your request, or see ~techstaff
Feb 11 16:00:06 ~techstaff
Feb 11 16:00:06 it has been said that techstaff is techstaff(AT)maemo.org - the folks that keep your maemo infra running. Devotion to Duty http://xkcd.com/705/
Feb 11 16:01:27 and that is what the block page should read too
Feb 11 16:02:37 xes: maybe you can setup a nicer notification to the blocking, incl mentioning that most bigger TOR nodes are blocked for obvious reasons
Feb 11 16:03:10 hi
Feb 11 16:03:28 capitanocrunch: hi
Feb 11 16:03:56 on unrelated OT sidenote: deadbeef is an awesome music player
Feb 11 16:04:02 i noticed issue for navit packages in maemo repos when apt-upgrade
Feb 11 16:04:07 iled to fetch http://repository.maemo.org/extras-devel/pool/fremantle/free/n/navit/navit_0.5.0+dfsg.1-1maemo1-6563_armel.deb Size mismatch
Feb 11 16:04:11 Failed to fetch http://repository.maemo.org/extras-devel/pool/fremantle/free/n/navit/navit-data_0.5.0+dfsg.1-1maemo1-6563_all.deb Size mismatch
Feb 11 16:04:52 size mismatch?
Feb 11 16:05:04 that's what they saud
Feb 11 16:05:09 said*
Feb 11 16:05:25 do you need to update your catalogue?
Feb 11 16:05:46 apt upgrade is *strongly* deprecated
Feb 11 16:06:09 PARTICULARLY from maemo-devel
Feb 11 16:06:32 almost sure bet to bork your system
Feb 11 16:06:34 im using apt-get update and then apt-get upgrade
Feb 11 16:06:46 see ^^^^
Feb 11 16:07:17 why deprecated?
Feb 11 16:08:56 so we have to use fapman?
Feb 11 16:09:24 top ten things to know about maemo: #1 maemo is almost a plain debian #2 maemo is NOT a plain debian #3 NEVER do apt-get upgrade or apt-get dist-upgrade when you got any but the basic repos enabled #4 never do apt-get upgrade at all #5... $yourcall
Feb 11 16:09:34 ~fapman
Feb 11 16:09:34 hmm... fapman is Faster Application Manager, a frontend for apt which uses own repositories catalog, and shouldn't be used to do system upgrades (like CSSU), or actually for anything since ~speedyHAM. It also does "apt-get autoremove" after every operation, by default. In short, it's been identified as source of system corruption and thus deprecated, or see ~hamvsfam
Feb 11 16:10:00 ~speedyham
Feb 11 16:10:01 hmm... speedyham is 30 times faster than HAM http://maemo.merlin1991.at/cssu/community-devel/pool/free/h/hildon-application-manager/hildon-application-manager_2.2.73-2_armel.deb
Feb 11 16:10:34 infobot: speedyham is also SpeedyHAM is included in CSSU now
Feb 11 16:10:34 DocScrutinizer05: okay
Feb 11 16:11:11 nope, not in -stable
Feb 11 16:11:17 ok
Feb 11 16:11:25 ~literal speedyham
Feb 11 16:11:25 "speedyham" is "30 times faster than HAM http://maemo.merlin1991.at/cssu/community-devel/pool/free/h/hildon-application-manager/hildon-application-manager_2.2.73-2_armel.deb. SpeedyHAM is included in CSSU now"
Feb 11 16:12:59 infobot: no, speedyham is SpeedyHAM is 30 times faster than HAM http://maemo.merlin1991.at/cssu/community-devel/pool/free/h/hildon-application-manager/hildon-application-manager_2.2.73-2_armel.deb. SpeedyHAM is included in CSSU-testing now
Feb 11 16:12:59 okay, DocScrutinizer05
Feb 11 16:17:59 never knew of speedyham
Feb 11 16:19:05 since im on cssu-stable, should i dpkg install the deb and give it a try?
Feb 11 16:19:42 sure, go ahead
Feb 11 16:20:15 I guess you can't, it has dependency to a newer glib
Feb 11 16:20:21 dang
Feb 11 16:20:26 iirc I had to rebuild
Feb 11 16:20:30 :nod:
Feb 11 16:20:39 I might have it around
Feb 11 16:20:44 maybe bencoh could hand you the .deb
Feb 11 16:20:52 but wait, you say testing has new glib, stable doesn't?
Feb 11 16:20:57 :nod:
Feb 11 16:21:14 capitanocrunch: move to testing ;-)
Feb 11 16:21:17 new revision
Feb 11 16:21:21 it's the new stable :-P
Feb 11 16:21:37 or pester merlin1991 to issue a new -stable
Feb 11 16:21:53 "testing is the new stable" being a common meme in all $FOSS
Feb 11 16:22:04 it is about time already
Feb 11 16:22:09 indeed
Feb 11 16:22:13 indeed :)
Feb 11 16:22:41 hmm, I wonder where it comes from, I can't find it on my server or my sb
Feb 11 16:22:49 lol
Feb 11 16:23:05 maybe it didn't depend on newer glib in the end
Feb 11 16:23:48 well, I'd strongly hope new glib wouldn't breal $all-old-packages
Feb 11 16:24:09 break even
Feb 11 16:24:23 dpkg-deb -I shows "libglib2.0-0 >= 2.20.0"
Feb 11 16:24:44 DocScrutinizer05: it is in -testing for umm... 2 years?
Feb 11 16:24:46 wouldn't make much sense to give a new lib to cssu-testing that renders all closed stuff borked and needs recompile for all open stuff
Feb 11 16:25:15 btw the top 10 things to know about maemo seem to be five not ten :0 and what $yourcall stands for?
Feb 11 16:25:30 capitanocrunch: I suggest you give the .deb link a try
Feb 11 16:25:38 it's a verbose ellipsis
Feb 11 16:25:48 you know how to use dpkg/apt-get in case of trouble anyway ;p
Feb 11 16:26:16 DocScrutinizer05: https://github.com/community-ssu/glib/commit/c197df81ced094816f116ccd8d63d5fc507bf1ac
Feb 11 16:26:30 just rename the ham binary and copy the new one into place
Feb 11 16:26:44 yuk
Feb 11 16:26:47 hrhr
Feb 11 16:27:13 quick&dirty, easy to revert
Feb 11 16:27:54 iirc it is not that easy
Feb 11 16:27:57 well, maybe not THAT easy, HAM might be under maemo-launcher
Feb 11 16:28:08 there are more binaries
Feb 11 16:28:20 plus a few other unexpected little fancies
Feb 11 16:28:23 like apt-worker
Feb 11 16:28:29 :nod:
Feb 11 16:29:11 the correct method would prolly be to temporarily add cssu-testing repo and then do an apt-get install
Feb 11 16:30:00 you'd need to do some apt-pinning for that to work
Feb 11 16:30:07 otherwise, you're doomed
Feb 11 16:30:21 or move to cssu-testing right away. it's really stable enough, as long as you can live with stock camera and a few other getting replaced by FOSS versions without real need for such update
Feb 11 16:31:08 bencoh: hiuh? why? isn't that supposed to only install 'new' version of HAM?
Feb 11 16:31:45 NB I didn't suggest apt-get upgrade but apt-get install $HAM
Feb 11 16:32:31 of course it *might* pull in dependencies you don't want, but then... what are your options, other than moving to cssu-t anyway
Feb 11 16:32:36 I wouldn't recommend that, it will pull newer glib and there are some packages which are known to be broken (fixed in -testing)
Feb 11 16:33:22 so MEH, upgrade to testing, by simply installing cssu-testing over the cssu-stable version on your device
Feb 11 16:33:55 :]
Feb 11 16:34:21 the instructions on ~cssu apply
Feb 11 16:35:22 ok, im going for testing
Feb 11 16:35:30 ~cssu
Feb 11 16:35:30 i guess cssu is http://wiki.maemo.org/Community_SSU, or (Community Seamless Software Update)
Feb 11 16:35:49 one click and you're basically done ;-)
Feb 11 16:36:44 ~hamvsfam
Feb 11 16:36:44 somebody said hamvsfam was https://mg.pov.lt/maemo-irclog/%23maemo.2013-10-28.log.html#t2013-10-28T10:44:33, or http://talk.maemo.org/showthread.php?t=93227
Feb 11 19:07:59 02:44:25 < DocScrutinizer05> for some of you geeks this is possibly a nice read: http://www.dwheeler.com/essays/fixing-unix-linux-filenames.html
Feb 11 19:08:19 You should be able to easily pass around arbitrary strings from shells to programs without it interpreting them in special ways.
Feb 11 19:08:28 anyway, gtg
Feb 11 19:08:40 * Maxdamantus has been thinking of writing a more sensible shell recently.
Feb 11 19:35:33 I want to name my files with carriage returns and beeps so they stand out in ls -l ...
Feb 11 19:48:13 ecc3g: not far from reality, with path names like >>file:///home/jr/Musik/King Crimson/King Crimson - 40th Anniversary Series/1974 - King Crimson - Red (2009, 40th Anniversary Series, CD+DVD-A, Discipline Global Mobile, UK, KCSP7)/DVD-A/KC_RED/KC_RED.iso<<
Feb 11 19:48:54 I got stuff with +;,{}()*?!$% in it
Feb 11 19:50:42 yes, *generally* you get away just with proper quoting
Feb 11 19:51:03 but proper quoting easily gets annoyingly complicated
Feb 11 19:51:40 particularly when you want to parse filenames, e.g. for a scripted renaming
Feb 11 19:52:59 at times even regex in sed turn into gibberish
Feb 11 20:12:25 :xa
Feb 11 20:12:33 :xa
Feb 11 20:12:38 :xa
Feb 11 20:13:00 Not and editorcommand
Feb 11 20:13:22 (huhu, looks like I cant type)
Feb 11 20:41:12 hi
Feb 11 20:59:07 hi jonwil :)
Feb 11 22:26:58 * jonwil is still no closer to getting the NSS tools to build for maemo microb-engine :(
Feb 11 22:27:16 what's wrong?
Feb 11 22:31:24 It seems like the build process for microb-engine just doesn't compile them and I can't find anything in the build system to indicate why
Feb 11 22:31:38 or how to get the build system to compile them
Feb 11 22:33:41 it doesn't help that the microb-engine/mozilla build system isn't exactly easy to understand
Feb 11 22:34:15 you could fetch nss and build them from there
Feb 11 22:34:27 (a fresh independent copy of nss)
Feb 11 22:34:50 and yeah, mozilla build system is a mess ... probably a joke
Feb 11 22:34:58 something to make us feel bad after using it
Feb 11 22:35:56 We need them to build from the microb-engine source (which is a specific revision of the mozilla tree with a bunch of local patches) and not just some random nss source from somewhere
Feb 11 22:36:52 only way to get tools that will actually run on-device
Feb 11 22:37:25 why?
Feb 11 22:37:50 are there that many patches to the nss utils themselves?
Feb 11 22:38:15 there are patches to the way the build system builds stuff
Feb 11 22:38:31 There is no guarantee that something built elsewhere will work the way we need it to
Feb 11 22:39:07 Plus there is no guarantee that if I took the unmodified mozilla code matching microb-engine and built that, I would get a set of nss tools out of that either
Feb 11 22:39:22 And we need it to be the same codebase as the nss version we are using otherwise it won't be compatible
Feb 11 23:18:34 KotCzarny: I know what mSATA is. Which “controller chip issue” do you mean?
Feb 12 00:05:29 (( on unrelated OT sidenote: deadbeef is an awesome music player)) OH WOW!! >> What other portable devices does Deadbeef run on? --- People succeeded to build and run it on Pandora and N900.<<
Feb 12 01:57:15 * DocScrutinizer05 sends some gravitational waves through the channel
**** ENDING LOGGING AT Fri Feb 12 02:59:58 2016