Install Gentoo via Floppy

Okay, so here are the files I generated for it:

Some people might be wondering why I did this: Well, I saw this blog post about cramming Windows 3.1 + some extras into the coreboot virtual floppy. And I noticed that my kernel images were relatively well stripped down (5 MB for the kernel of my VPS and about the same size for my other machines) and that busybox is damn small (~700 Kilobytes), yet has all the necessary userspace tools required to install Gentoo (iproute2, udhcpc, fdisk, mkfs, wget, …).

Also, while the floppy version isn’t very useful nowadays, the kernel+initramfs is quite useful for netbooting or for installation on a VPS which already has a Linux install but doesn’t have a good enough ISO, which I basically never have since I use ZFS; interestingly Alpine Linux, which can be used for that, isn’t widely offered (I already had a quite generic kernel+initrd but 4 times bigger).

It was quite fun to do, even if I needed to launch the VM quite a lot of times until I got all the drivers for QEMU to work. And so, here is what is present in the kernel:

Note: The permissions for the /dev files are wrong, which is probably why udhcpc is broken. And it requires you to put FEATURES="-userfetch" in /etc/portage/make.conf. I guess this will make me fix some stuff in make-initrd.

btw I managed to not hit the floppy limit (except when I tried without XZ on the initramfs), but I didn’t find a way to see the occupied size on the floppy. I would probably have tried to cram more stuff into it like tinyx / tinyxserver and/or useful recovery tools. One such floppy-based Linux was Basic Linux from 2005 but it’s apparently dead and it used either DOS for booting or two floppies.

Fediverse post for comments, published on 2019-04-10T15:21:04Z, last updated on 2019-04-10T15:52:20Z

My email setup

NightmareMoon

OpenSMTPd config

pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
listen on lo

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
# Lines with <cloudsdale> are legacy because of libasr-1.0.2 under musl, now fixed
#table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }

action "local" mbox alias <aliases>
action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
#action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org

match from local for local action "local"
match from local for any   action "relay"
#match from src <cloudsdale> for any action "relay"
match from any for domain <domains> action "backup_relay"

For now minion/NightmareMoon doesn’t store my emails, but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).

Cloudsdale

OpenSMTPd config

pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

# internet
listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
listen on lo tag IN

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains

action "deliver" maildir alias <aliases>
action "relay"   relay tls no-verify
# Legacy: libasr-1.0.2 tarball is broken with musl, use git
#action "relay"   relay host smtp+tls://hacktivis.me

match from any   for domain <domains> action "deliver"
match from local for local            action "deliver"
match from local for any              action "relay"

DNS Records

This is what I have in all my zones (I use a $INCLUDE, which is supported by nsd):

@       86400   MX      1 cloudsdale.the-delta.net.eu.org.
@       86400   MX      10 minion.the-delta.net.eu.org.
@       86400   TXT     "v=spf1 a mx ?all"
_dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
_smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
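As an added example (not part of the original post), here is a small Python checker that parses the three TXT records above and reports what policy they actually express: `?all` leaves unlisted senders neutral and `p=none` asks receivers to report but not to act, which is the usual monitoring-phase setup. The record strings are constructed copies of the zone lines above.

```python
"""Parse the SPF, DMARC and TLS-RPT TXT records of a zone and report the
policy each one actually expresses.

Added example, not part of the original post.  The records below are
constructed copies of the three TXT records shown in the zone snippet.
"""

# Constructed sample: the TXT records from the zone snippet, keyed by owner.
ZONE_TXT = {
    "@": "v=spf1 a mx ?all",
    "_dmarc": ("v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; "
               "ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"),
    "_smtp._tls": "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me",
}

# Meaning of the qualifier in front of an SPF mechanism (RFC 7208).
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return the SPF record as a list of (qualifier, mechanism) tuples."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term.lower()))
    return mechanisms


def spf_default_result(mechanisms):
    """Result for a sender matched by no mechanism: the qualifier on 'all',
    or 'neutral' when the record has no 'all' term at all."""
    for qualifier, mechanism in mechanisms:
        if mechanism == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"


def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and TLSRPT."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_zone(zone):
    """Return a list of human-readable findings about the mail policy."""
    findings = []

    default = spf_default_result(parse_spf(zone["@"]))
    if default in ("pass", "neutral"):
        findings.append("SPF: unlisted senders get '%s', so SPF alone rejects nothing" % default)

    dmarc = parse_tags(zone["_dmarc"])
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: missing or wrong v= tag")
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none is monitor-only; failures are reported but still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")

    tlsrpt = parse_tags(zone["_smtp._tls"])
    if tlsrpt.get("v") != "TLSRPTv1" or "rua" not in tlsrpt:
        findings.append("TLSRPT: record present but incomplete")

    return findings


if __name__ == "__main__":
    for finding in assess_zone(ZONE_TXT):
        print(finding)
```

On the records above this prints two findings (the neutral `?all` and the `p=none`); a zone using `-all` and `p=reject` would print none.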

Choices

Fediverse post for comments

Pretty Bad Privacy

This article is in an early drafting process, made public so I get comments and more people can be aware.
OpenPGP
Pretty Good Privacy standard, derives from the original PGP implementation. "PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of PGP Corporation. The term "OpenPGP" refers to the protocol described in this and related documents.
GnuPG / GPG
GNU Privacy Guard, main/only implementation of OpenPGP

OpenPGP standard

Compression

   Furthermore, compression has the added side effect that some types of
   attacks can be thwarted by the fact that slightly altered, compressed
   data rarely uncompresses without severe errors.  This is hardly
   rigorous, but it is operationally useful.  These attacks can be
   rigorously prevented by implementing and using Modification Detection
RFC4880, November 2007

Not sure about this one, I’ll go check, but this caused a few issues in SSH and TLS, so I wouldn’t be surprised if it was also the case for OpenPGP.

Ciphers

The OpenPGP standard mandates that some ciphers must be present in the implementation; they are broken, and well known to be.

9.1.  Public-Key Algorithms

ID           Algorithm
--           ---------
1          - RSA (Encrypt or Sign) [HAC]
2          - RSA Encrypt-Only [HAC]
3          - RSA Sign-Only [HAC]
16         - Elgamal (Encrypt-Only) [ELGAMAL] [HAC]
17         - DSA (Digital Signature Algorithm) [FIPS186] [HAC]
18         - Reserved for Elliptic Curve
19         - Reserved for ECDSA
20         - Reserved (formerly Elgamal Encrypt or Sign)
21         - Reserved for Diffie-Hellman (X9.42,
             as defined for IETF-S/MIME)
100 to 110 - Private/Experimental algorithm

Implementations MUST implement DSA for signatures, and Elgamal for
encryption. […]
9.2.  Symmetric-Key Algorithms

ID           Algorithm
--           ---------
0          - Plaintext or unencrypted data
1          - IDEA [IDEA]
2          - TripleDES (DES-EDE, [SCHNEIER] [HAC] -
             168 bit key derived from 192)
3          - CAST5 (128 bit key, as per [RFC2144])
4          - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
5          - Reserved
6          - Reserved
7          - AES with 128-bit key [AES]
8          - AES with 192-bit key
9          - AES with 256-bit key
10         - Twofish with 256-bit key [TWOFISH]
100 to 110 - Private/Experimental algorithm

Implementations MUST implement TripleDES. […]
9.4.  Hash Algorithms

ID           Algorithm                             Text Name
--           ---------                             ---------
1          - MD5 [HAC]                             "MD5"
2          - SHA-1 [FIPS180]                       "SHA1"
3          - RIPE-MD/160 [HAC]                     "RIPEMD160"
4          - Reserved
5          - Reserved
6          - Reserved
7          - Reserved
8          - SHA256 [FIPS180]                      "SHA256"
9          - SHA384 [FIPS180]                      "SHA384"
10         - SHA512 [FIPS180]                      "SHA512"
11         - SHA224 [FIPS180]                      "SHA224"
100 to 110 - Private/Experimental algorithm

Implementations MUST implement SHA-1.  Implementations MAY implement
other algorithms.  MD5 is deprecated.
RFC4880, November 2007

Some additional ciphers got added later on, but this basically means that you cannot be sure that an OpenPGP message you sent wasn’t done in more-or-less plaintext. DES was broken by the EFF in 199x, 3DES is basically now about the same (NIST: 80 bits of security) but computing power got much better, SHA1 was probably still known as okay but could be better (as SHA2 was already a thing), DSA was probably not good enough anymore to be hardcoded, no idea for Elgamal.

I tried a few years ago to build a GnuPG without support for these broken ciphers, and I failed doing so. One can note that SSH requires 3DES-CBC, but it can be disabled or not implemented (tinyssh).

13.4.  Plaintext

   Algorithm 0, "plaintext", may only be used to denote secret keys that
   are stored in the clear.  Implementations MUST NOT use plaintext in
   Symmetrically Encrypted Data packets; they must use Literal Data
   packets to encode unencrypted or literal data.
RFC4880, November 2007

I guess this one is related to SigSpoof.

14.  Security Considerations

   * As with any technology involving cryptography, you should check the
     current literature to determine if any algorithms used here have
     been found to be vulnerable to attack.
[…]
   * There is a somewhat-related potential security problem in
     signatures.  If an attacker can find a message that hashes to the
     same hash with a different algorithm, a bogus signature structure
     can be constructed that evaluates correctly.

     For example, suppose Alice DSA signs message M using hash algorithm
     H.  Suppose that Mallet finds a message M' that has the same hash
     value as M with H'.  Mallet can then construct a signature block
     that verifies as Alice's signature of M' with H'.  However, this
     would also constitute a weakness in either H or H' or both.  Should
     this ever occur, a revision will have to be made to this document
RFC4880, November 2007

$ gpg --version
gpg (GnuPG) 2.2.10
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/haelwenn/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

“LOL”
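The tables quoted above are machine-readable registries, so the check this post is making by eye (which compiled-in algorithms the standard refuses to let you drop) can be automated. Here is an added example, not part of the original post and not GnuPG code, that parses the “Supported algorithms” part of a `gpg --version` listing and maps each name onto the RFC 4880 IDs quoted above. The name-to-ID mapping is my assumption (GnuPG’s short names are not in the RFC), and the listing string is a constructed copy of the output above.

```python
"""Check the algorithms a GnuPG build carries against the RFC 4880
registries (sections 9.1, 9.2 and 9.4).

Added example, not part of the original post and not GnuPG code.  The
mapping from GnuPG's short names to RFC 4880 IDs is an assumption, and
GPG_VERSION_OUTPUT is a constructed copy of the `gpg --version` listing.
"""

# RFC 4880 "Implementations MUST implement ..." entries, as (registry, ID):
# DSA (17) and Elgamal (16) for public keys, TripleDES (2), SHA-1 (2).
MUST_IMPLEMENT = {("pubkey", 17), ("pubkey", 16), ("cipher", 2), ("hash", 2)}
# "MD5 is deprecated" (RFC 4880, 9.4).
DEPRECATED_BY_RFC = {("hash", 1)}

# Assumed mapping from GnuPG's names to (registry, RFC 4880 ID).  Names
# missing here (EDDSA, CAMELLIA*) were registered after RFC 4880.
GPG_NAMES = {
    "RSA": ("pubkey", 1), "ELG": ("pubkey", 16), "DSA": ("pubkey", 17),
    "ECDH": ("pubkey", 18), "ECDSA": ("pubkey", 19),
    "IDEA": ("cipher", 1), "3DES": ("cipher", 2), "CAST5": ("cipher", 3),
    "BLOWFISH": ("cipher", 4), "AES": ("cipher", 7), "AES192": ("cipher", 8),
    "AES256": ("cipher", 9), "TWOFISH": ("cipher", 10),
    "MD5": ("hash", 1), "SHA1": ("hash", 2), "RIPEMD160": ("hash", 3),
    "SHA256": ("hash", 8), "SHA384": ("hash", 9), "SHA512": ("hash", 10),
    "SHA224": ("hash", 11),
}

# Only the three registries quoted in the post are classified.
CLASSIFIED_CATEGORIES = ("Pubkey", "Cipher", "Hash")

# Constructed copy of the "Supported algorithms" part of the gpg output.
GPG_VERSION_OUTPUT = """\
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""


def parse_gpg_algorithms(text):
    """Return {"Pubkey": [...], "Cipher": [...], ...} from gpg --version.

    Indented continuation lines (as in the Cipher list) belong to the
    category started on the previous line."""
    categories = {}
    current = None
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and current:
            names = line
        elif ":" in line:
            current, _, names = line.partition(":")
            current = current.strip()
            categories.setdefault(current, [])
        else:
            continue
        categories[current].extend(n.strip() for n in names.split(",") if n.strip())
    return {k: v for k, v in categories.items() if v}


def classify(categories):
    """Return (name, rfc4880_id, status) for every Pubkey/Cipher/Hash entry."""
    rows = []
    for category in CLASSIFIED_CATEGORIES:
        for name in categories.get(category, []):
            entry = GPG_NAMES.get(name.upper())
            if entry is None:
                rows.append((name, None, "not in RFC 4880"))
            elif entry in MUST_IMPLEMENT:
                rows.append((name, entry[1], "MUST implement (RFC 4880)"))
            elif entry in DEPRECATED_BY_RFC:
                rows.append((name, entry[1], "deprecated by RFC 4880"))
            else:
                rows.append((name, entry[1], "optional"))
    return rows


def rfc4880_mandatory(categories):
    """Compiled-in algorithms RFC 4880 forbids an implementation to drop."""
    return [name for name, _, status in classify(categories) if status.startswith("MUST")]


if __name__ == "__main__":
    for name, rfc_id, status in classify(parse_gpg_algorithms(GPG_VERSION_OUTPUT)):
        print("%-12s %-4s %s" % (name, "-" if rfc_id is None else rfc_id, status))
```

Note that this reports what the binary carries, not what a given key or message uses; the point of the post is that the four MUST entries cannot be compiled out while staying a conforming implementation.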

It leaks a pile of metadata (time, implementation name+version, …)

There is no deniability possible, there is quite a difference between no-authentication and deniability, to be elaborated on

Your public key/identity will end up on the keyservers at some point, no exception.

There is no forward secrecy

OpenPGP in real life

Real Name policy and other stuff that should be optional in the Public Key Verification process (An ID card? Seriously?).

Bonus: Keybase is a fuck

Keybase is what you get when you want crypto (just the math), but you do not care about security (they are called secrets for a reason) or privacy (social-media with a cryptographically verified graph that lives forever…).

As an alternative (and if you still want OpenPGP), I think putting your fingerprint everywhere you can and putting your minimal public key on your blog is a much better way, and it can be automatised a bit (OPENPGPKEY DNS record, IndieWeb rel="openpgp", …).

See also

Fediverse post for comments

AtlAASian: The Bullshit factory

This is a port of a loose thread I made on the Fediverse while trying to delete an account on codacy.com that was supposedly linked to BitBucket (Atlassian service).

Start of this bullshit: 2019-02-15 17:28

So after trying to log into Codacy via BitBucket via Atlassian while not remembering either the email nor the password (yeah it was already a huge mess), I guessed the email would be the same as the one Codacy sent me the notification to.

So I go to account recovery, it sends me an email with an overly large link (~1180 characters) to reset my password, Google reCAPTCHA greeting, fill in the password, omit filling the Full Name, “Submit”, help train the Google AIs, “Full name must not be empty” (at this point I’m quite aware that they are fucking noobs at doing web), fill it, “Submit”, “I’m not a Robot”

Screenshot: Page headed “Are you using the right account?”, offering a choice between signing in for BitBucket or using a different account
Wait… did they just send me a password reset link while my account is non-existent?

Whatever, I end up on https://id.atlassian.com/manage-profile, which goes into a redirection loop (noobs). Well let’s see if there is another way to delete the account. Search for “GDPR Atlassian Delete”, after a bit I end up on a heavily bugged webpage headed “Request deletion of personal data”.

Screenshot: Functionality is not ready yet (it’s broken)
Screenshot: Form to request deletion of your personal data (it works)
The first image is without accepting launchdarkly in uMatrix, the second is with accepting it. Enjoy the non-sensical error message.

So once their widget works: There was an error during form submission. Please try again later. Well I try right away (with google recaptcha allowed in the meantime): it works

And a few seconds later I receive this in my emails:

*****************************************
Your request to delete your personal data
*****************************************

We received a request to delete your personal data. Because you have an Atlassian account, you need to delete your account, which will delete your personal data along with it. To do so, log in to your account and go to the
*Delete account* tab. If your organization manages your account, ask an organization admin to delete the account for you.
Log in to your Atlassian account ( https://id.atlassian.com/manage-profile/close-account )
If you didn't make this request, you can ignore this email. We won't delete your personal data. Report this email. ( https://support.atlassian.com ) Thanks, The Atlassians

( https://www.atlassian.com )

So back where I was…

I fiddle a bit with uMatrix on the loop-redirecting id.atlassian.com, end up creating a clean firefox profile, disable referer spoofing on it and it finally loads.

Screenshot: We’ll permanently delete your account
Screenshot: Firefox pop-up about “How tracking protection works”
Finally… Extra: Enjoy this Mozilla pop-up.

End of this bullshit: 2019-02-15 18:17 so about 45 minutes.

Fediverse post for comments

I’m removing defaults to eternal cryptographic signatures

Quick Notes on how to

Why?

It’s something that weirdly doesn’t seem very popular in cryptonerd circles. Long-term signatures in a computer world basically mean that everything you send can and will be used against you and the people you interacted with or wrote about, and there is absolutely no deniability about it.

For example with DKIM: the content of the message is known to not have been modified and to have been sent by the right provider. What is required? The email and a DNS record (which is usually not changed). No interception whatsoever is required. Also this standard absolutely doesn’t help against receiving unwanted messages (aka SPAM), so in my opinion it’s a waste of human time (configuration) and computing power.

Did you ever send a message that can be used against you or someone else? Probably (I surely did, please do not continue on this). Also if it can’t be used against you right now, it might be later.

Post for comments and sharing on the fediverse.

Email to graphics-dev@chromium.org about nouveau blacklisting

Date: Sun, 6 Jan 2019 01:54:46 +0100
From: Haelwenn Monnier <contact@hacktivis.me>
To: graphics-dev@chromium.org
Subject: Nouveau blacklisting
Message-ID: <20190106005446.GA22465@cloudsdale.the-delta.net.eu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)

Hello,

I would like to complain about the blacklisting of nouveau in the
chromium graphics stack, nouveau is a useful replacement to the proprietary
driver and linked tools from NVidia, notably, because of the following cases:

- Ethics/Choice, nvidia being a proprietary driver, that literally gets
about everything graphics related passed to it, it can be very sensible, be it
for privacy or politics (they could ban applications or some API).

- Wayland, as the nvidia driver wrongfully provides their own API that only
a very few compositors provide. wlroots, created for usage in Sway for example
will never support their API[1].

- Up-to-date software, the proprietary driver has quite the history of lagging
behind on the software it depends on, for example the 304.xx legacy branch
needs a vulnerable Xorg branch(1.19.x) and when spectre/meltdown arrived a
legacy branch was incompatible with the stable branch of the linux kernel
at that time.
Which honestly is quite funny considering that you apparently banned it
because of outdated mesa builds[2], which just cannot be fixed with the legacy
branch. Something which I think will probably get even worse if WebGL will have
to use the slow and power-hungry software rendering.

I do not think that chromium is very liked in a lot of the linux community,
probably because of the overly large codebase and the link to Google, but doing
this will probably raise quite a large and visible flag to even non-maintainers.

1: https://drewdevault.com/2017/10/26/Fuck-you-nvidia.html
2: https://www.phoronix.com/scan.php?page=news_item&px=Chrome-Blacklisting-Nouveau

--
Haelwenn (lanodan) Monnier
https://hacktivis.me/

Post for comments and sharing on the fediverse.

Few updates about this website

Atom syndication

I finally added a syndication feed, using the Atom format (and xHTML for the articles)! (seriously, after all these years?) I’m pretty sure the URL for it isn’t backward-compatible with what I had a long time ago, so you’ll have to update.

The link is available on the navbar and has proper metadata so it should show up in your browser, but here it is for completeness’ sake:

New colorscheme for this website

A few weeks ago I changed the colorscheme of my terminal from solarized (which has quite too much blue even with redshift) to gruvbox (by the way here is a commit to patch st-0.8.1 to switch between light and dark), which also has better contrast and something I wanted for a long time: all the colors are viewable nicely, unless you set the same color on fg and bg and maybe a few similar things.

And having a colorscheme which has poor contrast even for my probably good eyes on a website is totally not something I wanted to keep. And so with this colorscheme default foreground with the soft background nicely passes the WCAG AAA level with a ratio of 9.57:1.
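The 9.57:1 figure is the WCAG 2 contrast ratio, and it is easy to reproduce. Here is an added example (not code from the original post) computing it from two sRGB colours; it assumes the figure refers to gruvbox’s default foreground #ebdbb2 on the soft dark background #32302f, which is my guess at the pair used.

```python
"""Compute the WCAG 2 contrast ratio between two sRGB colours.

Added example, not part of the original post.  The gruvbox values below
(fg #ebdbb2 on bg0_soft #32302f) are an assumption about which two
colours the 9.57:1 figure in the post refers to.
"""


def srgb_channel_to_linear(value):
    """Undo the sRGB transfer curve for one 0..255 channel (WCAG 2.x)."""
    c = value / 255.0
    if c <= 0.04045:
        return c / 12.92
    return ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_colour):
    """Relative luminance L of a '#rrggbb' colour, as WCAG 2 defines it."""
    h = hex_colour.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return (0.2126 * srgb_channel_to_linear(r)
            + 0.7152 * srgb_channel_to_linear(g)
            + 0.0722 * srgb_channel_to_linear(b))


def contrast_ratio(colour_a, colour_b):
    """(L1 + 0.05) / (L2 + 0.05), with L1 the lighter of the two colours."""
    l1, l2 = sorted((relative_luminance(colour_a), relative_luminance(colour_b)),
                    reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


def wcag_level(ratio, large_text=False):
    """AA needs 4.5:1 (3:1 for large text), AAA needs 7:1 (4.5:1)."""
    aa, aaa = (3.0, 4.5) if large_text else (4.5, 7.0)
    if ratio >= aaa:
        return "AAA"
    if ratio >= aa:
        return "AA"
    return "fail"


GRUVBOX_FG = "#ebdbb2"       # assumed: gruvbox dark default foreground
GRUVBOX_BG_SOFT = "#32302f"  # assumed: gruvbox dark bg0_soft

if __name__ == "__main__":
    ratio = contrast_ratio(GRUVBOX_FG, GRUVBOX_BG_SOFT)
    print("%.2f:1 -> %s" % (ratio, wcag_level(ratio)))
```

With those two colours the script prints 9.57:1 and AAA, matching the figure above; swapping in the plain gruvbox background (#282828) pushes the ratio higher still, while a low-contrast pair drops below the 4.5:1 AA bar.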

Screenshot of the colors of gruvbox dark in my terminal

Anyway if you don’t like it, use the atom feed. 😜

Post for comments and sharing on the fediverse.

My issue with Github (and Microsoft buying it)

Embrace; Extend; Extinguish

Microsoft and similar corporations are well-known for doing this kind of thing; we cannot have permanent links or main forges based on something like that. Also Microsoft may like Open Source (and probably not the GPL), but the same goes for Google: do we all trust Google with our and others’ data? Also Google Code created a pile of dead links.
And this post will probably evolve as Microsoft apparently hasn’t finished acquiring GitHub.

Lack of Transparency / OpenData

Currently all the tickets aren’t available in an open manner (I know GitLab can import them, but AFAIK you need a GitHub account for that and control over the repository).
One true alternative to this that is used in real life is debbugs (used at Debian), which works over email, and Bugzilla with its RSS feeds.

I also see, from time to time, some projects and their owners being removed from GitHub with no message at all on their side. And looking at their Terms of Service there are a bunch of ways you can be banned (search for "suspen" and "terminat").

Centralisation of Power

Never put all your eggs in the same basket

/usr/portage $ cat metadata/timestamp.commit
932f2215d9f814c7ef2dd8de6593af58e2c16048 1537662482 2018-09-23T00:28:02+00:00
/usr/portage $ grep -l 'github' -r */*/metadata.xml | wc -l
5194
/usr/portage $ find */*/metadata.xml | wc -l
19549
/usr/portage $ bc -l
(5194/19549)*100
26.56913397104711238400

So if I didn’t mess up the math, at least over 26% of the software in Gentoo ports/packages is more-or-less hosted on GitHub. I think a better version could be obtained by counting a package once if there is github in the metadata or in the latest ebuild. It would be awesome if repology.org could have some stats on VCS provider usage btw.

Github is a bad interface

(This part also applies to most git-based forges)

Pull Requests shouldn’t be the only way to send modifications; they are meant for maintainers/frequent contributors, not someone that sends patches from time to time. (I love sending months of commits to GitHub…).
Pull Requests also put more burden on the contributor than on the maintainer: it means that whatever modification often has to be done by the contributor, who may know nothing about your coding policies, otherwise it’s not mergeable. I’m pretty sure this is how you get long-standing PRs that became broken because other stuff came in.

Also GitHub is very unpopular with designers and other non-coders, and for a good reason: git is meant for versioning code/text files and it does that well. But for other stuff? No, it’s basically a hack and every contributor shouldn’t have to learn git. (note: coders don’t all know git, and not having PRs would just mean knowing how to use diff(1)).
And one of my favorite things from coders is “but GitHub allows you to edit with a web browser”. Yeah, but where is rebase, amending commits, …? There is just only one commit and a broken push. Could be acceptable for a patch, not really acceptable in most cases for something that is made to be directly merged into a branch.

GitHub is a registered trademark of Github Inc. ; Microsoft is a registered trademark of Microsoft Corporation.

False Security

I posted about this on the fediverse before, probably on social.hacktivis.me (RIP). So here github with their dark pattern (Update is highlighted, so not enough privacy given?) is randomly asking me to confirm my account recovery settings. And it is actually bad for security because here it means that Facebook could gain access to Github Accounts. What could go wrong? (Note: I do have a bit of write access to few projects on github).

Also I use the TOTP token regularly and I have recovery codes in case I would lose it (actually all stored and encrypted with pass, maybe I should change that).

Screenshot: GitHub asking me to confirm my account recovery settings, I could risk getting locked out of my account
Screenshot: Same, but with tooltips extended to see that “Recovery Tokens” is actually a sign-in with Facebook in disguise

One thing I wonder is: is GitHub showing a similar thing to people not using a token? 2FA is quite useless in my case so I could remove tokens, and I could quite imagine other people doing that too, but for whom 2FA actually increases security. Woops, fewer people being secure because of a bad design. (Also security ≠ usability is bullshit, but that will be for a later time)

Post for comments and sharing on the fediverse.

Multi-posting on micro-blogging is a nightmare

As a user of micro-blogging platforms, I see people doing a pile of micro-posts that are probably already written elsewhere. I’m calling it multi-posting and it’s also known under the name of “thread” (which I’m not using because it could be confusing). I want to ask y’all to stop doing these things and ask you to use stuff like a blog or even just a pastebin/twitlonger. Here are a few of the reasons I don’t like these:

And this is just without the social part of it, with the social part you can have stuff like:

I know this will probably not stop the whole thing as it has been going on for quite a long time, but it will allow me (and you too, I hope) to easily link to this post from time to time so I can avoid yelling at people or repeating myself.

Published on the

I changed my OpenPGP keys

The keyset (not OpenPGP vocabulary, I know) I had before was becoming quite a mess: I had lost my subkeys quite often or sometimes they were not reachable (available on the desktop while I was on the laptop for a few weeks, and the desktop is ~200 km away). This keyset should be quite state of the art for late-2017. Terminal output with some modifications so I’m sure I don’t leak stuff.
$ gpg -K
/mnt/gentoo/home/haelwenn/.gnupg/pubring.gpg
--------------------------------------------
sec   rsa2048/0xC87384794BBEBBAD 2014-03-15 [SC] [expires: 2018-06-09]
      Key fingerprint = 8E4B AA5E E6FB D5A8 D04F  3BE5 C873 8479 4BBE BBAD
uid                   [ultimate] Haelwenn Monnier (lanodan, forwarded) 
uid                   [ultimate] Haelwenn Monnier (lanodan) 
uid                   [ultimate] Haelwenn Monnier (lanodan) 
uid                   [ultimate] lanodan 
uid                   [ultimate] Haelwenn Monnier (lanodan) 
uid                   [ultimate] Haelwenn [elwenn] (OStatus) 
uid                   [ultimate] Haelwenn[elwenn] Monnier (Friendica;Ostatus;Diaspora) 
ssb   elg4096/0x5FD41C2FFDDC88D7 2016-12-16 [E] [expires: 2018-06-09]
ssb   rsa4096/0x01969693A30C8732 2016-12-16 [S] [expires: 2018-06-09]

sec#  ed25519/0x90D93ACCFEFF61AE 2017-12-11 [C] [expires: 2018-06-09]
      Key fingerprint = DDC9 237C 14CF 6F4D D847  F6B3 90D9 3ACC FEFF 61AE
uid                   [  full  ] Haelwenn Monnier (lanodan; 2nd key) 
ssb>  ed25519/0xD5B7A8E43C997DEE 2017-12-11 [S] [expires: 2018-06-09]
ssb>  cv25519/0x473C9CA78949B492 2017-12-11 [E] [expires: 2018-06-09]
$ gpg --card-status

Version ..........: 2.0
Name of cardholder: Haelwenn Monnier
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://hacktivis.me/key.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: F85B DC63 FD9B 4AF4 4BF6  B812 D5B7 A8E4 3C99 7DEE
      created ....: 2017-12-11 12:36:31
Encryption key....: 2DBA EF5E F602 78FE 28CE  F33B 473C 9CA7 8949 B492
      created ....: 2017-12-11 12:37:04
Authentication key: F85B DC63 FD9B 4AF4 4BF6  B812 D5B7 A8E4 3C99 7DEE
      created ....: 2017-12-11 12:36:31
General key info..: sub  ed25519/0xD5B7A8E43C997DEE 2017-12-11 Haelwenn Monnier (lanodan; 2nd key) 
sec#  ed25519/0x90D93ACCFEFF61AE  created: 2017-12-11  expires: 2018-06-09
ssb>  ed25519/0xD5B7A8E43C997DEE  created: 2017-12-11  expires: 2018-06-09
                                  card-no: FFFE 67082019
ssb>  cv25519/0x473C9CA78949B492  created: 2017-12-11  expires: 2018-06-09
                                  card-no: FFFE 67082019
Also I have moved my previous public key to https://hacktivis.me/oldkey.asc so the current one stays at https://hacktivis.me/key.asc. To verify this, I have detached-signed this file with my old key and my current key.

Lojban×dotsie alphabet

I read about dotsies, which is a way to map a to z to letters of 5 horizontal bits. It felt a bit nice even if way too cybre and not human enough (a bit like our current keyboards are for entities with 10 tentacles and not 2 hands/arms that aren’t parallel on such a space).

But well, I thought about lojban, a logical neutral language. This language only uses 28 non-blankspace characters (abcdefgijklmnoprstuvxyz,.') which makes it fully fit in 5 bits (2^5 = 32 possibilities).

My proposition is:

Having this would make a machine-human-? language work on a machine-human-? writing system. OCR on current human writing is horrible; this would allow more accurate OCR I guess as it’s barcode-like, and well, we could add checksumming as we still haven’t used the whole address space. 4 characters are left if I didn’t screw up the math; we could totally have checksum-start/checksum-end and maybe text-start/text-end.

www-client are broken

So after saying that (it still is), Chrom* became broken too:

Basically I have no web browser anymore… or well no. I have even more web browser installed than when I was doing/learning web development, because I have several whatever around engines.

Anyway let’s put what I need in a web browser:

As of my findings on 2017-07-06, the web browsers (GUI;engine;style/inspiration) that are almost compliant with my needs are, without much sorting/ordering:

Disk identification

Introduction/Why?

So the one for network interfaces is now okay-ish. I took a quick look at how it works for… disks. Most of it was done under Linux, but I know this nightmare under OpenSolaris (I recommend 20% of Solaris knowledge that solves 80% of your needs; but only 8 slices/partitions, non-intuitive, no file hierarchy… why) and Plan9front (a bit better, at least partitions are under a directory).

And as you’re probably using lsblk and/or blkid or even fdisk -l (I use that when I’m on a non-Linux Unix) to identify your disks as a human, I took a quick look, for fun, at disk identifiers… (intended more for machines I guess) and… oh noes.

$ lsblk -oTRAN,NAME,SIZE,FSTYPE,PARTUUID,UUID,WWN
TRAN   NAME        SIZE FSTYPE      PARTUUID                             UUID                                 WWN
usb    sdf           2G
       └─sdf1        2G vfat
usb    sdd       931.5G
       └─sdd1    931.5G ntfs-3g     874ddc9f-01                          FEBC2BA2BC2B5505
sata   sdb         1.8T zfs_member                                       15625953673200575561                 0x11804586289146122240x
sata   sdg       111.8G crypto_LUKS                                      7979cfc6-568f-4b3a-bfc4-301c92316767 0x17202986447841742850x
sata   sdc       189.9G
       ├─sdc2    189.9G crypto_LUKS caadf50b-7419-4379-b34e-6cbdb9fb9e17 86106360-90e8-425e-b37e-33131b23a6b0
       │ └─root1 189.9G zfs_member                                       2052176674175130762
       └─sdc1        2M             d3e52e3c-2c83-48e5-af2f-8c3ce10131aa
sata   sda       189.9G
       ├─sda2      256M             b585598d-8b2c-4db8-b58c-65bfe314d57e
       ├─sda3      248M crypto_LUKS d4d61264-c2c9-4953-8c59-3ac265d986e3 9877c105-252e-4141-97df-358f14daa2a8
       └─sda1    189.4G crypto_LUKS a359857c-49eb-44c0-936c-464c150d20a0 1c578f43-6f16-497c-ba88-986609ffa1d6
         └─root  189.4G
$ blkid
/dev/sda1: UUID="1c578f43-6f16-497c-ba88-986609ffa1d6" TYPE="crypto_LUKS" PARTLABEL="encrypted" PARTUUID="a359857c-49eb-44c0-936c-464c150d20a0"
/dev/sda3: UUID="9877c105-252e-4141-97df-358f14daa2a8" TYPE="crypto_LUKS" PARTLABEL="boot-efi" PARTUUID="d4d61264-c2c9-4953-8c59-3ac265d986e3"
/dev/sdb: LABEL="seagate" UUID="15625953673200575561" UUID_SUB="11105316071247026470" TYPE="zfs_member"
/dev/sdc2: UUID="86106360-90e8-425e-b37e-33131b23a6b0" TYPE="crypto_LUKS" PARTUUID="caadf50b-7419-4379-b34e-6cbdb9fb9e17"
/dev/sdd1: LABEL="TOSHIBA EXT" UUID="FEBC2BA2BC2B5505" TYPE="ntfs" PARTUUID="874ddc9f-01"
/dev/mapper/root: LABEL="zroot" UUID="2052176674175130762" UUID_SUB="12007847542772910046" TYPE="zfs_member"
/dev/sdg: UUID="7979cfc6-568f-4b3a-bfc4-301c92316767" TYPE="crypto_LUKS"
/dev/mapper/root1: LABEL="zroot" UUID="2052176674175130762" UUID_SUB="5697203163307082646" TYPE="zfs_member"
/dev/sda2: PARTLABEL="boot" PARTUUID="b585598d-8b2c-4db8-b58c-65bfe314d57e"
/dev/sdc1: PARTUUID="d3e52e3c-2c83-48e5-af2f-8c3ce10131aa"
/dev/sdf1: SEC_TYPE="msdos" TYPE="vfat"

If you look enough at it… NONE of them work, and wtf is UUID_SUB printing out of nowhere. So as you’re probably not LABEL’ing all your hard-drives because your system sucks… The only thing I found so far that is the least broken under Linux (+(e)udev) is /dev/disk/by-id.
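As an added example (not code from the original post), here is a Python parser for that blkid output. It tallies which identifiers each device carries, checks whether any single identifier is present on every device (none is, which is the point above), and explains the UUID_SUB question: for multi-device filesystems such as ZFS, blkid’s UUID is the pool identifier shared by every member device and UUID_SUB is the per-device GUID, which is why /dev/mapper/root and /dev/mapper/root1 show the same UUID. BLKID_OUTPUT is a constructed copy of the listing above.

```python
"""Parse blkid(8) output and show which identifiers each block device has.

Added example, not part of the original post.  BLKID_OUTPUT is a
constructed copy of the blkid listing shown in the post.
"""
import re
from collections import defaultdict

BLKID_OUTPUT = """\
/dev/sda1: UUID="1c578f43-6f16-497c-ba88-986609ffa1d6" TYPE="crypto_LUKS" PARTLABEL="encrypted" PARTUUID="a359857c-49eb-44c0-936c-464c150d20a0"
/dev/sda3: UUID="9877c105-252e-4141-97df-358f14daa2a8" TYPE="crypto_LUKS" PARTLABEL="boot-efi" PARTUUID="d4d61264-c2c9-4953-8c59-3ac265d986e3"
/dev/sdb: LABEL="seagate" UUID="15625953673200575561" UUID_SUB="11105316071247026470" TYPE="zfs_member"
/dev/sdc2: UUID="86106360-90e8-425e-b37e-33131b23a6b0" TYPE="crypto_LUKS" PARTUUID="caadf50b-7419-4379-b34e-6cbdb9fb9e17"
/dev/sdd1: LABEL="TOSHIBA EXT" UUID="FEBC2BA2BC2B5505" TYPE="ntfs" PARTUUID="874ddc9f-01"
/dev/mapper/root: LABEL="zroot" UUID="2052176674175130762" UUID_SUB="12007847542772910046" TYPE="zfs_member"
/dev/sdg: UUID="7979cfc6-568f-4b3a-bfc4-301c92316767" TYPE="crypto_LUKS"
/dev/mapper/root1: LABEL="zroot" UUID="2052176674175130762" UUID_SUB="5697203163307082646" TYPE="zfs_member"
/dev/sda2: PARTLABEL="boot" PARTUUID="b585598d-8b2c-4db8-b58c-65bfe314d57e"
/dev/sdc1: PARTUUID="d3e52e3c-2c83-48e5-af2f-8c3ce10131aa"
/dev/sdf1: SEC_TYPE="msdos" TYPE="vfat"
"""

# blkid prints KEY="value" pairs; values may contain spaces (LABEL="TOSHIBA EXT").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(text):
    """Return {device: {KEY: value}} from blkid's default output format."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        device, _, attrs = line.partition(": ")
        devices[device] = dict(KV_RE.findall(attrs))
    return devices


def identifier_coverage(devices):
    """How many devices carry each identifier key."""
    counts = defaultdict(int)
    for attrs in devices.values():
        for key in attrs:
            counts[key] += 1
    return dict(counts)


def universal_identifiers(devices):
    """Keys present on every device, i.e. what a machine could rely on."""
    common = None
    for attrs in devices.values():
        common = set(attrs) if common is None else common & set(attrs)
    return sorted(common or [])


def duplicate_uuids(devices):
    """UUID values shared by several devices.  For multi-device
    filesystems (ZFS here) UUID names the pool and UUID_SUB names the
    member device, so two members legitimately share a UUID."""
    by_uuid = defaultdict(list)
    for device, attrs in devices.items():
        if "UUID" in attrs:
            by_uuid[attrs["UUID"]].append(device)
    return {uuid: sorted(devs) for uuid, devs in by_uuid.items() if len(devs) > 1}


if __name__ == "__main__":
    devs = parse_blkid(BLKID_OUTPUT)
    print("devices:", len(devs))
    print("coverage:", identifier_coverage(devs))
    print("present on every device:", universal_identifiers(devs) or "nothing")
    print("shared UUIDs:", duplicate_uuids(devs))
```

On the listing above this finds 11 devices, UUID on only 8 of them, PARTUUID on 6, no key at all on every device, and the single shared UUID belonging to the two zroot members.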

Proposition

So, a quick list of things that are nice/work:

Here is an example of a file hierarchy of my idea, based on that:

Known things

Also, I think findfs(8) should be extended to accept at least the disk ID.

Note: Turns out Haiku uses almost exactly my idea, I think I can make mine compatible with it (because I think that can be how good standards are made)
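The check a practitioner wants before relying on /dev/disk/by-id is "which by-id names point at this device, and which one is the stable one". The following is an added example, not code from the original post: the by-id directory is a parameter so the functions can be exercised against a constructed tree, and the preference order wwn- > nvme- > ata- > scsi- is this example's choice, not something the post states.

```shell
# Added example, not part of the original post: map a block device to the
# /dev/disk/by-id symlinks that point at it, and pick one stable name for
# it. The by-id directory is a parameter (default: the real /dev/disk/by-id)
# so the functions can be run against a constructed tree.

# by_id_names DEVICE [BY_ID_DIR]
# Prints every symlink in BY_ID_DIR whose target resolves to DEVICE, one per
# line. Returns 1 when none does (e.g. a device udev could not identify).
by_id_names() {
    dev=$1
    dir=${2:-/dev/disk/by-id}
    target=$(readlink -f -- "$dev") || return 1
    found=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        if [ "$(readlink -f -- "$link")" = "$target" ]; then
            printf '%s\n' "${link##*/}"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# preferred_id DEVICE [BY_ID_DIR]
# Picks the most stable by-id name (this example's order, not the post's):
# the WWN is assigned by the drive vendor and survives controller and bus
# changes, whereas ata-/scsi- names embed the transport and change when the
# same disk is moved behind a different kind of controller.
preferred_id() {
    names=$(by_id_names "$1" "$2") || return 1
    for prefix in wwn- nvme- ata- scsi-; do
        match=$(printf '%s\n' "$names" | grep "^$prefix" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    printf '%s\n' "$names" | head -n 1
}

# Usage on a real system (this file only defines the functions):
#   preferred_id /dev/sda      -> the wwn-… name if the disk has one
#   by_id_names  /dev/sda1     -> the *-part1 names of that partition
```

Partitions get the same names with a `-partN` suffix, so the output of `preferred_id` is what to put in fstab, crypttab or a zpool create line instead of /dev/sdX.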

Gitter sucks

Yeah, very imaginative title… But well, here is why Gitter just sucks compared to every other chat system I have seen:

I’m really glad I’m more of a sysadmin/netadmin than a developer… at least it doesn’t try to please my kind. Seriously, with all this DevOps shit, don’t make it even harder for cypherpunks/privacy-nerds.

ed

You may have noticed, if you’re following me on @lanodan@pouet.it, that I’m posting quite a few honest posts about the goodness of ed, so let me say why I sometimes prefer ed.

Note: From ed, with love; also, I’m not trolling here, apart from the "standard editor" part.

My git server setup

So after having problems with gitlab.com (not being able to push to your own repository, for example), I decided to have a very simple git setup, inspired by git.linkmauve.fr. I put all my git repos into /git.

started with just nginx and ssh

This one is dead-simple once you know the trick: put git update-server-info into hooks/post-update or hooks/post-receive of your git repo (it has to be a bare repo, created with --bare). That command regenerates info/refs and objects/info/packs, which is all nginx needs to serve the repository read-only over git’s dumb HTTP protocol, while pushes go over ssh.

Added git-daemon

That one was even simpler: just point it at where the git repositories are stored (git daemon --base-path=/git). Note that git-daemon only exports repositories containing a git-daemon-export-ok file unless you pass --export-all, and that the git:// protocol is unauthenticated and unencrypted, so it is for public read-only access only.

Wanted a better interface

While searching for alternatives to GNU I saw stagit, a static git page generator (I don’t like CGI, especially when it could have access to my git repos). To use it I added these lines to the post-update hook:

repo=$(pwd)                  # the bare repo the hook runs in, e.g. /git/blog.git
out=${repo%.git}             # stagit writes into the cwd, so /git/blog
mkdir -p "$out"
cd "$out" && stagit -c "$repo.cache" "$repo"
cd /git && stagit-index *.git > /git/index.html

Garbage Collector

It’s not like my repos were getting big; git is supposed to do that itself (git gc --auto, which only repacks once its own thresholds are crossed) but it seems like it doesn’t, so I’m running git gc in the hook each time, which isn’t very optimised.

Final Hook code (deploy, stagit, …)

This can be seen in my /git/utils repo, in the git-hooks folder.

Also the blog is a symlink to /git/blog.work which are the raw files done by that hook.
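Putting the steps of this post together, here is one complete post-update hook. It is an added example, not the hook from the /git/utils repo: the /git layout, the "$repo.cache" file and the stagit invocations are the ones the post shows, while the GIT_ROOT override and the path check in repo_outdir are this example's additions.

```shell
#!/bin/sh
# Added example, not the hook from the post's /git/utils repo: a complete
# hooks/post-update for a bare repository under /git that chains the steps
# the post describes (update-server-info so nginx can serve the dumb HTTP
# protocol, stagit page generation, index regeneration, gc). GIT_ROOT as an
# override and the path check are this example's additions.
GIT_ROOT=${GIT_ROOT:-/git}

# repo_outdir /git/blog.git -> /git/blog  (the directory stagit writes into)
# Only accepts a *.git directory placed directly under GIT_ROOT, so a hook
# copied into a repository elsewhere, or a path containing "..", cannot make
# stagit write outside the published tree.
repo_outdir() {
    repo=$1
    case $repo in
        "$GIT_ROOT"/*.git) ;;
        *) return 1 ;;
    esac
    rel=${repo#"$GIT_ROOT"/}
    case $rel in
        */*) return 1 ;;
    esac
    printf '%s\n' "${repo%.git}"
}

# Regenerate the static pages of one repository.
regen_repo() {
    repo=$1
    out=$(repo_outdir "$repo") || {
        echo "post-update: refusing to publish $repo" >&2
        return 1
    }
    mkdir -p "$out"
    ( cd "$out" && stagit -c "$repo.cache" "$repo" )
}

# Rebuild the front page listing every repository.
regen_index() {
    ( cd "$GIT_ROOT" && stagit-index *.git > "$GIT_ROOT/index.html" )
}

hook_main() {
    repo=$(pwd -P)           # git runs the hooks of a bare repo inside it
    git update-server-info   # refresh info/refs and objects/info/packs for dumb HTTP
    git gc --auto --quiet    # repack only once git's own thresholds are crossed
    regen_repo "$repo"
    regen_index
}

# Only act when installed as a hook; sourcing the file just defines functions.
case $0 in
    */hooks/post-update|*/hooks/post-receive) hook_main ;;
esac
```

Install it as /git/NAME.git/hooks/post-update and make it executable; git runs it after every push over ssh.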

USA asking social-network password

TL;DR: it’s stupid, it’s often the worst “I have nothing to hide” thing, and a (dis-)united state wants to do it. A password is meant to be hidden, even/especially from governments.

Other questions

What is a social network? Is it anything that allows humans to communicate, or something more specific like Twitter or Facebook?

How can they verify that you gave all your social accounts, and not a fake account created just for that (like a recycled _ebook bot)?

Fighting Harassment

After reading this post (in French), I noticed that these new techniques are basically the same as those used for fighting spam years ago, and there the definition of spam by [Pirate Bay Member] makes even more sense. Basically spam got defined as “unwanted messages”, which is true for most commercial messages and for harassment.

And so I think we can actually reuse anti-spam software/code to make it more diverse and able to block not only commercial/weird messages but all unwanted messages.

I’ll code something I can use for most of my messaging software, as I also receive unwanted messages that aren’t flagged as traditional spam.

Type of programs and example that can be useful for inspiration: Requirements for the code:

Also I think accounts like @SaferBlueBird are mostly bad because they are managed by few people and actually censor things they don’t want; it’s also totalitarist/oligarchist, as only one/few people are needed to start the storm of reports. I follow it because at the moment it’s the best solution we have…

Warning: It’s a concept, usable software might not exist at the end; feel free to contact me if you want to participate in it (even if you don’t know how to code, everyone can be useful).

30 Ways of Pride Challenge

It’s based on the 30 Days of Pride Challenge. I like the concept but I’m too lazy to keep it up for 30 days, so instead I answer 30 questions, and as it’s originally for 30 days it’ll be updated live. (Yay, more edits in prod’)

  1. Share your name, age, and identity. Share a picture of yourself.

    Haelwenn (lanodan) Monnier, currently 18 years old. And I currently define myself as a nerdy non-binary/Quantuum aromantic pan-demisexual. And I won’t share a picture of my face, but my anti-face!

    Picture of my back, showing my long hair while wearing a black hoodie

  2. How old were you when you first discovered you were LGBTQ?

    Wow, too far back in time; I can’t really remember when, but I think I self-identified as not really a boy when I was 5. Identification as queer came way later (I think age 12~14) but I have a very bad memory for time (I think it’s because I don’t care which year/month/day/hour it is unless I have to wait / be on time).

  3. Who was your first (real-life AFK) crush?

    Uuuh… *tries to define to theyself what a crush is* Well, probably none; if it’s AFK and real-life I forgot the nickname. I’m aromantic, seriously, I’d better pass on this question.

  4. Who was your first celebrity crush?

    NOPE! (I can’t even really be a fan, so no crush on a celebrity)

  5. Are you out? How did you come out?

    I’m out with my friends and other open-minded people. I’m not out with my family, but I give them clues and I’m not really closed, except to a few of them whose potential reaction I don’t know enough about (I’m a nerd, remember).

    I’m also out online since 2 or 3 years, but I was mostly open anyway.

  6. Who was the first person you came out to?

    Uuh, well I can’t remember who it was online, probably on an IRC chatroom or to my ex on LINE®/Skype (when it wasn’t owned by MS)/IRC. But AFK it was probably my friends, who were very supportive (and already had queer friends ;3), and a few days later the whole class, because I misgendered my ex because of stress. (I was so sorry for doing it)

  7. Share something about your family.

    Uuuh… well I don’t want to; they’re very nice but I can’t stay with people for a long time and have issues talking to them, because it’s not like I can redo things, and asociability doesn’t help. (Which probably explains why I haven’t come out to them)

  8. Who is your greatest supporter?

    I don’t really know, but it’s one of my friends or my dad, even if I haven’t come out to him and can’t talk about it; and seriously, the net is sometimes very great.

  9. Do you identify with a certain ‘tribe’? Which one?

    Uuh, the weirdos? The Queers? The whatever-people who aren’t in a tribe but fit in about half of them and none of them? « Les seuls en groupe » (the lone/only/asocial ones in a group).

  10. What’s the most influential LGBTQ event you’ve attended?

    The 2015 pride of Rennes, all the classes where I learned and taught others (Freinet high school ;3) about ABGILPQT+, … I don’t know. I think the classes were the most effective because there were few outed queers.

  11. When was the first time you fell in love? Who was it with?

    What is love? Baby don’t hurt me… no more

  12. Name your favorite fictional LGBTQ character.

    That moment when you try to force yourself not to be totally shameless and name your own characters. XD Jocelyn Samara

    Oh noes… Uh, for the sake of "Safe For Work" I’d say: Rain’s LGBT characters (especially Rain and Ky’), El Goonish Shive’s main characters, Steven Universe, …

    But seriously, if I find a nerdy genderqueer character there’s a very high chance it would be my all-time favorite (Tyrell and his boyfriend in Mr. Robot are nice and have huge potential, and anyway this series is awesome). Lisbeth Salander from Millennium is one of them, but I really want to read the 3 books to avoid “examining” the nerdy part of it.

Entire Disk Encryption with LUKS and ZFS

Note: this is done from my current system, notes and my mind.

This tutorial is for people who already know how to install Gentoo. By Entire Disk Encryption I mean that even /boot is encrypted; GRUB itself is not (its core image sits unencrypted and unauthenticated on the disk, so this protects confidentiality of the data at rest, not against someone tampering with the bootloader). Fixing that would need UEFI, which is too hard and risky to set up, and I don’t have hardware compatible with coreboot.

Setup the disk

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda
cryptsetup luksOpen /dev/sda cryptrpool

zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool
zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT

zfs create -o mountpoint=/ rpool/ROOT/default

zfs create -o mountpoint=/home rpool/HOME
zfs create -o mountpoint=/root rpool/HOME/root
zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn

zfs create -o mountpoint=none rpool/GENTOO
zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles
zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages

Three caveats for anyone redoing this on a newer system. The cryptsetup of that time wrote LUKS1 headers, which is what GRUB’s cryptomount reads; cryptsetup 2.1 and later default to LUKS2, which GRUB only opens since 2.06 and only for keyslots using pbkdf2, so pass --type luks1 (or --pbkdf pbkdf2) for any container GRUB has to unlock. GRUB’s zfs module likewise understands only a subset of pool feature flags; OpenZFS 2.1 and later let you pin that subset with zpool create -o compatibility=grub2. Finally, the grub.cfg below unlocks the UUID of a partition, not of a bare disk: putting the container directly on /dev/sda leaves no partition table and nowhere for grub-install to embed core.img, so in practice the LUKS container goes on a GPT partition, with a small BIOS boot partition next to it for GRUB.

Configuring

USE flags:

sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup

Now emerge sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel. You can also replace genkernel with dracut.

Configuring ZFS for boot-up:

rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed

initramfs (genkernel)

sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf
sed -i 's/.*ZFS=.*/ZFS="yes"/' /etc/genkernel.conf
sed -i 's/.*DISKLABEL=.*/DISKLABEL="yes"/' /etc/genkernel.conf
genkernel --luks --zfs --disklabel initramfs

GRUB

As grub-mkconfig is a piece of crap which produces unreadable config, I write it myself. Here it is:

#/boot/grub/grub.cfg
insmod part_gpt
insmod cryptodisk
insmod luks
# gcry_rijndael is AES (for aes-xts-plain64), gcry_sha512 matches --hash sha512
insmod gcry_rijndael
insmod gcry_sha512
insmod zfs

# UUID of the LUKS container: the blkid UUID=, not PARTUUID=.
# grub-mkconfig writes it without dashes (1c578f436f16497cba88986609ffa1d6)
# and GRUB releases before 2.06 only match that dashless form.
cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
set root=(crypto0)
# GRUB ZFS path syntax: /dataset/@/path-inside-the-dataset
set prefix=(crypto0)/ROOT/default/@/boot/grub

insmod gzio

menuentry 'Gentoo Hardened 4.4.2' {
	# crypt_root= and dozfs are genkernel parameters, rd.luks.uuid= is the
	# dracut equivalent; passing both lets either initramfs find the pool
	linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs
	initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened
}

And that should be all !
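Before writing a grub.cfg like the one above, two things are worth checking: whether GRUB can open the LUKS header at all (LUKS1, or LUKS2 with pbkdf2 keyslots only), and the form of the UUID for cryptomount -u. The following is an added example, not part of the original post: luks_dump_ok parses the output of cryptsetup luksDump read from stdin, and the sample dumps are constructed for this example (abridged to the lines the check looks at).

```shell
# Added example, not from the original post: pre-flight checks for a LUKS
# container that GRUB has to unlock. Sample dumps below are constructed.

# grub_uuid UUID: strip the dashes. grub-mkconfig writes cryptomount -u in
# this form and GRUB releases before 2.06 only match it.
grub_uuid() {
    printf '%s\n' "$1" | tr -d '-'
}

# cryptomount_line UUID: the grub.cfg line in the form every GRUB accepts.
cryptomount_line() {
    printf 'cryptomount -u %s\n' "$(grub_uuid "$1")"
}

# luks_dump_ok < output-of-"cryptsetup luksDump DEVICE"
# Returns 0 if GRUB can open the header: LUKS1, or LUKS2 whose keyslots all
# use pbkdf2 (GRUB >= 2.06 only). Returns 1 and prints why otherwise.
luks_dump_ok() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | awk '$1 == "Version:" { print $2; exit }')
    case $version in
        1)
            echo "ok: LUKS1 header, readable by any GRUB with cryptodisk"
            return 0 ;;
        2)
            bad=$(printf '%s\n' "$dump" \
                  | awk '$1 == "PBKDF:" && $2 != "pbkdf2" { print $2 }' | sort -u)
            if [ -n "$bad" ]; then
                echo "no: LUKS2 keyslot uses $(printf '%s' "$bad" | tr '\n' ' ')" \
                     "and GRUB only opens pbkdf2 keyslots" \
                     "(convert with: cryptsetup luksConvertKey DEVICE --pbkdf pbkdf2)"
                return 1
            fi
            echo "ok: LUKS2 header with pbkdf2 keyslots, needs GRUB >= 2.06"
            return 0 ;;
        *)
            echo "no: could not find a LUKS version in the dump"
            return 1 ;;
    esac
}

# Constructed sample dumps, abridged. The first mirrors the luksFormat
# options used in the post (aes-xts-plain64, sha512) on a LUKS1 header.
SAMPLE_LUKS1='LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
UUID:           1c578f43-6f16-497c-ba88-986609ffa1d6'

SAMPLE_LUKS2_ARGON='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id'

SAMPLE_LUKS2_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2'

# On a real system:
#   cryptsetup luksDump /dev/sda1 | luks_dump_ok && cryptomount_line "$(blkid -s UUID -o value /dev/sda1)"
```

The check is deliberately conservative: a LUKS2 header with even one argon2 keyslot is rejected, because GRUB cannot use that slot and will fail to unlock if it is the only one holding your passphrase.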

I fucking hate RULES

Tagged by Toot6

Rules

  1. Choose 13 people
  2. Tag-backs are allowed
  3. You have to post All the Rules
  4. You Can’t say you don’t do tags
  5. You have to legitimately tag 13 people
  6. Be creative with the title.No titles like: “I got tagged”
  7. Each person has to share 13 things about themselves
  8. You must make a journal entry. No comments... Unless you’re talking about the entry I HATE YOU
  9. Answer 13 questions asked to you and invent 13 questions the people you tag will have to answer
  10. You have to finish within a week.If you don’t finish in time, you have to do what-ever the creator tells you

Facts about myself

  1. I’m a librist
  2. I hate rules
  3. I’m queer
  4. I’m breton
  5. I mostly eat pasta, noodles and rice
  6. I don’t like hierarchy
  7. I didn’t forget a whole part of this
  8. I love to use retro/deprecated but still awesome things (floppy disks and IDE mwhahaha)
  9. I hate obsolescence (corrected by using Free Software anyway ;3)
  10. When I say free software I think about BSD and not GNU
  11. Being a Metalhead used to be my cloak as a queer; I’m now out and still a metalhead
  12. I don’t like talking so sometimes I make sounds instead
  13. I’m done with that

Q&A

  1. Favourite band/musician ?

    Vladimir Bozar

  2. Play video games much ? If yes, what's your favourite game/franchise ?

    Not that much… but I love .hack project

  3. Would you kiss a dragon ?

    uh… yeah

  4. Do you have any pets ? Can I pet them

    Nope

  5. If you could have a superpower, which would it be ?

    Time travel

  6. If you could go into another world or universe, which would you wanna go to ?

    still My Little Pony (without transphobia) I guess or maybe No Game/Hack/Source, No Life

  7. Do you play Monster Hunter ? Do you play Smash ? Wanna have a go ?

    Nope. Maybe for fun

  8. What's the best advice you can give regarding art ?

    Use all the tools you have in every way you can think of

  9. What's your favourite movie monster/creature ? Why ?

    Currently Sadako, because she is an esper/magician and lived 30 years in a well, but is still alive in emotional form in electronics and people

  10. Doth thou even hoist ?

    Yes, I have musl installed on my server ;P

  11. Are you a dirty yiffer ?

    Dirty -> yes, yiffer -> not tested yet

  12. What are your favourite songs for relaxing ?

    Dark ambient

  13. Aliens ? Discuss

    They can transform you into a magical girl and grant one wish but it cost your life… meh. I prefer the genius of Aladin. :P

Question for tagged peers

  1. What is your name?
  2. Where do you live?
  3. What is your favorite color?
  4. What is a spallow?
  5. Where is SPARTA‽
  6. Do you like waffles?
  7. What are your favorite styles of fine arts(drawings, painting)
  8. What are your favorite styles of music
  9. What are your favorite styles of literature
  10. What are your favorite styles of films
  11. What’s your favorite animal?
  12. What’s your favorite character?
  13. Do you think I’m a lazy shit?

Mozilla is Broken

I’m quitting Mozilla. Not that I have really been into the community (mostly because they want me to do one thing; apply this to programs, not humans), but I had been using and enjoying it for a long time (since about 2008). Also, around 2014 I switched from Thunderbird to mutt because I wanted something simple that does GPG; it was a hard switch but I love it. And now it seems like Mozilla has been killing Firefox for years:

And there is potentially way more shit (just look at the old but still open tickets).

Current solution: none, all browsers suck and none sucks less, so I’m changing web browser every day. See:

BTW, if everyone has to use an LTS/ESR/real-stable version of a browser, even actual developers… then why is the Developer Edition based on Nightly? For badly supported things like H.264? gstreamer works (and can be an interface to ffmpeg). For brand new stuff? Well, most web-smiths have to support old browsers like IE6 or IE7. For marketing, because “we are the browser with tons of features”? I think so. I think Netscape made the same mistake in the browser war; why change things?

Apparently since about mid/late 2016 Mozilla Firefox is now better in Nightly than in ESR. Whatever, it’s still broken for me.

Lennart Poettering merged “su” command replacement into systemd: Test Drive on Fedora Rawhide

“Original” Article

Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (`uid`, `gid`, `env`, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (`tty`, `cgroup`, `audit`, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters.

Pretty clear: it asks for the root (or specified user’s) password and launches a shell. If -, -l or --login is given, it starts a fresh login environment before starting the shell.

To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes `XDG_RUNTIME_DIR`, specifically because `XDG_RUNTIME_DIR` is actually bound to the `session/audit` runtime and those we do not transition. Instead we simply unset it.

Ah, of course desktop crap in the userland… And crappy explanation, maybe you should patent and copyreich that in case. ᕕ(ᐛ)ᕗ

$ cat /etc/os-release
NAME=Fedora
VERSION="24 (Workstation Edition)"
ID=fedora
VERSION_ID=24
PRETTY_NAME="Fedora 24 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:24"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=Rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=Rawhide
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Workstation Edition"
VARIANT_ID=workstation

$ systemctl --version
systemd 225
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

Okay, here’s the same shit from a non-voided system. Let’s share. ;D

% cat /etc/os-release
ID=gentoo
PRETTY_NAME="Gentoo/Linux"
ANSI_COLOR="1;32"
HOME_URL="http://www.gentoo.org/"
SUPPORT_URL="http://www.gentoo.org/main/en/support.xml"
BUG_REPORT_URL="https://bugs.gentoo.org/"
% rc --version
rc (OpenRC) 0.17 (Gentoo Linux)

Anyway, let’s continue

$ machinectl shell
Connected to the local host. Press ^] three times within 1s to exit session.

Okay, an even worse binding than Escape-Meta-Alt-Control-Shift (EMACS); fuck stty eof (^D), fuck POSIX, fuck quick and intuitive commands (“shell” for login, hell yeah). Yes, rude mode is activated.

It works! We can work as superuser. And that isn't the end: we can also set the shell and the host:

$ machinectl shell root@.host /bin/bash

Wait… is ssh crap too? Why is there a dot before the host (maybe fuck localhost too…)?

Login as a non-root user and set a variable of the shell environment:

# 1000 - UID of user `paul`
# SYSTEMD_TEST - test variable of user environment
$ machinectl shell --uid 1000 --setenv="SYSTEMD_TEST=777"

’Kay, so that’s just starting another $SHELL with an export VAR=VALUE too?

$ sudo systemd-run -p CPUQuota=50% -p PAMName=login -t /bin/bash -c '/usr/bin/stress -c 4'

Ah! So after saying cgroups are awesome… you go with a quota on the CPU… well, maybe that’s called evolution…? Why are you using login, did you create machinectl for nothing? Why are you using -p options as a replacement for args… o_O
Well, this command is full of fuck (not the very great program which, among other things, uses… sudo with the last command :D).

I wonder when you will eat Emacs (meta-OS) and build your own kernel, because fuck UNIX, so we can 🖖 “live long and prosper” with (GNU/)Linux and BSD, and you with SystemDOS.