* Posts by Dazed and Confused

2393 publicly visible posts • joined 12 Sep 2007

Windows 11 continues slog up the Windows 10 mountain

Dazed and Confused

Re: Not all HW W11 compatible

> "W10 needed UEFI and so BIOS based PCs were stuck"

I haven't found this to be the case. W10 works fine on my PCs without UEFI enabled.

That's what I said: it needed UEFI, and then, in order to move older machines to W10, they changed things so that it would run on legacy BIOS boxes without secure boot.

Dazed and Confused

Not all HW W11 compatible

I'm not sure where MS managed to come up with a figure of 88% of systems out there being W11 compatible. Perhaps they carefully chose sites that regularly update their systems.

Many organisations don't. Where I am we have a mix of systems where some are ready for 11 and some aren't, even when the desktop boxes are what the vendor describes as being the same "generation" of machine. If we update the systems which are W11-ready, it means that the behaviour of systems varies from one machine to another, and that is not a tenable situation.

So the plan is to stay on W10 for as long as possible.

Only when all systems have reached their natural end of life will the HW be replaced.

When MS tried to strong-arm everyone from W7 to W10 there was a similar situation: W10 needed UEFI and so BIOS-based PCs were stuck. MS were sufficiently keen to get people to W10 that they relented and allowed the OS to work on the older boxes.

If MS are keen to see us move to W11 they'll have to do the same thing again.

Alternatively, if they really want, they can buy us a whole load of new PCs, but we don't intend to.

Microsoft's Patch Tuesday borks dual-boot Linux-Windows PCs

Dazed and Confused

Re: We Fixed the Problem Which is Important to Us

The Linux community could do with getting manufacturers to include another key apart from the Microsoft ones so that there are alternative CAs for secure boot; there is no inherent reason for MS to be the only one.

HP/HPE include SUSE in the factory default secure boot keystore.

They include their own key as the main "Platform Key".

[daz@test1 ~]$ sudo mokutil --pk | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 PK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[daz@test1 ~]$

They then provide their own key and the keys from MS & SUSE as "Key Exchange Keys".

[daz@test1 ~]$ sudo mokutil --kek | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 KEK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[key 2]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011

[key 3]

Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de

[daz@test1 ~]$

Then in the main key database there are the two MS keys, the Windows one and the one they use for other OSs, and two VMware keys.

[daz@test1 ~]$ sudo mokutil --db | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 DB Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[key 2]

Subject: O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key

[key 3]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011

[key 4]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011

[key 5]

Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de

[key 6]

Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.

[key 7]

Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing

[daz@test1 ~]$

I'd much rather see someone like SUSE acting as the CA for Linux secure boot keys.
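As an added illustration of what the three listings above tell you (example code written for this page, not from the post and not part of mokutil): parse the `[key N]` / `Subject:` text that `mokutil --pk`, `--kek` and `--db` print, and summarise which organisations can sign boot components (db) and which hold a KEK that can update the db. The sample listings are constructed from the post's output; `can_chainload` is a subject-name match on the listing, not signature verification.

```python
import re
import subprocess

# Constructed samples in the "[key N]" / "Subject:" layout that mokutil prints,
# mirroring the HPE listing in the post (db shortened to four entries).
SAMPLE_PK = """\
[key 1]
  Subject: CN=HPE UEFI Secure Boot 2016 PK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
"""
SAMPLE_KEK = """\
[key 1]
  Subject: CN=HPE UEFI Secure Boot 2016 KEK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[key 2]
  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 3]
  Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
"""
SAMPLE_DB = """\
[key 1]
  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 3]
  Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
[key 4]
  Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
"""

def parse_subjects(text):
    """Return every 'Subject:' value in a mokutil listing, in order."""
    return [m.group(1).strip() for m in re.finditer(r"^\s*Subject:\s*(.+)$", text, re.M)]

def parse_dn(subject):
    """Split a comma-separated DN into {attr: value}. A piece without '=' is a
    value that itself contained ', ' (e.g. 'O=VMware, Inc.'), so glue it back."""
    dn, last = {}, None
    for piece in subject.split(", "):
        if "=" in piece:
            last, _, value = piece.partition("=")
            dn[last] = value
        elif last is not None:
            dn[last] += ", " + piece
    return dn

def orgs_in(text):
    """Organisations (O=) holding at least one key in the listing."""
    return sorted({parse_dn(s).get("O", "?") for s in parse_subjects(text)})

def trust_report(pk_text, kek_text, db_text):
    """Who owns the platform (PK), who can update the db (KEK holders) and
    whose signatures the firmware will accept at boot (db)."""
    pk = [parse_dn(s) for s in parse_subjects(pk_text)]
    report = {
        "platform_owner": pk[0].get("O") if pk else None,
        "db_updaters": orgs_in(kek_text),
        "boot_signers": orgs_in(db_text),
    }
    report["non_microsoft_updaters"] = [
        o for o in report["db_updaters"] if o != "Microsoft Corporation"]
    return report

def can_chainload(signer_cn, db_text):
    """Would a component signed under `signer_cn` be accepted by this db?
    This matches the certificate subject only; the firmware verifies the
    actual signature and also consults dbx, which mokutil --dbx lists."""
    return any(parse_dn(s).get("CN") == signer_cn for s in parse_subjects(db_text))

def live_report():
    """Same report from the running machine using the flags the post uses
    (reading the EFI variables needs root, hence the sudo in the post)."""
    def store(flag):
        return subprocess.run(["mokutil", flag], capture_output=True,
                              text=True, check=True).stdout
    return trust_report(store("--pk"), store("--kek"), store("--db"))

if __name__ == "__main__":
    print(trust_report(SAMPLE_PK, SAMPLE_KEK, SAMPLE_DB))
```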

What can be done to protect open source devs from next xz backdoor drama?

Dazed and Confused

Re: necessary to hand assemble a proc structure

I had said "Unix kernels"; for reference see the McKusick book on 4.4BSD, page 504.

I can't share the code I have in front of me; it's from a proprietary version of Unix.

As for the Linux kernel, I don't know my way around the code that well, but in the Linux kernel there is an init_task of type struct task and this has

init_task.pid set to 0

init_task.comm set to "swapper"

just like the legacy Unix kernels, only there it's a proc structure.

Take a look at init/init_task.c

But this wasn't my comment about naivety, where I was referring to earlier versions of systemd assuming that device enumeration starts at 1 when some systems start at 0. Please don't get me started on systems which don't start at either zero or one.

Dazed and Confused

Re: I was thinking about the assumption in earlier versions that computers start counting from 1.

> Don’t understand what you mean. Linux PIDs, for example, start from 1, there being no PID 0.

I thought we'd been discussing device enumeration, so what do PIDs have to do with it?

As for PID 0, Unix kernels used to have a PID 0, the argument going that it is necessary to hand assemble a proc structure before you can run fork to create others. They'd make PID 0 then they could fork & exec init so that it would work like any normal userland process. As others have pointed out, Linux uses 0 as a PPID.

Dazed and Confused

Re: developers are very naive about a lot of the areas

I was thinking about the assumption in earlier versions that computers start counting from 1.

Dazed and Confused

Re: developers are very naive about a lot of the areas

For example where they need to interact with system firmware environments and have assumed how enumeration is likely to be implemented. It's improved over the years, but they'd clearly not researched the field widely enough. But then why would the designers of a service manager be experts in such things as ACPI?

Dazed and Confused

Re: if systemd is so bad why is everyone using it?

> The ones complaining are, shall we say, most charitably described as “armchair programmers”.

These days I'm definitely an armchair programmer. But there have been times when I've ended up delving into the systemd code; let's be charitable here, let's just say that the developers are very naive about a lot of the areas they've ended up dabbling in.

I don't have an issue with having a single service manager rather than several different ones.

Personally I don't like binary config files or log files, but that's a small matter. I'd prefer to do a lot of these things from scripts, but again - not a major issue.

Perhaps if the developers of systemd had followed the normal Unix/Linux guideline of "do one thing and do it well" then they wouldn't keep having all the issues they have got. But rather than following decades of good practice they've branched out in all sorts of different directions, and no one can be an expert at everything. So they've coded up areas where they don't have enough real world experience and have just said, hey, this works on my laptop so it must be fine.

They've also not followed good practice with compartmentalizing things, and this leads to potentially opening the system up to security weakness unnecessarily; more experienced developers probably wouldn't have made the same design mistakes.

In this case we have an issue that a distribution is trusting systemd and is therefore including it into other bits of SW and since systemd has a huge number of dependencies its inclusion is exposing other code to weakness far away from the core of the application.

A path out of bloat: A Linux built for VMs

Dazed and Confused

Re: The really clever thing about IBM mainframe VM/CMS was...

> Do any x86/*nix virtualisation solutions use shared read-only boot disks?

When I have multiple VMs running the same OS I use a shared backing store image with a COW R/W layer on top; this means you get instant deploys. This is on KVM/QEMU. Works really well, seems very cache efficient on the host, so the performance is good. The KSM stuff then seems to de-dupe the memory pretty well, so we end up using a lot less RAM than we'd initially estimated.

Want to feel old? Ethernet just celebrated its 50th birthday

Dazed and Confused

Re: Commodore Pet

Gosh, that awoke some long dormant grey cells. Most of my early programming was on HP85s which used IEEE-488 (HP-IB) and I wrote SW to let them communicate together via an HP-IB interface.

Shame I can't remember why, or any other details.

Rocky Linux claims to have found 'path forward' from CentOS source purge

Dazed and Confused

Re: It is a violation, please read

Alma's latest statement can be found at

https://almalinux.org/blog/our-value-is-our-values/

Dazed and Confused

Re: It is a violation, please read

I know Rocky Linux has stated they have figured out "their path".... they just didn't give any detail about that.... but I figured Red Hat may have reached out (??) to discuss the "new path" if the old path is now restricted.

They have now, see https://rockylinux.org/news/keeping-open-source-open/

Inclusive Naming Initiative limps towards release of dangerous digital dictionary

Dazed and Confused

Re: And by "solving" a non-problem ...

> I've yet to hear of, say, a black USAmerican, whose ancestors were subjected to actual slavery, taking offence at the technical usage of the words. As others have written, context is everything.

Well that might be your experience, but I frequently run training classes for students from the southern states in the USofA and I've found this has changed over the last few years. Most of the people I'm training are not young; they often have 20-30 years experience in their jobs, and the terms master and slave now raise hackles. One of the places where the terminology came up was with BIND. The posting on their choice to switch over to primary and secondary on their mailing list makes a sensible case for the switch. Personally I find the terms primary and secondary for the functionality to be a better description of what is going on.

Red Hat releases RHEL 9.2 to customers, with buffet of rebuilds for the rest of us

Dazed and Confused

& 8.8 too

RHEL 8.8 has come out this week too, I know, Alma told me their 8.8 clone was ready for download.

Microsoft's Lennart Poettering proposes tightening up Linux boot process

Dazed and Confused

Re: *I* propose ...

> Lennart Poettering proposes tightening up Linux boot process ...

Given Lennart Poettering's history when it comes to security he's hardly a good one to lecture us, is he? This is the man who invented systemd and moved us from the classic init model with a tiny attack surface to the monster systemd with a massive attack surface. He's clearly never heard of "least privileges"; he's clearly never heard of modularization or he'd never have included network functions into the orphan catcher. Let us remind ourselves that PID 1 is so critical that if you can kill it the kernel dies! Systemd is much bigger than a classic init and therefore will contain a lot more potential bugs and possible ways of dying.

I know he's now departed from RH, but has he forgotten everything he ever knew about RHEL? You need to be able to build your own initrd files. Just look at how many config files are on there and are acted upon before we perform the pivot to the "real" root disk. You want to set load time options on drivers (I know drivers should use SYSFS and udev for tuneables, but they don't all do it and some are a pain to implement that way)? Then you need to write a modprobe.d/*.conf file, and you then need to get that onto your initrd, as the driver is loaded from there and not from the real root. Even the bloody hostname is read from the initrd; look at your log file in the first week after boot, FFS!

Then there is the issue that system vendors often provide "tweaked" versions of drivers. For example HPE have drivers on the SPP; for RHEL8 these are digitally signed, but not by MS: they're signed by HPE, and since they produced the FW they've loaded their own secure boot public keys into the FW's keystore. BTW they've also loaded the SUSE public keys, not just the MS ones.

Since these drivers are signed for secure boot there is no problem with using them with secure boot enabled.

NASA builds for keeps: Voyager mission still going after 45 years

Dazed and Confused

Re: Technology Perspective

> Although I don't think the Golden Record can be beat.

By the time an alien civilization finds the golden disk it will probably be a bit too late to ask for more Chuck Berry.

Cars in driver-assist mode hit a third of cyclists, all oncoming cars in tests

Dazed and Confused

Re: So technology works as intended...

and Tesla should probably install a separate computer to track emergency vehicles, which they seem drawn to like moths...

I thought they had fitted a separate tracking system for them; I thought that explained their success rate in hitting the buggers.

At last, Red Hat Enterprise Linux 9.0 slips out

Dazed and Confused

Re: Downstream?

Not 9, but Alma have shipped 8.6 today, so still managing the 48 hour target.

Well done to the team involved.

Dazed and Confused

Re: How do you like them apples?

Sign up for the dev account; it's free as in beer, and these days you can run quite a few systems on it.

Dazed and Confused

Re: Downstream?

Alma aim for 48 hours, I've not seen them miss that yet, they've shipped 9beta for a while so they've got the process in place. Rocky aren't normally far behind. So far both have been light years ahead of where CentOS were with 7 or 8 releases.

Looking on Red Hat's site I can't see the download for 9 being available, just a "we've announced 9" and they're still offering 9Beta for download.

What I did notice is the release of 8.6 today. So the clock is ticking to see whether Alma manage Thursday, again they've been offering 8.6 beta for a short while so I guess they've got the process in place.

BOFH: Something's consuming 40% of UPS capacity – and it's coming from the beancounters' office

Dazed and Confused

Re: A possible solution

I occasionally used to visit a site in an old fashioned manufacturing company. They had a policy of using very obviously non-standard plugs for any important kit to stop cleaners and maintenance staff unplugging it. If it doesn't look like a 13 amp plug they ignore it.

Microsoft points at Linux and shouts: Look, look! Privilege-escalation flaws here, too!

Dazed and Confused

Re: OFTF

> Yes, I just made up that term

You might have just invented it, but it has now been adopted as the official term for the period.

Skipping CentOS Stream? AlmaLinux 9 Beta is here

Dazed and Confused

Re: Why not CentOS?

I think your point about it being good practice for the Alma (& Rocky) teams is the key. If we want these things to exist for 9 in a timely fashion they need to get their processes in place and have them tested and that means we need to test them.

Dazed and Confused

Re: Other Improvements?

Since both Alma & Rocky aim to be bug for bug compatible with RHEL then it sounds like the inclusion of systemd is part of their design objectives :-)

Zlib crash-an-app bug finally squashed, 17 years later

Dazed and Confused

Re: Zlib in embedded

What, you mean like every single old phone which isn't receiving updates any more?

Debugging source is even harder when you can't stop laughing at it

Dazed and Confused

Re: Customer management objection to offensive code comment...

Be careful what you ask programmers to change

Back when the original PA-RISC systems were getting close to release some marketing zeeb complained that the status LEDs inside the 840 read 0000 when the machine was lightly loaded. Not sexy enough. Sure, said one of the engineers, we'll just flip the status bits and leave the load counter as it is.

The comment clearly went several miles over the head of the zeeb, but, happy he was being listened to, the change was agreed.

On the 840 this status panel was hidden away inside the machine.

On the super duper 850 which followed it, the status panel was proudly displayed on a thing which looked like a calculator on top of the system, where everyone could read

F0FF

Dazed and Confused

Try a high pressure job where even notes could be read out in court. That will ensure things are kept at a formal level.

Sadly this results in comments not being kept in the notes that it would have been better to have kept. Notes are so often censored (self-censored) and this results in their not being complete.

I don't think I ever knew anyone who reached for the resus kit without swearing at least under their breath.

AlmaLinux OS Foundation welcomes AMD to the fold

Dazed and Confused

Claims?

and claimed to have released AlmaLinux 8.5 within 48 hours of the latest Red Hat Enterprise Linux release.

I'm pretty sure that I'd pulled the Alma 8.5 ISO within 48 hours of the RHEL release.

RH's release date page shows that 8.5 was released on the 9th Nov 2021, but they're not very good at telling their customers about such things. So I didn't get my download until the morning of the 11th.

The timestamp on my Alma ISO file is mid afternoon on the 11th.

The guys at Rocky weren't far behind. They both appear to be getting their releases out the door much more promptly than the team producing the CentOS releases were managing. I'm not criticising the guys who were doing CentOS (I'm not paying them so I have no right to :-) but I want to doff my cap to the teams behind Alma and Rocky who really seem to have their S**t together.

Now to get around to getting a Pi to pop Alma onto as they've got a release out for that too.

400Gbps is the new normal for biz networks

Dazed and Confused

Re: The eternal questions

This applies to connections within their network, and connections to their upstream Internet providers.

I was working on a bunch of servers in the Atlanta area a few weeks back and everything was really sluggish; their routers wouldn't respond to pings, but traceroute -T was showing over 250ms average times, twice what I'd expect.

Link from home to ISP, about 7ms which is better than average

The hop over the pond to New York, also looking good at about 75

New York to Atlanta over AT&T's backbone - EEEeeeks! WTF.

Times from there to the customer OK

Can't recall when I last saw that sort of congestion on an exchange to exchange part of the route.

There's someone who could use more bandwidth on their core network.

You should read Section 8 of the Unix User's Manual

Dazed and Confused

Re: % in email addresses?

You could use multiple "@" signs in an address and they were read right to left. The need for "%" was so that you could mix SMTP and UUCP hops in one address.

The precedence was that @'s are processed before UUCP's ! so if you needed to have a UUCP hop followed by an SMTP one you used the lower precedence % format.

I also benefited because the IP network wasn't rolled out in the company I was working for by their IT network people but rather by the company's research division, who then allowed the rest of us techies to come on board and play too. You learn so much more when you need to do stuff for real.

Hello Slackware, our old friend: Veteran Linux distribution releases version 15.0 at last

Dazed and Confused

Re: No Sendmail?!

> with the complete Sendmail reference manual

You had a sendmail reference manual. Bloody luxury.

When I first came across it you had to learn at the feet of the upstream gateway admin whilst he simultaneously tried to rip your head off down the phone coz your box wasn't handling things properly.

Me, I never bothered to learn this M4 macro stuff; once I'd been beaten within an inch of my life I never had another problem writing cf files, and spent many happy years teaching it to people. The language wasn't too bad; the crazy bit was the order it ran the rulesets in :-).

I always just assumed that Eric was obsessed with $$$$$$ like most poor students.

Epoch-alypse now: BBC iPlayer flaunts 2038 cutoff date, gives infrastructure game away

Dazed and Confused

Next you will be wanting the Itanium processor's NaM flag to indicate the difference between a zero and a "Not a Number", like the difference between a NULL string and a string of length zero.

OK, boomer? Gen-X-ers, elder millennials most likely to name their cars, says DVLA

Dazed and Confused

Always named my cars

My Dad didn't, so I don't get it from there.

My elder brother did, no idea if he still does.

My wife named her cars before I met her too. The younger kid named his car as soon as we bought it; when we recently got one for the older of the kids she wasn't interested, but their brother named it anyway and that's stuck.

China's Yutu rover spots 'mysterious hut' on far side of the Moon

Dazed and Confused

Re: It's a film set

:-)

Except if Kubrick was faking the tea, it would be indistinguishable from the real thing.

Dazed and Confused

Re: It's a film set

I was going to say it was the refreshment hut for Kubrick's film crew from when they faked the moon landings. I wonder if they're still serving tea?

Alma and Rocky Linux release 8.5 builds, Rocky catches up with secure boot

Dazed and Confused

This has been great to see

Both Alma and Rocky have managed to get their releases out within a few days of the release of RHEL 8.5.

All seems to be working well so far.

FYI: If the latest Windows 11 really wants to use Edge, it will use Edge no matter what

Dazed and Confused

Re: Great plan

RPMs are CPIO balls despite RHEL's man page for cpio(1) saying it is obsolete and other archiving tools should be used.

Nobody cares about DAB radio – so let's force it onto smart speakers, suggests UK govt review

Dazed and Confused

Re: Early adopter

they are perfectly in sync on FM, but due to the chip technology decoding the DAB signal are often several seconds out of sync

Making the time signal completely pointless.

Dazed and Confused

Re: Don't touch FM!!!!

granted it sounds nicer than FM but...

But unlike FM it doesn't fade out gracefully when the signal is shit; it goes from working to garbled and unlistenable.

To get it to work at all I had to install a loft mounted aerial and an amp.

On the other hand my analogue radio in the bathroom manages quite happily with a few inches of wire dangling out the back.

The other advantage of analogue is its paltry power consumption. I think the batteries in the bathroom set have a lifetime roughly equal to their shelf life. The same can't be said for digital radio.

Software Freedom Conservancy sues TV maker Vizio for 'GPL infringement'

Dazed and Confused

Re: Signed binaries

> The boot software will not boot an owner installed OS kernel.

That's also true with UEFI based systems with secure boot enabled, the firmware will only boot signed software. Of course you can normally get a choice of signed software and you can normally disable secure boot.

With newer kernels it can even be a problem loading non standard kernel modules, so for example loading ZFS on an RHEL 8 box doesn't work with secure boot enabled.

[root@m10vm8 ~]# modprobe zfs

modprobe: ERROR: could not insert 'zfs': Required key not available

[root@m10vm8 ~]#

PCIe 6.0 spec just months away from completion, doubles max data transfer rate

Dazed and Confused

Great but

Why are PCIe specifications only available to PCI-SIG members?

The nosy amongst us would love to be able to read through all the output of lspci and be able to look up what it all means.

The likes of SMBIOS and UEFI are all open docs these days, why is PCI secret?

Microsoft's problem child, Windows 11, is here. Will you run it? Can you run it? Do you even WANT to run it?

Dazed and Confused

Re: Easy ways to avoid Windows 11

Why disable secure boot if you're planning to run Linux?

My Linux systems run quite happily with secure boot.

tz database community up in arms over proposals to merge certain time zones

Dazed and Confused

Re: Do we need two timezone databases?

CET WET

Reminds me of a conversation with the lab engineers of a certain Unix vendor back in the 80s. Can't remember how the conversation started but

Me: Why do you call the timezone for the UK, WET

LabEng: Coz that's what you call it

Me: No we don't

LabEng: you do

Me: I live there I should know

LabEng: Well what do you call it

Me: GMT

LabEng: that's not its name.

Me: Well what do you call your timezone.

LabEng: MST

Me: What's the full TZ= variable setting?

LabEng: (sounding exasperated) TZ=MST7MDT

Me: And the 7 is?

LabEng: (still sounding exasperated) the 7 hours after GMT

Me: Precisely, and where is the Greenwich in Greenwich Mean Time? Let's face it, we're not talking about the one in New York, are we.

LabEng: Ah... So you actually use GMT time as your own time too

Me: Errr Yes, well at least in winter, in the summer we have British Summer Time, which is just another phrase for "it's raining again"

As the man page for spell used to warn

Warning! the British spelling was also done by an American.
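Added example for this page, not from the post: a small decoder for the std/offset/dst part of a POSIX TZ string, showing why the 7 in TZ=MST7MDT is hours west of Greenwich rather than a UTC offset in the usual east-positive sense. The `libc_offset` cross-check assumes a Unix Python with `time.tzset()`; the `,rule` part of longer TZ strings is ignored.

```python
import os
import re
import time

# std name (three or more letters, or <quoted>), offset [+-]hh[:mm[:ss]],
# optional dst name. Anything after that (the ",rule" part) is not parsed.
_TZ_RE = re.compile(
    r"^(?P<std><[^>]+>|[A-Za-z]{3,})"
    r"(?P<off>[+-]?\d{1,2}(?::\d{2}){0,2})"
    r"(?P<dst><[^>]+>|[A-Za-z]{3,})?"
)

def parse_posix_tz(tz):
    """Return (std, utc_offset_seconds, dst) for a POSIX TZ string.

    POSIX counts the offset as time WEST of Greenwich, so MST7MDT means
    local time = UTC - 7h. The returned offset uses the usual east-positive
    sign, i.e. -25200 for MST7MDT and +32400 for JST-9.
    """
    m = _TZ_RE.match(tz)
    if not m:
        raise ValueError(f"not a POSIX TZ string: {tz!r}")
    off = m.group("off")
    sign = -1 if off.startswith("-") else 1
    parts = [int(p) for p in off.lstrip("+-").split(":")]
    parts += [0] * (3 - len(parts))            # pad to h, m, s
    west_seconds = parts[0] * 3600 + parts[1] * 60 + parts[2]
    return m.group("std"), -sign * west_seconds, m.group("dst")

def libc_offset(tz):
    """What the C library makes of the same string: time.timezone is also
    counted west of Greenwich, so negate it to get the east-positive offset."""
    os.environ["TZ"] = tz
    time.tzset()
    return -time.timezone

if __name__ == "__main__":
    for tz in ("MST7MDT", "GMT0BST", "WET0WEST", "JST-9"):
        std, offset, dst = parse_posix_tz(tz)
        print(f"{tz:10} std={std} dst={dst} utc_offset={offset / 3600:+.1f}h "
              f"libc={libc_offset(tz) / 3600:+.1f}h")
```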

UK altnet CityFibre's boss on its hopes to capitalise on market churn as fibre broadband rolls out

Dazed and Confused

Re: There are counting people twice

That's probably to balance out all the people who aren't being counted at all as they have no options and no one seems to be publishing any maps of their plans.

A practical demonstration of the difference between 'resilient' and 'redundant'

Dazed and Confused

A large customer I used to deal with had been trying to get three-way mirroring for a few years and the head bean counter wouldn't sign it off. So certain key servers had a downtime window in the wee small hours for backups. The head bean counter then exploded at the IT director one day when he was in the far east and couldn't access his email. The third set of disks were ordered that day.

Moral of the story?

Make sure the bean counters suffer from their own decisions.

Dazed and Confused

We used to find people building HA clusters out of their fault tolerant systems. After all, if someone blows up the data centre where the FT box is, it's still dead, FT or not.

Virtual machines with live migration allow workloads to be moved without an interruption to service for planned downtime events, which reduces some of the issues that hot plugging helped with. It's been too many years to remember how the FT version of the OS coped with double bit memory errors; I suspect they caused a panic. But if you're getting lots of more normal single bit errors it's easy enough to migrate the VMs away to another node and then take the HW down to swap out the suspect DIMMs.

Dazed and Confused

How redundant do things need to be?

Years back I went to do some work on a customer of a customer's site.

They'd built themselves a cluster without much if any input from the manufacturer. They had:

2 servers, a primary and a secondary: Check

A disk array running RAID5: Check (but only one power supply)

but then things went downhill.

Each server only had one link to the array.

Each server only had one network link (apparently their network guy didn't hold with a server having more than one link)

But the pièce de résistance was that the whole cluster, that is both servers and the array, was powered from one 4-way extension lead which was plugged into a socket in the ceiling above the rack.

So they'd managed to have two of the most expensive components and pretty much failed on everything else that could be thought of.