Posts by Dazed and Confused

Re: I'm curious...

The GPIB, originally known as the HP-IB (Hewlett Packard Interface Bus), was invented to tie automated test equipment together. Later, it was bastardized into a peripheral bus for small computer systems. I've seen it used on everything from Mainframes to the Commodore PET.

HP used it for sorts of things including for the disks. For the interfaces which followed the standard (IEEE-488) they were limited to 350kB/s but as you say they bastardised the handshaking to get a fast version so they had a disk interface version which could manage the heady realms of 1MB/s :-) but then we were talking about the days when a 7908 was a 16MB disk which was about the height and depth of your desk and about a foot wide IIRC. Ha, guess I'm getting old coz I can remember things like that but not what I had for lunch yesterday.

HP used it as their disk interface for ages until it was killed off by SCSI. They did have their own fibre based disk interface as well towards the end which offered the same performance as SCSI but much longer "cabling".

I bet I've still got some HP-IB cables somewhere.

Re: Not all HW W11 compatible

> "W10 needed UEFI and so BIOS based PCs were stuck"

That's what I said, it needed UEFI and then in order to move older machines to W10 they changed things so that it would run on legacy BIOS boxes without secure boot.

Re: We Fixed the Problem Which is Important to Us

The Linux community could do with get manufactures to include another key apart from the Microsoft ones so that there are alternative CAs for secure boot, there is no inherent reason for MS being the only one.

HP/HPE include SUSE in the factory default secure boot keystore.

They include their own key as the main "Platform Key"

[daz@test1 ~]$ sudo mokutil --pk | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 PK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[daz@test1 ~]$

They then provide their own key and the keys from MS & SUSE as "Key Exchange Keys".

[daz@test1 ~]$ sudo mokutil --kek | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 KEK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[key 2]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011

[key 3]

Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de

[daz@test1 ~]$

Then in the main key database there are the two MS keys, the Windows one and the one they use for other OSs and two VMWare keys.

[daz@test1 ~]$ sudo mokutil --db | grep -e "^[[]" -e Subject:

[key 1]

Subject: CN=HPE UEFI Secure Boot 2016 DB Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company

[key 2]

Subject: O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key

[key 3]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011

[key 4]

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011

[key 5]

Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de

[key 6]

Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.

[key 7]

Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing

[daz@test1 ~]$

I'd much rather see someone like SUSE acting as the CA for Linux secure boot keys.

Re: necessary to hand assemble a proc structure

I had said "Unix kernels" for reference see the McKusick book on 4.4BSD page 504.

I can't share the code I have in front of me, its from a proprietary version of Unix.

As for the Linux kernel, I don't know my way around the code that well but in the Linux kernel there is an init_task of type struct task and this has

init_task.pid set to 0

init_task.comm set to "swapper"

just like the legacy Unix kernels, only there it's a proc structure.

Take a look at init/init_task.c

But this wasn't my comment about naivety, where I was referring to earlier versions of the systemd assuming that device enumeration starts at 1 when some systems start at 0. Please don't get me started on systems which don't start at either zero or one.

Re: The really clever thing about IBM mainframe VM/CMS was...

> Do any x86/*nix virtualisation solutions use shared read-only boot disks?

When I have multiple VMs running the same OS I use a shared backing store image with COW R/W layer on top, this means you get instant deploys. This is on KVM/QEMU, Works really well, Seems very cache efficient on the host, so the performance it good. The KSM stuff then seems to de-dupe the memory pretty well so we end up using a lot less RAM than we'd initially estimated.

Re: Commodore Pet

Gosh, that awoke some long dormant grey cells. Most of my early programming was on HP85s which used IEEE-488 (HP-IB) and I wrote SW to let them communicate together via an HP-IB interface.

Shame I can't remember why, or any other details.

Re: It is a violation, please read

Alma's latest statement can be found at

https://almalinux.org/blog/our-value-is-our-values/

Re: And by "solving" a non-problem ...

> I've yet to hear of, say, a black USAmerican, whose ancestors were subjected to actual slavery, taking offence at the technical usage of the words. As others have written, context is everything.

Well that might be your experience but I frequently run training classes for students from the southern states in the USofA and I've found this has changed over the last few years. Most of the people I'm training are not young they often have 20-30 years experience in their jobs and the terms master and slave now raise hackles. One of the places where the terminology came up was with BIND. The posting on their choice to switch over to primary and secondary on their mailing list makes a sensible case for the switch. Personally I find the terms primary and secondary for the functionality to be a better description of what is going on.

Re: *I* propose ...

> Lennart Poettering proposes tightening up Linux boot process ...

Given Lennart Poettering's history when it comes to security he's hardly a good one to lecture us is he. This is the man who invented systemd and moved us from the classic init model with a tiny attack surface to the monster systemd with a massive attack service. He's clearly never heard of "least privileges" he's clearly never heard of modularization or he'd never have included network functions into the orphan catcher, let us remind ourselves that PID 1 is so critical that if you can kill it the kernel dies! Systemd is much bigger than a classic init and therefore will contain a lot more potential bugs and possible ways of dying.

I know he's now departed from RH but has he forgotten everything he ever knew about RHEL? You need to be able to build your own initrd files. Just look at how many config files are on there and are acted upon before we perform the pivot to the "real" root disk. You want to set load time options on drivers (I know drivers should use SYSFS and udev for tuneables but they don't all do it and some are a pain to implement that way) then you need to write a modprobe.d/*.conf file and you then need to get that onto your initrd as the driver is loaded from there and not from the real root. Even the bloody hostname is read from the initrd, look at your logs file in the first week after boot FFS!

Then there is the issue that system vendors often provide "tweaked" versions of drivers. For example HPE have drivers on the SPP, for RHEL8 these are digitally signed but not by MS they're signed by HPE and since they produced the FW they've loaded their own secure boot public keys into the FW's keystore. BTW they've also loaded the SUSE public keys, not just the MS ones.

Since these drivers are signed for secure boot there is no problem with using them with secure boot enabled.

Re: Technology Perspective

> Although I don't think the Golden Record can be beat.

By the time an alien civilization finds the golden disk it will probably a bit too late to ask for more Chuck Berry.

Re: So technology works as intended...

and Tesla should probably install a separate computer to track emergency vehicles, which they seem drawn to like moths...

I thought they had fitted a separate tracking system for them, I thought that explained there success rate in hitting the buggers.

Re: Downstream?

Not 9, but Alma have shipped 8.6 today, so still managing the 48 hour target.

Well done to the team involved.

Re: A possible solution

I occasionally used to visit a site in an old fashioned manufacturing company. They had a policy of using very obviously non-standard plugs for any important kits to stop cleaners and maintenance staff unplugging kit. If it don't look like a 13amp plug they ignore it.

Re: OFTF

> Yes, I just made up that term

You might have just invented but it has now been adopted as the official term for the period

Re: Why not CentOS?

I think your point about it being good practice for the Alma (& Rocky) teams is the key. If we want these things to exist for 9 in a timely fashion they need to get their processes in place and have them tested and that means we need to test them.

Re: Zlib in embedded

What you mean like every singe old phone which isn't receiving updates any more?

Re: Customer management objection to offensive code comment...

Be careful what you ask programmers to change

Back when the original PA-Risc systems were get close to release some marketing zeeb complained that the status LEDs inside the 840 read 0000 when the machine was lightly loaded. Not sexy enough, sure said one of the engineers we'll just flip the status bits and leave the load counter as it is.

The comment clearly when several miles over the head of the zeeb but happy he was being listened to the change was agreed.

On the 840 this status panel was hidden away inside the machine.

On the super duper 850 which followed it the status panel was proudly displayed on a thing which looks like a calculator on top of the system where everyone could read

F0FF

Re: The eternal questions

This applies to connections within their network, and connections to their upstream Internet providers.

I was working on a bunch of servers in the Atlanta area a few weeks back and everything was really sluggish, their routers won't respond to pings, but traceroute -T was showing over 250ms average times, twice what I'd expect.

Link from home to ISP, about 7ms which is better than average

The hop over the pond to New York, also looking good at about 75

New York to Atlanta over AT&T's back bone - EEEeeeks! WTF.

Times from there to the customer OK

Can't recall when I last saw that sort of congestion on an exchange to exchange part of the route.

There's someone who could use more bandwidth on their core network.

Re: % in email addresses?

You could use multiple "@" signs in an address and they were read right to left. The need for "%" was so that you could mix SMTP and UUCP hops in one address.

The precedence was that @'s are processed before UUCP's ! so if you needed to have a UUCP hop followed by an SMTP one you used the lower precedence % format.

I also benefited because the IP network wasn't rolled out in the company I was working for by their IT network but rather by the companies research division who then allowed the rest of us techies to come on board and play too. You learn so much more when you need to do stuff for real.

Re: No Sendmail?!

> with the complete Sendmail reference manual

You had a sendmail reference manual. Bloody luxury

When I first came across it you had learn at the feet of the upstream gateway admin whilst he simultaneously tried to rip your head off down the phone coz your box wasn't handling things properly.

Me, I never bothered to learn this M4 macro stuff once I'd been beaten within an inch of my life I never had another problem writing cf files and spent many happy years teaching it to people. The language wasn't too bad, the crazy bit was the order it ran the rulesets in :-).

I always just assumed that Eric was obsessed with $$$$$$ like most poor students.

Next you will be wanting the Itanium processors NaM flag to indicate the difference between a zero and a "Not a Number" like the difference between a NULL string and a string of length zero.

Re: It's a film set

:-)

Except if Kubrick was faking the tea, it would be indistinguishable from the real thing.

Re: Great plan

RPMs are CPIO balls despite RHEL's man page for cpio(1) saying it is obsolete and other archiving tools should be used.

Re: Early adopter

they are perfectly in sync on FM, but due to the chip technology decoding the DAB signal are often several seconds out of sync

Making the time signal completely pointless.

Re: Signed binaries

> The boot software will not boot an owner installed OS kernel.

That's also true with UEFI based systems with secure boot enabled, the firmware will only boot signed software. Of course you can normally get a choice of signed software and you can normally disable secure boot.

With newer kernels it can even be a problem loading non standard kernel modules, so for example loading ZFS on an RHEL 8 box doesn't work with secure boot enabled.

[root@m10vm8 ~]# modprobe zfs

modprobe: ERROR: could not insert 'zfs': Required key not available

[root@m10vm8 ~]#

Re: Easy ways to avoid Windows 11

Why disable secure boot if you're planning to run Linux?

My Linux systems run quite happily with secure boot.

Re: There are counting people twice

That's probably to balance out all the people who aren't being counted at all as they have no options and no one seems to be publishing any maps of their plans.

A large customer I used to deal with had been trying to get three way mirroring for a few years and head bean counter wouldn't sign it off. So certain key servers had a downtime window in the wee small hours for backups. Head bean counter then exploded at the IT director one day when he was in the far east and couldn't access his email. The third set of disks were ordered that day.

Moral of the story?

Make sure the bean counters suffer from their own decisions.