Author Mike Gilbert <floppym@g.o>
Posted 2015-07-25
Revision 1

Python 3.4 is now enabled by default, replacing Python 3.3 as the
default Python 3 interpreter.

PYTHON_TARGETS will be adjusted to contain python2_7 and python3_4 by
default via your profile.

PYTHON_SINGLE_TARGET will remain set to python2_7 by default.

If you have PYTHON_TARGETS set in make.conf, that setting will still be
respected. You may want to adjust this setting manually.

Once the changes have taken place, a world update should take care of
reinstalling any Python libraries you have installed. You should also
switch your default python3 interpreter using eselect python.

For example:

eselect python set --python3 python3.4
emerge -uDv --changed-use @world

2015-08-13-openssh-weak-keys
Title OpenSSH 7.0 disables ssh-dss keys by default
Author Mike Frysinger <vapier@g.o>
Posted 2015-08-13
Revision 1

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
been disabled by default at runtime due to their inherent weakness. If
you rely on these key types, you will have to take corrective action or
risk being locked out.

Your best option is to generate new keys using strong algorithms such as
RSA, ECDSA or ed25519. RSA keys will give you the greatest portability
with other clients/servers while ed25519 will get you the best security
with OpenSSH (but requires recent versions of client & server).

If you are stuck with DSA keys, you can re-enable support locally by
adding a line like the following to your sshd_config and ~/.ssh/config
files:
PubkeyAcceptedKeyTypes=+ssh-dss

Be aware though that eventually OpenSSH will drop support for DSA keys
entirely, so this is only a stop-gap solution.

More details can be found on OpenSSH's website:
http://www.openssh.com/legacy.html

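To find out who would be locked out before upgrading, here is an added example (not part of the news item): a small Python audit that lists the ssh-dss entries in an authorized_keys file, options prefix included, and checks whether an sshd_config carries the PubkeyAcceptedKeyTypes stop-gap. The authorized_keys sample is constructed, with placeholder key material.

```python
"""Audit authorized_keys and sshd_config for ssh-dss usage before an OpenSSH 7.0 upgrade."""
import re

# Constructed sample (placeholder key blobs, not real keys): two ssh-dss
# entries, one of them behind an options prefix with quoted spaces.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial deploy@host
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBExample legacy@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample alice@laptop
from="10.0.0.0/8",environment="FOO=a b" ssh-dss AAAAB3NzaC1kc3MAAACBExample2 old-backup
"""

# Key types the news item talks about; extend if you use certificates or sk- keys.
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_line(line):
    """Return (key_type, comment) for an authorized_keys line, or None if it holds no key.

    An options prefix may contain quoted strings with spaces, so tokens are
    split on whitespace while keeping double-quoted segments intact.
    """
    tokens = re.findall(r'(?:"[^"]*"|[^\s"])+', line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            return tok, " ".join(tokens[i + 2:])  # everything after the blob is the comment
    return None

def find_dss_keys(text):
    """Return (line_number, comment) for every ssh-dss key in authorized_keys text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parsed = parse_line(stripped)
        if parsed and parsed[0] == "ssh-dss":
            hits.append((lineno, parsed[1]))
    return hits

def dss_allowed(sshd_config):
    """True if the first PubkeyAcceptedKeyTypes directive keeps ssh-dss accepted.

    '+' appends to the default list, a bare list replaces it, '-' removes from
    it; with the 7.0 default excluding ssh-dss, only the first two can enable it.
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)PubkeyAcceptedKeyTypes\s*=?\s*(.+)", line)
        if m:
            value = m.group(1).strip()
            return not value.startswith("-") and "ssh-dss" in value.lstrip("+").split(",")
    return False  # no directive: OpenSSH 7.0 default, ssh-dss rejected
```

Run it over each user's ~/.ssh/authorized_keys and /etc/ssh/sshd_config to see which logins still depend on the stop-gap.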
2015-10-21-future-support-of-hardened-sources-kernel
Title Future Support of hardened-sources Kernel
Author Anthony G. Basile <blueness@g.o>
Posted 2015-10-21
Revision 3

For many years, the Grsecurity team [1] has been supporting two versions of
their security patches against the Linux kernel, a stable and a testing
version, and Gentoo has made both of these available to our users through the
hardened-sources package. However, on August 26 of this year, the team
announced they would no longer be making the stable version publicly
available, citing trademark infringement by a major embedded systems company
as the reason. [2] The stable patches are now only available to sponsors of
Grsecurity and can no longer be distributed in Gentoo. However, the team did
assure us that they would continue to release and support the testing version
as they have in the past.

What does this mean for users of hardened-sources? Gentoo will continue to
make the testing version available through our hardened-sources package, but we
will have to drop support for the 3.x series. In a few days, those ebuilds
will be removed from the tree and you will be required to upgrade to a 4.x
series kernel. Since the hardened-sources package only installs the kernel
source tree, you can continue using a currently built 3.x series kernel, but
bear in mind that we cannot support you, nor will upstream. Also keep in mind
that the 4.x series will not be as reliable as the 3.x series was, so
reporting bugs promptly will be even more important. Gentoo will continue to
work closely with upstream to stay on top of any problems, but be prepared for
the occasional "bad" kernel. The more reporting we receive from our users,
the better we will be able to decide which hardened-sources kernels to mark
stable and which to drop.

Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php

2016-01-08-some-dhcpcd-hooks-are-now-examples
Title Some dhcpcd hooks are now examples
Author William Hubbs <williamh@g.o>
Posted 2016-01-08
Revision 2

In dhcpcd-6.10.0, the following hooks are no longer installed in
/lib/dhcpcd/dhcpcd-hooks by default:

10-wpa_supplicant
15-timezone
29-lookup-hostname

These are now installed in /usr/share/dhcpcd/hooks, which is an example
directory.

If you were using these hooks before you upgrade to 6.10.0, you will
need to copy them back to the /lib/dhcpcd/dhcpcd-hooks directory after the
upgrade.

>>> Building file list for distfiles cleaning...
>>> Cleaning distfiles...
[ 1.0 M ] LVM2.2.02.88.tgz
[ 119.7 K ] MAKEDEV-3.23-1.tar.gz
[ 2.1 M ] busybox-1.20.2.tar.bz2
[ 994.6 K ] cpio-2.11.tar.bz2
[ 227.3 K ] dmraid-1.0.0.rc16-3.tar.bz2
[ 493.5 K ] fuse-2.8.6.tar.gz
[ 276.3 K ] genkernel-3.4.52.3.tar.xz
[ 381.8 K ] genpatches-4.1-16.base.tar.xz
[ 15.8 K ] genpatches-4.1-16.extras.tar.xz
[ 6.2 K ] gentoo-headers-4.3-1.tar.xz
[ 3.7 M ] gentoo-headers-base-4.3.tar.xz
[ 3.2 M ] gnupg-1.4.11.tar.bz2
[ 79.2 M ] linux-4.1.tar.xz
[ 285.8 K ] mdadm-3.1.5.tar.bz2
[ 1.8 M ] nano-2.4.3.tar.gz
[ 879.0 K ] open-iscsi-2.0-872.tar.gz
[ 21.9 K ] openssh-7.1p2-hpnssh14v10.tar.xz
[ 1.4 M ] openssh-7.1p2.tar.gz
[ 407.3 K ] sandbox-2.10.tar.xz
[ 29.7 K ] unionfs-fuse-0.24.tar.bz2
===========
[ 96.4 M ] Total space from 20 files were freed in the distfiles directory
passwd: password expiry information changed.
passwd: password expiry information changed.
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/cloud-prep.sh from the chroot
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot
18 Jan 2016 06:02:56 UTC: NOTICE : --- Running action sequence: preclean
Copying stage4-preclean-chroot.sh to /tmp
copying stage4-preclean-chroot.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
Ensure the file has the executable bit set
Running stage4-preclean-chroot.sh in chroot:
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/stage4-preclean-chroot.sh
>>> Regenerating /etc/ld.so.cache...
Skipping depclean operation for stage4
Skipping removal of world file for stage4
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/stage4-preclean-chroot.sh from the chroot
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot
18 Jan 2016 06:02:57 UTC: NOTICE : --- Running action sequence: rcupdate
Copying rc-update.sh to /tmp
copying rc-update.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
Ensure the file has the executable bit set
Running rc-update.sh in chroot:
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/rc-update.sh
Adding acpid to default
 * service acpid added to runlevel default
Adding cloud-config to default
 * service cloud-config added to runlevel default
Adding cloud-final to default
 * service cloud-final added to runlevel default
Adding cloud-init-local to default
 * service cloud-init-local added to runlevel default
Adding cloud-init to default
 * service cloud-init added to runlevel default
Adding cronie to default
 * service cronie added to runlevel default
Adding dhcpcd to default
 * service dhcpcd added to runlevel default
Adding net.lo to default
 * service net.lo added to runlevel default
Adding netmount to default
 * rc-update: netmount already installed in runlevel `default'; skipping
Adding sshd to default
 * service sshd added to runlevel default
Adding syslog-ng to default
 * service syslog-ng added to runlevel default
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/rc-update.sh from the chroot
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot
18 Jan 2016 06:02:57 UTC: NOTICE : --- Running action sequence: unmerge
Copying unmerge.sh to /tmp
copying unmerge.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp
Ensure the file has the executable bit set
Running unmerge.sh in chroot:
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/unmerge.sh
>>> Regenerating /etc/ld.so.cache...
emerge --quiet --usepkg --buildpkg --newuse -C sys-kernel/genkernel sys-kernel/gentoo-sources

--- Couldn't find 'sys-kernel/genkernel' to unmerge.

--- Couldn't find 'sys-kernel/gentoo-sources' to unmerge.
18 Jan 2016 06:02:59 UTC: ERROR : CatalystError: cmd() NON-zero return value from: Unmerge script failed.
18 Jan 2016 06:02:59 UTC: ERROR : Exception running action sequence unmerge
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/catalyst/base/stagebase.py", line 1413, in run
    getattr(self, x)()
  File "/usr/lib64/python2.7/site-packages/catalyst/base/stagebase.py", line 1452, in unmerge
    env=self.env)
  File "/usr/lib64/python2.7/site-packages/catalyst/support.py", line 55, in cmd
    print_traceback=False)
CatalystError
18 Jan 2016 06:02:59 UTC: NOTICE : Cleaning up... Running unbind()



Full build log at /home/release/tmp/run/catalyst-auto.oO2hD4/log/hardened_stage4-cloud.log