| 1 |
Author Mike Gilbert <floppym@g.o> |
| 2 |
Posted 2015-07-25 |
| 3 |
Revision 1 |
| 4 |
|
| 5 |
Python 3.4 is now enabled by default, replacing Python 3.3 as the |
| 6 |
default Python 3 interpreter. |
| 7 |
|
| 8 |
PYTHON_TARGETS will be adjusted to contain python2_7 and python3_4 by |
| 9 |
default via your profile. |
| 10 |
|
| 11 |
PYTHON_SINGLE_TARGET will remain set to python2_7 by default. |
| 12 |
|
| 13 |
If you have PYTHON_TARGETS set in make.conf, that setting will still be |
| 14 |
respected. You may want to adjust this setting manually. |
| 15 |
|
| 16 |
Once the changes have taken place, a world update should take care of |
| 17 |
reinstalling any python libraries you have installed. You should also |
| 18 |
switch your default python3 interpreter using eselect python. |
| 19 |
|
| 20 |
For example: |
| 21 |
|
| 22 |
eselect python set --python3 python3.4 |
| 23 |
emerge -uDv --changed-use @world |
| 24 |
|
| 25 |
2015-08-13-openssh-weak-keys |
| 26 |
Title OpenSSH 7.0 disables ssh-dss keys by default |
| 27 |
Author Mike Frysinger <vapier@g.o> |
| 28 |
Posted 2015-08-13 |
| 29 |
Revision 1 |
| 30 |
|
| 31 |
Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has |
| 32 |
been disabled by default at runtime due to their inherit weakness. If |
| 33 |
you rely on these key types, you will have to take corrective action or |
| 34 |
risk being locked out. |
| 35 |
|
| 36 |
Your best option is to generate new keys using strong algos such as rsa |
| 37 |
or ecdsa or ed25519. RSA keys will give you the greatest portability |
| 38 |
with other clients/servers while ed25519 will get you the best security |
| 39 |
with OpenSSH (but requires recent versions of client & server). |
| 40 |
|
| 41 |
If you are stuck with DSA keys, you can re-enable support locally by |
| 42 |
updating your sshd_config and ~/.ssh/config files with lines like so: |
| 43 |
PubkeyAcceptedKeyTypes=+ssh-dss |
| 44 |
|
| 45 |
Be aware though that eventually OpenSSH will drop support for DSA keys |
| 46 |
entirely, so this is only a stop gap solution. |
| 47 |
|
| 48 |
More details can be found on OpenSSH's website: |
| 49 |
http://www.openssh.com/legacy.html |
| 50 |
|
| 51 |
2015-10-21-future-support-of-hardened-sources-kernel |
| 52 |
Title Future Support of hardened-sources Kernel |
| 53 |
Author Anthony G. Basile <blueness@g.o> |
| 54 |
Posted 2015-10-21 |
| 55 |
Revision 3 |
| 56 |
|
| 57 |
For many years, the Grsecurity team [1] has been supporting two versions of |
| 58 |
their security patches against the Linux kernel, a stable and a testing |
| 59 |
version, and Gentoo has made both of these available to our users through the |
| 60 |
hardened-sources package. However, on August 26 of this year, the team |
| 61 |
announced they would no longer be making the stable version publicly |
| 62 |
available, citing trademark infringement by a major embedded systems company |
| 63 |
as the reason. [2] The stable patches are now only available to sponsors of |
| 64 |
Grsecurity and can no longer be distributed in Gentoo. However, the team did |
| 65 |
assure us that they would continue to release and support the testing version |
| 66 |
as they have in the past. |
| 67 |
|
| 68 |
What does this means for users of hardened-sources? Gentoo will continue to |
| 69 |
make the testing version available through our hardened-sources package but we |
| 70 |
will have to drop support for the 3.x series. In a few days, those ebuilds |
| 71 |
will be removed from the tree and you will be required to upgrade to a 4.x |
| 72 |
series kernel. Since the hardened-sources package only installs the kernel |
| 73 |
source tree, you can continue using a currently built 3.x series kernel but |
| 74 |
bear in mind that we cannot support you, nor will upstream. Also keep in mind |
| 75 |
that the 4.x series will not be as reliable as the 3.x series was, so |
| 76 |
reporting bugs promptly will be even more important. Gentoo will continue to |
| 77 |
work closely with upstream to stay on top of any problems, but be prepared for |
| 78 |
the occasional "bad" kernel. The more reporting we receive from our users, |
| 79 |
the better we will be able to decide which hardened-sources kernels to mark |
| 80 |
stable and which to drop. |
| 81 |
|
| 82 |
Refs. |
| 83 |
[1] https://grsecurity.net |
| 84 |
[2] https://grsecurity.net/announce.php |
| 85 |
|
| 86 |
2016-01-08-some-dhcpcd-hooks-are-now-examples |
| 87 |
Title Some dhcpcd hooks are now examples |
| 88 |
Author William Hubbs <williamh@g.o> |
| 89 |
Posted 2016-01-08 |
| 90 |
Revision 2 |
| 91 |
|
| 92 |
In dhcpcd-6.10.0, the following hooks are no longer installed in |
| 93 |
/lib/dhcpcd/dhcpcd-hooks by default: |
| 94 |
|
| 95 |
10-wpa_supplicant |
| 96 |
15-timezone |
| 97 |
29-lookup-hostname |
| 98 |
|
| 99 |
These are now installed in /usr/share/dhcpcd/hooks, which is an example |
| 100 |
directory. |
| 101 |
|
| 102 |
If you were using these hooks before you upgrade to 6.10.0, you will |
| 103 |
need to copy them back to the /lib/dhcpcd/dhcpcd-hooks directory after the |
| 104 |
upgrade. |
| 105 |
|
| 106 |
>>> Building file list for distfiles cleaning... |
| 107 |
>>> Cleaning distfiles... |
| 108 |
[ 1.0 M ] LVM2.2.02.88.tgz |
| 109 |
[ 119.7 K ] MAKEDEV-3.23-1.tar.gz |
| 110 |
[ 2.1 M ] busybox-1.20.2.tar.bz2 |
| 111 |
[ 994.6 K ] cpio-2.11.tar.bz2 |
| 112 |
[ 227.3 K ] dmraid-1.0.0.rc16-3.tar.bz2 |
| 113 |
[ 493.5 K ] fuse-2.8.6.tar.gz |
| 114 |
[ 276.3 K ] genkernel-3.4.52.3.tar.xz |
| 115 |
[ 381.8 K ] genpatches-4.1-16.base.tar.xz |
| 116 |
[ 15.8 K ] genpatches-4.1-16.extras.tar.xz |
| 117 |
[ 6.2 K ] gentoo-headers-4.3-1.tar.xz |
| 118 |
[ 3.7 M ] gentoo-headers-base-4.3.tar.xz |
| 119 |
[ 3.2 M ] gnupg-1.4.11.tar.bz2 |
| 120 |
[ 79.2 M ] linux-4.1.tar.xz |
| 121 |
[ 285.8 K ] mdadm-3.1.5.tar.bz2 |
| 122 |
[ 1.8 M ] nano-2.4.3.tar.gz |
| 123 |
[ 879.0 K ] open-iscsi-2.0-872.tar.gz |
| 124 |
[ 21.9 K ] openssh-7.1p2-hpnssh14v10.tar.xz |
| 125 |
[ 1.4 M ] openssh-7.1p2.tar.gz |
| 126 |
[ 407.3 K ] sandbox-2.10.tar.xz |
| 127 |
[ 29.7 K ] unionfs-fuse-0.24.tar.bz2 |
| 128 |
=========== |
| 129 |
[ 96.4 M ] Total space from 20 files were freed in the distfiles directory |
| 130 |
passwd: password expiry information changed. |
| 131 |
passwd: password expiry information changed. |
| 132 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/cloud-prep.sh from the chroot |
| 133 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot |
| 134 |
18 Jan 2016 06:02:56 UTC: NOTICE : --- Running action sequence: preclean |
| 135 |
Copying stage4-preclean-chroot.sh to /tmp |
| 136 |
copying stage4-preclean-chroot.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 137 |
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 138 |
Ensure the file has the executable bit set |
| 139 |
Running stage4-preclean-chroot.sh in chroot: |
| 140 |
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/stage4-preclean-chroot.sh |
| 141 |
>>> Regenerating /etc/ld.so.cache... |
| 142 |
Skipping depclean operation for stage4 |
| 143 |
Skipping removal of world file for stage4 |
| 144 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/stage4-preclean-chroot.sh from the chroot |
| 145 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot |
| 146 |
18 Jan 2016 06:02:57 UTC: NOTICE : --- Running action sequence: rcupdate |
| 147 |
Copying rc-update.sh to /tmp |
| 148 |
copying rc-update.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 149 |
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 150 |
Ensure the file has the executable bit set |
| 151 |
Running rc-update.sh in chroot: |
| 152 |
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/rc-update.sh |
| 153 |
Adding acpid to default |
| 154 |
* service acpid added to runlevel default |
| 155 |
Adding cloud-config to default |
| 156 |
* service cloud-config added to runlevel default |
| 157 |
Adding cloud-final to default |
| 158 |
* service cloud-final added to runlevel default |
| 159 |
Adding cloud-init-local to default |
| 160 |
* service cloud-init-local added to runlevel default |
| 161 |
Adding cloud-init to default |
| 162 |
* service cloud-init added to runlevel default |
| 163 |
Adding cronie to default |
| 164 |
* service cronie added to runlevel default |
| 165 |
Adding dhcpcd to default |
| 166 |
* service dhcpcd added to runlevel default |
| 167 |
Adding net.lo to default |
| 168 |
* service net.lo added to runlevel default |
| 169 |
Adding netmount to default |
| 170 |
* rc-update: netmount already installed in runlevel `default'; skipping |
| 171 |
Adding sshd to default |
| 172 |
* service sshd added to runlevel default |
| 173 |
Adding syslog-ng to default |
| 174 |
* service syslog-ng added to runlevel default |
| 175 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/rc-update.sh from the chroot |
| 176 |
removing /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp/chroot-functions.sh from the chroot |
| 177 |
18 Jan 2016 06:02:57 UTC: NOTICE : --- Running action sequence: unmerge |
| 178 |
Copying unmerge.sh to /tmp |
| 179 |
copying unmerge.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 180 |
copying chroot-functions.sh to /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118/tmp |
| 181 |
Ensure the file has the executable bit set |
| 182 |
Running unmerge.sh in chroot: |
| 183 |
chroot /home/release/buildroot/amd64-dev/tmp/hardened/stage4-amd64-hardened+cloud-20160118 /tmp/unmerge.sh |
| 184 |
>>> Regenerating /etc/ld.so.cache... |
| 185 |
emerge --quiet --usepkg --buildpkg --newuse -C sys-kernel/genkernel sys-kernel/gentoo-sources |
| 186 |
|
| 187 |
--- Couldn't find 'sys-kernel/genkernel' to unmerge. |
| 188 |
|
| 189 |
--- Couldn't find 'sys-kernel/gentoo-sources' to unmerge. |
| 190 |
18 Jan 2016 06:02:59 UTC: ERROR : CatalystError: cmd() NON-zero return value from: Unmerge script failed. |
| 191 |
18 Jan 2016 06:02:59 UTC: ERROR : Exception running action sequence unmerge |
| 192 |
Traceback (most recent call last): |
| 193 |
File "/usr/lib64/python2.7/site-packages/catalyst/base/stagebase.py", line 1413, in run |
| 194 |
getattr(self, x)() |
| 195 |
File "/usr/lib64/python2.7/site-packages/catalyst/base/stagebase.py", line 1452, in unmerge |
| 196 |
env=self.env) |
| 197 |
File "/usr/lib64/python2.7/site-packages/catalyst/support.py", line 55, in cmd |
| 198 |
print_traceback=False) |
| 199 |
CatalystError |
| 200 |
18 Jan 2016 06:02:59 UTC: NOTICE : Cleaning up... Running unbind() |
| 201 |
|
| 202 |
|
| 203 |
|
| 204 |
Full build log at /home/release/tmp/run/catalyst-auto.oO2hD4/log/hardened_stage4-cloud.log |
Archives