@s1mple thanks for the reply.
- There is /sys/firmware/efi/efivars with dozens of efivars.
- mokutil reports pm, kek and db keys.
Before I reinstall grub-efi I want to search a little more and understand: if my initial Daedalus installation was UEFI Secure Boot compatible (with the shim), why then can't UEFI boot to GRUB?
For context :
@Daedalus installation guide.
@ debian installation manual / 3.6.3. Systems with UEFI firmware
Distro: Devuan Daedalus
With Secure Boot enabled from my motherboard's UEFI setup utility, my PC cannot boot.
Early in the boot, before I see GRUB's menu, I see an error message from the UEFI:
'Secure Boot violation , Invalid signature detected. Check secure policy in setup'.
Disabling 'secure boot' I can again boot as usual.
I posted my issue here because the first explanation I can think of is that somehow my GRUB image
is not signed correctly.
But I see:
$ sudo dpkg -l | grep shim
ii shim-helpers-amd64-signed 1+15.7+1 amd64 boot loader to chain-load signed boot loaders (signed by Debian)
ii shim-signed:amd64 1.39+15.7-1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ii shim-signed-common 1.39+15.7-1 all Secure Boot chain-loading bootloader (common helper scripts)
ii shim-unsigned
So how should I proceed?
@g4stra thanks. That worked.
$ sudo dpkg -l | grep nvidia
..
ii nvidia-persistenced
..
In my runit system I tried by
# runsvchdir single
and then :
# cd /var/lib/dkms
# mokutil --import mok.pub
Failed to enroll new keys
[SOLVED] by enrolling the nvidia pub key from inside the BIOS.
1. we move nvidia-modsign-crt-89A7BE16.der into /boot/efi/EFI/debian
2. we start UEFI setup
3. advanced / menus / boot / secure boot / keymanagement / append default db
But I still haven't figured out why sudo mokutil --import nvidia-pubkey.der didn't work, nor the error with the persistent nvidia daemon.
Release: Daedalus 5 (debian bookworm 12)
@ devuan wiki / nvidia gpus
@Debian Secure Boot: To be, or not to be, that is the question! Nov 29, 2024 by Anna. A detailed view on signing nvidia drivers in bookworm.
@ debian wiki / NvidiaGraphicsDrivers.
@ deb / nvidia-driver / bugs
Related workflows: display the current status of GPU acceleration. If nvidia-driver is not installed, Daedalus falls back to using the software rasterizer: lower analysis and on the order of ten times slower.
Current understanding: the deb package nvidia-kernel will try to build the driver and sign it. But with Secure Boot enabled, the keys created during that process must be 'enrolled'. I understand that process to mean that those keys must become known to the UEFI so that the nvidia driver is allowed to load during boot. That process doesn't proceed in Daedalus.
$ mokutil --sb-state
SecureBoot enabled
$ sudo apt install nvidia-driver firmware-misc-nonfree
$ ls /var/lib/dkms/
mok.key mok.pub
$ sudo mokutil --import /var/lib/dkms/mok.pub
[sudo] password for chomwitt:
input password:
input password again:
Failed to enroll new keys
A related issue during nvidia-driver installation :
$ sudo apt install nvidia-driver firmware-misc-nonfree
Processing triggers for initramfs-tools (0.142+deb12u3) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-33-amd64
Errors were encountered while processing:
nvidia-persistenced
E: Sub-process /usr/bin/dpkg returned an error code (1)
...
$ dpkg -l nvidia-persistenced
iF nvidia-persistenced 535.171.04-1~deb12u1 amd64 daemon to maintain persistent software state in the NVIDIA driver
/var/log/syslog during nvidia-driver installation:
2025-07-07T15:17:03.921569+03:00 enousold nvidia-persistenced: Started (10510)
2025-07-07T15:17:03.921732+03:00 enousold nvidia-persistenced: Failed to open libnvidia-cfg.so.1: libnvidia-cfg.so.1: cannot open shared object file: No such file or directory
2025-07-07T15:17:03.921749+03:00 enousold nvidia-persistenced: Shutdown (10510)
But libnvidia-cfg1 is pulled by nvidia-driver and contains
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.535.247.01
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.1
I found a 2017 bug report on Fedora that includes a strace session that resembles mine.
I also found a test for whether efivars are writable:
# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
For computer science at Bell Laboratories, the period 1968-1969 was somewhat unsettled. The main reason for this was the slow, though clearly inevitable, withdrawal of the Labs from the Multics project. From the point of view of the group that was to be most involved in the beginnings of Unix (K. Thompson, Ritchie, M. D. McIlroy, J. F. Ossanna), the decline and fall of Multics had a directly felt effect. We didn’t want to lose the pleasant niche we occupied, because no similar ones were available; even the time-sharing service that would later be offered under GE’s operating system did not exist.
What we wanted to preserve was not just a good environment in which to do programming, but a system around which a fellowship could form. We knew from experience that the essence of communal computing, as supplied by remote-access, time-shared machines, is not just to type programs into a terminal instead of a keypunch, but to encourage close communication.
The Evolution of the Unix Time-sharing System , Dennis M. Ritchie
RMS: The AI Lab of the 1970s was by all accounts a special place. It was a bit like the Garden of Eden, It hadn’t occurred to us not to cooperate.
The demise of ITS, and the AI Lab hacker community which had sustained it, had been a traumatic blow to Stallman. As a programmer used to working with the best machines and the best software, however, Stallman faced what he could only describe as a “stark moral choice”: either swallow his ethical objection for “proprietary” software – the term Stallman and his fellow hackers used to describe any program that carried copyright terms or an end-user license that restricted copying and modification – or dedicate his life to building an alternate, nonproprietary system of software programs. RMS: I asked myself: what could I, an operating-system developer, do to improve the situation? It wasn’t until I examined the question for a while that I realized an operating-system developer was exactly what was needed to solve the problem.
Free as in Freedom (2.0): Richard Stallman and the Free Software Revolution
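The Secure Boot posts above come down to whether the module-signing certificate is present in the firmware db or in shim's MOK list. As an added example (not part of the original posts), this parses the EFI_SIGNATURE_LIST layout those variables use from raw efivarfs bytes; the helper names and the sample variable with placeholder "certificates" are constructed for illustration.

```python
import struct
import uuid

# Signature type GUID for DER-encoded X.509 certificates (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob):
    """Yield (sig_type, owner, data) for every entry in a chain of
    EFI_SIGNATURE_LIST structures (the layout of db, KEK, MokListRT)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def is_enrolled(efivar_bytes, der_cert):
    """efivar_bytes: raw efivarfs file content; the first 4 bytes are the
    variable attributes and are skipped before parsing."""
    return any(t == EFI_CERT_X509_GUID and d == der_cert
               for t, _, d in parse_signature_lists(efivar_bytes[4:]))

def build_list(owner, der_cert):
    """Build a one-certificate signature list (only used for the sample)."""
    sig = owner.bytes_le + der_cert
    head = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return head + sig

# Constructed sample: placeholder bytes stand in for DER certificates, and the
# GUID from the efivar command on the page is reused as a constructed owner.
OWNER = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B-longer"
SAMPLE_VAR = b"\x06\x00\x00\x00" + build_list(OWNER, CERT_A) + build_list(OWNER, CERT_B)

if __name__ == "__main__":
    print(is_enrolled(SAMPLE_VAR, CERT_A), is_enrolled(SAMPLE_VAR, b"not enrolled"))
```

On a live system the input would be the bytes of a file such as `/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23` together with the bytes of the `.der` certificate being checked.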
The purpose of the X Session Management Protocol (XSMP) is to provide a uniform mechanism for users to save and restore their sessions. A session is a group of clients, each of which has a particular state. The session is controlled by a network service called the session manager. The session manager issues commands to its clients on behalf of the user. These commands may cause clients to save their state or to terminate.
So an X session manager wants (can?) to kill. But how do you get a license to kill? In a personal PC a user could be both system admin and user(s). And that means managing a system manager (init), a per-user service manager and a session manager? Should we not have a ring to rule them all?
I guess you refer to the XSMP. Another 'manager' of clients !.. It's getting crowded. Too many managers for the petites processes... I wonder if XSMP is a 'manager' that should be also managed by the 'system service manager' or by a user service manager..
It seems a petite process could grow big to become 'manageable' by many managers.
I guess a 'manager' could start to feel lonely if no one responds to its calls...
ralph.ronnquist my questions initially began regarding emacs as a service (dng list).
Then the idea of 'user' services stuck in my mind.
Can we consider emacs a 'user' service even if it's a non-automated service? Or we could imagine emacs performing automated text processing from text streams generated somewhere. Or emacs poses as a 'daemon' (a long-lasting, always needed service) to project its ambitions?
Anyway, in that case should we have a service manager per user? That seems logical if similar needs arise. But at that point I thought: isn't the shell the main way that a user 'composes' and sets up her/his work? So could we say that a user already has a service manager? (But possibly lacking user GUI daemons? Like a maestro lacking an orchestra?) And how does a user program like emacs, gimp etc. become manageable by a service manager? I guess by offering automation of tasks in a permanent way. So my inquiry looks at two sides. A service manager manages programs that 'grow' facilities that beg to be managed by a service manager
So its not just a question of daemonizing wrappers . What would be a related API , needed to be implemented by a process, in order for that process to be admissible to the "orchestra" of a computer system playing the symphony of a service manager?
If, broadly speaking, a sysadm is a kind of user, why should his/her service manager be fundamentally different? The admin creates the ground of the userspace. But likewise a 'user' could create the ground for higher-level users.
Interestingly, the 'shed' user service manager mentioned by EDX-0 seems to be a sysvinit for each user.
EDX-0, the 'shed' you mention used the scripted way. But I don't understand the problems that you refer to and why they would be related intrinsically to an interpreted service manager.
Also, I find it interesting that you refer (on the shed project site) to efforts of other projects to make programs daemonized. It seems that the different service managers are creating pressure for user apps to have various, perhaps incompatible, 'APIs' to be 'manageable' by the various service managers.
Interestingly, reading about the various service dependency models and what is supported by each system reminds me of similar discussions regarding apt dependencies. A package A depends on B. So B is installed with A. Now A is gone, what should apt do with B?
I guess the answer could be fuzzy and elusive.
Which makes me think. Is APT scripted or not? And maybe then my initial question could be better rephrased as: should a service manager be implemented in a certain programming language or in a scripted (interpreted) language? And a similar question: is BASH (a shell) a specialized interpreter suited for that kind of job (service-system supervisor), or could another interpreter be better suited?
ralph.ronnquist I should study sysvinit and runit more, I guess. My idea was that by using a scripted service-system supervisor you make the system less complex (in comparison to having another, hardcoded, supervisor). But you argue that shell-scripted control leads to less coherence due to more offered flexibility. So, as a metaphor, the system's services supervisor should be a brick to hold the userspace and not quicksand?
So.. if it could .. wouldn't a shell, by being more flexible and powerful, be better at it?
Why couldn't a shell (by interpreting a sysadm's script) do what a service manager does?
(root@client-~/importedshare)$ chattr +i test.txt
chattr: Operation not supported while reading flags on test.txt
But I changed 'test.txt's attribute on the server.
Thanks for reminding me of that UNIX 'quirk'.
According to $ man exports :
root_squash
Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive such as user bin or group staff.
no_root_squash
Turn off root squashing. This option is mainly useful for diskless clients.
And assuming my server /etc/exports is :
/home/chomwitt/NFSExport 192.168.2.44(rw,sync,no_subtree_check,no_root_squash)
It happens that a client/root user can create a file in the nfs share.
(root@client-~/importedshare) # touch test.txt
And in the client we will indeed see that a file was created:
(chomwtt@server-~/exportedshare) # ls
-rw-r--r-- 1 root root 0 Jun 27 17:01 test.txt
Now logically chomwitt@server should not be able to delete that test.txt. But I can.
Is that a bug?
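As an added illustration for the NFS post above (not part of the original thread): a small model of the classic Unix permission check for unlink, which consults the parent directory's mode and never the file's owner or mode, plus the uid remapping that root_squash performs. The uids, directory modes and the anonymous uid 65534 are constructed assumptions, as is the export directory being owned by chomwitt with mode 0755.

```python
import stat

ANON_UID = 65534  # assumed anonymous uid for squashed requests

def squash(uid, root_squash):
    """uid the NFS server acts as for a client request."""
    return ANON_UID if (uid == 0 and root_squash) else uid

def may_unlink(uid, gids, dir_st, file_uid):
    """Model of the unlink(2) permission check.
    dir_st = (mode, owner_uid, owner_gid) of the parent directory.
    The file's own permission bits are never consulted."""
    mode, d_uid, d_gid = dir_st
    if uid == 0:
        return True                    # unsquashed root bypasses the check
    if uid == d_uid:
        bits = (mode >> 6) & 7         # owner class
    elif d_gid in gids:
        bits = (mode >> 3) & 7         # group class
    else:
        bits = mode & 7                # other class
    if bits & 3 != 3:                  # need write (2) and search (1) on the dir
        return False
    if mode & stat.S_ISVTX:            # sticky bit: file owner or dir owner only
        return uid in (file_uid, d_uid)
    return True

# Constructed values: chomwitt is uid/gid 1000 and owns the exported directory.
CHOMWITT = 1000
EXPORT_DIR = (0o755, CHOMWITT, CHOMWITT)
STICKY_DIR = (0o1777, 0, 0)            # /tmp-style directory for contrast

if __name__ == "__main__":
    # root-owned test.txt inside chomwitt's directory: the directory owner may delete it
    print(may_unlink(CHOMWITT, {CHOMWITT}, EXPORT_DIR, file_uid=0))
    # same file in a sticky directory owned by root: refused
    print(may_unlink(CHOMWITT, {CHOMWITT}, STICKY_DIR, file_uid=0))
    # with root_squash, client root acts as the anonymous uid and cannot modify the directory
    print(may_unlink(squash(0, True), {ANON_UID}, EXPORT_DIR, file_uid=0))
```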
@PedroReina How will I restart the X server in xdm or another display manager?
For the moment I am trying to use network transparency without using ssh.
@ralph.ronnquist I was off for a while so unfortunately I couldn't sync to your proposed X conf race :-)
but thanks for the solution.
It worked, but only on one of my hosts, where I start X from a tty shell with startx.
On the other xfce host with xdm as display manager it didn't work.
I will try to read the xdm conf.
I think it's:
/etc/X11/xdm/Xservers
:0 local /usr/bin/X :0 vt7 -nolisten tcp
Changing -nolisten to -listen, it'll be effective after restarting the whole system. Logging out from XDM and
logging in again didn't work.
Also it seems appropriate, since I started that thread, to quote the security note from /etc/X11/xdm/Xservers
and remind fellow Devuan readers that what drives me is the curiosity to learn some basics of how network
transparency works with X.
# - SECURITY NOTE: Always pass the "-nolisten tcp" option to the X
# server, as shown in the examples below, unless you know you
# need the X server listening on a TCP port. Omitting this
# option can expose your X server to attacks from remote hosts.
# Note also that SSH's X11 port-forwarding option works even with
# X servers that do not listen on a TCP port, so you do not need
# to remove the "-nolisten tcp" option for SSH's benefit.
Speaking of 'security', in the context of X one can have more fine-grained control than the xhost + that I tried for experimentation's sake.
So I think that ssh forwarding could be 'overdoing it' for a home LAN. I guess having access restricted to the LAN hosts could be a far better and less computationally intensive approach. Last, I prefer the term 'workflow isolation' to security. Security makes me think of badass criminals and police. But when I work at my table, for me 'security' is not allowing other family members to mess with my workspace. On the other hand, I may have set a space to allow someone to lay down a snack or water.. (I wonder if that is a part of the desktop metaphor that was missed in the 80s..)
Home Lan: hostname: enous (192.168.2.75) / user : chomwitt
hostname : familypc (192.168.2.11) / user : alex
Both run devuan/daedalus.
We'll need deb package : x11-apps for xeyes (@)
(chomwitt/enous) $ xhost +
access control disabled, clients can connect from any host
(alex/familypc) $ xeyes -display 192.168.2.75:0.0
Error: Can't open display: 192.168.2.75:0.0
The same happens when trying to start xeyes on enous and use familypc as the X display.
In a funny twist of a personal perspective of a very influential dark shadow of politics, cultural differences on libreland (with various recent news tending to reinforce that view leading to the collapse of the meritocracy camp :@1) here is a quote from a 2000 book on X giving an initial description that has a Unix philosophy aura:
X is a method for representing graphics operations as a stream of data . suitable for use as a network protocol. The concise guide to XFree86 for linux by Aron Hsiao
Contrast with an even older book, 1993's The Joy of X (hitting the all-time high ceiling of catchy promoting titles!!), that starts the introduction to X by focusing on the window nature of X:
X lets you run many simultaneous applications on your display , each with one or more windows of its own.
So, forgetting for a moment that it is named X, the question is: is that idea (the networked graphic ops stream :-) ) worth existing as a libre alternative? (If yes, why is it the least forkable idea in libreland?) And is Wayland an incarnation of the same core idea, and if not, what is Wayland's core idea?
Later addition:
According to the XLibre maintainer and initial forker, Wayland's core focus was the composition component of the display server stack.
Note that Wayland itself is only about surface composition, nothing more (plus a little bit input routing). It was created as an experiment to explore how future composition component in the Unix/X11 stack could perhaps look like – the idea of building whole desktop directly ontop of it (without X) came much late. Enrico Weigelt's interview by Felipe Contreras, (06/2025)
--------------
@Question of Felipe Contreras on X11 future on Xorg mailing list (7/6/25)
@How X started. (An effort of mine to see the development of X from the view of the influence of bigger organizations.)
@Wayland's creator interview in 2012 fosdem.
@Wkp/Wayland (protocol)
Thanks @fsmithred @ralph.ronnquist @golinux for giving us feedback on the core Devuan infrastructure.
So there are:
core:
pkgmaster.d.o
git.d.o
files.d.o
keyring.d.o
bugs.d.o
ci.d.o (jenkins)
devuan.o
forum
wiki
newsgroups
outerim :
mirrors
dns service?
irc channels
Is jenkins.devuan.dev part of the 'core' Devuan infrastructure? And what does it do?
Also I think keyring.d.o is in the core.