You are not logged in.
Pages: 1
I was testing a new installation from an old Jessie 8.2 image to transform to Devuan
Everything was going unexpectedly well and then I switched to https and tor repositories and all hell broke loose. When I updated and asked to see if there were upgrades it went ballistic. It removed stuff, it brought weird new stuff in, like lxqt crap which my installation had nothing to do with, it even removed all kernels (all, Debian 3.16 and 4.14) things are now broken, and most essential stuff to the system can not be reinstalled as they seem as missing dependencies.
I reverted back to plain http: (as it seems as the only reliable access to the repository) and it has been stuck for the past 20' waiting for headers.
I wish there was someone responsible enough to throw some light into this LONG term problem with accessing repositories other than with http and all this flaky behavior of working the one minute breaking up the next.
Everytime I have brought up the topic there seems nothing but silence coming up from "devuan".
If it is not working and there is nobody around knowing how to fix it just unplug the damn thing!
And take that silly address with the .onion off your first page, as there seems no intention to make it work, rather than discourage anyone for ever using it.
Offline
That's because you're posting in the wrong place. Try posting to DNG.
Offline
I want nothing to do with DNG premadonas and their tolerance to neonazis and intolerance to those who tried to block neonazi propaganda and got the boot from the list!!!! REMEMBER! We do not forget we don't forgive, easily!
I am sure your consciousness will not keep this a secret from them, as it has been YOU and Katolaz who have come here and ensured us that pkgmaster is fully bug-free and the onion address had for a while being identical to http-pkgmaster.
IT ISN"t
http pkpmaster was showing 0 upgrades, 0 to be removed, 0 to be installed.
Only change was https and onion address part in source.list .... then it all went to hell like I had changed distributions.
This has been identified and reported here on the forum several times already and YOUR response was something done wrong by me.
What was that stupid term you used about something between the chair and the terminal error?
Go ask for me to be unblocked on the list and I will happily copy paste this in their face!
And the neonazi polak propagandist better not be there!
Offline
I am sure your consciousness will not keep this a secret from them, as it has been YOU and Katolaz who have come here and ensured us that pkgmaster is fully bug-free and the onion address had for a while being identical to http-pkgmaster.
IT ISN"t
http pkpmaster was showing 0 upgrades, 0 to be removed, 0 to be installed.
Only change was https and onion address part in source.list .... then it all went to hell like I had changed distributions.
This has been identified and reported here on the forum several times already and YOUR response was something done wrong by me.
Easy there... peace.
Neither golinux nor KatolaZ are your enemy. Both of them want you, and all users, to succeed with Devuan.
Thank you for your problem report.
I am hearing you say: Switching sources.list entries from HTTP to HTTPS and/or TOR causes package instabilities.
We don't want any user to experience package instabilities, so our first step is to try to reproduce what you observed.
If we can make it happen again, we can figure out how to make it NOT happen again. :-)
Can you remember more details about what your exact steps were?
Your original post said upgrading from Jessie 8.2.
Did you start with Debian Jessie?
What was your sources.list there?
And then did you switch to Devuan Jessie or Ascii? Via HTTP?
What was your sources.list after that change?
And then the switch that caused problems.
Was that to HTTPS without TOR first?
Did the problems show up here, or not until you switched to the onion address?
You don't have to provide full 100% details on everything, but any information you have is very helpful.
Again, thank you for the problem report, fungus.
And thank you in advance for any additional information you can provide.
Offline
I want nothing to do with DNG premadonas and their tolerance to neonazis and intolerance to those who tried to block neonazi propaganda and got the boot from the list!!!! REMEMBER! We do not forget we don't forgive, easily!
Links or it didn't happen.
Offline
I want nothing to do with DNG premadonas and their tolerance to neonazis and intolerance to those who tried to block neonazi propaganda and got the boot from the list!!!! REMEMBER! We do not forget we don't forgive, easily!
Then you will have a miserable life, my friend. Aren't you now Fungal-net on DNG?
I am sure your consciousness will not keep this a secret from them, as it has been YOU and Katolaz who have come here and ensured us that pkgmaster is fully bug-free and the onion address had for a while being identical to http-pkgmaster.
IT ISN't
http pkpmaster was showing 0 upgrades, 0 to be removed, 0 to be installed.
Only change was https and onion address part in source.list .... then it all went to hell like I had changed distributions.
This has been identified and reported here on the forum several times already and YOUR response was something done wrong by me.
Then file a bug report with the needed information.
Go ask for me to be unblocked on the list and I will happily copy paste this in their face!
And the neonazi polak propagandist better not be there!
I don't even see you on the DNG member list anymore.
Maybe go take a nap and get out of the other side of the bed when you wake up.
Offline
fungus wrote:I want nothing to do with DNG premadonas and their tolerance to neonazis and intolerance to those who tried to block neonazi propaganda and got the boot from the list!!!! REMEMBER! We do not forget we don't forgive, easily!
Links or it didn't happen.
Offline
go search the archives for fungilife and you will find out.
I am ignoring golinux ironical questioning. I am actually also sick and tired of it!
It is really simple to reproduce if it is still a problem
First you will need apt-transport-http and apt-transport-tor
If you don't have these packages then you explain to us how do you know that your installation is Devuan and not uncle Tom's version of Devuan.
Whether I went from jessie to jessie or wheezy to ceres is IRRELEVANT to what I am saying so bare with me!
let's say we have
http://pkgmaster.devuan.org/merged ascii main contrib non-free
Do apt update,
then do apt-get dist-upgrade
if it says 0 up 0 rm 0 ins nothing to do you are OK
Then edit sources.list
deb https://pkgmaster.devuan.org/merged ascii main contrib non-free
See if you get all 0 0 0 again
deb tor://devuanfwojg73k6r.onion/merged/ ascii main contrib non-free
If you 0 0 0 again then it is fixed
If you get a whole bunch of different numbers of things to remove, upgrade, install, then you reproduced the problem I have been having ever since Katolaz announced the existence of pkgmaster amprolla3, and maybe slightly before as well. It was at that time I asked whether pkgmaster had a different onion address than the original one and he returned (and here through golinux) that the onion is on pkgmaster
This crap didn't happen 3 months ago but yesterday where I spent for a 3rd time in a month half a day and ended up with a broken installation. Which was fine with http repositories and 0 to do on upgrade.
Which meant that onion.addresses were on pkgmaster from before it was announced and users were used as beta testers without being notified!!! Nor did they have an option to avoid being beta-testers (which I don't mind, I am always pushing the limits to sid ever since Debian 5 or 6).
Go try it all out and then tell us your findings.
PS 1 If only http is "reliable" in Devuan, then Devuan can no longer be trusted!
PS 2 And heads I wouldn't touch again with an 9ft pole after I pointed out that what they had packaged as tor-browser in it couldn't possibly be a real tor-browser!!! I got NO RESPONSE!!!
PS 3 Don't dare come out and tell me that in light of meltdown and spectre all this is meaningless! It is all we got!
Offline
Tom is Sam's brother
If you are on Jessie and you try it with ascii in all three tries you should get the same numbers, x to remove, y to upgrade, z to install.
where x1 = x2 = x3
y1 = y2 = y3
z1 = z2 = z3
http 1
https 2
tor 3
You can also split 3 into two tries
one will say tor://pkgmaster.devuan.org the other tor://dev.....onion
Another way is to put the same repository in the same source list, just one ascii main for example, and give the three different addresses and see when they update if the amount of the release, (the size of the directory) is the same for all. I flipped yesterday when I tried it and it was coming out as a different amount! Then I knew I was right all along.
Last edited by fungus (2018-01-26 20:06:50)
Offline
The devs working on pkgmaster don't frequent this forum so you are the sound of one hand clapping. If you don't post the info elsewhere - DNG, bugs.devuan.org or irc channels - those who should be seeing it never will. That's what you'll need to do if you actually want to contribute instead of just complaining . . .
Offline
Oh dear...
Some people should at least stick to software ideologies.
As you know, I'm not a Devuan user (or a Debian or Linux user) and you've known my opinions on this project from day one (so once again, thank you for tolerating my continued presence), but any project founded on "anti" sentiment is pretty much doomed from the start. This forum seems to be keeping it technical, it's getting it right thus far, it surprises me that such crap is being posted on the mailing lists...
Political and ideological opinions mean absolutely nothing in the world of software development. The person who made your morning coffee could be racist, xenophobic and homophobic - it's in their head and there's actually fuck all you can do about it. Hans Reiser killed his wife, so some people don't use his FS. You have no idea about the beliefs of the rest of the developers of any given FOSS code / OS - however extreme they may be (my personal worry has always been that there may be a few Elton John fans in the mix, sneaking references into the code here and there...).
You'll also find that more than 50% of Linux fans are clueless when it comes to the origins of free software, the ideology of FSF/RMS and the permissive approach as pioneered by UC Berkeley. They will rant and foam at the mouth at having one piece of Poettering crap installed, while not necessarily knowing where the rest of the software comes from, whether it's "good code", who developed it and to what end.
The birth of systemd has all come about on RMS' watch. It's yet more freedesktop.org shite, which sets out to emulate "what Apple are doing" or "what MS are doing". The Linux foundation sold out to fortune 500 companies years ago, every bit of work done there is at the behest of IBM, Alphabet, HP, Oracle, et al and now even MS have joined in the gang bang.
Red Hat developed systemd, because they're in the business of enterprise support and what better way to secure that business model than to create that which has to be supported from scratch? MS made a business out of this for decades as have others, it's nothing new.
Distributions adopted it, because those pushing it gained sufficient "mind share". Amazingly developers, supposedly smart people, were convinced that a large mass of complex and poorly written code is the answer to everything. Because it's so widely accepted, the fallacy of popularity comes into play. systemd "works". I have to use MS Windows for a living and I can assure you that "it works". But systemd works for those that want the functionality it provides. People are fickle and it's easy to cater for laziness or inability and a need for convenience. At a certain point when those are in abundance, code correctness, simplicity, robustness - and above all security goes out the window - mainly because it's making somebody somewhere's life (job) a lot easier (for now).
In a distance future the cycle will begin anew and the replacement for systemd/Linux will be born, as GNU and Linux were.
GPL's code can't be just closed off and re-purposed, RMS put a lot of time and energy into that, but it's developers can be bought off, put on the payroll or just convinced and that's what has happened - over the last two decades. The developers can also write bad code, code which doesn't follow "UNIX Philosophy", isn't POSIX compliant, mainly because someone will convince someone else that all of that has gone out of fashion.
But when all is said and done, software development is about doing... whining on a mailing list won't achieve anything good. Personally if I didn't like an OS and if I had the choice, I would just stop using it. As someone once said: "shut up and hack".
BSD, GNU, Linux and other FOSS projects used to all about "by hackers for hackers" - for Linux and associated projects, all of that is past. The gulf between the developer and the user has widened to the extent that, to Linux users, contacting a developer is unthinkable (and in certain cases - not possible).
There is a huge difference however in *BSD land. For example, I had a short but interesting exchange with a well known developer (of OpenBSD) some years ago while (unsuccessfully) trying to resolve a device driver problem. It was an enlightening experience.
In *BSD land emailing the developer is the norm, conversing with developers on the mailing lists is the norm. Doing it yourself is the norm.
In Linux land, complaining and whining and posting "me too" against every bug report is the norm. Complaining that Linux distro abc doesn't do what you want it to do is the norm, complaining that Linux distro x is not the same as Linux distro y is the norm. In fact posting all manner of noise and very little signal is now, very much, the norm.
Last edited by cynwulf (2018-01-26 21:46:56)
Offline
golinux wrote:Oh dear...
Some people should at least stick to software ideologies.
As you know, I'm not a Devuan user (or a Debian or Linux user) and you've known my opinions on this project from day one (so once again, thank you for tolerating my continued presence)
You are always welcome in this house. Your experience and ability to see the big picture as in this post adds real value to our collective effort.
. . . but any project founded on "anti" sentiment is pretty much doomed from the start.
We try to frame it otherwise but have no control over others' views and opinions.
This forum seems to be keeping it technical, it's getting it right thus far
Thanks. We're trying our best.
. . .it surprises me that such crap is being posted on the mailing lists...
Since that meltdown there has been almost none of that. The moon must have been in a weird phase or something. These days there is an occasional snipe but most discussion is technical and cordial.
Offline
Cynwulf, I don't disagree with much of what you say, but there has been evidence on systemd being a little more than just not "as functional as it claims", or becoming a monolyth mediator between linux and all other software. It is about security. And that becomes automatically political, whether it relates to user and big corporations or the user and the state.
On the whining part the fault is not always on the user side but how users are treated by developers and the distance they form between themselves and users.
When the repository is malfunctioning there is not much a user "can" do, it is not a technical problem or a bug. If it keeps happening time and time again and either there is no feedback, or there is a 'I don't see a problem with it" eventually whining and complaining is all one can do. I like to think that I am not the only user using this repository, I am just the one talking about it, open and in public.
But why go off-topic on all those other issues and not talk about the problem. No matter what version of devuan you (not cynwulf the resto of you all) you don't have to upgrade anything, just hit the repository like I am saying and update. See whether it checks out. Even trying ceres should make no difference. If things that are meant to be identical and are different is where the problem begins.
Golinux: I am tired of dealing with autistic people. When I say A you say go to DNG. When I say I am blocked by DNG you change the subject. Then I talk about the subject and you come back telling me to go to DNG! The one day you say that is where the developers are, the next day you get offended and call me clueless because I say that you are not a developer!
If you don't think the matter is serious, just say so! If you think the matter IS serious then I believe you have an obligation to convey the message since you are larking on there all day anyway.
http: repositories are like buying insulin from a street smuggler.
The way you are dealing with the repeated report of the problem is what gets me overly suspicious!
And you know I will not let it rest
A month ago I was testing Refracta 9, I reported the problem I was having (installing OpenRC) to fsmithred and he couldn't reproduce it. The only difference was the tor address of the repository. The next day, without changing the source list at all the missing dependencies all of a sudden reappeared and were available,.
I had shown the output of all the missing pkgs that magically reappeared the day after.
I may have done more installations of Devuan than probably anyone in the forum. Ask me if I really use it to do any work on it! Ask me why wouldn't I trust to do any work on it.
Offline
@fungus . . . you live in your own world and think it is reality. It is YOUR reality but don't assume it is the one commonly shared by others. You proclaim judgmental conclusions and are convinced they are fact and ramble on about constructs that only exist in your head. It is not my job (or anyone else's here to "report" what your issues are. How can one possibly do that without having personally experienced the problem. Only YOU can do that. So man up and just report what you are dealing with through more appropriate channels where it will get attention. Your rather self-defeating approach reminded me of this:
Someone was searching for something on the ground. “What have you lost?” a passerby asked. “My key,” said the searcher. So they both went down on their knees and looked for it. After a time the other man asked: “Where exactly did you drop it?” “In my own house.” “Then why are you looking here?” “There is more light here than inside my own house.”
PS. Are you or are you not Fungal-net on DNG.
Offline
As I understand it, the thing that prevents you from installing rogue packages is the signing key. It shouldn't matter if the package comes in an envelope or on a postcard. The key has to fit.
Https will prevent your ISP, government and other snoops from knowing what packages you install.
Tor will prevent them from even knowing that you're connecting to a devuan server and also prevent the devuan server from knowing where you are.
Anyway, here are some test results.
Plain http:
deb http://pkgmaster.devuan.org/merged ascii main
deb http://pkgmaster.devuan.org/merged ascii-updates main
deb http://pkgmaster.devuan.org/merged ascii-security main
apt-get dist-upgrade
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages were automatically installed and are no longer required:
libseccomp2 tor tor-geoipdb torsocks
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
curl dbus dbus-x11 firefox-esr libcolord2 libcurl3 libcurl3-gnutls
libdbus-1-3 libdns-export162 libisc-export160 libpoppler-qt5-1 libpoppler64
poppler-utils refractainstaller-base tasksel tasksel-data
16 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Installed apt-transport-https and edited sources.list:
deb https://pkgmaster.devuan.org/merged ascii main
deb https://pkgmaster.devuan.org/merged ascii-updates main
deb https://pkgmaster.devuan.org/merged ascii-security main
apt-get update
apt-get dist-upgrade
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages were automatically installed and are no longer required:
libseccomp2 tor tor-geoipdb torsocks
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
curl dbus dbus-x11 firefox-esr libcolord2 libcurl3 libcurl3-gnutls
libdbus-1-3 libdns-export162 libisc-export160 libpoppler-qt5-1 libpoppler64
poppler-utils refractainstaller-base tasksel tasksel-data
16 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
I tee'd the output of both commands above to files and ran a diff on the files. They were identical.
Installed apt-transport-tor and edited sources.list:
deb tor+https://devuanfwojg73k6r.onion/merged ascii main
deb tor+https://devuanfwojg73k6r.onion/merged ascii-updates main
deb tor+https://devuanfwojg73k6r.onion/merged ascii-security main
apt-get update
Err:1 tor+https://devuanfwojg73k6r.onion/merged ascii InRelease
Can't complete SOCKS5 connection to 0.0.0.0:0. (5)
Err:2 tor+https://devuanfwojg73k6r.onion/merged ascii-updates InRelease
Can't complete SOCKS5 connection to 0.0.0.0:0. (1)
Err:3 tor+https://devuanfwojg73k6r.onion/merged ascii-security InRelease
Can't complete SOCKS5 connection to 0.0.0.0:0. (5)
Reading package lists... Done
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii/InRelease Can't complete SOCKS5 connection to 0.0.0.0:0. (5)
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii-updates/InRelease Can't complete SOCKS5 connection to 0.0.0.0:0. (1)
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii-security/InRelease Can't complete SOCKS5 connection to 0.0.0.0:0. (5)
W: Some index files failed to download. They have been ignored, or old ones used instead.
I guess I did that wrong.
root@testascii:/home/user# torsocks --shell
/usr/bin/torsocks: New torified shell coming right up...
root@testascii:/home/user# apt-get update
0% [Working]1517069573 WARNING torsocks[7635]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:192)
Err:1 tor+https://devuanfwojg73k6r.onion/merged ascii InRelease
FailReason: ConnectionRefused
0% [Working]1517069573 WARNING torsocks[7635]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:192)
Err:2 tor+https://devuanfwojg73k6r.onion/merged ascii-updates InRelease
FailReason: ConnectionRefused
0% [Working]1517069573 WARNING torsocks[7635]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:192)
Err:3 tor+https://devuanfwojg73k6r.onion/merged ascii-security InRelease
FailReason: ConnectionRefused
Reading package lists... Done
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii/InRelease FailReason: ConnectionRefused
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii-updates/InRelease FailReason: ConnectionRefused
W: Failed to fetch tor+https://devuanfwojg73k6r.onion/merged/dists/ascii-security/InRelease FailReason: ConnectionRefused
W: Some index files failed to download. They have been ignored, or old ones used instead.
That didn't work, either. What am I doing wrong?
Offline
Cynwulf, I don't disagree with much of what you say, but there has been evidence on systemd being a little more than just not "as functional as it claims", or becoming a monolyth mediator between linux and all other software. It is about security. And that becomes automatically political, whether it relates to user and big corporations or the user and the state.
If it's about security, then don't use it. If you don't trust the software or the developers, you look elsewhere, it's that simple (and no security is not "automatically political").
NSA or whoever, don't need crap like systemd, they have backdoors in all major OS, there are exploits, hidden for decades in common software and even in the silicon itself. A specific backdoor in a specific "init system" (thingie) for a specific OS and only a subset of distributions at that, is not that useful.
One could say that systemd is "just business".... makes a lot more sense than the alternative conspiracy shit. And that's my take on systemd, always has been - it's a business move for Red Hat Inc.
When you have the likes of Intel and AMD building in the IME/PSP to all new chips, security on x86 becomes nothing more than a token thing ( and as most should know from recent revelations at least, security was never a focus there anyway (never mind that numerous experts warned about it's general crappiness over a decade ago).
"Security" in most fields of computing can in fact be complete and utter bullshit. Looks at Windows AV software. You don't need to make something secure, you just have to convince enough people that 'retroactive security' is viable, get them to open the wallets and bend minds accordingly...
My point is, that if you don't like this Linux distribution or how it's developed, then you have a choice.
Last edited by cynwulf (2018-01-27 19:01:20)
Offline
"http: repositories are like buying insulin from a street smuggler."
…
Not exactly. Using http is like getting clothes (and other stuff) while in public naked; even if many others do, it's bad practice, but as long as you depend on others to supply your clothing (or this is the only way they will supply clothing), likely you will do it. Sure, you may try to beg or buy clothes from some street smuggler (or some charity) while clothed … but blindly trusting such a source will be just as problematic in its own way.
Offline
Well, I got it to work last night with some help from Blinkdog. I had to drop the s from https. This works:
deb http://pkgmaster.devuan.org/merged
It works with jessie and with ascii., In ascii, I compared it to using the https repo (non-tor) and they both wanted to upgrade the same packages. I will keep an eye on it.
Cynwulf, Fungus asked me to let you know that he is unable to reply at this time.
Offline
Pages: 1