# Air-Gapped Gentoo Install, Tentative

## miroR

EDIT START Sun Apr 20 21:28:35 BST 2014

As introduced here:

https://forums.gentoo.org/viewtopic-p-7539048.html#7538138

I think this thread should be renamed:

Air-Gapped Gentoo Install, Tentative

simply because that is what all this is about.

WARNING Pls. bear with me. My ideas weren't at all clear when I started this

thread. However, not out of brazenness, and if you skim faster through the

unclear parts in the beginning,  you will notice that later on my understanding

of the matters starts to come into shape.

Thank you!

EDIT END

EDIT START Fri Mar 28 18:24:38 UTC 2014

The title was previously wrong: 

Offline Install, use emerge-webrsync to check and log?

Pls. see here:

https://forums.gentoo.org/viewtopic-t-987268.html#7525726

why that was wrong... Sorry again. Consistently with the wrong title, lots of my

understanding was unclear and plain wrong, when I opened this topic... Clearing out slowly...

EDIT END

Offline Install, how to use emerge-webrsync to check and log every package in

the distfiles?

Well, at least check and log them as they are installed.

(( to some extent, I am continuing on some issues from:

https://forums.gentoo.org/viewtopic-t-984066.html ))

I've already collected a few packages, and I don't want to redownload them.

I'm not an expert to feel like a fish in the water online, and am aware how

little it takes to break into systems, for experts...  My main defence is

having a clean backup, reverting to when things were clean. dd dumps are

images to the bit of the device they dumped, and I know how to backup my

systems. I wrote already about it on Gentoo Forums, and will give the links

here, if I get less strapped with time, i.e. succeed in my reinstalling of

Gentoo for one of my boxes, which then I will easily clone onto other of my

systems, as I have a few same MBO, similar hardware boxes...

My idea is to use emerge-webrsync to check packages...

I couldn't easily come to terms with the explanations in the Handbook (we're

talking AMD Handbook here

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1

at the time of writing this post

) on emerge-webrsync, and it took me time and some searching to figure out

some of, but not all of these issues. Namely that if you use emerge-webrsync

then you don't do any more of emerge --sync ...  But, to be able to do that,

proper configuration is needed.

I found somewhere that putting into /etc/portage/make.conf:

SYNC=""

that is, an empty string, would disable the rsyncing but am yet to learn if it

will really do so for me. I guess it will.

After deploying the stage3 tar ball, somewhere around here in the Handbook:

( Pulling Validated Portage Tree Snapshots )

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1#webrsync-gpg

those:

```
sync-type = rsync
sync-uri
```

that are mentioned in that section, can only be found in:

/usr/share/portage/config/repos.conf

so I don't think that needs commenting out, but somebody correct me if I'm

wrong.

Also, it took me a while to figure out these changes should accommodate better my needs. I mean, I like the emerge-webrsync to keep what it downloads, and I'd like it to be, oh, so much more talkative...

I'm writing offline... (a preemptive remark: look up this link if anyone

considers that paranoid, attacks on my machines are documented and

undeniable...:

grsec: halting the system due to suspicious kernel crash

http://forums.grsecurity.net/viewtopic.php?f=3&t=3709

)

I'm not writing from LiveCD Box, but from sysresccd running from RAM, but I

can copy my sed lines that I intend to run on /usr/bin/emerge-webrsync before

I use it, by hand:

```
# both substitutions in one in-place run on the script, keeping a .bak copy
sed -i.bak -e 's/do_verbose=0/do_verbose=1/' -e 's/keep=false/keep=true/' /usr/bin/emerge-webrsync
```

For the less initiated that would give you a /usr/bin/emerge-webrsync that

has:

do_verbose=1 instead of do_verbose=0

and

keep=true instead of keep=false

and it'll hold those till the next upgrade of itself... (as that is not a conf file)

But it is not sufficient for my needs to just make it verbose by default and

make it keep the portage snapshot by default...

I have already tried and failed in installing, with some strange errors, and I can't tell whether I did something wrong or other reasons were for the failure... I don't keep logs of everything, I just remember that it looked a little suspicious, and so...

I don't keep logs of everything, esp. when I can't do so... I like when it is

possible to do so, and would like to see how much of the logs I could possibly

get, on the verification of the packages. Such as, I like the logs that I can

get with Grsecurity, they often tell interesting stories, although more to

experts than me. Again, look up the link on Grsecurity Forums I gave above,

where Grsecurity hardened Gentoo shines just fine, defeating intrusion in my

systems, to some extent. 

Isn't it useful to users and developers, having such logs to report?

Let me give you my plan and a few ideas, I hope if I get good advice, this

could be useful to others (or am I the only one having hard time with

surveillance?  :Wink:  )

What I intend to do, as well as what I have already done (rewriting this for an umpteenth time) is as follows.

Boot with Gentoo official LiveCD. 

Set the time to the right hour in the past when the portage that I kept with

```
(chroot) livecd # emerge-webrsync -k
```

was first deployed (at the time of running that command, deployed by the run

of that command). I want to do so, lest it don't complain of wrong timing

(that's non-intrinsic, but may prove the right thing to do)...

The portage snapshots are (with the -k given) kept in /usr/portage/distfiles/

such as:

/usr/portage/distfiles/portage-20140323.tar.xz

/usr/portage/distfiles/portage-20140323.tar.xz.gpgsig

/usr/portage/distfiles/portage-20140323.tar.xz.md5sum

What I did is:

followed the Handbook up to unpacking the stage3 tarball, and some way

further, somewhere around connecting to the internet, but instead of

connecting to internet this time around, using this time that which was

downloaded the last time.

First the portage snapshot:

```
cd /usr

tar xJvf portage-20140323.tar.xz

```

Of course it is

tar xJvf /somewhere-where-I-stored-it/portage-20140323.tar.xz

and there, the portage tree is installed, complete, and what is important,

trustful, trustful so far.

But here comes the challenge. How do I do the next step?

It doesn't have to be as tedious as is threatened  :Wink:  to be, here:

https://wiki.gentoo.org/wiki/FAQ#I_have_only_slow_modem_connection_at_home._Can_I_download_sources_somewhere_else_and_add_them_to_my_system.3F

*Quote:*

> ...[snip]...
>
> Put the sources into /usr/portage/distfiles/ and then simply run emerge
> ...

Namely HDDs are not so very expensive if they're not the latest huge ones, and I can easily zero some of my HDD, and apply the same GPT table as previously, mke2fs the partitions and such...

But I want to be able to do more than is mentioned in that FAQ.

The packages I have already collected, they were downloaded according to what

use flags I set into make.conf, they would have to be fine if I were to run

the same command as the last time, to emerge those same packages, wouldn't

they?

But I want to be able to check them with emerge-webrsync, and I would like to

log every single package as it is being checked.

This:

```
# equery b emerge-webrsync
```

will reveal to you that emerge-webrsync is part of portage package.

I see there no special flags on emerge-webrsync if I run:

```
# emerge -pvt portage
```

Also:

```
# emerge-webrsync -h
```

gives very scant information.

I found no special tutorial on emerge-webrsync on the Wiki or in the Forums...

I want to be certain that what I install from this point on is only that which

is signed with Gentoo signatures.

I don't mind having to do used zeroed HDDs to recreate the existing systems

from backup, I want to get cloneable privacy-viable Gentoo installation for my

machines on my SOHO at any cost. Other then "good good bullsh*t" cost (Pink

Floyd, 1970s I believe, "Money"). That I don't have. The Regime currently in

power in my country ruined my investments and I am poor.

So I want to be certain of all and any packages that I install from this point

on. I know there is no absolute certainty. But currently I have almost no

certainty at all... 

I don't want any rogue packages, and since it is so easy for experts to break

into systems, within fractions of a second once you're online, a program ready

for you can play at least a few tricks on your system, can't it, especially

since GNU/Linux has long been disregarding security wholesale... few

exceptions there...

This is not easy what I want, is it?

Any ideas?

I can read bash code (emerge-webrsync is in bash), but I take soo loong to

understand it, so much research...

If I don't get a quicker advice, I'll probably be back but not very soon...

I might also be off for a few hours starting at imprecise time soon from now,

for unrelated other obligations I have. But I will be back, God willing. Pls.

bear that in mind if anyone replies here. Thank you!

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

Last edited by miroR on Sun Apr 20, 2014 8:37 pm; edited 5 times in total

----------

## miroR

*miroR wrote:*

> I couldn't easily come to terms with the explanations in the Handbook (we're
> talking AMD Handbook here
> ...

Pls. have a look at how the following comply with each other.

/mnt/gentoo/usr/lib/portage/bin/emerge-webrsync

on my so far deployed Gentoo which I started installing, but also the same can

be found on

/usr/lib/portage/bin/emerge-webrsync on any current system with

regularly emerged emerge-webrsync

The script is 524 lines, and lines 505-513 are (manual copy, for reasons given

above):

```
if [[ -n ${repo_sync_type} && ${repo_sync_type} != rsync ]] ; then
    echo "The current sync-type attribute of repository 'gentoo' is not set to 'rsync':" >&2
    echo >&2
    echo " sync-type=${repo_sync_type}" >&2
    echo >&2
    echo "If you intend to use emerge-webrsync then please" >&2
    echo "adjust sync-type and sync-uri attributes to refer to rsync" >&2
    echo "emerge-webrsync exiting due to abnormal sync-type setting" >&2
    exit 1
fi
```

The above, and the following:

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1#book_part2_chap3__chap6

3.f. Pulling Validated Portage Tree Snapshots

...[snip]...

```
Code Listing 6.3: Updating repos.conf

# Make sure sync-type and sync-uri are commented out
# sync-type = rsync
# sync-uri = ...
```

The code in emerge-webrsync says do it, and the book says don't do it...

Or is there something I am missing here?

It must be only an apparent conflict. The repos.conf is something

non-developers don't even use, do they?

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

EDITED Fri Mar 28 09:28:39 UTC 2014, replaced the incomplete lines from emerge-webrsync 509-512 with full if statement copy

Last edited by miroR on Fri Mar 28, 2014 9:31 am; edited 1 time in total

----------

## TomWij

SYNC is the old deprecated way, repos.conf is the new way; see https://forums.gentoo.org/viewtopic-t-969972-start-0.html

----------

## miroR

 *TomWij wrote:*   

> SYNC is the old deprecated way, repos.conf is the new way; see https://forums.gentoo.org/viewtopic-t-969972-start-0.html

 

Thanks!

I sure am already looking into it   :Razz: 

----------

## miroR

I'm not completely certain, and so I'll be around to revert it, but I made changes to:

https://wiki.gentoo.org/wiki/Mirrorselect

I replaced the deprecated:

```
mirrorselect -i -r -o >> /etc/portage/make.conf
```

with the new:

```
mirrorselect -i -r -o >> /etc/portage/repos.conf
```

IIUC, the same should be done in the XML doc:

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1#book_part1_chap6__chap1_sect1

but that is a different kind of editing; I wouldn't know how to do it now.

----------

## miroR

 *miroR wrote:*   

> I'm not completely certain, and so I'll be around to revert it, but I made changes to:
> 
> https://wiki.gentoo.org/wiki/Mirrorselect
> 
> I replaced the deprecated:
> ...

 

Ermmhh. It's a mess.

There is, and I thought at first that was correct:

https://wiki.gentoo.org/wiki/SYNC

such a line there.

But looking at man 5 portage, the repos.conf section, repos.conf does not have any SYNC variable, but  sync-type and sync-uri.

Also man mirrorselect mentions no repos.conf

So I don't know.

Anyway, with emerge-webrsync, as I mentioned I would try and do checking, on stdout and logged, of all the packages that are being installed, downloaded earlier, I think it must be possible to do it by either changing the source in the way I explained above, or making sure not to forget the -k -v flags when I run it...

I think I'll try and run

```
(chroot) livecd $ emerge-webrsync -k -v >> /somewhere/emerge-webrsync_check-n-log-pkgs.log 2>&1
```

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

*miroR wrote:*

> I think I'll try and run
>
> ```
> ...

Wrong. But I think it's slowly dawning on me which way to check packages and make trustworthy and safe install.

The emerge-webrsync download is safe already.

And how I deployed it is correct.

But the emerge-webrsync downloads are the equivalent of just the ebuilds and things, not the tar.bz2 and such files with the actual programs. Sorry for lay terms I'm using. Don't know better yet.

It's the "digest" in make.conf and in ebuild, and in repoman manpages, as well as emerge manpage itself, that I am studying now, and I believe I'm closer to what I want.

Also I need to change the title of this topic, because it is misleading.

Sorry!

----------

## vaxbrat

You might look into using btrfs and its snapshot ability.  Create subvolumes that you mount on /usr/portage, /var/db/pkg and /usr/portage/distfiles.  Take a snapshot before each emerge activity and then you can do a directory comparison between the snapshot and the subvolume after the activity has finished.  The snapshotting is almost instantaneous since it only copies extent pointers and thus doesn't take much additional storage either.

----------

## miroR

 *vaxbrat wrote:*   

> You might look into using btrfs and its snapshot ability.  Create subvolumes that you mount on /usr/portage, /var/db/pkg and /usr/portage/distfiles.  Take a snapshot before each emerge activity and then you can do a directory comparison between the snapshot and the subvolume after the activity has finished.  The snapshotting is almost instantaneous since it only copies extent pointers and thus doesn't take much additional storage either.

 

It's not the snapshots that would help in safety, but only in speed.

And it's not the few dumping and restoring that aches here, that's relatively little.

It's how to evaluate the already downloaded distfiles, because

emerge-webrsync's portage is safe already.

It is the way of the digest, how to check every package by its manifest in the

ebuild.

I'll go slowly. Package by package, to learn how to manually do it, or which

command to use, on a per package basis.

I want a privacy-viable Gentoo, and the only option in my view, is Grsecurity Hardened, but on a system that has all the packages checked for consistency, right from the beginning of the install.

I am no fish for that water, to be able to stay online and emerge things and

feel safe anymore, for the reasons I explained above, giving links to actual

attacks on my system that I suffered, documented, and I feel this is the only way.

But it will be time consuming, since this certainly requires some advanced skills...

Anyway, vaxbrat, surely thank you for caring!

Miroslav Rovis

www.CroatiaFidelis.hr

----------

## miroR

I still hope I can do a safe offline Gentoo install.

Similarly to the method of installing Debian on now-unacceptably-slow-for-Gentoo-style-compilations old machines of mine, completely offline. Because I did manage to achieve safe and secure offline install there. My Debian systems, once cloned from the master offline-installed box, now break only once they go online, after some time online, that is, after exposure to intrusions which in my case, a homeland-living strong dissenter and critic ( 460d21cf0df780a9652d95baaa5f779b (note *1*) ) of the Regime of neo-commie bloodthirsty traitors' progeny criminal crony capitalists in power in Croatia, which in my case is almost guaranteed.

But I was speaking about the method that I posted about on Tips and Tricks

pages on Debian Forums. Here:

How to Install Debian Offline from Your Local Mirror

http://forums.debian.net/viewtopic.php?f=16&t=111904

Of course, it'd be comparing "apples and eggs", comparing Gentoo and Debian

https://forums.gentoo.org/viewtopic-t-971348.html#7409042

and I don't intend to make a comparison in anything but how the distribution

is fetched for one and for the other of the two. Any other comparison btwn

these two would make little sense if any. The differences btwn these GNU/Linux

flavors are huge in almost any aspect.

To install Debian offline, is actually very easy, and with such safe install

evade any potential attack, any intrusion, in fact almost potentially any

surveillance whatsoever, sure only while offline, through the complete

non-exposure to the internet of such system.  If you are doubtful or curious

of the truthfulness of that statement, you can validate it for yourself by

reading through the links I gave.

But Debian is OTOH certainly less reliable. They don't even digitally sign the

checksums of the ISOs containing their weekly bleeding edge distro! I'm not

talking behind their backs, I wrote about that openly on Debian Forums (I didn't find it in a quick search, but maybe somewhere here:

Grsecurity/Pax installation on Debian GNU/Linux

http://forums.debian.net/viewtopic.php?f=16&t=108616

)

Why did I mention the method of Debian offline install? What comparison is

there to make?

Because I think I can achieve a similar offline install with Gentoo, as with

Debian, in the sense that there exist such options, similar in result only,

to get all the package distfiles, all the distribution sources, and have

emerge use the local mirror for installation.

```
# man emirrordist

EMIRRORDIST(1)                      Portage                     EMIRRORDIST(1)

NAME
       emirrordist - a fetch tool for mirroring of package distfiles

...[snip]...
```

My question here is, can I get all the packages (or would I maybe anyway get

only those), for just my arch, with this command? How?

I actually reread just now that manpage, and it's a few more things that are

not at all clear, such as 'whitelist', such as where do I find what can go

into EMIRRORDIST_DEFAULT_OPTS, presumably in make.conf, and other things.

I read, by now, a few times, with increased understanding every next time, but

still far from complete understanding certainly, the fundamental reading

manuals of Gentoo:

# man make.conf

# man emerge

# man portage

# man 5 ebuild

# man 1 ebuild

and others... 

The local mirror is talked about in man 5 portage, in the section repos.conf,

subsection sync-uri, not in Sysresccd Gentoo docs (still browsing with it), so

manually copying:

```
sync-uri
    Specifies URI of repository used for synchronization performed by `emerge
    --sync'.
    This attribute can be set to empty value to disable synchronization of
    given repository. Empty value is default. (note *2*)
    Syntax:
        cvs: ...[snip]...
        git: ...[snip]...
        rsync:    (rsync|ssh)://[username@]hostname[:port]/path
    Examples:
        rsync://private-mirror.com/portage-module
        rsync://rsync-user@private-mirror.com:873/gentoo-portage
        ssh://ssh-user@192.168.0.1:22/usr/portage
        ssh://ssh-user@192.168.0.1:22/${HOME}/portage-storage
    ...[snip]...
```

I understand those in bottom are private-only addresses, such as, among other purposes, for a SOHO like mine. And that is what eventually the emerge on my some-time-not-long-from-now-in-the-future install should be drawing its package distfiles from... I feel I understand closer that part... I've managed my SOHO for quite a number of years.

Anyway, it's not just my asking for help that I post this topic here for, but

I hope it's also going to be useful for others.

I remember I heard on Russia Today, months ago now, which channel since their aggression on Ukraine's Crimea...

It's in the link already given above, along with the title of:

How to Install Debian Offline from Your Local Mirror

where I wrote also in support of Ukraine, find: 

```

Спава Укrаине!

Glory to Ukraine!, Yanukovich out!

```

And that was before he was ousted, ousted by the kind of people my friends

are, who love their country above their own lives.

I lost almost any taste anymore for watching RT, Russians are really a

delusion to me, I feel compassion and pray that the American Edward Snowden

will not have hard times now that he is confined to live in Russia, for just

being American, and am proud of Russians like Khodarkovsky and like the guy,

Maxim Kamerer, IIRC, who made the great Liberté Linux, based on

Grsecurity-hardened Gentoo, but strong sanctions on Russia should be

imposed... And so I also approve of many packages having LINGUA="-ru" set.

But I know from exactly Russia Today, months ago they reported that Guardian

experts suggested no use of any of your really private data on a computer that

you are connected to internet with. And not to connect a computer that should

be private to any online computer in such way as wire or wireless, but the

data to say post publicly, once you decide them out of some private stash, transfer physically into the online computer, such as with DVDs or USB sticks.

And so, what else, but complete offline install is in the order of the day, if

you simply care to not be surveilled?

I mean, if your system is backdoored right from the start, what chance do you

have of any privacy?

And there is no such Constitution of no such Democratic country, especially not in the West, that does not guarantee their own citizens freedom and privacy!

I still hope, no I'm not overly confident, but I still hope that Gentoo will

remain privacy viable, and I believe it still is.

So I truly believe more of Gentoo users should try and think about this,

because Gentoo is GNU, and GNU may have lost some of its shine through the

years, but GNU is still the fundament of freedom, of good programs that belong

to all the good ( note *3*) people of the world.

GNU is still the licence that keeps GNU/Linux free, secure (surely only in the

Grsecurity way, not any NSA SELinux way. I mean, could anyone really ever

trust any spy agency for their privacy?), and I believe that Gentoo will

remain, but only through that freedom and that real  security which

Grsecurity/Pax patched kernel is: privacy-viable. 

GNU/Linux is really the only truly free and potentially surveillance-free

option in the world of computing. Apple? Microsoft? Google?... Heh, heh!

C'mon!

So, before I post the notes for *1* *2* and *3* above, more work on me, or not

so much if I find answers in my search of www.gentoo.org, and I guess, the

most of the work is now clearly cut: understand that difficult emirrordist, as

well as, I forgot to mention, maybe the '-F' option, that's uppercase F from

emerge itself...

Miroslav Rovis,

Zagreb, Croatia

www.CroatiaFidelis.hr

=====================

note *1* to be expanded later

EDIT START Tue Apr  1 11:30:15 UTC 2014

Here's some more hints:

Really Happened? 15e5510744048dc5473d05bfc028fbc2

https://forums.gentoo.org/viewtopic-p-7527616.html#7527616

EDIT END

EDIT START Tue Apr  1 20:41:59 UTC 2014

If at the time you try and click the link above you don't get a post that is readable,

i.e. if you see "links are disabled in the dustbin" instead of links, than see here:

https://forums.gentoo.org/viewtopic-p-7527914.html#7527694

EDIT END

note *2* So what I found somewhere on www.gentoo.org (surely not on official

pages), is wrong. 

From:

https://forums.gentoo.org/viewtopic-t-987268.html#7524170

which is this topic, start of it, this:

 *miroR wrote:*   

> I found somewhere that putting into /etc/portage/make.conf:
> 
> SYNC=""
> 
> that is, an empty string, would disable the rsyncing but am yet to learn if it
> ...

 

was all wrong!

note *3* ...and sufficiently knowledgeable, let's face it, GNU/Linux isn't easy, I

mean real GNU/Linux, not the commercialized backdoored flavors

==================

783bfc8aecba5dca95aa71d79f15fa4c

Last edited by miroR on Tue Apr 01, 2014 8:45 pm; edited 2 times in total

----------

## miroR

Here:

Project:Infrastructure/Mirrors/Distfile Mirroring System

http://wiki.gentoo.org/wiki/Project:Infrastructure/Mirrors/Distfile_Mirroring_System

I found some answers on the whitelists I mentioned in my previous post.

But it seems, reading there, that the emirrordist:

http://wiki.gentoo.org/wiki/Project:Infrastructure/Mirrors/Distfile_Mirroring_System#master_private_distfile_mirror

is for some other purposes, much more advanced.

And that this:

Project:Infrastructure/Rsync

http://wiki.gentoo.org/wiki/Project:Infrastructure/Rsync

is where I see how to set up my own local (rsync) mirror.

http://wiki.gentoo.org/wiki/Project:Infrastructure/Rsync#Setting_up_a_community_rsync_server

But that's not completely what I want, at all. Because I very much like the

emerge-webrsync because it is strongly digitally verifiable, and while no

movement in the world there existed where in which traitors never ever came in

from the outside, or outright grew to betray from in between the very ranks, I

hope I can still trust the Gentoo teams who sign the daily snapshot, and for

me, the portage snapshot is a great substitution for any other syncing. This

last statement is IIUC. Somebody correct me if I'm wrong.

Besides, the /etc/rsyncd.conf has:

```
exclude=distfiles/ packages/
```

It's how to get, and then in a routine of reasonable periods from there on,

update the distfiles/, in a way that is safe, which is the cause of my concern

and headache since I opened this topic that you are reading.

So that article about local rsync mirror is no solution for my headache there

at all.

This:

/etc/portage/mirrors

http://wiki.gentoo.org/wiki//etc/portage/mirrors

containing:

```
# local private mirror used only by my company
local ftp://192.168.0.3/distfiles
```

looks like somewhere where the distfiles can be used on a SOHO from centralized.

So I'm inching closer.

And I posted on rsync:Talk

https://wiki.gentoo.org/wiki/Project_Talk:Infrastructure/Rsync

about it.

----------

## miroR

Here's a preliminary review how I'll try and install Gentoo safely offline. I

don't live and don't work only for me. GNU/Linux also has grown from a

sense of common good wired deep in it. No one is going to be able to gut

it out of it, regardless of attempts growing...

But I won't repeat how I reached to some of the points, just I will accept

help from more knowledgeable people.

1) follow regular (AMD64 in my case) guide, up to (point to more precisely

define later)

**important** but use the hardened stage3 tarball, not the regular

2) Use -kv switches with emerge-webrsync to keep the snapshots (and if I revisit the installation later, reset the time to approx. the time of the snapshot's download)

3) forget about SYNC="" or keep it empty (still not completely in the

clear), but create

/etc/portage/repos.conf (and put the commented sync-type and sync-uri

in it --still not clear what exactly to do here either)

4) try and download distfiles with:

```
emerge -F
```

if that would do the downloading that we need for offline install, because it looks so:

```
--fetch-all-uri (-F)
      Instead of doing any package building, just perform fetches for all packages (fetch everything
      in SRC_URI regardless of USE setting).
```

If that works, there should be a rather voluminous stash of distfiles/ of at least

maybe 20GB or more, I'm really guessing here. Debian 12 DVD testing branch

containing entire installation is some 40-50GB, for example.

Save all, dd-dump all.

5) Recreate some of the system. Basically going from the beginning, but this

time completely offline. Completely new disk, same all, or cloned. Do all same

as before, except what needs online connection.

6) Copy or move the distfiles to a system where it will be served from. How to

serve files with Apache server is out of the scope of my research here, guides

on it widely available in different places.

7) On the offline system, among other things (what needs precise mentioning?),

set:

/etc/portage/mirrors:

as explained, not very verbosely, in:

https://wiki.gentoo.org/wiki//etc/portage/mirrors

```
# local private mirror
local http://192.168.x.x/distfiles
```

which needs to be the exact address where the downloads are available from for

the SOHO, as in 6) above

8) do the proper configuration for checking and logging of all that will next be installed

With this I mean some of the options such as strict in the FEATURES in make.conf

It looks to me that emerge wouldn't anyway install a package whose sizes let alone

sums do not correspond with the hashes in the manifest.

The portage system, the ebuilds and things look pretty confident to me. We'll see if

I fathom how to use them to keep my master installation good out of which I can easily

clone systems that can go online, because they can be restored completely from the

master install... 

We'll see if I fathom how to use portage and its mechanisms to keep my systems reliably trusty.... (similar to the method that I use with Debian, as I demonstrated in Debian forums, links in previous posts)

Lots of work still ahead...

Now these points above, contain some completely (by me) not yet tested

assumptions, and it's all new territory for me...

Anyone tried something like that?

Any ideas?

M.R.
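As an added example (not code from this thread nor from Portage itself), here is a Python 3 script doing the per-package check the opening post asks for ("log every single package as it is being checked") and that step 8 above relies on: it parses Manifest DIST entries, verifies each distfile's size and then its hashes, and writes one log line per file. The Manifest text, distfile names and contents are constructed inline; the DIST layout (`DIST <file> <size> <ALGO> <hex> ...`) and the set of hash names it understands are assumptions, and a hash the script cannot compute (WHIRLPOOL here) is skipped rather than trusted.

```python
"""Check distfiles against Manifest DIST entries, one log line per file.

Added example; not code from this thread nor from Portage itself.
Assumes Manifest2 DIST lines: DIST <file> <size> <ALGO> <hex> [<ALGO> <hex>]...
"""
import hashlib
import io
import os
import tempfile

# Hash names as written in a Manifest, mapped to hashlib names.
# Anything else (e.g. WHIRLPOOL, absent from hashlib) is skipped, not trusted.
HASH_NAMES = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # A DIST line has an odd field count: DIST, name, size, then ALGO/hex pairs.
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        name, size = fields[1], int(fields[2])
        entries[name] = (size, dict(zip(fields[3::2], fields[4::2])))
    return entries


def verify_distfile(distdir, name, size, hashes):
    """Check size first (cheap), then every hash hashlib knows. Returns (ok, reason)."""
    path = os.path.join(distdir, name)
    if not os.path.isfile(path):
        return False, "missing"
    actual = os.path.getsize(path)
    if actual != size:
        return False, "size %d != %d" % (actual, size)
    checked = 0
    for algo, expected in hashes.items():
        hname = HASH_NAMES.get(algo)
        if hname is None:
            continue  # unknown to hashlib: skip, but do not count it as verified
        h = hashlib.new(hname)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        if h.hexdigest() != expected.lower():
            return False, "%s mismatch" % algo
        checked += 1
    if checked == 0:
        return False, "no verifiable hash"
    return True, "%d hash(es) ok" % checked


def check_distdir(manifest_text, distdir, log):
    """Verify every DIST entry, write one line per file to log, return failures."""
    failures = []
    for name, (size, hashes) in sorted(parse_manifest(manifest_text).items()):
        ok, reason = verify_distfile(distdir, name, size, hashes)
        log.write("%s %s: %s\n" % ("OK  " if ok else "FAIL", name, reason))
        if not ok:
            failures.append((name, reason))
    return failures


def dist_line(name, data):
    """Build a constructed DIST line for data; the WHIRLPOOL value is a dummy."""
    return "DIST %s %d SHA256 %s SHA512 %s WHIRLPOOL 00" % (
        name, len(data), hashlib.sha256(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


def demo():
    """Constructed distdir: one good file, one tampered, one never fetched."""
    good = b"constructed tarball contents\n"
    original = b"original contents\n"
    manifest = "\n".join([
        "EBUILD foo-1.0.ebuild 1234 SHA256 00 SHA512 00",  # not DIST: ignored
        dist_line("good-1.0.tar.xz", good),
        dist_line("bad-2.0.tar.xz", original),
        dist_line("absent-3.0.tar.xz", b"never downloaded\n"),
    ])
    with tempfile.TemporaryDirectory() as distdir:
        with open(os.path.join(distdir, "good-1.0.tar.xz"), "wb") as f:
            f.write(good)
        with open(os.path.join(distdir, "bad-2.0.tar.xz"), "wb") as f:
            f.write(b"tampered contents\n")  # same length: only the hashes catch it
        log = io.StringIO()
        failures = check_distdir(manifest, distdir, log)
    return failures, log.getvalue()


if __name__ == "__main__":
    failures, log_text = demo()
    print(log_text, end="")
    print("failures:", failures)
```

Pointed at a real /usr/portage/distfiles and a real Manifest, check_distdir gives the kind of per-package log the thread is after, while an emerge with FEATURES="strict" remains the authoritative check.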

----------

## miroR

In short, I'm still on this, top priority.

Just, it took loong to get entire distfiles/, 180G, and I took care to not

overload any server, and how could I anyway, when although I pay the 5Mbs

internet access to iskon dot hr (that is a Croatian provider), they keep me at

640Kbs.

However, again in brief, I stumbled upon a mountain and am mustering faith to move it into the sea.  Joking, this time.

Half joking, I mean. Because it's big as a mountain to me. It's stranglingly

big (and I don't care it's not called after the strangler snake, because it is

strangling me  :Twisted Evil:  ). It's called Python.

What I am trying to say, is, all is there, in the code, all the checking, all

the logs to be produced for a really safe system, but this is my first real

encounter with this strangler language...

And I'll probably have to revamp my bash too.

Because those manuals that I mentioned above (portage, emerge, make.conf ...),

none of those can you really come to terms with without looking into the code.

The /usr/lib/portage/pym/portage/checksum.py

openly says:

```
$ head -1 /usr/lib/portage/pym/portage/checksum.py
# checksum.py -- core Portage functionality
$
```

and it's all written in that strangling language.

And the strangler shamelessly claims:

"Python is easy to learn, powerful programming language..."

(I emerged the python-docs and that is a quote.)

Easy?

I don't know, I'll give it a few days if necessary, I'll study the docs, and

if I make it to start understanding a little faster than the slowest turtle on

Earth can run, I'll patiently keep at it.

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

I'll try and expose the striking discrepancy that I found upon updating my

local mirror last night.

BTW, once you have your local mirror, you are no longer such a burden to

community for your updating of it, it looks to me, because for an update after

a period of, if my recollection serves me well, more than 10 days it took

downloading of only less than 3 GB to be done.

But I did an rsync dry run on a mirror, like so:

```
rsync -nav rsync://some-mirror/gentoo/distfiles/ distfiles/
```

where distfiles/ is my complete mirror (sure I'm cd'd in the

storage/partition/wherever where it is)

which showed me what it would download, which was a fraction to add to what I

already got from the first mirror creation that I explained before, and then

did the real run:

```
rsync -av rsync://some-mirror/gentoo/distfiles/ distfiles/
```

which still took long, but because of my slow (I explained exactly why in the

previous post) connection, but it's still much less time 2.9 GB vs 180 GB

download.

However, I also decided to compare in the same fashion, with an rsync dry run,

how the new updated mirror would update one of two other clones of that mirror

(having spent days to download the mirror, I really don't want to lose all

that effort, it would feel bad losing your work when you are to blame, than

when you are innocent, as in me vs Google terminating my account of 5 ys work,

500+ videos, where I have the sole, but shiny, consolation of clear

conscience).

And I ran, cd'ing into one of the clone-mirrors, something to this effect:

```
rsync -nav /my-local-updated-mirror/distfiles/ distfiles/ > rsync-nav_delta.txt
```

That gave me a list to be updated, and I cleaned it from introducing lines and

finishing lines, which are not names of files that need to be rsync'd over,

and ran:

```
for i in `cat rsync-nav_delta_CLEAN-LIST.txt` ; do ls -l \
   /my-local-updated-mirror/distfiles/$i distfiles/$i ; read FAKE ; done ;
```

(read FAKE is just a way for me to make the script wait till I see what it

did, and till I hit Enter for it to continue)

But then the script asked to overwrite some files. Didn't accept at the time.

Rather I took care to see which files and why.

And here is the files that would be overwritten, and also the new files that

overwrite the old without asking in a regular rsync run:

distfiles_CHEK_overwrite.txt:

```
GeoIPASNum.dat.gz
GeoIP.dat.gz
GeoIPv6.dat.gz
GeoLiteCity.dat.gz
GeoLiteCityv6.dat.gz
timestamp.dev-local
timestamp.mirmon
VirtualBox-4.3.10.tar.bz2
```

Of course, timestamp-whatever is not the problem.

But, really why does the GNU free world accept only Google and Oracle

(I see Larry's mark on www.VirtualBox.org) forgo the naming conventions, and

esp. in the way that in this case two actually different versions of

VirtualBox-4.3.10.tar.bz2 have same version names?

Because I checked (will report if I find it to be different in the third of

the three different mirror archives, but I doubt it, read on why) and both the

"old" and the "new" VirtualBox-4.3.10.tar.bz2 unpack faultlessly, and would

probably install faultlessly (I don't want to use anything Oracle ever, if I

don't have to, but this is a matter of GNU principle).

```
mybox somewhere # for i in `cat  distfiles_CHEK_overwrite.txt` ; do ls -l distfiles/$i /mnt/sde1/distfiles/$i ; done ;
-rw-r--r-- 1 miro miro 1938996 Feb 17 17:20 distfiles/GeoIPASNum.dat.gz
-rw-r--r-- 1 miro miro 1947575 Apr  3 04:09 /mnt/sde1/distfiles/GeoIPASNum.dat.gz
-rw-r--r-- 1 miro miro 353106 Feb  5 16:59 distfiles/GeoIP.dat.gz
-rw-r--r-- 1 miro miro 383542 Apr  2 20:17 /mnt/sde1/distfiles/GeoIP.dat.gz
-rw-r--r-- 1 miro miro 560268 Feb  5 16:59 distfiles/GeoIPv6.dat.gz
-rw-r--r-- 1 miro miro 597350 Apr  2 20:17 /mnt/sde1/distfiles/GeoIPv6.dat.gz
-rw-r--r-- 1 miro miro 11049198 Feb  5 16:55 distfiles/GeoLiteCity.dat.gz
-rw-r--r-- 1 miro miro 10636449 Apr  2 20:49 /mnt/sde1/distfiles/GeoLiteCity.dat.gz
-rw-r--r-- 1 miro miro 11263430 Feb  5 16:49 distfiles/GeoLiteCityv6.dat.gz
-rw-r--r-- 1 miro miro 10854343 Apr  2 20:01 /mnt/sde1/distfiles/GeoLiteCityv6.dat.gz
-rw-r--r-- 1 miro miro 49 Apr  6 07:00 distfiles/timestamp.dev-local
-rw-r--r-- 1 miro miro 49 Apr 13 20:00 /mnt/sde1/distfiles/timestamp.dev-local
-rw-r--r-- 1 miro miro 11 Apr  6 07:53 distfiles/timestamp.mirmon
-rw-r--r-- 1 miro miro 11 Apr 13 20:53 /mnt/sde1/distfiles/timestamp.mirmon
-rw-r--r-- 1 miro miro 90336343 Mar 25 16:52 distfiles/VirtualBox-4.3.10.tar.bz2
-rw-r--r-- 1 miro miro 90333712 Mar 26 20:23 /mnt/sde1/distfiles/VirtualBox-4.3.10.tar.bz2
mybox somewhere #
```

Just in case, so we know what we are talking about (in Larry's "possession"'s

case):

```
mybox somewhere # for i in `cat  distfiles_CHEK_overwrite.txt|grep VirtualB` ; \
   do sha256sum distfiles/$i /mnt/sde1/distfiles/$i ; done ;
8152fcc959565fee63855dffb9731a1585563f01b4756def0a644de1223af37e  distfiles/VirtualBox-4.3.10.tar.bz2
739835aee3274a663b23eeb748bd0430e8a5d8ba2f4d0eae5dc47ff2c485e23b  /mnt/sde1/distfiles/VirtualBox-4.3.10.tar.bz2
mybox somewhere #
```

I hope this will be looked into by people who know and can do more to make

these matters better. Because like _this_ is not good.

Without devoting more research into the matter, how are the previous and the

new Google archives in the mirror distinguished, when they hold the same

name? Just as a sidenote. I need to go back to what I started this topic for,

can't spend much time on GeoIP and comrades.

I haven't, otherwise, with my offline install reached much further.  Such as,

I still need to read (again) those man pages, and it really takes me time

discovering these and those mechanisms, so I can eventually figure out how to

configure my system to be certain it installs safely without intrusion and

other non-free problems...

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr
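The same-name, different-content case above is exactly what a Manifest check settles: the Manifest in each ebuild directory records every distfile's size and hashes in its DIST lines, and the portage snapshot carrying those Manifests is what emerge-webrsync verifies when FEATURES="webrsync-gpg" is set. The copy whose bytes match the DIST entry is the one to keep; the other one is the one to delete, whatever its mtime says. What follows is an added example written for this thread, not Portage's own code (Portage does this inside the checksum.py mentioned earlier); the Manifest snippet, both tarball bodies and the two directory trees are constructed sample data standing in for the two VirtualBox-4.3.10.tar.bz2 copies:

```python
"""Added example (not Portage's own code): settle which of two same-named
distfiles is the authentic one by checking each copy against the Manifest
DIST entry, i.e. the size and SHA256 that Portage itself enforces.
The Manifest snippet and both tarball contents are constructed sample data."""
import hashlib
import os
import tempfile

# Constructed stand-ins for the two VirtualBox-4.3.10.tar.bz2 copies in
# the post: same name, same length here, different bytes.
OLD_COPY = b"old mirror copy of the tarball\n" * 100
NEW_COPY = b"new mirror copy of the tarball\n" * 100


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


# Constructed Manifest in the real DIST line layout:
#   DIST <filename> <size> <HASH> <hexdigest> [<HASH> <hexdigest> ...]
MANIFEST = (
    "DIST sample-pkg-1.0.tar.bz2 %d SHA256 %s\n" % (len(NEW_COPY), sha256_of(NEW_COPY))
    + "DIST other-pkg-2.0.tar.gz 12 SHA256 %s\n" % sha256_of(b"twelve bytes")
)


def parse_manifest(text):
    """Return {filename: (size, {hashname: hexdigest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # DIST name size, then hash name/value pairs: an odd token count >= 5
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 == 0:
            continue
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_file(path, entries):
    """Classify one distfile against the Manifest: 'ok', 'size-mismatch',
    'hash-mismatch' or 'not-in-manifest' (assumes a SHA256 entry exists)."""
    name = os.path.basename(path)
    if name not in entries:
        return "not-in-manifest"
    size, hashes = entries[name]
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != size:
        return "size-mismatch"
    if hashes.get("SHA256") != sha256_of(data):
        return "hash-mismatch"
    return "ok"


def compare_mirrors(dir_a, dir_b, entries):
    """For each name present in both trees, say whether the two copies are
    identical and what the Manifest says about each copy."""
    report = {}
    for name in sorted(set(os.listdir(dir_a)) & set(os.listdir(dir_b))):
        path_a, path_b = os.path.join(dir_a, name), os.path.join(dir_b, name)
        with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
            identical = sha256_of(fa.read()) == sha256_of(fb.read())
        report[name] = {
            "identical": identical,
            "a": verify_file(path_a, entries),
            "b": verify_file(path_b, entries),
        }
    return report


def demo():
    """Build two constructed mirror trees (old clone vs. freshly rsync'd
    mirror) and compare them."""
    entries = parse_manifest(MANIFEST)
    with tempfile.TemporaryDirectory() as root:
        dir_a = os.path.join(root, "distfiles_old")
        dir_b = os.path.join(root, "distfiles_new")
        for d, tarball, stamp in ((dir_a, OLD_COPY, b"2014-04-06\n"),
                                  (dir_b, NEW_COPY, b"2014-04-13\n")):
            os.mkdir(d)
            with open(os.path.join(d, "sample-pkg-1.0.tar.bz2"), "wb") as fh:
                fh.write(tarball)
            # mirror bookkeeping file: differs between runs, never in a Manifest
            with open(os.path.join(d, "timestamp.mirmon"), "wb") as fh:
                fh.write(stamp)
        return compare_mirrors(dir_a, dir_b, entries)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run against real trees, `compare_mirrors` would take the two distfiles directories and a `parse_manifest` result built from the Manifest of the package in question; a copy reported as hash-mismatch is the one that a regular rsync run would silently have kept or replaced depending only on which side was newer, which is why the timestamps in the `ls -l` listing above cannot decide the question.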

----------

## miroR

Further progress and further issues.

These are a few lines, with comments and questions along, from my make.conf

```
# These lines should get me some logs for some period saved for troubleshooting:
# However, not solved yet how to change the -mtime +7 (7+ days old are deleted)
# to longer period. I want to keep all logs for longer (see the emerge --info)
# Ah, I think I figured out that line from man make.conf, see the last line of
# this paragraph with PORT_LOGDIR_CLEAN command, it's from man make.conf
PORTDIR="/usr/portage"
PORT_LOGDIR="/var/log/portage_logs"
PORTAGE_ELOG_CLASSES="info warn error log"
PORTAGE_ELOG_SYSTEM="save"
PORT_LOGDIR_CLEAN="find "${PORT_LOGDIR}" -type f ! -name "summary.log*" -mtime +90 -delete"
# yes 90 days, because text is cheap, and it's expensive when it's missing
DISTDIR="${PORTDIR}/distfiles"
PKGDIR="${PORTDIR}/packages"
PORTAGE_GPG_DIR="/etc/portage/gpg"
# allegedly disables 'emerge --sync', not clear to me, but not a hindrance:
SYNC=""
FEATURES="webrsync-gpg candy strict"
EMERGE_DEFAULT_OPTS="--keep-going --with-bdeps=y --autounmask-write --ask --verbose"
# grub wouldn't boot unless properly installed, for my PC this is needed:
GRUB_PLATFORMS="pc multiboot"
# For regular no mirror URIs fetching (lots of ebuild contain RESTRICT="mirror"
# and so those sources are not available from official mirrors), that will be a
# problem to solve how to safely get those, sieve off the potential
# intruder/attacker, check the system for freedom from all those and clone it
# as necessary
# But I'm inconsistent here. I don't get it... This neither is needed, since I
# now, upon update, have all what official mirrors have in my local mirror...
# No! I'll uncomment it. Not needed.
# GENTOO_MIRRORS="[some regular mirrors here]"
# because the packages with the RESTRICT="mirror" are anyway gotten from the
# devs' own websites or their sponsors', no variable needed in here for that.
# Instead of the usual GENTOO_MIRRORS line from the handbook, we go for the local
# mirror, but the local mirror is not written here, but in:
# /etc/portage/mirrors with a line such as:
# local http://192.168.N.N/gentoo/distfiles
# where N.N. will be according to where I put the mirror on my SOHO.
```

I have one more issue left to solve. I want to have it logged where I fetched what

package from. Because there will be offending packages. The most interesting is

when you figure out where they're from. Of course they're not usually

maliciously put there by the owners...

But the default for emerge-fetch.log is reflected by what we have in the man 

emerge:

```
FILES
...[snip]...
/var/log/emerge-fetch.log
   Contains a log of all the fetches in the previous emerge invocation
```

And that means once you fire up a new emerge invocation, the previous logs were

fed for dinner to your cat. No more there!

I don't like that. How do I change this? That is the sole relevant mention in

connection to the evasive fetch logs in man (emerge|make.conf|portage), if I

wanted to keep those logs by virtue of the portage configuration, is it at all

possible, or do I need to learn Python and make my own portage overlay, next

year when I'm done studying it, and change some obscure portage program from

/usr/lib/portage to have those logs, which is great, only I wouldn't be able

to do it in even more than that long time, probably, not with my free time

available...

Or do I need to combine a shell script. Or is there some way to run some script

exactly when emerge is called... I mean, is there a way here elegantly, with

the tools of the system. I sure could copy the previous emerge-fetch log from

the command line before running emerge. But that's a nuisance having to do

that.

Because anyway, I want those logs. Where I got what from...

I won't build my master system too often. Once a month has been less than my

average in between the emerge resyncing and compiling...  But I want to know

what it is built from, as best I can.

I just looked up, and:

```
grep -rIl 'emerge-fetch' /usr/lib/portage/
/usr/lib/portage/pym/_emerge/Scheduler.py
/usr/lib/portage/pym/_emerge/EbuildBuild.py
/usr/lib/portage/pym/_emerge/Binpkg.py
```

and the Scheduler.py that calls the logging module at start, all is way beyond

my grasp.

M.R.

----------

## miroR

I ran Clamav antivirus on my local mirror.

I deem it is useful for the community to point at issues (or non-issues that

appear as such) that Clamav screamed some about. Clamav FAQ should be a stop

(for not-much-initiated in the viri business like me).

Again, I can't dwell in here, I am a man in my early old age, and work slowly,

and my systems are long, long overdue to have been updated.

But, that is a long list of archives that potentially, or not at all if we hold

to the millions of users and developers who already used and viewed the code (a

rough paraphrase of:

NSA SELinux Support???

https://forums.gentoo.org/viewtopic-t-984066.html#7500374

((But I am not on that agency's topic here. Sick from the blowback.))

 and found it impeccable):

...But that is too long a list of archives that Clamav potentially has some

problems with, and don't fit on the forums (some 270K). So:

http://www.croatiafidelis.hr/gnu/gentoo/clamscan_on_my-local-Gentoo-mirror_140414_16.txt.gz

http://www.croatiafidelis.hr/gnu/gentoo/clamscan_on_my-local-Gentoo-mirror_140414_16.txt.sig

As I said, I'm not dwelling here either. We, the community, others now, not me,

I am about done with the freetime for that, would need to do more.

Thanks to anyone who kindly considers my efforts.

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

P.S. 

It's a rather long file,

```
cat  clamscan_on_my-local-Gentoo-mirror_140414_16.txt | wc -l
3157
```

and subtract only 20 lines for the head and 10 lines for the summary in the tail,

so 3127 lines of Clamav's complaints in the sense, let's give some lines, just so

the DuckDuckGo can find it (if some more of free speech persist around):

```
grep gnome clamscan_on_my-local-Gentoo-mirror_140414_16.txt | head -5
/my-archive/distfiles/gnome-applets-2.16.2.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-applets-2.18.0.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-applets-2.20.0.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-applets-2.20.1.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-chess-3.10.2.tar.xz: Heuristics.Structured.CreditCardNumber FOUND
```

```
grep kde clamscan_on_my-local-Gentoo-mirror_140414_16.txt | head -5
/my-archive/distfiles/kdeaddons-3.5.0.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/kdeaddons-3.5.10.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/kdeaddons-3.5.4.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/kdeaddons-3.5.5.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/kdeaddons-3.5.6.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
```

But there are whole lots of other PUA.Win32.Packer, PUA.Script, PUA.HTML, and other stuff.
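The Heuristics.Structured.SSN and Heuristics.Structured.CreditCardNumber lines above are not signature matches: ClamAV's structured-data heuristics fire on anything that merely looks like a social-security or card number, which test fixtures and sample data inside source tarballs do all the time, and PUA.* names are "potentially unwanted" classifications (packers, scripts) rather than malware verdicts. A report of some 3000 such lines is only useful once sorted into those buckets, with the few real signature names left over for a closer look (and, for a distfile, the Manifest hash check is what says whether the tarball is the one upstream shipped). The script below is an added example, not part of the post or of ClamAV; the report text is constructed in clamscan's line layout, with the first four lines taken from the post and the remaining ones, including the summary counts, made up and named as such:

```python
"""Added example (not part of the post or of ClamAV): triage a clamscan
report so heuristic hits on source tarballs are separated from real
signature matches.  The report text is constructed in the line layout
clamscan prints; lines past the first four are invented sample data."""
import re
from collections import Counter

CLAMSCAN_REPORT = """\
/my-archive/distfiles/gnome-applets-2.16.2.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-applets-2.18.0.tar.bz2: Heuristics.Structured.SSN FOUND
/my-archive/distfiles/gnome-chess-3.10.2.tar.xz: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/kdeaddons-3.5.0.tar.bz2: Heuristics.Structured.CreditCardNumber FOUND
/my-archive/distfiles/example-packer-1.0.zip: PUA.Win32.Packer.ConstructedName FOUND
/my-archive/distfiles/example-clean-0.1.tar.gz: OK
/my-archive/distfiles/example-bad-0.2.tar.gz: Constructed.Signature.Name FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.98
Scanned directories: 1
Scanned files: 7
Infected files: 6
"""

# "<path>: <signature> FOUND"; "OK" lines and the summary do not match this
HIT = re.compile(r"^(.+?): (\S+) FOUND$")
SUMMARY = re.compile(r"^(Infected files|Scanned files): (\d+)$")


def parse_report(text):
    """Return (hits, summary): hits is a list of (path, signature) tuples,
    summary the numeric lines from the SCAN SUMMARY block."""
    hits, summary = [], {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
            continue
        m = SUMMARY.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return hits, summary


def classify(signature):
    """Bucket a signature name by family.  Heuristics.Structured.* are
    pattern matches on number-like data (test fixtures in source trees trip
    them); PUA.* are potentially-unwanted classifications; anything else is
    a named signature and is the part worth a human look."""
    if signature.startswith("Heuristics.Structured."):
        return "structured-data heuristic"
    if signature.startswith("PUA."):
        return "potentially unwanted"
    return "signature match"


def triage(text):
    """Return ({bucket: [(path, signature), ...]}, summary_consistent) where
    summary_consistent says the 'Infected files' count equals the hits seen,
    i.e. nothing was lost when the report was trimmed or grepped."""
    hits, summary = parse_report(text)
    buckets = {}
    for path, sig in hits:
        buckets.setdefault(classify(sig), []).append((path, sig))
    consistent = summary.get("Infected files") == len(hits)
    return buckets, consistent


def package_hit_counts(hits):
    """Count hits per package, stripping the version suffix, so several
    versions of gnome-applets collapse into one line of the summary."""
    names = Counter()
    for path, _ in hits:
        fname = path.rsplit("/", 1)[-1]
        m = re.match(r"^(.*?)-\d", fname)
        names[m.group(1) if m else fname] += 1
    return names


if __name__ == "__main__":
    buckets, consistent = triage(CLAMSCAN_REPORT)
    for bucket, items in sorted(buckets.items()):
        print("%-26s %d" % (bucket, len(items)))
    print("summary consistent:", consistent)
    print(package_hit_counts(parse_report(CLAMSCAN_REPORT)[0]))
```

On the real 3157-line file the same `triage` call takes the file's contents; the consistency flag matters there because the post's line counts (head, tail, grep) were done by hand.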

----------

## miroR

 *miroR wrote:*   

> ...
> 
> I have one more issue left to solve. I want to have it logged where I fetched what
> 
> package from. Because there will be offending packages. The most interesting is
> ...

 

I try and remember newbier beginners than me, so I'll just repropose here,

if anyone is trying to solve similar issues like (some of) these that I have

been solving here, that there is the hard-to-read-but-indispensable:

```
/usr/share/portage/config/make.conf.example
```

that upon a reread I figured out the solution to the emerge-fetch.log-fed-to-your-cat issue.

The fetch command, not the new portage source overlay, is the solution for me

(of course I am joking against my own self, I am not Daniel Robbins, who gave

to the world this great portage architecture, for which he really deserves

credit. Sadly, things went as they went...)

The default (you can see it if you issue 'emerge --info') is:

```
FETCHCOMMAND="wget -t 3 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
```

All I will do, is I'll simply change it to, but in the make.conf there's

backslash-escaping to do:

```
FETCHCOMMAND="wget -t 3 -T 60 --passive-ftp -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\" -a \"\${PORT_LOGDIR}/wget_fetches.log\""
```

man wget has that append-logging option. Will report if that doesn't work. Won't bother if it does.

M.R.
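With wget's -a appending every fetch to one file, the question asked two posts up (where was each package fetched from) becomes a matter of reading that file: each attempt opens with a `--date--  URI` line and, if it succeeded, closes with a `... 'path' saved [n/n]` line, so the pair gives filename, source host, time and size, and fetches that came from somewhere other than the local mirror (the RESTRICT="mirror" packages from the devs' own sites) fall out directly. The parser below is an added example, not from the post, Portage or wget; the log text is constructed in wget's line layout (both the plain and the curly quotes wget prints around the path are accepted), and the mirror address 192.168.1.5 is an assumed stand-in for the 192.168.N.N in the make.conf post:

```python
"""Added example (not from the post, Portage or wget): turn the log that
FETCHCOMMAND ... -a appends into a ledger of which distfile came from which
host.  WGET_LOG is constructed sample text in wget's line layout; the local
mirror address 192.168.1.5 is an assumption standing in for 192.168.N.N."""
import re
from urllib.parse import urlparse

WGET_LOG = """\
--2014-04-20 22:10:01--  http://192.168.1.5/gentoo/distfiles/foo-1.0.tar.bz2
Resolving 192.168.1.5... 192.168.1.5
Connecting to 192.168.1.5|192.168.1.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3100 (3.0K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/foo-1.0.tar.bz2'

2014-04-20 22:10:02 (5.00 MB/s) - '/usr/portage/distfiles/foo-1.0.tar.bz2' saved [3100/3100]

--2014-04-20 22:10:05--  http://192.168.1.5/gentoo/distfiles/bar-2.1.tar.gz
Resolving 192.168.1.5... 192.168.1.5
Connecting to 192.168.1.5|192.168.1.5|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-04-20 22:10:05 ERROR 404: Not Found.

--2014-04-20 22:10:09--  http://upstream.example/releases/bar-2.1.tar.gz
Resolving upstream.example... 203.0.113.7
Connecting to upstream.example|203.0.113.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8192 (8.0K) [application/x-gzip]
Saving to: '/usr/portage/distfiles/bar-2.1.tar.gz'

2014-04-20 22:10:11 (4.10 MB/s) - '/usr/portage/distfiles/bar-2.1.tar.gz' saved [8192/8192]
"""

# "--YYYY-MM-DD HH:MM:SS--  URI" opens every attempt
START = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)$")
# "YYYY-MM-DD HH:MM:SS (rate) - 'path' saved [got/total]" closes a success;
# wget uses ' or the curly quotes depending on locale, so accept both
SAVED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \([^)]*\) - "
                   r"[\u2018'\"](.+?)[\u2019'\"] saved \[(\d+)(?:/(\d+))?\]")


def parse_wget_log(text):
    """One record per completed download.  Attempts without a 'saved' line
    (a 404 on the mirror, a DNS failure) are dropped: the next URI Portage
    falls back to opens a fresh '--date--  URI' block."""
    records, current = [], None
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current = {"started": m.group(1), "uri": m.group(2),
                       "host": urlparse(m.group(2)).hostname}
            continue
        m = SAVED.match(line)
        if m and current is not None:
            current.update(finished=m.group(1), path=m.group(2),
                           size=int(m.group(3)))
            records.append(current)
            current = None
    return records


def fetch_ledger(records, local_hosts):
    """filename -> {uri, host, size, local}; local is True when one of the
    given local-mirror hosts served the file."""
    ledger = {}
    for rec in records:
        name = rec["path"].rsplit("/", 1)[-1]
        ledger[name] = {"uri": rec["uri"], "host": rec["host"],
                        "size": rec["size"], "local": rec["host"] in local_hosts}
    return ledger


def external_fetches(ledger):
    """Names that did not come from the local mirror: the ones to look at
    (and to check against the Manifest) before the build goes further."""
    return sorted(n for n, e in ledger.items() if not e["local"])


if __name__ == "__main__":
    ledger = fetch_ledger(parse_wget_log(WGET_LOG), {"192.168.1.5"})
    for name, e in ledger.items():
        print("%-20s %-55s local=%s" % (name, e["uri"], e["local"]))
    print("from outside the mirror:", external_fetches(ledger))
```

Pointed at the real appended log, `parse_wget_log` takes the file's contents and `fetch_ledger` the set of local mirror hosts; the one thing the log cannot tell is whether the bytes are right, which remains the Manifest's job.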

----------

## krinn

I'm sorry i didn't read it.

So that post would be useless, but in fact, i honestly don't think it's a useless one.

Your thread should be selected for the "The thread nobody would like to read" award...

Really, try open another thread if you need help, but WOW !!! Make it smaller !!! And i mean really smaller.

You would get more help with a small question on a clearly defined goal. You even quote yourself in it. It's impressive, but too much impressive for anyone to actually read it.

----------

## miroR

Hi, krinn.

 *krinn wrote:*   

> 
> 
> ...[snip]...
> 
> Make it smaller !!! And i mean really smaller.

 

Gladly if I knew. But some of the things, most of the things actually, I figured out as I went.

 *krinn wrote:*   

> 
> 
> You would get more help with a small question on a clearly defined goal.

 

I believe the goal I have clearly defined. The method(s) I am figuring out and very painstakingly. Really can't do better.

 *krinn wrote:*   

> 
> 
>  You even quote yourself in it. It's impressive, but too much impressive for anyone to actually read it.

 

Yes I do because the FETCHCOMMAND line, a post or two previous to this, is the solution for what I really needed, and which I'm happy if I finally solved that knot. Also, maybe other users could use that command too.

Thanks for reading it, however doesn't help much,

M.R.

----------

## miroR

Here tiny small hours in Europe.

But how could I have gone to sleep before rebooting into my completely offline installed system?

Oh no, I had to do it.

The local mirror works like a charm.

Basically I did figure it all out (minor corrections, but minor, here and there, but I'm too tired now to systematically show which of them), in the last couple of posts.

I'm dumping the partitions now, it'll be a breeze (what's restoring 70G onto another HDD with exactly same partition table and size, on another same MBO but a breeze in comparison to all this research in this thread?).

Of course, I am on hardened-sources (as of course I used stage3  hardened).

Hardened sources of course, of freaking course in my case mean Grsecurity/Pax!

But one thing is missing, I think with the new LiveCD (but haven't tried it, this time I went with the SysrescCD -- www.SysrescCD.org just in case, really good!), but I know was missing in the LiveCD of 2014-02-27, and that is the gnupg is missing, I mean can't do emerge-webrsync really at all, before either emerge --sync to get also gnupg, or manually copying the gnupg packages via other means... 

For a really safe system, manually getting the packages needed is what I did. And emerge-webrsync is incredibly much better than plain syncing.

Also, my assumptions of installing portage snapshot by hand, without emerge-webrsync, what I probably suggested can be done maybe two weeks ago (meaning: doing the emerge-webrsync's job of unpacking only, because the portage snapshots also can be gotten manually), that manual unpacking which I suggested in this thread (can go search, really tired), was completely correct. Just don't forget the p switch, as when unpacking stage3.

I'm also going with the:

ACCEPT_LICENSE="-* @FREE"

And this is basically the biggest hurdles are past now.

I reached up to Finalizing the installation in the handbook.

Ah, not to forget, the line for the FETCHCOMMAND for some reason didn't recognize the "$PORT_LOGDIR" variable that I gave it, but it is a minor issue, I just used simply /var/log instead, and wget is logging all.

There are bound to be other things to solve.

Will update, and will check if anyone is using this way and needs help. (Can't promise to be able, too many other potential problems unrelated to here, in my life, but will try. But patience is needed if anyone will wait for my reply here, I work slowly, am somewhat old)

Thank you!

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

I'm having problems installing, actually starting X after installing it, here:

Installing X; but X can't see what's wrong, only won't start

https://forums.gentoo.org/viewtopic-t-988956.html

----------

## vaxbrat

On a somewhat related requirement, I would be interested in something that looked at your world list and pulled distfiles for all ebuild versions that were in portage.  This would be for a scenario where the target systems are airgapped, and it would be useful to pull only incremental updates that are brought over via sneakernet.  The btrfs snapshotting would help in figuring out the incremental parts.

----------

## miroR

 *vaxbrat wrote:*   

> On a somewhat related requirement, I would be interested in something that looked at your world list and pulled distfiles for all ebuild versions that were in portage.  This would be for a scenario where the target systems are airgapped, and it would be useful to pull only incremental updates that are brought over via sneakernet.  The btrfs snapshotting would help in figuring out the incremental parts.

 

Your suggestions are now being considered. Meaning:" ...[snip]... airgapped...[snip]... sneakernet...[snip]... " and possibly other things I need to get myself more familiarized with, through ddg-going (I don't google at all, down with the surveillors).

Thanks! Pls. allow some time.

On another note, I just solved:

Installing X; but X can't see what's wrong, only won't start

where admins who write the handbook, could look up my suggestion here:

https://forums.gentoo.org/viewtopic-p-7538416.html#7538416

M.R.

----------

## miroR

I studied some of (it's huge...) this good page:

https://www.schneier.com/blog/archives/2013/10/air_gaps.html

 *vaxbrat wrote:*   

> This would be for a scenario where the target systems are airgapped,

 

So, people moving against surveillance, and it's growing! Good to see. And I see lots of stuff that I came to in my own somewhat flawed but hardworking and honest researches, such as can be seen on forums.grsecurity.net , if one searches for Miroslav Rovis, there is a lot there. Schneier is worth of respect, and many people there!

Yes, actually this topic that I started is about airgapping. Yes.

 *vaxbrat wrote:*   

> and it would be useful to pull only incremental updates that are brought over via sneakernet.  The btrfs snapshotting would help in figuring out the incremental parts.

 

I believe that btrfs only adds so much more complexity. I'm pretty sure that it does.

No, I wouldn't add it into the methods to use, doesn't help in airgapping.

The fact that it makes finding what to update on the offline system faster, well the rsync is there for that, and rsync, the program started by Andrew Tridgell, an Australian (IIRC) of the Samba fame, is pretty solid and I really like things by shiny honest developers like him, than any Larry Oracle's stuff... Larry ruined Java, didn't he? Put Oracle onto once truly free MySQL... Not an insider, but doesn't smell good.

 *vaxbrat wrote:*   

> On a somewhat related requirement, I would be interested in something that looked at your world list and pulled distfiles for all ebuild versions that were in portage. 

 

I see your point, but believe me, I actually relax when I see compilations and movements of files, I mean, the brunt of the work of these methods that I'm trying to figure, and of this howto not yet made, is in the understanding of how to use what is already there, the emerge, portage, ebuild checking (that is only here so perfect, thanks Daniel Robbins and all the devs, no other GNU/Linux has that much of perfection as portage!), and stuff, the great Python put to such grandiose work, that is what needs to be fathomed and used for airgapping Gentoo!

I have to go back towards, hopefully, finishing my installation, because I'm long overdue using, and not building, my Gentoo boxes!

Pls. Gentoo devs, keep it privacy-viable and feasibly surveillance-free!

Miroslav Rovis

Zagreb, Croatia,

www.CroatiaFidelis.hr

----------

## miroR

I'm now grappling with how to install LXDE without frills:

LXDE replacement question [SOLVED]

https://forums.gentoo.org/viewtopic-p-7538796.html#7538754

What is most important there, is I got rid of dbus consolekit and policykit flags, and I will add here that another flag that can be seen in my emerge, which I won't clobber with here, change being too little yet for posting, here:

( Installing X; but X ... freezes [SOLVED] )

https://forums.gentoo.org/viewtopic-p-7538746.html#7537924

is also I added

-introspection

into the USE bunch. Why? adds "support for GObject based introspection" (do grep introspection /usr/portage/profiles/use.desc), and it's default for lxde packages, not in mine anymore. Good when you can disable things. Problems if things not really needed are there, and you can't go without them...

I'm also trying to use AIDE, I have already initialized its database, and what I would like to do, is use it continually from now, such as first thing learning to update it once I install lxde in the way yet to devise.

I'd like to actually use AIDE in the way described in the Handbook:

http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?full=1#book_part3_chap6__chap3_sect2

It'll possibly take me long to correctly use those pieces of advice, so it's really not like I can write brief and exact (simple) enquiry as krinn suggested a couple of posts ago, no. It's I just can't be more precise, for flat lack of clear grasp on the matters.

But the air-gap Gentoo install has to be feasible, and for non-expert users like me.

Miroslav Rovis

www.CroatiaFidelis.hr

Happy Easter to everybody!

----------

## miroR

If you look into my make.conf file, still basically:

https://forums.gentoo.org/viewtopic-p-7539048.html#7535952

there is the line:

```
PORT_LOGDIR_CLEAN="find "${PORT_LOGDIR}" -type f ! -name "summary.log*" -mtime +90 -delete"
# yes 90 days, because text is cheap, and it's expensive when it's missing
```

Yes, but I'm afraid that won't gzip my /var/log/messages file in 7 days as is default, but only every three months.

And that is not acceptable either.

I installed dcron, will look through what docs it has and for guides and talk in the forums, but I am slow to grasp...

Because I want to keep the logs, but get things gzipped that grow out of proportions (grsecurity amply logs things in my config setup of the kernel).

And this is a concrete, short  and precise question in this very post you are reading. (You can see I still have the critique in mind that I received from krinn a few posts earlier.)

Any help appreciated, and as usual, if I solve it, others will know.

M.R.

Happy Easter for one last time! (soon to be Monday)

----------

## miroR

In the last post I was barking up the wrong tree.

An excerpt follows from my:

 /var/log/portage_logs/elog/app-admin:syslog-ng-3.4.7:20140417-084329.log

```
LOG: postinst
For detailed documentation please see the upstream website:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/index.html
It is highly recommended that app-admin/logrotate be emerged to
manage the log files.  syslog-ng installs a file in /etc/logrotate.d
for logrotate to use.
```

And now follows a peep into:

```
mybox ~ # ls -l /etc/logrotate.d/
total 24
-rw-r--r-- 1 root root 221 Apr 19 15:51 apache2
-rw-r--r-- 1 root root 135 Apr 17 12:40 dcron
-rw-r--r-- 1 root root 272 Apr 20 00:15 elog-save-summary
-rw-r--r-- 1 root root  71 Apr  3 14:14 openrc
-rw-r--r-- 1 root root 105 Apr 20 01:19 rsyncd
-rw-r--r-- 1 root root 357 Apr 17 10:43 syslog-ng
mybox ~ # date
Mon Apr 21 00:17:07 CEST 2014
mybox ~ #
```

And sure, what we're most interested now, is:

```
mybox ~ # cat /etc/logrotate.d/syslog-ng
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.logrotate.in,v 1.1 2014/01/22 04:25:35 mr_bones_ Exp $
#
# Syslog-ng logrotate snippet for Gentoo Linux
# contributed by Michael Sterrett
#
/var/log/messages {
    missingok
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
mybox ~ #
```

My problem, of course, is not yet having installed logrotate. That is why I

wouldn't get my /var/log/messages and other files gzipped, and not for the

reason I initially thought above.

Namely:

```
mybox ~ #  emerge -s logrotate
Searching...
[ Results for search key : logrotate ]
[ Applications found : 2 ]

*  app-admin/logrotate
      Latest version available: 3.8.7
      Latest version installed: [ Not Installed ]
      Size of files: 57 kB
      Homepage:      https://fedorahosted.org/logrotate/
      Description:   Rotates, compresses, and mails system logs
      License:       GPL-2
...[snip]...
mybox ~ #
```

but, of course that is being fixed now. If logs don't start being gzipped I'll

be back to report. I won't bother if that problem is now fixed by installing

logrotate.

Sorry!

M.R.

----------

## miroR

Somewhat related to this air-gapped Gentoo install:

Safe reinstall of Sysresc on USB stick that was exposed online

http://www.sysresccd.org/forums/viewtopic.php?f=25&t=5305

----------

## miroR

I lost some valuable time with so little benefit:

Libav (Avconv) Imposition on Users who want FFmpeg

https://forums.gentoo.org/viewtopic-p-7539612.html

From that discussion, if you are installing Gentoo (air-gapped or not), take

out just how to evade libav before it imposes itself, if you like the (so far,

in years) much better real ffmpeg.

Sorry for allowing myself to be inadvertently pushed into ruining that thread.

With installing LXDE, without the bloat, I'm still at weighing options.

My choice I'll be posting next.

----------

## miroR

This time around I am late to report how I fared with my air-gapped install due

to a few reasons, but the most important one is that I was able to put two of

my new installs (two machines) to full use and therefore I was busy.

No, the install isn't complete, but I am able to run long sessions of ffmpeg

video conversions without a hitch and with usual Gentoo-style superior

performance that I've been used to for years now.

I would like to round this up with clear instructions for beginners newer than

me, who might need this kind of install as I do now have some experience, but I

believe it is still better, when I find time, to first solve the remaining

issues, which are:

The X, for some reason still mysterious to me, is unable to use the radeon

driver, but only plain VESA, some diagnostics is here:

Installing X; but X ... freezes

https://forums.gentoo.org/viewtopic-t-988956.html

The X works, so it is solved in that regard, but works only at inferior VESA

level, so it isn't completely solved...

and

The audio. Works in a similar sketchy manner. Reasons being, I decided to veer

off the supported path, and add the regular user on the machine to audio group,

because I don't want to go neither Consolekit nor Systemd way, as can be found

in the X link a few lines above and in this link:

LXDE replacement question

https://forums.gentoo.org/viewtopic-t-973802.html

So it looks like uncharted territory. Not really in the Wiki (only the

Consolekit or the Systemd way there, although the adding user to audio group is

described in the Gentoo Wiki Alsa page (so not fully off all routes...).

(I really don't know for certain, but it could be the ACCEPT_LICENSE="@FREE",

see my emerge --info:

https://forums.gentoo.org/viewtopic-t-988956.html#7537924

that might have caused some configuration to be missing in terms what some

binary blobs somewhere need, and so that something misconfigured or missing I

now can't get the radeon driver to really work.

Seems @FREE is not sufficiently supported in Gentoo. There was an attempt by

the Argentinian based Gentoo offshoot Ututo to make a completely free really

GNU distro, but the free mankind not really being so free, to not say more and

suffer consequences again, I think they're stranded now... Sadly maybe I

shouldn't have ventured trying that make.conf line... Really don't know.)

Those two issues however, are not really related to the air-gapped install

topic, so don't belong there. So once I solve them, I'll probably report in the

two topics just listed.

Regarding the air-gapped install, it is so much harder than with Debian, which

I mentioned earlier that I was perfectly able to air-gapped install, here is

the link local to this topic:

https://forums.gentoo.org/viewtopic-t-987268.html#7527310

It's much more stuff, some 180G, the Gentoo local mirror, compared to 40+G or

80+G with sources with Debian, but the dedicated local compiling is what makes

for Gentoo's generally superior performance when compared to any binary

installs, at possibly huge cost in ease of use.

But once you have your mirror it's easy to update, not any more huge

downloading to do. My yesterday's update of my local mirror that I rsync'd two

weeks ago the previous time took some 7GB of download only.

Living air-gapped, however, is soo much more expensive in labor and

circumvention than living online and, well, exposed, which is absolutely worse,

thank you. So it might pay off. Surely my data is safe as far as that exposure

goes...

As I said, I would like to, can't promise, but will really try, revisit this

topic, and make a quick and easy to understand resumé, with all the necessary

links to Gentoo documentation, such as Wikis and man pages, where it is

(sometimes barely sufficiently) documented, for those who need a quick howto

and are (even) less experienced than I am in these matters.

Of course, if anybody manages to do this manner of install, and there are so

many around with so much better grasp on these matters than me, it'll be great

if you make a final easy-to-read résumé!

Cheers!

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## jonathan183

I think your main issue for the initial install is being unable to trust information you are able to download from the net without being able to complete some form of additional verification.

If I were in this situation then my approach to the initial install would be:-

To use trusted, read only media to boot from (a CD - not an image on a hard drive or usb pen drive), for which I think the SystemRescue CD is most appropriate.

I'd verify the SystemRescue CD after download and after burning to CD, if you don't have a CD drive on the system exposed to the net then buy one even if it's a usb CD/DVD drive.

The system exposed to the net will need storage connected to it (either hard drive, pen drive or dvd writer) to store downloaded information.

Boot the system to expose to the net from the SystemRescue CD and partition/format (including secure erasure) the storage (hard drive/pen drive) and then mount the storage. I'd set iptables to block incoming (except established connections), and only allow outgoing ports you require - feel free to make this more difficult to defeat by creating rules that only allow outgoing connection for a certain group with a name and groupid you select at random.

Connect to the net and download an all-on-one-page version of the handbook to be able to refer to later; also download section 5 of one of the older handbook copies (for instructions on the portage snapshot install).

Download and verify the integrity of the appropriate stage3 tarball (section 5 of the handbook) - using the mirror of your choice. Redirect output of verification to a .txt file so it can be checked later.

Download and verify the integrity of a portage snapshot - using the mirror of your choice. Again redirect the output of verification to a .txt file so it can be checked later.

Now check the stage3 and portage snapshot against a few other gentoo mirrors in various locations (selected at random).

Disconnect the system from the net, shut it down and power off, then reboot it using the SystemRescue CD and check the integrity of the downloaded information, comparing the output you get with the .txt files saved while the system was online. Assuming the same results, you can be as sure as you're going to be that what you have are good copies of a stage 3 and portage snapshot to complete the install of the air gapped system(s).

Boot air gapped system from the SystemRescue CD, partition/format its storage and mount the partitions for the install and copy and untar the stage3 and portage snapshot, setup locale and make.conf as you want it on your target system. Before you can build the kernel, install a bootloader or sync we require net access again.

At this point you can start identifying URLs of individual files and download them. Personally at this point I'd copy the install of the air gapped system back across to the system with a net connection, boot the net exposed system using the SystemRescue CD (setup iptables as above then connect to the net) and chroot and pull kernel and bootloader files using emerge -avf your_selected_kernel_sources your_boot_loader. Then disconnect from the net and compare the air gapped system with the copy which should now have kernel and bootloader downloaded. I think copying the kernel_sources and your_boot_loader related files in usr/portage/distfiles to the air gapped system will be sufficient (copy the minimum required - start with distfiles only eg grub and gentoo-sources) to allow chroot in and finish off the install by emerging the kernel and bootloader, configuring and compiling the kernel and installing the bootloader. Taking this approach does not risk compromising the air gapped system but allows identification of any modifications made to the net connected system.

I'd check the air gapped system boots and then copy it back to the net system, and do an emerge -avfe world to pull source packages for the entire system. Do a diff and copy the information to the air gapped system (I think distfiles only).

After that I'd pull apps, xorg-server and other things I want then diff and copy across to the air gapped system in a similar way to the kernel and bootloader above.

There are several options in terms of maintaining an air gapped system after that, with pulling a snapshot and then downloading files for the update similar to the above being one approach. Booting from the SystemRescue CD each time will help protect against boot sector issues but will offer no protection against BIOS issues. Protection against something like badBIOS would need a bit more thinking about - and is one reason I'd use CD/DVD rather than a pen drive if I were so concerned about a compromised system.

The above does not really require any knowledge of the internal workings of portage, but you can streamline what needs to be synchronised to portage affected tree only rather than an entire system. I suspect setup of a build server using webrsync-gpg feature which you periodically connect to the net (random times/day of week) locked down and setup with cli only would be a better approach to maintaining systems. But then I don't know what sort of information you want to protect, how sensitive it is, what the consequences are for a system being compromised or how determined individuals/group of people are to gain access to your systems. I also don't know if using cli and framebuffer applications like links are sufficient for systems you do connect to the net which would allow a reduction of attack vectors.
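The record-while-online, re-check-after-reboot and diff steps above, as an added example that is not part of jonathan183's post or of any Gentoo tool; it assumes GNU coreutils sha512sum and a POSIX shell, and every file name in it is a constructed stand-in rather than a real distfile name.

```shell
#!/bin/sh
# Added example, not from the thread: save a checksum manifest of a download
# directory while the box is online, re-verify it after booting from read-only
# media, and diff two manifests to see what an 'emerge -f' run added or changed.
# File names used here are constructed stand-ins, not real Gentoo distfiles.

# Write one "sha512  ./relative/path" line per file under $1 into $2, sorted,
# so the manifest can be kept beside the downloads and re-checked later.
record_manifest() {
    dir=$1 out=$2
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
          sha512sum "$f"
      done ) > "$out"
}

# Re-hash every file under $1 against manifest $2. Returns 0 only if every
# listed file is present and unchanged; a missing or altered tarball (e.g. one
# modified after the online session) makes this return non-zero.
verify_manifest() {
    dir=$1
    case $2 in /*) manifest=$2 ;; *) manifest=$PWD/$2 ;; esac
    ( cd "$dir" && sha512sum -c --quiet --strict "$manifest" )
}

# Paths listed in manifest $2 but not in $1: after 'emerge -f' on the
# net-connected copy, these are the distfiles still to carry across.
new_files() {
    awk 'NR==FNR { seen[$2] = 1; next } !($2 in seen) { print $2 }' "$1" "$2"
}

# Paths present in both manifests whose hash differs. A distfile should never
# change under the same name, so anything printed here deserves a look before
# it is copied anywhere near the air-gapped box.
changed_files() {
    awk 'NR==FNR { h[$2] = $1; next } ($2 in h) && h[$2] != $1 { print $2 }' "$1" "$2"
}

# Walk through the procedure on a throwaway directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/online/distfiles"
    # constructed stand-ins for the stage3 tarball and the portage snapshot
    printf 'stage3 contents\n'   > "$work/online/distfiles/stage3-EXAMPLE.tar.bz2"
    printf 'snapshot contents\n' > "$work/online/distfiles/portage-EXAMPLE.tar.xz"

    record_manifest "$work/online" "$work/after-download.txt"   # while online

    # ... reboot from read-only media, then re-check the same directory:
    if verify_manifest "$work/online" "$work/after-download.txt"; then
        echo "downloads unchanged since the online session"
    fi

    # 'emerge -f' pulled more sources into the copy; list what is new
    printf 'kernel sources\n' > "$work/online/distfiles/gentoo-sources-EXAMPLE.tar.xz"
    record_manifest "$work/online" "$work/after-emerge.txt"
    echo "new distfiles to copy across:"
    new_files "$work/after-download.txt" "$work/after-emerge.txt"

    # a file changed under the same name fails verification and is flagged
    printf 'not the same bytes\n' > "$work/online/distfiles/stage3-EXAMPLE.tar.bz2"
    if verify_manifest "$work/online" "$work/after-emerge.txt"; then
        echo "unexpected: tampered file passed"
    else
        echo "verification FAILED, do not copy these files"
    fi
    record_manifest "$work/online" "$work/recheck.txt"
    echo "distfiles whose contents changed:"
    changed_files "$work/after-emerge.txt" "$work/recheck.txt"

    rm -rf "$work"
}

demo
```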

----------

## miroR

jonathan183, sorry for being this late in my reply. It's not recklessness, but slowness in doing these GNU/Linux things, I just employ time really, and have already mentioned that I can't do things quickly.

 *jonathan183 wrote:*   

> I think your main issue for the initial install is being unable to trust information you are able to download from the net without being able to complete some form of additional verification.
> 
> If I were in this situation then my approach to the initial install would be:-
> 
> To use trusted, read only media to boot from (a CD - not an image on a hard drive or usb pen drive), for which I think the SystemRescue CD is most appropriate.
> ...

 

I think I can grasp your basic idea how to do the air-gapped install. And I guess that may be a fine way to reach the same goal.

But my approach differs quite a lot.

There is no need for checking of any individual urls anymore for my approach, but a wholesale check of the entire local mirror.

( individual URLs only need to be checked/downloaded separately for non-GNU packages, but I shun those anyway )

And I explained that it isn't much of a fuss any more to update it (so I won't repeat it here). Only the initial download is really a lot of work, not the updating of it.

 *jonathan183 wrote:*   

> Personally at this point I'd copy the install of the air gapped system back across to the system with a net connection, boot the net exposed system using the SystemRescue CD (setup IP tables as above then connect to the net) and chroot and pull kernel and bootloader files using emerge -avf your_selected_kernel_sources your_boot_loader. Then disconnect from the net and compare the air gapped system with the copy which should now have kernel and bootloader downloaded. I think copying the kernel_sources and your_boot_loader related files in usr/portage/distfiles to the air gapped system will be sufficient (copy the minimum required - start with distfiles only eg grub and gentoo-sources) to allow chroot in and finish off the install by emerging the kernel and bootloader, configure and compiling the kernel and installing the bootloader. Taking this approach does not risk compromising the air gapped system but allows identification of any modifications made to the net connected system.
> 
> I'd check the air gapped system boots and then copy it back to the net system, and do an emerge -avfe world to pull source packages for the entire system. Do a diff and copy the information to the air gapped system (I think distfiles only).
> ...

 

Yup! The BIOS can be attacked when the system is exposed online. Or even through intermediaries (such as a pendrive) which were exposed. Sure, CD is better.

 *jonathan183 wrote:*   

> The above does not really require any knowledge of the internal workings of portage, but you can streamline what needs to be synchronised to portage affected tree only rather than an entire system. I suspect setup of a build server using webrsync-gpg feature which you periodically connect to the net (random times/day of week) locked down and setup with cli only would be a better approach to maintaining systems. But then I don't know what sort of information you want to protect, how sensitive it is, what the consequences are for a system being compromised or how determined individuals/group of people are to gain access to your systems. I also don't know if using cli and framebuffer applications like links are sufficient for systems you do connect to the net which would allow a reduction of attack vectors.

 

I just want true privacy (TM). Half-joking, sure, but I just don't want anybody being able to poke anywhere, or at least almost anywhere. Regardless what kind of information it was...

Anyway, talking of all the updating, believe me, once you have the local mirror, it's close to a breeze updating it, and it's just the distfiles/ folder that takes a few minutes or not much more (or maybe half hour if your access is turned down for political reasons like I am kept at miserable access by the regime in my country), say once in a week, and just the latest portage snapshot.

Then I run clamscan on it, as I showed previously, and then once I serve the mirror with apache for all (just a few in my case) the Gentoo systems on the SOHO, the rest of the checking portage itself is doing.

I still trust Gentoo devs to a great extent. Nobody can you trust fully, can you? Only trying to say that GNU/Linux itself is not any more fully trustworthy ever since SELinux is default in a number of distros.

Basically I wouldn't use your approach now that I have the local mirror, but it could be a fine shortcut for people with too little patience to build this version of the air-gapped Gentoo install that I have used here for myself.

Miroslav Rovis

www.CroatiaFidelis.hr

----------

## jonathan183

The method outlined would be my approach to being unable to trust information downloaded from the net without further verification/integrity checks in order to achieve a clean air gapped installation of Gentoo.

The method means I need to trust the SystemRescueCD which I can boot from, and the Gentoo teams producing the stage3 and portage snapshot to not be attacking me as an individual.

I'm also relying on the supply chain and the people who made the PC not attacking me as an individual (but that would apply equally to any OS I choose to install); Free BIOS https://www.fsf.org/campaigns/free-bios.html would help with this.

The air gapped system need have no network connection, it only needs to be able to read information saved from the net connected system and be able to write information that can subsequently be read by the net connected system - but this could be CD/DVD media.

My approach allows portage verification plus the use of diff tools plus any other verification you may want to do before changes are made live on the air gapped system (including portage tree updates).

You can trade some reduction in security for convenience and use USB drives, a network share or a private file/web server to get information to and from the air gapped system or not have an air gapped system at all.

You can have a local mirror, build servers or take other approaches to ongoing maintenance of the system after installation, as I said in the title of my previous post it only really dealt with the initial install of an air gapped system.

I work on the basis that the people attacking have greater knowledge and time to dedicate to the activity than I do to defence, so try to keep things fairly simple and minimise the things I have to trust.

I'm not expecting a knock on the door at 2am by armed police based on something I have on my computer, if I were then I would be using air gapped systems or better still not storing such information on a computer in the first place.

I don't claim to know more than you (or anyone else) about installing or maintaining a Gentoo system, I just provided my thoughts on an initial install for an air gapped system if unable to trust downloaded information without additional verification. If you have experience of systems being compromised after several hours on the net (which I get that impression from some of your previous posts) I would be cautious about connecting a system which has been on the net with an air gapped system at some point in the future even if this occurs over a private network connection.

----------

## miroR

 *jonathan183 wrote:*   

> The method outlined would be my approach to being unable to trust information downloaded from the net without further verification/integrity checks in order to achieve a clean air gapped installation of Gentoo.
> 
> The method means I need to trust the SystemRescueCD which I can boot from, and the Gentoo teams producing the stage3 and portage snapshot to not be attacking me as an individual.
> 
> I'm also relying on the supply chain and people who made the PC are not attacking me as an individual (but that would apply equally to any OS I choose to install), Free BIOS https://www.fsf.org/campaigns/free-bios.html would help with this 

 

Helpful it looks. When I get free time (busy, overwrought actually wrt my abilities, at this time), I'll enjoy reading it! The link.

EDIT START Wed May 14 02:42:47 CEST 2014

I just did. Really important link. Next, I should see if my MBO is supported with FreeBIOS. No. Neither Asrock Extreme4 nor Abit AT8 can I find on:

http://www.coreboot.org/Supported_Motherboards

But I do run almost only AMD64.

EDIT END

Regarding Gentoo, of course it is fair assumption that our great minds who gave us Gentoo are not attacking us! But on another note, even a historical person named Jesus had a traitor right among his closest friends, and every movement, association, you name it had theirs.

All other OSs but GNU/Linux are known to have sold their users. Just think M$, Apple. It's known; no wish to delve deeper.

One needs to beware of rotten apples. I don't think anyone can honestly find anything wrong with that.

 *jonathan183 wrote:*   

> The air gapped system need have no network connection, it only needs to be able to read information saved from the net connected system and be able to write information that can subsequently be read by the net connected system - but this could be CD/DVD media.
> 
> My approach allows portage verification plus the use of diff tools plus any other verification you may want to do before changes are made live on the air gapped system (including portage tree updates).
> 
> You can trade some reduction in security for convenience and use USB drives, a network share or a private file/web server to get information to and from the air gapped system or not have an air gapped system at all.
> ...

 

Your way is a fine shortcut of mine which is closer to true air-gapping.

I confirm that it may be a fine shortcut, but now that I have my local mirror, my way to install, actually only maintain my air-gapped Gentoo looks to me so much better to keep than to revert to your way.

We are not in conflict with our statements.

Cheers!

Miro

www.CroatiaFidelis.hr

Here is the work that is taking all of my time, all of my capabilities to fulfill:

http://www.croatiafidelis.hr/gnu/Flowstamp/

----------

## miroR

EDIT START 2014-10-31:

I have pointed to this post from the latest topic of mine:

Mutt without Portage/in Local Overlay, for Air-Gappers

https://forums.gentoo.org/viewtopic-t-1002146.html

And it is good to point out to the occasional reader that this whole issue is pondered over in more precise terms, and will possibly produce more lean and mean ways for us to install gnupg-1 and, in this case, the great Mutt program, where gnupg-1 can be put to exceptional use.

This long text below is still a good read, containing issues not discussed anywhere else.

EDIT END

I have just solved a problem. And I don't agree that verbosity like mine can be

really regarded as a problem (well not in most of the instances where I wear

and tear my keyboard copiously, I'm sorry for where I did exaggerate).

And this is why: it is because it wasn't anywhere really obvious how to solve

this problem.

Also, in some other places, not on Gentoo Forums to my knowledge, the

discussion on this problem that follows and which is easily solved in Gentoo

was, in all probability, censored (I will try and substantiate my claims in due

course).

And so it took me about a day, about some maybe 15 (fifteen) hours of wake, to

solve this problem for myself.

For that reason I argue to krinn (who was quite helpful and kind in a few

occasions with me, and that further above from him in this topic is not anger,

just advice), and to others who either write too cryptically or do things in

such way as to make those things hard to grasp, that mine is a good way to say

things, certainly in this case.

Namely, the less advanced users who read this will get what I grasped in such

long research, in maybe a half hour, plus maybe reading general manpages, wikis

and docs, if they're too new. So bear with me. Thank you.

I'll first post the problem as if I hadn't found the solution yet.

It's about GnuPG functionality that is getting disabled in some dev circles for

reasons of inclusions of GUI things and other layers on top of pure GnuPG.

[ I believe everybody understands that GnuPG as the paramount privacy program

fits well into this topic on Air-Gapped Gentoo install. ]

This is the normal behavior that I have been used to thus far, and that all of

a sudden I found was missing (real output, it's from a Debian box of mine where

the good old version is still the default):

```
me@DebianBox:somewhere$ gpg -s -a -b --output stdin_msg.sig -

You need a passphrase to unlock the secret key for

user: "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"

4096-bit RSA key, ID 4FBAF0AE, created 2014-01-16

gpg: problem with the agent - disabling agent use

Enter passphrase: 

I can try writing the message and see.

me@DebianBox:somewhere$
```

Just, for the average users like me to have the whole story, at the point the

GnuPG program (version 1.4.16 in this case) itself (and not any popup gui

little window) asked right there on the terminal:

```
Enter passphrase: 
```

it waited for my input, and once I typed it, left a blank open whitespace for

me to type more, and then I typed in the message above as shown, which message

I terminated with an Enter (Enter is equivalent of typing a LN, newline

character), and a Ctrl-D, upon receiving which signal the good old GnuPG gave

me back the command prompt and deleted from view the lines:

```
Enter passphrase: 

I can try writing the message and see.
```

But I'm showing them above so non-advanced users can get a chance to understand

more easily too. In my opinion, teaching is a better way of rendering GNU/Linux

more usable than GUIs and stuff.

Now I go and see that the plain text file stdin_msg.sig that GnuPG just created

in my directory will verify the same text as the one that is signed.

```
me@DebianBox:somewhere$ gpg --verify stdin_msg.sig -
```

At this point the GnuPG 1.4.16, the current default in Debian, waited for my

input, which had to be the exact same as what I entered previously. So I typed:

```
I can try writing the message and see.

gpg: Signature made Wed 14 May 2014 10:10:03 AM CEST using RSA key ID 4FBAF0AE

gpg: Good signature from "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"

me@DebianBox:somewhere$ 
```

Because anything else other than that exact line doesn't verify.

```
me@DebianBox:somewhere$ gpg --verify stdin_msg.sig -

I can try writing anything else and see.

gpg: Signature made Wed 14 May 2014 10:10:03 AM CEST using RSA key ID 4FBAF0AE

gpg: BAD signature from "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"

me@DebianBox:somewhere$ 
```

The GnuPG 1.4.16 where it worked on my Debian distro still has in its manual:

 *Quote:*   

> --use-agent
> 
>        --no-use-agent
> 
>               Try to use the GnuPG-Agent.  With this option, GnuPG first tries to  connect  to
> ...

 

while the GnuPG 2.0.22 on my freshly air-gapped installed Gentoo has in its

man page:

 *Quote:*   

> --use-agent
> 
>        --no-use-agent
> 
>                This is dummy option. gpg2 always requires the agent.

 

I so much like the working --no-use-agent option, and don't want the latter. I

don't want to need Qt or other GUI yet on top of another tool, this gpg-agent

already on top of GnuPG, to remember my most important password data in my

stead, I will be happy with GnuPG 1 till doomsday.

I have searched for gnupg, and here's abbreviated output:

```
gbn miro # emerge -s gnupg | grep -A1 'app-crypt'

*  app-crypt/gnupg

Latest version available: 2.0.22

--

...[snip]...

gbn miro # 
```

No GnuPG 1 available in Gentoo. gpg2 won't work without gpg-agent and Qt or Gtk

or whatnot.

Have a look. This is the whole output if I try with a similar line:

```
me@GentooBoxPREVIOUSLY ~ $ gpg -s -a -b --output stdin_msg.asc -

You need a passphrase to unlock the secret key for

user: "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"

4096-bit RSA key, ID 4FBAF0AE, created 2014-01-16

gpg-agent[30889]: can't connect to the PIN entry module: IPC connect call failed

gpg-agent[30889]: command get_passphrase failed: No pinentry

gpg: problem with the agent: No pinentry

gpg: no default secret key: Operation cancelled

gpg: signing failed: Operation cancelled

me@GentooBoxPREVIOUSLY ~ $
```

Doesn't look nice.

So, short of abandoning all things in my life and studying the source, to not

say more, because my opinions are often too strong not to ruffle feathers (pls.

note that I am not saying anything that is in anyway overly critical here)...

So... short of working the GnuPG 2 source and portage the sole thing in my

life for at least a year (only joking, I can not do that)... so what are my

options?

I don't want gpg-agent and guis here...

Is it that the sole option for me is then, in Gentoo, compiling the GnuPG 1

source myself (even that is huge work for average users like me)?

Miroslav Rovis

www.CroatiaFidelis.hr

That was the problem on my hands that I had before I found the solution. The

thing is, again, the solution isn't obvious, and it is likely that many

non-advanced but GNU/Linux real lovers like me will like to know it, and I

don't want them stuck in this status that I was for the fifteen (15) waking

hours.

I'm back in just a few minutes, Vis Major allowing (Latin, not English: read

maayawr, only pronounce vowels pretty short, like in stun, goggles, not like in

talk, are).

Miroslav Rovis

www.CroatiaFidelis.hr

Last edited by miroR on Fri Oct 31, 2014 9:37 pm; edited 2 times in total

----------

## miroR

I tried to find what portage holds to tell on the matter.

```
GentooBox me # emerge -s gnupg | grep -A1 'app-crypt'

*  app-crypt/gnupg

      Latest version available: 2.0.22

--

...[snip]...
```

Also

```
GentooBox me # emerge -S gnupg
```

gives similar results only.

And here I went and searched ddg.gg (That's the shortcut address you can type in

the address bar to search the DuckDuckGo engine. I don't use Google. The

Schmoogle hates me, they terminated my account of over 500 (five hundred)

videos on Youtube on their own falsehood, so I don't use that Surveillance

Engine, and this is a note that also fits here, because here in the Air-Gapped

install we don't want surveillance.).

I searched a lot, and read a lot, and I finally stumbled upon the end of two

exact cryptic enough to not be readily perceived, and that is a fault as well,

but of course I don't blame it on the good developer in question further on,

but on the community. What I mean is, all of us should care to spread the good

information to the less advanced than we are. And why not e.g. make it possible

to find that information somehow in the emerge -s or at least emerge -S

output? Or was it in the eselect news? I don't think so.

So, finally, this is where the information is:

security risk with gpg

https://forums.gentoo.org/viewtopic-t-987174.html#7534990

how to disable (sanitize) gpg2 GUI features (pinentry)?

https://forums.gentoo.org/viewtopic-t-639272-postdays-0-postorder-asc-start-25.html#7534996

It does look obvious now, but it's easy to say that once you are underneath

that tree in the forest, but the forest that tree is in is huge...

I solved this issue for myself, and I can post more on it next, but the main

purpose of this post is giving those two links above, so this is enough for

this post.

Also next, I will try and substantiate the claim on how a particular

information on some of the related development issues is somewhat mysteriously

unavailable, I used a bad word: possibly censored. Again, not on these forums.

Elsewhere. But that is not so urgent, if I don't properly prepare the text soon,

bear with me longer...

Miroslav Rovis

www.CroatiaFidelis.hr

----------

## miroR

The first link given is the post in the topic "security risk with gpg" with

this exact address local to topic:

https://forums.gentoo.org/viewtopic-t-987174.html#7534990

where this is the information for us:

 *khayyam wrote:*   

> ... that said,

 

which doesn't interest those who want to use password verification on the

command line straight by GnuPG, which is explained above. Of course no one is

saying Thunderbird with Enigmail, and other GUI based applications are bad, but

I will prefer to be spending more weeks again, like I already spent numerous

weeks earlier, to use Mutt with GnuPG, again in this new Air-Gapped install (on

a system cloned from it in a renewable/clonable environment from the master

--to not leave what I just said unclear to beginners, I clone systems, and that

can be done most easily say btwn two exact same MBO, and similar if not same,

other hardware. 'man dd' and other docs, wikis and forums, I wrote about that

somewhere too--).

The master Air-Gapped will always remain air-gapped from the world, as long as

there isn't a knock on the door, followed by some torturous conditions

/persecution that some of my friends --about whom not here-- already were

subjected, very very early some morning on my door as well...

This is of interest to us:

 *khayyam wrote:*   

> I've masked > gpg-1 as the who pinentry thing is broken IMO. 

 

EDIT: 2014-12-02 there was a "/" lacking in the closing quote above, was very unreadable

but we can only understand it because of:

https://forums.gentoo.org/viewtopic-t-639272.html#7059670

 *khayyam wrote:*   

> As gnupg has no native method, and uses pinentry, this means
> 
> there is no current method of escaping one or other "interface". If you were
> 
> happy with how it once was, when a command line interface was an 'option', then
> ...

 

Nothing can I allow myself to add there.

Other than, dear air-gappers, that we, the real users, need to keep the

requirement alive to have the old way available that *khayyam wrote:*   

> a command
> 
> line interface

  must remain  *khayyam wrote:*   

> an 'option'

  in

GNU/Linux _forever_.

Here is the solution that, as I said, and I surely never ever tried to blame

the actually clear sight of this tree in the Gentoo forest (but in the huge

forest as explained earlier), but the community, even other users like me who

take the good news and don't care to spread it.

And the second link given is the post in the topic "how to disable (sanitize)

gpg2 GUI features (pinentry)?" with this exact address local to topic:

https://forums.gentoo.org/viewtopic-t-639272-postdays-0-postorder-asc-start-25.html#7534996

 *khayyam wrote:*   

>  *gw wrote:*   How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste? 
> 
> gw, et al ...
> 
> I got *so* fed up with pinentry screwing up the tty when editing with vim I decided to do something about it, and so I'm bumping this just to say getting the old behavior is infact possible.
> ...

 

This is actually a complete explanation, newbies only need 'man emerge' and

associates here.

I'd like to add how I got the signing in git working on Gentoo the old GnuPG

way, though, as another good example, while, and that's the bad example, how I,

again, couldn't sign with GnuPG (even though it was GnuPG 1) from git, in

Debian.

Why? Because it is, and this is not an exaggeration, I quoted above khai's

opinion which you cannot disregard in that matter, it is probably what is lying

in wait for us, in most any distro of GNU/Linux, unless we oppose it, we the

real users who want True Privacy and Freedom which GNU/Linux still has strong

and proud running in its veins.

The example will be what I only mentioned here:

Scripts to automate jigdo download

http://forums.debian.net/viewtopic.php?f=16&t=110503&p=540691#p540691

but then I veered off and explained what did work in Debian, instead of

explaining what didn't, so this:

gpg-agent now forced upon users of GnuPG

http://forums.debian.net/viewtopic.php?f=3&t=114427

is not complete, as of the time of this writing.

(and neither can I give the example that I meant first there, and now meant to

give it here, in this post, now, but hope to give it in the next post. I can

see that I can't because I'm giving a last proofreading to this text now...)

Having given the link to "gpg-agent now forced upon users of GnuPG" that I will

take an excerpt just next further on too, I believe I also substantiated my

claims about possible censorship that I mentioned two posts ago, and repeated

in the last post.

For a quick revision of what could be censorship, and without cross-posting,

but only extracting the precise information, that I would like to put forth a

few comments/quests for further insights/opinions about, I would like to quote

just this part of what I wrote there (why would I need to repeat those same

facts in new words?):

 *miroR_on_Debian wrote:*   

> http://www.gossamer-threads.com/lists/gnupg/users/58785
> 
> [[ still looks like having been cut short, because there are issues that cry so
> 
> loud in there, so loud, they break from in between the lines very forcefully,
> ...

 

Of course it could be an error, but I chose my words appropriately: probably it

is not error, but censorship, because, some people somewhere just don't want

users to know all that is going on.

That is, thanks to http://www.gossamer-threads.com , who IIUC also host Gentoo

on their servers, the information that can be gleaned from the thread on

gossamer-threads (but not from the archives on

http://lists.gnupg.org/pipermail/gnupg-users/ .

Pls. be quick in checking the links above, because when some people notice that

the possible censorship is discovered, they rearrange things to control the

"damage"!

In case this has already been done following the posting of my now offtopic'ed

post on Debian Forums:

gpg-agent now forced upon users of GnuPG

http://forums.debian.net/viewtopic.php?f=3&t=114427

I'll see what I can do, but I don't expect that it has been. If it already has,

I'll expand the next plan onto previous screencast/dumpcaps that I take when I

go online (see...

But just in case, after this post, I will put to some use my modest

(beginners/immediate-level) understanding of cryptography and give the sums of

both the screencast and the dumpcap that I will take, as soon as I try to post

this online, of that my next, soon to be, time online (I almost always write

offline, and then post entire prepared text(s) quickly).

I then could, whenever in the future, not necessarily while this matter is hot,

work the Screencast taken with my Flowstamp program, some day, like here an

example of its use:

http://www.croatiafidelis.hr/gnu/Flowstamp/

[ * ] read in bottom of this post on that

Because I'm here above limiting my talk to the possibly censored gpg-agent

imposition on users, for some marketing purposes.

So I'll now try and take screencast/dumpcap of Gossamer kept mailing list topic

"pipe passphrase to unlock key", and same topic "pipe passphrase to unlock key"

being lost on http://lists.gnupg.org/pipermail/gnupg-users/ , archive them and

transfer them in the air-gapped way safely first:

[[ another useful advice is growiso line in this article on Debian Forums:

Poor User's Defences, Basic Anti-Surveillance for Debian

http://forums.debian.net/viewtopic.php?f=3&t=111906&p=540730#p540730

[ but the subtopic is: "How to transfer files the air-gapped way" and yes it

works great on Debian sure, just search for growisofs there ] ]]

then only I'll give their SUMS here, and probably only then continue with the

more important topic of gpg-agent and guis imposition on GnuPG users, but

probably in the next post, Vis Major (see pronunciation in some previous post)

allowing.

[[ Not later, but before the posting the sums, because nothing changed nor on

gossamer nor on gnupg-users proper:

```
f5d649af5ca4935ce90b5193e08cd53c955d173e9c122458418820ea1f2ab8da  dump_140515_032910_naibd6.pcapng
0318a42acce3e71ce085db3a11f9b38840af4dbd34bbc8f898fa7ce3976ca86a  Screen_140515_032907_naibd6.mkv
```

and I hope I won't need to use them. ]]

There, I gave all what I planned in the previous posts, and promised the git

in Debian not allowing GnuPG one to sign, and git on Gentoo signing proud and

well my jigdo-automate-scripts local git repo, which is a promise I intend to

keep.

And also I said how I would like to put forth a few comments/quests for further

insights/opinions about that thread extant on gossamer-threads (but not from

the archives on http://lists.gnupg.org/pipermail/gnupg-users/ That thread is

worth of careful perusal.)

But let's first wait and see if there are feathers ruffled here again.

There shouldn't be, as far as GNU/Linux nature of freedom goes, but...

I would actually like I could finish this sooner, but the gpg-agent and guis

imposition where passwords are is driving me a little angry...

I'll be sleepless tonight again. Because, this third post of this sequence of

the last, what, already some twelve hours maybe, is done, but the finishing

talk, the analysis what is at stake and why the precious information is not

very available at all in regard to the imposition of agent and gui around where

the passwords go, has to be done in the hot, as soon as possible.

Vis Major allowing,

Miroslav Rovis

www.CroatiaFidelis.hr

All links screencast/dumpcap captured/checked and alive except for the
intermittently showing/not showing one:

Libav (Avconv) Imposition on Users who want FFmpeg

https://forums.gentoo.org/viewtopic-t-7539612.html

```
b3d84c55395f4a9ff4960953c50dfb1c5db652430e7b3e4d71abbd6bc79e86e6  dump_140515_034426_naibd6.pcapng
906ef32aefefde02e9608b616f9e124955350def0879c6efda9df04f4657a4dd  Screen_140515_034422_naibd6.mkv
```

############ pls. what follows is of difficult explanation ####################

############ skip it altogether as soon as you start suspecting ###############

############# it might be of no interest to you, boring, or simply ############

#############               too complex             ###########################

On the example which can be studied and should be easily accessible on:

http://www.croatiafidelis.hr/gnu/Flowstamp/

Here anyone can see the video is showing:

Libav (Avconv) Imposition on Users who want FFmpeg

(currently --I'm proofreading the next last time, no, it started showing again

on the original address too-- only at:)

https://forums.gentoo.org/viewtopic-t-989196.html

(but the addresses changed for some erroneous conditions, as can be studied

from same name topic on FFmpeg-users list archives, that was originally:

https://forums.gentoo.org/viewtopic-t-7539612.html

and that changed quite a few different addresses which is unusual

(I just tried, and from my Flowstamp page ffmpeg-users list archives were not

accessible to me at all, just a while ago, ddg.gg as a try to see if I had a

different error, was accessible and searchable, luckily I learned exactly on

FFmpeg-users list, and this is also something useful to Air-Gappers, to use

isup.me and it was not just me:

http://www.downforeveryoneorjustme.com/ffmpeg.org the site looked down from

there too --no, I don't blindly believe isup.me is truthful..)

I was trying to post that:

Libav (Avconv) Imposition on Users who want FFmpeg

https://forums.gentoo.org/viewtopic-t-7539612.html

was originally the  address of that topic. The very first one. It can be

seen that that address was alive at the time the topic was started:

[ missing that exact address at the time of even next last proofreading no more

reading, but link alive to find, it's the second post of the thread, not the

first: https://ffmpeg.org/pipermail/ffmpeg-user/2014-April/021023.html ]

Libav (Avconv) Imposition on Users who want FFmpeg

which start was not available for me to find now on the good ole FFmpeg

original list, but, the linked from my Flowstamp page above to a later time in

that topic:

https://ffmpeg.org/pipermail/ffmpeg-user/2014-April/021052.html

shows the SHA256SUMS of the screencast demo and the accompanying dumpcap, and

they were taken obviously at the time of that post in April, the same one

SHA256SUM of the screencast being the one flowstamped onto the demo video

[[ if at least two persons want to check that I have that video, and to

publically confirm or deny here, within reasonably short time (say, certainly

not hours after my posting of it), that the sum is correct, I can post the 20M

original screencast for readers' confirmation on CroatiaFidelis.hr as well ]]

and on the Flowstamp demo you can see around 0:00:42 seconds from beginning,

and at that exact time you can see the title nicely, but also around that time

you can see that the address:

https://forums.gentoo.org/viewtopic-t-7539612.html

was alive and well also at that later time.

Today, e.g., the address was intermittently on and off, and I still have that

screencast how that original address was off, and how from Portage and

Programming the link to that topic is instead:

https://forums.gentoo.org/viewtopic-t-989196.html

[[ server should be fixed in this respect ]]

Last edited by miroR on Tue Dec 02, 2014 1:09 pm; edited 1 time in total

----------

## miroR

No, the night has been sleepless, and I started some analysis as I said in the

immediately preceding post, but I am growing sick tired.

Good day (night is over in Europe)! Going to sleep,

Miro

----------

## miroR

I believe I am entitled to, by mere fact of being user of it, and having some

plain human logic available in my mind, on the thread extant, but is it

incomplete?, on gossamer-threads (but unavailable from the archives on  gnupg-users

lists), say my finishing analysis on the obvious facts, those that I said on

Debian that cry out forcefully in between the lines.

But is it incomplete? Ciprian, the contributor Ciprian Craciun (if that is his

complete first and last name) judging from the address ciprian.craciun at gmail

(probably dot com or some other extension) just doesn't look like someone who

would want to bail out just after that, last extant for the public, mail by

Werner Koch, which certainly does not make for any kind of logical conclusion

in the topic, any kind of settlement to the issue exposed.

If some kind reader was subscribed to gnupg-users at the time of the (possibly

stumped) discussion in question and have the archives, they can look up and see

if there are any more messages, and I believe it is in the public interest of

GNU/Linux community that the (possibly) remaining messages be re-published, for

all of us to read.

On the careful perusal, I am not knowledgeable enough to figure out all the

scripts that are there without delving for numerous hours in Bash, and I don't

have another half day time now for that purpose. If anyone is willing, and so

many people here can figure out these scripts in a breeze, what am I saying,

can read scripts like drink water, that would be great (but I know, devs are

often too busy).

But upon another reread of that thread, I'd like to comment on a few places.

Most of the following discussion was held on Jul 31, 2012 and the

mailing list archives on Gossamer are the sole source, where you can correct

me if I made any mistakes as I reproduced it here. The following are all plain

copy-pastes, and it's a reconstruction adapted for forums view.

Some parts are visible in only one place, and weren't (or it seems now that

they weren't, but they were) replied to, most notably the Ciprian's mention how

"double forking is very bad, and should be done only in exceptional cases...

(And the GnuPG or SSH agents aren't one of those cases...)" at the very end.

Typos are kept as they were mistyped (such as: "no-user-agent" instead of

"no-use-agent").

 *Werner Koch wrote:*   

> 
> 
>  *Ciprian Craciun wrote:*   
> 
>  *Werner Koch wrote:*   
> ...

 

Now, in my strong opinion, and for strong opinions I am becoming notorious for

 :Wink:  , while the forking (which is plain for perusal just above here in this

text that you're reading) I can only leave to big guys if they wish to

enlighten us mere mortals or fractions of programmers, just somewhat

programmers like me, there is, not many lines above from this place in this

text of mine, these statements, and by Werner Koch.

Werner implemented the new changes, IIUC, that the marketing requires to make

GNU/Linux "usable", and there is, not many lines above in this text, the

admission, and I believe him...

Sincerity is always good, honesty is always good, even when it sheds light in

such a way that leads to understand that what you programmed was, well, wrong

thing to do... 

Sincerity is so much better than lying, in all but the cases where, such as

saving Jews in WWII, you lie that they weren't in your basement... 

And Werner, I hope you'll be reading this some day, in the first place I thank

you for your sincerity and honesty.

That you were taken to do programming for such stupid purposes is a matter for

your thinking how to revert it, even against the tide of the insane drive for

marketing (and I don't want to say what is obviously deeper yet inside that

drive in this post Edward Snowden revelations era).

But your sincerity and honesty recovers your clean face here in great ways.

This is that statement:

 *Werner Koch wrote:*   

> 
> 
> The agent is not for the passphrase. The passphrase handling code is
> 
> only a minor function block. 

 

A minor function block, but I'd need all that stupid little password intaking

GUI (huge code programs by definition) on top of an agent with all the other

huge code (of which the passphrase handling code is a minor fraction), which

agent would lie around with my passwords all the time, because, why?, GnuPG

couldn't do that anymore on its own, got old and senile for some reason?

C'mon, all you marketeers, give us users with some logic still running a little

in our minds, a break!

I want to end this fourth post, in this sequence on gpg-agent imposition, which

is part of Air-Gapped Gentoo Install, Tentative topic, on that note.

I think now I have unfinished only on the git on Debian not intaking password

for GnuPG 1 when trying to sign a tagged release, and Gentoo doing the same

correctly, cases.

But I am somewhat tired here. I'll see how I should deal with that yet. I've

been busy on this sole topic of gpg-agent and guis taking away the simple

password handling work from GnuPG bully-style for more than one day (24

hours) by now... 

Of course now I need to be available in more hours from now and reply back

within relatively short time if I receive any replies on this topic.

A caveat: I did notice some errors (too tired to analyze, though), not much, on

the Debian system that I use to connect and post. If I were not to reply, it

could be a successful attack on that my sole exposed system (attacks on my

systems did happen, just a note for readers who jumped in here from

elsewhere, read and find links to Grsecurity Forums with undeniable attacks on

my systems; find them somewhere roughly at the beginning of this very topic

on Air-Gapped install, here on Gentoo Forums.

Miroslav Rovis,

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

I've got something pretty much fairly connected to this topic, but it's not

ready at all. It should be, because I'm very interested to understand more

about it.

It's really connected to the topic right in the root, because surveillance is

the reason for air-gapping.

Here:

```
e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201  dump_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.pcapng
b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4  Screen_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.mkv
```

I'm dead serious. You will probably enjoy the analysis. However, if i make it,

because it's not ready at all, and it'll take probably days, and if Vis Major

(Lat.) be of help.

It's not at all connected to anything close to the errors on Gentoo server

that

I pointed at, so they be corrected, not at all, because I never reached

anywhere near in this short, poignant, getting proverbial in our circles,

story.

Patience,

EDIT START: Wed  4 Mar 19:20:46 CET 2015

And the mystery is now plain for everybody to scrutinize:

< this same topic, same page you're reading >

https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7712012

EDIT END

Last edited by miroR on Wed Mar 04, 2015 6:22 pm; edited 1 time in total

----------

## jonathan183

 *miroR wrote:*   

> It's really connected to the topic right in the root, because surveillance is
> 
> the reason for air-gapping.

 

I don't think the pgp issue is air-gapped system specific, I think it's better as a separate thread that mentions pgp specifically. People may have different reasons for an air-gapped system, including having a PC with no network interface. Someone wanting to deal with pgp would also not necessarily look at a thread with title air-gapped systems. Also just because someone is running an air-gapped system does not mean that a gui interface is a problem.

Masking individual packages is not unique to air-gapped systems, and has little impact on the overall approach either IMO ...

if you don't want the gtk or qt4 agent frontends building then use something like 

```
echo 'app-crypt/pinentry -gtk -qt4' >> /etc/portage/package.use
```

if you don't want an agent at all then use something like

```
echo '>=app-crypt/gnupg-2.0.2'  >> /etc/portage/package.mask
```

The wiki page for https://wiki.gentoo.org/wiki/GnuPG#Final_thoughts_and_Credits might be a better place for this sort of thing  :Wink: 
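An added helper for the two `echo >>` lines above (not from jonathan183's post and not Portage's own tooling): it appends an entry only when that exact line is not already present, refuses entries whose first word is not a category/package atom, and also copes with package.use or package.mask being a directory, which Portage accepts. The target directory here is a constructed temporary one standing in for /etc/portage.

```shell
#!/bin/sh
# Idempotent editing of Portage's package.use / package.mask entries.
# Added example for this thread; it is not Portage's own tooling.

# portage_target FILE: Portage accepts package.use and package.mask either as
# a single file or as a directory of files. Print the file that should receive
# a new line: FILE itself, or FILE/local (our choice of name) when FILE is a directory.
portage_target() {
    if [ -d "$1" ]; then
        printf '%s\n' "$1/local"
    else
        printf '%s\n' "$1"
    fi
}

# portage_has_entry FILE LINE: exit 0 if exactly LINE is already present.
portage_has_entry() {
    target=$(portage_target "$1")
    [ -f "$target" ] && grep -qxF -- "$2" "$target"
}

# portage_entry_count FILE LINE: how often LINE occurs (0 or 1 after using
# portage_add_entry; a plain 'echo >>' re-run would make it grow).
portage_entry_count() {
    target=$(portage_target "$1")
    [ -f "$target" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$target" || true
}

# portage_add_entry FILE LINE: append LINE unless it is already there.
# The first word of LINE must look like category/package (optionally with a
# version operator such as >=), which catches the most common typo in these files.
portage_add_entry() {
    file=$1; line=$2
    atom=${line%% *}
    case "$atom" in
        */*) ;;
        *)  echo "portage_add_entry: '$atom' is not a category/package atom" >&2
            return 2 ;;
    esac
    portage_has_entry "$file" "$line" && return 0
    target=$(portage_target "$file")
    mkdir -p "$(dirname "$target")"
    printf '%s\n' "$line" >> "$target"
}

# Constructed demo directory standing in for /etc/portage (assumption).
PORTAGE_DIR=${PORTAGE_DIR:-$(mktemp -d)}
USE_FILE="$PORTAGE_DIR/package.use"
MASK_FILE="$PORTAGE_DIR/package.mask"

# The two entries from the post, each added twice to show nothing duplicates.
portage_add_entry "$USE_FILE"  'app-crypt/pinentry -gtk -qt4'
portage_add_entry "$USE_FILE"  'app-crypt/pinentry -gtk -qt4'
portage_add_entry "$MASK_FILE" '>=app-crypt/gnupg-2.0.2'
portage_add_entry "$MASK_FILE" '>=app-crypt/gnupg-2.0.2'
```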

----------

## miroR

 *jonathan183 wrote:*   

>  *miroR wrote:*   It's really connected to the topic right in the root, because surveillance is
> 
> the reason for air-gapping. 
> 
> I don't think the pgp issue is air-gapped system specific, I think it's better as a separate thread that mentions pgp specifically. People may have different reasons for an air-gapped system, including having a PC with no network interface. Someone wanting to deal with pgp would also not necessarily look at a thread with title air-gapped systems. Also just because someone is running an air-gapped system does not mean that a gui interface is a problem.

 

You are simply right. It did dawn on me, but most of it was already posted by the time it dawn on me.

In my defence, I have to say that I was very much annoyed with this kind of behavior:

A case of actual protection of my Gentoo box by Grsecurity

https://forums.gentoo.org/viewtopic-t-967806.html

[ * ]

where the case for Grsecurity is undeniable really...

and where the same, even much stronger opinions, as well as the same link, on my side were not at all off-the-walled here:

NSA SELinux Support???

https://forums.gentoo.org/viewtopic-t-984066-highlight-grsecurity.html

 *jonathan183 wrote:*   

> Masking individual packages is not unique to air-gapped systems, and has little impact on the overall approach either IMO ...
> 
> if you don't want the gtk or qt4 agent frontends building then use something like 
> 
> ```
> ...

 

You do bring a little new here, in a minor way, and, you repeat some that is already stated, and at least twice, some also in great detail because I often have newbies in mind, in the previous posts, but you are expanding a topic that we agree doesn't belong here.

However, air-gap principally is done for countering surveillance on oneself, because install on a PC with no network is simply an offline install.

But pls, let's not dwell on this, pls. Let's agree to differ in some points.

I'm sorry for having damaged the thread and not created a separate on gpg-agent marketeering imposition! I'll try and not diverge this much again here.

 *jonathan183 wrote:*   

> The wiki page for https://wiki.gentoo.org/wiki/GnuPG#Final_thoughts_and_Credits might be a better place for this sort of thing 

 

Absolutely right! That crossed my mind too! But I am so slow at doing these things (I'm an older man). The information ought to be included there for all clear and easy to find! Absolutely right!

Miroslav Rovis

www.CroatiaFidelis.hr

[ * ] what I was incoherently trying to say, is sometimes I am a little fearful of opening new topics, such misbehavior like those people's, hurt.

----------

## miroR

Today, I will first start with the assumption that the majority of the readers

understand like me, that air-gapped install doesn't just mean simply an offline

install when you don't have something like a network card on a particular

system, right?

No, air-gapped install means an install offline with the purpose of countering surveillance.

It means installing in such way as to be defended.  Say, to retain defence such

as what the Iranians unsuccessfully believed they did, when they attempted to

hide their nuclear plants infrastructure, but which air-gapped systems of

theirs were straddled into by Israelis' (whose nuclear plant at Dimona location

the "International Community" tacitly allows) and U.S. of A.'s Stuxnet virus

nevertheless.

I gave the example for the figurative purpose to hit your imagination well.

Those were air-gapped systems. And by top hackers of one capable state. And

they were broken into. Remotely!

Of course in our case, it's just defending your own, by your own country's

Constitution guaranteed:

privacy

and no weapons/other bad things/anything illicit to hide.

In fact, if I knew, I would help discover bad people, and never help them hide.

I mean really bad people, not good people like (most of) the anonymous when

they, for morally justified purposes, deface Visa  and other institutions

because those institutions committed, well, very arguably in the least, crimes

or immoral acts (such as preventing people to contribute to Wikileaks).

I hope I can assume that it's anti-surveillance in protection of your privacy

the meaning of this topic here, the "Air-Gapped Gentoo Install".

If that is so, then maybe the broad excursion into GnuPG in the previous posts,

is not such incompatible digression, not so very much out of place, although a

separate topic and a link to it would have been a better solution.

I mean, why would you be wasting your time building Air-Gapped Gentoo, if the

most valuable little information, your password, that protects you with your

encrypted or other communication is then much more easily guessed/leaked

because you introduced more programs that unnecessarily "guard", fork, convey

around your password?

But I stumbled upon one other thing that evades most users, and many devs

refuse to see it, and surely not all programmers are like Gentoo developer khay

whom I quoted and thanked, in the previous posts on GnuPG, for saving GnuPG 1

for us in Gentoo distro for some more time into the future.

Really there are strange things going in GNU/Linux, which are not good for

users, and are not done for the sake of users, but other reasons.

I was having a break, a week or two now, from struggling with my Gentoo. I was

using it, not building it, for a while...

What I did, is, I managed to get cgit deployed on apache, so I could have my

git sources available on my SOHO, and got into git enough to shape, somewhat,

my two really simple (but still useful, and used by some Debian circles)

programs, the only two currently on:

https://github.com/miroR/

after which I was now into preparing the real prerelease of my Flowstamp

program, as I announced:

http://www.croatiafidelis.hr/gnu/Flowstamp/

preparing its source for publishing on github.com.

But then I noticed that I needed to make a sensible demo, because the hastily

made one currently available on the link immediately above was too

unrepresentative...

And I was preparing various videos for a compilation, during which time I

understood that I needed to record a voiceover, and tried recording on my new

Gentoo system...

But, pulseaudio, alsa and things are still not sorted.

And so I went on and tried to fix those things.

Not easy at all.

But in the process I acquired some insight about some ways and ... *kits

relatively recently introduced into Gentoo.

And that is what, again, I feel somewhat titubant to post here, but (I'm in the

proofreading phase, where else does this possibly fit so well, other than in

this surveillance-aware topic?).

...So I kindly ask you to bear with me a little longer, because my point is not

at all easily made in just a few sentences.

I want to start with other contributors' points made elsewhere. The focus of

your attention as you seek to understand why I claim it has a lot to do with

building a good Air-Gapped system, in this story should be on the following

one:

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers

https://forums.gentoo.org/viewtopic-t-858965-postdays-0-postorder-asc-start-325.html#7164546

That was in response to:

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers

https://forums.gentoo.org/viewtopic-t-858965-postdays-0-postorder-asc-start-325.html#6960232

And, to not clog this post on top of my never terse nor short writing, just the

point (I allowed myself the freedom to introduce only spacing, actually quite a

few newlines, the words are verbatim):

 *miket wrote:*   

> 
> 
> ...[snip]...They force us to go through all of this just so they can support a very specialized usage case.
> 
> How many people do you know who run computers with multiple keyboards and monitors
> ...

 

Now, I'll try and make the right point, for us, who don't want to allow

surveillance on us.

Did you notice the term "seat" above? You did because I put it prominently.

That it may be more easily understood what it is, on top of what can be gleaned from the page which I will give here only the title "Tips and tricks for ConsoleKit, PolicyKit, and udev helpers", because there are already three different links to it in the text (obviously I'm at proofreading), I can try and offer those who want to venture and understand more precisely what it is:

http://www.manpagez.com/html/PolicyKit/PolicyKit-0.9/polkit-polkit-seat.php

where it states:

Seat — Represents a ConsoleKit Seat.

EDIT START Thu May 29 02:00:21 CEST 2014

or much better yet:

http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.html

where there is the precise definition:

A seat is a collection of sessions and a set of hardware (usually at least a

keyboard and mouse). Only one session may be active on a seat at a time.

EDIT END

But I don't have the time, nor I want to go into those. I only want to post

what I can not agree with, because it it not in the interest of the users,

because it is not Free programming for good people which is what GNU/Linux has

always been...

Because...

Because consolekit/polkit, dbus and stuff can well be programmed so that, added

more infrastructure (that us users sure will not be told about, other than in

leaks like Edward Snowden's, whom my thanks go), some seat(s) on a user's

machine can well be remote and for a less knowledgeable user, completely

unnoticed by him/her!

Some seats can well work remotely on a poor Joe user's computer even while he's

sitting at it.

Pls. bear in mind that NSA got its SELinux in so many computers, thanks to

dear leader Linus accommodating for it.

Read here about that genius:

NSA SELinux Support???

https://forums.gentoo.org/viewtopic-t-984066.html#7501068

which creaker's wise words I repeat later on in the same thread 

(

so while you're there, take notice of the mention of Grsecurity, the sole true

counter measure against spying-under-pretence-of-security which SELinux is...

===

A note within this note in parenthesis: basically, Grsecurity fixes what Linus

leaves open and unprotected for whichever reason in the GNU/Linux kernel, and

that seems to annoy the genius very much... It's a real though subdued war out

there, and Grsecurity had a moment of mild failure for a few days, exactly

after a major contribution by, wait, wait!... by the Dear Leader himself...

Find more from me on that failure after that contribution here:

Grsecurity/Pax installation on Debian GNU/Linux

http://forums.debian.net/viewtopic.php?f=16&t=108616&p=541906

)

You found "If Grsecurity were not viable in Gentoo, Gentoo will become just

nice looking crap, nothing else."? That is my strong conviction.

Now something to give you a broader picture for how those seats (with, let's

call them, shadows sitting on them), who you won't know about, can work in your

computer..

...Have a look at another infrastructure introduced in the GNU/Linux kernel

back in late 2010, as it appears in this article by Brad Spender Spengler:

False Boundaries and Arbitrary Code Execution

https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

Difficult read for non-advanced users, and I myself still don't understand

occasional details in that article, and only vaguely understand some other

of the points.

But, the suggested 'man capabilities' a stop to fuel up your understanding, and

it's not so hard to get the gist of it. C'mon!

And you don't even have to go very deep into it. Search for "catch-all" and

take a while to figure that one paragraph out. I'll reproduce it here in its

entirety (I'll take liberty to add only newlines, the text will remain

verbatim):

 *spender wrote:*   

> 
> 
> CAP_SYS_ADMIN: generic: among many other things (it's a sort of catch-all capability choice), CAP_SYS_ADMIN grants the ability to mount/unmount filesystems.
> 
> So you have the ability to bind mount a new filesystem over an existing one to backdoor any binary on the system.
> ...

 

Did you just read how CAP_SYS_ADMIN can give [*] a (shadow sitting on a) seat (that the user isn't even aware is rummaging in his machine) the:

"ability to bind mount a new filesystem over an existing one to backdoor any

binary on the system"

( [*] Spender talks to them straight. He says: "...you have the ability to bind

mount...". He can confront them. I can't. My defenses work, but they are yet so

very primitive, only based on backup and restore. I'm very much still learning

all the time. )

And no one really can dismiss what Spender writes (well they haven't ever

really done it successfully).

The problem is, almost all the wikis and documentation, tell you you have to

install those kits.

So, esp. if you disagree with me for some reason, go ahead and deploy the

*kits, the consolekit/dbus/polkit and things... 

I will try and follow what creaker and Anon-E-Moose suggested here:

LXDE replacement question

https://forums.gentoo.org/viewtopic-t-973802.html

and which I didn't really completely understand back when I first posted in

there, and it was because back then I didn't know about these seats.

Only now I understand and will go this way, as in this post of the thread

already cited above (but this is the last referral to that page in this post,

and this in parens is me proofreading):

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers

https://forums.gentoo.org/viewtopic-t-858965.html#6544053

But, on my system, some of those *kits got pulled in by some of the around 700

packages that I currently have installed in my system, and I think I now first

need to try and figure out how much possibly remote influence on my system I

would have, if I cloned this system to use it online on a non-master (not the

main Air-Gapped system) box...

To find out if I have not managed to evade some of the infrastructure as is

programmatically offered to remote seats by those *kits and associate

infrastructure...

As usual, I'm exhausted at this point. Really complex to explain these things.

Let us please get the option of the free no-remote seats GNU/Linux viable!

Miroslav Rovis

www.CroatiaFidelis.hr

all links checked to be live and as intended at the time of posting
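A defender's check for the CAP_SYS_ADMIN point quoted above, added here and not from spender's article or from this thread: it decodes the CapEff/CapBnd hex masks the kernel exposes in /proc/PID/status (the format 'man 7 capabilities' and 'man 5 proc' describe) and reports whether CAP_SYS_ADMIN and a few other wide capabilities are held, so you can audit what the daemons on your box actually run with. The status texts embedded below are constructed samples; the capability numbers are those from <linux/capability.h>, and audit_pid assumes a Linux /proc.

```shell
#!/bin/sh
# Audit which wide-ranging capabilities a process holds, by decoding the
# hex masks in /proc/PID/status. Added example, not from the thread.

# Capability numbers as in <linux/capability.h> / 'man 7 capabilities'.
CAP_SETPCAP=8
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21
AUDITED_CAPS="CAP_SETPCAP=$CAP_SETPCAP CAP_NET_ADMIN=$CAP_NET_ADMIN CAP_SYS_MODULE=$CAP_SYS_MODULE CAP_SYS_RAWIO=$CAP_SYS_RAWIO CAP_SYS_ADMIN=$CAP_SYS_ADMIN"

# cap_in_mask HEXMASK CAPNUM: exit 0 if bit CAPNUM is set in the 64-bit mask.
# Shell arithmetic is 64-bit signed; the kernel only uses the low ~40 bits,
# so even an all-ones mask (ffffffffffffffff) decodes those bits correctly.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field STATUS_TEXT NAME: print the value of the "NAME:<tab>value" line.
status_field() {
    printf '%s\n' "$1" | awk -v want="$2:" '$1 == want { print $2; exit }'
}

# status_has_cap STATUS_TEXT FIELD CAPNUM: exit 0 if the process described by
# STATUS_TEXT has capability CAPNUM in FIELD (CapEff, CapPrm, CapBnd, CapInh).
# Exit 2 when the field is missing, so callers can tell "no" from "unknown".
status_has_cap() {
    mask=$(status_field "$1" "$2")
    [ -n "$mask" ] || return 2
    cap_in_mask "$mask" "$3"
}

# status_list_caps STATUS_TEXT FIELD: print, one per line, which of the
# audited capabilities are present in FIELD.
status_list_caps() {
    for entry in $AUDITED_CAPS; do
        name=${entry%%=*}; num=${entry#*=}
        if status_has_cap "$1" "$2" "$num"; then
            echo "$name"
        fi
    done
    return 0
}

# audit_pid PID [FIELD]: the same check against a live process (Linux only).
audit_pid() {
    status_list_caps "$(cat "/proc/$1/status")" "${2:-CapEff}"
}

# Constructed samples (real files use tabs; awk splits on any whitespace).
# A daemon that kept the full default set, including the catch-all CAP_SYS_ADMIN:
SAMPLE_FULL='Name: some-daemon
Pid: 4242
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff'
# The same daemon after CAP_SYS_ADMIN (bit 21) was removed from its sets:
SAMPLE_DROPPED='Name: some-daemon
Pid: 4243
CapInh: 0000000000000000
CapPrm: 0000003fffdfffff
CapEff: 0000003fffdfffff
CapBnd: 0000003fffdfffff'

# When run directly on Linux, also show what this very shell holds.
if [ -r "/proc/$$/status" ]; then
    echo "effective capabilities of shell $$:"
    audit_pid "$$" CapEff
fi
```

Run it against a long-lived daemon with `audit_pid <pid> CapBnd`: a non-empty CAP_SYS_ADMIN line in the bounding set means that process, or anything it spawns, can regain the mount-related powers the quoted paragraph describes.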

----------

## miroR

After having written the immediately previous post on those weird programs, which

are becoming mainstream and imposed all over GNU/Linux-land, I have successfully

(judging by the end result) ventured into ridding myself of them.

Pls. look up:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)

https://forums.gentoo.org/viewtopic-t-992146.html

I recommend mdev-like-a-boss as a good choice.

People have had difficulty installing it due to incomplete (from the user's point of view) documentation.

While that topic is thorough and pretty comprehensive, it might be a little hard to read. Sorry!

There was really lots of wondering, but eventually khayyam helped me overcome the last obstacle, which I think is exactly the one lots of users left their skin at.

----------

## miroR

I have a new topic:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider

https://forums.gentoo.org/viewtopic-t-999436.html

which actually very much deals in Air-Gapped stuff.

I believe some fine advice there for people seeking how to free gnu/linux (that's a verb). At least I really tried hard.

Miroslav Rovis

www.CroatiaFidelis.hr

----------

## miroR

People are interested in this method, described in this topic, and all I can really tell you is still only that it does work.

I have no time to present it from scratch which this topic would require.

While a probably good alternative to full air-gapping may really be what jonathan183 suggested here:

( same topic that you are reading )

https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7546202

I did not go for it, I went for the full air-gapped install, that is, with a local mirror (or private mirror).

On issues (not necessarily connected to failure of the method, actually probably not), and the possibly nascent method of verifying the mirror, you can read here:

Broken Pipe on Air-Gapped (& Portage Snapshots off Mirrors)

https://forums.gentoo.org/viewtopic-t-1001706.html

And you should know what I previously wrote, and is certainly very connected to success of our air-gapping on:

Why is Gentoo not switching to systemd?

https://forums.gentoo.org/viewtopic-t-998108-start-300.html#7624044

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

What this topic on Air-Gapping can not offer you currently, and that is a systematic guide to build your Gentoo the air-gapped way, you may get in my Debian Forums tip, for that other FOSS Linux flavor:

Air-Gapped Debian Install for Newbies

http://forums.debian.net/viewtopic.php?f=16&t=119648

I was able to reach the solution there almost in a straightforward manner because I had the experience with building my Air-Gapped Gentoo. Here I started from an imperfect concept about where I needed to get, and for that reason I have wandered so much in this topic.

----------

## miroR

And if you are considering mailing programs for your Air-Gapped, you can read this stub:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider

https://forums.gentoo.org/viewtopic-t-999436.html#7696102

----------

## miroR

I have to say, this is what I like! Everything adds up on these Forums, as expected in a FOSS institution.

Ten months ago,  I promised I would show something that looked interesting to me... and I was hoping to understand what it was...

This is today's little event from my terminal:

```
ukrainian@mybox /some/where $ sha256sum *_140516_164150_naibd6_Schmoog_intrusion.*[pv] | \
egrep 'e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201|b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4'
e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201 dump_140516_164150_naibd6_Schmoog_intrusion.pcap
b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4 Screen_140516_164150_naibd6_Schmoog_intrusion.mkv
ukrainian@mybox /some/where $
```

And the egrep'ing was for the numbers which could be seen, and if they don't ban me from my beloved Gentoo Forums, or worse things happen, will be seen for more time to come in the future.

Here's where those same numbers feature.

*previously in this page wrote:*

> ```
> e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201  dump_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.pcapng
> ...
> ```

That's a quote from this same page of this topic, from the post which is further above. This exact post:

[ this same topic you're reading, this same page of the topic ]

https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7552466

So I obviously still got those same files, and they are now very close for anyone to check on what itched me back then...

Just go and download:

```
wget http://www.CroatiaFidelis.hr/gnu/.hm/.dump_140516_193521_naibd6++.pcap
```

Rename it:

```
mv -iv .dump_140516_193521_naibd6++.pcap dump_140516_193521_naibd6++.pcap
```

lest it remain invisible for `ls -l` without the `-a`, such as: `ls -la`.

It's all in that packet capture file... But...

But it's not in the file you see, that's unimportant. I mean, in the file of which you can see the packets in Wireshark.

Just if you do open it in Wireshark, it should tell you that some of the data is corrupted.

Well, whether it is really corrupted I'll leave as a moot point for now, but do go and, if you can:

1) find the exact bytes that are corrupted

2) say if those bytes contain anything or are random corruption?

C'mon go ahead! Do try it!

Will post all my explanations just next. And if you're reading later when all is posted and no secrets remain (well some do, but those are the usual surveillors-control-and-users-are-controlled society secrets).

----------

## miroR

EDIT Sat  2 May 17:57:47 CEST 2015: Read this too, but be aware of issues with this post, as I explain in the next one:

https://forums.gentoo.org/viewtopic-t-987268-start-50.html#7741670

---

...[And if you're reading later], do try to understand how easy it is to hide things in computing...

Make a directory:

```

mkdir ukrainian.d/

```

(the name is just an example, and because of my love and support for a related nation to us Croats)

Copy the file you downloaded into that dir.

```

cp -iav dump_140516_193521_naibd6++.pcap ukrainian.d/

```

Enter in it.

```

cd ukrainian.d/

```

Make this little script. Just paste this content into a file recov.sh.

(recov for recover [those "corrupted?" no!, hidden] data)

```
#!/bin/bash
cat dump_140516_193521_naibd6++.pcap \
   | split -d -b4295443 - dump_140516_193521_naibd6++.pcap
cat dump_140516_193521_naibd6++.pcap01  \
   | split -d -b2045043 - dump_140516_193521_naibd6++.pcap01
mv -iv dump_140516_193521_naibd6++.pcap0100  \
   Screen_140516_164150_naibd6_Schmoog_intrusion.gg
cat dump_140516_193521_naibd6++.pcap0101  \
   | split -d -b49822 - dump_140516_193521_naibd6++.pcap0101
mv -iv dump_140516_193521_naibd6++.pcap010100  \
   dump_140516_164150_naibd6_Schmoog_intrusion.gg
cat dump_140516_193521_naibd6++.pcap00 dump_140516_193521_naibd6++.pcap010101  \
   > dump_140516_193521_naibd6.pcap
```

So select and copy that code, and paste it like so:

```
cat > recov.sh

< here paste that code >

< and issue Ctrl-D >

```

And:

```

chmod 755 recov.sh

```

and run it (you're in ukrainian.d all the time):

```
./recov.sh
```

Of what that gets you, you only need two files, the *.gg ones:

So you can:

```

mkdir DEL

mv -iv * DEL/

```

and:

```

mv -iv DEL/*.gg .

```

And now you should have:

```

ukrainian@mybox /some/where/ukrainian.d $ ls -l

total 2056

drwxr-xr-x 2 ukrainian ukrainian    4096 2015-03-03 18:09 DEL

-rw-r--r-- 1 ukrainian ukrainian   49822 2015-03-03 18:09 dump_140516_164150_naibd6_Schmoog_intrusion.gg

-rw-r--r-- 1 ukrainian ukrainian 2045043 2015-03-03 18:09 Screen_140516_164150_naibd6_Schmoog_intrusion.gg

ukrainian@mybox /some/where/ukrainian.d $ 

```

It would still be no freaking use having those files for you.

Just like what will remain, after you see the data that I will hereby reveal to you, is the freaking cowardly encrypted data against the use, against us users who are controlled, by our surveillors who control us! It's easy hiding things, you freaking Schmoog!

But it's so dishonest and filthy way to live, you ugly octopus of the internet!

Those two files are encrypted symmetrically with gpg. Here's the password:

```

X0pho5m1r0

```

So what you need to do is:

```

gpg -d dump_140516_164150_naibd6_Schmoog_intrusion.gg  > dump_140516_164150_naibd6_Schmoog_intrusion.pcap

```

and:

```

gpg -d Screen_140516_164150_naibd6_Schmoog_intrusion.gg >Screen_140516_164150_naibd6_Schmoog_intrusion.mkv

```

And there you can see still only as much as an inquisitive user like me, can get to understand about what the intruder, in this case the Schmoog the Surveillance Engine, did, and no more.

It takes an expert to decrypt what data, or what ploy, or what ever-else, the Schmoog did in these some half a minute that I tried to connect to DuckDuckgo.com, but the Schmoog, the Goog, the Phfloog the Octopus of the internet, intruded on my machine.

I may correct this post some, tired now... Will only make sure the password above is correct. (Still checking that. If I'm not back in a little while, the whole procedure works. Still no warranties. Try it at your own risk.).

Checked it. All is well here. And rare is corruption on Gentoo Forums, but do tell if things don't add up, because I may have overlooked some part of the tips here above...

Last edited by miroR on Sat May 02, 2015 3:58 pm; edited 1 time in total
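For readers who want to locate the "corrupted" part of a capture themselves, here is an added shell script (not from the original post) that walks a classic libpcap file record by record and reports the byte offset where the chain of well-formed records stops; whatever follows that offset is data the pcap format does not account for. It assumes the classic pcap format (not pcapng), uses only od, wc and printf, and the sample file with a trailing blob is constructed inside the script.

```shell
#!/bin/bash
# Added example: find where packet records end in a libpcap file.
# u32_at FILE OFFSET ENDIAN: print the unsigned 32-bit value at OFFSET
# (ENDIAN is "le" or "be"); prints -1 if the bytes are not there.
u32_at() {
    local file=$1 off=$2 endian=$3 b
    b=$(od -An -v -tu1 -j "$off" -N4 "$file")
    set -- $b
    [ "$#" -eq 4 ] || { echo -1; return; }
    if [ "$endian" = le ]; then
        echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
    else
        echo $(( $4 | ($3 << 8) | ($2 << 16) | ($1 << 24) ))
    fi
}

# pcap_data_end FILE: prints "END_OFFSET FILE_SIZE RECORD_COUNT".
# END_OFFSET < FILE_SIZE means trailing bytes no record header covers.
pcap_data_end() {
    local file=$1 size magic endian off=24 n=0 incl
    size=$(( $(wc -c < "$file") ))
    magic=$(u32_at "$file" 0 le)
    case "$magic" in
        2712847316|2712812621) endian=le ;;  # 0xa1b2c3d4 / 0xa1b23c4d, little-endian
        3569595041|1295823521) endian=be ;;  # the same magics byte-swapped
        *) echo "not a classic libpcap file" >&2; return 1 ;;
    esac
    # Each record: ts_sec, ts_usec, incl_len, orig_len (4 bytes each), then data.
    while [ $((off + 16)) -le "$size" ]; do
        incl=$(u32_at "$file" $((off + 8)) "$endian")
        # A record must fit in the file and within libpcap's largest snaplen
        # (262144); otherwise the record chain is broken at this offset.
        if [ "$incl" -lt 0 ] || [ "$incl" -gt 262144 ] \
           || [ $((off + 16 + incl)) -gt "$size" ]; then
            break
        fi
        off=$((off + 16 + incl))
        n=$((n + 1))
    done
    echo "$off $size $n"
}

# make_sample_pcap PATH: constructed file with a 24-byte global header,
# two tiny Ethernet records and 7 trailing bytes that belong to no record.
make_sample_pcap() {
    {
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000ABCD'
        printf '\002\000\000\000\000\000\000\000\002\000\000\000\002\000\000\000EF'
        printf 'HIDDEN!'   # constructed appended blob
    } > "$1"
}

# Usage: ./pcap_end.sh capture.pcap  (hypothetical file name)
if [ -n "${1:-}" ]; then
    pcap_data_end "$1"
fi
```

On the constructed sample the output is `62 69 2`: two records, packet data ends at byte 62 of 69, so 7 trailing bytes need explaining.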

----------

## miroR

I misposted this (checked it in my records, the screencasts and packet dumps: mea culpa) on:

Posted: Fri Apr 17, 2015 1:16 am

https://forums.gentoo.org/viewtopic-t-999436.html#7733646

(and I'm vacating it from there)

---

There are, currently, some strangely-induced, possibly by phpBB, possibly by other causes, spaces, and not exactly plain blanks, in the script above....

Anyway, unfinished, but probably better way to study this case for which the Air-Gapped Install is the remedy, is from:

A Schmoog Intrusion

http://www.croatiafidelis.hr/foss/cap/cap-140516_SchI/

and also, how I made the video that you should be able to see it there in HTML5, is what you can, soon, finishing the upload of files (oh but I'm never sure under my dear censors in Croatia...)... hopefully finishing the upload, so also this might be of some worth:

EDIT: Should all be uploaded properly, pgp-signed and all.

A Demo with a Few Tips on Simple Video Manipulation

http://www.croatiafidelis.hr/foss/cap/cap-140516_SchI/howto.php

Cheers!

----------

## miroR

I would really like to point readers here to a Gentoo Tip that made my day today.

It is in indirect relation with the issues here, and I don't care that some would question that relation.

It's that someone got lots of newbies to install Larry the Big Guy Oracle's Java, and I don't like that.

People building Air-Gapped can have lots of their defences hollowed out or worse by intrusive programs like Larry's, who took over also Mysql and some other FOSS stuff...

So this is the tip:

How to avoid Oracle's JAVA

https://forums.gentoo.org/viewtopic-t-1015568.html

Thanks, my folks!

----------

## miroR

I have been using this method that I have, with a lot of struggling and imperfections on my part, successfully put together, and explained, in this topic that you are reading (

Air-Gapped Gentoo Install, Tentative

https://forums.gentoo.org/viewtopic-t-987268.html

)

.

There are a few additional sub-methods that ought to be followed, to have your own mirror updated without too many unnecessary packages. And also these methods relieve the servers you download from.

For true Air-Gapped, you need a local mirror only as complete as you might in some probability need. You don't need all the 180GB or more that it be.

It's easy to rsync-download with some packages set in an exclusion list and in such way not downloaded. Which ones depends on your personal preferences.

E.g. I don't like anything Google, anything at all, and when I can, I live without Schmoog the Schmoogle. So one of my choices will generally be to put all the chrom* in the exclusion list to give to rsync on the command line.

But I'll show it to you with the (primitive) scripts that I will use this morning as I update my Gentoo mirror.

Surely you need to choose your own mirror, unless you live, like me, in relative proximity of Germany, in which case you could probably use the scripts literally.

But whichever the way, please don't even try doing it unless you do it at your own responsibility. I give no warranties. I only say that these methods work for me.

So, if you need to, consult the Gentoo mirror list and replace 'de-mirror.org' with the mirror more appropriate for your side of the world.

In the bottom command, the file files-exclude.ls-1 is what I already put in the list the last time I updated my local mirror. The ls-1 (that's a '1', one) is there because it is a listing just like what you get when you:

```

$ ls -1

```

Here is the command to list the remote mirror and save the listing into a timestamped file:

```

#!/bin/bash

rsync -nav --exclude-from=files-exclude.ls-1 rsync://de-mirror.org/gentoo/distfiles/ 2>&1 | tee /mnt/sde1/rsync_de-mirror.org-nav_`date +%y%m%d_%H%M`.txt

```

See 'man rsync' (and 'man date'). What the above does, is it gives you the listing, in a file like this:

(Pls. notice the string 'receiving incremental file list' in it. We'll need that later.)

```

$ cat rsync_de-mirror.org-nav_160125_0648.txt >> /Cmn/mr/Gen_160125_Air-Gap_rsync_mirror.txt

  _  ___   _   ___       _                       _     ____  _____ 

 / |( _ ) / | |_ _|_ __ | |_ ___ _ __ _ __   ___| |_  / ___|| ____|

 | |/ _ \/\ |  | || '_ \| __/ _ \ '__| '_ \ / _ \ __| \___ \|  _|  

 | | (_>  < |  | || | | | ||  __/ |  | | | |  __/ |_   ___) | |___ 

 |_|\___/\/_| |___|_| |_|\__\___|_|  |_| |_|\___|\__| |____/|_____|

Welcome to mirror.eu.oneandone.net, a service provided by 1&1 Internet SE

--------------------------------------------------------------------------

This mirror is available via HTTP, FTP and RSYNC at:

  * <http://mirror.eu.oneandone.net/>

  * <ftp://mirror.eu.oneandone.net/>

  * <rsync://mirror.eu.oneandone.net/>

... [ 44 lines snipped here ] ...

receiving incremental file list

drwxr-xr-x      3,325,952 2016/01/25 05:52:01 .

-rw-r--r--        104,051 2014/11/29 14:52:55 0.3.tar.gz

-rw-r--r--      1,555,942 2013/06/21 21:50:20 0.8-b3.tar.gz

-rw-r--r--        174,494 2013/01/28 09:51:39 0.9.2.tar.gz

-rw-r--r--            736 2015/03/20 16:13:40 0001-x86-Put-COPY3_IF_LT-under-HAVE_6REGS.patch.gz

-rw-r--r--        161,749 2013/05/30 16:37:46 010FC8BD229B7F68C8C4D5BDE399475373096601-non-schema.jar

-rw-r--r--        359,397 2015/02/11 15:02:16 01CD242F06F6F7E4E61C9E05ABBE07318E501D51-org.eclipse.mylyn.wikitext.core_1.9.0.20131007-2055_nosignature.jar

-rw-r--r--         24,444 2015/10/04 22:58:52 03-infinality-2.6-2015.10.04.patch.xz

-rw-r--r--         27,056 2015/11/29 15:49:40 03-infinality-2.6.2-2015.11.28.patch.xz

-rw-r--r--          6,424 2014/01/19 12:05:52 034-0010-module-setup.sh-add-comments.patch.bz2

... [ 74687 lines snipped here ]...

-rw-r--r--        339,898 2003/03/24 17:22:04 zssh-1.5a.tgz

-rw-r--r--        344,964 2003/09/24 05:39:17 zssh-1.5c.tgz

-rw-r--r--        245,592 2010/09/20 14:36:12 zsync-0.6.2.tar.bz2

-rw-r--r--        195,927 2012/07/08 09:09:33 zukini-20120806.zip

-rw-r--r--        220,148 2013/12/17 14:43:38 zukitwo-2013.12.10.tar.xz

-rw-r--r--        436,590 2015/04/28 01:03:34 zukitwo-2014.10.22.zip

-rw-r--r--        582,120 2015/06/01 09:10:01 zuluCrypt-4.7.6.tar.bz2

-rw-r--r--        550,309 2015/09/01 06:56:52 zuluCrypt-4.7.7.tar.bz2

-rw-r--r--        769,209 2006/05/31 06:09:39 zvbi-0.2.22.tar.bz2

-rw-r--r--      1,047,761 2013/08/28 17:06:14 zvbi-0.2.35.tar.bz2

-rw-r--r--     15,256,377 2014/02/03 02:04:30 zygrib-6.2.3.tgz

-rw-r--r--     15,287,496 2015/03/25 03:11:23 zygrib-7.0.0.tgz

-rw-r--r--        517,620 2013/05/21 15:20:18 zygrib-cities_0-300.txt.gz

-rw-r--r--        495,119 2013/05/21 15:20:18 zygrib-cities_1k-3k.txt.gz

-rw-r--r--        512,733 2013/05/21 15:20:19 zygrib-cities_300-1k.txt.gz

-rw-r--r--            851 2013/06/01 10:34:55 zygrib-icon.png

-rw-r--r--    105,735,981 2013/05/21 15:52:01 zygrib-maps2.4.tgz

-rw-r--r--      4,185,453 2015/02/26 01:38:10 zynaddsubfx-2.5.0.tar.gz

-rw-r--r--      4,214,568 2015/07/04 21:17:16 zynaddsubfx-2.5.1.tar.gz

-rw-r--r--      4,572,973 2015/11/14 04:01:41 zynaddsubfx-2.5.2.tar.gz

-rw-r--r--        654,842 2007/03/18 18:19:10 zziplib-0.13.49.tar.bz2

-rw-r--r--        685,418 2010/12/30 10:01:48 zziplib-0.13.60.tar.bz2

-rw-r--r--        685,770 2012/03/12 00:57:44 zziplib-0.13.62.tar.bz2

-rw-r--r--         11,370 2010/03/02 21:10:14 zzuf-0.13-zzcat-zzat-rename.patch.bz2

-rw-r--r--        461,498 2010/01/31 13:30:00 zzuf-0.13.tar.gz

sent 2,753 bytes  received 1,995,000 bytes  363,227.82 bytes/sec

total size is 182,543,535,057  speedup is 91,374.43 (DRY RUN)

```

It is neither too heavy on the server nor too long a download to take out of the above huge listing just those larger than 100,000,000, that is, of size greater than 100MB, pick among those just what you still do need, and delete those from there (i.e. exempt them from files-exclude.ls-1, the list of files not to be downloaded). And let rsync update whichever smaller files, whether you need them or not (it's some 75,000 files! Who wants to pick from every single one among that many?)... And anyway only the big ones really take time to download!

```

$ grep -A1000000 'receiving incremental file list' rsync_de-mirror.org-nav_160125_0648.txt | wc -l

74726

$ grep -A1000000 'receiving incremental file list' rsync_de-mirror.org-nav_160125_0648.txt | head -74723 | tail -74721 > rsync_de-mirror.org-nav_160125_0648.txt.ls-l

$

```

That's 'ls-l' (lowercase L), for 'long listing', just like in 'ls -l'.

I hope you remember the string we used here. And now notice that 74726-3=74723. And then 74723-2=74721. See 'man head' and 'man tail' if unclear.

That gets us the long listing of files to be updated without the talk in top and bottom.

Out of all the listing, we are really interested only in lines like (near the bottom of that listing):

```

-rw-r--r--    105,735,981 2013/05/21 15:52:01 zygrib-maps2.4.tgz

```

And this:

```

cat rsync_de-mirror.org-nav_160125_0648.txt.ls-l | egrep '[0-9]{3},[0-9]{3},[0-9]{3}' >  rsync_de-mirror.org-nav_160125_0648.txt.ls-l-S

```

will make such a list for us. "-S" is for size. See 'man egrep'.

```

$ cat rsync_de-mirror.org-nav_160125_0648.txt.ls-l-S

-rw-r--r--    571,228,108 2015/03/13 23:05:02 0ad-0.0.18-alpha-unix-data.tar.xz

-rw-r--r--    102,215,680 2010/12/20 18:54:40 6.2.2.0-TIV-TSMBAC-LinuxX86.tar

... [ 38 lines snipped here ] ...

-rw-r--r--    155,616,187 2015/01/13 00:36:39 amd-catalyst-omega-14.12-linux-run-installers.zip

-rw-r--r--  1,023,118,640 2015/11/20 03:56:27 amd64-debug-libreoffice-5.0.3.2.tar.xz

-rw-r--r--    475,584,701 2015/11/20 04:10:43 amd64-debug-libreoffice-gnome-java-5.0.3.2.xd3

-rw-r--r--    258,628,239 2015/06/04 19:00:00 android-studio-ide-141.1980579-linux.zip

-rw-r--r--    100,065,044 2014/10/18 13:25:34 appliance-1.28.1.tar.xz

-rw-r--r--    207,172,456 2008/07/12 17:10:22 axiom-may2008-src.tgz

-rw-r--r--    129,694,711 2013/08/17 22:59:22 basemap-1.0.7.tar.gz

-rw-r--r--    123,217,291 2013/07/05 15:52:22 bndlib-2.1.0.tar.gz

-rw-r--r--    138,928,992 2014/07/04 09:11:50 calligra-2.8.5.tar.xz

-rw-r--r--    138,966,248 2014/12/04 15:52:31 calligra-2.8.7.tar.xz

-rw-r--r--    194,239,580 2015/08/19 18:56:06 calligra-2.9.6.tar.xz

-rw-r--r--    194,348,264 2015/08/29 22:55:16 calligra-2.9.7.tar.xz

-rw-r--r--    125,697,465 2014/12/19 18:41:04 charm-6.6.1.tar.gz

-rw-r--r--    432,281,684 2016/01/20 21:25:25 chromium-48.0.2564.82.tar.xz

-rw-r--r--    452,249,352 2016/01/16 09:27:34 chromium-49.0.2623.0.tar.xz

-rw-r--r--    122,543,145 2006/07/21 03:54:46 cpma-mappack-full.zip

... [ 20 lines snipped here ] ...

-rw-r--r--    202,964,824 2015/03/11 17:18:41 fglrx-installer_15.200.orig.tar.gz

-rw-r--r--    146,418,413 2011/01/10 23:01:55 fillets-ng-data-1.0.0.tar.gz

-rw-r--r--    181,383,793 2015/11/02 14:39:36 firefox-38.4.0esr.source.tar.bz2

-rw-r--r--    181,371,970 2015/12/15 17:13:06 firefox-38.5.0esr.source.tar.bz2

-rw-r--r--    175,414,296 2015/12/14 20:29:06 firefox-43.0.source.tar.xz

-rw-r--r--    134,835,922 2008/11/30 22:14:31 fluid-soundfont_3.1.tar.gz

... [ 40 lines snipped here ] ...

-rw-r--r--    123,706,294 2007/02/23 11:08:17 legends_linux-0.4.1.42.run

-rw-r--r--    123,964,866 2007/09/17 02:08:37 legends_linux-0.4.1.43.run

-rw-r--r--    164,742,068 2015/10/27 22:34:09 libreoffice-4.4.6.3.tar.xz

-rw-r--r--    167,009,360 2015/10/24 20:26:06 libreoffice-5.0.3.2.tar.xz

-rw-r--r--    167,305,516 2015/12/13 14:09:27 libreoffice-5.0.4.2.tar.xz

-rw-r--r--    117,081,330 2009/08/28 01:44:03 libstdcxx-39.tar.gz

-rw-r--r--    113,132,379 2015/04/07 20:31:04 libvpx-testdata-1.4.0.tar.bz2

... [ 105 lines snipped here ] ...

-rw-r--r--    159,265,180 2015/06/19 08:26:32 xmind-portable-3.5.3.201506180105.zip

-rw-r--r--    984,854,761 2015/10/08 10:50:15 xonotic-0.8.1.zip

-rw-r--r--    105,735,981 2013/05/21 15:52:01 zygrib-maps2.4.tgz

```

Do you see the chromium there, which I would only be interested to install if I needed to see how my pages work (if I had time to write web pages)? But otherwise I tell everybody: Dillo is the safest, but really minimal browser, incomplete. And Mozilla seems to have truly started to care for the privacy of its users, unless I've mistaken to have started trusting them. But I do trust them again!, and so: Firefox I recommend. See why here (warning: useless and, at least some, false accusations against me there is best for the reader to skip; go for the information provided in the links therefrom, to what Mozilla developers told me):

More non-Decryptables (from Mozilla Cloud)

https://forums.gentoo.org/viewtopic-t-1034140.html#7847998

.

And so, e. g. firefox-<...> I do need to update. Also libreoffice-<...> I need (except I don't need the amd64-debug-libreoffice-<...> debugging packages).

```

$ cp -iav rsync_de-mirror.org-nav_160125_0648.txt.ls-l-S rsync_de-mirror.org-nav_160125_0648.txt.ls-l-Sr

```

('r' in <...>-Sr is for real. Meaning we'll really use that one, not the one without r. Have to make your abbreviations on some mnemonic principle.)

So after I manually removed the libreoffice-<...> and firefox-<...> from that listing in the copied file rsync_de-mirror.org-nav_160125_0648.txt.ls-l-Sr, see:

```

$ diff rsync_de-mirror.org-nav_160125_0648.txt.ls-l-S rsync_de-mirror.org-nav_160125_0648.txt.ls-l-Sr

79,81d78

< -rw-r--r--    181,383,793 2015/11/02 14:39:36 firefox-38.4.0esr.source.tar.bz2

< -rw-r--r--    181,371,970 2015/12/15 17:13:06 firefox-38.5.0esr.source.tar.bz2

< -rw-r--r--    175,414,296 2015/12/14 20:29:06 firefox-43.0.source.tar.xz

125,127d121

< -rw-r--r--    164,742,068 2015/10/27 22:34:09 libreoffice-4.4.6.3.tar.xz

< -rw-r--r--    167,009,360 2015/10/24 20:26:06 libreoffice-5.0.3.2.tar.xz

< -rw-r--r--    167,305,516 2015/12/13 14:09:27 libreoffice-5.0.4.2.tar.xz

```

we, next, awk for the column $5 of each line (the fifth column contains the name of the file).

See 'man awk'. We can awk that straight into the already existing (in my case) or new (but will exist the next time if you start using this Air-Gapped method) files-exclude.ls-1:

```

$ cat rsync_de-mirror.org-nav_160125_0648.txt.ls-l-Sr | awk '{ print $5 }' >> files-exclude.ls-1

```

And now I can start updating my system and it'll take much less than it would if I hadn't done that exclusion list. And I will still very probably have all that I need for my minimalist [*], but pretty safe, and cloneable[**], Air-Gapped Gentoo system.

I use a script like:

```
#!/bin/bash
rsync -nav --exclude-from=files-exclude.ls-1 rsync://de-mirror.org/gentoo/distfiles/ distfiles/ 2>&1 | tee /mnt/sde1/rsync_de-mirror.org-nav_`date +%y%m%d_%H%M`.txt
echo "Enter for real rsync'ing"
read FAKE
rsync -av --exclude-from=files-exclude.ls-1  rsync://de-mirror.org/gentoo/distfiles/ distfiles/ 2>&1 | tee /mnt/sde1/rsync_de-mirror.org-av_`date +%y%m%d_%H%M`.txt
```

(The read FAKE is just to give me time to check how the script fared, and hit Enter; it doesn't read anything. Well it could, but I don't use it for reading anything.)

And once I'm done, I use the little used nowadays, but probably the safest way to transfer data when they are not too sizeable: BluRay data discs. I use them to copy the new files over into another mirror which is always offline, and which my real Air-Gapped system accesses, which is the system that I update and rebuild, and which I clone off. Where I'm writing and posting this from is always a cloned system, never the Air-Gapped master.

And the Air-Gapped master of mine is not curious about internet, it couldn't even care to go there. It cares only for my security, and it gets everything from its clones anyway.

And just one more thing. In case there are any problems with the scripts, see if you have, by error of some kind, in the system, or wherever that it be from, some:

phpBB Strange White Space problem

https://forums.gentoo.org/viewtopic-t-1032010.html

Cheers!

---

[*] The best way to describe it is: minimalist, because I don't use a system with systemd's best friend: dbus. See:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)

https://forums.gentoo.org/viewtopic-t-992146.html

And also see how among the people that understand the horror unleashed by systemd against the true Unix nature of FOSS Linux, there is a growing interest for such minimal, no-dbus no-poetterware installation at:

Upgrade to Devuan and minimalism

https://git.devuan.org/dev1fanboy/Upgrade-Install-Devuan/wikis/Upgrade-to-Devuan-and-minimalism

[**] See:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7613044
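The dry-run listing, size filter and exclude-list steps from the post above, as an added shell script (not the poster's own scripts) that finds the file list by rsync's own 'receiving incremental file list' and 'sent ... bytes' markers instead of fixed head and tail line counts, and takes the whole remainder of the line as the file name so names with spaces survive. The log, the 100,000,000 byte threshold and the keep pattern for firefox and libreoffice sources are constructed inputs that mirror the post.

```shell
#!/bin/bash
# Added example: build an rsync --exclude-from list of big distfiles from
# an "rsync -nav" dry-run log, keeping the packages you still want mirrored.

# Constructed log in the shape rsync -nav writes (banner, marker, listing,
# summary); a real one has ~75,000 listing lines.
SAMPLE_LOG='Welcome to mirror.example.net (constructed banner)
receiving incremental file list
drwxr-xr-x      3,325,952 2016/01/25 05:52:01 .
-rw-r--r--        104,051 2014/11/29 14:52:55 0.3.tar.gz
-rw-r--r--    432,281,684 2016/01/20 21:25:25 chromium-48.0.2564.82.tar.xz
-rw-r--r--    181,383,793 2015/11/02 14:39:36 firefox-38.4.0esr.source.tar.bz2
-rw-r--r--  1,023,118,640 2015/11/20 03:56:27 amd64-debug-libreoffice-5.0.3.2.tar.xz
-rw-r--r--    167,305,516 2015/12/13 14:09:27 libreoffice-5.0.4.2.tar.xz
-rw-r--r--    105,735,981 2013/05/21 15:52:01 zygrib-maps2.4.tgz

sent 2,753 bytes  received 1,995,000 bytes  363,227.82 bytes/sec
total size is 182,543,535,057  speedup is 91,374.43 (DRY RUN)'

# big_files LOG MIN_BYTES: print "size name" for every regular file of at
# least MIN_BYTES, reading only the block between rsync's two markers.
big_files() {
    awk -v min="$2" '
        /^receiving incremental file list/ { inlist = 1; next }
        /^sent [0-9,]+ bytes/              { inlist = 0 }
        inlist && /^-/ {                      # regular files only; skip dirs, links
            size = $2; gsub(",", "", size)    # "1,023,118,640" -> 1023118640
            if (size + 0 >= min + 0) {
                name = $0                     # drop perms, size, date, time
                sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", name)
                print size, name
            }
        }' "$1"
}

# make_exclude_list LOG MIN_BYTES KEEP_REGEX: file names to append to
# files-exclude.ls-1, minus those matching KEEP_REGEX (still wanted).
make_exclude_list() {
    big_files "$1" "$2" | awk -v keep="$3" '
        { name = $0; sub(/^[0-9]+ /, "", name) }
        keep == "" || name !~ keep { print name }'
}

# Demo on the constructed log: exclude files >= 100 MB, but keep the firefox
# and libreoffice sources (the amd64-debug-libreoffice tarball is not kept).
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
make_exclude_list "$LOG" 100000000 '^(firefox|libreoffice)-'
rm -f "$LOG"
# Against a real dry-run log the same call would be:
#   make_exclude_list rsync_de-mirror.org-nav_160125_0648.txt 100000000 \
#       '^(firefox|libreoffice)-' >> files-exclude.ls-1
```

The demo prints chromium-48.0.2564.82.tar.xz, amd64-debug-libreoffice-5.0.3.2.tar.xz and zygrib-maps2.4.tgz; the two kept sources and the small 0.3.tar.gz never reach the exclude list.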

----------

## steveL

Hey miroR,

Just wanted to say I found spender's post on capabilities illuminating.

The article on securebits linked there, is good too.

The topic on avoiding Oracle JDK is useful, and it was fun to catch up with Devuan.

I still think you need to cut down on the excess chit-chat, but apart from that: keep up the good work. :-)

Thanks for the links,

steveL.

----------

## gentoo-freak

 *steveL wrote:*   

> Hey miroR,
> 
> Just wanted to say I found spender's post on capabilities illuminating.
> 
> The article on securebits linked there, is good too.
> ...

 

#JFR

----------

