Fresh lunar install

Zbigniew Luszpinski zbiggy at o2.pl
Sat May 18 15:29:56 CEST 2013 

On Monday 06 of May 2013 11:15:20 Jean-Michel Bruenn wrote:
> Hey,
> 
> I just installed Lunar Linux again on my box and noticed a few things:
> 
> 1) ca-certificates should be installed by default _or_ made an
> required dependency of I-Don't-Know, because if you're doing the
> initial lunar renew and you're answering everything with the default
> answers (which is ca-certificates "no" everywhere) you end up without
> ip routing stuff and a few other things. The package iproute2 can't
> be installed - Because it's on https.

This bug is already known since Sun Feb 12 10:23:32 CET 2012:
http://foo-projects.org/pipermail/lunar/2012-February/008836.html

It is not about ca-certificates. The problem lies in wget module:
optional_depends "%SSL"    ""      ""              "for SSL support"

On fresh install wget builds itself without this optional ssl so no 
https:// or ftps:// is possible. You may end up with broken box because 
some important modules like Linux-PAM uses https for download.

See  /var/lib/lunar/plugins/download-generic.plugin to understand why ca-
certificates are not used by moonbase wget at all for https.

> 2) ca-certificates throws some interesting messages and I really have
> no clue if we should care - But since https is about security I think
> we should care:
> 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST
> Mis-issued Intermediate CA 1"
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST
> Mis-issued Intermediate CA 2"
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!
> 
> What is it trying to tell me?

That these certs are untrusted. They are not blacklisted so you can go in 
but get wartning that site using such certificate is not trusted.

> That feels like rather not use
> ca-certificates.

See answer above. You are warned so not a big problem. imo.

> 4) I'm not sure but I think the description of mesa-lib is wrong (or is
> it my english?). It states that you should say no to vdpau if you're
> using the nvidia proprietary driver - But the NVIDIA driver can use
> vdpau for hw acceleration for example in mplayer - So actually you
> should say "yes" to vdpau if you're using NVIDIA.

This warning was added by me. If you have nvidia binary driver it installs 
vdpau driver which uses dedicated hardware to do decoding with low cpu/gpu 
use. If you select y for mesa-lib vdapu mesa-lib will build generic shader 
acceleared vdpau (not gpu vendor dependent, just GPU needs to have 
shaders) which will make your GPU hot. So it is better to not build it at 
all if you have nvidia driver to preserve better vdpau from nvidia driver. 
Indeed message looks confusing. It should be removed and block mesa's 
vdpau build if nvidia driver is installed or question should be rewritten 
to not confuse. e.g. "enable mesa vdpau shader based acceleration for any 
GPU haning shaders? say no if nvidia binary driver is installed because it 
already installed better vdpau" y/n

> Apart from the above and a problem to compile iproute2 and xchat
> everything works as it should (trying to solve those two myself/ with
> v4hn). I'm really happy to have a running lunar linux again :-)
> 
> Jean // wdp

More information about the Lunar-dev mailing list