Postings by Alice Wonder

get unicode ranges from a TTF ???

Hello list,

Is there a command line tool I run on a ttf font and get a list of the
Unicode Ranges for that font that would be compatible with the
unicode-range: parameter in a CSS @font-face declaration?

I'm guessing something in the python world probably exists...

Hopefully something that works in CentOS 7

I need something like that for a FLOSS font server project that doesn't
track users.

I don't feel a need to split up a font by unicode range, but a lot of
fonts are already split by their upstream developers according to
language support - e.g.

Thunderbird in CentOS 7.4

With the current Thunderbird I can not connect to one of my IMAP servers
that uses a self-signed cert.

7.4 network issues

Two onboard nics, Intel, eno1 and eno2

If either of them is set to onboot then network won't start.

one error message says :bad vendor preset disabled

Another error message (in red) says Failed to start LSB

If I can find a USB key there is an updated kmod-wl src.rpm that *may*
bring up my wifi, but I am not sure I have access to a USB key at the

The motherboard is supermicro and the onboard nics are Intel which I
thought were well supported, but I do remember going from 7.2 to 7.3 on
a server IPv6 was bricked because of changes to how the /sbin/ifconfig
scripts were configure

Bricked my system

Updated to CentOS 7.4

No wifi.

Extreme frustration with GIMP

I am not a graphics person.

Simple OCSP server ??

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't
just revoke their

Network Manager / CentOS 7 / local unbound

Hello list -

That says it works for CentOS 5 and I *suspect* the methods there (3
listed) would work, but what is the best way with NetworkManager to set
it up to use the localhost for DNS ?

I'm paranoid about DNS spoofing and really prefer to have a local
instance of DNSSEC enforcing unbound running on my CentOS 7 virtual
machines (e.g.

Quick DANE / self-signed question

I *think* the answer to this is that I am fine.

Last year I only used CA issued certificates.

This year, I am wanting to move to self-signed for SMTP and for
infrastructure domains that are not intended for the public where DANE
can validate. I am convinced DANE does a better job at validating a host
is who it says it is than CA certs do.

I just updated one of my mail servers to self-signed. The signed
certificate expires in a few weeks so I can switch back if I did something

That gives a red flag for Unknown Authority.

M.2 PCI-E card

Hello list,

My instinct says the vast majority will "just work" but I'll ask anyway.

I need a low profile PCI-E card that allows for up to 2 M.2 SSD drives
that is known to work with the stock kernel in CentOS 7.

Can anyone recommend one?


Python search path


Working on a project to create clean spec files for libbitcoin for
CentOS 7 (and eventually I want them to work in Fedora 25+ too)

These spec files must work when the user defines an alternate %{_prefix}
before building them.

This means that python components would be installed in /opt/libbitcoin
(or whatever) instead of in /usr so %{python2_sitelib} and
%{python2_sitearch} no longer would apply.

sys.path.append looks like the way to tell python about a new path to
look for stuff, but I'm guessing there are guidelines somewhere for how
that is supposed to be properly done from wit

Would this be considered a packaging bug?

The source RPM there uses

%if 0%{?rhel}
# not upstreamed
Patch500: 0001-disable-libe-book-support.patch
Patch501: 0001-fix-build-of-bundled-libzmf-with-boost-1.56.patch
Patch502: 0001-allow-to-build-bundled-libzmf-on-aarch64.patch
Patch503: 0001-impl.-missing-function.patch

(and more than just those) resulting in those patches not being included
in the src.rpm because the rpm was not built on rhel/centos.

My understanding was that platform specific patches were supposed to have
the %if macro where the patch is applied, bu

RHEL 8 speculation ???

Is there any blog that has information on a potential RHEL 8 release date?

boost in 7 is now too old for some things, in addition to gcc. There are
solutions in 7 to those issues but it's starting to feel like 6 felt
shortly before 7 came out, so I wonder if it is getting near to time.

I'm working on a major project bitcoin related and it would be
frustrating to deploy a bunch of CentOS 7 virtual machines only to have
8 come out fairly soon afterwards.

IPv6 broken on Linode

;t=14570&p=72785

I can not figure out what I need to do.

Apparently according to linode support, the VM is trying to grab an IPv6
address with some privacy stuff enabled by default causing it to not
grab the IPv6 address that is assigned to me.

Nothing I have tried seems to work, and it seems that Linode support are
far more familiar with Ubuntu than CentOS.

I know CentOS follows Red Hat so I'm not suggesting this is CentOS's
fault, but stuff like this really is why I am a much bigger fan of KISS
with simple key=value configuration files that



ran into a problem w/ linode hosted VM where IPv6 address changed after
they migrated it to a different host.

They claim I can fix it with

sed -i 's/slaac private/slaac hwaddr/' /etc/dhcpcd.conf

However there appears to be no dhcpcd.conf on any of my CentOS 7 systems.

What is the CentOS 7 equivalent?

GCC 4.9 in CentOS 7 ??

The following features of the C++11/C++14 standards are not supported by
* std::make_unique function (C++14)
* digit separators (C++14)
* binary literals (C++14)
* generic lambdas (C++14)
If you are using the GNU C compiler collection (gcc) then you need
at least v4.9.x.
configure: error: support for required C++11/C++14 features incomplete

Is there by chance a compat package for gcc 4.9.x available?

I didn't see it in a yum list.

I'm trying to build the latest mkvtoolnix and it looks like CentOS 7 gcc
is just barely too old :-/

Mate and USB headphones

Logitech H540 headphones were working fine.

Suddenly stopped.

Sound Preferences says they are disabled but gives no hints on how to
enable them, or how they became disabled.

Tried rebooting, unplugging them, etc.

Anyone know what is going on?

This motherboard doesn't have onboard sound, this USB is my only option.

Avoiding spam blacklists

Virtual machine for a web application, it is still in testing.

reverse DNS is properly set up.
Postfix only listens on the local host.
Linux firewall drops anything not to port 80, 443, or a custom high
number port I use for SSH.

This postfix is not an open relay, or a relay for anything on the
Internet, it only exists so the web application can send e-mail.

SPF for the domain is correctly set up, DKIM for the host is correctly
set up, when it sends an e-mail and I inspect it - it passes the rDNS,
SPF, and DKIM checks.

So far it has only sent e-mails to addresses I control as the web

quick DANE question

When an SMTP server publishes a TLSA record, will DANE enforcing SMTP
servers refuse to connect if the TLSA record matches the certificate but
the certificate has expired?

spec file frustration (rant)

I'm getting spec files from centos git which is really convenient when
the related source is easy to find. But some things - e.g.

7.3 sources ???

Looking at and not seeing them.

I need to rebuild krb5

At I can get the spec file, patches, etc.

Why the Internet is so insecure

Major flaw in how the specification for window.opener() works resulting
in a major phishing vulnerability that is cake to pull off.

The right solution isn't considered because it would break compatibility
with the few number of sites that depend upon the broken specification even
though it would be simple for those sites to implement a secure method.

So instead the entire web is left with an extremely poor default and a
crappy solution that won't be implemented by a large number of sites.

And that's why the Internet will remain a playground for c

Modern FireFox on CentOS 7

No idea who this will be useful for, but starting with FireFox 49 I have
been running a modern FireFox with CentOS 7.

I needed to in order to play with the new Service Worker based Push API
but it has other things FireFox 45 ESR doesn't have - such as working
html5 details/summary tags - which I make use of when a page needs a Table
of Contents, for example.

Anyway I start with Fedora src.rpm and build it in mock on my system.

JavaScript and ServiceWorkers in FireFox

This is a bit off-topic but the question exists due to the FireFox in
CentOS 7.

Few websites I have visited (e.g.

httpd-filesystem in 7.3 ??

Does anyone know if the Apache httpd in CentOS 7.3 rebase is going to
use the httpd-filesystem that Fedora is now using?

I understand it has some advantages to some people with how PHP is run.

I'm not advocating for it I just would like to know as I maintain a
LibreSSL LAMP stack and need to know if I need to look at the Fedora
packaging to update my own packaging so I can remain as close to 7.3
style as reasonably possible.

FireFox and Plugins

While doing a browser fingerprinting survey, I was quite surprised to
see I actually have a FireFox plugin installed.

The culprit is


It appears that whoever maintains the rhythmbox RPM has chosen not to
package the browser plugin separately like it probably should be.

Stupid vim question

on very large files, vim will condense display - e.g.

+-- 8 lines: static inline void php_openssl_rand_add_timeval()

+-- 29 lines: static int php_openssl_load_rand_file(const char * file,
int *egdsocket, int *seeded)
+-- 22 lines: static int php_openssl_write_rand_file(const char * file,
int egdsocket, int seeded)

Disabling sound chip

01:00.1 Audio device [0403]: NVIDIA Corporation High Definition Audio
Controller [10de:0be3] (rev a1)

I don't want that seen by the sound software.

That's the sound chip on my video card, probably there for the HDMI output.

For some reason, that sound device takes preference over my USB
headphones and it is really annoying

I tried creating /etc/modprobe.d/blacklist with the following :

blacklist snd_hda_intel
blacklist snd_hda_codec_hdmi

That didn't work.

Those are not CentOS specific instructions, the only CentOS specific
instructions I found are related to nVidia and are rather com

blacklist audio device ???

SuperMicro server board being used as workstation.

Board has no audio itself.

I have USB headphones I sometimes plug in.

Unfortunately every time I plug them in I have to use the audio control
panel and choose them.

Python and LibreSSL Patch

One of my hobbies (I need a life) is working on getting stuff to build
against LibreSSL in CentOS 7

Part of that involves some test (not production) machines where openssl
has been removed.

Discovered some issues with Python built against LibreSSL - it passes the
test suite in %check if you just change the BuildRequires but the result
is some modules have some unresolved symbols the test suite oddly didn't
catch (e.g.

porting spec files

An rpm intended for a bleeding edge Fedora builds perfectly for me when
I comment two macros apparently not in CentOS 7 -




Looks like they operate similar to %post and %postun but are different.

Is there a simple way to do what they do in CentOS 7 or do I have to change
the packaging logic to build in CentOS 7 and have things work properly?