/srv/irclogs.ubuntu.com/2012/06/24/#ubuntu-uk.txt

bigcalm	Boo Beep	09:18
christel	morning	09:18
bigcalm	christel: my darling :) hugs	09:19
* christel hugs bigcalm		09:21
bigcalm	\o/	09:21
christel	IT IS NOT THAT LONG UNTIL RAT! \o/	09:21
bigcalm	Sunday morning hugs are the best!	09:21
bigcalm	Sweeeeeet	09:21
bigcalm	I look forward to getting drunk with you :D	09:22
bigcalm	Remind me to buy your train tickets, I still owe you	09:22
bigcalm	Mmmmm, tea	09:25
brobostigon	good morning everyone.	09:25
bigcalm	Howdy	09:26
brobostigon	hi bigcalm	09:26
christel	:D	09:30
bigcalm	Poptarts munched, tea slurped. Shower time!	09:33
popey	morning	09:36
brobostigon	morning popey	09:36
daubers	How	09:37
christel	omnom	09:39
christel	popey: your new kitty is very cute	09:39
popey	:)	09:40
MartijnVdS	Nyancat!	09:43
daubers	christel: Did you just eat the popeycat?	09:45
christel	haha	09:45
christel	sssh! ;)	09:45
Neoti_Laptop	hey peeps... can anyone recommend a good SIP Router, what i mean by router is something like opensips thats takes the SIP messages and routes them to an asterisk server based on load etc.... i have asterisk set up in the back end but on the front end i want some thing to load balance requests to differant servers.... i dont want the router to get involved in media just sip set up etc.....?	09:56
bigcalm	I want a kitten!	09:59
MartijnVdS	Neoti_Laptop: so.. a SIP load balancer?	09:59
MartijnVdS	bigcalm: talk to popey :)	09:59
Neoti_Laptop	<MartijnVdS> Yes. :)	10:00
bigcalm	MartijnVdS: I have a feeling that he won't want to give up the kitten he's just aquired	10:00
MartijnVdS	bigcalm: he might be able to hook you up with a kitten provider	10:01
MartijnVdS	a purveyor of felines	10:01
SuperEngineer	nomnom - kitten & chips!	10:01
bigcalm	MartijnVdS: kittens aren't hard to find	10:01
SuperEngineer	bigcalm: but they are hard to cook!	10:02
SuperEngineer	[morning peeps]	10:02
christel	they are? i can't say i've tried	10:06
MartijnVdS	christel: they won't stay put	10:07
christel	ah yes.. weigh them down perhaps?	10:07
* SuperEngineer imagines popeycat now running to a hiding hole		10:11
gord	getting replacement keys for my thinkpad is really tricky... i thought i'd be able to go on amazon and get a bag of random keys for a few quid or something	10:11
MartijnVdS	gord: replacement keys? you locked yourself out?	10:11
gord	of my thinkpad house?	10:11
MartijnVdS	well a "pad" is a name for a house	10:13
MartijnVdS	"This is my think-pad"	10:13
MartijnVdS	"But I misplaced the keys"	10:14
gord	this joke isn't really working is it? ;)	10:14
* gord sounds the abandon joke alarm		10:14
MartijnVdS	:(	10:15
SuperEngineer	darn! just as I was about to do the "lost private key" becoming a "found public key" front door joke!	10:16
MartijnVdS	:)	10:17
* SuperEngineer cancels facebook party invite to gord's house		10:17
AlanBell	morning all	10:19
AlanBell	oh come round to my house instead then	10:20
AlanBell	no failed jokes here	10:20
jacobw	morning AlanBell	10:20
AlanBell	http://loco.ubuntu.com/events/ubuntu-uk/1824/detail/	10:20
Seeker`	AlanBell: careful, someone might turn up!	10:20
AlanBell	yes, please do!	10:20
Seeker`	AlanBell: you're one of the crazy hampshire people?	10:21
AlanBell	nonononono	10:21
AlanBell	surrey	10:21
AlanBell	and crazy, yes	10:21
Seeker`	thats no closer :P	10:22
SuperEngineer	AlanBell - "still crazy after all these years"	10:22
gebbione	what is a good way to see if a program is running and with what options?	10:27
MartijnVdS	gebbione: 'ps' can do it	10:27
gebbione	true i ll run a watch	10:27
MartijnVdS	but programs can change the string ps shows	10:27
gebbione	yea the string is plain :/	10:29
MartijnVdS	gebbione: what are you trying to do?	10:29
gebbione	MartijnVdS, as a linux user i have problems with silverlight streams on akamai, and most important dont know a way to save the streams into a file for later viewing	10:36
gebbione	one of the sites that uses silverlight is rai.tv	10:36
MartijnVdS	that's sort of the point of using silverlight -- making saving harder :)	10:36
gebbione	there is a firefox plugin that uses mplayer	10:36
gebbione	but it does not give a save option	10:37
gebbione	sure, i agree with that only if the streams worked well natively	10:37
gebbione	the problem is that they dont	10:37
gebbione	and i have to look for workarounds for watching them and with these workaround sometimes they dont work	10:38
MartijnVdS	gebbione: do you have the URL of the stream? (mms probably?)	10:40
gebbione	the html that builds the video object is not so straight forward to read	10:46
gebbione	in the network i see. ..	10:46
gebbione	http://adlev.neodatagroup.com/ad/sipra.jsp?loc=rtv_societa^rtv_ballaro_3_1_rect^300x100^^jquery&bt=n&wt=n&jsfuncno=bf1340534699705523(true)&jsfunc=bf1340534699705523(false)&rnd=901161413710&_=1340534699706	10:46
jacobw	~500ms latency today :(	10:57
jacobw	hey hamitron	11:01
hamitron	hi :)	11:01
SuperEngineer	see you all later folks. Formula1 brmmm brmmms coverage started ;)	11:11
hamitron	ty for reminder	11:12
hamitron	bbl	11:12
hamitron	:)	11:12
SuperEngineer	hamitron: np enjoy	11:12
MartijnVdS	F1!	11:26
Seeker`	HD F1!	11:27
MartijnVdS	yay	11:31
=== Lcawte\|Away is now known as Lcawte
mattt	afternoon	12:08
Seeker`	MartijnVdS: see that pit stop? 2.9 seconds?!	12:27
MartijnVdS	Seeker`: when? :)	12:29
MartijnVdS	I saw a 6.x second one	12:29
Seeker`	MartijnVdS: Hamiltons	12:32
MartijnVdS	ah	12:32
MartijnVdS	yeah McLaren are quick	12:32
MartijnVdS	whoa	12:38
Seeker`	MartijnVdS: whoa at senna?	12:43
MartijnVdS	yea	12:43
MartijnVdS	can someone bring some valium to the commentary box please? :P	13:06
* nperry waves bye to Vettel.		13:09
MartijnVdS	Grosjean winning would rock :)	13:10
nperry	He'll come with the white flags soon.	13:10
MartijnVdS	who? Teflonso?	13:10
nperry	Grosjean.	13:11
MartijnVdS	Incident #5232	13:12
nperry	He has the white flags out there :D	13:18
MartijnVdS	What's up with cars breaking	13:19
MartijnVdS	Vettel, Grosjean	13:19
nperry	Alternator failed on Grosjean	13:19
nperry	Vettel, we prob wont hear until after the race.	13:20
MartijnVdS	nperry: well BBC have Lee, she gets news out of everyone :)	13:21
MartijnVdS	nperry: See?	13:24
nperry	The stewards are being kept busy...	13:32
nperry	HAHAHAHAA	13:45
nperry	That would teach him	13:45
MartijnVdS	Bye bye Hami	13:46
Seeker`	ouch	13:46
Seeker`	that wasn't his fault	13:46
nperry	Seeker`, Hamilton forced him off the track..	13:47
Seeker`	nperry: no he didn't	13:47
Seeker`	Maldinardo tried to go round the outside of him in to the corner, and ended up off the track, and then turned in to hamilton	13:48
nperry	I believe he did. Hamilton had some room to move over.	13:48
Seeker`	He could have moved over, but he didn't leave the racing line	13:49
nperry	But then again I'm not a fan of Hamilton.. I don't like his driving attitude.	13:49
Seeker`	He has no obligation to move off the racing line to let someone else in	13:49
Seeker`	Hamilton has been far more mature this year	13:49
nperry	Yeah but i still remember last year, I give him that this year has been better.	13:50
Seeker`	he's been a different person this year imo	13:52
s-fox	Hi :)	13:58
jacobw	hey fox	14:09
jacobw	lo SuperEngineer	14:11
SuperEngineer	lo2u jacobw	14:15
SuperEngineer	Microsoft Blocks FSF Donation Website As a 'Gambling Site'	14:20
SuperEngineer	http://yro.slashdot.org/story/12/06/24/1325241/microsoft-blocks-fsf-donation-website-as-a-gambling-site?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29	14:20
SuperEngineer	[sorry - should have short-url'd that]	14:20
penguin42	haha	14:21
gord	more realisticly, automated bot makes mistake, slashdot puts another layer of tinfoil on their crazy hats	14:25
RaycisCharles	SuperEngineer: another example of how Slashdot trolls for pageviews.	14:25
RaycisCharles	gord, exactly.	14:25
RaycisCharles	Accidentally blocking sites happens all the times when maintaining content filter blacklists.	14:25
SuperEngineer	slashdot = slashtrot ;)	14:25
SuperEngineer	keep an eye on newsfeed few the occasional gem tho - like that little foopah	14:26
RaycisCharles	Also, who cares about the FSF anyway? It's like finding out the cops busted a lemonade stand.	14:26
SuperEngineer	RaycisCharles: now who's the troll!!!	14:26
SuperEngineer	RaycisCharles: u?	14:27
RaycisCharles	I'm a Windows/VMWare sys architect, what do you expect?	14:27
* SuperEngineer guffaws		14:27
SuperEngineer	[& passes on his pity]	14:28
RaycisCharles	Yes, I wish I knew how to architect technologies as usable, capable and popular as Ubuntu and KVM.	14:31
s-fox	Hi jacobw , sorry didn't see ping because missed the s on my irc nick :)	14:53
s-fox	How is everyone?	14:53
AlanBell	hi s-fox	14:53
s-fox	Hi AlanBell :)	14:53
* penguin42 is rather sleepy today		15:06
* bigcalm returns		16:15
mgdm	o/	16:15
daubers	Lawn mowed with only one medical incident!	16:23
penguin42	to whom?	16:24
mgdm	the grass :(	16:24
daubers	Me. Burnt myself on the exhaust while changing the cutting height	16:24
mgdm	eep	16:24
penguin42	daubers: You know the problem there don't you?	16:25
daubers	penguin42: No?	16:25
penguin42	daubers: You've got a mower with an exhaust	16:25
daubers	penguin42: Heh :) I borrowed one as it was a bit of a jungle! Leccy mower would have struggled	16:26
bigcalm	mgdm: ta for the single char last night. It allowed me to write a script for updating a WordPress database after it has been moved to a new domain (bloomin' serialised arrays as table variables)	16:33
mgdm	bigcalm: cool - glad it helped	16:34
DJones	Afternoon all	16:41
alexcockell	Hi all...	17:28
* bigcalm throws his code onto his ranty blog for people to mock :)		17:39
DJones	Hows the new phone bigcalm	17:42
mgdm	bigcalm: show me :)	17:43
bigcalm	mgdm: http://www.myrant.net/2012/06/24/updating-a-wordpress-database-with-new-domain-details/	17:53
bigcalm	DJones: very pleasing :)	17:53
DJones	I'm jealous, probably going with that one in November, unless something better comes along	17:54
bigcalm	mgdm: it requires a lot of refactoring, but it works :)	17:54
bigcalm	Afternoon, popey	17:57
bigcalm	DJones: Hayley doesn't like me having a new phone. She's now looking to replace hers	17:58
popey	hello	17:59
DJones	bigcalm: We're the same, Emma has been looking at phones for the last 6 months despite our contracts running until November	18:00
mgdm	afternoon popey	18:00
bigcalm	mgdm: no mocking? :P	18:01
mgdm	bigcalm: not reafd yet, on the phone :)	18:01
bigcalm	Fair enough :)	18:02
bigcalm	Yikes, it's gone 7pm	18:06
mgdm	every time I go to write a blog post I end up fiddling with the CSS instead	18:07
mgdm	bah	18:07
bigcalm	Hehe	18:07
bigcalm	One of the reasons why I use an existing CMS and theme	18:08
mgdm	Mine's all custom now	18:08
bigcalm	I started out that way	18:08
mgdm	well, the HTML is - it's generated by Jekyll, which I didn't write	18:08
mgdm	it entertains me to have to type 'make' to rebuild my blog	18:08
bigcalm	o.O	18:09
alexcockell	Curious as to why IRC throws me out..	18:10
bigcalm	Maybe it wants you to have a productive life ;)	18:11
mgdm	Yeah, that 'peer' guy is big on productiviy	18:11
bigcalm	Question	18:12
mgdm	Answer	18:12
bigcalm	Retort	18:12
mgdm	Counter Retort	18:12
bigcalm	Which will make me more productive tonight? a) ale, b) wine	18:12
mgdm	Observation that you create a vacuum	18:13
bigcalm	I'd have to trawl bash.org to find more of that conversation	18:13
mgdm	hehe	18:13
mgdm	and as to your question, I have no idea	18:13
bigcalm	Och	18:13
mgdm	Aye the noo?	18:14
bigcalm	If you insist :)	18:14
* bigcalm goes to eat left over enchiladas instead		18:14
bigcalm	Old Elpaso make it look as though I'm a really good cook	18:15
alexcockell	LOL	18:15
alexcockell	Oh - who else is unaffected but watching the Natwest debacle?	18:15
DJones	alexcockell: I'm affect at work, can't access info on our accounts for the last 2 working days	18:16
alexcockell	Ah.	18:17
alexcockell	Been reading the followign Register thread about it - http://forums.theregister.co.uk/forum/4/2012/06/22/rbs_natwest_outage_fourth_day/	18:17
penguin42	someone there must have been having an awful week	18:20
alexcockell	yup..	18:23
ubuntuuk-planet	[Iain Cuthbertson] Updating a WordPress database with new domain details - http://www.myrant.net/2012/06/24/updating-a-wordpress-database-with-new-domain-details/	18:23
DJones	Has the wendyball finished yet?	18:43
penguin42	don't think so yet	18:45
DJones	Damm	18:45
penguin42	TV this summer is mostly going to be complete balls	18:45
penguin42	footballs, tennis balls, and various types of olympic balls	18:46
* bigcalm returns		18:46
* DJones wonders at times if he's the onle male in the UK that couldn't give a monkey's about football		18:48
DJones	s/onle/only/	18:48
penguin42	DJones: Well, there are at least 2 of us	18:48
Seeker`	a monekys about what?	18:48
Seeker`	never heard of this 'football' :P	18:48
DJones	yay, I'm not alone	18:48
alexcockell	BBC4's got a Julius Caesar variant running	19:02
MartijnVdS	alexcockell: set in "a modern African state", according to the website	19:03
ali1234	the UEFI specification makes no sense and contradicts itself :(	19:04
MartijnVdS	ali1234: it was written by a committee and Microsoft. What did you expect?	19:05
ali1234	i didn't expect any different	19:05
MartijnVdS	ali1234: what's your complaint specifically?	19:07
ali1234	section 27.5 says that "The authenticated UEFI variable that stores the key exchange keys (KEKs) can always be read but	19:09
ali1234	only be written if: The platform is in user mode and the provided variable data is signed with the current PKpriv;	19:09
ali1234	or if The platform is in setup mode."	19:09
mgdm	'KEKs' snigger	19:09
ali1234	but section 7.2.1 says "If the variable is the global PK variable or the global KEK variable, verify that the signer's	19:10
ali1234	certificate chains to the Platform Key."	19:10
penguin42	most security docs are like that	19:10
ali1234	additionally	19:10
ali1234	27.7.3 says "authenticated UEFI variables that store the signature databases (db, or dbx) can always be read but can only be written if: The platform is in user mode and the provided variable data is signed with the private half of a previously enrolled key exchange key (KEKpriv), or the platform private key (PKpriv);"	19:12
MartijnVdS	ali1234: assume the most restrictive one is true	19:13
MartijnVdS	or whatever windows does	19:13
ali1234	windows does not have PK or KEK keys	19:13
ali1234	it just has certs that are trusted	19:13
ali1234	and revoked certs that are not	19:13
MartijnVdS	then good luck with this :)	19:13
MartijnVdS	don't expect bios builders to build this	19:14
penguin42	ali1234: Looked at the code?	19:14
ali1234	wait i understand it. "global KEK variable" means the KEK database as a whole	19:14
ali1234	yes, i've looked at the code. it follows the less restrictive interpretation	19:15
daubers	fds	19:24
daubers	stupid ssh sessions	19:24
Azelphur	ali1234: did you see ASIC just hit	19:29
MartijnVdS	hmm	19:30
MartijnVdS	if I watch TV on the same transponder/sat as I'm tuned to from my PC, the PC loses 5% signal strength	19:30
alexcockell	Ummm - ASIC???	19:30
Azelphur	alexcockell: tis bitcoin stuff	19:30
MartijnVdS	Azelphur: mining asic?	19:31
alexcockell	Ah; never been anywhere near that stuff.	19:31
Azelphur	MartijnVdS: yea	19:31
Laney	can someone try www.nwolb.com please?	19:34
Laney	I don't think it is down, but there is something up with SSL here.	19:35
Azelphur	Laney: wfm	19:35
Laney	on which browser?	19:35
Laney	"Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."	19:35
Azelphur	chromium	19:35
popey	chrome is fine here	19:36
Laney	hmmmmmmmm	19:36
mgdm	WFM	19:36
Laney	broken on both FF and chromium for me	19:36
Laney	quantal.	19:37
* Laney sees a ca-certificates update		19:37
popey	fine in chromium on quantal here too	19:37
Laney	[5674:5695:101097611225:ERROR:ssl_client_socket_nss.cc(1534)] handshake with server www.nwolb.com:443 failed; NSS error code -5938, net_error -107	19:38
Laney	get it on both of my machines :(	19:50
* Laney fires up a vm		19:50
Laney	O_O	19:52
MartijnVdS	o_O	19:52
popey	O_O	19:54
mgdm	ಠ_ಠ	19:57
MartijnVdS	(╯°□°)╯︵ ┻━┻	20:01
dogmatic69	how can I run tcpdump on a remote machine and not have all the stuff showing from the ssh connection streaming the tcpdump	20:02
popey	:)	20:02
popey	http://www.cyberciti.biz/faq/linux-monitor-all-network-traffic-except-ssh-port-22/	20:02
popey	first hit for "tcpdump exclude ssh" on google :)	20:02
dogmatic69	eh	20:02
dogmatic69	that site comes up for anything linux related	20:03
Daviey	ettercap is another tool that supports regex style limiting	20:25
MartijnVdS	tshark/wireshark++	20:26
MartijnVdS	capture everything, then ignore the ssh strea	20:26
MartijnVdS	m	20:26
Daviey	Laney: confirmed, FF and Chrome, up-to-date Quantal.. works here.	20:27
Laney	yeah I tried loading it in The Cloud and it worked, but broken on both of my machines	20:28
Laney	weird eh	20:28
* Laney remembers there is a cheeky macbook air running precise		20:33
Laney	… which is also broken in the same way …	20:35
* Laney gets suspicious		20:35
Daviey	"The Cloud"... i love it.	20:38
Daviey	Laney: do a proxy check..	20:38
Laney	how?	20:39
Laney	I do indeed now suspect skulduggery from vM	20:39
Laney	VM	20:39
Daviey	Laney: google for "proxy check" :)	20:40
Daviey	I've started VPN'ing all my traffic, as i don't really trust my ISP.	20:41
Daviey	</paranoid>	20:41
Laney	Daviey: I see, you mean like that. Apparently not. I did think that virgin had one, but this site is SSL.	20:42
* Laney should do the VPN thing		20:42
Daviey	Laney: Squid recently added support for SSL MITM'ling.. whic freaks me out.	20:49
Daviey	http://wiki.squid-cache.org/Features/SslBump	20:49
Laney	Huh, that is scary	20:51
Laney	I wonder if employers would have to inform you if they're doing that	20:51
ali1234	you can just look at your certificate store	20:52
ali1234	if you see "FooCorp certificate for SSL snooping" then you know they are doing it	20:53
Laney	yes, most people definitely know to do that	20:53
ali1234	if you don't, and they try it, you'll get a big fat "untrusted certificate" warning on any SSL website	20:53
ali1234	most people don't understand https to start with and either assume all traffic is secure by default no matter what, or all traffic is insecure by default no matter what	20:54
Laney	oh, that's ok then	20:55
ali1234	if people don't understand certificates, then they wouldn't understand if the employer told them either	20:56
ali1234	so yeah it would be nice of them, but largely pointless	20:56
Laney	wtf	20:56
Laney	you think it is impossible to express it in a simple way?	20:56
ali1234	yes	20:56
ali1234	it's impossible to make it simple enough that people would understand it in combination with all the other "simple" guides to internet security out there	20:57
ali1234	ie it's impossible to simplify it without making it contradict everything people have previously been told about security	20:57
ali1234	the only way to understand it is to actually really understand it properly	20:58
Daviey	"To maintain corporate internet useage policy (filtering), and to make best use of our bandwith; we intercept https connections. This means that we can technically see your 'secure' content - such as online banking"	20:58
Daviey	sans typos	20:58
dogmatic69	ok, my issue I have been having with server dropping out all the time seems to not be the server but rather my pc :(	20:58
ali1234	Daviey: "but the help screen in internet explorer says that https connections cannot be intercepted"	20:59
dogmatic69	Tracking traffic with tcpdump, when its breaks there is nothing being sent at all.	20:59
daubers	Daviey: YOU'RE screening my interwebz?	20:59
Daviey	daubers: Indeedy	21:00
daubers	Daviey: So thoes Ninjas... I didn't mean to send them to you....	21:00
Daviey	daubers: And i'd share with the rest of the channel what you had been recently looking at.. but it's not family friendly.	21:01
Daviey	Those poor goats, is all i can say.	21:01
daubers	Daviey: That's your browser history! Not mine	21:01
Daviey	daubers: next you'll be saying it was for 'research purposes'.	21:02
daubers	Daviey: Maybe it was.....	21:02
daubers	Bah, why can't all circuit boards have 0.1mm seperated headers. Would make my life a lot easier	21:03
daubers	or 1mm even	21:03
daubers	**OUT OF TEA ERROR**	21:03
ali1234	because the standard is 0.1 inched	21:04
Daviey	Laney: TBH, if it's a 'work maintained' machine.. i'd expect them to have vnc (or equivalent).. making https almost as insecure.. so it's no massive change.	21:04
daubers	ali1234: In this house we respect the laws of thermodynamics and the metric system	21:04
Laney	Daviey: Indeed (and that does have to be in a computer code of use AFAIK). It just makes it easier to automate.	21:05
Laney	(and to process the results)	21:07
ali1234	http://al.robotfuzz.com/playing-with-uefi-secure-boot-part-2-basic-authenticode-signing-with-ms-tools/	21:08
em	aren't you guys watching the football?	21:09
Laney	sure am	21:09
ali1234	NO	21:09
daubers	Whatball?	21:10
popey	cricket without bats daubers	21:11
daubers	popey: Surely that's not legal?	21:11
daubers	(although it's been some time since I listened to the cricket I have to admit)	21:11
bigcalm	Git people who run private local repos! What's your favourite web interface?	21:22
ali1234	gitweb	21:22
bigcalm	ali1234: for personal use only, or do you protect bits for members to view stuff?	21:22
ali1234	i don't share proprietary code	21:23
ali1234	let me put that another way	21:24
ali1234	i only share code publicly or not at all	21:24
bigcalm	OK	21:24
bigcalm	I'm sure I can lock things down with a .htaccess file	21:25
jacobw	and england are out :)	21:25
diddledan	true to form	21:25
diddledan	so is that hodgson out of a job now? :-p	21:26
popey	looks like bed time	21:34
bigcalm	Is there a web interface to manage merge requests in git?	22:16
AlanBell	like github?	22:18
bigcalm	AlanBell: yes, like it for privately hosted git repos	22:18
AlanBell	http://stackoverflow.com/questions/438163/whats-the-best-web-interface-for-git-repositories	22:18
bigcalm	AlanBell: just been there	22:18
AlanBell	I was looking there the other day	22:19
bigcalm	I have gitweb running, but it only lets you view. Doesn't offer management tools	22:19
AlanBell	went with redmine which isn't quite the same thing	22:19
bigcalm	gitorious looks nice	22:20
bigcalm	Ug, getting tired	22:23
ali1234	hmm you know i just noticed that tiano doesn't actually follow the EFI specification	22:25
ali1234	quote "If the image’s signature is not found in the authorized database, or is found in the forbidden database, the image will not be started and instead"	22:27
ali1234	that isn't true. OVMF will run an image if it is signed with the KEK certificate, even if it's signature is not present in the authorized database (DB)	22:27
ali1234	however, it won't run it if it is signed with PK	22:27
ali1234	either PK or KEK should allow signatures to be added to the DB	22:28
ali1234	the spec says nothing about allowing an image to run if it is signed by an enrolled KEK	22:29
ali1234	it also says nothng about disallowing an image that is signed by PK but not KEK	22:29
ali1234	it does however say that DB updates may be signed with either KEK or PK	22:30
ali1234	so if signing the image with KEK implicitly allows it to run because the signer could have added the sig to DB, then signing it with PK should have the same effect	22:31
ali1234	but in the implementation it does not	22:31
AlanBell	ali1234: I think it might be a good thing to send some of your investigations to the ubuntu-devel@lists.ubuntu.com list	22:39
ali1234	i will do, when i've got everything straight	22:40
AlanBell	great	22:40
ali1234	i'm building a set of batch files to automatically generate the keys, certificates, and binaries for the tests	22:40
ali1234	you can help by following along and checking i have not made any obvious mistakes	22:41
AlanBell	great, but now I am off to bed. Night all o/	22:42
=== Lcawte is now known as Lcawte\|Away
bigcalm	Beddybies time :) o/	22:55
ali1234	LOL	23:10
ali1234	so on page 40 of the efi signing document they attempt to show what happens if you try to run an unsigned efi binary with a screenshot	23:10
dogmatic69	Ok, I keep getting something like '192.168.0.3 > 192.168.0.2: ICMP 192.168.0.3 udp port 2032 unreachable'	23:10
ali1234	except that the screenshot clearly gives the "command not found error" rather than the "access denied" error you get when you actually try it	23:11
dogmatic69	after that I can not load web pages from the box via chrome	23:11
ali1234	dogmatic69: that's crazy	23:12
dogmatic69	anyone know what ICMP is?	23:12
ali1234	yes	23:12
dogmatic69	:/	23:12
dogmatic69	what?	23:12
ali1234	it's the packet type used to establish a connection	23:12
dogmatic69	ah ok	23:12
ali1234	like if you try to connect to an unopen port, the server sends back a "connection refused" message, right?	23:13
ali1234	well that message can't be sent over tcp or udp because those require a port	23:13
dogmatic69	192.168.0.2 is a blade server I use for web dev at home, its running bind9 catching *.dev and passing anything else	23:13
ali1234	and since there is no port, that won't work	23:13
dogmatic69	every now and then the site is unavaiable	23:13
dogmatic69	and that seems to happen at the exact moment	23:13
ali1234	so it is sent using ICMP instead	23:13
dogmatic69	ok	23:14
dogmatic69	once this connection drops no amount of F5 does anything. there is no tcp traffic at all	23:14
dogmatic69	or udp, tcpdump is just quiet	23:14
ali1234	i don't use chrome	23:14
dogmatic69	then it seems I get http://bin.cakephp.org/view/2003453668	23:15
dogmatic69	and it works again	23:15
dogmatic69	well the bit after un reachable	23:15
ali1234	look at that ARP stuff	23:15
dogmatic69	its normally down for 10 20 seconds	23:15
dogmatic69	ARP?	23:15
ali1234	your blade server is disappearing off the netwrk for no good reason	23:15
dogmatic69	well ssh still works	23:16
ali1234	who knows?	23:16
dogmatic69	I can ls in another terminal	23:16
ali1234	also why do you have a blade server in your house?	23:16
dogmatic69	for dev	23:16
ali1234	what's wrong with just using a normal computer?	23:16
ali1234	btw if ARP goes away for some reason established connections persist, just new ones break	23:17
dogmatic69	takes up much more space, blades are cheap and its closer to the real deal come deploy time	23:17
ali1234	there's a lot of ways that can happen	23:18
dogmatic69	hmm	23:18
ali1234	and they all involve misconfigured networks	23:18
dogmatic69	I have been apt-get removing everything possible	23:18
ali1234	for example, mac address conflict or ip address conflict can cause weird stuff like this to happen	23:18
ali1234	it won't be caused by a package	23:18
dogmatic69	I have mostly everything on a fixed IP	23:18
ali1234	it will be caused by something specific that you did, either that or the hardware is faulty	23:19
dogmatic69	will look for some conflicts	23:19
dogmatic69	Ill try reboot the router then	23:19
ali1234	i doubt that will help	23:20

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!