=== Lcawte is now known as Lcawte|Away
=== lap_ is now known as Guest42206
[00:56] join #ubuntu
[08:12] Morning all
[08:25] mornin'
[08:37] orning :)
[08:37] er morning perhaps
[08:37] * dwatkins hands christel an 'm'
[08:37] thank you! i've been looking for one of those! :D
[08:38] I'd have put it on toast, but there's no bread here.
[08:38] \o
[08:39] o/
[08:39] \\o \o/ o//
[08:39] hehe
[08:39] (" ) ( ") (" )
[08:39] dwatkins: gangnam style?
[08:40] haha, never thought of that - I was thinking of arcade games, possibly Pengo.
[08:45] morning
[08:45] a bit cheesy, but as safety briefings go quite clever http://www.youtube.com/watch?v=cBlRbrB_Gnc
[08:46] I am from the ubuntu-loco ae, can someone help me with the wordpress theme that you have used on your loco site
[08:48] ZAKhan: I think AlanBell is your man
[08:48] he is away i guess
[08:50] ZAKhan: he's here most days
[08:51] danfish, I have messaged him.. i hope when he is here he will get back to me
[08:51] danfish, thanks
[08:51] hi ZAKhan
[08:51] oh there you are :)
[08:51] where is ae then?
[08:51] can anyone please tell me the website used to share specs of a PC being selected/built?
[08:52] United Arab Emirates
[08:52] oh cool
[08:52] AlanBell, can you help me with the wordpress theme?
[08:53] maybe, just looking for the theme on launchpad
=== TheOpenSourcerer is now known as theopensourcerer
[08:53] I have installed the theme and its working, I am unable to find out how to set up the menus
[08:54] check http://ubuntu-loco.ae
[08:54] good morning
[08:54] oh right, I am about to pop out ZAKhan, I will log on to our one later and get back to you
[08:55] ok i am onoine you can msg me anytime
[08:55] online
[08:59] grurgh
[08:59] blurgohgeoh
[08:59] and other similar noises
[09:02] ugh
[09:03] getting up. going into copenhagen to explore.
[09:03] * Laney drags self around
[09:27] ZAKhan: menus are not in theme
[09:28] poor Laney
[09:36] \o/ Managed to connect a extra 5 port hub/switch to my router to give more ethernet connections in the office
[09:37] Achievement unlocked?
[09:37] Its amazing what you find in the loft after 10 years and moving into a house
[09:38] Yep, I'd tried it once before & never got it to work, should bit the bullet originally and read the manual
[09:38] Connecting a switch isn't rocket surgery though
[09:38] 2 achievements unlocked, bloke reads electronic manual and succeeded in getting it working
[09:40] MartijnVdS: You tell that to the people running network commercial isps that keep going down, BT/virgin failures springs to mind :)
[09:40] 3rd achievement unlocked, dog didn't like the noise of the loft ladder and was brave enough to come upstairs on his own
[09:41] Hmmh, maybe even 4th achievement unlocked, dog decides its bring yourself to owners work day
[09:41] he has his own loft ladder?
[09:41] I think he might start thinking about it
[09:42] Did have his front paws on the 2nd rung
[09:42] daubers: What are you building? ( Ref : G+ )
[09:42] My dad's cat used to use the loft ladder coming out as an excuse to shoot up into the loft and wee in a corner. I'm still surprised every time I find myself in a loft that doesn't smell faintly of cat wee
[09:44] good morning everyone.
[09:45] BigRedS: Easily solved, get yourself a cat
=== Lcawte|Away is now known as Lcawte
[09:52] DJones: :)
[09:52] diplo: RepRap Prusa
[09:54] 3d printer ?
[09:58] I saw online that 12.10 is slower than 12.04. The articles fail to mention how much slower it actually is. Should I pick 12.04 or 12.10 to run on a 2.1 GHz dual core?
[10:05] kvarley: it depends on your graphics mostly
[10:06] ali1234: It's an AMD A6-4455M APU so I have reasonable graphics performance
[10:06] if you previously used unity-2d then 12.10 will be much slower for you
[10:07] It's a new laptop so I haven't compared
[10:07] should be fine then IF you can get the drivers working
[10:07] :)
[10:07] i heard there's a lot of problems on 12.10 with that
[10:07] =/
[10:07] I'll give it a go and see how it goes
[10:08] i haven't bothered trying to upgrade yet because there's simply nothing of interest in it
[10:08] If all else fails I'll just fallback to 12.04. Thanks for the help :)
[10:08] ali1234: In which case I may just do 12.04. Only new features are previews and shopping lens?
[10:08] and webapps but they don't work properly
[10:10] also a load of third party indicators are broken too
[10:13] diplo: Yup :)
[10:18] anyone remember from the gnome2 days being able to add time locations from the date/time dropdown menu in the top panel?
[10:18] yes
[10:18] using gnome-shell and wondering whether there is an application I need to dl to regain that functionality
[10:19] no. it's just gone
[10:19] dang
[10:19] you can still add times in other locations to that menu in unity
[10:19] but that was so cool
[10:19] yeah, I spent a while trying to do that in Gnome
[10:19] gord: how
[10:20] date time settings -> clock -> time in other locations
[10:20] yeah, i have multiple locations on my calendar in unity
[10:20] you can also set it to auto detect your current location
[10:20] which is awwweeesoome
[10:20] when i click "time & date settings" it just opens "all settings"
[10:20] there is no "clock"
[10:20] the other tab
[10:20] oh
[10:21] iruno whats going on with your system then
[10:21] there are no tabs
[10:21] You want 'time and date settings' then the 'clock' tab, then the 'choose locations' button on the right
[10:21] doesn't unity use gnome control center any more?
[10:21] Certainly neither Gnome or Unity on my laptop appear to recognise the existence of the power button, but gnome under Debian does
[10:22] so I've assumed that's some 'optimisation' somewhere in a common component, and I've presumed that extends to all the config
[10:23] it does use the gnome control centre
[10:23] well my gnome control centre does not have a "clock" tab
[10:23] your system be funky, i suggest you defunkify it
[10:23] How about the calendar. Is it possible for that to link to google calendar - I have no use for evolution at all
[10:23] can you show me a screenshot of what it is supposed to look like?
[10:24] livingdaylight: as far as I know you can only do that with evolution, 'cause that's the gnome-sanctioned way of using calendars
[10:24] ali1234, its called time and date
[10:24] http://lotphelp.com/wp-content/uploads/2011/08/Time-Date_002.png
[10:24] I keep meaning to do something with pal and /etc/profile...
[10:25] no, not that window, the screenshot of gnome control center showing an icon labelled "time and date"
[10:25] i see it at the bottom under "system"
[10:26] also that clearly isn't g-c-c because it doesn't have "all settings" button at the top
[10:26] i did a search for unity control centre on google images and just got back images of ccsm -_-
[10:26] BigRedS, that's disappointing. I'd like to integrate my calendar but don't use evolution or stand alone calendar. Presumably, lots of people use google's calendar to organize their schedule. Cloud computing and syncing over many apps is kinda way to go. Sounds like gnome devs are stuck in 20th century
[10:27] popey: system has "date and time" not "time and date"
[10:27] not here
[10:27] so what packages do you have installed which mess with gnome control center??
[10:27] livingdaylight, http://www.my-guides.net/en/guides/linux/310-how-to-display-google-calendar-events-in-unity-without-evolution work for you? - if there is one thing i've learnt, its there is probably an indicator for everything by now
[10:27] I've got "Date and Time Settings"
[10:27] livingdaylight: I thought "cloud" in that sense meant "In a web browser"
[10:28] gord, thx, will look at that
[10:29] BigRedS, you probably know better than me. I just mean in the sense that its stored in the cloud-space; hence synced over a lot of apps. i.e. I can schedule something on my desktop and be reminded about it, when I'm about through my Android phone
[10:30] livingdaylight: haha, I was being facetious
[10:30] ah here's the problem
[10:30] BigRedS,
[10:30] :)
[10:31] indicator-datetime doesn't work
[10:31] so instead of displaying the configuration panel extension it just does nothing
[10:31] ** (gnome-control-center:14468): WARNING **: Could not find settings panel "indicator-datetime"
[10:32] livingdaylight: that's not really 'cloud'. That's just 'online' - calendars have done that for _years_
[10:32] (I know that's true of almost all of the 'cloud')
[10:32] ah, if i remove the crappy broken indicator-datetime from my panel, and use the gnome one, locations is back
[10:34] ali1234, the gnome one?
[10:34] I've got indicator-datetime too
[10:34] the gnome panel applet clock
[10:35] installed gworldclock but find it sux basically
[10:37] right, fixed
[10:38] ali1234, are you in unity or gnome shell?
[10:38] no
[10:40] http://i.imm.io/K76r.png
=== Hornet- is now known as Hornet
[10:44] ali1234, what DE are you in?
[10:45] ali1234, http://imgur.com/ZgHvn
[10:46] popey, nice
[10:47] is that only possible in Unity, still?
[10:47] anywhere you can use indicators
[10:52] no idea, it works for me
[10:52] i dont use any other desktops
[10:58] you can use indicators under gnome panel however it does not work
[10:59] so yeah this only works under unity
[11:00] Morning all
[11:00] livingdaylight: i use gnome classic
[11:00] ali1234: what only works under unity?
[11:00] indicator-datetime
[11:01] ali1234: that should work under gnome classic all the indicators should
[11:01] well it doesn't
[11:02] if you are not running unity: ** (gnome-control-center:14468): WARNING **: Could not find settings panel "indicator-datetime"
[11:04] ali1234: what version of Ubuntu is that on?
[11:04] 12.04
[11:06] and it works if you log into unity?
[11:07] no. i cannot log in to unity because it is not installed
[11:08] then how can you say foo only works in unity, its likely your system is just misconfigured
[11:08] maybe an essential package didn't get brought in that is brought in with the ubuntu-desktop package
[11:09] nope
[11:09] in that case the dependencies on indicator-datetime are broken
[11:10] could be, ubuntu is a big and complicated system, but that doesn't mean omgeveryoneelseisterrible. just figure out what it is, install the package and file a bug against the packaging
[11:11] considering that i have every package installed from ubuntu desktop except for ones that conflict with others
[11:11] i cannot install any more packages to make indicator-datetime work
[11:11] and it is highly unlikely that this is the problem
[11:11] ubuntu-desktop brings in unity
[11:11] yes
[11:11] so if indicator-datetime requires unity
[11:12] then it requires unity and does not work under other desktops, and therefore my original statement was correct
[11:12] no, i'm saying log into unity, you said its not installed, so either you're lying, or it conflicted with a gnome thing, which means who knows what else conflicted
[11:12] yes, unity does conflict with compiz
[11:12] because unity requires an incompatible fork of compiz which is not supported by upstream
[11:13] therefore in order to have a working version of compiz installed i cannot have unity installed
[11:14] okay you obviously have a crazily configurated system, i'm just going to step outside this because its not worth my effort
[11:14] like most things it seems
[11:15] bug #1071001
[11:15] Launchpad bug 1071001 in alsa-driver (Ubuntu) "Sound Card not detected NM10/ICH7 Intel HDA Internal" [Undecided,New] https://launchpad.net/bugs/1071001
[11:15] i love how you have plenty of time to argue with me, but fixing bugs is not worth your time
[11:15] Sort of found a fix for the above
[11:15] blacklist edac
[11:15] Sound now works, but Output in Sound settings is still empty
[11:17] ali1234: fwiw indicator-datetime works fine in gnome-classic session with unity installed
[11:19] apt-get wants to install these packages for unity: compiz compiz-core compiz-gnome compiz-plugins-default compiz-plugins-main-default compizconfig-backend-gconf libcompizconfig0 unity
[11:20] so yeah, probably is an unspecified dependency
[11:20] yup
[11:20] so you're telling me it depends directly on unity or compiz?
[11:20] unity is a plugin for compiz 0.9 as you well know
[11:20] indicator-datetime?
[11:21] so that means indicator-datetime does depend on unity
[11:21] well I don't know (and can't see why it should either)
[11:21] so the assertion that it works "anywhere you can use indicators" is false
[11:21] at some point I might try uninstalling unity in a vm to see if it breaks indicator-datetime
[11:27] right i am in unity and it works now
[11:27] ali1234: got a bug number?
[11:27] for?
[11:28] this issue?
[11:28] no, i only just found it
[11:28] reporting it now
[11:28] ok
[11:31] did unity start using the virtualbox passthrough driver or is it using llvmpipe still?
[11:32] bug 751175
[11:32] Launchpad bug 751175 in indicator-datetime (Ubuntu) "Time and Date Settings don't load" [Medium,Fix released] https://launchpad.net/bugs/751175
[11:35] bug 1074314
[11:35] Launchpad bug 1074314 in indicator-datetime (Ubuntu) "indicator-datetime configuration panel does not work if unity/compiz is not installed" [Undecided,New] https://launchpad.net/bugs/1074314
[11:35] now testing exactly which package causes this
[11:37] AlanBell, virtualbox is broken
[11:37] well the virtualbox guest driver is
[11:37] what do people at Canonical use then?
[11:37] i use vmware
[11:37] for what?
[11:38] well, for VMs of ubuntu on an ubuntu host
[11:38] for testing or whatever
[11:39] https://forums.virtualbox.org/viewtopic.php?f=3&t=51727&sid=36c95f58983d1295a120092fe6b8c85c&start=45
[11:39] *sigh*
[11:39] Can't connect to MySQL server on '192.9.178.5' (110) [2003]
[11:41] gord: does the host HUD grab the alt key from vmware guests?
[11:41] we have a known bug about the capture of alt/super in vms
[11:41] will do on ubuntu
[11:42] its not a vm issue, its, well really its an X issue
[11:42] O.o
[11:42] * czajkowski tickles gord you never came and said hi
[11:42] yeah Bug #741869
[11:42] Launchpad bug 741869 in OEM Priority Project precise "Unity/compiz intercepts Super and Alt keypresses from grabbed windows like VMs." [High,Confirmed] https://launchpad.net/bugs/741869
[11:42] thats the badger
[11:43] czajkowski, i was only in the same building ;) not really at uds
[11:43] :(
[11:47] gord: so I guess you turn off the shortcuts on the host or something to work in VMs?
[11:48] i just tend not to use them on hosts, i don't development "live", i built standalone versions of all the unity components that work outside of compiz
[11:49] another month, another DE
[11:49] *boggle*
[11:49] gnome shell was nice but suffered same problems
[11:49] maybe the problem is the apps i use
[11:49] it's certainly not my hardware
[11:50] cos i've changed it completely
[11:50] sure, I am just puzzled how we managed to set a shortcut key for HUD that means you can't alt-tab in a guest
[11:50] sometimes i think it's just me :(
[11:51] hurm, is there any kind of fake rootkit on the web I can use to check security software?
[11:51] like an eicar?
[11:52] yes, I guess
[11:55] SuperMatt: I've heard of backtrack linux being used for that sort of thing
[11:56] oh right, I see how that works
[11:56] cool
[11:56] * SuperMatt installs another vm
[11:58] \o/ vms
[11:58] LUNCH
[11:58] * mungojerry is back to lxde
[11:58] + xcompmgr
[11:59] I have no idea how we managed to test the crap out of things until we had vms
[11:59] 5 pcs
[11:59] I was tempted to switch to xpde, but then I realised that development of it stopped years ago.
[12:00] the screenshots of xpde look remarkably like windows 8
[12:00] Perhaps I should just use fvwm95...
[12:00] SuperMatt: heh, I think it's supposed to look like Windows 95 or 2000.
[12:00] Possibly XP with the old-style theme enabled, considering the background.
[12:02] AlanBell: I use Vbox but I need my vm's for very specific tasks so open them fullscreen, the only thing I have to worry about then is hitting enter before I type in the hud but the dash shortcuts work as expected because you can't see the main desktop one open. It is annoying though but not the end of the world
[12:03] * BigRedS shudders at the thought of interacting with a gui vm
[12:06] BigRedS: likewise, I prefer using ssh/screen
[12:06] ah, ok it does work a bit better fullscreened
[12:06] I just don't know if my brain would manage
[12:24] right, i have ubuntu-desktop^ installed and still exactly the same situation
[12:25] the panel works in unity, does not work in gnome classic no effects, and i cannot test in gnome classic /w compiz because of the compiz bugs
[12:26] (ie the reason i uninstalled compiz in the first place)
[12:27] so it looks like compiz is the common factor here
[12:29] i'm going to try fresh installs in VMs
[12:29] will test 12.04 and 12.10
[12:29] hmm... 12.04.1 right?
[12:34] ali1234: yeap
[12:35] AlanBell: Glad I could partially help for a change :)
[12:36] AlanBell: Of course now I need to be evil for a month to make up for it
[12:49] naturally davmor2
[12:50] AlanBell: you in London at all from the 12-16?
[12:50] erm, probably could be
[12:51] no set plans, but could get there
[12:51] I'm down for a canonical sprint that week :)
[12:51] ok, so which type of sprint is that?
[12:52] is it the "yay, lets party" type, or the "go away, we are busy" type
[12:55] AlanBell: it's the impolite version of UFO this is stupidly mentally busy, but we are pretty much on our own for evening meals so I thought I might try and catch up with people in the Sowff rather than eating by myself :)
[12:56] ok, cool we should do something then
[12:56] I know there was a sprint in Dublin where a bunch went out for beers with the loco team
[12:59] AlanBell: well I think there will be a couple of team meals one will be the Tuesday 13 iirc and there might be a second that is made up of what was our old team but that is a maybe
[13:00] I can't do the wednesday
[13:03] so Monday Thursday or Friday, I'm thinking Thursday might be best freeing up friday for you to go to a local pub :)
[13:09] Thursday is good, so that is the 15th
[13:10] AlanBell: Yeap looks like it
[13:11] AlanBell: now to find out if Uncle popey will be free
[13:11] yeah, just have to wait for him to sober up I guess ;)
[13:13] AlanBell: Sober up, he has to stop being drunk recover from the hangover and get a new liver before he can sober up :D ahh UDS if the UBUFLU doesn't kill you the alcohol poisoning will :)
[13:15] yeah, shocking. I think more people should follow the abstemious example set by czajkowski
[13:17] Maybe the alcohol helps fight UBUFLU. It would explain why I got sickest at the UDS where I didn't drink at all
[13:20] I suspect it does
[13:21] hi all!
[13:23] hi bb15
[13:25] hello bb15
[13:34] ISOs downloaded and now installing the VMs...
[13:43] wow, 12.10 is unbelievably slow in virtualbox
[13:44] opening the dash takes over 10 seconds
[13:45] ah i see you still get loads of adult content from the amazon search... i thought that was fixed
[13:46] ali1234: what did you look up?
[13:46] "fuc"
[13:47] also, $swearword = no result, $swearword + ' ' = full results
[13:47] just like how appending space completely changes HUD results. i guess both systems were implemented by the same person.
[13:49] let's suppose i'm looking for a "cock soup" recipe
[13:50] "coc" -> irrelevant but harmless results
[13:50] "cock" -> nothing at all
[13:50] "cock " -> lots of highly offensive content
[13:50] cock a leekie
[13:50] well known soup
[13:51] basically this filter is implemented in the worst way possible
[13:52] anyway that's a problem for another time. back to testing this panel thing
[13:52] patches welcome
[13:52] hahaha
[13:52] why would i send a patch when this bug does not affect me since a) i don't use this software and b) i'm not offended by adult content
[13:53] I don't think it is implemented in the worst way possible
[13:53] I could do it much worse if I tried
[13:53] how would you do it worse?
[13:53] whatever you search for you get a Rick Astley CD
[13:53] ali1234, you seem to care enough to try it and break it
[13:53] accidentally reverse the test so it only returns potentially offensive content?
[13:54] ali1234: well like it was before where it displayed anything no matter what was typed
[13:54] davmor2: that would not be an implementation
[13:55] so, puzzle for the day, if I write a lens to search your OpenERP server for stuff, should it honour the don't serve internet results privacy setting?
[13:56] what does "dont serve internet results" mean?
[13:56] i suspect it should do
[13:56] it is an undocumented feature that was rushed in to fix complaints about the amazon search results in the dash
[13:56] Oh
[13:57] it is epically broken in concept, however it is what it is
[13:57] i thought it was a setting on the openerp server, like robots.txt kind of thing
[13:57] no, in the privacy settings in system settings
[13:57] yeah i know what you mean now
[13:57] well
[13:57] it sets a key somewhere and the shopping/photo/music/video lenses have been hacked to look for that setting and turn themselves off
[13:57] does your lens integrate into the top level dash search, or does user have to click on the specific icon to get it?
[13:58] could do both
[13:58] well if the former then honour the setting. if the latter then don't
[13:58] AlanBell: if you are writing a full lens then why not make it a toggle switch. IE at the office you can search everything, on a site you only search the stuff the internet sees
[13:59] no, you have the same confusion i did
[13:59] davmor2: this is about the thing in the privacy settings
[13:59] it's not about the scope of the results it returns
[13:59] it's about whether it works *at all*
[14:00] i think the only sensible answer is to tell you not to bother writing lenses until they sort this stuff out
[14:00] the shipping lenses turn themselves off altogether davmor2
[14:00] well turn off their internet searches
[14:00] ali1234: that is a very fair point
[14:00] AlanBell: ah right I have no idea then
[14:02] tbh it isn't documented how one is supposed to comply with the privacy settings anyway
[14:02] that is a feature that couldn't have been implemented any worse I feel
[14:02] does the openerp search require a login?
[14:02] yes, it does
[14:02] like, on the server? if so then you agreed to privacy policy when making an account
[14:02] and I need to figure out how to do that bit still
[14:03] hmm
[14:03] you know this could be real bad
[14:03] if employer gives you a laptop with this lens
[14:03] openerp is something you would install on your own infrastructure, kind of like owncloud etc
[14:03] now they can see EVERYTHING you search for
[14:03] AlanBell: it's something your employer would install or have installed for them
[14:03] heh, true
[14:04] so now when you are searching monster.com in the dash your employer can see in the openerp log
[14:04] that's HORRIBLE
[14:04] so in this case, the lens must absolutely honour that setting
[14:04] yeah, it is, but that is the lens infrastructure
[14:04] at the very least when returning results from multiple lenses
[14:04] as we know, its impossible for them to know if you go to monster.com in your browser
[14:05] if you can't distinguish where the search came from then disable it everywhere
[14:05] gord: yes, it is
[14:05] I am not too bothered by the OMG logs!!! stuff really
[14:05] why are you even asking this question then?
[14:06] because I am wondering what the behaviour should be when the checkbox is checked
[14:06] the only sensible answer is the lens stops working
[14:06] I suspect you are right
[14:07] the shipping lenses only search local content when you have that checked
[14:07] of course it isn't even just a problem of web browsing
[14:07] they get logs of everything you search for not just websites
[14:08] I was just wondering whether people think that checkbox means "don't search on SaaS websites of companies that might be evil"
[14:08] nope
[14:08] or "don't search on anything that is an http request away"
[14:09] it means don't perform any searches that go over the internet
[14:09] technically it means *nothing whatsoever*
[14:09] but I don't think anyone wants to know that right now
[14:09] ali1234: but my local network != t'internet
[14:09] it means "act as if all networks were disconnected"
[14:10] MartijnVdS: that is exactly what I was pondering
[14:10] AlanBell: It could search my mounted SMB shares.. that would rock
[14:10] there is no way to distinguish the internet from any other lan
[14:10] (gvfs-mounted)
[14:11] the bottom line is that the checkbox is horrifically implemented and it should be a per-lens setting to say whether they can read global_search_change events or not
[14:11] basically this type of confusion is what happens when you rush through unfinished features
[14:11] and trying to figure out a workaround is just going to encourage more of the same
[14:11] ali1234: Nah it wasn't rushed. You just weren't "in the loop"!
[14:12] ;)
[14:12] it was rushed
[14:12] ali1234: you could use a link-local address to determine what's on-LAN and what's not on-LAN 8-)
[14:12] so as a developer i recommend you say "no, i'm not implementing any lenses for this until it is fixed"
[14:12] Amazon search was pushed out at feature freeze and this was written and put in after freeze
[14:12] ali1234: it's not perfect. but better than nothing
[14:13] https://lists.launchpad.net/unity-dev/msg00536.html
[14:13] I have raised the issue itself
[14:14] I think I am coming round to your way of thinking ali1234
[14:14] "If I want to buy stuff on Amazon I want to click on the shopping lens in the lens bar and use 100% of the dash for the shopping search results."
[14:14] ... or even better just open a web browser and go to amazon.com
[14:14] and not have to deal with poorly implemented profanity filters
[14:15] I actually like the way the lens searches amazon
[14:15] search as you type, plus it doesn't help amazon track me quite so much
[14:16] but meh, it isn't that exciting, sure a browser to amazon.com works well too
[14:16] I think the privacy thing is just a liability at the moment for lens writers
[14:17] I can publish the lens written to the API and it won't comply with the checkbox (so I am "wrong" and probably "evil")
[14:18] search as you type is super slow though
[14:18] the only system that does it and isn't super slow is google
[14:18] or I can read the source of a shipping lens and figure out how to comply with a feature I know to be a bad system
[14:18] search as you type is fine for me, but I have 70Mbit broadband
[14:18] that said, now that I have turned off internet results it is a fraction more responsive
[14:20] it's not slow because of network speed, it's slow because it redraws the screen every time you press a key
=== Kieran is now known as Guest18644
[14:20] quite impressed that the shopping lens is still working, I figured Amazon would blacklist products.ubuntu.com fairly quickly
[14:20] and i can type faster than llvm-pipe can redraw the dash
[14:20] oh, right
[14:22] actually my mother can type faster than this
[14:24] hmm 30mb of updates for Q and 220mb for P
[14:26] hmm so the follow up makes the argument that "if you can run a program as a user..."
[14:26] which is the same as the "we already have root" argument
[14:26] that's a poor argument and here is why
[14:27] if you can run any program as the user you can install some malware but that can be detected
[14:27] however on ubuntu if you can run any program as a user you can install some malware right from the repositories and it looks legit, and nobody would ever know what you've done
[14:28] for example if you release this openerp lens then mr bad guy doesn't need to write his own invisible lens, he can just use yours and it won't seem out of place
[14:29] * mgdm is going to install OpenERP at the weekend and have a play
[14:29] it might suit someone I know
[14:29] yup
[14:29] mgdm: cool, go for version 7
[14:29] I shall, ta
[14:29] not released yet, but is getting close now
[14:29] mgdm: I can let you have a login on one of our dev boxes or something if you like
[14:30] I have it with HUD integration now
[14:30] AlanBell: thanks, though I'll probably just put it on my laptop so I can have a poke around inside
[14:31] Here's a good one - my 12.04 resume/suspend didn't work, and after 4 shutdown resets I still have no pointer control, not via the touchpad or even when plugging in an external mouse
[14:32] mgdm: also there is the #openobject channel
[14:34] AlanBell: cool
[14:46] ah that'll be my fault then, for using an rc1 kernel....works on 3.2. Panic over.
[14:58] Just installed proprietary drivers on 12.10 (Samsung 535U3C A02UK) and now it just shows me a flashing _ on the screen. Any ideas?
[14:59] k, confirmed. indicator-datetime settings does not work in gnome classic or gnome classic no effects on a fresh fully updated install of 12.04.1 or 12.10
[15:02] also compiz still crashes when using gnome classic on 12.10
[15:06] Ubuntu used to be rock solid
[15:06] A bit of a pain to setup right but then it'd just work
[15:06] Nowadays it seems to be the opposite
[15:08] debian is still solid
[15:14] I'm having to use two scripts, one to get brightness control and one to get sound. It's like I'm using Ubuntu 8.04 again
[15:16] Do vendor graphics drivers handle brightness control?
[15:16] normally, yes
[15:16] I might manually install the graphics drivers then
[15:17] which video card
[15:17] AMD A6-4455M APU
[15:19] kvarley: i told you not to use 12.10 :)
[15:19] just revert to 12.04 it works much better
[15:19] ali1234: reckon this stuff will work on 12.04?
[15:19] Oh yeah, you mentioned driver issues lol
[15:19] Ok, reverting
[15:19] try a live cd
[15:20] My SSD is not having a happy birth
[15:20] Been formatted twice already lol
[15:20] is it pure SSD or SSD accelerator
[15:20] ?
[15:20] ali1234: It's a Crucial M4
[15:20] SSD accelerator = HDD with SSD cache
[15:20] Ah no, pure SSD
[15:20] pure SSD then, should be ok
[15:21] I know the key probably won't work but I'd like the silent mode function key to work in ubuntu. If it did then it'd be perfect
[15:21] right now I'll settle for brightness control and sound tho
[15:29] ali1234: Does 1204 work with UEFI?
[15:29] i dunno
[15:29] Just got invalid signature
[15:29] Might be bad usb installer
[15:29] it won't work with secure boot
[15:29] Dammit
[15:29] unless you whitelist it
[15:29] or disable secure boot entirely
[15:29] Do I need secure boot?
[15:30] no, it doesn't do anything useful
[15:30] Ok :)
[15:30] actually that's not true
[15:30] if you manually whitelist all the binaries you run then it does something useful
[15:30] if you install without enabling setup mode using 12.10 which has been signed, you get virtually no benefits at all
[15:31] basically under a securely configured UEFI system the 12.10 image wouldn't work either until you whitelisted it
[15:34] ali1234: It installs ok, but when I did graphics drivers it failed
[15:34] The bios settings are stupid
[15:34] "Standard" or "Custom" mode
[15:34] Why not just a disable?
[15:34] Will windows 7 install on a machine with UEFI on?
[15:34] Would be funny if it wouldn't
[15:34] no fair, fvwm95 fails to compile on Ubuntu.
[15:35] good, good.
[15:35] dwatkins: fvwm1 - Old version of the F(?) Virtual Window Manager
[15:35] kvarley: windows 7 won't install on a secure boot windows 8 system
[15:35] ali1234: hehe
[15:36] MartijnVdS: I can use fvwm or fvwm2, but fvwm95 and fvwm98 fail to compile completely, the taskbar module gives an error compiling.
[15:36] it will install if you whitelist it or turn off secure boot however
[15:36] Was it Microsoft who came up with secure boot?
[15:36] yes
[15:36] I hate them even more now
[15:36] and it is microsoft who decides which software is allowed to run
[15:37] The BIOS is confusing
[15:37] in the default configuration that is
[15:37] No disable options
[15:37] you don't do it in the bios
[15:37] Oh?
[15:37] they dont even have a bios
[15:37] Oh
[15:37] what does the screen you are on look like?
[15:38] I'm in the BIOS on the Security page which has an option for Secure Boot mode
[15:38] ok?
[15:38] Secure Boot Mode - Standard or Custom [15:38] When I select Custom loads of options come up [15:38] well yeah [15:38] i'm not going to attempt to tell you how to fix it [15:38] lol [15:38] instead you should return the laptop and when they ask why say "because i can't install ubuntu" [15:39] then buy a laptop that is't windows 8 [15:39] I installed ubuntu on it tho [15:39] and it didn't work [15:39] And it ran [15:39] so say "because i can't install ubuntu LTS" [15:39] Until I did proprietary drivers [15:39] This is the 3rd laptop model I've had now [15:40] like i said before, if you figure out a workaround you just encourage more of this [15:40] Bah :/ [15:40] the only thing they understand is "we lost $$$ because of secure boot" [15:40] This is annoying as hell, installed an SSD in here today as well [15:40] btw i highly recommend lenovo ultrabook with windows 7 [15:41] they come with SSD already fit and no secure boot [15:41] I spent £498 on this ultra thin laptop [15:41] How much are the lenovos? [15:41] about the same [15:42] every single page on lenovo website is 404 except for the top index [15:42] This is annoying [15:43] I hate Microsoft [15:43] And hate laptops [15:43] laptops are pretty rubbish when you think about it [15:43] True [15:43] spending loads of money on one is pointless. i mean how much do you really use it? 
[15:44] if you only use it in the same place you should have got a desktop [15:44] I'm increasingly not using three different desktops, and just use my laptop [15:45] I don't think I'll bother getting another desktop in future, really, just get a laptop and, if I particularly fancy it, a couple of docking stations [15:45] I don't understand what secure boot does [15:45] If it's not in the BIOS [15:45] the trouble with that is that a laptop that is as powerful as a desktop costs about twice as much as a desktop and a cheap laptop [15:45] It prevents unsigned binaries being booted from [15:46] kvarley: it's only "not in the bios" because it's in EFI which replaces the bios [15:46] So with secure boot on Ubuntu shouldn't run at all [15:46] it's in the same sort of place as the bios was/is [15:46] Ah [15:46] This is a headache [15:46] no, with secure boot on ubuntu 12.10 will run because it has been blessed by microsoft [15:46] ali1234: I don't remember the last time I needed more power out of my PC [15:46] It's the first layer of interface between the hardware and the software of the operating system [15:46] but uubuntu 12.04 will not [15:46] Actually, I do, it was 2004 [15:46] fedora latests will run, windows 7 will not [15:47] but in the custom menu you can allow unsigned software to run [15:47] ali1234: if you are me, all day every week day ref how often do you use a laptop [15:47] So I should technically be able to install 12.10? [15:47] kvarley: There's a good deal of explanations from at least Fedora and several kernel types about how it works and what it does [15:47] which are probably easier to follow than IRC [15:47] davmor2: is that a question? [15:48] kvarley: yes you can install 12.10. but it doesn't work because it is incredibly buggy [15:48] I don't know what to do now then [15:48] kvarley: There should be a menu option to disable running signed bootloaders [15:48] spending loads of money on one is pointless. i mean how much do you really use it? 
my reply is ali1234: if you are me, all day every week day ref how often do you use a laptop [15:48] kvarley: Although the menu is vendor specific, so there's no real standard guide [15:48] yeah, and it's not *required* [15:48] davmor2: you use a laptop as a desktop replacement? [15:49] * BigRedS does/has done [15:49] ali1234: I use 2 laptops and 4 desktops [15:49] einonm: I see: Platform Key; Key Exchange Database; Authorized Signature Database; Forbidden Signature Database. [15:49] As soon as I find my third laptop power lead I'll be sticking my docking station at work [15:49] davmor2: so you use multiple computers at the same time? [15:49] and then, now that I've worked out how to make the network work under Windows, I'll basically not use desktops [15:50] kvarley: One way is to add your own key to the DB, but there should be a disable option too. Are there any super menus / sub menus? [15:51] ali1234: yeap but my 2 main are my main desktop and my main laptop the rest are basically test boxes for different scenarios that you can't properly replicate with a vm [15:51] personally i avoid using multiple computers at the same time by using virtual machines. 
something which is painful on a laptop because: tiny screen, not enough ram, not enough cpu cores, and probably no hardware vx [15:51] or you could buy a laptop that does all that, but it would cost about 4x an equivalent desktop [15:51] I have £1k of laptop [15:51] ^ exactly [15:52] and it does what I'd use 2 desktops a laptop and a machine somewhere on the interent for [15:52] ali1234: I do on this laptop, it's an I3 3 gig of ram more than enough [15:52] lol [15:52] since I can't boot up a VM on my work PC and then take it home [15:52] no, 3 gig is not even enough to run ONE copy of ubuntu these days [15:52] perhaps if you run the 32 bit version it might be [15:52] I have 4GB RAM and I frequently run a Ubuntu and a few VMs [15:52] Unity, to boot [15:53] I think it's only got a couple of cores, too [15:53] ali1234: I'm the same as BigRedS [15:53] what do you do in those VMs btw? [15:53] i'm guessing the answer is not "open firefox" [15:53] No [15:53] they don't have UIs [15:54] einonm: These are my options http://kvarley.co.uk/tmp/secureboot.custom.menu.jpg [15:54] ali1234: I open Software Center a lot [15:54] I used to have a couple that did gui things, thinking about it. When it was a Debian machine and I wanted to confirm bugs under Ubuntus [15:55] But, no. Mostly it's for testing packages and scripts for installing/configuring things [15:55] I get that it's not enough for *you*, but I absolutely don't think it's the general case that a laptop can't work as a desktop replacement [15:55] i have a VM that i need to build a firmware image on fedora. it peaks out at about 4GB memory usage, with no UI [15:56] oh sure. a laptop can replace a desktop for most people. however most people do not hang around in this IRC channel [15:57] I'm not even going to begin to guess at this demographic, it keeps surprising me [15:57] I haven't had a desktop since 2004 [15:57] kvarley: Hmm, ok. What options are there for the 'Default Key Provisioning' option? 
[15:57] kvarley: "delete the PK" is the option you need [15:58] but if you do this and mess up the computer it isn't my fault, ok? [15:58] einonm: "Enabled" or "Disabled" [15:58] ali1234: I will get the key to file first :) [15:58] deleting the PK will disable secure boot entirely [15:58] kvarley: DON'T delete any keys at this point [15:58] einonm: Ok [15:58] you will at least need to back it up first [15:58] w/e. deleting the PK is the way you disable secure boot according to the spec [15:59] what you can also do is go to "authorized signature database" and "append signature to DB" and then add the signature of ubuntu 12.04 [15:59] and then it will be allowed to run even though it isn't signed [15:59] Where do I get that signature? [15:59] this is called whitelisting [16:00] well that's a good question [16:00] it might be able to calculate it for you [16:00] Is it not easier to get the PK from file [16:00] Save it to an SD card [16:00] Then delete the PK altogether [16:00] see that option "install default secure boot keys" [16:00] A signature is a hash of an image encrypted by a key [16:00] can you guess what that does? [16:01] ali1234: Oh, Microsoft's way of staying on your pc? [16:01] so you'll need to have the private and public parts of any key in order to create a signature [16:01] false [16:02] ali1234: Wipes all keys? [16:02] kvarley: no, it puts back the microsoft key [16:02] That's what I meant by microsoft's way of staying on your pc ;) [16:02] einonm: you don't need key pairs to whitelist a binary because it only checks the hash of the binary [16:03] if you had a key pair you could just enroll it as a KEK instead, and the authorized signature database would not be needed [16:03] ali1234: I have got the PK file on my SD and now it's being backed up [16:03] So am I *theoretically* safe to delete the PK file?
[16:03] incidentally all of this is documented quite well in the UEFI spec, which is publicly available if you just enter any fake email address [16:04] http://www.uefi.org/specs/ [16:04] you can also play around with it in qemu by following the guides on my website [16:04] Ok, thanks [16:04] http://al.robotfuzz.com/playing-with-uefi-secure-boot-part-1-ovmf/ [16:05] secure boot is only a tiny part of the UEFI spec [16:05] * BigRedS notes that down [16:05] All my exposure to UEFI so far has been mjg ranting about it [16:05] yeah well his ranting inspired me to find out for myself [16:05] not just him [16:05] But basically if I delete the Platform Key file I should be able to boot anything? [16:06] ah, it put me off ever going anywhere near it :) [16:06] basically nobody seemed to really know what they were talking about [16:06] kvarley: yes [16:06] kvarley: if you boot a windows setup disk it will probably lock down the machine again [16:07] ali1234: Do I also need to delete the Key Exchange DB, Authorized Sig DB and Forbidden Sig DB? [16:07] no [16:07] Ok [16:07] ali1234: How do you know deleting the PK will disable secure boot? [16:07] I have no windows 8 disc to boot anyway [16:07] einonm: because the spec says it will [16:07] it doesn't actually disable it, it puts it into setup mode [16:07] that's effectively the same thing though [16:07] In my experience, there is both a hardware switch and a key required for secure boot. [16:08] Ah, ok. That makes more sense [16:08] in setup mode anything can run, anything can enroll keys, etc [16:08] A bit crap though, as physical access to the machine means that you can always circumvent it [16:08] I didn't think it was possible but I actually hate Microsoft even more. 
They're killing one of the good things about PCs [16:08] yes, that's a requirement of UEFI [16:08] for windows 8 logo certification on x86 secure boot MUST be able to be circumvented if you have physical access [16:09] UEFI spec says that if secure boot may be circumvented the user must prove they have physical access ie by pressing a key on the physical keyboard... doesn't need to be a key switch. just the action of using the menus is enough. [16:10] That sounds like it could be easily hacked in software [16:10] however the spec doesn't define if it should be possible to disable it or not [16:10] not really [16:10] the whole point of UEFI is to prevent any unsigned software running [16:10] Surprised Microsoft just didn't lock it down totally [16:10] for ARM they have done. the logo requirements there require that secure boot cannot be disabled at all [16:10] In theory I can see why they thought it was good [16:10] It's not really their spec to do that, is it? [16:10] whose spec? [16:10] MS's [16:10] no [16:11] however logo certification for windows 8 is [16:11] I suppose the Windows logo is, but none of UEFI is [16:11] well MS did design large parts of UEFI [16:11] like the signature format [16:11] is MS authenticode [16:11] and UEFI executables are windows PE [16:12] on MAC UEFI the executables can also be mac binaries but nothing supports that but macs [16:12] and it's not in the spec [16:16] so are MS only allowing signed apps to run nowadays as well? [16:17] einonm: not apps. just drivers and anything that can run in kernel mode [16:17] kvarley: i think "default key provisioning" might be useful to you. i found a manual for your bios but it's in chinese [16:17] What does that do? [16:17] that works provided that there's no security holes in your kernel. Which I doubt is true [16:19] kvarley: trying to find out.
i *think* it might automatically add the hash of unsigned exes to the authorized database, thus allowing you to install any OS you want without disabling secure boot [16:21] kvarley: "This item enables or disables you to force OEM default secure boot keys if system is in setup mode." [16:21] that's not what you want at all :( [16:23] kvarley: so where are you up to? [16:31] It looks like the 'custom' secure boot mode allows you to add your own key to the KEK...which then allows you to add a signature to the DB (a hash of an executable signed by your key) [16:31] That's well tricky for your average user. [16:32] anyone know about the online accounts tool? [16:32] i've seen it. i have no idea what it does [16:33] though i think it is somehow related to webapps [16:33] well not entirely, but it does the oauth stuff with twitter/google/etc then desktop things can use that (like gwibber/empathy etc) [16:34] but they all seem to be consumer identity providors [16:35] einonm: not quite. the PK controls access to the KEK. any exe signed by a key in the KEK will run. the DB and DBX are whitelist/blacklist with exceptions/overrides and the physical user can edit them at any time. person who already has a key in KEK can edit the DB/DBX without physical presence, but if they've got a key in KEK already then they only really need this power to blacklist known bad exes that they've previously signed (ie revoke signatures) [16:36] einonm: or in other words, updates to the KEK must be signed by PK. 
updates to DB/DBX must be signed by KEK or PK, and exes must be signed by KEK or PK BUT if the user is physically present they can override all that on win8 certified x86 machines [16:36] ali1234: I read it as the custom mode disables the check of keys in the KEK - which I assume are signed by the PK [16:37] einonm: no, that's not right [16:37] custom mode doesn't do anything except let the user override everything iff they are physically present [16:37] * AlanBell likes the word iff [16:37] whether secure boot is applied or not is controlled by the presence or not of a PK [16:38] yes it was not a typo :) [16:38] so what does custom mode entail? [16:38] nothing [16:38] it's just a menu where you can enroll your own keys [16:39] basically selecting the "custom mode" menu item is a way that the user proves they are physically present [16:39] then they can do whatever they want [16:41] That sounds suspect, as it looks like you can edit the DB and KEKs without removing the PK [16:41] you can if you are physically present [16:41] custom mode appears to disable the KEK hash checking using the PK, without removing the PK [16:42] yes [16:42] yes, it does [16:42] in fact that hash check does not exist [16:42] the KEK must be signed by the PK in order for it to be enrolled automatically by software updates [16:42] ie not physically present user [16:42] however, once the KEK is enrolled the hash is not checked [16:43] so if physical user manually enrolls their own KEK using custom mode, they can then exit custom mode and the KEK will still work [16:44] that's quite bad, and leaves the KEK DB open to abuse if so [16:44] but again this only applies to physically present users, who can override everything anyway, including removing or replacing the PK any time they want [16:44] it's open to abuse by physically present users [16:44] if you can call that abuse [16:44] ali1234: I'm now booting from USB - Ubuntu 12.04 [16:45] ali1234: No gui shown, just command prompt [16:45]
ali1234: A shell with ubuntu@ubuntu [16:45] kvarley: yeah sounds like it's working [16:45] lol [16:45] no idea why it's dumped you at a shell [16:45] I did live mode [16:45] I'll try install [16:46] you need to check for specific instructions for UEFI installs [16:46] there is a chance that if the KEK is stored open and unhashed, it can be accessed remotely. Only a keyladder with root at the PK would be secure [16:46] like there's a special ISO for UEFI i think [16:46] einonm: reading from the KEK is not a problem it only contains public keys, as with the PK [16:47] since the KEK and the PK are stored in the same keystore, a chain of trust doesn't even help you, since if they can change the KEK they can change the PK [16:47] ali1234: doing install instead of live got me a gui [16:47] ...but if you can put any public key, bare, in the KEK, you've won. [16:47] einonm: yes. that is true [16:48] the PK would be stored in on-chip storage, and never accessed directly once in [16:48] einonm: in order to do that you would have to break UEFI platform security [16:48] ..but it's an attack vector that you don't need to have [16:48] the PK and the KEK are stored exactly the same way, and accessed at the same times (since either can be used to sign executables) [16:49] literally anything that applies to one applies to the other [16:49] also, how are you proposing to hack the keystore when the computer won't let you run any unsigned code in kernel mode? [16:49] I doubt that. There is a reason why there is only one PK, and that's because it's the root key and should only be used once. Generally, its value is never seen outside of the chip [16:50] the reason there is only one PK is because you only need one PK [16:50] ??
[16:51] the PK is a public key [16:51] its value is known everywhere [16:51] knowing the value gets you absolutely nothing [16:51] That's not the way MIPS or ARM chips work, AFAIK [16:51] MIPS and ARM chips do not use UEFI [16:52] no, but they do secure boot - and the theory is the same [16:52] they are not implemented the same way [16:52] but this is irrelevant [16:53] the spec makes all this very clear [16:53] the only things you put into the secure boot keystore are public keys and signatures [16:53] yes - with the signatures signed by the root key [16:54] yes, the root key which is stored in an extremely secure environment at microsoft [16:54] and absolutely does not go anywhere near your computer [16:54] ali1234: Ubuntu 12.04.1 installed. Landed me at a shell. [16:54] the root private key, sure. The root public key is this PK [16:54] yes [16:54] and the public key is public [16:55] in detail it works like this [16:55] "16:50 < ali1234> the reason there is only one PK is because you only need one PK" - the reason is because Microsoft only need one PK [16:55] that's also not true [16:55] microsoft only needs one KEK [16:55] anyway this is the way it works [16:56] UEFI has an API just like how the BIOS has an API [16:56] operating systems can access it [16:56] when an operating system wants to change what is in the KEK database it must use this API [16:56] any calls to this API must be signed by the PK private key or the UEFI will reject it [16:56] thus, only the holder of the PK may update the KEK remotely [16:57] if you want to modify the DB or DBX then your API calls can be signed by PK private key, or KEK private key [16:57] however, if the user can go into the custom menu they can do whatever they want, by design [16:58] none of this compromises the security of the device unless you are worried about physical theft etc [16:58] it's also worth noting that if the keystore is compromised this will compromise ANY system which uses code signing [16:58] where
compromise = someone puts something in it that shouldnt be [16:59] reading the keystore is not a problem as it's all public keys [16:59] the whole thing actually works exactly the same way as SSL websites [16:59] your computer throws up an error if it does not recognise the certificate [17:00] (of the website) [17:00] if an attack could put the website certificate into your keystore then their attack site would not display that warning [17:00] but if they can do that you've already lost anyway [17:01] attacker can also compromise the certificate authority who holds the private key [17:02] so as i said, the UEFI has an API for accessing the databases, and the spec is quite clear that the DB must be stored in a secure manner. it's not just stored on the hard drive or anything like that [17:03] ali1234: there is a secret key in the chip as well, I guess that they don't need to tell you about this. That's the root key I was assuming that PK is. Makes more sense. [17:03] secret key in what chip? [17:03] any chip that needs to create a secure keychain. [17:03] not at all [17:04] that is absolutely not how public key cryptography works [17:04] there may be secret keys involved with the security of the keystore but that is not defined by the spec [17:05] there are crypto devices that have an on-chip key, but they are for signing things, not reading signatures [17:05] yes, private key smart card [17:05] those are the things that microsoft keeps in a locked safe in redmond [17:06] So how does the chip verify that the PK is correct? Are you assuming that in a particular place in flash mem, whatever number is there is the PK? [17:06] what do you mean? [17:06] "correct" [17:06] so how messed up is the world if Microsoft forget where they put the keys? 
[17:07] the hardware doesn't verify that PK is correct [17:07] it does not verify PK at all in fact [17:07] that's why the only way to change it is by a physically present user [17:08] it's the root of the chain of trust [17:08] in fact that's why you have to delete it to disable secure boot [17:08] Hello, I've got a LaCie disk that is FAT fomratted that I know works with a mac. I'd like to use it with my ubuntu laptop (running GNOME 3), but when I plug it in, it doesn't mount and fdisk -l doesn't list it. Any ideas what I should do? [17:08] because it is only possible to load a PK if there is not aready a PK loaded [17:09] and only a physical present user can delete the PK [17:09] celesteh: how does it plug in? [17:09] and yeah it is stored in a piece of flash somewhere, but the CPU can't access it. only the UEFI bios chip can access it. the CPU must use UEFI API [17:09] USB. I know the USB connection works, since I mounted it that way on a mac [17:10] and obviously that does not have "read PK" function [17:10] i mean "write PK" [17:10] celesteh: is there anything odd about LaCie disks or is it a regular USB hard drive? [17:10] celesteh: lsusb might show something interesting [17:10] celesteh: also dmesg should show it being added [17:10] AlanBell lsusb does show it. I thought they were normal, but rugged hard drives. I have a different one and it works fine. [17:11] AlanBell when I unplug it, it doesn't seem to get unlisted from lsusb [17:11] ali1234: Blimey. Not very secure then, is it? 
I assume the ARM version is different [17:12] einonm: it depends on your definition of "secure" [17:12] if your definition is "the owner of the device cannot ever modify anything in the keystore" then you need to buy windows 8 ARM to get that [17:13] don't be silly [17:13] Windows 8 ARM doesn't exist [17:13] it lives under the less confusing name: Windows RT [17:13] celesteh: have a look at bug 875523 [17:13] Launchpad bug 875523 in linux (Ubuntu) "LaCie usb storage doesn't mount" [Undecided,Fix released] https://launchpad.net/bugs/875523 [17:14] einonm: i'd be interested to hear how you think you will break UEFI secure boot on x86 without being physically present at the machine [17:15] how does it define physically present? [17:16] ali1234: Knowing that physical presence is all that's needed, I'd probably work on sorting that out without resorting to hacking the thing. [17:16] the user has to press a physical buttn on the device [17:16] alanbell: thanks! I don't suppose there's a work around? I got this disk in order to backup my linux machine so I could go to the new LTS! [17:16] oh, I guess "able to type at the keyboard prior to any peripherals being turned on" [17:16] einonm: so in order to install some malware on user's machines, you are going to break into all the users houses and install it [17:16] celesteh: well apart from upgrading . . . [17:16] AlanBell: yes exactly [17:17] AlanBell: a physical sliding switch like chromebooks have is another possibility [17:17] AlanBell: haha, I got this to enable the upgrade. lol. alas. [17:18] I think you will have to be brave then celesteh :) [17:19] I'm used to secure boot being a bit more...secure. On some systems, breaking into one is all you need to do. TV STB's for example - once you have the content or content encryption keys, you're free to broadcast on the internet and make lots of money. So physical access should not be a barrier to security. [17:19] AlanBell: thanks for your help. I could not figure this out! 
[17:20] einonm: remember that UEFI spec does not specify whether physical user is allowed to override. MS win8 certification for x86 does [17:20] einonm: those are decryption keys, not encryption keys [17:21] MS win8 certification for ARM says exactly the opposite, physical user must NOT be allowed to override [17:21] AlanBell: yes, your point being...? If you have them from compromising a STB, you can broadcast them and allow everyone to decrypt [17:21] and then you have your stb style locked down system [17:22] ali1234: my assumption was that x86 secure boot was as good. Obviously not. [17:22] so keys come in two halves, and can be used for encrypting, decrypting, signing and verifying signatures [17:22] you mean x86 windows 8 [17:22] and you need the right end of the key for the operation you are trying to perform [17:22] if the device isn't sold with windows 8 you can do whatever you want [17:23] including burning the PK in a mask ROM [17:23] AlanBell: only if it's asymmetric encryption [17:23] on secure boot the thing you are trying to do is verify signatures. The secret bit is in Microsoft, the public bit is everywhere and not a secret. [17:23] yeah, this is assuming public/private keys mostly [17:23] the bootloaders that run on UEFI are not even encrypted [17:24] so for broadcast it gets encrypted with a key and the decryption key is widely distributed but is still kept secret by hardware so that other people can't decrypt stuff with it [17:24] the goal of secure boot is not to hide anything.
it's not to protect content with DRM [17:24] AlanBell: no sure, but an extra step that can be taken is to store a hash of your public key in the chip, and not allow boot unless presented by the right trusted PK [17:24] the goal is to allow the hardware to verify that the software is trustworthy [17:24] that would be tivoish, yes [17:25] einonm: you just described exactly what secure boot does [17:25] "hash of your public key" this makes no sense [17:26] but except for that, the rest is right [17:27] I know what you mean einonm, you are expecting the PK to be burned into the silicon [17:27] storing a hash of the public key doesn't add any security unless it is signed by another key [17:27] then that other key needs to be hashed and signed by another key [17:27] it just doesn't need to be burned in to perform the task of signature verification [17:27] and then it's just signatures all the way down [17:28] pfft..yes, anyway. Put at least the root key in the chip and everything goes from there [17:29] the root key is what the PK is [17:29] we are going in circles [17:29] that would explain the dizziness [17:33] I think the only difference to systems I've been used to is that the PK isn't in OTP flash, and can be removed. [17:34] which is then an obvious way to try and attack the system [17:35] http://ubingo.libertus.co.uk/cam/pad.html pumpkin \o/ [17:49] Someone's coming in the door Alan ! [17:50] bootlkjgf: yes, they are :) [17:50] there will be more turning up soon [17:51] Nice pumpkin anyway ! [17:52] einonm: nothing in UEFI spec says the PK cannot be in OTP [17:52] AlanBell: does the light stay light or only when the camera is being viewed? [17:52] * AlanBell files Bug #1074440 [17:52] Launchpad bug 1074440 in quickly-lens-templates (Ubuntu) "does not support the privacy preference for no online results " [Undecided,New] https://launchpad.net/bugs/1074440 [17:52] davmor2: what light? [17:53] AlanBell: did the camera not have a light on it?
[17:53] it is infra red, and yes, they are on all the time in the dark [17:53] and they draw about 1w [17:53] so it is 3w during the day and 4w at night (measured at the plug) [17:53] AlanBell: nice [17:54] There's no way that car going past was doing 30 m.p.h. ! [17:54] ali1234: ok...but if it were, and you can't change the PK, would you be able to add any new exe signatures without the PK private key? [17:55] * bootlkjgf wonders why there is no 'donate' button on the webcam page ? [17:55] einonm: http://mjg59.dreamwidth.org/ lots of info about secure boot [17:56] bootlkjgf: well because it is just my page for looking at my front door, nothing of interest there really [17:57] bootlkjgf: http://ubingo.libertus.co.uk/cam/ you can get your own camera using that amazon affiliate code if you want [17:57] 'my page' ... I've just bookmarked it, sorry. [17:57] will do [17:57] oh, look more people loitering [17:57] AlanBell: Thanks...I have scanned through that before. I think that talks about the bit of code that's booted once the sigs have all checkout out OK [17:58] knock knock [17:59] oh dear, looks like a sony phone (dunno) // definately not andriod afaik [17:59] zachary left the gate open [18:00] Must get *bill* to shut it for you ;) [18:02] That tree looks like the gnewsense tree .. you must put it on your google plus image page ! [18:02] AlanBell: You mean you haven't fitted the retractable arm to it yet [18:04] einonm: that is also not defined in the spec. on a windows 8 ARM certified machine the answer is no. [18:04] AlanBell, That dustybin looks full near the gate .. Do you get billed by the weight where you live, then ? [18:05] no, we have a regular bin, a full size one for recylable stuff and a small green bin for food waste [18:05] oh ok [18:06] and yeah, it is a pretty cool tree, it is a japanese maple with red leaves [18:07] so, given that I have this camera, which can pan/tilt and take videos and snapshots, what interesting things should I do with it? 
[18:08] v. cool BTW I tried to save an image of it on chrome ... and it wants to save in a .cgi file .. can i use ?program to view it ? [18:09] ali1234: So if PK is used to add new KEK keys only, and this mechanism can only be disabled by removing PK, we can't add any new KEK keys? Or does setting custom mode also crap over those checks? [18:09] einonm: you;ve missed the point. the custom menu is not required to be present [18:10] http://ubingo.libertus.co.uk:9090/snapshot.cgi is a single image (it is a jpeg) [18:10] interesting things to-do list ... No. 1 Where are the penguins ? Tell a story about their adventures . [18:10] the the video stream is mjpeg [18:10] the reason there have the database with different types of keys is for software like "ubuntu installer" [18:11] the idea is if the machine is in setup mode then the ubuntu installer enrolls the PK and the KEK (possibly locking the machine to only run ubuntu forever more, but that's implementation specific) [18:11] AlanBell, Can you do the same one of the tree in the day time and email me ? [18:11] the ubuntu installer being a normal piece of software like it is currently [18:11] it accesses UEFI through a hardware API [18:11] E: 3rdwiki@gmail.com [18:11] like ACPI, or BIOS etc [18:11] or UPNP or any of those [18:11] bootlkjgf: sure :) [18:12] the key checks apply when software is manipulating the key database [18:12] the custom menu trumps everything because it runs at a lower level [18:12] but nothing says that custom menu even has to exist [18:12] ali1234: Ok, but there is a signed hash of the installer/shim/exe that's signed using a key in the KEK? 
if it does not exist and there is no way to delete the PK, then your machine is locked down in the way you're used to [18:13] einonm: yes and that signed hash is appended to the exe [18:13] it's signed using the private half of the KEK (which user does not have) and then verified using the public half (which is stored in the UEFI keystore on user's machine) [18:14] the signature, if not appended to the exe, can also be stored in the DB [18:14] the signature can also be put into the DBX to ban that exe from running even though it's signed [18:14] all this can be done from the operating system, provided all the API requests are signed with the PK or the KEK private half, as appropriate [18:15] again, the custom menu overrides everything [18:15] so Microsoft has a remote kill switch for ubuntu (if you dual boot) [18:15] yeah pretty much [18:15] they have a remote killswitch for everything [18:15] lovely [18:15] ali1234: so if the PK is in OTP, and you don't have the private part of the PK, you can't add any KEK and therefore add any valid sigs in the DB...so no booting your exe's [18:16] einonm: as long as the UEFI menu system does not have that "custom" menu, which all windows 8 x86 machines are required to have in some form [18:16] but then, windows 8 x86 machines aren't allowed to have PK in OTP either [18:16] but the point is this is defined by microsoft, not UEFI spec [18:17] and even the way it's set up for x86 still provides useful security if you self sign everything [18:17] ali1234: ok. But I'm confused now. I'm sure you said there's nothing in the spec about OTP PK's [18:17] einonm: there isn't [18:17] there's the UEFI spec, and there's the microsoft windows 8 certification program for x86 laptops. these are two entirely different documents [18:17] ali1234: contradicts "ali1234: but then, windows 8 x86 machines aren't allowed to have PK in OTP either"? [18:18] AlanBell, Oh Wait .. I've got it ::: Where are the Wombles ????????
[18:18] ;)
[18:18] in order to achieve windows 8 logo certification, a x86 laptop must: 1. follow all of the UEFI spec. 2. allow the PK to be cleared by a physically present user
[18:19] ah, right.
[18:19] and a bunch of other conditions
[18:19] for windows 8 ARM hardware it is exactly the opposite
[18:19] it must 1. follow UEFI spec, 2. NOT allow user to clear the PK
[18:20] that would do it. How to make a machine completely useless.
[18:20] yeah, the ARM windows machines come pre-bricked
[18:21] the point is UEFI isn't particularly bad
[18:21] And you got to pay for the privilege :)
[18:21] it's all about the implementation
[18:22] the multi-signature issues are a bit bad but that could be fixed and can definitely be worked around in a way that satisfies everyone
[18:23] in particular the claim that everyone needs the MS key is not true on compliant x86 hardware
[18:24] it's possible to self sign everything
[18:24] it's a lot of work but if you need that kind of security it's not going to be a big problem for you
[18:24] ali1234: would that mean you can't use graphics cards that are signed or something?
[18:25] No, the only problem seems to be with those who want to run another OS on it.
[18:25] no, that's precisely not the problem
[18:25] some claim that you need the other OS signed by microsoft, or turn off security altogether. neither is true
[18:25] the third option of self signing everything with your own PK pair is entirely possible, but a lot of work
[18:26] you have to self sign not just the OS software but also your video card bios etc (what AlanBell was talking about) but even these things are possible using the DB
[18:27] I disagree. It is a problem if you don't understand computers, and just want to run another OS - having taken that particular decision.
[18:27] you don't need this level of security unless you are the IT architect for a large banking institution or something
[18:28] if you are that, and you "don't understand computers" then you have bigger problems
[18:28] if you just want to run another OS you can run ubuntu signed by microsoft or turn off UEFI entirely
[18:29] the point is that some people claimed these things would be impossible. but they are not. they are just hard. like all security. it is a tradeoff between security and convenience
[18:29] i have a digital recorder that records sound in wma how to convert or transcode to one of the following formats .mp3, .aiff, .wav, .flac, .aac, or .ogg files?
[18:29] dubac0: first step is to PLAY it on ubuntu. i suggest mplayer for that
[18:29] i can play it
[18:29] in what software?
[18:30] dubac0: I would import it to audacity, chop it to length and export it from there
[18:30] vlc
[18:30] do you need a batch solution for multiple files or a simple GUI for just a couple of files?
[18:30] The scenario I'm talking about is the one where I give a Linux USB stick and tell someone to just try it. That's not possible anymore. People with 'problems' should be able to use Linux too
[18:31] einonm: it's fine if you give them a ubuntu 12.10 stick it will work. or fedora. or opensuse
[18:31] just one
[18:31] AlanBell, tack
[18:32] i'm doing a language course and so this is important (need feed back on my alfabet
[18:33] yeah try audacity i guess
[18:34] according to forums VLC has a menu option to "convert/save as"
[18:36] AlanBell, http://soundcloud.com/sara-griffin-1/alphabetet-20121102 this can be seen by you?
[18:37] yup
[18:38] dubac0: you can use dir2ogg if you want ogg vorbis file which in turn uses vlc backend
[18:38] why hello st pancras
[18:39] AlanBell, thanks
[18:41] it's Bond time!
[19:35] interesting. so the indicator-datetime only shows in unity by design, and the limitation is set in the .desktop. and all those people who swore it worked for them earlier today were just confused.
[19:40] http://people.ubuntu.com/~alanbell/screenshots/indicatorclassic.png
[19:41] what does that prove?
[19:41] click on time & date settings, notice that it doesn't work the way it does in unity...
[19:42] takes you to the overall settings page, and if you go to time and date you don't get the controls for the indicator
[19:42] exactly
[19:43] but if you turn on the calendar when in a unity session it shows up in a classic session
[19:43] in the indicator itself
[19:43] yes, if you load up unity, run the settings panel, log out, log in to classic, the settings are preserved
[19:44] you can also force the right settings panel by doing XDG_CURRENT_DESKTOP=Unity gnome-control-center
[19:44] then you get Time & Date instead of Date and Time
[19:45] so you do
[19:45] so is this a gnome problem?
[19:45] no
[19:45] well, yes
[19:46] as in a gnome saying "no we won't accept your code"
[19:46] no
[19:46] in as much as it's a problem of canonical doing exactly the same thing
[19:46] it looks more likely to be a political problem than a technical one
[19:46] the problem is that nobody wants to see two time and date icons in the control panel
[19:47] indeed, or two online account settings things
[19:47] gnome shell uses Date and Time, Unity uses Time & Date, so they just hide the other one respectively
[19:47] gnome panel, being the best desktop evar, lets you choose
[19:47] or two desktop shells
[19:47] but the .desktop way of hiding one or the other fails here
[19:47] since it doesn't know which one you've put on your panel (indeed you could have both)
[19:47] gah
[19:48] and they don't match in functionality
[19:48] indeed
[19:48] or store the settings in the same place
[19:48] so basically i blame gnome shell and unity
[19:48] yup, me too
[19:48] then copy the .desktops into ~/.local/ and remove the stupid hacks, and have two icons
[19:49] canonical announce they are doing something, gnome go off and develop the same thing but different and broken in different ways and we end up with two nearly OK results
[19:49] the indicators are clearly better than the applets
[19:49] of that there is no question
[19:52] having two applets isn't the problem though
[19:52] the problem is the way they are hidden
[19:52] and that gnome shell and gnome classic both have the same name
[19:53] yeah, so that should turn up in unity and gnome classic with indicators
[19:53] but not gnome-shell because of NIH
[19:53] "gnome classic with indicators" isn't a thing though
[19:53] by default it has indicators but you can put the old applet back too
[19:54] yup
[20:04] turns out gnome-control-center doesn't respect overridden .desktop in .local so i have to edit the one in /usr
[20:06] i'd just like to mention at this point that this is why people switch to entirely different distro rather than just install a different desktop from the repositories
[20:07] this is a classic example where fixing a bug in one desktop will break something in another one
[20:07] obviously on ubuntu unity is going to win that fight
[20:08] so if i want to use the other desktop it's never going to work right for me unless i go to another distro
=== nothingspecial is now known as angela-android
=== angela-android is now known as nothingspecial
[20:45] evening all
[21:40] diplo: where's docus?
[21:40] :)
[22:05] woo, chromebook is here! :)
[22:10] myself, i am somewhat sceptical, about a system, like chromiumos, which will basically only run cloud apps inside chrome, and basically, no real true client side apps. however the chromebook and chromiumos is not designed for that normal market, which doesn't require what i just described. so it would be somewhat pointless.
[22:10] don't say cloud apps
[22:10] say websites
[22:10] that's what they are
[22:10] don't play their game
[22:10] ali1234: fair point. yes.
[22:11] the chromebook is a nice hardware though
[22:11] just put ubuntu on it
[22:11] quite, yes.
[22:12] there is a large market for a laptop that just does email websites chat and so on
[22:13] yo dawg, I heard you liked writing cloud code so we put a code editor in the cloud so you can code while you cloud http://www.eclipse.org/orion/
[22:13] it won't cut into windows market share but it will apple
[22:13] ali1234: it always reminds me, after i first tried an ipad , many years ago, and thought, hmm, this would be so much better, with a more capable OS.
[22:13] well yeah
[22:14] AlanBell: it's not even the first one. github has a cloud IDE
[22:14] and it's probably better than anything made by eclipse foundation
[22:14] ali1234: true enough
[22:14] https://c9.io/
[22:14] but this one can run locally and point at various back ends
[22:14] well so can one that uses git
[22:15] you can also edit your code in any other IDE you like
[22:16] IDEs suck anyway
[22:16] yeah, I never really got into eclipse, I use text editors
[22:17] I do like geany, but I use it as a decent text editor rather than the full IDE stuff
[22:17] although, i would be happier if android did c++, instead of java. java makes little sense to me, whereas c++, makes perfect sense.
[22:17] geany is good, yes.
[22:17] android NDK?
[22:18] c++ makes more sense than java?
[22:18] ali1234: to me, yes.
[22:19] which part?
[22:19] seriously.
[22:19] i guess the build system is nicer for C++
[22:19] you can continue to use makefiles
[22:19] ali1234: i read java, and feel clueless, it seems illogical. whereas c++ seems logical and makes more logical sense.
[22:20] they read almost exactly the same
[22:20] there are languages with semicolons at the end of the line and languages without.
[22:20] true
[22:20] ali1234: well, they don't to me. in all reason.
[22:20] other than that, they are all much of a muchness
[22:20] i thought c++ was in now
[22:20] perhaps i missed a memo :(
[22:21] oh except pointer arithmetic. That should die in a fire.
[22:21] all the semicolon languages descend from BCPL
[22:21] jacobw: the cool kids are using vala
[22:21] cool, they reinvented objective c 10 years too late :p
[22:21] python ftw
[22:22] or not since BCPL doesn't have semicolons
[22:22] so i guess C started that one
[22:22] ohwell, my perception is inaccurate then.
[22:23] maybe you are confusing C++ with C
[22:23] maybe people do
[22:23] ali1234: i have used both, yes,
[22:23] a lot of people write basically C with classes
[22:23] because it's a lesser evil
[22:23] real C++ is much harder to read than real java
[22:23] (a lot of people write C with classes in java too)
[22:24] ali1234: my first, was with c, doing basic electrical controls. when i went to college,
[22:25] ali1234: it was maybe, the arduino's combination of both, which has confused my mind a bit.
[22:25] or blurred it.
[22:26] arduino C++ is just... wrong
[22:26] it's not C++ at all. it's not even C with classes
[22:27] C++ standard lib would melt an AVR
[22:27] did you look at the due stuff?
[22:27] is it any different at all?
[22:28] i haven't looked at that yet,
[22:28] that's arm, instead of avr.
[22:29] doesn't matter if you're going to use C or higher level languages
[22:29] agreed.
[22:29] i like the simplicity of the AVR
[22:29] i never looked at it that closely.
[22:30] it's possible to understand how every part of it works at the logic level
[22:30] everything is documented
[22:30] :)
[22:30] good design there, yes.
[22:30] you could take the docs and build a functionally equivalent design. in fact it has been done.
[22:31] many times, yes.
[22:31] it's a good platform for learning assembly language too, because the instruction set is so simple
[22:32] i haven't touched assembly, since college. 12 years.
[22:53] I completely forgot this channel even existed :P