[01:48] blackflow: I'm okay with trusting the software, but it sucks I also have to trust my ISP, anyone else on my wlan and my DNS server.
[01:49] VPN's?
[01:49] use mirrors?
[01:49] unclefoo: and your motherboard with that IME chip
[01:50] it runs a full Minix installation, y'know.
[01:50] We'll have to deal with Intel later, RISC-V maybe.
[01:51] but indeed, this ubuntu key verification is a bit..... insufficient. it basically assumes you once obtained the key, trusted it, nothing bad happened, and now you have it for future verification.
[01:51] leftyfb: Then I've got to trust the VPN runner.
[01:51] Shipping the key with the installation is sensible, but it doesn't help me get the key if I'm not running Ubuntu.
[01:51] unclefoo: then turn off your computer and go find a nice big rock to live under
[01:52] but one could argue that whatever method you chose, unless you walked over to canonical offices yourself and got the key on read-only cdrom or something, any method is subject to chicken and the egg problem in setting up a trust chain.
[01:52] Well, for now I'm definitely going to be trusting the CA people.
[01:52] I use them for all of my online services.
[01:52] So I'd prefer that Ubuntu just piggybacked on that?
[01:53] There's no reason to do something worse.
[01:53] blackflow: The Canonical office in the U.S. would just get them from the mirror ;)
[01:55] Some of the mirrors use TLS, ie https://mirror.hmc.edu/ubuntu-releases/
[01:56] oh, shi- it's 4am.... I have to scram.
[01:57] leftyfb: So you just navigate to the HTTP site, download the ISO then install it.
[01:58] keep in mind that all Ubuntu packages are signed, and installation will abort if the package signature does not match
[01:58] unclefoo: crazy right?
[01:58] hggdh: but the lizard people!
[01:59] hggdh: unless your ubuntu is trojaned, which is the whole point, trusting that initial installation because ISOs are obtained over http and checksums too.
[01:59] leftyfb: but the children! Who will protect the children?
[01:59] Elon Musk!
[02:00] if the signing key has been compromised, there is not much that can be done. Trojaning the repository is secondary
[02:00] hggdh: I don't understand what you mean. You're talking about the collections of packages that ship with the ISO?
[02:01] if the *sources* are compromised... then there will be a good signature, and there is nothing HTTPS will do to solve it
[02:02] unclefoo: the ISO carries also the public keys, so there is a chance of compromising it, yes. It will always boil down to one critical path, somewhere
[02:03] So, I understand that we're fucked if the Ubuntu devs all get compromised, or their release boxes do or anything like that.
[02:03] turn off computer, find large rock to live under. That's the only solution
[02:03] I just want to verify the ISO I install is the one signed by some dev.
[02:03] aye
[02:03] unclefoo: then use the md5 available on the site
[02:03] you have a series of hashes to compare with
[02:04] But the md5 comes over HTTP
[02:04] hggdh: no, see the problem here is that the official Ubuntu documentation on verifying the checksums is by using gpkg hpk to download the key, which is NOT over TLS or verified with another key first.
[02:04] So the attacker just going to change that too.
[02:04] * leftyfb sigh
[02:04] the problem is that Ubuntu doesn't display prominently on, say, ubuntu.com, over https, what the signature of that key is. that per se would be "good enough".
[02:04] oh, so we are also talking about DNS poisoning?
[02:05] and how HTTPS solves it?
[02:05] Right, if Ubuntu announced "THESE ARE THE RELEASE PUBLIC KEYS", I would be kind of happy.
[02:05] like gentoo does it: https://www.gentoo.org/downloads/signatures/
[02:05] please do not get me wrong. HTTPS *is* important
[02:05] hggdh: https at least offers _some_ protection against threat actors who don't have the resources to corrupt a CA and mitm you.
[02:05] Right.
[02:05] any skiddie with a wifi sniffer can MITM your http connection
[02:05] Like someone who knows my wifi password.
[02:05] exactly
[02:06] blackflow: and I hijacked your DNS, which now serves *my* gentoo page...
[02:06] Doesn't matter because you don't have the cert.
[02:06] well the corresponding private key at least.
[02:06] hggdh: AND you also have a valid cert on that?
[02:06] Unless you use your DNS poisoning to attack the CA domain validation.
[02:06] unclefoo: but I have also created my own keys. AND I have re-packaged everything
[02:06] But my user agent will refuse the connection.
[02:07] Because it can't verify the cert chain.
[02:07] right. and with HSTS it will even refuse temporary override on bad cert.
[02:07] also, keep in mind that cert validation is done by the root, not by the user cert
[02:07] blackflow: That would require the "kiddie" created their own custom malicious ubuntu iso and serving it up to you .... you are targeted. At that point, you've got bigger problems to deal with
[02:08] I created, once, this very attack. I had all certs in the root chain "redone". Validation was perfect
[02:08] the point is, users have no way to verify those keys with "reasonable level of trust".
[02:08] leftyfb: yeah but no if it were offered over https
[02:09] blackflow: you go to *my* site, with *my* certificates, with *my* root chain. I serve it over HTTPS, and validation is correct.
[02:09] blackflow: anyone can get a cert and service it up if you're hijacking DNS
[02:09] hggdh: no
[02:09] service/serve
[02:09] You can't change the root certs in my browser.
[02:09] blackflow: again. I *have* done that as a PoC
[02:09] sounds like you don't know how that works. your root chain would need to be installed on my computer first.
[02:09] Exactly.
[02:09] but I am NOT changing your roots. I am using the same CA
[02:09] uh
[02:09] hggdh: which one? one of the public ones in ca-certificates?
[02:10] this is 100% possible
[02:10] I buy a cert from Verisign
[02:10] you are no wiser
[02:10] For your domain
[02:10] and I got in
[02:10] Or for ubuntus domain?
[02:10] it's possible alright, but how likely? back to the original statement of "having resources to corrupt a CA", or to buy unauthorized but valid cert from a bad one.
[02:11] again how likely
[02:11] we can play this game all niht
[02:11] night*
[02:11] "but what if"
[02:11] yep
[02:11] then let's drop https completely.
[02:11] just download the damn iso like millions of others and get over it
[02:11] or don't
[02:11] In 5 years going to hear about the Ubuntu-ISO-Botnet-Variant-88XX
[02:11] this is one of the reasons (among a truckload of them) I am *very* wary of X.509
[02:12] unclefoo: and I'll track you down and apologize
[02:12] you are saying that just because SOME threat actors have the ability to obtain a valid but illegal cert, then EVERY actor can too
[02:12] leftyfb: We'll get beers.
[02:12] I don't drink beer
[02:12] why not. Microsoft found it the hard way
[02:12] too many chemtrails in it ;)
[02:12] (as many others)
[02:12] security is not a switch, not black and white, it's a process. there are levels, probabilities. using https solves a number of intrusion vectors. not all, but non-zero also.
[02:13] even more the amount of CAs that come embedded is... absolutely amazing. *any* CA would do the trick
[02:13] Right, but we're getting Certificate Transparency.
[02:13] yup. any one of them in ca-certs can be used
[02:13] blackflow: correct. And security is layered, so you end up with (sigh) protection in depth
[02:14] unclefoo: file a bug on launchpad against ubuntu to host the signatures publicly behind https like gentoo does
[02:14] the question is. Can Kremlin do it to plant racy Stormy Daniels pics on your computer? sure. Can Herp Derp, the kid down the street, do it? Probably not. Can that kid sniff your wifi and mitm your http (no s) connections? probably yes.
[02:15] I do contract work -- I am a consultant. I can count on my fingers the number (out of, probably, the low hundreds) of companies I have been in that I would trust my data
[02:15] leftyfb: Maybe. Good to talk about it before making a ruckus though.
[02:15] some routers STILL are not patched for KRACK. I had a live demo to a company the other day.
[02:15] oh routers are another basket of worms
[02:16] as are, pretty much, all IoT crap
[02:16] exactly. so it's so easy to plant a trojaned ISO to someone in your network doing it over wifi. :) with a bit of effort, and no need to corrupt a CA, that someone will have no means to verify the ISO because the key is obtained over http that you're mitm-ing, too ;)
[02:17] blackflow: NOW this is more realistic. You did not download from the official repos, you are using an ISO laying around
[02:20] no you used KRACK to break into the wifi network, guessed the router panel password which was, believe it or not, "admin", or the factory sticker with the admin password is still on the back side of it, you changed the DNS and anyone in that wifi network is loading the iso from your laptop, even though they're accessing http://ubuntu.com ;)
[02:20] the whole thing ends up with what is usually called "due diligence". If no due diligence performed, then nothing can be guaranteed
[02:21] put in a different way: how many of us *always* check the received cert in an HTTPS session?
[02:21] and ubuntu does no due diligence, by not offering https downloads. that's the whole point.
[02:21] hggdh: My browser always does.
[02:21] And I always verify the domain.
[02:22] no. Your browser always checks that the certificate CN matches the FQSN, and that the browser's stored CA chain is verified
[02:23] which is, already, a corruption of the standard.
[02:23] now enters unicode, and bets are off
[02:23] depends. browsers have protection against mixed charsets.
[02:24] blackflow: oh, OK. So you are going to trust something that may, or may not, be correct? It depends, right?
[02:24] (I'm assuming you're talking about IDN homograph attack)
[02:24] I think we all agree that security is a spectrum.
[02:24] among others, yes
[02:24] unclefoo: thank you. This is indeed the point
[02:24] all I'm saying is, since having https offers MORE protection than not having https, why not have https.
[02:24] Serving your distros installation media over HTTP seems like far down the insecure side of the spectrum.
[02:25] Would you check your email over an HTTP connection?
[02:25] exactly. or at least serving the keys, which also happens over HTTP it appears.
[02:25] blackflow: I agree with you there. HTTPS does not solve the world's problem, but helps
[02:26] it doesn't help against Kremlin, but it sure denies Herp Derp, the kid down the street, from MITM-ing your pr0n ;)
[02:26] the thing is if the ONLY validation you have is HTTPS, then you are dead anyways.
[02:26] again, I like multiple layers
[02:27] I would like to have HTTPS on the repos as well.
[02:27] hggdh: I agree, but..... which of the multiple layers is offered here by Ubuntu? The download is over HTTP, the keys are obtained over HTTP. nowhere is any due diligent attempt to offer _some_ level of connection encryption when fetching those.
[02:27] (and this has been discussed ad nauseam within Ubuntu)
[02:28] Any links to the discussions?
[02:28] you have the keys off a key server; you have the keys in a signed package; you have the kernel signed with a different key
[02:29] hggdh: the keys from the key servers are obtained over http
[02:29] How do I know which key from the key server?
[02:29] It doesn't so much matter that the key is obtained over HTTP if I know what the right public key is.
[02:30] But since I don't know, HTTPS is nice.
[02:30] the packages are signed, you need to grab the signing key from them
[02:30] I see.
[02:30] gpkg --keyserver hkp://keyserver.ubuntu.com ... see that hkp there?
[02:30] *gpg (lol)
[02:31] unclefoo: I do not remember there, I think at least one of the discussions was on a ML. ubuntu-devel?
[02:31] don't remember
[02:31] hggdh: the issue here, and this whole discussion, was about that first step of getting ubuntu installed, and verifying the ISO to begin with. If that's verified and you have it installed, with keys and all, then it's no problem. but that first verification is a problem.
[02:32] it is always a problem, a known issue with distribution (where is the key, who has the key)
[02:32] this is why off-channel validation is important (and almost never done)
[02:32] right, and my whole point is that, *some* level of trust can be established if the keys were offered on a page over https, like that gentoo link above.
[02:33] and I'll take *some* over *none* any day ;)
[02:33] Right, that's a good summary I think.
[02:33] blackflow: I absolutely agree. The Ubuntu public keys should be published in a clear, HTTPS-encapsulated site
[02:34] and clearly pointed to in many different places
[02:35] (I thought we had something like that somewhere, but wiki.u.c is very slow)
[02:35] precisely. I mean, y'all have been joking earlier about lizard people and conspiracies, but let's look at the facts: snaps are being trojaned because they can be. gentoo github was compromised because some herpderm didn't use 2FA. mint's ISOs were trojaned. Arch AUR packages were trojaned. there's a LOT of incentive to compromise linux distros infrastructure. let's not kid ourselves with
[02:35] lizard people and conspiracy theories, the threat is _very_ real.
[02:37] The fingerprints in this tutorial https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3 (pointed out by blackflow) are in fact the fingerprints for the keys that signed by Ubuntu ISO.
[02:37] But it doesn't do a good job advertising that they are the legit keys, imo.
[02:38] agree
[02:39] but I am being called now for a movie
[02:39] I've read somewhere that Cosmic will be all about increasing security. Cheers to that, let's make it better! now I really have to scram. it's now 5am and the sun is coming out. I can see the horizon line changed from pitch black to black / deep blue line :)
[02:39] cya guys
[02:39] o/
[02:48] blackflow, hggdh Here we go, https://wiki.ubuntu.com/SecurityTeam/FAQ
[02:48] Towards the bottom.
[04:00] good morning to all
[04:11] WB lotuspsychje .
[04:27] tnx Bashing-om
[04:31] nice job on uwn Bashing-om
[04:34] lotuspsychje: tnx .. "WE" do try . Do better with better word smiths :)
[04:34] :p
[05:11] 2 jimbuntus
[05:12] hmm whats a logbot
[05:41] GN all ..laters \o
[06:21] good morning
[06:22] Good morning
[06:23] hi lordievader - all well today?
[06:23] Yeah, doing good.
[06:24] lots to do today?
[06:24] Yeah, as usual.
[06:25] You?
[06:26] i'm about to start the last artful->bionic upgrade, since it goes eol tomorrow - have kept postponing. also a couple of routeros upgrades to do.
[06:29] I believe most of my machines are quite up to date. Lets see.
[06:30] Oldest is Debian 9.2.
[06:34] that's not too old, afaik? i should also do something about my fileserver, but i'll do that when i'm ready to swap out the system disk - do a fresh install.
[06:35] Nope, current stable. Wonder why not all are 9.5 though.
[06:38] dunno, haven't run debian in ages. thinking of spinning up a machine with testing or sid, though, just to get familiar with it again.
[07:37] I like Debian more for vms than Ubuntu.
[07:40] as host or guest?
[07:46] Guests
[07:46] My hypervisors are mostly Gentoo with one Ubuntu exception.
[09:14] morning :-)
[09:18] * tsimonq2 spits out drink
[09:18] Gentoo?!
[09:22] Y U HATE GENTOO! let's hear it.
[09:24] never ran gentoo
[09:25] Gentoo makes your computer a freaking space heater. :P
[09:25] fedora, suse, ubuntu, debian ..
[09:25] ^
[09:25] fedora got the nicest visual boot
[09:26] no resolution change at all
[09:30] gentoo taught me all I know about linux distros, how they work inside, how to fix things when they break. it completely demystified it. it's a very valuable distro.
[09:31] i wasted so many hours trying suse without internet/docs...
[09:32] only when a professional helped me in 2008, i got started
[09:39] hah I got started with linux around that time as well. and with OpenSuSE. 10.3 was my first ever linux distro as a full daily driver (ditched windows xp).
[09:41] i feel silly when i say all my hardware since then is pretty good recognised, all the problems in #u i never experienced myself
[09:42] so i think the number of users are huge, if they have no issues too
[09:45] the part I disliked about OpenSuSE is, incredibly, YaST. it's not really optional, as it introduces a lot of config abstraction in the backend so even if you wanted to change things without a panel, using those abstractions anyway was the only way, or you risk breakage on next update of something.
[09:46] the first magical line on fedora: yum install yumex
[09:46] I agree, through the well documented installation procedure of Gentoo you learn a lot about Linux.
[09:47] then installing the good-bad-ugly
[09:47] gentoo and arch, seems like i have to try this too
[10:34] after those, linux from scratch. (I have yet to try it)
[11:29] Hi folks
[11:31] heya \o
[11:31] hi daftykins
[11:31] hot weather continuing over there?
[11:32] no, it's gone, 26 today
[11:32] oh that'd be plenty to me xD
[11:32] hot out west again tno
[11:35] cold here last night, 10C
[11:39] mm had a cool couple of nights where i had to close the windows again
[11:40] yup
[11:40] i'm off to London on Friday, bit concerned as there's meant to be an ongoing heatwave so it'll heat up to the 30s up there
[11:40] i'd rather hide from the heat back home :D
[11:41] same
[11:42] guess the ocean moderates the temps there a lot
[11:43] mmm the tides coming up the English Channel i think
[11:43] and coming back down from the North sea probably
[11:43] I'm 25 km from one of the Great Lakes here and that helps somewhat
[11:45] if i remember right a friend said they factor in hugely for your snowfall too, we might see a light dusting of snow one night every few years, super mild weather
[11:49] i should be packing tools for this trip, hmm
[11:49] bermuda current makes all the difference for the British Isles and Europe ...no such thing here
[11:53] mmm that's the one, i can't remember what it was that causes it, but in the winters lately it all changes direction and we end up with siberian air that brought us snow
[11:57] yeah, you guys in the UK mainland are actually much further north in latitude than we are , even here in "Northern Ontario"
[11:59] well i'll be flying up there on Friday :D the island of mine is quite southern in comparison - https://goo.gl/maps/Y7p8wreLMNu
[11:59] yeah, I'm familiar with your location
[12:00] ah my mistake :) just checking
[12:01] I'm, a bit of geography nut
[12:01] I like to know where people I chat with are located
[12:02] :D
[12:26] good afternoon to all
[12:29] atariOs !
[12:29] lol
[12:34] hey lotuspsychje
[12:35] hey BluesKaj
[12:35] painted the shutters today
[13:00] * tomreyn waves
[13:00] hey there tomreyn
[13:00] ah you heard about all the painting i was doing and got jealous eh lotus? :D
[13:00] hey lotus
[13:01] yeah lol
[13:03] !info libinput bionic
[13:03] Package libinput does not exist in bionic
[13:06] there's a whole lot of them, from the "libinput" source package
[13:06] https://launchpad.net/ubuntu/+source/libinput
[13:06] so if cosmic has it, its not in backports?
[13:07] backports aren't made for all packages
[13:08] so ppa it is then cause proposed might give a new nightmare
[13:09] how do you actually tell what's in proposed? neither packages.ubuntu.com nor rmadison can tell.
[14:19] use launchpad for proposed ppas
[14:22] one can search in launchpad, tomreyn
[14:55] thanks, i assumed that's possible. not sure convenient, though ;)
[14:55] s/sure/super/
[14:56] or would apt-cache say, once enabled in repos?
[14:56] but then its too late of course
[15:08] this hans__ dude is not even running ubuntu
[15:08] troll
[15:09] yeah he was offensive yesterday
[15:10] one to keep an eye on
[15:15] hans_ lotuspsychje, wrong, 32bit ubuntu will run just fine on 64bit hardware
[15:20] welcome Android361abc
[15:21] Android should be added to bug 1
[15:21] bug 1 in Ubuntu Malaysia LoCo Team "Microsoft has a majority market share" [Critical,In progress] https://launchpad.net/bugs/1
[15:21] *hips*
[15:21] lol
[15:25] bbl chicken wok a la lotus
[15:25] why did the chicken cross my pan?
[15:31] is this wr dude hans_ _ sidekick ? lolz
[16:22] #
[16:32] lotuspsychje: to get to the inner side of your mouth? :D
[16:42] :p
[16:43] zesle .. format C: and reinstall
[16:45] zesle... sounds like nestle and thus like some toy you get packaged up in the cereal box... Zesle(r) - Web Panels for Linux Kids!
[16:45] lol
[16:45] web panels are such a terrible idea
[16:46] if someone really needs one, there's really just one way to go for sure. centos + cpanel.
[16:46] everything else, with the exception of plesk that I don't recommend for other reasons, is toys, broken, insecure, and more mess than there should be.
[16:47] (mind you, cpanel is a HUGE mess of things, it starts with "Disable SELinux" ffs -- but of all panels, it works best)
[16:48] cockpit is nice
[16:48] isn't that just web interface for systemd?
[16:49] its a all-in-one app
[16:49] anyway, he had problems to begin with when he installed zesle. If he had Apache installed previously, then zesle would only install with a --force-overwrite
[16:49] blackflow: but yes, manages also systemd
[16:49] hggdh: unless they did an evil version bump
[16:49] I mean, does it just manage services and containers, or does it set up the whole hosting environment with httpd + email + accounts + domains + dns?
[16:50] usually people craving for panels need that, one-click full stack deployment.
[16:50] nacc: indeed. Still, he should --purge zesle, god knows what it brought in
[16:50] one for you hggdh
[16:50] hggdh: yep
[16:53] nacc: actually, no evil version bump. If he first installed apache, then zesle installation would fail with a similar conflict; if, conversely, he first installed zesle, then apache install would fail with a conflict (as would any updates)
[16:54] hggdh: ah ok, i hadn't looked closely yet
[16:54] no matter what, nobody knows what changes were introduced, so I would consider his current web install as tainted
[16:54] yeah
[16:54] and i wouldn't ever trust some repo that wants its own apache
[16:54] +1
[16:55] blackflow, system-config-printer ... but i dont see why one needs this to run from commandline
[16:58] oerheks: they're not even using ubuntu.... just want that utility, I guess
[16:59] cups cli is what he needs
[16:59] anyway, i am off, biking with Drabber
[17:04] lol i thought ive read bikini
[17:10] we're getting a lot of them these days huh?
[17:11] yeah leftyfb
[17:11] user count seem to increase last days
[17:11] and i think we have a nice volunteers team active at this time too
[17:14] stable and professional crew :p
[17:16] I mean the .... challenging users
[17:17] though 18.04 does seem to have a lot of problems with video drivers with all the questions/issues that have been coming up
[17:17] leftyfb: hmm dont you think compared to unity, graphics issues have reduced?
[17:18] Unity really shouldn't made much difference in video driver issues, it's just a DE
[17:19] well, the real deal will be at .1
[17:19] then we might know whats top priority
[17:24] leftyfb: in your opinion what would be top issue on bionic graphics?
[17:24] drivers
[17:24] on random cards?
[17:24] people seem to have a lot of issues installing drivers for both nvidia and ati
[17:25] more than usual
[17:25] at least from what I've seen
[17:25] 390 seems to be pretty stable doesnt it?
[17:26] i think bionics top issue on .1 will be gnome3 overall on my opinion
[17:27] unless they release some good changes
[17:28] oh well, 1 week patience :p
[17:28] !17.10
[17:28] Ubuntu 17.10 (Artful Aardvark) was the 27th release of Ubuntu. Download at http://releases.ubuntu.com/17.10/ - Release Info: https://wiki.ubuntu.com/ArtfulAardvark/ReleaseNotes
[17:29] did you upgrade ducasse
[17:29] yep, but got disk problems
[17:29] whats up
[17:30] zfs?
[17:30] i suspect it's a btrfs thing
[17:30] didnt know you are playing with btrfs?
[17:30] hey evening pragmaticenigma
[17:31] i'll look more at it tomorrow
[17:31] kk
[17:31] 'alo
[17:31] pragmaticenigma: 1724 and rolling well
[17:34] hey all
[17:34] hey EriC^^
[17:34] hey lotuspsychje
[17:35] whats up EriC^^
[17:35] ??
[17:35] not much
[17:35] whats that pragmaticenigma
[17:35] confusion
[17:36] you seem to confuse alot pragmaticenigma :p
[17:36] only coffee or alcohol?
[17:36] oh dear
[18:09] we might need a new !qemu 2011
[18:14] ??
[18:15] !qemu
[18:15] qemu is an emulator you can use to run another operating system - see https://help.ubuntu.com/community/WindowsXPUnderQemuHowTo
[18:15] its dated pragmaticenigma
[18:16] Because it references Windows XP?
[18:16] no, you can see last edited on the wiki's at bottom of page pragmaticenigma
[18:17] I guess I don't understand why it needs updating... qemu is still a hardware emulation provider
[18:18] and there are newer more mainstream emulators that have been released since 2011 that are probably favored over qemu... since I'm not certain qemu isolates the guest OS away from the host OS
[18:20] actually on that page lotuspsychje is a note that it will not work under 10.04 (which was probably the last edit) and I would assume it still does not work on newer editions
[18:20] https://www.unixmen.com/how-to-install-and-configure-qemu-in-ubuntu/
[18:20] something like this
[18:20] how did you even find this?
[18:26] my best friend google!
[18:33] yeah, but that implies you went looking for it
[18:33] yes?
[18:33] what inspired you to go looking for it
[18:33] i just dont like seeing old ubuntu versions on wiki's
[18:34] even if its still relevant
[18:34] i also help alot to improve the ubuntu factoids
[18:34] hence why i mentioned
[18:35] +1
[18:35] the wiki needs some serious work
[18:36] indeed. For quite some time I worked on (mostly) the bug triage pages. Then... I lapsed...
[18:37] we all do what we can :p
[19:23] Hey! It's TJ- !!!
[19:23] look what the cat throws in
[19:24] ready for .1 :p
[19:25] G'evening :)
[19:25] No, just here for LineageOS build failures!
[19:25] \o TJ-
[19:30] \o
[19:30] welcome back :>
[19:33] whats happening with that build TJ-
[19:34] lotuspsychje: what's happening is it... isn't! build failure for strange build tooling related reasons
[19:35] got some errors?
[19:35] TJ-'s back!
[19:38] lotuspsychje: yeah, weird stuff like ninja timing out talking to jack-server. I'm currently trying adding JACK_EXTRA_CURL_OPTIONS="--max-time 7200"
[19:39] I've upped Java VM heap to 6GB, reduced parallel instances to 1, changed the garbage collector
[19:40] https://forum.xda-developers.com/android/software/aosp-cm-los-how-to-fix-jack-server-t3575179
[19:42] yeah, been through all that and more over the last 3 days
[19:45] TJ-: how about ssl certificate?
[19:46] https://groups.google.com/forum/#!topic/android-building/8SQ0-4zZDo8
[19:47] nothing like that. It's something to do with the memory overhead and/or compile jobs taking excessive time.
[19:47] hmm
[19:47] joy asdf is back :-(
[19:49] JACK_VM_COMMAND=${JACK_VM_COMMAND:="java -Xmx4096m"}
[19:49] hmm, this time jack-server failed to start! If the errors were consistent I might be able to track down the cause, grrr
[19:49] lotuspsychje: I've done all that, you're going over what I've done over the last 3 days
[19:49] ok mate
[19:50] I'm giving it 6GB heap, was already giving it 4GB
[19:52] ahhh, this time the JDK reported insufficient memory to allocate 4GB, which makes sense since I set the minimum heap with -Xms4G
[19:53] TJ-: did you go over this one https://source.android.com/setup/build/jack
[19:54] yeah, I've trawled everything relevant, including the source code but Android build system is one heck of a mess and that's being extremely polite!
[19:55] lol
[19:55] At least it fails fast now - originally it was running for 6+ hours before failing
[19:55] :p
[19:56] cu another timezone guys
[19:56] The command being run when it fails is from an auto-generated shell script which is 60,000 (yes, sixty thousand!) lines long and is made up of lots of sub-shells linked by && as in (do this) && (do this) && (do this) ...
[19:57] sounds like a delight to debug ;)
[19:59] daftykins: you're the master of understatement tonight!
[19:59] TJ-: :D
[19:59] TJ-: i have sad news, i gave back my painting milk crate
[19:59] I'm so glad Google were fined 4.3bm euros today; they deserve it for this build system alone
[19:59] daftykins: your what?!
[20:00] the milk crate i stood on to paint up on the scaffold :)
[20:00] Oh! wow, that was highly technical :)
[20:00] I thought you used a pogo stick :D
[20:14] TJ-: I love how Google is claiming they're going to have to start charging for Android now... They already do!!!! AOSP is free and without the google stuff. Google charges for certification of Android devices to be blessed with the Google Apps
[20:15] TJ-: hehe only on weekends
[20:15] right, Google is the new Microsoft
[20:15] Effectively a license and development fee for the privilege of providing a support version of Android to end users.