/srv/irclogs.ubuntu.com/2021/08/18/#ubuntu-discuss.txt

=== francisco has quit
[01:31] <lotuspsychje> good morning
=== Droid is now known as Mekaneck
[06:43] <ducasse> good morning
[09:44] <bewees> [16:39] <fffffbewees> How securely does Ubuntu keep its infrastructure keys safe, and is Ubuntu obligated to share them with governmental jurisdictions?
[10:03] <bewees> https://www.linkedin.com/pulse/linux-mint-iso-images-compromised-peter-gamache-cissp
[10:07] <Mekaneck> bewees: seriously, why bring up something that happened 5 years ago?
[10:07] <Mekaneck> it has been discussed more than enough
[10:08] <Mekaneck> and the reason that the Mint ISOs were compromised has been explained
[10:09] <Mekaneck> this belongs on the Mint channels or offtopic since it has nothing to do with Ubuntu
[10:19] <bewees> Oh, I found that article after I asked. My question is unrelated to Mint. I am curious whether, for example, Ubuntu maintainers use hardware key storage such as Nitrokey. Also whether, for example, Ubuntu has to work with governments like Google, Microsoft and Apple have to
[10:19] <bewees> Mekaneck:
[10:29] <daftykins> you should ask directly if you want to know
[10:53] <bewees> I think maintainers need a lot of security requirements; besides being obliged by law to allow access, I imagine all powerful states in the world try to gain access to the infrastructure keys, as it allows them to access all systems using Ubuntu in the world. The MITM on the repository, or on the CA if HTTPS is used, should be the smaller problem for the attack
[13:09] <tomreyn> bewees: maybe that's a question for #ubuntu-security - looks like a relevant question to me.
[14:02] <marcoagpinto> I had to reinstall my Ubuntu 20.04.2 machine since now and then the OS would crash
[14:02] <marcoagpinto> :)
[14:02] <marcoagpinto> the app to watch videos was always crashing
[14:02] <marcoagpinto> :)
[14:02] <marcoagpinto> I will also reinstall the other two VMs someday
[14:02] <marcoagpinto> :p
[14:03] <lotuspsychje> marcoagpinto: 'the app'?
[14:03] <marcoagpinto> it is called "Videos"?
[14:03] <marcoagpinto> I believe
[14:03] <marcoagpinto> you double-click on an MP4 and it opens the file with it
[14:04] <lotuspsychje> totem
[14:04] <marcoagpinto> what?
[14:04] <marcoagpinto> who is Totem?
[14:05] <marcoagpinto> I will delete the 18.04 VM after PureBasic 6.0 is released and then will replace my second 20.04 with it
[14:05] <marcoagpinto> :)
[14:06] <marcoagpinto> will have PureBasic in 20.04
[14:06] <marcoagpinto> the problem is that the dependencies are no longer installable using one sudo line
[14:06] <marcoagpinto> in 18.04 I would copy/paste the line into the terminal and it would install everything
[14:06] <marcoagpinto> now I need to copy/paste each command
[14:07] <marcoagpinto> sudo apt-get install gcc g++ libc6-dev libsdl1.2-dev libgtk-3-dev unixodbc-dev libgnome2-dev libxine2-dev libwebkitgtk-3.0-dev libxxf86vm-dev libwebkitgtk-dev
[14:07] <marcoagpinto> this line no longer works in 20.04
[14:07] <marcoagpinto> I need to cut each command by hand
[14:15] <marcoagpinto> Buaaaaaaaa
[14:15] <marcoagpinto> this is an abuse
[14:15] <marcoagpinto> it crashed!!!!!
[14:15] <marcoagpinto> https://www.dropbox.com/s/pe66ihmm9kxwci9/ubuntu20_04_02_crash_20210818.png?dl=0
[14:15] <marcoagpinto> I installed it hours ago and it crashed
[14:16] <marcoagpinto> I only had Firefox running
[15:19] <bewees> tomreyn: Thank you, asked over there 😊
=== Sven_vB_ is now known as Sven_vB
[19:49] <tomreyn> bewees: I guess teward is right, this is a question for Canonical's legal team rather than the security team.
[19:50] <teward> (what tomreyn is referring to is my post in ubuntu-security which I'll copy here)
[19:50] <teward> I think this is one of those impossible questions you'll never get a public forum answer to. It fits into the category of "Is X secretly doing Y?" and that type of question never gets answered in a public forum.
[19:50] <teward> this is also a legal question and, if anywhere, would probably be directed to Canonical Legal, not the Ubuntu Security Team
[19:50] <teward> also, corporate entities are not required to disclose whether they are or are not doing something if it's in accordance with a law.
[19:51] <tomreyn> teward: sorry for channel hopping, I just didn't want to keep folks in -security busy with this
[19:52] <tomreyn> I guess there can be reasons why companies would like to make a public statement on their practices in this regard, but probably a lot more where they would prefer not to.
[19:55] <bewees> tomreyn: Yes :-)
[19:55] <teward> tomreyn: yep, but it probably wouldn't be made in the public forum fieldspace
[19:55] <teward> tomreyn: and no worries, I'm in many channels but context for referring to statements is usually needed ;)
[20:11] <TJ-> this is one reason for reproducible builds. Then it doesn't matter who signs binaries if you can verify the source and the resulting binaries match what the archives have
[20:28] <JanC> still matters who signs the sources then :)
[20:30] <tomreyn> and who reproduces the builds
[20:32] <tomreyn> it's still good to have, though, even if it's any *other* party reproducing those builds (or you're doing it yourself).
[20:32] <TJ-> no it doesn't; the point is YOU get the source, YOU verify it has nothing unwanted and YOU build it, then compare its hashes with those of the archive
[20:34] <tomreyn> but that (almost) eradicates the benefit of binary archives
[20:34] <tomreyn> I mean, sure, it's fine, if you have the processing power to do local builds for everything you install and update.
[20:35] <TJ-> but that isn't the point. If someone is SO security conscious and suspicious then they don't trust any other entity, so they have to do the assurance themselves.
[20:36] <TJ-> the pretext of the original question(s) in -security was about not trusting Debian/Ubuntu archive binaries, but to my mind if you've got governments as a concern then you won't trust anything pre-built, by definition
[20:38] <tomreyn> I was rather thinking of a notary-like scenario where you get something in-between, i.e. one or more third parties doing the rebuilds, comparing their results to the main binary package mirrors, alerting the community if they differ.
[20:38] <TJ-> for most mere mortals it isn't a concern, but when people present these false-flag arguments they want to have their cake and eat it too, as the saying goes. They want all the convenience of binary builds without having to do their own verification and try to externalise their supposed lack of trust onto the publisher. If that trust is lacking, then it's on them to verify
[20:39] <TJ-> tomreyn: yes, that's one way, but there's little demand for it amongst those who would be prepared to fund it in money, resources, and time
[20:40] <TJ-> Debian have done great things with the reproducible builds project
[20:44] <tomreyn> TJ-: I agree, and I'm also glad they have sponsors enabling this. I also agree about the need to build from source yourself if you consider a governmentally funded threat actor executing a targeted attack as part of your threat model
[20:45] <TJ-> meantime, some of us are trying to figure out why dhclient isn't sending the hostname in requests! that is far more important!
[21:04] <TJ-> aha, yet more negligence for IPv6. Bug #1940481
=== nhaines_ is now known as nhaines
