[00:33] <francisco> quit
[00:33] <francisco> quit
[00:33] <francisco> quit
[01:31] <lotuspsychje> good morning
[06:43] <ducasse> good morning
[09:44] <bewees> [16:39] <fffffbeweesHow secure does Ubuntu safe their infrastructure keys and is Ubuntu obligated to share them with governmental juridictions?
[10:03] <bewees> https://www.linkedin.com/pulse/linux-mint-iso-images-compromised-peter-gamache-cissp
[10:07] <Mekaneck> bewees: seriously, why bring up something that happend 5 years ago?
[10:07] <Mekaneck> it has been discussed more that enough
[10:07] <Mekaneck> that/than
[10:08] <Mekaneck> and the reason that the Mint iso's were compromised had been explained
[10:09] <Mekaneck> this belongs on the Mint channels or offtopic since it has nothing to do with Ubuntu
[10:19] <bewees> Oh I found that article after I asked. My question is unrelated to Mint. Iam curious if for example Ubuntu maintainers use hardware key storages such as Nitrokey. Also if for example Ubuntu has to work with government like Google, Microsoft and Apple have to
[10:19] <bewees> Mekaneck: 
[10:29] <daftykins> you should ask directly if you want to know
[10:53] <bewees> I think maintainers need a lot security requirements, besides being obliged by law to allow access, I imagine all powerful states in the world try to gain access to the infrastructure keys as it allows them to access in system using ubuntu in the world. The MITM on the repository or the CA if https is used should be the smaller problem for the attack
[10:53] <bewees> S/in/all/
[13:09] <tomreyn> bewees: maybe that's a question for #ubuntu-security - looks like a relevant question to me.
[14:02] <marcoagpinto> I had to reinstall my Ubuntu 20.04.2 machine since now and then the OS would crash
[14:02] <marcoagpinto> :)
[14:02] <marcoagpinto> the app to watch videos was always crashing
[14:02] <marcoagpinto> :)
[14:02] <marcoagpinto> I will also reinstall the other two VMs someday
[14:02] <marcoagpinto> :p
[14:03] <lotuspsychje> marcoagpinto: 'the app'?
[14:03] <marcoagpinto> it is called "Videos"?
[14:03] <marcoagpinto> I believe
[14:03] <marcoagpinto> you double-click in an MP4 and it opens the file with it
[14:04] <lotuspsychje> totem
[14:04] <marcoagpinto> what?
[14:04] <marcoagpinto> who is Totem?
[14:05] <marcoagpinto> I will delete the 18.04 VM after PureBasic 6.0 is released and then will replace my second 20.04 with it
[14:05] <marcoagpinto> :)
[14:06] <marcoagpinto> will have PureBasic in 20.04
[14:06] <marcoagpinto> the problem is that the dependencies are no longer installable using one line of SUDO
[14:06] <marcoagpinto> in 18.04 I would copy/paste the line into terminal and it would install everything
[14:06] <marcoagpinto> now I need to copy/paste each command
[14:07] <marcoagpinto> sudo apt-get install gcc g++ libc6-dev libsdl1.2-dev libgtk-3-dev unixodbc-dev libgnome2-dev libxine2-dev libwebkitgtk-3.0-dev libxxf86vm-dev libwebkitgtk-dev libwebkitgtk-3.0-dev
[14:07] <marcoagpinto> this line no longer works in 20.04
[14:07] <marcoagpinto> I need to cut each command by hand
[14:15] <marcoagpinto> Buaaaaaaaa
[14:15] <marcoagpinto> this is an abuse
[14:15] <marcoagpinto> it crashed!!!!!
[14:15] <marcoagpinto> https://www.dropbox.com/s/pe66ihmm9kxwci9/ubuntu20_04_02_crash_20210818.png?dl=0
[14:15] <marcoagpinto> I installed it hours ago and it crashed
[14:16] <marcoagpinto> I only had Firefox running
[15:19] <bewees> tomreyn: Thank you, asked over there 😊
[19:49] <tomreyn> bewees: i guess teward is right, this is a question for canonicals' legal team rather than the security team.
[19:50] <teward> (what tomreyn is referring to is my post in ubuntu-security which I'll copy here)
[19:50] <teward> I think this is one of those impossible questions you'll never get a public forum answer to.  IT fits into the category of "Is X secretly doing Y?" and that type of question never gets answered in a public forum.
[19:50] <teward> this is also a legal question and probably if anywhere would be directed to Canonical Legal, not the Ubuntu Security Team
[19:50] <teward> also, corporate entities are not required to disclose if they are or are not doing something if it's in accordance with a law.
[19:51] <tomreyn> teward: sorry for channel hopping, i just didn't want to keep folks in -security busy with htis
[19:52] <tomreyn> i guess there can be reasons why companies would like to make a public statement on their practices in this regard. but probably a lot more where they would prefer not to.
[19:55] <bewees> tomreyn: Yes :-)
[19:55] <teward> tomreyn: yep.  but it probably wouldn't be made in the public forum fieldspace
[19:55] <teward> tomreyn: and no worries, I'm in many channels but context to referring to statements is usually needed ;)
[20:11] <TJ-> this is one reason for reproducible builds. Then it doesn't matter who signs binaries if you can verify the source and the resulting binaries match what the archives have
[20:28] <JanC> still matters who signs the sources then  :)
[20:30] <tomreyn> and who reproduces the builds
[20:32] <tomreyn> it's still good to have, though, even if it's any *other* party reproducing those builds (or you're doing it yourself).
[20:32] <TJ-> no it doesn't; the point is YOU get the source YOU verify it has nothing unwanted and YOU build it, then compare its hashes with those of the archive
[20:34] <tomreyn> but that (almost) eradictes the benefit of binary archives
[20:34] <tomreyn> i mean, sure, it's fine, if you have the processing power to do local builds for everything you install and update.
[20:35] <TJ-> but that isn't the point. If someone is SO security conscious and suspicious then they don't trust any other entity, so have to do the assurance themselves.
[20:36] <TJ-> the pretext of the original question(s) in -security was about not trusting (Debian)/ Ubuntu archive binaries but to my mind if you've got governments as a concern then you won't trust anything pre-built by definition
[20:38] <tomreyn> i was rather thinknig of a notary-like scenario where you get something in-between. i.e. one or more third parties doing the rebuils, comparing their results to the main binary package mirrors, altering the community if they differ.
[20:38] <tomreyn> *alerting
[20:38] <TJ-> for most mere mortals it isn't a concern, but when people present these false-flag arguments they want their cake and eat it too, as the saying goes. They want all the convenience of binary builds without having to do their own verification and try to externalise their supposed lack of trust onto the publisher. If that trust is lacking, then its on them to verify
[20:39] <TJ-> tomreyn: yes, that's one way but there's little demand for it amongst those who would be prepared to fund it in both money, resources, and time
[20:40] <TJ-> Debian have done great things with the reproducible builds project
[20:44] <tomreyn> TJ-: i agree, also i'm glad they have sponsors enabling this. i also agree about the need to build yourself from source if you consider the governmentally funded threat actor executing targetted attack as part of your threat model
[20:45] <TJ-> meantime, some of us are trying to figure out why dhclient isn't sending the hostname in requests! that is far more important !
[21:04] <TJ-> aha, yet more neglience for IPv6. Bug #1940481