| === genii is now known as genii-core | ||
| === pizzaiolo is now known as pizza | ||
| === genii is now known as genii-core | ||
| cpaelzer | rbasak: yeah - those suggestions (e.g. not fetching that refs) is why I asked what the exact pain point is. To avoid suggesting solutions not addressing the problem mwhudson has with it. | 06:21 |
|---|---|---|
| cpaelzer | and BTW there already is a bug asking for something like a shallow clone to be faster in the many cases you just want it to behave like pull-lp-source | 06:22 |
| cpaelzer | that might (or not) resolve these current issues as well | 06:22 |
| mwhudson | cpaelzer: it's not really that painful since 1TiB nvme drives got cheap i guess :) | 08:43 |
| cpaelzer | hehe | 08:54 |
| cpaelzer | mwhudson: but so I assume it is both then, time to clone AND local disk space - or anything else on top of that? | 08:55 |
| mwhudson | cpaelzer: it's also just that pristine-tar basically doesn't work at all with go upstream tarballs | 08:55 |
| mwhudson | i mean, it works but it saves 0% space | 08:55 |
| cpaelzer | maybe we could make git-ubuntu export-orig learn how to fetch from alternative places. That way the "works the same every time" would not be broken | 09:01 |
| cpaelzer | I'm sure rbasak will have more detailed thoughts ... | 09:02 |
| cpaelzer | Still I'd think a bug would be better than chat messages, we only get to work on GU every once in a while | 09:02 |
| cpaelzer | and things occuring in between withotu tracking can forgotten too easily | 09:02 |
| schopin | o/ any core dev available to sponsor LP: #1955026 ? :) | 11:44 |
| ubottu | Launchpad bug 1955026 in openssl (Ubuntu) "Upgrade openssl to 3.0.1 on Jammy" [High, New] https://launchpad.net/bugs/1955026 | 11:44 |
| seb128 | schopin, hey, uploaded | 12:24 |
| schopin | seb128: thank you :) | 12:25 |
| seb128 | np! | 12:25 |
| === cpaelzer_ is now known as cpaelzer | ||
| === genii-core is now known as genii | ||
| hallyn | hey xnox - you very familiar with sbat? i have a noob question. | 22:31 |
| hallyn | (or maybe juliank would have the answer) : who is supposed to write the definitive version info that shim compares against? | 22:33 |
| hallyn | https://github.com/rhboot/shim/blob/main/SBAT.md talks about "UEFI CA will do an update". | 22:33 |
| hallyn | I don't get how that works in practice. | 22:33 |
| vorlon | hallyn: the UEFI CA in question is Microsoft | 22:57 |
| hallyn | yes but how is it inolved in setting sbat versions ? | 23:00 |
| hallyn | if i'm going to be running my own kernelinitrd.efi, i can set an sbat variable on it but how do i specify on the host what the min accepted version of it is? | 23:00 |
| hallyn | or if there's a grub update that claims the last version is revoked, how does the new revocation get registered? | 23:01 |
| vorlon | hallyn: the min accepted version is specified by a UEFI variable update, that has to be signed by a key in KEK | 23:02 |
| hallyn | I havent' found a document that describes that. can anyone woh's root on my system update the uefi db variable for it? | 23:02 |
| vorlon | this is what's meant by "UEFI CA" | 23:02 |
| hallyn | Is there an efivars command to load such a signed update? | 23:02 |
| hallyn | ok so if my own key is in the KEK then i can write my own sbat-versions i assume | 23:02 |
| vorlon | er there are commands for it but I never remember without looking them up | 23:02 |
| vorlon | basically it's the same commands used in the secureboot-db package | 23:03 |
| hallyn | ok but it can be done from userspace? (don't have to be before exitbootservices in efi or anything) | 23:03 |
| hallyn | ok - thanks vorlon ! | 23:03 |
| vorlon | correct | 23:03 |
| hallyn | i think that's all i need to find the rest :) \o | 23:03 |
| vorlon | mind you I'm not conversant with the details of the variable name / UUID / format | 23:03 |
| vorlon | so hopefully that's documented :) | 23:03 |
| hallyn | the GUID is documented at least | 23:04 |
| jmbl | hi vorlon, hallyn, i had been looking at shim code... and if that uefi sbat var is not set, shim sets it with a default value and attributes, which make it persistent and only available before exitbootservices... is that just a default thingy and a vendor will not use those attributes if setting himself? | 23:21 |
| vorlon | that's definitely a default thingy, the goal is to have it set by the CA so that we have information across all shim vendors | 23:22 |
| jmbl | ahhhhhhh that is good to know. | 23:22 |
| hallyn | ah so that's why it was working despite my never having set such a thing :) gotcha. | 23:25 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!