=== genii is now known as genii-core === pizzaiolo is now known as pizza === genii is now known as genii-core [06:21] rbasak: yeah - those suggestions (e.g. not fetching that refs) is why I asked what the exact pain point is. To avoid suggesting solutions not addressing the problem mwhudson has with it. [06:22] and BTW there already is a bug asking for something like a shallow clone to be faster in the many cases you just want it to behave like pull-lp-source [06:22] that might (or not) resolve these current issues as well [08:43] cpaelzer: it's not really that painful since 1TiB nvme drives got cheap i guess :) [08:54] hehe [08:55] mwhudson: but so I assume it is both then, time to clone AND local disk space - or anything else on top of that? [08:55] cpaelzer: it's also just that pristine-tar basically doesn't work at all with go upstream tarballs [08:55] i mean, it works but it saves 0% space [09:01] maybe we could make git-ubuntu export-orig learn how to fetch from alternative places. That way the "works the same every time" would not be broken [09:02] I'm sure rbasak will have more detailed thoughts ... [09:02] Still I'd think a bug would be better than chat messages, we only get to work on GU every once in a while [09:02] and things occuring in between withotu tracking can forgotten too easily [11:44] o/ any core dev available to sponsor LP: #1955026 ? :) [11:44] Launchpad bug 1955026 in openssl (Ubuntu) "Upgrade openssl to 3.0.1 on Jammy" [High, New] https://launchpad.net/bugs/1955026 [12:24] schopin, hey, uploaded [12:25] seb128: thank you :) [12:25] np! === cpaelzer_ is now known as cpaelzer === genii-core is now known as genii [22:31] hey xnox - you very familiar with sbat? i have a noob question. [22:33] (or maybe juliank would have the answer) : who is supposed to write the definitive version info that shim compares against? [22:33] https://github.com/rhboot/shim/blob/main/SBAT.md talks about "UEFI CA will do an update". [22:33] I don't get how that works in practice. [22:57] hallyn: the UEFI CA in question is Microsoft [23:00] yes but how is it inolved in setting sbat versions ? [23:00] if i'm going to be running my own kernelinitrd.efi, i can set an sbat variable on it but how do i specify on the host what the min accepted version of it is? [23:01] or if there's a grub update that claims the last version is revoked, how does the new revocation get registered? [23:02] hallyn: the min accepted version is specified by a UEFI variable update, that has to be signed by a key in KEK [23:02] I havent' found a document that describes that. can anyone woh's root on my system update the uefi db variable for it? [23:02] this is what's meant by "UEFI CA" [23:02] Is there an efivars command to load such a signed update? [23:02] ok so if my own key is in the KEK then i can write my own sbat-versions i assume [23:02] er there are commands for it but I never remember without looking them up [23:03] basically it's the same commands used in the secureboot-db package [23:03] ok but it can be done from userspace? (don't have to be before exitbootservices in efi or anything) [23:03] ok - thanks vorlon ! [23:03] correct [23:03] i think that's all i need to find the rest :) \o [23:03] mind you I'm not conversant with the details of the variable name / UUID / format [23:03] so hopefully that's documented :) [23:04] the GUID is documented at least [23:21] hi vorlon, hallyn, i had been looking at shim code... and if that uefi sbat var is not set, shim sets it with a default value and attributes, which make it persistent and only available before exitbootservices... is that just a default thingy and a vendor will not use those attributes if setting himself? [23:22] that's definitely a default thingy, the goal is to have it set by the CA so that we have information across all shim vendors [23:22] ahhhhhhh that is good to know. [23:25] ah so that's why it was working despite my never having set such a thing :) gotcha.