[00:06] arraybolt3: only your system is attempting to connect to iv[.]ggtyler[.]dev, docs[.]invidious[.]io, and linux.org from Discourse
[00:07] so either you or Vivaldi have some weird crap it's trying to do
[00:07] that's... really weird
[00:07] how on earth were you able to find that out?
[00:07] I didn't send you a screenshot of Vivaldi's guts AFAIK
[00:07] [telegram] arraybolt3: your system isn't blocking Content-Security-Policy reports
[00:08] is this from the Chrome screenshot I sent earlier?
[00:08] [telegram] those report to my Sentry instance for analysis and help me ID if someone's breaking the site, or such
[00:08] [telegram] arraybolt3: it's from whenever you connected to Discourse before the screenshot
[00:08] oh, you have Sentry telling you what's happening, ok
[00:08] [telegram] hence why i asked for your IP address so i can see if it came from you or not
[00:08] [telegram] and it did so
[00:08] so yeah, that was Vivaldi
[00:08] hang on one sec, can you see if I connect to Discourse again real quick?
[00:08] [telegram] ye, Sentry reports when Content-Security-Policy headers are violated or not
[00:09] [telegram] if you connect again and it triggers the same issue it'll update the timestamp on the observations in sentry es
[00:09] [telegram] yes*
[00:09] ok, just did so from Chrome
[00:09] anything pop up?
[00:09] [telegram] yup
[00:09] if you see crud related to ggtyler or invidious again, it's not Vivaldi's fault and I can rest easy
[00:09] [telegram] but do ctrl+shift+f5 or such to refresh
[00:09] I just did a ctrl+shift+r
[00:09] [telegram] i see a connect failure for browser.sentry-cdn.com but the error it triggered is already added in the CSP header
[00:10] [telegram] known issue of discourse-cdn.lubuntu.me
[00:10] if you don't see that in the most recent connection, then perhaps Vivaldi is doing something creepy in which case... sigh... then what?
[00:10] [telegram] the other errors didn't come up again
[00:10] [telegram] ye Vivaldi's doing SOMETHING with your request
[00:10] [telegram] this is how CSP can be helpful on my end to determine if something is browser-based or site-based
[00:10] great, the whole reason I switched to Vivaldi was just so that I could evade Chrome's invasive "privacy" practices
[00:11] [telegram] do me a favor though `curl -I https://discourse.lubuntu.me` and DM me the Content-Security-Policy header.
[00:11] and now it's connecting to creepy sites in the background
[00:11] [telegram] send it via pastebin if you have to
[00:11] one moment
[00:11] [telegram] arraybolt3: i can set up a Vivaldi in a sandbox and poke it but i want to make sure you're seeing the CSP header up-to-date
[00:11] [telegram] the browser.sentry-cdn.com error is fixed yet yours complained so Chrome doesn't have the right header
[00:12] teward: if there's some way you could try Vivaldi in a sandbox, that would be much appreciated. I really don't want to take all of the measures involved in a full malware cleanup unless I really have to
[00:12] [telegram] ok ye so Chrome is ignoring connect-src for some reason and triggering a 'regression' where there isn't one (it reopens issues if a regression happens)
[00:12] [telegram] i'll have to set up a system to test with (read: VM)
[00:13] [telegram] there's one thing I can fix now but it doesn't explain the odd connects
[00:13] (i.e., changing tons of passwords, replacing SSH and GPG keys, reinstalling Kubuntu, etc., etc., ad nauseam)
[00:13] [telegram] you use kubuntu. ok.
[00:13] [telegram] *installs Ubuntu since he has that around*
[00:14] Vivaldi was popular enough I trusted it...
[00:14] [telegram] rule 1 of software: never "trust software" blindly
[00:14] [telegram] rule 1 of security: you're likely to screw yourself at some point, and learn from it
[00:14] [telegram] but let's see what happens after I spin the sandbox
[00:14] I didn't trust it blindly though :P
[00:15] [telegram] by "blindly" i mean without auditing source, etc.
[00:15] [telegram] BUT WE'LL SEE WHAT I FIND
[00:15] [telegram] and if i find it's replicated behavior, then I get to file a security bug!
[00:16] if they are running some sort of malware racket it's the most intricate one I've ever seen, going so far as to set up an entire Mastodon server, forums, an email client, Android and iOS apps, etc., etc., to advertise their stuff
[00:17] hopefully it'll just be some sort of security misconfiguration and we'll be able to move on, and then I'll use nothing but Chrome and Firefox for the rest of my life and maybe even switch to Qubes OS
[00:18] [telegram] you don't have any plugins installed do you :P
[00:18] nope
[00:18] there's a built-in adblocker, that's it
[00:18] (well, built-in ad and tracker blocker which I enabled, but no, I don't use any plugins)
[00:18] [telegram] *waits for sandbox to build*
[00:23] teward: I think I only just now figured out what you were saying - Vivaldi is leaking info about what it's doing in the background to you. Granted I didn't know that Vivaldi was accessing some random person's YouTube frontend (Invidious) in the background, so why that was happening is a bit of a mystery, but I'm no longer so paranoid :P
[00:23] [telegram] well that sounds like a security flaw
[00:24] [telegram] if i can reproduce i'll report a bug
[00:24] [telegram] they won't like me when i do though
[00:24] right, but if it's a security flaw I can be like "meh, bad developers! oh well". As opposed to thinking Vivaldi is itself malware which is an "oh great, now what?" scenario
[00:25] [telegram] well it's still technically a security issue but i'll deep dive
[00:26] thanks :)
[00:26] and I'll be extra-careful what links I click on in the meantime
[00:29] teward: to be clear, what does a content-security-policy report even do?
[00:30] is it basically just reporting what things the browser is fetching code from?
[00:30] potentially leaking across websites?
[00:30] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
[00:30] Reporting directives control the reporting process of CSP violations.
[00:30] See also the Content-Security-Policy-Report-Only header. (Same site)
[00:30] CSP allows us to limit cross site script attacks or embedding attacks
[00:31] If so, I probably know where the weird Invidious thing is coming from - I have Mastodon open in another tab and I'm subscribed to a ton of hashtags related to Linux, so probably someone linked their Invidious instance on Mastodon, and then somehow that info got leaked through a CSP report.
[00:31] "The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks"
[00:31] yeah what i think is happening is there's data leakage
[00:31] which IS a security concern
[00:31] but i'm going to confirm it on my end
[00:31] send me privately a list of pages so i can populate examples on my end
[00:31] sure
[00:31] i have a sandbox VM to not pollute my main system ;)
[00:31] but real quick, do me a favor and tell me if those weird things are showing up in the latest access of Discourse from my IP
[00:32] I just closed all tabs except Discourse and then did a full refresh of that same page again
[00:32] was it 30 seconds ago?
[00:32] somewhere around that yeah
[00:32] fifteen or thirty seconds
[00:32] ye the other URLs aren't showing up in the reports
[00:32] YAY
[00:32] only the stuff Discourse and Sentry plugin reports to
[00:32] so it's just content leakage.
[00:32] (Sentry plugin is on our Discourse)
[00:32] Thanks for catching that :)
[00:32] yes, but i want to reproduce and show reproduction steps BEFORE throwing a security flaw warning out there
[00:33] agreed
[00:33] because if I do *that* I'm going the CVE route
[00:33] and submitting the security flaw to MITRE
[00:33] heh, sounds fun
[00:36] ok so
[00:36] i would suggest nuking Vivaldi and doing a new install/update
[00:36] because I can't reproduce this on latest Vivaldi stable
[00:37] hmm, make one of the tabs Mastodon maybe?
[00:37] I mean I'm on the latest Vivaldi Stable and I didn't tweak any weird settings that I know of
[00:37] I did enable the built-in mail client
[00:38] who knows, maybe I accidentally hit a keyboard shortcut that made things go berserk :P
=== arraybolt31 is now known as arraybolt3_wc
[00:38] switching to WeeChat since I'm using IRC via The Lounge via Vivaldi
[00:39] ye no worries it could be a weird leak issue
[00:39] but i can't replicate with a few different pages open
[00:40] meh, if it only happens sometimes, I don't want to use Vivaldi anymore :P
[00:40] just finished nuking it, going back to Chrome and Thunderbird I guess
[00:40] [telegram] *sips coffee*
[00:40] did anything get leaked that could be password-related?
[00:40] [telegram] Vivaldi has some good things going for it but
[00:41] [telegram] arraybolt3: not from the CSP no
[00:41] good, then I don't have to go through and change all my passwords \o/
[00:41] * genii twitches
[00:41] [telegram] but i can't guarantee something else was leaked
[00:41] [telegram] genii: go make me coffee damn it!
[00:41] hehe
[00:41] [telegram] you did the evil of showing up, now you must pay me in coffee xD
[00:41] *hisses*
[00:41] ANYWHO
[00:41] teward: well obviously not, but... gah, I should just stop being lazy and do a full password overhaul just in case.
[00:41] *continues sipping on the deliciousness*
[00:42] at least I didn't open any private keys so my GPG and SSH keys should be OK
[00:42] teward: Actually I'm drinking beer now and watching hockey, I just have "coffee" on my highlight list of course...
[00:42] genii: i know you do
[00:42] coffee for me is an all-the-time drink xD
[00:42] especially on this upcoming Friday
[00:42] it's veterans day but i must work i3wqngt98q43bq4htq348thq3tq43ht3[hg43q[g\
[00:42] * arraybolt3_wc runs that through uudecode
[00:43] hmm, teward wants some pancakes and eggs
[00:43] * arraybolt3_wc makes a note of that
[00:43] alright, wish me luck, I now have to reset every single password in both KeePassXC and in Chrome itself and migrate them all to KeePassXC
[00:44] * arraybolt3_wc tries to not get a headache
[00:46] [telegram] https://matterbridge.lubuntu.me/071bd31d/noo_god_no.mp4
[00:46] [telegram] https://matterbridge.lubuntu.me/71de51ef/you_sure_about_that_i_think_you_should_leave_with_tim_robinson.mp4
[00:51] well hey, at least my migration to KeePassXC will be complete after this :D
[00:55] [telegram] /me takes a shot every time arraybolt3 changes his nickname
[00:56] [telegram] Jk... does that fit in IRC rules XD
[00:56] [telegram] !language
[00:56] [telegram] you mean a shot to the nuts right? :P
[00:56] [telegram] *cracks knuckles*
[00:56] [telegram] hahahahah yeah sure if it lets me skirt right around that one 😆
[00:57] [telegram] :P
[00:58] better to have a bruised groin than being hospitalized with booze poisoning :P
[01:00] why does Discourse *require* that you use a password reset email to change your password *grumble*
[01:01] [telegram] i can force it if i have to :P
[01:01] not our instance
[01:01] [telegram] ah
[01:01] I'm signed up for at least three Discourse instances
[01:01] [telegram] because Discourse
[01:01] KDE, GNOME, and Lubuntu
[01:01] [telegram] and Ubuntu
[01:01] [telegram] so four
[01:01] right
[01:01] though technically that uses my Ubuntu One account so :P
[01:01] [telegram] and probably LXQt back in the day, so maybe even 5 😆
[01:02] [telegram] ~ federation time ~
[01:02] LXQt has a Discourse?
[01:02] [telegram] had :)
[01:04] ah
[01:04] yeah I don't think I ever used that
[01:04] thanks KeePassXC for stealing focus so now I just typed *something* into it, no clue what
[01:22] and now I get to think of a new Google password. Yay.
[01:22] sigh, I have a decent passphrase memorized but it will take way too long to type on my Chromebook's touchscreen
[01:23] [telegram] password is "ItIsS1monsFault@lw@y$!", FIDO U2F 2FA key
[01:23] lol, I actually have a 2FA key...
[01:23] and it's applied...
[01:24] but the idea of leaving the password unchanged is a bit worrying
[01:28] alright, came up with a new password that was better than my old one
[01:28] so that's good
[01:29] somewhat ironic that the account I need to stay secure the most is the only one using a memorized password which is by nature less secure than the monsters KeePassXC comes up with
[01:30] but that's what U2F is for I guess
[01:49] teward: change my password on notes.lubuntu.me and DM it to me if you would please, thanks and here have some coffee
[01:51] [telegram] Ouch I don't have a password for notes.. :p
[01:58] [telegram] Looks like @teward001 fixes everything now :P
[01:59] *cough* ^ Amy's account btw, setting it up for her, but bringing her here because ¯\_(ツ)_/¯
[02:00] Eickmeyer: I thought she had just shown up and was excited for a bit :)
[02:00] She's prepping dinner.
[02:00] *sigh* you don't realize just how many accounts you have until you have to change the passwords for all of them
[02:01] I figured I'd bring her in here for familiar face reasons, namely tsimonq2 and teward (to a lesser extent, only because she's seen him on the screen).
[02:10] [telegram] Eickmeyer: Where's her Membership app? Surely the head of Edubuntu should have membership already 😁
[02:10] [telegram] After dinner, right? ;)
[02:10] membership... app?
[02:10] I think you mean cloak :P
[02:10] [telegram] Application
[02:10] oh right
[02:10] * Eickmeyer bonks @tsimonq2 with a mallet
[02:10] [telegram] this is true :P
[02:11] I heard "app" and thought "since when is there an app involved in applying for Ubuntu Membership? Where do you install it from?"
[02:11] She has a life you know.
[02:11] unlike us
[02:11] [telegram] I know, I know XD
[02:11] /s
[02:11] [telegram] LMFAO
[02:11] [telegram] Okay okay let's be fair, some of us have lives ;)
[02:12] And we did only get back from Riga yesterday evening.
[02:12] seriously though, most of my life is working on the computer, whether I'm doing some Bible related project, packaging, coding, chatting, technical support, whatever. I think I probably type more than I talk in real life.
[02:13] and my keyboard shows it :P I'm wearing through the top layer of black... stuff... on my laptop keyboard
[02:13] (dunno what coating it is but it's partially missing on my E, S, D, C, and N keys)
[02:13] it's called "paint"
[02:13] lol
[02:13] bingo
[02:13] 😂
[02:14] * arraybolt3_wc grabs a vial of acrylic and fixes the problem
[02:14] Sometimes it's epoxy, but you're not so lucky.
[02:14] hy why dosn't my ai ky prss anymor
[02:14] Sounds like a hardware problem to me.
[02:14] that's a joke
[02:15] as if I painted my keys and got some stuck under the key
[02:15] I know.
[02:15] I know.
[02:15] lol, you take jokes very matter-of-factly.
[02:15] I know.
[02:15] * arraybolt3_wc removes the record from the record player
[02:15] that's erich :P
[02:15] grumpy just like me xD
[02:16] More just dry than grumpy.
[02:24] alright, password fixing complete.
[02:24] gah, and I have a headache.
[07:51] no fallback numbat pictures available at nosplash...
[10:42] [telegram] So, I actually brought this point up at the Ubuntu Summit, and we should address this here as well.
[10:42] [telegram]
[10:42] [telegram] Last cycle, we received SVGs from the Community Team only two weeks before UI freeze. This isn't an issue for a team our size, after actually realizing this weekend we're one of (if not the largest) current active flavor contributor teams. I worry about the smaller flavors, the ones who don't really have the time to make a cool wallpaper with the design. Sure, they could always use some default, but it should have a little flavor
[10:42] [telegram]
[10:42] [telegram] They agree that it should be pushed back quite a bit, so we get the wallpapers early. Additionally, there seems to be a little early support for a unified cross-flavor support team to help with artwork.
[10:42] [telegram]
[10:42] [telegram] We shouldn't worry as much about the wallpaper quite yet, I'd say. If it were solely up to me, I'd say throw in a classic LXDE wallpaper just to troll. I'll keep you posted, but I don't see myself -1ing any rational placeholder wallpaper.
[10:43] [telegram] Also, we should be very intentional about what the final wallpaper should be, and fix whatever wallpaper caching issues exist, because this is the face of Lubuntu for the next two years
[10:46] [telegram] I actually like this a lot as a placeholder, thoughts? : https://matterbridge.lubuntu.me/62833895/file_10093.jpg
[10:48] [telegram] This is my ironic pick, our first wallpaper for our first release XD : https://matterbridge.lubuntu.me/e0657486/file_10094.jpg
[10:49] [telegram] wxl: https://git.launchpad.net/ubuntu/+source/lubuntu-artwork/tree/src/usr/share/lubuntu/wallpapers?h=applied/ubuntu/xenial
[10:50] [telegram] Votes on whether we should package those old wallpapers in its own binary start now :P
[11:15] [telegram] That is a bunch to digest this early in the morning :P
[11:16] [telegram] I like the idea of a separate binary. `lubuntu-classic-wallpaper` or something.
[11:17] [telegram] The LTS seems like a good time to be retrospective.
[11:19] [telegram] Your suggestion for a placeholder is a good one and one of my all-time favorites. There are a couple of others that are not release specific that could also serve in the placeholder position.
[14:22] [telegram] https://github.com/AzumaHazuki/lxqt-themes-lubuntu-box (re @tsimonq2: This is my ironic pick, our first wallpaper for our first release XD)
[14:24] [telegram] Ironic lxqt theme :p
[17:27] I was just going to take the photo of a numbat from Wikipedia, blow it up with Upscayl, and use that as the placeholder :P
[17:28] The photo is CC-BY-SA(?) 3.0. (Can't remember if it's SA or not)
[17:28] Roberalz: hah, that theme is awesome
[17:30] tsimonq2: I like the idea of a retro-looking wallpaper, but don't like the idea of a 4:3 wallpaper (top and bottom will get cut off once wallpaper scaling is fixed), and don't like the idea of reusing an older wallpaper. If there was a 16:9 edition of the second one you linked, that would be awesome.
[17:30] Also I found the option to fix our scaling issues 😎
[17:35] oh, lol, I didn't realize the second one was the first wallpaper we ever used
[17:36] that might not be a bad idea if we could remake it in full HD or better
[17:42] [matrix] https://matterbridge.lubuntu.me/8bae5123/image.png
[17:43] teward: ^ IRC bridge bot built without Unicode support?
[17:44] no, it has unicode support
[17:44] i might have to tell it to enforce UTF but one thing to keep in mind though is not all platforms are UTF-enabled
[17:44] 🤷
[17:44] so you might be seeing a transcoding error
[17:44] esp. when using EMOJI keyboards
[17:44] because that's like UTF-16 or such that a lot of things don't support yet
[17:44] oh maybe, the second emoji went through but the first one came in corrupted.
[17:45] Weird, nvm
[17:45] i mean i don't *see* a second or third emoji here
[17:45] only one
[17:45] that might've come through weird because UTF-16 -> UTF-8 and such is pain
=== teward changed the topic of #lubuntu-devel to: Lubuntu Development | Current dev version: Noble Numbat (24.04) | Schedule: https://ubottu.com/y/mm | Testing: http://iso.qa.ubuntu.com/qatracker | Support: #lubuntu | Offtopic: #lubuntu-offtopic | Telegram: https://telegram.lubuntu.me/development | Discourse back online, expect bumps as it restabilizes.
[17:46] bleh, guess I should use a real computer and IRC client rather than a tablet and The Lunch
[17:46] *Lounge
[17:46] (though an IRC client that came with free food might not be a bad idea)