| lotuspsychje | good morning | 03:16 |
|---|---|---|
| === JanC_ is now known as JanC | ||
| marcoagpinto | lotuspsychje: heya, are you there? | 07:56 |
| marcoagpinto | :) | 07:56 |
| lotuspsychje | bug #2047778 | 12:13 |
| -ubottu:#ubuntu-discuss- Bug 2047778 in update-manager (Ubuntu) "Software Updater unable to cancel Ubuntu Pro upgrade" [Undecided, Confirmed] https://launchpad.net/bugs/2047778 | 12:13 | |
| lotuspsychje | getting some calls from customers already about this on jammy, jeez | 12:13 |
| lotuspsychje | i fully agree with #2 adam | 12:17 |
| === EriC^ is now known as EriC^^ | ||
| marcoagpinto | lotuspsychje: where is the beta of 24.04? | 13:15 |
| lotuspsychje | !next | marcoagpinto | 16:37 |
| ubottu | marcoagpinto: Noble Numbat is the codename for Ubuntu 24.04. For technical support, see #ubuntu-next. For testing and QA feedback and help, see #ubuntu-quality. | 16:37 |
| marcoagpinto | ahhhhhh | 16:37 |
| marcoagpinto | lotuspsychje: :) | 16:37 |
| marcoagpinto | Buaaaaaaaa | 16:41 |
| marcoagpinto | the files there all have the date of 2021 | 16:41 |
| marcoagpinto | ahhhhhh | 16:42 |
| marcoagpinto | it was the bug tracker blah blah link that had them from 2021 | 16:42 |
| marcoagpinto | lotuspsychje: the screen keeps flashing during instalation | 17:27 |
| leftyfb | marcoagpinto: installation of what? | 17:28 |
| marcoagpinto | the daily | 17:29 |
| marcoagpinto | 24.04 | 17:29 |
| marcoagpinto | in a VM on Windows 11 | 17:29 |
| leftyfb | marcoagpinto lotuspsychje via ubottu gave you the channel for support for unreleased versions of ubuntu | 17:29 |
| marcoagpinto | ahhhhh | 17:30 |
| marcoagpinto | damn... I am not running it again, it froze windows 11 | 17:33 |
| marcoagpinto | luckily task manager worked by pressing crt + alt + del | 17:33 |
| JanC | lotuspsychje: got "panic calls" too :-( | 18:37 |
| JanC | from my dad & such | 18:41 |
| lotuspsychje | JanC: to be expected with greyed out update manager | 18:53 |
| JanC | I don't use update-manager so I hadn't seen it myself yet :-/ | 18:54 |
| === EriC^^_ is now known as EriC^^ | ||
| JanC | I'm not even sure Ubuntu Pro is worth bothering for most desktop users at this point, except when they use VLC? | 22:16 |
| leftyfb | or any of the other thousands of other packages in the universe repo | 22:18 |
| leftyfb | JanC: Ubuntu Pro is free for personal use | 22:18 |
| arraybolt3 | I don't use it - everything I need to be security-sensitive is in Main already | 22:18 |
| arraybolt3 | or I build it from source in some rare instances | 22:18 |
| JanC | leftyfb: I know it's free, but that doesn't mean people want to subscribe to it :) | 22:19 |
| leftyfb | let them decide | 22:19 |
| JanC | and for desktop use specifically, it seems like only VLC is the only somewhat commonly used application that got an update | 22:20 |
| JanC | and "let them decide" is a bit of the problem when people get panicking phone calls from family members or customers because of an update-manager change :) | 22:21 |
| daftykins | i think of it as a gameshow now, what packages can i win? yep, goodbye to this noise - much rather a simpler life where updates available are black or white | 22:21 |
| leftyfb | what I don't agree with is the manner in which they are advertising it with apt | 22:22 |
| JanC | leftyfb: they do that even worse with update-manager now apparently :) | 22:24 |
| leftyfb | I've heard | 22:25 |
| leftyfb | I also don't use a GUI to update any machine anywhere | 22:25 |
| daftykins | same, always a guaranteed worse experience | 22:25 |
| daftykins | <GUI updater> i left things mostly done... mostly... why don't you attempt a reboot and see how i did? 8D | 22:26 |
| JanC | but my remark was that Ubuntu Pro seems to be about developer & server packages mostly, not a lot of GUI/desktop applications (outside developer tools) | 22:29 |
| leftyfb | to be fair, it is all about security | 22:30 |
| JanC | mainly there is updates for VLC, xrdp (if you don't use Gnome's built-in remote desktop), libopenexr25 (if you use GIMP or Krita or such) | 22:36 |
| JanC | at least thousand other security updates are missing, I think :) | 22:37 |
| leftyfb | JanC: you know pro has been a thing for 6+ months right? | 22:37 |
| leftyfb | there's been other updates | 22:37 |
| JanC | but most are for server/development stuff | 22:37 |
| JanC | so I wonder if they are planning more updates for desktop software | 22:40 |
| ogra_ | if there are critical or high CVEs there should be fixes ... note that this is only about CVEs | 22:44 |
| ogra_ | ... not generic updates or bugfix stuff | 22:44 |
| ogra_ | (not sure how many CVEs for vlc there are ... or for openrexr ... but i'd expect these to be rare) | 22:46 |
| JanC | most projects probably wouldn't even know how to get a CVE... | 22:46 |
| ogra_ | if someone opens one at i.e. mitre.org and it shows up in the db, the security team will apply the fix and release a new package | 22:48 |
| sarnold | https://ubuntu.com/security/cves?q=&package=vlc&priority=&version=&status= and indeed nothing for openrexr https://ubuntu.com/security/cves?q=&package=openrexr&priority=&version=&status= | 22:48 |
| sarnold | but of course if openrexr uses libraries, those might have CVEs assigned, but not visible through the name of the leaf package | 22:49 |
| JanC | CVE-2022-41325 for VLC / CVE-2021-3933 & CVE-2021-3941 for openexr25 according to the package changelogs? | 22:52 |
| -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41325> | 22:52 | |
| -ubottu:#ubuntu-discuss- An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933> | 22:52 | |
| -ubottu:#ubuntu-discuss- In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941> | 22:52 | |
| ogra_ | 3.0.17 ? i dont see 3.0.17 in any LTS | 22:53 |
| ogra_ | (vlc that is) | 22:53 |
| ogra_ | 22.04 has 3.0.16 ... 24.04 isnt out yet | 22:53 |
| JanC | *through* 3.0.17 | 22:54 |
| JanC | which means all or many earlier versions too, I suppose | 22:55 |
| sarnold | oh hah maybe our website needs a better "package does not exist" error message! https://ubuntu.com/security/cves?q=&package=openexr&priority=&version=&status= | 22:55 |
| ogra_ | https://ubuntu.com/security/CVE-2022-41325 | 22:55 |
| -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41325> | 22:56 | |
| ogra_ | and look ! "available with ubuntu pro" for jammy, focal, bionic | 22:56 |
| JanC | like I said, it's pretty much the only one | 22:57 |
| ogra_ | either way, if there are any, they will be fixed in pro ... that is the whole purpose | 22:57 |
| JanC | <JanC> most projects probably wouldn't even know how to get a CVE... | 22:58 |
| JanC | so all those will never get fixed? | 22:58 |
| JanC | or is there some other way? | 22:58 |
| ogra_ | if they are not security issues, no | 22:58 |
| JanC | I mean security issues | 22:58 |
| ogra_ | pro is all about security | 22:58 |
| leftyfb | [17:30:03] <leftyfb> to be fair, it is all about security | 22:59 |
| ogra_ | 🙂 | 22:59 |
| JanC | lots of open source projects fix security issues without going through all the red tape of CVEs... | 23:00 |
| sarnold | quite often whoever finds the issue will request a cve | 23:00 |
| JanC | I guess distros can request those too... | 23:00 |
| sarnold | because that helps them promote themselves | 23:00 |
| leftyfb | and if they don't, then Canonical will probably fix it for them | 23:00 |
| leftyfb | Pro subscribers benefit | 23:00 |
| ogra_ | how would anyone know it is/was a security issues if it simply is not logged as that ? | 23:01 |
| JanC | it's often mentioned in bug reports and/or changelogs, of course | 23:02 |
| ogra_ | indeed, canonicals security team does not sit and watch every changlog of every possible deb in the world grepping for "security fix" ... there s a proces around security, if yu dont stick to it, you are on your own | 23:02 |
| sarnold | as are the users, alas :( | 23:03 |
| JanC | too much "process" is probably why they don't get CVE numbers :) | 23:03 |
| ogra_ | well, it is the standard process | 23:03 |
| ogra_ | across all software in fact ... not even limited to linux | 23:04 |
| ogra_ | opening a CVE isnt harder than opening any bug | 23:05 |
| sarnold | the cve process really isn't that bad for most people; references to bug reports, fixes, the name of the software, version numbers it's fixed in, ideally a version number when it was introduced; and a quick description of the problem | 23:06 |
| ogra_ | any did you notice that launchpad actually has a checkbox "tis is a security issue" you cn use when reporting bug | 23:06 |
| ogra_ | *a bug | 23:06 |
| sarnold | dealing with one once in a while is no big deal. i whinge mightily when i've got a dozen of them to do in a day :) but one once in a while is easy | 23:06 |
| JanC | ogra_: yes, but will they get fixed then? (assuming a fix is available etc., but there is no CVE) | 23:07 |
| ogra_ | either way, pro is about known security issues being fixed ... if there is no public report about them, how would anyone know | 23:08 |
| ogra_ | JanC, thats someting sarnold might be able to answer ... that LP tickbox makes it actually go into the security team queue, so i guess if appicable the security team might open a CVE on your behalf | 23:09 |
| JanC | I assume Ubuntu/Canonical is a CNA? | 23:09 |
| JanC | as mentioned here https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf | 23:09 |
| sarnold | yeah, the ubuntu security team is a CNA | 23:09 |
| sem | i guess you can get ubuntu pro on WSL? | 23:13 |
| ogra_ | sure | 23:13 |
| sem | according to https://www.videolan.org/vlc/download-ubuntu.html the apt version of VLC is supposed to have "all security and critical bug fixes" | 23:15 |
| sem | but it also links to "apt://vlc" which, afaik, isn't a valid URL | 23:16 |
| ogra_ | it used to be, not sure it still is though | 23:16 |
| ogra_ | we once had a browser handler for "apt://" to fire up the SW center | 23:17 |
| JanC | there also was a separate tool before that (probably still is?) | 23:17 |
| ogra_ | gdebi ? | 23:17 |
| ogra_ | (and its gui version) | 23:18 |
| sem | oh, that's cool | 23:18 |
| JanC | yes, gdebi probably, and I also see AptUrl | 23:18 |
| sem | also according to videolan.org, 18.04 was the latest supported ubuntu release | 23:18 |
| JanC | ubuntu-mate & xubuntu use that | 23:18 |
| ogra_ | well, i guss they are a bit out of date 🙂 | 23:19 |
| ogra_ | *guess | 23:19 |
| ogra_ | might also be related that they started to provide a snap directly from upstream | 23:20 |
| sem | yeah | 23:20 |
| ogra_ | $ snap info vlc|grep publisher | 23:20 |
| ogra_ | publisher: VideoLAN** | 23:20 |
| sem | latest stable there is 3.0.19 | 23:20 |
| ogra_ | (and it is at 3.0.19 currently ... way newer than the version apt provides to me on 22.04) | 23:21 |
| JanC | VLC not as popular as it used to be also | 23:22 |
| sem | :o | 23:23 |
| JanC | but that's unrelated :) | 23:24 |
| sem | #discuss-vlc | 23:24 |
| sem | :p | 23:24 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!