[03:16] good morning
=== JanC_ is now known as JanC
[07:56] lotuspsychje: heya, are you there?
[07:56] :)
[12:13] bug #2047778
[12:13] -ubottu:#ubuntu-discuss- Bug 2047778 in update-manager (Ubuntu) "Software Updater unable to cancel Ubuntu Pro upgrade" [Undecided, Confirmed] https://launchpad.net/bugs/2047778
[12:13] getting some calls from customers already about this on jammy, jeez
[12:17] i fully agree with #2 adam
=== EriC^ is now known as EriC^^
[13:15] lotuspsychje: where is the beta of 24.04?
[16:37] !next | marcoagpinto
[16:37] marcoagpinto: Noble Numbat is the codename for Ubuntu 24.04. For technical support, see #ubuntu-next. For testing and QA feedback and help, see #ubuntu-quality.
[16:37] ahhhhhh
[16:37] lotuspsychje: :)
[16:41] Buaaaaaaaa
[16:41] the files there all have the date of 2021
[16:42] ahhhhhh
[16:42] it was the bug tracker blah blah link that had them from 2021
[17:27] lotuspsychje: the screen keeps flashing during installation
[17:28] marcoagpinto: installation of what?
[17:29] the daily
[17:29] 24.04
[17:29] in a VM on Windows 11
[17:29] marcoagpinto, lotuspsychje via ubottu gave you the channel for support for unreleased versions of ubuntu
[17:30] ahhhhh
[17:33] damn... I am not running it again, it froze windows 11
[17:33] luckily task manager worked by pressing ctrl + alt + del
[18:37] lotuspsychje: got "panic calls" too :-(
[18:41] from my dad & such
[18:53] JanC: to be expected with greyed out update manager
[18:54] I don't use update-manager so I hadn't seen it myself yet :-/
=== EriC^^_ is now known as EriC^^
[22:16] I'm not even sure Ubuntu Pro is worth bothering for most desktop users at this point, except when they use VLC?
[22:18] or any of the other thousands of other packages in the universe repo
[22:18] JanC: Ubuntu Pro is free for personal use
[22:18] I don't use it - everything I need to be security-sensitive is in Main already
[22:18] or I build it from source in some rare instances
[22:19] leftyfb: I know it's free, but that doesn't mean people want to subscribe to it :)
[22:19] let them decide
[22:20] and for desktop use specifically, it seems like VLC is the only somewhat commonly used application that got an update
[22:21] and "let them decide" is a bit of the problem when people get panicking phone calls from family members or customers because of an update-manager change :)
[22:21] i think of it as a gameshow now, what packages can i win? yep, goodbye to this noise - much rather a simpler life where updates available are black or white
[22:22] what I don't agree with is the manner in which they are advertising it with apt
[22:24] leftyfb: they do that even worse with update-manager now apparently :)
[22:25] I've heard
[22:25] I also don't use a GUI to update any machine anywhere
[22:25] same, always a guaranteed worse experience
[22:26] i left things mostly done... mostly... why don't you attempt a reboot and see how i did? 8D
[22:29] but my remark was that Ubuntu Pro seems to be about developer & server packages mostly, not a lot of GUI/desktop applications (outside developer tools)
[22:30] to be fair, it is all about security
[22:36] mainly there are updates for VLC, xrdp (if you don't use Gnome's built-in remote desktop), libopenexr25 (if you use GIMP or Krita or such)
[22:37] at least a thousand other security updates are missing, I think :)
[22:37] JanC: you know pro has been a thing for 6+ months right?
[22:37] there's been other updates
[22:37] but most are for server/development stuff
[22:40] so I wonder if they are planning more updates for desktop software
[22:44] if there are critical or high CVEs there should be fixes ... note that this is only about CVEs
[22:44] ... not generic updates or bugfix stuff
[22:46] (not sure how many CVEs for vlc there are ... or for openrexr ... but i'd expect these to be rare)
[22:46] most projects probably wouldn't even know how to get a CVE...
[22:48] if someone opens one at i.e. mitre.org and it shows up in the db, the security team will apply the fix and release a new package
[22:48] https://ubuntu.com/security/cves?q=&package=vlc&priority=&version=&status= and indeed nothing for openrexr https://ubuntu.com/security/cves?q=&package=openrexr&priority=&version=&status=
[22:49] but of course if openrexr uses libraries, those might have CVEs assigned, but not visible through the name of the leaf package
[22:52] CVE-2022-41325 for VLC / CVE-2021-3933 & CVE-2021-3941 for openexr25 according to the package changelogs?
[22:52] -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
[22:52] -ubottu:#ubuntu-discuss- An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
[22:52] -ubottu:#ubuntu-discuss- In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with...
[22:53] 3.0.17 ? i don't see 3.0.17 in any LTS
[22:53] (vlc that is)
[22:53] 22.04 has 3.0.16 ... 24.04 isn't out yet
[22:54] *through* 3.0.17
[22:55] which means all or many earlier versions too, I suppose
[22:55] oh hah maybe our website needs a better "package does not exist" error message! https://ubuntu.com/security/cves?q=&package=openexr&priority=&version=&status=
[22:55] https://ubuntu.com/security/CVE-2022-41325
[22:56] -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
[22:56] and look ! "available with ubuntu pro" for jammy, focal, bionic
[22:57] like I said, it's pretty much the only one
[22:57] either way, if there are any, they will be fixed in pro ... that is the whole purpose
[22:58] most projects probably wouldn't even know how to get a CVE...
[22:58] so all those will never get fixed?
[22:58] or is there some other way?
[22:58] if they are not security issues, no
[22:58] I mean security issues
[22:58] pro is all about security
[22:59] [17:30:03] to be fair, it is all about security
[22:59] 🙂
[23:00] lots of open source projects fix security issues without going through all the red tape of CVEs...
[23:00] quite often whoever finds the issue will request a cve
[23:00] I guess distros can request those too...
[23:00] because that helps them promote themselves
[23:00] and if they don't, then Canonical will probably fix it for them
[23:00] Pro subscribers benefit
[23:01] how would anyone know it is/was a security issue if it simply is not logged as that?
[23:02] it's often mentioned in bug reports and/or changelogs, of course
[23:02] indeed, canonical's security team does not sit and watch every changelog of every possible deb in the world grepping for "security fix" ... there's a process around security, if you don't stick to it, you are on your own
[23:03] as are the users, alas :(
[23:03] too much "process" is probably why they don't get CVE numbers :)
[23:03] well, it is the standard process
[23:04] across all software in fact ... not even limited to linux
[23:05] opening a CVE isn't harder than opening any bug
[23:06] the cve process really isn't that bad for most people; references to bug reports, fixes, the name of the software, version numbers it's fixed in, ideally a version number when it was introduced; and a quick description of the problem
[23:06] and did you notice that launchpad actually has a checkbox "this is a security issue" you can use when reporting bug
[23:06] *a bug
[23:06] dealing with one once in a while is no big deal. i whinge mightily when i've got a dozen of them to do in a day :) but one once in a while is easy
[23:07] ogra_: yes, but will they get fixed then? (assuming a fix is available etc., but there is no CVE)
[23:08] either way, pro is about known security issues being fixed ... if there is no public report about them, how would anyone know
[23:09] JanC, that's something sarnold might be able to answer ... that LP tickbox makes it actually go into the security team queue, so i guess if applicable the security team might open a CVE on your behalf
[23:09] I assume Ubuntu/Canonical is a CNA?
[23:09] as mentioned here https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf
[23:09] yeah, the ubuntu security team is a CNA
[23:13] i guess you can get ubuntu pro on WSL?
[23:13] sure
[23:15] according to https://www.videolan.org/vlc/download-ubuntu.html the apt version of VLC is supposed to have "all security and critical bug fixes"
[23:16] but it also links to "apt://vlc" which, afaik, isn't a valid URL
[23:16] it used to be, not sure it still is though
[23:17] we once had a browser handler for "apt://" to fire up the SW center
[23:17] there also was a separate tool before that (probably still is?)
[23:17] gdebi ?
[23:18] (and its gui version)
[23:18] oh, that's cool
[23:18] yes, gdebi probably, and I also see AptUrl
[23:18] also according to videolan.org, 18.04 was the latest supported ubuntu release
[23:18] ubuntu-mate & xubuntu use that
[23:19] well, i guss they are a bit out of date 🙂
[23:19] *guess
[23:20] might also be related that they started to provide a snap directly from upstream
[23:20] yeah
[23:20] $ snap info vlc|grep publisher
[23:20] publisher: VideoLAN**
[23:20] latest stable there is 3.0.19
[23:21] (and it is at 3.0.19 currently ... way newer than the version apt provides to me on 22.04)
[23:22] VLC not as popular as it used to be also
[23:23] :o
[23:24] but that's unrelated :)
[23:24] #discuss-vlc
[23:24] :p