[03:16] <lotuspsychje> good morning
[07:56] <marcoagpinto> lotuspsychje: heya, are you there?
[07:56] <marcoagpinto> :)
[12:13] <lotuspsychje> bug #2047778
[12:13] -ubottu:#ubuntu-discuss- Bug 2047778 in update-manager (Ubuntu) "Software Updater unable to cancel Ubuntu Pro upgrade" [Undecided, Confirmed] https://launchpad.net/bugs/2047778
[12:13] <lotuspsychje> getting some calls from customers already about this on jammy, jeez
[12:17] <lotuspsychje> i fully agree with #2 adam
[13:15] <marcoagpinto> lotuspsychje: where is the beta of 24.04?
[16:37] <lotuspsychje> !next | marcoagpinto 
[16:37] <marcoagpinto> ahhhhhh
[16:37] <marcoagpinto> lotuspsychje: :)
[16:41] <marcoagpinto> Buaaaaaaaa
[16:41] <marcoagpinto> the files there all have the date of 2021
[16:42] <marcoagpinto> ahhhhhh
[16:42] <marcoagpinto> it was the bug tracker blah blah link that had them from 2021
[17:27] <marcoagpinto> lotuspsychje: the screen keeps flashing during installation
[17:28] <leftyfb> marcoagpinto: installation of what?
[17:29] <marcoagpinto> the daily
[17:29] <marcoagpinto> 24.04
[17:29] <marcoagpinto> in a VM on Windows 11
[17:29] <leftyfb>  marcoagpinto lotuspsychje via ubottu gave you the channel for support for unreleased versions of ubuntu
[17:30] <marcoagpinto> ahhhhh
[17:33] <marcoagpinto> damn... I am not running it again, it froze windows 11
[17:33] <marcoagpinto> luckily task manager worked by pressing ctrl + alt + del
[18:37] <JanC> lotuspsychje: got "panic calls" too  :-(
[18:41] <JanC> from my dad & such
[18:53] <lotuspsychje> JanC: to be expected with greyed out update manager
[18:54] <JanC> I don't use update-manager so I hadn't seen it myself yet  :-/
[22:16] <JanC> I'm not even sure Ubuntu Pro is worth bothering for most desktop users at this point, except when they use VLC?
[22:18] <leftyfb> or any of the other thousands of other packages in the universe repo
[22:18] <leftyfb> JanC: Ubuntu Pro is free for personal use
[22:18] <arraybolt3> I don't use it - everything I need to be security-sensitive is in Main already
[22:18] <arraybolt3> or I build it from source in some rare instances
[22:19] <JanC> leftyfb: I know it's free, but that doesn't mean people want to subscribe to it  :)
[22:19] <leftyfb> let them decide
[22:20] <JanC> and for desktop use specifically, it seems like only VLC is the only somewhat commonly used application that got an update
[22:21] <JanC> and "let them decide" is a bit of the problem when people get panicking phone calls from family members or customers because of an update-manager change  :)
[22:21] <daftykins> i think of it as a gameshow now, what packages can i win? yep, goodbye to this noise - much rather a simpler life where updates available are black or white
[22:22] <leftyfb> what I don't agree with is the manner in which they are advertising it with apt
[22:24] <JanC> leftyfb: they do that even worse with update-manager now apparently  :)
[22:25] <leftyfb> I've heard
[22:25] <leftyfb> I also don't use a GUI to update any machine anywhere
[22:25] <daftykins> same, always a guaranteed worse experience
[22:26] <daftykins> <GUI updater> i left things mostly done... mostly... why don't you attempt a reboot and see how i did? 8D
[22:29] <JanC> but my remark was that Ubuntu Pro seems to be about developer & server packages mostly, not a lot of GUI/desktop applications (outside developer tools)
[22:30] <leftyfb> to be fair, it is all about security
[22:36] <JanC> mainly there is updates for VLC, xrdp (if you don't use Gnome's built-in remote desktop), libopenexr25 (if you use GIMP or Krita or such)
[22:37] <JanC> at least thousand other security updates are missing, I think  :)
[22:37] <leftyfb> JanC: you know pro has been a thing for 6+ months right?
[22:37] <leftyfb> there's been other updates
[22:37] <JanC> but most are for server/development stuff
[22:40] <JanC> so I wonder if they are planning more updates for desktop software
[22:44] <ogra_> if there are critical or high CVEs there should be fixes ... note that this is only about CVEs 
[22:44] <ogra_> ... not generic updates or bugfix stuff
[22:46] <ogra_> (not sure how many CVEs for vlc there are ... or for openrexr ... but i'd expect these to be rare)
[22:46] <JanC> most projects probably wouldn't even know how to get a CVE...
[22:48] <ogra_> if someone opens one at i.e. mitre.org and it shows up in the db, the security team will apply the fix and release a new package 
[22:48] <sarnold> https://ubuntu.com/security/cves?q=&package=vlc&priority=&version=&status=  and indeed nothing for openrexr https://ubuntu.com/security/cves?q=&package=openrexr&priority=&version=&status=
[22:49] <sarnold> but of course if openrexr uses libraries, those might have CVEs assigned, but not visible through the name of the leaf package
[22:52] <JanC> CVE-2022-41325 for VLC / CVE-2021-3933 & CVE-2021-3941 for openexr25 according to the package changelogs?
[22:52] -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41325>
[22:52] -ubottu:#ubuntu-discuss- An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933>
[22:52] -ubottu:#ubuntu-discuss- In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3941>
[22:53] <ogra_> 3.0.17 ? i dont see 3.0.17 in any LTS 
[22:53] <ogra_> (vlc that is)
[22:53] <ogra_> 22.04 has 3.0.16 ... 24.04 isnt out yet
[22:54] <JanC> *through* 3.0.17
[22:55] <JanC> which means all or many earlier versions too, I suppose
[22:55] <sarnold> oh hah maybe our website needs a better "package does not exist" error message! https://ubuntu.com/security/cves?q=&package=openexr&priority=&version=&status=
[22:55] <ogra_> https://ubuntu.com/security/CVE-2022-41325
[22:56] -ubottu:#ubuntu-discuss- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41325>
[22:56] <ogra_> and look ! "available with ubuntu pro" for jammy, focal, bionic 
[22:57] <JanC> like I said, it's pretty much the only one
[22:57] <ogra_> either way, if there are any, they will be fixed in pro ... that is the whole purpose
 most projects probably wouldn't even know how to get a CVE...
[22:58] <JanC> so all those will never get fixed?
[22:58] <JanC> or is there some other way?
[22:58] <ogra_> if they are not security issues, no 
[22:58] <JanC> I mean security issues
[22:58] <ogra_> pro is all about security 
[22:59] <leftyfb> [17:30:03] <leftyfb> to be fair, it is all about security
[22:59] <ogra_> 🙂
[23:00] <JanC> lots of open source projects fix security issues without going through all the red tape of CVEs...
[23:00] <sarnold> quite often whoever finds the issue will request a cve
[23:00] <JanC> I guess distros can request those too...
[23:00] <sarnold> because that helps them promote themselves
[23:00] <leftyfb> and if they don't, then Canonical will probably fix it for them
[23:00] <leftyfb> Pro subscribers benefit
[23:01] <ogra_> how would anyone know it is/was a security issues if it simply is not logged as that ? 
[23:02] <JanC> it's often mentioned in bug reports and/or changelogs, of course
[23:02] <ogra_> indeed, Canonical's security team does not sit and watch every changelog of every possible deb in the world grepping for "security fix" ... there's a process around security, if you don't stick to it, you are on your own
[23:03] <sarnold> as are the users, alas :(
[23:03] <JanC> too much "process" is probably why they don't get CVE numbers  :)
[23:03] <ogra_> well, it is the standard process 
[23:04] <ogra_> across all software in fact ... not even limited to linux 
[23:05] <ogra_> opening a CVE isnt harder than opening any bug 
[23:06] <sarnold> the cve process really isn't that bad for most people; references to bug reports, fixes, the name of the software, version numbers it's fixed in, ideally a version number when it was introduced; and a quick description of the problem
[23:06] <ogra_> and did you notice that launchpad actually has a checkbox "this is a security issue" you can use when reporting  bug 
[23:06] <ogra_> *a bug
[23:06] <sarnold> dealing with one once in a while is no big deal. i whinge mightily when i've got a dozen of them to do in a day :) but one once in a while is easy
[23:07] <JanC> ogra_: yes, but will they get fixed then? (assuming a fix is available etc., but there is no CVE)
[23:08] <ogra_> either way, pro is about known security issues being fixed ... if there is no public report about them, how would anyone know
[23:09] <ogra_> JanC, that's something sarnold might be able to answer ... that LP tickbox makes it actually go into the security team queue, so i guess if applicable the security team might open a CVE on your behalf
[23:09] <JanC> I assume Ubuntu/Canonical is a CNA?
[23:09] <JanC> as mentioned here https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf
[23:09] <sarnold> yeah, the ubuntu security team is a CNA
[23:13] <sem> i guess you can get ubuntu pro on WSL?
[23:13] <ogra_> sure
[23:15] <sem> according to https://www.videolan.org/vlc/download-ubuntu.html the apt version of VLC is supposed to have "all security and critical bug fixes"
[23:16] <sem> but it also links to "apt://vlc" which, afaik, isn't a valid URL
[23:16] <ogra_> it used to be, not sure it still is though
[23:17] <ogra_> we once had a browser handler for "apt://" to fire up the SW center 
[23:17] <JanC> there also was a separate tool before that (probably still is?)
[23:17] <ogra_> gdebi ?
[23:18] <ogra_> (and its gui version)
[23:18] <sem> oh, that's cool
[23:18] <JanC> yes, gdebi probably, and I also see AptUrl
[23:18] <sem> also according to videolan.org, 18.04 was the latest supported ubuntu release
[23:18] <JanC> ubuntu-mate & xubuntu use that
[23:19] <ogra_> well, i guss they are a bit out of date 🙂
[23:19] <ogra_> *guess
[23:20] <ogra_> might also be related that they started to provide a snap directly from upstream
[23:20] <sem> yeah
[23:20] <ogra_> $ snap info vlc|grep publisher
[23:20] <ogra_> publisher: VideoLAN**
[23:20] <sem> latest stable there is 3.0.19
[23:21] <ogra_> (and it is at 3.0.19 currently ... way newer than the version apt provides to me on 22.04)
[23:22] <JanC> VLC not as popular as it used to be also
[23:23] <sem> :o
[23:24] <JanC>  but that's unrelated  :)
[23:24] <sem> #discuss-vlc
[23:24] <sem> :p