[10:20] 👍🏻 (re @IrcsomeBot: Frameworks green. See you all tomorrow.) [10:20] https://paste.ubuntu.com/p/mpWdkF237F/ [10:24] updated the fw .. till come up later .. conflicted packages (re @myfenris: https://paste.ubuntu.com/p/mpWdkF237F/) [10:25] for full-upgrade === mamarley_ is now known as mamarley [10:39] hmmm, ok, looking into it. I don't know of any new packages that would cause that. [13:37] Hi all [13:42] hello [18:16] sgmoore: potentially odd question, but how do we feel about /boot *always* being a separate partition even on unencrypted systems? [18:17] Background: Out of the box, Calamares always encrypts the /boot partition when LUKS is enabled, whether it's the same as the root partition or not. This results in the use of potentially insecure codepaths in Ubuntu's GRUB, and is therefore unsupported (not to mention having some strange behaviors that are arguably bugs). To replicate the way Ubuntu does disk encryption, we need to... [18:18] ... have a method of *not* encrypting /boot. After discussion with the Calamares devs, the current intended way to do this is by specifying a partition layout in the Calamares configuration and mark certain partitions (in our instannce /boot) as not-to-be-encrypted. [18:18] The trouble is you can't specify separate layouts for when LUKS is in use and when LUKS is not in use. So if we specify a separate /boot partition and set it as always unencrypted, it will be there regardless of whether LUKS is enabled or not. (This is as opposed to how Ubiquity did it, where it would make a separate /boot partition only when LUKS was enabled.) [18:19] Theoretically this would be overcomeable by patching Calamares, but I'm trying to go with an all-upstream solution where I get the support for specifying unencrypted partitions into upstream Calamares and then we use it downstream. So I'm wondering if just always having a separate /boot partition is an agreeable solution to you. [18:19] (I'm going to be experimenting with things that way for now, and if it's not agreeable we'll figure something else out. [18:37] I would be willing to help justify this decision to upstream ifneedbe. [18:37] tsimonq2: I'm already discussing it with them, they have some good points and I'll have to do some experimentation to see what all needs to be done for an ideal solution to be found. [18:38] In my *opinion* (for future ref, hats off), we should just follow what the rest of the flavors do. The argument I heard against all-in-one from the Security Team was quite compelling. [18:39] right. Upstream's already very receptive to having the ability to disable encryption for some partitions and even helped me find an ideal way to do it. [18:39] The thing I'm struggling with is the fact that Ubuntu's installers generally only make a separate /boot partition if LUKS is enabled. [18:40] That's something Cala is not yet equipped to do, and my initial idea for it (allowing the specification of two partition layouts, one with LUKS and one without) has technical issues with it that we're working through. [18:46] What is this for?: [18:46] https://invent.kde.org/teams/distribution-kubuntu/to-do-24.04 [19:10] ahoneybun https://invent.kde.org/teams/distribution-kubuntu/to-do-24.04/-/boards [19:12] It's a bit odd the setup fpr boards. You have to create a project that has a repo you can [19:12] 't push to lol [20:37] sadly it looks like the Launchpad fiasco might keep me from working on Calamares much today, depending on how soon they get it sorted. [20:44] oh dear [20:46] To my understanding they're working hard at it, I'm sure it will be back up shortly [23:07] I'm actively working on adding support for unencrypted /boot to Calamares (got the initial "final" code compiling now) and am going to prototype it on Kubuntu. Wish me luck! [23:07] btw, tsimonq2: you have the needed Powers to reach into casper and tweak things if need be for the swap to Cala to work, right? [23:07] * arraybolt3 thinks perhaps I should write the patch myself and have Simon review it [23:08] just to get a little bit of Core Dev work under my belt in preparation for gaining those privileges eventually [23:35] Full ack, let's do that :) [23:39] hey unencrypted /boot + Calamares is working :D [23:39] now I just have to submit the patch for it upstream [23:40] but I just got a working encrypted Kubuntu installation (but with /boot unencrypted) using Cala as the installer. [23:41] 🎉