| wxl[m] | So on bug 2064909 they manually set up a single ext4 partition mounted to / with a boot flag and with the encryption box checked and the end result: wrong passphrase. Any clues? | 00:37 |
|---|---|---|
| -Ubottu[m]:#lubuntu-devel- Launchpad Bug #2064909 (https://bugs.launchpad.net/bugs/2064909) in calamares "Lubuntu and Kubuntu 24.04 fail to decrypt on boot when installed on encrypted partition" [Undecided, New] | 00:37 | |
| AaronRainbolt | oof, he's circumventing the "always leave /boot unencrypted" changes we made | 00:40 |
| wxl[m] | right so really he should have a separate partition for boot then, eh? | 00:41 |
| AaronRainbolt | that's specifically not supported by Canonical. | 00:41 |
| AaronRainbolt | according to mkukri | 00:41 |
| AaronRainbolt | so yes, he should be making a separate /boot partition. Why this broke is anyone's guess, but this isn't something that probably should be fixed I don't think. | 00:42 |
| wxl[m] | i don't think we can limit what people can do with manual partitioning, right? | 00:44 |
| AaronRainbolt | Correct. | 00:44 |
| wxl[m] | So there's no way to prevent this other than mentioning it in the manual | 00:45 |
| AaronRainbolt | right | 00:46 |
| wxl[m] | ^ there's a fun one for you lynorian | 00:46 |
| AaronRainbolt | I'm going to give him a workaround that might let him do this anyway, and also warn him that this is a bad idea. | 00:46 |
| wxl[m] | oh i was going to reply and mark it won't fix | 00:48 |
| AaronRainbolt | ope, I just replied... | 00:49 |
| AaronRainbolt | I think what broke his stuff was that I changed us from using LUKS1 to using LUKS2 when we changed to unencrypted /boot. | 00:49 |
| AaronRainbolt | Pretty sure GRUB doesn't support LUKS2 (yet). | 00:50 |
| wxl[m] | I think it’s best to just stick with unencrypted /boot anyways if not for any other reason but because we can’t ever have an encrypted EFI partition from what I understand | 02:26 |
| arraybolt3 | true | 02:27 |
| arraybolt3 | *if* you have Secure Boot set up and *if* it works right for your system and *if* there isn't some catastrophic vulnerability that lets you bypass it and *if* the user doesn't scream at the sight of the words "Secure" and "Boot" next to each other and turn it off, you can theoretically/hopefully keep tampering of /boot/efi from being a problem. | 02:28 |
| wxl[m] | As for LUKS, it’s apparent to me that 2 is more secure | 02:28 |
| arraybolt3 | If any of those fail (like on my system where Secure Boot is off and I like it that way), then there's really not much point in encrypted /boot from a theoretical standpoint - getting the key from the user and exfiltrating it becomes harder but not impossible at all. | 02:29 |
| wxl[m] | ⚠️ if-count level high | 02:29 |
| arraybolt3 | really, if someone malicious gets physical access to your computer for more than a few seconds, you should just reinstall from scratch and restore from backups. Some people can do a lot of damage even in just a few seconds. | 02:30 |
| arraybolt3 | So IMO the security benefits of LUKS2 are worth the problems with unencrypted /boot (not to mention the fact that encrypted /boot is a security *hazard* according to Canonical, so probably there's some way to bypass Secure Boot with a specially crafted passphrase or some other insanity there) | 02:30 |
| wxl[m] | But we really should put something in the manual about this. Namely:... (full message at <http://localhost:8008/_matrix/media/v3/download/chat.staging.ubuntu.com/uRgTxsTndUWyrGgmsGQnbLlt>) | 02:31 |
| AaronRainbolt | That seems like a good idea to me. | 02:32 |
| wxl[m] | Yeah the security issues with encrypted /boot are not intuitive. Again, it may be worthwhile to explain | 02:32 |
| AaronRainbolt | Also, welcome to my chat system straddling again | 02:32 |
| wxl[m] | It might also be a good addition to the manual to warn people against using manual partitioning, namely that there are no mechanisms in place to keep the user from doing something that just doesn’t work | 02:33 |
| wxl[m] | Shoot we might even want to provide some examples. Maybe we could do this in the doc section of discourse and link to it | 02:34 |
| wxl[m] | Speaking of discourse, I really wish we could move to the main one. The support issue is a sticky wicket, though. I see why they want to promote askubuntu but it’s really got poor categorization. I almost feel like there should be an askbuntu for every flavor | 02:36 |
| AaronRainbolt | askbuntu - for those who can't be bothered to hit u three times | 02:36 |
| wxl[m] | s//\*/, s//\*/ | 02:36 |
| AaronRainbolt | but yeah I see what you're saying | 02:37 |
| wxl[m] | Discourse is just so much more powerful. That’s why we keep wanting to jam everything in there | 02:37 |
| ChrisGuiver[m] | <wxl[m]> "So there's no way to prevent..." <- We could always create a page on Lubuntu discourse in the documentation section... I've been wondering about that since I read Aaron's reply (Thanks arraybolt3 for reply on bug report by the way) | 02:51 |
| ChrisGuiver[m] | (I don't think many users will encounter it, thus I see discourse.doco as suitable.. but that's just me) | 02:52 |
| * ChrisGuiver[m] catches up on reading and finally noticed Walter already suggested ^ | 03:08 | |
| ChrisGuiver[m] | Thanks too to wxl | 03:12 |
| wxl[m] | <ChrisGuiver[m]> "catches up on reading and..." <- > * <@guiverc:ubuntu.com> catches up on reading and finally noticed Walter already suggested ^ | 06:41 |
| wxl[m] | Great minds think alike 🤣 | 06:41 |
| tsimonq2[m] | <AaronRainbolt> "according to mkukri" <- and the Ubuntu Security Team if that helps your case in the future :P | 12:55 |
| tsimonq2[m] | <AaronRainbolt> "Pretty sure GRUB doesn't support..." <- It does, it just isn't secure | 12:56 |
| -Ubottu[m]:#lubuntu-devel- Builds: Lubuntu Desktop amd64 [Jammy 22.04.4] has been updated (20240508) | 17:17 | |
| AaronRainbolt | Simon Quigley: I guess you got tired of the methodical bootstrapping and decided "meh, throw it all at the archive" :P | 18:11 |
| tsimonq2[m] | AaronRainbolt: precisely 😛 | 18:11 |
| AaronRainbolt | Maybe you can assign me something I should actually be working on when I have free time. It feels a bit bad to think that syncing things bit by bit was my job and then every morning to wake up and it's already been done or the plan changed :P | 18:12 |
| tsimonq2[m] | AaronRainbolt: did the Matrix update eat my PM | 18:16 |
| AaronRainbolt | looks like it | 18:16 |
| tsimonq2[m] | Well, this was the easy part | 18:16 |
| tsimonq2[m] | Next step is no-change rebuilds, and getting it to migrate | 18:16 |
| tsimonq2[m] | I planned on letting you do that part completely - this will be the easiest Qt 6 transition we'll ever do | 18:17 |
| tsimonq2[m] | get you some practice for when we get to a million rdeps | 18:17 |
| tsimonq2[m] | apologies for pulling the rug out from under you more than once during this thing... heh | 18:21 |
| AaronRainbolt | np | 18:23 |
| tsimonq2[m] | Aaron Rainbolt: welp, we're waiting on binNEW | 21:11 |
| tsimonq2[m] | You're welcome to strategically NCR only those reverse dependencies that do not need something from binNEW | 21:12 |
| AaronRainbolt | sounds good | 21:15 |
| AaronRainbolt | Attempting my first ncr using doko's rebuild-for script | 21:40 |
| AaronRainbolt | fcitx-qt5 | 21:41 |
| AaronRainbolt | which I always assumed was called fctix rather than fcitx, so :P | 21:42 |
| wxl[m] | "Flexible Context-aware Input Tool with eXtension support" | 21:43 |
| wxl[m] | aka stupid name | 21:43 |
| AaronRainbolt | that's a long name | 21:45 |
| wxl[m] | acronyms over three words long tend to be kind of problematic | 21:46 |
| wxl[m] | and even five word long ones (SCUBA) are ok, as long as there aren't words in it that aren't part of the acronym | 21:47 |
| tsimonq2[m] | Aaron Rainbolt: looks like binNMU has been cleared, the baton is yours 🙂 | 21:53 |
| AaronRainbolt | neato! | 21:53 |
| AaronRainbolt | ooooh, qcoro just went belly-up on symbols | 21:53 |
| AaronRainbolt | oh lots and lots of symbols! | 21:54 |
| AaronRainbolt | cracks knuckles and prepares for a painful update session | 21:54 |
| AaronRainbolt | nice thing is I already uploaded to the archive so I don't need to upload to a PPA to get all the symbols. Just throw a new upload at the archive with the symbols fixes. | 21:54 |
| AaronRainbolt | or maybe even sync from Debian if they have it fixed already | 21:54 |
| tsimonq2[m] | I doubt it heh | 21:55 |
| tsimonq2[m] | We're actually doing this transition before Debian, so all the FTBFS you are seeing is probably unique | 21:55 |
| AaronRainbolt | probably fix symbols in Debian first and then sync for least effort? | 21:56 |
| AaronRainbolt | I'll need help with that | 21:56 |
| tsimonq2[m] | Either solution works, if you're asking for my opinion let's do Ubuntu first then sync whatever necessary changes up to Debian, iff it can be reproduced with an unstable chroot + 6.6.2 from experimental | 21:58 |
| tsimonq2[m] | sometimes we do carry a delta just for symbols changes... although that's fairly rate | 21:58 |
| tsimonq2[m] | s/rate/rare/ | 21:58 |
| tsimonq2[m] | Either way, if the package in question is either in Debian Qt/KDE or in Debian KDE Extras, just ping me, I'll do a team upload to experimental | 21:59 |
| AaronRainbolt | kk | 21:59 |
| AaronRainbolt | I'll do Ubuntu then since I lack many needed powers in Debian | 21:59 |
| AaronRainbolt | and you have things like porterboxes for working on that | 21:59 |
| tsimonq2[m] | "bah, just iterate in experimental" 😛 | 22:00 |
| AaronRainbolt | haha, yeah that too | 22:01 |
| AaronRainbolt | just upgraded my build system VM to Oracular | 22:02 |
| teward | arraybolt3 / Aaron: how goes the universe? Anything interesting that isn't on Simon's plate as a "don't touch it"? | 22:47 |
| arraybolt3 | teward: Things seem OK on my end, waiting for a couple more qcoro builds to hurry up and crash so I can get the symbols logs for them. | 22:48 |
| teward | nice | 22:48 |
| arraybolt3 | I could start NCR'ing some more things in the mean time | 22:48 |
| teward | yeah if you need NCRs queued I'd queue those up earlier than later if you need nochange rebuilds because that's coming | 22:49 |
| arraybolt3 | btw is it generally a good idea to NCR in a PPA and *then* throw it at the archive, or is simply hurling things at the builders at Mach speeds and fixing the fallout thereafter acceptable? | 22:49 |
| teward | i mean | 22:49 |
| teward | it depends? | 22:49 |
| teward | reducing initial fallout is best | 22:49 |
| teward | but since we're in the Debian Sync states and stuff we're probably going to be having a lot of things in the builders | 22:49 |
| arraybolt3 | it's going to result in an FTBFS with loooooong riscv64 builds either way | 22:50 |
| teward | so i always NCR in local sbuild just to make sure there isn't any major nasty hardcrashes I don't expect but | 22:50 |
| teward | yeah riscv64 is evilpain | 22:50 |
| arraybolt3 | makes sense | 22:50 |
| arraybolt3 | and the last of the qcoro builds finally went up in flames so I can start fire extinguishing now. | 22:53 |
| arraybolt3 | now I get to enjoy the mental gymnastics of remembering the right syntax for pkgkde-symbolshelper | 22:54 |
| * AaronRainbolt sent a code block: http://localhost:8008/_matrix/media/v3/download/chat.staging.ubuntu.com/QQhkSmsBisMYjcNdXwnhHJUk | 22:56 | |
| AaronRainbolt | I think time_t64 may be rearing its head again | 22:58 |
| AaronRainbolt | or the archive is messed up | 22:58 |
| AaronRainbolt | looks like a combination of a messed up archive plus bad pinning settings. | 23:07 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!