Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
@vbabka That said, definitely going to check Heiko's work. I don't know him personally but he often seems to have interesting takes on topics, and perhaps these tools might better support different workflows.
@vbabka https://archlinux.org/download/ this is where I found out about sq. One large volume using it for signature check instructions is a relevant ref for long-term applicability. And it seems to be already a somewhat well-defined product.
@vbabka thanks, I'll check it out. Would be nice to have a fresh take on OpenPGP. E.g. something like export/import of the whole database with clean primitives would be nice.

Jarkko Sakkinen

Edited 1 year ago

sq is an #openpgp implementation: https://sequoia-pgp.org/

I wonder if sequoia can git tag -s?

Also need to test if smartcard support is already working https://sequoia-pgp.org/blog/2021/12/20/202112-openpgp-card-ci/

And most importantly has a gpg-agent implementation: https://lib.rs/crates/sequoia-gpg-agent. But have to check how stable that is.

These three are the minimum set of features that any OpenPGP implementation needs to fully support in order to be compatible with kernel development workflows.

#gnupg

Temporary password is less secure because it usually allows SSH in default configuration.

Jarkko Sakkinen

In most distributions the best default for a user account password would be an empty password because the default configuration for SSH does not allow login with it anyway. Still sometimes validation often even prohibits it :-)
@ljs @lkundrak @pony Maybe a bit pointless but working image preview is a thing for me in kitty :-) There's also a standard called Sixels for showing images on terminal but kitty's own protocol is widely supported (because it is the precursor of doing this) and generally just works better and is more efficient and glitch-free.

It even has a tool called icat for raw shell.
@triskelion first that is both untrue argument.

second, it takes me less time to modify sbsign than mkosi for testing the features in question (e.g. tests tweak mok signing procedure).

sometimes, if you don't have anything constructive to say, it is best to say nothing.

two of the best feelings when programming are:
1. figuring out a really clever way to solve a problem
2. figuring out a really stupid way to solve a problem

@pid_eins I want to experiment at least with mok signing key stored as tpm2 private key asn1 blob to the drive and signing operation done tpm2_key_rsa instead of OpenSSL. Thus need to upscale from BuildRoot testing to something with packages 🙂

Kaunisjärven paska Charlotta

When you put seven herbs and flowers under your pillow on Midsummer night, Kela classifies you as an agricultural entrepreneur and you dream of President Väyrynen


@pid_eins I was setting up systemd with UKI manually for the first time and mixed up systemd and arch specific configuration :-) So I’m spreading FUD apparently…

Where this spins off has a legit motivation: I’m trying to get my host desktop and VM guests to be on par with latest systemd with UKI kernel so that I can debug keyring and TPM related issues in a relevant environment [1]. I’m co-maintainer for both keyring and TPM, and if you think about those kernel subsystems, today systemd is the substantial user for both, and thus a great user space QA target. It is always using the latest stuff that we are delivering.

In arch specific mkinitcpio.conf there’s an array MODULES=(<list of modules>), and all examples I’ve seen put like MODULES(tpm_tis) there. A script (unsurprisingly) called `mkinitcpio` then takes that description and includes them in the final initrd. Even being distro specific, that does not calculate tho, I mean any possible use case for TPM requires it to be in initramfs (e.g. IMA). It is pretty much a brick unless that is the case :-) So without testing I’d guess that those examples must be wrong and I’ll try first not to add anything to MODULES… Yep, and obviously they are autoloaded, when initramfs has them.

[1] https://codeberg.org/jarkko/archest-linux


Jarkko Sakkinen

Non-productive #feature extra-ordinaire in #systemd: you have to list #TPM kernel module names. Why not instead sd-tpm that would copy them all? They don’t cost much space.

EU Commission: “End encryption!”

Internet users: “End-to-end encryption!”


Mozilla is an advertising company now.

This seems completely normal and cool and not troublesome in any way.

Mozilla has acquired Anonym, a [blah blah blah] raise the bar for the advertising industry [blah blah blah] while delivering effective...
https://jwz.org/b/ykVg


Jarkko Sakkinen

Text editors of my life: 1. qedit (MS-DOS) 2. vim 3. nvim
@mikebabcock and had no other choice than arch as ext4 is not favoured with this oddball combination choice of modern and legacy features. I do e.g. use snapshots but for that I use incremental backups to my NAS rather than pile them all over the place 🤷‍♀️💣🥲
@mikebabcock Yep, breakin' the law I guess 😅 But you know this WFM me best...

Jarkko Sakkinen

WiP: Archest Linux (EXT4 + LUKS2 - LVM2): https://codeberg.org/jarkko/archest-linux/src/tag/0.1.0-rc1 Boots to login and only minor glitches still left to fixup before tagging 0.1 🐳

I like how unlayered this is, i.e. at most two subsystems layered and stack is at its heaviest a file system + LUKS2 volume (i.e. no one to many relationships). Less risk of busy file systems that cannot be unmounted at least :-)

Jarkko Sakkinen

There’s a first time for everything and this is my first time with UKI :-)

==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-linux -U /efi/EFI/Linux/arch-linux.efi --splash /usr/share/systemd/bootctl/splash-arch.bmp
==> Starting build: '6.9.5-arch1-1'
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [kms]
  -> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/efi/EFI/Linux/arch-linux.efi'
  -> Using cmdline file: '/etc/kernel/cmdline'
==> Unified kernel image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-linux -U /efi/EFI/Linux/arch-linux-fallback.efi -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: '6.9.5-arch1-1'
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [modconf]
  -> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'