When looking at #Github's front page, which looks like a shoot 'em up video game to me, I'm glad that I've consolidated my self-created active repositories to #Codeberg. Forks to stuff that I contribute to remain in #Github and #Gitlab obviously, and that is an acceptable compromise.

For me it feels sometimes that quite many commercial web sites reached their tip point maybe about 10-12 years ago. Since then they've started to add stuff that I don't want, and sometimes even quite controversial features, which I need to then proactively disable.

It's a bit same as with yogurt based food products. Yogurt is a product that does not really develop anymore but still food companies have new versions of this product for every season with supplements added and stuff like that.

So I guess I can draw the conclusion that commercial web reached the "yogurt state" around 2012 :-)

Would it be unorthodox for sbsign to use kernel crypto API (optionally) instead of OpenSSL?

One use case for this would be MOK private key that is encrypted while at rest with TPM, and never exposed to CPU.

This would be a great application for the kernel feature that I’m working on i.e. an asymmetric TPM2 key (patch set is slowly getting together, right now at iteration seven).

Just to name an example, this is how Ubuntu manages that key as of today: https://wiki.ubuntu.com/UEFI/SecureBoot/Signing. [for the record, Ubuntu is not doing worse job in this than anyone else, they just have awesome documentation, thus the example]

#linux #kernel #tpm

@mikebabcock I also realized that it makes sense to have swap as LVM2 volume because I have essentially two different swap configurations depending on use and purpose: 2GB (non-hibernate) and 60-80GB (hibenate). LVM2 will help in this case later on tune between these choices a bit...

@mikebabcock I’m going to use lvm2 after all. There is a useful commands depending on it: e2scrub. So it is a constraint then.

@vbabka That said, definitely going to check Heiko's work. i don't know him personally but often seems to have interesting takes on topics, and perhaps these tools might support better different workflows.

@vbabka https://archlinux.org/download/ this is where I found about sq. one large volume using it for signature checks instructions is a relevant ref for long-term applicability. And it seems to be already somewhat well defined product.

@vbabka thanks ill check it out. Would me nice to have fresh take on openpgp. E.g. something like export/import of whole database with clean primitives would be nice.

sq is #openpgp implementation: https://sequoia-pgp.org/

I wonder if sequoia can git tag -s?

Also need to test if smartcard support is already working https://sequoia-pgp.org/blog/2021/12/20/202112-openpgp-card-ci/

And most importantly has a gpg-agent implementation: https://lib.rs/crates/sequoia-gpg-agent. But have to check how stable that is.

These three are minimum set of features that any OpenPGP implementation needs to fully support in order to be compatible with kernel development workflows.

#gnupg

Temporary password is less secure because it usually allows SSH in default configuration.

In most distributions the best default for user account password would be empty password because the default configuration for SSH does not allow login with it anyway. Still sometimes validation often even prohibits it :-)

@ljs @lkundrak @pony Maybe a bit pointless but working image preview is a thing for me in kitty :-) There's also standard called Sixels for showing images on terminal but kitty's own protocol as widely supported (because it is the precursor of doing this) and generally just works better and is more efficient and glitch-free.

It even has tool called icat for raw shell.

@triskelion first that is both untrue argument.

second, it takes me less time to modify sbsign than mkosi for testing the features in question (e.g. tests tweak mok signing procedure).

sometimes, if you don't have anything constructive to say, it is best to say nothing.

two of the best feelings when programming are:
1. figuring out a really clever way to solve a problem
2. figuring out a really stupid way to solve a problem

@pid_eins I want to expirement at least with mok signing key stored as tpm2 private key asn1 blob to the drive and signing operation done tpm2_key_rsa instead of OpenSSL. Thus need to upscale from BuildRoot testing to something with packages 🙂

Kun juhannusyönä pistät seitsemän yrttiä ja kukkaa tyynyn alle, niin Kela määrittelee sinut maatalousyrittäjäksi ja näet unta presidentti Väyrysestä

@pid_eins I was setting up systemd with UKI manually for the first time and mixed up systemd and arch specific configuration :-) So I’m spreading FUD apparently…

Where this spins of has a legit motivation: I’m trying to get my host desktop and VM guests to be in par with latest systemd with UKI kernel so that I can debug keyring and TPM related issues in a relevant environment [1]. I’m co-maintainer for both keyring and TPM, and if you think those kernel subsystems, today systemd is the substantial user for both, and thus a great user space QA target. It is always using the latest stuff that we are delivering.

In arch specific mkinitcpio.conf there’s an array MODULES=(<list of modules>), and all examples I’ve seen put like MODULES(tpm_tis) there. A script (unsurpsingly) called `mkinitcpio then takes that description and includes them to the final initrd. Even being distro specific, that does not calculate tho, I mean any possible use case for TPM requires it to be initramfs (e.g. IMA). It is pretty much a brick unless that is the case :-) So without testing I’d guess that those examples must be wrong and I’ll try first not to add anything to MODULES… Yep, and obviously they are autoloaded, when initramfs has them. [1] https://codeberg.org/jarkko/archest-linux

Non-productive #feature extra-ordinaire in #systemd: you have to list #TPM kernel module names. Why not instead sd-tpm that would copy them all? They don’t cost much space.

EU Commission: “End encryption!”

Internet users: “End-to-end encryption!”

Mozilla is an advertising company now.

This seems completely normal and cool and not troublesome in any way.

Mozilla has acquired Anonym, a [blah blah blah] raise the bar for the advertising industry [blah blah blah] while delivering effective...
https://jwz.org/b/ykVg

Text editors of my life: 1. qedit (MS-DOS) 2. vim 3. nvim