Jarkko Sakkinen
Posts
4401Following
315Followers
467Entrepreneur at Siltakatu Solutions Oy
OpenPGP: 3AB05486C7752FE1
@tusooa @monsieuricon Off-topic but international version of TikTok is banned also in mainland China... Just sayin'
0
0
1
Jarkko Sakkinen
repeated
repeated
Kai Engert 🔑✉️ (:KaiE)
kaiengert@mastodon.socialThat was a little scary. I asked ChatGPT, how would I best do X ? It responded, why don't you use thing Y that you have? I had told it in the past that I have thing Y, in a different chat session. That means we have arrived at the state where it's keeping track of what I said in the past.
1
1
0
@vathpela @kernellogger @securepaul pretty interesting discussion this came to be. but yeah, it is essentially a flaw in developer experience.
for more complex patch sets it would be beneficial to be able to do such thing with low barrier, i.e. it could also have positive effect on quality for stuff sent to LKML in the end. you always end up doing fairly narrow and targeted testing without this feature in the distribution, which means in practice missing bunch of "side-channel bugs".
for more complex patch sets it would be beneficial to be able to do such thing with low barrier, i.e. it could also have positive effect on quality for stuff sent to LKML in the end. you always end up doing fairly narrow and targeted testing without this feature in the distribution, which means in practice missing bunch of "side-channel bugs".
1
0
0
@vathpela @kernellogger @securepaul One ugly but totally working hack my kernel testing project: I don't use cmake as a build system. I use it to download source code and get away using Git submodules :-)
https://codeberg.org/jarkko/linux-tpmdd-test/src/branch/main/CMakeLists.txt
It's ugly but solid ;-)
https://codeberg.org/jarkko/linux-tpmdd-test/src/branch/main/CMakeLists.txt
It's ugly but solid ;-)
0
0
0
Jarkko Sakkinen
jarkko
@vathpela @kernellogger @securepaul
This came up in the thread but here we go again :-)
I have my polished framework for testing kernel patches for any possible Git tree:
https://codeberg.org/jarkko/linux-tpmdd-test
You can point it to any tree (by using LINUX_OVERRIDE_SRCDIR) and it will build kernel, rootfs and disk.img and wrapper scripts for QEMU. The disk.img EFI boots on real hardware. The base system is grub + systemd (grub gives option to not use systemd thus the choice) and has all tracing include like bpftrace for instance.
Sometimes, however, one would like run a kernel that is packaged like the real one in the distro but with a different git tree base and/or patches. This could e.g. some issue that does not easily pop up with normal testing. Artificial images have their limits.
I think distributors are making mistake by not taking this seriously and making it robust to do cool stuff with the distro kernel or like make any kernel packaged and signed like the one in the distro. Canonical used to have this asset but the feature I'm interested in are available only in the recent'ish snap packaged kernel.
Or they might think exactly like "why you use RPM's anyway for kernel development". There's good reasons to do that. Also one use case has been few times in the past that you have user space project, which requires tailored kernel. In such case you would like to "emulate" as they were part of the distribution.
This came up in the thread but here we go again :-)
I have my polished framework for testing kernel patches for any possible Git tree:
https://codeberg.org/jarkko/linux-tpmdd-test
You can point it to any tree (by using LINUX_OVERRIDE_SRCDIR) and it will build kernel, rootfs and disk.img and wrapper scripts for QEMU. The disk.img EFI boots on real hardware. The base system is grub + systemd (grub gives option to not use systemd thus the choice) and has all tracing include like bpftrace for instance.
Sometimes, however, one would like run a kernel that is packaged like the real one in the distro but with a different git tree base and/or patches. This could e.g. some issue that does not easily pop up with normal testing. Artificial images have their limits.
I think distributors are making mistake by not taking this seriously and making it robust to do cool stuff with the distro kernel or like make any kernel packaged and signed like the one in the distro. Canonical used to have this asset but the feature I'm interested in are available only in the recent'ish snap packaged kernel.
Or they might think exactly like "why you use RPM's anyway for kernel development". There's good reasons to do that. Also one use case has been few times in the past that you have user space project, which requires tailored kernel. In such case you would like to "emulate" as they were part of the distribution.
2
0
0
@vathpela @kernellogger @securepaul OK so how would you sign RPM's? I don't have a preferred way.
It's not a priority question tho because I've not yet after 2-3 days of trying produced successfully RPM's even without signing...
It's not a priority question tho because I've not yet after 2-3 days of trying produced successfully RPM's even without signing...
1
0
0
@vathpela @kernellogger @securepaul Why is it in one of many Fedora's "how to build a kernel" pages? This the one where I grabbed it:
[1] https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
That is not even wiki, it is official documentation. Not slandering just pointing out. Deprecated stuff that gets stagnated over time if totally normal!
Also, why nobody talks about fedpkg which is contained to the only page, which *specifically* talks about kernel patch testing:
[2] https://docs.fedoraproject.org/en-US/quick-docs/kernel-testing-patches/
And finally, I'm now a bit lost how do I get pesign to use my cert and key created following [1] to sign RPM packages (which I don't know how I should build it)? I'm don't actually know what pesign is but I guess it is something that signs a PE/COFF binary? I.e. UKI signing perhaps?
[1] https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
That is not even wiki, it is official documentation. Not slandering just pointing out. Deprecated stuff that gets stagnated over time if totally normal!
Also, why nobody talks about fedpkg which is contained to the only page, which *specifically* talks about kernel patch testing:
[2] https://docs.fedoraproject.org/en-US/quick-docs/kernel-testing-patches/
And finally, I'm now a bit lost how do I get pesign to use my cert and key created following [1] to sign RPM packages (which I don't know how I should build it)? I'm don't actually know what pesign is but I guess it is something that signs a PE/COFF binary? I.e. UKI signing perhaps?
1
0
0
@nobodyinperson @idnorton I've excluded subscription based tools since that does not work for me.
One that comes to mind is SmartDraw which used to be great and a boxed software product when I last used it back in 2005 :-) If it was like that today, I could even have bought it. There's also bunch of web tools like that.
LibreOffice Draw is not so I've used that (or even better it is open source). Not sure what is your argument here?
One that comes to mind is SmartDraw which used to be great and a boxed software product when I last used it back in 2005 :-) If it was like that today, I could even have bought it. There's also bunch of web tools like that.
LibreOffice Draw is not so I've used that (or even better it is open source). Not sure what is your argument here?
1
0
1
Jarkko Sakkinen
jarkko
@Aissen Most distributions (including Fedora) provide reasonable ways to integrate your own additional MOK key, and get the build sign everything with that. And ubiquitos way to make shim to recognize that is "mokutil --import".
For Fedora I found the way it manages extra MOK keys from here: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
And the extra flag I need to add to file called "kernel-local" is %define pe_signing_cert "Machine Owner Certificate", so that RPM build shenanigans will pick it up.
For Fedora I found the way it manages extra MOK keys from here: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
And the extra flag I need to add to file called "kernel-local" is %define pe_signing_cert "Machine Owner Certificate", so that RPM build shenanigans will pick it up.
1
0
0
Jarkko Sakkinen
jarkko
@Aissen it does not fulfill the test case i'm lookin for. using the distro kernel as it was meant to be. and e.g. integrating properly on how a distribution has chosen to integrate with secure boot, which is essential in my case.
for ad-hoc testing i have already a solution, which does the job perfectly generating both image for USB stick and scripts for running same payload in QEMU: https://codeberg.org/jarkko/linux-tpmdd-test
What you are suggesting would be a worse version of this, contaminating my rootfs.
for ad-hoc testing i have already a solution, which does the job perfectly generating both image for USB stick and scripts for running same payload in QEMU: https://codeberg.org/jarkko/linux-tpmdd-test
What you are suggesting would be a worse version of this, contaminating my rootfs.
1
0
1
Jarkko Sakkinen
jarkko
@securepaul @kernellogger does not matter. i could grab some ideas. so far i don't have RPM packages that i'd be happy with using any method.
this is exactly why i was so committed to ubuntu even when i hated most of their decisions. only when they put kernel to snap my marriage ended.
for any distro, i still think, would be optimal to find a way to describe the build using a kernel tree with extra patches adding the packaging shenanigans on top. i think all major distributions fail misserably serving upstream kernel developers :-)
this is exactly why i was so committed to ubuntu even when i hated most of their decisions. only when they put kernel to snap my marriage ended.
for any distro, i still think, would be optimal to find a way to describe the build using a kernel tree with extra patches adding the packaging shenanigans on top. i think all major distributions fail misserably serving upstream kernel developers :-)
1
0
0
@idnorton of all i've tried i've ended up using LibreOffice Draw. Also, it is the only app that i use from LibreOffice. Why? I get the shit done.
i still want something that i can run in my own computer, not a subscription. and after trying "programming approach" like mermaid, it kind of disabled me being fuzzy and drawing random stuff. i write my diagrams as code when i actually implement them in a real programming language :-)
i've never thought that "oh i love libreoffice draw so much" but it is more like exclusion based choice.
i still want something that i can run in my own computer, not a subscription. and after trying "programming approach" like mermaid, it kind of disabled me being fuzzy and drawing random stuff. i write my diagrams as code when i actually implement them in a real programming language :-)
i've never thought that "oh i love libreoffice draw so much" but it is more like exclusion based choice.
3
0
1
Jarkko Sakkinen
jarkko
@kernellogger @securepaul OK, this I've done successfully in the past but being ablet to do local builds is an asset :-)
For instance I use these sometimes just so that I can pre-check anything I push to Gitlab/Github just to check locally what CI will do:
- Gitlab: https://github.com/firecow/gitlab-ci-local
- GitHub: https://github.com/nektos/act
For instance I use these sometimes just so that I can pre-check anything I push to Gitlab/Github just to check locally what CI will do:
- Gitlab: https://github.com/firecow/gitlab-ci-local
- GitHub: https://github.com/nektos/act
1
0
0
Jarkko Sakkinen
repeated
repeated
