| Nick | Message | Time |
|---|---|---|
| al1r4d | Before: Upgrading: 743, Installing: 88, Removing: 0, Not Upgrading: 3 | 14:29 |
| al1r4d | After: Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 3 | 14:30 |
| al1r4d | Feels great :D | 14:30 |
| Nrml | Is @rrq still around? Can he (or anyone here) confirm this is indeed his valid GPG key? https://pastebin.com/HyihWSxQ | 18:23 |
| Nrml | (I'm trying to validate the Devuan Daedalus ISO I just downloaded) | 18:24 |
| fsmithred | Nrml, gimme a minute | 18:27 |
| Nrml | fsmithred: thanks! | 18:29 |
| fsmithred | Nrml, sorry, I'm not finding that key. I get a different one. | 18:42 |
| Nrml | fsmithred: that's what I've been fearing | 18:44 |
| Nrml | Perhaps there are trojaned ISO images around | 18:44 |
| Nrml | what I did was: | 18:44 |
| Nrml | 1) Downloaded https://files.devuan.org/devuan_daedalus.torrent and used it to download just devuan_daedalus/installer-iso/SHA256SUMS.txt, devuan_daedalus/installer-iso/SHA256SUMS.txt.asc, devuan_daedalus/installer-iso/devuan_daedalus_5.0.1_amd64_netinstall.iso | 18:47 |
| Nrml | 2) Tried to check SHA256SUMS.txt GPG signature as per the pastebin above. | 18:47 |
| fsmithred | hang on, I'm still working on it. | 18:48 |
| Nrml | OK | 18:48 |
| Nrml | I'm doing some additional checks here | 18:48 |
| Nrml | Hummrmrmrmr.... the SHA256SUMS.txt.asc file that I downloaded using the torrent, is *exactly* the same as the one currently at https://files.devuan.org/devuan_daedalus/installer-iso/SHA256SUMS.txt.asc | 18:50 |
| Nrml | So, either it's not a trojan, or the attacker compromised files.devuan.org too. | 18:51 |
| debdog | dang, removed the torrent a couple of weeks ago (needed the space and it hadn't had any leechers | 18:51 |
| debdog | ) | 18:51 |
| rwp | JFTR but my copy of that file that I downloaded "Sep 14 2023" is 722af7905595d9a1417f48f783d43dd40fe7da7a2e1d7998a8ea47df2d26941b | 18:51 |
| Nrml | rwp: it checks with the ISO I just got via the torrent: devuan_daedalus/installer-iso$ sha256sum * | 18:52 |
| Nrml | b27e0334d0a9dbfa11eb2e683a2bdd37f5eee21e94f152c3cf91e0ef96791957 README.txt | 18:52 |
| Nrml | 868acfcfbe4bbe1f2657eb062edb9c192b1f1fd42f8a171dec5f7e78a858c881 SHA256SUMS.txt | 18:53 |
| Nrml | e911c6a24f9d3fb58283f080dfc022e5eb10af8196cbe187d0998b4bdda1d5a7 SHA256SUMS.txt.asc | 18:53 |
| Nrml | 722af7905595d9a1417f48f783d43dd40fe7da7a2e1d7998a8ea47df2d26941b devuan_daedalus_5.0.1_amd64_netinstall.iso | 18:53 |
| Nrml | BRB | 18:54 |
| fsmithred | I checked the sha256sum in the SHA256SUMS.txt on files.devuan.org matches the checksum on the 5.0.1 amd64 netinstall isos, one I downloaded about six weeks ago and the other last April. And the 5.0.1 i386 netinstall iso I downloaded over a year ago also matches the checksum file. | 18:58 |
| fsmithred | I don't know what's up with his key, and he probably won't be here for a few more hours. | 18:58 |
| rwp | It looks like it is a key that is not known to the public key servers. It flummoxes me too. | 19:02 |
| fsmithred | it should be known to me - we should both be in the devuan-keyrings | 19:03 |
| rwp | So for example here is my current key: https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0x421AFA26387F9A8E | 19:03 |
| Nrml | back | 19:03 |
| Nrml | fsmithred: thanks for the time and effort to check | 19:04 |
| rwp | But if I search for 0x680B5A1F661ECDBC that key is not found. | 19:04 |
| rwp | I can download it from the public keyservers but no signatures. | 19:04 |
| Nrml | fsmithred> it should be known to me - we should both be in the devuan-keyrings -> I confirm that it's not in devuan-keyrings. I manually imported all .gpg files from that package into my personal keyring and did not find the key used in SHA256SUMS.txt.asc | 19:06 |
| Nrml | I think it's probably a false alarm, but let's wait for @rrq to log back in and ask them | 19:07 |
| Nrml | I need to go AFK, will come back in a few hours too. Thanks everyone for your responses. | 19:07 |
| rwp | Of course the problem is one of "alert fatigue" and if we get in the habit of ignoring false alarms then we also ignore positive alarms too. :-( | 19:08 |
| fsmithred | I need to go beat up a horse. rrq will be back in a couple hours. Me too. | 19:10 |
| rwp | Nrml, (fsmithred), If we trust keyring.devuan.org as containing authoritative information and not contain false then the key can be downloaded from there and the iso verifies with it: https://paste.debian.net/plain/1333623 | 19:16 |
| rwp | I will BBIAB | 19:17 |
| fsmithred | wget https://files.devuan.org/devuan-devs.gpg | 19:53 |
| fsmithred | gpg --import devuan-devs.gpg | 19:53 |
| fsmithred | gpg --list-sigs rrq | 19:54 |
| Xenguy | Survey says? | 19:58 |
| fsmithred | it's real. One of the sigs on that key (Boian's) was signed by my key. | 19:58 |
| fsmithred | we all know each other. | 19:58 |
| fsmithred | Xenguy, thanks for chiming in. This gpg stuff always kicks my ass. | 20:01 |
| Xenguy | So conclusion = crisis averted? | 20:01 |
| fsmithred | yeah | 20:01 |
| Xenguy | So mote it be | 20:01 |
| fsmithred | I didn't actually verify the iso, but I see the web of trust on that key. | 20:01 |
| fsmithred | (I'm in it) | 20:01 |
| Xenguy | I'm sure rrq can verify if there are any issues also, once he wakes up | 20:02 |
| fsmithred | yup | 20:02 |
| Xenguy | Good man fsmithred , thanks for checking | 20:02 |
| fsmithred | yeah, I figured I'd just pull up that key on my computer, but I found a different one. | 20:03 |
| fsmithred | And then that extended to searching on four computers. | 20:03 |
| Xenguy | Phew | 20:03 |
| fsmithred | you saved the day. | 20:03 |
| Xenguy | Just an all-round average hero = ) | 20:03 |
| Nrml | back | 20:14 |
| Nrml | so false alarm after all. But better to spend time chasing down a thousand false alarms, than let a true alarm go by unchecked. | 20:15 |
| Nrml | I'm importing that file and cross-checking here | 20:16 |
| fsmithred | yeah, and I really should have a current version of the devuan-devs keyring since I'm in it. | 20:16 |
| Nrml | So this is what I see: https://pastebin.com/B0N9RqKe | 20:21 |
| Nrml | Is it good? | 20:21 |
| Xenguy | Nrml, re: "But better to spend time chasing down a thousand false alarms, than let a true alarm go by unchecked.": Definitely, yes | 20:21 |
| Xenguy | Thank you | 20:21 |
| fsmithred | yeah, that's good. If you want to check that further, you can check sigs on Boian's key and you'll see I signed it. | 20:22 |
| fsmithred | so the keys are good. | 20:22 |
| fsmithred | You can verify the iso. I didn't do that part, but I do know the sha256sum is right. | 20:23 |
| fsmithred | I'm going outside while it's still warm. | 20:25 |
| fsmithred | bbl. | 20:25 |
| Nrml | fsmithred: devuan_daedalus/installer-iso$ grep devuan_daedalus_5.0.1_amd64_netinstall.iso SHA256SUMS.txt | sha256sum -c - | 20:29 |
| Nrml | devuan_daedalus_5.0.1_amd64_netinstall.iso: OK | 20:29 |
| Nrml | So I guess everything is good. | 20:29 |
| Nrml | thanks again everyone. | 20:30 |
| Nrml | Xenguy: thank *you* and fsmithred and all the great Devuan folks. If it wasn't for you, I would have moved to one of the *BSDs, because systemd is simply unbearable. | 20:39 |
| Xenguy | It really is unbearable, I think we all feel this way | 20:40 |
| Xenguy | My pleasure, just trying to eat my own dog food | 20:41 |
| Xenguy | If people believe in the Devuan project, please consider lending a hand, if you can | 20:42 |
| Xenguy | This is how DIY projects keep on truckin | 20:42 |
| Nrml | heh :-) I wish I could find food as good as Devuan for my dog when she was alive. Devuan is prime time gourmet food :-) | 20:42 |
| Nrml | Better than Debian, and that's saying something. | 20:43 |
| * Xenguy | thinks Indian for dinner : -) | 20:43 |
| rwp | Yay! Crisis averted. | 20:44 |
| Nrml | re: lending a hand, I wish I had the leisure. I can't name any project more worthy than Devuan. | 20:44 |
| rwp | Engineering to save lives here no doubt. Or at least sanity. :-) | 20:45 |
| Nrml | rwp: indeed. | 20:46 |
| Nrml | I try and convince my friends to use Devuan, but they are all in denial. | 20:46 |
| Nrml | The other day, when systemd opened up sshd for remote attack, I talked to one of them about it, and he said, "ah, but that isn't really systemd's fault" WTF?! | 20:47 |
| Xenguy | I think maybe technically it was Debian's fault due to their configuration, but still, systemd had a role in that | 20:49 |
| Nrml | And the other day the main developer in a project I participate in simply said, "systemd isn't the monster you think it is". WTF again... | 20:49 |
| Nrml | Xenguy: I think systemd and its policy of incorporating everything in itself was instrumental in that issue. | 20:50 |
| Xenguy | It's a huge attack vector, and it goes against the principles of 'do one thing and do it well'. I've decided that people either get it or they don't | 20:50 |
| Nrml | Exactly! The original Unix designers had very good reasons for their philosophy of separating the OS in many small parts and making every one of them as simple and as interoperable as possible. Systemd just throws all of that out the window. | 20:51 |
| Nrml | Security is just one thing to go out the window with that principle. | 20:52 |
| Xenguy | Yes, a violation of design principles if you will... | 20:52 |
| Xenguy | Devil's advocates will reply by saying, yeah but what about ... ? | 20:52 |
| Nrml | That's "whataboutism" for you | 20:52 |
| Xenguy | And sure, there are already exceptions before systemd... | 20:52 |
| Xenguy | Yes | 20:53 |
| Xenguy | But systemd is the most egregious violation of the whole lot, and we're talking about the *init* system here | 20:53 |
| Nrml | When people start arguments with "what about", it's the moment I decide I'm wasting my time and move on to some other thing | 20:53 |
| Nrml | Most egregious by quite a few orders of magnitude, we should say. | 20:54 |
| Xenguy | I think so, it's akin to the windows'ification of linux, to my mind | 20:56 |
| Nrml | oh man | 20:56 |
| Nrml | exactly | 20:56 |
| Nrml | the joke stating that "Windows is the operating system of the future, because in the future all operating systems will be like Windows" is a sad reality, I think | 20:57 |
| Nrml | I can only hope I'll be long dead by then :-/ | 20:57 |
| Xenguy | Well as you (or someone) stated, if we can't defend the integrity of Linux, then we'll be forced to retreat to the BSD realm (there is nothing wrong with BSD of course, don't get me wrong, I have the highest respect for it) | 20:59 |
| Xenguy | While I respect BSD, I *prefer* to run Linux if I can | 20:59 |
| Xenguy | So here we are | 20:59 |
| Xenguy | Contribute or die : -) | 21:00 |
| Nrml | I love BSD. But Linux is simply better (better supported, better drivers, larger community, etc) | 21:05 |
| Xenguy | A quirk of history, involving lawsuits as I recall | 21:07 |
| Nrml | yeah AT&T *had* to eff it up with their BSD4.4 lawsuit | 21:08 |
| Nrml | My first opensource *BSD was 386BSD, and it rocked. | 21:08 |
| Xenguy | The lawsuit drama offered Linux the time and opportunity to get a leg up, IIUC | 21:09 |
| Nrml | exactly. | 21:09 |
| Nrml | Anyway, here we are | 21:09 |
| Xenguy | "Wherever you go..." | 21:09 |
| Nrml | I just hope you folks can keep Devuan alive for a long time | 21:09 |
| Nrml | LOL "... there you are" ;-) | 21:10 |
| Xenguy | We all die eventually, and need youth to continue; that's the reality of everyone's situation | 21:10 |
| Xenguy | Thanks for the chat, I'm off hunting for grub | 21:11 |
| Nrml | you are more than welcome, Xenguy. Good grub hunting for you, I also have some chores to attend to | 21:11 |
| * Nrml | waves | 21:11 |
| Xenguy | o/ | 21:12 |
| systemdlete | apt update is failing with bad certificates. I am running withOUT the cacher server. | 23:26 |
| systemdlete | I changed the sources back to https: and tried apt update | 23:26 |
| systemdlete | are certs being updated atm? If so, I can wait until it is done. | 23:27 |
| systemdlete | (oh, and disabled the apt-proxy in the apt config) | 23:27 |
| rrq | only a few mirror servers support https and you then need to use their exact domain name | 23:54 |
| rrq | they don't have certificates for the domain "deb.devuan.org" because that certificate owner doesn't want to share their key | 23:55 |