#archlinux32 | Logs for 2021-03-19
Back
[00:28:21] -!- drathir_tor has quit [Remote host closed the connection]
[00:42:44] -!- drathir_tor has joined #archlinux32
[00:44:06] -!- MrBIOS_ has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
[00:50:16] -!- drathir_tor has quit [Remote host closed the connection]
[00:50:44] -!- drathir_tor has joined #archlinux32
[00:57:42] <buildmaster> pentium4/grafana is broken (says nlopc46): https://archlinux32.org
[01:02:02] <buildmaster> i686/grafana is broken (says eurobuild6-1): https://archlinux32.org
[02:18:27] -!- drathir_tor has quit [Remote host closed the connection]
[02:37:22] -!- drathir_tor has joined #archlinux32
[03:30:13] <sunshavi> guys: https://lists.archlinux.org
[03:30:13] <phrik> Title: [arch-dev-public] Arch Linux partners with Nitrokey to equip its staff with USB keys (at lists.archlinux.org)
[03:35:00] -!- sunshavi has quit [Read error: Connection reset by peer]
[03:36:03] -!- sunshavi has joined #archlinux32
[04:58:35] <buildmaster> i486/wpebackend-fdo is broken (says eurobuild6-7-i486): https://archlinux32.org
[05:57:09] <girls-> sunshavi: unfortunately none of our devs are also arch staff :-(
[05:58:04] <sunshavi> girls: email them and let they know about arch32 and archlinux-arm
[05:58:20] <girls-> whom? nitrokey?
[05:58:27] <sunshavi> sure
[05:59:25] <girls-> question also is, how we integrate the nitrokey into our workflow
[05:59:32] <girls-> because most stuff is done automatically
[05:59:46] <girls-> and the *really* important keys are cold anyways :-)
[05:59:58] <sunshavi> then it is not going to help arch32 :()
[06:00:35] <girls-> might be good for signing some git commits, though
[06:00:59] <girls-> I have to ponder this a while
[07:08:44] <buildmaster> i486/linux is broken (says nlopc46-i486bs1): https://archlinux32.org
[07:35:31] -!- yans has quit [Ping timeout: 265 seconds]
[07:36:49] -!- abaumann has joined #archlinux32
[07:36:49] <buildmaster> Hi abaumann!
[07:36:49] <buildmaster> !rq abaumann
[07:36:50] <phrik> buildmaster: <abaumann> the world would be a better place if less would be programmed in C, or at least by people knowing C :-)
[08:08:10] <abaumann> deep42thought: I cleaned up index.php a little bit more. :-)
[09:24:33] <abaumann> https://repology.org
[09:24:33] <phrik> Title: Repology (at repology.org)
[09:24:50] <abaumann> really nice place for checking out packages and their build instructions for all distributions.
[09:25:23] <abaumann> We could register Archlinux32 there. :-)
[09:29:51] <buildmaster> i486/yggdrasil is broken (says nlopc46-i486bs1): https://archlinux32.org
[09:31:08] -!- drathir_tor has quit [Remote host closed the connection]
[09:34:31] -!- drathir_tor has joined #archlinux32
[09:55:40] -!- deep42thought has joined #archlinux32
[09:55:40] <buildmaster> Hi deep42thought!
[09:55:40] <buildmaster> !rq deep42thought
[09:55:41] <phrik> buildmaster: <deep42thought> db-update --fuck-up
[09:55:43] <deep42thought> Hi abaumann!
[09:55:51] <deep42thought> repology sounds good
[09:56:19] <deep42thought> abaumann: do you think, we could make (sane) use of nitrokeys in archlinux32?
[09:58:28] <deep42thought> archlinux is not on repology either
[09:58:29] <deep42thought> why?
[10:17:40] <abaumann> Arch
[10:17:44] <abaumann> AUR
[10:17:55] <deep42thought> yeah, on one list, they appear, on the other, they don't
[10:18:05] <abaumann> mmh. strange.
[10:18:08] <abaumann> hi, btw. :-)
[10:18:12] <abaumann> nitrokeys, nice.
[10:18:13] <deep42thought> Hi!
[10:18:20] <abaumann> they would replace signing keys, I suppose.
[10:18:26] <deep42thought> question is, if we really *need* nitrokeys :-)
[10:18:30] <deep42thought> well
[10:18:35] <deep42thought> we can't use them on the build slaves
[10:18:43] <deep42thought> we could start signing git commits
[10:18:51] <deep42thought> or we could place the master keys on nitrokeys
[10:19:05] <deep42thought> (I use a gpgcard for that, currently)
[10:19:16] <abaumann> ah, ok.
[10:19:25] <deep42thought> *gnupg card
[10:19:50] <abaumann> master keys is maybe a good idea, so Archlinux upstream is vouching for the sanity of downstream
[10:20:03] <abaumann> (not the mental sanity, this one cannot be mended that way ;-) )
[10:20:18] <deep42thought> I don't understand
[10:20:31] <deep42thought> why (and how) would archlinux upstream vouch for us?
[10:20:37] <abaumann> basically, what poli and eli are doing, they are signing our master keys.
[10:20:54] <abaumann> could they do that via nitrokeys?
[10:21:09] <deep42thought> they probably already *have* nitrokeys
[10:21:18] <deep42thought> because arch obtains them for their staff
[10:21:52] <abaumann> but at some point you have to create "normal" keys anyways and sign them with nitrokeys.
[10:21:56] <deep42thought> regarding repology: I need to re-learn the alphabet - arch is on both lists, but of course not before "Alpine linux" ...
[10:22:03] <deep42thought> yes
[10:22:10] <deep42thought> so what would we change?
[10:22:31] <deep42thought> we would put the master keys on nitro keys (if not yet on smartcards yet)
[10:22:37] <deep42thought> and we could start signing our git commits
[10:22:47] <deep42thought> and make the build master and slave only accept signed commits
[10:23:50] <abaumann> so we are accepting contributions only via patches@
[10:24:00] <abaumann> which is not completely different from now. :-)
[10:24:02] <deep42thought> we do, currently
[10:24:07] <deep42thought> and I would keep it that way
[10:24:15] <abaumann> yep, fine with that.
[10:24:26] <deep42thought> question is: what do we gain from signing commits?
[10:24:41] <abaumann> trust :-)
[10:24:45] <deep42thought> mitm attack on the slave's `git pull`
[10:25:04] <deep42thought> well, the repo is published via https on one of our domains
[10:25:22] <abaumann> yeah, and the slave have to be quite secured anyway.
[10:25:44] <abaumann> basically we can protect against malicios commits and injections.
[10:25:50] <deep42thought> yes
[10:26:06] <deep42thought> hmm
[10:26:09] <abaumann> nitrokey is a fancy way to put your private key on a USB stick :-)
[10:26:15] <deep42thought> occasionally, I commit from a remote maching
[10:26:17] <deep42thought> *machine
[10:26:33] <deep42thought> that would not work anymore with nitro keys
[10:27:12] <deep42thought> If commit *x* is signed, also all its parents are considered "good", right
[10:27:16] <abaumann> you could have a private repo between all your machines and then push to the nitrokey protected one in one place where you have the key
[10:27:19] <deep42thought> so it would not really be useful
[10:27:47] <abaumann> I don't use signing commits on a regular basis, so I cannot judge.
[10:27:48] <deep42thought> hmm, the private-repo approach sounds cumbersome
[10:28:03] <deep42thought> I do sign the iso and devtools commits
[10:28:16] <deep42thought> but this is different from our packages32 repo
[10:28:22] <deep42thought> because it *really* is a release
[10:28:26] <deep42thought> not just some change
[10:29:05] <deep42thought> if I sign something in packages32, I would need to verify the previous signature, first - else it would be useless, because I would also sign all forged previous commits
[10:29:30] <deep42thought> so *I* would vouch for *your* signature, too
[10:29:33] <deep42thought> which sounds wrong
[10:29:53] <abaumann> do you know how exactly upstream is going to use it?
[10:30:00] <deep42thought> no
[10:30:07] <abaumann> or are they also signing commits already now?
[10:30:14] <deep42thought> I dont think so
[10:30:20] <abaumann> they just might have a plan. :-)
[10:30:28] <deep42thought> I think, they use signatures for verifying packages in [testing] and such
[10:30:28] <abaumann> so we could ask them
[10:30:34] <abaumann> ah
[10:35:56] <deep42thought> as nice, as a nitrokey seems, I don't really see its use for our distribution :-/
[10:37:07] <deep42thought> well, we *could* put the packaging key(s) on nitrokeys, which we must plug into the build slaves ...
[10:37:39] <deep42thought> ah, stupid /me: arch will use the nitrokey for the packager keys, of course
[10:45:45] -!- KeiraT has joined #archlinux32
[10:48:11] <abaumann> "A Nitrokey Guide will be made available on the Arch Linux Wiki with FAQ
[10:48:12] <abaumann> & instructions for integrating Nitrokeys into our workflow.
[10:48:13] <abaumann> "
[10:48:46] <deep42thought> https://wiki.archlinux.org :-(
[10:48:47] <phrik> Title: Search results for "nitrokey" - ArchWiki (at wiki.archlinux.org)
[10:48:55] <abaumann> Can you use them alongside existing chains, just to secure them more?
[10:49:07] <deep42thought> yes
[10:49:13] <deep42thought> you can put any gpg key onto them
[10:49:46] <abaumann> what happens, if they break physically?
[10:49:55] <deep42thought> as long as your trust chain used gnupg keys, you can use nitrokeys (they need to match some criteria, though, e.g. not be too large, etc.)
[10:50:04] <deep42thought> you use your paper backup
[10:50:12] <abaumann> I'm a guy who once lost my master PGP key..
[10:50:16] <deep42thought> you do have backed up your keys on paper, right?
[10:50:18] <abaumann> this is a pain..
[10:50:37] <abaumann> I have copies on a USB stick in a safe place
[10:50:44] <deep42thought> I have a nice sticker on my backup computer: "kein Backup, kein Mitleid"
[10:50:45] <abaumann> but yes, printing them, is a nice idea
[10:50:51] <deep42thought> yes, cold usb backup is also good
[10:50:55] <abaumann> lol
[10:51:05] <deep42thought> actually, I prefer digital backups, myself
[10:51:46] <deep42thought> that said, I think, I do *not* have a backup of my arch32 master key
[10:51:59] <deep42thought> the trouble of replacing this key is pretty low
[10:52:15] <deep42thought> I just need cross signatures from you guys and publish it in the keyring and on the website ...
[10:52:32] <deep42thought> ... and convince Eli, that I really lost it ;-)
[10:52:50] <abaumann> true.
[10:53:03] <deep42thought> losing an email key is worse
[10:53:12] <deep42thought> *loosing
[11:02:13] <deep42thought> cu later
[11:02:20] -!- deep42thought has parted #archlinux32
[11:03:21] <abaumann> cu
[11:06:07] -!- KeiraT- has joined #archlinux32
[11:08:26] -!- KeiraT has quit [Remote host closed the connection]
[11:08:56] KeiraT- is now known as KeiraT
[11:36:10] -!- abaumann has quit [Quit: leaving]
[11:55:33] -!- doskoi has quit [Quit: Je m'en vais comme un prince !]
[11:55:59] -!- doskoi has joined #archlinux32
[11:56:11] -!- drathir_tor has quit [Ping timeout: 268 seconds]
[12:07:41] -!- drathir_tor has joined #archlinux32
[12:32:44] -!- drathir_tor has quit [Remote host closed the connection]
[12:33:57] -!- drathir_tor has joined #archlinux32
[13:12:39] -!- drathir_tor has quit [Ping timeout: 268 seconds]
[13:26:32] -!- drathir_tor has joined #archlinux32
[13:38:00] -!- sunshavi has quit [Remote host closed the connection]
[13:42:03] -!- sunshavi has joined #archlinux32
[13:52:38] <buildmaster> i686/exa is broken (says nlopc46): https://archlinux32.org
[13:53:44] <buildmaster> pentium4/exa is broken (says nlopc46): https://archlinux32.org
[14:28:30] -!- bill-auger_ has joined #archlinux32
[14:29:06] -!- prurigro- has joined #archlinux32
[14:33:53] -!- bill-auger has quit [*.net *.split]
[14:33:54] -!- prurigro has quit [*.net *.split]
[14:37:51] prurigro- is now known as prurigro
[15:18:08] <buildmaster> i686/broot is broken (says rechenknecht): https://archlinux32.org
[16:20:31] <buildmaster> i686/haskell-doclayout is broken (says rechenknecht): https://archlinux32.org
[16:21:28] <buildmaster> pentium4/haskell-doclayout is broken (says nlopc46): https://archlinux32.org
[16:39:12] -!- rcf has quit [Quit: WeeChat 2.9]
[16:49:34] -!- rcf has joined #archlinux32
[16:51:20] -!- drathir_tor has quit [Remote host closed the connection]
[17:01:53] -!- drathir_tor has joined #archlinux32
[17:14:55] -!- rcf has quit [Quit: WeeChat 2.9]
[17:15:27] -!- rcf has joined #archlinux32
[17:27:44] -!- yans has joined #archlinux32
[17:51:55] -!- MrBIOS_ has joined #archlinux32
[17:58:21] -!- yans has quit [Ping timeout: 256 seconds]
[18:10:19] -!- drathir_tor has quit [Remote host closed the connection]
[18:11:50] -!- drathir_tor has joined #archlinux32
[18:27:09] -!- drathir_tor has quit [Ping timeout: 268 seconds]
[18:36:38] -!- drathir_tor has joined #archlinux32
[19:31:25] <buildmaster> i686/haskell-jira-wiki-markup is broken (says eurobuild6-1): https://archlinux32.org
[19:34:09] <buildmaster> pentium4/haskell-jira-wiki-markup is broken (says eurobuild6-2): https://archlinux32.org
[20:46:56] -!- rcf has quit [Ping timeout: 240 seconds]
[20:48:27] -!- rcf has joined #archlinux32
[20:53:16] -!- rcf1 has joined #archlinux32
[20:54:22] -!- rcf has quit [Remote host closed the connection]
[20:54:41] -!- rcf has joined #archlinux32
[20:59:03] -!- rcf1 has quit [Ping timeout: 260 seconds]
[21:05:42] <buildmaster> i486/libavif is broken (says nlopc46-i486bs1): https://archlinux32.org
[22:09:52] <buildmaster> i686/pycharm-community-edition is broken (says nlopc46): https://archlinux32.org
[22:14:17] <buildmaster> pentium4/pycharm-community-edition is broken (says rechenknecht): https://archlinux32.org
[22:21:35] <buildmaster> i486/opencc is broken (says eurobuild6-7-i486): https://archlinux32.org
[22:31:13] <buildmaster> any/firefox-tridactyl is broken (says eurobuild6-2): https://archlinux32.org
[22:32:43] <buildmaster> any/jedi-language-server is broken (says nlopc46): https://archlinux32.org
[22:37:27] <buildmaster> any/python-setuptools are broken (says eurobuild6-2): https://archlinux32.org
[23:38:53] -!- torv has quit [Quit: torv]
[23:43:29] -!- torv has joined #archlinux32