Nick | Message | Time |
---|---|---|
rrq | note: at https://ido.rrq.id.au/download you will find trial upgraded installer ISOs for ascii, beowulf and chimaera, only amd64; please pick one or a few for testing and report back about success or badness. | 11:08 |
onefang | I had not seen any ASCII updates for some time. https://www.debian.org/releases/stretch/ - "However, stretch benefits from Long Term Support (LTS) until the end of June 2022." So EOL for ASCII / stretch? | 11:58 |
rwp | I just wanted to say that I appreciate the ASCII images. Thanks rrq! | 19:50 |
rwp | Just in the last month I had to re-create a legacy ASCII image to recreate a known good working state for something here. | 19:50 |
rwp | Which is greatly annoying to me but that's the last working combination and now I need to figure out how to move forward and yet not have this showstopper bug breaking me. | 19:50 |
fsmithred | rwp, you could use refractasnapshot to make a bootable and installable live iso of your fully configured system. | 20:16 |
fsmithred | and unlike a backup, it's not specific to one machine. | 20:16 |
rwp | fsmithred, I didn't. That's a feature I haven't used yet but I want to use. For various purposes. | 20:41 |
rwp | In my case I could at that time plug in a different disk, boot the old ISO, install all from scratch all over again. Copy data from the old drive. Recreating the original ASCII image. | 20:42 |
rwp | It was an older system that I thought I could upgrade. I upgraded it. And then hit this problem with things broken after the upgrade. Had to go back. | 20:43 |
rwp | I only hit the problem after I had hit the problem and at that time did not have a refracta snapshot of the previous system. Didn't know I would need it. | 20:44 |
rwp | I did have backups. But actually doing a pristine installation fixed another unrelated nag that had been broken, so..., win on that part. | 20:44 |
rwp | The breakage is unrelated to Devuan anything. | 20:45 |
lts | Hello, on #devuan there was discussion about considering a postmortem report regarding the expiration incident. Here is a draft using the basic postmortem structure, please feel free to use it for basis. Items marked with ??? are those for which I did not have all the details. https://paste.debian.net/plainh/dcb5d82a | 21:13 |
lts | Up to you whether you want to publish such a report, but it would be good PR, show management maturity, and demonstrate that you have identified the root cause and taken corrective actions which should prevent similar incidents | 21:15 |
fsmithred | lts, THANK YOU | 21:16 |
fsmithred | After some discussion it seems that the key was created in 2017 for ascii. | 21:18 |
lts | np, and btw, https://www.devuan.org/os/keyring still has the details of the old key at the bottom | 21:18 |
fsmithred | until you refresh your page | 21:19 |
lts | Yup I interpreted the gpg output as 2017 as well, but thought that you had some lifetime extend method in use which I did not know about | 21:19 |
lts | I did refresh, still says "rsa4096 2017-09-04 [SC] [expires: 2023-09-03]" | 21:20 |
lts | ....I am blind. | 21:20 |
lts | Apologies. :- | 21:20 |
fsmithred | no, and I think what happened was that we got hit by a bus. The person who was mainly responsible for getting ascii out the door has gone on to other things. | 21:20 |
lts | ) | 21:20 |
fsmithred | and the guy who used to send out emails telling everyone that their key was about to expire stopped doing it a couple years ago. | 21:21 |
fsmithred | Paul M. Furley | 21:22 |
lts | So, for the root cause part, perhaps something like "The Primary Devuan Signing Key had been created for an earlier Devuan release in 2017, and given the lifetime of five years. Since then, the developer mainly responsible for key management has left the project, and no expiry reminder mechanism had been set up by the active developers." | 21:25 |
bb|hcb | lts: Thank you for the effort. Sounds professional :) | 21:27 |
lts | I leave it to you devs now, please feel free to edit and thanks for the work you do | 21:28 |
lts | Cheers -> | 21:29 |
bb|hcb | Besides fact checking to be completed, it would be nice to add some words about risk/impact analysis. My opinion is that the incident has brought inconvenience and hassle, but did not compromise the security because the same key was extended and one of the solutions provided a way to verify that the trust chain is not broken | 21:32 |
bb|hcb | I'll be afk shortly | 21:32 |
Xenguy | Maybe get this starter text somewhere everyone can edit it? | 21:33 |
rwp | It won't have immediately impacted security since it was not a vulnerability. However if users do not take manual action to correct the situation then they will stop getting security upgrades from now forward. Which may in a future setting cause a future security problem. | 21:33 |
Xenguy | Something quick and simple (can't do it myself right now) | 21:33 |
Xenguy | Or maybe just comments here, and someone has to run with the ball | 21:34 |
bb|hcb | rwp: true :( | 21:38 |
bb|hcb | maybe make it a pad? or a file somewhere in git? | 21:39 |
Xenguy | pad has easiest access to all, but no idea how to create one | 21:40 |
bb|hcb | https://pad.dyne.org/pad/#/2/pad/edit/F60FJw-uI4Y5kRzQhGMVe2Vw/ | 21:41 |
Xenguy | rrq probably needs to look at this too | 22:39 |
golinux | He probably isn't even awake yet! | 22:57 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!