libera/#devuan-dev/ Tuesday, 2022-09-06

11:08 <rrq> note: at https://ido.rrq.id.au/download you will find trial upgraded installer ISOs for ascii, beowulf and chimaera, only amd64; please pick one or a few for testing and report back about success or badness.
11:58 <onefang> I had not seen any ASCII updates for some time.  https://www.debian.org/releases/stretch/ - "However, stretch benefits from Long Term Support (LTS) until the end of June 2022."  So EOL for ASCII / stretch?
19:50 <rwp> I just wanted to say that I appreciate the ASCII images.  Thanks rrq!
19:50 <rwp> Just in the last month I had to re-create a legacy ASCII image to recreate a known good working state for something here.
19:50 <rwp> Which is greatly annoying to me but that's the last working combination and now I need to figure out how to move forward and yet not have this showstopper bug breaking me.
20:16 <fsmithred> rwp, you could use refractasnapshot to make a bootable and installable live iso of your fully configured system.
20:16 <fsmithred> and unlike a backup, it's not specific to one machine.
20:41 <rwp> fsmithred, I didn't.  That's a feature I haven't used yet but I want to use.  For various purposes.
20:42 <rwp> In my case I could at that time plug in a different disk, boot the old ISO, install all from scratch all over again.  Copy data from the old drive.  Recreating the original ASCII image.
20:43 <rwp> It was an older system that I thought I could upgrade.  I upgraded it.  And then hit this problem with things broken after the upgrade.  Had to go back.
20:44 <rwp> I only hit the problem after I had hit the problem and at that time did not have a refracta snapshot of the previous system.  Didn't know I would need it.
20:44 <rwp> I did have backups.  But actually doing a pristine installation fixed another unrelated nag that had been broken, so..., win on that part.
20:45 <rwp> The breakage is unrelated to Devuan anything.
21:13 <lts> Hello, on #devuan there was discussion about considering a postmortem report regarding the expiration incident. Here is a draft using the basic postmortem structure, please feel free to use it as a basis. Items marked with ??? are those for which I did not have all the details. https://paste.debian.net/plainh/dcb5d82a
21:15 <lts> Up to you whether you want to publish such a report, but it would be good PR, show management maturity, and demonstrate that you have identified the root cause and taken corrective actions which should prevent similar incidents
21:16 <fsmithred> lts, THANK YOU
21:18 <fsmithred> After some discussion it seems that the key was created in 2017 for ascii.
21:18 <lts> np, and btw, https://www.devuan.org/os/keyring still has the details of the old key at the bottom
21:19 <fsmithred> until you refresh your page
21:19 <lts> Yup I interpreted the gpg output as 2017 as well, but thought that you had some lifetime extension method in use which I did not know about
21:20 <lts> I did refresh, still says "rsa4096 2017-09-04 [SC] [expires: 2023-09-03]"
21:20 <lts> ....I am blind.
21:20 <lts> Apologies. :-
21:20 <fsmithred> no, and I think what happened was that we got hit by a bus. The person who was mainly responsible for getting ascii out the door has gone on to other things.
21:20 <lts> )
21:21 <fsmithred> and the guy who used to send out emails telling everyone that their key was about to expire stopped doing it a couple years ago.
21:22 <fsmithred> Paul M. Furley
21:25 <lts> So, for the root cause part, perhaps something like "The Primary Devuan Signing Key had been created for an earlier Devuan release in 2017, and given the lifetime of five years. Since then, the developer mainly responsible for key management has left the project, and no expiry reminder mechanism had been set up by the active developers."
21:27 <bb|hcb> lts: Thank you for the effort. Sounds professional :)
21:28 <lts> I leave it to you devs now, please feel free to edit and thanks for the work you do
21:29 <lts> Cheers ->
21:32 <bb|hcb> Besides fact checking to be completed, it would be nice to add some words about risk/impact analyses. My opinion is that the incident has brought inconvenience and hassle, but did not compromise the security because the same key was extended and one of the solutions provided a way to verify that the trust chain is not broken
21:32 <bb|hcb> I'll be afk shortly
21:33 <Xenguy> Maybe get this starter text somewhere everyone can edit it?
21:33 <rwp> It won't have immediately impacted security since it was not a vulnerability.  However if users do not take manual action to correct the situation then they will stop getting security upgrades from now forward.  Which may in a future setting cause a future security problem.
21:33 <Xenguy> Something quick and simple (can't do it myself right now)
21:34 <Xenguy> Or maybe just comments here, and someone has to run with the ball
21:38 <bb|hcb> rwp: true :(
21:39 <bb|hcb> maybe make it a pad? or a file somewhere in git?
21:40 <Xenguy> pad has easiest access to all, but no idea how to create one
21:41 <bb|hcb> https://pad.dyne.org/pad/#/2/pad/edit/F60FJw-uI4Y5kRzQhGMVe2Vw/
22:39 <Xenguy> rrq probably needs to look at this too
22:57 <golinux> He probably isn't even awake yet!