| - cwebber (PART: ERC 5.6.0.30.1 (IRC client for GNU Emacs 30.2)) (~Christine@user/cwebber) | 00:23 | |
| - cobra (QUIT: Ping timeout: 240 seconds) (~cobra@user/Cobra) | 00:29 | |
| - AnimaInvicta (PART) (~AnimaInvi@88-120-179-216.subs.proxad.net) | 00:29 | |
| - mjw (QUIT: Ping timeout: 240 seconds) (~mjw@gnu.wildebeest.org) | 00:32 | |
| josch | okay, i'm done with my rework of all u-boot blobs for MNT SoMs | 00:36 |
|---|---|---|
| josch | imx8m+ is ready and just needs a new tag | 00:36 |
| josch | rk3588 needs a minimal MR accepted: https://source.mnt.re/reform/reform-rk3588-uboot/-/merge_requests/14 | 00:36 |
| josch | imx8mq, ls1028a and a311d each have rather big MRs still waiting to get merged: https://source.mnt.re/reform/reform-boundary-uboot/-/merge_requests/21 https://source.mnt.re/reform/reform-ls1028a-uboot/-/merge_requests/4 https://source.mnt.re/reform/reform-a311d-uboot/-/merge_requests/4 | 00:37 |
| josch | minute: after all five u-boots have a new release, i'd make a new reform-tools release with the updated checksums | 00:38 |
| minute | wow | 00:39 |
| minute | josch: thanks for all this detail work! can you ping me tomorrow @ daytime to review everything? | 00:40 |
| josch | minute: i can ping you tomorrow no problem -- or any other day, depending on your availability :) | 00:40 |
| josch | i think the biggest user-facing change is the version reporting | 00:40 |
| josch | /proc/device-tree/chosen/u-boot,version now contains the version in the same format everywhere | 00:41 |
| - pomel0 (QUIT: Ping timeout: 240 seconds) (~pomel0@user/pomel0) | 00:42 | |
| + pomel0 (~pomel0@user/pomel0) | 00:43 | |
| + cobra (~cobra@user/Cobra) | 01:49 | |
| - pomel0 (QUIT: Ping timeout: 252 seconds) (~pomel0@user/pomel0) | 01:54 | |
| + pomel0 (~pomel0@user/pomel0) | 01:54 | |
| - pomel0 (QUIT: Ping timeout: 265 seconds) (~pomel0@user/pomel0) | 02:04 | |
| + pomel0 (~pomel0@user/pomel0) | 02:04 | |
| + bkeys (~Thunderbi@98.19.131.193) | 02:23 | |
| - paperManu (QUIT: Ping timeout: 264 seconds) (~paperManu@107.159.15.124) | 02:34 | |
| - mlarkin (QUIT: Ping timeout: 252 seconds) (~mlarkin@syn-076-081-194-027.biz.spectrum.com) | 02:34 | |
| + paperManu (~paperManu@107.159.15.124) | 02:54 | |
| + mlarkin (~mlarkin@syn-076-081-194-027.biz.spectrum.com) | 03:05 | |
| - bkeys (QUIT: Quit: With every step we take, danger will follow closely) (~Thunderbi@98.19.131.193) | 03:10 | |
| - pomel0 (QUIT: Remote host closed the connection) (~pomel0@user/pomel0) | 03:23 | |
| - paperManu (QUIT: Ping timeout: 260 seconds) (~paperManu@107.159.15.124) | 04:29 | |
| + potatoespotatoes (~quassel@130.44.145.181) | 04:59 | |
| - potatoespotatoes (QUIT: Changing host) (~quassel@130.44.145.181) | 04:59 | |
| + potatoespotatoes (~quassel@user/potatoespotatoes) | 04:59 | |
| - potatoespotatoes (QUIT: Ping timeout: 264 seconds) (~quassel@user/potatoespotatoes) | 05:06 | |
| + potatoespotatoes (~quassel@130.44.145.181) | 05:06 | |
| - potatoespotatoes (QUIT: Changing host) (~quassel@130.44.145.181) | 05:06 | |
| + potatoespotatoes (~quassel@user/potatoespotatoes) | 05:06 | |
| + pomel0 (~pomel0@user/pomel0) | 05:06 | |
| + kxtells (~kxtells@user/kxtells) | 08:42 | |
| - kxtells (QUIT: Read error: Connection reset by peer) (~kxtells@user/kxtells) | 08:51 | |
| + jogu (~jogu@user/jogu) | 08:54 | |
| - jogu (QUIT: Remote host closed the connection) (~jogu@user/jogu) | 09:20 | |
| + jogu (~jogu@user/jogu) | 09:20 | |
| + gidzit (~gidzit@gidzit.org) | 09:33 | |
| - jogu (QUIT: Remote host closed the connection) (~jogu@user/jogu) | 09:40 | |
| + jogu (~jogu@user/jogu) | 09:44 | |
| ch | <3 | 10:30 |
| + mjw (~mjw@gnu.wildebeest.org) | 11:01 | |
| + jordi (~jordi@79.117.156.55) | 11:48 | |
| - jordi (QUIT: Changing host) (~jordi@79.117.156.55) | 11:49 | |
| + jordi (~jordi@user/kxtells) | 11:49 | |
| - RandyK (QUIT: Remote host closed the connection) (~RandyK@user/randyk) | 12:01 | |
| + RandyK (~RandyK@user/randyk) | 12:01 | |
| + andreas-e (~Andreas@2a02-8434-b6a3-e901-facc-8e87-8e54-890e.rev.sfr.net) | 12:05 | |
| - gidzit (QUIT: Ping timeout: 244 seconds) (~gidzit@gidzit.org) | 12:47 | |
| + paperManu (~paperManu@107.159.15.124) | 12:49 | |
| + erle (~erle@user/erle) | 12:59 | |
| + gustav25 (~gustav@c-78-82-53-204.bbcust.telenor.se) | 13:02 | |
| josch | minute: this table says that i.MX8M+ uses S1 for serial: https://mntre.com/documentation/reform-handbook/advanced.html#serial-console I didn't get any output on S1 so I tried S2 and there it works. Is it me or are the docs wrong? | 13:14 |
| - pomel0 (QUIT: Ping timeout: 252 seconds) (~pomel0@user/pomel0) | 13:26 | |
| + pomel0 (~pomel0@user/pomel0) | 13:26 | |
| josch | aha, it is correct in the pocket-reform-handbook: https://mntre.com/documentation/pocket-reform-handbook/advanced.html#serial-console | 13:39 |
| josch | probably just a copypaste error. Fixed here: https://source.mnt.re/reform/reform-handbook/-/merge_requests/20 | 13:43 |
| + gidzit (~gidzit@gidzit.org) | 13:59 | |
| - paperManu (QUIT: Ping timeout: 264 seconds) (~paperManu@107.159.15.124) | 14:10 | |
| - pomel0 (QUIT: Read error: Connection reset by peer) (~pomel0@user/pomel0) | 14:13 | |
| + pomel0 (~pomel0@user/pomel0) | 14:14 | |
| josch | minute: could you enable the gitlab CI runner for https://source.mnt.re/josch/reform-handbook/ please? | 14:16 |
| josch | I'd like to prepare another MR with porting over the information which recently got removed from the pocket-reform-handbook so that it does not get lost. | 14:16 |
| - jogu (QUIT: Remote host closed the connection) (~jogu@user/jogu) | 14:17 | |
| - pomel0 (QUIT: Ping timeout: 244 seconds) (~pomel0@user/pomel0) | 14:18 | |
| + pomel0 (~pomel0@user/pomel0) | 14:21 | |
| + jogu (~jogu@user/jogu) | 14:24 | |
| - GNUmoon2 (QUIT: Remote host closed the connection) (~GNUmoon@gateway/tor-sasl/gnumoon) | 14:32 | |
| + GNUmoon2 (~GNUmoon@gateway/tor-sasl/gnumoon) | 14:32 | |
| + paperManu (~paperManu@modemcable141.205-200-24.mc.videotron.ca) | 14:37 | |
| * jordi -> kxtells | 14:44 | |
| - andreas-e (QUIT: Quit: Leaving) (~Andreas@2a02-8434-b6a3-e901-facc-8e87-8e54-890e.rev.sfr.net) | 14:48 | |
| + andreas-e (~Andreas@2a02-8434-b6a3-e901-facc-8e87-8e54-890e.rev.sfr.net) | 14:54 | |
| mhoye | FYI: NPM is on fire today. Avoid. | 15:15 |
| erle | mhoye you could be a *bit* more specific. any package or CVE that's an issue? | 15:33 |
| - jogu (QUIT: Remote host closed the connection) (~jogu@user/jogu) | 15:34 | |
| + jogu (~jogu@user/jogu) | 15:35 | |
| mhoye | https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised | 15:57 |
| frickler | mhoye: is there any 2nd hand information on this? I mean, avoid NPM, always, but this looks a bit ai-y to me | 16:11 |
| + wielaard (~mjw@gnu.wildebeest.org) | 16:12 | |
| - mjw (QUIT: Ping timeout: 255 seconds) (~mjw@gnu.wildebeest.org) | 16:14 | |
| * wielaard -> mjw | 16:43 | |
| ^alex | schloppe | 17:23 |
| UsrBinAnnika | https://socket.dev/blog/shai-hulud-strikes-again-v2 | 17:27 |
| chorc | frickler: this is legit, our appsec team is having a busy day | 17:42 |
| chorc | also, "No Way To Prevent This" Says Only Package Manager Where This Regularly Happens :facepalm: | 17:43 |
| josch | minute: apologies for having failed on pinging you today but I was again going through all the u-boot platforms to make sure things check out and discovered an inconsistency/omission on i.mx8m+. Fix is here: https://source.mnt.re/reform/reform-imx8mp-uboot/-/merge_requests/7 | 17:51 |
| josch | minute: could you enable gitlab CI for https://source.mnt.re/josch/reform-imx8mp-uboot/ please? | 17:51 |
| - mjw (QUIT: Ping timeout: 240 seconds) (~mjw@gnu.wildebeest.org) | 17:52 | |
| * Guest3190 -> mjw | 18:03 | |
| - gidzit (QUIT: Ping timeout: 244 seconds) (~gidzit@gidzit.org) | 18:20 | |
| erle | chorc it's easy to hate on NPM, but why would such a supply chain problem not be an issue, with, say, rust, where people regularly require a gazillion metric tons of crates? | 18:30 |
| erle | chorc IIRC the ecosystems where this *doesn't* happen usually have one of several things in common – either a large standard library that is enough for many things keeping dependencies down (e.g. python), a culture of vendoring dependencies (e.g. C, C++, lua), or gatekeeping by package managers like debian's because they don't have their own popular solution. | 18:35 |
| josch | in the end there is no silver bullet -- Debian was also affected by the XZ supply chain attack. I understand how no Debian maintainer would read binary blobs from the upstream tarball... | 18:37 |
| bremner | cargo is like npm with pretensions | 18:38 |
| bremner | ACTION hides | 18:38 |
| ^alex | i think point 1 has a lot of weight behind it | 18:42 |
| ^alex | needing `left-pad` to come from the internet instead of the language sure is symptomatic of something | 18:42 |
| erle | josch shouldn't binary blobs in an upstream tarball make it a contrib package though? | 18:45 |
| erle | ^alex AFAIK something like bottle.py (a single file python web framework that includes basic templating) can simply not exist in rust because the standard library may not give you e.g. HTTP communications | 18:47 |
| chorc | erle: you are absolutely right, I'm just tired... there's no clean perfect solution, sadly | 18:47 |
| josch | erle: if i remember correctly these blobs were inputs for the test suite | 18:55 |
| josch | and since these inputs were files which are odd/broken in one way or the other, they are the "source" | 18:55 |
| + TechnoWizard (~TechnoWiz@user/TechnoWizard) | 18:55 | |
| josch | a PNG file is also a binary blob and can still be "source" | 18:56 |
| josch | if you manage to inject malicious things into software by exploiting the PNG format then you are in the same situation | 18:56 |
| - TechnoWizard (QUIT: Remote host closed the connection) (~TechnoWiz@user/TechnoWizard) | 19:05 | |
| mhoye | erle: Pulling directly from developer/main is the mistake. I used to recommend that companies self-host all their dependencies and update them a few weeks behind current, but I think the smart play these days is to use the default cooldown windows that most ecosystems provide. | 19:19 |
| mhoye | (we got so unbelievably lucky with xz-utils....) | 19:19 |
| erle | if you want to have “fun” writing malware, do “apt-file search /usr/share/thumbnailers” and check out what file formats can be processed by just viewing a folder in a file manager if a package is installed | 19:22 |
| + wielaard (~mjw@gnu.wildebeest.org) | 19:23 | |
| erle | i once had fun writing a thing where if wine was installed, an attacker could execute visual basic code … because wine contains a thumbnailer :D | 19:23 |
| - pomel0 (QUIT: Ping timeout: 244 seconds) (~pomel0@user/pomel0) | 19:50 | |
| + pomel0 (~pomel0@user/pomel0) | 19:50 | |
| * mjw -> Guest1058 | 19:55 | |
| - Guest1058 (QUIT: Killed (uranium.libera.chat (Nickname regained by services))) (~mjw@2001:1c06:2486:a800:7602:5eff:dc71:a72c) | 19:55 | |
| * wielaard -> mjw | 19:55 | |
| + Guest1058 (~mjw@2001:1c06:2486:a800:7602:5eff:dc71:a72c) | 19:55 | |
| - pomel0 (QUIT: Remote host closed the connection) (~pomel0@user/pomel0) | 20:05 | |
| - erle (QUIT: Quit: K-lined) (~erle@user/erle) | 20:46 | |
| - kxtells (QUIT: Ping timeout: 260 seconds) (~jordi@user/kxtells) | 21:44 | |
| + TechnoWizard (~TechnoWiz@user/TechnoWizard) | 21:53 | |
| - TechnoWizard (QUIT: Remote host closed the connection) (~TechnoWiz@user/TechnoWizard) | 21:58 | |
| + pomel0 (~pomel0@user/pomel0) | 22:00 | |
| - gustav25 (QUIT: Quit: Quit) (~gustav@c-78-82-53-204.bbcust.telenor.se) | 22:15 | |
| - andreas-e (QUIT: Quit: Leaving) (~Andreas@2a02-8434-b6a3-e901-facc-8e87-8e54-890e.rev.sfr.net) | 23:08 | |
| - paperManu (QUIT: Ping timeout: 260 seconds) (~paperManu@modemcable141.205-200-24.mc.videotron.ca) | 23:11 | |
| + paperManu (~paperManu@107.159.15.124) | 23:27 | |