| 00:10.40 | *** join/#maemo-ssu jonwil (~jonwil@27-33-137-199.static.tpgi.com.au) |
| 00:31.55 | *** join/#maemo-ssu joshgillies (~josh@hobart.office.squiz.net) |
| 00:56.33 | *** join/#maemo-ssu andre__ (~andre@wikimedia/aklapper) |
| 01:50.50 | *** join/#maemo-ssu Skry (~skry@77.109.215.222) |
| 02:04.03 | *** join/#maemo-ssu kolp_ (~quassel@212.255.234.217) |
| 02:08.30 | *** join/#maemo-ssu jon_y (~enforcer@2002:af8e:1abb::af8e:1abb) |
| 03:27.15 | *** join/#maemo-ssu amiconn_ (amiconn@rockbox/developer/amiconn) |
| 04:03.51 | *** join/#maemo-ssu DocScrutinizer05 (~HaleBopp@openmoko/engineers/joerg) |
| 04:45.13 | *** join/#maemo-ssu Mihanizat0r (~Miranda@83.149.37.34) |
| 06:39.16 | *** join/#maemo-ssu _xnt14 (~xnt14@xceleo.us) |
| 06:51.15 | *** join/#maemo-ssu _xnt14 (~xnt14@xceleo.us) |
| 09:00.05 | *** join/#maemo-ssu Martix_ (~martix@ip-62-245-106-78.net.upcbroadband.cz) |
| 09:37.17 | *** join/#maemo-ssu Pali (~pali@Maemo/community/contributor/Pali) |
| 10:27.13 | *** join/#maemo-ssu lizardo (lizardo@nat/indt/x-xkguszvksbaivngy) |
| 10:27.51 | *** join/#maemo-ssu kolp (~quassel@212.255.234.217) |
| 10:48.00 | *** join/#maemo-ssu arcean (~arcean@aacu168.neoplus.adsl.tpnet.pl) |
| 11:06.11 | *** join/#maemo-ssu Milhouse (~Milhouse@Maemo/community/contributor/Milhouse) |
| 11:13.25 | DocScrutinizer05 | [2013-01-24 12:11:42] <Pali> DocScrutinizer05, nokia should not change gpg key on their repository |
| 11:13.26 | DocScrutinizer05 | [2013-01-24 12:11:49] <Pali> it can be bigger problem |
| 11:13.27 | DocScrutinizer05 | [2013-01-24 12:11:57] <DocScrutinizer05> please discuss it with other guys, I don't want to send Nokia incomplete info |
| 11:13.29 | DocScrutinizer05 | [2013-01-24 12:11:59] <freemangordon> Pali: why? |
| 11:13.30 | DocScrutinizer05 | [2013-01-24 12:12:12] <DocScrutinizer05> can we move that to ssu chan please? |
| 11:13.32 | DocScrutinizer05 | [2013-01-24 12:12:19] <Pali> freemangordon, because updating HAM config file is hard |
| 11:13.33 | DocScrutinizer05 | [2013-01-24 12:12:39] <Pali> but in HAM are no expiration dates |
| 11:13.35 | DocScrutinizer05 | [2013-01-24 12:12:47] <DocScrutinizer05> can we move that to ssu chan please? |
| 11:13.36 | DocScrutinizer05 | [2013-01-24 12:12:47] <freemangordon> Pali: we have a non-expired key on the devices, why resigning the repo with it should bring problems? |
| 11:13.38 | DocScrutinizer05 | [2013-01-24 12:12:49] <Pali> only fingerptints of gpg keys |
| 11:14.05 | Pali | each gpg key in HAM is associated with some apt repo |
| 11:14.19 | Pali | and extras gpg key is for extras repository |
| 11:14.22 | freemangordon | Pali: "MaemoSW Admin <admin@maemo.research.nokia.com>" is the key we talk about |
| 11:14.27 | Pali | no |
| 11:14.31 | freemangordon | yes |
| 11:14.33 | Pali | that key not used |
| 11:14.53 | freemangordon | it is not used now |
| 11:15.01 | Pali | Nokia repository signing key 4v2 |
| 11:15.02 | freemangordon | but why it can't be used? |
| 11:15.05 | freemangordon | I know |
| 11:15.08 | DocScrutinizer05 | *could* it get used? |
| 11:15.18 | Pali | freemangordon, because that key is not in HAM |
| 11:15.27 | DocScrutinizer05 | hah! |
| 11:15.28 | Pali | you can use it, if you update HAM deb package |
| 11:15.28 | merlin1991 | Pali: it is |
| 11:16.01 | Pali | really? |
| 11:16.08 | Pali | I can look at that deb package |
| 11:17.00 | merlin1991 | its the D2272FB7...4510B055 key |
| 11:17.46 | merlin1991 | Pali: the only repo not covered by the key is extras |
| 11:18.09 | kerio | and extras doesn't have a problem, yet |
| 11:18.24 | merlin1991 | ovi, nokia-system and nokia-certified domains all have that key (even as first) |
| 11:19.09 | kerio | the question is, does nokia have that private key? |
| 11:19.58 | Pali | look here: http://pastebin.com/vePUvER7 |
| 11:20.07 | Pali | keys stored in ./usr/share/hildon-application-manager/keys/variant-keys.gpg |
| 11:20.17 | Pali | in package hildon-application-manager-settings-standard_16+0+0m5_all.deb |
| 11:20.53 | Pali | there is no "MaemoSW Admin <admin@maemo.research.nokia.com>" |
| 11:20.56 | Pali | key |
| 11:21.12 | merlin1991 | oh ffs sake, it's in /usr/share/hildon-aplication.manager/domains/variant-domains.xexp but not in the gpg file |
| 11:21.14 | merlin1991 | jesus |
| 11:21.23 | merlin1991 | because the fingerprint is in the domain file :/ |
| 11:21.39 | merlin1991 | slaps nokia |
| 11:21.49 | Pali | here is domain file: http://pastebin.com/ATH23z9Y |
| 11:22.03 | Pali | ./usr/share/hildon-application-manager/domains/variant-domains.xexp from package hildon-application-manager-settings-standard_16+0+0m5_all.deb |
| 11:22.43 | merlin1991 | <key>D2272FB7FD2F9633EC90DF4A34385C4D4510B055</key> that's the key |
| 11:22.55 | merlin1991 | but the gpg does not contain it, silly nokia |
| 11:24.57 | freemangordon | so, the only thing that could work is fmtx-enabler? |
| 11:25.39 | merlin1991 | basically anything in extras that installs another set of keys |
| 11:25.52 | merlin1991 | (together with domain info, ...) |
| 11:26.04 | Pali | so better is to not change key |
| 11:26.10 | DocScrutinizer05 | sorry for spamming... |
| 11:26.16 | DocScrutinizer05 | If I may, one additional question: As GPG supports expiration date |
| 11:26.17 | DocScrutinizer05 | extension, is it possible to just update the GPG key expiration date in |
| 11:26.19 | DocScrutinizer05 | the N900 device as well? |
| 11:26.20 | DocScrutinizer05 | In other words, if we'd update the key in the Akamai/SSU end (this is |
| 11:26.21 | DocScrutinizer05 | already done), and then we'd update the key in the N900 device, would |
| 11:26.23 | DocScrutinizer05 | that still keep the trust chain intact so stuff could be downloaded to |
| 11:26.24 | DocScrutinizer05 | the device from the SSU? |
| 11:26.26 | DocScrutinizer05 | All the best, |
| 11:26.27 | DocScrutinizer05 | -Matti |
| 11:26.57 | Pali | GPG expiration date can be changed by adding new signature to main gpg key |
| 11:27.09 | Pali | so you need to import new signature to gpg keyring |
| 11:27.17 | *** join/#maemo-ssu M4rtinK (~M4rtinK@mail.melf.eu) |
| 11:27.30 | Pali | signature can create only owner of private key |
| 11:28.38 | DocScrutinizer05 | yes, so we're again back to "deploy a key update via extras, or by other means" |
| 11:28.43 | Pali | so I think that Nokia do not need to update apt signatures on ssu server |
| 11:28.45 | DocScrutinizer05 | "or reflash" |
| 11:28.53 | Pali | nokia only need to publish new signature |
| 11:29.03 | Pali | and we need to import it into n900 |
| 11:30.41 | Pali | DocScrutinizer05, yes reflash or user input will be always needed |
| 11:30.52 | Pali | I wrote that in mail too |
| 11:31.03 | DocScrutinizer05 | yes, I know, and I agree |
| 11:31.07 | Pali | this is reason why update via PCSuite should be |
| 11:31.18 | DocScrutinizer05 | even with this |
| 11:31.52 | *** join/#maemo-ssu jonwil (~jonwil@27-33-137-199.static.tpgi.com.au) |
| 11:31.55 | kerio | hold on |
| 11:32.00 | DocScrutinizer05 | your arguments why we should do PCsuite reflash are better than mine why we shouldn't |
| 11:32.06 | kerio | maemosw admin *is* checked by apt and ham |
| 11:32.15 | kerio | and the key is in /usr/share/keychains or something |
| 11:32.50 | kerio | hm, now i actually don't know if HAM will accept that |
| 11:33.40 | Pali | kerio, that key is not in HAM |
| 11:33.44 | Pali | read irc log |
| 11:33.46 | Pali | and pastebin |
| 11:34.05 | kerio | Pali: apt-key list |
| 11:34.06 | jonwil | so basically we are stuck with no way to push anything to N900s to solve this key mess? |
| 11:34.26 | Pali | kerio, key is missing in /usr/share/hildon-application-manager/keys |
| 11:34.27 | DocScrutinizer05 | (irclog) I mailed >> http://mg.pov.lt/maemo-ssu-irclog/%23maemo-ssu.2013-01-24.log.html#t2013-01-24T13:13:24 << to Nokia |
| 11:34.29 | freemangordon | can't we try it? i.e. remove CSSU-testing-testing key from HAM (whatever that means) and push an update to cssu-testing-testing |
| 11:34.34 | kerio | Pali: is that the only directory that's checked? |
| 11:34.51 | Pali | kerio, I do not know |
| 11:34.53 | kerio | (i can't, for the life of me, figure out where's the source to apt-worker) |
| 11:35.00 | Pali | HAM is really really **** SW |
| 11:35.01 | kerio | oh, here it is |
| 11:35.03 | freemangordon | (on a CSSU device that is) |
| 11:35.31 | freemangordon | Pali, merlin1991: ^^^ ? |
| 11:36.05 | kerio | there's no mention of gnupg in the apt-worker file |
| 11:36.08 | kerio | there's a bunch of apt-pkg |
| 11:36.13 | jonwil | ok, so if apt-key (which is a shell script) displays the MaemoSW Admin key, it should be possible to read apt-key script and find out where it gets that key from |
| 11:36.18 | kerio | so maybe it uses the key checking mechanism of apt |
| 11:36.34 | kerio | jonwil: it's stored in /etc/apt/trusted.gpg |
| 11:36.37 | freemangordon | I guess HAM could just issue a warning, instead of refusing to ise the repo |
| 11:36.44 | kerio | but it's actually in the maemointernal-keyring package |
| 11:36.53 | freemangordon | *use |
| 11:37.08 | kerio | maemointernal-keyring - The keys for apt-secure for maemo.research.nokia.com. |
| 11:37.51 | jonwil | ok, so the 2 questions we have are firstly whether HAM would accept the core repos again if the right files were signed with the MaemoSW Admin key and secondly whether Nokia has the private half of that key or not |
| 11:38.00 | kerio | jonwil: yep |
| 11:38.44 | jonwil | ok, so has someone asked Nokia if they do in fact have the private half of that key anywhere? |
| 11:38.59 | DocScrutinizer05 | jonwil: why shall we ask them? |
| 11:39.03 | kerio | if i'm reading this correctly, apt-worker is using debReleaseIndex |
| 11:39.24 | kerio | DocScrutinizer05: because if they do, their effort will be "use a different key for the repo" |
| 11:39.31 | kerio | which is trivial |
| 11:40.37 | jonwil | If they can sign the official repos with that MaemoSW Admin key, that should make them work again and they dont need to do anything more |
| 11:40.45 | DocScrutinizer05 | if that's feasible then they will check if they have access to that key. If it doesn't work, like Pali claims, there's no use in searching each drawer of a 10k+ company for the private key |
| 11:40.50 | DocScrutinizer05 | simple as that |
| 11:40.59 | DocScrutinizer05 | for us it doesn't make any difference |
| 11:41.15 | jonwil | ok, question, will HAM work if the repository has no signature at all? |
| 11:41.27 | jonwil | I dont know how HAM and APT works on that score |
| 11:41.29 | DocScrutinizer05 | *sigh* |
| 11:41.45 | jonwil | assumes he should have read the chanlog first :P |
| 11:41.48 | DocScrutinizer05 | Pali: could you pastebin your mail please? |
| 11:42.09 | DocScrutinizer05 | it been the best answer so far |
| 11:42.46 | freemangordon | merlin1991: could you test what I proposed ^^^? |
| 11:43.15 | jonwil | btw, I am still getting nowhere with the GPRS stuff I was working on :( |
| 11:43.17 | kerio | Pali: i think that apt-worker uses apt's verification |
| 11:43.20 | freemangordon | that test will make it clear if it makes sense for Nokia to search the drawers |
| 11:44.31 | kerio | the test will only make sense if there's no .gpg file for that key in /usr/share/hildon-application-manager/keys but the key is still in trusted.gpg |
| 11:44.39 | Pali | mails: http://pastebin.com/r73YzXDh |
| 11:44.41 | freemangordon | sure |
| 11:45.22 | freemangordon | kerio: the same situation, but with a different repo we have the control on |
| 11:45.58 | Pali | so maemo intrnal gpg key is in apt keyring (added in postinst script) and fingerprint is in HAM domain file |
| 11:46.08 | Pali | only gpg key is missing in HAM keys dir |
| 11:46.32 | Pali | so ask nokia if has private key of that maemo internal |
| 11:46.48 | Pali | and ask if can create some testing repository |
| 11:46.52 | Pali | and sign it |
| 11:46.59 | freemangordon | Pali: we have that, no need to ask nokia |
| 11:47.05 | Pali | then we can test if key is accpted by nokia |
| 11:47.17 | Pali | freemangordon, how? |
| 11:47.25 | freemangordon | by using CSSU repos |
| 11:47.45 | freemangordon | remove CSSU-devel gpg key from HAM |
| 11:47.47 | Pali | note that cssu gpg key is in HAM key dir |
| 11:47.55 | freemangordon | and push some test package in -devel |
| 11:47.58 | Pali | ah, ok |
| 11:48.04 | freemangordon | :) |
| 11:48.19 | Pali | ok, remove directory /usr/share/hildon-application-manager/keys (backup it) |
| 11:48.21 | Pali | and test |
| 11:48.31 | Pali | what you can |
| 11:48.35 | Pali | downgrade package |
| 11:48.39 | Pali | remove dir |
| 11:48.45 | Pali | and try to update via HAM |
| 11:49.01 | Pali | you need to downgrade metapackage which is visible in HAM |
| 11:49.11 | freemangordon | who will do that? |
| 11:49.30 | freemangordon | is not ia a mood right now as he had an accident yesterday :( |
| 11:51.08 | DocScrutinizer05 | freemangordon: hope you're ok |
| 11:51.26 | freemangordon | so-so :) |
| 11:51.35 | DocScrutinizer05 | get well soon, pal |
| 11:51.56 | freemangordon | some sew work on my head, otherwise I am fine |
| 12:35.12 | DocScrutinizer05 | Pali: you got mail? |
| 12:37.49 | Pali | yes I got it |
| 12:39.10 | DocScrutinizer05 | please keep me on CC but don't expect me to do further moderation if not needed (IOW I'd like to keep this running on own feet, dedicating my time to some other issue) Do you think this will fly? |
| 12:42.24 | DocScrutinizer05 | Pali: also please check back with your peers here, to confirm your statements you send to them |
| 12:42.54 | Pali | I'm going to check with cssu-testing if key must be in ham dir |
| 12:43.30 | Pali | if not, then we can ask if nokia has that internal private key... |
| 12:43.45 | DocScrutinizer05 | great! freemangordon at least will love to hear about the results as well |
| 12:44.52 | DocScrutinizer05 | Pali: please understand that these guys are external, and Nokia is a huge company. It might get difficult to even find out what's possible or not |
| 12:45.12 | Pali | I understand |
| 12:45.27 | Pali | but this solution can be ideal |
| 12:45.45 | Pali | no need to update n900 device, no need to change repository |
| 12:45.52 | Pali | only generate new file Release.gpg |
| 12:45.54 | DocScrutinizer05 | sure, so if it's confirmed to work, it's for sure worth the effort to try and find that key |
| 12:45.55 | Pali | nothing more |
| 12:46.24 | Pali | aaaah I cannot downgrade :-( 21.2011.38-1Tmaemo7.2 is slow/not working... |
| 12:46.43 | Pali | repository.maemo.org |
| 12:47.12 | DocScrutinizer05 | shit |
| 12:47.23 | Pali | I need some cssu-testing mirror |
| 12:47.30 | jonwil | Do we know if anything requires that the repository be signed? (was this discussed earlier?) |
| 12:47.47 | Pali | I belive that this will work: http://maemo.merlin1991.at/apt-mirror/community-testing/pool/fremantle/free/m/mp-fremantle-community-pr/ |
| 12:47.50 | DocScrutinizer05 | yes, it is all been discussed |
| 12:47.53 | jonwil | ok |
| 12:48.06 | jonwil | so it does have to be signed? |
| 12:48.27 | DocScrutinizer05 | please read Pali's mail he pastebin'ed |
| 12:48.40 | DocScrutinizer05 | or read that wiki page |
| 12:48.53 | Pali | jonwil, we should have signed repositories |
| 12:50.44 | jonwil | ok, well if re-signing the files with the MaemoSW Admin key will work, we should definatly pursue that angle as its the best solution IMO |
| 12:53.00 | jonwil | otherwise it seems like the "plan B" is to push updates to anyone who has CSSU or can update via PC-Suite (or who finds out about the update and can manually install it) |
| 12:53.10 | jonwil | which if its the only option seems like a good one :) |
| 12:55.07 | jonwil | in any case I will continue to look into what I can (and cat) reverse engineer (so far, all my attempts to try and reverse engineer the GPRS bits have come up with nothing useful) |
| 13:06.50 | *** join/#maemo-ssu LaoLang_cool (~LaoLang_c@219.136.31.84) |
| 13:08.03 | Pali | DocScrutinizer05, it is possible to update CSSUT without gpg keys in ham dir /usr/share/hildon-application-manager/keys/ |
| 13:08.14 | Pali | now I started updating |
| 13:08.53 | jonwil | Pali, is that good news or not? |
| 13:09.10 | Pali | (btw Maemo-Upgrade-Description: really replace Description: in package list - not in details) |
| 13:09.19 | Pali | I will fix this in cssu metapackage |
| 13:09.25 | Pali | jonwil, it is good news |
| 13:09.35 | jonwil | ok |
| 13:10.01 | Pali | if nokia find somewhere that internal repo private key, they can fix ssu without any user interaction |
| 13:10.06 | jonwil | great |
| 13:10.11 | jonwil | Someone needs to mail nokia then... |
| 13:10.14 | jonwil | :) |
| 13:10.15 | Pali | they only need to find that key and regenerate Release.gpg file |
| 13:10.17 | Pali | notthing more |
| 13:10.45 | jonwil | yeah |
| 13:10.54 | jonwil | seems easy enough if they still have that key somewhere |
| 13:11.11 | jonwil | if not, we move to plan B, whatever that ends up being :) |
| 13:11.44 | Pali | DocScrutinizer05, I will ask in that email tread |
| 13:14.06 | DocScrutinizer05 | that's why they sent you that mail - to answer their question and help with further suggestions |
| 13:14.49 | *** join/#maemo-ssu freemangordon_ (~freemango@130.204.50.168) |
| 13:15.28 | freemangordon_ | Pali: is ham in cssu the same as stock re gpg keys? |
| 13:16.54 | Pali | freemangordon_ yes it should be |
| 13:17.13 | freemangordon_ | Ok. Great news :-) |
| 13:22.22 | *** join/#maemo-ssu M4rtinK2 (~M4rtinK@mail.melf.eu) |
| 13:33.22 | *** join/#maemo-ssu M4rtinK (~M4rtinK@mail.melf.eu) |
| 13:34.20 | merlin1991 | freemangordon_: the ham gpg keys come from a different package |
| 13:34.38 | freemangordon | merlin1991: so? |
| 13:35.16 | freemangordon | I guess once we have the repos back, Nokia can push an update ti fix that in a proper way |
| 13:35.21 | merlin1991 | we can patch the ham binary a billion times without touching the keys .) |
| 13:35.22 | freemangordon | *to |
| 13:36.01 | freemangordon | merlin1991: we can't, as we don't have a tool to push anything on non-cssu device :) |
| 13:36.38 | freemangordon | Or I am missing your idea? |
| 13:37.24 | merlin1991 | your totally missing the base of my statement :D |
| 13:37.44 | merlin1991 | I meant to say that key wise cssu is identical to stock maemo, it only adds keys in other places |
| 13:39.09 | freemangordon | sorry, I am and will be stupid for a couple of days, would you elaborate? (toldya I had an accident and my head was hit ;) ) |
| 13:48.05 | freemangordon | merlin1991: aah, got it now :D. That is why I asked someone (and pali did) to remove CSSU gpg kay from HAM and to see what will happen |
| 13:48.16 | freemangordon | *key |
| 13:53.03 | freemangordon | wonders why HAM has gpg keys if they are not used |
| 13:57.23 | *** part/#maemo-ssu freemangordon_ (~freemango@130.204.50.168) |
| 13:57.32 | kerio | freemangordon: what have you checked, btw? |
| 13:57.50 | kerio | HAM will refresh the repos correctly, it'll just refuse to consider the package as a system package |
| 13:57.53 | freemangordon | me? nothing, it was Pali |
| 13:58.00 | kerio | Pali: same question |
| 13:58.39 | Pali | freemangordon, I looked into HAM source and I did not found any code which touching "keys" folder |
| 13:58.45 | freemangordon | kerio: BTW read the backscroll |
| 13:58.48 | Pali | so I think that folder is only for sotrage of keys |
| 13:58.52 | kerio | i did, it's just not clear enough |
| 13:58.59 | Pali | and in postinst they are imported into apt keyring |
| 13:59.04 | kerio | Pali: yay |
| 13:59.23 | kerio | so... what about using /usr/share/keyrings for community-ssu-enabler? :) |
| 13:59.43 | Pali | ubuntu using /usr/share/keyrings/ for its keys |
| 13:59.48 | kerio | debian too |
| 14:00.01 | freemangordon | kerio: AIUI Pali proved that if Nokia still keeps "SW Admin" key, we are back in the game |
| 14:00.12 | kerio | ^_^ |
| 14:00.15 | freemangordon | well, the repoas are :D |
| 14:00.22 | Pali | kerio, cssu path of keys are not irrelevant |
| 14:00.30 | kerio | Pali: exactly, so why not use the correct place? |
| 14:00.47 | Pali | kerio, because Maemo and HAM not using correct places too :D |
| 14:00.53 | kerio | just the nokia keys |
| 14:01.04 | kerio | which are irrelevant, except for the extras one |
| 14:01.21 | kerio | (and maemosw, ofc) |
| 14:01.50 | kerio | well, now let's just hope that the guys who asked for our help have the power and the will to look for the secret key |
| 14:01.59 | freemangordon | yep |
| 14:02.08 | kerio | what's maemo.research.nokia.com, btw? |
| 14:02.20 | kerio | or what was it? |
| 14:06.35 | kerio | what the hell, no screen on the repos |
| 14:07.37 | kerio | oh, it's in sdktools, isn't it |
| 14:08.09 | *** join/#maemo-ssu xes (~xes@unaffiliated/xes) |
| 14:08.10 | kerio | meh, tmux is better |
| 14:22.10 | Pali | merlin1991, freemangordon, DocScrutinizer05: GPG key for CSSU repositories will expire 2013-10-25 |
| 14:22.25 | Pali | key is: pub 1024D/2E6D6F9A 2010-10-26 maemo.org community repositories (fremantle) <repositories@maemo.org> |
| 14:22.49 | Pali | sub 2048g/9F185A1A 2010-10-26 [expires: 2013-10-25] |
| 14:22.59 | freemangordon | Pali: well, there is a plenty of time to fix it |
| 14:23.11 | Pali | we should start discussion about it |
| 14:23.31 | freemangordon | once we have the infra back, yes |
| 14:23.42 | Pali | becase we need to release STABLE CSSU and make sure that everybody will update CSSU *before* that day |
| 14:24.00 | Pali | and that stable cssu must have updated GPG key |
| 14:24.39 | kerio | Pali: we could just fix HAM |
| 14:24.43 | kerio | well, we should do both |
| 14:25.25 | kerio | Pali: actually, we can just (ab)use merlin1991's key |
| 14:25.27 | kerio | i'm sure he won't mind |
| 14:25.39 | Pali | I'm for deteting expiration date from that key |
| 14:25.42 | merlin1991 | kerio: not for stable/ testing |
| 14:25.50 | kerio | merlin1991: pleeeeeeeeeeeeeeeeeeeeeease |
| 14:25.56 | kerio | :3 |
| 14:26.00 | merlin1991 | the key is only valid for thumb |
| 14:26.02 | kerio | Pali: +1, actually |
| 14:26.10 | Pali | merlin key is without expiraion date |
| 14:26.40 | kerio | merlin1991: nope |
| 14:26.58 | kerio | <PROTECTED> |
| 14:26.59 | kerio | <PROTECTED> |
| 14:26.59 | kerio | <PROTECTED> |
| 14:27.02 | Pali | now from cssu domain file I see that we can exchange merlin and "maemo.org community repositories (fremantle)" key |
| 14:28.00 | Pali | so the worse situation will be to include merlin private key to repository.maemo.org server for signing... |
| 14:29.39 | kerio | Pali: that's a kludge though |
| 14:30.33 | kerio | however, i agree that we can remove the key expiration date |
| 14:30.39 | Pali | so better is to update above key and include it in cssu ASAP |
| 14:31.14 | merlin1991 | hm stable doesn't have the updated cssu enabler yet |
| 14:31.28 | kerio | merlin1991: so cssu stable users don't have any problem with the nokia repo, hah |
| 14:32.01 | kerio | in fact, anyone who passed through the old cssu-enabler doesn't have problems, aiui |
| 14:32.04 | merlin1991 | kerio: nope cssu-stable users don't have my key on their device |
| 14:32.07 | Pali | what about pushing cssu enabler to extras (when autobuilder start working)? |
| 14:32.15 | *** join/#maemo-ssu xes (~xes@host22-224-dynamic.5-87-r.retail.telecomitalia.it) |
| 14:32.15 | *** join/#maemo-ssu xes (~xes@unaffiliated/xes) |
| 14:32.27 | kerio | because the domain information is discarded if you disable the domain check, or something like that |
| 14:32.34 | merlin1991 | yep |
| 14:32.39 | merlin1991 | cssu-stable users simply ignore domains |
| 14:33.02 | kerio | merlin1991: yeah but even reenabling the check will only set the information for new packages that get upgraded |
| 14:33.15 | kerio | anyway, can we just disable HAM's domain bullshit? |
| 14:33.39 | kerio | do the equivalent of red-pill-ignore-wrong-domains 0 |
| 14:34.32 | merlin1991 | well check what the old cssu-enabler does to apt-worker |
| 14:34.34 | merlin1991 | it's that easy :D |
| 14:34.51 | kerio | merlin1991: that's a kludge |
| 14:35.54 | kerio | Pali: debian's key for wheezy expires in 2019 |
| 14:36.20 | Pali | I'm for deleting expire date |
| 14:36.41 | kerio | Pali: what if the key gets leaked and someone does a MITM attack on rmo? |
| 14:36.43 | Pali | In 2019 maybe nobody will remember how to extend expiration... |
| 14:36.55 | kerio | ...it could happen! |
| 14:37.23 | Pali | kerio, and what happen if we have set expiration? |
| 14:37.36 | freemangordon | nothing :D |
| 14:37.40 | kerio | well, they'll only be able to do the attack until the key expires! |
| 14:37.48 | Pali | for sure MITM attack will not happen day before expiration |
| 14:38.12 | Pali | one week for attack is enought... |
| 14:38.19 | kerio | i say that we steal merlin1991's key |
| 14:38.35 | kerio | :D |
| 14:39.13 | Pali | kerio, you need: still some key from zone and upload it to server from that zone |
| 14:39.19 | kerio | indeed |
| 14:39.37 | kerio | using merlin1991's key would mean that we don't have to do anything, though |
| 14:39.37 | Pali | so you need to hack nokia server and add here maemosw key :D |
| 14:39.45 | kerio | oh, not the nokia servers ofc |
| 14:39.58 | kerio | those MUST use "maemosw admin" at this point |
| 14:40.04 | Pali | or you need to hack maemo.org server, download maemo key, hack merlin server and add to merlin server maemo.org key |
| 14:40.08 | kerio | if they want to ship updates to current vanilla n900s that don't know about cssu |
| 14:41.02 | Pali | so if sombody hack servers, why on the earth he will hack another for MITM attack?? |
| 14:41.19 | Pali | he can directly push hacked packages on hacked server... |
| 14:41.52 | kerio | not necessarily |
| 14:42.07 | kerio | send a couple of hookers to merlin1991's house |
| 14:42.18 | kerio | they "distract" him, you then enter and steal the key |
| 14:42.22 | merlin1991 | :D |
| 14:42.30 | kerio | see? he'll be happy about it |
| 14:43.40 | kerio | merlin1991: nowhere i said that we'll pay the hookers enough for you to finish, though |
| 14:44.23 | merlin1991 | bastard :D |
| 14:48.19 | kerio | Pali: do we have the secret key for the maemo community repo? |
| 14:48.57 | Pali | merlin has merlin key (I belive :-) |
| 14:49.20 | DocScrutinizer05 | Pali: thanks for the mail! :-) |
| 14:49.33 | kerio | no, i mean 2E6D6F9A ("maemo.org community repositories (fremantle) <repositories@maemo.org>") |
| 14:49.44 | Pali | and key for community repo on repository.maemo.org must be on maemo.org because it signing Release file every update |
| 14:50.07 | Pali | so we need to ask maemo.org maintainer where is... |
| 14:50.47 | kerio | pushing the same key but without an expiration date would work fine i suppose |
| 14:50.57 | kerio | but are the keyservers going to complain? |
| 14:51.25 | Pali | how tou want to generate same key?? |
| 14:51.58 | Pali | kerio, do you know how to hack RSA, DSA or Elgamal? |
| 14:52.11 | kerio | Pali: gpg --edit-key |
| 14:52.13 | kerio | and then "expire" |
| 14:52.28 | Pali | this generating new signature to key |
| 14:52.28 | kerio | but you need the secret key |
| 14:52.35 | kerio | of course :) |
| 14:52.44 | Pali | and you are exporting new signature to keyservers |
| 14:52.59 | kerio | yeah, but will they accept the new key, overwriting the old one? |
| 14:53.06 | kerio | it feels dirty |
| 14:53.14 | kerio | like editing the history in a dvcs after you've pushed it somewhere |
| 14:53.23 | Pali | keyserver accept *any* key, signature, ... |
| 14:53.45 | Pali | kerio, changing expiration is only creating new signarue |
| 14:54.05 | Pali | you are not overwrting key... |
| 14:55.00 | Pali | then you will see two (or more) signatures: one that key expires at XYZ and second (with newer timestamp) that key expiring at ABC (or never) |
| 14:55.12 | kerio | i see |
| 14:55.26 | Pali | when you downloading gpg key, you will download all subkeys and singatures |
| 14:55.29 | kerio | so the most recent one is the one that's downloaded from the keyserver? |
| 14:55.32 | Pali | and then you decide when key expire |
| 14:55.39 | Pali | kerio, yes |
| 14:56.39 | kerio | so there's no way to leave the keyservers in an "inconsistent" state, i see |
| 14:57.48 | Pali | and you never can delete anything pushed to keyserver |
| 14:58.27 | Pali | you can only create new signature which changing last state... (e.g. submit revocation) |
| 15:20.57 | Pali | freemangordon, now when kernel-power is ready we could start to use wiki for cssu kernel patches |
| 15:21.06 | Pali | but wiki is again not working :-( |
| 16:03.46 | *** join/#maemo-ssu toxaris (~toxaris@s83-180-246-172.cust.tele2.se) |
| 16:15.42 | *** join/#maemo-ssu jade (~jade@unaffiliated/jade) |
| 16:26.16 | *** join/#maemo-ssu iDont (~iDont@ip4da305b4.direct-adsl.nl) |
| 18:07.16 | *** join/#maemo-ssu dhbiker (~dhbiker@95.87.145.172) |
| 18:20.20 | *** join/#maemo-ssu arcean_ (~arcean@aaep122.neoplus.adsl.tpnet.pl) |
| 18:53.16 | *** join/#maemo-ssu Mihanizat0r (~M13@170.133-224-87.telenet.ru) |
| 19:20.53 | *** join/#maemo-ssu NIN101 (~NIN@p5DD292E3.dip0.t-ipconnect.de) |
| 19:25.07 | *** join/#maemo-ssu luf (~luf@ip-89-102-208-114.net.upcbroadband.cz) |
| 19:40.57 | *** join/#maemo-ssu lizardo (lizardo@nat/indt/x-lspbhwswutrwusnh) |
| 19:52.56 | *** join/#maemo-ssu lizardo (lizardo@nat/indt/x-xoqotyblsoimpadb) |
| 20:06.53 | *** join/#maemo-ssu futpib (~futpib@89.106.198.84) |
| 20:10.48 | *** join/#maemo-ssu Martix_ (~martix@ip-62-245-106-78.net.upcbroadband.cz) |
| 21:21.42 | *** join/#maemo-ssu arcean (~arcean@aaep122.neoplus.adsl.tpnet.pl) |
| 21:24.52 | *** join/#maemo-ssu Estel_ (~Estel@d56-215.icpnet.pl) |
| 21:24.52 | *** join/#maemo-ssu Estel_ (~Estel@Maemo/community/contributor/Estel-) |
| 22:40.52 | *** join/#maemo-ssu nox- (noident@freebsd/developer/nox) |
| 23:29.06 | Pali | merlin1991, when you have a time look at this destructive merge request too: https://gitorious.org/community-ssu/microb-engine/merge_requests/1 |
| 23:29.12 | Pali | https://gitorious.org/~pali/community-ssu/pali-microb-engine |
| 23:29.35 | Pali | (like with alarmd) |
| 23:30.13 | Pali | it should be ok, but rewriting git history should be check by more people because it is destructive |