gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
wildtrees has quit [Quit: Leaving]
drakonis has quit [Quit: WeeChat 2.6]
<cole-h> This `pull` bot on GitHub is super annoying
<cole-h> I want to see the original PR (if any) in the current repository, not in some random fork
<samueldr> yes
<infinisil> GitHub's new notification system (in beta) is neat
<infinisil> In general at least. I just submitted some feedback pointing out some issues or potential improvements
<infinisil> Anything is better than the previous notification system though :)
<cole-h> It is really nice not having to go back multiple times before reaching the inbox again
jasongrossman has joined #nixos-chat
jasongrossman has quit [Client Quit]
<gchristensen> [5987500.555687] dhcpcd[19031]: segfault at 100cc ip 000000000042982e sp 00007ffe2994aaa0 error 4 in dhcpcd[407000+32000]
<gchristensen> heh...
<cole-h> You seem to be breaking everything recently, gchristensen
<cole-h> :D
<joepie91> o_O
<joepie91> run `ffplay --help`
<joepie91> and marvel
<samueldr> 7.5k lines
<gchristensen> cole-h: this is my home system which I back everything up to, with evidently failing hardware
<gchristensen> truly the ideal destination for all my important data
<andi-> ha, backups… just reduce the amount of state ;)
<gchristensen> my failing hardware is trying its best to reduce the amount of state I have :)
<andi-> cooperative state reduction
<gchristensen> "systemd[1]: systemd-machined.service: Current command vanished from the unit file, execution of the command list won't be resumed" ....what?
<samueldr> I love writing extremely out of my comfort zone exploratory code
<samueldr> but whew that'll need a big rewrite with all the pitfalls now understood :/
<gchristensen> nice! what'd you do and learn?
<samueldr> working on automating bindings, binding some sizeable lib to a runtime
<samueldr> though it's layered new things, like *actually* learning to implement a deeper DSL in ruby, then learning how bindings in mruby are made, then how to fit all of this in an ergonomic thing
<gchristensen> nice
<samueldr> fun note: using `cpp`'s output it's more trivial to badly parse the C to extract enums
<gchristensen> wow
* gchristensen eyes those new ryzens
<samueldr> is that why your hardware is failing?
<gchristensen> hehe
<gchristensen> this system is from early 2011 ... I'm not sure it owes me anything
<samueldr> respect while it still lives under your roof
<gchristensen> no doubt, I am not wanting to replace it. Ogden and I have a long history
<gchristensen> I don't really like to buy computers
<gchristensen> too stressful
drakonis has joined #nixos-chat
<cransom> the ryzens have been good to me. i still enjoy my threadripper.
<samueldr> I don't see any ryzen to splurge for a new computer
<samueldr> (I only did it for the pun)
<gchristensen> :|
<samueldr> maybe in 2-3 years it'll be worth it compared to what I rock... not that it's particularly good, but that it's good for what I do
<gchristensen> yeah
<drakonis> what do you rock?
<gchristensen> cransom: why threadripper vs. ryzen?
<samueldr> https://www.zotac.com/lk/product/mini_pcs/ei730 as a "thick" client where the browsers and apps run
<cransom> the cooler ryzens weren't around quite yet when I got into this 16 core thing, iirc
<samueldr> and a xeon E5-1660 machine for builds
<gchristensen> samueldr: oh I thought you were talking about your xeon :P
<samueldr> I like having a "thick client" situation
<samueldr> I can laze around with the noisy machine suspended
<gchristensen> that is nice
<samueldr> still, i5-4xxx is what's in my main x86_64 laptop and my daily use computer, funnily enough
<gchristensen> pcpartpicker.com: «choose all these individual components» next: "Choose A Laptop"
waleee-cl has quit [Quit: Connection closed for inactivity]
<gchristensen> I don't like reading motherboard descriptions with military names
<drakonis> sounds like gamer motherboards?
<gchristensen> feels like most of them are GAMER in some way or another
<drakonis> do they come with flashy blinky leds?
<gchristensen> I'm sure they do
<drakonis> hm, fun.
<samueldr> gchristensen: maybe look at server motherboards?
<samueldr> though might be more expensive
<drakonis> don't buy intel server motherboards, they charge you up the wazoo
<clever> samueldr: take note of the [solved] in the title of the thread ... :D
<samueldr> clever++ !
<{^_^}> clever's karma got increased to 333
<samueldr> I like how the "engineer" basically said crap :/
<clever> samueldr: they did follow up with more, in a reply further down
<clever> and did link to vc4boot, which was massively helpful (at both general dev, and cracking it :P)
<clever> samueldr: once i knew it was an hmac, i looked for the magic 0x5c and 0x36, and quickly found a function that was definitely computing opad and ipad
<samueldr> that's amazing
<clever> after several hours of studying that, i discovered that the master key was at a certain address in sram
<clever> so i booted up a start4.elf little-kernel, and dumped it, nada
<clever> the bootcode.bin had over-written it
<clever> then i dumped more sram, and i found the opad value, 64 bytes long
<clever> the first 20 bytes, being the key xor'd with 0x5c
<clever> undo the xor, solved
<samueldr> meanwhile I'm here in my corner eating paste^W^W writing code that writes more code so I can write less code
<gchristensen> samueldr: yeah I think it'd be a better fit. I should look at those discount-ey workstation sites
<clever> samueldr: now the problem is more about what the legal ramifications are, if i share this key...
<samueldr> oh, I was thinking new ryzen or threadripper or w/e but on server hw, so you can get full ECC working
<samueldr> not sure if ECC works on "consumer" boards
<samueldr> (never looked)
<samueldr> but sure, reusing is also good, rather than making new future ewaste yours
<samueldr> clever: you could... make a dumper :)
<samueldr> though this discussion is probably fine for most people that know what to do with what you said
<clever> i didn't mention the address or byte order of the key
<clever> but this does :P
<samueldr> hahaha
<samueldr> this might have further reaching consequences for things including that broadcom SoC
<clever> in just one day, i went from not knowing how hmac works, to cracking an hmac key
<clever> there is a 16 byte OTP field, that docs claim is the key
<clever> but it doesn't match what i recovered
<clever> and what i recovered is 20 bytes
<samueldr> that OTP would be unique per-machine, right?
<samueldr> or not necessarily
<clever> unique per product
<clever> programmed at the factory
<samueldr> right, so less useful to sign a binary blob you'd flash on all products
<clever> the key i have, only works on rpi4's
<samueldr> so to me it makes sense that the OTP is now the key you need for the blob
<clever> and if they want to avoid confusion for users, every rpi4 should have this key, including future models
<clever> i just don't know how the 16 bytes in OTP, turns into the 20 bytes for hmac-sha1
<samueldr> maybe some part of the 20 bytes is not part of that OTP and a constant?
<clever> i skipped a step
<clever> the code is clearly getting those 20 bytes from ram
<clever> if it was a constant, it would have read the rom directly
<drakonis> wow wtf
<drakonis> this guy's twitter is a goldmine
<gchristensen> lol
<clever> samueldr: i fixed my linker script, and now little-kernel can half run, from recovery.bin
<clever> something in the early init is breaking it
<samueldr> what's the other half doing?
<samueldr> ah
drakonis has quit [Quit: WeeChat 2.6]
<Church-> samueldr: Yeah that was a thing alright
<DigitalKiwi> if i were larry i'd fire matthew
endformationage has quit [Ping timeout: 272 seconds]
<DigitalKiwi> have you seen the post on the orange site from an (anonymous, iirc) developer at oracle explain how horrific their codebase is
<DigitalKiwi> now you can
<DigitalKiwi> that took a lot less time than i expected to find
* DigitalKiwi thought i wouldn't be able to
<clever> samueldr: i was setting the ram size based on pi model, not the boot stage
<clever> samueldr: so i claimed the rpi4 with dram offline, had 20mb of usable ram, and the heap system imploded
<samueldr> hmm, I guess ram isn't initialized yet?
<clever> once i fixed that, and claimed 128kb of ram, it works perfectly
<samueldr> nice!
<clever> if i want to do anything useful with this stage, i need to figure out the ddr4 controller
<clever> but at least now i have the ability to try
<clever> when broadcom was trying to deny me even that :P
<clever> "I don't believe that will be made public, I suspect it would create a massive security hole"
<samueldr> security of?
<samueldr> :)
<clever> to exploit that, i would need to put a malicious recovery.bin file on your /boot partition
<clever> if i have that kind of access, you're already screwed
<samueldr> good rootkit possibilities though
<clever> and the official recovery.bin can undo any malware in the SPI chip
<clever> yeah, in theory, the SPI chip (which has ~256kb free i heard), could contain a patch for start4.elf and a patch for linux
<clever> and each stage, would read it, and patch the next
<clever> but, you can clean such things, by just running the official recovery.bin on a known-good SD card
<samueldr> yep
<clever> the only other real harm that could be done, is to over-volt the chip too hard
<clever> but even root could already have done that, via /dev/mem
<samueldr> yeah
<clever> same for scrambling OTP
<clever> any harm i could do here, could have already been done by root
<clever> now that LK recovery.bin works, i can dump the sram
<clever> and i can see different values from before, so the SPI bootcode.bin overwrote things
<clever> but, the field for the master key, is oddly 0'd out
<clever> they clearly tried to hide it
<clever> but they forgot that the hmac routine leaves an xor'd copy behind
<samueldr> a classic mistake
<DigitalKiwi> https://youtu.be/EZSx3zNZOaU?t=256 specifically around here
<clever> DigitalKiwi: :D
<clever> and even if they didn't make that mistake, i just have to spend another dozen hours going further up the call-stack
<clever> to figure out how this value got generated
noonien has quit [Quit: Connection closed for inactivity]
lovesegfault has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.7]
cole-h has quit [Ping timeout: 265 seconds]
buckley310 has quit [Quit: The Lounge - https://thelounge.chat]
buckley310 has joined #nixos-chat
* colemickens another one
<colemickens> looks like xorg-server is non-trivial to build from actual source (and not a release tarball)
<colemickens> autogen + custom m4 macros in a separate package, oh joy
* colemickens is it worth it?
siers has joined #nixos-chat
__monty__ has joined #nixos-chat
jared-w has quit [Ping timeout: 245 seconds]
savanni has quit [Read error: Connection reset by peer]
jared-w has joined #nixos-chat
savanni has joined #nixos-chat
__monty__ has quit [Quit: leaving]
claudiii has joined #nixos-chat
averell has joined #nixos-chat
<yorick> colemickens: I think xwayland is made from that too
<yorick> so we may still need it in the future
endformationage has joined #nixos-chat
drakonis has joined #nixos-chat
cole-h has joined #nixos-chat
waleee-cl has joined #nixos-chat
__monty__ has joined #nixos-chat
<evanjs> Crazy idea and don’t know how I would do it — but {home-}configuration.nix on zeal, or better yet, dash. Automatically updating after each rebuild, which I already have scheduled for every 6 hours. Hrmmm
<evanjs> I am now sad. And maybe a good time to get into iOS dev... if my MacBook wasn’t so old... (2011 / can’t install Catalina 🙃)
<infinisil> Wow, twitch now has subscriber-exclusive streams, not sure how I feel about that
nckx has quit [Quit: Updating my GNU Guix System — https://guix.gnu.org]
<evanjs> infinisil: they didn’t before? I don’t use twitch much but can’t say I’m too surprised, TBH
<infinisil> First time I'm seeing it at least, previously I only saw commenting or emotes being subscriber-exclusive
nckx has joined #nixos-chat
<drakonis> gotta boost up that subscriber moolah, yeah?
<drakonis> i wonder what was the thought process behind such a thing
<cole-h> $$$
<drakonis> wonderful.
<drakonis> ah and i'm back to nix, nothing like not having to janitor things, i suppose its why people use it
<drakonis> wonderful when things work
<gchristensen> "noone needs more than 16k of ram"
<gchristensen> oooh nice, joepie91!
<drakonis> nice.
<joepie91> tired of all the "just use this magical boilerplate generator to set up your project" and "just read the source code of webpack/browserify for 3 hours" approaches to this problem
<joepie91> it's all so totally unnecessary :P
<gchristensen> :D
<drakonis> are you still at 36c3? :V?
<viric> I was looking for some programming thing for children. So far I liked most the things around microbit.
<viric> But I wish there was something for children that were typing-programming and not drag-and-drop-blocks programming.
<__monty__> We recently started using those at coderdojo.
<__monty__> You can switch to writing code in makerblock (the microbit recommended IDE).
<viric> then it's js
<__monty__> Yep.
<viric> I started with a BASIC prompt and I think that was far easier to grasp than js
<joepie91> drakonis: so long as I don't remove it I can pretend that 36C3 hasn't ended yet!
<__monty__> You can also use python iirc but no makerblock support for that.
<drakonis> heh
<viric> also tinygo builds for microbit. Or C, or anything
<viric> I like that they don't focus it to motors, motors, motors. How are motors fun? They are not.
<viric> I wish there was something like this but programmable: http://mouse.latercera.com/wp-content/uploads/2017/12/tetris4_800x.jpg
<gchristensen> I think motors are fun because they let you affect the real world
<viric> gchristensen: but it's an axis that moves forward and backward. Very limiting.
<__monty__> There's displays you can hook up to a microbit.
<gchristensen> slap a couple motors on a dustpan with a couple mason jar lids + rubberbands as wheels and you're off to the dustpan races
<viric> You can have LEDs, pixels, a speaker, a light sensor, an accelerometer, ...
<__monty__> Oh, and the simple communication makes having 2 microbits definitely worth it btw.
<viric> RIGHT, and communication!
<viric> microbit is by far the best I found for children
<viric> But when I was young I didn't want to program a microcontroller - I wanted to program a computer. I think this should be easier, but somehow children "computer" workshops are directed towards these devices.
<viric> (motors, robots, etc. all MCUs)
<viric> With the Amstrad I started with I had 1) a screen 2) a speaker, 3) I/O (Sega-like joystick), 4) a keyboard
<viric> that's better than motors
<samueldr> is this the kind of thing that may be relevant? https://murray2.com/threads/commander-x16-faq-from-david-murray-on-facebook.184/
<samueldr> making a "new" "old computer"
<viric> :) I'll watch it
<viric> At university we had boards for FPGA design that were basically an FPGA and pins that went to a PS/2 port and a VGA. We could build anything with the FPGA between the PS/2 and the VGA.
<samueldr> might not be exactly kid-friendly
<__monty__> viric: We use scratch heavily.
<__monty__> It's just that the step from scratch to "real" programming is really big.
<viric> scratch is not very FOSS
<viric> samueldr: definitely
<viric> microbit has a 5x5 LED matrix + two buttons. That's almost a display and a keyboard. :)
CRTified has quit [Quit: Gateway shutdown]
CRTified has joined #nixos-chat
noonien has joined #nixos-chat
clever has quit [Ping timeout: 260 seconds]
clever has joined #nixos-chat
<gchristensen> wow! you can use ssh keys for signing data now!
<__monty__> Using the ssh cli? Or, what's new about this? Haven't they always been asymmetric keys?
claudiii has quit [Quit: Connection closed for inactivity]
<gchristensen> "OpenSSH v8 introduced new functionality for creating signatures using SSH keys"
<rycee> Another alternative is to generate an ssh key from your gpg identity.
* gchristensen is trying to get rid of his gpg identity
<cole-h> Curious as to why
<gchristensen> I'm not competent enough to use it
<rycee> Hehe, I become an expert every 5 years or so when I create new keys for whatever reason. Now I've doubled down on gpg by getting a yubikey and putting the keys on it.
<cole-h> I'm planning on getting a SoloKey when they release their rev 2
<__monty__> gchristensen: If you move all the things you use gpg for now into ssh you'll end up not competent enough to use ssh. Stop this madness before you're relegated to telneting all over the place!
<samueldr> minicom is where it's at
<rycee> cole-h: Neat, do you know if it's possible to use solokey as a gpg smart card?
<gchristensen> __monty__: the things I do with GPG are not complicated
<cole-h> When I was researching them a while ago, I'm pretty sure yes
<cole-h> Lemme check
<gchristensen> GPG has an impenetrable coating of accidental complexity for no reason
ravndal has quit [Quit: WeeChat 2.7]
<cole-h> rycee: Appears they're working on it: https://github.com/solokeys/openpgp
<cole-h> So, soon™
ravndal has joined #nixos-chat
<elvishjerricco> gchristensen++
<{^_^}> gchristensen's karma got increased to 209
<elvishjerricco> Using gpg is a nightmare.
<__monty__> I've heard sequoia pop up a number of times. Let's hope that improves the situation.
<joepie91> gpg--
<gchristensen> oh it has a cli now
<__monty__> gchristensen: That's not ready for primetime yet. At least according to the people in #hagrid.
<gchristensen> what do you call gpg ...
<rycee> cole-h: Nice! I guess my yubikey will last for a few years but it would be nice to have something more open in the future.
<cole-h> That's the main reason I'm waiting -- I don't want my key calling out to Yubico's servers :P
<emily> yubikeys don't do that...?
<gchristensen> the keys don't have network access anyway :)
<emily> if you don't use the ancient keyboard-imitating passphrase mechanism they don't have anything to do with yubico at all
<emily> and even in that case they certainly don't make network connections
<emily> (that cc[line noise] stuff trusts yubico somehow, I forget exactly how, but there's no reason to use it anyway)
<__monty__> gchristensen: Well I explicitly asked whether it supported my workflow yet. Which is stupid simple gpg use, just adding a new subkey every so often and signing releases and they said no.
<cole-h> I must have mis-interpreted something along the way then. Thanks for correcting me. Either way, it's still more open than a yubikey AFAICT :)
<emily> it is, yeah. I believe the hardware security properties are also worse, though I haven't looked at their newer models
<gchristensen> gotcha __monty__ I don't do those things really
<emily> (as in, solo's is worse than yubikey's)
<gchristensen> I only decrypt mail when someone is rude enough to send me gpg-encrypted mail
<emily> part of the problem is that most of the "secure element" chips come with draconian NDAs.
<gchristensen> oh, and signing git commits :(
<joepie91> brb sending encrypted line noise to gchristensen
<joepie91> :P
<gchristensen> go for it
<gchristensen> make sure it has a good subject like "critical rce in nix"
<cole-h> Critical RCE in lorri 👀
<joepie91> lol
<__monty__> UNFIXABLE exploits in openssh signing implementation, guess you're stuck with gpg after all, details in the encrypted body! (Tagged important.)
* gchristensen moves to spam
<colemickens> I think I've seen people describe ways to sign git commits without involving gpg tooling.
<joepie91> lol
<gchristensen> the execlp("gpg"...) isn't the bad part, it is the times I have to do maintenance on my key
* colemickens nods
<__monty__> No one stops you from having a forever-valid key though.
<colemickens> I just meant, depending on how much you wanted to get rid of gpg, you could potentially widdle down use-cases maybe
<gchristensen> yeah
<gchristensen> maybe I'll start signing my commits with s/mime :)
<__monty__> And if you act responsibly with gpg expiry then wouldn't you act equally responsibly with other methods and incur the same amount of maintenance.
* colemickens has flashes of trying to wrangle x509 in Go many years ago. yay for security tooling.
<cole-h> (colemickens: sorry to be a pedant, but it's 'whittle')
<gchristensen> the maintenance is not the problem, GPG is the problem
<colemickens> Am I allowed to dislike gpg purely because of the UX? I don't even mind the "burden" of maintenance.
<gchristensen> colemickens: yes
<gchristensen> the UX is actively dangerous and the UX is literally a reason to not use it
<colemickens> cole-h: happy to be corrected, I feel pretty silly now actually, haha
<gchristensen> you basically can't have a secure system which is hard to use
<cole-h> "Look how cute that widdle puppy is!" :D
<viric> gpg is very hard to use.
<viric> I'm amazed how some people write gpg things for Android
<gchristensen> btw colemickens I sent you PMs :) (I think matrix makes them harder to see?)
<viric> I didn't know matrix had anything to do with encryption, btw - today I read it may have.
<__monty__> viric: Matrix has support for e2ee. And upcoming(?) support for some sort of encrypted group chat.
<viric> Isn't it compulsory?
<__monty__> Nope.
<__monty__> May be default though.
<viric> I liked ideas (not implementations) like tox or that mail over tor thing I can't remember anymore
<__monty__> Matrix is far more than just a protocol for instant messaging. Forcing OTR encryption doesn't necessarily make sense for all the applications of the protocol.
<viric> I don't like the "run your server" approach
__monty__ has quit [Quit: leaving]
<viric> pond. Pond was a thing
<viric> why is there so much trust in Signal?
* joepie91 considers GPG insecure because of the UX
<DigitalKiwi> <3 Signal
<joepie91> viric: you can use someone elses matrix homeserver if you don't want to run your own :P
<joepie91> viric: combination of pioneering and marketing
<DigitalKiwi> ...but it's a <3 </3 relationship
<joepie91> Signal genuinely improved things a ton with its encryption protocol/setup, but it's also banking off Moxie's reputation quite a lot, even where not really appropriate
<joepie91> and as an organization, they've been... less than good-faith in their behaviour overall, IMO
<joepie91> Moxie in particular
<DigitalKiwi> it'd be nice if it like...worked reliably :( since it's the only one that even seems to try to put security as high of priority as it can and still be useable...
<DigitalKiwi> signal-desktop especially falls flat
andi- has quit [Ping timeout: 240 seconds]
* DigitalKiwi needs to finish/correct/split into 2 posts https://myfriendshate.me/files/signal.html
<DigitalKiwi> I hope you like novels
<joepie91> DigitalKiwi: cheap tip: cut it into paragraphs of about 3-4 visual lines each, ideally addressing at most 1 subtopic per paragraph
<joepie91> fairly quick to do, improves readability massively
<DigitalKiwi> it started off as a text
<DigitalKiwi> that I then typed on my phone for 12 hours straight
<joepie91> (5 is okay too, but ideally no longer than that)
<DigitalKiwi> the <h2> will be "It started off as a text, how did it end up like this? it was only a text, it was only a text"
<joepie91> lol
<DigitalKiwi> and for anyone without good taste in music and therefore (or otherwise) didn't catch that reference https://www.youtube.com/watch?v=gGdGFtwCNBE&
<DigitalKiwi> oh and the last thing that person said to me was "I need you to stop contacting me"
<DigitalKiwi> like I say, my friends hate me
andi- has joined #nixos-chat
<DigitalKiwi> the third post will be "Why I hate Signal" and it's just a list of every complaint/problem everyone I know has told me about
* DigitalKiwi goes to spray a bit of Black 3.0
<gchristensen> wooo
drakonis has quit [Quit: WeeChat 2.7]
drakonis has joined #nixos-chat
<worldofpeace> oooh, goth lambda
<DigitalKiwi> it's top sekrit don't tell anyone