* joepie91
is deploying a new NixOS system once again \o/
<cole-h>
\o/
<joepie91>
replacing one of my remaining aging OpenVZ Debian boxes
<joepie91>
machine-konjassiem-02.cryto.net is now officially alive!
drakonis has joined #nixos-chat
drakonis2 has joined #nixos-chat
drakonis_ has quit [Ping timeout: 265 seconds]
<joepie91>
aaaaaand it has been assimilated into my morph cluster!
<joepie91>
tomorrow: actually setting up services on it :P
drakonis has quit [Ping timeout: 260 seconds]
drakonis_ has joined #nixos-chat
drakonis2 has quit [Ping timeout: 272 seconds]
<Gaelan>
ugh, google needs to hire actual file system engineers for google drive
<Gaelan>
google drive supports hard links, but *DELETES THE FILE EVERYWHERE IF YOU DELETE IT ANYWHERE* (unless you explicitly use a separate unlink button on their website)
<Gaelan>
which means deleting a folder can cause random files in unrelated places to disappear
<Gaelan>
ugh
<danderson>
It's slightly less surprising if you think of folders as labels attached to a bag of files. The filesystem abstraction is wedged on top of a much simpler object store, and the semantics are all borked
<danderson>
(not defending the design, mind you, it's hilariously broken)
<gchristensen>
ouch
<drakonis1>
hmm, i've been picking up c++
<drakonis1>
what's the recommended way to get code completion on editors with it?
<ldlework>
I am thinking of writing up some nix config
<JJJollyjim>
bad idea
<ldlework>
To give you everything you need to start playing Go with AI and nice clients etc
<JJJollyjim>
:P
<ldlework>
JJJollyjim: hehe
drakonis1 has quit [Quit: WeeChat 2.8]
parsley936 has joined #nixos-chat
evanjs has quit [Read error: Connection reset by peer]
evanjs has joined #nixos-chat
<sphalerite>
drakonis_: are you running clangd from a nix-shell?
__monty__ has joined #nixos-chat
<manveru>
ldlework: a wiki page would be enough :)
averell has joined #nixos-chat
<eyJhb>
Anyone knows how Chromium autocompletes URLs?
<eyJhb>
Like does it use a cache, or just files from .config/chromium etc.
<viric>
eyJhb: an AI predictor based on your google preferences profile
<eyJhb>
viric: seems correct :p
<viric>
I have no idea about these things but I always mistrusted "a browser from google"
<eyJhb>
But then Edge is untrusted as well? :|
<viric>
I use simply firefox, and maybe it is no better, but to the layman like me, it feels better
<eyJhb>
I just hate how FF looks and works
<viric>
I use the tridactyl and it's fine and got used to it I guess
<viric>
MichaelRaskin is more a master of this things, for whom the web is still "that http GET and POST thing on URLs"
<eyJhb>
I normally use surfingkeys
<__monty__>
Well the looks can be customized fairly hardcore.
* adisbladis
removed all the looks from firefox
<adisbladis>
It's literally just a web page without decorations
<eyJhb>
No menu bar etc.?
<viric>
I'm not that creative.
<adisbladis>
eyJhb: Exactly
<eyJhb>
adisbladis: screenshot
<adisbladis>
Menus are a waste of space
<eyJhb>
But what if you need the menu bap?!
<eyJhb>
bar**
<__monty__>
adisbladis: I agree, but the location bar popup thing was always so hideous. Do you have a way to unhide the regular location bar when focused?
<eyJhb>
__monty__: Like do as it won't hide?
<__monty__>
That doesn't parse.
<eyJhb>
Make the location bar always visible
<__monty__>
No, that's not what I want. It's what I'm stuck with.
<gchristensen>
lies, damn lies, and USB write speeds 541MiB 0:00:00 [ 970MiB/s]
<bqv>
adisbladis: you know, maybe you're right, maybe I should just ban myself from using a shell directly, see how I do
<bqv>
Got nix repl in comint now
waleee-cl has joined #nixos-chat
Jackneilll has quit [Read error: Connection reset by peer]
Jackneill has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 265 seconds]
Jackneill has quit [Ping timeout: 260 seconds]
feepo has joined #nixos-chat
Jackneill has joined #nixos-chat
<bqv>
oh i missed the docking
<bqv>
rip
<MichaelRaskin>
Reject the notion of simultaneity of events not able to affect each other directly, and watch the recording
<bqv>
fair point
<bqv>
i only watched the launch live cause i was hoping to see it in the sky
<MichaelRaskin>
That indeed makes sense.
Deknos has joined #nixos-chat
endformationage has joined #nixos-chat
Jackneill has quit [Ping timeout: 272 seconds]
drakonis has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis1 has joined #nixos-chat
drakonis has quit [Ping timeout: 265 seconds]
Jackneill has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis1 has quit [Ping timeout: 256 seconds]
drakonis has quit [Quit: WeeChat 2.8]
buckley310 has joined #nixos-chat
drakonis has joined #nixos-chat
<sphalerite>
gchristensen: dd oflag=direct :)
<sphalerite>
iirc the semantics aren't actually defined, but in practice it bypasses the write cache if writing to a block device directly. If not writing to a block device directly, it's Filesystem Dependent™
<joepie91>
lol gchristensen
<ashkitten>
holy crap the ibm thinkpad a30 is such a well built machine
<ashkitten>
everything is replaceable with like 2 or fewer screws
<ashkitten>
i can just pop out the entire floppy drive without unscrewing anything
<ashkitten>
the hard drive comes out the side super easily with one screw
<ashkitten>
i could use this as my laptop if my wrists weren't so bad
<samueldr>
turns out glue and weird proprietary microscopic screws are harmful to users servicing the hardware they own
<joepie91>
ashkitten: yeah the older Dell Latitudes are similar
<joepie91>
I miss that in newer laptops
<ashkitten>
honestly, i might use this as my laptop if my friend sends me that voice control hardware she's working on
<samueldr>
it's the main reason I haven't got a new laptop (excluding the PBP) since early 2015
<samueldr>
serviceability, combined with the fact that they ship with ridiculous specs
<ashkitten>
pbp isn't nearly as good as this
<samueldr>
I meant that the PBP is a laptop I bought
<ashkitten>
oh
<samueldr>
not that it was serviceable
<ashkitten>
right
<samueldr>
though it is *more*
<ashkitten>
like, the pbp is more serviceable than most laptops these days
<samueldr>
well, more than its contemporaries
<ashkitten>
but it's nowhere near an old ibm thinkpad
<samueldr>
yeah
<ashkitten>
plus i have a dock!!
<samueldr>
I bought a "lower end" laptop for 700$CAD shipped in 2015, which had 8GB of ram, 1080p display, 2-in-1 13"
<joepie91>
it was also a consideration in my buying an x270 instead of the newer x280
<samueldr>
these days I'm lucky to find one that is a 2-in-1, with 8GiB of ram for less than 1200 before taxes and shipping
<joepie91>
still not fantastically serviceable, but better than the newer model
<ashkitten>
hmmmm i should get a battery for this thing if i'm going to be using it
<samueldr>
but the kicker is that I want more than 8GiB, as that was the lower end in 2015! but now most laptop designs have soldered-on RAM with no upgrade slot
<ashkitten>
excuse me, 8 GIGABYTES?
<ashkitten>
who needs more than 256 megs?
<samueldr>
Gibibytes even
<__monty__>
ashkitten: The Lenovo T400 had toolless optical drive and single screw HDD access too.
<ashkitten>
:o
<samueldr>
last time I looked I was looking at upwards of 2000$CAD for a 16GB laptop that was a 2-in-1, as it seems no one makes 2-in-1 360° hinge laptops that aren't just a cheap toy :(
<ashkitten>
i'd like a tablet, honestly
<ashkitten>
i don't want to have a laptop because it'll destroy my wrists by tempting me to type on it
<samueldr>
hah, I would like that too, but that's even harder to really find a tablet with good specs
<ashkitten>
yeah ;-;
<adisbladis>
I'd like a powerful tablet too tbh
<ashkitten>
what if i just get one of the ones with a detachable keyboard and then sell the keyboard part so it won't tempt me
<samueldr>
360° hinges are great, fold it back, prop it into a stand and there you are
<adisbladis>
The thing is I hate every non-thinkpad laptop keyboard
* sphalerite
for some reason pictures an imac with a touch screen and battery
<danderson>
adisbladis: one of us! One of us!
<samueldr>
heh
<ashkitten>
i hate every keyboard
<joepie91>
I hate every current-gen laptop keyboard
<adisbladis>
So it would be nice to buy something _without_ a keyboard and use an external usb thinkpad keyboard on the go
<joepie91>
thinkpad included
<danderson>
I tried a Dell XPS 15 for some time. It's a nice machine, but (a) garbage firmware (b) I hate the keyboard
<ashkitten>
except the ergonomic ones i've tried
<joepie91>
I want my damn old-style Latitude keyboard back
<danderson>
give me my thinkpad and my trackpoint <3
<samueldr>
sphalerite: if the ipads respected your intellect by allowing you to run your own code at the operating system level, maybe they'd be good
<samueldr>
though a bit lower ended specs-wise
<adisbladis>
danderson: <3
<ashkitten>
it's not about intellect, i think
<ashkitten>
everyone should be able to run their own code
<samueldr>
yeah
<adisbladis>
I paid way too much for my thinkpad 25... But considering it's the last laptop I'd want for a long, long time..
<samueldr>
I don't know how else to characterize that patronizing behaviour
<danderson>
Apple behave completely consistently with their objectives
<danderson>
they want to sell appliances, not computers
<danderson>
very fancy appliances, that can do a lot of stuff... But appliances nonetheless
<adisbladis>
danderson: Donglebook Pro
<samueldr>
they are disrespectful of *some quality* in people
<adisbladis>
sphalerite: Yes, that's why I want a tablet ;)
<adisbladis>
But I can't find one that's powerful enough
<danderson>
it's currently the console keyboard for my server rack
<sphalerite>
adisbladis: aww
<danderson>
because I want quality typing even when I'm hunched over fixing a borked BIOS
<sphalerite>
hehe, at least half my colleagues have these
<samueldr>
I have *some* hope that at some point a chrome-based tablet will be powerful enough
<adisbladis>
I use one of those bluetooth ones as my smart-tv remote
<samueldr>
now, at what price?
<sphalerite>
danderson: isn't that what KVM bridges are for? So you can do it from the comfort of your desk? :p
<danderson>
samueldr: the way chrome's memory habit is going, soon chromebooks will be more powerful than regular computers
<samueldr>
that's just a tired old meme
<sphalerite>
^
<danderson>
sphalerite: my servers all have remote management and networked consoles... But sometimes when I'm fixing hardware and such, I have to be physically there
<sphalerite>
why has it been resurfacing?
<samueldr>
because it's cool to hate on $thing for any reason, true or misconstrued
<samueldr>
and memes are extremely powerful
<sphalerite>
danderson: fair enough, I had a surprise trip to a different city yesterday to replace a failed SSD so that everyone will be able to work on Tuesday x)
<qyliss>
samueldr: they said they're not going to make any more Chrome OS tablets
<danderson>
Sounds like your lived experience and mine don't match.
<qyliss>
because the last one was so unsuccessful
<samueldr>
qyliss: aww
<qyliss>
But 2-in-1s are good enough for me
<samueldr>
hopefully they'll push more 2-in-1s
<samueldr>
though that acer one *was* pretty good
<sphalerite>
samueldr: still, I've been hearing more of this recently, I have the impression it died down for a couple of years
<samueldr>
I'm still torn about sending it back
<danderson>
sphalerite: my hypothesis: complaints about memory hogging die down periodically, when the standard RAM loadout on consumer machines doubles.
<adisbladis>
danderson: It's like having vendor lock-in in your hands :3
<samueldr>
I didn't need it, since I stopped having a job that required me to move around, and it was money that I could spend elsewhere... but dang it it was the best laptop I had found since a good while
<samueldr>
danderson: [citation needed]
<sphalerite>
samueldr: a citation? for a hypothesis?
<samueldr>
oh
<sphalerite>
:D
<samueldr>
skipped the hypothesis word
<sphalerite>
danderson: or maybe all the hate was redirected to electron for a while :D
<samueldr>
I need gaze tracking so the lines won't shift up when I read them
<danderson>
thankfully this isn't debate club, so I'm allowed to have uninformed opinions about my personal experience :)
<danderson>
adisbladis: it's quite annoying, when lenovo miss the mark and make a meh round of laptops, because that keyboard :(
<qyliss>
samueldr: the Galaxy Chromebook looks pretty great
<qyliss>
although apparently battery life is bad
<samueldr>
sphalerite: maybe it merged back into chromium, the hate of *different chromiæ* all taking ram from different libraries and binaries not being able to share memory pages?
<danderson>
but they've been doing okay recently (inb4 old thinkpad keyboard fans smack me about the head)
<adisbladis>
danderson: I think I'll be stuck on my thinkpad 25 for at least five more years, then we'll see what the landscape looks like..
<sphalerite>
danderson: I was very confused about why a keyboard needs cooling for a second
<samueldr>
qyliss: had it with 16GiB ram and i5-8250U
<danderson>
adisbladis: good thing incremental improvements are slowing down year over year. Laptops last a really long time without becoming obsolete these days
<danderson>
(assuming you don't need fancy new ports, or new features)
<adisbladis>
i have 32G RAM and can't imagine any new feature I'll need =)
<samueldr>
oh, to all I said about finding a laptop, add the "being in Canada" difficulty... there are brands that just don't sell here, and brands that sell often sell a limited assortment :(
<adisbladis>
samueldr: I miss living in Hong Kong for that aspect
<danderson>
ugh, not looking forward to that after I move
<sphalerite>
samueldr: what do you think of the pinebook? I've been constantly tempted to buy one, but always held back by my already having an rk3399 laptop
<adisbladis>
danderson: Oh, you're moving to CA?
<danderson>
you'd think the north america market would be just one block
<danderson>
adisbladis: as soon as papers come through and *waves generally at everything* all this calms down
<samueldr>
sphalerite: haven't had that much experience "driving" it
<samueldr>
sphalerite: so I can't say as a replacement for a laptop
<samueldr>
sphalerite: but as a nice piece of hardware, it's really good, though not sure it'd be better than any other rk3399 platform
<adisbladis>
danderson: I was on my way to move countries, ended up without my old flat and not allowed in to my prospective new country for the time being...
<adisbladis>
Currently stuck in purgatory
<danderson>
ugh, that sucks
<samueldr>
danderson: if you live on the west coast, or southern ontario, going to the US to get to a brick and mortar shop is probably going to alleviate some of that pressure
<samueldr>
(not sure about cities and states bordering the prairies provinces...)
<danderson>
yeah, I hear there's a cottage industry of PO boxes along the border that can receive packages
<samueldr>
I was thinking even just a US mall lol
<danderson>
going to B.C., so a ferry ride or so away
<danderson>
and will still have family in the US, so we'll probably go back and forth regularly
<samueldr>
yeah, I don't think it'll affect you as much
<sphalerite>
samueldr: well it does have 1920x1080 instead of 1366x768
<samueldr>
sphalerite: but lacks 2-in-1 ability and touch display
<adisbladis>
danderson: Hehe, have you heard of Pirate Joe's?
<danderson>
but either way, "shopping is slightly less convenient" is a tradeoff I'll gladly make
<samueldr>
I'd trade the PBP for a chromebook which had a 2-in-1, even with half the memory
<danderson>
adisbladis: hah, no. TIL
<samueldr>
(but only as a toy, productivity wise it might not be the best choice)
<sphalerite>
samueldr: I'm not sure I get what the big deal is with 2-in-2
<sphalerite>
s/2$/1
<danderson>
but still really confused as to why Canada ends up being _such_ a separate market from the US. Obviously some difference makes sense, but to the point where your best option is "cross an international border for shopping"...
<samueldr>
danderson: limited segments for smaller population I guess
<adisbladis>
danderson: You should come to northern europe
<samueldr>
danderson: add to that that there are language restrictions
<__monty__>
danderson: What were the firmware issues?
<samueldr>
__monty__: yes, see the price argument
<danderson>
samueldr: ah, yeah, I guess there's a baseline cost to set up logistics and distribution...
<danderson>
ah yes, Quebec ruining it for everyone ;P
<adisbladis>
Where the norwegians go to sweden to shop everything, swedes go to denmark (for alcohol), the danes go to germany and the germans go to poland :P
<samueldr>
danderson: it's only when you start checking "unpopular" segments of product lines that it gets harder
<danderson>
__monty__: oh boy, where do I even start
<danderson>
for one, the chipset gets confused by thunderbolt docks that offer power, but not enough power to charge the laptop under load
<samueldr>
sphalerite: one thing I really like about 2-in-1s is how they save space on a desk
<danderson>
my TB dock can do 65W, the XPS's AC adapter delivers 105W
<danderson>
so, no problem, right? Plug in Thunderbolt and the AC adapter?
<samueldr>
sphalerite: it's more about "be the change you want to see", I want *every* laptop to use a 360° hinge
<samueldr>
sphalerite: so it's not even a separate category, but a standard feature
<danderson>
except the laptop gets confused by this strange concept of "I can get power from 2 places"
<danderson>
and keeps bouncing the thunderbolt link to renegotiate power delivery
<danderson>
"hey, you offer power! Let me disconnect your display and peripherals to negotiate power delivery!"
<danderson>
"oh, you only have 65W, that's not enough. Hey but look, I have an AC adapter! Let me disconnect your display and peripherals to renegotiate without power delivery!"
<danderson>
"hey, you offer power! ..."
<sphalerite>
samueldr: how does it save space?
<sphalerite>
ooooh
<sphalerite>
in tent mode
<sphalerite>
with an external keyboard
<samueldr>
sphalerite: or even with a setup like I had during nixcon
<sphalerite>
Never thought of that x)
<danderson>
gets worse under load. If the power draw is less than 65W, it sticks with thunderbolt PD. Then you power up the GPU for something, and it starts flaking constantly.
<samueldr>
sphalerite: a stand where it's put vertically and flat into
<danderson>
the firmware also routinely gets into a broken state where it locks the CPU at 700MHz across all cores (the lowest frequency setting)
<sphalerite>
samueldr: you could do something like that with a 180° hinge as well though, right?
<samueldr>
those are rare-ish too
<danderson>
and you have to disconnect+reconnect the AC adapter to persuade it that "oh, look at all these GHz I have!"
<samueldr>
so many laptops now open to like 100-120° max
<sphalerite>
samueldr: standard issue on T thinkpads I believe :)
<sphalerite>
probably also X
<samueldr>
180° is acceptable, I'd live with the concession, but it's not ideal as it disallows vertical orientation stand :)
<sphalerite>
ah, true
<danderson>
__monty__: so, there you go. My recommendation for XPS 15 is: don't use the thunderbolt port at all and you might be okay. Oh except when the CPU locks itself to 0.7GHz and requires physical intervention to fix.
<sphalerite>
ok yes 360° hinges are cool :p though definitely more mechanically complex, maybe also more prone to breaking?
<danderson>
eventually mine "fixed the glitch" by killing the thunderbolt controller completely, a few weeks after warranty expired.
<samueldr>
sphalerite: no idea, maybe
<danderson>
Now it just spews errors in dmesg about PCIe lanes failing to come up, and I have a dead port.
<sphalerite>
samueldr: I feel like there must be a reason beyond artificial market segmentation that not all laptops have it
<samueldr>
sphalerite: probably cost
<danderson>
It's a pity, because the XPS 15 is a nice machine, if you're okay with nvidia GPU and the weirdness that comes with hybrid graphics
<samueldr>
sphalerite: a penny saved on production is a million in the bank
<sphalerite>
:)
<danderson>
(e.g. the DisplayPort output is connected to the nvidia GPU, so if you want external display the power hungry nvidia GPU must be on all the time)
<sphalerite>
danderson: how power hungry is it when mostly-idle?
<danderson>
(in theory that shouldn't be necessary, but it requires support for "Reverse PRIME", which allows the intel GPU to output via the nvidia framebuffer... but reverse prime doesn't work on linux)
<danderson>
sphalerite: like 90 minutes of battery doing basic browser+terminal stuff?
<danderson>
really bad :/
<samueldr>
that's another issue, I really don't want nvidia stuff in my laptop, so some of the market is out, but thankfully it's also the segment which is pricier
<sphalerite>
danderson: oh ok, I didn't consider mobile use with an external display
<samueldr>
ideally it'd be a ryzen 2-in-1 with 16 GiB or better, upgradable storage
<danderson>
if you force nvidia off (you have to do it in BIOS, because linux fails to power down the GPU on this laptop, because it's wired up weird), it's more like 5-6 hours
<samueldr>
and coreboot!
<sphalerite>
danderson: which xps 15 is it?
<danderson>
sphalerite: 9570, so the "previous" model
<sphalerite>
samueldr: yes, same, nvidia is a pain
<samueldr>
hopefully more than the asus g14 will end up being good ryzen laptop choices
<sphalerite>
danderson: oh ok, I had the 9560 for a while. had some funkiness with the graphics there too
<danderson>
after the thunderbolt controller died, I replaced the XPS 15 with a Thinkpad T495, and I <3 it
<sphalerite>
danderson: there were some weird kernel parameters I passed which made powering the GPU on/off work just fine
<danderson>
AMD CPU+GPU, works perfectly with the open source driver, super light on power consumption, but the iGPU is also powerful enough for some light gaming
<sphalerite>
hm, I'm waiting impatiently for the AMD T14 or T14s to come out to get it as a new work laptop
<danderson>
no coreboot though, AMD is just as stupidly protective of their platform initialization code as intel :(
<sphalerite>
(still undecided on T14s vs T14)
<danderson>
(on AMD, it's "AGESA", the proprietary blob they give to motherboard manufacturers for CPU+chipset init)
<samueldr>
danderson: I don't know that it is "protective of initialization code", but rather that in a big chunk of the market the cpu validates the firmware with built-in keys
<samueldr>
reducing the user's agency
<sphalerite>
we need ryzen chromebooks :D
<samueldr>
I mean, you can have modern intel-based platforms with intel
<samueldr>
oops
<samueldr>
with coreboot*
<danderson>
same result, I'd argue: AMD is just as hostile to open firmware as intel is
<samueldr>
(and amd, but they're in the lower end)
<danderson>
difference being, someone found a ROM vulnerability in intel chips that let you break firmware security completely :)
<samueldr>
oh, they are hostile to *their* parts being open, but coreboot can and does use their closed parts
<danderson>
right. As a motherboard manufacturer, you could choose to use coreboot alongside AGESA or intel's platform support blobs
<danderson>
chromebooks I'd almost consider a separate platform at this point. It's great work, but not generalizable
<danderson>
system76's work is pretty great though!
<samueldr>
hm?
<samueldr>
they still are x86_64 platforms, but they don't boot using a UEFI payload by default
<samueldr>
though their design enables the full AGENCY (thanks) of the user, and they can be flashed freely and safely
<danderson>
sorry, I mean: chromebooks have a great boot path story, but it's tied strongly to the OS. AFAIK, if you flip the switch to let you install anything, it disables all boot path security
<samueldr>
(and securely!)
<samueldr>
not all, but it breaks assumptions
<danderson>
unless you can reenable it with custom keys? I thought it was just "turn off all the safeties", with the only way to reenable being "powerwash back to ChromeOS"
<samueldr>
I don't remember what it was with custom keys enrollment status
<danderson>
in general, I'd love for ChromeOS's general architecture to be how we boot all linux laptops, it's a really strong architecture
<danderson>
... as long as I can control the keys.
<samueldr>
qyliss: I think you have fresher research on that, what's the status for that?
<samueldr>
I believe since the cr50 this can be done securely
<samueldr>
but I'm not 100% positive
<qyliss>
Well, you can install all your own firmware and stuff
<qyliss>
so it's definitely possible
<danderson>
can you reenable all the boot path security once you're done? (i.e. write protect, secure boot, all that jazz)
<qyliss>
oh yeah I think so
<samueldr>
the cr50 mediates writing, and you can lock it with a passphrase IIRC
<samueldr>
and it's, by design, supposed not to unlock in any way if you can't recall the passphrase
<samueldr>
(not 100% sure about the last part)
<samueldr>
(and obviously, bugs are not by design)
<qyliss>
All the Coreboot stuff on Chromebooks absolutely generalizes though
<danderson>
looking around, looks like there's been a lot of changes since I last looked. I was still at the "remove the write protect screw" stage
<qyliss>
You can run Coreboot with SeaBIOS OOTB on a Chromebook
<danderson>
but now there's ccd and whatnot
<samueldr>
yeah, it evolved quite a bit
<samueldr>
with the screw, yes, screw the security, pardon the pun
<qyliss>
There's not a lot in Coreboot (if anything) specific to depthcharge
<sphalerite>
samueldr: idk, IMO the screw is still a well-thought-out model where you know what the weaknesses are
<samueldr>
sphalerite: I do tend to agree, but it seems that point of view is mostly verboten security wise :/
<sphalerite>
samueldr: I don't think there's any particular protection in cr50 models against it being disassembled and the flash chip clipped for firmware replacement?
<samueldr>
I don't think there is
<danderson>
standard security rant: "it depends on your threat model, what is your threat model?"
<samueldr>
exactly
<samueldr>
I was trying to write those words for a while: all of this starts crumbling down the moment the device can be disassembled and the chip reflashed from the outside
<sphalerite>
yes, and my argument is that the write protect screw isn't worse than the cr50 assuming a threat model of "someone can have enough access to actually unscrew the screw"
<danderson>
sphalerite: it looks like cr50 is designed to be a security intermediate, so it might be validating firmware before allowing execution?
<samueldr>
that's the part I'm unsure, if there is a way to enroll keys with cr50 or not
<qyliss>
edef might know
<sphalerite>
the cr50 is definitely a lot more _convenient_ for the legitimate user, and I think it's just as secure under the same model
<samueldr>
I think it all depends on whether the cr50 can enroll or not
<samueldr>
though I will say that the screw is just a tad bit more insecure
<sphalerite>
I think it won't prevent anything from running on the AP, but will deny access to encryption keys it controls
<sphalerite>
if set up appropriately
<samueldr>
you can remove *1* screw to get access, while cr50 can be locked with a passphrase, that is analogous to that screw
<sphalerite>
so I highly doubt you can get to a chrome os user's data by disassembling and reflashing the firmware
<sphalerite>
and you can build that same level of assurance for yourself, but it's tricky.
<sphalerite>
At least as far as I know
<danderson>
afaict the cr50 acts as the system's TPM, so switching modes should be equivalent to blowing away the TPM's keys
<sphalerite>
switching modes?
<danderson>
which, if CrOS is designed properly (I'm sure it is), would render inaccessible any user data cached on the device
<samueldr>
yeah, sorry, I was operating under the assumption of a non-chromeos system
<danderson>
what the wiki calls "ccd open" mode
<samueldr>
and with a custom firmware payload e.g. tianocore
<sphalerite>
danderson: ah, yes
<danderson>
which is the mode where you get complete control over firmware flashing and other security knobs
<sphalerite>
danderson: well, sort of. You need to enter developer mode to get there, which wipes the keys _and_ the data
<danderson>
but part of that process seems to reset the cr50's TPM into an unlocked developer mode - which should nuke any keys issued by the TPM to secure the rest of the platform
<sphalerite>
danderson: but I think reflashing the firmware is typically still possible without any use of that — just that at that point the firmware verification on the cr50 will fail and even if it allows booting it won't allow access to the keys
<sphalerite>
not sure if it will actually wipe them
<sphalerite>
danderson: that is, reflashing it in hardware, bypassing the cr50.
<danderson>
yeah, can't figure that part out yet. There's indications that the cr50 is battery-powered and keeps asserting the write-protect lines of the chips even when the laptop is powered off
<danderson>
but a supported way of unlocking is to open the case and disconnect the battery
<gchristensen>
I took the NixOS challenge, ldlework, and it took about 15 minutes of work and 4h of data transfer
<sphalerite>
worst case you can lift the chip off to unassert the write-protect lines
<ldlework>
gchristensen: nice!!!
<ldlework>
did you record any of it?
<sphalerite>
danderson: wait, unlocking the cr50 by removing its power?
<gchristensen>
ldlework: nah...
<ldlework>
doh
<gchristensen>
it was just `git clone` then figuring out how to pass the right flags to zFS then nixos-install and reboot
<sphalerite>
while I like the idea of the nixos challenge, the name reminds me way too strongly of the tide pod challenge :x
<danderson>
sphalerite: by cracking open the case and removing battery power from the cr50
<samueldr>
danderson, sphalerite: I think it makes sense, with early cr50 you *had* to unpower the device by unplugging the battery IIRC
<danderson>
so, same security level as the write protect screw
<danderson>
basically: if you have physical access and time to open the laptop, you can do whatever you want.
<sphalerite>
I'm not convinced, that seems like an avoidable scenario.
<danderson>
the main thing newer cr50s bring to the table is "closed case debugging", where you can do all this stuff without opening the case, given a special cable and procedures
<danderson>
(which actually makes me wonder about tamper evidence... If I take a suzyQ cable to your chromebook, unlock it and flash a malware'd firmware... how would you know?)
<cole-h>
gchristensen: The NixOS challenge?
<gchristensen>
cole-h: erase your computer and get back to your work env as quick as possible
<cole-h>
Oh. I've been waiting on that for the past few days... x)
<joepie91>
oof
<sphalerite>
danderson: well, because the regular unlock method wipes all the data
<sphalerite>
danderson: I'm still unsure you can unlock it without wiping it.
<gchristensen>
it took 15 minutes :) (4h to restore my homedir data... but only because my backup server isn't feeling well.)
<danderson>
oh no, you can't, it'll be wiped. But isn't the point of chromebooks that there's nothing important locally anyway?
<gchristensen>
but now I'm off of LUKS and on to zfs-encrypted rot
<gchristensen>
root*
<cole-h>
Oh, you were on luks before?
<gchristensen>
yea
<cole-h>
Cool, welcome to the encrypted root team :D
<cole-h>
ZFS-encrypted* root
__monty__ has quit [Quit: leaving]
<sphalerite>
danderson: absolutely. That would require a system which can verify itself to the user via OTP
<sphalerite>
danderson: which is possible with the cr50, just not implemented in chromeos
<sphalerite>
danderson: but if you have adversaries who are going to these lengths, you're probably screwed anyway :/
<sphalerite>
If that's your threat model maybe you should just not use any computers
<danderson>
sphalerite: there's a googler who did a great demo of that actually
<sphalerite>
danderson: samueldr: also, it's terrible how long it took me to discover that my chromebook may have CCD, but it also has a write protect screw.
<danderson>
with tpm2 attestation over bluetooth
<sphalerite>
over bluetooth? ok…
<sphalerite>
it took me so much frustration to discover that I also had to remove the screw to be able to flash the firmware via the cr50, no matter how open it may be
<danderson>
the idea being: the system boots until the initrd, with secure boot. The initrd brings up bluetooth and sends an attestation to your phone, which proves that yes, the TPM verified that yes, all firmware, bootloader, kernel and initrd are what you expected
<danderson>
so you can verify that everything is authentic before you type your disk unlock passphrase
<sphalerite>
yeah
<sphalerite>
just, I wouldn't have thought of bluetooth for that
<sphalerite>
more like it displays a TOTP and you verify it manually
<danderson>
by requiring remote attestation to a different device, you remove the problem of "maybe I can't trust this computer at all"
<sphalerite>
yeah
<danderson>
yeah the problem with that is that if your firmware is compromised, what stops it from displaying the "correct" verification info
<sphalerite>
it not knowing the correct verification info
<energizer>
where are people putting their github ssh keys these days?
<danderson>
by forcing an attestation through the TPM, you elevate the attack to "must compromise the TPM"
<sphalerite>
danderson: yes, I mean an attestation by the TPM, just not via bluetooth
<danderson>
which... you know, isn't as hard as it should be, thanks Infineon vulnerabilities
<samueldr>
energizer: on my public dropbox /s
<sphalerite>
energizer: Ha, nice try! :p
<danderson>
sphalerite: problem with that is you have to do a signature verification, which is hard on a display
<danderson>
that's why the bluetooth bit - the phone can verify the cryptographic signature for you
<danderson>
I guess you could display the attestation as an ascii art QR code
<danderson>
"scan to verify"
<qyliss>
That's what Heads does
<qyliss>
oh wait no not for the otp bit
<sphalerite>
danderson: it depends on the capabilities of the TPM, but there's no technical reason the secret store in it can't be a TOTP secret and it spits out the 6-digit code
<sphalerite>
danderson: which should be pretty easy to verify manually with a phone/one of those hardware TOTP thingies
<danderson>
hm. Not sure how that would work. You have to compare the PCR values against the expected known-good ones
<danderson>
and even tpm2 doesn't give you a totp primitive afaik
<qyliss>
TOTP doesn't have to be a primitive
<danderson>
the best you get is "only allow crypto ops on key X if PCR state is Y"
<qyliss>
You just store a secret
<qyliss>
Then you ask the TOTP for the secret, which you only get if the state is correct
<qyliss>
Like, this exists and I'm using it on the computer I'm typing this on
<sphalerite>
of course, TOTP being a primitive would be even cooler :p
<danderson>
hrm. That's not ideal, in that the secret leaves the TPM
<danderson>
but again, depending on the threat model, sure, that works
<qyliss>
Only on an uncompromised firmware though
<sphalerite>
Yes, if malicious RAM is part of your threat model that's bad.
<qyliss>
So as long as you can vouch for your firmware not doing anything bad with that secret, it shouldn't matter
<MichaelRaskin>
Well, only if firmware compromise status is the same as TPM compromise status
<danderson>
I guess as long as the initrd or whatever then alters the TPM state so it can't be read again after the verification phase, that's fine
<qyliss>
You'd want to do that before initrd probably
<danderson>
the thing I'm thinking through is a combined attack where you get a non-persistent access to the unlocked machine (so you can exfil the secret), then replace the firmware
<danderson>
it's clearly cranking up the difficulty and probability of the attack :)
<sphalerite>
qyliss: jw, what do you use to verify it against?
<qyliss>
phone
<danderson>
but if you ratchet the TPM state after verification so that the secret can't be read again by the rest of the system, LGTM
<sphalerite>
danderson: non-persistent access to the unlocked machine is a bit of a pain anyway :p
<danderson>
(although then that opens questions of how you update stuff, etc.)
<qyliss>
but I'd like to have this do a pubkey signature and produce a QR code instead
<qyliss>
So I didn't have to keep a copy of the secret on the phone
<sphalerite>
yeah that sounds good
<danderson>
sphalerite: I dunno, 0days aren't _that_ hard to come by. Persistence without getting detected is still tricky though, but a drive-by exfiltration is a bit easier
<danderson>
but again, this is all raising the difficulty significantly for the attacker
<sphalerite>
I should really have a go at putting at least some of this into practice x)
<danderson>
at this point you're constructing a custom attack for that one specific target
<sphalerite>
do I even have a TPM on my main laptop? x)
<danderson>
... and if you've become that interesting to someone with the capability of executing that attack, you're probably screwed already
<sphalerite>
^
<sphalerite>
and you're lucky if they still have to stick to covert methods.
<sphalerite>
yep, that's exactly what I mean by not-covert methods >_<
<sphalerite>
I like the alt-text though
<danderson>
yeah. The unfortunate tongue in cheek joke about gmail reading all your email was "I've read your email, you're not that interesting"
<sphalerite>
Anyway, I still appreciate that chromeos pushes the envelope of the level of security available to the consumer while also making it possible for tinkerers to have the same assurance while having control over the code that's running.
<danderson>
yup. The industry _should_ be raising the baseline difficulty of attacks to "every attack is a customized attack".
<sphalerite>
(modulo the code running on the cr50, which can be updated with a signed image and I'm pretty sure would be the weapon of choice of, say, US intelligence agencies.)
<danderson>
and unlike intel, they seem to be doing it such that the end user still retains control if they want it.
<sphalerite>
exactly
<danderson>
... oh. I thought cr50 would have non-updateable firmware
<sphalerite>
hah no
<danderson>
yeah, that's a pretty large "still have to trust google" hole in the system
<danderson>
but yay for reducing the trust surface, I guess.
<sphalerite>
http://www.loper-os.org/?p=2433 for a somewhat paranoid and foul-mouthed but AFAICT technically competent analysis
<danderson>
"NSA-imposed atrocity" okay...
<danderson>
yeah okay, so, standard "verify firmware before flashing" combined with a non-replaceable key. Pity.
<qyliss>
I would like to try to reproduce the cr50 firmware
<danderson>
that would definitely be a great alternative to having write access
<sphalerite>
I mean, on the one hand it's good to be able to patch potential security holes in the cr50 firmware. On the other, as stanislav mentions it's a power differential.
<sphalerite>
danderson: doesn't help with verifying its integrity.
<danderson>
sphalerite: at that point we're assuming hardware compromised at manufacturing time, and it's time to abandon all computers
<danderson>
if you can't trust the chip to write and use the firmware you give it, you're fundamentally screwed
<danderson>
and the only fix to that is "make your own hardware", which, :/
<danderson>
(or at least build up the capability to analyze modern chips and find unexpected things within - but that's still extremely difficult)
<sphalerite>
I mean in terms of an attacker being able to write it too
<sphalerite>
anyway
<sphalerite>
all this is very theoretical, I should start by getting on qyliss's level :p
<danderson>
I assumed qyliss's goal was to verify that the provided binary blob matches the source code, or at least provide a small auditable diff in the binary
<danderson>
rather than have to audit a multi-megabyte blob in its entirety
<sphalerite>
I mean getting on qyliss's level in the sense of actually having some evidence that my laptop's firmware remains unchanged when I type my passphrase in
<gchristensen>
hrm. something doesn't work correctly when my home directory has spaces in it
<infinisil>
I wonder how much it would break things if your home dir had newlines in it
<gchristensen>
might make it easier to figure out the problem
<gchristensen>
is there still a search engine for ... all ... the oss?
<sphalerite>
danderson: lol "asciilifeform: one interesting observation, is that the update mechanism lets you flash in arbitrary crapola into 'rw' section ( it simply won't jump to it if it doesn't pass rsa(sha256(payload)) ) . so theoretically could put a nop sled there, ending with jump into the magic half of unlock routine. and then expose the thing to beta/gamma, and perhaps in a few months it will Do The Right Thing"
<sphalerite>
gchristensen: what do you mean?
<gchristensen>
ohhh I see what's going on.
<gchristensen>
"No directory, logging in with HOME=/" then "Cannot execute /Documents and Settings/grahamc:/run/current-user/sw/bin/zsh" having a : in my home directory is breaking the passwd parsing
<aminechikhaoui>
seems for example for both python's requests lib and curl just using nix-shell to grab a more recent version fixes the problems with host using Sectigo for certificates
<aminechikhaoui>
I thought most of the libraries would go through the global /etc/ssl/certs? or does openssl do some different magic?
<gchristensen>
samueldr: thanks for the tip, that was needed: [grahamc@Petunia:~]$ pwd
<gchristensen>
/C∶/Documents and Settings/grahamc
<samueldr>
heh
<gchristensen>
I just need to fix one final thing
<samueldr>
though I'm just a bit sad how full colon didn't work
<gchristensen>
grahamc needs to be Administrator
<samueldr>
time to patch whatever parses passwd!
<emily>
as I understand it certificate validation logic was changed in several libraries like openssl 1.1
<sphalerite>
emily: cool, thanks for the link!
<samueldr>
gchristensen: out with root, in with SYSTEM
<sphalerite>
aah samueldr beat me to it :p
<emily>
and it's not about trusted CAs per se (because the certificates also tend to chain up to other trusted certificates). but I might be misunderstanding, this is just what I read online
<sphalerite>
I do wonder how well a uid0 not named root would work
<gchristensen>
haha
<samueldr>
it does IIRC
<samueldr>
IIRC gobolinux has gobo?
<samueldr>
or had?
<sphalerite>
I think I had a router at one point which had "admin" as uid0
<sphalerite>
(consumer stuff)
<aminechikhaoui>
emily oh, that might explain why just using newer packages through nix-shell work as it pulls openssl 1.1 I think
<sphalerite>
samueldr: I mean how well it would work on nixos as is :)
<emily>
gchristensen: rename root to SYSTEM too
<gchristensen>
:)
<sphalerite>
emily: samueldr beat us to that one :p
<emily>
oh no
<gchristensen>
oh shoot lol firefox is VERY upset with me right now
<samueldr>
gchristensen: spaces?
<samueldr>
if it's upset at spaces, it's... not good
<sphalerite>
emily: I like the added suggestion from pgeorgi "[edit to add: would a mechanism to disable the update mechanisms, at the price of "no warranty" since RMA becomes impossible be acceptable to you? Or would you suspect that there's another update mechanism anyway?]"
<sphalerite>
danderson: ^
<gchristensen>
samueldr: maybe just $HOME changing underneath its config
<emily>
matrix lag totally ruined my comedic timing
<samueldr>
ah, possible
<samueldr>
emily: matrix is for business, IRC is for shitposting
<emily>
worst bouncer
<sphalerite>
and the bridge between the two is for being late to the party
<sphalerite>
wait wtf when did it become 00:25
<samueldr>
probably I'd say about a minute ago
<sphalerite>
gchristensen: I don't think it will break anything that your previous suggestions don't already break, but I think a backslash for good measure wouldn't hurt
<sphalerite>
samueldr: I guess I walked right into that one.
<sphalerite>
Anyway, I think it's about time for me to walk right into bed.
<sphalerite>
Night night folks!
<samueldr>
'night!
<gchristensen>
I *was* thinking about using C:\Documents and Settings\Administrator
<joepie91>
I have deployed the same tinc configuration to three servers.
<joepie91>
two of them have a working VPN. the third does not.
<joepie91>
🤔
<joepie91>
relatedly: my kingdom for VPN software that will actually tell you what's wrong
drakonis_ has quit [Read error: Connection reset by peer]
<joepie91>
in its logging or error messages or whatever
<joepie91>
"Failed to verify SIG record from" -- great, what's a SIG record, why did it fail to verify
drakonis_ has joined #nixos-chat
<gchristensen>
samueldr: I think if I use C:\Documents and Settings\Administrator for $HOME, no need to fix the perms on intermediary dirs, since my home dir is a child of /
<joepie91>
this has, for I'm pretty sure the third time, cost me two days of my sanity
<joepie91>
coming soon: a PR to disable the tinc service's key gen
<joepie91>
(option to disable it, that is. or maybe default, I don't know)
<joepie91>
it makes it incredibly difficult to debug deployment failures when you manage your secrets externally and don't realize that the key on the server isn't actually the deployed secret but some randomly-generated one
<joepie91>
not really sure what the point of the keygen is anyway, VPNs are necessarily multi-system setups, so it doesn't make much sense to have the service auto-generate a key...
<gchristensen>
is it a preshared key?
<joepie91>
gchristensen: nop, keypair
<joepie91>
so you're expected to fish out the generated public key and put it on other servers, which makes any deployment of tinc through Nix necessarily a two-rebuild process minimum
<joepie91>
(per system)
<samueldr>
gchristensen: using backslashes is plain evi
<samueldr>
evil*
<joepie91>
which isn't really practical, it's easier to just give people a command to generate a keypair first and then let the user put it in the right place in whatever their management setup is
<joepie91>
without making that somehow weirdly dependent on doing a rebuild with the service enabled - and failing - first?
<gchristensen>
samueldr: yeah, I'm not sure I want to tempt that fait
<gchristensen>
...fate...*logs off*
buckley310 has quit [Quit: Connection closed for inactivity]
<gchristensen>
tbh I am considering undoing. a few things have broken just from the new home dir, and I'm not really ready to deal with the fallout
<cole-h>
F.
<samueldr>
ln -s ?
<gchristensen>
yeah but it gets increasingly complicated given each reboot
<samueldr>
or a fuse fs mount that binds mount with tracking and maybe even slowness?
<gchristensen>
it is erased
parsley936 has quit [Remote host closed the connection]
<ldlework>
what's a nixlang thing for permutations?