the-mentor has quit [Quit: Ping timeout (120 seconds)]
thestr4ng3r has joined #asahi-dev
odmir has joined #asahi-dev
the-mentor has joined #asahi-dev
snalty has joined #asahi-dev
Gaelan_ has joined #asahi-dev
Gaelan has quit [Read error: Connection reset by peer]
maor26 has joined #asahi-dev
<j`ey>
arnd: how does linux-next know which branches to pull from your soc.git?
<arnd>
j`ey: the process is to send an email to sfr to ask him to add a branch. What I did specifically is to have a 'for-next' branch and I merge all of my branches into that
<j`ey>
arnd: ah ok, so you'll just merge the new branch into for-next
<j`ey>
I have a patch in will's for-next, so I guess that will be in 5.12
<arnd>
marcan: do you have a git tree somewhere other than github.com that you can use for sending pull requests? For the initial merge, separate patches will be fine, but in general, I prefer pull requests, and github is slightly annoying: it's often really slow for pulling kernel trees for some reason, and it's generally less trusted than a tree on kernel.org or one you host yourself
<marcan>
I can set something up real quick; I have git.marcan.st but that's on the wrong continent, I can make git.asahilinux.org happen :)
<arnd>
marcan: note that you can ask for a kernel.org account that allows you to host git trees and one email alias there once you are listed in the MAINTAINERS file and have a sufficiently connected gpg key
<marcan>
that works too, though my gpg key isn't terribly well connected (and honestly I should probably rethink that thing and make a new one, it's kind of old)
<arnd>
marcan: ok either one of those is fine for pull requests, or you keep using separate patches until you have a kernel.org account
<arnd>
if the gpg key is really old, it might be too short, I think the minimum is now 2048 bits
<j`ey>
arnd: is the mailing list process still the same with pull requests? just that you also have a branch on git somewhere?
<arnd>
j`ey: yes, you just send an email with the subject containing [GIT PULL] instead of [PATCH], and the body generated by 'git request-pull', and pointing to a tag with gpg signature and a description
<marcan>
oh, it's 4K, it's not *that* old, but I've never been terribly happy with the security of it, especially considering I do better in other places these days (e.g. yubikeys)
<marcan>
but SSH and U2F let me use many yubikeys, while I can only have one gpg key... and I don't want to mix GPG and SSH usage...
<j`ey>
arnd: I see, I'd only seen that (so far) for requesting Linus to pull, not individual series that needed review
<arnd>
j`ey: review is always by email on the list, the pull request is what you'd send once the series is fully reviewed and ready to be merged. I usually do some final checks on the pull request to make sure the contents match up with the description, and the signature is valid then
<arnd>
I assume yubikey works the same
<marcan>
yeah, for signing kernel tags honestly that's probably the easiest way, it would just be a key dedicated-ish to that; I just don't want to make that "my" gpg key for email/etc, because then that ties me to the physical thing
<marcan>
I should dig up that ROCA-vulnerable yubikey from a drawer somewhere; those are fine if you import keys externally, which I would want to do to keep an offline backup anyway (I don't mind having a backup, I have a pretty safe place for that stuff, as long as I don't have to access it normally)
<marcan>
hm, maybe I can use the subkeys stuff to make this more sensible
<arnd>
marcan: regarding signatures on the key, the document I linked to says you need at least one signature from someone who is connected to torvalds, but IIRC the requirement for getting a kernel.org account is three such signatures. If you have trouble finding kernel folks to sign your kernel locally, we can probably arrange for me to sign your kernel through some video chat
<marcan>
locally might be tricky, especially with the pandemic :-)
<marcan>
arnd: this isn't blocking for the v2 review, right?
<arnd>
marcan: no, I'm happy to apply the patches from email, or by applying with the same amount of care when I get a pull request
<marcan>
I'll send out v2 shortly then, and spend some time this week giving a bit of thought to this
<arnd>
and once I pulled from you once, I would generally also assume it's fine if future pull requests are signed by the same key. The 'one connected signature' requirement is specifically if you send a pull request to torvalds yourself
<marcan>
ah, right
<marcan>
and for the account stuff
<arnd>
having signatures on the key does give a better feeling about it of course
<arnd>
for the account, I don't think there is a way around the minimum three signatures
<arnd>
maybe check if any of the people that signed your old key are already on the kernel keyring
<marcan>
unlikely, but I'll check :)
<marcan>
anyway, I'll probably wind up with a new key, this has been on my TODO list for a while
bgb has joined #asahi-dev
bgb has quit [Ping timeout: 240 seconds]
<maximus64>
I also used yubikey for my gpg key and I keep my master key offline on an air gap computer. Downside to this is every time you need to renew or sign other keys, I have to do it on the offline computer
bgb has joined #asahi-dev
Necrosporus has quit [Ping timeout: 246 seconds]
bgb has quit [Ping timeout: 264 seconds]
bgb has joined #asahi-dev
bgb has quit [Ping timeout: 265 seconds]
bgb has joined #asahi-dev
bgb has quit [Ping timeout: 240 seconds]
bgb has joined #asahi-dev
bgb has quit [Ping timeout: 265 seconds]
<modwizcode>
I've tried a few times to maintain a key and I always lose it, but I don't have much reason to use it for anything.
<modwizcode>
I think my current key is actually safe, when keybase came out I set up everything so that worked. So keybase has an encrypted copy of my key and I think I have a backup printout and the password I actually remember.
<modwizcode>
I think that's how that all works
<modwizcode>
GPG is kind of meaningless without signatures on your key and people to use it with
bgb has joined #asahi-dev
bgb has left #asahi-dev [#asahi-dev]
marcan_ has joined #asahi-dev
marcan_ has quit [Client Quit]
Necrosporus has joined #asahi-dev
maor26 has quit [Ping timeout: 265 seconds]
<sven>
I have an offline master key with subkeys on yubikeys (signing/authentication ones generated on the device, encryption key imported with an offline backup). the only two things I used it for are ssh and encrypted backups
<Glanzmann>
marcan: If you have a yubikey with the broken random number generator, you could apply for a new one. This is how I got two new yubikeys for free.
<Glanzmann>
marcan: I had for a very long time my gpg key, and still have, but no longer use it, on a yubikey. I did it with three keys, one master, one for authentication, one for signature. I still use it for ssh also. I sometimes have to work on Windows, where there is no good gpg agent forwarding, so I can't use gnupg remotely. If I should send you my notes, let me know.
<Glanzmann>
If you guys need help with mutt, let me know. I wrote 17 years ago or so the mutt header cache and I'm a mutt power user. I also configured vim to strip consecutive empty lines out and do other stuff that is helpful for inline answering.
<marcan>
Glanzmann: I did, I just still have the old one
<Glanzmann>
Nitrokeys are nice, I read about them earlier, I think, but they did not support 4Kbit RSA which I've used for quite a while.
<Glanzmann>
marcan: I see. :-)
<marcan>
but it makes sense to use it for a master key with a backup, because then you're generating keys externally anyway, so the bug does not matter
<marcan>
it's not a broken RNG, it's a broken algorithm :)
<Glanzmann>
My old one broke down, so I replaced it with a new one. The one that you put in the usb slot and does not look out.
<Glanzmann>
marcan: Oic.
<Glanzmann>
I only remember, that when you generate keys on it, they're weak. But I would never do it, because devices break or get lost.
<marcan>
well, it's fine for ssh keys, which is what I use yubikeys for
<marcan>
since I have a bunch of them
<marcan>
I also use them for OATH TOTP and for that, I always put the seeds into two, so I have a backup
<Glanzmann>
Same for me. :-)
<Glanzmann>
And of course, I have an offline backup as well.
VinDuv has joined #asahi-dev
<marcan>
Glanzmann: re nitrokey, it's not fully open source; not the proper secure element ones anyway
<marcan>
same proprietary NDA'd SE as everything else, also the open code for the SE is written in... BASIC.
nkaretnikov has quit [Ping timeout: 264 seconds]
eric_engestrom has quit [Ping timeout: 272 seconds]