2024-11-01 02:46:47 <orchardstreet22> how do you check what the release version is of the installed kernel on Alpine?
2024-11-01 03:44:29 <WhyNotHugo> orchardstreet22: 'apk info linux-edge' or 'linux-lts', depending on what you're using
2024-11-01 03:45:02 <WhyNotHugo> You can also check the _running_ kernel with 'uname -r'
2024-11-01 06:47:42 <tuzu> Hello, is there any way I can make udhcpc start faster during boot? Right now it spends couple seconds with the message "udhcpc: broadcasting discover" 4 times until it starts. I read on the wiki that you can add async run level which I did and moved chronyd to it which made my boot faster, but when I did the same with networking it still starts as if it was in boot, any way I
2024-11-01 06:47:44 <tuzu> can make udhcpc start faster?
2024-11-01 07:06:51 <tuzu> OK moving it to async run level solves it but it still prints the output and I need to press enter to get to login prompt after wich it continues to print to my tty. Is there a way to supress the output and get swtraight to login prompt?
2024-11-01 10:42:21 <donoban-woops> I'm getting this error on firefox 'Cannot play media. No decoders for requested formats: application/vnd.apple.mpegURL' , any idea if I could fix installing some package?
2024-11-01 12:11:28 <frag> is unrar in repo? only find it in the bash-complertion package
2024-11-01 12:11:50 <ikke> It is not, since it's not free to redistribute 
2024-11-01 12:12:03 <ikke> bsdtar can handle rar files though 
2024-11-01 12:14:32 <frag> thanks!
2024-11-01 12:26:18 <q66> ikke: unrar is redistributable
2024-11-01 12:26:24 <q66>  it's just non-free
2024-11-01 12:27:03 <q66> bsdtar can handle a subset of rar files
2024-11-01 12:27:11 <q66> a lot of them don't work in practice
2024-11-01 12:36:36 <j_v> is there a way to get gpg-agent to forget previous successful pinentry, without killing it?
2024-11-01 12:42:02 <j_v> nvrmnd, found it
2024-11-01 15:03:16 <frag> damn, epr from repo is nice epub reader, so cozy
2024-11-01 15:04:40 <hodapp_> cozy?
2024-11-01 18:12:18 <vkrishn> hi, i have current months' irc log (html version) available here, https://m.insteps.net/irclogs/alpine/ , will move to better named domain soon, suggestion to improve welcomed
2024-11-01 20:04:52 <f_> vkrishn: looks really cool
2024-11-01 20:12:34 <orchardstreet22> WhyNotHuge: I'm so confused, uname -r returns linux-lts-6.6.58-r0, I thought I was supposed to be on r1 on Alpine 3.20.03 as of now
2024-11-01 20:12:47 <orchardstreet22> i mean WhyNotHugo
2024-11-01 20:14:54 <scorpion2185[m]> there is not enough space 😂
2024-11-01 20:19:15 <vkrishn> :)
2024-11-01 21:40:28 <eddsalkield> I'm having issues with fusermount3 when running a flatpak. It seems to be to do with the desktop portal
2024-11-01 21:41:05 <eddsalkield> I'm getting `fusermount3: failed to access mountpoint /tmp/xdg_runtime_dirs/1001/doc: Permission denied
2024-11-01 21:41:40 <eddsalkield> I can't seem to chmod this `doc` directory, I assume it's been made and is managed by the portal
2024-11-01 21:41:47 <eddsalkield> any ideas on how to debug this?
2024-11-01 22:58:20 <zcrayfish> orchardstreet22: did you reboot after installing the update?
2024-11-02 01:37:08 <tokyovigilante> hey, is anyone using QEMU with a Windows host? I can't get a standard network (QEMU bridge to tuntap guest device) to work and wonder if I'm missing something
2024-11-02 02:02:42 <durrendal> Did you install the virtio drivers in the windows VM?
2024-11-02 02:03:50 <durrendal> http://www.linux-kvm.org/page/Virtio <- these to be more specific. 
2024-11-02 04:35:31 <tokyovigilante> durrendal: thanks, I did.
2024-11-02 04:36:06 <tokyovigilante> Turns out it was a nftables issue, the default NAT setup needs these extra rules -> https://forums.gentoo.org/viewtopic-p-8752687.html?sid=993eeba614dd1db9d8dce9c0eb625bf6#8752687
2024-11-02 04:36:28 <tokyovigilante> Needs more setup, but Alpine really is a great desktop distro
2024-11-02 12:58:58 <lrvick> Hey, I am currrently trying to understand the supply chain risks in Alpine Linux to understand the threat model and the use cases it is and is not appropiate for. Currently it seems builds are made with registry.alpinelinux.org/alpine/infra/docker/alpine-gitlab-ci:latest
2024-11-02 13:00:28 <ikke> lrvick: That's just for CI purposes
2024-11-02 13:00:47 <lrvick> But doesn't the CI sign the builds?
2024-11-02 13:02:06 <lrvick> and the keys are just made with abuild-keygen on each CI node, so they are extractable keys and not stored in a TPM or TEE unless I missed something?
2024-11-02 13:04:57 <ikke> Our builders are separate from our CI infra
2024-11-02 13:05:04 <ikke> CI is just for testing merge requests before merging them
2024-11-02 13:05:35 <lrvick> Ah, that is helpful. Is there any transparency on the builders and how they are managed then?
2024-11-02 13:06:24 <lrvick> E.g what build images they use, how they are hash locked, etc?
2024-11-02 13:07:00 <ikke> We do not use docker for the builders
2024-11-02 13:08:31 <ikke> They are lxc containers
2024-11-02 13:08:39 <ikke> https://pkgs.alpinelinux.org/package/edge/main/x86_64/aports-build
2024-11-02 13:12:38 <lrvick> If I am asking questions that are well documented somewhere please by all means RTFM me, but to clarify...
2024-11-02 13:13:07 <lrvick> So the build machines run aports-build, which in turn build and sign all packages, including new copies of aports-build.
2024-11-02 13:14:18 <lrvick> presumably these machines are themselves running alpine, which then run alpine lxc-containers, which then run aports-build?
2024-11-02 13:14:38 <lrvick> is this setup maintained by hand, or via automation of some kind?
2024-11-02 13:16:26 <ikke> lrvick: maintained by hand
2024-11-02 13:19:09 <lrvick> Okay. Is it then accurate to say build-machine maintainers ssh to the build machines, and thus have plaintext access to the global package signing keys from their personal workstations?
2024-11-02 13:26:26 <lrvick> I guess to ask bluntly, are there are any mitigations in place today (or even planned) to prevent the compromise of a personal ssh key of an alpine build-machine maintainer being able tamper with any alpine package without detection?
2024-11-02 13:36:22 <ikke> lrvick: At the moment, there are not a lot of controls in place, except that the people having access is very limited (2 or 3, depending on the arch). 
2024-11-02 13:36:34 <ikke> We do have plans to redesign the builder architecture
2024-11-02 13:40:01 <durrendal> This conversation is fascinating. Does there exist any monitoring or out of band logging and alerting that would catch such tampering?
2024-11-02 13:40:49 <ikke> I am working on exporting syslog, but not in place everywhere yet
2024-11-02 13:41:00 <durrendal> Is MFA enforced on the SSH keys that access the build systems? (Such as the use of ed25519-sk with yubikey presence?)
2024-11-02 13:41:27 <lrvick> So this is stemming from an article that came out comparing the distro I founded for supply chain integrity (stagex) to other distros. Given that we are OCI-native, comparisons to Alpine being the most popular distro in corporate containerized environments are unavoidable, but I do want to make sure they are accurate and fair to alpine.
2024-11-02 13:41:43 <aktina> hello, is there any recomendded way to have per user services in alpine ?
2024-11-02 13:42:11 <lrvick> Stagex is also musl based, so we borrow a lot of patterns from alpine.
2024-11-02 13:42:33 <ikke> aktina: not at the moment, openrc is working on implementing it
2024-11-02 13:43:19 <ikke> durrendal: no
2024-11-02 13:43:28 <lrvick> But we are 100% bit for bit reproducible, and we mitigate single points of failure in our supply chain by ensuring all packages are reproduced by 2-3 people independently, and each signed by 2-3 maintainers as proof of this, so there is no SPOF in any single computer or person.
2024-11-02 13:44:07 <lrvick> but it is unlikely stagex will ever be as popular or widely deployed as alpine, so if there is a way to get similar protections into alpine that would be a major win for the internet at large which heavily depends on it.
2024-11-02 13:44:08 <ikke> lrvick: How does that scale?
2024-11-02 13:44:22 <lrvick> ikke heavy automation
2024-11-02 13:44:32 <ikke> We receive 60 merge requests per day
2024-11-02 13:44:50 <ikke> We build for 8 architectures
2024-11-02 13:45:09 <ikke> The latter is the most challenging for verifying reproducability
2024-11-02 13:45:45 <lrvick> well if builds were reproducible, then every PR could build by 2-3 build machines in paralell, which could be immutable machines with non-extractable TPM based keys with remote attestation.
2024-11-02 13:46:04 <lrvick> granted that woudld be more expensive, but I don't see it being a slowdown if running in paralell
2024-11-02 13:46:14 <ikke> We are limited in the HW that we have
2024-11-02 13:46:26 <durrendal> Which is all donated to the project right ikke?
2024-11-02 13:46:29 <ikke> Yes
2024-11-02 13:46:55 <lrvick> If companies knew how vulnerable they were based on the setup they just described, I bet getting hardware donated would not be that big of a problem
2024-11-02 13:48:14 <lrvick> Currently stagex already has quite a bit of donated hardware from 4 orgs because we made it clear supply chain integrity is a hard requirement for merging packages, but in total fairness we only have about 300 packages and one architecture. We also only do the expensive reproduction step at release time, not PR merge time
2024-11-02 13:48:16 <ikke> lrvick: what if the machine with the tpm keys broke? Do you loose your signing keys?
2024-11-02 13:48:53 <ikke> TPM backed keys*
2024-11-02 13:49:45 <lrvick> Well you have a couple of options for that. If it is truly an immutable remotely attestable machine, then you could generate keys on first boot, load them into the TPM and PCR lock them, then export the keys via a shamirs-secret-sharing split, each share encrypted to a different maintainer
2024-11-02 13:50:08 <lrvick> so when you bring online a new build machine, a quorum of maintainers must submit their shares to the machine to reconstitute the key
2024-11-02 13:50:11 <lrvick> but no single party controls it
2024-11-02 13:50:38 <lrvick> this is how an OS I desgined, quorumos works, and keyfork, an open source project by my org, Distrust.
2024-11-02 13:51:33 <lrvick> if the OS of the build machine is reproducible, then any maintainer could locally build the same machine image, and verify the hash of the PCR that the TPM is certifying, matches the hash you get locally
2024-11-02 13:51:49 <lrvick> thus all maintainers can prove the machine is running the image they expect and that it has no means to exfiltrate the key
2024-11-02 13:52:08 <lrvick> thus you have a system that can only be controlled by a voting quorum, vs a single person.
2024-11-02 13:53:03 <lrvick> Though in stagex we opted not to do this, and instead have a 1/1 pairing of build machine and signing key, and just require a minimum number of build machines (controlled by different people) reproduce and sign the packages
2024-11-02 13:53:19 <ikke> I think that that scales better
2024-11-02 13:53:20 <lrvick> but we only get away with that because we are 100% reproducible and full source bootstrapped
2024-11-02 13:53:30 <ikke> lrvick: how do you bootstrap gcc?
2024-11-02 13:53:42 <ikke> and rust
2024-11-02 13:53:45 <lrvick> from 256 bytes of x86 assembly
2024-11-02 13:53:51 <lrvick> all the way up
2024-11-02 13:53:58 <ikke> Probably takes a lot of time
2024-11-02 13:54:14 <lrvick> about 2 days to bootstrap everything from source
2024-11-02 13:54:24 <lrvick> but once 2-3 people have reproduced the bootstrap packages
2024-11-02 13:54:29 <lrvick> we do not have to touch them or revisit them often
2024-11-02 13:54:47 <ikke> We bootstrap each release (every 6 months)
2024-11-02 13:55:28 <ikke> lrvick: how many arches are you building for
2024-11-02 13:55:30 <ikke> ?
2024-11-02 13:55:30 <lrvick> I didn't realize alpine had full source bootstrapping?
2024-11-02 13:55:36 <ikke> not full source
2024-11-02 13:56:12 <lrvick> right now only x86_64, though once we get our new ReprOS build automation system underway, we plan to add arm64 and riscv next.
2024-11-02 13:56:28 <lrvick> but because of paralell builds, we don't expect this to slow us down
2024-11-02 13:56:32 <ikke> The problem is I don't see that approach scaling if you have to redo that for a lot of arches
2024-11-02 13:57:06 <lrvick> the bootstap path for various arches already exists thanks to the Gnu Mes, Stage0, and live-bootstap projects
2024-11-02 13:57:15 <lrvick> we just containerize their bootstrapping work for each arch
2024-11-02 13:58:11 <lrvick> stage0-1 can stay x86 even, but stage2 is where we pivot to x86 -> x86_64 cross compiler to bootstrap the rest of the distro
2024-11-02 13:58:25 <lrvick> but we can pivot to making that a multiarch image at that point with a cross compiler for each arch
2024-11-02 13:58:30 <lrvick> should be no problem. just more wall time
2024-11-02 13:59:16 <lrvick> Also, nothing stopping alpine from using our stage0-2 images, they are distro agnostic. Our ReprOS and AirgapOS images are also distro agnostic.
2024-11-02 13:59:30 <lrvick> you could bootstrap alpine with stagex if you wanted
2024-11-02 14:00:27 <lrvick> or copy our approach. We copy plenty of stuff from alpine so no shame there :)
2024-11-02 14:02:01 <lrvick> but imo, without reproducible builds bootstrapping does not really solve any trust problems
2024-11-02 14:02:26 <lrvick> and it seems with your number of packages and arches, getting to 100% reproducibility as a retrofit woudl be a massive effort
2024-11-02 14:02:33 <ikke> yes, it would
2024-11-02 14:03:51 <ikke> We could start with main just to make it tracktable
2024-11-02 14:04:00 <lrvick> I would then circle back and suggest that the biggest value thing you could do is sign commits, sign reviews, and do quorum administration of the build machines and build keys so no single human can tamper with them, and make those remote attestion proofs public.
2024-11-02 14:04:17 <lrvick> that is something that could be done as a standalone project in a vacuum
2024-11-02 14:04:21 <lrvick> in much shorter time 
2024-11-02 14:04:33 <lrvick> then can start the long tail of reproducibiltiy
2024-11-02 14:04:51 <lrvick> and then others can use the same image as the builders to reproduce alpine. more the better
2024-11-02 14:05:55 <ikke> One thing we certainly want to do is separate the signing keys from the builders
2024-11-02 14:06:27 <lrvick> what is the threat model there?
2024-11-02 14:07:55 <ikke> Not all HW has TPM
2024-11-02 14:08:59 <lrvick> There is absolutely no path to removing single human points of trust without either remote attestation, or reproducibility. You have to pick one, ideally both
2024-11-02 14:09:05 <lrvick> but that order is probably the most within reach
2024-11-02 14:09:27 <lrvick> -most- hardware has TPM2 in it thesedays
2024-11-02 14:09:45 <lrvick> as Windows requires it now, which was a fun forcing function
2024-11-02 14:10:39 <lrvick> But even if the hardware does not have a TPM, but has a USB port, you could get away with using a Nitrokey etc and people physically provisioning the machine in person into a tamper evidient storage
2024-11-02 14:11:20 <lrvick> but having deployed servers in bank vaults with multi-party physical controls a few times... I promise a TPM is a much cheaper option and much easier to prove the integrity of at a distance.
2024-11-02 14:12:26 <lrvick> most server motherboards have TPMs, though most baremetal server providers like hetzner disable them by default
2024-11-02 14:12:37 <lrvick> but you can order a crash cart, get bios access, and turn it back on in many cases
2024-11-02 14:13:01 <ikke> We use donated HW. And not all archictectures provide TPM
2024-11-02 14:14:17 <lrvick> You could emulate or cross compile in those cases, or simply start by providing the high integrity path for the architectures most widely used in high risk environments: x86_64/arm64
2024-11-02 14:17:12 <lrvick> The number one thing I would put on a risk register for you guys would be the fact that someone could threaten a single person on your team to tamper with a rust binary, and tamper with the firmware and binaries that gate access to billions of dollars. Now, you could say it is insane that alpine is used for use cases like this, and it is, but it is also sadly a reality. There is
2024-11-02 14:17:14 <lrvick> a -massive- target on alpine, and a lot of major supply chain attacks recently, some of them involving coercion.
2024-11-02 14:17:20 <lrvick> do it to protect yourselves personally, if for no other reason.
2024-11-02 14:18:56 <lrvick> I for one would be happy to help unblock this if I can. If keyfork or repros or bootproof can be useful to you guys, great. Or happy to discuss design decisions and see what you come up with independently.
2024-11-02 14:20:23 <ikke> Feel free to add some comments to https://gitlab.alpinelinux.org/alpine/tsc/-/issues/82
2024-11-02 14:21:55 <lrvick> https://docs.distrust.co/qkm/ may be useful. This is how we do ceremonies (with 100% reproducible OS images verified by the whole team) to generate critical signing/encryption keys ensuring no single person an ever acess them, but also ensuring we have offline ways to backup and recover.
2024-11-02 14:22:43 <lrvick> then we can collaborate to load these keys onto airgap laptops we purchase and provision with witnesses locally, or remote enclaves we all verify remotely
2024-11-02 14:23:16 <lrvick> but then we have reasonably proof no single human can tamper with or extract the keys, or tamper with the software that controls the keys
2024-11-02 14:23:50 <lrvick> these tactics should be very general purpose and apply to a broad set of use cases. Feel free to rip them off, use them as-is, or use them for reference for your own designs
2024-11-02 14:24:05 <lrvick> but would like to see more distros applying these sorts of tactics if possible
2024-11-02 14:25:31 <lrvick> will take a look at that issue. Indeed I have comments I ant to make already :)
2024-11-02 14:27:33 <ikke> Note that as a project, we don't have any capital. Any purchose must by covered by individual members, which limits our options
2024-11-02 14:30:07 <ikke> But I'm certainly interested in improving our posture
2024-11-02 14:38:16 <lrvick> As a reference our tactic for getting most of our capital was pointing to companies that build mission critical software, that their supply chain has single points of failure in single computers or humans, and that if they pay us, we could dramatically reduce that risk. That resulted in stagex being funded from 3 orgs from day one, including paying for reproduction machines
2024-11-02 14:38:18 <lrvick> hosted/donated by several different individuals/orgs.
2024-11-02 14:38:20 <vkrishn> is there a rough sketch diagram flow how signing is done ?
2024-11-02 14:38:34 <lrvick> When no one wants to trust each other by design, then we all have to bring our own hardware and pay for it
2024-11-02 14:38:37 <lrvick> or have our employers do it
2024-11-02 14:39:11 <lrvick> asking me?
2024-11-02 14:39:39 <vkrishn> it could be added to issues/82
2024-11-02 14:41:51 <lrvick> We only get away with our tactics because we are reproducible, which dramatically simplifies things. One person makes a release PR with every package they generated on their own hardware, and the digests they got for every package in the tree. A second maintiner builds/bootstraps from 0 and gets the same set of digests for every container, and adds a second set of signatures.
2024-11-02 14:42:26 <lrvick> we try to have 3+ though 2 is always a hard minimum
2024-11-02 14:42:40 <lrvick> so we never had a single human trusted at any point from the first release
2024-11-02 14:43:17 <lrvick> but for alpine a retrofit tactic is required, so in that instance something like keyfork is probably a major accelerator.
2024-11-02 14:43:54 <lrvick> keyfork can generate a key, split it into m-of-n shares, and encrypt each share to a different yubikey or nitrokey, which can be distributed to each administrator.
2024-11-02 14:44:29 <lrvick> then any time you generate a new signing key or something on an immutable machine, you can have the generation routine encrypt a copy to that split key before it loads it into a TPM
2024-11-02 14:44:34 <lrvick> so you have a disaster recovery story
2024-11-02 14:44:57 <lrvick> then any M members of the admin team could come together to restore the same key to a new TPM as needed to bring online a new build machine
2024-11-02 14:45:21 <lrvick> while having strong evidence no single admin has ever had plaintext access to the keys
2024-11-02 14:45:48 <lrvick> for this scheme to work, you don't need the whole distro to be reproducible
2024-11-02 14:45:51 <ikke> I assume this must run on the builder?
2024-11-02 14:45:59 <ikke> To have access to the TPM chip
2024-11-02 14:46:00 <lrvick> but you -do- need the OS image that runs the builder to be reproducible
2024-11-02 14:46:08 <lrvick> yes ideally
2024-11-02 14:46:37 <ikke> And the yubikeys?
2024-11-02 14:46:41 <ikke> or nitrokeys
2024-11-02 14:46:56 <lrvick> each member of the admin team would provision those in advance
2024-11-02 14:47:03 <lrvick> and contribute their public keys to the ceremony machine
2024-11-02 14:47:16 <lrvick> ceremony machine boots up, generates quorum key, and encrypts shares to each admin public key it was born with
2024-11-02 14:47:41 <lrvick> so each admin only controls one share via the nitrokey they set up themselves
2024-11-02 14:48:35 <lrvick> total hardware cost for the ceremony could be a $150 laptop purchased at a retail store with witnesses, or running a TPM capable cloud machine remote for a few minutes. + cost of nitrokeys/yubikeys
2024-11-02 14:48:40 <lrvick> can be very very cheap
2024-11-02 14:49:32 <lrvick> doing it on the TPM capable cloud machine would require you implement a tpm2 remote attestation, and have a reproducible OS image on that machine, but stagex has you covered there if you wanted.
2024-11-02 14:50:03 <lrvick> though bootproof, the remote attestation story, is still early. Though we do ship tpm2 tools so yu cuold get away with a shell script calling those + keyfork if you wanted
2024-11-02 14:50:36 <lrvick> QuorumOS would make this much easier but that is not open source yet (soon, putting pressure where needed ;)
2024-11-02 14:51:43 <ikke> lrvick: say I have a baremetal machine, no cloud provider. How do you attest that it's running a specific image?
2024-11-02 14:52:19 <lrvick> That is tricky, but solvable
2024-11-02 14:52:27 <lrvick> you need to confirm the root of trust with other people somehow
2024-11-02 14:52:33 <lrvick> the TPM2 endorsement key
2024-11-02 14:52:36 <ikke> Because that's 99% the case for us
2024-11-02 14:52:52 <lrvick> maybe multiple people visit that machine in person or confirm the endorsement key of that TPM out of band and pgp sign it
2024-11-02 14:53:01 <lrvick> but you will need a one time trust bootstrapping with multiple people for baremetal
2024-11-02 14:53:06 <ikke> That's also challenging
2024-11-02 14:53:15 <ikke> Physically visiting the HW
2024-11-02 14:53:56 <lrvick> with a machine in a datacenter none of you have access to, you could each visit an admin panel for the machine remotely and confirm the EK yourselves
2024-11-02 14:54:10 <lrvick> or you all independently verify the EK with the hardware seller or provisioner
2024-11-02 14:54:18 <lrvick> but you need some method to confirm that EK
2024-11-02 14:54:42 <lrvick> with cloud providers, they all have endorsement key APIs now, so it is actually much easier with cloud
2024-11-02 14:54:46 <ikke> But you do see the challenge
2024-11-02 14:54:50 <ikke> It's not trivial
2024-11-02 14:54:50 <lrvick> since they own all the hardware and know what hardware they own
2024-11-02 14:55:30 <lrvick> its trivial with cloud, but with baremetal hosted physically by people this is really suboptimal without reproducible builds
2024-11-02 14:56:14 <lrvick> without reproducible builds you are forced to trust a single system somewhere. It is easiest to form trust if no admin has physical access to that system, and it is hosted by a neutral third party
2024-11-02 14:56:17 <lrvick> say hetzner, etc
2024-11-02 14:56:21 <ikke> Yes, our build HW is not provided by cloud providers. We used to have ARM servers hosted ad a baremetal provider, but that arrangement has ended and now we are hosting it soemwhere at a sponsored location
2024-11-02 14:56:50 <lrvick> can you get a neutral third party, say a datacenter tech, to confirm the EK out of band to multiple people?
2024-11-02 14:56:51 <ikke> For x86_64, it's easy to get resources from could providers, for aarch64 doable, but other arches are nearly impossible
2024-11-02 14:57:23 <ikke> No cloud provider provides s390x, ppc64le, loongarch64, riscv64
2024-11-02 14:57:46 <lrvick> but zooming out to your actual problem
2024-11-02 14:57:52 <lrvick> if you sacrificed a bit of performance for security
2024-11-02 14:57:58 <lrvick> you could do builds of those in qemu
2024-11-02 14:58:23 <ikke> We prefer native hw as much as possible
2024-11-02 14:58:41 <ikke> not just for performance
2024-11-02 14:59:58 <lrvick> threat modeling is a series of tradeoffs. What security win does running on native hardware give you that outweighs removing single human points of failure?
2024-11-02 15:02:43 <lrvick> even if there is a compelling argument there, which I am doubtful of, that forces you to have no remote attestation solution those architectures, 99.999% of your risk comes from real world high risk deploymentts of alpine in public and private infrastructure, which use overwhelmingly x86_64, and sometimes aarch64.
2024-11-02 15:03:14 <lrvick> so again even if you only had high accountability deployments for just those two, that is a very very worthwhile effort
2024-11-02 15:04:33 <lrvick> then you can decide if you want to deal with the rest via reproducibile builds over time, or emulation
2024-11-02 15:08:32 <witcher> I haven't found anything, but just to be sure: does alpine take monetary donations?
2024-11-02 15:09:47 <ikke> witcher: We do not have an entity that can take donations. Individual members may take donations
2024-11-02 15:10:13 <witcher> ikke: is there by any chance a list of who takes donations?
2024-11-02 15:10:15 <lrvick> I would note that TPM2 is not the only hardware mechanizim available to you for remote attestation. PPC64 and others have tamper evidient secure boot hardware available that can be used to unlock keys in a nitrokey or similar
2024-11-02 15:10:50 <lrvick> or some hardware can let you burn a hash of a key into a fuse array, and that hardware will refuse to use anything not signed by that key, etc
2024-11-02 15:10:55 <witcher> i roughly know who works on alpine but i'm sure there are people i'm unaware of
2024-11-02 15:11:10 <lrvick> then you can have any remote attestation logic you want in your boot rom using coreboot or similar
2024-11-02 15:11:35 <lrvick> anyway, if there is any arch you struggle with after x86_64 an aarch64 and really need baremetal, I can possibly help
2024-11-02 15:12:49 <lrvick> afk for a while
2024-11-02 15:14:14 <q66> qemu build performance is garbage and saying you sacrifice "a bit of it" is being disconnected from reality 
2024-11-02 15:15:20 <q66> it has tons of other drawbacks too such as not being able to reliably run tests for things 
2024-11-02 15:16:30 <q66> i actually maintain a distro that does build one architecture in qemu (riscv64) and it really sucks to deal with it and i'm looking forward to when I can put it on baremetal
2024-11-02 15:18:20 <durrendal> ikke: is there currently a way for people to volunteer to help maintain the various bits of infrastructure that Alpine uses? I assume that's probably something the TSC would promote someone for and then vote on, but I'm not aware of the process outside of what is done for promoting maintainers to developer access. Does something like this exist already?
2024-11-02 15:25:25 <ikke> clandmeter is lead of the infra team]
2024-11-02 15:25:46 <ikke> We don't have a pre-defined workflow for that
2024-11-02 15:26:27 <durrendal> Ah gotcha. So it's more of an as needed by appointment directly from clandmeter then. That makes sense.
2024-11-02 15:26:51 <ikke> We could use help, but it also takes time
2024-11-02 15:31:33 <lrvick> q66: even if the performance is half, it would still be worth it to wait a few extra hours for a build, than to blindly trust a build has not been tampered with.
2024-11-02 15:32:39 <durrendal> I would be very interested in helping if I can, and if that offer is of interest/use to the team. Happy to discuss further!
2024-11-02 15:32:50 <ikke> durrendal: feel free to discuss in #alpine-infra
2024-11-02 15:36:11 <q66> lrvick: so as i said, disconnected from reality
2024-11-02 15:36:35 <q66> not only it is far less than that while burning the full power of a beefy x86 box, it also has the other drawbacks 
2024-11-02 15:37:10 <q66> sure love waiting 2 days for kernels to build when they update basically weekly
2024-11-02 15:39:59 <q66> not only is emulation not worth it and introduces random bugs into the result while preventing tests from being run as at least a basic correctness check, they are also environmentally irresponsible, on top of being annoying to wait for 
2024-11-02 15:40:21 <q66> no amount of security clownery will outweigh that
2024-11-02 15:45:38 <nickersonm> I updated this morning (latest-stable) and the `netmount` service now causes a kernel panic. Specifically it seems to be the CIFS module: https://tpaste.us/oxaR (see 13.232497 ). Changing to linux-virt or linux-lts in edge or v3.19 did not help, but linux-lts@v3.18 works for now, although I would prefer a more recent kernel.
2024-11-02 15:50:07 <lrvick> q66: Well, to be clear, I would only be suggesting doing what it takes for release builds, and only on architectures where it counts the most initially.
2024-11-02 15:50:30 <lrvick> but also, there are many different forms of hardware remote attestion, other than TPMs
2024-11-02 15:50:44 <lrvick> emulation would be a last resort
2024-11-02 15:51:16 <ikke> I think focusing on reproducable builds would make individual servers less important
2024-11-02 15:51:16 <lrvick> I am just saying if I -must- choose abysmal build performance, and having to sale up to compensate, or having builds I can trust
2024-11-02 15:51:20 <lrvick> the latter is more important
2024-11-02 15:51:54 <lrvick> I am currently running full source bootstraps of rust on 2 systems to make sure it reproduces as 1.82. Yes, its hard
2024-11-02 15:52:03 <lrvick> but for high risk applications there is no alternative
2024-11-02 15:52:09 <lrvick> and it takes 2 days every time
2024-11-02 15:52:38 <lrvick> when you are doing reproducible builds, take anything you are doing and triple it. Security is expensive.
2024-11-02 15:52:47 <lrvick> I agree that is reality.
2024-11-02 15:53:35 <q66> well enjoy
2024-11-02 15:53:40 <lrvick> if alpine was reproducible, then you don't have to trust any one server. They could each have their own keys, and all is well. This is what we do on stagex
2024-11-02 15:53:53 <lrvick> however without reproducibility you don't have many options other than remote attestation
2024-11-02 15:53:59 <lrvick> both options are expensive, you have to pick a poison
2024-11-02 15:54:22 <lrvick> doing nothing is going to create more problems that slow builds though, I am sure of that.
2024-11-02 15:55:02 <q66> fwiw decoupling signing from the builder is useless from security perspective because regardless you gotta trust the output of the builder, if it's tampered with you won't be able to tell and you will just get tampered-with packages that were signed without leaking the private key 
2024-11-02 15:55:13 <q66> which has no security benefit whatsoever, it's worse if anything 
2024-11-02 15:55:29 <lrvick> We are musl based and 100% reproducible, so I don't imagine alpine is that far off if CI blocked all new updates that were not reproducible as a fourcing function
2024-11-02 15:55:43 <q66> because at least if you know your builder is compromised and therefore the key is too, you can revoke the key and invalidate everything
2024-11-02 15:56:18 <lrvick> q66: on this we totally agree. I think you might as well keep the key on the build node.
2024-11-02 15:56:32 <lrvick> whatever is trusted enough to compile might as well be trusted to sign
2024-11-02 15:56:49 <q66> yes i thought about whether I should do this in my case and came to the conclusion that there is no way to separate the key and gain anything from it
2024-11-02 15:56:57 <lrvick> though a non-extractable key and an immutible build system that can't be changed after deployment should be the first two steps imo
2024-11-02 15:57:08 <lrvick> those alone give you a massive reduction in attack surface
2024-11-02 15:57:31 <ikke> q66: what you gain from it is that it's harder to compromise the key when you lack some sort of hardware enclave
2024-11-02 15:57:31 <lrvick> if you can't put a key in a TPM, put it on a nitrokey and plug it into a usb drive
2024-11-02 15:57:35 <lrvick> non extractable keys are cheap
2024-11-02 15:57:47 <lrvick> usb port*
2024-11-02 15:58:23 <lrvick> the goal should not be preventing key extraction though. That by itself is not that useful
2024-11-02 15:58:31 <lrvick> the goal should be preventing the key from signing something malicious
2024-11-02 15:59:06 <ikke> If the key is extracted, nothing prevents actors from signing malicious things
2024-11-02 15:59:39 <lrvick> it is of non zero value, however if anyone can ask the key to sign anything blindly
2024-11-02 15:59:44 <lrvick> then you are not in that much different of a situation
2024-11-02 15:59:48 <ikke> You are
2024-11-02 15:59:51 <lrvick> lot of effort for very very little reduction in attack surface
2024-11-02 16:00:18 <ikke> You can ditch the server, remove the compromised packages, and continue
2024-11-02 16:00:30 <ikke> If you need to revoke the key, everyone is impacted
2024-11-02 16:00:37 <lrvick> but the damage is already done. The world is already compromised.
2024-11-02 16:00:42 <lrvick> bigger problems thatn key revocation at that point
2024-11-02 16:02:29 <lrvick> let me put it in a concrete situation so we stay grounded. Companies like coinbase build everything with Alpine. Billions and billions of dollars are trusted to binaries built with alpine from just that one company. There are hundreds more examples.
2024-11-02 16:02:48 <lrvick> if a single malicious binary is singed by an alpine build server even once
2024-11-02 16:03:16 <lrvick> it could cause an exfiltration of insane amounts of value to some pretty bad actors to fund war machines.
2024-11-02 16:03:52 <ikke> With key extraction, they could do it without us even having a clue
2024-11-02 16:04:08 <lrvick> without key extraction, they could still do it without you having a clue.
2024-11-02 16:04:12 <ikke> Remote signing includes auditing
2024-11-02 16:04:40 <lrvick> let me be clear, I agree solving for non-extractable keys is then right first step
2024-11-02 16:04:48 <lrvick> I just think that is like a 5% solution
2024-11-02 16:04:52 <q66> i'll always approve of coinbase getting screwed over so you just gave me a good argument to keep things as they are :P
2024-11-02 16:06:07 <lrvick> q66: I hate most of these companies, and I don't care if they get ripped of. I do care that the people ripping them off are using them to fund dictators.
2024-11-02 16:06:30 <lrvick> lots of money being stolen by dangerous people is bad for everyone, even if we dont' like the people being stolen from
2024-11-02 16:09:58 <lrvick> I once audited a crypto firm that had a billion dollars in doge sitting on a server the whole team had access to. Honor system. Now we can say, doge is stupid, I agree. But you can trade it for real money, which means it is dangerous and worth protecting (or deleting).
2024-11-02 16:11:01 <lrvick> Anyway point is, IMO, maintaining software the world depends on is a big responsibility. You can't just think about your own use cases.
2024-11-02 16:12:28 <lrvick> Now if you want to say boldly "we are just a hobby distro, we don't have the funding to take security seriously" you should do that if it is true. But if it is not true, then there is some real responsibility to seek out funding if required, and do it right.
2024-11-02 16:13:51 <q66> idk about alpine but i literally don't care about the needs and wants of some stupid scam corporate
2024-11-02 16:14:02 <q66> i won't take their money, i want to have 0 to do with them 
2024-11-02 16:14:36 <q66> all i care about is my community
2024-11-02 16:14:38 <lrvick> But you do realize public infrastructure, governments, hospitals... all anchor their security to alpine
2024-11-02 16:15:21 <lrvick> now again, I think that was irresponsible of all those decision makers to not verify a distro like alpine has no human or system single points of failure before electing it into those positions
2024-11-02 16:15:26 <lrvick> but they did, and here we are
2024-11-02 16:16:03 <lrvick> I think the choice is convince all those parties to stop using Alpine, loudly, or close the risks.
2024-11-02 16:16:11 <lrvick> I am very happy to help support either path.
2024-11-02 16:57:45 <as400> Irvick: I do agree that security should be taken seriously. Yet, if you know what happens within cloud providers infra... 
2024-11-02 16:59:29 <as400> Alpine as it is right now is the last thing to worry about.
2024-11-02 17:05:47 <lrvick> Most of my client are running immutable appliance-like production infrastructure already.
2024-11-02 17:06:02 <lrvick> trusted and reproducible binaries are the next layer down
2024-11-02 17:09:19 <as400> That's great if you have your own infra. If you don't then it's like building a house from roof to bottom.
2024-11-02 17:13:38 <SyntheticBird[m]> Hello, are packages in repositories statically link to musl ? or dynamically ? I'm wondering in what condition can the LD_PRELOAD be used for switching allocator. Also if LD_PRELOAD would work with gcompat dependent software
2024-11-02 17:14:13 <ikke> SyntheticBird[m]: In Alpine Linux, packages are built dynamically
2024-11-02 17:14:25 <ikke> at least, c(++) based ones
2024-11-02 17:17:01 <SyntheticBird[m]> I see thanks.
2024-11-02 17:43:23 <vkrishn> lrvick: "We are musl based and 100% reproducible", which distro is it ?
2024-11-02 17:56:57 <lrvick> https://codeberg.org/stagex/stagex
2024-11-02 17:58:03 <lrvick> Blog post written about us recently: https://quorum.tkhq.xyz/posts/reproducible-builds-made-easy-introducing-stagex/
2024-11-02 17:58:19 <lrvick> Though per the discussion above I think the comments about alpine are probably not quite accurate and need adjustment
2024-11-02 18:00:44 <rdbo> SyntheticBird i think LD_PRELOAD will work anyways, no matter if it's dynamic or static
2024-11-02 18:02:45 <vkrishn> comparsion could include void
2024-11-02 18:03:50 <lrvick> it could include 1000 other distros, but I think the goal was just to cover the ones typically on the short list for container/build/release use cases which is the topic at hand here.
2024-11-02 18:04:06 <lrvick> stagex in particular has no package manager, and no ambition of being a desktop linux distribution
2024-11-02 18:04:23 <lrvick> its goal is just to make reasonably secure reproducible builds easy.
2024-11-02 18:04:53 <lrvick> to not take us too far off topic though, probably best to direct most stagex questions to #stagex :)
2024-11-02 18:05:11 <lrvick> (sorry alpine devs, he asked!)
2024-11-02 18:05:41 <ikke> no worry
2024-11-02 18:05:54 <vkrishn> ok, nice to read
2024-11-02 18:11:00 <lrvick> btw our musl patch to mrustc covered in that post should cover alpine as well, if you want to fully build rust from source
2024-11-02 18:11:34 <lrvick> Though, I warn you, it takes about a day on 32 threadripper cores
2024-11-02 18:11:59 <lrvick> though mrustc 1.72 is very close which should cut this down to a few hours
2024-11-02 18:12:28 <vkrishn> oh, not trying to discredit the/your work, just trying to get more info on reproducible builds
2024-11-02 18:13:09 <lrvick> Didn't think you were. Was just trying to avoid hijacking the channel to shill my own solution ^_^
2024-11-02 18:16:20 <vkrishn> its linux channel and "reproducible builds" is common to al too
2024-11-02 21:40:40 <SyntheticBird[m]> As there been any attempt or information about supporting enabling SELinux on Alpine ? I see their is a fairly updated version of libselinux and its utils in edge repository. I've also compiled my kernel with SELinux enabled. I know there is probably not a compatible policy for it but i'm wondering whats the state of things
2024-11-02 21:42:55 <Ermine> SyntheticBird[m]: afaik you need also to recompile userspace software to make it selinux-aware
2024-11-02 21:43:16 <ikke> It takes a lot of work to get SELinux right
2024-11-02 21:46:36 <Ermine> seems like selinux is not something you can just enable or disable
2024-11-02 21:47:21 <SyntheticBird[m]> OOOOH right I forgot about userspace part
2024-11-02 21:47:34 <SyntheticBird[m]> I thought it was just a systemd thing
2024-11-02 21:47:46 <ikke> selinux has nothing to do with selinux
2024-11-02 21:47:54 <SyntheticBird[m]> ?
2024-11-02 21:47:54 <ikke> systemd has*
2024-11-02 21:47:58 <SyntheticBird[m]> ah
2024-11-02 21:48:21 <SyntheticBird[m]> I just remember that Arch linux required SELinux recompilation of base
2024-11-02 21:48:34 <SyntheticBird[m]> and it was all systemd packages recompiled with selinux flag
2024-11-02 22:08:37 <SyntheticBird[m]> I don't see what software would need selinux aware recompilation
2024-11-02 22:08:42 <SyntheticBird[m]> tbh
2024-11-02 22:08:50 <SyntheticBird[m]> ig that cost nothing to try
2024-11-02 22:10:45 <ikke> selinux requires a lot of work
2024-11-02 22:11:04 <ikke> it's not for nothing that the most common advise people give when running into selinux issues is to disable it
2024-11-02 22:11:40 <ikke> Without proper care, applications stop working because they are denied access to things they need
2024-11-02 22:12:27 <invoked> i worked on gentoo hardened back in the day, but i'm not sure what's changed since then. libselinux should be enough but gentoo afaik still asks people to use hardened. but yeah, the audience is limited.
2024-11-02 22:13:04 <invoked> the main upside is limiting stuff that runs as root.
2024-11-02 22:14:18 <invoked> even amongst sysadmins the # of people who really understand selinux well is, in my view, small
2024-11-02 22:53:16 <SyntheticBird[m]> ikke: yes I'm aware of the challenge and I really want to learn it.
2024-11-02 22:53:55 <SyntheticBird[m]> invoked: on some chat platform I meet a Fedora engineer and its bio was: *SELinux wiped my soul.* I think this is an accurate representation.
2024-11-02 22:55:37 <invoked> it takes some work
2024-11-03 03:16:17 <aleksi> it really sucks that I had to register in order to access this channel. from my logs I can see it wasn't like this up to the 31st of the last month. what happened? spam?
2024-11-03 03:18:05 <mason> Alpine... "Enter ssh key or URL for foo changed by root" - does this want to populate authorized_keys for the user?
2024-11-03 03:20:44 <mason> So far the installer is pretty straightforward. Other than that one brief puzzlement it's pretty droolproof so far.
2024-11-03 03:21:49 <mason> Nice, that was amazingly quick, and it did indeed install my ssh public key from the URL I gave it.
2024-11-03 07:41:49 <frag> if i buy a 512G disk i cant fit 512G onto it, but if i created a +2G partition with fdisk, i can fit 2G onto it after formating it?
2024-11-03 08:58:51 <quinq> Most likely not
2024-11-03 09:25:07 <frag> hmm there is some problem with st in repo, when pasting or navigating history, it seem to force longer than the screen lines to overlap upon itself so it stays on one like ...
2024-11-03 09:25:22 <frag> *line
2024-11-03 10:43:13 <quinq> Hummm, there's no “history” in st
2024-11-03 12:39:47 <frag> quinq oh, its ash!? even just holding down a key till it it reaches the end of the screen, it starts overwriting the same line, instead of starting a new line...
2024-11-03 12:41:22 <frag> is a too large hd more durable since, iiuc, it can stop using bad sectors and still have plenty of space?
2024-11-03 12:41:44 <quinq> I'm not sure what history you're talking about, if it's about command history, then yes that's $SHELL
2024-11-03 12:42:01 <frag> yeah same problem in xterm/ash
2024-11-03 12:42:14 <quinq> hum
2024-11-03 12:42:49 <frag>  damn, then i guess it will never be fixed ;/
2024-11-03 12:43:28 <frag> if i open a termianl with ash and type untill i read EOL it starts overwriting the line instead of wrapping to a new line
2024-11-03 12:43:51 <quinq> I think that things can be fixed most of the time :)
2024-11-03 12:44:04 <frag> busybox ash
2024-11-03 12:44:05 <quinq> It just has to be annoying enough to motivate you ^^
2024-11-03 12:44:16 <quinq> Yeah, I can reproduce the issue
2024-11-03 12:44:38 <frag> i reported some bugs to busybox, and looked over the bugs there, lots of old old bugs
2024-11-03 12:45:06 <frag> its a new bug tho
2024-11-03 12:45:22 <frag> been using ash many years now with no/little problem
2024-11-03 12:47:05 <quinq> Is that the first time in those many years you wrote a long command line? ^^
2024-11-03 12:47:26 <frag> hehe, no, thats what im saying, its a new bug
2024-11-03 13:04:58 <quinq> ohhh ok
2024-11-03 13:17:39 <frag> oksh/mksh seems nice, basic, mksh seem to have some more features, you just delete /bin/sh and make a new symlink?
2024-11-03 13:18:26 <quinq> I'm using loksh
2024-11-03 13:18:31 <quinq> But no, don't do that
2024-11-03 13:18:43 <quinq> /bin/sh is the portable shell, called by scripts
2024-11-03 13:18:49 <frag> quinq whats loksh like?
2024-11-03 13:19:20 <frag> i also use /bin/sh as the default shell
2024-11-03 13:19:45 <quinq> If you want to use an alternative shell, just set it in /etc/passwd
2024-11-03 13:20:24 <quinq> (check its valid path in /etk/shells)
2024-11-03 13:20:29 <quinq> s/etk/etc/
2024-11-03 13:26:40 <frag> loksh seem very similar to oksh
2024-11-03 13:26:54 <frag> slightly smaller
2024-11-03 13:35:52 <quinq> Sure, they're both ports of OpenBSD ksh, but Alpine provides loksh, worksforme
2024-11-03 14:07:28 <frag> alpine also has oksh
2024-11-03 14:12:19 <frag> theres also mrsh, which together with mrsh-libs is slightly smaller still..
2024-11-03 14:40:24 <frag> mksh doesnt support 'sleep 1h', mrsh kills background processes when it itself is killed, i think i prefer oksh/loksh yeah
2024-11-03 14:51:14 <quinq> sleep $((60*60))
2024-11-03 14:51:36 <frag> hehe, yeah
2024-11-03 14:53:38 <frag> probably posix... i guess its not a big deal anyway..
2024-11-03 14:54:48 <frag> oh mksh also kills background jobs when exiting..
2024-11-03 15:54:02 <sertonix[m]> frag: the busybox ash bug is not a bug in a alpine patch and not budybox itself. I have already created a MR to fix this: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/74526
2024-11-03 15:54:31 <sertonix[m]> *is a bug in an alpine patch and not busybox itself
2024-11-03 15:55:48 <frag> sertonix oh, great!
2024-11-03 15:56:17 <sertonix[m]> frag: Also if you encounter issues in alpine linux prefer creating issues on the alpine linux bugtracker. Especially with busybox issues.
2024-11-03 15:58:28 <frag> why is that sertonix? is it this url? https://gitlab.alpinelinux.org/groups/alpine/-/issues
2024-11-03 15:59:21 <scorpion2185[m]> is alpine dinit doable atm?
2024-11-03 15:59:56 <pj> iirc, someone is driving dinit on alpine
2024-11-03 16:00:02 <sertonix[m]> @scorpion2185:matrix.org Yes but you probably want to write your own service files.
2024-11-03 16:00:26 <scorpion2185[m]> no service in the repo?
2024-11-03 16:00:26 <sertonix[m]> *need to
2024-11-03 16:00:59 <scorpion2185[m]> does alpine some "bootstrap" option or do you need to remove openrc and add dinit?
2024-11-03 16:01:09 <scorpion2185[m]> *does alpine have
2024-11-03 16:02:37 <quinq> Why are those busybox patches not upstreamed instead?
2024-11-03 16:02:55 <quinq> This would avoid this kind of issue
2024-11-03 16:03:18 <quinq> s/avoid/limit/
2024-11-03 16:04:40 <frag> kinda like how oksh/loksh stays doesnt wrap the commandline...
2024-11-03 16:04:49 <sertonix[m]> frag: Alpine has some uncommon things which means developers sometimes have a hard time to reproduce an issue in a different environment. For busybox the reason is that reported issues aren't check that often.
2024-11-03 16:04:52 <frag> s/stays//
2024-11-03 16:05:30 <frag> sertonix indeed, thats nice
2024-11-03 16:09:50 <sertonix[m]> quinq: I fixed an issue with tab completion and send the patch upstream. To fix the issue more quickly for everyone using alpine I added the patch to alpine. Otherwise the issue would stay until the next busybox release (which isn't often)
2024-11-03 16:10:18 <quinq> But it hasn't been merged, has it?
2024-11-03 16:10:38 <quinq> This isn't about waiting for release, but rather for having review
2024-11-03 16:10:58 <quinq> Once the patch has been reviewed and deemed fine by authors, then you can apply it locally
2024-11-03 16:11:51 <pj> By that logic, alpine would be very broken constantly
2024-11-03 16:12:18 <quinq> Yeah, like it is
2024-11-03 16:13:22 <pj> But less so
2024-11-03 16:13:31 <quinq> Do you have metrics?
2024-11-03 16:13:38 <quinq> Or just an opinion
2024-11-03 16:13:57 <pj> You can count amount of patches in aports
2024-11-03 16:14:47 <quinq> That's not a good metrics
2024-11-03 16:15:05 <quinq> As having patches isn't exclusive to either “logic”
2024-11-03 16:15:19 <quinq> Maybe you misunderstood
2024-11-03 16:15:26 <quinq> It's not about having to wait for upstream release
2024-11-03 16:15:42 <quinq> It's about having patches validated from upstream
2024-11-03 16:15:49 <quinq> As in discussion, review, test
2024-11-03 16:17:18 <pj> Is sending patches upstream not that?
2024-11-03 16:17:29 <quinq> No, that's just sending
2024-11-03 16:17:51 <pj> I find it unfair that quite an amount of fixes in busybox comes from Alpine
2024-11-03 16:18:00 <pj> which is usually found, tested, fixed here
2024-11-03 16:18:12 <pj> and that's not considered "good enough"
2024-11-03 16:18:16 <quinq> Yeah, busybox is… What it is ^^
2024-11-03 16:22:47 <sertonix[m]> @scorpion2185:matrix.org: There were service files packaged but no one maintained them so they were dropped again. When you want to try dinit I recomment keeping openrc installed so you can switch back to it.
2024-11-03 16:22:47 <sertonix[m]> It is also possible to install alpine linux without installing openrc before but you probably can't use the setup-alpine scripts in that case. You can install alpine linux similar to the arch installation guide and then manually install all packages and files. I don't think I can provide a full guide for this but I can tell you that it is possible.
2024-11-03 16:28:52 <scorpion2185[m]> how do you install manually like arch? there is no alpine-chroot and no basestrap equivalent afaik
2024-11-03 16:29:28 <sertonix[m]> quinq: Downstream patches can exist for various reasons. Some are upstream dead, upstream slow, upstream using old dependencies TM, upstream doesn't care about alpine, new build toolchain breaks build, urgent/annoying issue and so on. As mentioned above it is worse to always wait for upstream.
2024-11-03 16:30:06 <quinq> In which of those categories does busybox fall in?
2024-11-03 16:33:01 <ikke> Upstream is slow probably
2024-11-03 16:34:25 <quinq> Who decided this?
2024-11-03 16:34:36 <quinq> That this patch couldn't wait
2024-11-03 16:34:44 <quinq> Just curious
2024-11-03 16:35:34 <pj> busybox maintainers
2024-11-03 16:35:37 <pj> package
2024-11-03 16:35:43 <pj> which in this case is probably ncopa
2024-11-03 16:36:02 <sertonix[m]> quinq: I proposed it and ncopa merged it.
2024-11-03 16:38:30 <quinq> ok, thanks :)
2024-11-03 16:39:39 <quinq> I suppose that for edge it's more something along “break things, fix fast”
2024-11-03 16:39:59 <quinq> Then in time it makes it into a release
2024-11-03 16:40:07 <quinq> And edge people test
2024-11-03 16:40:19 <ikke> yes, that's literally what edge is for
2024-11-03 16:40:58 <ikke> We try not to break it, but at the same time, things breaking from time to time should be expected
2024-11-03 16:41:27 <quinq> Yeah
2024-11-03 17:18:39 <frag> quinq ^R for searching history and if you type in something that has no match, every char you type in produces a new line? is that another bug? in loksh
2024-11-03 17:19:28 <quinq> frag, I wouldn't call that as a bug per se as there's no specification and your shell doesn't crash
2024-11-03 17:19:43 <quinq> Maybe an annoyance at best ^^
2024-11-03 17:21:38 <frag> hehe, its weird
2024-11-03 17:23:04 <sertonix[m]> @scorpion2185:matrix.org: I put together some notes about installing alpine through a chroot. I probably forgot some things but it should get you started at least.
2024-11-03 17:23:04 <sertonix[m]> https://paste.sr.ht/~sertonix/8bc2ba573118f4f63b62d71968e9b9a48ef34768
2024-11-03 17:24:23 <quinq> frag, something else, that I would call a bag, is that with some filenames, it behaves differently in tab-completion
2024-11-03 17:25:50 <quinq> Prepare for the spamming tide!
2024-11-03 17:26:48 <frag> quinq hmm, okok, i like the nowrap commanline but will probably revert back to ash when its ok again, nice with shared history too..
2024-11-03 17:27:36 <frag> i see oksh ^r behaves the same
2024-11-03 17:27:58 <quinq> It's the same shell
2024-11-03 17:28:03 <quinq> Just built slightly differently
2024-11-03 17:40:35 <frag> indeed
2024-11-03 18:38:27 <frag> its nice that ^Y ++ works in ksh
2024-11-03 20:00:05 <frag> ash fixed in repo, thanks!
2024-11-03 20:06:04 <MajorAnon> Bonjour.
2024-11-03 20:08:10 <scorpion2185[m]> if somebody registered via gitlab instead of diectly in https://gitlab.alpinelinux.org does that avoid the cloudfare and 2fa?
2024-11-03 20:08:18 <scorpion2185[m]> can somebody move my account?
2024-11-03 20:11:52 <MajorAnon> Move it where ?
2024-11-03 20:12:52 <scorpion2185[m]> when I log in i use gitlab account instead i'd like to sing in directly
2024-11-03 20:13:04 <scorpion2185[m]> i manged to log in so i can delete may account
2024-11-03 20:13:43 <ikke> What is your account?
2024-11-03 20:13:58 <scorpion2185[m]> i just commented here https://gitlab.alpinelinux.org/alpine/aports/-/issues/14941#note_452285
2024-11-03 20:14:19 <scorpion2185[m]> https://gitlab.alpinelinux.org/realroot
2024-11-03 20:14:35 <scorpion2185[m]> could you move it?
2024-11-03 20:15:36 <ikke> Can you DM me the e-mail address associated with the account?
2024-11-03 20:15:57 <scorpion2185[m]> yes
2024-11-03 21:33:20 <j_v> is anyone running neovide on x11? i'm trying to get it working, but so far it seems to get on input handling, though that may be wrong since it is just a guess.
2024-11-03 21:35:46 <j_v> get *stuck on input handling
2024-11-03 21:49:48 <j_v> might be neovide doen't work right with my window manager, bspwm. nvim is plenty good enough from terminal, so i guess this is a non-issue for me really.
2024-11-04 06:09:13 <pabs> ikke: btw there are some cloud-ish things (some gratis, some paid) for some of the arches you mention as not having cloud https://wiki.debian.org/Hardware/Wanted#Other 
2024-11-04 06:51:18 <JohannesJacobs[m]12> Scaleway even sells alpine based risc-v servers :) i see 
2024-11-04 07:06:00 <fossdd[m]> yeah alpine already uses scaleway runners for ci ig
2024-11-04 07:23:21 <JohannesJacobs[m]12> nice. I'm gonna look into risc-v next year, probably get me some boards
2024-11-04 08:29:29 <targetdisk> hey :)  Was wondering if there is a straightforward way to bake-in a command line to the standard linux-lts kernel that I installed from apk.
2024-11-04 08:34:04 <targetdisk> I'm working on bootstrapping and installing large numbers of Alpine installs from systems that may not necessarily be the ones booting them.  The post-install hooks for the grub-efi package are currently ruining my day (likely not an Alpine-specific problem), which is something I suspected might happen, so I was thinking the easiest way to have a kernel that boots the first time would just be to 
2024-11-04 08:34:10 <targetdisk> have a stubby kernel (like the linux-lts one in APK with EFISTUB) named bootx64.efi or whatever in my ESP with a hardcoded command-line
2024-11-04 08:36:38 <targetdisk> My bootstrapper I'm building is written entirely in declarative gmake (fast and easier to debug than a shell script, cause no side-effects) ;)
2024-11-04 08:40:40 <dwfreed> makefile is just a fancy shell script...
2024-11-04 08:41:46 <targetdisk> yes, but each step in your target gets its own shell ;)
2024-11-04 08:41:53 <targetdisk> very fancy indeed
2024-11-04 08:42:36 <targetdisk> https://github.com/targetdisk/alpstrap
2024-11-04 08:42:46 <dwfreed> I mean, you can do that in regular shell too
2024-11-04 08:42:57 <dwfreed> it's just dumb to do it that way :P
2024-11-04 08:43:32 <targetdisk> I need to be able to have something that boots on another system from my bootstrapper, and GRUB is pissing me off
2024-11-04 08:44:15 <targetdisk> also some people absconded with gummiboot after already taking our udev...
2024-11-04 08:44:24 <dwfreed> https://wiki.archlinux.org/title/EFI_boot_stub#Using_a_startup.nsh_script
2024-11-04 08:44:33 <targetdisk> oh yeah
2024-11-04 08:44:39 <targetdisk> forgot about thems
2024-11-04 08:45:23 <targetdisk> dwfreed: this is exactly the sort of thing I'm looking for!!
2024-11-04 08:45:27 <targetdisk> thank you
2024-11-04 08:46:11 <dwfreed> always check the arch wiki
2024-11-04 08:46:40 <targetdisk> I am using some of their tools in addition to the alpine tools in my script as well ;)
2024-11-04 08:47:07 <targetdisk> their chroot helper and their fstab generator are coming in clutch for my little project
2024-11-04 08:48:53 <targetdisk> I've read a little bit of the UEFI specification documents but totally forgot about these little scripts!
2024-11-04 08:51:58 <targetdisk> yeah other than GRUB being itself the rest of writing my thingy has been pretty fun so far.  May write a tool or some M4 shrek that makes the partitioning setup a little less rigid so friends of mine can use my stuff more better ;)
2024-11-04 08:54:09 <targetdisk> dwfreed: probably going to credit you in a future commit message for reminding me that those EFI startup scripts were a thing
2024-11-04 10:04:33 <frag> quinq and others, why dont you use busybox ash? does anyone else use it?
2024-11-04 10:14:20 <frag> what web browsers are stable in repo now? qutebrowser/firefox/chromium?
2024-11-04 10:15:48 <frag> and ofc links-graphic <3
2024-11-04 10:16:22 <quinq> frag, not comfy enough for me :)
2024-11-04 10:17:02 <mebious> what makes a shell comfy?
2024-11-04 10:17:05 <frag> quinq what do you lack?
2024-11-04 10:17:14 <quinq> frag, to be honest, not sure :D
2024-11-04 10:17:19 <frag> haha
2024-11-04 10:17:39 <quinq> I have a set of tab-complete things in kshrc
2024-11-04 10:17:55 <quinq> But that's not a very big thing
2024-11-04 10:19:51 <frag> ash works well without config imo (although i do have some conf in .profile)
2024-11-04 10:21:38 <cyclisme24[m]> frag: have a look at librewolf. Hopefully in 3.21 stable
2024-11-04 10:22:17 <frag> oh i didnt mean as in stable release, i just meant stable to use/workable
2024-11-04 10:22:36 <frag> but will test it out!
2024-11-04 10:22:58 <pj> I'm a fish enjoyer
2024-11-04 10:29:46 <orchardstreet22> zcrayfish: yea I did, what should `uname -r` be returning right now on latest stable alpine?  Mine says 6.6.58-0-lts, I thought it would be 6.6.58-1-lts?
2024-11-04 10:31:13 <orchardstreet22> also `apk info linux-lts` returns `linux-lts-6.6.58-r0`, I thought it should be `linux-lts-6.6.58-r1` 
2024-11-04 10:39:59 <mebious> orchardstreet22: it should be 6.6.59-r0 as of two days ago (commit e3be418f)
2024-11-04 11:56:26 <orchardstreet22> mebious: `cat /etc/os-release` returns `VERSION_ID=3.20.3`.  I upgraded system muiltiple times since then with `doas apk update && doas apk upgrade`. Do you know why I might be on an incorrect kernel version?
2024-11-04 11:58:58 <orchardstreet22> wait, upgrading just now turned it to 6.6.59-r0.  I think I might be fine
2024-11-04 11:59:12 <orchardstreet22> this was a convo about an issue I had a week ago, ignore this I guess
2024-11-04 11:59:48 <mebious> that's fine, good to see that it was resolved :)
2024-11-04 12:00:25 <orchardstreet22> i thought for sure I updated yesterday though, maybe I didn't
2024-11-04 12:52:16 <ncopa> i pushed 6.6.59 today
2024-11-04 12:55:06 <orchardstreet22> ncopa, I found the page that shows when apport commits are made, is there a page that shows when pushes are made?
2024-11-04 12:55:11 <orchardstreet22> thx
2024-11-04 12:58:34 <mebious> not natanael but you can find them here: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests
2024-11-04 17:40:33 <jonesv> I am trying to build v4l2loopback, which says it needs the "kernel headers" to build (https://github.com/umlaeute/v4l2loopback#DEPENDENCIES). I have the package `linux-headers` installed, but the build still fails. Is there something else I need to build a kernel module?
2024-11-04 17:40:47 <jonesv> I am getting this error at build time: `make[1]: *** /lib/modules/6.6.58-0-lts/build: No such file or directory.  Stop.`
2024-11-04 17:41:16 <jonesv> (which is correct: /lib/modules/6.6.58-0-lts/ does exist, but there is no `build/` inside)
2024-11-04 17:44:18 <jonesv> And while I'm here, I don't understand the purpose of the Alpine package "v4l2loopback-src". Is it made just to download the sources? Isn't that unusual?
2024-11-04 18:27:48 <pjs_> is there a package that provides libpkcs11-helper.so.1? I have openssl installed but still seems some items are missing
2024-11-04 18:28:19 <ikke> Apparently not: https://pkgs.alpinelinux.org/contents?file=libpkcs11-helper.so*&path=&name=&branch=edge&repo=&arch=
2024-11-04 18:28:31 <pjs_> for ops that depend on pkcs11 I get these: "pkcs11h_certificate_create: symbol not found" but I can't seem to find where this is provided
2024-11-04 18:28:36 <pjs_> ikke: yea, I tried that too :(
2024-11-04 18:28:53 <pjs_> I'll keep digging around
2024-11-04 18:28:55 <pjs_> thanks!
2024-11-04 19:05:27 <pjs_> ended up building and installing the library manually. Seems to have resolved the issues
2024-11-04 21:01:12 <holgersson> "doas: a tty is required"
2024-11-04 21:01:12 <holgersson> Hi! Running ansible from a Gentoo to configure an alpine with privilege escalation using doas fails for me:
2024-11-04 21:01:12 <holgersson> Search for this string I found only old ansible bug reports on github.com so far. Any ideas how I can fix this?
2024-11-04 21:04:47 <ikke> How are you planning to authenticate?
2024-11-04 21:09:46 <holgersson> ikke: with ansible-playbook -K <playbook>, so with "become" and "become_method" doas plus password
2024-11-04 21:10:44 <ikke> doas expects a tty to ask for a password, but apparently ansible does not provide one. I'm not too familiar with Ansible, so not sure how it's supposed to work
2024-11-04 21:11:58 <invoked> sudo should work
2024-11-04 21:12:12 <invoked> (without a tty, but i can't remember what the defaults are)
2024-11-04 21:12:26 <holgersson> any issues with sudo on alpine that I should be aware of? 
2024-11-04 21:12:41 <holgersson> invoked: was about to ask for sudo the moment I received your message ;)
2024-11-04 21:13:22 <invoked> doas is simpler and thought to be more secure, is all
2024-11-04 21:13:32 <holgersson> OK
2024-11-04 21:13:36 <invoked> sudo definitely supports more use cases.
2024-11-04 21:14:24 <holgersson> probably - I've got no problem with sudo at all, using it on every other distro :)
2024-11-04 21:15:20 <ikke> We moved it to community so that we do not have to support it for 2 years
2024-11-04 21:15:35 <ikke> But it means it's only supported on the latest stable release
2024-11-04 21:16:45 <holgersson> hm
2024-11-04 21:17:02 <holgersson> but aynways, if doas does not work for me I've not really a choice
2024-11-04 21:17:15 <holgersson> thanks for the input! 
2024-11-04 21:17:24 <invoked> good luck :)
2024-11-04 21:19:58 <holgersson> invoked: thanks, works now ;)
2024-11-04 22:38:40 <wizzard> Has anyone started working on porting alpine linux to the new x elite laptops?
2024-11-04 22:41:24 <xulfer> Does it not work already?  
2024-11-04 22:46:45 <fossdd> wizzard: pmos did a lot in that direction
2024-11-04 22:47:08 <fossdd> #aarch64-laptops are also other x elite enjoyer
2024-11-04 22:47:48 <xulfer> Would have thought the gpu would be the only possible holdup there, but I've only given it a glance really.
2024-11-04 22:50:24 <wizzard> At least these  (https://github.com/anonymix007/x1e-alarm) packages are missing, as well as the device tree stuff. 
2024-11-04 22:50:24 <wizzard> I wish I had more time to get my hands dirty and do the port. 
2024-11-04 22:50:24 <wizzard> @fossdd thanks for the tip. I will reach out to the pmos people
2024-11-04 22:50:24 <wizzard> I was not able to boot the alpine installer on a x elite chip. 
2024-11-04 22:55:59 <xulfer> Qualcomm says it should work out of the box
2024-11-04 22:56:16 <ptrc> qualcomm also says they have a license for making consumer ARM chips
2024-11-04 22:58:02 <xulfer> Heh fair enough
2024-11-04 23:00:22 <xulfer> I do like their official image bit in their linux compat boast.  We have a debian image here... that works on the reference SoCs... and some of the firmware is still binary blobs.
2024-11-04 23:00:26 <xulfer> How very TI of them.
2024-11-04 23:10:53 <invoked> qualcomm is like a cartoon villain
2024-11-05 07:40:22 <DaeDae[m]> Maybe this is the correct one.
2024-11-05 07:40:22 <DaeDae[m]> I'm having trouble installing Alpine Linux if anyone is willing to help
2024-11-05 07:40:58 <DaeDae[m]> * Maybe this is the correct one.
2024-11-05 07:40:58 <DaeDae[m]> .
2024-11-05 07:40:58 <DaeDae[m]> I'm having trouble installing Alpine Linux if anyone is willing to help
2024-11-05 07:43:01 <mebious> what are you having trouble with?
2024-11-05 07:43:12 <DaeDae[m]> Wifi
2024-11-05 07:43:20 <mebious> can you be more specific?
2024-11-05 07:43:40 <DaeDae[m]> My device came with an rtl8811cu (or so it is called for my knowledge) and it isn't recognized as a wifi device (it's a USB chip)
2024-11-05 07:44:19 <DaeDae[m]> It's recognized for what I know as... (full message at <https://matrix.org/oftc/media/v1/media/download/ATOXJMVCRJxqs2Mqn_7LnPQ5RBvFLzOhmKFEMcdaZlpiz3V3zGnkXuCAOhFCoIqxTxMN_PdDfzn6vrTH0bHWtT5CeTQ2EgfAAG1hdHJpeC5vcmcvTUpKWGxZWkNZbWlTVGR2R2dJa3dlV2lU>)
2024-11-05 07:48:03 <DaeDae[m]> I'm not capable of using Ethernet for multiple reasons at this time, and require wifi. If I can't do anything I'll simply have to remain with Arch Linux instead since I'm out of options
2024-11-05 07:50:33 <DaeDae[m]> @mebious 
2024-11-05 07:50:33 <DaeDae[m]> .
2024-11-05 07:50:33 <DaeDae[m]> * I'm not capable of using Ethernet for multiple reasons at this time, and require wifi. If I can't do anything I'll simply have to remain with Arch Linux instead since I'm out of options
2024-11-05 07:51:30 <DaeDae[m]> You'll need to allow me time to reboot into the installer if you do provide other information on this, I have other things I simply must be doing at this time. Thanks either way though
2024-11-05 08:09:19 <wizzard> > You'll need to allow me time to reboot into the installer if you do provide other information on this, I have other things I simply must be doing at this time. Thanks either way though
2024-11-05 08:09:19 <wizzard> If you need internet to download the drivers for wifi, you can connect your Android or iPhone and share Internet over USB.
2024-11-05 08:09:46 <DaeDae[m]> Are you sure that's functional by default?
2024-11-05 08:09:54 <DaeDae[m]> A lot of the time it's not
2024-11-05 08:14:59 <wizzard> Has always worked for me.
2024-11-05 08:15:15 <DaeDae[m]> Alright, I'll be sure to try that. Thanks
2024-11-05 08:17:01 <mebious> DaeDae[m]: rtl8811cu isn't officially supported in the linux kernel and arch linux uses out-of-kernel modules for it from what i'm seeing
2024-11-05 08:17:11 <wizzard> https://github.com/fastoe/RTL8811CU
2024-11-05 08:17:11 <wizzard> If setup-alpine does not work, due to no internet you could copy this over via a second USB stick to manually install the drivers:
2024-11-05 08:17:56 <DaeDae[m]> That's for Ubuntu
2024-11-05 08:17:56 <DaeDae[m]> As well as it is or at least was supported first at 5.12 and had gone up as far as 6.11. I'm unaware of its status afterwords though
2024-11-05 08:18:07 <DaeDae[m]> .
2024-11-05 08:18:07 <DaeDae[m]> * That's for Ubuntu
2024-11-05 08:18:07 <DaeDae[m]> As well as it is or at least was supported first at 5.12 and had gone up as far as 6.11. I'm unaware of its status afterwords though
2024-11-05 08:18:31 <mebious> AUR packages rtw88-dkms-git uses https://github.com/lwfinger/rtw88 and rtl8821cu-git points to https://github.com/morrownr/8821cu for its sources
2024-11-05 08:18:31 <DaeDae[m]> Even Ubuntu, fedora, Garuda, etc have support for it.
2024-11-05 08:19:24 <DaeDae[m]> You don't get aur packages my default when installing arch Linux. It's fully reliant on kernel what you can and can't do it you don't have wifi (and the pre-existing system files and such)
2024-11-05 08:19:31 <DaeDae[m]> s/my/by/
2024-11-05 08:19:47 <DaeDae[m]> * You don't get aur packages by default when installing arch Linux. It's fully reliant on kernel what you can and can't do if you don't have wifi (aside from the pre-existing system files and such)
2024-11-05 08:23:34 <DaeDae[m]> Ubuntu uses 6.8 I believe, which is definitely newer than both 6.6 and 6.1 (6.11) so support definitely wasn't dropped from what I can tell. Otherwise, it's probably something to do with the configuration used for the installer
2024-11-05 08:23:48 <DaeDae[m]> * Ubuntu 24.04 uses 6.8
2024-11-05 08:24:28 <mebious> could you confirm that the model is rtl8811cu? i'm not seeing any available drivers for it in the linux kernel
2024-11-05 08:25:05 <DaeDae[m]> I'm not sure if that's the model or not at this point. All I know is that's what the packaging says as well as windows
2024-11-05 08:25:52 <DaeDae[m]> Realtek 8811CU Wireless LAN 802.11ac USB NIC
2024-11-05 08:26:35 <DaeDae[m]> And it did actually receive updates in the last few months through windows, originally the driver was from 2018 but was updated sometime back in October I believe twice.
2024-11-05 08:29:25 <DaeDae[m]> Maybe it's actually 8821cu not 8811cu?
2024-11-05 08:30:54 <mebious> 8821cu is equivalent to 8811cu based on this commit message i found: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/net?id=41a7acb7dde8395f52a707bbba7712a898dfafb0
2024-11-05 08:31:23 <mebious> and 8821cu is officially supported so i'd imagine probing 8821cu should work
2024-11-05 08:31:39 <DaeDae[m]> Yes, I did that, and no luck
2024-11-05 08:32:13 <mebious> were there any relevant messages in your dmesg logs?
2024-11-05 08:32:42 <DaeDae[m]> Not that I know of aside from DRM relating to my GPU (AMD Radeon RX550)
2024-11-05 08:38:25 <DaeDae[m]> But that's firmware things
2024-11-05 08:41:05 <mebious> to backtrack a bit, what error message were you getting for the device and what program did it come from?
2024-11-05 08:43:06 <DaeDae[m]> No error message, simply isn't recognized as a wifi device. Only a USB device (lsusb only)
2024-11-05 08:44:15 <mebious> what program is failing to recognise it as a wifi device?
2024-11-05 08:44:38 <DaeDae[m]> Entire system. Ip link, setup-alpine, everything
2024-11-05 08:51:41 <ikke> So either firmware, kernel module or both are missing 
2024-11-05 08:53:23 <DaeDae[m]> I got it to work over USB with my phone for wifi, but the configuration part is extremely weird and it won't/can't install tzdata and doesn't specify any actual errors either
2024-11-05 08:53:30 <mebious> it seems that most people who's had similar issues with the rtl8811cu resolved it by installing an out-of-tree module via dkms
2024-11-05 08:57:26 <DaeDae[m]> I'm not sure what's up. It's extremely weird and finnicky. I wish people would leave support instead of removing itz even if not updated. I understand not a lot of people use it, but that's better than a 10 year old device absolutely nobody uses. Keep the support until it's extremely outdated or nobody uses it at all
2024-11-05 08:57:38 <frag> in a diskless setup, if i download a new tarball, go to the /apk/ dir and run `apk fetch -R extra-packages-i-want` would it probably work without apk cache? or is there an easier way to add/upgrade the /apk/? also i see there are two options for raspberry aarch64 on the download page now, probably a mistake
2024-11-05 08:58:04 <frag> have to use the correct repo ofc...
2024-11-05 09:00:01 <mebious> DaeDae[m]: realtek usb wifi drivers seem to be a pain to troubleshoot in general from the posts i've read about it
2024-11-05 09:01:34 <DaeDae[m]> That makes sense, it is a Chinese company after all
2024-11-05 09:03:21 <mebious> frag: `apk fetch -R` in the /apk/ directory would dump all the packages in that directory, which i assume isn't what you want
2024-11-05 09:03:54 <DaeDae[m]> DaeDae[m]: Sorry sorry, they're a Taiwanese company.
2024-11-05 09:04:20 <frag> mebious that is what i want to have them available at bootup and/or if no internet, not sure if all the packages will be compatible then tho or slight version differences etc..
2024-11-05 09:06:16 <mebious> what i was referring to is that `apk fetch` will download the packages to your current working directory (/apk/ in this case) unless you specify a location with the `-o` flag
2024-11-05 09:07:07 <frag> yes, so they are available for install on diskless
2024-11-05 09:08:27 <mebious> i assume it would work with `--no-cache`
2024-11-05 09:12:20 <DaeDae[m]> Correction
2024-11-05 09:12:21 <DaeDae[m]> .
2024-11-05 09:12:21 <DaeDae[m]> Official support for rtl8811cu (probably via another driver of the same type but not model) was introduced in 6.2 and should still be there. This most likely specifically comes down to a kernel configuration problem
2024-11-05 09:17:46 <mebious> DaeDae[m]: do you have a source for that? i couldn't find anything that specifies official support for rtl8811cu
2024-11-05 09:18:34 <mebious> aside from rtl8821cu being an equivalent model to rtl8811cu, which does have an in-tree kernel module
2024-11-05 09:18:56 <ikke> DaeDae[m]: if you still have the arch setup, you could check what modules are loaded
2024-11-05 09:19:11 <DaeDae[m]> That's what I meant by "another driver of the same type but not model"
2024-11-05 09:21:43 <DaeDae[m]> The driver is added to kernel 6.2 and newer.... (full message at <https://matrix.org/oftc/media/v1/media/download/AY_X72QpP6dIx4HJ4EWRIh4edybSbexTbCTCFYMNoXy0OfGLew_HlLLalw7zTSf2tJERKs7nNmg3IWbn5aAs7-dCeTQ7pL-QAG1hdHJpeC5vcmcvYmJSR1R3cWNwcUxIb3RMT1BwVktjY2NW>)
2024-11-05 09:22:10 <DaeDae[m]> As well as, like I stated before, arch Linux, Ubuntu, fedora, Garuda, etc, do not have such an issue and it works perfect without issue
2024-11-05 09:23:10 <DaeDae[m]> I could probably just install, and change the kernel from it's default LTS release to a different one
2024-11-05 09:23:19 <ikke> That's why I suggested looking at what modules are e loaded 
2024-11-05 09:32:42 <PureTryOut> DaeDae: since this is an IRC-first channel (unlike the pmOS ones) you should try to refrain from using non-IRC features like replies and multiline messages
2024-11-05 09:36:58 <DaeDae[m]> Ah, right. Sorry
2024-11-05 09:37:56 <mebious> DaeDae[m]: i was confused as to what you were referring to as replies are rendered on irc as media download links
2024-11-05 09:38:51 <mebious> fortunately the links do show the plain text output of the message
2024-11-05 09:39:32 <DaeDae[m]> I'm unsure when I used a "reply" function though. That requires me to swipe on or hold and select options to be able to "reply" in my application.
2024-11-05 09:40:27 <mebious> there sohuld be a clear indicator if you're using replies or not in your matrix client. as far as i know, most matrix clients have that
2024-11-05 09:40:30 <mebious> should*
2024-11-05 09:41:13 <DaeDae[m]> I didn't use the reply function for my knowledge, only what I assume is considered a "multiline" message. Maybe it was the url I added?
2024-11-05 09:41:27 <mebious> i'm not sure but that's besides the point
2024-11-05 09:41:33 <DaeDae[m]> Right
2024-11-05 09:41:46 <mebious> with the 6.2 release you're referring to, rtl8821ce-dkms is an out-of-tree module as it uses dkms to build it
2024-11-05 09:42:39 <DaeDae[m]> rtl8821cu is supposed to exist in the kernel by default is the issue, and from what I found, is also the proper module/driver for rtl8811cu as well because of its chipset
2024-11-05 09:43:34 <mebious> i also just noticed that the link you referenced is for rtl8821ce, not rtl8821cu
2024-11-05 09:44:22 <DaeDae[m]> Huh, that's odd. The title specifically states "8811CU" not "8811CE"
2024-11-05 09:44:34 <DaeDae[m]> Oh well, can't be helped
2024-11-05 09:44:56 <mebious> it could be that the rtl8821ce-dkms package in ubuntu inclueds 8821cu drivers
2024-11-05 09:46:24 <DaeDae[m]> This is especially confusing because nearly all modern distros have proper support for it out of the box.
2024-11-05 09:46:39 <DaeDae[m]> There's a large list of them, and it's all because of the kernel.
2024-11-05 09:48:27 <mebious> what release and architecture are you using?
2024-11-05 09:49:20 <PureTryOut> DaeDae: you never used a reply here, I just mentioned it as an example of a Matrix feature IRC doesn't support. You mostly used multiline messages
2024-11-05 09:49:47 <DaeDae[m]> Yeah, it's bad habit. Terribly sorry for that
2024-11-05 09:50:12 <DaeDae[m]> Arch: x86_64 release: latest available (unsure how to check that)
2024-11-05 09:53:09 <mebious> alright i think i found the issue. rtl8821cu support corresponds to the CONFIG_RTW88_8821CU kernel compile option and that isn't present in alpine's repos
2024-11-05 09:54:02 <mebious> you can check here for linux-lts: https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/linux-lts/lts.x86_64.config
2024-11-05 09:54:11 <mebious> and here for linux-edge: https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/community/linux-edge/config-edge.x86_64
2024-11-05 09:54:37 <DaeDae[m]> It says LTS (6.6.59 when installed, 6.6.49 from installer image)
2024-11-05 09:58:02 <mebious> your kernel version matches the current LTS version so that's fine
2024-11-05 09:58:37 <DaeDae[m]> Well I mean there is rtw88_8821c and rtw88_8821ce but that's it
2024-11-05 10:00:54 <mebious> i assume they aren't compatible or equivalent to the rtl8821cu/rtl8811cu
2024-11-05 10:01:29 <DaeDae[m]> The only thing I can say that's possible is they simply excluded/removed it.
2024-11-05 10:02:26 <mebious> that is the case. you'll need to ask the developers about that if you're interested
2024-11-05 10:05:43 <DaeDae[m]> Yeah, the only firmware available is strictly 81xx and 84xx.
2024-11-05 11:35:45 <frag> in /etc/ files ending with - are backups? can be deleted? eg "group-"
2024-11-05 11:40:14 <mebious> they are backups but is there a particular reason that you want to delete them?
2024-11-05 12:24:01 <frag> no, just like to keep it clean :] `lbu ls` lists them
2024-11-05 19:06:23 <cow123> does alpine Linux run on ampere altra systems? I’m thinking about buying one to use as my main virtualization server.
2024-11-05 19:30:37 <scorpion2185[m]> it runs mainline i was told but no idea
2024-11-05 19:30:46 <scorpion2185[m]> any suggestion to how use unl0kr?
2024-11-05 19:34:01 <socksinspace> i think this was meant to go to the postmarketos room?
2024-11-05 19:50:37 <scorpion2185[m]> no in pmos you can easiyl use it i mean on alpine
2024-11-05 19:54:14 <socksinspace> ahh, i didn't connect the "it uses mainline" with the ampere system, so the combination with unl0kr made me think pmOS
2024-11-05 20:33:47 <ikke> cow123: our arm-based builders run on ampere altra, and they do run mainline
2024-11-05 20:38:43 <ericonr> Linking an executable with gcc -static-libasan doesn't work because it complains about a missing libsanitizer.spec file, which I couldn't find anywhere 
2024-11-05 20:39:00 <ericonr> Is it expected that Alpine's GCC is built like that?
2024-11-05 23:29:03 <cow123> ok thanks ikke, that is good to know
2024-11-06 06:48:53 <Guest8588> can someone point me to a deatiled and clear documentation on how to manually install alpine on multiple usb sticks with zfs file system
2024-11-06 06:50:55 <ikke> That assumes documentation exists for such a specific usecase
2024-11-06 06:51:37 <pj> there might be a wiki page for zfs install but I doubt there will be anything about USB sticks
2024-11-06 06:52:58 <Guest8588> okay guys thanks. I will try to do it myself then, if i could manage of course.
2024-11-06 09:16:14 <donoban> hmm.. it seems that my problem with bridge setup on /etc/network/interfaces is that I've missed the package 'bridge', it's just an 'if-host-down.d' script of 141 lines... is it worth to have an additional pacakge for it?
2024-11-06 12:27:05 <telmich> texlive-full is still the killer... every time I setup new system (notebook), it's the one thing taking ages
2024-11-06 12:29:55 <ikke> donoban: what does your interfaces file look like?
2024-11-06 12:41:23 <telmich> Regarding the "missing" light utility, did someone actually find a good replacement? I'm setting up a new notebook and I still have the light binary on old ones before it was removed and I am looking for something simple that can replace it
2024-11-06 12:54:29 <wyk72> hi ppl
2024-11-06 12:54:46 <wyk72> need help with mariadb setting up a galera cluster
2024-11-06 12:55:19 <wyk72> it seems the binary command "galera_new_cluster" is missing from ditribution
2024-11-06 12:55:30 <wyk72> and I cant' bootstrap the first cluster
2024-11-06 12:55:43 <wyk72> how can I find this binary ?
2024-11-06 12:56:16 <wyk72> it's mentioned in the docs but is not into "galera" package
2024-11-06 12:56:37 <wyk72> the "galera" package contains just the galera library
2024-11-06 12:56:54 <ikke> telmich: did you try brightnessctl?
2024-11-06 12:58:00 <wyk72> I am on alpine 3.20 (mariadb  Ver 15.1 Distrib 10.11.10-MariaDB, for Linux (x86_64) using readline 5.1)
2024-11-06 13:00:05 <mebious> telmich: tectonic works for me
2024-11-06 13:09:14 <wyk72> anyone knows how to start a mariadb galera cluster on Alpine linux 3.20?
2024-11-06 13:20:36 <prosenjit> sir, there is no documentaion on help tab of qt-creator. I really need it. do i need to install additional package? if the package doesn't built with documention i request to the maintainer to add qt-creator built-in documentation  
2024-11-06 13:38:39 <telmich> ikke: brightnessctl seems to not detect the screen on a lenovo x1 carbon gen12
2024-11-06 13:38:46 <telmich> mebious: thanks, will give that a try
2024-11-06 13:39:48 <telmich> mebious: Are you sure that is related to setting display brightness?
2024-11-06 13:40:38 <mebious> it isn't. i just realised that i misread that message as being related to your previous message about texlive-full
2024-11-06 13:40:53 <telmich> Ha... the brightness might need to around in /sys on that machine just yet
2024-11-06 13:41:37 <mebious> to properly answer your question, as ikke suggested brightnessctl is fairly lightweight and works well
2024-11-06 13:41:54 <cyclisme24[m]> nico, brightnessctl requires user to be in certain groups https://github.com/Hummer12007/brightnessctl
2024-11-06 13:43:19 <mebious> that is true. brightnessctl-udev provides the ruleset in `/usr/lib/udev/rules.d/90-brightnessctl.rules` so it'll just need to be copied over to `/etc/udev/rules.d`
2024-11-06 13:43:54 <mebious> that is if you use eudev
2024-11-06 13:44:34 <q66> why would you need to copy it
2024-11-06 13:44:37 <q66> udev reads from both locations
2024-11-06 13:45:06 <mebious> does it? i wasn't aware of that
2024-11-06 13:45:33 <q66> all the systemd-adjacent tooling works like that
2024-11-06 13:45:38 <mebious> i've had issues with it not being recognised when using brightnessctl without privilege escalation
2024-11-06 13:45:45 <q66> read from /etc/foo.d first, if it does not exist read from /usr/lib/foo.d
2024-11-06 13:48:10 <telmich> @cyclisme24:matrix.org: true that - but also as root it only shows the brightness of an led, not of the screen
2024-11-06 13:48:37 <telmich> strange...I thought I got a fully supported screen, opted out of the oled intentionally
2024-11-06 13:49:37 <telmich> hmm, no camera and no audio either..fun project
2024-11-06 13:55:54 <telmich> Hmm, pm-suspend crashes the system
2024-11-06 13:56:26 <telmich> irgs, and null pointers from the sound system, that can be related
2024-11-06 14:02:11 <telmich> It has been a while: https://bugzilla.kernel.org/show_bug.cgi?id=219474
2024-11-06 14:04:07 <telmich> "i915 0000:00:02.0: Your graphics device 7d55 is not properly supported by i915 in this kernel version" - nice
2024-11-06 14:05:59 <telmich> Let's see what linux-edge says, very happy with have 2 kernels in alpine by default
2024-11-06 14:06:32 <wyk72> anyone knows how to start a mariadb galera cluster on Alpine linux 3.20?
2024-11-06 14:09:25 <telmich> Uhh, 6.11 has backlight AND sound
2024-11-06 14:09:26 <telmich> amazing
2024-11-06 14:10:51 <telmich> No camera though
2024-11-06 14:14:40 <telmich> But brightnessctl works like charm
2024-11-06 14:14:53 <telmich> It's now the 4th tool I use in my xbindkeys config
2024-11-06 14:15:42 <telmich> It's so funny.. I would have thought that setting backlight is something no one wants to bother with / develop around, but I used in order: cbacklight, xbacklight, light and now brightnessctl
2024-11-06 14:17:16 <telmich> damn! 6.11 also has working suspend WHILE sound is playing!
2024-11-06 14:44:46 <ikke> wyk72: I've never used galera 
2024-11-06 16:10:34 <donoban> ikke: it's basically the same example on https://wiki.alpinelinux.org/wiki/Bridge#Configuration_file
2024-11-06 16:11:06 <donoban> my problem is that I migrated some months ago to a new laptop and didn't notice that I should add 'bridge' package for it working
2024-11-06 16:12:11 <donoban> I inspected the package and it's just a single file on /etc/network/if-post-down.d
2024-11-06 19:23:04 <frag> why does st depends on font-liberation in repo?
2024-11-06 19:30:05 <socksinspace> as far as i remember they hard-code their font
2024-11-06 19:32:40 <frag> oh right
2024-11-06 19:54:01 <frag> I guess this is common in most/all repos. In alpinelinux, st depends on font-liberation, which is +4MB
2024-11-06 19:54:14 <frag> ups, wrong windo
2024-11-06 22:11:21 <kayden45[m]> Hey there! I wanted to let you know that I have a channel where I share some amazing Verified sauce and soft cashout methods. I also provide a Full WalkThrough to make things easier for you.... (full message at <https://matrix.org/oftc/media/v1/media/download/AZL6fBVzqvB5scHDbP4gl-Rdi3_-nHXh-9mymiN2Q_Z2bzXxskeQO8vOVb4zxGXfCPT7vTAz3aJEC8arFV5uiE5CeTS6FHQgAG1hdHJpeC5vcmcvaUFsTVpwRlFFd0RQYXlwakFVUmxjcUdp>)
2024-11-06 22:17:20 <smcavoy> I have an alpine 3.20 box (x86_63, hp z2 g4) that cannot boot since linux-lts-6.6.57, I would like to revert to 6.6.56 or earlier to see if it is a change in the kernel (git showed no material changes to config of linux-lts). do previous linux-lts packages exist anywhere.. ?
2024-11-06 22:21:19 <ikke> sadly we do not keep older versions of packages
2024-11-06 22:22:27 <ikke> Takes up a lot of storage space
2024-11-06 22:23:00 <dwfreed> ikke: since you wear ops, consider adding +z, so that at least you can see the unregistered users speaking
2024-11-06 22:23:42 <ikke> (But but but then I still see the spam :P)
2024-11-06 22:23:47 <dwfreed> heh
2024-11-06 22:24:58 <ikke> Is it documented somewhere?
2024-11-06 22:25:09 <ikke> oftc user modes only shows -z for operators
2024-11-06 22:25:23 <dwfreed> https://oftc.net/ChannelModes/
2024-11-06 22:27:03 <ikke> thanks
2024-11-06 22:49:37 <liske> smcavoy: the iso images still have the old package releases https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/
2024-11-06 22:50:21 <liske> so you could get 6.6.49 from 3.20.3
2024-11-06 22:53:16 <durrendal> You could also pull the apkbuild from aports and manually set the kernel version to what you want and build it. Little bit more involved 
2024-11-06 22:55:43 <socksinspace> and a kernel with the full config takes a while to build
2024-11-06 23:13:16 <durrendal> Yeah really depends on what you have on hand to build with. My suggestion assumes you have a second machine unfortunately