Thank you Richard
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1536871
Title:
[MIR] fwupd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871
> I'd very much like to see the firmware.xml.gz file using sha-256
I added support for more than just SHA1 to fwupd last week. After some
more testing, I'll enable it on the metadata file from the LVFS.
@Tim,
gpgme doesn't do any underlying check on what version, it will happen on a
system with gnupg 1.x as well.
On Fri, Apr 1, 2016 at 12:41 AM Tim Chen <1536...@bugs.launchpad.net>
wrote:
> @Mario
> For #23, does this affect system without gnupg2 installed? What will
> happen if system only has
@Mario
For #23, does this affect system without gnupg2 installed? What will happen if
system only has gnupg 1.x?
Richard,
Can you hold off until tomorrow on the tarball release? I'm working on a
fix for the test suite not working in sbuild I'll push later today that I
would like part of it.
On Thu, Mar 31, 2016, 13:15 Richard Hughes wrote:
> I can do a new tarball release with all the suggested fixes if t
I can do a new tarball release with all the suggested fixes if that
would make things easier.
Override component to main
fwupd 0.6.3-0ubuntu2 in xenial: universe/admin -> main
fwupd 0.6.3-0ubuntu2 in xenial amd64: universe/admin/optional/100% -> main
fwupd 0.6.3-0ubuntu2 in xenial arm64: universe/admin/optional/100% -> main
fwupd 0.6.3-0ubuntu2 in xenial armhf: universe/admin/optional/100%
subscribed foundations.
Override component to main
npth 1.2-3 in xenial: universe/libdevel -> main
libnpth-mingw-w64-dev 1.2-3 in xenial amd64: universe/libdevel/extra/100% ->
main
libnpth-mingw-w64-dev 1.2-3 in xenial arm64: universe/libdevel/extra/100% ->
main
libnpth-mingw-w64-dev 1.2-3 in xe
@mterry:
I'd propose foundations bugs for both.
As for the tests being disabled, you need libtool-bin in xenial (and libtool in
earlier releases).
This commit will handle it:
http://anonscm.debian.org/cgit/uefi/fwupd.git/commit/?h=ubuntu&id=4ea0dfe282ba0d26bebb9d47c311c24fea16de33
I went ahead and looked at npth. It seems fine, but just needs a team
bug subscriber as well.
fwupd:
- Can we get a team bug subscriber for Ubuntu? Some team that promises to look
after this, with a bus factor bigger than 1 :)
- Tests are disabled, because of an old upstream bug
(https://github.com/hughsie/fwupd/issues/14). That bug is fixed. But tests
still don't work for me (pbuild
** Changed in: fwupd (Ubuntu)
Assignee: (unassigned) => Michael Terry (mterry)
the merged gnupg2 needs a MIR for npth
** Also affects: npth (Ubuntu)
Importance: Undecided
Status: New
** Changed in: npth (Ubuntu)
Status: New => Incomplete
Mario, excellent detective work. I was going around in circles earlier
today trying to explain why Richard couldn't reproduce my failures and I
couldn't reproduce his successes.
Richard, thanks for describing the xtea use and md5 KDF. If this were an
important part of the project I'd be far more c
To address the various actions:
1) I created a bug to at least track that this is a problem in gpgme [0]
2) I uploaded a new gnupg2 to xenial-proposed. It's in unapproved. For now if
you want to give this a try until it's accepted I also have it on a PPA [1]
3) I added a check to fwupd to check
Oh and lastly per the comments in
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871/comments/2
we should likely be able to turn the test suite back on once compiling
with gnupg2.1 in build-depends.
Seth let us know if there is anything else that needs investigation or
fixing from your p
Seth,
I believe I've identified what's going on (and why Richard couldn't
reproduce this on Fedora).
gpgme1.0 shells out to /usr/bin/gpg2 to perform actions. If you turn on
its debug flags verbose enough you can track down the various calls
it's sending around.
I was noting the cert actually i
With the gpg issue, log in as root and do:
killall fwupd
gpg2 --list-sigs
if you see the LVFS key, "gpg2 --delete-keys 4538BAC2" -- then remove or
change /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
then restart fwupd and try a "fwupdmgr refresh" -- this should report:
failed t
Hey,
- gpgme_release() is called in finalize() unless you can see where we're not
deallocating an object on error
- as_store_from_xml() operates on a UTF-8 string, so any embedded NULs would
be invalid anyway
- /etc/pki/ is a cross-distro spec, no?
- /var/cache/app-info/xmls is specified in
Thanks again for the rapid feedback. It's nice to know that I jumped to
an unreasonable conclusion.
Now that I know to kill the fwupd process I've made more progress
testing the failure modes but still find some lacking:
- Removing /etc/pki/fwupd or /etc/pki/fwupd-metadata results in nice
error m
Here's the other miscellaneous notes I've made so far:
- fu_keyring_setup() doesn't use gpgme_release() on gpg_set_protocol()
failure
- fu_main_daemon_update_metadata() checks signature over an entire file
but uses g_strndup() to copy it in memory; a file may use an embedded
ASCII NUL to
Yes, also further to Mario's comment (you do need to restart the daemon)
you also need to clear the persistent gpg2 keyring. I perhaps wasn't
clear we are also using the persistent keyring store -- using commit
https://github.com/hughsie/fwupd/commit/e4141f4f234d258424020069dadf8df39848a119
I see (usin
Seth,
Just to confirm, when you replaced those files did you also restart the
fwupd process?
On Mon, Mar 28, 2016, 23:20 Seth Arnold <1536...@bugs.launchpad.net>
wrote:
> Richard, Mario, thanks for the feedback, it's been helpful.
>
> I'm not sure that everything's hooked up correctly though --
Richard, Mario, thanks for the feedback, it's been helpful.
I'm not sure that everything's hooked up correctly though -- when I
replace both these files with my own GPG key and run fwupdmgr refresh I
get no errors:
/etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
/etc/pki/fwupd/GPG-K
Seth, anything else you're looking for to finish your assessments? Just
as a friendly reminder we're blocked on turning on firmware support in
gnome-software (FFe bug 1544376) from this MIR.
The FFe has been approved for turning on firmware support, but it would
be highly desirable to bang on thi
Hi Seth,
Verification of the firmware LVFS metadata:
https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L947 which
then uses https://github.com/hughsie/fwupd/blob/master/src/fu-
keyring.c#L340
Verification of the cab file:
https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L495 af
Hi Richard, thanks for the reply.
This is quite unusual but the demands on our time are growing and it'd
help me immensely if you could aim me towards the methods that:
- verifies the firmware.xml.gz file
- verifies the contents of firmware.inf and firmware.metainfo.xml files
within the cab file
Seth,
Thanks for raising that early concern. I don't believe there is currently any
enforcement of sha256.
The LVFS metadata source that is configured by default
(https://secure-lvfs.rhcloud.com/downloads/firmware.xml.gz) is also set to use
sha1.
I'll talk to upstream about sorting out both
Thanks Mario, very helpful. I've found something else that worries me:
The Linux Vendor Firmware Service re-packs a cab with a firmware, a
detached signature, and some metadata. An example is at [1].
I haven't yet been able to find any chain of trust from a key to the
cabfile to download. If the
Mario, this review is in progress. One point that worries me greatly is
that fwupd appears to allow any hash to authenticate firmware files that
are served over appstream and our appstream package appears to allow MD5
and SHA-1, neither of which are acceptable to authenticate firmware
updates.
If
Hi Seth,
I'm the upstream of both fwupd and the LVFS. I wanted to point out a few
things:
* We use a GPG detached signature of the firmware file itself to avoid being
able to just C&P the signature between cab files
* I've reviewed (and fixed critical warning bugs) in libgcab, and have also
fuz
Any more updates on this?
Also, if anyone wants a quick (well, 45 minute) overview of the whole
thing my DevConf presentation was recorded:
https://www.youtube.com/watch?v=7s2NhxEvwE0
Seth has been working on this security review.
** Changed in: fwupd (Ubuntu)
Status: Confirmed => In Progress
** Changed in: fwupd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold
(seth-arnold)
On 2016-03-02 17:53:17, Mario Limonciello wrote:
> Just wanted to check in on this security review for MIR. Is it still
> going to be done?
It is scheduled to start after the fwupdate MIR security review, which
should begin today.
Just wanted to check in on this security review for MIR. Is it still
going to be done?
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: fwupd (Ubuntu)
Status: New => Confirmed
There is still fwupdate and gcab not in universe.
There is no team subscribed to the bugs for the package on Launchpad.
There also appear to be some important bugs that could be fixed with
the next upload for fwupd; in the Debian BTS.
Also, tests currently don't appear to be run, although an ups
I'll review this MIR.
** Changed in: fwupd (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl)
** Description changed:
[Availability]
In Universe
[Rationale]
Required for GNOME Software (MIR in bug 1536870). Firmware updating
functionality is very desirable for OEMs / users.
[Security]
[Quality assurance]
[Dependencies]
- All dependencies in main.
+ All dependenci
** Description changed:
[Availability]
In Universe
[Rationale]
Required for GNOME Software (MIR in bug 1536870). Firmware updating
functionality is very desirable for OEMs / users.
[Security]
[Quality assurance]
[Dependencies]
+ All dependencies in main.
[Standards