**** BEGIN LOGGING AT Wed Jul 17 02:59:57 2019 Jul 17 05:03:08 aparcar[m]: i pushed that commit and i thinkit should be safe Jul 17 05:03:12 (good) Jul 17 06:14:20 blame me (and ping me) if sysupgrade doesn't work for you anymore Jul 17 06:14:29 (anyone) Jul 17 06:33:34 aparcar[m]: using docker containers for a 800 line python script is very un-openwrt-ish Jul 17 06:33:40 that is a vendor solution Jul 17 06:34:23 the protocols inherent design allows recovery of lost drones and has a resend logic incase packets/replies get lost Jul 17 06:34:41 there is also a out-of-sync sequence detection Jul 17 06:34:53 morning Jul 17 06:35:01 the only thing which we can't cover that easily is the DUT actually being misflahed Jul 17 06:35:14 god I hate pgp and anything associated with it Jul 17 06:35:19 that would require manual hands on bootloader recovery Jul 17 06:35:26 jow: yeah Jul 17 06:35:40 I believe this thing was built to ensure that personal encrpytion will never become mainstream Jul 17 06:35:45 jow: you can put it into a docket container Jul 17 06:35:48 that should fix it Jul 17 06:35:57 actually I did, that was what broke it Jul 17 06:36:07 rofl Jul 17 06:36:27 but its a virtual container *bingo* Jul 17 06:36:53 I am in the process of rebuilding the entire build cluster, which led to some fallouts here and there Jul 17 06:37:04 just noticed that the pgp sigs weren't generated for master Jul 17 06:37:15 will be back in a few days/hours Jul 17 06:37:20 is that the sig/asc thing that guy asked about > Jul 17 06:37:26 yes Jul 17 06:37:30 .sig -> usign Jul 17 06:37:33 .asc -> pgp Jul 17 06:37:37 ah Jul 17 06:37:39 we're supposed to have both, normally Jul 17 06:37:52 but due to pebkac/breakage the .asc ones weren't generated for master Jul 17 06:37:52 put it into a container, that will fix it Jul 17 06:38:07 or better a container in the cloud Jul 17 06:38:17 ok, enough Jul 17 06:38:31 because, you know gpg --export-secret-keys doesn't actually export the secret keys Jul 17 06:38:41 well duh Jul 17 06:38:55 unless you also pass the completely obvious and self explaining --pinentry-mode loopback --no-tty --passphrase-fd 0 options Jul 17 06:39:12 otherwise it'll silently fail to launch pinentry, and thus simply do not export the secret key Jul 17 06:39:22 told you, should have used the pregenerated container for that Jul 17 06:39:25 but still produce output that looks like a successfully exported key Jul 17 06:39:37 now that part is neat Jul 17 06:39:41 which then even is successfully imported by gpg, even stating "secret keys read: 1" Jul 17 06:39:57 only that thewre isn't any secret key after the fact Jul 17 06:40:21 so this was *yet another* corner case not covered by previous checks Jul 17 06:40:23 I'll add that as a feature to udrone Jul 17 06:41:02 --bullshit --> "nine of eight tests passed with 102% accuracy" Jul 17 06:41:19 however, on the plus side we do have most buildslaves in containers now (I know...) Jul 17 06:41:28 and being under ansible config management Jul 17 06:41:29 :-D Jul 17 06:41:44 so with a few line changes in a config I can shift the build workers to different masters Jul 17 06:41:56 the rest is completely automated Jul 17 06:41:58 good work, thankls ! Jul 17 06:43:41 I had to do some rather ugly hacks to handle the usign stuff cleanly, this is something we need to fix in buildroot eventually Jul 17 06:44:15 the problem is that buildroot (base-files, opkg) only enables the usign capabilities in packages if both the public and the secret key file are present Jul 17 06:44:26 correct Jul 17 06:44:32 this needs to be split Jul 17 06:44:56 enable package index signing only if the secret key is present, but still build opkg and base-files with usign verification support if only the public key file is there Jul 17 06:45:37 right now I workaround this by creating a dummy secret key file, building almost all steps with CONFIG_SIGNED_PACKAGES=y but invoking make package/index with CONFIG_SIGNED_PACKAGES=n Jul 17 06:46:26 the dummy secret key file is just there to satisfy some if [ -f $(TOPDIR)/key-build ]; ... checks in base-files and package/Makefile Jul 17 06:46:53 I would've fixed that already but then there's this ucert stuff too now which I don't know how to handle Jul 17 06:47:09 i lost track of felix's features Jul 17 06:47:29 I heard that there's some willingness to enable the firmware image signing now Jul 17 06:47:51 that would however mean that we would need to expose the secret usign key for releases to potentially untrusted build slaves again Jul 17 06:51:17 that would essentially make the whole exercise a no-op Jul 17 06:52:28 basically what needs to be done is breaking out the signing part int oa script or something that can be run offline against a set of images Jul 17 06:52:55 which would probably imply host builds of at least fwtool and ucert Jul 17 07:20:51 jow: Daniel told me, that he has based usign on OpenBSD's signify, which makes me wonder, why we simply don't use signify for images/releases as well, avoiding the GPG? There's signify-openbsd package in Debian Jul 17 07:21:28 and copy&paste the workflow from OpenBSD, which probably should be good enough Jul 17 07:29:13 ynezz: just for sure, can you check [PATCH] imx6: sysupgrade: document Apalis code handiing rootfs_data Jul 17 07:29:18 is that ok & accurate? Jul 17 07:30:31 yep, it's accurate, but it seems to me like you're just overreacting :) the comment is longer then the code itself Jul 17 07:32:25 if you want to make it more explicit, then just move that into separate function with the name explaining the intention/purpose, but I kind of hate comments, which basically explain what you can read in the code :) Jul 17 07:32:27 I see the point, but I also don't want to run into debugging that ever again :P Jul 17 07:32:55 don't worry to much about that, it happens to all of us Jul 17 07:34:49 I bet, that it could be probably improved, like making jffsreset working even on unmounted rootfs_data, then we wouldn't need to care about such details when we call jffs2reset Jul 17 07:37:20 like `jffs2reset -y` would imply force mode (but it might be better to add another switch for this purpose) and simply run mkfs again (or just simply overwrite the start of that fs with 0) Jul 17 07:37:53 so we wouldn't need to copy over mkfs utils into ramfs Jul 17 07:51:51 i was thinking about mkfs for a moment, I'm just not sure if my desire of dropping platform_pre_upgrade() is good enough argument for that Jul 17 07:52:00 platform_pre_upgrade() is not that bad probably Jul 17 07:54:44 indeed, but that cleanup in other targets was really nice and welcome anyway Jul 17 07:55:21 :) Jul 17 07:55:35 i got one more cleanup coming Jul 17 08:11:04 rmilecki: I wonder if that jffs2reset really is nesessary, and wether just padding the squashfs-rootfs enough so the fs-check returns FS_NONE (and thus triggers a mkfs call) would be enough Jul 17 08:11:33 KanjiMonster: it's about "rootfs_data" partition that we need to clean Jul 17 08:12:27 rmilecki: but doesn't it dynamically start at the end of the squashfs root? Jul 17 08:12:41 ynezz: ^^ ? Jul 17 08:16:03 what if I want to keep the settings? Jul 17 08:17:21 I mean, when/where should I pad the squashfs image? Jul 17 08:18:04 the sysupgrade.tar.gz is copied to /boot, not the overlay Jul 17 08:18:07 IIRC Jul 17 08:23:01 ok, I'll try that, thanks Jul 17 08:30:06 ok, so factory image is combined, which has rootfs set to CONFIG_TARGET_ROOTFS_PARTSIZE=128, so I would need to pad squashfs to 128MB+something to overwrite the overlay, right? Jul 17 08:31:01 which seems quite excessive to me in comparison to jffs2reset :) Jul 17 08:32:16 KanjiMonster: rmilecki: ^ Jul 17 08:33:08 a lot of issue stems from the fact that the device is an emmc/sdcard device, but isn't setup to work like all the other emmc/sdcard devices Jul 17 08:33:45 ok, so what do you recommend? Jul 17 08:34:24 when adding apalis, I simply took what was there in imx6 available at that time Jul 17 08:35:17 all the other emmcs device don't use a sysupgrade-tar but instead use write disk image to the emmc card Jul 17 08:36:18 see e.g. turris omnia (mvebu), clearfog (mvebu), raspi Jul 17 08:43:21 Guys, would it be possible to cherry-pick this commit https://github.com/openwrt/openwrt/commit/299f6cb2da0a443484339aaa51b3d9edcc21ce4e to openwrt-19.07 branch? It fixes CVE-2019-11360. More details https://nvd.nist.gov/vuln/detail/CVE-2019-11360 Jul 17 08:45:01 x86 is another target with a different sysupgrade-procedure Jul 17 08:46:01 as well as the unielec mt7623-board, which has an emmc Jul 17 08:46:06 KanjiMonster: thanks, added this to my TODO list Jul 17 08:49:06 ynezz: I laready switched master buildbots to openbsd-signify Jul 17 08:49:15 gpg is still there for backwards compat Jul 17 08:49:25 ah, nice! Jul 17 08:49:30 but I too find the signify workflow way simpler to deal with Jul 17 08:49:45 especially the verify mode which can use sha256sum files directly Jul 17 08:50:01 it verifies the signature of the checksums file and the checksums itself in one pass Jul 17 08:50:15 KanjiMonster: BTW it seems like those devices have just one single emmc partition, right? Jul 17 08:52:33 ynezz: no, there are usually two partitions; a boot partition for the kernel, and a rootfs partition - they are using a raw disk image to write (including partition table) Jul 17 08:53:17 I mean for spl/bootloader Jul 17 08:54:44 mmcblk1: 7.28 GiB, mmcblk1boot0: 4.00 MiB, mcblk1boot1: 4.00 MiB, mmcblk1rpmb: 4.00 MiB Jul 17 08:55:57 so the /boot with kernel/dtbs goes to mmcblk1p1, mmcblk1p2 is squashfs, mmcblk1boot0 has SPL+uboot Jul 17 08:57:29 which makes this single disk image harder if I would like to update SPL+uboot with sysupgrade Jul 17 08:58:18 you can just start writing from offset 0 of the emmc, if I understand and remeber correctly :) Jul 17 08:58:31 I did that once and got to learn how to use JTAG Jul 17 09:00:46 well, content of `hexdump -C -n 2000 /dev/mmcblk1` doesn't match content of `hexdump -C -n 2000 /dev/mmcblk1boot0` Jul 17 09:01:44 perhaps the device I worked with worked differently, but there offset 0 of mmcblk0 was uboot Jul 17 09:02:07 or I messed up something else :) Jul 17 09:09:51 kristrev: For eMMC there is usually a partition table at the beginning. Jul 17 09:37:43 blogic: thanks for the clarification, I'm eager to see how it works once working Jul 17 09:37:44 blogic: I'm the signing guy Jul 17 09:37:45 jow: dango created ucert for the untrusted worker situation right? allowing to trust a chain of signers, but also retire exposed keys when needed Jul 17 09:37:45 this process just need some kind of update process, to keep trusted keys up to date Jul 17 09:40:13 hooray, I just sent the last sysupgrade cleanup patch Jul 17 09:40:24 rmilecki: :-) Jul 17 09:40:43 rmilecki: thanks for you work Jul 17 09:40:47 :) Jul 17 09:40:56 now I can start working on new features Jul 17 09:45:36 gch981213: Thanks. I see now that I was wrong, sorry for the noise. I need to stop talking before brain has booted properly Jul 17 10:00:45 is it possible to increase the window size of `make menuconfig`? Jul 17 10:12:10 increase the terminal size? Jul 17 10:21:13 rmilecki: just sysupgraded imx6, so it seems to work fine after your latest changes Jul 17 10:21:21 :) Jul 17 10:23:51 karlp: FS#2385 have you ever experienced something like this? Jul 17 10:30:02 ynezz:not noticed anything like that, but we have very few devices running in STA mode. Jul 17 10:30:15 we mostly use it as a single AP for configuration. Jul 17 10:31:20 (I'd suspect that when it "fully freezes" it's running into the watchdog reset fail issue that I've tried working araound, but that's just a guess, and not the cause of their problem, just a side affect that makes it worse) Jul 17 11:18:04 Hauke: rmilecki: any objections https://github.com/openwrt/openwrt/pull/2231 (brcm47xx: fix 831-old_gpio_wdt.patch for linux 4.19) ? Jul 17 12:58:22 dohh, added a agadget serial line to inittab, now I have console _only_ on the gadget, instead of on both the gadget and the actual serial port Jul 17 13:03:38 console or login shell Jul 17 13:03:48 inittab only does login but not console Jul 17 13:03:58 for console you need to also fiddle with the command line i think Jul 17 13:51:12 ynezz: if that doesn't break 4.14, i'm 100% fine with it Jul 17 13:51:25 if it breaks 4.14, we need #if LINUX_VERSION instead Jul 17 13:52:11 it seems timer_setup is present in 4.14: https://elixir.bootlin.com/linux/v4.14.133/ident/timer_setup Jul 17 13:52:15 so it should be fine Jul 17 13:52:16 rmilecki: if modifying a patch in patches-4.19 breaks 4.14, we would have a much larger issue ;P Jul 17 13:52:24 oh my Jul 17 13:52:26 silly my Jul 17 13:52:27 *me Jul 17 13:52:50 looks good then! Jul 17 13:56:33 blogic:well, I just want a login, but I somehow lost the login on the actual serial port, before I added the line to inittab, I had it only on the serial console. got more to play with yet :) Jul 17 15:20:37 I want to create ath10k board-2.bin for Phicomm K2T and I extracted the factory firmware, only to find that there are 5 variants of this router and manufacturer uses a preinit script to decide which boarddata file to use: https://paste.ubuntu.com/p/FYB7FVSz3m/ Jul 17 15:22:54 gch981213: I had a similar thing with the Linksys EA8300 and four, regional variants of board-2.bin -- Handled with four variants in the board files and in the DTS (haven't figured out if DT overlays work for anything but RPi-style devices) Jul 17 15:23:35 The only way to distinguish between variants is checking ART contents and device version stored in mtd. It's hard for users to do this check and we can't really create 5 firmware variants just for this purpose. Jul 17 15:23:38 It looks like it needs to be decided on the fly though, eh? Jul 17 15:23:48 Just saw that Jul 17 15:23:54 I wish I knew where to start with this https://pastebin.com/H6h8yRbp Jul 17 15:24:56 jeffsf: Yeah. I'm considering if I should do what the manufacturer did. (create 5 board-2.bin and use a script to link it into /lib/firmware) Jul 17 15:30:40 Would be nice to be able to build perf. Jul 17 15:31:33 gch981213: Tricky part is timing -- maybe in the firmware hotplug Jul 17 16:51:42 gch981213: https://github.com/openwrt/openwrt/blob/master/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata#L198 Jul 17 16:53:26 jeffsf: ^ Jul 17 18:32:02 ldir: is that new regression? Jul 17 18:33:00 ldir: 57d096e2a9bb89a0185d296c0eb8dd76533aa43c Jul 17 18:36:21 rmilecki: thanks! Jul 17 18:36:53 The last time I played with perf it was k4.14 so this might be a k4.19 thing Jul 17 18:37:39 ok, then just try latest master and pls let me know Jul 17 18:38:31 latest master breaks - just trying revert the commit you mentioned Jul 17 18:39:38 and 16ac5c4fbd183398d6a1595f6c87fd85c8668b33 probably as well Jul 17 18:45:11 and please build with `make package/perf/compile V=sc JOBS=1 -j1` Jul 17 18:57:17 cotequeiroz: seems your previous fix to OpenSSL cryptodev did not work: https://downloads.openwrt.org/snapshots/faillogs/aarch64_cortex-a53/base/openssl/compile.txt Jul 17 19:01:40 mangix: This is not related to OpenSSL fixes, as I have done none lately. It is missing cryptodev headers, because cryptodev-linux itself failed. I would bet something kernel-related broke out-of tree module compilation. Jul 17 19:01:54 https://downloads.openwrt.org/snapshots/faillogs/aarch64_cortex-a53/base/cryptodev-linux/compile.txt Jul 17 19:03:03 cotequeiroz: i think the kernel itself is not compiling, causing long range build failures Jul 17 19:10:04 ynezz: no, it's all b0rken with/without the reverts - I suspect this is yet more upstream cross compile breakage. Jul 17 19:10:52 For what it is worth, I just compiled git master for ath79 and didn't have any issue. Jul 17 19:12:49 mamarley: oh I can build, just not the perf package Jul 17 19:13:10 Oh, OK, sorry. I misunderstood. Jul 17 19:25:09 ldir: try `make target/linux/{clean,prepare}; make package/perf/compile` Jul 17 19:28:15 ldir: and make sure, that you've `HOSTCFLAGS_jevents.o= -I$(srctree)/tools/include` in your $(LINUX_DIR)/tools/perf/pmu-events/Build Jul 17 19:29:05 ok, will try that a bit later - busy now. Jul 17 19:29:12 this include path is simply missing in your pastebin output Jul 17 19:32:15 Pepe: no idea if you have control. I recommend reopening this bug: https://gitlab.labs.nic.cz/turris/turris-os-packages/issues/398#note_113338 Jul 17 20:02:58 * blogic throws a frisbee at ldir Jul 17 20:22:30 DonkeyHotei: I did a small fix, can you please check https://git.openwrt.org/fec34d2fbd4512c7345a5bb165082cb39b69ed04 ? Jul 17 20:22:57 DonkeyHotei: $ARGV was obsoleted recently in the sysupgrade Jul 17 20:25:46 ynezz: LGTM but i can't test directly Jul 17 21:26:49 ynezz: nice catch with that $ARGV Jul 17 23:59:06 hey Jul 17 23:59:10 good night Jul 17 23:59:55 I want to request some features Jul 18 00:00:03 That i am willing to donate for Jul 18 00:00:08 anybody here Jul 18 00:00:25 Most of the lead devs are on European time Jul 18 00:01:50 are you a dev? Jul 18 00:02:14 how much donation is needed for requesting a feature Jul 18 00:02:15 I've hacked a few things, but not a "dev" as you probably mean it Jul 18 00:02:32 what do you think Jul 18 00:02:38 ? Jul 18 00:03:03 I want to request modem specific features Jul 18 00:03:19 Showing the value is perhaps more important. Figure that a consultant makes US$100-150 per hour and "simple changes" are probably 10-100 hours of time Jul 18 00:04:02 i know what i want Jul 18 00:04:19 but dont know how much will it cost! Jul 18 00:04:51 Have you asked on the forums if someone has already solved some or all of your needs? Jul 18 00:05:00 yes Jul 18 00:05:38 my needs are very specific and only few people understand Jul 18 00:05:44 usually gamers Jul 18 00:05:57 and streamers Jul 18 00:06:12 any one wanting good latency will dig in and find the problem Jul 18 00:06:42 I need a method for overriding low level settings enforced by the dslam Jul 18 00:07:08 A patch or mod Jul 18 00:07:12 or maybe a script Jul 18 00:07:21 You might want to find out if the device you're considering has source code. Jul 18 00:07:34 unsure Jul 18 00:07:37 Meaning for the DSL modem -- not for the router portion. Jul 18 00:07:42 dut the driver is opensource Jul 18 00:07:55 Lantiq chip has binaries Jul 18 00:07:59 and source codes Jul 18 00:08:14 with zero documenattion Jul 18 00:09:26 its the only supported vdsl chip Jul 18 00:10:46 i want full control over xdsl from both GUI and CLI Jul 18 00:11:11 I want to use any xdsl configuration i want Jul 18 00:11:23 what do you suggest? Jul 18 00:11:45 Buying a better internet connection Jul 18 00:12:29 Unless you can find someone "motivated" to make extensive changes to undocumented code. Jul 18 00:12:46 At least for me, that's a lot more than a "donation" could cover Jul 18 00:13:05 where Jul 18 00:13:14 any internet connection wil be xdsl Jul 18 00:13:24 FTTH wont be installed where i live Jul 18 00:13:45 I dont have much free time Jul 18 00:13:53 but i think patreon could cover it Jul 18 00:44:34 hey Jul 18 02:34:15 jow, may be he just forgot Jul 18 02:34:28 miss click **** ENDING LOGGING AT Thu Jul 18 02:59:56 2019