In T596#11020, @jonas.smedegaard wrote:

Others than me in Purism/PureOS are happy about Flatpack - doesn't that provide the needed sidechannel for injecting these popular tools?

Others than me in Purism/PureOS are happy about Flatpack - doesn't that provide the needed sidechannel for injecting these popular tools?

In T596#11018, @jonas.smedegaard wrote:

A bit of some history...
Last fall, soon after I was hired to Purism and my interest in nitpicking and policy making became clear, I was tasked with tracking "Freedom issues" - i.e. make sure PureOS would comply with FSF FSDG.
Instead of simply "obey the gospel of FSF", I tried make sense of their rules and find the logic that make sense to me that PureOS follows - which happens to fit FSF rules but makes sense on its own as well.
The rule I have followed - which FSF does not dictate but in my interpretation fits their concretely written rules - is that PureOS must be responsible towards our users in what we offer them.
My guess is that FSF has peculiarly odd phrases like "Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow" is that they don't trust other organisations (e.g. Debian) to stay on the rght path, but they do want other organisations to trust them (e.g. use their list of Mozilla-compatible addons).

A bit of some history...

Thanks @jonas.smedegaard ! Potentially this is a bad forum for this discussion but I appreciate the title change.

I don't mean to kill the conversation here. Just want to keep separate concrete issues from "meta issues". I will take the liberty of relabeling this one to perhaps better fit what we are discussing here...

I'll add really quickly - if Debian main is still considered problematic, I understand, but I don't think that precludes making some of the Electron-based clients for E2EE messaging available through their repos (though not marked by default).

You're quite right that the GNU FSDG is very clear on this issue:

Regarding what we can and cannot do according to FSF guidelines: Are you asking what the guidelines says, or are you asking how much we can bend the rules before our relations with them snap?

Not sure what you mean by "replicate everything in-house".

To clarify: You do _not_ need to search through and locate previous issues. Nice if you do, but perfectly fine if you don't have time for that. File new issues and leave it to us to correlate and maybe merge with existing ones. :-)

I agree none of what you presented here _is_ T247 - only _related_ to it.

Seems to me that the best course of action is to talk to DuckDuckGo and see what the opportunities are here. We could of course use DuckDuckGo's search without any discussion, but a custom arrangement might be better for both parties.

Understood, I'll think about this and see if it makes sense to comment on these other issues or open new, separate ones. However - T247 doesn't quite fit with the UA issue. The User Agent behavior is identifying PureBrowser in the way that has been decided in past discussions/issues, but Mozilla is detecting PureBrowser as not Firefox. Users who click Tools > Add-ons are given choices that don't work, and diverted down channels that go nowhere. See for example the attached screenshot of what my PureBrowser is currently recommending to me on the "Get Add-ons" screen.

This covers several issues, making it difficult to track.

In T596#10989, @jonas.smedegaard wrote:

Such change(s) would be encouraging those resources.
Since those resources are external to us, we cannot ensure our users that they fit our constraints e.g. regarding software freedoms - and even if they happen to currently align with out constraints we have no way of intervening if that change later on, after our users have installed our system onto their systems.
PureOS is the subset of Debian which is "Free" both by Debian definitions and by Free Software Foundation definitions. Encouraging inclusion of Debian resources would - in the eyes of FSF - be encouraging non-free stuff, and we would loose the endorsement from FSF as being a Free system by their standards.

Such change(s) would be encouraging those resources.

Only Matthias has access to automation tools, I believe.

I had this issue on the OEM version of PureOS 8 Beta 1, Librem 15 v3. I ended up doing a full reinstall of PureOS.

Thanks for the info on exiftool. I installed it and compared its output with pdfinfo, which was already installed as part of the poppler-utils package. There are slight differences (pdfinfo gives the page size), but both just do not report a nonexistent Creation Date or Modify Date. So at least they don't make up a bogus date for either of those.

As of today 2018-10-08, after intervening system updates, this issue persists. In the meantime I had to install an Xubuntu VM in Boxes, and then install Firefox within the VM.

I'm logged in under GNOME (default Wayland), not GNOME on Xorg, and I get this from gnome-logs after Thunar crashes:

As of today's updates (2018-10-08), this issue persists and is still seen with a number of applications: PureBrowser, GNOME Web (Epiphany), Kate, and Okular. It seems to have been fixed for GNOME Files (Nautilus) and Thunar.

I also encountered this issue today trying to install on my desktop with a USB mouse.

https://bugs.debian.org/906609#30 segfault should be fixed...

I'm going to go ahead and make the executive decision of un-assigning myself from this ticket - feel free to assign back if there is a "Next Action" for me of course, but I do not have an obvious step to proceed.

This was fixed a long time ago.
See https://tracker.pureos.net/T559#10667 for some instructions on how to resolve the configuration issue.

This looks like expected behavior to me: The first prompt is for the disk password, while the second one is for root permission to be actually able to mount the device.
However, there might still be an issue here, because apparently the disk is mounted twice, and also a local user should be able to mount disks directly without root permission, so the second authentication request might not be needed (it could be though that the system policy on what the user can do is different for encrypted disks compared to regular volumes).

Terrific. I am glad that worked for you.

Oh and btw. how do you intend to detect tampering anyway? Please don't tell me you need a Librem Key. Purism tries to sell the laptops as secure and not secure-with-additional-hardware, right? Or is the Key now part of the laptop shipment? If not, what is your security goal for a humble users without Librem Key?

You seem to be trapped in the thinking that signature verification is bad and measuring is good. Please don't see it like that. They both complement each other very well.

Hi Wayne,

I use the following commands from a terminal prompt:

Hi Wayne,
How do I make my system up-to date? I tried sudo apt-get update, but it returns an error.

If you have not already, you may wish to make certain your system is current. There was a similar issue, but it was fixed in late August. Please refer to https://tracker.pureos.net/T502.

We do not need or want it. Specifically the problem with systems like vboot (and why we went with Heads instead) is that we do not want to require that the BIOS pass a signature check against a key that we control. We want the user to be able to flash with a custom BIOS if they so choose, even if we haven't blessed it with our signature.

Kyle, can you evaluate vboot in terms of security, do we need it, do we want it and all that.. so we can decide if we want to add it or not

Alas, I don't know who has bandwidth to do it and do not have control over their inbox. :)

@chris.lamb, sorry, did not now whom to assign it to, so feel free to reassign to Jonas or Matthias.

(curious why this assigned to me, @mladen.pejakovic ?)

Sorry, above was inaccurate: I _do_ expect FSF to tolerate _FSF_ hosts as "middle-ground" but not e.g. "extensions.gnome.org".

No, "middle-ground" is some other option - possibly one of these:

In T585#10838, @jonas.smedegaard wrote:

d) Software center contacts other hosts than pureos.net only after the user spells out the host otherwise not mentioned at all
Case d) is acceptable by both FSF and Debian. Should IMO be acceptable by us.

(Now? Ie. with the openpgp-smartcard branch, no?)

Sweet! So, what's the timeline look like for me to be able to test this on something?

https://bugs.debian.org/909567

https://github.com/evilsocket/opensnitch/pull/207

@kyle.rankin Did you see https://bugs.debian.org/903163#135 ? :)

@james.rufer GNOME Software will fetch an extension list when run under GNOME Shell. So, you'll need to run it in a GNOME Shell session and the GNOME site has to be reachable. Try refreshing the software index (refresh button in GNOME Software) in case information is missing.

@todd It seems to me that your question at 11:52 was ambiguous: I guess you intended to ask about _default_ behaviour, and to me it is more likely that Matthias answered only about _ability_ - i.e. that Software center sends requests outside of pureos.net if told to do so. Therefore I disagree that @james.rufer's test is counter to @mak's answer.

@james.rufer does any GNOME extensions appear? (this would be the answer to only packages from approved PureOS.net and it would be counter to what Matthias mentioned in the chat history @ 12:05)... So I want to confirm that...

Chat history on the subject from #community-pureos:talk.puri.sm

Seems to me those fields are simply not provided, and Evince (which it seems you use to parse and inspect the files) wrongly show a bogus timestamp when none is proviced.

The tool nethogs is available in PureOS in the package nethogs. I.e. the tool is "included in most Linux distributions" as was quoted in that forum thread you are linking to.

This problem seems to occur especially when the system in on heavy load. I can easily reproduce it when building the Debian package hdf5.

Add:
This has occurred on three installations, so does not appear random.

After installation, when doing the system upgrade, get the following message:

Installed the latest ISO in Boxes. "UTC" did not come up in search.

I am not sure I understand the problem - what is the issue here? That extensions can be downloaded from GNOME?
Since we trust GNOME already, I don't think it makes sense to disallow that in GNOME software, especially because doing so means people will have trouble installing GNOME extensions.

Reassigning to Matthias, our expert on AppStream (including what and how much PureOS has derived from Debian in that area).