Um, Actually, EP 13: Tuesday, Oct 3, 2023
Mark Johnson 0:03
Well, we’ve been doing this new podcast for a while now. And haven’t we had a lot of feedback?
Martin Wimpress 0:08
Yes, just a bit.
Mark Johnson 0:10
People have been getting in touch all over the place. I was astounded by how much people are using the web form on our website.
Mark Johnson 0:18
I know. Yeah. Lots of email, lots of Toots on Mastodon as well. So, yeah, let’s have a look at some of the things people have been saying. I mean, firstly, I think we just need to say thank you to all of the lovely comments that we got from people who were just happy to have us back, as we’re happy to be back. So thank you to everyone who sent their love.
Alan Pope 0:40
Yes, that was nice.
Martin Wimpress 0:41
It was indeed.
Mark Johnson 0:42
We had a few people getting in contact about our show notes. David emailed to say that he wanted to check out the websites of other shows but couldn’t find them. Now, I think Joe is planning to add a site to latenightlinux.com with all of the shows in the Late Night Linux family, so they’re easier to find. And Tom and Connor emailed about links in our show notes to things that we were talking about. That was a bit of an oversight on our part. We are trying to make sure that we add links to the things that we discussed, so hopefully we’ll rectify those in the future.
Alan Pope 1:16
I went overboard in Episode 12. Every other word was a link.
Martin Wimpress 1:22
Yeah, I think up to this point we’ve linked to, like, top-level projects that we’ve discussed. We’ve tried to keep our show notes lean; we’re going for Six Sigma Black Belt status with podcast production here. But we also often write blog posts that supplement the episode, so some of those links are, like, full exposés. And Alan, you’ve been doing loads of blogs and stuff. Now I think you’ve done more blogs to supplement the podcasts than anyone. Yeah, probably more than podcasts. Yes. Sorry about that. Uh, Mark, we had a stack of feedback about your journey, or starting your journey, with TPM and LUKS. So Alex emailed us, and they said that they agreed they found setting up TPM to be rather finicky. But one thing that they did suggest is taking a look at unlocking LUKS with a YubiKey or similar. Yeah, I had this suggestion from a tonne of people. So the idea here is that you have a YubiKey, which is a separate USB device designed for storing things like encryption keys. So you have that plugged in when you boot, and you press a button or scan a thumbprint or something, and then that basically types your password in as a pretend keyboard. And then you can take it out and store it separately when you’re not booting. And that means that if your laptop gets nicked and they don’t have the YubiKey, they can’t then get into it. So that seems like a pretty neat suggestion for not having to type in a long password while still maintaining quite a lot of security. One thing I didn’t have from anyone, which I was hoping for, was I didn’t have anyone either say “unlocking with a TPM is still secure because”, and I also didn’t have anyone say “it’s definitely not secure”, because I was hoping that someone would show me the exploit which means you definitely shouldn’t do this. There was one reported whereby, basically, if you mash the keyboard at the passphrase prompt, it causes it to drop to a root shell in the initramfs.
And because at that point the boot state is in the state that the TPM is expecting, you can then get the TPM to give you the password. So, wow, that’s not ideal. But one thing which happened not long after we published was that Ubuntu had a big announcement that they’re adding support for this very setup in Ubuntu from 23.10 onwards, and the blog post about that and the Ubuntu Security Podcast that came out in conjunction with that go into quite a lot of detail. They’re well worth a listen. But they did enlighten me to a few things, in particular a use case for this. And in fact, the reason that they were working on it in Ubuntu in the first place was that it lets you enable full disk encryption on unattended and headless systems much more easily, because you might have an IoT device or headless server somewhere where you don’t have it connected to a keyboard and a monitor, or you don’t have someone there to enter a password. But you might still be worried that someone’s going to walk into your server rack and pull out the hard drive and wander off. So this actually allows you to benefit from full disk encryption in those scenarios. So that’s interesting, because you talked about using the YubiKey, and Simon emailed to describe that setup as well. And now you’re talking about, like, unattended systems. And we had a couple of emails, one from Alan, who was using some software called Tang to do sort of network-authenticated decryption. And then Manuel was using
an SSH session into the sort of pre-boot session of the device in order to unlock it over SSH, and just using a thumb drive with some sort of secret on it as the unlock mechanism, so it won’t decrypt at boot without the thumb drive being inserted. Yeah,
Mark Johnson 5:20
The SSH session seems a bit hairy to me. But I do like the idea of having a remote key server that can deliver your key at boot time. And then if your laptop gets stolen, you could revoke that key and it won’t be delivered. The downside, of course, being that you then have to be online to be able to access it.
Alan Pope 5:39
I quite like the idea of the boot process being made as convoluted as possible, so that, you know, it will only boot on a Tuesday, and if the webcam is turned on and you’re holding a banana and winking at the same time. Like, who would spot that? You know, whenever you see the Edward Snowden documentaries and he throws a blanket over his head while he’s unlocking his computer so you can’t see what’s going on, I reckon he’s got a banana under there and he’s holding the webcam. That’s all it is. That’s my idea for unlock, anyway.
Martin Wimpress 6:12
So was there anything else you learned from the feedback on TPM and LUKS?
Mark Johnson 6:17
I think one other good thing from the Ubuntu blog post is that it gets around that issue that I described, whereby you can basically interrupt the boot process at a point where the TPM is happy to deliver the passphrase. The way that Ubuntu are implementing this is they’re using a snap which contains both the kernel and a signed initramfs, which makes that part of the process more secure, because the problem with doing it the way I did it is that you have to rebuild your initramfs each time you update your kernel, which means that it can’t then be delivered in a signed form. But because Ubuntu are doing that, and delivering it as a whole image, then it can be signed, and it can be verified at boot time. So that’s another interesting piece of this puzzle in ensuring the boot process is secure.
Alan Pope 7:11
We also had a tremendous amount of feedback after the Backup Bonanza episode that we did a few episodes ago, which Joe rightly predicted would be the one with the most feedback. And Joe, you’re right. Manny emailed in and said it was interesting to hear that Borg was quicker than rsnapshot in my use case. And they said I’ve used Vorta as a way to migrate data from Mac to Linux, which is interesting as a way to, like, back up on one system and then restore on another. And I hadn’t thought about that. But actually I have used that with Borg. I’ve mounted, using the Borg mount command, the backup of a different machine so that I can pull files out, so that I found very useful. But they went on to ask: has anyone had experience with the built-in ones, Kup or bup? Have you heard of those or tried them?
Mark Johnson 8:07
I have not.
Martin Wimpress 8:08
I know that they’re the Kubuntu tools, but I’ve never used them.
Alan Pope 8:12
Are they the tools that are for Borg, or are they like Vorta for Borg? Or are they some other, like, built-in backup tool?
Martin Wimpress 8:19
I don’t know, man.
Alan Pope 8:20
It’s weird how I can be using this for ages and I’ve never even heard of these things before this email.
Martin Wimpress 8:26
So you’re talking there about you using Borg. When we recorded the episode, you were using rsnapshot? So I think the unsaid thing here is something’s changed.
Alan Pope 8:37
Actually, the day after we recorded that episode, I switched from rsnapshot to Borg. So now I’m using Borg on everything. Yes. Your influence over me, Martin, has worked. Patrick also emailed in, and they were interested in the fact that we were talking about backing up family photos. I think it was Mark, you talked about that. And Patrick says they sound pretty complicated, and since they rely heavily on servers that you manage, don’t you run the risk of your family losing all of their most precious data in the event of an untimely death? It’s a bit dark. But yes, they’d love to hear what your spouses will be able to get out of your backups.
Mark Johnson 9:19
So in terms of photo syncing to Nextcloud, my partner also does have an account on our Nextcloud and can access, yeah, the shared volume that it backs up to. But yes, it’s a fair point that it is a server that I built and manage and administer, and I don’t think that she’d be too keen on trying to do that herself. And it’s something that we’ve considered discussing on the show, but for various reasons have decided not to, and something that I do have in mind is that perhaps I need some sort of backup plan for my backup recovery in the event that I’m not around to do it.
Martin Wimpress 9:55
Yeah, that’s a thorny point. And similarly to you, although I’m using Borg to do backups, they’re like the tertiary backup. The main backups actually happen via Dropbox and Syncthing, which my family do know how to operate and get all of the data and what have you. But like you, I do need to figure out how they get easy access and can look after, in the event of my untimely demise, the data that is backed up via other means. But that’s not how they access the data. That’s, like, the insurance backup.
Alan Pope 10:32
I know we don’t want to talk about that, for long, convoluted reasons. But I did talk to someone at work about this. There was a new starter, and we had a one-to-one introducing them to the company, and for some reason we got on to this topic. And they were telling me that they’ve got this thing they call a green box. And it is just a bright green box. It’s easy to spot. And that’s their box full of information, and they can put it somewhere safe and secure, but they’ve written stuff down and put it in there. That’s probably about as good as you can get, with all the details of how to deal with it. Yeah. Jean emailed in and said, how do you deal with photos that are intentionally deleted from the phone? Do you have to delete them in both places?
Mark Johnson 11:09
Yeah, I mean, it depends on whether you managed to delete them before they get synced. But the way that we handle our photos is we sync everything up to Nextcloud, and then sort of monthly we go through and decide which ones we actually want to keep and organise them, and then anything else gets deleted. So yeah, we’d have to delete the copy off our phones. But at that point, we can then see the folder from that month and say, has this been considered? Yes. And then the backups that are syncing to the cloud, at some point I can go through and say, oh, I know everything in the last six months has been sifted through, and I can delete the auto-sync folder for that from the backup as well.
Martin Wimpress 11:50
Got it. I’m under strict orders: photos cannot be lost. So our photos get synced over Dropbox, Syncthing and iCloud.
Alan Pope 11:59
Merrily emailed and said, I considered Borg Backup previously, but it didn’t seem noob-friendly. Well, given I’d never heard of it before Martin told us about it, and I used it the next day, and I’ve converted every single machine, I converted most of them within about 24 hours. And I was a noob to Borg. And honestly, I installed it and then ran a couple of commands, and then I found a shell script, and that was it. And I just run that same shell script on every machine, and I just have cron jobs that are running at different times. I’ve learned a bit as I go, but it’s really not that hard. It’s not uber noob-friendly, for sure. You do need to have some smarts, but it’s not that hard. Laos or Lazarus sent us an email saying they wondered about a comment we made about Syncthing. Apparently we mentioned that deleting a file causes the file to be deleted across your syncing folders. Have you not dabbled with the versioning system in Syncthing,
Martin Wimpress 12:58
they ask? Yeah, so this was me. I’m familiar with the fact that you can have versioning in Syncthing, but I have turned it off, because I’m using Borg as my safety net, and I didn’t want to account for another bit of buffer bloat with another thing keeping backups and versions. And most importantly, while Syncthing can keep those versions, working with those as a point of recovery is really cumbersome and awkward to do. So I’ve just decided to step away and not deal with it, and use something that’s designed to do backups as my solution, which is Borg.
Alan Pope 13:37
We got a funny email from Emil that says: My backup strategy for photos is quite simple: paper. Talking about, you know, printing them out. And paper is also quite easy to use. No need for elaborate setups or to prepare for if or when I’m hit by a bus. This is all very true. Very true. So thanks for all the emails and other contact with us about backups. I hope we get more of that, because it was all very interesting.
Mark Johnson 14:08
Linux Matters is part of the Late Night Linux family. If you enjoy the show, please consider supporting us and the rest of the Late Night Linux team using the PayPal or Patreon links at linuxmatters.sh/support. For $5 a month on Patreon you can enjoy an ad-free feed of our show, or for $10 get access to all the Late Night Linux shows ad-free. You can get in touch with us via email, show at linuxmatters.sh, or chat with other listeners in our Telegram group. All the details are at linuxmatters.sh/contact. The conversation we had about Martin’s music streaming service prompted an email from Jonathan saying, I found a great web service to import your playlists from one service to another. Yeah,
Martin Wimpress 14:53
so they talk about a thing called Soundiiz, and they were saying that it can split up their playlists into chunks of up to 200 tracks at a time. When we recorded that podcast about me switching from Spotify to Apple Music, I hadn’t actually handled the migration of playlists, which I have since done. And the tool I used to do that is an app for iOS called SongShift. And it is magical and marvellous in every conceivable way. My daughter and I had playlists; the largest ones had up to about 165 songs, and it moved everything over automatically. And it was just great. So I highly recommend that.
Mark Johnson 15:37
So is it a case of you log into both your accounts on both services, and it says, oh, that song is that song, and does it?
Martin Wimpress 15:44
Yep, exactly that. It basically figures out which song is which on both sides. And occasionally it says, I couldn’t find this, and if you just do, like, a manual resolve, you can find the correct thing. So it worked really well. And my daughter was very happy to have her playlists; she was very grumpy about being moved after she’d curated her playlists.
Mark Johnson 16:05
I have to say my biggest gripe about using Plex, and previously Emby, for my music streaming locally is that the support for creating playlists for your own songs is absolutely dire.
Alan Pope 16:21
Do you have to create your own M3U files and
Mark Johnson 16:25
I wouldn’t mind that. But it doesn’t even support that. You’ve got to go through and, like, find each song one at a time and say, add this to this playlist. And it’s a real ball-ache.
Martin Wimpress 16:34
I’ve got news for you, Mark: you can import PLS and M3U files into Plex. Oh, maybe that’s a topic for a future episode. And just to sort of round out my migration to Apple Music, I talked about this app called Cider, which is an Apple Music client for the desktop. It’s Windows, Linux and Mac. And we did have some feedback at that time that version one of Cider was now considered out of support; it was sort of important bug fixes only. Well, just a couple of days ago I purchased Cider 2, the new version, from itch.io. It cost me three pounds fifty. It was available as a deb or an AppImage or an RPM or an Arch package build. So I’m using the AppImage, and it is better than the classic version in every possible way. So I’m now a fully paid-up Cider user, and I highly rate it. It’s excellent.
Alan Pope 17:34
We also had a bunch of feedback after the numerous mentions of ZeroTier on the show. Uri said, thank you for covering ZeroTier on your podcast. However, I noticed several big mistakes in your coverage. Uh oh,
Martin Wimpress 17:52
yeah, I think in an effort to sort of make that presentation of ZeroTier as simple, I likened it to Tailscale, and that was probably a mistake, because they are different. And we also got some feedback via Mastodon from Yannick saying that they just simply didn’t understand what ZeroTier was. So I’m not going to cover it all again, but maybe to clarify things, you can say that ZeroTier is like a virtual layer 2 switch. So if you’re a networking nerd, then you’ll know what that means. And it just so happens that it then creates a mesh VPN between each of the clients on a given network. And it’s great, because it’s a layer 2 network, it means that all network discovery protocols work, which means I can, like, access the printer from the other office at home and stuff like that.
Alan Pope 18:44
So if you’re a network nerd and you understand what a layer 2 switch is, that’s fine. What if you’re Yannick and don’t understand?
Martin Wimpress 18:53
It basically just extends your LAN to anywhere you are. So I’m going to talk about this in a future episode some more, because I’ve done some more things with ZeroTier since, and I think that will help sort of clarify why ZeroTier is a superpower you really want.
Mark Johnson 19:12
A simpler way of saying it is it’s like all of your computers are plugged into the same box.
Martin Wimpress 19:17
Yeah, it’s like all of your computers are on the same Wi-Fi network wherever they are in the world. Yeah,
Alan Pope 19:22
oh, you’ve got a very long cable trailing out the back of your car, and it’s plugged in.
Martin Wimpress 19:29
So a couple of things to look forward to in the future: I’ve added a ZeroTier router to my home LAN, and I’m going to explain why that is a new kind of amazing. And I also wrote a blog post about installing ZeroTier on the Steam Deck, which I think you’ve done as well, Alan.
Alan Pope 19:47
I have. I also linked to that guide in the last show, episode 12. You can find it in the show notes for that one.
Mark Johnson 19:53
Well, Martin hasn’t shoehorned a mention of NixOS into this episode yet, so I think we’d better go through some of the feedback we’ve had about that. Linden emailed regarding the “call Martin for support” system updates problem: I think NixOS’s auto-upgrade should be sufficient, shouldn’t it?
Martin Wimpress 20:10
The answer to that question is probably. So they sent me a fragment of a NixOS configuration to turn on auto-upgrades. The only thing is I haven’t had the time to research if the auto-upgrade mechanism supports Nix flakes or not. So watch this space. I will report back on that once I’ve figured it all out. But thanks, Linden, for the steer in the right direction.
Mark Johnson 20:34
Kayo emailed to say they love the idea of NixOS, but they can’t get printing discovery to work like it does in Kubuntu.
Martin Wimpress 20:40
Uh huh. Well, you’re speaking to the right person; I used to work with the leading expert on Linux printing. I’ll have some links in the show notes to fragments of my Nix configuration that explain how to do this. But for anyone listening along, you basically need to enable two services. One is for CUPS, which is the printing service, and the other is for Avahi with mDNS enabled. And with those two services running, printing discovery works, including, as I was saying earlier, over ZeroTier from remote locations.
Mark Johnson 21:14
Well, it’s been great to go over everyone’s feedback. Keep it coming in, everyone, and I think we should probably do this again at some point in the future.
We go over the feedback from the first 12 episodes.
- Lots of people recommended YubiKey
- TPM-backed Full Disk Encryption is coming to Ubuntu
- Tang server for remote key delivery
- Unlocking with a USB key
- We answer some questions about our backup solutions
- Alan and Martin have installed ZeroTier on the Steam Deck.
- You can set up printing with auto-discovery using Martin’s CUPS and Avahi configurations.
- Also see the NixOS Wiki about Printing
You can send feedback via email@example.com or the Contact Form. If you’d like to hang out with other listeners and share your feedback with the community, you can join:
- The Linux Matters Chatters on Telegram.
- The #linux-matters channel on the Late Night Linux Discord server.
If you enjoy the show, please consider supporting us using Patreon or PayPal. For $5 a month on Patreon, you can enjoy an ad-free feed of Linux Matters, or for $10, get access to all the Late Night Linux family of podcasts ad-free.