🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
6mo
Upgrading my Framework 16 took about three hours, but was otherwise painless. Windows did need me to re-set-up my fingerprint and PIN after changing the entire motherboard, and I had to re-enter my BitLocker recovery key. But that process was accessible.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge How's entering the BitLocker recovery key accessible? I thought that happens in the preboot environment.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer It happens in a cut-down version of Windows, where Narrator is available. I don't know how it works, but I assume Microsoft has an unencrypted boot partition with some sort of recovery Windows that it boots to. You enter the key in there, then reboot. If I were running Linux, you would probably be correct and it would be inaccessible.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Oh yeah, I forgot Windows doesn't actually have full disk encryption per se, but it's approximate enough. I heard there's an equivalent mode to FDE, but that's actually inaccessible. It's possible to do that under Linux too: encrypted home with ecryptfs, signed or encrypted /usr with the TPM, and if the TPM decryption fails, the /usr is replaced with a base one since that part of the system is immutable anyway, which would still allow you to boot to a graphical application with Wayland and Orca, where you can perform recovery.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer I'm sure it's possible. But it almost certainly involves a lot of undocumented hackery, and the sound drivers probably don't work, because sound drivers on Linux never work without endless babying. Accessible disk encryption on Linux is, I suspect, not the default, and not easy to set up.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Correct! Regular encryption that we have under Linux is full disk encryption, which is more effective than anything else for sure, but then it assumes everything in your disk can be mutated at any time, and therefore it's of value. That's why the way of doing it I described can't be done unless we're talking about immutable systems. GNOME OS has this way of doing things as a future plan, so watch this space, I suppose.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Also, re sound drivers: not exactly. That'd be true if we're talking about the initramfs or even GRUB, but in this case we're talking about your full /usr, which definitely has the sound drivers. If it didn't, you wouldn't have sound in that computer at all.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer You're assuming that when I actually need my replacement base /usr, whatever mechanism is supposed to keep it up to date with kernel and driver changes is working. I'm not even sure what that would look like. Hooking into apt somehow?
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge It's a base /usr that's on a different partition, and that's what gets updated as part of the immutable system's updates. Everything in there is signed though, even if it's not encrypted. Another alternative would be a /usr that's still in another partition, but not regularly booted to: a recovery environment which updates only when you reinstall the whole OS.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer Right, but these days, OS updates are rolling. What happens when the kernel updates? The kernel isn't in /usr... but I think the DKMS modules are? So then you get kernel/driver mismatch and ugly things happen.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Nope, this is a unified kernel image (UKI), in your boot partition. And also, that all updates in lockstep, because that's how immutable systems work. To get an idea of what that's like, I recommend trying GNOME OS.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer Also, unified kernel images cause a bunch of other annoying problems. Remember the days of speakup?
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Idk, speakup and espeakup still work over here, in a VM with a UKI, but that's because I built that module in with it.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer Exactly. Compiling your own kernel isn’t something everyone should have to do every update.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Wait a second, you mean package hooks don't trigger automatic kernel updates? This happens with Arch transparently without me having to do anything.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer They do in theory. But theory and practice often do not align.
the esoteric programmer @esoteric_programmer@social.stealthy.club
5mo
@fastfinge Ha, weird, I never had issues with that part of the stack, but then again that might just be me having luck.
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
5mo
@esoteric_programmer The issues happen when an update fails for whatever reason.