Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Protectli Vault VP2420 Dasharo Release v1.1.0 - review #419

Open pietrushnic opened 1 year ago

pietrushnic commented 1 year ago

Below is a similar review to #408 - I tried to avoid duplication, but duplicated problems were extracted to have a public record of issues we continuously repeat.

Archive: protectli_blobs.zip
End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of protectli_blobs.zip or protectli_blobs.zip.zip, and cannot find protectli_blobs.zip.ZIP, period.


- :white_check_mark: build reproducibility confirmed with protectli-blobs-1.0.18.zip

artur-rs commented 1 year ago

link for downloads leads to 3mdeb.com instead of dl.3mdeb.com - maybe we didn't entirely switch yet, but changing will invalidate this newsletter unless we set redirection.

Redirection is a part of the migration plan, so this point will be covered

artur-rs commented 1 year ago

Recovery page is under construction. Can't we reuse the recovery procedure from another platform?

This is already scheduled after initial review

pietrushnic commented 1 year ago

Redirection is a part of the migration plan, so this point will be covered

How and where we can track it?

This is already scheduled after initial review

Can we link to PR?

macpijan commented 1 year ago

@pietrushnic I pushed some improvements regarding the blobs in building manual: https://github.com/Dasharo/docs/pull/570

Pokisiekk commented 1 year ago

I expanded the recovery page: https://github.com/Dasharo/docs/pull/559

macpijan commented 1 year ago

link for downloads leads to 3mdeb.com instead of dl.3mdeb.com - maybe we didn't entirely switch yet, but changing will invalidate this newsletter unless we set redirection.

We do have redirection in place. That was the prerequisite of moving the files domain in the first place.

Psotas commented 1 year ago

The new release introduces new features such as ... - low quality, better would be The new release introduces features like USB stack and SMM BIOS write protection enable/disable options.

fix in review

artur-rs commented 1 year ago

updated checkboxes (subissues) status in the first comment

Mixss commented 1 year ago

Overview page could have more information e.g., referral link to shop, picture of hardware, where to report issues.

Done: https://github.com/Dasharo/docs/pull/615

BeataZdunczyk commented 1 year ago

asciinema was posted from a private account instead of using 3mdeb one - we should get rid of asciinema and replace it with a generic signature validation procedure (manual) or DTS (automatic). For me, the procedure described in asciinema generates different results in a clean VM (I can't see 3mdeb Dasharo Master Key nor Protectli signing key signatures), --fetch-keys has other behavior than --import. Please check the gpg command output difference. We should use import instead of fetch-keys. It took me quite a lot of time to figure out why my output is different - let's save users time.

@pietrushnic changed by this PR, new procedure is published here: Dasharo release signature verification.

pietrushnic commented 1 year ago

@BeataZdunczyk --import was used, so it resolves the sub-issue mentioned above.
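
A check that does not depend on how the human-readable gpg output happens to look in a given keyring, as an added example (not code from this thread or from the Dasharo docs): it reads gpg's machine-readable `--status-fd` lines and accepts only a good signature whose primary key fingerprint is pinned. The fingerprints, key IDs and status lines are constructed placeholders, and one signature per file is assumed.

```python
# Added example. Input is what `gpg --status-fd 1 --verify FILE.sig FILE`
# prints; all fingerprints, key IDs and status lines below are constructed.
PRIMARY = "A" * 40   # placeholder for the vendor's published fingerprint
SUBKEY = "B" * 40    # placeholder signing subkey

# Checked in this order, so a missing key is reported as such.
REJECT = ("NO_PUBKEY", "BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG")

def evaluate_status(status_text, pinned):
    """Return (ok, reason) for one signature's gpg status output."""
    seen, signer = set(), None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        seen.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) > 2:
            # Argument 10 is the primary key fingerprint; fall back to the
            # signing key fingerprint when gpg does not report it.
            signer = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    for keyword in REJECT:
        if keyword in seen:
            return False, keyword
    if "GOODSIG" not in seen or signer is None:
        return False, "no valid signature"
    if signer not in pinned:
        return False, "unpinned signer"
    return True, signer

GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SUBKEY[-16:]} Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG {SUBKEY} 2023-05-01 1682931600 0 4 0 1 10 00 {PRIMARY}
"""

# Keyring without the signing key, as in a clean VM before any import.
MISSING_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] ERRSIG {SUBKEY[-16:]} 1 10 00 1682931600 9 {SUBKEY}
[GNUPG:] NO_PUBKEY {SUBKEY[-16:]}
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("missing key", MISSING_KEY)):
        print(name, evaluate_status(text, {PRIMARY}))
```
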

miczyg1 commented 6 months ago

The whole procedure could be more precise. First, it says Ubuntu 22.04 would be used, then it points to DTS, then asks to compile flashrom. We should support only DTS-based deployment.

Protectli uses their own flashli for deployments. We have not supported any Protectli platform in DTS. Either we implement support for it, or simply add instructions how to flash the ROM from DTS shell...

miczyg1 commented 6 months ago

This submenu allows configuring UEFI Secure Boot functionality. By default, Dasharo firmware released after October 2022 has Secure Boot disabled default with no keys and certificates provisioned

There is no such text in SB menu documentation anymore. Should we consider it resolved are UX improvements from Qubes OS Summit 2023?

miczyg1 commented 6 months ago

Regarding the Protectli blobs ZIP, now we have the following description in building manual:

Obtain the Protectli blobs package (only v1.1.0 or older):

Replace <PROTECTLI_BLOBS_REPO> with a proper path to the repository in a form of: git@repo-path.git. You should checkout to the same tag as in case of the coreboot repository.

cd 3rdparty/blobs/mainboard/
git init
git remote add origin <PROTECTLI_BLOBS_REPO>
git fetch origin && git checkout protectli_vault_ehl_v1.1.0
cd -

miczyg1 commented 6 months ago

@pietrushnic please take a look at above 2 comments and let me know which of them we can consider resolved.

Regarding the flashing, we need some improvements overall for Protectli, as we don't support DTS. Suggestions welcome.

miczyg1 commented 6 months ago

low quality, better would be The new release introduces features like USB stack and SMM BIOS write protection enable/disable options.

I guess reviewers need to do a better job and overall do much more...

no social media announcement scheduled

Release process says:

[EX035] Social Media
Founder is responsible for this part of a process.   <-------------------------

Clients, community and end-users deserve high-quality information about what the new release is bringing and how it will improve their experience.

This process is performed according to Social Media Campaign Tracker [documentation](URL obfuscated)

@pietrushnic you may want to change this...

pietrushnic commented 6 months ago

I guess reviewers need to do a better job and overall do much more...

Probably. Either reviewers would improve, or the initial writer would improve. Descriptive PRs and commits are the essence of good release. I guess if we have descriptive PR or commits, then ChatGPT should do relatively well in wrapping up.

Founder is responsible for this part of a process.

This means I will publish, but adding to the schedule is PM work @BeataZdunczyk cc