DemiMarie
commented
3 years ago This is also a legitimate security risk since it drops a root shell. That much is obvious from the screenshot, which is why I didn’t worry about disclosing this.
Open ninavizz opened 3 years ago
DemiMarie
commented
3 years ago This is also a legitimate security risk since it drops a root shell. That much is obvious from the screenshot, which is why I didn’t worry about disclosing this.
andrewdavidwong
commented
3 years ago Andrew, someday I will have this repo memorized. Until then, this is your section.
It's not about memorization; it's about searching!
andrewdavidwong
commented
3 years ago This is also a legitimate security risk since it drops a root shell. That much is obvious from the screenshot, which is why I didn’t worry about disclosing this.
Since this is software we inherit from upstream, shouldn't that be reported as an upstream security bug (if it is one)?
The same could be said for the non-security UX request, but I highly doubt upstream would go for it.
DemiMarie
commented
3 years ago This is also a legitimate security risk since it drops a root shell. That much is obvious from the screenshot, which is why I didn’t worry about disclosing this.
Since this is software we inherit from upstream, shouldn't that be reported as an upstream security bug (if it is one)?
It was fixed after Fedora 25 went EOL, so we would need to backport it.
andrewdavidwong
commented
3 years ago This is also a legitimate security risk since it drops a root shell. That much is obvious from the screenshot, which is why I didn’t worry about disclosing this.
Since this is software we inherit from upstream, shouldn't that be reported as an upstream security bug (if it is one)?
It was fixed after Fedora 25 went EOL, so we would need to backport it.
Ah, I see. If you think that should be done, would you mind opening a separate issue for it? (This one is a UX enhancement, whereas that one would be a security bug.)
ninavizz
commented
3 years ago A thought I had this morning: Could it also just not timeout? Like: assuming my cat did walk over my keyboard and submit a bunch of bad passphrases for LUKS, could it not just infinitely bounce but remain on that screen? Or do a more standard pattern of "You tried and failed 15 times, no catnip for you"
The problem you're addressing (if any) I turned on my machine and then left the house for a run (expecting to do all the authentication things, after—I am impatient and my machine is slow). I returned, to this. An FPF person suggested it was what happens when my disk decryption password is entered erroneously too many times; a forum user hypothesized: "It is very likely you not provided your LUKS password to unlock the disk, then it’s timeout and the boot process failed." One of three cats was also likely involved.
Describe the solution you'd like Something elegant and without all the scary garble of indecipherable code would be lovely—but I appreciate that as a pre-boot screen, options are probably limited. Even just a nice block of friendly text at the end of the garble, would have spared my stomach falling onto the floor.
Where is the value to a user, and who might that user be? Panic is never a pleasant experience. This wall of indecipherable (to me) text triggered just that. I don't spend my days looking at CLI interfaces or walls of code, so this stoked panic. Not curiosity.
Yep: "that user" would be any of the usual non-technical, non-Linux users I tend to advocate for.
Describe alternatives you've considered Panicking and posting a phoneam pic to the forum. The Qubes forum does kinda rule.
Additional context Pretty sure it was Franklin. Astro never jumps onto my desk, and Tigger would have been more destructive.
Relevant documentation you've consulted
Zrubiin the discourse forum offered the hypothesis in the above point, explaining what resulted in this.Related, non-duplicate issues Andrew, someday I will have this repo memorized. Until then, this is your section.