The real kicker is that I'm fairly sure we aren't really using them at any real scale - if we do it's to demo our product within the context of AI development. So if anything, they get a lot of free press when we do that. If they're gonna throw a fit over it, I'm sure we can work with some other "AI" company (that's what they bill themselves as) that wants the free marketing. Heck, I can't imagine the anaconda ecosystem working out if they keep threatening the developers that enrich that ecosystem.
Yes, I am aware.
I'm more asking if others are getting a wide spread of threatening messages across the org - even if they don't regularly use conda/anaconda.
It's like everyone glossed over the "I don't use it in my job at all, and neither do my teammates" bit.
Send the emails to your company’s legal team. It’s not your fight.
Already did, and agreed. I also asked the legal team if they could ask Anaconda.com to stop contacting me and threatening me personally. We shall see what happens.
I'm not here to discuss the nuances of a startup versus medium sized company. Suffice it to say that much of the organization still views itself as a startup. Even though yes, you are right, it's a medium sized organization.
Sure. I can agree that my company would be liable. But the company isn't mine. I just work here. And my team doesn't use any conda stuff at all.
Essentially, I am being personally threatened of a lawsuit even though I have no ability to make a licensing or purchase decision.
That just doesn't sit right with me.
TPMs can be extracted with physical access
Sure, but IIRC, they'd still need my PIN (for TPM+PIN through cryptenroll). I don't think it's possible to do TPM backed encryption without a PIN on Linux.
EDIT: Oh wait, you can... Why anyone would is beyond me though.
This sounds like a Lenovo machine. Or something with a similar MOK enrollment process.
I forget the exact process, but I recall needing to reset the secureboot keys in "install mode" or something, then it would allow me to perform the MOK enrollment. If secureboot is greyed out in the BIOS it is never Linux's fault. That's a manufacturer issue.
Apparently, some models of Lenovo don't even enable MOK enrollment and lock it down entirely. Meaning that you'd need to sign with Microsoft's keys, not your own. The only way to do this is to be a high-up Microsoft employee OR use a pre-provided SHIM from the distribution.
For that case, Ubuntu and Fedora are better because, per the Ubuntu documentation they do this by default.
On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.
Once you have secureboot working on Ubuntu or Fedora, you could likely follow these steps to enable TPM+PIN - https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
There might be some differences as far as kernel module loading and ensuring you're using the right tooling for your distro, but most importantly, the bones of the process are the same.
OH! And if you aren't getting the secureboot option in the installer UI, that could be due to booting the install media in "legacy" or "MBR" mode. Gotta ensure it's in UEFI mode.
EDIT: One more important bit, you'll need to be using the latest nvidia drivers with the nvidia-open modules. Otherwise you'll need to additionally sign your driver blobs and taint your kernel. Nvidia-Open is finally "default" as of the latest driver, but this might differ on a per-distro basis.
Yeah, no kidding. The same systemd that enables the very things OP is trying to enable...
systemdboot + sbctl + systemd-cryptenroll and voila. TPM backed disk encryption with a PIN or FIDO2 token.
AFAIK this should be doable in Ubuntu, it just requires some command-line-fu.
Last I heard the Fedora installer was aiming to better support this type of thing - not so sure about Ubuntu.
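The comments above list the preconditions for TPM+PIN unlocking (UEFI boot rather than legacy/MBR, Secure Boot actually enabled, a TPM the kernel exposes) and the systemd-cryptenroll step itself. The script below is an added example, not code from any poster or from the Arch wiki page linked above: it runs those preflight checks and prints the enrollment command rather than executing it. The partition path /dev/nvme0n1p2 is a placeholder, and binding to PCR 7 (the Secure Boot policy measurement) is one reasonable choice, not the only one.

```shell
#!/bin/sh
# Preflight checks before adding a TPM2+PIN or FIDO2 unlock slot with
# systemd-cryptenroll. Added example; nothing here modifies the system.

# The EFI variable interface only exists when the kernel was booted via UEFI.
is_uefi_boot() { [ -d /sys/firmware/efi ]; }

# Decode a SecureBoot efivar file: 4 bytes of variable attributes followed by
# one data byte (0 = disabled, 1 = enabled). Takes a path so it can be
# exercised on a constructed copy of the variable.
secureboot_state_from_file() {
    [ -r "$1" ] || { echo unknown; return 1; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# The live variable; the GUID is the EFI global variable namespace.
secureboot_state() {
    secureboot_state_from_file \
        /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
}

# systemd's TPM2 support uses the kernel resource manager device when present.
has_tpm2() { [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ]; }

# Build (but do not run) the enrollment command for a LUKS2 device.
# PCR 7 ties the sealed key to the Secure Boot state, so the TPM refuses to
# unseal if Secure Boot is disabled or the trusted keys change; the PIN is
# required on top of that, which is the TPM+PIN setup discussed above.
enroll_cmd() {
    dev=$1
    method=${2:-tpm2}
    case "$method" in
        tpm2)  echo "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes $dev" ;;
        fido2) echo "systemd-cryptenroll --fido2-device=auto $dev" ;;
        *)     return 1 ;;
    esac
}

# Run every check and print the command to execute once they all pass.
preflight() {
    is_uefi_boot \
        || { echo "not booted in UEFI mode (legacy/MBR); reinstall media in UEFI mode" >&2; return 1; }
    [ "$(secureboot_state)" = enabled ] \
        || { echo "Secure Boot is not enabled; a PCR 7 policy would bind to an unlocked state" >&2; return 1; }
    has_tpm2 \
        || { echo "kernel exposes no TPM device" >&2; return 1; }
    echo "preflight ok; run as root: $(enroll_cmd "$1" "${2:-tpm2}")"
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight "${1:-/dev/nvme0n1p2}" "${2:-tpm2}"   # placeholder device path
fi
```

Invoke it as `RUN_PREFLIGHT=1 sh preflight.sh /dev/<luks-partition> tpm2` (or `fido2` for a token). If the Secure Boot check fails while the firmware menu claims it is on, that usually means the install media booted in legacy mode, which is the situation the comment above describes.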
Hahah, good luck. Proton Drive is really terrible. I can't even upload a single 1GB file through the service.
Well, I mean, most corps trying to shoehorn AI into things are using Cloud implementations of the various "AI" solutions.
What, pay for our own datacenter? Nah.
Just import openai
and add "the AI" that way. 🤦♂️
It's not even a steaming pile of crap or anything. Since it's basically a managed distributed database solution there's limits to what we can do and maintain strong consistency. Things generally take a long time and are very sequentially dependent. So we have automation of course! Buuuut there's very little comfort or trust in what is now very well exercised automation - which is the number 1 barrier in removing many sources of toil. Too many human "check this thing visually before proceeding" steps blocking an otherwise well automated process.
We are so damn close, but some key stakeholders keep wanting just one more thing in our platform support (we need ARM support, we need customer-managed PKI support, etc.) and we just don't get the latitude we need to actually make things reliable. It's like we're Cloud Platform / DevOps / QA / and SRE rolled into one and they can't seem to make up their damn mind on which rubric they decide to grade us on.
Hell they keep asking us to cut back our testing environment costs but demand new platform features tested at scale. We could solve it with a set of automated and standardized QA environments, but it's almost impossible to get that type of work prioritized.
My direct manager is actually pretty great, but found herself completely powerless after a recent reorg that changed the director she reports to. So all the organizational progress we made was completely reset and we're back to square one of having to explain what we want - except now we're having "kubernetes!" shouted at us while we try to chart a path.
I'm already brushing up my resume, but I must say, the new Gen-AI dominated hiring landscape is weird and bad. Until then, I just have to do the best I can with this business politics hell.
Nah, it's spam, OP has posted the same question at P.D multiple times across various communities. Dude either somehow doesn't know forum etiquette or is a bot.