IRC Logs for #crux-devel Wednesday, 2011-12-07

*** mike_k_ has joined #crux-devel [01:18]
*** mike_k_ has quit IRC [02:26]
*** mike_k_ has joined #crux-devel [02:41]
*** acrux has quit IRC [04:53]
*** acrux has joined #crux-devel [04:54]
*** acrux has quit IRC [05:29]
*** acrux has joined #crux-devel [05:30]
*** frinnst has quit IRC [07:29]
*** frinnst has joined #crux-devel [07:35]
*** frinnst has quit IRC [07:56]
*** frinnst has joined #crux-devel [07:56]
*** deus_ex has quit IRC [08:08]
*** deus_ex has joined #crux-devel [08:15]
*** j^2 has quit IRC [08:33]
*** j^2 has joined #crux-devel [08:33]
*** ente has joined #crux-devel [11:26]
*** mike_k_ has quit IRC [12:33]
<rmull> Hi, has the Arch package signing debacle had any effect on the crux process? [14:46]
<teK_> uh [14:47]
<teK_> URL? [14:47]
<ente> oh god oh god oh god [14:47]
<rmull> Lol [14:47]
<rmull> http://www.toofishes.net/blog/real-story-behind-arch-linux-package-signing/ [14:47]
<rmull> It's a LONG read. [14:47]
<ente> ah [14:47]
<rmull> lots of drama [14:47]
<ente> that's what arch is about [14:47]
<ente> funny enough, I was called an attention whore for using drama in one of my mails [14:48]
<teK_> :p [14:48]
<ente> and I'm glad you didn't link to their mailing lists :-) [14:48]
<rmull> I mean, let me put it in a nutshell - I run a repo, it could be broken into and someone could modify my Pkgfile URLs and .md5sum files, and my users would download tainted source files [14:48]
<rmull> But if I signed my Pkgfiles with a GPG key, and that key was in the web of trust for other crux repo admins, then we'd have some verification that my Pkgfiles (and other files) haven't been modified by someone other than me [14:49]
<rmull> At least, that's my higher-level understanding [14:49]
<ente> same thing can happen with upstream tarballs; someone could hack a mirror and people would use pkgmk -im, figuring upstream has changed their tarballs again, without making a new release [14:49]
<rmull> That's true [14:50]
<rmull> But that's not a justification for not doing it ourselves, correct? [14:50]
<teK_> you could fake the package with an identical MD5 sum =) [14:50]
<rmull> teK_: How feasible is that, realistically? [14:50]
<teK_> it's more of theoretical nature, but never say never? ;) [14:51]
<jaeger> hrmm... when is pkgmk.conf actually processed in the pkgmk chain? [14:51]
<jaeger> ooh, found it, never mind [14:51]
<rmull> teK_: Well, that's interesting. According to wikipedia, United States Computer Emergency Readiness Team has declared that MD5 should be considered cryptographically broken and unsuitable for further use (in favor of SHA2) [14:53]
<rmull> source: wikipedia [14:53]
<teK_> yeah for some time now [14:54]
<rmull> Am I being a disrespectful upstart for mentioning any of this stuff? [14:54]
<rmull> I mean, crux works fine and I like it. [14:54]
<teK_> no? [14:54]
<rmull> I'm sure it's all been gone over before [14:55]
<teK_> there was a discussion wrt md5 and the core maintainers rejected (romsters?) proposition + patches to use sha [14:56]
<rmull> teK_: Got it - I haven't crawled the list history but I'll do that before proceeding [14:56]
<rmull> http://crux.nu/bugs/index.php?do=details&task_id=223&project=1&order=id&sort=desc&pagenum=3 [14:58]
<rmull> Seems like jue would require a demonstrated proof of concept for a hash collision [15:00]
<rmull> ...which actually seems pretty easy, given the instructions at the bottom of the page http://www.mscs.dal.ca/~selinger/md5collision/ [15:05]
<rmull> cruxcon in boston? who is in?? [15:11]
<jaeger> we did that back in 2k5 :) [15:12]
<rmull> How was it? [15:12]
<teK_> most (3) Maintainers are from germany :} [15:13]
<teK_> * official [15:13]
<rmull> Ahh. [15:13]
<jaeger> It was fun, had a good time [15:14]
<jaeger> we even spoke to some students at the university about it [15:14]
<rmull> which one? [15:15]
<jaeger> I don't remember, to be honest. jdolan probably does [15:16]
<rmull> I went to school in boston [15:17]
<rmull> and live there now [15:17]
<jaeger> ah [15:17]
<Romster> rmull, predatorfreak and myself have been saying that for ages nothing happened it was deemed insignificant. [15:48]
<Romster> why do you think i use sha256sums on my romster repo. [15:48]
<Romster> sha1 isn't far from being broken too. [15:49]
<rmull> Romster: hmm.. [15:51]
<rmull> that's a little unsatisfactory [15:51]
<Romster> http://crux.nu/bugs/index.php?do=details&task_id=223&project=1&pagenum=2 [15:54]
<Romster> anyways off to work later. [15:55]
<jaeger> Might be worth bringing up again [15:57]
<jaeger> that was quite a while ago [15:57]
<rmull> I personally care more about the pkgfile signing than the md5sum but both seem like a worthy cause [15:59]
<jaeger> Romster: is HV multilib? [16:05]
*** j^2 has quit IRC [16:57]
*** j^2 has joined #crux-devel [17:14]
*** j^2 has quit IRC [18:03]
*** ente has quit IRC [23:33]
*** teK_ has quit IRC [23:34]
*** ente has joined #crux-devel [23:39]
*** teK_ has joined #crux-devel [23:41]
