IRC Logs for #crux-devel Monday, 2016-03-21

*** Nomius has quit IRC00:28
*** Nomius has joined #crux-devel00:35
*** groovy2shoes has joined #crux-devel00:42
Romsterwhats to stop an attacker decompressing then altering the tar file or each file recompressing and checking if the sums are the same, and repeat the process until the sums match? slow but plausible. anyways i give up on that discussion.01:35
*** Workster has quit IRC02:59
*** teK_ has quit IRC03:18
*** teK_ has joined #crux-devel03:18
*** Workster has joined #crux-devel03:20
*** _________mavric6 has joined #crux-devel03:26
*** heroux has quit IRC04:12
*** heroux has joined #crux-devel04:13
*** heroux has quit IRC04:22
*** heroux has joined #crux-devel04:31
*** heroux has quit IRC04:59
*** heroux has joined #crux-devel05:57
*** heroux has quit IRC06:05
*** sudobaal has joined #crux-devel06:25
*** heroux has joined #crux-devel07:03
*** heroux_ has joined #crux-devel07:21
*** heroux has quit IRC07:23
*** heroux has joined #crux-devel07:29
*** Workster has quit IRC07:30
*** Workster has joined #crux-devel07:31
*** Nomius_ has joined #crux-devel10:18
*** Nomius has quit IRC10:18
jueRomster: you know, that's nonsense; but I agree, let's stop the discussion here ;)11:20
*** groovy2shoes has quit IRC12:07
frinnstagain: md5sum is not intended as a security feature12:37
*** Nomius_ has quit IRC12:49
*** Nomius has joined #crux-devel12:53
*** Nomius has quit IRC13:01
*** Nomius has joined #crux-devel13:16
*** Nomius has quit IRC15:24
*** Nomius has joined #crux-devel15:28
*** Nomius has quit IRC15:58
*** Nomius has joined #crux-devel16:01
*** Nomius has quit IRC16:33
rmullIn the check_hash() function of pkgmk it uses a call to diff, five calls to sed, and some temp files in order to compare the checksums. md5sum (and others) have a --check option that could replace all this. Any interest?16:36
*** Nomius has joined #crux-devel16:37
*** deus_ex has quit IRC16:38
juefrinnst: right, Per added the feature later, because we often had complains about "corrupted" downloads from sourceforge or the like17:15
jueand of course, the only way to get some kind of a "secure" ports system, the only way is to sign the port by the maintainer17:16
frinnstbut as rmull suggested yesterday? some more secure checksum and signing our commits in git might improve things a lot17:17
frinnstand calm some feelings a bit :)17:18
frinnstits not as good as actually signing the tarballs but it goes a long way I think. and it wont require any infrastructure changes afaik17:19
jueme neither17:19
juebut again and finally, md5 is secure for our use-case17:21
frinnstrmull: did you have patches available?17:22
jaegerWhat would be the downside to adding sha256 support?17:22
frinnstit would probably cause some mayhem with ports that are not well maintained17:23
jaegerIf we did add it I'd suggest preferring it but with a fallback to md517:23
frinnstand people would bitch about <randomport54> from <randomrepol33t>17:23
frinnston the upside it would let us know about those shitty repos and delist them from the portdb :-)17:24
frinnstor purge them from opt/contrib17:25
jaegerI don't have a strong position either way but if it's low-effort and would make people happy, might be worth reconsidering17:25
frinnstyeah. I dont mind it either17:26
frinnstsigning git commits is a good thing anyways17:26
jueyep, agree, I don't have the nerves for these discussions over and over and would suggest to do something like the patch from onodera17:26
jaegerI feel like the discussion has been more of an argument than it needs to be, myself17:27
frinnstyes and it feels like there has been a loooot of misunderstandings and confusion over the actual issues17:27
jueyeah, indeed17:27
frinnstbut what about us getting used to signing our commits in core? If we can start doing that we could perhaps look at introducing sha256 with 3.3 or something?17:28
jaegerno objections here17:29
frinnstwithout that, changing the hash seems pointless17:29
jueok, for me17:30
rmullfyi onodera's patch will make incompatible ports because it allows them to be created with .sha256sum only, no .md5sum. predatorfreak's patch (from the flyspray) will be a little safer in that regard because it will never create a port without also creating both checksum files. I have an updated version of that patch for latest pkgutils but it's not "improved" in any other ways17:33
rmullfrinnst: I don't have a patch for the sed/diff replacement, but I could - I was more wondering if it was the way it was because of portability reasons or something else. Openbsd md5sum also has --check fwiw17:34
juefrinnst: would you mid to organize/master the sign process, maybe with some docs?17:35
frinnstsure. I need to learn how it works anyways :). hopefully I'll have some time this week17:37
rmullfrinnst: You mentioned that signing the commits is not as good as signing the tarballs, but with sha256sums, signing the sum should be as good as signing the tarball17:38
frinnstyes, assuming sha256 hasnt been broken :)17:39
*** deus_ex has joined #crux-devel17:52
*** sudobaal has quit IRC18:13
*** Nomius has quit IRC18:30
*** Nomius has joined #crux-devel18:34
*** Nomius has quit IRC18:48
*** Nomius has joined #crux-devel18:48
*** Nomius has quit IRC19:40
*** Nomius has joined #crux-devel19:44
teK_Romster: I was wrong. cmake takes 16m, autotools 14m19:45
teK_jue frinnst I can help with the process if you like..19:46
*** sudobaal has joined #crux-devel20:38
*** Nomius has quit IRC20:44
*** Nomius has joined #crux-devel20:47
teK_imho we should check if signify fits our purposes20:53
teK_gpg is probably way too much and huge and bloated20:53
teK_uuuh sweet, it also das ed25519 :]20:53
teK_ In the interest of promoting inter-BSD cooperation, I figured I'd also show you the FreeBSD security officer key in case you'd like to take a picture of that as well.20:54
teK_<1000000 chars of small font text blob>20:54
teK_frinnst: we could do a skype/whatever call tomorrow night to collect ideas/requirements if you like20:55
frinnstskype? really? :)20:55
frinnstdoes it even still work these days? I only hear complaints about skype on linux20:56
teK_whatever floats your boat :>20:56
frinnsti'll opt for "whatever" :)20:56
teK_be careful, I even have MS communicator on this machine20:56
frinnstcommit 8ed2a1f44c7a91f43f61a445f9baf9999e9d706420:56
frinnstgpg: Signature made Mon Mar 21 21:50:53 2016 CET using RSA key ID 20F2351120:56
teK_what about your gpg key?20:57
frinnsti could borrow a windows laptop from work if you wanna watch my gorgeous face20:57
teK_audio is just fine20:57
teK_yeah, exactly20:58
teK_as my dad sometimes puts it: as gracile as a gazelle; or what's the name of that animal with the proboscis on its face21:00
teK_what repo has this commit?21:01
frinnstyou need to use --show-signature to show it21:01
frinnstgit log --show-signature21:01
teK_this is okayish for maintainers21:04
frinnstyeah just a first test. i'm clueless with regard to this stuff :)21:05
teK_it's a bit harder once you do rsync of ports21:05
teK_oh ok21:05
teK_I _believe_ I am not :=21:05
teK_we will see :D21:05
frinnstoooh the most dangerous combination there is! :)21:05
teK_that's why I volunteered21:05
teK_i.e. the dangerous combination21:06
frinnstwhat were your thoughts regarding signify? for commit ssh auth etc?21:06
teK_I do not worry that much about the commits maintainers are making, for starters21:06
teK_if you were able to push things to the server, you already ware authenticated, right?21:07
teK_I installed signify once, just out of curiosity21:08
teK_it was a quick tar && make && ./signify, iirc. try that with gnupg21:08
frinnstas in ?21:09
teK_OpenBSD had already been publishing checksums, but although a SHA256 checksum is ctyptographically secure, the checksums themselves were not being communicated to users in a secure manner, and were only useful for detecting accidental damage21:09
frinnstthat makes a lot more sense :)21:09
teK_they were in the exact same place, we are in :-)21:09
teK_the thing is.. we need to figure out if it's worth the 'hassle'(?) if each and every maintainer signifies his ports (do we have girls? dont think so)21:10
frinnstyeah, interesting21:11
teK_as I wrote earlier.. we _could_ make the server sign things and distribute the signature with rsync/httpup21:11
teK_this would be the easiest for maintainers. Extern pkgmk to run signify if .signature or whatever is found; make it even fail if signatures are set to mandatory21:12
frinnsti hope to have some time over and look at it tomorrow21:12
teK_et voila.. backwards compatibility and feature extension21:12
teK_we can also look together, I dont mind21:12
frinnstboss just took a 3 week vacation during our biggest migration yet21:12
teK_I think I got THAT hint21:12
frinnst_I_ have to set up a sharepoint extranet tomorrow21:13
frinnstI have about 10 minutes worth of experience *looking* at a sharepoint site21:13
teK_what masochistic sick f*** delegated that task? your boss?21:13
frinnstthats about it21:13
frinnstbut hey, what can you do?21:13
frinnstno, nobody did. It needs doing and nobody else is gonna do it21:13
teK_I have had the pleasure of using one for a project that ran for ~11 months21:14
teK_oh ok. Still sucks21:14
teK_at least if it's setup-able as it is (un)usable21:14
frinnstwe didnt know we would need it before our customer sprung this happy surprise on us21:14
teK_I really grew to tenderly hate that thing21:14
teK_hehe.. customers..21:14
frinnst.. indeed :)21:14
frinnstanyways looks simple enough. Found a youtube tutorial from some sharepoint wiz-kids21:15
frinnst(as in super-certified microsoft sharepoint partner)21:15
teK_gotta love those MS certificates21:16
frinnst"Microsoft MVP"21:17
teK_as an apprentice, I attended some school.. it was the MSDNAA, MS blabla alliance21:17
teK_they had that title instead of our university with a gazzillion more employees because they had more certificates on them than the university21:18
teK_boy did I hate that crap21:18
frinnstcertificates are (usually) pretty pointless and stupid21:18
teK_I only had get a Java cert. Then dropped out and finished the exam without school D:21:18
teK_I think there are exceptions, but genreally: probably21:18
teK_ Microsoft Imagine Academy Trainings zur MCP Ausbildung21:19
teK_why did I look? :\21:19
teK_on top, the courses are labeled MOC nnnnn21:19
teK_(whatever that means)21:20
frinnstat least I get a free tshirt!21:20
teK_well done21:20
teK_the head teacher of IT had like 20 certificates and dropped dead at under 5021:20
teK_look, what MS does to you!21:20
teK_he also loved Solaris and mocked Linux :P21:21
*** Nomius has quit IRC21:21
frinnstanyways, sleepytime21:21
teK_sleep tight21:22
*** Nomius has joined #crux-devel21:25
*** sudobaal has quit IRC21:35
*** Nomius_ has joined #crux-devel23:12
*** Nomius has quit IRC23:12
frinnstsweet, gtk 3.20 breaks themes again (no sleep for me)23:53

Generated by 2.14.0 by Marius Gedminas - find it at!