IRC Logs for #crux-devel Saturday, 2016-03-26

00:21 <teK_> certificate generation on is now scripted, too
00:25 <Romster> prtverify is old on it, it complains about /usr/share/man. any chance that can be bumped, teK_? you'll need elfutils and prt-utils from crux 3.2. i am guessing it is still on 3.1?
00:27 <teK_> it's not on 3.2 yet, no..
00:27 <teK_> I can do a quick bump for the man dirs..
00:28 <Romster> that would be nice
00:28 <Romster> it's probably got a few other minor changes there too. i sure hope openssl and openssh aren't vulnerable on that box
00:29 <teK_> accidentally, I checked openssl some minutes ago :)
00:32 <teK_> wow
00:32 <teK_> cannot download the source file for prt-utils and gets a 403
00:33 <teK_> me downloading it works fine, wth :)
00:37 <Romster> i'm also sorry i had mistaken the md5sums we use for security and not just for integrity use.
00:38 <Romster> having said that, it should be possible to have 2 different archives with the same md5sum
00:39 <Romster> that is the bit i don't get.
00:39 <teK_> no need to be sorry, I have a colleague also doing security.. I explained our use case and he still claims it's a problem to use md5sums for our ports
00:40 <teK_> which is BS as far as integrity from port dir to source file is concerned. :-)
00:40 <Romster> i'm not a crypto expert but isn't it possible to have two identical md5sums
00:40 <teK_> i.e. assuming your local ports tree is fine lets you conclude if a downloaded file was ok or not.
00:41 <teK_> Romster: if the attacker can "choose" the hashsum
00:41 <Romster> i went a step further on pkgmk when i was patching it in hvlinux. i even made it use 'file' to test if it was a downloaded html file rather than just let the sum fail.
00:42 <Romster> and discarded that and tried again on another mirror.
00:42 <teK_> let's get back to that lightweight topic again ;-)
00:42 <teK_> my patch, atm, is 126 lines for pkgmk
00:42 <Romster> ie 404 html pages saying the file could not be found. but it stupidly downloads the html file thinking it's the archive
00:43 <Romster> probably wrong mime types on the server or it's cgi scripting.
00:43 <Romster> that md5sum --check thing i saw recently too.
00:44 <Romster> that tool, does it use a keyring or some directory like /etc/keys/ ?
00:44 <teK_> btw you may check the differences and nuances of the attacks at
00:44 <teK_> Romster: I have yet to decide
00:45 <teK_> maybe depends on frinnst, too
00:46 <teK_> well that removes the status listing, right?
00:46 <teK_> i.e. detailed info about which file failed
00:46 <teK_> I took care to reimplement that with my signature based validation, too
00:46 <Romster> so you are thinking of maintainers each having a key to sign? that would then make everyone trust that the maintainer has in place some means to guarantee the project's downloaded file is correct and not just rely on pkgmk -um
00:47 <teK_> you also assume that the developer's machine was not hacked etc.
00:48 <Romster> my idea was to grab the signed asc files off each project's site. the downloads can come from any of its mirrors. if the pgp sign fails, that mirror is bad.
00:48 <Romster> might give a false sense of security relying on the maintainer.
00:49 <teK_> I patched the awk script for usr/share/man in prt-utils, btw.
00:49 <Romster> there is also the chance the developer's machine is compromised, but then they can't sign anything unless they got the private key.
00:49 <Romster> if they got that far, it's extremely serious on the dev's side.
00:50 <teK_> that's my point. It's still far better than what we have now
00:50 <teK_> I think we will stick to per repo keys
00:50 <Romster> i'd welcome any means to detect any of that.
00:51 <teK_> it makes life easier for signature selection and substitute commits once a maintainer is on vacation etc.
00:51 <Romster> would be easier but who has time to test all the sources. unless we can come up with a tool for that, that each packager can use.
00:51 <teK_> test? in what sense
00:52 <Romster> well currently we just download and update the md5sum. a few of us /may/ actually look at the site's sha256 or md5 or sign or any other means of verifying the file has not been tampered with.
00:53 <Romster> trusting the packager would be a good start, but also the main ports trees have ssh keys to git now.
00:53 <Romster> it's mostly the other personal collections that lack any sort of trust.
00:53 <teK_> source package verification is very hard, agreed
00:54 <Romster> i was thinking of adding the gpg key to Pkgfiles that use that on the project's site.
00:55 <Romster> on my own hack up of pkgmk
00:55 <Romster> as a test
00:55 <Romster> but not all projects provide those. so a way to grab the sum off the dev's site would also make it easier to test, but that adds to the complexity.
00:56 <Romster> not sure if crux would like that.
00:56 <Romster> so i was thinking of doing that as a side project and seeing if it's possible.
00:57 <teK_> how does automated grabbing help verifying the integrity of the source tarball?
00:58 <Romster> source tarballs can come from anywhere. some are from mirrors and not the official project's site. i envision using /only/ the sum/sign off the project's site; the file can be off any mirror.
00:59 <Romster> a mirror can be compromised, or a silent file update not propagated to all mirrors.
01:00 <Romster> currently if we just update the md5sum from source= and it's not the official mirror or dev's site, what level of trust is there?
01:00 <Romster> granted i am probably being way over paranoid here.
01:01 <teK_> this won't get you anywhere unless all upstream projects agree on providing checksums/signatures
01:01 <Romster> but like break-ins on etc have happened. but those have many more users and more ways to break in, or to get a user that has malicious intent
01:01 <teK_> it's a good idea but they don't care, afaics
01:01 <Romster> most do.
01:02 <Romster> my idea is to at least move the attack to the project's master site at /least/
01:03 <teK_> oh and btw I am strictly against using gpg
01:03 <teK_> it's a monster
01:03 <Romster> what you're doing will at least let us trust package management. but then it's still their responsibility to make sure the sums are correct from the dev's project site.
01:03 <teK_> sure, it always is
01:03 <teK_> just think of the rm -rf / usr/share/ bug of bumblebee
01:03 <Romster> pgp does look really heavy and i wondered if there were/are alternatives.
01:04 <teK_> signify. :-)
01:04 <Romster> who did that?
01:04 <teK_> upstream, by accident
01:04 <teK_> happens :)
01:04 <Romster> oh i vaguely remember that
01:05 <Romster> this is why i think crux should be using fakeroot by default in pkgmk
01:05 <Romster> but that still leaves pre/post install scripts as a possible issue.
01:05 <Romster> not that we had any
01:06 <Romster> i guess if they are signed we can at least blame whoever made the mistake.
01:07 <teK_> just use git blame ;)
01:07 <teK_> and it occurs to me that we got rid of blaming altogether :)
01:08 <Romster> probably the more pressing matter is the stale and unmaintained ports we have currently.
01:10 <Romster> i know with any sort of change in crux the pros and cons need to be weighed
01:11 <Romster> can't just willy-nilly change stuff. which is why i sometimes try my own patches myself and see if they are even worth showing to everyone else.
01:11 <teK_> sure :)
01:12 <Romster> can't get anywhere without first testing an idea.
01:13 <Romster> i wonder if i am allowed to touch more Pkgfiles to add files for /etc/revdep.d/$name to some ports?
01:13 <Romster> namely samba, thunderbird and firefox.
01:18 <teK_> just suggest/send patches to jue and frinnst?
01:18 <Romster> hmm i'll do that.
01:22 <Romster> and i have like 10 ports for alan i bumped in a docker container for samba that i need to make diffs for and add to the bug tracker.
01:23 <teK_> is he around anymore?
01:23 <Romster> i honestly have no idea.
01:23 <Romster> he seems to get active once in a blue moon
01:24 <Romster> then he comes out and does a bunch of stuff, then disappears again
01:24 <Romster> we'll find out after i add the patches for each port i bumped.
01:24 <Romster> to flyspray
01:25 <Romster> i honestly take on too much of others' work myself.
01:28 <teK_> but you decreased it already, right?
01:29 <Romster> i have been less active here, yes
01:29 <teK_> for the sake of your private life I hope
01:30 <teK_> hopefully your gf also got more romster instead :-)
01:31 <Romster> well work has been really stressful, one IT guy has just had an operation and been on leave for a month now. and we got a new IT guy on board, then the boss took a week off as well. and it's just been hell... then the easter rush.
01:32 <Romster> i've been putting my gf first, yes, and my relaxing time from work madness
01:32 <teK_> great to hear
01:32 <teK_> at least the last part :]
01:32 <Romster> to the point i've been neglecting crux a bit.
01:33 <teK_> whatever is healthier for you
01:33 <teK_> I'd be sad without using/maintaining :]
01:35 <Romster> me too but stress has been getting to me and being mentally drained.
01:35 <teK_> as I said, do as you need to do
01:35 <Romster> is no fun at all.
01:35 <Romster> i do. this is why i have been less active but i haven't abandoned :)
01:35 <teK_> I had a break from crux around this time last year too because of a bigger project I led
01:37 <Romster> it's probably not so bad for you as jue or jaeger can take over, but if i don't do anything stuff just rots. be it mine or others' that i eventually either fix myself or poke them to fix.
01:37 <Romster> work comes first, this is just a hobby.
01:40 <jaeger> I think it's a hobby for all of us
01:40 <Romster> some do use crux at work though?
01:41 <teK_> I do
01:42 <teK_> actually I am sitting at my work laptop running crux within a VM
01:44 <Romster> i do use linux at work for data recovery but it's not crux, i'd like it to be but i just haven't got time to set it up, so i use a live cd
01:51 <Romster> taking the dogs for a walk and enjoying the sun, bbl
01:59 <teK_> have fun
02:04 <teK_> off to bed, too
02:14 <jaeger> using crux at work isn't the same as crux being a job
03:27 <Romster> only 2 things i use windows for... work and games. and then most of the latter i do in wine.
03:53 *** _________mavric6 has quit IRC
03:54 *** _________mavric6 has joined #crux-devel
08:22 *** sudobaal has joined #crux-devel
11:49 *** teK_ has quit IRC
12:00 *** teK_ has joined #crux-devel
12:39 *** teK_ has quit IRC
12:43 *** teK_ has joined #crux-devel
17:17 *** groovy2shoes has quit IRC

Generated by 2.14.0 by Marius Gedminas - find it at!