IRC Logs for #crux Sunday, 2016-03-20

*** flat1101 has joined #crux [00:14]
*** flat1101 has left #crux () [00:15]
*** toriso has quit IRC [00:16]
*** john_cephalopoda has quit IRC [00:35]
*** dougiel has quit IRC [02:11]
*** onodera has quit IRC [03:05]
*** SiFuh has joined #crux [03:31]
brian|lfs: maybe Wildefyr has bad ram or something [03:43]
*** mavrick61 has quit IRC [03:44]
*** mavrick61 has joined #crux [03:45]
brian|lfs: hello mavrick61 [04:32]
*** jefeyay has quit IRC [05:08]
*** tilman has quit IRC [05:25]
*** tilman has joined #crux [05:25]
*** _tutima has quit IRC [05:42]
*** nightmared has quit IRC [06:52]
*** nightmared has joined #crux [06:55]
*** ivs has joined #crux [08:08]
*** john_cephalopoda has joined #crux [08:29]
*** toriso has joined #crux [09:54]
*** rain1 has joined #crux [10:31]
rain1: hello [10:31]
rain1: http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html [10:32]
rain1: crux mirrors provide md5 but it may be better to move to sha256 or something [10:32]
*** frinnst has quit IRC [10:40]
*** xeirrr has joined #crux [10:49]
Romster: https://crux.nu/bugs/index.php?do=details&task_id=223&string=sha256&project=0&type[0]=&sev[0]=&pri[0]=&due[0]=&reported[0]=&cat[0]=&status[0]=&percent[0]=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto= [10:53]
Romster: FS#223 - Add sha256 support to pkgutils [10:53]
Romster: been closed ages ago [10:53]
Romster: Comment by Juergen Daubert (jue) - Sunday, 04 May 2008, 10:24 GMT [10:54]
Romster: I've taken the time to read [1] carefully. As you might have noticed as well it's _not_ possible to target a given hash value, so you can not create an infected file with the same md5sum as the original file. [10:54]
Romster: <quote>Existing files with a known hash that have not been prepared in this way are not vulnerable.</quote> [10:54]
Romster: We are not using the md5sum in an application where a collision-resistant hash function is required, but in a one-way function, so in our usage the md5sum is still secure. [2] [10:54]
Romster: Anyway, I got the feeling that the whole md5/sha256 discussion is getting more emotional than constructive, but I'd like to go back to the latter. [10:54]
Romster: Basically I have nothing against using sha256 or something else instead of md5, but I don't see any need for hurry here, and I'd like to see a solution that fits best for CRUX and works at least for the next years. [10:54]
Romster: WRT the implementation we should consider a hard break without backwards compatibility as well, which, of course, creates more rumor, but can be done easy and fast at least for the official repos. Seems more CRUX like to me. [10:54]
Romster: Finally I correct my above vote to 0. [10:54]
Romster: [2] ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf [10:54]
Romster: on another note, i started using .sha256 sums ages ago on my personal repo but i gave up on that. [10:55]
rain1: "I don't see any need for hurry here" [10:55]
rain1: I think it should be hurried because it is a danger to security but whatever [10:56]
Romster: if you ask me our lack of security on sums and even gpg keys is seriously lacking. [10:56]
Romster: we trust the source= to be reliable from each project. [10:57]
*** frinnst has joined #crux [10:57]
Romster: more to the point i am sick to death of devs bumping out new silent tarball changes and not a new version of it. [10:58]
Romster: but that is out of our hands. [10:59]
Romster: and github's lack of proper names to avoid clobbering other github files downloaded to the same directory. [10:59]
rain1: On 20 February 2016, the Linux Mint website was breached by unknown hackers, who briefly replaced download links for a version of Linux Mint with a modified version that contained malware. The hackers also breached the database of the website's user forum.[16][17] [11:00]
Romster: i can rant all i like about it, it won't get fixed. :/ [11:00]
Romster: we have so minimal services on crux.nu i doubt there be any vectors for breaching. [11:01]
rain1: these linux mint guys used md5 too [11:01]
rain1: Romster, seems to be some kind of wiki, probably php [11:01]
Romster: php bugs reside in the person who typed the php code itself not the oho engine. [11:02]
*** frinnst has quit IRC [11:02]
Romster: not the php [11:02]
rain1: lol [11:02]
Romster: great typo... [11:02]
rain1: do you not thing there is a correlation [11:02]
rain1: think* [11:02]
Romster: i'm not a core or site dev you will have to take it up with those. all i do is /maintain/ and package ports in opt compat-32 xorg and contrib. i don't have authority over any of the site. and i've been through this all before years ago and i got nowhere. irc logs of it that span days weeks of it. [11:04]
Romster: i gave up [11:04]
Romster: so take it up with the core team that also maintains the site. maybe they will listen to you. [11:05]
Romster: sha1 is also broken sha256 is the next logical step to move to. [11:06]
Romster: considering we are a very small distro who would even bother with us, when there are bigger fish to fry? [11:06]
Romster: to top it off i already keep files of different hashes and i verify from the projects main site. http://romster.me/distfiles/hash/ [11:07]
Romster: i do that personally. [11:08]
Romster: so i can extract and do a diff on them and see what's going on. [11:08]
Romster: by all means write to the mailing list about it open a bug report on it. i would like this fixed. [11:09]
rain1: well it was nice to talk to you :) [11:09]
*** ileach has joined #crux [11:09]
Romster: i just got nowhere with it. :/ [11:09]
rain1: I'll do that! [11:09]
Romster: thank you and welcome. [11:09]
Romster: other than that we are a friendly group here. [11:10]
*** Romster has quit IRC [11:17]
*** Romster has joined #crux [11:19]
*** groovy2shoes has quit IRC [11:19]
*** frinnst has joined #crux [11:35]
*** frinnst has quit IRC [11:35]
*** frinnst has joined #crux [11:35]
*** xeirrr has quit IRC [11:42]
*** nightmared has quit IRC [12:30]
*** jefeyay has joined #crux [12:36]
*** nightmared has joined #crux [12:37]
*** rain1 has quit IRC [13:16]
*** jefeyay has quit IRC [13:21]
*** onodera has joined #crux [13:26]
*** dougiel has joined #crux [13:29]
ileach: z [14:23]
*** arcetera has quit IRC [14:52]
*** arc__ has joined #crux [14:53]
*** arcetera has joined #crux [14:53]
*** arcetera has quit IRC [14:55]
*** arc__ has joined #crux [14:55]
*** arcetera has joined #crux [14:56]
*** dougiel has quit IRC [15:19]
*** jefeyay has joined #crux [15:22]
*** groovy2shoes has joined #crux [16:56]
arcetera: how do you mount an android phone on crux? [17:13]
brian|lfs: hello all [17:52]
brian|lfs: I see I missed a flame war earlier [17:52]
kori: a FLAME WAR [17:54]
kori: who would do that [17:54]
brian|lfs: not sure looked like Romster and someone were going back and forth [17:55]
onodera: Hmm to me it seemed like Romster and the guy agreed with each other [17:57]
brian|lfs: ya I know I'm just joking [17:57]
*** onodera has quit IRC [17:59]
*** onodera has joined #crux [18:00]
joacim: by IRC. A normal discussion is a flamewar, disagreeing with someone makes you a troll [18:02]
arcetera: lol [18:05]
*** onodera has quit IRC [18:15]
*** onodera has joined #crux [18:17]
*** brian|lfs has quit IRC [18:23]
*** groovy2shoes has quit IRC [18:25]
onodera: prologic: hi, can you please update linux-firmware [18:37]
rmull: I don't see what the harm in sha256 is. "Incompatible ports" is the only counterargument and it's not an actual problem. Meh. [18:39]
onodera: It would be rather easy to create a script that updates all md5sums as well [18:44]
onodera: or you could just make pkgmk accept both md5sums and sha256, give maintainers a few months to update their ports [18:45]
*** dougiel has joined #crux [18:51]
rmull: It'd be no more challenging than the recent switch from /usr/man to /usr/share/man. [18:52]
*** blueness has quit IRC [18:56]
onodera: though there are still some packages that install in /man, mainly from contrib [18:58]
onodera: imo, (at the very least) contrib should be an open repo where everyone can send pull requests [18:58]
rmull: That's the point, things continue to work even though both are supported during the migratory period [18:58]
tilman: could keep md5, ie use more than one hash [18:59]
onodera: yeah I mentioned that earlier [19:01]
onodera: I think accepts both sha256 and md5 as well [19:01]
onodera: *think arch [19:01]
rmull: Try sha256, fall back to md5 [19:01]
rmull: with a notification maybe. [19:02]
rmull: I dunno. So many ways to make it happen. [19:02]
*** blueness has joined #crux [19:11]
onodera: https://sr.ht/w-7R.txt [19:44]
onodera: https://sr.ht/TgHz.patch [19:45]
onodera: added sha256sum support, whilst still allowing md5sums [19:45]
onodera: seems to work perfectly [19:46]
onodera: @ rmull tilman Romster [19:49]
rmull: Is this derived from the predatorfreak's patch in the flyspray? [19:52]
rmull: I was in the middle of porting it [19:53]
onodera: nah [19:54]
onodera: what it pretty much does is check if an md5sum file exists, if so it will use md5sum for everything by setting PKGMK_HASH to PKGMK_MD5SUM, and $PKGMK_HASH_TYPE to md5sum [19:56]
frinnst: sha256 for tarballs sounds like snakeoil. Unless we can sign sources it will never be secure [19:57]
frinnst: and we can't because we don't have the resources nor the manpower [19:57]
onodera: if there is a sha256sum file or no hash file at all it will use sha256 by default [19:57]
onodera: PKGMK_HASH_TYPE is used as a command in make_hash(), and for file names everywhere else [19:58]
frinnst: the md5-checksums are just there to make sure we don't download a corrupted tarball or a nice sourceforge html-page [19:58]
frinnst: I'm all for increasing security. I think energy would be better spent solving that problem [19:59]
rmull: frinnst: Hypothetically - when Pkgfile/sum/footprint are committed to git, the committer could sign the commit (-S) [19:59]
rmull: and then if ports are distributed via git (which currently works fine), isn't the problem solved? [19:59]
frinnst: yeah but who knows what code is actually checksummed? [20:00]
rmull: The packager has that responsibility [20:00]
frinnst: maintainers need to verify sources by upstreams signed keys and we don't have a useful way to do that [20:00]
rmull: But even without that, we would still have some assurance that the packager was looking at the same thing the end user is looking at [20:01]
frinnst: but sure, signing commits is probably a very good idea [20:01]
rmull: If the package's upstream provides even more verifiability, that's great. If not, we still have the link between the crux packager and the crux user. [20:01]
rmull: "Don't let perfect be the enemy of good" I think is the applicable expression here [20:03]
joacim: http://i.imgur.com/jWJGEE4.jpg [20:10]
frinnst: good point :) [20:10]
joacim: having random old motherboards standing around looks like science [20:10]
frinnst: but just don't confuse md5sums with some sort of security measure [20:11]
frinnst: because it was never intended for that [20:11]
frinnst: it's just to verify you didn't download garbage [20:11]
rmull: Yeah, that's a fair point [20:11]
joacim: but most of the software you can download these days _is_ garbage :] [20:12]
rmull: hah. [20:12]
*** john_cephalopoda has quit IRC [20:12]
joacim: i have a feeling i'm no more productive today than i was 15 years ago [20:12]
frinnst: I have a feeling i'm no more mature today than i was 15 years ago [20:38]
frinnst: probably less so [20:43]
*** nightmared has left #crux ("WeeChat 1.4") [20:50]
joacim: you age backwards [21:08]
joacim: soon you'll be driving a vw golf with a giant subwoofer in the back again [21:09]
frinnst: soon you'll be driving a vw golf [21:18]
frinnst: "soon" ? [21:18]
frinnst: I ALREADY AM [21:18]
frinnst: oh god [21:18]
rmull: How big of a subwoofer do you have? [21:19]
frinnst: no sub yet [21:20]
onodera: running into a (EE) no screens found X11 error ;_: [21:36]
kori: onodera: check dmesg [21:37]
onodera: the nvidia module loads just fine, since I'm installing crux on my laptop I'm pretty sure it's some optimus problem [21:38]
onodera: does anyone here have experience with optimus? [21:43]
*** toriso has quit IRC [22:02]
*** sudobaal has quit IRC [22:03]
rmull: onodera: Did you rebuild it after upgrading X/kernel and all that stuff? [22:22]
*** onodera has quit IRC [22:23]
*** john_cephalopoda has joined #crux [22:32]
*** cruxbot has quit IRC [23:04]
*** mavrick61 has quit IRC [23:06]
*** ivs has quit IRC [23:25]
*** deus_ex has quit IRC [23:25]
*** deus_ex has joined #crux [23:35]
*** john_cephalopoda has quit IRC [23:46]
*** dougiel has quit IRC [23:52]
