On Sun, Jan 12, 2014 at 3:31 PM, Maykel Franco wrote:
[...]
>
> Thanks for your help.
Dear Mr. Franco,
Yeah, that was more than you should expect from arch-general. The real
mailing list where you want to ask for help is still aur-general which
has not magically changed by now. Also, if you're
On 01/12/2014 01:13 PM, Taylor Hornby wrote:
> Thank you, that makes so much more sense!
>
> So, really, the vulnerability only exists while the Arch dev (or
> package maintainer or whatever they're called) is building the
> package. Once they do, and sign it, all Arch users will verify their
> si
On Sun, 2014-01-12 at 16:37 -0500, Mark Lee wrote:
> On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
> > On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> > > On 01/12/2014 10:11 AM, Mark Lee wrote:
> > > > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > > > pos
On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
> On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> > On 01/12/2014 10:11 AM, Mark Lee wrote:
> > > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > > possible md5 collisions can be weaponized. From what I see, the
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> On 01/12/2014 10:11 AM, Mark Lee wrote:
> > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > possible md5 collisions can be weaponized. From what I see, the idea
> > would be to modify a binary such that it contains
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> On 01/12/2014 12:40 PM, Taylor Hornby wrote:
>>> I guess I just don't understand what happens when I type
>>> "pacman -S firefox." Does that run the PKGBUILD on my system,
>>> or does it download and instal
Hi,
I believe the topic starter has concerns about the weakness of the MD5 hash
algorithm. He suggests deprecating md5sums=() and using a cryptographic
hash algorithm like SHA256. Personally I avoid MD5 in my packages
because of its bad reputation. But I am not a crypto expert though.
> I have been ass
On 01/12/2014 12:40 PM, Taylor Hornby wrote:
> I guess I just don't understand what happens when I type "pacman -S
> firefox." Does that run the PKGBUILD on my system, or does it download
> and install pre-compiled (and signed) Firefox binaries that were
> created by one of the Arch developers usin
On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
>> No, you don't rely on hashes for security, hashes are for
>> integrity checks. Signatures are for the verification of a file or
>> message
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
> No, you don't rely on hashes for security, hashes are for
> integrity checks. Signatures are for the verification of a file or
> message, since anyone can replace the hash on the server and upload
> a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 12.1.2014 19:29, Taylor Hornby wrote:
> On 01/12/2014 10:11 AM, Mark Lee wrote:
>> Perhaps I'm not strong enough in mathematics but I'd like to know
>> how possible md5 collisions can be weaponized. From what I see,
>> the idea would be to modify a
On 01/12/2014 10:11 AM, Mark Lee wrote:
> Perhaps I'm not strong enough in mathematics but I'd like to know how
> possible md5 collisions can be weaponized. From what I see, the idea
> would be to modify a binary such that it contains malicious code
> (without changing the md5sum). Since most secur
On 01/12/14 at 09:58am, Taylor Hornby wrote:
> On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> > On 12 January 2014 14:09, Taylor Hornby wrote:
> >> Are there other packages still being verified with MD5? Can we fix them
> >> too? I'll gladly donate my time if it's not something that can be
>
On Sat, 2014-01-11 at 23:09 -0700, Taylor Hornby wrote:
> I noticed that the TrueCrypt package is downloaded over an insecure FTP
> connection and then only verified using MD5 hashes.
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
>
> There are p
On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> > SHA256 hashes won't fix anything, since hashes are only integrity
> > checks telling you the downloaded file isn't corrupt.
>
> Rig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 09:30 AM, Taylor Hornby wrote:
> The .sig file on the FTP server is the same one you can download
> from the TrueCrypt website. If it's used to verify the packages,
> the client needs a secure way to get the TrueCrypt Foundation's
> publi
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> On 12 January 2014 14:09, Taylor Hornby wrote:
>> Are there other packages still being verified with MD5? Can we fix them
>> too? I'll gladly donate my time if it's not something that can be automated.
>
> Of the 4890 base packages shown by ABS,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> SHA256 hashes won't fix anything, since hashes are only integrity
> checks telling you the downloaded file isn't corrupt.
Right. I assumed it was the PKGBUILD that was signed and verified,
then it wa
2014/1/12 Kacper Żuk :
> 2014/1/12 Maykel Franco :
>> 2014/1/12 Kacper Żuk :
>>> 2014/1/12 Maykel Franco :
2014/1/12 Kacper Żuk :
> 2014/1/12 Maykel Franco :
>> 2014/1/11 BlissSam :>
>> Thanks for your response. I try to install blink with python 2:
>>
>> [root@arch-maykel bl
2014/1/12 Maykel Franco :
> 2014/1/12 Kacper Żuk :
>> 2014/1/12 Maykel Franco :
>>> 2014/1/12 Kacper Żuk :
2014/1/12 Maykel Franco :
> 2014/1/11 BlissSam :>
> Thanks for your response. I try to install blink with python 2:
>
> [root@arch-maykel blink-0.6.0]# python2 setup.py inst
2014/1/12 Kacper Żuk :
> 2014/1/12 Maykel Franco :
>> 2014/1/12 Kacper Żuk :
>>> 2014/1/12 Maykel Franco :
2014/1/11 BlissSam :>
Thanks for your response. I try to install blink with python 2:
[root@arch-maykel blink-0.6.0]# python2 setup.py install
running install
runni
2014/1/12 Maykel Franco :
> 2014/1/12 Kacper Żuk :
>> 2014/1/12 Maykel Franco :
>>> 2014/1/11 BlissSam :>
>>> Thanks for your response. I try to install blink with python 2:
>>>
>>> [root@arch-maykel blink-0.6.0]# python2 setup.py install
>>> running install
>>> running build
>>> running build_py
>>>
2014/1/12 Kacper Żuk :
> 2014/1/12 Maykel Franco :
>> 2014/1/11 BlissSam :>
>> Thanks for your response. I try to install blink with python 2:
>>
>> [root@arch-maykel blink-0.6.0]# python2 setup.py install
>> running install
>> running build
>> running build_py
>> running build_scripts
>> running ins
2014/1/12 Maykel Franco :
> 2014/1/11 BlissSam :>
> Thanks for your response. I try to install blink with python 2:
>
> [root@arch-maykel blink-0.6.0]# python2 setup.py install
> running install
> running build
> running build_py
> running build_scripts
> running install_lib
> running install_scripts
2014/1/11 BlissSam :
> On 2014-1-11, 6:39, Maykel Franco wrote:
>
>> I get the source code blink-qt and I have installed blink with python
>> setup.py install
>>
>> When I run the blink:
>>
>> [root@arch-maykel maykel]# blink
>> Traceback (most recent call last):
>> File "/usr/bin/blink", line 24, in
On 01/10/2014 10:39 PM, David C. Rankin wrote:
> So there should be no prohibition to mounting the config share.
For those running samba, there is a bug in 4.1.x regarding the use of 'force
user' 'force group'. (not just in my case) See for details:
https://bugzilla.samba.org/show_bug.cgi?id=9
On 12.01.2014 10:21, Jelle van der Waa wrote:
> On 01/11/14 at 11:09pm, Taylor Hornby wrote:
>> ...
> SHA256 hashes won't fix anything, since hashes are only integrity checks
> telling you the downloaded file isn't corrupt.
>
> Signatures however are made to verify that the content isn't modif
On 12 January 2014 14:09, Taylor Hornby wrote:
> Are there other packages still being verified with MD5? Can we fix them
> too? I'll gladly donate my time if it's not something that can be automated.
Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
61%, or more than half.
--
G
On 01/11/14 at 11:09pm, Taylor Hornby wrote:
> I noticed that the TrueCrypt package is downloaded over an insecure FTP
> connection and then only verified using MD5 hashes.
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
>
> There are practical co