On 3 July 2017 at 01:22, Eli Schwartz via arch-general
wrote:
> On 07/02/2017 07:01 PM, Ismael Bouya wrote:
>> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
>>> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD,
>>> anyone can MITM for the good of their life.
>>>
On Sun, 2 Jul 2017 22:39:37 +0200, NicoHood wrote:
>I've checked the links and while those suggestions are a bit harsh,
>they are still valid:
>
>* btrfs-progs can use stronger hashes.
Hi,
the subject doesn't mention that "btrfs-progs can use stronger
hashes", the subject actually is "Sébastien L
(Sun, Jul 02, 2017 at 07:22:23PM -0400) Eli Schwartz via arch-general :
> Okay, this I am genuinely curious about.
>
> In what circumstances can I have:
> - the systemd repository cloned over the git:// protocol
> - an annotated tag for systemd v233 signed by Lennart Poettering.
> - an annotated t
On 07/02/2017 07:01 PM, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
>> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD,
>> anyone can MITM for the good of their life.
>> Unless they can fake the signature (Hint; they can't), or trick Lenna
(Mon, Jul 03, 2017 at 01:06:04AM +0200) Morten Linderud :
> At this point we can't trust the trusted users to build and verify the
> correct packages, let alone maintain a safe infrastructure to build
> packages. This is a slippery slope, and I really fucking hope this
> isn't a serious issue any
On Mon, Jul 03, 2017 at 01:01:35AM +0200, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD,
> > anyone can MITM for the good of their life.
> > Unless they can fake the signature (Hint; they
(Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD,
> anyone can MITM for the good of their life.
> Unless they can fake the signature (Hint; they can't), or trick Lennart into
> signing something he shouldn't (Hint; h
On Mon, Jul 03, 2017 at 12:25:22AM +0200, NicoHood wrote:
> On 07/03/2017 12:21 AM, Morten Linderud wrote:
> > On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote:
> >> On 07/03/2017 12:07 AM, Morten Linderud wrote:
> >>> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
> Yes the
On 07/03/2017 12:21 AM, Morten Linderud wrote:
> On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote:
>> On 07/03/2017 12:07 AM, Morten Linderud wrote:
>>> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
Yes the GPG signature of the tag commit is checked. However you can
at
On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote:
> On 07/03/2017 12:07 AM, Morten Linderud wrote:
> > On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
> >> Yes the GPG signature of the tag commit is checked. However you can
> >> attack the git metadata and set a tag to a different
On 07/03/2017 12:07 AM, Morten Linderud wrote:
> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
>> Yes the GPG signature of the tag commit is checked. However you can
>> attack the git metadata and set a tag to a different commit. If this
>> commit is signed, but at an older stage which
On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
> Yes the GPG signature of the tag commit is checked. However you can
> attack the git metadata and set a tag to a different commit. If this
> commit is signed, but at an older stage which is vulnerable, we have an
> issue. Just one example
I stand corrected which leaves only part of my last sentence. Thanks
for the detailed heads-up, everyone, especially Eli.
On Sun, Jul 2, 2017 at 11:05 PM, Martin Kühne wrote:
> we'll have to decide how we can deal with content like this in a way
> that tells the source to go f themselves [content
On 07/02/2017 11:38 PM, Eli Schwartz wrote:
> Let's make this clear: None of these claims are true! At all! Not even
> one of them!
You just say it's not true, but that is wrong. I've written a statement for
every link he pointed out in which way it is valid or not.
> You have grabbed the troll ba
... so, apparently, people are determined to actually fall for this
clown. I was initially going to send this off-list, but I'd just like to
shut down these claims fast before people start falling for it. We
already had two people fall for it, people whose opinions I am not
generally inclined to di
On 07/02/2017 11:05 PM, Martin Kühne via arch-general wrote:
> On Sun, Jul 2, 2017 at 10:39 PM, NicoHood wrote:
>> So why are we so resistant against those suggestions? Those are good and
>> valid, no matter who this guy is and how he interacts with people. From
>> the technical point of view he i
On Sun, Jul 2, 2017 at 10:39 PM, NicoHood wrote:
> So why are we so resistant against those suggestions? Those are good and
> valid, no matter who this guy is and how he interacts with people. From
> the technical point of view he is right. And we all should care for our
> users, because we are re
On 07/02/2017 10:18 PM, Eli Schwartz via arch-general wrote:
> On 07/02/2017 04:12 PM, User via arch-general wrote:
>> Sébastien Luttringer,
>> https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs&id=959539e1f7df15986f336bb03225ea796a44ca3e
>> ,
>> https://www.kern
On Sun, 2 Jul 2017 16:18:23 -0400, Eli Schwartz via arch-general wrote:
>So basically, you are confirming you are fnodeuser?
IMO it's better not to reply to her/him and instead to inform
arch-general-ow...@archlinux.org , just in case it wasn't already
noticed.
https://lists.archlinux.org/piperma
On 07/02/2017 04:21 PM, G. Schlisio wrote:
> Oh, please don't feed the troll… it's exactly what he's aiming for.
I thought it was important that everyone know exactly who they are
dealing with (because he has a lot of history here and has now
progressed to hiding his name/handle). Otherwise I wouldn
On 02.07.2017 at 22:18, Eli Schwartz via arch-general wrote:
> On 07/02/2017 04:12 PM, User via arch-general wrote:
>> Sébastien Luttringer,
>> https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs&id=959539e1f7df15986f336bb03225ea796a44ca3e
>> ,
>> https://www.ker
On 07/02/2017 04:12 PM, User via arch-general wrote:
> Sébastien Luttringer,
> https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs&id=959539e1f7df15986f336bb03225ea796a44ca3e
> ,
> https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/sha256sums.asc,
>
Sébastien Luttringer,
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs&id=959539e1f7df15986f336bb03225ea796a44ca3e
,
https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/sha256sums.asc,
https://lists.archlinux.org/pipermail/arch-general/2016-Decemb
23 matches