On 2017-08-23 7:04 pm, Aaron Toponce wrote:
I noticed most software available on http://dl.suckless.org does not provide
checksums and digital signatures for the compressed tarballs, and other files.
I sought to remedy this, by creating a Github repository of only checksums and
digital signatu
i'm not complaining, anselm. certain people need to stay busy in order
to prevent other forms of harm. i'm happy you're putting more time
lately to take care of all these kids here, thanks :)
On 28 August 2017 at 19:25, hiro <23h...@gmail.com> wrote:
> wow, so much development going on in suckless these days.
> i congratulate everybody involved in the lack of any shitty code
> written. thanks. (and i am serious).
Go ahead. I'm serious as well.
-Anselm
wow, so much development going on in suckless these days.
i congratulate everybody involved in the lack of any shitty code
written. thanks. (and i am serious).
Thanks Anselm, this sounds awesome!
Anselm R Garbe:
- (optional) repo owners/maintainers should sign their future git tags
for release creation by using their own private PGP key.
I suggest distributing OpenPGP-keys via the keyserver pool [0] *without*
self-hosting a copy. The point of keyser
On 27 August 2017 at 00:19, Mattias Andrée wrote:
> The users must be able to find the appropriate keys some way the first
> time, so suckless must at least have links to them. If suckless is
> compromised these can be replaced. PGP keys only ensure that future
> keys are not fraudulent as all ne
On 26 August 2017 at 21:08, Laslo Hunhold wrote:
> On Fri, 25 Aug 2017 13:54:41 +0200
> Anselm R Garbe wrote:
>> Either that, or perhaps we can reinstate the old fashion of
>> suckless.org/~user/ homedir.
>
> I gave it a bit more thought and realized that putting the keys all in
> one place defea
On Sat, 26 Aug 2017 21:05:25 +0200
Laslo Hunhold wrote:
> On Fri, 25 Aug 2017 17:13:38 +0200
> Mattias Andrée wrote:
>
> Dear Mattias,
>
> > Each user could have a directory called pgp-keys and dl.suckless.org
> > could list those directories. This would allow us to store old keys
> > in a str
On Fri, 25 Aug 2017 13:54:41 +0200
Anselm R Garbe wrote:
Dear Anselm,
> Either that, or perhaps we can reinstate the old fashion of
> suckless.org/~user/ homedir.
I gave it a bit more thought and realized that putting the keys all in
one place defeats the purpose of PGP. If the server is compro
On Fri, 25 Aug 2017 17:13:38 +0200
Mattias Andrée wrote:
Dear Mattias,
> Each user could have a directory called pgp-keys and dl.suckless.org
> could list those directories. This would allow us to store old keys
> in a structured manner.
>
> An alternative is that the owner of a repo commits hi
On Fri, Aug 25, 2017 at 08:12:12AM +0200, Anselm R Garbe wrote:
> - (optional) repo owners/maintainers should sign their future git tags
> for release creation by using their own private PGP key.
Optionally, for those who don't want to use OpenPGP, the author of libsodium
created Minisign back in
On Fri, 25 Aug 2017 16:48:13 +0200
Anselm R Garbe wrote:
> Hi Mattias,
>
> On 25 August 2017 at 16:32, Mattias Andrée wrote:
> > On Fri, 25 Aug 2017 13:54:41 +0200
> > Anselm R Garbe wrote:
> >
> >> On 25 August 2017 at 12:56, Laslo Hunhold wrote:
> >> > On Fri, 25 Aug 2017 08:12:12 +0200
On Fri, 25 Aug 2017 13:54:41 +0200
Anselm R Garbe wrote:
> On 25 August 2017 at 12:56, Laslo Hunhold wrote:
> > On Fri, 25 Aug 2017 08:12:12 +0200
> > Anselm R Garbe wrote:
> >> - (optional) repo owners/maintainers should sign their future git tags
> >> for release creation by using their own
On 25 August 2017 at 12:56, Laslo Hunhold wrote:
> On Fri, 25 Aug 2017 08:12:12 +0200
> Anselm R Garbe wrote:
>> - (optional) repo owners/maintainers should sign their future git tags
>> for release creation by using their own private PGP key.
>
> the public PGP-keys could be put on the
> http://
On Fri, 25 Aug 2017 08:12:12 +0200
Anselm R Garbe wrote:
Dear Anselm,
> - (optional) repo owners/maintainers should sign their future git tags
> for release creation by using their own private PGP key.
the public PGP-keys could be put on the
http://suckless.org/people/*-pages.
--
Laslo Hunhol
Quoth Joshua Haase:
> It's not so much work if git is configured to always sign and/or the
> package build system sign by default.
Configuring git to sign every commit is a pain if you have a
passphrase on your gpg key, or it's tied to a smartcard; entering
that every time you commit makes the
Hi there,
let me summarise what we will carry out during the upcoming hackathon
besides a load of other stuff:
- (mandatory) introduction of HTTPS besides http support
- (mandatory) sorting the maintainership/ownership of suckless repos
(incl. the right to commit/accept/deny patch contributions)
my grandmother also got all her pots stolen when she gave it to a
person promising to bless them against bad ghosts. pgp is just a more
modern version of that tale they told.
some are apparently using the pgp tale to associate their names to
random software projects. probably didn't manage to get
I’m curious as to what the general criticisms of PGP are that sparked much of
this discussion - I’m somewhat ignorant on the subject but the general
consensus elsewhere seems to be that more PGP usage = better overall security.
Would really like to learn a bit more about what issues it has.
nsm
I also support using openPGP signatures, at least optionally. I think that
HTTPS would allay most of my concerns, but I'd like the option for further
validation, and it's not hard to automate.
-Chris
On Aug 24, 2017, at 3:41 PM, hiro <23h...@gmail.com> wrote:
>> does not hurt anyone and does n
> does not hurt anyone and does not force
> anyone to use it.
wtf is this bullshit rhetoric even called?
i guess i'll keep on calling it mental retardation...
On Thu, Aug 24, 2017 at 12:02:35PM -0500, Joshua Haase wrote:
> Laslo Hunhold writes:
>
> > On Thu, 24 Aug 2017 11:02:46 +0200
> > ilf wrote:
> >
> > As nice as PGP sounds, I think it has seen its best days already for
> > general usage. I know no package manager that implements this model
> > (
Laslo Hunhold writes:
> On Thu, 24 Aug 2017 13:45:35 +0200
> Hiltjo Posthuma wrote:
>
>> I think it's a good idea if we start to (optionally) sign (git)
>> releases. This can be discussed further.
>
> This is something I would support! :) We could go as far as to tell
> dl.suckless.org to automatic
Laslo Hunhold writes:
> On Thu, 24 Aug 2017 11:02:46 +0200
> ilf wrote:
>
> As nice as PGP sounds, I think it has seen its best days already for
> general usage. I know no package manager that implements this model
> (tell if there is one). The ones I know use hashes.
pacman uses signatures to
On Thu, 24 Aug 2017 10:41:15 -0600
Aaron Toponce wrote:
Hey Aaron,
> There is no software on that github repository. It's all raw text.
maybe it's all raw text to us now, but who says they won't add
systemd-aarond to interpret this text as instructions to systemd to
turn each and every single c
Quoth Aaron Toponce:
> On Thu, Aug 24, 2017 at 12:45:15AM +0200, hiro wrote:
> > Any responsible suckless person should not download Aaron's software.
> > I cannot guarantee it's not ransomware!
>
> There is no software on that github repository. It's all raw text.
He's just trolling you, while im
On Thu, Aug 24, 2017 at 01:22:33PM +0200, Laslo Hunhold wrote:
> I won't support the PGP snake-oil movement just so you can sleep well
> at night. If you want to go with maximum trust, you can compare the
> tarball-contents with the status of the git-repo at a certain tag.
I'll continue to push ch
On Thu, Aug 24, 2017 at 12:45:15AM +0200, hiro wrote:
> Any responsible suckless person should not download Aaron's software.
> I cannot guarantee it's not ransomware!
There is no software on that github repository. It's all raw text.
--
. o . o . o . . o o . . . o .
. . o . o o o .
On Thu, 24 Aug 2017 13:45:35 +0200
Hiltjo Posthuma wrote:
Hey Hiltjo,
> We must have scripts for this. Generating the SHA256 checksums was
> easy. There were 2 checksums missing for surf which were fixed. If we
> automate this then there is less chance to forget anything. We should
> remove MD5
FWIW, as someone who is mostly just a user of suckless stuff, I like
OpenPGP signing too. I don't have a strong opinion of git tags vs
tarballs for signing, either is good. It's nice to have a properly
secure proof of authenticity that doesn't depend on the link not
being compromised.
I'm really
Laslo Hunhold:
I know no package manager that implements this model (tell if there is
one).
https://wiki.debian.org/SecureApt
Another cool project: https://hannes.nqsb.io/Posts/Conex
But since suckless doesn't have an OS (yet), the debate is not about
package managers, but source releases. An
On Thu, Aug 24, 2017 at 01:22:33PM +0200, Laslo Hunhold wrote:
> On Thu, 24 Aug 2017 11:02:46 +0200
> ilf wrote:
>
> Dear ilf,
>
> > HTTPS is good, and it's the new default:
> > https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
> > The hierarchical trust model of X.509 ma
On Thu, Aug 24, 2017 at 11:02:46AM +0200, ilf wrote:
> I want to strongly advocate for OpenPGP signatures of releases.
>
> HTTPS is good, and it's the new default:
> https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
> The hierarchical trust model of X.509 makes it suitable for
On Thu, 24 Aug 2017 11:02:46 +0200
ilf wrote:
Dear ilf,
> HTTPS is good, and it's the new default:
> https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
> The hierarchical trust model of X.509 makes it suitable for many
> things, but for signing code that we build and run on
I want to strongly advocate for OpenPGP signatures of releases.
HTTPS is good, and it's the new default:
https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
The hierarchical trust model of X.509 makes it suitable for many things,
but for signing code that we build and run on
On 24 August 2017 at 00:45, hiro <23h...@gmail.com> wrote:
> Any responsible suckless person should not download Aaron's software.
> I cannot guarantee it's not ransomware!
> But I also made a github and my checksums and signatures are certified
> by the German cybersecurity department of the TüV.
Any responsible suckless person should not download Aaron's software.
I cannot guarantee it's not ransomware!
But I also made a github and my checksums and signatures are certified
by the German cybersecurity department of the TüV. My githab is called
honestachmet. Please add me to your linkedin.
Mattias Andrée wrote:
> * An alternative to signature files is to sign the tags in Git, and those
> that care enough could pull releases from git instead.
That is a nice idea. It doesn't require any extra signature/checksum file cruft
on the webserver. It can easily be made optional and is in th
On Wed, 23 Aug 2017 22:29:17 +0200
Markus Teich wrote:
> Mattias Andrée wrote:
> > If the server's authenticity can be proven with HTTPS,
> > what additional security do PGP-signatures provide?
>
> Some people trust persons they know more than they trust random corporations
> with questionable
Mattias Andrée wrote:
> If the server's authenticity can be proven with HTTPS,
> what additional security do PGP-signatures provide?
Some people trust persons they know more than they trust random corporations
with questionable security policies. Other people think PGP sucks. I don't know
which gr
On Wed, 23 Aug 2017 22:03:41 +0200
Markus Teich wrote:
> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory, yesterday I've added
> > SHA256 checksums.
> >
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1: http://dl.suckless.org/
Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
>
> For example:
> SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> MD5: http://dl.suckless.org/dwm/md5sums
On Wed, Aug 23, 2017 at 08:21:45PM +0200, Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
>
> For example:
> SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> SHA1: http://dl.suckless.org/dwm/sha1sums.txt
>
On Wed, Aug 23, 2017 at 12:04:46PM -0600, Aaron Toponce wrote:
> I noticed most software available on http://dl.suckless.org does not provide
> checksums and digital signatures for the compressed tarballs, and other files.
> I sought to remedy this, by creating a Github repository of only checksums
I noticed most software available on http://dl.suckless.org does not provide
checksums and digital signatures for the compressed tarballs, and other files.
I sought to remedy this, by creating a Github repository of only checksums and
digital signatures. It's available at:
https://github.com/a