| 1 |
On 170226-14:32-0600, R0b0t1 wrote: |
| 2 |
> On Sun, Feb 26, 2017 at 5:00 AM, Miroslav Rovis |
| 3 |
> <miro.rovis@××××××××××××××.hr> wrote: |
| 4 |
> > On 170225-21:34-0600, R0b0t1 wrote: |
| 5 |
> >> On Saturday, February 25, 2017, Miroslav Rovis <miro.rovis@××××××××××××××.hr> |
| 6 |
> >> wrote: |
| 7 |
> >> > |
| 8 |
> >> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html |
| 9 |
> > ... |
| 10 |
> >> |
| 11 |
... |
| 12 |
> >> Aside: |
| 13 |
> >> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html |
| 14 |
> > |
| 15 |
> > Too technical for me. Too little learning gain for too much mumbo-jumbo noise, at this |
| 16 |
> > stage of my understanding of crypto, for me. |
| 17 |
> |
| 18 |
> My apologies. The useful part of the link is really the title. It |
| 19 |
> explains how, if you *do* successfully break a given key, you have |
| 20 |
> necessarily broken millions of them - you are just unsure if they are |
| 21 |
> currently in use. The wise option is then to record every key |
| 22 |
> combination you brute force in the hope that someone will start using |
| 23 |
> it in the future. |
| 24 |
I did figure that much out. But all of it useful... for true |
| 25 |
cryptographers. It's so appealing, but so distant yet (or forever, where |
| 26 |
can one find the time to learn that much?). |
| 27 |
> > |
| 28 |
> > But, when we talk crypto being broken, I can help thinking of other |
| 29 |
I meant: |
| 30 |
But, when we talk crypto being broken, I can't help thinking of other |
| 31 |
( ... can't ... ) |
| 32 |
> > threats to Gentoo and other FOSS GNU Linux that I fear are perfectly |
| 33 |
> > feasible (for the resourceful subjects) |
| 34 |
( And also, the Message-ID given in my email can only be found by |
| 35 |
subcribers to the gentoo-dev mailing list, not gentoo-user ML. ) |
| 36 |
> > Gentoo distro is increasingly served the insecure way, IMO, that is: via |
| 37 |
> > git, without the repositories being, for end users, PGP-verifiable. |
| 38 |
> > |
| 39 |
> > And via a new private big business, the Github. Giving over all users to |
| 40 |
> > big Github brother. |
| 41 |
> > |
| 42 |
> > And, in the trasition all the history got lost. Git started remembering |
| 43 |
> > only from 2015. |
| 44 |
> > |
| 45 |
> > I have asked a question about getting git-served repository verifiable |
| 46 |
> > for end users, but I didn't get any replies: |
| 47 |
> > |
| 48 |
> |
| 49 |
> This is something I was concerned about myself, especially since the |
| 50 |
> bare git protocol that most users access the repository from, even if |
| 51 |
> it is the repository hosted by the Gentoo Foundation, is insecure. Git |
| 52 |
> access via SSH or HTTPS *is* secure but is not implemented - I'm not |
| 53 |
> sure why, as they've purchased a "real" certificate and the Git |
| 54 |
> subdomain may already be covered by it. |
| 55 |
> |
| 56 |
And there's even no need purchasing certs any more. LetsEncrypt |
| 57 |
cetrificates are free in both some GNU/GNU-compatible way, and the |
| 58 |
free-of-charge way. |
| 59 |
|
| 60 |
But a repository can also really be verifiable only if it is PGP-signed |
| 61 |
(or some other cryptro-verifiable-way signed). So HTTPS alone does not |
| 62 |
do it. |
| 63 |
|
| 64 |
> Well, maybe someone will noticed this message. Or not. |
| 65 |
> |
| 66 |
> R0b0t1. |
| 67 |
> |
| 68 |
|
| 69 |
I hope too. |
| 70 |
|
| 71 |
Because it's depressing how large swathes of FOSS are getting under |
| 72 |
control of big business and to some extent, very minor here, but not |
| 73 |
negligeable, actually covertly privatized... |
| 74 |
|
| 75 |
I can't help but remind ( I wrote about it in: |
| 76 |
GUI-less (non-dbus) virt-manager (to run Tails in Gentoo) |
| 77 |
https://lists.gt.net/gentoo/user/321797 |
| 78 |
Message-ID: <20170111205529.GB28353@×××.xdwgrp> |
| 79 |
) how big dirty stingy Schmoogle the Schmoog treats Gentoo which it uses |
| 80 |
for its CoreOS |
| 81 |
[[ important thing there to find is the link to: |
| 82 |
Gentoo Foundation, background and status report Robin Johnson |
| 83 |
https://youtu.be/S3bmXVbxMgE |
| 84 |
and if a reader don't get to the same conclusion about the Schmoog that |
| 85 |
I arrived at, then the reader might be missing something ]] |
| 86 |
|
| 87 |
Ah, as far as distribution verifiability, I guess emerge-webrsync and |
| 88 |
PGP-signed portage trees functionality needs to be kept forever, then... |
| 89 |
|
| 90 |
Thanks for replying! |
| 91 |
( |
| 92 |
BTW, about the link, in the first email, to my message to secure-os ML, |
| 93 |
one of the secure-os folks kindly confirmed, but in a private message, |
| 94 |
that they were considering my email... |
| 95 |
) |
| 96 |
|
| 97 |
Sad how this topic, or the other linked in my first mail, to the |
| 98 |
gentoo-dev ML, didn't attract more discussion... It can't be too late to |
| 99 |
fix these issues... |
| 100 |
|
| 101 |
Regards! |
| 102 |
|
| 103 |
-- |
| 104 |
Miroslav Rovis |
| 105 |
Zagreb, Croatia |
| 106 |
https://www.CroatiaFidelis.hr |
Archives