On 170226-14:32-0600, R0b0t1 wrote:
> On Sun, Feb 26, 2017 at 5:00 AM, Miroslav Rovis
> <miro.rovis@××××××××××××××.hr> wrote:
> > On 170225-21:34-0600, R0b0t1 wrote:
> >> On Saturday, February 25, 2017, Miroslav Rovis <miro.rovis@××××××××××××××.hr>
> >> wrote:
> >> >
> >> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
> > ...
> >>
...
> >> Aside:
> >> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html
> >
> > Too technical for me. Too little learning gain for too much mumbo-jumbo noise, at this
> > stage of my understanding of crypto, for me.
>
> My apologies. The useful part of the link is really the title. It
> explains how, if you *do* successfully break a given key, you have
> necessarily broken millions of them - you are just unsure if they are
> currently in use. The wise option is then to record every key
> combination you brute force in the hope that someone will start using
> it in the future.
I did figure that much out. But all of it is useful... for true
cryptographers. It's so appealing, but so distant yet (or forever; where
can one find the time to learn that much?).
> >
> > But, when we talk crypto being broken, I can help thinking of other
I meant:
But, when we talk crypto being broken, I can't help thinking of other
( ... can't ... )
> > threats to Gentoo and other FOSS GNU Linux that I fear are perfectly
> > feasible (for the resourceful subjects)
( And also, the Message-ID given in my email can only be found by
subscribers to the gentoo-dev mailing list, not the gentoo-user ML. )
> > Gentoo distro is increasingly served the insecure way, IMO, that is: via
> > git, without the repositories being, for end users, PGP-verifiable.
> >
> > And via a new private big business, the Github. Giving over all users to
> > big Github brother.
> >
> > And, in the transition all the history got lost. Git started remembering
> > only from 2015.
> >
> > I have asked a question about getting the git-served repository verifiable
> > for end users, but I didn't get any replies:
> >
>
> This is something I was concerned about myself, especially since the
> bare git protocol that most users access the repository from, even if
> it is the repository hosted by the Gentoo Foundation, is insecure. Git
> access via SSH or HTTPS *is* secure but is not implemented - I'm not
> sure why, as they've purchased a "real" certificate and the Git
> subdomain may already be covered by it.
>
And there's no need to purchase certs any more. LetsEncrypt
certificates are free in both the GNU/GNU-compatible sense and the
free-of-charge sense.

But a repository can also really be verifiable only if it is PGP-signed
(or signed in some other crypto-verifiable way). So HTTPS alone does not
do it.

> Well, maybe someone will notice this message. Or not.
>
> R0b0t1.
>

I hope so too.

Because it's depressing how large swathes of FOSS are getting under the
control of big business and, to some extent, very minor here but not
negligible, actually covertly privatized...

I can't help but remind ( I wrote about it in:
GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)
https://lists.gt.net/gentoo/user/321797
Message-ID: <20170111205529.GB28353@×××.xdwgrp>
) how big dirty stingy Schmoogle the Schmoog treats Gentoo, which it uses
for its CoreOS
[[ the important thing there to find is the link to:
Gentoo Foundation, background and status report Robin Johnson
https://youtu.be/S3bmXVbxMgE
and if a reader doesn't get to the same conclusion about the Schmoog that
I arrived at, then the reader might be missing something ]]

Ah, as far as distribution verifiability goes, I guess the emerge-webrsync and
PGP-signed portage trees functionality needs to be kept forever, then...

Thanks for replying!
(
BTW, about the link, in the first email, to my message to the secure-os ML,
one of the secure-os folks kindly confirmed, but in a private message,
that they were considering my email...
)

Sad how this topic, or the other linked in my first mail, to the
gentoo-dev ML, didn't attract more discussion... It can't be too late to
fix these issues...

Regards!

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
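The point made in the thread above, that HTTPS or SSH protects the fetch but only a signature makes the fetched tree verifiable, can be shown with plain git and gpg. The script below is an added example, not code from the thread or from Gentoo: it creates a throwaway OpenPGP key in an isolated keyring, commits once with a signature and once without, and runs the same `git verify-commit` check on each. The key, the repository and the file contents are all made up for the demonstration; it assumes git (2.1 or later, for `verify-commit`) and gpg (2.1 or later) are installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Gentoo: why transport
# security (HTTPS/SSH) alone does not make a git-served tree verifiable, and
# what a signature check adds. The signing key, the demo repository and the
# file contents are all constructed here for the demonstration.
# Requires: git >= 2.1 (verify-commit, --no-gpg-sign) and gpg >= 2.1.
set -eu

# Isolated keyring so the demo never touches the real ~/.gnupg.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Generate a passphrase-less Ed25519 signing key and print its fingerprint.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign never \
        >/dev/null
    # With --with-colons, the first "fpr:" record is the primary key fingerprint.
    gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Print "ok" when HEAD of the repository in $1 carries a signature that
# verifies against the keyring, "bad" otherwise. This is the check a client
# runs on a tree it has fetched; the transport used to fetch it (git://,
# https://, ssh://) plays no part in the result.
check_head() {
    if git -C "$1" verify-commit HEAD >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Build a repository with one signed commit, then one unsigned commit on top,
# and report the verification result for each. Both states would be served
# byte-for-byte identically over an HTTPS clone.
signed_vs_unsigned() {
    keyid="$1"
    repo="$(mktemp -d)"
    git -C "$repo" init -q
    git -C "$repo" config user.name 'Demo Signer'
    git -C "$repo" config user.email 'demo@example.invalid'
    git -C "$repo" config user.signingkey "$keyid"

    echo 'original contents' > "$repo/file"
    git -C "$repo" add file
    git -C "$repo" commit -q -S -m 'signed commit'
    signed="$(check_head "$repo")"

    # A change introduced without the developer's key, as a compromised mirror
    # or hosting account could do; transport encryption cannot prevent this.
    echo 'tampered contents' >> "$repo/file"
    git -C "$repo" commit -q -a --no-gpg-sign -m 'unsigned commit'
    unsigned="$(check_head "$repo")"

    rm -rf "$repo"
    echo "$signed $unsigned"
}

KEYID="$(make_test_key)"
RESULT="$(signed_vs_unsigned "$KEYID")"
echo "signed commit -> ${RESULT% *}, unsigned commit -> ${RESULT#* }"
```

The only thing `check_head` trusts is the keyring: a client that has imported the project's signing keys gets a yes/no answer that does not depend on which mirror or which protocol delivered the objects. For Portage this is the property the `webrsync-gpg` FEATURE, with a keyring in `PORTAGE_GPG_DIR`, gave emerge-webrsync snapshots at the time of the thread; a git-synced tree needs an equivalent check on the commits or tags it fetches.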