On Mon, Aug 8, 2016 at 4:42 PM, Antoine Beaupré <anar...@debian.org> wrote:
> It is not hardcoded: you can change the central host and relay with a > simple commandline option. > > $ wormhole --help | grep -B1 'to use' > Options: > --relay-url URL rendezvous relay to use > --transit-helper tcp:HOST:PORT transit relay to use > > This could, arguably, be done in a configuration file to facilitate > using third party servers, but this can hardly be considered > hardcoded. Anyways, if the current main host goes down, I assume the > software can/will be patched to provide other hosts as options. > > Keep in mind transfers are ephemeral: the central hosts are used only to > establish contact and transfer the file, then everything is torn down. Fair enough, *a* central host is hardcoded. You could obviously set up your own, which sort of defeats the purpose of being simple, but point conceded. > >> We still ship FTP daemons that serve files without passwords and use > >> cleartext by default. > > > > They're not labeled "secure" though ;) > > Actually, quite a few are: [ ... snip ... ] > I agree it is somewhat of an empty word, but it shouldn't be considered > reason enough to keep stuff from entering Debian, because then you'd > have a *lot* of packages to kick out the archive. Heck, "apt search > secure" suggests I installed zendframework, and we know how scary PHP > security has been in the past. ;) Good point. > > Just to clarify, I never objected to the package itself, just that I > > wasn't sure about it being called "secure". I don't know enough about > > the algorithms and attack surfaces involved to make any kind of > > qualified statement though, so maybe it does qualify as secure. > > Well, I am not a cryptographer myself, so I can't comment about the > algorithm. But I am somewhat familiar with such protocols and I found > they brought a novel and robust system in place, that has similar > robustness properties than existing protocols (e.g. Oauth with a > digit-only PIN) with interesting enhancements that make it fail more > gracefully (abort transfer after first failed attempt). > > May I suggest that, if you do not know enough about security protocols, > you refrain from discouraging people, that do have some knowledge about > them, from packaging software into Debian? :) > Will do. Crawling back under my rock. At no point was I attempting to discourage anyone, apologies if it came off that way. It does look like a really useful tool, I just figured it might need a tiny bit more vetting before calling it secure. It appears I was wrong, which is cool. I like being wrong. :) Cheers, Fredrik.