On 170225-21:34-0600, R0b0t1 wrote:
> On Saturday, February 25, 2017, Miroslav Rovis <miro.ro...@croatiafidelis.hr>
> wrote:
>
> > https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
...
>
> Very interesting. The first useful SHA-1 collision was, if I remember, done
> in 2015, and subverted an HTTPS certificate (though not one which had been
> issued). This was some guys with a couple of servers lined with graphics
> cards.
>
> Seeing someone manage to do it in a garage a number of years before it was
> considered feasible should, hopefully, make you have more conservative
> estimates of the strength of modern cryptography.
>
> Aside:
> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html

Too technical for me. Too little learning gain for too much mumbo-jumbo
noise, at this stage of my understanding of crypto, for me.

> R0b0t1.

But, when we talk crypto being broken, I can help thinking of other
threats to Gentoo and other FOSS GNU Linux that I fear are perfectly
feasible (for the resourceful subjects)

Gentoo distro is increasingly served the insecure way, IMO, that is: via
git, without the repositories being, for end users, PGP-verifiable. And
via a new private big business, the Github. Giving over all users to big
Github brother. And, in the transition all the history got lost. Git
started remembering only from 2015.

I have asked a question about getting git-served repository verifiable
for end users, but I didn't get any replies:

Date: Tue, 20 Dec 2016 00:47:56 +0100
Message-ID: <20161219234756.GA4008@g0n.xdwgrp>
Subject: Is it safe to switch from webrsync to the git repo now?

if you are subscribed and have three months' worth of gentoo-user mail in
your inbox

or: (same subject as above of course)
https://lists.gt.net/gentoo/dev/320922

Long term, this is an issue that will not go away unless it is fixed,
i.e. git-served portage packages start being PGP-verifiable for end
users.

And when we talk security for privacy, and with... pretty much (at least
from my perspective) privacy experts of today, how about this:

[Secure Desktops] dbus, gnunet (was: unstable dnssec-root)
https://secure-os.org/pipermail/desktops/2017-February/000180.html

( where note the dbus creating encrypted session, and the link thereto:
How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566
)

Regards!
- Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr