Re: [arch-general] Stronger Hashes for PKGBUILDs
>
> You mean the source files that you downloaded and then hashed...
>
Yes. If the source files are being modified via a MITM attack (which is trivial if the host uses HTTP) the checksum is still useful.
Re: [arch-general] Stronger Hashes for PKGBUILDs
On Sat, Dec 3, 2016 at 6:27 AM, fnodeuser wrote:
> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html
I would suggest considering TUF - The Update Framework or stealing their signing scheme which withstands all kinds of attack scenarios.
Re: [arch-general] After upgrade
Before you discuss it further, Ralf and piequiex, I did announce using bofh excuses earlier in this thread. I actually pulled the part with Germany randomly from collection of bofh excuses. None of any of that was real. We're having extreme gravity fluctuations, please move your pc to the floor rapidly.
cheers!
mar77i
Re: [arch-general] After upgrade
> On Sat, 3 Dec 2016 00:30:43 + (GMT), piequiex wrote:
> >> give some context and some information about what you upgraded, what
> >> you were doing when it happened and what software was running.
> >> Looking
> >Read original message.
> >On boot.
>
> I need to correct Martin, only your mails are censored:
Why censored?
> do this, since I don't sign mails sent to mailing lists.
This happens automatically on mail service side. I see nothing offensive in this action.
--
Have a nice day!
Re: [arch-general] After upgrade
> On Fri, 2 Dec 2016 17:25:57 + (GMT)
> piequiex wrote:
> > > Have a nice day!
> > >
> > >
> > > You too!
> > Useless message.
> > P.S. Adjust MUA settings.
>
> Just as useless as your original message.
Then do not waste time on my useless message.
--
Have a nice day!
Re: [arch-general] Stronger Hashes for PKGBUILDs
On 03.12.2016 at 20:07, Maxwell Anselm via arch-general wrote:
>>
>> I agree that we should use a strong hash by default where it makes
>> sense. But in the absence of effective validation of upstream packages,
>> this is meaningless.
>>
>
> It would at least indicate that the source file has been tampered with in
> some way. Even though there would be no way to know the "correct" checksum.
>
You mean the source files that you downloaded and then hashed...
Re: [arch-general] After upgrade
> On Sat, 3 Dec 2016 00:30:43 + (GMT)
> piequiex wrote:
>
> > > Whatever you expected to happen. I'm going to go through a few things
> > The logical conclusion.
>
> Logical conclusion: It crashed. What more do you want us to say? We're not
> kernel devs.
Perfect conclusion! Advice?
--
Have a nice day!
Re: [arch-general] Stronger Hashes for PKGBUILDs
>
> I agree that we should use a strong hash by default where it makes
> sense. But in the absence of effective validation of upstream packages,
> this is meaningless.
>
It would at least indicate that the source file has been tampered with in some way. Even though there would be no way to know the "correct" checksum.
Re: [arch-general] Stronger Hashes for PKGBUILDs
On 03.12.2016 at 06:27, fnodeuser wrote:
>
> if an upstream does not sign the files, does not have https enabled, and/or
> refuses to take security and privacy seriously, sha512 must be used in the
> PKGBUILD files.
But using any hash value without the possibility to verify the hashed files adds no security. It provides a false sense of security instead.
I agree that we should use a strong hash by default where it makes sense. But in the absence of effective validation of upstream packages, this is meaningless.
Re: [arch-general] Stronger Hashes for PKGBUILDs
> if an upstream does not sign the files, does not have https enabled, and/or
> refuses to take security and privacy seriously, sha512 must be used in the
> PKGBUILD files.
Then 1) you could argue our using SHA512 is meaningless, but 2) it doesn't matter; we should still be doing the Right™ thing.
-Chris Tonkinson
Re: [arch-general] After upgrade
On 12/02/16 at 05:47am, piequiex wrote:
> -BEGIN PGP SIGNED MESSAGE-
> [ 65.955101] BUG: unable to handle kernel paging request at 81e0
Welp, sounds like you have a kernel bug, either the kernel just locked up or hit a BUG_ON().
> [ 65.956510] IP: [] __memmove+0x24/0x1a0
> [ 65.957874] PGD 1a09067 PUD 1a0a063 PMD 0
> [ 65.959198] Oops: [#17] PREEMPT SMP
> [ 65.993921] CPU: 2 PID: 892 Comm: loadkeys Tainted: P DO
> 4.8.11-1-ARCH #1
Your kernel is tainted, mainline does not support tainted kernels.
--
Jelle van der Waa
Re: [arch-general] After upgrade
On Sat, 3 Dec 2016 00:30:43 + (GMT), piequiex wrote:
>> give some context and some information about what you upgraded, what
>> you were doing when it happened and what software was running.
>> Looking
>Read original message.
>On boot.
I need to correct Martin, only your mails are censored:
https://lists.archlinux.org/pipermail/arch-general/2016-December/042686.html
They censor your mails and after that they fix the broken PGP signature, too. I never noticed that content of my mails is missing in the archive, resp. for mails that came through the list and it would be easier to do this, since I don't sign mails sent to mailing lists.
Regards, Ralf