Re: [aur-general] aur website default ssl

2010-10-28 Thread Justin Davis
On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz  wrote:
> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru 
> wrote:

>> As i said earlier in a reply to Loui, maybe we can do it
>> better. Having https only for login and then redirecting to http is
>> like not having it at all.

Ionut,
This is a ridiculous claim. Maybe we should tell that to amazon,
newegg, and oh I don't know... 99% of websites on the planet? Most
sites use https only for logins and transactions. Publicly available
information like aur comments, aur packages, images, etc don't really
need encryption. Just about everything sent to/from the AUR is not
sensitive information. Except login passwords. I would be pissed off
if amazon had the same point of view. What if amazon decided that
their https for logins and credit cards was the same as not having it
at all and removed it?

> Simply using https for all connections is the easiest and best solution
> imho. Everything in between is either insecure or inconvenient for the
> users. And I also don't see the need for it. Every sane http client
> should handle a http redirect and https. If it does not it's just a bug
> in the client. Of course it is unfortunate that this wasn't tested by
> the clyde author before.

Pierre,
How is sending publicly available information unencrypted insecure? It
does not warrant a need for additional security in the first place. If
someone wants to see what comments you post on a package they go look
at the package's page. They don't have to sniff your traffic. I am
secure in my AUR traffic's triviality.

How is https for logins inconvenient for users? Forwarding between
http and https happens transparently on every major website. Most
people wouldn't know it was happening if it wasn't for the padlock
graphic. Many still don't.

Anyways the problem with clyde is fixed thanks to a (deleted?) comment
by tarfu on the AUR. luasec just needed to be installed. I just
freaked out a little when I came home and found clyde broken. I still
want to switch it to luacurl and have the code ready.

I know you guys meant well and I probably shouldn't be so negative but
it sort of reminds me of when I saw some kids lock their bikes up to a
short post that I could easily lift the bike over. I disagree with the
principles you have stated but not with your motives.

-- 
-Justin


Re: [aur-general] aur website default ssl

2010-10-28 Thread Kaiting Chen
>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?
>
> > Simply using https for all connections is the easiest and best solution
> > imho. Everything in between is either insecure or inconvenient for the
> > users. And I also don't see the need for it. Every sane http client
> > should handle a http redirect and https. If it does not it's just a bug
> > in the client. Of course it is unfortunate that this wasn't tested by
> > the clyde author before.
>
> Pierre,
> How is sending publicly available information unencrypted insecure? It
> does not warrant a need for additional security in the first place. If
> someone wants to see what comments you post on a package they go look
> at the package's page. They don't have to sniff your traffic. I am
> secure in my AUR traffic's triviality.
>
> How is https for logins inconvenient for users? Forwarding between
> http and https happens transparently on every major website. Most
> people wouldn't know it was happening if it wasn't for the padlock
> graphic. Many still don't.


True story; and a lot of server resources would be saved by not having to
encrypt information that doesn't need to be encrypted.

-- 
Kiwis and Limes: http://kaitocracy.blogspot.com/


Re: [aur-general] aur website default ssl

2010-10-28 Thread Isaac Dupree

On 10/28/10 02:59, Justin Davis wrote:

> Pierre,
> How is sending publicly available information unencrypted insecure?


Some (weak) arguments:

1. net infrastructure in between me and Arch-server can see which 
specific pages on aur.archlinux.org that I'm loading.  And even change 
data such as PKGBUILDs maliciously, in theory.


2. in places with unencrypted/unencryptable wifi (like my college, for 
some reason..) my physical neighbors can spy on that information too.


3. "all https" reduces the chances of the website having bugs (security 
flaws) where it leaves the wrong things unencrypted... and if it has 
those bugs, it's not like we would notice, because it only affects 
people who are going out of their way to try and get other people's info.


(It's good for a website to have option of all-https though.  So the 
paranoid among us can use it.  Related work: 
https://www.eff.org/https-everywhere  Recent hype: 
http://codebutler.com/firesheep (about insecurity of logins that persist 
by means of unencrypted cookie -- I'm not sure, does this affect a 
partly-http AUR too, if you're logged in?))


-Isaac


Re: [aur-general] aur website default ssl

2010-10-28 Thread Gergely Imreh
On 28 October 2010 14:59, Justin Davis  wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz  wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru 
>> wrote:
>
>>> As i said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at all.
>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?

As the discussion gets more technical, it is good to see what the
people who actually know all about these issues have to say. I think
it is very educational (well, for me at least) to read Firesheep's
author's comment on the people's reactions, and how there are many bad
solutions that look like good ones. Eg. the "Why is it hard to stay
safe - Forced SSL/HTTPS for posting of Login/Password credentials
only" section.
http://codebutler.com/firesheep-a-day-later

Re: Amazon and others, just because the big guys do it, does not mean
they do it right.

>> Simply using https for all connections is the easiest and best solution
>> imho. Everything in between is either insecure or inconvenient for the
>> users. And I also don't see the need for it. Every sane http client
>> should handle a http redirect and https. If it does not it's just a bug
>> in the client. Of course it is unfortunate that this wasn't tested by
>> the clyde author before.
>
> Pierre,
> How is sending publicly available information unencrypted insecure? It
> does not warrant a need for additional security in the first place. If
> someone wants to see what comments you post on a package they go look
> at the package's page. They don't have to sniff your traffic. I am
> secure in my AUR traffic's triviality.

Please correct me if I'm wrong, it's not just about sniffing, it's
about hijacking your session.
Eg. one could record your logging in, then come back later, and orphan
your packages (a "better" bad case), or update it with malicious code
(a worse one) while it looks like it was you.
Not saying one would do that, but if we are throwing around hypotheticals...

Cheers,
   Greg


Re: [aur-general] aur website default ssl

2010-10-28 Thread Pierre Schmitz
On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh 
wrote:
> On 28 October 2010 14:59, Justin Davis  wrote:
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the package's page. They don't have to sniff your traffic. I am
>> secure in my AUR traffic's triviality.
> 
> Please correct me if I'm wrong, it's not just about sniffing, it's
> about hijacking your session.
> Eg. one could record your logging in, then come back later, and orphan
> your packages (a "better" bad case), or update it with malicious code
> (a worse one) while it looks like it was you.
> Not saying one would do that, but if we are throwing around hypotheticals...
> 
> Cheers,
>    Greg

Yes, https is not only about preventing others from reading the
transmitted data. It's also about making sure data was sent from the
correct server and hasn't been altered. E.g. nobody has injected some
code. Only encrypting the login page does not help much.

The session itself has to be sent unencrypted and can be hijacked. Only
encrypting when one is logged in makes it inconvenient for users as they
always would have to add the s to http (or click a link) if visiting a link
etc..

As for the server load: that's not true these days. There are some
studies from Google when they switched to https and also from my own
experience the increased load is not that significant to argue about.

In general I think it's a good idea that we now use https for most
sites and we shouldn't discuss whether that is sane or not but why
some clients are unable to handle it.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre


Re: [aur-general] aur website default ssl

2010-10-28 Thread Pierre Schmitz
On Thu, 28 Oct 2010 03:13:42 -0400, Kaiting Chen 
wrote:
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the package's page. They don't have to sniff your traffic. I am
>> secure in my AUR traffic's triviality.
>>
>> How is https for logins inconvenient for users? Forwarding between
>> http and https happens transparently on every major website. Most
>> people wouldn't know it was happening if it wasn't for the padlock
>> graphic. Many still don't.
> 
> 
> True story; and a lot of server resources would be saved by not having to
> encrypt information that doesn't need to be encrypted.

That's wrong. See for example
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html. About 1%
cpu overhead is not worth talking about. In fact it would be a lot more
work and possibly insecure to not just encrypt everything but
selectively.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre


Re: [aur-general] aur website default ssl

2010-10-28 Thread Malte Rabenseifner
On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh 
wrote:
> On 28 October 2010 14:59, Justin Davis  wrote:
>> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz  wrote:
>>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru 
>>> wrote:
>>
>>>> As i said earlier in a reply to Loui, maybe we can do it
>>>> better. Having https only for login and then redirecting to http is
>>>> like not having it at all.
>>
>> Ionut,
>> This is a ridiculous claim. Maybe we should tell that to amazon,
>> newegg, and oh I don't know... 99% of websites on the planet? Most
>> sites use https only for logins and transactions. Publicly available
>> information like aur comments, aur packages, images, etc don't really
>> need encryption. Just about everything sent to/from the AUR is not
>> sensitive information. Except login passwords. I would be pissed off
>> if amazon had the same point of view. What if amazon decided that
>> their https for logins and credit cards was the same as not having it
>> at all and removed it?
> 
> As the discussion gets more technical, it is good to see what the
> people who actually know all about these issues have to say. I think
> it is very education (well, for me at least) to read Firesheep's
> author's comment on the people's reactions, and how there are many bad
> solutions that look like good ones. Eg. the "Why is it hard to stay
> safe - Forced SSL/HTTPS for posting of Login/Password credentials
> only" section.
> http://codebutler.com/firesheep-a-day-later
> 
> Re: Amazon and others, just because the big guys do it, does not mean
> they do it right.
> 
>>> Simply using https for all connections is the easiest and best solution
>>> imho. Everything in between is either insecure or inconvenient for the
>>> users. And I also don't see the need for it. Every sane http client
>>> should handle a http redirect and https. If it does not it's just a bug
>>> in the client. Of course it is unfortunate that this wasn't tested by
>>> the clyde author before.
>>
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the package's page. They don't have to sniff your traffic. I am
>> secure in my AUR traffic's triviality.
> 
> Please correct me if I'm wrong, it's not just about sniffing, it's
> about hijacking your session.
> Eg. one could record your logging in, then come back later, and orphan
> your packages (a "better" bad case), or update it with malicious code
> (a worse one) while it looks like it was you.
> Not saying one would do that, but if we are throwing around hypotheticals...
> 
> Cheers,
>    Greg


I am sitting in a (switched) network with over 1000 clients day after
day. I really like the idea of having full-forced-TLS-encryption on
websites. It is the only safe way I can be sure that no one is sniffing
my traffic with a simple arp-spoof. I don't care that other people know
what sites I visit (I have a Facebook account and use the "Like"
buttons, that says all) but I care that there could be someone in this
building who has control over my traffic (whatever his reason may be).
Therefore I agree with Greg's statement above and strongly disagree with
Justin's. It is not about getting information that is public nonetheless.
It is simply not the right way to get it and should be prevented.
One user +1 from me for https-only on all Arch websites (in the hope the
servers can handle that).

-- 
Malte Rabenseifner, Germany
m...@malte-rabenseifner.de
--
Beneath knowing, understanding.
Beneath understanding, seeing.
Beneath seeing, recognizing.
Beneath recognizing, knowing.
--


[aur-general] mysql-workbench-latest deletion

2010-10-28 Thread Cédric Girard
Hi,
mysql-workbench-latest [1] is an outdated duplicate of mysql-workbench [2]
in [community]. Please delete.

Thanks

[1] https://aur.archlinux.org/packages.php?ID=38100
[2] http://www.archlinux.org/packages/community/x86_64/mysql-workbench/

-- 
Cédric Girard


Re: [aur-general] mysql-workbench-latest deletion

2010-10-28 Thread Jan Steffens
Deleted, thank you.

2010/10/28 Cédric Girard :
> Hi,
> mysql-workbench-latest [1] is an outdated duplicate of mysql-workbench [2]
> in [community]. Please delete.
>
> Thanks
>
> [1] https://aur.archlinux.org/packages.php?ID=38100
> [2] http://www.archlinux.org/packages/community/x86_64/mysql-workbench/
>
> --
> Cédric Girard
>


Re: [aur-general] mysql-workbench-latest deletion

2010-10-28 Thread Cédric Girard
On Thu, Oct 28, 2010 at 11:24 AM, Jan Steffens wrote:

> Deleted, thank you.
>
> 2010/10/28 Cédric Girard :
> > Hi,
> > mysql-workbench-latest [1] is an outdated duplicate of mysql-workbench
> [2]
> > in [community]. Please delete.
> >
> > Thanks
> >
> > [1] https://aur.archlinux.org/packages.php?ID=38100
> > [2] http://www.archlinux.org/packages/community/x86_64/mysql-workbench/
> >
> > --
> > Cédric Girard
> >
>

Thank you.


-- 
Cédric Girard


[aur-general] Delete ratm

2010-10-28 Thread Sebastian Schwarz
Hello,

Please delete my package [ratm][1] as upstream has not been available
for a very long time.

Thanks,
Sebastian

[1]: https://aur.archlinux.org/packages.php?ID=22406


Re: [aur-general] Delete ratm

2010-10-28 Thread Lukáš Jirkovský
On 28 October 2010 11:33, Sebastian Schwarz  wrote:
> Hello,
>
> Please delete my package [ratm][1] as upstream has not been available
> for a very long time.
>
> Thanks,
> Sebastian
>
> [1]: https://aur.archlinux.org/packages.php?ID=22406
>

Thanks, deleted.

Lukas


Re: [aur-general] pkgstats and unused [community] packages

2010-10-28 Thread Gianni Vialetto
2010/10/27 Kaiting Chen :
>>
>> This is called mirrorbrain (ok, it is a little more advanced). We just
>> lack a server and someone to implement this. To make it more effective
>> we'd also need some pacman modifications.
>>
>> --
>> Pierre Schmitz, 
>> https://users.archlinux.de/~pierre
>>
>
> Holy shit I just checked out http://www.mirrorbrain.org/; I did not know
> that something like that existed. I think this weekend I'll go ahead and
> install it on my server, load the list of Arch mirrors, do a small scale
> trial. I'll post the results probably next week.
>

If I understand how mirrorbrain works, using it could also be the
solution for half-updated mirrors breaking things (I recall people had
problems when the libpng/libjpeg rebuilds were moved out of testing a
while ago, so much that someone pushed the old versions of those
libraries to the AUR). Not half bad.


Re: [aur-general] aur website default ssl

2010-10-28 Thread PyroPeter

On 10/28/2010 08:59 AM, Justin Davis wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz  wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>> wrote:
>>> As i said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at all.
>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?


Your browser sends your session-id with every request. It would be
extremely easy to sniff the session-id, configure your browser to use
it, and do malicious actions.

This also works if the AUR associates session-ids with the IP of the
user: the attacker could use the same NAT gateway as the user.

Regards, PyroPeter
--
freenode/pyropeter  "12:50 - Ich drücke Return."
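The session-cookie exposure that Greg, Pierre and PyroPeter describe in this thread (log in over https, then keep browsing over http, and the session id travels in cleartext on every later request) can be checked with a small model. This is an added example, not code from the thread and not AUR code: it uses only the Python standard library, whose `http.cookiejar` applies the same rule browsers do for the `Secure` cookie attribute. The cookie name, session value and URLs below are constructed for the demonstration.

```python
"""Model which requests a client attaches a session cookie to.

Added example for this thread; not AUR code. The cookie name, session
value and URLs are constructed for the demonstration. http.cookiejar
applies the Secure attribute the same way a browser does.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values (not from the thread): the login happens over https,
# later page loads go over http or https.
LOGIN_URL = "https://aur.archlinux.org/login.php"
PAGE_HTTP = "http://aur.archlinux.org/packages.php"
PAGE_HTTPS = "https://aur.archlinux.org/packages.php"
SESSION_VALUE = "deadbeef0123"  # constructed session id

# Two ways the server could set the cookie in its https login response.
COOKIE_PLAIN = f"session={SESSION_VALUE}; Path=/"
COOKIE_SECURE = f"session={SESSION_VALUE}; Path=/; Secure"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message allows repeats

    def info(self):
        return self._headers


def login(jar, set_cookie_header):
    """Store the login response's Set-Cookie header in the jar, exactly as
    if the client had received it from LOGIN_URL over https."""
    jar.extract_cookies(_FakeResponse([set_cookie_header]), Request(LOGIN_URL))


def cookie_header_for(jar, url):
    """Return the Cookie header the client would send to `url`, or None
    if no stored cookie is eligible for that URL."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_exposure(set_cookie_header):
    """Log in over https, then report what a later http page load (readable
    by anyone on the path) and a later https page load would carry."""
    jar = CookieJar()
    login(jar, set_cookie_header)
    return {
        "http": cookie_header_for(jar, PAGE_HTTP),
        "https": cookie_header_for(jar, PAGE_HTTPS),
    }


def leaks_in_cleartext(set_cookie_header):
    """True if the session cookie would be attached to plain-http requests."""
    return session_exposure(set_cookie_header)["http"] is not None


if __name__ == "__main__":
    for label, hdr in (("no Secure flag", COOKIE_PLAIN),
                       ("Secure flag", COOKIE_SECURE)):
        print(f"{label}: {session_exposure(hdr)}")
```

Without the `Secure` attribute, the cookie obtained on the https login page is attached to every later plain-http page load, which is what a listener on a shared network sees. Setting `Secure` stops the cleartext leak, but then a logged-in user cannot use any http page at all, so the practical remedy is the one Pierre argues for in this thread: serve the whole site over https.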


Re: [aur-general] aur website default ssl

2010-10-28 Thread Ionuț Bîru

On 10/28/2010 03:27 AM, Loui Chang wrote:
> On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>> wrote:
>>> As i said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at all.
>>
>> Simply using https for all connections is the easiest and best solution
>> imho. Everything in between is either insecure or inconvenient for the
>> users. And I also don't see the need for it. Every sane http client
>> should handle a http redirect and https. If it does not it's just a bug
>> in the client. Of course it is unfortunate that this wasn't tested by
>> the clyde author before.
>
> I would appreciate if you consult aur-dev before making changes to the
> AUR. Can you please describe how you made this change, and how we can
> enable normal http?



seriously, why did you change it back to http over https?

in less than 1 day all aur helpers are working again and I don't see a
reason to use http again. Really, what's the point?


--
Ionuț


Re: [aur-general] TU Application

2010-10-28 Thread Xyne
On 2010-10-27 00:33 -0400 (43:3)
Kaiting Chen wrote:

> Hi aur-general, my name is Kaiting Chen and Xyne has decided to sponsor me
> for my TU application.

/snip

Hi all,

I confirm that I have agreed to sponsor Kaiting. He has the skills and
motivation to be a good TU and I believe that his interests in particular areas
will complement the team nicely.

Let the discussion period begin. :)

Regards,
Xyne



Re: [aur-general] TU Application

2010-10-28 Thread Xyne
Kaiting Chen wrote:

> >
> > What do you need base-meta and base-devel-meta for?
> >
> > pacman -S base and pacman -S base-devel install every package of these
> > groups. And with this method you always automatically get the latest
> > group packages.
> >
> > pacman -Rs base and pacman -Rs base-devel deinstall these groups.
> >
> > Btw., base is automatically installed during the first installation
> > from the install CD anyway. And not having base installed can have
> > curious effects.
> >
> > I'd rather suggest deleting these packages from AUR.
> >
> > Heiko
> >
> 
> I adopted those packages from orphan status. It's for people who like to
> manage their dependencies carefully. Thus one need only base-devel-meta as
> explicit and the rest of the toolchain (gcc, patch, etc.) can be made into
> dependencies without showing up in pacman -Qtd. I don't actually use those
> packages.

Hehe, this came up in the pre-application discussion. I knew someone would
mention this. :P

Metapackages behave differently than groups. Once a group is installed it is no
different than a set of unrelated packages except that they can be removed
together with a single command. If the members of a group change, the user will
not be informed and would have to run an extra command to make sure that the
package is up-to-date. Removing old members is also difficult as they are
explicitly installed and thus do not show up as orphans.

A metapackage resolves these issues and also reduces the clutter of "pacman
-Qe".

I've discussed the merits of metapackages vs groups at length before (check the
forum and pacman-dev mailing list). Basically, if optdeps were handled
properly, metapackages would be much better than groups imo.

Anyway, in this case, I'm still not sure whether such packages belong on the
AUR, but I don't see what harm they do and others clearly find them useful, so
this shouldn't be an issue.

Regards,
Xyne


Re: [aur-general] New Trusted User: Lukas Fleischer

2010-10-28 Thread Andrea Scarpino
On Sunday 24 October 2010 16:04:17 Loui Chang wrote:
> With 21 yes, 0 no, and 4 abstains out of 27 active members, we
> have a 92.5% quorum and a new Trusted User!
Welcome aboard and sorry for the delay.
BBS account updated (I cannot find your flyspray account if you own one).

-- 
Andrea Scarpino
Arch Linux Developer


Re: [aur-general] New Trusted User: Lukas Fleischer

2010-10-28 Thread Ionuț Bîru

On 10/28/2010 10:52 PM, Andrea Scarpino wrote:
> On Sunday 24 October 2010 16:04:17 Loui Chang wrote:
>> With 21 yes, 0 no, and 4 abstains out of 27 active members, we
>> have a 92.5% quorum and a new Trusted User!
> Welcome aboard and sorry for the delay.
> BBS account updated (I cannot find your flyspray account if you own one).



lol? I know that he doesn't have a forum account and his bugtracker 
account is cryptocrack


--
Ionuț


[aur-general] deletion request: kernel26-systemd

2010-10-28 Thread Dave Reisner
Please delete the kernel26-systemd package. It set some flags that are
no longer necessary with Arch's 2.6.36 build.

thanks,
dave reisner


Re: [aur-general] New Trusted User: Lukas Fleischer

2010-10-28 Thread Andrea Scarpino
On Thursday 28 October 2010 22:10:09 Ionuț Bîru wrote:
> lol? I know that he doesn't have a forum account and his bugtracker
> account is cryptocrack
lol. it's vice versa!
flyspray account updated and I cannot find your BBS account :P

-- 
Andrea Scarpino
Arch Linux Developer


Re: [aur-general] deletion request: kernel26-systemd

2010-10-28 Thread Lukas Fleischer
On Thu, Oct 28, 2010 at 04:16:07PM -0400, Dave Reisner wrote:
> Please delete the kernel26-systemd package. It set some flags that are
> no longer necessary with Arch's 2.6.36 build.

Deleted, thanks.


Re: [aur-general] TU Application

2010-10-28 Thread Loui Chang
On Thu 28 Oct 2010 18:03 +0200, Xyne wrote:
> On 2010-10-27 00:33 -0400 (43:3)
> Kaiting Chen wrote:
> 
> > Hi aur-general, my name is Kaiting Chen and Xyne has decided to sponsor me
> > for my TU application.
> 
> /snip
> 
> Hi all,
> 
> I confirm that I have agreed to sponsor Kaiting. He has the skills and
> motivation to be a good TU and I believe that his interests in particular 
> areas
> will complement the team nicely.
> 
> Let the discussion period begin. :)

Awesome.



Re: [aur-general] aur website default ssl

2010-10-28 Thread Loui Chang
On Thu 28 Oct 2010 18:01 +0300, Ionuț Bîru wrote:
> On 10/28/2010 03:27 AM, Loui Chang wrote:
> >On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
> >>On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
> >>wrote:
> >>>As i said earlier in a reply to Loui, maybe we can do it
> >>>better. Having https only for login and then redirecting to http is
> >>>like not having it at all.
> >>
> >>Simply using https for all connections is the easiest and best solution
> >>imho. Everything in between is either insecure or inconvenient for the
> >>users. And I also don't see the need for it. Every sane http client
> >>should handle a http redirect and https. If it does not it's just a bug
> >>in the client. Of course it is unfortunate that this wasn't tested by
> >>the clyde author before.
> >
> >I would appreciate if you consult aur-dev before making changes to the
> >AUR. Can you please describe how you made this change, and how we can
> >enable normal http?
>
> seriously, why did you change it back to http over https?
>
> in less than 1 day all aur helpers are working again and I don't see
> a reason to use http again. Really, what's the point?

The AUR isn't yours alone to decide how everyone should use it.
That's one reason you should consult aur-dev before making such changes.

SSL will still work. The point is to allow users to make the choice
whether or not they want to use ssl.

That choice was impossible the way it was implemented.