Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-09 Thread Adam Borowski
On Thu, Dec 10, 2020 at 01:36:30AM +0100, Adrian Zaugg wrote:
> So, then use DANE.

This.  DANE is the only way to have reasonably secure TLS that's actually
somewhat deployed in the world (not at all for browsers, well on its way
for SMTP).

Instead of trusting all of thousands of CAs, you trust 1 TLD of your choice,
and 1 registrar of your choice. [1]  And without trusting them you can't get
DNS anyway!

> The criticism of the CA design I basically share, but his comparison with
> the TOFU of SSH misses the whole point of authentication of the server's
> identity (...and comparing fingerprints just doesn't scale – at least he
> could have mentioned SSHFP to get somewhere close).

TOFU 1. is totally insecure the first time, 2. proves your communication
with the server if your device is seized.

Note that somehow Mozilla and Google are trying to introduce DANE-over-TLS
as their "implementation of DANE" -- i.e., instead of (or in addition to)
the CA chain you get a DNSSEC signature chain passed after already connecting,
but that hardly gives you anything: it can be trivially downgraded, allowing
any attacker to eavesdrop if they could do so before.

Only DANE-over-DNS is currently downgrade-resistant (even if DNS itself is
tunnelled -- DANE-over-DNS-over-TLS is ok in this regard).

> Don't you guys run Linux? So the Linux Foundation and EFF are your
> competitors? Nah. And the cleartext communication with LE is signed btw.,
> there is the DNS-01 challenge method, which can be secured by DNSSEC
> and so forth.

DANE is strictly better than LE (anyone who can subvert DNS{,SEC} can also
use that to obtain a CA certificate), LE is strictly better than http.

> The only option in his picture of the web is to use plaintext http
> or https that does not make a distinction between self-signed and issued
> certs. Is that any better? Does this guy understand what he writes
> about? I get the impression this is mostly publicly shown narcissism and
> false conclusions – me too, I feel contrarian.

Aye.  Self-signed is better than plaintext, CA-signed is much better than
self-signed.  That guy has two choices: worse X, bad Y, and argues for X
just because Y is bad.


Meow!

[1]. Technically, also the root domain, but you almost surely have your
TLD's key cached, and it's easy to pin TLD keys.
-- 
⢀⣴⠾⠻⢶⣦⠀ .--[ Makefile ]
⣾⠁⢠⠒⠀⣿⡁ # beware of races
⢿⡄⠘⠷⠚⠋⠀ all: pillage burn
⠈⠳⣄ `
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
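The TLSA check behind what Adam calls DANE-over-DNS, as an added example that is not part of the thread or of any project it names. It is Python with the standard library only: a minimal DER reader pulls the SubjectPublicKeyInfo out of a certificate, the certificate association data is computed and compared per TLSA selector and matching type (RFC 6698), and a small policy function applies the RFC 7672 rule for SMTP that ties the decision to the DNSSEC validation state of the lookup. That last step is where the downgrade resistance lives: the TLSA RRset is validated before the handshake, so an attacker who strips or forges it produces a "bogus" result, not a silent fallback. The certificate bytes, the function names and the `dane_policy` state labels are constructed for the demo; the bytes have X.509 layout but no real key or signature.

```python
"""TLSA (DANE) matching and the DNSSEC-state policy, RFC 6698 / RFC 7672.

Added example for the DNG thread, not code from any project named in it.
Standard library only; FAKE_CERT below is a CONSTRUCTED stand-in with
X.509 layout but no real key or signature.
"""
import hashlib


def der_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the DER element at buf[off:]."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def der_children(value):
    """Raw child TLVs of a constructed element's contents."""
    out, off = [], 0
    while off < len(value):
        _, _, nxt = der_tlv(value, off)
        out.append(value[off:nxt])
        off = nxt
    return out


def extract_spki(cert_der):
    """SubjectPublicKeyInfo DER of an X.509 cert (RFC 5280 TBSCertificate order:
    [0] version OPTIONAL, serial, signature, issuer, validity, subject, spki)."""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(der_children(cert)[0])
    fields = der_children(tbs)
    return fields[6 if fields[0][0] == 0xA0 else 5]


def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate association data a TLSA record carries for this cert."""
    if selector == 0:                      # 0 = full certificate
        subject = cert_der
    elif selector == 1:                    # 1 = SubjectPublicKeyInfo only
        subject = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == 0:                 # 0 = exact, 1 = SHA-256, 2 = SHA-512
        return subject
    if matching_type == 1:
        return hashlib.sha256(subject).digest()
    if matching_type == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def parse_tlsa_rdata(text):
    """Presentation form '3 1 1 <hex>' -> (usage, selector, matching_type, data)."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(cert_der, rdata):
    """True if the certificate satisfies the TLSA record's association data."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    return tlsa_association_data(cert_der, selector, mtype) == data


def publish_rdata(cert_der, usage=3, selector=1, mtype=1):
    """The rdata you would put in DNS for this cert (default: DANE-EE, SPKI, SHA-256)."""
    data = tlsa_association_data(cert_der, selector, mtype)
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())


def dane_policy(dnssec_state, tlsa_rrset):
    """RFC 7672 decision for an SMTP client from the TLSA lookup's validation state.
    dnssec_state is 'secure' (AD set), 'insecure' (unsigned zone) or 'bogus'."""
    if dnssec_state == "bogus":
        return "refuse"                    # validation failed: do not deliver
    if dnssec_state != "secure" or not tlsa_rrset:
        return "opportunistic"             # no authenticated TLSA data: DANE does not apply
    return "dane"                          # enforce the TLSA records


def der(tag, payload):
    """Tiny DER encoder used only to build the constructed stand-in certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload


_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
_SHA256RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
FAKE_SPKI = der(0x30, der(0x30, _RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + bytes(range(1, 33))))
FAKE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256RSA
             + der(0x30, b"") + der(0x30, der(0x17, b"201209000000Z") + der(0x17, b"211209000000Z"))
             + der(0x30, b"") + FAKE_SPKI)
FAKE_CERT = der(0x30, FAKE_TBS + _SHA256RSA + der(0x03, b"\x00" * 33))   # constructed, unsigned
```

For a real certificate the same "3 1 1" data comes from `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum`, published as `_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>`; `dane_policy` is only meaningful when the lookup was done by a validating resolver (or DNS-over-TLS to one) that reports the AD state, which is exactly the part DANE-over-TLS skips.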


Re: [DNG] What I learned at Distrowatch

2020-12-09 Thread Mason Loring Bliss
On Thu, Dec 10, 2020 at 01:40:39AM +0100, Adrian Zaugg wrote:

> What shows
> 
>   apt remove --dry-run elogind

I'll try to get a chance to do a new install, as I should figure out just
what's pulling in what. I'll post this as soon as I've got it. I'm not sure
what's pulling it in during debootstrap, but I can typically remove it.

One thing I run now that wants either elogind or consolekit is
libvirt-daemon-system on my hypervisors. I haven't yet taken the time to
figure out why that's required. Someday, and/or I should look at
alternatives.


> Without GUI elogind can be removed easily with apt remove --purge elogind

FWIW, you can also say (less typing) 'apt purge elogind'. I've got a
recollection of purging elogind and having it insist on installing
consolekit, but then being able to purge consolekit without it demanding
elogind. I should take better notes whenever I encounter this kind of
oddity.

-- 
Mason Loring Bliss  ((   If I have not seen as far as others, it is because
 ma...@blisses.org   ))   giants were standing on my shoulders. - Hal Abelson


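To answer "what's pulling in what" without a dry run, walk the installed reverse dependencies in the dpkg status database. This is an added example in Python (standard library), not code from the thread; the `STATUS` text is constructed for the demo and only encodes relations the thread itself mentions (openssh-server depending on libsystemd0, libvirt-daemon-system wanting elogind or consolekit), with made-up version constraints. On a real system feed it `/var/lib/dpkg/status`.

```python
"""Reverse-dependency walk over a dpkg status file: who wants elogind / libsystemd0?

Added example for the DNG thread. STATUS is CONSTRUCTED sample data with the
shape of /var/lib/dpkg/status; the version constraints are invented.
"""
import re

STATUS = """\
Package: openssh-server
Status: install ok installed
Depends: libc6 (>= 2.26), libsystemd0, openssh-client (>= 8.4)

Package: libsystemd0
Status: install ok installed
Depends: libc6 (>= 2.29)

Package: libvirt-daemon-system
Status: install ok installed
Depends: libvirt-daemon, elogind | consolekit
Recommends: qemu-system

Package: elogind
Status: install ok installed
Depends: libc6 (>= 2.29), libelogind0

Package: libelogind0
Status: install ok installed

Package: libc6
Status: install ok installed

Package: consolekit
Status: deinstall ok config-files
"""

RELATION_FIELDS = ("Pre-Depends", "Depends", "Recommends")


def parse_status(text):
    """-> {package: {"installed": bool, "deps": [[alternative, ...], ...]}}.
    Each entry of "deps" is one comma-separated group; "a | b" groups keep both names."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):
                key, val = line.split(":", 1)
                fields[key.strip()] = val.strip()
        name = fields.get("Package")
        if not name:
            continue
        deps = []
        for field in RELATION_FIELDS:
            for group in fields.get(field, "").split(","):
                if group.strip():
                    # drop "(>= 1.2)" version and "[amd64]" arch qualifiers
                    alts = [re.sub(r"\s*[\(\[].*", "", a.strip()) for a in group.split("|")]
                    deps.append([a for a in alts if a])
        pkgs[name] = {"installed": fields.get("Status", "").endswith("installed"),
                      "deps": deps}
    return pkgs


def rdepends(pkgs, target):
    """Installed packages whose relations name `target`, with the other
    alternatives of that group (empty list = hard dependency, no swap possible)."""
    out = []
    for name, info in pkgs.items():
        if not info["installed"]:
            continue
        for alts in info["deps"]:
            if target in alts:
                out.append((name, [a for a in alts if a != target]))
    return sorted(out)


def why(pkgs, target, depth=0, seen=None):
    """Indented chain of installed reverse dependencies ending at `target`,
    in the spirit of `aptitude why`."""
    seen = set() if seen is None else seen
    lines = []
    for name, alts in rdepends(pkgs, target):
        if name in seen:
            continue
        seen.add(name)
        note = " (alternatives: %s)" % ", ".join(alts) if alts else ""
        lines.append("  " * depth + "%s -> %s%s" % (name, target, note))
        lines.extend(why(pkgs, name, depth + 1, seen))
    return lines


if __name__ == "__main__":
    db = parse_status(STATUS)
    for pkg in ("libsystemd0", "elogind", "libelogind0"):
        print("\n".join(why(db, pkg)) or "%s: nothing installed depends on it" % pkg)
```

The same information comes from `apt-cache rdepends --installed elogind` and `aptitude why elogind` on a live system; the point of the alternatives column is that a group like `elogind | consolekit` is satisfiable by either package, which is why purging one can make apt insist on the other, as Mason describes.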


Re: [DNG] What I learned at Distrowatch

2020-12-09 Thread Adrian Zaugg


On 01.12.20 15:16, Mason Loring Bliss wrote:
> This brings us to the other thing worthy of note. Try sometime to install
> Devuan (not Debian, Devuan) without systemd and you'll be in for a rude
> shock. It's installed by default, and it's a massive pain to eradicate it.

What shows

apt remove --dry-run elogind

on your system? Do you run a GUI on it?

Without GUI elogind can be removed easily with apt remove --purge
elogind; libsystemd0 gets pulled in by openssh-server and thus is
present on many of my systems – unfortunately.

Regards, Adrian.


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-09 Thread Adrian Zaugg


On 02.12.20 08:44, Ian Zimmerman wrote:
> Sorry, I feel contrarian today (and many other days too). So there:
> 
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

So, then use DANE.

The criticism of the CA design I basically share, but his comparison with
the TOFU of SSH misses the whole point of authentication of the server's
identity (...and comparing fingerprints just doesn't scale – at least he
could have mentioned SSHFP to get somewhere close).

Don't you guys run Linux? So the Linux Foundation and EFF are your
competitors? Nah. And the cleartext communication with LE is signed btw.,
there is the DNS-01 challenge method, which can be secured by DNSSEC
and so forth.

The only option in his picture of the web is to use plaintext http
or https that does not make a distinction between self-signed and issued
certs. Is that any better? Does this guy understand what he writes
about? I get the impression this is mostly publicly shown narcissism and
false conclusions – me too, I feel contrarian.

Adrian.


Re: [DNG] DBus mitigation (Was: The status of simple-netaid-gtk)

2020-12-09 Thread aitor

On 9/12/20 22:57, aitor wrote:

[...] developed in order to simplify the bloated UBus [...]


*DBus*




[DNG] DBus mitigation (Was: The status of simple-netaid-gtk)

2020-12-09 Thread aitor

Hi,

After pushing the newest code of simple-netaid-gtk to gitea.devuan.dev,
I'm considering the following possible scenarios:

1) To keep the original idea of a suid binary and the use of a security
model through parameters, with the addition of a Unix socket in order to
connect the backend and the frontend to each other in a safe way, which is
the aim of the client and the server classes defined in the project:

https://gitea.devuan.dev/aitor_czr/simple-netaid-gtk/src/branch/master/gtk/cli.cpp

https://gitea.devuan.dev/aitor_czr/simple-netaid-gtk/src/branch/master/gtk/svr.cpp

or...

2) A more elaborate connection thanks to the use of libubus to connect
the interface to the daemon. For those who do not know it, ubus is a tiny
inter-process communication system from the OpenWrt project, developed in
order to simplify the bloated UBus:

https://gitea.devuan.dev/aitor_czr/libubus/src/branch/gbp-release-0.1

https://gitea.devuan.dev/aitor_czr/libubox/src/branch/gbp-release-0.1

The man behind this debianization is Alexander Couzens. You can find
further information about ubus here:

https://openwrt.org/docs/techref/ubus

and here:

https://www.hyperbola.info/todo/dbus-mitigation/

In closing, one clarification: the GUI of simple-netaid will be
compatible with both Gtk2 and Gtk3, as you can see in the preprocessor
directives used in main.cpp, icon_factory.cpp, etc.

Cheers,

Aitor.


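The check a privileged backend should make in scenario 1 before acting on anything the frontend sends over the Unix socket, as an added example that is not code from simple-netaid-gtk. It is Python on Linux: the backend asks the kernel who is on the other end of the AF_UNIX connection (SO_PEERCRED) rather than trusting anything in the message, and validates the request fields against an allowlist, so a suid/root side never interprets attacker-controlled strings. The one-line wire format `<cmd> <iface>`, the command set, the interface-name rule and the function names are assumptions for the demo, not the project's protocol; `demo()` uses a socketpair in place of a listening socket so it runs offline.

```python
"""Backend/frontend over a Unix socket with kernel peer-credential checks.

Added example, not code from simple-netaid-gtk. The wire format, the
command set and the interface-name rule are ASSUMED for the demo.
Linux-specific: SO_PEERCRED (BSDs use LOCAL_PEERCRED / getpeereid()).
"""
import os
import re
import socket
import struct

ALLOWED_COMMANDS = {"up", "down", "status"}          # assumed command set
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")      # IFNAMSIZ-1 on Linux is 15


def peer_credentials(conn):
    """(pid, uid, gid) of the peer, reported by the kernel for this connection."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def parse_request(line):
    """Strict parse of "<cmd> <iface>"; returns (cmd, iface) or raises ValueError."""
    parts = line.strip().split()
    if len(parts) != 2:
        raise ValueError("expected exactly two fields")
    cmd, iface = parts
    if cmd not in ALLOWED_COMMANDS:
        raise ValueError("unknown command %r" % cmd)
    if not IFACE_RE.match(iface):
        raise ValueError("bad interface name %r" % iface)
    return cmd, iface


def handle_request(conn, allowed_uids, max_len=256):
    """Read one request on an accepted connection and decide on it.
    Returns ("ok", cmd, iface) or ("denied", reason); it never executes anything."""
    pid, uid, gid = peer_credentials(conn)
    if uid not in allowed_uids:
        return ("denied", "uid %d (pid %d) not allowed" % (uid, pid))
    data = conn.recv(max_len)
    if not data.endswith(b"\n"):
        return ("denied", "request too long or not newline-terminated")
    try:
        cmd, iface = parse_request(data.decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        return ("denied", str(exc))
    return ("ok", cmd, iface)


def demo(request, allowed_uids=None):
    """Drive handle_request over a socketpair standing in for accept()."""
    if allowed_uids is None:
        allowed_uids = {os.getuid()}                  # this process plays the frontend
    backend, frontend = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        frontend.sendall(request)
        return handle_request(backend, allowed_uids)
    finally:
        backend.close()
        frontend.close()


if __name__ == "__main__":
    for req in (b"up eth0\n", b"up eth0; rm -rf /\n", b"reboot eth0\n"):
        print(req, "->", demo(req))
```

In a real daemon the listening socket path also needs a directory and mode that only the intended group can reach, but the SO_PEERCRED check is what stops any local user from driving a root backend through a world-writable socket; the allowlist parse is what keeps the parameters from ever reaching a shell or ifup/ifdown as free-form text.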


Re: [DNG] What I learned at Distrowatch

2020-12-09 Thread Steve Litt
On Fri, 4 Dec 2020 13:20:53 -0500
Hendrik Boom  wrote:


> libsystemd0 is, as I've been told, a library that provides the 
> interfaces provided by systemd without the content.  For example, 
> a typical systemd feature will, as implemented in libsystemd0, 
> merely report back in the proper manner, that the facility requested 
> is not available. 

As a data point, my Void Linux computer doesn't have libsystemd0
installed. It only has eudev stuff:


[slitt@mydesk asml]$ xbps-query -s systemd
[*] eudev-3.2.9_1               Gentoo's fork of systemd-udev (enhanced user...
[*] eudev-libudev-3.2.9_1       Gentoo's fork of systemd-udev (enhanced user...
[*] eudev-libudev-32bit-3.2.9_1 Gentoo's fork of systemd-udev (enhanced user...
[*] eudev-libudev-devel-3.2.9_1 Gentoo's fork of systemd-udev (enhanced user...
[slitt@mydesk asml]$


SteveT

Steve Litt 
Autumn 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive