Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-17 Thread Simon Walter

On 12/2/20 4:44 PM, Ian Zimmerman wrote:
> On 2020-12-02 01:09, Bernard Rosset via Dng wrote:
> > Certbot has removed support of certbot-auto for Debian-based systems
>
> Sorry, I feel contrarian today (and many other days too). So there:
>
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

Nice read. Thanks!
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-09 Thread Adam Borowski
On Thu, Dec 10, 2020 at 01:36:30AM +0100, Adrian Zaugg wrote:
> So, then use DANE.

This.  DANE is the only way to have reasonably secure TLS that's actually
somewhat deployed in the world (not at all for browsers, well on its way
for SMTP).

Instead of trusting all of thousands of CAs, you trust 1 TLD of your choice,
and 1 registrar of your choice. [1]  And without trusting them you can't get
DNS anyway!

> The criticism of the CA design I share basically, but his comparison with
> the TOFU of SSH misses the whole point of authenticating the server's
> identity (...and comparing fingerprints just doesn't scale – at least he
> could have mentioned SSHFP to get somewhere close).

TOFU 1. is totally insecure the first time, 2. proves your communication
with the server if your device is seized.

Note that somehow Mozilla and Google are trying to introduce DANE-over-TLS
as their "implementation of DANE" -- i.e., instead of (or in addition to)
the CA chain you get a DNSSEC signature chain passed after already connecting,
but that hardly gives you anything: it can be trivially downgraded, allowing
any attacker to eavesdrop if they could do so before.

Only DANE-over-DNS is currently downgrade-resistant (even if DNS itself is
tunnelled -- DANE-over-DNS-over-TLS is ok in this regard).

> Don't you guys run Linux? So the Linux Foundation and EFF is your
> competitor? Na. And the cleartext communication with LE is signed btw.,
> there is the DNS-01 challenge method, which can be secured by DNSSEC
> asf.

DANE is strictly better than LE (anyone who can subvert DNS{,SEC} can also
use that to obtain a CA certificate), LE is strictly better than http.

> The only option in his picture of the web is to use plaintext http
> or https that does not make a distinction between self-signed and issued
> certs. Is that any better? Does this guy understand what he writes
> about? I get the impression this is mostly publicly shown narcissism and
> false conclusions – me too, I feel contrarian.

Aye.  Self-signed is better than plaintext, CA-signed is much better than
self-signed.  That guy has two choices: worse X, bad Y, and argues for X
just because Y is bad.


Meow!

[1]. Technically, also the root domain, but you almost surely have your
TLD's key cached, and it's easy to pin TLD keys.
-- 
⢀⣴⠾⠻⢶⣦⠀ .--[ Makefile ]
⣾⠁⢠⠒⠀⣿⡁ # beware of races
⢿⡄⠘⠷⠚⠋⠀ all: pillage burn
⠈⠳⣄ `
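Adam's message above rests on DANE-over-DNS: a TLSA record obtained through a DNSSEC-validated lookup vouches for the server's key in place of a CA chain, and a record that did not come through validated DNS protects nothing. The following Python (standard library only) is an added illustration of that check, not code from the Dng list or from any project named in the thread. The minimal DER walker, the `constructed_cert` helper and every function name are assumptions made for this example; the certificate it builds is constructed, unsigned test data with a valid DER skeleton, not a real certificate.

```python
"""DANE-EE (RFC 6698 usage 3) TLSA matching, standard library only.
Added example for this thread, not code from the Dng list or from any project
named in it; the DER walker and every function name are assumptions."""
import hashlib
from dataclasses import dataclass

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed test certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos):
    """Decode the TLV at pos: (tag, whole_tlv_bytes, body_bytes, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos:end], buf[pos + hdr:end], end

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, whole, _, pos = _tlv(body, pos)
        out.append((tag, whole))
    return out

def subject_public_key_info(cert_der):
    """DER of SubjectPublicKeyInfo, the input for TLSA selector 1."""
    tag, _, cert_body, _ = _tlv(cert_der, 0)
    tbs_tag, _, tbs_body, _ = _tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, sigalg, issuer, validity, subject, SPKI

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert_der, selector, mtype):
    """Certificate association data for cert_der under selector/mtype."""
    subject = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type %d" % mtype)

def generate_tlsa(cert_der, usage=3, selector=1, mtype=1):
    """Presentation form ('3 1 1 <hex>'), as published at _443._tcp.<host>."""
    data = association_data(cert_der, selector, mtype)
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())

def parse_tlsa(text):
    u, s, m, h = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex(h))

def dane_ee_verify(records, dnssec_validated, cert_der):
    """True only if a usage-3 record from a DNSSEC-validated lookup matches.
    Unvalidated records are ignored: unsigned DNS could have been forged on
    the path, which is the downgrade the message above warns about.  Usages
    0-2 would additionally need PKIX/DANE-TA chain checks, not done here."""
    if not dnssec_validated:
        return False
    return any(r.usage == 3 and
               r.data == association_data(cert_der, r.selector, r.mtype)
               for r in records)

def constructed_cert(pubkey_bits):
    """Constructed, unsigned test certificate with a valid DER skeleton."""
    rsa = der(0x06, bytes.fromhex("2A864886F70D010101"))    # rsaEncryption
    spki = der(0x30, der(0x30, rsa + der(0x05, b"")) +
               der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") +
              der(0x30, rsa) + der(0x30, b"") + der(0x30, b"") +
              der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, rsa) + der(0x03, b"\x00" * 9)), spki

if __name__ == "__main__":
    cert, _ = constructed_cert(b"\x01\x02\x03\x04")
    rec = parse_tlsa(generate_tlsa(cert))
    print(generate_tlsa(cert))
    print("validated lookup:", dane_ee_verify([rec], True, cert))
    print("unsigned lookup: ", dane_ee_verify([rec], False, cert))
```

The `dnssec_validated` flag stands for the AD bit (or the validating resolver's status) on the TLSA lookup; with a real certificate, `generate_tlsa` applied to its DER gives the record text to publish, and a client that hashes the live certificate's SPKI with `association_data` and compares it to the validated record is doing exactly what DANE-over-DNS asks of it.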


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-09 Thread Adrian Zaugg


On 02.12.20 08:44, Ian Zimmerman wrote:
> Sorry, I feel contrarian today (and many other days too). So there:
> 
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

So, then use DANE.

The criticism of the CA design I share basically, but his comparison with
the TOFU of SSH misses the whole point of authenticating the server's
identity (...and comparing fingerprints just doesn't scale – at least he
could have mentioned SSHFP to get somewhere close).

Don't you guys run Linux? So the Linux Foundation and EFF is your
competitor? Na. And the cleartext communication with LE is signed btw.,
there is the DNS-01 challenge method, which can be secured by DNSSEC
asf.

The only option in his picture of the web is to use plaintext http
or https that does not make a distinction between self-signed and issued
certs. Is that any better? Does this guy understand what he writes
about? I get the impression this is mostly publicly shown narcissism and
false conclusions – me too, I feel contrarian.

Adrian.


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-02 Thread John Crisp via Dng
On Wed, 2 Dec 2020 15:03:22 +0100
Arnt Karlsen  wrote:


> ..how do the guys running Slackware and the *BSDs do this
> certbot thing, and how does it work with e.g. Tor?

Probably Dehydrated or a.n.other system


> ..meanwhile, I too lean towards Ian's contrarianism:
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml


That has plenty of criticisms - rightly - but no solutions.

You can't change anything without an alternative solution. Just saying
"I am not playing" doesn't cut it. And if businesses are getting
marked down for not being https, they'll go with whatever gives them
the best Gobble ranking.

I tend to believe the main thing was getting people off their own email
systems that Gobble couldn't read, and on to their cloud infra, which
they could.

To do that they needed to try and convince people they were the good
guys (we protect you from spying governments with https) whilst getting
themselves a nice big data store.

See some comments said by Paul Wouters on Libreswan lists as to Gobble
and their attitude towards VPNs, especially WRT the extremely
poor level of VPN encryption in Android.

"They expect you to use https, and not bother with VPNs"

As you rightly say, all for Gobble's benefit.

Shhhhhh - remember those days when they were the good guys?

I'm off to play Gopher :-)

-- 
John Crisp




Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-02 Thread John Crisp via Dng
On Wed, 2 Dec 2020 01:09:06 +0100
Bernard Rosset via Dng  wrote:

> Certbot has removed support of certbot-auto for Debian-based systems 
> (cf. 

Just use dehydrated. 

No systemd (the Devil) or snapd (son of the aforementioned Devil)
dependencies. Runs on pretty well anything. 

https://github.com/dehydrated-io/dehydrated

Why wouldn't you?





Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-02 Thread Arnt Karlsen
On Tue, 1 Dec 2020 20:35:16 -0600, o1bigtenor wrote in message:

> On Tue, Dec 1, 2020 at 6:09 PM Bernard Rosset via Dng
>  wrote:
> >
> > Certbot has removed support of certbot-auto for Debian-based systems
> > (cf.
> > https://github.com/certbot/certbot/blob/adacc4ab6dc63b024b17f0ec5adeb1adc9f93300/certbot-auto#L802).

..looks like we should thank them. :o)

> > Official instructions for Debian
> > (https://certbot.eff.org/lets-encrypt/debianbuster-other) tell to
> > use the snapd package (https://packages.debian.org/buster/snapd)...
> > which depends on systemd and has not been rebuilt separately for
> > Devuan yet.
> >
> > Is there any plan to do so?
> > I know making the list of repackaged packages grow is troublesome
> > for maintenance future-wise...
> >  
> 
> Greetings
> 
> I would suggest that you stay as far as you can from snapd!
> I spent about 8 months working on/with it and in the end was totally
> frustrated.
> After you install snapd - - - - -well canonical will upgrade anything
> AND everything on its schedule. You CANNOT change that! The longest
> file in the forum is individuals asking for an off switch for
> updates. You can push it to about 60 days with some serious tap
> dancing. I tried ALL the options given to stop the triggered updates
> - - - my machine responded by shutting down. So I didn't get the
> updates but the machine would shut itself off when it was time for
> upgrades. Then I tried to remove the shebang! I tried using $rm -r
> and still had 'crap' hanging around. Got real frustrated with that.
> Left the mess for about a year and then when I tried to restart the
> machine I couldn't get a complete reboot (even using secure boot for
> repair). So I was forced to replace the complete system - - - - a
> right royal pita.
> 
> The idea is good (lxd) but snapd - - - - that's toxic!

..I (dis)agree, to me, snapd looks more like an attempt to replace 
apt, yum etc packaging systems with pötterisms, rather than an
attempt to help the EFF automate encrypting the web with certbot:
https://github.com/snapcore/snapd
https://github.com/snapcore
https://snapcraft.io/docs
https://snapcraft.io/store

..so Tor is secure under snap?  Or, like under systemd?:
https://snapcraft.io/search?category=security

..about certbot:
https://certbot.eff.org/about/
https://certbot.eff.org/docs/intro.html
https://letsencrypt.org/
https://github.com/certbot/certbot

..how do the guys running Slackware and the *BSDs do this
certbot thing, and how does it work with e.g. Tor?

..meanwhile, I too lean towards Ian's contrarianism:
http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml



-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-01 Thread Ian Zimmerman
On 2020-12-02 01:09, Bernard Rosset via Dng wrote:

> Certbot has removed support of certbot-auto for Debian-based systems

Sorry, I feel contrarian today (and many other days too). So there:

http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

-- 
Ian


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-01 Thread o1bigtenor via Dng
On Tue, Dec 1, 2020 at 6:09 PM Bernard Rosset via Dng
 wrote:
>
> Certbot has removed support of certbot-auto for Debian-based systems
> (cf.
> https://github.com/certbot/certbot/blob/adacc4ab6dc63b024b17f0ec5adeb1adc9f93300/certbot-auto#L802).
>
> Official instructions for Debian
> (https://certbot.eff.org/lets-encrypt/debianbuster-other) tell to use
> the snapd package (https://packages.debian.org/buster/snapd)... which
> depends on systemd and has not been rebuilt separately for Devuan yet.
>
> Is there any plan to do so?
> I know making the list of repackaged packages grow is troublesome for
> maintenance future-wise...
>

Greetings

I would suggest that you stay as far as you can from snapd!
I spent about 8 months working on/with it and in the end was totally
frustrated.
After you install snapd - - - - -well canonical will upgrade anything AND
everything on its schedule. You CANNOT change that! The longest file in
the forum is individuals asking for an off switch for updates. You can push it
to about 60 days with some serious tap dancing.
I tried ALL the options given to stop the triggered updates - - - my machine
responded by shutting down. So I didn't get the updates but the machine
would shut itself off when it was time for upgrades.
Then I tried to remove the shebang! I tried using $rm -r and still had 'crap'
hanging around. Got real frustrated with that. Left the mess for about a
year and then when I tried to restart the machine I couldn't get a complete
reboot (even using secure boot for repair). So I was forced to replace the
complete system - - - - a right royal pita.

The idea is good (lxd) but snapd - - - - that's toxic!

HTH


Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-01 Thread wirelessduck--- via Dng

> On 2 Dec 2020, at 11:09, Bernard Rosset via Dng  wrote:
> 
> Certbot has removed support of certbot-auto for Debian-based systems (cf. 
> https://github.com/certbot/certbot/blob/adacc4ab6dc63b024b17f0ec5adeb1adc9f93300/certbot-auto#L802).
> 
> Official instructions for Debian 
> (https://certbot.eff.org/lets-encrypt/debianbuster-other) tell to use the 
> snapd package (https://packages.debian.org/buster/snapd)... which depends on 
> systemd and has not been rebuilt separately for Devuan yet.
> 
> Is there any plan to do so?
> I know making the list of repackaged packages grow is troublesome for 
> maintenance future-wise...
> 
> Cheers,
> Bernard (Beer) Rosset
> https://rosset.net

Have you tried just installing certbot via apt directly? It’s available in the 
repositories.

There are instructions on their website for Devuan Beowulf at
https://certbot.eff.org/lets-encrypt/devuanbeowulf-other


[DNG] snapd in Devuan? Dependency on systemd...

2020-12-01 Thread Bernard Rosset via Dng
Certbot has removed support of certbot-auto for Debian-based systems 
(cf. 
https://github.com/certbot/certbot/blob/adacc4ab6dc63b024b17f0ec5adeb1adc9f93300/certbot-auto#L802).


Official instructions for Debian 
(https://certbot.eff.org/lets-encrypt/debianbuster-other) tell to use 
the snapd package (https://packages.debian.org/buster/snapd)... which 
depends on systemd and has not been rebuilt separately for Devuan yet.


Is there any plan to do so?
I know making the list of repackaged packages grow is troublesome for 
maintenance future-wise...


Cheers,
Bernard (Beer) Rosset
https://rosset.net/