Re: [gentoo-dev] rfc: zsh completions -- optional or mandatory?

2015-03-27 Thread Ben de Groot
On 27 March 2015 at 00:51, William Hubbs  wrote:
> The other method is shown by dev-vcs/hub at least, and maybe several
> other packages -- e.g. unconditionally installing the completions
> according to our small files installation practice and not reflecting
> the rdepend on app-shells/zsh.

This is standard practice already (e.g. for systemd unit files and
bash completion files), so this should be followed for zsh completion
files as well.

-- 
Cheers,

Ben | yngwin
Gentoo developer



Re: [gentoo-dev] collab herd for cooperative pkg maintenance

2015-03-27 Thread Ciaran McCreesh
On Fri, 27 Mar 2015 22:14:04 +0100
Pacho Ramos  wrote:
> I would prefer 1M (well... if the developer is not able to even
> comment in bug reports in 1 month, maybe he should have at least a
> devaway message explaining how to deal with his/her packages if he is
> not able to reply so "soon") :/
> 
> Anyway, that is my personal opinion of course, maybe others would
> prefer 3M or similar :|

Why not have a forums poll?

-- 
Ciaran McCreesh




Re: [gentoo-dev] collab herd for cooperative pkg maintenance

2015-03-27 Thread Pacho Ramos
On Fri, 27-03-2015 at 21:03 +, Robin H. Johnson wrote:
> On Fri, Mar 27, 2015 at 09:45:25PM +0100, Pacho Ramos wrote:
> > On Wed, 25-03-2015 at 21:25 +, Robin H. Johnson wrote:
> > [...]
> > > - timeout:
> > >   this is how long we suggest you wait for the maintainer/team to
> > >   comment on your change.
> > >   Format should be a short duration specifier per ISO8601
> > >   I'd like to default it to 1 week: 'P1W'.
> > [...]
> > 
> > I would establish a maximum here to prevent people from "avoiding" any
> > changes by others setting, for example, the value to 1 year and, once
> > the issue is completely ignored, blaming on not following the
> > metadata.xml rules :|
> Ok, what's a reasonable max that doesn't block progress?
> P6M?
> 

I would prefer 1M (well... if the developer is not able to even comment
in bug reports in 1 month, maybe he should have at least a devaway
message explaining how to deal with his/her packages if he is not able
to reply so "soon") :/

Anyway, that is my personal opinion of course, maybe others would prefer
3M or similar :|




Re: [gentoo-dev] collab herd for cooperative pkg maintenance

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 09:45:25PM +0100, Pacho Ramos wrote:
> On Wed, 25-03-2015 at 21:25 +, Robin H. Johnson wrote:
> [...]
> > - timeout:
> >   this is how long we suggest you wait for the maintainer/team to
> >   comment on your change.
> >   Format should be a short duration specifier per ISO8601
> >   I'd like to default it to 1 week: 'P1W'.
> [...]
> 
> I would establish a maximum here to prevent people from "avoiding" any
> changes by others setting, for example, the value to 1 year and, once
> the issue is completely ignored, blaming on not following the
> metadata.xml rules :|
Ok, what's a reasonable max that doesn't block progress?
P6M?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] collab herd for cooperative pkg maintenance

2015-03-27 Thread Pacho Ramos
On Wed, 25-03-2015 at 21:25 +, Robin H. Johnson wrote:
[...]
> - timeout:
>   this is how long we suggest you wait for the maintainer/team to
>   comment on your change.
>   Format should be a short duration specifier per ISO8601
>   I'd like to default it to 1 week: 'P1W'.
[...]

I would establish a maximum here to prevent people from "avoiding" any
changes by others setting, for example, the value to 1 year and, once
the issue is completely ignored, blaming on not following the
metadata.xml rules :|




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Dirkjan Ochtman
On Fri, Mar 27, 2015 at 8:29 PM, Hanno Böck  wrote:
>> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.
>
> That's unfortunate, apache 2.2 is pretty outdated when it
> comes to tls security.

Please help with the blockers for 2.4 stabilization!

Cheers,

Dirkjan



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Rich Freeman
On Fri, Mar 27, 2015 at 3:15 PM, Diego Elio Pettenò
 wrote:
> On 27 March 2015 at 19:14, Rich Freeman  wrote:
>>
>> StartSSL in fact refuses to revoke certificates even when people
>> publish their private keys publicly.  If you buy a previously-used
>> domain you might want to make sure that there isn't a StartSSL
>> certificate floating around for it which is still valid...
>
> Uh? They don't do it for free, but they do revoke certificate if you pay for 
> it.
> xine-project.org has a revoked cert from last year due to heartbleed.

That was basically my point.  There aren't any free options which are
secure (that I'm aware of).  There are options which cost money which
are secure, including StartSSL.  It just annoys me when people trot
them out as an example of why SSL certificate costs aren't a problem.
You can debate whether not having secure free options matters or not,
but you can't argue that StartSSL is a secure free option.

-- 
Rich



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
> >"Certificates are too expensive"
> >Gentoo already has certs for all pages, so this is not an argument
> >here, but if this ever becomes an issue there are a number of CAs these
> >days that issue free certs. In summer the community based CA Let's
> >encrypt will start which will be another option.
> Or CAs which offer a "Cert Flatrate" for a small fee per year like 
> StartSSL.com
Please don't promote StartSSL with their excessive demands for personal
information:
https://www.startssl.com/?app=34
Passport AND (Drivers License or National ID)

To be able to issue certs from them, EACH person in an organization
needs to comply with that "Identity Validation", and the organization
validation is on top of that:
https://www.startssl.com/?app=35

How many people here would willingly send this level of detail to
somebody in a foreign country? Does your home country not have strict
regulations about who can keep a copy of this information (retaining
this information is mostly prohibited by my local laws).

We're with DigiCert instead, where only the organization was verified.
They also have a good API for generating certificates, which was
invaluable during the Heartbleed certificate switchover.

> >I think defaulting the net to HTTPS is a big step for more security and
> >I think Gentoo should join the trend here.
> ... DNSSEC with TLSA records comes to my mind
I proposed TLSA on the lists last year, and got very few takers.
DNSSEC has been in place for years already.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
On Fri, 27 Mar 2015 15:14:02 -0400
Rich Freeman  wrote:

> As has been pointed out, this is a moot issue for Gentoo.  However,
> I'm not aware of anybody who both offers a free certificate and will
> let you change your private key if it is compromised free of charge.

I think wosign does.
Haven't tested, but discussion on hacker news indicates revocation is
free [1].

And yes, the startssl behaviour regarding revocation is not good...


[1] https://news.ycombinator.com/item?id=8982013

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
On Fri, 27 Mar 2015 19:18:24 +
"Robin H. Johnson"  wrote:

> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Are you sure about this? Everything on wiki should always redirect to
> SSL very early.

Sure about what?
When I call the wiki page I currently get:
http://wiki.gentoo.org/wiki/Main_Page

Clicking on login will redirect to https, but at that point an attacker
is already able to change this link.

> Enabled for the following sites now (copied from cfengine commit):

Great. (However I don't see that yet live - server restart needed or is
there some deployment process that has to happen first?)

> > * Make sure all use modern HTTPS features, including:
> >  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

That's unfortunate, apache 2.2 is pretty outdated when it
comes to tls security.

> >  * A secure collection of cipher suites
> What's wrong with our present Ciphers?

Haven't checked them in detail, looks mostly fine. One issue: DH
ciphers with a small modulus (1024 bit). But that's unfixable within
apache 2.2, so same as above.

> > (On the long term I think it would also be good to have downloads
> > over https, but I'm aware that this is more difficult as it
> > involves mirror operators that are not under direct control of
> > gentoo infrastructure.)
> This is why we published signatures on as much as we can.

Yes, signatures are fine, but realistically they require manual
intervention and not everyone will do that. Defaulting to https is a
very usable way to make malicious downloads less likely. Signatures
should stay as an additional protection measure.

> Users behind firewalls that block HTTPS are now going to be blocked
> from Gentoo services.
> 
> Last time we proposed going HTTPS-by-default, there was complaint
> from users that were going to be locked out.

I would be very surprised if this is an issue any more.

These days pretty much all big players use https only (google,
facebook, twitter, github, ...). You can't really use the
mainstream internet if your firewall blocks https.

> We're still limited when it comes to services that need wildcards for
> the service. We have one such presently, and I hope we don't get more:
> Bugzilla, for attachments. (which are served at a different hostname
> that can't access your base bugzilla cookies even the attachment
> contains javascript that runs).

I have hopes that Let's encrypt will also allow free wildcards, but
that seems to be undecided yet.
But wildcards aren't super-expensive. One can e.g. get a validation by
startssl for an unlimited number of wildcards for a year, I don't
remember the exact price but it was in the 100-200$ range.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
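
Added example (not part of any message in this thread): the deployment states discussed above (plain HTTP that serves content, HTTPS by default without HSTS, HTTPS with HSTS, and an HTTPS site that falls back to HTTP) told apart from one plain-HTTP and one HTTPS response per host. The host names, the `Response` type and the verdict strings are assumptions, and the sample responses are constructed.

```python
"""Classify a site's HTTP/HTTPS deployment from two responses per host."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Status code and headers of one response (hypothetical helper type)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def redirect_scheme(self) -> Optional[str]:
        """Scheme of the Location target if this is a redirect, else None."""
        location = self.header("Location")
        if self.status in REDIRECTS and location:
            # A relative Location has no scheme and stays on the current one.
            return urlsplit(location).scheme.lower() or None
        return None


def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def classify(http_resp: Response, https_resp: Response) -> str:
    # HTTPS that sends the browser back to http:// undoes everything else.
    if https_resp.redirect_scheme() == "http":
        return "https-falls-back-to-http"
    # Plain HTTP answers with content: every link on that page, including the
    # link to an HTTPS login, crosses the network unauthenticated.
    if http_resp.redirect_scheme() != "https":
        return "http-served"
    # Browsers honour HSTS only when it arrives over HTTPS; max-age=0 clears it.
    if not hsts_max_age(https_resp.header("Strict-Transport-Security")):
        return "https-redirect-no-hsts"
    return "https-redirect-hsts"


# Constructed sample responses: (answer to http://host/, answer to https://host/).
SAMPLES: Dict[str, Tuple[Response, Response]] = {
    "content.example": (Response(200, {"Content-Type": "text/html"}),
                        Response(200)),
    "login.example": (Response(301, {"location": "https://login.example/"}),
                      Response(200)),
    "hsts.example": (Response(301, {"Location": "https://hsts.example/"}),
                     Response(200, {"Strict-Transport-Security":
                                    "max-age=31536000; includeSubDomains"})),
    "cleared.example": (Response(301, {"Location": "https://cleared.example/"}),
                        Response(200, {"strict-transport-security": "max-age=0"})),
    "forum.example": (Response(200),
                      Response(302, {"Location": "http://forum.example/"})),
}


def audit(samples: Dict[str, Tuple[Response, Response]]) -> Dict[str, str]:
    return {host: classify(*pair) for host, pair in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:20} {verdict}")
```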



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
Please read my one counter-argument below, as it's not one you refuted.

> Right now we seem to have a mix:
...
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to SSL very 
early.

> I'd propose the following:
> * Make all pages under .gentoo.org https by default
Enabled for the following sites now (copied from cfengine commit):
 files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf | 6 ++
 files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf | 6 ++
 14 files changed, 84 insertions(+)

> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

>  * HSTS
It's coming already, you can see it on security.gentoo.org.

>  * A secure collection of cipher suites
What's wrong with our present Ciphers?
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org
We have them configured per:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
Too risky at this point.

> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)
This is why we published signatures on as much as we can.

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo
services.

Last time we proposed going HTTPS-by-default, there was complaint from users
that were going to be locked out.

I've turned it on anyway now, and want them to come out of the woodwork to
refute you that we're ready for HTTPS-by-default.

> "Certificates are too expensive"
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.
We're still limited when it comes to services that need wildcards for the
service. We have one such presently, and I hope we don't get more:
Bugzilla, for attachments. (which are served at a different hostname that can't
access your base bugzilla cookies even the attachment contains javascript that
runs).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Diego Elio Pettenò
On 27 March 2015 at 19:14, Rich Freeman  wrote:
>
> StartSSL in fact refuses to revoke certificates even when people
> publish their private keys publicly.  If you buy a previously-used
> domain you might want to make sure that there isn't a StartSSL
> certificate floating around for it which is still valid...

Uh? They don't do it for free, but they do revoke certificate if you pay for it.
xine-project.org has a revoked cert from last year due to heartbleed.

Diego Elio Pettenò — Flameeyes
https://blog.flameeyes.eu/



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Rich Freeman
On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer  wrote:
> * Hanno Böck wrote on 27.03.15 at 15:33:
>>
>>
>> "Certificates are too expensive"
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
>
>
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com

As has been pointed out, this is a moot issue for Gentoo.  However,
I'm not aware of anybody who both offers a free certificate and will
let you change your private key if it is compromised free of charge.

StartSSL in fact refuses to revoke certificates even when people
publish their private keys publicly.  If you buy a previously-used
domain you might want to make sure that there isn't a StartSSL
certificate floating around for it which is still valid...

I don't think this has any bearing whatsoever on Gentoo, but it does
annoy me when people say that there are free cert options out there,
when the whole point of having a CA is security and the ones which are
both trusted and free have some pretty horrible security practices.

The current CA system is horribly broken, but not as broken as not
using SSL, or browsers which don't make you click 5 buttons every time
you visit a non-SSL website the way they do when you visit an SSL
website with an untrusted certificate.  :)

--
Rich



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Robin H. Johnson
On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote:
> > Right now we seem to have a mix:
> > * A number of webpages default to http and have optional https
> >   (www.gentoo.org)
> > * Some with sensitive logins are already https by default (e.g.
> >   bugs.gentoo.org), but they don't use hsts, which they should
> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Don't forget the forum (http://forums.gentoo.org/). Even if you connect
> to https://forums.gentoo.org/ it will always fall back to HTTP.
I can't reproduce this downgrade that you describe; please provide some
steps to show it?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Thomas D.
Hi,

Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.

+1


> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

Don't forget the forum (http://forums.gentoo.org/). Even if you connect
to https://forums.gentoo.org/ it will always fall back to HTTP.
Also all the mail notifications will send you to the HTTP version...


-Thomas




Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Dirkjan Ochtman
On Fri, Mar 27, 2015 at 3:33 PM, Hanno Böck  wrote:
> I'd propose the following:
> * Make all pages under .gentoo.org https by default
> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
>  * HSTS
>  * A secure collection of cipher suites
>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)

I'm with you!

Cheers,

Dirkjan



Re: [gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Marc Schiffbauer

TL;DR: Yes!

* Hanno Böck wrote on 27.03.15 at 15:33:
> Hi,
>
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
>
> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
>
> I'd propose the following:
> * Make all pages under .gentoo.org https by default
> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
>  * HSTS
>  * A secure collection of cipher suites

-> bettercrypto.org

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)

+1

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
>
> "It's not necessary to do https on pages without logins"
> These kinds of arguments show a fundamental misunderstanding of what
> https does. It guarantees confidentiality *and* integrity. In short, it
> protects content not only from observation, but also from manipulation,
> which is always a good thing. A very practical example is that on some
> networks foreign ads get injected into other people's webpages.

ack

> "Makes things slower / servers can't handle it"
> The performance costs for TLS on a server are often vastly overstated.
> The performance hit on servers doing https is very close to zero, it
> just doesn't matter much.
> There are some latency problems for connections, but these can mostly
> be wiped out by a sane configuration of the server. If http/2 is used
> one can even improve the performance with https.

And often a too slow /dev/random is the culprit which can be fixed
by using haveged.

> "Certificates are too expensive"
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.

Or CAs which offer a "Cert Flatrate" for a small fee per year like
StartSSL.com

> "CAs are bad and the whole system is broken"
> Partly true, but it doesn't get any better if people stick to HTTP.
> Many problems of the CA system can be mitigated by modern technologies
> like Key Pinning and Certificate Transparency.
>
> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.

... DNSSEC with TLSA records comes to my mind


--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134




[gentoo-dev] Should Gentoo do https by default?

2015-03-27 Thread Hanno Böck
Hi,

Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.

Right now we seem to have a mix:
* A number of webpages default to http and have optional https
  (www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
  bugs.gentoo.org), but they don't use hsts, which they should
* Some with logins are mixed http/login-via-https, which makes them
  vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
 * OCSP Stapling
 * HSTS
 * A secure collection of cipher suites
 * (one may add HPKP here, but it requires careful planning and has the
   potential to lock people out of the page if done wrong)
(On the long term I think it would also be good to have downloads over
https, but I'm aware that this is more difficult as it involves mirror
operators that are not under direct control of gentoo infrastructure.)

As I know these discussions, I'll already answer to some
counter-arguments that may come up:

"It's not necessary to do https on pages without logins"
These kinds of arguments show a fundamental misunderstanding of what
https does. It guarantees confidentiality *and* integrity. In short, it
protects content not only from observation, but also from manipulation,
which is always a good thing. A very practical example is that on some
networks foreign ads get injected into other people's webpages.

"Makes things slower / servers can't handle it"
The performance costs for TLS on a server are often vastly overstated.
The performance hit on servers doing https is very close to zero, it
just doesn't matter much.
There are some latency problems for connections, but these can mostly
be wiped out by a sane configuration of the server. If http/2 is used
one can even improve the performance with https.

"Certificates are too expensive"
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community based CA Let's
encrypt will start which will be another option.

"CAs are bad and the whole system is broken"
Partly true, but it doesn't get any better if people stick to HTTP.
Many problems of the CA system can be mitigated by modern technologies
like Key Pinning and Certificate Transparency.

I think defaulting the net to HTTPS is a big step for more security and
I think Gentoo should join the trend here.

cu,

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42