Re: [LAD] https for linuxaudio.org
On Sun, 26 Nov 2017 18:10:15 +0100, Ralf Mardorf wrote:
>[rocketmouse@archlinux ~]$ grep hkp luamd64_1610.sh
>key gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys FBB75451
>EFE21092

I won praise for a script that downloads Ubuntu desktop flavours and does
all the signed key procedure, but it was criticized that I used the short
key ID.

https://lists.ubuntu.com/archives/lubuntu-users/2017-November/011741.html
https://lists.ubuntu.com/archives/lubuntu-users/2017-November/011747.html

Tricky ;).

___
Linux-audio-dev mailing list
Linux-audio-dev@lists.linuxaudio.org
https://lists.linuxaudio.org/listinfo/linux-audio-dev
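Why the short IDs in the quoted script drew criticism: as an added illustration (not code from the thread), this Python derives a v4 fingerprint from a constructed, not real, RSA public-key packet laid out per RFC 4880 and shows that the short ID is just the last 32 bits of that fingerprint and the long ID the last 64.

```python
"""Derive the OpenPGP v4 fingerprint and the long and short key IDs.

Added example, not code from the thread. The key material below is
constructed, not a real key; the packet layout follows RFC 4880
sections 3.2 (MPI encoding) and 12.2 (v4 fingerprint): SHA-1 over the
byte 0x99, a two-byte body length and the public-key packet body.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """V4 RSA public-key packet body: version 4, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """160-bit v4 fingerprint as 40 upper-case hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fp: str) -> dict:
    """The long ID is the low 64 bits of the fingerprint, the short ID the low 32."""
    return {"fingerprint": fp, "long": fp[-16:], "short": fp[-8:]}


def id_strength(key_id: str) -> str:
    """Classify an identifier by how many fingerprint bits it actually pins."""
    digits = key_id[2:] if key_id.lower().startswith("0x") else key_id
    return {8: "short: 32 bits, collisions are cheap, do not pin on it",
            16: "long: 64 bits",
            40: "fingerprint: 160 bits, pin on this"}.get(len(digits), "unknown")


if __name__ == "__main__":
    # Constructed values: creation time and a placeholder modulus, not a real key.
    body = public_key_packet_body(1511712000, 2**2047 + 0x10001, 65537)
    ids = key_ids(fingerprint(body))
    for kind, value in ids.items():
        print(f"{kind:11} {value}  ->  {id_strength(value)}")
    # The short ID from the quoted script pins only 32 bits of a fingerprint.
    print("FBB75451 ->", id_strength("FBB75451"))
```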
Re: [LAD] https for linuxaudio.org
On Sun, 26 Nov 2017 16:57:12 +, Fons Adriaensen wrote:
>- which keyserver to use ?

In cases of doubt simply use keys.gnupg.net ;).

To get a key by alias or by scripts I'm using different key servers,
e.g. [1]. Aren't the servers synced? I guess it's just useful that
"Some famous LAD members sign" your key, not which server you use to
upload your key.

[1]
[rocketmouse@archlinux ~]$ grep hkp .bashrc
alias gkey='gpg --keyserver hkp://pgp.uni-mainz.de --recv-keys'
alias gkey2='gpg2 --keyserver hkp://keys.gnupg.net --recv-keys'
[rocketmouse@archlinux ~]$ grep hkp luamd64_1610.sh
key gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys FBB75451
EFE21092

--
$ pacman -Q linux{,-rt{,-cornflower,-pussytoes}}|awk '{print $2}'
4.14-2
4.13.13_rt5-1
4.11.12_rt16-1
4.14_rt1-1
Re: [LAD] https for linuxaudio.org
On Sun, Nov 26, 2017 at 04:51:53PM +0100, David Runge wrote:
> That is right. I am not sure, how many can be convinced in the near
> future. Asking is cheap, though, so would that work for you Fons? :)

So that would mean:

- I create a GPG key for signing zita-packages, and make it available
  on some keyserver.
- Some famous LAD members sign my key.
- I use gpg -b zita-zzz.tar.bz2 to generate a signature for each
  package and put it on my website.

I see no problem with this. Some questions:

- which keyserver to use ?
- use gpg -b or gpg -ab ?

Ciao,

--
FA

A world of exhaustive, reliable metadata would be an utopia. It's also
a pipe-dream, founded on self-delusion, nerd hubris and hysterically
inflated market opportunities. (Cory Doctorow)
Re: [LAD] https for linuxaudio.org
On Sun, 26 Nov 2017 16:51:53 +0100, David Runge wrote:
>> Not that much, since even when additionally using TOR, privacy isn't
>> ensured without exceptions,
>> https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting .
>That of course is also true and thanks for pointing it out.
>When writing, I was more thinking of subdomains hosting applications
>that require authentication (then seeing that e.g.
>{lists,wiki}.linuxaudio.org already facilitate letsencrypt certs).
>
>Of course, given the right tools and infrastructure, it gets
>increasingly harder to achieve some form of privacy.
>However, that's no reason not to aim for the maximum amount thereof.
>
>In any case (unless your ssl is broken) and however one wants to turn
>it: It is beneficial to implement https and I'm happy to hear it will
>be done.

Btw. when I asked to provide Ardour for Arch with the phone home option
disabled, as Debian and Ubuntu already did, it was not because I had
concerns regarding upstream. I've done this e.g. because activists use
Ardour and at the same time the TOR browser, without redirecting all
traffic through the onion. I'm pro every little step to grant more
privacy by default; https is one of those steps.

Actually ssl is much known to the masses for Heartbleed, not for
security, and it's kinda always in a broken state.

[rocketmouse@archlinux ~]$ arch-audit | grep ssl
Package openssl-1.0 is affected by CVE-2017-3736, CVE-2017-3735. Medium risk!

Ok, no output for openssl yet, just for openssl-1.0, however taking a
look at...

[rocketmouse@archlinux ~]$ pactree -r openssl-1.0
[snip]
[rocketmouse@archlinux ~]$ pactree -r openssl
[snip]

...we should take into consideration that ssl isn't the universal
salvation. But again, I agree with you, https is better than no https ;).

Regards,
Ralf
Re: [LAD] https for linuxaudio.org
Hey Ralf,

On 2017-11-21 06:44:27 (+0100), Ralf Mardorf wrote:
> for security reasons developers should consider to provide signed
> checksums, as fortunately e.g.
> https://www.kernel.org/category/signatures.html does. This was
> discussed at e.g. Arch general.

That is right. I am not sure, how many can be convinced in the near
future. Asking is cheap, though, so would that work for you Fons? :)

> Not that much, since even when additionally using TOR, privacy isn't
> ensured without exceptions,
> https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting .

That of course is also true and thanks for pointing it out.
When writing, I was more thinking of subdomains hosting applications
that require authentication (then seeing that e.g.
{lists,wiki}.linuxaudio.org already facilitate letsencrypt certs).

Of course, given the right tools and infrastructure, it gets
increasingly harder to achieve some form of privacy.
However, that's no reason not to aim for the maximum amount thereof.

In any case (unless your ssl is broken) and however one wants to turn
it: It is beneficial to implement https and I'm happy to hear it will
be done.

Best,
David

--
https://sleepmap.de
Re: [LAD] https for linuxaudio.org
Hey Jeremy,

thanks for getting back!

On 2017-11-21 12:44:41 (+0100), Jeremy Jongepier wrote:
> CPU is not a problem. Unless anybody has any objections I'll enable SSL
> for linuxaudio.org subdomains as soon as Let's Encrypt starts offering
> wildcard certificates, that way we can secure more services too and it
> makes maintenance a bit easier. That will be January 2018 but if LE
> can't deliver in due time I'll request separate certificates. There are
> some non-linuxaudio.org domains on the server too, I'll look at those too.

That is good news and I'm looking forward to it!

Note that letsencrypt certificates can easily be set up using SAN
(Subject Alternative Name), which gets around the need for a wildcard
certificate (unless you literally have hundreds of subdomains). So that
really shouldn't be a reason to wait.
Certbot indeed makes it easy to do these things, but you can of course
choose other ways to do the ACME response.

Thanks and greetings,
David

--
https://sleepmap.de
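The SAN-versus-wildcard point above, as an added example that is not part of the thread: this Python checks which of a set of service hostnames a certificate's SAN list actually covers, using constructed certificate dicts in the shape Python's `ssl` `getpeercert()` returns (not real linuxaudio.org certificates) and RFC 6125 wildcard matching, where `*.linuxaudio.org` covers one label only and not the bare domain.

```python
"""Check whether a certificate's SAN list covers a set of hostnames.

Added example, not code from the thread. The certificates below are
constructed dicts in the shape that ssl.SSLSocket.getpeercert() returns,
not real linuxaudio.org certificates. Matching follows RFC 6125: a
wildcard is only honoured as the whole leftmost label and matches
exactly one label, so "*.linuxaudio.org" does not cover "linuxaudio.org".
"""


def san_dns_names(cert: dict) -> list:
    """Extract the DNS entries from a getpeercert()-style subjectAltName tuple."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or '*.' standing in for exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, and every non-wildcard label must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered(cert: dict, hostnames: list) -> list:
    """Hostnames from the service list that no SAN entry covers."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


# Constructed sample: a SAN certificate listing the services explicitly.
SAN_CERT = {"subjectAltName": (("DNS", "linuxaudio.org"),
                               ("DNS", "lists.linuxaudio.org"),
                               ("DNS", "wiki.linuxaudio.org"))}
# Constructed sample: a wildcard certificate that lists only the wildcard.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.linuxaudio.org"),)}

SERVICES = ["linuxaudio.org", "lists.linuxaudio.org", "wiki.linuxaudio.org"]

if __name__ == "__main__":
    print("SAN cert misses:", uncovered(SAN_CERT, SERVICES))            # []
    print("wildcard cert misses:", uncovered(WILDCARD_CERT, SERVICES))  # ['linuxaudio.org']
```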