Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-03 Thread Damjan Georgievski via arch-general
On 3 July 2017 at 01:22, Eli Schwartz via arch-general wrote: > On 07/02/2017 07:01 PM, Ismael Bouya wrote: >> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud : >>> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, >>> anyone can MITM

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-03 Thread Ralf Mardorf
On Sun, 2 Jul 2017 22:39:37 +0200, NicoHood wrote: >I've checked the links and while those suggestions are a bit harsh, >they are still valid: > >* btrfs-progs can use stronger hashes. Hi, the subject doesn't mention that "btrfs-progs can use stronger hashes", the subject actually is "Sébastien

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Ismael Bouya
(Sun, Jul 02, 2017 at 07:22:23PM -0400) Eli Schwartz via arch-general : > Okay, this I am genuinely curious about. > > In what circumstances can I have: > - the systemd repository cloned over the git:// protocol > - an annotated tag for systemd v233 signed by Lennart Poettering. > - an annotated

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Eli Schwartz via arch-general
On 07/02/2017 07:01 PM, Ismael Bouya wrote: > (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud : >> But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, >> anyone can MITM for the good of their life. >> Unless they can fake the signature (Hint; they can't), or trick

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Ismael Bouya
(Mon, Jul 03, 2017 at 01:06:04AM +0200) Morten Linderud : > At this point we can't trust the trusted users to build and verify the > correct packages, let alone maintain a safe infrastructure to build > packages. This is a slippery slope, and I really fucking hope this > isn't a serious issue any

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Morten Linderud
On Mon, Jul 03, 2017 at 01:01:35AM +0200, Ismael Bouya wrote: > (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud : > > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, > > anyone can MITM for the good of their life. > > Unless they can fake the signature (Hint; they

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Ismael Bouya
(Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud : > But HTTPS doesn't matter here. We have a trusted signer in the PKGBUILD, > anyone can MITM for the good of their life. > Unless they can fake the signature (Hint; they can't), or trick Lennart into > signing something he shouldn't (Hint;

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Morten Linderud
On Mon, Jul 03, 2017 at 12:25:22AM +0200, NicoHood wrote: > On 07/03/2017 12:21 AM, Morten Linderud wrote: > > On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote: > >> On 07/03/2017 12:07 AM, Morten Linderud wrote: > >>> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: > Yes

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread NicoHood
On 07/03/2017 12:21 AM, Morten Linderud wrote: > On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote: >> On 07/03/2017 12:07 AM, Morten Linderud wrote: >>> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: Yes the GPG signature of the tag commit is checked. However you can

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Morten Linderud
On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote: > On 07/03/2017 12:07 AM, Morten Linderud wrote: > > On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: > >> Yes the GPG signature of the tag commit is checked. However you can > >> attack the git metadata and set a tag to a

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread NicoHood
On 07/03/2017 12:07 AM, Morten Linderud wrote: > On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: >> Yes the GPG signature of the tag commit is checked. However you can >> attack the git metadata and set a tag to a different commit. If this >> commit is signed, but at an older stage which

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Morten Linderud
On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: > Yes the GPG signature of the tag commit is checked. However you can > attack the git metadata and set a tag to a different commit. If this > commit is signed, but at an older stage which is vulnerable, we have an > issue. Just one

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Martin Kühne via arch-general
I stand corrected which leaves only part of my last sentence. Thanks for the detailed heads-up, everyone, especially Eli. On Sun, Jul 2, 2017 at 11:05 PM, Martin Kühne wrote: > we'll have to decide how we can deal with content like this in a way > that tells the source to go

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread NicoHood
On 07/02/2017 11:38 PM, Eli Schwartz wrote: > Let's make this clear: None of these claims are true! At all! Not even > one of them! You just say it's not true, but that is wrong. I've written a statement for every link he pointed out in which way it is valid or not. > You have grabbed the troll

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Eli Schwartz via arch-general
... so, apparently, people are determined to actually fall for this clown. I was initially going to send this off-list, but I'd just like to shut down these claims fast before people start falling for it. We already had two people fall for it, people whose opinions I am not generally inclined to

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread NicoHood
On 07/02/2017 11:05 PM, Martin Kühne via arch-general wrote: > On Sun, Jul 2, 2017 at 10:39 PM, NicoHood wrote: >> So why are we so resistant against those suggestions? Those are good and >> valid, no matter who this guy is and how he interacts with people. From >> the

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Martin Kühne via arch-general
On Sun, Jul 2, 2017 at 10:39 PM, NicoHood wrote: > So why are we so resistant against those suggestions? Those are good and > valid, no matter who this guy is and how he interacts with people. From > the technical point of view he is right. And we all should care for our >

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread NicoHood
On 07/02/2017 10:18 PM, Eli Schwartz via arch-general wrote: > On 07/02/2017 04:12 PM, User via arch-general wrote: >> Sébastien Luttringer, >> https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs=959539e1f7df15986f336bb03225ea796a44ca3e >> , >>

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Ralf Mardorf
On Sun, 2 Jul 2017 16:18:23 -0400, Eli Schwartz via arch-general wrote: >So basically, you are confirming you are fnodeuser? IMO it's better not to reply to her/him and instead to inform arch-general-ow...@archlinux.org , just in case it wasn't already noticed.

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Eli Schwartz via arch-general
On 07/02/2017 04:21 PM, G. Schlisio wrote: > Oh, please don't feed the troll… it's exactly what he's aiming for. I thought it was important that everyone know exactly who they are dealing with (because he has a lot of history here and has now progressed to hiding his name/handle). Otherwise I

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread G. Schlisio
Am 02.07.2017 um 22:18 schrieb Eli Schwartz via arch-general: > On 07/02/2017 04:12 PM, User via arch-general wrote: >> Sébastien Luttringer, >> https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs=959539e1f7df15986f336bb03225ea796a44ca3e >> , >>

Re: [arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread Eli Schwartz via arch-general
On 07/02/2017 04:12 PM, User via arch-general wrote: > Sébastien Luttringer, > https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs=959539e1f7df15986f336bb03225ea796a44ca3e > , > https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/sha256sums.asc, >

[arch-general] Sébastien Luttringer and Tobias Powalowski

2017-07-02 Thread User via arch-general
Sébastien Luttringer, https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/btrfs-progs=959539e1f7df15986f336bb03225ea796a44ca3e , https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/sha256sums.asc,