Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-06 Thread Lukas Fleischer
On Mon, 28 Nov 2016 at 07:33:16, Baptiste Jonglez wrote: > I would like to apply to become a TU. Lukas Fleischer has kindly accepted > to sponsor my application. > [...] > Don't hesitate if you have any questions, or comments on my AUR packages! The discussion period is over. Please cast your vot

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-02 Thread Johannes Löthberg via aur-general
On 02/12, Giancarlo Razzolini wrote: On December 2, 2016 11:18, NicoHood wrote: The signature itself is only a signed hash (sha256). So we do rely on the collision resistance of sha256[1] (or whatever the GPG itself uses). You are right, that hashes themselves are not enough to verify that th

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-02 Thread Giancarlo Razzolini
On December 2, 2016 11:18, NicoHood wrote: The signature itself is only a signed hash (sha256). So we do rely on the collision resistance of sha256[1] (or whatever the GPG itself uses). You are right, that hashes themselves are not enough to verify that the original author provided this source

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-02 Thread NicoHood
>> >> Besides this issue, I already mentioned another drawback of using HTTPS: >> untrusted certificates (either expired, self-signed, or just signed by an >> untrusted CA) will cause build failure. This was a real issue for >> OpenWRT, so they switched to using --no-check-certificate in 2010 [1]

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-02 Thread Giancarlo Razzolini
On December 1, 2016 20:37, Baptiste Jonglez wrote: You almost sound like I'm opposing all forms of "security" (whatever you mean by that). Of course we should promote the use of TLS and HTTPS on the Internet, even though the trust model is flawed and implementations are bloated/bugged. I do

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-01 Thread Baptiste Jonglez
Hi Nicohood, On Thu, Dec 01, 2016 at 04:23:27PM +0100, NicoHood wrote: > you do not need to move the packages as fast as possible into > community. I became TU month ago and arduino is still not in community > because some issues needed to be solved first. So quality and security > is more importa

Re: [aur-general] TU Application: Baptiste Jonglez

2016-12-01 Thread NicoHood
On 11/29/2016 12:08 PM, Levente Polyak wrote: > On 11/29/2016 11:33 AM, Baptiste Jonglez wrote: >> For a package in [community], an expired certificate for the upstream >> tarball is not a big deal, since it does not directly affect the Arch user >> installing the package. As a packager, you can

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-30 Thread Christian Rebischke
On Wed, Nov 30, 2016 at 11:38:56PM +0100, Baptiste Jonglez wrote: > 1) Would linux-mptcp [1] have its place in [community]? From what I read >about linux-zen and linux-grsec [2], there does not seem to be strong >objections, especially since most (or even all?) third-party kernel >modu

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-30 Thread Baptiste Jonglez
On Tue, Nov 29, 2016 at 08:11:39PM +0100, Lukas Fleischer wrote: > I confirm that I sponsor Baptiste. > > I have worked with him several times in the past; among other things he > contributed several patches to calcurse back in 2012 [1]. He is > knowledgable and I think he will be a great addition

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Lukas Fleischer
On Mon, 28 Nov 2016 at 07:33:16, Baptiste Jonglez wrote: > I would like to apply to become a TU. Lukas Fleischer has kindly accepted > to sponsor my application. I confirm that I sponsor Baptiste. I have worked with him several times in the past; among other things he contributed several patches

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Doug Newgard
On Tue, 29 Nov 2016 12:08:39 +0100 Levente Polyak wrote: > On 11/29/2016 11:33 AM, Baptiste Jonglez wrote: > > For a package in [community], an expired certificate for the upstream > > tarball is not a big deal, since it does not directly affect the Arch user > > installing the package. As a pac

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Eli Schwartz via aur-general
On 11/28/2016 06:29 PM, Baptiste Jonglez wrote: > On the other hand, if one day the TLS certificate becomes invalid (expired > certificate, untrusted CA, etc), the package would fail to build. I see > this as a significant drawback of using git+https://. When you say drawback, are you referring t

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread georg
Well, I actually withdraw this sentence, the discussion period is pretty much about discussing :P technically the discussion period has not even begun, since there was no confirmation of sponsorship yet. g

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Levente Polyak
On November 29, 2016 12:08:39 PM GMT+01:00, Levente Polyak wrote: >Fine, if you were already aware of the outcome, why this useless waste >of time to discuss it yet again. Well, I actually withdraw this sentence, the discussion period is pretty much about discussing :P Cheers, Levente

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Levente Polyak
On 11/29/2016 11:33 AM, Baptiste Jonglez wrote: > For a package in [community], an expired certificate for the upstream > tarball is not a big deal, since it does not directly affect the Arch user > installing the package. As a packager, you can just get the tarball by > some other means, or wait

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-29 Thread Baptiste Jonglez
On Tue, Nov 29, 2016 at 01:04:47AM +0100, Levente Polyak wrote: > On 11/29/2016 12:29 AM, Baptiste Jonglez wrote: > >> - you should use git+https:// instead of plain git:// even though the > >> CA world is a bit wonky it still authenticates the server and at the > >> very bare minimum adds con

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Levente Polyak
On 11/29/2016 12:29 AM, Baptiste Jonglez wrote: >> - you should use git+https:// instead of plain git:// even though the >> CA world is a bit wonky it still authenticates the server and at the >> very bare minimum adds confidentiality. > > I don't like the "everything-over-HTTP(S)" approach i

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Baptiste Jonglez
Hi, On Mon, Nov 28, 2016 at 12:20:40PM +0100, Levente Polyak wrote: > > Don't hesitate if you have any questions, or comments on my AUR packages! > > Sure, I always take a look at all packages of an applicant and suggest > changes before I decide how to vote... so here we go :P Yes, I was expect

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Eli Schwartz via aur-general
On 11/28/2016 11:26 AM, Levente Polyak wrote: > When using a commit hash you gain basically two things out of the box: > - get aware if wonky upstream changes something > - get an integrity value that a potential attacker must defeat, which > not be the easiest task for a full commit hash (for a

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Levente Polyak
On 11/28/2016 05:05 PM, Eli Schwartz via aur-general wrote: > On 11/28/2016 06:20 AM, Levente Polyak wrote: >> - #tag= should never be used for git packages, instead store the commit >> hash for the tag and always use the #tag= prefix. > > Typo? > uuups, you caught me :P My bad! Of course this

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Eli Schwartz via aur-general
On 11/28/2016 06:20 AM, Levente Polyak wrote: > linux-mptcp > - you should use git+https:// instead of plain git:// even though the > CA world is a bit wonky it still authenticates the server and at the > very bare minimum adds confidentiality. Now that you mention it, this does seem rather o

Re: [aur-general] TU Application: Baptiste Jonglez

2016-11-28 Thread Levente Polyak
Hi Baptiste, > > Don't hesitate if you have any questions, or comments on my AUR packages! > Sure, I always take a look at all packages of an applicant and suggest changes before I decide how to vote... so here we go :P Excuse me if I copy-paste some blocks, it's just simpler doing so :) ring-d

[aur-general] TU Application: Baptiste Jonglez

2016-11-27 Thread Baptiste Jonglez
Hello, I would like to apply to become a TU. Lukas Fleischer has kindly accepted to sponsor my application. I am currently a PhD student in France, doing research on networking. I am also involved in several projects, in particular DIY ISPs [1], the FDN Federation in France [2], OpenWRT/LEDE [3