> - I would not be able to include the new crypto features in the package
>anyway due to US export laws.
No, the US version contains no crypto code.
> (Debian packages are binary only, and
Both the source and binary US versions of mirrordir contain no crypto
code.
>FTP connectivity is

Paul Sheer wrote:
>I remember someone was maintaining the debian release of this software
>(although then, it did not support encryption). Please get the latest
>version from:
> ftp://lava.obsidian.co.za/pub/mirrordir/US/
I maintain the Debian package of mirrordir. The last version I
packa

Wichert wrote:
> Previously Paul Sheer wrote:
> > Also: there is no GPL secure shell (as far as I know).
>
> But people are working on that. From what I hear it's on the verge of
> becoming useable. Don't ask me about the name, I always forget it.
MIT Kerberos (4 and 5) is open source and provide

On Sun, 24 Jan 1999, Wichert Akkerman wrote:
> Previously Paul Sheer wrote:
> > Also: there is no GPL secure shell (as far as I know).
>
> But people are working on that. From what I hear it's on the verge of
> becoming useable. Don't ask me about the name, I always forget it.
It's called psst.

Previously Paul Sheer wrote:
> Also: there is no GPL secure shell (as far as I know).
But people are working on that. From what I hear it's on the verge of
becoming useable. Don't ask me about the name, I always forget it.
Wichert.
--

On Sat, 23 Jan 1999, Bear Giles wrote:
> > It supports strong encryption but is exportable from
> > the US because it does not have encryption compiled in by default. Instead
> > it downloads the scripts it needs from South Africa when it runs for the
> > first time.
>
> This is *extremely* risk

Bear Giles <[EMAIL PROTECTED]> wrote:
> The problem isn't in *producing* a package, it's in *acquiring* that
> package later. What happens if someone successfully attacks a site
> immediately before you mirror it?
What happens if someone replaces a PGP signature?
Answer: people notice.
[Conside

> Bear Giles <[EMAIL PROTECTED]> wrote:
> > But you're biting your own tail here. Where do you get that "good"
> > checksum?
>
> Any place which is acceptable to the package maintainer -- perhaps out
> of a pgp signed archive.
Remember, the start of this discussion was an (FTP) mirroring program

Bear Giles <[EMAIL PROTECTED]> wrote:
> But you're biting your own tail here. Where do you get that "good"
> checksum?
Any place which is acceptable to the package maintainer -- perhaps out
of a pgp signed archive.
If the package maintainer can't produce a trustable package, it
doesn't matter ho

> Bear Giles <[EMAIL PROTECTED]> wrote:
> > The only thing resilient to compromised servers are cryptographically
> > signed cryptographic checksums. Which requires PGP. Which is not
> > exportable. And which requires a "chain of trust" to evaluate
> > whether to trust the key used to sign the

Bear Giles <[EMAIL PROTECTED]> wrote:
> The only thing resilient to compromised servers are cryptographically
> signed cryptographic checksums. Which requires PGP. Which is not
> exportable. And which requires a "chain of trust" to evaluate
> whether to trust the key used to sign the checksum.

> It supports strong encryption but is exportable from
> the US because it does not have encryption compiled in by default. Instead
> it downloads the scripts it needs from South Africa when it runs for the
> first time.
This is *extremely* risky behavior.
FTP and HTTP sites *are* compromised.