Thomas Koch writes ("Debian dev-machine best practice? was: keybase.io"):
> I'm planning to improve my paranoia once I become a DD. [...]
>
> I'm longing for linux containers to become usable for noobs like me. Then I
> could move untrusted applications from vi
Thomas Koch writes:
> I'm planning to improve my paranoia once I become a DD. For now I run
> Debian stable + backports exclusively on the machine having my private
> key. Everything else runs in a virtual machine with xpra[1] for X. I
> don't use Skype.
How good is the performance of this for
On Fri, 2014-04-25 at 11:07 +0200, Thomas Koch wrote:
> Hi,
>
> I'm planning to improve my paranoia once I become a DD. For now I run Debian
> stable + backports exclusively on the machine having my private key.
> Everything else runs in a virtual machine with xpra[1] for X. I don't use
> Skype
Hi,
I'm planning to improve my paranoia once I become a DD. For now I run Debian
stable + backports exclusively on the machine having my private key.
Everything else runs in a virtual machine with xpra[1] for X. I don't use
Skype.
[1] xpra package in Debian
I'm longing for linux containers to
Hello,
On Sat, 5 Apr 2014 09:50:23 +0200
Jakub Wilk wrote:
> >My point was this attack vector (nonfree code running on the same
> >machine as your OpenPGP key) taken to its absolute extreme (wine,
> >dropboxd) is still *not* grounds for automated removal from the
> >keyring.
> It's a popula
u do with
> it besides just existing on the graph?
I'm using keybase.io in the same way I use:
* pgp.mit.edu
* keyring.debian.org
* pgp.cs.uu.nl
None of those sites have a copy of my private key. My private key
resides offline at an encrypted storage on a trusted location.
Problem
]] Enrico Zini
> [3] Anyway, there is no activity LED for the microphone. Can I have a
> panel applet thingie which shows if some process is reading from a
> microphone or webcam device?
Use a physically separate microphone, either a headset or something like
http://www.yamaha.com/produc
On Fri, Apr 04, 2014 at 07:27:36PM -0400, Paul R. Tagliamonte wrote:
> This is true of the dropbox daemon too. Are we to throw out DDs with
> dropboxd installed?
Yes, please. We have too many apologists for non-free software
as it is.
--
To UNSUBSCRIBE, email to debian-project-requ...@lists.de
* Enrico Zini , 2014-04-05, 11:40:
+1 russ.
This is true of the dropbox daemon too. Are we to throw out DDs with
dropboxd installed? Wine?
...skype, steam, flashplugin-nonfree[1].
Code git-cloned without checking signatures on tags[2] or doing some
auditing[3].
Random cool vim plugins git
On Sat, Apr 05, 2014 at 12:45:53PM -0700, Russ Allbery wrote:
> If someone would write up a good step-by-step guide for how to isolate
> one's web browser in a VM running on the same host, so that you can still
> get reasonable display performance but have a real separation boundary
> between the
Enrico Zini writes:
> ssh -X or -Y to a remote host, then run X apps.
Which requires that host allow remote logins, which creates a different
sort of security issue. Also, tunneling a web browser over X is an
unbelievably painful experience.
> I've recently got worried about common practices I
> On 5 Apr 2014, at 00:18, Gunnar Wolf wrote:
>
> Well, please enlighten me here: Without fully auditing the Javascript
> code you are using to do the crypto client-side, can you *really* be
> certain your private half has not travelled to Keybase?
The client side crypto stuff can't be done wi
* Enrico Zini , 2014-04-05, 11:40:
ssh -X or -Y to a remote host, then run X apps.
For your convenience, Debian OpenSSH client sets ForwardX11Trusted to yes
by default, making -X and -Y synonymous.
--
Jakub Wilk
On Fri, Apr 04, 2014 at 07:27:36PM -0400, Paul R. Tagliamonte wrote:
> +1 russ.
> This is true of the dropbox daemon too. Are we to throw out DDs with dropboxd
> installed? Wine?
...skype, steam, flashplugin-nonfree[1].
Code git-cloned without checking signatures on tags[2] or doing some
auditin
* Paul Tagliamonte , 2014-04-04, 20:15:
My point was this attack vector (nonfree code running on the same
machine as your OpenPGP key) taken to its absolute extreme (wine,
dropboxd) is still *not* grounds for automated removal from the
keyring.
It's a popular misconception that the only purp
g and decrypting), since they looked safe and
> sane (and paste the results back in a form.
I had not noticed that was an option. I've also examined these commands,
decided they looked sane and pasted the output back into the form.
> > Firstly, there are 2 parts to the client side code
On Fri, Apr 04, 2014 at 08:56:50PM -0600, Gunnar Wolf wrote:
> Right. However, I guess that most uses of the app (other than sending
> a message saying "yes I'm here, this is me") will require pasting the
> key. Or not? Keybase users, please enlighten me: What do you do with
> it besides just exist
Russ Allbery said [Fri, Apr 04, 2014 at 04:23:03PM -0700]:
> > Well, please enlighten me here: Without fully auditing the Javascript
> > code you are using to do the crypto client-side, can you *really* be
> > certain your private half has not travelled to Keybase?
>
> If Javascript running in a b
earsigning and decrypting), since they looked safe and
sane (and paste the results back in a form.
> Firstly, there are 2 parts to the client side code from keybase.io, as
> far as I'm aware[0]. The first is they have an in browser implementation
> which requires your GPG private key
, if I spot any key
> > > > that's both in any of the Debian keyrings and in keybase.io, I will
> > > > proceed as if the key had been lost or compromised and immediately
> > > > remove it from our keyring.
> > >
> > > No, s
+1 russ.
This is true of the dropbox daemon too. Are we to throw out DDs with
dropboxd installed? Wine?
On Apr 4, 2014 7:23 PM, "Russ Allbery" wrote:
> Gunnar Wolf writes:
>
> > Urgh...
>
> > Well, please enlighten me here: Without fully auditing the Javascript
> > code you are using to do the
Gunnar Wolf writes:
> Urgh...
> Well, please enlighten me here: Without fully auditing the Javascript
> code you are using to do the crypto client-side, can you *really* be
> certain your private half has not travelled to Keybase?
If Javascript running in a browser has access to your GPG secret
Jonathan McDowell said [Fri, Apr 04, 2014 at 10:35:41PM +0100]:
> > > To be clear, if I spot any key
> > > that's both in any of the Debian keyrings and in keybase.io, I will
> > > proceed as if the key had been lost or compromised and immediately
> > >
On Fri, Apr 04, 2014 at 05:26:40PM -0400, Paul Tagliamonte wrote:
> On Fri, Apr 04, 2014 at 03:24:27PM -0600, Gunnar Wolf wrote:
> > Right, I strongly agree with Luca here.
>
> I do too
Likewise.
> > To be clear, if I spot any key
> > that's both in any of the D
Jonathan Dowland said [Fri, Apr 04, 2014 at 02:50:01PM +0100]:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
As this thread was started at debian-private,
On Fri, Apr 04, 2014 at 03:24:27PM -0600, Gunnar Wolf wrote:
> Right, I strongly agree with Luca here.
I do too
> To be clear, if I spot any key
> that's both in any of the Debian keyrings and in keybase.io, I will
> proceed as if the key had been lost or compromised and immedi
spot any key
that's both in any of the Debian keyrings and in keybase.io, I will
proceed as if the key had been lost or compromised and immediately
remove it from our keyring.
Not that I will be checking for it (for now, at least). Not that I
have even talked about it within the team. But I s
On Friday, 04.04.2014, at 16:33 +0200, Tobias Frost wrote:
>
> Also, some reading suggestion:
> https://github.com/keybase/keybase-issues/issues/489
Sorry, just realized I pasted the wrong link.
I meant this one:
http://blog.lrdesign.com/2014/03/thoughts-on-keybase-io/
On Fri, Apr 04, 2014 at 04:33:18PM +0200, Tobias Frost wrote:
> Well, this "thing" raises several red flags just by reading "upload ...
> private key". This alone smells very wrong, because I'm of the opinion a
> private key must never leave my (trusted) system
More than that, it's good practice to
On Friday, 04.04.2014, at 14:50 +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
Well, this "thing" raises
On Fri, Apr 04, 2014 at 02:50:01PM +0100, Jonathan Dowland wrote:
> keybase.io is a thing. This thing lets you, amongst other things, upload a
> copy of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.
FWIU, the client-side encryption is javascript
keybase.io is a thing. This thing lets you, amongst other things, upload a copy
of your PGP private key to their servers. This is client-side encrypted.
Discuss.
32 matches