Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Habs
On Thu, 23 Aug 2018, Erik Hanson wrote: On 8/23/18 5:59 PM, t...@airmail.cc wrote: So, one can verify the authenticity of the SlackBuild script, but the authenticity of the source tarball itself used by the aforementioned script is uncertain? If that's the case then why would one bother with ve

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Erik Hanson
On 8/23/18 5:59 PM, t...@airmail.cc wrote: > So, one can verify the authenticity of the SlackBuild script, but the > authenticity of the source tarball itself used by the aforementioned > script is uncertain? If that's the case then why would one bother with > verifying authenticity at all? (Somet

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Richard Ellis via SlackBuilds-users
On Fri, Aug 24, 2018 at 01:59:59AM +0300, t...@airmail.cc wrote: > >What are all of those .asc files in the repository? > > > >Those files are GPG signatures. They can be used to verify that the > >SlackBuild script tarball is exactly the one that we placed on the site. > > So, one can verify the

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Brenton Earl
On Fri, 2018-08-24 at 01:59 +0300, t...@airmail.cc wrote: > > > > Each SlackBuild archive is signed by the SBo devs, so any > > > > modifications on the server (or in-between) would fail > > > > subsequent > > > > verification. In that case it's the GPG signature that you > > > > trust to > > > > v

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread thyr
Each SlackBuild archive is signed by the SBo devs, so any modifications on the server (or in-between) would fail subsequent verification. In that case it's the GPG signature that you trust to verify the .info file contents (and all the rest of the SlackBuild stuff), not the MD5 sum or whatever els

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Gabriel Diaz
Hello, I think this is not a big deal; changing to another hash function should be easy enough. But I also think slackbuilds should stay away from the security discussion. Providing a secure distribution channel is in the hands of the code owner only. If the source is already weak there is no en

Re: [Slackbuilds-users] Metacharacters in package names

2018-08-23 Thread Didier Spaier
On 08/23/2018 12:34 PM, B Watson wrote: > So, plus, hyphen, and underscore are the only non-alphanumeric characters > Pat uses. And they're 7-bit ASCII only. Those should be our rules, > too. I'd even go so far as to say we should stick to that even if Pat > changes his rules (because Pat doesn't h

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread Richard Ellis via SlackBuilds-users
On Thu, Aug 23, 2018 at 01:45:44AM -0400, T3 slider wrote: > On Wed, Aug 22, 2018, 11:15 PM David O'Shaughnessy wrote: > > > For an attacker to change the upstream source archive without > > changing the MD5 requires a 2nd preimage attack, which as far as > > I understand is not computationally f

Re: [Slackbuilds-users] Metacharacters in package names

2018-08-23 Thread B Watson
On 8/23/18, Didier Spaier wrote: > > Anyway, the '+' character is used in names of packages shipped in Slackware: > biff+comsat-0.17-x86_64-1 > dvd+rw-tools-7.1-x86_64-2 > gcc-g++-5.5.0-x86_64-1_slack14.2 > gtk+-1.2.10-x86_64-5 > gtk+2-2.24.31-x86_64-1_slack14.2 > gtk+3-3.18.9-x86_64-1 > libcdio-p

Re: [Slackbuilds-users] Metacharacters in package names

2018-08-23 Thread Didier Spaier
On 08/23/2018 08:33 AM, Chris Abela wrote: > My intention was to solicit your reconsideration on the inclusion of > metacharacters in package names. They are a nuisance, ugly and they break > things. Which characters are acceptable? Would you also accept white spaces > and semi-colons? Let's di

Re: [Slackbuilds-users] MD5 hash sums

2018-08-23 Thread David O'Shaughnessy
On 08/23/2018 03:45 PM, T3 slider wrote: > The download files do not necessarily have to be tar archives, and in > some cases (generally those with multiple download files and therefore > multiple checksums), individual files can be included for download. > Intentional PDF collisions have been arou