Re: [dev] dl.suckless.org file integrity github project
On 24 August 2017 at 00:45, hiro <23h...@gmail.com> wrote:
> Any responsible suckless person should not download Aaron's software.
> I cannot guarantee it's not ransomware!
> But I also made a github and my checksums and signatures are certified
> by the German cybersecurity department of the TüV. My githab is called
> honestachmet. Please add me to your linkedin.

Actually the plan is to use HonestAchmed as our trusted CA for the upcoming TLS introduction on suckless.org ;)

BR,
Anselm
[dev] Question about arg.h
I'm currently familiarizing myself with various pieces of suckless code. One thing keeps bothering me, though: What is EARGF() and ARGF() shorthand for? I can more or less tell what they do, but the best I can come up with is "Error arg flag" and "Arg flag", respectively.

Hopefully someone can scratch that itch for me :).

Dan
[dev] less(1) replacement?
Is the suckless project packing a replacement to my favorite pager, less(1)? Or is the advice to just use something like screen or tmux? I don't really want to bother installing and learning those when `less` meets my needs perfectly.

As far as I can tell, there isn't. But I could have missed something, given how many unrelated results `suckless "less"` pulls up :)

--
- fao_
PGP fingerprint: 739B 6C5C 3DE1 33FA
"Too enough is always not much!"
Re: [dev] dl.suckless.org file integrity github project
Any responsible suckless person should not download Aaron's software. I cannot guarantee it's not ransomware! But I also made a github and my checksums and signatures are certified by the German cybersecurity department of the TüV. My githab is called honestachmet. Please add me to your linkedin.
Re: [dev] dl.suckless.org file integrity github project
Mattias Andrée wrote:
> * An alternative to signature files is to sign the tags in Git, and those
> that care enough could pull releases from git instead.

That is a nice idea. It doesn't require any extra signature/checksum file cruft on the webserver. It can easily be made optional and is in the maintainer's hands if he wants to provide the signatures or not (with his own key).

--Markus
Re: [dev] dl.suckless.org file integrity github project
On Wed, 23 Aug 2017 22:29:17 +0200 Markus Teich wrote:
> Mattias Andrée wrote:
> > If the server's authenticity can be proven with HTTPS,
> > what additional security do PGP signatures provide?
>
> Some people trust persons they know more than they trust random corporations
> with questionable security policies. Other people think PGP sucks. I don't know
> which group has the majority in the suckless community, thus I asked for a
> gentle vote by flamewar.
>
> I count myself to the PGP proponents, but have to admit that I might be too
> lazy to check the PGP signatures myself.
>
> --Markus

In general PGP is good (of course, cryptography inherently sucks, but that's something we have to live with), but it's just a hassle when it comes to software packages. There are a few things to take into consideration when deciding what to do here:

* The number of people that actually know the developers of an individual package is negligible, so there isn't actually anyone that the users can trust.
* It's probably easier to trust the developers than suckless itself.
* If a user verifies that there is no history of malice up to a signed release, the user can to some extent trust the developer, and the developer's signature can be used to verify that no one else on suckless caused the server to upload a malicious version.
* An alternative to signature files is to sign the tags in Git, and those that care enough could pull releases from git instead.
* Signature files allow all developers, not just the owner, to sign the release.
* If signature files are added, people will probably make packages in repositories, such as the AUR, check the signature, which can be a burden on the users, who must add the developer's key to the keyring or disable signature checks.
* If someone with root access to the suckless servers wants to replace a release, he can serve the genuine version of the site to everyone who has connected to the server previously, and serve a malicious version to new visitors, and have the PGP keys changed.
* If a developer publishes a release, only root and that developer should be able to replace the release.
* So do PGP keys actually add any security if we have HTTPS, or do they just give a false sense of security?
Re: [dev] dl.suckless.org file integrity github project
Mattias Andrée wrote:
> If the server's authenticity can be proven with HTTPS,
> what additional security do PGP signatures provide?

Some people trust persons they know more than they trust random corporations with questionable security policies. Other people think PGP sucks. I don't know which group has the majority in the suckless community, thus I asked for a gentle vote by flamewar.

I count myself to the PGP proponents, but have to admit that I might be too lazy to check the PGP signatures myself.

--Markus
Re: [dev] dl.suckless.org file integrity github project
On Wed, 23 Aug 2017 22:03:41 +0200 Markus Teich wrote:
> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory, yesterday I've added
> > SHA256 checksums.
> >
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> > MD5: http://dl.suckless.org/dwm/md5sums.txt
> >
> > HTTPs will be coming in a few weeks when some things are sorted. Maybe in the
> > future we can also add PGP signed releases.
>
> Heyho,
>
> I don't see the benefit of checksums without signatures. We already kind of have
> transmission integrity by IP for release downloads or by git. We really need
> https, but PGP is probably controversial enough to be discussed. Maybe we have
> some time for that at the hackathon, but that would exclude people who cannot
> attend.
>
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
>
> --Markus

If the server's authenticity can be proven with HTTPS, what additional security do PGP signatures provide?
Re: [dev] dl.suckless.org file integrity github project
Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
>
> For example:
> SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> MD5: http://dl.suckless.org/dwm/md5sums.txt
>
> HTTPs will be coming in a few weeks when some things are sorted. Maybe in the
> future we can also add PGP signed releases.

Heyho,

I don't see the benefit of checksums without signatures. We already kind of have transmission integrity by IP for release downloads or by git. We really need https, but PGP is probably controversial enough to be discussed. Maybe we have some time for that at the hackathon, but that would exclude people who cannot attend.

Thus, start flaming your highly valued opinions about PGP-signing releases to the list nao! ;P

--Markus
Re: [dev] dl.suckless.org file integrity github project
On Wed, Aug 23, 2017 at 08:21:45PM +0200, Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
>
> For example:
> SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> MD5: http://dl.suckless.org/dwm/md5sums.txt

Sweet!

> Please don't use an external github for this, it sucks.

I don't have access to the dl.suckless.org server, otherwise I would have just added them there. This is an alternative approach, and millions of people turn to Github for software. Thankfully, all you need is a git(1) client, and you can clone the repository locally, and never interact with the web interface, if you don't want to. :)

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
Re: [dev] dl.suckless.org file integrity github project
On Wed, Aug 23, 2017 at 12:04:46PM -0600, Aaron Toponce wrote:
> I noticed most software available on http://dl.suckless.org does not provide
> checksums and digital signatures for the compressed tarballs, and other files.
> I sought to remedy this, by creating a Github repository of only checksums and
> digital signatures. It's available at:
>
> https://github.com/atoponce/dl.suckless.org
>
> Ultimately, it would be best if these were hosted on dl.suckless.org directly,
> but I figured I could help by hosting them here until they can get deployed.
> This is to help ensure that you have downloaded all the correct bits for both
> the software and the checksum.
>
> Hopefully, this is of some value to the community and suckless users, such as
> myself.
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o

Hi,

Checksums are available in each project directory, yesterday I've added SHA256 checksums.

For example:
SHA256: http://dl.suckless.org/dwm/sha256sums.txt
SHA1: http://dl.suckless.org/dwm/sha1sums.txt
MD5: http://dl.suckless.org/dwm/md5sums.txt

HTTPs will be coming in a few weeks when some things are sorted. Maybe in the future we can also add PGP signed releases.

Please don't use an external github for this, it sucks.

--
Kind regards,
Hiltjo
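The checksum files listed above are in the usual sha256sum(1) output format. The following is an added example (not code from the thread or from suckless) of checking downloads against such a file; the sample sums text and tarball bytes are constructed, and the comments carry Markus's caveat that an unsigned sums file served from the same plain-HTTP host only catches corruption, not substitution.

```python
"""Check downloads against a sums file in sha256sum(1) format (sha256sums.txt).
Format assumed: "<hexdigest>  <filename>" per line ('*' before the name = binary).
A sums file served by the same plain-HTTP host as the tarball only catches
corruption: whoever can swap the tarball can regenerate it, so this is no
substitute for TLS or a signature."""
import hashlib
import hmac
import re

_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def parse_sums(text):
    """Return {filename: hexdigest}; a malformed line raises ValueError."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed sums line %d: %r" % (lineno, line))
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify(sums_text, downloads, algo="sha256"):
    """Per file (name -> bytes): "OK", "FAILED" (mismatch) or "UNLISTED".
    A digest whose length does not fit `algo` (e.g. md5sums.txt passed as
    sha256) is an error, not a silent mismatch."""
    expected = parse_sums(sums_text)
    want_len = hashlib.new(algo).digest_size * 2
    result = {}
    for name, data in downloads.items():
        want = expected.get(name)
        if want is None:
            result[name] = "UNLISTED"
            continue
        if len(want) != want_len:
            raise ValueError("%s: digest length does not match %s" % (name, algo))
        got = hashlib.new(algo, data).hexdigest()
        result[name] = "OK" if hmac.compare_digest(got, want) else "FAILED"
    return result


# Constructed sample data (not real releases): intact, tampered, and unlisted.
GOOD = b"constructed tarball bytes for good-1.0\n"
SAMPLE_SUMS = "%s  good-1.0.tar.gz\n%s *bad-1.0.tar.gz\n" % (
    hashlib.sha256(GOOD).hexdigest(), hashlib.sha256(b"original bad-1.0").hexdigest())
SAMPLE_DOWNLOADS = {"good-1.0.tar.gz": GOOD, "bad-1.0.tar.gz": b"tampered bad-1.0",
                    "extra-1.0.tar.gz": b"not listed at all"}
```

An "UNLISTED" result should be treated like a failure: a file the sums file does not cover has not been checked at all.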
[dev] dl.suckless.org file integrity github project
I noticed most software available on http://dl.suckless.org does not provide checksums and digital signatures for the compressed tarballs, and other files. I sought to remedy this, by creating a Github repository of only checksums and digital signatures. It's available at:

https://github.com/atoponce/dl.suckless.org

Ultimately, it would be best if these were hosted on dl.suckless.org directly, but I figured I could help by hosting them here until they can get deployed. This is to help ensure that you have downloaded all the correct bits for both the software and the checksum.

Hopefully, this is of some value to the community and suckless users, such as myself.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
[dev] Re: st, spurious character in paste?
David Phillips:
> Sounds to me like you are accidentally rolling your scroll wheel

net.wisdom wins again. Thanks for the insight! I'm already running keynav, so pasting from there takes care of the issue.

Thanks again,
Andy
Re: [dev] st, spurious character in paste?
And even if that isn't the issue, I think you'll find your process to be faster if you bind a key in vim to "xclip -o".

On Wed, Aug 23, 2017, at 06:04, David Phillips wrote:
> Sounds to me like you are accidentally rolling your scroll wheel.
>
> Thanks
> David
>
Re: [dev] st, spurious character in paste?
Sounds to me like you are accidentally rolling your scroll wheel.

Thanks
David