Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Anselm R Garbe
On 24 August 2017 at 00:45, hiro <23h...@gmail.com> wrote:
> Any responsible suckless person should not download Aaron's software.
> I cannot guarantee it's not ransomware!
> But I also made a github and my checksums and signatures are certified
> by the German cybersecurity department of the TüV. My githab is called
> honestachmet. Please add me to your linkedin.

Actually the plan is to use HonestAchmed as our trusted CA for the
upcoming TLS introduction on suckless.org ;)

BR,
Anselm



[dev] Question about arg.h

2017-08-23 Thread Daniel Xu
I'm currently familiarizing myself with various pieces of suckless code.
One thing keeps bothering me, though:

What are EARGF() and ARGF() shorthand for? I can more or less tell what
they do, but the best I can come up with is "Error arg flag" and "Arg
flag", respectively.

Hopefully someone can scratch that itch for me :).

Dan



[dev] less(1) replacement?

2017-08-23 Thread fao_

Is the suckless project packing a replacement to my favorite pager,
less(1)? Or is the advice to just use something like screen or tmux? I
don't really want to bother installing and learning those when `less`
meets my needs perfectly.

As far as I can tell, there isn't. But I could have missed something,
given how many unrelated results `suckless "less"` pulls up :)

--
- fao_
PGP fingerprint: 739B 6C5C 3DE1 33FA
"Too enough is always not much!"



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread hiro
Any responsible suckless person should not download Aaron's software.
I cannot guarantee it's not ransomware!
But I also made a github and my checksums and signatures are certified
by the German cybersecurity department of the TüV. My githab is called
honestachmet. Please add me to your linkedin.



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Markus Teich
Mattias Andrée wrote:
> * An alternative to signature files is to sign the tags in Git, and those
>   that care enough could pull releases from git instead.

That is a nice idea. It doesn't require any extra signature/checksum file cruft
on the webserver. It can easily be made optional and is in the maintainers
hands if he wants to provide the signatures or not (with his own key).

--Markus



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Mattias Andrée
On Wed, 23 Aug 2017 22:29:17 +0200
Markus Teich  wrote:

> Mattias Andrée wrote:
> > If the server's authenticity can be proven with HTTPS,
> > what additional security do PGP signatures provide?  
> 
> Some people trust persons they know more than they trust random corporations
> with questionable security policies. Other people think PGP sucks. I don't know
> which group has the majority in the suckless community, thus I asked for a
> gentle vote by flamewar.
> 
> I count myself among the PGP proponents, but have to admit that I might be too
> lazy to check the PGP signatures myself.
> 
> --Markus
> 

In general PGP is good (of course, cryptography inherently sucks, but that's
something we have to live with), but it's just a hassle when it comes to
software packages.

There are a few things to take into consideration when deciding what to do here:

* The number of people that actually know the developers of an individual
  package is negligible, so there isn't actually anyone that the users can
  trust.

* It's probably easier to trust the developers than suckless itself.

* If a user verifies that there is no history of malice up to a signed
  release, the user can to some extent trust the developer, and the
  developer's signature can be used to verify that no one else on suckless
  caused the server to upload a malicious version.

* An alternative to signature files is to sign the tags in Git, and those
  that care enough could pull releases from git instead.

* Signature files allow all developers, not just the owner, to sign the
  release.

* If signature files are added, people will probably make packages in
  repositories, such as the AUR, check the signature which can be a burden
  on the users which must add the developer's key to the keyring or disable
  signature checks.

* If someone with root access to the suckless servers wants to replace a
  release, he can serve the genuine version of the site to everyone who has
  connected to the server previously, serve a malicious version to new
  visitors, and have the PGP keys changed.

* If a developer publishes a release, only root and that developer should
  be able to replace the release.

* So do PGP keys actually add any security if we have HTTPS, or do they just
  give a false sense of security?



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Markus Teich
Mattias Andrée wrote:
> If the server's authenticity can be proven with HTTPS,
> what additional security do PGP signatures provide?

Some people trust persons they know more than they trust random corporations
with questionable security policies. Other people think PGP sucks. I don't know
which group has the majority in the suckless community, thus I asked for a
gentle vote by flamewar.

I count myself among the PGP proponents, but have to admit that I might be too
lazy to check the PGP signatures myself.

--Markus



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Mattias Andrée
On Wed, 23 Aug 2017 22:03:41 +0200
Markus Teich  wrote:

> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory, yesterday I've added
> > SHA256 checksums.
> > 
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1:   http://dl.suckless.org/dwm/sha1sums.txt
> > MD5:http://dl.suckless.org/dwm/md5sums.txt
> > 
> > HTTPS will be coming in a few weeks when some things are sorted. Maybe in the
> > future we can also add PGP signed releases.  
> 
> Heyho,
> 
> I don't see the benefit of checksums without signatures. We already kind of have
> transmission integrity by IP for release downloads or by git. We really need
> https, but PGP is probably controversial enough to be discussed. Maybe we have
> some time for that at the hackathon, but that would exclude people who cannot
> attend.
> 
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
> 
> --Markus
> 

If the server's authenticity can be proven with HTTPS,
what additional security do PGP signatures provide?




Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Markus Teich
Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
> 
> For example:
>   SHA256: http://dl.suckless.org/dwm/sha256sums.txt
>   SHA1:   http://dl.suckless.org/dwm/sha1sums.txt
>   MD5:http://dl.suckless.org/dwm/md5sums.txt
> 
> HTTPS will be coming in a few weeks when some things are sorted. Maybe in the
> future we can also add PGP signed releases.

Heyho,

I don't see the benefit of checksums without signatures. We already kind of have
transmission integrity by IP for release downloads or by git. We really need
https, but PGP is probably controversial enough to be discussed. Maybe we have
some time for that at the hackathon, but that would exclude people who cannot
attend.

Thus, start flaming your highly valued opinions about PGP-signing releases to
the list nao! ;P

--Markus
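An added example, not suckless code and not from anyone on this thread, of what a file like sha256sums.txt does and does not protect against. It assumes the file uses the two-column `<sha256>  <filename>` layout that sha256sum(1) writes, and instead of downloading anything it builds a constructed "tarball" and sums file in a temporary directory (the name example-1.0.tar.gz is made up). The third scenario is the case Markus and Mattias raise: whoever can write to the server, or sit between you and it over plain HTTP, regenerates the sums file along with the tarball, and the checksum still passes.

```shell
#!/bin/sh
# Added example, not part of suckless or of any message in this thread.
# Verifies a release tarball against a sha256sums.txt-style file and walks
# through four constructed scenarios to show what the check does prove.
set -eu

# Print the SHA-256 of a file, using GNU sha256sum or, failing that, shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release TARBALL SUMSFILE
# Exit status: 0 = hash matches the entry for TARBALL's basename,
#              1 = mismatch, 2 = no entry for that name in SUMSFILE.
# Assumes the "<hash>  <name>" layout sha256sum(1) writes; a leading '*'
# (binary-mode marker) on the name is tolerated.
verify_release() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$tarball")
    [ "$actual" = "$expected" ]
}

# Constructed release (not a real tarball) plus a matching sums file.
NAME=example-1.0.tar.gz   # hypothetical file name, not a real release
make_release() {
    printf 'constructed release contents\n' > "$1/$NAME"
    regen_sums "$1"
}
regen_sums() {
    printf '%s  %s\n' "$(sha256_of "$1/$NAME")" "$NAME" > "$1/sha256sums.txt"
}

# Build a release in a scratch directory, let TAMPER_FN modify it, then run
# verify_release and return its status so callers can inspect it.
run_scenario() {
    d=$(mktemp -d)
    make_release "$d"
    "$1" "$d"
    if verify_release "$d/$NAME" "$d/sha256sums.txt"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return "$rc"
}

untouched()            { :; }                                   # honest mirror
replace_tarball_only() { printf 'trojan\n' >> "$1/$NAME"; }     # on-path tampering, sums file untouched
replace_both()         { printf 'trojan\n' >> "$1/$NAME"; regen_sums "$1"; }  # write access to the server
drop_entry()           { : > "$1/sha256sums.txt"; }             # sums file lists nothing

scenario_genuine()          { run_scenario untouched; }            # 0: passes
scenario_tampered_tarball() { run_scenario replace_tarball_only; } # 1: caught
scenario_tampered_both()    { run_scenario replace_both; }         # 0: NOT caught
scenario_missing_entry()    { run_scenario drop_entry; }           # 2: nothing to check

if [ "${1:-}" = "demo" ]; then
    for s in scenario_genuine scenario_tampered_tarball scenario_tampered_both scenario_missing_entry; do
        if $s; then rc=0; else rc=$?; fi
        printf '%-26s exit %d\n' "$s" "$rc"
    done
fi
```

Run it as `sh verify.sh demo` to see the four exit codes. With GNU coreutils, `sha256sum -c --ignore-missing sha256sums.txt` performs the same comparison as `verify_release` for every file you have downloaded; what neither can do is tell a sums file the maintainer wrote from one an attacker regenerated, which is exactly the gap a detached PGP signature or a signed git tag is meant to fill.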



Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Aaron Toponce
On Wed, Aug 23, 2017 at 08:21:45PM +0200, Hiltjo Posthuma wrote:
> Checksums are available in each project directory, yesterday I've added
> SHA256 checksums.
> 
> For example:
>   SHA256: http://dl.suckless.org/dwm/sha256sums.txt
>   SHA1:   http://dl.suckless.org/dwm/sha1sums.txt
>   MD5:http://dl.suckless.org/dwm/md5sums.txt

Sweet!

> Please don't use an external github for this, it sucks.

I don't have access to the dl.suckless.org server, otherwise I would have just
added them there. This is an alternative approach, and millions of people turn
to Github for software.

Thankfully, all you need is a git(1) client, and you can clone the repository
locally, and never interact with the web interface, if you don't want to. :)

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: [dev] dl.suckless.org file integrity github project

2017-08-23 Thread Hiltjo Posthuma
On Wed, Aug 23, 2017 at 12:04:46PM -0600, Aaron Toponce wrote:
> I noticed most software available on http://dl.suckless.org does not provide
> checksums and digital signatures for the compressed tarballs, and other files.
> I sought to remedy this, by creating a Github repository of only checksums and
> digital signatures. It's available at:
> 
> https://github.com/atoponce/dl.suckless.org
> 
> Ultimately, it would be best if these were hosted on dl.suckless.org directly,
> but I figured I could help by hosting them here until they can get deployed.
> This is to help ensure that you have downloaded all the correct bits for both
> the software and the checksum.
> 
> Hopefully, this is of some value to the community and suckless users, such as
> myself.
> 
> -- 
> . o .   o . o   . . o   o . .   . o .
> . . o   . o o   o . o   . o o   . . o
> o o o   . o .   . o o   o o .   o o o

Hi,

Checksums are available in each project directory, yesterday I've added
SHA256 checksums.

For example:
SHA256: http://dl.suckless.org/dwm/sha256sums.txt
SHA1:   http://dl.suckless.org/dwm/sha1sums.txt
MD5:http://dl.suckless.org/dwm/md5sums.txt

HTTPS will be coming in a few weeks when some things are sorted. Maybe in the
future we can also add PGP signed releases.

Please don't use an external github for this, it sucks.

-- 
Kind regards,
Hiltjo




[dev] dl.suckless.org file integrity github project

2017-08-23 Thread Aaron Toponce
I noticed most software available on http://dl.suckless.org does not provide
checksums and digital signatures for the compressed tarballs, and other files.
I sought to remedy this, by creating a Github repository of only checksums and
digital signatures. It's available at:

https://github.com/atoponce/dl.suckless.org

Ultimately, it would be best if these were hosted on dl.suckless.org directly,
but I figured I could help by hosting them here until they can get deployed.
This is to help ensure that you have downloaded all the correct bits for both
the software and the checksum.

Hopefully, this is of some value to the community and suckless users, such as
myself.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




[dev] Re: st, spurious character in paste?

2017-08-23 Thread Andy Valencia
David Phillips :
> Sounds to me like you are accidentally rolling your scroll wheel

net.wisdom wins again.  Thanks for the insight!

I'm already running keynav, so pasting from there takes care of the issue.

Thanks again,
Andy



Re: [dev] st, spurious character in paste?

2017-08-23 Thread Thomas Levine
And even if that isn't the issue, I think you will find your process to be
faster if you bind a key in vim to "xclip -o".

On Wed, Aug 23, 2017, at 06:04, David Phillips wrote:
> Sounds to me like you are accidentally rolling your scroll wheel.
> 
> Thanks
> David
> 



Re: [dev] st, spurious character in paste?

2017-08-23 Thread David Phillips
Sounds to me like you are accidentally rolling your scroll wheel.

Thanks
David