On 170226-14:32-0600, R0b0t1 wrote:
> On Sun, Feb 26, 2017 at 5:00 AM, Miroslav Rovis
> <miro.ro...@croatiafidelis.hr> wrote:
> > On 170225-21:34-0600, R0b0t1 wrote:
> >> On Saturday, February 25, 2017, Miroslav Rovis
> >> <miro.ro...@croatiafidelis.hr>
> >> wrote:
> >> >
> >> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
> > ...
> >> ...
> >> Aside:
> >> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html
> >
> > Too technical for me. Too little learning gain for too much mumbo-jumbo
> > noise, at this
> > stage of my understanding of crypto, for me.
>
> My apologies. The useful part of the link is really the title. It
> explains how, if you *do* successfully break a given key, you have
> necessarily broken millions of them - you are just unsure if they are
> currently in use. The wise option is then to record every key
> combination you brute force in the hope that someone will start using
> it in the future.

I did figure that much out. But all of it useful... for true
cryptographers. It's so appealing, but so distant yet (or forever, where
can one find the time to learn that much?).

> >
> > But, when we talk crypto being broken, I can help thinking of other

I meant:
But, when we talk crypto being broken, I can't help thinking of other
( ... can't ... )

> > threats to Gentoo and other FOSS GNU Linux that I fear are perfectly
> > feasible (for the resourceful subjects)

( And also, the Message-ID given in my email can only be found by
subscribers to the gentoo-dev mailing list, not the gentoo-user ML. )

> > Gentoo distro is increasingly served the insecure way, IMO, that is: via
> > git, without the repositories being, for end users, PGP-verifiable.
> >
> > And via a new private big business, the Github. Giving over all users to
> > big Github brother.
> >
> > And, in the transition all the history got lost. Git started remembering
> > only from 2015.
> >
> > I have asked a question about getting the git-served repository verifiable
> > for end users, but I didn't get any replies:
> >
>
> This is something I was concerned about myself, especially since the
> bare git protocol that most users access the repository from, even if
> it is the repository hosted by the Gentoo Foundation, is insecure. Git
> access via SSH or HTTPS *is* secure but is not implemented - I'm not
> sure why, as they've purchased a "real" certificate and the Git
> subdomain may already be covered by it.
>

And there's even no need to purchase certs any more. LetsEncrypt
certificates are free in both some GNU/GNU-compatible way, and the
free-of-charge way.
But a repository can also really be verifiable only if it is PGP-signed
(or signed in some other crypto-verifiable way). So HTTPS alone does not
do it.

> Well, maybe someone will notice this message. Or not.
>
> R0b0t1.
>

I hope so too. Because it's depressing how large swathes of FOSS are
getting under the control of big business and, to some extent, very minor
here, but not negligible, actually covertly privatized...

I can't help but remind ( I wrote about it in:
GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)
https://lists.gt.net/gentoo/user/321797
Message-ID: <20170111205529.GB28353@g0n.xdwgrp>
) how big dirty stingy Schmoogle the Schmoog treats Gentoo, which it
uses for its CoreOS

[[ the important thing there to find is the link to:
Gentoo Foundation, background and status report
Robin Johnson
https://youtu.be/S3bmXVbxMgE
and if a reader doesn't get to the same conclusion about the Schmoog
that I arrived at, then the reader might be missing something ]]

Ah, as far as distribution verifiability goes, I guess the emerge-webrsync
and PGP-signed portage trees functionality needs to be kept forever, then...

Thanks for replying!

( BTW, about the link, in the first email, to my message to the secure-os
ML, one of the secure-os folks kindly confirmed, but in a private
message, that they were considering my email... )

Sad how this topic, or the other linked in my first mail, to the
gentoo-dev ML, didn't attract more discussion...

It can't be too late to fix these issues...

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
signature.asc
Description: Digital signature
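The two points the message above makes about git-served repositories, that the bare git:// transport does not authenticate the server and that only a PGP signature makes the tree itself verifiable, can be turned into a quick static check of a Portage repos.conf. The script below is an added example written for this archive page; it is not code from the thread, from Gentoo or from Portage. It assumes the repos.conf keys Portage documents (sync-type, sync-uri, and sync-git-verify-commit-signature, a real Portage option the thread itself never mentions), and the configuration text, host names and paths it parses are constructed for the example, not taken from any real system.

```python
"""Audit Portage repos.conf entries for unauthenticated git syncing.

Added example, not code from the Gentoo project or from the thread.
It flags two weaknesses the thread describes: a sync URI whose transport
does not authenticate the server (git://, http://), and a git-synced
repository that never checks commit signatures after syncing.
"""
import configparser
from urllib.parse import urlsplit

# Transports that authenticate the remote end (TLS or SSH host keys).
AUTHENTICATED_SCHEMES = {"https", "ssh", "git+ssh"}

# Constructed sample config: one weak git entry, one hardened git entry,
# and an rsync entry that this audit deliberately leaves alone.
SAMPLE_REPOS_CONF = """
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = git://git.example.org/repo/gentoo.git
auto-sync = yes

[gentoo-verified]
location = /var/db/repos/gentoo-verified
sync-type = git
sync-uri = https://git.example.org/repo/gentoo.git
sync-git-verify-commit-signature = yes
auto-sync = yes

[local-rsync]
location = /var/db/repos/local
sync-type = rsync
sync-uri = rsync://rsync.example.org/gentoo-portage
"""


def transport_scheme(uri):
    """Return the URI scheme, treating scp-style 'user@host:path' as ssh."""
    scheme = urlsplit(uri).scheme.lower()
    if not scheme and "@" in uri and ":" in uri:
        return "ssh"
    return scheme


def audit_repos_conf(text):
    """Return {repo_name: [finding, ...]} for every git-synced repository.

    An empty finding list means the entry is authenticated in transit and
    asks Portage to verify the top commit's signature after each sync.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for name in parser.sections():
        section = parser[name]
        if section.get("sync-type") != "git":
            continue  # only the git sync path is audited here
        problems = []
        scheme = transport_scheme(section.get("sync-uri", ""))
        if scheme not in AUTHENTICATED_SCHEMES:
            problems.append(
                f"sync-uri uses '{scheme or 'unknown'}' transport; "
                "the server is not authenticated"
            )
        # getboolean understands yes/no/true/false; missing key counts as 'no'.
        if not section.getboolean("sync-git-verify-commit-signature",
                                  fallback=False):
            problems.append("commit signatures are not verified after sync")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repos_conf(SAMPLE_REPOS_CONF).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{repo}: {status}")
```

The check is a static review of the configuration only: a repository that passes it still depends on the signing key being pinned locally and on the sync tool actually refusing unsigned or badly signed commits, which is exactly the end-user verifiability the message asks for.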