Apologies for my not being able to reply sooner!

On 170227-18:18+0300, Andrew Savchenko wrote:
> On Sun, 26 Feb 2017 12:00:50 +0100 Miroslav Rovis wrote:
> 
> > But when we talk about crypto being broken,
> 
> Git is not in the immediate threat due to SHA1 collision being
> practical. See Linux blog about this:
> 
>   https://plus.google.com/+LinusTorvalds/posts/7tp2gYWQugL
Will read it. (it's 02:00 past midnight CET)

> Note that git devs are working on moving to a more secure hash
> function.
Good to hear!

> Also note that git can handle several files in the repo with the
> same hash function. While this doesn't protect from the possible
> repo forgery, it protects from accidental file collision where
> subversion fails badly:
> https://www.bleepingcomputer.com/news/security/sha1-collision-attack-makes-its-first-victim-subversion-repositories/
Pretty sad! 
> I do not want to offend subversion devs, but they haven't even
> considered the possibility that a hash function may collide. Huge
> blunder on their side.
> 
> > I can't help thinking of other
> > threats to Gentoo and other FOSS GNU Linux that I fear are perfectly
> > feasible (for the resourceful subjects)
> > 
> > Gentoo distro is increasingly served the insecure way, IMO, that is: via
> > git, without the repositories being, for end users, PGP-verifiable.
> 
> It is verifiable for end users, but not in an easy way. You can
> either use web rsync or verify git commits yourself using gnupg and
> gkeys.
I'll try and do that. I have been trying to figure it out, a few times
already, but I would always get lost in the volume of new stuff to
digest... Will need more time to do it.

However I am already using signed portage snapshots via emerge-webrsync,
and I use a local mirror. I am pretty safe, but on obsolete technology.

> > And via a new private big business, the Github. Giving over all users to 
> > big Github brother.
> 
> ???
> Github is entirely optional and is only for those who want to use it
> (we have both users and devs willing to do so), but in no way anyone
> demands its usage.
Yeah! Still, it would be great if git was used in a distributed way, and
not from a central private business...

> If you want to have sync-friendly git repo, Gentoo infra provides
> one for you:
> https://gitweb.gentoo.org/repo/sync/gentoo.git/
Harder to use than Github. Github is foolproof, extremely easy for
newbies, compared to any other git server. The reason for their
success...

> > And, in the transition all the history got lost. Git started remembering
> > only from 2015.
> 
> No, it isn't. Full historical git repo is available:
> https://gitweb.gentoo.org/repo/gentoo/historical.git/
Great to know! Sorry for wrong claims that I made.

> One may use git graft to join historical and actual repo together.
Which is advanced usage for me at this stage.

> > I have asked a question about getting git-served repository verifiable 
> > for end users, but I didn't get any replies:
> 
> Do not forget that all devs are volunteers.
I know that. Always keep that in mind.

> User-transparent
> GnuPG tree verification is indeed important. You can help!
If I get that savvy in git/portage/other I will... That time is still
distant yet, I'm afraid.

> Join gkeys project, get in touch with infra, discuss what needs to be
> done.
I'll look gkeys up...
> Don't just rattle about how insecure data is provided,
You're right.
> help to make it secure! (And as I showed above, the actual state is not that
> bad and some options are already available.)
I'm busy figuring out how to deploy virtualization on my sans-dbus system,
and have spent months on things like that... and only lately finally
getting there.

Also, practical verifiability in Gentoo is something I have been keen on
for pretty long now.

But your having shown me (I haven't digested it yet, too late in the
night right now) that verifiability is possible does make it the next
big wish of mine to apply to my Gentoo (and my dream is to help test it,
so everybody can use git for verifiable installations!).

> 
> Best regards,
> Andrew Savchenko

Your email means a lot to me! Thank you!

Good night! (I see other emails, but have to go to sleep now first)
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr