> I guess you haven't read news about leaks happening once in a short while?
> It seems as if in most cases the govt is interested mostly not in what was
> leaked, but in who leaked it, so they can make an example of the
> whistleblower.
The arguments against this seem to center on an attacker bei
On Thu, 2017-12-07 at 22:04 +0100, Adam Borowski wrote:
> I might be inattentive, but I did not notice a single pro mentioned on
> this thread. The only part, Windows-like "you downloaded this file from the
> Internet, it may be bad" popup, can be done with a boolean, and is still a
> dubio
On Thu, Dec 07, 2017 at 12:17:10PM -0500, Paul R. Tagliamonte wrote:
> If the Secret Police has seized your computer, has physical access to
> your machine and the decryption passphrase for your system, I don't
> think there's any website that you visited that would be more
> incriminating than the
> I don't know how it works in reality but the Windows way to mark
> downloaded files is actually to put a zone number into the attribute, and
> zones are that thing that theoretically distinguishes between local sites,
> internet sites, trusted sites etc.:
> https://msdn.microsoft.com/en-
On Thu, Dec 07, 2017 at 11:05:38AM -0800, Diane Trout wrote:
> Tracker should have a way to avoid indexing files that have been
> downloaded at least from untrusted domains, and possibly all downloaded
> files.
>
> But yes, we should have a way of indicating "trusted" domains, so users
> get fewer
On Thu, 2017-12-07 at 19:25 +0100, gregor herrmann wrote:
> On Thu, 07 Dec 2017 08:16:47 -0500, Paul R. Tagliamonte wrote:
>
> > Restricting the execution of files one downloads or disabling macros on
> > word documents you download and open would be a huge security win.
>
> I'm skeptical, at
> The pros vastly outweigh the speculative cons on this, it's literally
> just a tag that's stored on the filesystem. If you can read the tag,
> you can read the file. If you store porn that's readable by others,
> it's not a shock that you go to porn websites. If you have an
> overthrow the go
On Thu, 07 Dec 2017 08:16:47 -0500, Paul R. Tagliamonte wrote:
> Restricting the execution of files one downloads or disabling macros on
> word documents you download and open would be a huge security win.
I'm skeptical, at least if this leads to more of the
well-known-and-much-despised "Do you r
On Thu, Dec 7, 2017 at 11:06 AM, Ian Jackson
wrote:
> Paul R. Tagliamonte writes ("Re: Automatic downloading of non-free software
> by stuff in main"):
>> I claim if you can read this attribute, you can observe the rest of those
>> actions passively.
>
> So th
Quoting Ian Jackson (2017-12-07 17:06:43)
> Paul R. Tagliamonte writes ("Re: Automatic downloading of non-free software
> by stuff in main"):
>> I claim if you can read this attribute, you can observe the rest of
>> those actions passively.
>
> So the secret
Holger Levsen writes ("technical terms (Re: Automatic downloading of non-free
software by stuff in main)"):
> On Thu, Dec 07, 2017 at 04:06:43PM +, Ian Jackson wrote:
> > (Your logic would argue that browser porn mode is basically
> > pointless.)
>
> I did
On Thu, Dec 07, 2017 at 04:06:43PM +, Ian Jackson wrote:
> (Your logic would argue that browser porn mode is basically
> pointless.)
I didn't get what you meant originally, but after the 3rd mail using these
words I realized you meant "privacy mode".
I don't understand why you are using demeanin
Paul R. Tagliamonte writes ("Re: Automatic downloading of non-free software by
stuff in main"):
> I claim if you can read this attribute, you can observe the rest of those
> actions passively.
So the secret police who have seized my computer, or my spouse who
suspects me o
On Thu, Dec 07, 2017 at 01:59:16PM +, Holger Levsen wrote:
> On Thu, Dec 07, 2017 at 01:52:07PM +, Ian Jackson wrote:
> > Furthermore, this "file is dangerous" attribute ought to be copied
> > much more.
>
> no, it ought to be the default. all files should be considered harmful,
> unless t
On Dec 7, 2017 8:52 AM, "Ian Jackson"
wrote:
Paul R. Tagliamonte writes ("Re: Automatic downloading of non-free software
by stuff in main"):
> I hilariously discovered this last night as well (playing with IMA), and
> removing the creation of that attr would be a huge
On Thu, Dec 07, 2017 at 01:52:07PM +, Ian Jackson wrote:
> Furthermore, this "file is dangerous" attribute ought to be copied
> much more.
no, it ought to be the default. all files should be considered harmful,
unless tagged otherwise.
> It seems to me therefore that this XDG url saving attri
~Stuart Prescott writes ("Re: Automatically marking downloaded files (was Re:
Automatic downloading of non-free software by stuff in main)"):
> * wget in stretch doesn't set xattrs (but the version in sid does)
Cripes.
> * chromium doesn't set xattrs if you "Fi
Paul R. Tagliamonte writes ("Re: Automatic downloading of non-free software by
stuff in main"):
> I hilariously discovered this last night as well (playing with IMA), and
> removing the creation of that attr would be a huge step back.
>
> Restricting the execution of
I hilariously discovered this last night as well (playing with IMA), and
removing the creation of that attr would be a huge step back.
Restricting the execution of files one downloads or disabling macros on
word documents you download and open would be a huge security win.
These attributes are de
On Thu, Dec 7, 2017 at 9:09 PM, Holger Levsen wrote:
> ah, so it's a privacy hole in certain tools, but not in xattr.
Is it any more of a privacy hole than ~/.bash_history?
--
bye,
pabs
https://wiki.debian.org/PaulWise
On Thu, Dec 07, 2017 at 05:58:31PM +0500, Andrey Rahmatullin wrote:
> On Thu, Dec 07, 2017 at 12:50:06PM +, Holger Levsen wrote:
> > > > Ah, damnit. It supports *some* xattrs (like the security namespace),
> > > > but apparently not *user* xattrs.
> > > Good. While xattrs have some uses, this
On Thu, Dec 07, 2017 at 12:50:06PM +, Holger Levsen wrote:
> > > Ah, damnit. It supports *some* xattrs (like the security namespace),
> > > but apparently not *user* xattrs.
> > Good. While xattrs have some uses, this is a hidden privacy hole most users
> > aren't aware of
>
> could you be
On Thu, Dec 07, 2017 at 03:27:42AM +0100, Adam Borowski wrote:
> > Ah, damnit. It supports *some* xattrs (like the security namespace),
> > but apparently not *user* xattrs.
> Good. While xattrs have some uses, this is a hidden privacy hole most users
> aren't aware of
could you be so kind to e
> Which makes the XDG thing borderline, since the only indicator that a
> file
> has been downloaded they propose is the full url, not a boolean.
But having the URL is useful.
I would love to know where some terribly named file was downloaded
from. (This is at least a fairly common problem in sc
On Thu, Dec 07, 2017 at 11:53:50AM +0900, Mike Hommey wrote:
> > Good. While xattrs have some uses, this is a hidden privacy hole most users
> > aren't aware of (although /tmp/ is the filesystem least likely to be used
> > forensically against you).
>
> Which makes the XDG thing borderline, since
On Thu, Dec 07, 2017 at 03:27:42AM +0100, Adam Borowski wrote:
> On Thu, Dec 07, 2017 at 01:33:41AM +, Ben Hutchings wrote:
> > On Wed, 2017-12-06 at 19:14 -0500, Michael Stone wrote:
> > > On Thu, Dec 07, 2017 at 12:09:22AM +, Ben Hutchings wrote:
> > > > That's only because it lives in mm
On Thu, Dec 07, 2017 at 01:33:41AM +, Ben Hutchings wrote:
> On Wed, 2017-12-06 at 19:14 -0500, Michael Stone wrote:
> > On Thu, Dec 07, 2017 at 12:09:22AM +, Ben Hutchings wrote:
> > > That's only because it lives in mm/shmem.c, not under fs/. It does
> > > support xattrs.
> >
> > Have y
On Wed, 2017-12-06 at 19:14 -0500, Michael Stone wrote:
> On Thu, Dec 07, 2017 at 12:09:22AM +, Ben Hutchings wrote:
> > That's only because it lives in mm/shmem.c, not under fs/. It does
> > support xattrs.
>
> Have you tried it?
Ah, damnit. It supports *some* xattrs (like the security nam
Anthony DeRobertis wrote:
> On 12/05/2017 03:48 PM, Diane Trout wrote:
>> I would love for files downloaded via a web browser or email client to
>> be marked as having come from the Internet. (Major bonus points if a
>> sync tool like nextcloud can keep files I generated labeled separate
>> from o
On Thu, Dec 07, 2017 at 12:09:22AM +, Ben Hutchings wrote:
That's only because it lives in mm/shmem.c, not under fs/. It does
support xattrs.
Have you tried it?
Mike Stone
On Wed, 2017-12-06 at 21:33 -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 06 Dec 2017, Ben Hutchings wrote:
> > > > Do most of our file systems have extended attributes turned on
> > > > by now?
> > >
> > > I think (or at least hope) so.
> >
> > Yes, xattrs are supported in most filesystems
On Wed, 06 Dec 2017, Ben Hutchings wrote:
> > > Do most of our file systems have extended attributes turned on by now?
> >
> > I think (or at least hope) so.
>
> Yes, xattrs are supported in most filesystems on Linux and our official
> kernel packages enable them wherever they're an optional feat
On Wed, 2017-12-06 at 09:09 +0500, Andrey Rahmatullin wrote:
> On Tue, Dec 05, 2017 at 12:48:36PM -0800, Diane Trout wrote:
> > I would love for files downloaded via a web browser or email client to
> > be marked as having come from the Internet. (Major bonus points if a
> > sync tool like nextclou
On 12/05/2017 03:48 PM, Diane Trout wrote:
I would love for files downloaded via a web browser or email client to
be marked as having come from the Internet. (Major bonus points if a
sync tool like nextcloud can keep files I generated labeled separate
from ones my coworkers made)
Chromium (by d
On Tue, Dec 05, 2017 at 12:48:36PM -0800, Diane Trout wrote:
> I would love for files downloaded via a web browser or email client to
> be marked as having come from the Internet. (Major bonus points if a
> sync tool like nextcloud can keep files I generated labeled separate
> from ones my coworker
On Thu, 2017-11-30 at 13:52 +, Ian Jackson wrote:
> (The question is: how do we stop a Postscript file received by email
> being rendered automatically when the user clicks on it, while
> allowing the user to still open a Postscript file they generated
> themselves ?)
I wanted to highlight tha
]] "G. Branden Robinson"
> At 2017-12-01T18:11:34+0100, Adam Borowski wrote:
> > Microcode itself has data loss and local exploits (such
> > as an unprivileged user of an unprivileged VM taking over the host machine),
> > then often comes in one bunch with IME updates that close remote holes.
>
On Fri, Dec 01, 2017 at 06:09:12AM +0100, Adam Borowski wrote:
> On Thu, Nov 30, 2017 at 01:52:18PM +, Ian Jackson wrote:
> > Over the years, d-legal has discussed a number of packages which
> > automatically download non-free software, under some circumstances.
> >
> > The obvious example is
On Fri, Dec 01, 2017 at 01:07:59PM -0500, G. Branden Robinson wrote:
> Hi Adam,
>
> I think you're probably already aware of the factual portions of my
> claims below, but I'm making them for the benefit of the broader
> audience.
>
> At 2017-12-01T18:11:34+0100, Adam Borowski wrote:
> > > > No, t
At 2017-12-01T20:22:58+0500, Andrey Rahmatullin wrote:
> Adam spoke about derivative users, not derivative developers, though.
[...]
> Our users are declared our priority, our downstreams aren't.
This is a false dilemma and I urge our community to reject it.
--
Regards,
Branden
Hi Adam,
I think you're probably already aware of the factual portions of my
claims below, but I'm making them for the benefit of the broader
audience.
At 2017-12-01T18:11:34+0100, Adam Borowski wrote:
> > > No, those derivatives are damage. While their hearts are in the right
> > > place, they c
Adam Borowski writes ("Re: Automatic downloading of non-free software by stuff
in main"):
> It looks like we two are in agreement that all non-free software is bad,
> even if we differ wrt how acceptable using it is. But we disagree about
> the reason _why_:
>
> * I sa
On Fri, Dec 01, 2017 at 01:53:22PM +, Ian Jackson wrote:
> (Dropping the crossposts. The stuff I want to reply to is probably
> material for -project.)
Thanks, crossposts are bad!
> Adam Borowski writes ("Re: Automatic downloading of non-free software by
> stuff in main"
Andrey Rahmatullin writes ("Re: Automatic downloading of non-free software by
stuff in main"):
> > > > Our users are declared our priority, our downstreams aren't.
> > >
> > > It never occurred to me that our downstreams could be considered as n
On Fri, Dec 01, 2017 at 04:10:46PM +, Ian Jackson wrote:
> > > > Debian ought to be a good upstream for everyone, not just "me"
> > > > (whoever me is).
> > > Our users are declared our priority, our downstreams aren't.
> >
> > It never occurred to me that our downstreams could be considered a
Enrico Zini writes ("Re: Automatic downloading of non-free software by stuff in
main"):
> On Fri, Dec 01, 2017 at 08:22:58PM +0500, Andrey Rahmatullin wrote:
> > [Ian Jackson:]
> > > Debian ought to be a good upstream for everyone, not just "me"
> > &
On Fri, Dec 01, 2017 at 08:22:58PM +0500, Andrey Rahmatullin wrote:
> > Debian ought to be a good upstream for everyone, not just "me"
> > (whoever me is).
> Our users are declared our priority, our downstreams aren't.
It never occurred to me that our downstreams could be considered as not
being
On Fri, Dec 01, 2017 at 01:53:22PM +, Ian Jackson wrote:
> > > I would like to establish a way to prevent this. (There are even
> > > whole Debian derivatives who have as one of their primary goals,
> > > preventing this.
> >
> > No, those derivatives are damage. While their hearts are in th
(Dropping the crossposts. The stuff I want to reply to is probably
material for -project.)
Adam Borowski writes ("Re: Automatic downloading of non-free software by stuff
in main"):
> On Thu, Nov 30, 2017 at 01:52:18PM +, Ian Jackson wrote:
> > I would like to establish a
On Thu, Nov 30, 2017 at 01:52:18PM +, Ian Jackson wrote:
> Over the years, d-legal has discussed a number of packages which
> automatically download non-free software, under some circumstances.
>
> The obvious example is web browsers with extension repositories
> containing both free and non-f
On Thu, Nov 30, 2017 at 01:52:18PM +, Ian Jackson wrote:
> I would like to establish a way to prevent this.
Why would the project do that, though?
> (There are even whole Debian derivatives who have as one of their
> primary goals, preventing this.
Good.
> We should aim for most of the chang
This mail is going to a lot of lists. I have set the followups to
d-policy because ultimately this is hopefully going to result in a
change to policy.
Over the years, d-legal has discussed a number of packages which
automatically download non-free software, under some circumstances.
The obvious