On Wed, Feb 05, 2014 at 03:59:57PM -0200, Giancarlo Razzolini wrote:
On 04-02-2014 18:03, Marc Espie wrote:
I *encourage* you guys to read signify and pkg_add code and poke holes
in them!
I did read both last night. Signify is very easy and straightforward to
understand. I wasn't really
On 04-02-2014 18:03, Marc Espie wrote:
I *encourage* you guys to read signify and pkg_add code and poke holes
in them!
I did read both last night. Signify is very easy and straightforward to
understand. I wasn't really poking for holes, more for understanding
than that. The pkg part is a lot
Hi. I'm seeing, in this mailing list, much talk about the datagate and
related matters, and I can see why the topic may be of interest to
many OpenBSD users.
Anyway, I really like OpenBSD, but I always restrain myself from using
it on a desktop machine for a single reason: while pkg_add supports
Signing of base and package tarballs has been implemented in current,
and will be included in the next release.
-Otto
On Tue, Feb 04, 2014 at 02:00:35PM +0100, Kim Twain wrote:
Hi. I'm seeing, in this mailing list, much talk about the datagate and
related matters, and I can see why
Kim Twain kimtwa...@gmail.com wrote:
Well, I can fetch the ports tree in a secure way, verify its integrity
and origin,
You can? How?
--
Christian naddy Weisgerber na...@mips.inka.de
On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:
2014-02-04 Kim Twain kimtwa...@gmail.com:
Does pkg_add automatically check these signatures, or, as of now, I'd need
to manually download the packages, verify them with signify and then install
them locally with pkg_add?
2014-02-04 Kim Twain kimtwa...@gmail.com:
Does pkg_add automatically check these signatures, or, as of now, I'd need
to manually download the packages, verify them with signify and then install
them locally with pkg_add?
from man pkg:
If a package is digitally signed:
o pkg_add checks
2014-02-04 Otto Moerbeek o...@drijf.net:
On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:
I believe that in -current, the pubkey comes from /etc/signify.
-Otto
yes, but man pkg_sign:
-s signify|x509 [-s cert] -s privkey
Specify signature parameters
2014-02-04 Kim Twain kimtwa...@gmail.com:
Does pkg_add automatically check these signatures, or, as of now, I'd need
to manually download the packages, verify them with signify and then install
them locally with pkg_add?
In -current, if you don't use any flags to pkg_add, and you don't see any
On 4 February 2014 11:25, Marc Espie es...@nerim.net wrote:
2014-02-04 Kim Twain kimtwa...@gmail.com:
Does pkg_add automatically check these signatures, or, as of now, I'd need
to manually download the packages, verify them with signify and then install
them locally with pkg_add?
In
On 04-02-2014 14:25, Marc Espie wrote:
making sure the users don't do anything stupid is the right part.
As it has always been. People do stupid things. Even when they're not
expected to. People who care about signed packages will go on further
to verify things. If you care, do your
Thanks. I tried 5.5 on my laptop and as I said, it works, even better than
freebsd 10, despite being a beta. I will switch to openbsd with the
release. The only other problem is that I have external/ultrabay hdds that
use lvm2, and I'll have to migrate the data, I think.
Anyway, while it's fine
On Tue, Feb 04, 2014 at 05:40:38PM +0100, Kim Twain wrote:
Thanks. I tried 5.5 on my laptop and as I said, it works, even better
than freebsd 10, despite being a beta. I will switch to openbsd with
the release. The only other problem is that I have external/ultrabay
hdds that use
On Tue, Feb 04, 2014 at 02:38:11PM -0200, Giancarlo Razzolini wrote:
On 04-02-2014 14:25, Marc Espie wrote:
making sure the users don't do anything stupid is the right part.
As it has always been. People do stupid things. Even when they're not
expected to. People who care about signed
On 04-02-2014 15:04, Marc Espie wrote:
That's the motto secure by default. Does also mean try to make sure
things are reasonable by default, and that people will naturally do
not stupid things. (e.g., https is not reasonable. By default, you
get to trust a metric shitload of authorities you
2014-02-04 Marc Espie es...@nerim.net:
signify(1) makes things more transparent: no chain of trust, pure keys.
One cool thing is that the signatures are small enough that they can be
embedded directly in the package (which already has sha256 for everything).
This has the advantage of
On 02/04/2014 01:11 PM, Daniel Cegiełka wrote:
2014-02-04 Marc Espie es...@nerim.net:
signify(1) makes things more transparent: no chain of trust, pure keys.
One cool thing is that the signatures are small enough that they can be
embedded directly in the package (which already has sha256 for
On Tue, Feb 04, 2014 at 04:11:15PM -0200, Giancarlo Razzolini wrote:
On 04-02-2014 15:04, Marc Espie wrote:
That's the motto secure by default. Does also mean try to make sure
things are reasonable by default, and that people will naturally do
not stupid things. (e.g., https is not
On 04-02-2014 17:23, Marc Espie wrote:
Like the chinese curse goes may you live in interesting times. I'd
try to convince them to switch to FOO-BSD, so that they go annoy the
developers of FOO. (unless their attempts at stupidity are madly
entertaining, in which case those crackpots^Wpeople
On Tue, Feb 04, 2014 at 08:11:28PM +0100, Daniel Cegiełka wrote:
2014-02-04 Marc Espie es...@nerim.net:
signify(1) makes things more transparent: no chain of trust, pure keys.
One cool thing is that the signatures are small enough that they can be
embedded directly in the package (which
On 04-02-2014 17:11, Daniel Cegiełka wrote:
2014-02-04 Marc Espie es...@nerim.net:
wow!? really? And how can I be sure that the public key that I
downloaded is exactly the same public key, which is stored on OpenBSD
servers (MITM)? signify is a step in the right direction but does not
fix
I agree with the fact that we have no solution to this problem, and
probably will not find it quickly (or ever). I do not want to shout
that now we have to do something. I want to make people aware that
even with signify still need to keep limited trust.
best,
Daniel
On 04-02-2014 17:37, Daniel Cegiełka wrote:
I agree with the fact that we have no solution to this problem, and
probably will not find it quickly (or ever). I do not want to shout
that now we have to do something. I want to make people aware that
even with signify still need to keep limited
On Tue, Feb 04, 2014 at 05:57:21PM -0200, Giancarlo Razzolini wrote:
On 04-02-2014 17:37, Daniel Cegiełka wrote:
I agree with the fact that we have no solution to this problem, and
probably will not find it quickly (or ever). I do not want to shout
that now we have to do something. I