delorie.com/archives/browse.cgi   search  
Mail Archives: geda-user/2021/01/11/17:48:03

X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=7ySA8Y4zGrG6ICLNDD5QaHBkW954nbX6xLb0CKkpCt8=;
b=u9JlgJZFwnOHq1vYCAgFjVoQsgXmt7CPk+CkYAZldiFy2hZwrnPQIcBwf3a3ZjbMH0
EkOVIseXgDFCHx4pZurtfl83Yrodmlo5L6hCdkpFBorl5q1nHRlqM1tav3M1oX+QImsW
NU6uEX4lF8twwlDWPNuqt5nFmUxRI/PhYBzDqsZjV+K2r1ygwWgsAikhF07Qa+rcJ6AT
KeT2tk2ud/Vlw2OK+olr33OKy/SNVIb50cf68e1oqaN8zMxULwdAek6v6xtCEls1YqPu
v4VdE8AwYEiqbo0URAufFy7VNubwMdFJ/KIkYd3Tu9L5UrtAo35JGblR3JNZJECxVi+u
Rp/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=7ySA8Y4zGrG6ICLNDD5QaHBkW954nbX6xLb0CKkpCt8=;
b=VzlI5VE/O4oE3dqNafKNNbbzLma03WA1qjX5w3VBdQFEGvPVOh3fJGhFr9SMhWOQFI
ibe+TvS2UBqOv2lIo70vRTMRFcQx8jI9oqXhXYpe9qs7EzR3UE7/cu7+bT9jLCwUapo1
63O3VvuCZxRdzFThXOuH0HcOmMNMnqEk9Vc2zUYv4d1C8QcCdUt+cElwfSfJMkGmeWYg
Tq15WFGfbm+dLEMg8rvkwGJQjG1QQUlD883GLie2GIBhx7IypiD9NG27aqsl1I6sDnAH
0bjT7esSX27eVLvfT664ukQxVhIiOcG35UZwE/PaiXUNj4/YrvnVmqsojOVz1dvpu8HG
4+Aw==
X-Gm-Message-State: AOAM5311Bh6S/ibxqOFB1yk+SMFVnHl9n0892gMPVRx9EdnqL4ipQ+ew
p+6sXTHb0XOlzlDNpV0X8c3gUsmgOLn8G6FPUeNkfWqI
X-Google-Smtp-Source: ABdhPJzT+AHD61kYdxfwSnUGIQv3l0+ubgFa42yY9YlcmZPc1sX/tDmizjlcae5/i4doyYwuE0R0tLwroDoXnonuVNM=
X-Received: by 2002:aca:bc54:: with SMTP id m81mr467731oif.27.1610404063930;
Mon, 11 Jan 2021 14:27:43 -0800 (PST)
MIME-Version: 1.0
References: <xnim84jsdh DOT fsf AT envy DOT delorie DOT com> <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com>
In-Reply-To: <197408a7-1183-7805-6f84-7794386c52dc@fastmail.com>
From: "Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
Date: Tue, 12 Jan 2021 08:57:30 +1030
Message-ID: <CAHUm0tNfewMqL7mpXxuESB+r-vDYhO5vcRp+LfW-wXHjdkh=jw@mail.gmail.com>
Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user <geda-user AT delorie DOT com>
Reply-To: geda-user AT delorie DOT com

--0000000000002ced2e05b8a76a0f
Content-Type: text/plain; charset="UTF-8"

If you install pcb-rnd from a distribution, i.e. using a set of .deb files,
you are protected by the checksums and security packages the distribution
uses for its package distribution.

If you are working on the development branch of software, you are stuck
with the security provided by svn and/or git.

The web site for the software doesn't affect the security if either of
these options, and is arguably just window dressing.

If you do download a tarball from the website, you can check the checksum
with a developer over a parallel channel like email or irc in real time if
you are really paranoid.

Regards,

Erich

On Tue, 12 Jan 2021 08:27 Girvin Herr (gherrl AT fastmail DOT com) [via
geda-user AT delorie DOT com], <geda-user AT delorie DOT com> wrote:

>
> On 1/10/21 3:15 PM, DJ Delorie wrote:
>
> "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]"<geda-user AT delorie DOT com> <geda-user AT delorie DOT com> writes:
>
> I don't know why you are so resistant to computer security.
>
>
> Computer security takes time and effort, and it's wasted on static data
> that has no real value.  Do you really need to hide the fact that you're
> looking at EDA software?  Do you worry that terrorists are going to
> modify a wiki page you're reading?
>
>
> Why did I post my concern about pcb-rnd on this forum? Good question. I
> thought about it a while and decided that since pcb-rnd was on this
> forum in the past, and that it may be polled by the pcb-rnd devs,
>
>
> Nope, none of them are here any more.  They left long ago.
>
>
> Now that includes gEDA too.
>
>
> You didn't mention that at all in your original email ;-)
>
>
> I hope the gEDA server maintainers create a https portal on the web
> server(s) asap.
>
>
> The gEDA server is a very old arm-based device running a prototype
> operating system.  HTTPS is not an option at this point, unless someone
> (or many someones) steps up to migrate everything to a modern server.
>
>
> Greetings,
>
> My immediate concern is the software download site. I do not want to
> download corrupted software. The risk is low, but I think it is still
> there. On the other end, I am concerned that the gEDA site could get
> attacked with possible resultant data corruption. In that respect, I don't
> think computer security is "wasted". You are correct in that since the
> transactions do not involve the transmission of sensitive data, such as
> logins and passwords, the risk is low and maybe not worth the effort to
> upgrade, except for the program download site.
>
> I didn't mention the gEDA sites in my original posting because I had not
> yet gotten to my gEDA site bookmarks, so at the time I wrote the original
> posting I did not know for sure if gEDA should be included. I suppose in
> hindsight, I should have waited until I had completed my year-end bookmarks
> purge before I posted my first posting on this subject. Sorry.
>
> I had a suspicion that the problem may be with the server. I guess the
> best I can ask for is to consider upgrading to https, at least for the
> software download server part, when a need to upgrade the server is
> discussed.
>
> Since we are trading URLs, here is an article, written by Mick Bauer, that
> I am using to harden my desktop computer at this time:
>
>
> https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practical-linux-desktop-security
>
> Here is an applicable snippet under "Never Transmit Unencrypted Passwords"
> for consideration:
>
> Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based login
> involving an http:// URL rather than https://, therefore, are all off
> limits. In the modern era, all these applications (remote shell, file
> transfer, e-mail and most Web applications) can and should be used in
> encrypted implementations, such as SSH, FTPS or SFTP, IMAPS, POP3S and
> https, at least for logons and other sensitive transactions.
>
> Operative phrase: " at least ".
>
> Note that pcb, under sourceforge, is using https to download.
>
> As a side note, a while back I was looking to make a donation to gEDA to
> help out and partially compensate for the use I have gotten from gEDA/gaf.
> However, I could not find a place to make such a donation. I think a PayPal
> transaction could be made using an email address. I am not sure how to set
> it up. It may require a PayPal business account. Such donations could help
> purchase a new server and maybe pay the small fee for the certificate(s).
>
> Thanks and take care.
>
> Girvin
>
>
>

--0000000000002ced2e05b8a76a0f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">If you install pcb-rnd from a distribution, i.e. using a =
set of .deb files, you are protected by the checksums and security packages=
 the distribution uses for its package distribution.<div dir=3D"auto"><br><=
/div><div dir=3D"auto">If you are working on the development branch of soft=
ware, you are stuck with the security provided by svn and/or git.</div><div=
 dir=3D"auto"><br></div><div dir=3D"auto">The web site for the software doe=
sn&#39;t affect the security if either of these options, and is arguably ju=
st window dressing.</div><div dir=3D"auto"><br></div><div dir=3D"auto">If y=
ou do download a tarball from the website, you can check the checksum with =
a developer over a parallel channel like email or irc in real time if you a=
re really paranoid.</div><div dir=3D"auto"><br></div><div dir=3D"auto">Rega=
rds,</div><div dir=3D"auto"><br></div><div dir=3D"auto">Erich</div></div><b=
r><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, =
12 Jan 2021 08:27 Girvin Herr (<a href=3D"mailto:gherrl AT fastmail DOT com">gherr=
l AT fastmail DOT com</a>) [via <a href=3D"mailto:geda-user AT delorie DOT com">geda-user=
@delorie.com</a>], &lt;<a href=3D"mailto:geda-user AT delorie DOT com">geda-user AT d=
elorie.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p><br>
    </p>
    <div>On 1/10/21 3:15 PM, DJ Delorie wrote:<br>
    </div>
    <blockquote type=3D"cite">
      <pre>&quot;Girvin Herr (<a href=3D"mailto:gherrl AT fastmail DOT com" target=
=3D"_blank" rel=3D"noreferrer">gherrl AT fastmail DOT com</a>) [via <a href=3D"mai=
lto:geda-user AT delorie DOT com" target=3D"_blank" rel=3D"noreferrer">geda-user AT d=
elorie.com</a>]&quot;
<a href=3D"mailto:geda-user AT delorie DOT com" target=3D"_blank" rel=3D"noreferre=
r">&lt;geda-user AT delorie DOT com&gt;</a> writes:
</pre>
      <blockquote type=3D"cite">
        <pre>I don&#39;t know why you are so resistant to computer security=
.
</pre>
      </blockquote>
      <pre>
Computer security takes time and effort, and it&#39;s wasted on static data
that has no real value.  Do you really need to hide the fact that you&#39;r=
e
looking at EDA software?  Do you worry that terrorists are going to
modify a wiki page you&#39;re reading?

</pre>
      <blockquote type=3D"cite">
        <pre>Why did I post my concern about pcb-rnd on this forum? Good qu=
estion. I=20
thought about it a while and decided that since pcb-rnd was on this=20
forum in the past, and that it may be polled by the pcb-rnd devs,
</pre>
      </blockquote>
      <pre>
Nope, none of them are here any more.  They left long ago.

</pre>
      <blockquote type=3D"cite">
        <pre>Now that includes gEDA too.
</pre>
      </blockquote>
      <pre>
You didn&#39;t mention that at all in your original email ;-)

</pre>
      <blockquote type=3D"cite">
        <pre>I hope the gEDA server maintainers create a https portal on th=
e web
server(s) asap.
</pre>
      </blockquote>
      <pre>
The gEDA server is a very old arm-based device running a prototype
operating system.  HTTPS is not an option at this point, unless someone
(or many someones) steps up to migrate everything to a modern server.</pre>
    </blockquote>
    <br>
    <p>Greetings,</p>
    <p>My immediate concern is the software download site. I do not want
      to download corrupted software. The risk is low, but I think it is
      still there. On the other end, I am concerned that the gEDA site
      could get attacked with possible resultant data corruption. In
      that respect, I don&#39;t think computer security is &quot;wasted&quo=
t;. You are
      correct in that since the transactions do not involve the
      transmission of sensitive data, such as logins and passwords, the
      risk is low and maybe not worth the effort to upgrade, except for
      the program download site.</p>
    <p>I didn&#39;t mention the gEDA sites in my original posting because I
      had not yet gotten to my gEDA site bookmarks, so at the time I
      wrote the original posting I did not know for sure if gEDA should
      be included. I suppose in hindsight, I should have waited until I
      had completed my year-end bookmarks purge before I posted my first
      posting on this subject. Sorry.</p>
    <p>I had a suspicion that the problem may be with the server. I
      guess the best I can ask for is to consider upgrading to https, at
      least for the software download server part, when a need to
      upgrade the server is discussed.</p>
    <p>Since we are trading URLs, here is an article, written by Mick
      Bauer, that I am using to harden my desktop computer at this time:</p=
>
    <blockquote>
      <p><a href=3D"https://www.linuxjournal.com/magazine/paranoid-penguin-=
brutally-practical-linux-desktop-security" target=3D"_blank" rel=3D"norefer=
rer">https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practi=
cal-linux-desktop-security</a><br>
      </p>
    </blockquote>
    <p>Here is an applicable snippet under &quot;Never Transmit Unencrypted
      Passwords&quot; for consideration:</p>
    <blockquote>
      <p> Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based
        login involving an http:// URL rather than https://, therefore,
        are all off limits. In the modern era, all these applications
        (remote shell, file transfer, e-mail and most Web applications)
        can and should be used in encrypted implementations, such as
        SSH, FTPS or SFTP, IMAPS, POP3S and https, at least for logons
        and other sensitive transactions. </p>
    </blockquote>
    <p>Operative phrase: &quot; at least &quot;.</p>
    <p>Note that pcb, under sourceforge, is using https to download.</p>
    <p>As a side note, a while back I was looking to make a donation to
      gEDA to help out and partially compensate for the use I have
      gotten from gEDA/gaf. However, I could not find a place to make
      such a donation. I think a PayPal transaction could be made using
      an email address. I am not sure how to set it up. It may require a
      PayPal business account. Such donations could help purchase a new
      server and maybe pay the small fee for the certificate(s).</p>
    <p>Thanks and take care.</p>
    <p>Girvin</p>
    <p><br>
    </p>
  </div>

</blockquote></div>

--0000000000002ced2e05b8a76a0f--

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019