Mail Archives: geda-user/2021/01/11/20:05:03

References: <xnim84jsdh DOT fsf AT envy DOT delorie DOT com> <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com>
<CAHUm0tNfewMqL7mpXxuESB+r-vDYhO5vcRp+LfW-wXHjdkh=jw AT mail DOT gmail DOT com> <20210111235323 DOT GB9305 AT recycle DOT lbl DOT gov>
In-Reply-To: <20210111235323.GB9305@recycle.lbl.gov>
From: "Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
Date: Tue, 12 Jan 2021 11:14:34 +1030
Message-ID: <CAHUm0tMUKMS3Av2MLz+0uR5W+jg4utpmkvNHXYsG5Bvi-HHh+Q@mail.gmail.com>
Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user <geda-user AT delorie DOT com>
Reply-To: geda-user AT delorie DOT com


Indeed, if you don't trust the package maintainers and package submission
process for your distribution, and don't trust other installed software
like a browser from a 3rd party source, then https is irrelevant, since
your browser or local ssh libs can be compromised to perform MITM attacks,
and if you build from source, you need to trust your compiler... but how do
you build that from source....

regards,

Erich

On Tue, 12 Jan 2021 11:03 Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via
geda-user AT delorie DOT com], <geda-user AT delorie DOT com> wrote:

> Erich -
>
> On Tue, Jan 12, 2021 at 08:57:30AM +1030, Erich Heinzle (
> a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote:
> > If you install pcb-rnd from a distribution, i.e. using a set of .deb
> files,
> > you are protected by the checksums and security packages the distribution
> > uses for its package distribution.
>
> Sure, but where does the _distribution_ get its source?
>
> I'm not personally a fan of mandating https, for some of the reasons
> already mentioned on this thread.
> Its illusion of security is stronger than its actual contribution to
> security.
> Authentication and supply chains are a pretty big deal in general these
> days.
> See SolarWinds, reproducible-builds.org, and bootstrappable.org.
>
>   - Larry
>
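Both messages above turn on one distinction: a checksum protects a download only when the reference digest reaches you by a path you already trust (a distribution's signed package metadata), not when it is fetched from the same site as the file, and the transport (http or https) changes neither case. The following is an added example that is not part of this thread or of the pcb-rnd project; the tarball bytes and digest are constructed stand-ins, and no network access is made.

```python
"""Content authentication is independent of transport (added example).

Models a source-tarball download checked two ways: against a `.sha256`
sidecar served by the same site, and against a digest pinned out of band.
All data below is constructed; it is not real pcb-rnd release data.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-in for the upstream source tarball a distribution packages.
UPSTREAM_TARBALL = b"pcb-rnd-<version>.tar.gz contents (constructed sample)\n"

# Constructed stand-in for a digest recorded out of band: the packager computed
# it from the release they reviewed, and it ships in the distribution's signed
# metadata, so the user never fetches it from the download site at all.
PINNED_SHA256 = hashlib.sha256(UPSTREAM_TARBALL).hexdigest()


def simulate_download(tampered: bool) -> tuple[bytes, str]:
    """Return (tarball bytes, sidecar .sha256 text) as the site serves them.

    Whether the transport is http or https does not enter this model: a
    compromised origin, mirror, or client TLS library hands the user the same
    altered bytes either way, and whoever can alter the tarball can also
    alter the sidecar digest published beside it.
    """
    data = UPSTREAM_TARBALL
    if tampered:
        data = data.replace(b"contents", b"ALTERED")
    sidecar = hashlib.sha256(data).hexdigest()  # kept consistent with the data
    return data, sidecar


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the download's SHA-256 against a reference."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def check_download(tampered: bool, digest_source: str) -> bool:
    """Verify a simulated download using one of two reference digests.

    digest_source == "sidecar": the .sha256 file fetched from the same site.
    digest_source == "pinned":  the digest from signed distribution metadata.
    Returns True when the check accepts the download.
    """
    data, sidecar = simulate_download(tampered)
    if digest_source == "sidecar":
        reference = sidecar
    elif digest_source == "pinned":
        reference = PINNED_SHA256
    else:
        raise ValueError(f"unknown digest source: {digest_source}")
    return digest_matches(data, reference)


def trust_matrix() -> dict[tuple[str, bool], bool]:
    """Outcome of every (digest source, tampered) combination."""
    return {
        (src, tampered): check_download(tampered, src)
        for src in ("sidecar", "pinned")
        for tampered in (False, True)
    }


if __name__ == "__main__":
    for (src, tampered), accepted in trust_matrix().items():
        state = "tampered" if tampered else "genuine"
        verdict = "accepted" if accepted else "REJECTED"
        print(f"{src:8s} digest, {state:8s} download -> {verdict}")
```

Running it shows the sidecar check accepting the tampered download (the "illusion of security" Larry describes) while the pinned digest rejects it; the pinned digest is only as good as the path that delivered it, which is where the distribution's signing, reproducible builds and a bootstrappable toolchain come in.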

