Date: Mon, 11 Jan 2021 19:02:55 -0800
From: "Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
To: geda-user <geda-user AT delorie DOT com>
Subject: Re: [geda-user] No https for pcb-rnd
Message-ID: <20210112030255.GA9588@recycle.lbl.gov>
References: <xnim84jsdh DOT fsf AT envy DOT delorie DOT com>
 <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com>
 <CAHUm0tNfewMqL7mpXxuESB+r-vDYhO5vcRp+LfW-wXHjdkh=jw AT mail DOT gmail DOT com>
 <20210111235323 DOT GB9305 AT recycle DOT lbl DOT gov>
 <CAHUm0tMUKMS3Av2MLz+0uR5W+jg4utpmkvNHXYsG5Bvi-HHh+Q AT mail DOT gmail DOT com>
MIME-Version: 1.0
In-Reply-To: <CAHUm0tMUKMS3Av2MLz+0uR5W+jg4utpmkvNHXYsG5Bvi-HHh+Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Erich -

On Tue, Jan 12, 2021 at 11:14:34AM +1030, Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote:
> Indeed, if you don't trust the package maintainers and package submission
> process for your distribution, and don't trust other installed software
> like a browser from a 3rd party source, then https is irrelevant, [...]

I guess what I didn't say explicitly is that enabling https will reduce
the risk that a distribution's capturing of a package source could be
MITMed. I'm assuming that the package maintainers are trustworthy but
not necessarily hyper-vigilant.

> your browser or local ssh libs can be compromised to perform MITM attacks,
> and if you build from source, you need to trust your compiler... but how do
> you build that from source....

Yes, and everyone here is invited to chip in to the vast, ongoing efforts
to harden open source software projects and supply chains in general.
I mentioned two starting points in my earlier email: reproducible-builds.org,
and bootstrappable.org. This is of course outside the scope of gEDA.

There are even harder problems to be solved to harden and build trust
in hardware, which is perhaps more on-topic here. I highly recommend
bunnie's 36c3 (December 2019) talk on this subject:

36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware
1:00:45
https://www.youtube.com/watch?v=Hzb37RyagCQ

  - Larry