Mail Archives: geda-user/2021/08/14/00:36:16
In-Reply-To: <61171bcb.1c69fb81.a7fc2.9206SMTPIN_ADDED_BROKEN@mx.google.com>
From: "Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
Date: Sat, 14 Aug 2021 14:04:38 +0930
Message-ID: <CAHUm0tOAtfH-8pUu3RYoxFHKM=p1qBCXn9tfwy4aTxux6e6M6g@mail.gmail.com>
Subject: Re: [geda-user] geda and pcb git repos inaccessible ?
To: geda-user <geda-user AT delorie DOT com>
Reply-To: geda-user AT delorie DOT com
this is why I always use SVN for pcb-rnd
;-)
Erich
On Sat, 14 Aug 2021 10:56 Branko Badrljica (brankob AT s5tehnika DOT net) [via
geda-user AT delorie DOT com], <geda-user AT delorie DOT com> wrote:
> On Fri, 13 Aug 2021 10:59:29 -0400
> "Chad Parker (parker DOT charles AT gmail DOT com) [via geda-user AT delorie DOT com]"
> <geda-user AT delorie DOT com> wrote:
>
> > If you're concerned about maintaining the integrity of the source
> > code as you download it, git makes it easy to compute and compare the
> > hashes of your source tree with that of the server's.
>
> Git wasn't made with great security in mind. Yes, it has hashes, but
> those were broken. There was a case of a good attempt of source insertion
> in the Linux kernel. Had it gone unnoticed, that source plant would have a
> HUGE/GLOBAL multiplicative effect. Everyone bases their kernel on
> www.kernel.org.
>
> It took them ages to change the hash and even the current version isn't
> anything to write home about. And there probably are plenty of other
> vulnerabilities and concerns.
> I have nothing against git, but it isn't a tool for ensuring safety or
> confidentiality or privacy as its priority.
>
> Use the tool for the job. Users expect to be able to go about their
> business without EVERYONE along the way taking notes of that.
>
> That is, unless you happen to have other instructions - to keep it
> open.
>
> After all, geda/PCB do get used by interesting crowd that Surveillance
> State has to keep their eye on.
> But as I said, that would make you guys (not that well) hidden
> participants.
>
> >
> > If you don't trust the developers... well, there's nothing I can
> > really do about that, other than to say that none of us are
> > interested in gaining root access to any of your computing devices or
> > networks. You can believe me or not. That's up to you.
>
> I trust no one completely, much less usual strangers that I never
> met. Which is probably around baseline standard - nothing
> especially paranoic.
>
> WRT trust to the state - we obviously already have installed an
> omnipresent surveillance system that scores behavioural patterns of
> EVERY CITIZEN in REAL TIME (automatedly):
>
>
> https://www.reddit.com/r/conspiracy/comments/p3ja8j/personal_score_point_system_of_the_global/
>
>
> and we have fresh things like "The Secrets Act" that will enable The
> State to basically lock out ANYONE with an "inconvenient truth".
> And the first batch of freshly jailed people is already being prepared.
> And big platforms are trying to hide "The Secrets Act" in their new
> usage rules:
>
>
> https://www.reddit.com/r/conspiracy/comments/p3j13e/newest_changes_in_privacy_policies_and_forum/
>
> >
> > Does this mean that there are zero security flaws? No. I don't think
> > any of us are computer security professionals. We're mostly just
> > engineers that enjoy coding. So, we do our best. If you find some
> > issues, we'd welcome you pointing them out, or even better, providing
> > a patch that fixes them.
> >
> > --Chad
> >
> >
> > On Thu, Aug 12, 2021 at 11:54 PM Branko Badrljica
> > (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com]
> > <geda-user AT delorie DOT com> wrote:
> >
> > > On Thu, 12 Aug 2021 21:58:57 -0400
> > > DJ Delorie <dj AT delorie DOT com> wrote:
> > >
> > >
> > > > You are an overly paranoid individual...
> > >
> > > Couple more things:
> > >
> > > 1. One of the methods of breaching the machines are timing attacks
> > > and usual exploits over networks. They breach your server through a
> > > service and get to own it.
> > >
> > > 2. Servers as yours have high "multiplicative effects". Your server
> > > can further the attack on any client that connects to git repo and
> > > thus infect their machines through similar or very same attack
> > > vector.
> > >
> > > 3. World is full of intertwined human swarm, engaged in a war. This
> > > kind of stance exposes you and might make you seem as a participant
> > > and thus a target. Norm for the git is https transfers everywhere
> > > outside controlled internal LAN.
> > > You are sticking out of the norm. If anyone
> > > gets suspicious, you could be on shortlist of hostile "suspects".
> > > Swarms aren't known for lengthy legal processes, evidence
> > > collecting, "innocent until proven guilty" etc. etc.