From: "Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com]"
Date: Tue, 12 Jan 2021 11:14:34 +1030
Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user AT delorie DOT com
In-Reply-To: <20210111235323.GB9305@recycle.lbl.gov>
References: <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com> <20210111235323 DOT GB9305 AT recycle DOT lbl DOT gov>

Indeed, if you don't trust the package maintainers and package submission process for your distribution, and don't trust other installed software like a browser from a 3rd party source, then https is irrelevant, since your browser or local ssh libs can be compromised to perform MITM attacks, and if you build from source, you need to trust your compiler... but how do you build that from source....

regards,

Erich

On Tue, 12 Jan 2021 11:03 Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via geda-user AT delorie DOT com], wrote:
> Erich -
>
> On Tue, Jan 12, 2021 at 08:57:30AM +1030, Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote:
> > If you install pcb-rnd from a distribution, i.e. using a set of .deb files,
> > you are protected by the checksums and security packages the distribution
> > uses for its package distribution.
>
> Sure, but where does the _distribution_ get its source?
>
> I'm not personally a fan of mandating https, for some of the reasons
> already mentioned on this thread.
> Its illusion of security is stronger than its actual contribution to
> security.
> Authentication and supply chains are a pretty big deal in general these
> days.
> See SolarWinds, reproducible-builds.org, and bootstrappable.org.
>
> - Larry
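The checksum protection Erich refers to, and the "where does the source come from" question Larry raises, come down to the same mechanical step: the integrity of a downloaded archive is established by comparing its hash against a manifest that was authenticated separately, not by the transport it arrived over. The following Python script is an added example, not code from this thread or from the pcb-rnd project; the archive bytes, the manifest contents and the file name `pcb-rnd-example.tar.gz` are constructed placeholders. It parses a coreutils-style `SHA256SUMS` manifest, verifies a genuine archive, and shows a tampered copy failing the check.

```python
import hashlib
import hmac


def parse_sha256sums(manifest_text):
    """Parse a coreutils-style SHA256SUMS manifest into {filename: hexdigest}.

    Each line is '<64 hex chars>  <filename>' (two spaces). A '*' before the
    name marks binary mode in coreutils output and is stripped here.
    """
    entries = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(manifest_text, filename, data):
    """Return True if data's SHA-256 matches the manifest entry for filename.

    Raises KeyError when the manifest has no entry for that name, so a
    missing entry is never silently treated as a pass. The comparison uses
    hmac.compare_digest, the constant-time comparison for this purpose.
    """
    expected = parse_sha256sums(manifest_text)[filename]
    actual = sha256_hex(data)
    return hmac.compare_digest(expected, actual)


# Constructed sample data (hypothetical, not a real pcb-rnd release): a fake
# archive and the manifest a project would publish alongside it. In practice
# the manifest is the thing that must be authenticated out of band (e.g. a
# detached signature over it); a manifest fetched over the same channel as
# the archive proves nothing about either.
GOOD_ARCHIVE = b"pcb-rnd-example.tar.gz: constructed placeholder bytes\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE.replace(b"placeholder", b"backdoored ")
MANIFEST = f"{sha256_hex(GOOD_ARCHIVE)}  pcb-rnd-example.tar.gz\n"


def demo():
    """Verify the genuine and the tampered archive against the same manifest."""
    name = "pcb-rnd-example.tar.gz"
    return {
        "genuine": verify_against_manifest(MANIFEST, name, GOOD_ARCHIVE),
        "tampered": verify_against_manifest(MANIFEST, name, TAMPERED_ARCHIVE),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that `verify_against_manifest` answers only "does this file match the manifest"; whether the manifest is trustworthy is a separate question that the distribution's signing infrastructure (or a reproducible build, as Larry suggests) has to answer.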