From: "Chad Parker (parker DOT charles AT gmail DOT com) [via geda-user AT delorie DOT com]"
Date: Fri, 13 Aug 2021 10:59:29 -0400
Subject: Re: [geda-user] geda and pcb git repos inaccessible ?
To: geda-user AT delorie DOT com
In-Reply-To: <6115ecdb.1c69fb81.ee1b6.51cfSMTPIN_ADDED_BROKEN@mx.google.com>

If you're concerned about maintaining the integrity of the source code as you download it, git makes it easy to compute and compare the hashes of your source tree with that of the server's.

If you're concerned about people adding malicious code into the repository, then know that a limited number of people have permissions to merge code into the master branch, and all such code is reviewed by those developers.

If you don't trust the developers... well, there's nothing I can really do about that, other than to say that none of us are interested in gaining root access to any of your computing devices or networks. You can believe me or not. That's up to you.

Does this mean that there are zero security flaws? No. I don't think any of us are computer security professionals. We're mostly just engineers that enjoy coding. So, we do our best. If you find some issues, we'd welcome you pointing them out, or even better, providing a patch that fixes them.

--Chad

On Thu, Aug 12, 2021 at 11:54 PM Branko Badrljica (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com] wrote:
> On Thu, 12 Aug 2021 21:58:57 -0400
> DJ Delorie wrote:
>
> > You are an overly paranoid individual...
>
> Couple more things:
>
> 1. One of the methods of breaching the machines is timing attacks
> and usual exploits over networks. They breach your server through a
> service and get to own it.
>
> 2. Servers as yours have high "multiplicative effects". Your server can
> further the attack on any client that connects to git repo and thus
> infect their machines through similar or very same attack vector.
>
> 3. World is full of intertwined human swarm, engaged in a war. This
> kind of stance exposes you and might make you seem as a participant and
> thus a target. Norm for the git is https transfers everywhere outside
> controlled internal LAN.
> You are sticking out of the norm. If anyone
> gets suspicious, you could be on shortlist of hostile "suspects".
> Swarms aren't known for lengthy legal processes, evidence collecting,
> "innocent until proven guilty" etc. etc.
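The first paragraph of Chad's reply rests on git's content addressing: every object id is a SHA-1 over the object's type, size and payload, so a commit id commits to its tree, and the tree commits to every file name, mode and blob beneath it. The following is an added example, not code from gEDA, pcb or the list members; it reimplements that hashing in plain Python (flat trees only, fixed author metadata and file contents that are constructed for the demo) and shows why comparing a local checkout's commit id with the id the server advertises detects a byte changed in transit.

```python
import hashlib

# Git content addressing, reimplemented here (added example, not gEDA/pcb
# project code) to show what "compare the hashes of your source tree with
# the server's" actually checks. Every object id is SHA-1 over
# "<type> <size>\0<payload>", so a commit id covers its tree, and the tree
# covers every file name, mode and blob id beneath it.


def git_object_id(kind: str, payload: bytes) -> str:
    """Return the hex object id git would assign to this object."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Object id of a file's contents (what `git hash-object` prints)."""
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, hex_id) for one directory level.

    Git stores entries sorted by name and serialises each one as
    "<mode> <name>\0<20 raw id bytes>". Only flat trees are handled here,
    which is enough to show that a changed blob changes the tree id.
    """
    body = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(hex_id)
    return git_object_id("tree", body)


def commit_id(tree: str, parents, author: str, committer: str, message: str) -> str:
    """Commit objects are text: tree, parents, author, committer, blank line, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def commit_for_checkout(files: dict) -> str:
    """Hash a flat working tree {name: bytes} as if committed with fixed metadata."""
    entries = [("100644", name, blob_id(data)) for name, data in files.items()]
    # Constructed identity and timestamp; a real commit carries the real author's.
    ident = "Example Author <author@example.invalid> 1628866780 -0400"
    return commit_id(tree_id(entries), [], ident, ident, "initial import\n")


def checkout_matches_remote(files: dict, remote_head: str) -> bool:
    """The client-side check: does what I hold hash to what the server advertises?"""
    return commit_for_checkout(files) == remote_head


def tamper_demo():
    """Constructed sample: the 'server' tree, and a copy with one byte altered in transit."""
    original = {"README": b"gEDA sample\n", "main.c": b"int main(void){return 0;}\n"}
    remote_head = commit_for_checkout(original)
    tampered = dict(original, **{"main.c": b"int main(void){return 1;}\n"})
    return (checkout_matches_remote(original, remote_head),
            checkout_matches_remote(tampered, remote_head))


if __name__ == "__main__":
    ok, bad = tamper_demo()
    print("untouched checkout matches remote:", ok)
    print("tampered checkout matches remote:", bad)
```

With a real clone the same comparison is `git rev-parse HEAD` against the id `git ls-remote origin refs/heads/master` reports, and `git fsck --full` recomputes the ids of every stored object against their contents. The caveat is the one Chad's second paragraph moves on to: a matching id proves the bytes you hold are the bytes the server serves, not that the server's history is what the maintainers intended, which is what the limited merge rights and review are for.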