From: "Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com]"
Date: Sat, 14 Aug 2021 14:04:38 +0930
Subject: Re: [geda-user] geda and pcb git repos inaccessible ?
To: geda-user
In-Reply-To: <61171bcb.1c69fb81.a7fc2.9206SMTPIN_ADDED_BROKEN@mx.google.com>

this is why I always use SVN for pcb-rnd ;-)

Erich

On Sat, 14 Aug 2021 10:56 Branko Badrljica (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com], wrote:

> On Fri, 13 Aug 2021 10:59:29 -0400
> "Chad Parker (parker DOT charles AT gmail DOT com) [via geda-user AT delorie DOT com]"
> wrote:
>
> > If you're concerned about maintaining the integrity of the source
> > code as you download it, git makes it easy to compute and compare the
> > hashes of your source tree with that of the server's.
>
> Git wasn't made with great security in mind. Yes, it has hashes, but
> those were broken. There was a case of good attempt of source insertion
> in Linux kernel. Had it gone unnoticed, that source plant would have a
> HUGE/GLOBAL multiplicative effect. Everyone bases their kernel on
> www.kernel.org.
>
> It took them ages to change the hash and even current version isn't
> anything to write home about. And there probably are plenty of other
> vulnerabilities and concerns.
> I have nothing against git, but it isn't a tool for ensuring safety or
> confidentiality or privacy as its priority.
>
> Use tool for the job. Users expect to be able to go about their
> business without EVERYONE along the way taking notes of that.
>
> That is, unless you happen to have other instructions - to keep it
> open.
>
> After all, geda/PCB do get used by interesting crowd that Surveillance
> State has to keep their eye on.
> But as I said, that would make you guys (not that well) hidden
> participants.
>
> >
> > If you don't trust the developers... well, there's nothing I can
> > really do about that, other than to say that none of us are
> > interested in gaining root access to any of your computing devices or
> > networks. You can believe me or not. That's up to you.
>
> I trust no one completely, much less usual strangers that I never
> met. Which is probably around baseline standard - nothing
> especially paranoic.
>
> WRT trust to the state- we obviously already have installed
> omnipresent surveillance system that scores behavioural patterns of
> EVERY CITIZEN in REAL TIME ( automatedly):
>
> https://www.reddit.com/r/conspiracy/comments/p3ja8j/personal_score_point_system_of_the_global/
>
> and we have fresh things like "The Secrets Act" that will enable The
> State to basically lock out ANYONE with an "inconvenient truth".
> And the first batch of freshly jailed people is already being prepared.
> And big platforms are trying to hide "The Secrets Act" in their new
> usage rules:
>
> https://www.reddit.com/r/conspiracy/comments/p3j13e/newest_changes_in_privacy_policies_and_forum/
>
> >
> > Does this mean that there are zero security flaws? No. I don't think
> > any of us are computer security professionals. We're mostly just
> > engineers that enjoy coding. So, we do our best. If you find some
> > issues, we'd welcome you pointing them out, or even better, providing
> > a patch that fixes them.
> >
> > --Chad
> >
> >
> > On Thu, Aug 12, 2021 at 11:54 PM Branko Badrljica
> > (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com]
> > wrote:
> >
> > > On Thu, 12 Aug 2021 21:58:57 -0400
> > > DJ Delorie wrote:
> > >
> > > > You are an overly paranoid individual...
> > >
> > > Couple more things:
> > >
> > > 1. One of the methods of breaching the machines are timing attacks
> > > and usual exploits over networks. They breach your server through a
> > > service and get to own it.
> > >
> > > 2. Servers as yours have high "multiplicative effects". Your server
> > > can further the attack on any client that connects to git repo and
> > > thus infect their machines through similar or very same attack
> > > vector.
> > >
> > > 3. World is full of intertwined human swarm, engaged in a war. This
> > > kind of stance exposes you and might make you seem as a participant
> > > and thus a target. Norm for the git is https transfers everywhere
> > > outside controlled internal LAN.
> > > You are sticking out of the norm. If anyone
> > > gets suspicious, you could be on shortlist of hostile "suspects".
> > > Swarms aren't known for lengthy legal processes, evidence
> > > collecting, "innocent until proven guilty" etcetc.
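As an added illustration of the one technical claim in the thread (Chad's remark that git lets you compute the hashes of your source tree and compare them with the server's), here is how git derives those object ids and how the comparison is done; this is example code written for this page, not code from gEDA, pcb or anyone in the thread, and the sample tree in it is constructed.

```python
"""Git content-addresses every object: id = SHA-1("<type> <size>\0" + body).
A blob is a file's bytes; a tree lists (mode, name, raw 20-byte id) entries,
so a single tree id pins down an entire source tree. Assumes Python 3 only."""
import hashlib


def git_object_id(obj_type: str, body: bytes) -> str:
    """Object id exactly as `git hash-object -t <type>` would print it."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's contents (mode-independent)."""
    return git_object_id("blob", content)


def tree_id(entries: dict) -> str:
    """entries maps a name to bytes (a regular file, mode 100644) or to a
    nested dict (a subdirectory, mode 40000). Returns the tree's object id."""
    # git sorts tree entries byte-wise by name, comparing a directory as if
    # its name carried a trailing '/'
    def sort_key(item):
        name, value = item
        return name + "/" if isinstance(value, dict) else name

    body = b""
    for name, value in sorted(entries.items(), key=sort_key):
        if isinstance(value, dict):
            mode, oid = b"40000", tree_id(value)
        else:
            mode, oid = b"100644", blob_id(value)
        body += mode + b" " + name.encode() + b"\0" + bytes.fromhex(oid)
    return git_object_id("tree", body)


def verify_tree(local: dict, expected_tree_id: str) -> bool:
    """The check from the thread: recompute the local tree's id and compare it
    with the id the server publishes (e.g. `git rev-parse HEAD^{tree}`)."""
    return tree_id(local) == expected_tree_id


# Constructed sample source tree (not a real project)
SAMPLE = {"README": b"hello\n", "src": {"main.c": b"int main(void){return 0;}\n"}}

if __name__ == "__main__":
    print("sample tree id:", tree_id(SAMPLE))
    print("matches itself:", verify_tree(SAMPLE, tree_id(SAMPLE)))
```

A matching id only shows that the checkout is byte-for-byte what the published id names; whether that id is the one the maintainers intended still rests on a signed tag or commit. Git has hashed with a collision-detecting SHA-1 implementation since version 2.13, which is its answer to the SHA-1 collision concern raised in the thread.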