
#26 2011-03-22 19:29:21

songandsilence
Member
From: Burlingame, KS, USA
Registered: 2010-12-01
Posts: 28

Re: Arch Package Signing issue getting big on Reddit

Why not just publish MD5 and/or SHA1 checksums on the package listing pages, and if the user wants to check the validity of the packages, they'll have the ability to?

If not, it seems good to include in the next version of pacman... something along the lines of "pacman -Si" also displaying MD5 or SHA1 checksum information? I'm no dev, so please don't flame...

Last edited by songandsilence (2011-03-22 19:31:51)


#27 2011-03-22 23:59:58

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,358

Re: Arch Package Signing issue getting big on Reddit

songandsilence wrote:

Why not just publish MD5 and/or SHA1 checksums on the package listing pages

Which are just as vulnerable to attack (single point of failure) as the various mirrors.

Implementation of security measures cannot and should not be done haphazardly. In general, opinions which start with "don't you JUST have to..." are not well thought out and do not actually improve security.

The manner in which things may technically be accomplished is discussed on pacman-dev. I don't have the technical competency to verify/understand how well it works, so I can only trust that those who ARE working on it do. I'd say the same applies to most people reading this, hence 'suggestions' of this sort won't really help anything.

Summary? Technical discussion on implementation should be in [pacman-dev] :)


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matter's attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
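The point ngoonee makes above (a checksum published on the same infrastructure as the package is just another thing the attacker rewrites, whereas a signature made with a key the mirror never holds is not) can be shown in a few lines. The following is an added example and not code from the thread or from pacman; it models the mirror, the packager and the compromise as constructed values and uses Ed25519 from the Go standard library as a stand-in for the GPG-based signing being worked on in pacman-dev. SHA-256 is used in place of the MD5/SHA-1 suggested in the post; the argument does not depend on the digest's strength, since a controlled mirror republishes whatever digest matches its replacement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Mirror is a constructed model of one download location: it serves the
// package bytes together with whatever is published alongside them. Whoever
// controls the mirror (or the listing page) controls all three fields.
type Mirror struct {
	Package  []byte
	Checksum string // hex SHA-256 of Package, as a listing page would show it
	Sig      []byte // detached Ed25519 signature over Package
}

// publish models the packager: the checksum is derived from the package and
// the signature is made with a private key that never leaves the packager.
func publish(pkg []byte, priv ed25519.PrivateKey) Mirror {
	sum := sha256.Sum256(pkg)
	return Mirror{
		Package:  pkg,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(priv, pkg),
	}
}

// compromise models a mirror under hostile control: the package is replaced
// and a matching checksum is republished. The old signature is left in place
// because no private key is available to produce a new one.
func compromise(m Mirror, replacement []byte) Mirror {
	sum := sha256.Sum256(replacement)
	return Mirror{Package: replacement, Checksum: hex.EncodeToString(sum[:]), Sig: m.Sig}
}

// checksumOK is the "publish MD5/SHA1 on the listing page" check: it only
// confirms that the package matches the digest served from the same place.
func checksumOK(m Mirror) bool {
	sum := sha256.Sum256(m.Package)
	return hex.EncodeToString(sum[:]) == m.Checksum
}

// signatureOK verifies against a public key the client obtained out of band
// (for example shipped with the package manager), never from the mirror.
func signatureOK(m Mirror, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, m.Package, m.Sig)
}

// Outcome records what each check says about an honest and a tampered mirror.
type Outcome struct {
	HonestChecksum, HonestSignature     bool
	TamperedChecksum, TamperedSignature bool
}

// demo runs both checks against a constructed sample package before and after
// the mirror is compromised.
func demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	honest := publish([]byte("pkg: foo 1.0-1 (constructed sample payload)"), priv)
	tampered := compromise(honest, []byte("pkg: foo 1.0-1 (modified sample payload)"))
	return Outcome{
		HonestChecksum:    checksumOK(honest),
		HonestSignature:   signatureOK(honest, pub),
		TamperedChecksum:  checksumOK(tampered),
		TamperedSignature: signatureOK(tampered, pub),
	}, nil
}

func main() {
	o, err := demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("honest mirror:   checksum=%v signature=%v\n", o.HonestChecksum, o.HonestSignature)
	fmt.Printf("tampered mirror: checksum=%v signature=%v\n", o.TamperedChecksum, o.TamperedSignature)
}
```

The tampered mirror passes the checksum check and fails the signature check, which is exactly the single point of failure the reply describes: the checksum only ever proves the download matches what the mirror chose to publish. The remaining trust problem is the same one pacman-dev has to solve, namely how the client gets the right public key in the first place.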


#28 2011-03-23 15:04:11

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,094

Re: Arch Package Signing issue getting big on Reddit


Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest


#29 2011-03-23 23:10:38

ssri
Member
Registered: 2010-02-16
Posts: 216

Re: Arch Package Signing issue getting big on Reddit

Condoms are not guaranteed 100% safe either.

Last edited by ssri (2011-03-24 02:52:16)


#30 2011-03-23 23:55:48

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: Arch Package Signing issue getting big on Reddit


#31 2011-03-24 17:21:26

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602
Website

Re: Arch Package Signing issue getting big on Reddit

Since LWN decided to write a rather questionable one-sided article, I've written a rather lengthy but hopefully insightful blog post on this whole debacle: http://www.toofishes.net/blog/real-stor … e-signing/


#32 2011-03-24 18:15:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Arch Package Signing issue getting big on Reddit


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#33 2011-03-24 18:16:16

mundane
Banned
Registered: 2011-03-23
Posts: 49

Re: Arch Package Signing issue getting big on Reddit

Thanks, toofishes, for writing that! I am shocked by the LWN article at how absurdly one-sided it is. They obviously don't realise how much of a troll IG is and seem to take his word for truth.

Unfortunately, after LWN exposure and the number of hits his blog will get, IG's head will now grow larger than the earth itself :o

Last edited by mundane (2011-03-24 18:17:37)


#34 2011-03-24 18:19:18

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: Arch Package Signing issue getting big on Reddit

Does anyone have a link to the LWN article... I'd just like to read it for laughs and to see if it's a replica of IG's blog

EDIT: Never mind... I was still reading through Dan's blog post... found the link

Last edited by Inxsible (2011-03-24 18:20:58)


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !


#35 2011-03-24 18:21:05

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch Package Signing issue getting big on Reddit

Inxsible wrote:

Does anyone have a link to the LWN article... I'd just like to read it for laughs and to see if it's a replica of IG's blog

http://lwn.net/SubscriberLink/434990/4c611307c60a7ae1/


#36 2011-03-24 18:31:08

tvale
Member
From: Portugal
Registered: 2008-12-11
Posts: 175

Re: Arch Package Signing issue getting big on Reddit

Thank you for clarifying things for us. :-)


#37 2011-03-24 21:01:20

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: Arch Package Signing issue getting big on Reddit

Just found this by IG : http://igurublog.wordpress.com/2011/03/19/had-a-gnuff/

IgnorantGurus' blog wrote:

Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, I also had a light bulb which has so far been dim, light up. I could never understand Arch dev Allan McRae’s reluctance to just sign the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users’ security than have people abandon HIS project.

Either way, this also got me thinking how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little less than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.

I don't know why he makes everything so personal. :|




#38 2011-03-24 21:06:30

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch Package Signing issue getting big on Reddit

Inxsible wrote:

Just found this by IG : http://igurublog.wordpress.com/2011/03/19/had-a-gnuff/

IgnorantGurus' blog wrote:

Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, I also had a light bulb which has so far been dim, light up. I could never understand Arch dev Allan McRae’s reluctance to just sign the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users’ security than have people abandon HIS project.

Either way, this also got me thinking how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little less than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.

I don't know why he makes everything so personal. :|

Yes, nobody came up with patches for package signing for years, but people will fork Arch - any day now.

There's already a bunch of Arch-based distros to choose from: https://wiki.archlinux.org/index.php/Ar … s_(Active)

Last edited by karol (2011-03-24 21:11:47)


#39 2011-03-24 21:11:06

SS4
Member
From: !Rochford, Essex
Registered: 2010-12-05
Posts: 699

Re: Arch Package Signing issue getting big on Reddit

From what I understand it is only IgnorantGuru and his sock puppet accounts that have kicked up any fuss about this?


No smoking


#40 2011-03-24 21:42:58

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Arch Package Signing issue getting big on Reddit

SS4 wrote:

From what I understand it is only IgnorantGuru and his sock puppet accounts that have kicked up any fuss about this?

seems so, yes.

Make no mistake, however, of believing that others simply don't care, just because they are not obnoxious.

It isn't that others don't recognize that a lack of package signing is an issue. Even the pacman devs themselves realize it, as you can see from toofishes' mailing list links and the historical perspective he provided in his rebuttal.

It is simply that others perhaps do not have enough time, skill, or issue relevance to create the patches necessary to make it happen -- and are not the type of people who feel libel and social blackmail are viable ways to get their way.

Last edited by cactus (2011-03-24 21:45:58)




#41 2011-03-24 21:56:11

barzam
Member
From: Sweden
Registered: 2009-01-27
Posts: 277

Re: Arch Package Signing issue getting big on Reddit

Great post, Dan.

For what it's worth, I really appreciate the effort the Arch developers put into this distribution. Package signing isn't a big deal for me, really, but I can still see the point in it, and I trust you will implement it sooner or later.


#42 2011-03-25 03:06:48

bones
Member
From: Brisbane
Registered: 2006-03-24
Posts: 322
Website

Re: Arch Package Signing issue getting big on Reddit

I don't know sometimes. Where is it written that you have to use a product that you don't like or agree with? If you ain't paying for it, then don't use it, go use something else and stop complaining; nobody has a gun to your head.
Seems some people just love to bitch about things because they have nothing better to do.


"When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been, and there you will always long to return."


#43 2011-03-25 04:54:52

Fingel
Member
Registered: 2009-02-28
Posts: 105

Re: Arch Package Signing issue getting big on Reddit

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.


#44 2011-03-25 04:57:10

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: Arch Package Signing issue getting big on Reddit

Fingel wrote:

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.

https://bbs.archlinux.org/viewtopic.php … 78#p907878

It seems you are late to the party!! :P




#45 2011-03-25 04:59:56

Fingel
Member
Registered: 2009-02-28
Posts: 105

Re: Arch Package Signing issue getting big on Reddit

Inxsible wrote:
Fingel wrote:

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.

https://bbs.archlinux.org/viewtopic.php … 78#p907878

It seems you are late to the party!! :P

Oh hey look at that! I was in Disneyland, can you blame me? :P
Thanks for the writeup toofishes. Btw here is the reddit link where I found it:
Link


#46 2011-03-25 06:53:49

mundane
Banned
Registered: 2011-03-23
Posts: 49

Re: Arch Package Signing issue getting big on Reddit

Fingel wrote:
Inxsible wrote:
Fingel wrote:

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.

https://bbs.archlinux.org/viewtopic.php … 78#p907878

It seems you are late to the party!! :P

Oh hey look at that! I was in Disneyland, can you blame me? :P
Thanks for the writeup toofishes. Btw here is the reddit link where I found it:
Link

You were late to that party too :P

https://bbs.archlinux.org/viewtopic.php … 98#p907898


#47 2011-03-25 10:31:27

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: Arch Package Signing issue getting big on Reddit

When pacman eventually includes signing, I expect to see a blog entry titled: "How I fixed package signing in Arch". Maybe it's already written and waiting in the queue to be released...


#48 2011-03-25 11:40:29

ssri
Member
Registered: 2010-02-16
Posts: 216

Re: Arch Package Signing issue getting big on Reddit

KimTjik wrote:

When pacman eventually includes signing, I expect to see a blog entry titled: "How I fixed package signing in Arch". Maybe it's already written and waiting in the queue to be released...

You cannot deny that there has been an uptick of activity in the gpg branch of pacman-git (http://projects.archlinux.org/users/all … log/?h=gpg) after his initial post. Sadly, this whole brouhaha may set a precedent on how to get things "done". The response will transition from "patches welcome" to "talk is cheap, show me the code." Actually, I think the latter is better because it is more up-front and less obfuscating.

Last edited by ssri (2011-03-25 11:47:48)


#49 2011-03-25 11:45:23

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,473
Website

Re: Arch Package Signing issue getting big on Reddit

Note that this is not new activity. It is mainly cleaning up old patches to apply on the current code base.

e.g. the patch at the top:
author    Allan McRae <allan@archlinux.org>    2010-11-24 07:22:32 (GMT)
committer    Dan McGee <dan@archlinux.org>    2011-03-23 08:59:21 (GMT)


#50 2011-03-25 12:37:28

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Arch Package Signing issue getting big on Reddit

First there was ESR, RMS, now there's McGee and McRae.

Is Arch ruled by Scotchmen?


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
You learn that sarcasm does not often work well in international forums. That is why we avoid it. -- ewaller (arch linux forum moderator)

