
#51 2011-03-25 12:42:58

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: Arch Package Signing issue getting big on Reddit

ssri wrote:
KimTjik wrote:

When pacman eventually will include signing I expect to see a blog entry titled: "How I fixed package signing in Arch". Maybe it's already written waiting in queue to be released...

You cannot deny that there has been an uptick of activity in the gpg branch of pacman-git (http://projects.archlinux.org/users/all … log/?h=gpg) after his initial post. Sadly, this whole brouhaha may set a precedent on how to get things "done". The response will transition from "patches welcome" to "talk is cheap, show me the code." Actually, I think the latter is better because it is more up-front and less obfuscating.

I cannot deny that I've followed these discussions and related information since long before IgnorantGuru started his blog. Less obfuscating or not, I think it kills the whole idea of a FOSS community.

I would also appreciate the implementation of signed packages, even though it doesn't guarantee a secure system. I don't have the knowledge to help out and I honestly don't have any spare time to learn yet another set of skills. I type fast and messages I post on the Web are usually a product of a couple of minutes; a kind of rest between tasks. Hence my contributions are limited to a few additions to the Wiki. The realization of my own situation serves as a restriction for what I can expect of others. That's why I despise this strategy of twisting a technical matter into accusations about ill will, not only directed at developers, moderators, but the majority of the Arch community. We can however feel thankfulness that this uproar, revolt, doesn't concern anything critical to world peace and security, if so yet another bloody conflict could have been started.

I doubt it's a sustainable working model that shouting the loudest sets the agenda for all. A person who admits to not liking to cooperate with others on projects cannot set the standard for a community, can he?

Offline

#52 2011-03-25 13:17:17

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Arch Package Signing issue getting big on Reddit

If we really get package signing due to this one person throwing a tantrum, it will really set a bad precedent on how one should behave in the community.

Seriously, I'd rather that the devs stop development on package signing than just give in, if just to teach people that such behaviour is not appropriate.

...God, when I talk about IgnorantGuru, I feel like I'm dealing with a child here.


Memento mori

Offline

#53 2011-03-25 13:23:17

mundane
Banned
Registered: 2011-03-23
Posts: 49

Re: Arch Package Signing issue getting big on Reddit

zodmaner wrote:

If we really get package signing due to this one person throwing a tantrum, it will really set a bad precedent on how one should behave in the community.

Seriously, I'd rather that the devs stop development on package signing than just give in, if just to teach people that such behaviour is not appropriate.

Well, I see what you're saying, but that would be a very bad idea if the devs stopped developing it just to make a point...that would make them just as childish as IG (and obviously I don't expect the devs to do that, they are orders of magnitude more mature than IG).

And it's already clear to most that IG's behaviour is inappropriate, but that unfortunately doesn't stop some people from siding with him.

Last edited by mundane (2011-03-25 13:25:52)

Offline

#54 2011-03-25 13:29:03

karol
Archivist
Registered: 2009-05-06
Posts: 25,433

Re: Arch Package Signing issue getting big on Reddit

zodmaner wrote:

If we really get package signing due to this one person throwing a tantrum, it will really set a bad precedent on how one should behave in the community.

Seriously, I'd rather that the devs stop development on package signing than just give in, if just to teach people that such behaviour is not appropriate.

...God, when I talk about IgnorantGuru, I feel like I'm dealing with a child here.

IG is right, we don't have package signing, and maybe that info should have been more prominently displayed, but he could have just edited the wiki to include this valuable info.

Neither LWN nor his blog is "bringing this issue to light" as it's by far the most voted for bug in the bugtracker
https://bugs.archlinux.org/task/5331
https://bugs.archlinux.org/index.php?pr … l&switch=1
so it's not like just IG wants it bad.

The second most voted bug is FS#16394 - Split Packages in AUR, 38 votes, over a hundred votes less.
But Arch is not a democracy, if you want something done, you ask on the ML how you can contribute. Whining (and voting) alone won't get you far.

Offline

#55 2011-03-25 13:42:56

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Arch Package Signing issue getting big on Reddit

mundane wrote:

Well, I see what you're saying, but that would be a very bad idea if the devs stopped developing it just to make a point...that would make them just as childish as IG (and obviously I don't expect the devs to do that, they are orders of magnitude more mature than IG).

Yes, I agree with you. Let us ignore the guy and get on with our lives.


Memento mori

Offline

#56 2011-03-25 16:32:28

ssri
Member
Registered: 2010-02-16
Posts: 213

Re: Arch Package Signing issue getting big on Reddit

Hey, at least all of this being in the news may save the lead devs from any legal liabilities, particularly those living or having property in the litigation-happy USA.  Even though Arch is not a corporation, you can still sue non-merchants (meaning lead devs) for pushing out a product/good (as defined in the UCC) with its security risk deliberately hidden (in the eyes of a jury using the reasonableness standard).  Although it is a stretch, it is still doable.  Oh yeah, IANAL

Last edited by ssri (2011-03-25 16:43:42)

Offline

#57 2011-03-25 19:04:36

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Arch Package Signing issue getting big on Reddit

karol wrote:

IG is right, we don't have package signing, and maybe that info should have been more prominently displayed, but he could have just edited the wiki to include this valuable info.

I'm not about to say the guy's initial point--that package signing is an invaluable idea and needs to be implemented--isn't without merit (and I agree with it), but I will say that his manner in addressing the issue is childish, alarmist nonsense, just general rabble-rousing and tantrum throwing (though his efforts with paccheck deserve acknowledgment). However, in all fairness, I was aware of the lack of package signing before I ever installed Arch, because I looked into Arch before switching to it. The Arch Wikipedia page mentions it, for one thing, citing the mailing list archive as a reference; there's also an interview on Distro Watch with Judd Vinet dating back to 2003 that mentions a lack of it (and the history of development can be traced, as mentioned by others). I asked myself important questions, looked over the various aspects of Arch in the wiki and the forums, reasoned out that the risk to myself didn't outweigh the benefits, and there were steps I could take to make my own system as secure or more than the average PC. In the spirit of Arch, those who don't bother to do a little research, educate themselves, and take measures to protect themselves (instead listening to fanfolks' accolades or to rants like IG's to make their decisions) won't do too well here--or arguably anywhere, since they'll only get as far as others' opinions allow them to go. Anyone who's gonna stake potentially important and sensitive data ought to learn how to take measures to protect it, and needs to evaluate the risk to themselves, instead of holding someone else wholly responsible.

ssri wrote:

Hey, at least all of this being in the news may save the lead devs from any legal liabilities, particularly those living or having property in the litigation-happy USA.

See Above.

Offline

#58 2011-03-25 20:03:09

sctincman
Member
From: CO (USA)
Registered: 2009-04-08
Posts: 85

Re: Arch Package Signing issue getting big on Reddit

ssri wrote:

Hey, at least all of this being in the news may save the lead devs from any legal liabilities, particularly those living or having property in the litigation-happy USA.  Even though Arch is not a corporation, you can still sue non-merchants (meaning lead devs) for pushing out a product/good (as defined in the UCC) with its security risk deliberately hidden (in the eyes of a jury using the reasonableness standard).  Although it is a stretch, it is still doable.  Oh yeah, IANAL

There's the warranty section of pretty much every open source license--warning there is no warranty and the copyright holders are not responsible/liable for any damages sustained, etc.

...but of course that wouldn't stop someone from trying and creating headaches :P

Offline

#59 2011-05-02 08:08:23

ksira
Member
Registered: 2009-10-27
Posts: 31

Re: Arch Package Signing issue getting big on Reddit

A friend just pointed out to me that Arch isn't secure and that I should ditch it. I wouldn't just do that, so I read into it and found the whole signing issue.

All of this uproar about signing seems silly to me, especially when you think about the factors involved. Still it will be nice to see it implemented. My thought is that there are much better targets for an attacker.

Even if you had package signing with pacman, what would prevent someone from attempting the same Man in the Middle attack in-between upstream and the Arch developer?

Furthermore, what is to say that the Arch developer's compiler or another tool has not been compromised in a situation outlined by K. Thompson in this article:
http://cm.bell-labs.com/who/ken/trust.html

Why would a bad guy want to go after users, when he could go after the devs? I mean it's not like it's any secret who the Arch devs are. Once you break their security, you have compromised everyone.  Shouldn't we be much more worried about someone getting to Linus' box than our own machines with these sorts of issues. This issue is not badly written code causing a vulnerability like a Firefox zero day exploit, it is someone injecting a Trojan horse into correctly written code.

Offline

#60 2011-05-02 08:30:49

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: Arch Package Signing issue getting big on Reddit

ksira wrote:

Why would a bad guy want to go after users, when he could go after the devs? I mean it's not like it's any secret who the Arch devs are. Once you break their security, you have compromised everyone.  Shouldn't we be much more worried about someone getting to Linus' box than our own machines with these sorts of issues. This issue is not badly written code causing a vulnerability like a Firefox zero day exploit, it is someone injecting a Trojan horse into correctly written code.

Absolutely, no one knows exactly how many backdoors there are in popular software. See for instance the ProFTPD hack a few months ago: http://isc.sans.edu/diary.html?storyid=10024


ᶘ ᵒᴥᵒᶅ

Offline

#61 2011-05-02 08:47:50

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 6,856

Re: Arch Package Signing issue getting big on Reddit

ksira wrote:

Why would a bad guy want to go after users, when he could go after the devs? I mean it's not like it's any secret who the Arch devs are. Once you break their security, you have compromised everyone.  Shouldn't we be much more worried about someone getting to Linus' box than our own machines with these sorts of issues. This issue is not badly written code causing a vulnerability like a Firefox zero day exploit, it is someone injecting a Trojan horse into correctly written code.

Everybody thinks himself more important than most of the plebes around him, duncha know? No one likes acknowledging that they're just one of the herd, and all that. That's probably part of the 'cool'-ness of using Linux in the first place, especially when people look at your compiz cube (or tiled screen) and say "what the hell is that?"


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline
