-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/20/2016 02:19 PM, Georgi Guninski wrote:
> On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On the downside, it makes denying that you wrote something all
>> but impossible - "somebody stole my signing key and its pass
>> phrase" is not what someone who is trying to avoid embarrassment
>> would like to say.
>>
>
> lol, tell this to the gpg's guys and gals, who completely
> compromised the El Gamal's signing keys
Oh dear. That implies that the DEB and RPM package managers are blown
wide open, as both use GPG for integrity checks. At least this
explains why everybody gets rooted all the time.
We gonna have to compile and install from source signed by the
devel... um, heh heh, signed with what? Houston, come in? Anybody
down there?
No. The Debian maintainers revoked all their ElGamal signing keys. It was a big fuck up, but it's been dealt with. The problem is the larger issue of writing secure software and building services/processes that depend on that software. There needs to be more defense in depth, where a single broken primitive can't compromise the whole chain. Signing commits, publishing them in multiple independent places, reproducible builds, extensive test suites. Of course, this is all unglamorous work that's hard to get volunteers to do unless they're really passionate about end-to-end security, i.e. the hard, dirty stuff that requires interacting with other humans, as opposed to individual security primitives which tend to be more standalone and thus easier for someone to work on in their spare time.
> and to debian, who memset() what they read from /dev/random.
Sounds like a personal issue to me...
> search the interwebz for references.
TL;DR
teh intertubes has too big, probably over 9000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJX4bDnAAoJEECU6c5XzmuqPqcIALe915KwejZB6uNapRyaR2bh
UvCO/Obw+qiBlVBXn5kJJPUWWmF0pi8H3q1q+THWbuGJUnXojzFR3lpQYIf/z5Iz
QqdSQr0mbbA4ffRncpBXwtMH9Yh//NHSHxJ4wimg4RmDuunNgJyLosWvXCaFSZaC
mlKuf71P8CsL5Yxx/5ze9APa7B8FFygL/Z7PMaT7WtVGD3rUh++E0hBmB8DEEYjG
PlPfI5oeoAuTQpDEOv0aH8Hn4mIPhPhR7OP3Dz6TSvki6sYkDb0HPlR6WxANiVO3
K1GVYTMydR1xAlB4wpHsRJPdZ5nhWAnCb3fFRFqRunHmEbi74WTMFarC7hyFhjE=
=P36O
-----END PGP SIGNATURE-----