on communication - gpg's el gamal and debian's openssl

Sean Lynch seanl at literati.org
Tue Sep 20 15:47:47 PDT 2016


On Tue, Sep 20, 2016, 14:58 Steve Kinney <admin at pilobilus.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 09/20/2016 02:19 PM, Georgi Guninski wrote:
> > On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>
> >> On the downside, it makes denying that you wrote something all
> >> but impossible - "somebody stole my signing key and its pass
> >> phrase" is not what someone who is trying to avoid embarrassment
> >> would like to say.
> >>
> >
> > lol, tell this to the gpg's guys and gals, who completely
> > compromised the El Gamal's signing keys
>
> Oh dear.  That implies that the DEB and RPM package managers are blown
> wide open, as both use GPG for integrity checks.  At least this
> explains why everybody gets rooted all the time.
>
> We gonna have to compile and install from source signed by the
> devel... um, heh heh, signed with what?  Houston, come in?  Anybody
> down there?
>

No. The Debian maintainers revoked all their ElGamal signing keys. It was a
big fuck up, but it's been dealt with. The problem is the larger issue of
writing secure software and building services/processes that depend on that
software. There needs to be more defense in depth, where a single broken
primitive can't compromise the whole chain. Signing commits, publishing
them in multiple independent places, reproducible builds, extensive test
suites. Of course, this is all unglamorous work that's hard to get
volunteers to do unless they're really passionate about end-to-end
security, i.e. the hard, dirty stuff that requires interacting with other
humans, as opposed to individual security primitives which tend to be more
standalone and thus easier for someone to work on in their spare time.


> > and to debian, who memset() what they read from /dev/random.
>
> Sounds like a personal issue to me...
>
> > search the interwebz for references.
>
> TL;DR
>
> teh intertubes has too big, probably over 9000
>
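Added example, not part of the original message and not Debian or GnuPG tooling: a minimal sketch of the defense-in-depth idea in the reply above. It accepts an artifact only when a quorum of independent publishers (mirrors, reproducible-build rebuilders) report matching digests under several unrelated hash functions. The function names, source names and sample bytes are constructed for illustration.

```python
import hashlib

# Unrelated hash families, so a break in one is not enough to forge a match.
ALGORITHMS = ("sha256", "sha3_256", "blake2b")


def digests(data: bytes) -> dict:
    """Digest the artifact under every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def verify_artifact(data: bytes, attestations: dict, quorum: int):
    """Accept data only if at least `quorum` independent sources vouch for it.

    attestations maps a source name (mirror, rebuilder, signed commit log)
    to the {algorithm: hexdigest} record that source published. A source
    counts only if it lists every algorithm and every digest matches.
    Returns (accepted, agreeing_sources, dissenting_sources).
    """
    local = digests(data)
    agree, dissent = [], []
    for source, published in sorted(attestations.items()):
        ok = all(published.get(alg) == local[alg] for alg in ALGORITHMS)
        (agree if ok else dissent).append(source)
    return len(agree) >= quorum, agree, dissent


# Constructed sample data: one genuine release, one tampered copy.
RELEASE = b"constructed release tarball, version 1.0\n"
TAMPERED = RELEASE + b"extra bytes added in transit\n"

# Constructed attestations from hypothetical independent sources.
ATTESTATIONS = {
    "mirror-a": digests(RELEASE),
    "rebuilder-b": digests(RELEASE),   # reproducible build, same bytes
    "mirror-c": digests(TAMPERED),     # single compromised publisher
    "legacy-d": {"sha256": hashlib.sha256(RELEASE).hexdigest()},  # one hash only
}

if __name__ == "__main__":
    for name, blob in (("release", RELEASE), ("tampered", TAMPERED)):
        print(name, verify_artifact(blob, ATTESTATIONS, quorum=2))
```

The dissenting list matters as much as the verdict: a source that disagrees with the quorum, or that publishes only one digest, is a signal to investigate even when the artifact is accepted.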
More information about the cypherpunks mailing list