Mail Archives: geda-user/2021/08/13/21:18:38

X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
Date: Sat, 14 Aug 2021 01:17:00 +0000
From: "Branko Badrljica (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
To: geda-user AT delorie DOT com
Subject: Re: [geda-user] geda and pcb git repos inaccessible ?
Message-ID: <20210814011700.18723b69@(none)brane_wrks>
In-Reply-To: <CAJZxidBFpXjWSjWRdo71W7hM--naM9ohBo+-p_EY+rpddcWUMA@mail.gmail.com>
References: <20210813015127 DOT 43f5c7cd AT brane_wrks>
<xnh7fuds0u DOT fsf AT envy DOT delorie DOT com>
<6115ecdb DOT 1c69fb81 DOT ee1b6 DOT 51cfSMTPIN_ADDED_BROKEN AT mx DOT google DOT com>
<CAJZxidBFpXjWSjWRdo71W7hM--naM9ohBo+-p_EY+rpddcWUMA AT mail DOT gmail DOT com>
Organization: S5
X-Mailer: Claws Mail 4.0.0 (GTK+ 3.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com

On Fri, 13 Aug 2021 10:59:29 -0400
"Chad Parker (parker DOT charles AT gmail DOT com) [via geda-user AT delorie DOT com]"
<geda-user AT delorie DOT com> wrote:

> If you're concerned about maintaining the integrity of the source
> code as you download it, git makes it easy to compute and compare the
> hashes of your source tree with that of the server's.

Git wasn't made with great security in mind. Yes, it has hashes, but
those were broken. There was a case of a good attempt at source insertion
in the Linux kernel. Had it gone unnoticed, that source plant would have had a
HUGE/GLOBAL multiplicative effect. Everyone bases their kernel on
www.kernel.org.

It took them ages to change the hash and even the current version isn't
anything to write home about. And there probably are plenty of other
vulnerabilities and concerns.
I have nothing against git, but it isn't a tool for ensuring safety or
confidentiality or privacy as its priority.

Use the tool for the job. Users expect to be able to go about their
business without EVERYONE along the way taking notes of that.

That is, unless you happen to have other instructions - to keep it
open.

After all, geda/PCB do get used by an interesting crowd that the Surveillance
State has to keep its eye on.
But as I said, that would make you guys (not that well) hidden
participants.

> 
> If you don't trust the developers... well, there's nothing I can
> really do about that, other than to say that none of us are
> interested in gaining root access to any of your computing devices or
> networks. You can believe me or not. That's up to you.

I trust no one completely, much less usual strangers that I have never
met. Which is probably around the baseline standard - nothing
especially paranoid.

WRT trust in the state - we obviously already have an installed
omnipresent surveillance system that scores the behavioural patterns of
EVERY CITIZEN in REAL TIME (automatically):

https://www.reddit.com/r/conspiracy/comments/p3ja8j/personal_score_point_system_of_the_global/


and we have fresh things like "The Secrets Act" that will enable The
State to basically lock out ANYONE with an "inconvenient truth".
And the first batch of freshly jailed people is already being prepared.
And big platforms are trying to hide "The Secrets Act" in their new
usage rules:

https://www.reddit.com/r/conspiracy/comments/p3j13e/newest_changes_in_privacy_policies_and_forum/

> 
> Does this mean that there are zero security flaws? No. I don't think
> any of us are computer security professionals. We're mostly just
> engineers that enjoy coding. So, we do our best. If you find some
> issues, we'd welcome you pointing them out, or even better, providing
> a patch that fixes them.
> 
> --Chad
> 
> 
> On Thu, Aug 12, 2021 at 11:54 PM Branko Badrljica
> (brankob AT s5tehnika DOT net) [via geda-user AT delorie DOT com]
> <geda-user AT delorie DOT com> wrote:
> 
> > On Thu, 12 Aug 2021 21:58:57 -0400
> > DJ Delorie <dj AT delorie DOT com> wrote:
> >
> >
> > > You are an overly paranoid individual...
> >
> > Couple more things:
> >
> > 1. One of the methods of breaching the machines is timing attacks
> > and the usual exploits over networks. They breach your server through a
> > service and get to own it.
> >
> > 2. Servers such as yours have high "multiplicative effects". Your server
> > can further the attack on any client that connects to the git repo and
> > thus infect their machines through a similar or the very same attack
> > vector.
> >
> > 3. The world is full of an intertwined human swarm, engaged in a war. This
> > kind of stance exposes you and might make you seem like a participant
> > and thus a target. The norm for git is https transfers everywhere
> > outside a controlled internal LAN.
> > You are sticking out of the norm. If anyone
> > gets suspicious, you could be on a shortlist of hostile "suspects".
> > Swarms aren't known for lengthy legal processes, evidence
> > collecting, "innocent until proven guilty" etc etc.
> >

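The exchange above turns on what "compare the hashes of your source tree with the server's" actually checks. As an added illustration (editor's example, not code from the thread or from the gEDA/pcb projects): git names every object by a hash over a short header, "<type> <size>\0", followed by the raw content, so a downloaded file or directory can be re-hashed locally and compared with the id the server advertises. The block below does that for a constructed in-memory tree, with SHA-1 (git's default object format, the one the message calls broken) and SHA-256 (git's newer object format), and shows that one altered file changes the tree id. File names, contents and the "planted" edit are made up for the example.

```python
import hashlib


def git_object_id(kind: str, content: bytes, algo: str = "sha1") -> str:
    """git's object id: hash of the header "<kind> <size>\\0" plus the content.
    algo "sha1" is git's default object format; "sha256" is its newer format."""
    header = f"{kind} {len(content)}".encode("ascii") + b"\0"
    return hashlib.new(algo, header + content).hexdigest()


def git_blob_id(content: bytes, algo: str = "sha1") -> str:
    """Object id of a file's contents (what `git hash-object` prints)."""
    return git_object_id("blob", content, algo)


def git_tree_id(files: dict, algo: str = "sha1") -> str:
    """Object id of a flat directory. `files` maps name -> (mode, content).
    The tree body is "<mode> <name>\\0<binary blob id>" per entry, sorted by name
    (plain name order is enough here because there are no subdirectories)."""
    body = b""
    for name in sorted(files):
        mode, content = files[name]
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(git_blob_id(content, algo))
    return git_object_id("tree", body, algo)


def verify_tree(files: dict, expected_id: str, algo: str = "sha1") -> bool:
    """Recompute the tree id from the files actually on disk and compare it
    with the id the server advertised (e.g. from `git ls-tree` on the server)."""
    return git_tree_id(files, algo) == expected_id


# Constructed sample "source tree" (not real gEDA or pcb files).
SOURCE_TREE = {
    "Makefile": ("100644", b"all:\n\tcc -o pcb main.c\n"),
    "main.c": ("100644", b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n'),
}

# The same tree after a hypothetical "source plant": one file altered in transit.
TAMPERED_TREE = dict(SOURCE_TREE)
TAMPERED_TREE["main.c"] = ("100644", SOURCE_TREE["main.c"][1] + b"/* planted */\n")


if __name__ == "__main__":
    advertised = git_tree_id(SOURCE_TREE)  # the id the server would publish
    print("empty blob (sha1):", git_blob_id(b""))  # git's well-known e69de29b...
    print("tree (sha1):     ", advertised)
    print("tree (sha256):   ", git_tree_id(SOURCE_TREE, "sha256"))
    print("clean download verifies:   ", verify_tree(SOURCE_TREE, advertised))
    print("tampered download verifies:", verify_tree(TAMPERED_TREE, advertised))
```

The ids produced here match what `git hash-object` and `git ls-tree` print for the same bytes, so the comparison can be done against a real clone. The check only proves that what you downloaded is what the server holds; if the server itself has been modified, as the "multiplicative effect" point above worries about, the hashes agree anyway. Catching that needs signed tags or commits verified with `git verify-tag` / `git verify-commit` against a key obtained out of band.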