From owner-freebsd-current@freebsd.org Thu Dec 31 19:39:17 2020 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D085D4CCBA5 for ; Thu, 31 Dec 2020 19:39:17 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D6JPc73ZSz3k3q for ; Thu, 31 Dec 2020 19:39:16 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 0BVJd8u0080738 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 31 Dec 2020 11:39:08 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 0BVJd8VW080737; Thu, 31 Dec 2020 11:39:08 -0800 (PST) (envelope-from jmg) Date: Thu, 31 Dec 2020 11:39:08 -0800 From: John-Mark Gurney To: grarpamp Cc: freebsd-current@freebsd.org Subject: Re: HEADS UP: FreeBSD src repo transitioning to git this weekend Message-ID: <20201231193908.GC31099@funkthat.com> Mail-Followup-To: grarpamp , freebsd-current@freebsd.org References: <5fdc0b90.1c69fb81.866eb.8c29SMTPIN_ADDED_MISSING@mx.google.com> <20201218175241.GA72552@spindle.one-eyed-alien.net> <20201218182820.1P0tK%steffen@sdaoden.eu> <20201223023242.GG31099@funkthat.com> <20201223162417.v7Ce6%steffen@sdaoden.eu> <20201229011939.GU31099@funkthat.com> <20201229210454.Lh4y_%steffen@sdaoden.eu> <20201230004620.GB31099@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Thu, 31 Dec 2020 11:39:09 -0800 (PST) X-Rspamd-Queue-Id: 4D6JPc73ZSz3k3q X-Spamd-Bar: / X-Spamd-Result: default: False [0.24 / 15.00]; RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jmg]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[funkthat.com]; RBL_DBL_DONT_QUERY_IPS(0.00)[208.87.223.18:from]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; SPAMHAUS_ZRD(0.00)[208.87.223.18:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.96)[-0.964]; R_SPF_NA(0.00)[no SPF record]; FREEMAIL_TO(0.00)[gmail.com]; FORGED_SENDER(0.30)[jmg@funkthat.com,jmg@gold.funkthat.com]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:32354, ipnet:208.87.216.0/21, country:US]; FROM_NEQ_ENVFROM(0.00)[jmg@funkthat.com,jmg@gold.funkthat.com]; MAILMAN_DEST(0.00)[freebsd-current]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Dec 2020 19:39:17 -0000 grarpamp wrote this message on Wed, Dec 30, 2020 at 00:55 -0500: > > signatures of the magnet links > > Signing torrent.asc, with stronger or even same hash as BT > protocol, still serve purpose of authenticate torrent file back > to a signer to the degree therein, caveat their platform security, > caveat sha-1 inside torrent still being abuseable by third party, > caveat etc. With no torrent.asc there is nothing directly saying > the torrent file / infohash itself went through freebsd project. > Whether torrent or git or else, there can be useable scope > and case for such "stronger over weaker" constructions. There is already HTTPS to protect the "authenticity" of the magnet link. Yes, someone could vandalize the wiki page but I'm now subscribed and will notice it... Also, magnet links are not officially supported the project.. I provide them because I think it's useful, and there are some people who request them... One of the large parts of security is that not everyone knows the in's and out's of security, so people who don't know, will have heard that SHA-1 is a cryptographic hash, and assume that something is secure when using it. It's difficult to educate people on these points.. > gpg offers better hash algos than sha-1 these days, > all users should look into configuring and using it, > same goes for abandoning the old [a]symmetric algos > and weaker keys, made with old weak /dev/random, etc. > > One cannot sign or verify anything without knowing gpg first :) snapaid was designed to make it even easier... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."