Date:      Thu, 31 Dec 2020 11:39:08 -0800
From:      John-Mark Gurney <jmg@funkthat.com>
To:        grarpamp <grarpamp@gmail.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: HEADS UP: FreeBSD src repo transitioning to git this weekend
Message-ID:  <20201231193908.GC31099@funkthat.com>
In-Reply-To: <CAD2Ti2-4xS5n0+1oLOHyFh4+OCnwtNAAwMkkWzwRVDnt-xmb1Q@mail.gmail.com>
References:  <CANCZdfpb0MF+uoW=K3cQpL+3vNQjSBDeVMab5d4JJhUO4sy-2Q@mail.gmail.com> <5fdc0b90.1c69fb81.866eb.8c29SMTPIN_ADDED_MISSING@mx.google.com> <20201218175241.GA72552@spindle.one-eyed-alien.net> <20201218182820.1P0tK%steffen@sdaoden.eu> <20201223023242.GG31099@funkthat.com> <20201223162417.v7Ce6%steffen@sdaoden.eu> <20201229011939.GU31099@funkthat.com> <20201229210454.Lh4y_%steffen@sdaoden.eu> <20201230004620.GB31099@funkthat.com> <CAD2Ti2-4xS5n0+1oLOHyFh4+OCnwtNAAwMkkWzwRVDnt-xmb1Q@mail.gmail.com>

grarpamp wrote this message on Wed, Dec 30, 2020 at 00:55 -0500:
> > signatures of the magnet links
> 
> Signing torrent.asc, with a stronger or even the same hash as the BT
> protocol, still serves the purpose of authenticating the torrent file back
> to a signer to the degree therein, caveat their platform security,
> caveat the sha-1 inside the torrent still being abusable by a third party,
> caveat etc. With no torrent.asc there is nothing directly saying
> the torrent file / infohash itself went through the freebsd project.
> Whether torrent or git or else, there can be usable scope
> and case for such "stronger over weaker" constructions.

There is already HTTPS to protect the "authenticity" of the magnet
link.  Yes, someone could vandalize the wiki page but I'm now
subscribed and will notice it...

Also, magnet links are not officially supported by the project..  I
provide them because I think it's useful, and there are some people
who request them...

One of the large parts of security is that not everyone knows the
ins and outs of security, so people who don't know will have heard
that SHA-1 is a cryptographic hash, and assume that something is secure
when using it.  It's difficult to educate people on these points..

> gpg offers better hash algos than sha-1 these days,
> all users should look into configuring and using it,
> same goes for abandoning the old [a]symmetric algos
> and weaker keys, made with old weak /dev/random, etc.
> 
> One cannot sign or verify anything without knowing gpg first :)

snapaid was designed to make it even easier...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
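An added example, not code from this thread or from the FreeBSD project, to make the two layers of the exchange above concrete: a magnet link's btih is the SHA-1 of the torrent's info dict, so it binds the magnet only to the .torrent bytes, whereas a detached signature (torrent.asc) would vouch for the whole .torrent file and, through the infohash, for the magnet link derived from it. The sample torrent, the tracker URL and the trusted_sha256 value that stands in for a successful gpg --verify are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import parse_qs, quote, urlparse

# --- minimal bencode (BEP 3), enough for a single-file .torrent ---
def bencode(obj):
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys are bytes, emitted in bytewise-sorted order
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))

def _decode(data, i):
    """Decode one bencoded value at offset i; return (value, offset after it)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            out[k], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("bad bencode at offset %d" % i)

def info_bytes(torrent):
    """Raw bytes of the top-level 'info' value.  The infohash is SHA-1 over exactly
    these bytes (not a re-encoding), so the outer dict is walked by hand."""
    if torrent[:1] != b"d":
        raise ValueError("torrent is not a bencoded dict")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = _decode(torrent, i)
        start = i
        _, i = _decode(torrent, i)
        if key == b"info":
            return torrent[start:i]
    raise ValueError("torrent has no info dict")

def infohash(torrent):
    """SHA-1 of the info dict: the only thing a magnet link's btih identifies."""
    return hashlib.sha1(info_bytes(torrent)).hexdigest()

def file_digest(torrent):
    """SHA-256 over the whole .torrent: the bytes a detached signature (torrent.asc,
    checked with 'gpg --verify torrent.asc torrent') would vouch for."""
    return hashlib.sha256(torrent).hexdigest()

def magnet_for(torrent):
    name = _decode(info_bytes(torrent), 0)[0][b"name"].decode()
    return "magnet:?xt=urn:btih:%s&dn=%s" % (infohash(torrent), quote(name))

def magnet_infohashes(magnet):
    """btih values in a magnet link, normalised to lowercase hex (hex or base32 form)."""
    out = []
    for xt in parse_qs(urlparse(magnet).query).get("xt", []):
        if not xt.lower().startswith("urn:btih:"):
            continue
        h = xt[len("urn:btih:"):]
        if len(h) == 40:
            out.append(h.lower())
        elif len(h) == 32:
            out.append(base64.b32decode(h.upper()).hex())
    return out

def magnet_matches_torrent(magnet, torrent):
    return infohash(torrent) in magnet_infohashes(magnet)

def check_release(torrent, magnet, trusted_sha256):
    """Layer 1 stands in for the signature: the .torrent bytes must match a digest
    obtained out of band (trusted_sha256 here; in practice a good gpg --verify against
    a key you already trust).  Layer 2 binds the magnet to those same bytes through
    the SHA-1 infohash.  Without layer 1, layer 2 only says magnet and torrent agree
    with each other, not that either came from the project."""
    return file_digest(torrent) == trusted_sha256 and magnet_matches_torrent(magnet, torrent)

# Constructed sample (not a real FreeBSD image): single-file torrent with one piece.
SAMPLE_INFO = {
    b"name": b"FreeBSD-example-amd64-disc1.iso",
    b"piece length": 262144,
    b"length": 262144,
    b"pieces": hashlib.sha1(b"\x00" * 262144).digest(),  # one 20-byte piece hash
}
ANNOUNCE = b"udp://tracker.example.invalid:6969"  # assumed tracker URL
SAMPLE_TORRENT = bencode({b"announce": ANNOUNCE, b"info": SAMPLE_INFO})
# Same name and size, different content: a substituted image.
TAMPERED_TORRENT = bencode({b"announce": ANNOUNCE, b"info": {
    **SAMPLE_INFO, b"pieces": hashlib.sha1(b"\xff" * 262144).digest()}})

if __name__ == "__main__":
    magnet = magnet_for(SAMPLE_TORRENT)
    trusted = file_digest(SAMPLE_TORRENT)  # the value torrent.asc would sign over
    print("magnet   :", magnet)
    print("genuine  :", check_release(SAMPLE_TORRENT, magnet, trusted))
    print("tampered :", check_release(TAMPERED_TORRENT, magnet, trusted))
```

The order matters: verify the .torrent file first, then derive the btih from the verified file and compare it with whatever magnet link you were handed, rather than trusting a btih copied from a wiki page. The infohash layer is still SHA-1, which is the weaker link grarpamp's caveat refers to; the signature over the full file is what makes the construction "stronger over weaker".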
