tinono: ey
up_the_irons: please don't forget my ne2k_pci ticket, I'd be glad to have it done when I wake up in a few hours :-) ***: tinono has quit IRC (Quit: Page closed)
cedwards has quit IRC (Ping timeout: 264 seconds)
cedwards has joined #arpnetworks
cedwards_ has joined #arpnetworks
cedwards has quit IRC (Read error: Connection reset by peer)
heidar has quit IRC (Ping timeout: 264 seconds)
heidar has joined #arpnetworks
nesta has quit IRC (Ping timeout: 245 seconds)
nesta has joined #arpnetworks
RandalSchwartz has joined #arpnetworks
RandalSchwartz has quit IRC (Changing host)
RandalSchwartz has joined #arpnetworks
cpet has joined #arpnetworks cpet: hello nesta: hiya cpet: nesta: mind if i priv msg you? nesta: sure
go ahead cpet: up_the_irons: hit me up when you are around please. ***: cedwards_ is now known as cedwards
cedwards has quit IRC (Changing host)
cedwards has joined #arpnetworks
cpet has quit IRC (Quit: Lost terminal)
heavysixer has quit IRC (Quit: heavysixer)
fink has joined #arpnetworks
heda_ has joined #arpnetworks
heda has quit IRC (Ping timeout: 240 seconds)
heda_ is now known as heda
heda has quit IRC (Client Quit)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 252 seconds)
Sheath has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
Sheath has joined #arpnetworks
Sheath has quit IRC (Read error: Connection reset by peer)
Sheath has joined #arpnetworks
blovett has quit IRC (Quit: leaving)
Sheath has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
Sheath has joined #arpnetworks
Sheath is now known as Guest77152
jlgaddis has joined #arpnetworks
islandfox has quit IRC (Ping timeout: 240 seconds) jlgaddis: 32 packets transmitted, 5 packets received, 84.4% packet loss
round-trip min/avg/max/stddev = 97.851/104.179/112.136/6.145 ms nakano: any problem now?
112 packets transmitted, 23 received, 79% packet loss, time 110990ms
to my host..
(from 2 places UK/Japan.. so, looks not my side problem..) jlgaddis: =(
nakano: i started getting alerts from pingdom 44 mins ago ***: Guest77152 has quit IRC (Read error: Connection reset by peer) nakano: i just reported the same issue. but looks nobody here..
sounds yours and mine are on the same place.. ***: islandfox has joined #arpnetworks
Husky has joined #arpnetworks ww: http://world.ckan.net/
... oops... wrong channel nakano: looks better now.. but still something wrong.. ***: mjp has joined #arpnetworks cedwards: ohh joy. another discussion about how *BSD ports are insecure because they don't use signing keys. vcs: lol nesta: cedwards: ? cedwards: nesta: in one of the LUG channels I lurk in someone brought up this article [http://bsdly.blogspot.com/2010/10/if-it-runs-openbsd-it-has-to-be.html] as proof GPG signing is the one true way (tm) nesta: ahhhh
hehe
thanks ***: tinono has joined #arpnetworks tinono: cedwards: do you think gpg signing would hurt though? cedwards: I don't think it adds much, particularly in a ports-based environment. jpalmer: especially when an md5 checksum is verified unless deliberately disabled. tinono: I had the privilege of being flamed by Mr Deraadt once, because I asked why some sha256 check was failing
he told me to lower my expectations fink: tinono: that's good advice for life tinono: "a checksum can fail. it's ok." jpalmer: 2 people in the community I have little respect for: TDR and RMS. cedwards: I think the probability of someone gaining access to a GPG signing key is much higher than it is of altering both my local ports-tree and the upstream .tar.gz. jpalmer: both fairly intelligent, but both also seem to be of the mindset that we're not intelligent enough to make decisions for ourselves. tinono: I don't think the probability of such an attack is very high. still, it only takes one compromised makefile on the master cvs.
no need to alter any disfile jpalmer: I think more likely, is the source code itself being maliciously edited, that a port tarball. as we've seen in the past. tinono: yes
and once again, in most of those cases, the lack of signing was at fault. jpalmer: tinono: using a gpg sig for a port tarball doesn't help, if the projects source code itself is compromised. (think unrealircd a few months back) tinono: of course it doesn't jpalmer: then you're arguing apples and oranges. tinono: unrealircd took action, and now they sign releases. cedwards: I'm reminded of when the Red Hat / Fedora build server was compromised and they had to generate a new key. tinono: every step where tampering can be dangerous, signing can help nesta: tinono: unreal got drastically owned
they kinda had to to save face
but yeh.. tinono: indeed nesta: tis good anyway cedwards: in any case. I've argued this with this user a dozen times. He's Debian to the bone, and I prefer the ports system. tinono: so do i. i still think it could welcome some for of signing as an improvement :-p cedwards: I don't know that you get better than having an independent local copy of the md5/sha to verify the upstream .tar.gz tinono: that's the point of signing. you trust that the information contained in the port comes from where it's supposed to come. This information includes the sha/md5 for the distfile, but also the url for the distfile.
not to mention all the bad things a Makefile 'running' as root can do :-)
but ey, I'm not really losing sleep over it. just saying I guess it wouldn't hurt. jpalmer: I remain unconvinced that the extra effort would actually be beneficial. tinono: It might very well not be warranted. Talk is cheap. Those who have to support all that make the decisions, I'm fine with that :) jdoe: hrm
anything I should know about updating to 4.7? azmarco: just run -current =)
and follow src-changes. then upgrading is never really an issue ***: tinono has left
fink has quit IRC (Quit: fink)
fink has joined #arpnetworks
shatt_ is now known as shatt
schmir has joined #arpnetworks
fink has quit IRC (Quit: fink)