[00:26] *** tinono has joined #arpnetworks
[00:26] <tinono> ey
[00:27] <tinono> up_the_irons: please don't forget my ne2k_pci ticket, I'd be glad to have it done when I wake up in a few hours :-)
[01:13] *** tinono has quit IRC (Quit: Page closed)
[02:20] *** cedwards has quit IRC (Ping timeout: 264 seconds)
[02:24] *** cedwards has joined #arpnetworks
[02:48] *** cedwards_ has joined #arpnetworks
[02:50] *** cedwards has quit IRC (Read error: Connection reset by peer)
[02:50] *** heidar has quit IRC (Ping timeout: 264 seconds)
[02:51] *** heidar has joined #arpnetworks
[04:32] *** nesta has quit IRC (Ping timeout: 245 seconds)
[04:35] *** nesta has joined #arpnetworks
[05:18] *** RandalSchwartz has joined #arpnetworks
[05:18] *** RandalSchwartz has quit IRC (Changing host)
[05:18] *** RandalSchwartz has joined #arpnetworks
[06:01] *** cpet has joined #arpnetworks
[06:01] <cpet> hello
[06:07] <nesta> hiya
[06:08] <cpet> nesta: mind if i priv msg you?
[06:08] <nesta> sure
[06:08] <nesta> go ahead
[06:32] <cpet> up_the_irons: hit me up when you are around please.
[06:59] *** cedwards_ is now known as cedwards
[06:59] *** cedwards has quit IRC (Changing host)
[06:59] *** cedwards has joined #arpnetworks
[07:23] *** cpet has quit IRC (Quit: Lost terminal)
[07:51] *** heavysixer has quit IRC (Quit: heavysixer)
[10:25] *** fink has joined #arpnetworks
[11:51] *** heda_ has joined #arpnetworks
[11:53] *** heda has quit IRC (Ping timeout: 240 seconds)
[11:53] *** heda_ is now known as heda
[11:55] *** heda has quit IRC (Client Quit)
[12:21] *** heavysixer has joined #arpnetworks
[12:21] *** ChanServ sets mode: +o heavysixer
[12:24] *** schmir has joined #arpnetworks
[12:38] *** schmir has quit IRC (Ping timeout: 252 seconds)
[13:23] *** Sheath has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
[13:24] *** Sheath has joined #arpnetworks
[13:27] *** Sheath has quit IRC (Read error: Connection reset by peer)
[13:31] *** Sheath has joined #arpnetworks
[13:51] *** blovett has quit IRC (Quit: leaving)
[13:55] *** Sheath has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
[13:58] *** Sheath has joined #arpnetworks
[13:58] *** Sheath is now known as Guest77152
[13:59] *** jlgaddis has joined #arpnetworks
[14:00] *** islandfox has quit IRC (Ping timeout: 240 seconds)
[14:04] <jlgaddis> 32 packets transmitted, 5 packets received, 84.4% packet loss
[14:04] <jlgaddis> round-trip min/avg/max/stddev = 97.851/104.179/112.136/6.145 ms
[14:04] <nakano> any problem now?
[14:04] <nakano> 112 packets transmitted, 23 received, 79% packet loss, time 110990ms
[14:04] <nakano> to my host..
[14:04] <nakano> (from 2 places UK/Japan.. so, looks not my side problem..)
[14:04] <jlgaddis> =(
[14:05] <jlgaddis> nakano: i started getting alerts from pingdom 44 mins ago
[14:05] *** Guest77152 has quit IRC (Read error: Connection reset by peer)
[14:07] <nakano> i just reported the same issue. but looks nobody here..
[14:12] <nakano> sounds yours and mine are on the same place..
[14:14] *** islandfox has joined #arpnetworks
[14:17] *** Husky has joined #arpnetworks
[14:19] <ww> http://world.ckan.net/
[14:20] <ww> ... oops... wrong channel
[14:25] <nakano> looks better now.. but still something wrong..
[15:29] *** mjp has joined #arpnetworks
[16:42] <cedwards> ohh joy. another discussion about how *BSD ports are insecure because they don't use signing keys.
[17:27] <vcs> lol
[17:45] <nesta> cedwards: ?
[17:47] <cedwards> nesta: in one of the LUG channels I lurk in someone brought up this article [http://bsdly.blogspot.com/2010/10/if-it-runs-openbsd-it-has-to-be.html] as proof GPG signing is the one true way (tm)
[17:47] <nesta> ahhhh
[17:47] <nesta> hehe
[17:47] <nesta> thanks
[17:53] *** tinono has joined #arpnetworks
[17:55] <tinono> cedwards: do you think gpg signing would hurt though?
[17:56] <cedwards> I don't think it adds much, particularly in a ports-based environment.
[17:57] <jpalmer> especially when an md5 checksum is verified unless deliberately disabled.
[17:57] <tinono> I had the privilege of being flamed by Mr Deraadt once, because I asked why some sha256 check was failing
[17:58] <tinono> he told me to lower my expectations
[17:58] <fink> tinono: that's good advice for life
[17:58] <tinono> "a checksum can fail. it's ok."
[17:58] <jpalmer> 2 people in the community I have little respect for:  TDR and RMS.
[17:58] <cedwards> I think the probability of someone gaining access to a GPG signing key is much higher than it is of altering both my local ports-tree and the upstream .tar.gz.
[17:58] <jpalmer> both fairly intelligent,  but both also seem to be of the mindset that we're not intelligent enough to make decisions for ourselves.
[18:00] <tinono> I don't think the probability of such an attack is very high. still, it only takes one compromised makefile on the master cvs.
[18:00] <tinono> no need to alter any disfile
[18:01] <jpalmer> I think more likely,  is the source code itself being maliciously edited,  that a port tarball.   as we've seen in the past.
[18:01] <tinono> yes
[18:01] <tinono> and once again, in most of those cases, the lack of signing was at fault.
[18:02] <jpalmer> tinono: using a gpg sig for a port tarball doesn't help, if the projects source code itself is compromised.  (think unrealircd a few months back)
[18:03] <tinono> of course it doesn't
[18:03] <jpalmer> then you're arguing apples and oranges.
[18:03] <tinono> unrealircd took action, and now they sign releases.
[18:03] <cedwards> I'm reminded of when the Red Hat / Fedora build server was compromised and they had to generate a new key.
[18:03] <tinono> every step where tampering can be dangerous, signing can help
[18:03] <nesta> tinono: unreal got drastically owned
[18:04] <nesta> they kinda had to to save face
[18:04] <nesta> but yeh..
[18:04] <tinono> indeed
[18:04] <nesta> tis good anyway
[18:04] <cedwards> in any case. I've argued this with this user a dozen times. He's Debian to the bone, and I prefer the ports system.
[18:05] <tinono> so do i. i still think it could welcome some for of signing as an improvement :-p
[18:07] <cedwards> I don't know that you get better than having an independent local copy of the md5/sha to verify the upstream .tar.gz
[18:12] <tinono> that's the point of signing. you trust that the information contained in the port comes from where it's supposed to come. This information includes the sha/md5 for the distfile, but also the url for the distfile.
[18:13] <tinono> not to mention all the bad things a Makefile 'running' as root can do :-)
[18:13] <tinono> but ey, I'm not really losing sleep over it. just saying I guess it wouldn't hurt.
[18:17] <jpalmer> I remain unconvinced that the extra effort would actually be beneficial.
[18:18] <tinono> It might very well not be warranted. Talk is cheap. Those who have to support all that make the decisions, I'm fine with that :)
[19:05] <jdoe> hrm
[19:05] <jdoe> anything I should know about updating to 4.7?
[19:06] <azmarco> just run -current  =)
[19:07] <azmarco> and follow src-changes. then upgrading is never really an issue
[19:29] *** tinono has left 
[19:44] *** fink has quit IRC (Quit: fink)
[20:42] *** fink has joined #arpnetworks
[21:23] *** shatt_ is now known as shatt
[21:44] *** schmir has joined #arpnetworks
[22:28] *** fink has quit IRC (Quit: fink)