:: Re: [DNG] BAD sig with Devuan Jessi…
Góra strony
Delete this message
Reply to this message
Autor: Miroslav Rovis
Data:  
Dla: Jaromil
CC: dng
Temat: Re: [DNG] BAD sig with Devuan Jessie 1.0.0-RC
On 170424-12:13+0200, Jaromil wrote:
>
>
> dear Miroslav,
>
> first of all thanks for your attention to details, your report and
> that of another person in private is helping to review small problems
> in the release process, one reason why this is an RC after all is that
> we shouldn't give anything for granted in this process, but battle
> test it as we are doing.

I'm really happy I was useful for Devuan which is a project that I
fervently believe in :) .

>
> The problem with shasums in installer-iso was multiple
>
> 1) the amd64 DVD list.gz was somehow incompletely transferred from the
>    build server

>
> 2) the shasums file I signed was the one of the build server, not the
>    final one on the files.devuan.org distribution server and across
>    these two server the filenames were changed (because we use a new
>    file naming convention that is more script friendly) but the change
>    was not reflected in the sha256 sums

>
>
> what i did to solve this now was:
>
> 1) transfer properly the list.gz (which does not affects the hashes
>    anyway, but ok that was not correct)

>
> 2) check that all the distributed iso files are matching with the
>    original ones that are on the build server, which is reachable only to
>    a few developers

>
> 3) resign the correct shasums file after careful checking, noticing
>    that no shasum has changed so the files stay the same and there was no
>    corruption

>
> I'm now working on an automation of the process in the future so that
> it can eliminate much of the errors made mostly because I operate it
> by hand.
>
> also this email is signed

Which verifies so nicely :) , our leader's fine PGP signature!

> ciao
>
>
>
>
> -- 
> ~.,_   Denis Roio aka Jaromil    http://Dyne.org think &do tank
>     "+.   CTO and co-founder      free/open source developers
>       @)   ⚷ crypto κρυπτο крипто गुप्त् 加密 האנוסים المشفره
>     @@)  GnuPG: 6113D89C A825C5CE DD02C872 73B35DA5 4ACB7D10
> (@@@)  opmsg:73a8e097a038d82b 8afb4c05804bda0d 281b3880fbc19b88

>
>


For the sake of other readers, so that they may understand more about
the cause, and also for reasons of sincerity, I'm attaching what I would
have posted at:

https://www.CroatiaFidelis.hr/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
(
but delayed readers are likely to find there the page with Devuan's
correct and verifying sha256 sums!

Because all is fixed! See:

$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Mon 24 Apr 2017 12:09:25 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: Good signature from "Denis Roio (Jaromil) <jaromil@???>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6113 D89C A825 C5CE DD02  C872 73B3 5DA5 4ACB 7D10
$
)


So [I'm attaching what I would have posted at] the above page. I don't
mean to bother you Jaromil about it, skim through it if you feel like,
but readers, pls. see what stressful time I had.

For the attachment, I simply ran:

$ lynx -dump \
http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php \
> devuan-iso-sig-1.txt


(where my website is in offline, where I prepare my website)

and without any modifications what I wrote in that text is what would
have appeared publicly. Pls. open attachment:

devuan-iso-sig-1.txt

Phew! The bad dream is over. Also sorry for my impatience and for
doubting there was hiding and worse...

Sorry for that! Also I was a little too harsh toward Rick. Sorry!

But I'm not touching that text, Not modifying one single bit. It is from
my state of mind and heart before Jaromil's email to which this email of
mine is a reply.

Also it wasn't a "successful attack on Devuan leader's PGP keys" like I
thought and wrote there, and thanks God for that!

And the only place it will remain (somewhat) published by me, (and with
relief instead of disappointment) is: in the attachment to this email.

Phew! Bad dream is over! Eviva Devuan! It's all much better than I
feared it were...

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
* [1]Croatia Fidelis
     * [2]FOSS
          + [3]Gentoo
               o [4]Building Cinelerra 1
               o [5]Building Cinelerra 2
               o [6]Building Cinelerra 3
     * [7]Other Main
          + [8]Other 01
          + [9]Other 02
     * [10]Other Yet


BAD sig on Devuan ISO 1

                                                    [11](No. 0)  [12]No. 1


I will simply employ my scripts [13]tshark-streams and
[14]tshark-hosts-conv now (ermh, actually [15]next). For developers
it's like drinking water to follow [16]here, but it is attainable
knowledge for (really) hardworking common users, whom I always have in
mind, as I like to spread good computing, and Devuan is the brightest
star around since relatively long. I wish this hasn't happened, and
that repeated security failures like this (

there were other issues that I reported, e.g. [17]default login
username and password for live Devuan media and [18]files.devua.org
cert expired --sic!, with that typo in the subject line-- that I know
of

), and I really hope that these few security failures make for lessons
having been learned by now, and that Devuan will be getting strong and
secure...

I started the [19]former, and participated by sending private notices
about the [20]latter of the two issues (because I wanted to help the
issue get fixed), and with some nostalgia I need to link at this time
to the correct behavior when it comes to telling Devuan team about
vulnerabilities:

[21]golinux's reply in "default login username and password for live
Devuan media".

And golinux, member of Devuan distro team (the great very loveable
themes and designs are of her making), also replied to my PMs about the
expired certificate.

Devuan moderators should live up to such kind and honorable standards
like golinux showed. The Dng ML moderator shouldn't really have
[22]completely misunderstood what my first message was about, probably
starting with a prejudice of member's (me) inferiority and dedicating
seconds to reading the message, and the few dozen extra kilobytes
should really have been allowed to the list...

I've wished/and advocated for systemd-free Debian distro, and
participated quite a lot in Debian Forums topics on the matter, mostly
those were the same topics where also golinux and edbarx (Edward
Bartolo) participated. I also subscribed very early to the Dng ML and
tried to help where I could but sadly I was even less skilled back
then.

Still, Devuan is my distro too.

If you search on Gentoo Forums you will find a lot of places where I
linked to events that were going on in Devuan, and you will often find
people appreciative of the information that I was spreading about
Devuan. And in many other places.

But, enough said about that.

OTOH, while I could really really not live with systemd, and I most
honestly wish Pöttering would leave FOSS and go and do what he is good
at, which is serving the big business interests, and not the freedom in
computing enshrined in the great unix GNU+Linux distros, neither do I
think hiding ("moderating") and censorship, if that be attemped,
because, now that I studied this issue for looong hours, this does very
much appear to be an successful attack on Devuan leader's PGP keys...

[But, while I most honestly wish Lennart Pöttering left our free FOSS
territory and went to work in what he is good at, which is serving the
big business,] neither do I think that hiding ("moderating") and
censorship could serve any good purpose...

Now it's too late anyway. If I had been replied to, be it in private
email, or on the mailing list, in any sensible way, because there are
very capable programmers that must have figured out much much earlier
than me... than that would have been possible...

It really only is starting to become clear to me how bad, although
probably not devastatingly disastrous, the issue seems to be. And some
of the really capable Devuan developers I'm sure got the full scale of
it if not earlier, than right after I sent my first mail, the one that
was dropped --is that really how reporters on vulnerabilities should be
treated? dropping their mail along with accusing them of, basically,
stupidity?-- from the list...

And for the first few hours since I became aware and wrote about the
issue, I was completely uncertain where the cause originated. Just read
my first emails where my complete uncertainty about it was obvious.

But instead of taking me at least somewhat seriously, alas! I was,
instead, by the Dng list moderator, basically offered to accept that,
and resignate to, how grotesquely stupid email I sent...

Which actions by that moderator kind of compelled me to study and show
how there was a lot of sense, sadly likely too much sense, in that
message...

So now that it is, due to inaction on the part of where getting
actionable should have been the way to go, and not hiding and not
outward silence, I have to conclude this matter and analyze the two
events, of 2017-04-23 16:42 and 2017-04-23 21:02.

In [23]No. 2.

And sincerely I hope I'm doing it for, longer term, more secure and
better Devuan. My distro as well.

And may the systemDestruction intruders into sacred FOSS territory
leave us alone!



   The site is (slowly) being redesigned.
   Some things may not work (well).
     * [24]Croatia Fidelis
     * [25]FOSS
          + [26]Gentoo
               o [27]Building Cinelerra 1
               o [28]Building Cinelerra 2
               o [29]Building Cinelerra 3
     * [30]Other Main
          + [31]Other 01
          + [32]Other 02
     * [33]Other Yet


[34]Creative Commons License
The works on www.CroatiaFidelis.hr, if not otherwise stated, are
licensed under [35]Creative Commons
Attribution-NonCommercial-ShareAlike 4.0 International License.

References

1. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
2. http://localhost/CroatiaFidelis/index.php
3. http://localhost/CroatiaFidelis/foss/gentoo/
4. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of.php
5. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of-2.php
6. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of-3.php
7. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
8. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
9. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
10. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
11. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/index.php
12. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
13. https://github.com/miroR/tshark-streams
14. https://github.com/miroR/tshark-hosts-conv
15. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-2.php
16. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-2.php
17. https://dev1galaxy.org/viewtopic.php?id=136
18. https://lists.dyne.org/lurker/thread/20170406.194939.4eb2ba45.en.html#20170406.194939.4eb2ba45
19. https://dev1galaxy.org/viewtopic.php?id=136
20. https://lists.dyne.org/lurker/thread/20170406.194939.4eb2ba45.en.html#20170406.194939.4eb2ba45
21. https://dev1galaxy.org/viewtopic.php?id=136#p575
22. https://lists.dyne.org/lurker/message/20170423.185106.042c90c7.en.html
23. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-2.php
24. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
25. http://localhost/CroatiaFidelis/index.php
26. http://localhost/CroatiaFidelis/foss/gentoo/
27. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of.php
28. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of-2.php
29. http://localhost/CroatiaFidelis/foss/gentoo/cinelerra-out-of-3.php
30. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
31. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
32. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
33. http://localhost/CroatiaFidelis/foss/cap/cap-170423-devuan-iso-sig/devuan-iso-sig-1.php
34. http://creativecommons.org/licenses/by-nc-sa/4.0/
35. http://creativecommons.org/licenses/by-nc-sa/4.0/