Development mailing list

Archive of posts for haiku-development at FreeLists

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 14:45
On 28.03.2014 at 20:46, Julian Harnath julian.harnath@xxxxxxxxxxxxxx wrote: Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: On 28.03.2014 at 15:46, Stephan Aßmus superstippi@xxxxxx wrote: It can't verify that the software contains no viruses or backdoors. Exactly. That was why I was against signing certificates … That doesn't make sense, if software is malicious or not has nothing to ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 14:45
On 28.03.2014 at 18:32, Ari Haviv arielbhaviv@xxxxxxxxx wrote: It's also something users don't care about...until after they are hit. That's when they get upset. It's a thankless job. Many developers (open source is not immune) are features oriented because they can show something now. It would be nice to see someone being proactive for a change. Well, I didn't want to stop after signed packages. But that was what I deemed the most necessary step, as every developer downloads unsigned packages during the build process and then later uploads packages. So all that's needed to ...
Categories: Development

[haiku-development] Re: Design for signed packages (Julian Harnath)

Sat, 2014-04-05 14:45
Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: On 28.03.2014 at 15:46, Stephan Aßmus superstippi@xxxxxx wrote: It can't verify that the software contains no viruses or backdoors. Exactly. That was why I was against signing certificates … That doesn't make sense, if software is malicious or not has nothing to do with signing or certificates -- the signing only ensures authenticity and integrity of a package. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Ari Haviv)

Sat, 2014-04-05 14:45
On Fri, Mar 28, 2014 at 1:17 PM, Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: On 28.03.2014 at 17:46, Matthew Getch getchmatthew@xxxxxxxxx wrote: Because of the current stage of the project and the direction that Haiku is going (Haiku is a fast, efficient, simple to use, easy to learn...) security on this level shouldn't be addressed until we've met all of these design goals. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 14:45
On 28.03.2014 at 17:46, Matthew Getch getchmatthew@xxxxxxxxx wrote: Because of the current stage of the project and the direction that Haiku is going (Haiku is a fast, efficient, simple to use, easy to learn...) security on this level shouldn't be addressed until we've met all of these design goals. Security is not a feature, but a thought process. You have to start thinking about it as early as possible and keep it in mind. We all saw what happened if you don't with Windows. It took them almost 10 years to get at least a little ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 14:45
On 28.03.2014 at 15:46, Stephan Aßmus superstippi@xxxxxx wrote: It can't verify that the software contains no viruses or backdoors. Exactly. That was why I was against signing certificates … That's not what this is about however, it's about verifying the authenticity of the entity requesting a certificate. … that, however, is more likely and I see no problem with that. Except maybe ...
Categories: Development

[haiku-development] Re: Design for signed packages (Matthew Getch)

Sat, 2014-04-05 12:45
I feel I should introduce myself before I actually make a comment on the matter, my name is Matthew and I'm a GSoC applicant who is relatively new to Haiku. I've been following the conversation for the last few days and feel that it's premature to introduce any signed packaging into Haiku. In particular the open source schema seems to almost reject the idea of any centralized control over the source code, this modularity is one of the real powers of open source projects and part of what makes Haiku so powerful. This modularity must be brought to a certain point before it can resemble being ...
Categories: Development

[haiku-development] Re: Design for signed packages (Stephan Aßmus)

Sat, 2014-04-05 12:45
On 28.03.2014 15:28, Jonathan Schleifer wrote: On 28.03.2014 at 04:00, waddlesplash ajcsweb@xxxxxxxxx wrote: Let me be frank here: I am not opposed to signed packages. I am opposed to too much paranoia. Simple signed packages, as in I guarantee this is in the state X Corp created it in and not Haiku, Inc tested this and verified that it both comes from X Corp ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 12:45
On 28.03.2014 at 10:42, Stephan Aßmus superstippi@xxxxxx wrote: I also think that signing packages can mean nothing more than that the package has not been tampered with since it was signed by its publisher, and that the publisher has been verified to be who he claims to be (by the certificate authority). That sounds very sane, including the part that signing a key only means that the key has been verified to belong to that person, but not making any claim about the software that key signs. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sat, 2014-04-05 10:45
On 28.03.2014 at 04:00, waddlesplash ajcsweb@xxxxxxxxx wrote: Let me be frank here: I am not opposed to signed packages. I am opposed to too much paranoia. Simple signed packages, as in I guarantee this is in the state X Corp created it in and not Haiku, Inc tested this and verified that it both comes from X Corp and is virus-free. The first is good, the second is paranoia IMO. Actually, that's exactly what I said. I proposed to not sign it by Haiku, Ingo proposed to be able to sign keys with other keys, e.g. with a Haiku Inc. Key. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Kingdon Barrett)

Sat, 2014-04-05 04:45
On Fri, Mar 28, 2014 at 8:52 AM, Kingdon Barrett kingdon@xxxxxxxxxxxxxxxxxx wrote: This is part of Windows 8 logo support for x86/64 machines. There is no requirement to allow user keys or SB deactivation on Windows 8 ARM machines at all, and many (how many different ARM/W8 machines are there?) actually don't support it. I don't think it's a concession to their evil plans at all, when they ...
Categories: Development

[haiku-development] Re: Design for signed packages (Kingdon Barrett)

Sat, 2014-04-05 02:45
I don't really have a position on this, other than... secure boot machines I've used have done some of the weirdest things (like apparently having permanently bricked WiFi in a Yoga 2 after loading up Ubuntu Linux LiveUSB for the first time, with bricked as in bricked)... I just wanted to mention, not really an inaccuracy in context but still I think slightly incomplete information: On Thu, Mar 27, 2014 at 4:50 PM, Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: ...
Categories: Development

[haiku-development] Re: Design for signed packages (Fredrik Holmqvist)

Fri, 2014-04-04 22:45
2014-03-28 10:42 GMT+01:00 Stephan Aßmus superstippi@xxxxxx: I think it is right on topic. A lot of the arguments from Jonathan seemed to be based on the thinking that these guarantees are actually possible to make. It probably deserves its own discussion, security and Haiku seems to be very much 'up in the air' at the moment. We probably should have a grand plan on what we want to achieve in that regard. Kind of wish there was a BeGeistert to talk about this in detail. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Stephan Aßmus)

Fri, 2014-04-04 18:45
On 28.03.2014 10:23, Fredrik Holmqvist wrote: 2014-03-28 4:00 GMT+01:00 waddlesplash ajcsweb@xxxxxxxxx: Let me be frank here: I am not opposed to signed packages. I am opposed to too much paranoia. Simple signed packages, as in I guarantee this is in the state X Corp created it in and not Haiku, Inc tested this and verified that it both comes from X Corp and is virus-free. The first is good, the second is paranoia IMO. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Fredrik Holmqvist)

Fri, 2014-04-04 18:45
2014-03-28 4:00 GMT+01:00 waddlesplash ajcsweb@xxxxxxxxx: Let me be frank here: I am not opposed to signed packages. I am opposed to too much paranoia. Simple signed packages, as in I guarantee this is in the state X Corp created it in and not Haiku, Inc tested this and verified that it both comes from X Corp and is virus-free. The first is good, the second is paranoia IMO. I'm not sure if this is really helpful or leading the discussion forward. At some point we need to discuss what should be signed and what guarantees we make, but this thread is about the design of a ...
Categories: Development

[haiku-development] Re: Design for signed packages (waddlesplash)

Fri, 2014-04-04 12:45
Let me be frank here: *I am not opposed to signed packages. I am opposed to too much paranoia.* Simple signed packages, as in I guarantee this is in the state X Corp created it in and not Haiku, Inc tested this and verified that it both comes from X Corp and is virus-free. The first is good, the second is paranoia IMO. You can buy Windows signing keys and sign viruses -- until someone catches you at it, that is. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Fri, 2014-04-04 02:45
On 28.03.2014 at 02:12, François Revol revol@xxxxxxx wrote: That's news to me, last I heard SecureBoot was mandatory on ARM... They had it mandatory on both, but changed the requirements for x86. I don't think ARM is relevant anyway, as there's almost nothing running Windows RT, and only those systems would be affected. It's also not different to other systems where the bootloader is locked, which is even the case for most Android devices. ...
Categories: Development