Development mailing list

Archive of posts for haiku-development at FreeLists

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Thu, 2014-04-03 18:45
On 27.03.2014 at 15:39, Fredrik Holmqvist fredrik.holmqvist@xxxxxxxxx wrote: If you are still interested I recommend you start coding and take the technical discussion directly with the few who have shown interest and knowledge in this, and skip this mailing-list. There's not much point in just starting something like that. If you don't talk about it before, it might never get merged and you just wasted your time. If you don't talk about it, there might also be a fundamental flaw - and you wasted your time. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Thu, 2014-04-03 16:45
On 27.03.2014 at 15:14, Stephan Aßmus superstippi@xxxxxx wrote: Please point out in the thread where anybody said security is pointless. People don't want to live with certain restrictions. Some of which seemed to be implied by your design, like an encrypted disk. That just means that some of this stuff needs to be optional or have ways for the user to override. That's all. I never said an encrypted disk is necessary to use Haiku. I said it's necessary *if we ever decide to go the SecureBoot route*. And not necessary as in a ...
Categories: Development

[haiku-development] Re: Design for signed packages (François Revol)

Thu, 2014-04-03 16:45
On 27/03/2014 15:11, Ari Haviv wrote: On Thu, Mar 27, 2014 at 8:28 AM, Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: I deleted the branch now as people are clearly offended by even only having the minimum level of security that even Windows offers since Windows XP (optionally signed executables, optionally signed drivers, signed updates) - and that was introduced 14 years ago - and prefer to repeat the security disaster of Windows 98. Users wouldn't even have noticed that packages are signed unless they installed a hpkg from a 3rd party without ...
Categories: Development

[haiku-development] Re: Design for signed packages (Fredrik Holmqvist)

Wed, 2014-04-02 11:45
2014-03-27 15:00 GMT+01:00 Jonathan Schleifer js-haiku-development@xxxxxxxxxxx: I didn't think that I would spend more time justifying myself why I want signed packages than actually implementing it. If I would have spent all that time that I had to justify myself, we'd already have package signing. Keep in mind that anyone registered to the mailing list can post here, so there may be mail from people who have little to say in haiku development or knowledge of the matter at hand. There are probably many devs, like myself, who think signed packages ...
Categories: Development

[haiku-development] Re: Design for signed packages (Stephan Aßmus)

Wed, 2014-04-02 09:45
Hi, Meta-discussions... On 27.03.2014 15:00, Jonathan Schleifer wrote: On 27.03.2014 at 14:24, Stephan Aßmus superstippi@xxxxxx wrote: Why do you even start a discussion when you are not prepared to ...
Categories: Development

[haiku-development] Re: Design for signed packages (Ari Haviv)

Wed, 2014-04-02 05:45
On Thu, Mar 27, 2014 at 8:28 AM, Jonathan Schleifer js-haiku-development@xxxxxxxxxxx wrote: I deleted the branch now as people are clearly offended by even only having the minimum level of security that even Windows offers since Windows XP (optionally signed executables, optionally signed drivers, signed updates) - and that was introduced 14 years ago - and prefer to repeat the security disaster of Windows 98. Users wouldn't even have noticed that packages are signed unless they installed a hpkg from a 3rd party without using a repository, but clearly, people feel offended by even the thought ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Wed, 2014-04-02 03:45
On 27.03.2014 at 14:24, Stephan Aßmus superstippi@xxxxxx wrote: I am sorry you are frustrated and carried through with this reaction. You had announced your intended deletion in IRC last night, and even though Axel and myself (maybe more) told you there is no general objection against anything security-related and you might read something into replies which was not intended by their authors, you decided to delete your branch anyway. The branch only had Ed25519 integrated into the Haiku source and some Ed25519 modifications, plus it needed more modifications to be usable, so it was not ...
Categories: Development

[haiku-development] Re: Design for signed packages (Stephan Aßmus)

Wed, 2014-04-02 01:45
On 27.03.2014 13:28, Jonathan Schleifer wrote: On 27.03.2014 at 04:02, SMC.Collins smc.collins@xxxxxxxxxxx wrote: +1 (this is actually the only email I really read :P) Y'all would do well to read if you haven't already. -waddlesplash ...
Categories: Development

[haiku-development] Re: Design for signed packages (SMC.Collins)

Tue, 2014-04-01 23:45
I deleted the branch now as people are clearly offended by even only having the minimum level of security that even Windows offers since Windows XP (optionally signed executables, optionally signed drivers, signed updates) - and that was introduced 14 years ago - and prefer to repeat the security disaster of Windows 98. Users wouldn't even have noticed that packages are signed unless they installed a hpkg from a 3rd party without using a repository, but clearly, people feel offended by even the thought that there is cryptography involved ...
Categories: Development

[haiku-development] Re: Design for signed packages (Fredrik Holmqvist)

Tue, 2014-04-01 21:45
2014-03-27 13:28 GMT+01:00 Jonathan Schleifer js-haiku-development@xxxxxxxxxxx: I deleted the branch now as people are clearly offended by even only having the minimum level of security that even Windows offers since Windows XP (optionally signed executables, optionally signed drivers, signed updates) - and that was introduced 14 years ago - and prefer to repeat the security disaster of Windows 98. Users wouldn't even have noticed that packages are signed unless they installed a hpkg from a 3rd party without using a repository, but clearly, people feel offended by even the thought that there is cryptography involved that makes sure that the updates you install are ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Tue, 2014-04-01 19:45
On 27.03.2014 at 04:02, SMC.Collins smc.collins@xxxxxxxxxxx wrote: +1 (this is actually the only email I really read :P) Y'all would do well to read if you haven't already. -waddlesplash I read that article and it rings of unix concerns, concerns mainframes at banks have. Here is what users want, an OS they can install on hardware, vm etc, and to not have to be hassled with constant certificate updates, passwords etc. ...
Categories: Development

[haiku-development] Re: Design for signed packages (SMC.Collins)

Tue, 2014-04-01 19:45
+1 (this is actually the only email I really read :P) Y'all would do well to read if you haven't already. -waddlesplash I read that article and it rings of unix concerns, concerns mainframes at banks have. Here is what users want, an OS they can install on hardware, vm etc, and to not have to be hassled with constant certificate updates, passwords etc. ...
Categories: Development

[haiku-development] Re: Design for signed packages (waddlesplash)

Tue, 2014-04-01 13:45
On 3/26/2014 4:48 PM, Urias McCullough wrote: I'm pretty sure most people are skimming this entire discussion because it's amazingly heavy on paranoia, and doesn't really focus on the most common attack scenarios at all. I know I've been mostly Mark as read on the threads personally, and I'm starting to consider some gmail filters to round-file a large part of it. ...
Categories: Development

[haiku-development] Re: hpkgs and compression (Ingo Weinhold)

Tue, 2014-04-01 09:45
On 26.03.2014 16:51, David Given wrote: On 3/25/14, 8:59 PM, Ingo Weinhold wrote: [...] Yes, the start of the data is always page-aligned. What I meant is making contained data structures 8-byte aligned, like the start of the heap, the TOC, etc. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Ingo Weinhold)

Sun, 2014-03-30 17:45
On 26.03.2014 22:25, Julian Harnath wrote: (3) Package signing is a good idea so the user can know if a package really originates from a certain source. The discussed options are: 1. Always sign each individual package. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Jonathan Schleifer)

Sun, 2014-03-30 15:45
On 26.03.2014 at 22:29, Ingo Weinhold ingo_weinhold@xxxxxx wrote: How is supporting multiple algorithms in one format different from supporting different formats versions with one algorithm each in this respect? In either case the older algorithm can easily be disabled when it is no longer considered secure. True, the difference would only be which field to use to indicate the algorithm. I don't care about that too much. ...
Categories: Development

[haiku-development] Re: Design for signed packages (Ingo Weinhold)

Sun, 2014-03-30 15:45
On 26.03.2014 04:23, Jonathan Schleifer wrote: On 25.03.2014 at 23:09, Ingo Weinhold ingo_weinhold@xxxxxx wrote: It restricts us to a single algorithm. Not really, as we could just increase the hpkg version to change the version. Or do you want to use multiple algorithms at the same time ...
Categories: Development

[haiku-development] Re: Design for signed packages (Julian Harnath)

Sat, 2014-03-29 23:45
Hey, I'll just throw in a summary of the various issues discussed in this thread and the ones surrounding it. The idea is that the discussion shouldn't go to waste, a few things have been agreed on after all. For now, let's focus more on what we can agree on than on the disagreements. Correct me if I'm wrong, but I guess agreement is on the following things: ...
Categories: Development
