KDE and Slimbook Release a Laptop for KDE Fans
The KDE community is now co-producing a laptop =)
“Today KDE is proud to announce the immediate availability of the KDE Slimbook, a KDE-branded laptop that comes pre-installed with Plasma and KDE Applications (running on Linux) and is assured to work with our software as smoothly as possible.”
dot.kde.org/2017/01/26/kde-and-slimbook-release-laptop-kde-fans
Here's hoping it's free of proprietary blobs and IntelME too, though that's hard to accomplish.
the end times (of git security) are here
"The new result demonstrates a collision in SHA-1. The researchers found two PDF files that have the same hash."
I tried to push the git devs toward having a switch to throw, or a transition plan for this day, but I failed. There has been some slow work being done to that end, so perhaps this will pick up the pace.
You can, however, check the new colliding PDFs into git-annex. Just don't use --backend SHA1 when you do.
If I had a project that contained binary files, and stored them in git, and that it might be worth $100k for an attacker to backdoor, I would be worried about the new SHA1 collisions.
A good example of such a project is git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git :(
The "random" data that makes the collision is only 128 bytes, and it can be prefixed by any good data you want when the collision is being calculated on your compute cluster. It would be feasible to take a working piece of firmware and disassemble it enough to add an exploit payload, and generate colliding versions that do and don't run the exploit.
Using git-annex and signed commits together is a good way to fix such repositories.
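The check that a stronger content key pinned in a signed commit makes possible, as an added example that is not joeyh's or git-annex's code: it records git's SHA-1 blob id next to a size-plus-SHA-256 key shaped like git-annex's SHA256E keys, and flags a file whose blob id still matches while its SHA-256 does not. The path, the sample bytes and the simulated collision are constructed, and the function names are hypothetical.

```python
import hashlib

def git_blob_id(data: bytes) -> str:
    """Object id git gives a blob: SHA-1 over 'blob <size>\\0' plus the content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def sha256_key(data: bytes, ext: str = "") -> str:
    """Size plus SHA-256 of the content, in the shape of a git-annex SHA256E key."""
    return "SHA256E-s%d--%s%s" % (len(data), hashlib.sha256(data).hexdigest(), ext)

def record(files: dict) -> dict:
    """Manifest to pin in a signed commit: path -> (git blob id, SHA-256 key)."""
    return {path: (git_blob_id(d), sha256_key(d)) for path, d in files.items()}

def audit(manifest: dict, files: dict) -> dict:
    """Compare a checkout against the manifest, path by path."""
    result = {}
    for path, (blob_id, key) in manifest.items():
        data = files.get(path)
        if data is None:
            result[path] = "missing"
        elif sha256_key(data) == key:
            result[path] = "ok"
        elif git_blob_id(data) == blob_id:
            # Same SHA-1 object id, different content: git alone cannot see this.
            result[path] = "sha1-collision"
        else:
            result[path] = "modified"
    return result

# Constructed sample data, not real firmware.
GOOD = b"\x7fFW\x01 constructed firmware image"
EVIL = b"\x7fFW\x01 constructed firmware image with payload"
MANIFEST = record({"fw/card.bin": GOOD})

def simulated_collision_manifest() -> dict:
    """A real colliding pair cannot be embedded here, so pretend EVIL collides
    with GOOD by recording EVIL's blob id next to GOOD's SHA-256 key."""
    return {"fw/card.bin": (git_blob_id(EVIL), sha256_key(GOOD))}

if __name__ == "__main__":
    print(audit(MANIFEST, {"fw/card.bin": GOOD}))
    print(audit(simulated_collision_manifest(), {"fw/card.bin": EVIL}))
```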
stained glass lizard
(Stained glass by my dad, lizard by leaving all doors in the house open all week.)
far above cayuga
Back at Cornell for the first time in 21 years. My feet still remember the way around.
Bits from Debian: Debian and Tor Services available as Onion Services
Debian Project at 2016-08-01T15:40:03Z
We, the Debian project and the Tor project are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.
The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.
While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.
For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/, using a Tor-enabled browser such as the TorBrowser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certification authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.
In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following entries can replace the normal debian mirror entries in the apt configuration file (/etc/apt/sources.list):
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Likewise, Tor's Debian package repository is available from an onion service:
deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
Where appropriate, we provide services redundantly from several backend machines using OnionBalance. The Debian OnionBalance package is available from the Debian backports repository.
Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.
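How a version 2 onion name, such as the 16-character ones in this post, binds to the service key, as an added example that is not Debian's or Tor's code: the name is the base32 encoding of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, so a client can recompute it from the key the service presents. The sample key bytes are a constructed stand-in, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

V2_LABEL = re.compile(r"^[a-z2-7]{16}$")  # 80 bits in base32, no padding

def onion_v2_name(public_key_der: bytes) -> str:
    """Derive the 16-character name from the DER-encoded RSA public key."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def onion_label(url: str) -> str:
    """Extract the onion label from a URL, including apt's tor+http scheme."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not an onion host: %r" % host)
    # Subdomains are allowed; the label directly before .onion names the key.
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    if not V2_LABEL.match(label):
        raise ValueError("not a version 2 onion label: %r" % label)
    return label

def key_matches_name(url: str, public_key_der: bytes) -> bool:
    """True only if the presented key hashes to the name in the URL."""
    return hmac.compare_digest(onion_label(url), onion_v2_name(public_key_der))

# Constructed stand-in for a DER-encoded RSA public key (hashing treats it as
# opaque bytes, so the derivation is the same for a real key).
SAMPLE_KEY = b"constructed stand-in for a DER-encoded RSA public key"
OTHER_KEY = b"constructed stand-in for a different key"

if __name__ == "__main__":
    name = onion_v2_name(SAMPLE_KEY)
    url = "tor+http://%s.onion/debian" % name
    print(url, key_matches_name(url, SAMPLE_KEY), key_matches_name(url, OTHER_KEY))
```

Version 3 onion names are 56 characters long and embed an Ed25519 public key instead; this sketch does not handle them.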
electrum insecure use of ssl
https://github.com/spesmilo/electrum/issues/1782
https://github.com/spesmilo/electrum/issues/1783
At this point, I'm not particularly surprised when a program turns out to utterly fail at SSL cert validation. Because that seems to be how SSL libraries are designed to be misused. OTOH, this is a program I've entrusted with a few thousand dollars in the past. If I own bitcoin again, I'll have to think twice about using Electrum.
Olivier Mehani at 2015-05-14T00:32:24Z
But... Can you read it? (:
crossover point
SHA1 collision cost estimate now only $75k and a couple months. So, it's cheaper to break SHA1 now than it will be to fix git not to use SHA1. https://sites.google.com/site/itstheshappening/
Question Copyright at 2015-11-25T18:45:41Z
WOW. Amazing, eloquent 18-minute TEDx talk by @ninapaley about copyright abolition: http://questioncopyright.org/copyright_is_brain_damage. Share widely!
Official Debian Images for Microsoft Azure
Debian Project at 2015-12-02T22:04:31Z
Debian is now officially endorsed on Microsoft Azure platform; official images
created in collaboration between several Debian teams, credativ and Microsoft.
More info:
http://www.credativ.co.uk/credativ-blog/official-debian-images-microsoft-azure-are-now-available
https://wiki.debian.org/Teams/Cloud
Debian mourns the passing of Ian Murdock
Debian Project at 2015-12-30T19:25:02Z
Debian is saddened to share the news of the passing of Ian Murdock. Ian was not only the founder of Debian, but friend and mentor to many. We will miss him dearly.
Well, that's sad to find out.
Let's remember him as the man who made a huge contribution to society with Debian.
Luis A. Guzman at 2015-12-30T19:56:55Z
Thank you. : / I never met him, but am still in shock that he's gone.
DPN 01 Jan 2016: Mourning Ian Murdock, The "New" Debian Project News, Internal News/Happenings, Help needed, ...
Debian Project at 2016-01-02T18:46:25Z
Welcome to this year's ninth issue of DPN, the newsletter for the Debian community.
Topics covered in this issue include: Mourning Ian Murdock, The "New" Debian Project News, Internal News/Happenings,
Help needed, More than just code, Reports, Outside News, Want to continue reading DPN?
Find the current issue at: https://www.debian.org/News/weekly/2015/09/
arm boards don't die
Has anyone noticed that arm boards just keep running for approximately forever? I have now ancient nslu2's, thecus, etc that still run fine, although they're now too old to bother with.
No moving parts, no power supply (just 5v in), barely any capacitors to plague out. Just not much to go wrong. The only arm board I've ever had die was struck by lightning.
(Compare with laptops which are fully consumable.)
Debian Project at 2015-03-18T15:16:20Z
Bits from Debian: DebConf15 welcomes new sponsors
Stefano Zacchiroli at 2014-12-26T09:10:36Z
#Python is getting optional static typing https://lwn.net/Articles/627558/ based on Gradual Typing, neat!
Stefano Zacchiroli at 2014-12-26T13:12:41Z
I've just donated to become an annual @conservancy supporter. You can become one too! https://sfconservancy.org/supporter/
Happy Gnu Year!!
Happy 2015, pumpipeople!!
\o/
Happy GNU year for the people who like free software and freedom, and also, for the others... :P
Stefano Zacchiroli at 2015-01-07T07:46:48Z
Steve McIntyre: Bootstrapping #arm64 in #Debian http://blog.einval.com/2015/01/06#bootstrapping-debian-arm64