KDE and Slimbook Release a Laptop for KDE Fans
The KDE community is now co-producing a laptop =)
“Today KDE is proud to announce the immediate availability of the KDE Slimbook, a KDE-branded laptop that comes pre-installed with Plasma and KDE Applications (running on Linux) and is assured to work with our software as smoothly as possible.”
Here's hoping it's free of proprietary blobs and IntelME too, though that's hard to accomplish.
the end times (of git security) are here
"The new result demonstrates a collision in SHA-1. The researchers found two PDF files that have the same hash."
I tried to push the git devs toward having a switch to throw, or a transition plan for this day, but I failed. There has been some slow work being done to that end, so perhaps this will pick up the pace.
You can, however, check the new colliding PDFs into git-annex. Just don't use --backend SHA1 when you do.
Looks like it just claimed its first victim:
If I had a project that contained binary files, and stored them in git, and that it might be worth $100k for an attacker to backdoor, I would be worried about the new SHA1 collisions.
A good example of such a project is git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git :(
The "random" data that makes the collision is only 128 bytes, and it can be prefixed by any good data you want when the collision is being calculated on your compute cluster. It would be feasible to take a working piece of firmware and disassemble it enough to add an exploit payload, and generate colliding versions that do and don't run the exploit.
Using git-annex and signed commits together is a good way to fix such repositories.
joeyh shared this.
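An added illustration of the fix named in the post above, not code from the post or from git-annex: git names a file by a SHA-1 blob ID, while a git-annex SHA256E key records the content's size and SHA-256 digest, so checked-out content can be verified against a hash the SHA-1 collision does not touch. The key parsing is simplified to the size field only, and the firmware bytes are constructed samples.

```python
import hashlib
import hmac
import re

# git-annex key for the SHA256/SHA256E backends: SHA256E-s<size>--<sha256 hex><.ext>
# (simplified: only the size field is parsed, other optional fields are not handled).
KEY_RE = re.compile(r"(SHA256E?)-s(\d+)--([0-9a-f]{64})((?:\.\w+)*)")


def git_blob_id(data: bytes) -> str:
    """Object ID git gives a file: SHA-1 over 'blob <len>' + NUL + content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()


def annex_key(data: bytes, ext: str = "") -> str:
    """Build the SHA256E key that would name this content."""
    return "SHA256E-s%d--%s%s" % (len(data), hashlib.sha256(data).hexdigest(), ext)


def verify_content(key: str, data: bytes) -> bool:
    """True only if data has the size and SHA-256 digest recorded in the key."""
    m = KEY_RE.fullmatch(key)
    if m is None:
        raise ValueError("not a SHA256/SHA256E key: %r" % key)
    size, digest = int(m.group(2)), m.group(3)
    actual = hashlib.sha256(data).hexdigest()
    return len(data) == size and hmac.compare_digest(actual, digest)


# Constructed sample bytes standing in for a firmware image and a modified copy
# of the same length.
FIRMWARE = b"\x7fFW constructed sample image v1" + bytes(96)
MODIFIED = FIRMWARE[:-1] + b"\x01"

if __name__ == "__main__":
    key = annex_key(FIRMWARE, ".bin")
    print("git blob id :", git_blob_id(FIRMWARE))
    print("annex key   :", key)
    print("original ok :", verify_content(key, FIRMWARE))
    print("modified ok :", verify_content(key, MODIFIED))
```

In a git-annex repository the key is what git tracks, and a signed commit covers the tree that names it.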
Bits from Debian: Debian and Tor Services available as Onion Services
We, the Debian project and the Tor project, are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.
The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.
While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.
For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/, using a Tor-enabled browser such as the TorBrowser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certification authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.
In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following entries can replace the normal debian mirror entries in the apt configuration file (
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Likewise, Tor's Debian package repository is available from an onion service:
deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.
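How a 16-character onion name like those above authenticates the service key, as an added example (not from the announcement or from Tor's code): the name is the base32 encoding of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, so a client can check the presented key against the name without a CA. The key bytes below are constructed placeholders, not real keys, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

V2_LABEL = re.compile(r"[a-z2-7]{16}")  # 80 bits written in base32


def onion_label(url: str) -> str:
    """Extract and validate the 16-character onion label from a URL."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    if len(parts) < 2 or parts[-1] != "onion" or not V2_LABEL.fullmatch(parts[-2]):
        raise ValueError("not a 16-character onion address: %r" % url)
    return parts[-2]


def label_for_key(pubkey_der: bytes) -> str:
    """Name derived from a key: base32(first 10 bytes of SHA-1(DER key))."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def key_matches_url(pubkey_der: bytes, url: str) -> bool:
    """Client-side check: does the key the service presents hash to the name?"""
    return hmac.compare_digest(label_for_key(pubkey_der), onion_label(url))


# Constructed placeholder bytes standing in for DER-encoded RSA public keys.
SERVICE_KEY = b"constructed-sample-service-key"
OTHER_KEY = b"constructed-sample-other-key"

if __name__ == "__main__":
    url = "http://%s.onion/" % label_for_key(SERVICE_KEY)
    print("address for sample key :", url)
    print("service key accepted   :", key_matches_url(SERVICE_KEY, url))
    print("other key accepted     :", key_matches_url(OTHER_KEY, url))
    # Addresses quoted in the announcement parse as well-formed names.
    print(onion_label("tor+http://vwakviie2ienjx6t.onion/debian"))
```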
electrum insecure use of ssl
https://github.com/spesmilo/electrum/issues/1782
At this point, I'm not particularly surprised when a program turns out to utterly fail at SSL cert validation. Because that seems to be how SSL libraries are designed to be misused. OTOH, this is a program I've entrusted with a few thousand dollars in the past. If I own bitcoin again, I'll have to think twice about using Electrum.
Jakukyo Friel likes this.
Jakukyo Friel shared this.
crossover point
SHA1 collision cost estimate now only $75k and a couple months. So, it's cheaper to break SHA1 now than it will be to fix git not to use SHA1. https://sites.google.com/site/itstheshappening/
Christopher Allan Webber shared this.
- WOW. Amazing, eloquent 18-minute TEDx talk by @ninapaley about copyright abolition: http://questioncopyright.org/copyright_is_brain_damage. Share widely!
Mikkel Kirkgaard Nielsen shared this.
Official Debian Images for Microsoft Azure
Debian is now officially endorsed on Microsoft Azure platform; official images
created in collaboration between several Debian teams, credativ and Microsoft.
Matteo Bechini shared this.
Debian mourns the passing of Ian Murdock
Debian is saddened to share the news of the passing of Ian Murdock. Ian was not only the founder of Debian, but friend and mentor to many. We will miss him dearly.
DPN 01 Jan 2016: Mourning Ian Murdock, The "New" Debian Project News, Internal News/Happenings, Help needed, ...
Welcome to this year's ninth issue of DPN, the newsletter for the Debian community.
Topics covered in this issue include: Mourning Ian Murdock, The "New" Debian Project News, Internal News/Happenings,
Help needed, More than just code, Reports, Outside News, Want to continue reading DPN?
Find the current issue at: https://www.debian.org/News/weekly/2015/09/
arm boards don't die
Has anyone noticed that arm boards just keep running for approximately forever? I have now ancient nslu2's, thecus, etc that still run fine, although they're now too old to bother with.
No moving parts, no power supply (just 5v in), barely any capacitors to plague out. Just not much to go wrong. The only arm board I've ever had die was struck by lightning.
(Compare with laptops which are fully consumable.)
Happy Gnu Year!!
Happy 2015, pumpipeople!!
- Steve McIntyre: Bootstrapping #arm64 in #Debian http://blog.einval.com/2015/01/06#bootstrapping-debian-arm64
Jakukyo Friel likes this.