<sphalerite>
FRidh: I don't understand how my poezio thing would cause merge conflicts, since it's just folding two of the full package expressions in python-packages.nix into a single line?
<sphalerite>
i.e. everything other than those two is unaffected…
<infinisil>
I'm not sure what you mean by that, there's no authenticity at all with HTTP. An attacker would just have to compromise your network and ofborg's network to inject a fake hash
<infinisil>
And with Let's Encrypt it goes through a self-signed certificate first. While I haven't looked too deeply into this process, I think we may assume that HTTPS certificates from Let's Encrypt are indeed valid and not half-assed
<ekleog>
infinisil: LE does the job by testing your domain over http
<ekleog>
basically, an attacker that compromises LE's network can create a fake https cert
<ekleog>
what I'm saying is, basically this is the same thing, and I'd even think our hashes would be more secure than HTTPS if we forced a proportion of rebuilds at random (so people would notice what doesn't build) -- but that last point is for after the reproducibility build effort lands
<ekleog>
(well, LE can do the job by testing over self-signed https too, but that's not better than http from an integrity pov)
<ekleog>
(also, all that is assuming no CA is compromised, which is not necessarily true)
<ekleog>
basically, yes I agree https is marginally better than http for our use case, but I don't think it's significantly better :)
<infinisil>
ekleog: Got any links on that? I've never heard of Let's Encrypt being insecure like that. I guess it makes sense to some extent (gotta start with http), but I had a feeling there were Smart (tm) ways to get around that
<ekleog>
well, it's just as insecure as any other CA :)
<ekleog>
(most CAs do automated management)
<infinisil>
Ah yeah that's a good point
<infinisil>
ekleog: It's basically TOFU though
<ekleog>
typically, StartSSL only required receiving unencrypted mails sent to the admin@[dns] email address, iirc
<ekleog>
yup
<infinisil>
And if a bogus cert was created on first use, wouldn't this get detected eventually?
<ekleog>
well, at one time it wouldn't have been detected for a while (e.g. Google certs have been frauded in Iran, iirc)
<ekleog>
now there are certificate transparency logs, that allow one to check the certificate they receive is in the transparency logs for more confidence
<infinisil>
Yeah I read about that
<ekleog>
and people are supposed to monitor the cert transp logs to check no fraudulent cert is issued for their domain (and at worst the offending CA can be held responsible)
<infinisil>
Okay, so https still has some flaws, but I still think it's strictly better than http and should be used if available
<infinisil>
I'm still curious why that PR switched that url from https to http though
<ekleog>
now, that's similar to what we do with nixpkgs hashes (the logs are the git repo), except we have fewer builders than a typical website has users, I guess
<ekleog>
oh totally agree with you about https>http, tbh I'd love it if http just vanished
<ekleog>
encrypting everything makes encrypted stuff less suspicious
<ekleog>
and yeah, I don't know why it switched to http either :/
<infinisil>
I'm hopeful that we can drop all kinds of insecure protocols in a couple decades
<infinisil>
Am actually just taking a network security course this semester, currently about TLS 1.3, and oh boy, it does sound pretty good
<ekleog>
does it still have the 0RTT mode? :/
<ekleog>
but yeah, browsers dropping tls1.0 and 1.1 is great :)
<infinisil>
Yeah sure does, but needs to be used carefully
<ekleog>
yeah, 0RTT mode is the thing I'm convinced will be misused by almost everyone who implements it
<infinisil>
To be exact: Only use 0RTT for idempotent messages, because it can be used for replay attacks
<infinisil>
That's the only flaw I think
orivej has joined #nixos-dev
<ekleog>
well, it's also not-encrypted
<ekleog>
which is already a Bad Thing(tm)
<ekleog>
like, I don't know many protocols where a non-negligible portion of the initial message is not confidential but the rest totally is
<infinisil>
I'm pretty sure it is encrypted
<ekleog>
hmm actually maybe I'm wrong about it indeed
* ekleog
can't remember, it's been ~6 months since I last searched about tls1.3
<ekleog>
oh 0rtt is enabled only on session resumption
<ekleog>
so that's what (I misremembered|changed)
<infinisil>
Yeah
<infinisil>
TLS1.3 is actually fully verified in the Tamarin prover :O
<ekleog>
so I withdraw my complaint about tls1.3, though I still feel like this feature will likely cause tears at some point :)
<infinisil>
ekleog: Agreed
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos-dev
init_6 has joined #nixos-dev
pie_ has joined #nixos-dev
orivej_ has joined #nixos-dev
orivej has quit [Read error: Connection reset by peer]
phreedom has quit [Ping timeout: 256 seconds]
sir_guy_carleton has joined #nixos-dev
sphalerite_ has joined #nixos-dev
mic921 has quit [*.net *.split]
Jackneill has quit [*.net *.split]
thefloweringash has quit [*.net *.split]
sphalerite has quit [*.net *.split]
thefloweringash has joined #nixos-dev
__Sander__ has quit [Quit: Konversation terminated!]
<gchristensen>
karma? the number goes up, never goes down, and doesn't count for much beyond a thank-you (unless you get many points, and then I'll mail you a t-shirt or something :P)
<Synthetica>
Free t-shirts? Oh my
<gchristensen>
,loot
<{^_^}>
[2018-05-26 20:24:58] <gchristensen> 25 points gets you a sticker, 100 points gets you a t-shirt, 1000 verified points gets you a free trip to nixcon *restrictions apply, must be verifiable points, given by grateful people, in channels I'm in
<roberth>
gchristensen++
<{^_^}>
gchristensen's karma got increased to 39
<roberth>
{^_^}++
<{^_^}>
{^_^}'s karma got increased to 140
<gchristensen>
the good news is {^_^} doesn't like stickers or t-shirts, and is very cheap to deliver to nixcon ;)
<Synthetica>
Do they have 19' t-shirts? (Assuming {^_^} is running on a blade :P)
orivej has joined #nixos-dev
pepesza has quit [Quit: ZNC 1.6.3+deb1ubuntu0.1 - http://znc.in]