1. 1

    This was already posted. Also should have (2015) in the title.

    From 2 years ago: https://lobste.rs/s/z736eo/ideology_talk_by_gary_bernhardt_from

    @alynpost Is this something that should be merged or is that not a thing for such an old post?

    1. 2

      I agree on the (2015) in the title, unfortunately I can’t make any changes to it now, so maybe a moderator could do that?

      This was submitted before, 2 years ago and had no discussion (there’s a link at the bottom). I resubmitted it because its contents are still relevant and I’m happy to see it brought up a bit of a discussion and potentially reached a new audience.

    1. -3

      This seems like self-congratulatory nonsense to me. Marked as spam.

        1. 6

          I upvoted because it expresses a pattern of behaviour that I’ve noticed in djb for well over 20 years now, and have come across myself. Many years ago I noticed a bug in qmail-imapd where it wasn’t implementing a part of the RFC at all, and it was breaking some IMAP clients. djb said that that part of the RFC wasn’t important and refused to implement it, forcing many of our end users to switch their email clients and causing a lot of headaches. Because of that, and a few other interactions, I have never used another piece of software by djb, even though it might be in many ways technically better. It’s just not worth the headaches of having to deal with him.

          1. 5

            djb is genius-level smart, and I find many of his programs have a kind of rare brilliance to them. In an alternative universe where he’s not such a pain to deal with we’d all be running qmail instead of postfix and daemontools instead of systemd.

            1. 1

              Yep. It’s actually quite a shame, really.

              1. 1

                There are usually saner implementations of the same idea — namely runit for daemontools. And most famously libsodium for NaCl.

                As for mail.. qmail seems arcane and complicated. OpenSMTPd is the only mail server I’d be willing to admin :D

                1. 1

                  I tried setting opensmtpd up with virtual users / virtual domains using sqlite and to my surprise it didn’t work anymore as the opensmtpd-extras have a version mismatch in Debian, so postfix it is again. Maybe more of a Debian problem than opensmtpd.

              2. 3

                Many years ago I noticed a bug in qmail-imapd where it wasn’t implementing a part of the RFC at all, and it was breaking some IMAP clients

                There is no qmail-imapd.

                djb said that that part of the RFC wasn’t important and refused to implement it

                No he didn’t, because there is no qmail-imapd.

                1. 1

                  Huh, you’re absolutely right about there not being an imap server associated with qmail. I wonder what program the bug was associated with. It was nearly 20 years ago, so aspects of it may be entirely wrong.

                2. 2

                  Wait, there is a qmail-imapd? I would be happy to know where you found it, as I fail to see it in the qmail source, and all I find for “qmail-imapd” is tcp rules for courier-imap as part of some qmail metapackage: https://www.opennet.ru/base/patch/qmail_ldap.txt.html

                  1. 1

                    I think djb is a jackass but I flagged this as off-topic for basically the same reason as @gerikson

                  1. 1

                    really with this?

                    @alynpost can we merge this with https://lobste.rs/s/ti21d7/opensmtpd_6_6_4p1_released_addressing ?

                    You can correct me if this shouldn’t be merged but I don’t see the point in a new post for this.

                    1. 2

                      Thank you @fro. I have merged story nxn7jz in to story ti21d7.

                      Your request to merge is correct. The article, despite being the same CVE, is a substantive update, adding three sections that can now be published. It’s appropriate that story nxn7jz was submitted [for merge]–it’s routine for credit, acknowledgments, exploits, or more detailed data to be published in this fashion as part of the responsible disclosure process.

                    1. 9

                      Securing MTA must be a cursed job.

                      Back in the old days we had near weekly RCEs in sendmail and exim and these days it’s OpenSMTPD with strong ties to the f’ing OpenBSD project. That’s the one project I expect an RCE the least from; much less two in as many months.

                      Email is hard.

                      1. 5

                        It’s actually 3 — this one has two separate CVEs in a single release, including a full local escalation to root on Fedora due to Fedora-specific bugs adding an extra twist (CVE-2020-8793).

                        The other bug here (CVE-2020-8794) is a remote one in the default install; although the local user still has to initiate an action to trigger an outgoing connection to an external mail server of the attacker, so, I guess OpenBSD might not count it towards the remote-default count of just two bugs since years ago.

                        1. 2

                          I guess OpenBSD might not count it towards the remote-default count of just two bugs since years ago.

                          I feel like that would be disingenuous. I realize it’s not enabled by default in a way that’s exploitable but in the default install there’s literally nothing running that’s even listening really (you can enable OpenSSH in a default install, I suppose); this is of course the correct way to configure things by default. However, the statement degenerates to “no remotely exploitable bugs in our TCP/IP stack and OpenSSH”…which is awesome, but…

                          (Also, it’s easy to criticize: I’ve never written enterprise grade software used by millions.)

                          1. 1

                            Can you explain more about why you think that’s disingenuous? OpenBSD making this claim doesn’t seem different to me than folks saying that this new bug is remotely exploitable. It’s very specific and if something doesn’t meet the specific criteria then it doesn’t apply. Does that make sense?

                            It is my opinion that the statement should be removed – not because it’s not accurate but because I just think it’s tacky.

                            1. 4

                              IMHO it’s disingenuous because it implies that there are only two remote holes in a heck of a long time on a working server. It’s like saying “this car has a 100% safety record in its default state,” that is, turned off.

                              (I’m reminded of Microsoft bragging about Windows NT’s C2 security rating, while neglecting to mention that it got that rating only on a system that didn’t have a network card installed and its floppy drive glued shut.)

                              I’m not sure if they include OpenSSH in their “default state” (I think it is enabled by default), but other than OpenSSH there’s nothing else running that’s remotely reachable. Most people want to use OpenBSD for things other than just an OpenSSH server (databases, mail servers, web servers, etc), and they might get an inflated sense of security from statements like that

                              (Note that OpenBSD is remarkably secure and their httpd and other projects are excellent and more secure than most alternatives, but that’s not quite the point. Again, it’s easy for me to criticize, sitting here having not written software that has been used by millions.)

                              1. 2

                                I appreciate you taking the time to elaborate. I think the claim is tacky as it seems to be more provocative than anything else – whether true or not. I don’t think it’s needed because I think what OpenBSD stands for speaks for itself. I think I understand why the claim was used in the past but this conversation about it comes up every time there’s a bug – whether remote or not. The whole thing is played out.

                                1. 2

                                  AFAIK OpenSMTPD is enabled by default, but does local mail delivery only with the default config. This makes the claim about “only 2 remote holes” still stand, though I agree with your analysis of bullshit-o-meter of this slogan. But hey, company slogans are usually even more bullshit-ridden, so I don’t care.

                            2. 1

                              You’re saying a local user has to do something to make it remote? Can you explain how that makes it remote?

                              1. 2

                                One of the exploitation paths is parsing responses from remote SMTP servers, so you need to request that OpenSMTPD connect out to an attacker-controlled server (e.g. by sending email).

                                It looks like on some older versions there’s a remote root without local user action needed…

                                1. 1

                                  I reckon I’ll go back and read the details again. However, if something requires that a local user do a very specific thing under very specific circumstances (attacker controlled server, etc.) in order to exploit – that does not jibe with my definition of remote.

                                  1. 3

                                    Apparently you can remotely exploit the server by triggering a bounce message.

                            3. 2

                              Step zero is don’t run as root and don’t have world writable directories.

                              .

                              .

                              .

                              Sorry, was I yelling?

                              1. 4

                                Mail is hard that way in that the daemon needs to listen to privileged ports and the delivery agent needs to write into directories only readable and writable by a specific user.

                                Both of these parts require root rights.

                                So your step zero is impossible to accomplish for an MTA. You can use multiple different processes and only run some privileged, but you cannot get away with running none of them as root if you want to work within the framework of traditional Unix mail.

                                Using port redirection and virtual users exposing just IMAP you can work around those issues, but then you’re leaving the traditional Unix setup and you’re adding more moving parts to the mix (like a separate imap daemon) which might or might not bring additional security concerns.

                                1. 2

                                  At least on Linux there’s a capability for binding into privileged ports that is (the cap) not equivalent to root.

                                  1. 3

                                    Yes. Or you redirect the port. But that still leaves mail delivery.

                                    As I said in my original comment: email is hard and that’s ok. I take issue with people reducing these vulnerabilities (or any issue they don’t fully understand) to “just do X - it’s so easy” (which is a strong pointer they don’t understand the issue)

                                    Which is why I sit in my rant about still using C for (relatively) new projects when safer languages exist, though - oh boy is it tempting to be dropping a quick “buffer overflows are entirely preventable in as-performant but more modern languages like Rust. Why did you have to write OpenSMTPD in C”, but I’m sure there were good reasons - especially for people as experienced and security focused as the OpenBSD folks.

                                    1. 3

                                      It’s hard if you impose the constraint that you need to support the classical UNIX model of email that was prevalent from the late 70s to the mid 90s. I was once very attached to this model but it’s based on UNIX file-system permissions that are hard to reason about and implement safely and successfully. The OpenSMTPD developers didn’t make these mistakes because they’re stupid, it’s really really hard. But it’s an unfortunate choice for a security focused system to choose to implement a hard model for email rather than making POP/IMAP work well, or some other approach to getting email under the control of the recipient without requiring privileges.

                                  2. 1

                                    Not sure any of these are true, but more of a self-imposed traditional limitation.

                                    Lower ports being bindable by root only could easily be removed; given Linux has better security mechanisms to restrict lower port binding, like SELinux, I’m not even sure why the kernel still imposes this moronic concept on people. Mail delivery (maildir, mbox, whatever zany construct) can also be done giving limited rw access to the specific user and the MDA. Hell, MAIL on my system just points to /var/spool/mail which is owned by root anyhow.

                                    1. 1

                                      SELinux isn’t everywhere.

                                1. 2

                                  Thank you @fro. When I first saw your request (prior to your adding a link to the story to merge in to) I thought the story you were asking to merge referred to CVE-2020-7247 / OpenSMTPD 6.6.2p1, which has fallen outside the merge window. I quickly realized you meant story ti21d7 / OpenSMTPD 6.6.4p1, and they are now merged.

                                  1. 2

                                    Yeah I was a bit late on the link. Thanks!

                                1. 3

                                  CPU manufacturers have been ignoring security for a long time, relying on obscurity. My pessimistic observation is this:

                                  1. Some researchers look under a rock (i.e. CPU), find bad security.
                                  2. It becomes trendy to look under these rocks, other researchers join the fun.
                                  3. Repeat

                                  This may be a bit tautological, but if you want to find new vulnerabilities as a security researcher, it seems as simple as to look where others haven’t and aren’t, for whatever reason. And I think the nature of academia discourages this, so it’s not tough to think of.

                                  This comment may be a bit of an oversimplification. I know some things about security, but I’m by no means an expert. Am I wrong here?

                                  1. 2

                                    I’m no expert but I agree with the sentiment and think there is definitely truth in what you’re saying here.

                                    1. 2

                                      Thank you @gerikson, I have merged the stories regarding CVE-2020-7247.

                                      1. 1

                                        I don’t think the post-mortem should be merged into this.

                                        1. 2

                                          Will you explain why?

                                          1. 2

                                            It is now buried here with older posts. It also contains more information on how it happened, why it happened, what was done to fix it, and future plans. It’s more recent than the others and potential discussions from a detailed post-mortem seem worthwhile to me and they’re less likely to happen here now.

                                            1. 4

                                              The reason I merged story 4gd1oz (“OpenSMTPD advisory dissected”) in to story wcgwqk (“LPE and RCE in OpenSMTPD (CVE-2020-7247)”) was that both stories covered the same topic, and were submitted within two weeks of each other. This has been how story merging has been used since it was implemented in August 2014:

                                              Similar stories such as multiple sites reporting about the same news topic, or duplicates not found by the duplicate detection code should be able to be merged into one story.

                                              To determine whether two stories cover the same topic, I use the following tests:

                                              A) Is the article for the newly submitted story a near-duplicate of the article for the previously submitted story? i.e., was the material republished or rebroadcast?

                                              B) Does the article for the newly submitted story reference or link to the article for the previously submitted story? i.e., is it a response or follow-up? (Occasionally described as a hot take.)

                                              C) Does the article for the newly submitted story discuss the same situation or event as the article for the previously submitted story link? i.e., are there multiple sources?

                                              D) Does the article for the newly submitted story cover the same subject matter as the article for the previously submitted story link? e.g., is it a source code repository for a project that was the subject of a blog post?

                                              E) In all cases, is the newly submitted story submitted no later than two weeks after the previously submitted story?

                                              Any one of tests A-D are sufficient to merge, so long as test E holds.

                                              Here, I merged story 4gd1oz because it passed test C: the topic (in this case the situation under discussion) for both articles being the “Qualys Security Advisory for OpenSMTPD (CVE-2020-7247)”, and test E: story wcgwqk was submitted on or about Wed, 29 Jan 2020 and story 4gd1oz was submitted on or about Fri, 31 Jan 2020. Approximately two days apart.

                                              It is a near-certainty that later published stories will contain more information (“It also contains more information on how it happened, why it happened, what was done to fix it, and future plans”) due to the straightforward fact that more time was available to communicate with others. Variation in information content of an article doesn’t pertain to topicality, however. Stories are merged when they cover the same topic.

                                              There has been at least one experiment to address your first reason (“It is now buried here with older posts”) due to a similar report in issue 300. It was eventually reverted in commit c602b01 having been deployed less than a month.

                                              If you’re able to describe an improvement to the hotness calculation for merged stories that you think would substantively address your last reason (“potential discussions from a detailed post-mortem seem worthwhile to me and they’re less likely to happen here now”) I’d encourage you or anyone reading to submit a PR for review. An advantage of the current hotness behavior is that a story cannot be kept alive via “trickle” of newly submitted, merged stories–a story submission behavior we do see with multiple part blog posts. Changes to how hotness is calculated on merged stories need to account for all reasons a story is merged (i.e., the merge tests articulated here). A significant majority of story merges are unremarkable and a PR should aim to incrementally make more of them so.

                                              If you or anyone reading is able to improve the series of tests I use to decide whether a story should be merged, please voice it. Note however that where possible, I have removed discretion from the decision to merge a story via use of these tests. I’m not interested in adding discretion back in to the process. Doing so would not be an improvement. More decidability, not less.

                                              I hope this explanation adequately describes the trade-offs involved in merging stories, why story 4gd1oz was merged, and can serve as a guide to understanding how this feature as currently implemented is and will be used.

                                              1. 1

                                                Stories are merged when they cover the same topic.

                                                Does that only happen by request? I see other stories about the same topic that are not merged.

                                                1. 1

                                                  I merge those stories I notice that other folks haven’t already suggested. If you see one you’re welcome to suggest it get merged–gerikson highlighted me for story n9ttxa here.

                                                  1. 1

                                                    I just wanted to make sure I was understanding this all correctly. Thanks for the very detailed explanation of everything.

                                              2. 2

                                                I fully agree with @fro here.

                                                The CVE was “am I affected? no? ignore. yes? patch.”

                                                This is potentially interesting for anyone who writes software :)

                                      1. 2

                                        Interesting work! Suggested appending “(2001)” to the title, since that’s when the USENIX paper was published. The link on the slides is no longer served.

                                        1. 1

                                          good lookin out!

                                        1. 1

                                          Hey, this link is paywalled!

                                          Here’s a link that actually works: https://lwn.net/SubscriberLink/810077/dbf5b46deb28b38d/

                                          1. 1

                                            Both links work fine for me and I don’t pay for this. Weird.

                                          1. 3

                                            So, ASLR on OpenBSD isn’t really ASLR?

                                            1. 1

                                              If you like internet fights: correct, it’s not

                                              1. 3

                                                I didn’t ask to cause a fight. I asked because I want to know. Is there a technical reason or is it just because it doesn’t follow the PaX model? Is that reason enough? Is it because it doesn’t use the same deltas or because it uses none? Is it just a naming issue? The difference between ASR and ASLR has been briefly explained to me before in another comment here. However, that was in reference to FreeBSD’s rather recent implementation. There’s also this: https://hardenedbsd.org/content/easy-feature-comparison which is from the author but that means he’s not being consistent. Is there a reason for that? Maybe just an oversight? New information? I’m very curious about this. I have a very basic understanding of these things and maybe I’m just overlooking something that I should have picked up on. Here’s the other comment: https://lobste.rs/s/curktg/implement_address_space_layout#c_aok28i

                                                1. 3

                                                  PaX introduced ASLR, and in that sense it had a specific meaning. It has since then been used to refer generically to various sorts of allocation address randomization. In a claim about ASLR the specific implementation is unclear, absent additional context.

                                                  About two decades ago PaX ASR had performance and fragmentation concerns (on i386 Linux) which were addressed by PaX ASLR. However, those concerns are not necessarily applicable to other operating systems on contemporary 64-bit processors in today’s context.

                                                  1. 1

                                                    Yep. This all makes sense. The explanation about the difference between ASR and ASLR makes sense too. Though I’d never seen the term ASR mentioned before or by anyone else. However, it does seem as though OpenBSD uses some of those deltas or maybe ones that aren’t in line with the PaX model. Looking here: http://inertiawar.com/openbsd/hawkes_openbsd.pdf which is old and specific to OpenBSD 3.9 (i386) but still seems to imply that there’s the randomized stack top + randomized stack gap.

                                                  2. 2

                                                    I need to update the feature comparison page such that the mouse hover text mentions ASR rather than ASLR for OpenBSD. Thanks for the reminder!

                                                    1. 3

                                                      I reckon OpenBSD should update their innovations page as it specifically mentions ASLR also.

                                                      https://www.openbsd.org/innovations.html

                                              1. 1

                                                I flagged this as spam. I like and respect some of the things that came out of grsecurity/PaX. However, this blog post mostly seems like a way to promote the product.

                                                1. 8

                                                  Gonna disagree pretty strenuously on that one. While they do sell a product, the post is a good breakdown, with actual code listings. I hope others don’t follow your example.

                                                  1. 3

                                                    I agree with you here. And I prefer this kind of advertising over yet another bollocks node.js-startup that creates blogs to recruit people. I swear to god, something dies inside of me every time I read something along the lines of “Our young and fresh startup is looking for new SOAP heroes. Apply now using our REST API!”

                                                    1. 1

                                                      I’d prefer no advertising but that’s unrealistic.

                                                    2. 2

                                                      That’s fine. I think it would be a good breakdown without the product plug and the “but we offer this service to our customers” nonsense.

                                                      1. 2

                                                        Fair enough. It’s a fine line to be sure.

                                                    3. 2

                                                      This feels like an ad, but with a technical mindset. I dislike their attitude the most. They may be correct, but they come over as assholes. Oh look how great we are and how bad the kernel team is…

                                                      1. 2

                                                        True, there’s certainly an element of that, but honestly I was pleasantly surprised at how much less snipey and insulting this post was than most things I’ve seen from the PaX/grsec team (I feel like they’re usually worse in that regard).

                                                        1. 2

                                                          Yeah, if you ever read anything that grsecurity/PaX folks write it’s always the same thing. Everyone else is stupid and not doing what they’re supposed to be doing (or stealing their code and not giving credit to them) and everything they do is the proper and only way to do it. I still like some of the things they do but this attitude will always be a problem.

                                                        2. 2

                                                          Also I’m not completely clear when they noticed it. I hope at the latter end of this story, and then reported it. But by interspersing “we did x” in between all the “they did y” this makes me read “we noticed and just didn’t tell them”.

                                                      1. 3

                                                        Curious why this is downvoted? He is one of the most powerful and accomplished programmers in the world, and opening himself up big time. I think this alone deserves big kudos, and I’m very much looking forward to watching it.

                                                        1. 7

                                                          Because it’s an ad for a film focusing on his personality and philanthropy; there’s zero mention of programming. Even if there was any topical material, a trailer isn’t really designed to learn from or prompt new discussion. We’d likely just rehash old arguments about him or Microsoft’s business practices.

                                                          1. 1

                                                            But he’s a talented programmer who started the current largest software company (and company generally by market cap) in the world. So surely there are aspects of his personality and habits that can shed light on how and why he has done the things he has done. Any programmer looking to make an impact should probably watch this.

                                                            Disclosure: I used to work at MS, but I have mixed feelings about MS and BG, due to: https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists, https://www.theregister.co.uk/2001/06/02/ballmer_linux_is_a_cancer/, and http://techrights.org/2009/06/25/bill-gates-office-patents/

                                                            1. 5

                                                              No one has denied he was a programmer. I’m saying that this is not about the programs he wrote, or the way he wrote programs, or the effects of those programs, or the business selling those programs, or the career that followed, it’s about what he’s up to after that business. That’s a lot of steps away from topicality, and then there’s one more giant leap away because this is an ad, it’s not even the mini-series itself. Notice that none of the justifications you gave pointed to content present in this link. It’s like the joke about how La Croix flavors aren’t even flavors.

                                                              1. 2

                                                                I guess I find it interesting and relevant, as someone who is always on the lookout for ways to improve my programming ability. Does knowing what BillG’s favorite food is help me become a better programmer? It turns out, no, but I didn’t know that prior to seeing this. (If he had said “bran muffins” instead of “Hamburgers”, perhaps I’d look into it more).

                                                                I don’t care whether or not people check it out, I just want to register my surprise that it’s being downvoted. An analogy would be if this were a forum about basketball and people were downvoting an official autodocumentary from Michael Jordan because it might be only 20% about basketball.

                                                                1. 3

                                                                  It’s not downvoted because it’s about Bill Gates, it’s downvoted because it’s an ad. See my other comment here: https://lobste.rs/s/3fxyl0/inside_bill_s_brain#c_okluxr

                                                              2. 3

                                                                If you want that, watch Pirates of Silicon Valley. It’s the only movie Wozniak endorses as accurate about the personalities and nature of what they were doing. Even if, as always, the specifics weren’t all right.

                                                                Give you a nice head start, anyway.

                                                              3. 1

                                                                Thanks for explaining. There are a number of mentions related to programming, even in this short clip, btw.

                                                              4. 6

                                                                I flagged this because it’s a twitter link, he’s promoting something about himself, and I don’t care what Bill Gates’ favorite animal is.

                                                                1. 1

                                                                  I disagree, but like that you explained why. :)

                                                                2. 4

                                                                  I flagged this just before going to bed.

                                                                  I’m trying to be more open and transparent in my flagging of late, so here’s my explanation.

                                                                  It’s an ad for an ad for an ad.

                                                                  First ad: new content on Netflix.

                                                                  Next ad: billg is on Twitter!

                                                                  Third ad: a trailer for a show - which is an ad per definition.

                                                                  Relevant link for this particular piece of content (the Netflix show):

                                                                  • a review - either by a knowledgeable insider, or a good TV reviewer, or just a crustacean
                                                                  • something from Netflix that explains a bit more about this - who’s directing, what kind of access they have, what other stuff have they done. There’s docs and there’s docs - some are investigative journalism, some are corporate puff-pieces
                                                                  • the actual show itself (“There’s a documentary about Bill Gates on Netflix. I’ve watched it, and I think it would be a good watch for others on this site”)

                                                                  [Bill Gates] is one of the most powerful and accomplished programmers in the world

                                                                  He’s a very successful businessman who also has deep technical and commercial knowledge and instincts. The company and products he’s helped make have made a lasting impression - not always positive! - on the world, and on the free software/open source community. See for example this discussion which shows that distrust of MSFT is still deeply felt, and that many associate Bill Gates with it.

                                                                  1. 2

                                                                    Good point. A text link with more information that also included the video would be more appropriate.

                                                                1. 1

                                                                  This reads like an infomercial.

                                                                  1. 1

                                                                    yeah it does. i think it’s weird that they want contact info for access to the whitepaper as well.

                                                                    there’s this too: https://arstechnica.com/information-technology/2019/08/silent-windows-update-patched-side-channel-that-leaked-data-from-intel-cpus/

                                                                    also i added linux tag since it seems like it may affect linux.

                                                                  1. 2

                                                                    In more detail, the Linux and PaX (FreeBSD, HardenedGentoo and others use the PaX ASLR approximation) ASLR designs rely on the same core ideas, in that they define four partial-VM areas: (1) stack, (2) libraries/mmaps, (3) executable and (4) heap.

                                                                    FreeBSD’s implementation:

                                                                    1. Is disabled by default.
                                                                    2. Is ASR, not ASLR (ASR does not use deltas, whereas ASLR does).
                                                                    3. Is incomplete, and therefore cannot be relied upon in academia.
                                                                    4. Building applications as PIEs in FreeBSD is disabled by default.
                                                                    5. They incorrectly list FreeBSD in the PaX list–it’s HardenedBSD (a derivative of FreeBSD that aims to provide the BSD community with a clean-room reimplementation of the publicly-documented bits of the PaX/grsecurity patchset) that uses the PaX model. As mentioned previously, FreeBSD is working on their own ASR implementation.

                                                                    1. 2

                                                                      I noticed this mistake as well but I knew you or someone else here would be able to clear up any confusion around that. I’m curious to know your thoughts on the rest of the paper once you have time to read it.

                                                                      1. 2

                                                                        I’ve added it to my “thorough reading” list. Problem is, that list is growing exponentially and hopelessly. I think I have enough in my list to last me a few years now. ;)

                                                                      1. -8

                                                                        This is a joke right? “verification” by sig checking? didn’t they (openbsd) write a fucking tool (signify) to make them not do this stupid shit any more? I guess we can’t remember what happened all of 4 years ago when it comes to people’s actual security. Really underscores the trend of bsd mania being really disinterested in actual user security.

                                                                        1. 8

                                                                          They use signify?: “Verify SHA256.sig using unprivileged signify(1)” - slide 11 of linked PDF.

                                                                          source: https://github.com/openbsd/src/blob/7f3597a0e5ea0b10e5130afef0c253a58e676224/usr.sbin/syspatch/syspatch.sh#L168

                                                                          1. 7

                                                                            Feel free to make your point. But please don’t be an angry/aggressive asshole in how you say it. We are all people here.

                                                                            1. 4

                                                                              How would you do verification?

                                                                              1. 2

                                                                                what are some other examples of this “trend” you mention?

                                                                                1. 2

                                                                                  This is a joke right? “verification” by sig checking? didn’t they (openbsd) write a fucking tool (signify)

                                                                                  What exactly do you think signify does? hint, it’s in the ‘sig’ part of the name.

                                                                                  1. 6

                                                                                    Actually, this particular operation is in the ify part of the name. :)

                                                                                    1. 2

                                                                                      ifysign has a nice ring to it too ;)