<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1438735201351_18164">I assume Linus would be slightly suspicious getting a pull request from himself. :)<br></div><div id="yui_3_16_0_1_1438735201351_19015"><br></div><div id="yui_3_16_0_1_1438735201351_24706">But in cases where there's no obvious hierarchy for new users to enter the network, oversights like these are surely dangerous.  Unfortunately the free software community infrastructure has the same issues--</div><div id="yui_3_16_0_1_1438735201351_25125"><br></div><div dir="ltr" id="yui_3_16_0_1_1438735201351_25604">1) download all the public GPG keystores<br></div><div id="yui_3_16_0_1_1438735201351_24271">2) count the total number of keys</div><div dir="ltr" id="yui_3_16_0_1_1438735201351_26876">3) generate that same number of keys, copying the name/email info you got from the keys in the keystore<br></div><div dir="ltr" id="yui_3_16_0_1_1438735201351_29024">4) graft the social graph (i.e., which keys signed which other keys) from the keystores onto the keys you generated, creating a kind of "shadow" keychain</div><div id="yui_3_16_0_1_1438735201351_29894" dir="ltr">5) slowly upload your "shadow" keychain back up to the public GPG keystores.</div><div id="yui_3_16_0_1_1438735201351_36403" dir="ltr"><br></div><div id="yui_3_16_0_1_1438735201351_31610" dir="ltr">Voila!  Now you have two Richard Stallmans, two IOhanneses, two everything.  Big deal.  But you also have the _exact_ same number of signatures on each key as the real keychain.  
To the newcomer it's impossible to tell which is real and which is fake by counting the signatures.</div><div id="yui_3_16_0_1_1438735201351_32480" dir="ltr"><br></div><div id="yui_3_16_0_1_1438735201351_33340" dir="ltr">I mentioned this to some GPG gurus, and they brushed it off because-- after all-- the "shadow" keychain just sits there on its own little island.  And that's true, until somebody accidentally signs something in the "shadow" keychain from the real one.</div><div id="yui_3_16_0_1_1438735201351_40429" dir="ltr"><br></div><div id="yui_3_16_0_1_1438735201351_39996" dir="ltr">(I also watched a video of a security expert mentioning this same issue, which was alarming because I had always assumed I didn't understand well enough how the web of trust works...)<br></div><div id="yui_3_16_0_1_1438735201351_39116" dir="ltr"><br></div><div id="yui_3_16_0_1_1438735201351_39123" dir="ltr">-Jonathan<br></div><div id="yui_3_16_0_1_1438735201351_31449" dir="ltr"><br></div><div id="yui_3_16_0_1_1438735201351_31609" dir="ltr"><br></div><br><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> On Tuesday, August 4, 2015 8:59 PM, Chris McCormick &lt;chris@mccormick.cx&gt; wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><div id="yiv1399134476"><div><div><span style="font-size:15px;line-height:19px;white-space:nowrap;">Ha ha:</span></div><div><span style="font-size:15px;line-height:19px;white-space:nowrap;"><br clear="none"></span></div><div><span style="font-size:15px;line-height:19px;white-space:nowrap;"><a rel="nofollow" shape="rect" target="_blank" 
href="https://github.com/amoffat/masquerade/commit/9b0562595cc479ac8696110cb0a2d33f8f2b7d29">https://github.com/amoffat/masquerade/commit/9b0562595cc479ac8696110cb0a2d33f8f2b7d29</a></span><br clear="none"><br clear="none">Chris.</div><div><br clear="none">--<div><a rel="nofollow" shape="rect" target="_blank" href="http://mccormick.cx/">http://mccormick.cx/</a></div></div><div><div class="yiv1399134476yqt3145081955" id="yiv1399134476yqtfd84771"><br clear="none">On 01/08/2015, at 11:59, Chris McCormick <<a rel="nofollow" shape="rect" ymailto="mailto:chris@mccormick.cx" target="_blank" href="mailto:chris@mccormick.cx">chris@mccormick.cx</a>> wrote:<br clear="none"><br clear="none"></div></div><blockquote type="cite"><div><div class="yiv1399134476yqt3145081955" id="yiv1399134476yqtfd76919"><span>On 01/08/15 04:12, Jonathan Wilkes via Pd-dev wrote:</span><br clear="none"><blockquote type="cite"><span>And why do you prefer Github to Sourceforge?  What's different enough in</span><br clear="none"></blockquote><blockquote type="cite"><span>their business model that there is no inherent conflict between serving</span><br clear="none"></blockquote><blockquote type="cite"><span>the free software</span><br clear="none"></blockquote><blockquote type="cite"><span>community on the one hand and monetizing their users/userdata on the other?</span><br clear="none"></blockquote><span></span><br clear="none"><span>"...GitHub has been called the 'Facebook for developers'..."</span><br clear="none"><span></span><br clear="none"><span><a rel="nofollow" shape="rect" target="_blank" href="http://www.wsj.com/article_email/github-raises-250-million-at-2-billion-valuation-1438206722-lMyQjAxMTA1NjI1OTEyNzk0Wj">http://www.wsj.com/article_email/github-raises-250-million-at-2-billion-valuation-1438206722-lMyQjAxMTA1NjI1OTEyNzk0Wj</a></span><br clear="none"><span></span><br clear="none"><span>-_-</span><br clear="none"><span></span><br clear="none"><span>I still can't get gittorrent working 
properly, but I'm continuing to try. Hopefully it will mature.</span><br clear="none"><span></span><br clear="none"><span>Chris.</span><br clear="none"><span></span><br clear="none"><span>-- </span><br clear="none"><span><a rel="nofollow" shape="rect" target="_blank" href="http://mccormick.cx/">http://mccormick.cx/</a></span></div><br clear="none"><span></span><br clear="none"><span>_______________________________________________</span><br clear="none"><span>Pd-dev mailing list</span><br clear="none"><span><a rel="nofollow" shape="rect" ymailto="mailto:Pd-dev@lists.iem.at" target="_blank" href="mailto:Pd-dev@lists.iem.at">Pd-dev@lists.iem.at</a></span><br clear="none"><span><a rel="nofollow" shape="rect" target="_blank" href="http://lists.puredata.info/listinfo/pd-dev">http://lists.puredata.info/listinfo/pd-dev</a></span><div class="yiv1399134476yqt3145081955" id="yiv1399134476yqtfd03970"><br clear="none"></div></div></blockquote></div></div><br><br></div>  </div> </div>  </div></div></body></html>