[PD-dev] moving to git?

Jonathan Wilkes jancsika at yahoo.com
Wed Aug 5 04:07:33 CEST 2015


I assume Linus would be slightly suspicious getting a pull request from himself. :)

But in cases where there's no obvious hierarchy for new users to enter the network, oversights like these are surely dangerous.  Unfortunately the free software community infrastructure has the same issues--
1) download all the public GPG keystores
2) count the total number of keys
3) generate that same number of keys, copying the name/email info you got from the keys in the keystore
4) graft the social graph (i.e., which keys signed which other keys) from the keystores onto the keys you generated, creating a kind of "shadow" keychain
5) slowly upload your "shadow" keychain back up to the public GPG keystores.
Voila!  Now you have two Richard Stallmans, two IOhanneses, two everything.  Big deal.  But you also have the _exact_ same number of signatures on each key as the real keychain.  To the newcomer it's impossible to tell which is real and which is fake by counting the signatures.
I mentioned this to some GPG gurus, and they brushed it off because-- after all-- the "shadow" keychain just sits there on its own little island.  And that's true, until somebody accidentally signs something in the "shadow" keychain from the real one.
(I also watched a video of a security expert mentioning this same issue, which was alarming because I had always assumed I didn't understand well enough how the web of trust works...)

-Jonathan





On Tuesday, August 4, 2015 8:59 PM, Chris McCormick <chris at mccormick.cx> wrote:

Ha ha:
https://github.com/amoffat/masquerade/commit/9b0562595cc479ac8696110cb0a2d33f8f2b7d29

Chris.
-- 
http://mccormick.cx/

On 01/08/2015, at 11:59, Chris McCormick <chris at mccormick.cx> wrote:


On 01/08/15 04:12, Jonathan Wilkes via Pd-dev wrote:

And why do you prefer Github to Sourceforge?  What's different enough in their business model that there is no inherent conflict between serving the free software community on the one hand and monetizing their users/userdata on the other?


"...GitHub has been called the 'Facebook for developers'..."

http://www.wsj.com/article_email/github-raises-250-million-at-2-billion-valuation-1438206722-lMyQjAxMTA1NjI1OTEyNzk0Wj

-_-

I still can't get gittorrent working properly, but I'm continuing to try. Hopefully it will mature.

Chris.

-- 
http://mccormick.cx/
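
Added illustration (not part of the thread and not any poster's code): a toy web-of-trust model of the "shadow" keychain described in the message above. It shows that signature counts cannot separate a real key from its shadow copy, that a signature path from a fingerprint you verified yourself can, and that a single signature from a real key onto a shadow key removes that separation. Fingerprints and names are constructed placeholders, and trust is simplified to plain reachability; GnuPG's real calculation also involves owner trust.

```python
from collections import deque

# Constructed sample data: fingerprints and names are placeholders, not real keys.
# fingerprint -> (user id, fingerprints of the keys that signed it)
KEYS = {
    "AAAA1111": ("Me <me@example.org>", set()),
    "BBBB2222": ("Alice <alice@example.org>", {"AAAA1111", "CCCC3333"}),
    "CCCC3333": ("Bob <bob@example.org>", {"AAAA1111", "BBBB2222"}),
    # "Shadow" copies: same user ids, same signature graph, different keys.
    "FFFF6666": ("Me <me@example.org>", set()),
    "DDDD4444": ("Alice <alice@example.org>", {"FFFF6666", "EEEE5555"}),
    "EEEE5555": ("Bob <bob@example.org>", {"FFFF6666", "DDDD4444"}),
}

def signature_counts(keys, uid):
    """What a newcomer sees when counting signatures on keys with this user id."""
    return {f: len(s) for f, (u, s) in keys.items() if u == uid}

def reachable(keys, anchor, max_depth=5):
    """Fingerprints connected to `anchor` by a chain of signatures.
    Simplification (assumption): every signature counts as fully trusted."""
    signed = {}  # signer fingerprint -> fingerprints of keys it signed
    for fpr, (_uid, signers) in keys.items():
        for signer in signers:
            signed.setdefault(signer, set()).add(fpr)
    seen, queue = {anchor}, deque([(anchor, 0)])
    while queue:
        fpr, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in signed.get(fpr, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen

def with_signature(keys, signer, target):
    """Copy of `keys` in which `signer` has additionally signed `target`."""
    out = {f: (u, set(s)) for f, (u, s) in keys.items()}
    out[target][1].add(signer)
    return out

if __name__ == "__main__":
    me = "AAAA1111"  # the one fingerprint verified out of band
    print(signature_counts(KEYS, "Alice <alice@example.org>"))  # counts are equal
    print(sorted(reachable(KEYS, me)))  # only the real keys
    bridged = with_signature(KEYS, "CCCC3333", "DDDD4444")  # Bob signs shadow Alice
    print(sorted(reachable(bridged, me)))  # shadow keys now look trusted
```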
