29 Mar 2021 |
_hc | to FDroidException | 09:16:39 |
_hc | the buildbot prototype shows that it would be much easier to capture logs with buildbot | 09:17:38 |
30 Mar 2021 |
| shiver left the room. | 00:03:05 |
| shiver joined the room. | 00:08:54 |
izzy | Just wondering: is anyone going to (or already did) answer that mail to team on F-Droid being pre-installed on that new phone? I'm not fit enough in that area to answer it, but it's lying there for almost 4 days now. | 00:24:49 |
cdesai | how can I get added to team@? admin issue? | 00:26:16 |
izzy | I guess so. AFAIR Ciaran runs that address and would need to add you. Check admin, there must already be the issue from the "previous run". | 00:37:02 |
cdesai | last comment there was 2y ago :D | 00:37:55 |
cdesai | admin#95 | 00:38:15 |
[gibot] | [admin] #95: being added to team@f-droid.org - https://gitlab.com/fdroid/admin/issues/95 | 00:38:16 |
| @freenode_whf:matrix.org left the room. | 01:23:07 |
| @freenode_whf:matrix.org joined the room. | 01:23:16 |
| @freenode_whf:matrix.org left the room. | 01:23:16 |
mimi89999 | _hc, In https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/246 is the compressed data different with a 2-8 byte diff in size or is it the same with the 2-8 bytes appended? | 14:09:39 |
_hc | mimi89999: I don't know, but my guess is that the compressed data is the same since the ZIP algorithm should be deterministic | 16:27:59 |
mimi89999 | Ok, but is the data the same? | 16:29:18 |
mimi89999 | Did you upload the 2 APKs? | 16:30:11 |
mimi89999 | I can inspect them | 16:31:14 |
mimi89999 | Even if it should, it does not mean that the implementations are identical | 16:32:44 |
_hc | I thought obfusk was able to confirm that the Python and Java implementations were able to produce the exact same compressed output | 17:28:14 |
_hc | based on this, seems like we should up our security standards. Like requiring two factor auth for accounts with Developer status: https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/ | 19:29:31 |
cdesai | I'm not sure if gitlab lets you configure that with such granularity | 19:30:50 |
cdesai | https://gitlab.com/help/security/two_factor_authentication#enforcing-2fa-for-all-users-in-a-group | 19:32:15 |
proletarius101 | In reply to @eighthave:matrix.org "based on this, seems like we should up our security standards. Like requiring two factor auth for accounts with Developer status: https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/" What has it actually done? To my understanding, the attack path is on the git server other than github. And it attempts to impersonate commit authors | 19:33:13 |
cdesai | As Developer I can't see 2fa status of others, but owners should be able to under | 19:33:19 |
cdesai | https://gitlab.com/groups/fdroid/-/group_members?sort=access_level_desc | 19:33:19 |
proletarius101 | In reply to @proletarius101:matrix.org "What has it actually done? To my understanding, the attack path is on the git server other than github. And it attempts to impersonate commit authors" That's why I think it has nothing to do with account compromise | 19:35:32 |
cdesai | proletarius101: in our case, gitlab is the git server that we trust, but in addition if anybody who has developer access has an account compromise they could push commits | 19:36:31 |
proletarius101 | We can prevent this simply by protecting the main branch (no force push on that), and asking for each commit to be signed | 19:36:37 |
proletarius101 | In reply to @freenode_cdesai:matrix.org "proletarius101: in our case, gitlab is the git server that we trust, but in addition if anybody who has developer access has an account compromise they could push commits" Yeah, but the commit owner should be transparent | 19:37:15 |