| jrwren | crap they are pulling: mitm ssl proxy :( | 00:14 |
|---|---|---|
| cmaloney | Yeah, thats' some bullshit | 02:46 |
| jrwren | mitm ssl proxy is especially scary when you consider that your wireless vendor controls the root ca list on your wireless device. they can mitm ssl and you would never know. | 13:44 |
| brousch | One more reason the Internet needs to be treated as a regulated public utility | 13:46 |
| dzho | I don't disagree at either end of that, but I don't think the connection between them is as strong. | 14:41 |
| dzho | the conclusion I'd draw is, this is why we need libre software on our devices | 14:41 |
| dzho | so we can know from whence our ca settings come, and what they are | 14:41 |
| brousch | So Linux users are unaffected by this mitm attack? | 14:46 |
| cmaloney | GOo dmorning | 14:47 |
| rick_h_ | morning | 14:52 |
| jrwren | dzho: exactly! And we need not just browsers like firefox, but firefox with Certificate Patrol and ability to not SSL connect if a CA has changed. sadly, trusted CAs can't be trusted. | 15:00 |
| dzho | brousch: sorry, is that a serious question, or just rhetorical? | 15:02 |
| dzho | in either case, you perhaps may be confusing me for an open source advocate. | 15:03 |
| brousch | Serious. If open source software prevents this kind of problem, why were Linux users still affected? | 15:03 |
| dzho | haha | 15:03 |
| dzho | yeah, that's the problem. | 15:03 |
| dzho | you seem to think I'm advocating free software as some sort of magic pixie dust to improve quality. | 15:03 |
| dzho | as if this is just some question of industrial efficiency. | 15:04 |
| dzho | Six Sigma, whoo! | 15:04 |
| dzho | brousch: this is what happens when people handwave away the difference between the free software movement and open source | 15:07 |
| jrwren | brousch: linux users are affected. I think dzho was pointing out that it is only with open source that we can be sure what is happening. | 15:07 |
| dzho | jrwren: close enough, yeah | 15:07 |
| brousch | Perhaps | 15:08 |
| dzho | that's still a quality argument, and I won't dispute it. | 15:08 |
| dzho | https://www.gnu.org/philosophy/when_free_software_isnt_practically_better.html | 15:08 |
| dzho | if you've seen that already, my apologies. | 15:09 |
| dzho | sorry, I lost this link, which I prefer, since it brings more to the forefront Mako http://mako.cc/writing/hill-when_free_software_isnt_better.html | 15:11 |
| jrwren | dzho: does anecdotal evidence to the contrary negate the entirity of that argument? | 15:12 |
| dzho | I'm sympathetic to some of the aversion to RMS that people have, and so think it good to emphasize that there are other prominent free software advocates. | 15:12 |
| dzho | jrwren: sorry, which argument? | 15:12 |
| jrwren | dzho: nevermind. This isn't the article that I thought it was. :) | 15:13 |
| dzho | there's an open source quality argument, and a free software is inherently valuable despite quality argumen . . . oh, ok :-) | 15:13 |
| cmaloney | I think OSS tends to bring deeper-level security to the forefront | 15:14 |
| jrwren | cmaloney: hahahahahahahahaha | 15:14 |
| jrwren | cmaloney: you've heard of openssl? | 15:14 |
| cmaloney | But I can say from personal experience that I haven't checked my CA list in a while | 15:14 |
| jrwren | cmaloney: you remember the debian ssh keys issue? | 15:14 |
| cmaloney | jrwren: You remember ILOVEYOU? :) | 15:14 |
| jrwren | cmaloney: :) | 15:14 |
| cmaloney | The fact that it was 20 years on for openssl means the code was convoluted enough for smart people not to notice | 15:15 |
| jrwren | cmaloney: Yes. | 15:16 |
| cmaloney | And OSS gets volunteers with varying levels of experience, much like commercial software. | 15:16 |
| cmaloney | Trying to think of the recent case where a router was pretty much "WONTFIX" on something rather serious. | 15:16 |
| jrwren | cmaloney: in fact, mozilla NSS is a good example | 15:16 |
| cmaloney | Not coming to me offhand. | 15:16 |
| dzho | I sort of think of FOSS conditions are pre-requisites, rather than guarantees of, certain kinds of security. | 15:18 |
| cmaloney | The difference between OSS and commercial software is commercial software has to pay smart people to audit their code. :) | 15:18 |
| dzho | (commas might need to be shifted around a bit there but whatev) | 15:18 |
| dzho | OSS and commercial are not opposites :-) | 15:19 |
| cmaloney | OSS hopefully gets those smart people for free. :) | 15:19 |
| cmaloney | dzho: Oh I know this. They're two sides of the same coin. | 15:19 |
| dzho | in fact, I think it *possible* for FOSS to allow companies to collaborate to their mutual benefit in a way that would be rightly seen as collusive in a proprietary context. | 15:19 |
| cmaloney | I can see where you're coming from on that | 15:20 |
| dzho | dangit, I've got a spot on this shirt. | 15:21 |
| cmaloney | I'm glad I'm not in Marquette at the moment | 15:38 |
| cmaloney | Apparently they have the snow. | 15:38 |
| jrwren | cmaloney: or OSS doesn't get those smart people at all, because they are too busy being employed by the commercial vendors. | 15:39 |
| cmaloney | jrwren: Yeah | 15:41 |
| cmaloney | http://arstechnica.com/information-technology/2014/11/microsoft-open-sources-net-takes-it-to-linux-and-os-x/ | 15:45 |
| rick_h_ | yea, jrwren must be doing a happy dance right now...or a "wtf, why not just buy out and use mono" | 15:48 |
| brousch | I've been using VS 2013 desktop for a week now. Very nice | 15:51 |
| jrwren | yeah, speaking of open source. | 15:51 |
| jrwren | rick_h_: they likely will be using mono, or did use mono to do the port. | 15:51 |
| rick_h_ | jrwren: yea, curious on how that interaction went down | 15:52 |
| jrwren | rick_h_: MSFT has basically been helping Xamarin every since they launched. | 15:53 |
| brousch | I'm so confused! How can it be a trap if it's MIT licensed? | 15:53 |
| greg-g | patents | 15:53 |
| jrwren | Every since Scott Guthrie became VP of that division, MSFT has been very open and nice. | 15:53 |
| rick_h_ | jrwren: yea, but they've still kind of kept thing apart in a way. | 15:53 |
| jrwren | rick_h_: yup, and now they'll be less apart. | 15:53 |
| rick_h_ | jrwren: yea, but now do they need two different implementations? | 15:54 |
| rick_h_ | jrwren: or can they all get on board in a single community/code base? | 15:54 |
| brousch | Whew, thanks greg-g | 15:54 |
| greg-g | brousch: yw, have a nice (paranoid) day! | 15:54 |
| rick_h_ | jrwren: they get mono's work on apps on other platforms and mono gets to be ootb for all users | 15:54 |
| jrwren | rick_h_: pretty sure Mono will use the parts of open source .net that make sense. definitely std library. | 15:58 |
| jrwren | rick_h_: runtime will probably be trickier since mono targets WAY more platforms than .net. | 15:58 |
| jrwren | rick_h_: Mono does some things which .net has never done. 64bit large array for example. Which people do use in certain applications. Mono runtime will likely stick around. | 15:59 |
| jrwren | greg-g: https://github.com/dotnet/corefx/blob/master/PATENTS.TXT | 16:00 |
| jrwren | brousch: .net was never a trap, silly. | 16:00 |
| greg-g | of course that doesn't have line breaks.... | 16:01 |
| greg-g | also, thanks jrwren :) | 16:01 |
| greg-g | :) We (WMF) are probably going to switch to Debian Jessie (not all at once, gradually) from Precise | 16:40 |
| rick_h_ | greg-g: :( | 16:41 |
| rick_h_ | greg-g: any killer issue you hit out of curiosity? | 16:41 |
| jrwren | greg-g: o_O why? | 16:41 |
| rick_h_ | or just general debian support? | 16:41 |
| brousch | I assumed it was already on Debian | 16:47 |
| greg-g | rick_h_: jrwren there will probably be a blog post when we start doing it. Right now it's just a 17 message thread on our ops list. Hard to summarize. One point is security updates on the entire archive, not just "main" | 16:51 |
| greg-g | Also, systemd vs upstart | 16:51 |
| greg-g | the longer we stick with upstart the longer we'll create techdebt in it, so might as well switch to systemd now with Jessie than with ... uh, whatever version Ubuntu will be doing the switch | 16:52 |
| greg-g | 15.04, apparently | 16:52 |
| greg-g | paste-spam: | 16:53 |
| greg-g | * One important difference is, of course, upstart & systemd. This is certainly going to be a difference and is going to require work. However, Ubuntu has already declared they will also switch (probably by 15.04) and hence we'll need to do this eventually anyway. Us jumping ship earlier means that we won't need to keep writing upstart | 16:53 |
| greg-g | services for thefull trusty cycle (until April 2016) and that we c an take advantage of the systemd ecosystem and its benefits (cgroups anyone?) earlier. | 16:53 |
| greg-g | but, nothing official yet, but the tea leaves (aka list discussion) seems to be saying we're going to switch to Debian with Jessie (on a rolling basis) | 16:55 |
| jrwren | interesting. | 16:58 |
| jrwren | do you use many packages outside of main? | 16:58 |
| jrwren | i've not run debian in a long time. Doesn't debian have main and contrib as well? | 16:58 |
| greg-g | doubt we use anything in contrib that we don't package ourselves, but debian's security promise is much wider (by # of packages) than Ubuntu's | 16:59 |
| greg-g | * Debian actually security-supports the whole archive, rather than ignoring 95% of it (universe), like Ubuntu. This isn't theoretical: it's the reason e.g. we still have Icinga behind password auth, why we've had a phpMyAdmin compromise in Labs in the past etc. | 17:00 |
| greg-g | * Even in the small set of packages that overlap, Debian's security support is usually better than Canonical's. They're usually faster and usually with more well-thought out patches. (e.g. Heartbleed & POODLE). Also compare the quality (and domain name!) of http://security-tracker.debian.org/ with http://people.canonical.com/~ubuntu-security/cve/ | 17:00 |
| jrwren | greg-g: very interesting. | 17:01 |
| jrwren | I wonder how debian is so good now when they were so terrible years ago :) | 17:01 |
| greg-g | (that phpmyadmin reference is because someone installed it on a vm in our "labs" infra, aka, our public openstack for anyone) | 17:01 |
| rick_h_ | greg-g: but still, 6mo wait for ubuntu + systemd is > changing out whole OS? | 17:05 |
| rick_h_ | we already have cgroups in ubuntu, the whole LXC toolchain is based on it | 17:05 |
| * greg-g is on a call now | 17:05 | |
| rick_h_ | greg-g: np, just doing some :P | 17:05 |
| jrwren | i'm anti systemd. I hope ubuntu changes course and continues with upstart. | 17:10 |
| jrwren | I think eventually debian will not use systemd by default. | 17:10 |
| jrwren | So, it seems we value different things :) | 17:10 |
| greg-g | rick_h_: short answer: there's a lot more in the thread about this that I haven't quoted :) | 17:35 |
| rick_h_ | greg-g: cool, I was just curious if there was a straw that broke the camels back kind of thing | 17:56 |
| greg-g | not sure if there was a straw, I think it's more "we all kinda want to do it anyways, and timing is right" | 18:00 |
| greg-g | the only problem will be our OpenStack host machines, from what I can tell. | 18:00 |
| greg-g | (not the guests, but the hosts) | 18:00 |
| rick_h_ | cool | 18:01 |
| rick_h_ | hmm, so is this a kind of app hosting thing like a strange app engine built off aws? https://aws.amazon.com/blogs/aws/code-management-and-deployment/ | 18:21 |
| jrwren | rick_h_: looks like it. Looks like AWS take on Heroku or Azure Web Sites. | 18:22 |
| rick_h_ | yea | 18:22 |
| jrwren | rick_h_: or, AWS take on the best of them all, Cloud Foundry :) | 18:23 |
| jrwren | rick_h_: not sure how it is different from Elastic Beanstalk | 18:24 |
| * cmaloney is listening to Finntroll - Trollhammaren | 20:11 | |
| cmaloney | <3 | 20:11 |
| jrwren | evarlast is currently listening to Suffer the Flesh, by Android Lust (from Resolution) | 20:17 |
| trevlar | rick_h_: are you going to CHC tonight? I can finally get your books back to you :) | 22:51 |
| rick_h_ | trevlar: yep, what books? | 23:11 |
| mrgoodcat | company gf works at is looking for a html/css/js developer | 23:13 |
| mrgoodcat | let me know if interested | 23:13 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!