security – Why does GrapheneOS use signify instead of PGP to sign their releases (GPG, cryptographic signatures)?

Daniel Micay (lead developer of GrapheneOS) decided to use signify instead of gpg because of many issues associated with gpg and the OpenPGP standard, including:

  1. PGP Certificate Flooding attacks
  2. gpg is very hard to use
  3. signify is far simpler than the OpenPGP spec; it’s less vulnerable to (keychain) exploits, the code is shorter, and has a lower attack surface
  4. The gpg implementation bugs permitting DoS attacks on keyrings are long-standing and not being addressed in a timely manner by its developers

It’s overly complex with far too much attack surface and has egregiously bad usability and security. It’s only suitable for usage as a case study in how not to design and implement software. Rather than changing the instructions to work around GPG deficiencies, it won’t be used.

Source: https://twitter.com/DanielMicay/status/1145264664315604992

It’s a systemic issue, not a specific problem. GPG is vulnerable to a severe denial of service (permanently bricking the keyring) when importing public keys through multiple weaknesses. The public keyservers make the situation worse, but the issues with the GPG implementation are still relevant even without keyservers.

GPG also has a lot more wrong with it than this. I’ve been phasing it out over time for my own usage and had previously talked about my plans to phase it out for GrapheneOS too. OpenPGP is an overly complex and poorly designed legacy standard, and GPG is a low quality implementation of it.

The thing that finally pushed me to prioritize fixing this was the terrible responses of the GPG developers to the issue summarized well by Hanno Böck: https://twitter.com/hanno/status/1145597144373575680.

Look through my recent tweets / replies and retweets about GPG, or my previous threads about it in May.

Source: https://www.reddit.com/r/GrapheneOS/comments/c7gb3f/grapheneos_factory_images_are_now_signed_with/

These are the opinions of Daniel, not my own. Of course I think signing with PGP is better than not signing at all (or where signature verification requires you to use a tool that cannot itself be obtained securely), which is the absurd reality of most Android ROMs.

agile – How do you currently manage wireframes and storyboards for software releases?

I usually make storyboards in PowerPoint and put them on a central file share. (Used to be Sharepoint, which I liked). This is a starting point for the developers.

I usually work with them on the actual product and things shift and change from the original PowerPoint design. In the end, the PowerPoint only has a weak link to the real thing. It becomes outdated and useless.

We have demo days, once a week, where we show off our work to a larger group. This is where things solidify and become “the way it’s supposed to be”. We make punchlists in those meetings. QA attends too, so they know what is “designed behavior”.

Then nearing release (monthly) we work with training, support, product marketing, etc to document the existing behavior.

There are lots of methods. This is just the one I use. I hope this was helpful for you.

updates – Android ROMs whose releases are cryptographically signed (gpg)

What is the list of popular Android ROMs whose releases are cryptographically signed?

Today I learned that LineageOS (arguably the most-popular open-source Android ROM) does not cryptographically sign their releases with PGP. As such, they do not provide a safe way for users to download and install copies of LineageOS.

There is an issue open to fix this, but it’s been unanswered for months.

Generally speaking, the Android open-source ecosystem is a security nightmare: most ROMs will point you to download a .zip on some (often third party) web server with no cryptographic signature — so LineageOS is not an exception here.

So what ROMs are available to the Android user that cares about their security? Which ROM developers care enough to sign their releases with GPG?

Access to over 80TB of the latest media releases (FTP) | NewProxyLists

Hello,

Offering Private FTP accounts @ centropy.ch – Asking for a small donation to help cover server costs. Updates daily. We are not a TOPSITE just to get that out of the way. We are an archive media server. 1000s of PC games, movies & the hottest TV series. English only. We also have a 100,000+ rom collection! Big gaming arcade packs (7k+)

$10 donation

Twitter Releases "TipJar" Allowing Users to Send Money To Other Users

Twitter has introduced TipJar to a limited number of users which allows followers to send money to their favourite users.

Canon 760D: Pressing the shutter button half-way releases the shutter

I’ve had cameras in the past with very sensitive shutter buttons. Sometimes what was intended by me to be a half press was enough pressure to result in a full press. The resulting vibration of the camera as the mirror, shutter, and shutter reset mechanism were actuated was usually enough to disengage the full press and the effect was very much like what you describe. Practice a bit with your camera and see if that might be the case.

Regardless of the camera’s configuration, if the mirror is cycling, the shutter is operating, and an image is being recorded to the memory card upon an actual half press of the shutter button, your camera is malfunctioning. There is no configuration option for the EOS 77D (or any other Canon EOS camera of which I’m aware) that enables an image to be recorded when the shutter button is half pressed. Images should only be recorded with a full press of the shutter button.

Like xenoid advises in the comments to the question, I’d recommend trying a wired cable release (you can get a generic for about $5 on amazon or eBay) with a two stage button. The cheaper wired releases would probably be better in this regard, as there is more of a difference in the “feel” between a half press and full press compared to your camera’s shutter button.

  • If the malfunction continues with a half press of the wired release, then the issue is not in your shutter button itself but in the way the camera responds to the shutter button’s position.
  • If the issue is not present when you half press the button on the wired remote, then the issue is probably in the contacts in the shutter button and the camera is interpreting that as a very short duration full press.

soft fork – Is there network split risk for Taproot activation with two releases (Bitcoin Core and Bitcoin Taproot)?

Every soft fork or consensus change involves a (very small) non-zero risk of a network split. That risk is considerably lower for a soft fork than say a hard fork (where all nodes need to upgrade). That’s why soft forks aren’t attempted every month or year. All you can do is minimize that risk.

Aaron lays out some scenarios that are theoretically possible. Any incompatibility between “Bitcoin Core” and “Bitcoin Taproot” during the Speedy Trial deployment is in my view highly unlikely. If Speedy Trial fails to activate and we reach November 2022 (please note 2022 not 2021) without miners activating then we are in a similar scenario to the UASF in 2017 where it depends on what the economic majority is running. I can’t predict what the economic majority would be running in November 2022 but I highly suspect the delaying of Taproot activation would be at the top of everyone’s minds.

You do have to weigh up these risks of a network split with miners deliberately blocking Taproot activation potentially forever. If we were to say no more UASFs ever again because we don’t want to take any network split risk that would be handing miners a permanent veto to block the activations of soft forks that have community consensus. So you have to weigh up the risk of the latter which would be just as concerning (if not more concerning) to people.

So in summary these are subtle trade-offs. A number of developers have worked hard to minimize the risk of a network split. But it doesn’t get to zero unless you literally never try a soft fork again. And that would mean that Bitcoin would never seriously improve again.

development – How to cryptographically verify the authenticity and integrity of Android Studio releases (with gpg?)

For a given Android Studio release published by Google, how can I cryptographically verify the authenticity and integrity of the .tar.gz file that I downloaded before I copy it onto a USB drive and attempt to install it on my laptop?

Today I wanted to download Android Studio, but the download page said nothing about how to cryptographically verify the integrity and authenticity of their release after download.

https://developer.android.com/studio#downloads

I expected to see a message on the download page telling me:

  1. The fingerprint of their PGP release signing key,
  2. A link to further documentation, and
  3. Links to (a) a manifest file (eg SHA256SUMS) and (b) a detached signature of that manifest file (eg SHA256SUMS.asc, SHA256SUMS.sig, SHA256SUMS.gpg, etc)

Unfortunately, the only information I found on the download page was how to verify the integrity of the tarball using a SHA-256 checksum found in a table on the same page. Obviously, this checks integrity but not authenticity. And it provides no security because it’s not out-of-band from the .tar.gz itself.

How can I perform cryptographic integrity and authenticity verification with Google’s Android Studio releases?
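An added worked example (not GrapheneOS's, signify's or Google's code) covering both the signify answer earlier on the page and the signed-manifest flow this question expects: it parses signify's two-line public-key and signature files, verifies the Ed25519 signature over a SHA256SUMS manifest, and only then checks the downloaded artifact against the manifest. The Ed25519 arithmetic is a compact pure-Python port of the RFC 8032 reference algorithm so the example runs offline; it is not constant-time and is for illustration only. The seed, key id, manifest and artifact bytes are constructed for the demo.

```python
"""Added example, not GrapheneOS or Google code: verify a signify-signed
SHA256SUMS manifest, then check the downloaded artifact against it.
Ed25519 below is a compact pure-Python port of the RFC 8032 reference
algorithm (NOT constant-time; illustration only). All inputs are constructed."""
import base64
import hashlib

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # group order
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def _inv(x):
    return pow(x, P - 2, P)

def _add(p, q):                                       # twisted Edwards point addition
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P, (y1 * y2 + x1 * x2) * _inv(1 - t) % P)

def _mul(p, e):                                       # double-and-add scalar multiplication
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p, e = _add(p, p), e >> 1
    return r

def _encode(pt):
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):                                       # RFC 8032 point decompression
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    xx = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * SQRT_M1 % P
    if (x * x - xx) % P:
        raise ValueError("point not on curve")
    return (P - x if (x & 1) != sign else x, y)

def _hint(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def ed25519_keypair(seed):                            # -> (clamped scalar, prefix, public key)
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], _encode(_mul(B, a))

def ed25519_sign(seed, msg):
    a, prefix, pub = ed25519_keypair(seed)
    r = _hint(prefix, msg) % L
    R = _encode(_mul(B, r))
    return R + ((r + _hint(R, pub, msg) * a) % L).to_bytes(32, "little")

def ed25519_verify(pub, msg, sig):
    if len(pub) != 32 or len(sig) != 64:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= L:                                        # reject non-canonical S
        return False
    try:
        A, R = _decode(pub), _decode(sig[:32])
    except ValueError:
        return False
    return _mul(B, s) == _add(R, _mul(A, _hint(sig[:32], pub, msg) % L))

# signify file layout: "untrusted comment: ...\n" + base64("Ed" + 8-byte key id + body)
def signify_encode(comment, keynum, body):
    return f"untrusted comment: {comment}\n{base64.b64encode(b'Ed' + keynum + body).decode()}\n"

def signify_decode(text):                             # -> (key id, public key or signature)
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify file")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != b"Ed" or len(raw) not in (42, 74):
        raise ValueError("unsupported signify payload")
    return raw[2:10], raw[10:]                        # the comment line is unsigned and never used

def signify_verify(pub_text, sig_text, message):
    pub_id, pub = signify_decode(pub_text)
    sig_id, sig = signify_decode(sig_text)
    return pub_id == sig_id and ed25519_verify(pub, message, sig)

def verify_release(pub_text, sig_text, manifest, artifacts):
    """Signed-manifest flow: the manifest's signature must verify first, then
    every artifact must hash to the sha256sum-format entry listed for it."""
    if not signify_verify(pub_text, sig_text, manifest):
        return False
    expected = {}
    for line in manifest.decode().splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            expected[name] = digest.lower()
    return all(expected.get(n) == hashlib.sha256(d).hexdigest() for n, d in artifacts.items())

# constructed demo data (fixed seed so the run is reproducible; not a real key)
SEED = bytes(range(32))
KEY_ID = b"\x01\x02\x03\x04\x05\x06\x07\x08"
ARTIFACT = b"stand-in for a downloaded release tarball"
MANIFEST = (hashlib.sha256(ARTIFACT).hexdigest() + "  release.tar.gz\n").encode()
PUB = signify_encode("release signing key", KEY_ID, ed25519_keypair(SEED)[2])
SIG = signify_encode("verify with release.pub", KEY_ID, ed25519_sign(SEED, MANIFEST))

if __name__ == "__main__":
    print("genuine:", verify_release(PUB, SIG, MANIFEST, {"release.tar.gz": ARTIFACT}))
    print("tampered:", verify_release(PUB, SIG, MANIFEST, {"release.tar.gz": ARTIFACT + b"\x00"}))
```

Two things the code makes explicit that a checksum table on the download page cannot: the signature binds the manifest to a key whose fingerprint you obtained out of band, and the artifact is only trusted after both the signature and the hash match. Note also that signify's first line is literally labelled "untrusted comment": it is not covered by the signature, so the key-file name it suggests, and the key id in the payload, only select which key to try and must never be treated as a trust decision.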

centos – What is the lifecycle of Oracle Linux for minor releases?

We are discovering Oracle Linux and considering the move from other RHEL clones.

One question that remains unanswered is: what’s the lifecycle of minor releases on Oracle Linux? Do we get updates, on the free tier, when a new point release is available for the previous ones?

Example: I need to install an Enterprise Linux 7.7 server. In the CentOS world we need to get the ISOs from CentOS Vault, and there are only updates up to the last day before CentOS 7.8 is released. On the other hand, on RHEL there will be some security updates for RHEL 7.7 for a period of time even if 7.8 is already released. So RHEL is a better fit than CentOS in this case.

So what is the policy on Oracle Linux in this case? Where can I read about it? How can I pin Oracle Linux to keep a point release and maintain it patched just like in RHEL?

Thank you all.