From mboxrd@z Thu Jan 1 00:00:00 1970
From: Achim Gratz
Subject: Re: Why no secure code retrieval
Date: Sun, 03 Jul 2016 20:25:16 +0200
Message-ID: <87mvlymveb.fsf@Rainer.invalid>
References: <87mvm4sewl.fsf@systemreboot.net> <87y45m28vp.fsf@saiph.selenimh> <87lh1k5dj1.fsf@free.fr> <20160702165130.GA1401@scamper2.bantercat.co.uk> <87eg7bnqob.fsf@free.fr>
List-Id: "General discussions about Org-mode."
To: emacs-orgmode@gnu.org

Konstantin Kliakhandler writes:

> For what it is worth, the current discussion is actually precisely what I
> was aiming at. I agree with your analysis of my intended goals but
> completely disagree that SHA1 alone is any sort of guarantee. To be
> precise, I don't just think that it doesn't provide much, but rather that
> alone it provides none at all. This is because I have no idea who produced
> a given SHA1 - whether it was Bastien, or a MITM attacker, or just someone
> who compromised the server.

Getting the same data via https doesn't give you that sort of guarantee
either, it only ensures that the data cannot be read and altered in
transport. If the server or repo gets compromised, then it is game over
until someone notices that the server suddenly doesn't match up the local
clone.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs