From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VyxZU-00077N-CE for bitcoin-development@lists.sourceforge.net; Fri, 03 Jan 2014 05:45:24 +0000 X-ACL-Warn: Received: from nl.grid.coop ([50.7.166.116]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1VyxZT-00059C-6k for bitcoin-development@lists.sourceforge.net; Fri, 03 Jan 2014 05:45:24 +0000 Received: from localhost (localhost [127.0.0.1]) (uid 1000) by nl.grid.coop with local; Thu, 02 Jan 2014 23:45:15 -0600 id 000000000006E26B.0000000052C64E6B.00005C6F Date: Thu, 2 Jan 2014 23:45:15 -0600 From: Troy Benjegerdes To: Gregory Maxwell Message-ID: <20140103054515.GL3180@nl.grid.coop> References: <52A3C8A5.7010606@gmail.com> <1795f3067ba3fcdd0caf978cc59ff024.squirrel@fruiteater.riseup.net> <52A435EA.7090405@gmail.com> <201312081237.24473.luke@dashjr.org> <20131212205106.GA4572@netbook.cypherspace.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Mime-Autoconverted: from 8bit to quoted-printable by courier 0.68.2 X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.5 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1VyxZT-00059C-6k Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts? X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jan 2014 05:45:24 -0000 On Tue, Dec 31, 2013 at 05:48:06AM -0800, Gregory Maxwell wrote: > On Tue, Dec 31, 2013 at 5:39 AM, Drak wrote: > > The NSA has the ability, right now to change every download of bitcoi= n-qt, > > on the fly and the only cure is encryption. No, the only cure is the check the hashes. We should know something about hashes here. TLS is a big pile of 'too big to audit'. Spend a couple of satoshis and put the hash of the source tar.gz and the binaries in the blockchain. Problem solved. > The downloads are protected by something far stronger than SSL > already, which might even have a chance against the NSA. Actual > signatures of the downloads with offline keys. >=20 > I'm all pro-SSL and all that, but you are=E2=80=94 piece by piece=E2=80= =94 really > convincing me that it produces an entirely false sense of security > which is entirely unjustified. I used to think encryption was important, and this exchange convinced me that kerberized telnet with no encryption but with integrity checking would be far more secure than 'secure' shell. Also, there's some organization that's inserting malicious memes that try to get me to buy shit below my signature. How about we=20 move the mailing list? I've run mailman servers before, and there's also http://savannah.gnu.org/maintenance/WhyChooseSavannah/ -- Troy (da hozer)