logs archiveIRC Archive / Oftc / #tor / 2010 / March / 12 / 1
mikeperry
does ubuntu have a package for torbutton in its repositories?
or debian, for that matter?
pipe
debian does
nsa
or: phobos committed revision 21923 (/website/trunk/include): osx ppc packages for 0.2.2.10 available
mikeperry
can you tell me which versions are in which repositories?
pipe
apparently ubuntu too
ubuntu: Version: 1.2.1-1ubuntu2
debian testing: Version: 1.2.4-2
mikeperry
is that ubuntu 9.10?
pipe
Yeah
mikeperry
ah
pipe
Haven't dared to upgrade to the latest alpha/beta
         

mikeperry
that is a damn old version of torbutton
how does it even work on their firefox I wonder
they ship firefox 3.5.7 right?
pipe
3.5.3 I think..
I don't use the ubuntu package of torbutton, I don't even use tor on my ubuntu machine at the moment
mikeperry
wait, do they have a separate updates repo maybe?
3.5.3 is also very old
pipe
Well, ubuntu 9.10 *is* half a year old
mikeperry
not as old as torbutton 1.2.1 though. those two shouldn't work together at all
yeah, but they should still be providing security updates right?
pipe
Yeah
Firefox might be some special case of that
Since the firefox people didn't like when people just added security fixes without adding the new features
Which is why debian had to rebrand firefox to iceweasel, since debian stable means stable, not "stable plus lots of new random features"
I don't know how Ubuntu does it
pde
karsten: do you need anything from me beyond an ideas list?
karsten
pde: no, just the ideas list.
i think i can re-use most of last year's application.
pde
and will this constrain what gets offered to the students?
karsten
but having a new/updated ideas list would be good.
pde
we should have some non-switzerland things to offer this year
karsten
well, students may use your ideas list as starting point. most of them will pick items from that list, others will go beyond that.
if you have non-switzerland things you want students to work on, put them on the list.
hmm, now that you ask, are the mailing list and irc channel in the 2009 application switzerland-specific?..
pde
yeees
we really should revive the old EFF irc channel
karsten
there, i just fwded you the 2009 application. the second paragraph under "2. Why is your organization applying" needs an update if you want to offer non-switzerland projects.
other than that, i'm going to change 2009 to 2010 and admit that 2009 happened.
pipe
you know what would be cool? for google to turn all their servers into tor relays.
pde
I think that would cause a lot of NAT routers with relays behind them to explode
bja
pipe: From the point of view of a systems arquitecht if you have 1000 servers and they are not used at least at 95 % capacity all the time, you have idle servers and you are loosing money
pde
bridges might work better?
bja
Besides you would have a bunch of servers concentrated on a few point over the whole world
pipe
yeah
And google ad-team eagerly sniffing all the traffic :)
(if they are exit nodes)
         

karsten
pde: going to bed now. if you have further questions, please send mail.
pde
okay!
do you know what time the deadline is tomorrow?
Sebastian_
4 PM PDT / 23:00 UTC
karsten
March 12:
4 PM PDT / 23:00 UTC
Mentoring organization application deadline.
http://socghop.appspot.com/document/show/gsoc_program/google/gsoc2010/timeline
but don't bookmark that page. i'm going to lie about future deadlines so that we'll be done a day early. ;)
chestoes
anyone alive
pipe
sort of
chestoes
got a quick question...
in the web site on the unix/linux distro
setting up the server
i am trying to set up using ubantu and the info giving the gpg key info that is listed, does not work
in trying to download the tor
is there a new key someplace,maybe that I havent found as odf yet
its in the option two Tor on Ubuntu or Debian
i keep getting an error msg that gpg is unknown
pipe
do you actually have gpg installed on your computer?
chestoes
no
pipe
ok
chestoes
this is the info just before the listing of the keys:
Then add the gpg key used to sign the packages by running
then the gpg info - 2 lines - is listed to be added to the resouces.list
pipe
resources.list?
chestoes
yes
pipe
it says you should run the commands
chestoes
nope
pipe
"by running"
You even wrote that just now
So you should type those lines beginning with "gpg" in a terminal
bja
chestoes: you have to run a few commands in order to fetch the keys and put them on your local keyring
chestoes
but it says to add those lines, it does say to use a terminal
right
bja
the lines starting with deb are the ones you should add to sources.list
chestoes
the way it is reading to me, is add the lines after 1st line that has the http to where to go to the torproject
right, but the wording then is not clear
bja
chestoes: let me fetch the correct page, and lets analyze it
chestoes
http://www.torproject.org/docs/debian.html.en#ubuntu
pipe
I don't you're reading whole sentences
+think
I don't think I'm writing whole sentences :)
bja
chestoes: Option two: .......
chestoes
lol
bja
Then add this line to your /etc/apt/sources.list file:
so here is the deb line deb blablalba
chestoes
thats the deb line
right
bja
Then add the gpg key used to sign the packages by running
gpg --keyserver keys.gnupg.net --recv 886DDD89
chestoes
duh......ok now i see it...
bja
which fetches the keys from the debian mantainer. That tells apt is sfe
chestoes
key word is running
bja
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
chestoes
got it now
pipe
I suppose it *could* be written more clearly, with perhaps some <code>..</code> blocks around the actual code
bja
that lines adds it to your keyring. Both lines are important
chestoes
ok, i knew it had to be simplier that what i was making it :)
pipe
And a "$ gpg" instead of "gpg"
chestoes
got it
let me do that, if i have furhter issues, i will be back....
Thanks
ok, its telling me that gpg: WARNING: nothing found
gpg: no valid OpenPGP data found
that came after I put in the export line
bja
chestoes: first you have to run the first line
gpg --key..... bla lba
that is the one that fetches the key
chestoes
right, i did and it went thru, no problem
bja
any messages ?
chestoes
only msgs was what i posted
18:32] <chestoes> ok, its telling me that gpg: WARNING: nothing found
[18:32] <chestoes> gpg: no valid OpenPGP data found
that was from the last line
the 1st line accepted
bja
chestoes: ok you'll have to wait for the heavy hitters, i didn't have any of those problems
chestoes
ok, thanks
pipe
that line works for me in ubuntu 9.10
also works in debian
chestoes
hmmmmmmmm, i am in 9.10 now
ok, i guess i must be doing some wrong
pipe
gpg --keyserver keys.gnupg.net --recv 886DDD89
chestoes
i am running it again
pipe
just copy and paste that into a terminal
chestoes
first line telling me that toal number processed: 1
pipe
good
chestoes
unchanged: 1
pipe
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
that line breaks?
chestoes
yes
pipe
what happens if you type this line:
gpg -k 886DDD89
chestoes
give me a min, my screen froze, i will try it when i am back in
pub 2048R/886DD89 2009-09-04 [expires: 2014-09-03]
uid deb.torproject.org archive signing key
sub 2048r/219ec810 2009-09-04 [expires: 2012-09-03]
pipe
Ok, that looks great
try this: gpg --export 886DDD89 | wc -c
it should hopefully say '2251'
chestoes
would it make any difference that i am going thru a virtual and not a straight hard drive
ok
pipe
No, it shouldn't make a difference
chestoes
yep, 2251
pipe
Then I can't see why it wouldn't work
try: gpg --export 886DDD89 | sudo apt-key add -
chestoes
k
says: ok
pipe
ok, so then it should work
chestoes
hmmmmmmm
i tried it on 2 deiffefent unbuntu and both came up with the same issue
ok, i will try to figire something oput
thanks for ur help :)
pipe
np
sve
how do i make my client use only relays on 443 port since i have to use a proxy
Sebastian_
See ReachableAddresses on http://www.torproject.org/tor-manual.html.en
StrangeCharm
today, someone demoed an attack that made me completely loose any faith that i ever had in the ca pki
i'm officially switching off all cas in my browser, and using manual certificate authentication
phobos
ha
pipe
Nice
phobos
and people called me crazy and paranoid
for doing that years ago
;)
Manny
StrangeCharm: if you've ever known a person at one of the cert co's, youd feel the same way
pipe
How do you do that 'officially'?
Press release? :)
phobos
for firefox, you rename libnssckbi.so to something else
tada, all the firefox CAs are gone
pipe
Question: Is there any standards for using, say, gpg for the web?
Maybe I need to read up on this
StrangeCharm
pipe blog, i guess
pipe
StrangeCharm: good enough
StrangeCharm
pipe, like x509?
located at https://activerhetoric.wordpress.com
pipe
I don't know, I don't really know what I'm talking about here
StrangeCharm
(note, i did not actually blog about it)
though, i guess that i could
Manny
what does that even mean?
pipe
what's this? irc? I'm so confused
StrangeCharm
Manny, turning off certificate authorities? it means that i don't trust anyone to authenticate who i'm talking to, when i try to make a secure connection on the web
pipe, i recommend taking a look at the latest posts on freedom to tinker
Manny
no, 'gpg for web'
StrangeCharm
phobos, until the next update...
pipe
Manny: I mean that you don't trust the CAs, but instead you make a "web of trust" with your friends
StrangeCharm
Manny, i think pipe means 'using a web-of-trust rather than a centralised authority model for ssl authentication"
pipe
but integrated with the www-web
Manny
ah
yo9u sign each others keys
StrangeCharm
though i'm skeptical of the ability of most people to generate trust chains that end at - say - paypal
pipe
yeah
phobos
StrangeCharm: actually, no
once it's renamed, it seems to survive updates
« prev 1 2 3 4 next »