Re: keybase.io

2014-04-05 Thread Clint Adams
On Fri, Apr 04, 2014 at 07:27:36PM -0400, Paul R. Tagliamonte wrote: > This is true of the dropbox daemon too. Are we to throw out DDs with > dropboxd installed? Yes, please. We have too many apologists for non-free software as it is. -- To UNSUBSCRIBE, email to debian-project-requ...@lists.de

Re: keybase.io

2014-04-05 Thread Jakub Wilk
* Enrico Zini , 2014-04-05, 11:40: +1 russ. This is true of the dropbox daemon too. Are we to throw out DDs with dropboxd installed? Wine? ...skype, steam, flashplugin-nonfree[1]. Code git-cloned without checking signatures on tags[2] or doing some auditing[3]. Random cool vim plugins git

Re: keybase.io

2014-04-05 Thread Enrico Zini
On Sat, Apr 05, 2014 at 12:45:53PM -0700, Russ Allbery wrote: > If someone would write up a good step-by-step guide for how to isolate > one's web browser in a VM running on the same host, so that you can still > get reasonable display performance but have a real separation boundary > between the

Re: keybase.io

2014-04-05 Thread Russ Allbery
Enrico Zini writes: > ssh -X or -Y to a remote host, then run X apps. Which requires that host allow remote logins, which creates a different sort of security issue. Also, tunneling a web browser over X is an unbelievably painful experience. > I've recently got worried about common practices I

Re: keybase.io

2014-04-05 Thread Jonathan Dowland
> On 5 Apr 2014, at 00:18, Gunnar Wolf wrote: > > Well, please enlighten me here: Without fully auditing the Javascript > code you are using to do the crypto client-side, can you *really* be > certain your private half has not travelled to Keybase? The client side crypto stuff can't be done wi

Re: keybase.io

2014-04-05 Thread Jakub Wilk
* Enrico Zini , 2014-04-05, 11:40: ssh -X or -Y to a remote host, then run X apps. For you convenience, Debian OpenSSH client sets ForwardX11Trusted to yes by default, making -X and -Y synonymous. -- Jakub Wilk -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subj

Re: keybase.io

2014-04-05 Thread Enrico Zini
On Fri, Apr 04, 2014 at 07:27:36PM -0400, Paul R. Tagliamonte wrote: > +1 russ. > This is true of the dropbox daemon too. Are we to throw out DDs with dropboxd > installed? Wine? ...skype, steam, flashplugin-nonfree[1]. Code git-cloned without checking signatures on tags[2] or doing some auditin

Re: keybase.io

2014-04-05 Thread Jakub Wilk
* Paul Tagliamonte , 2014-04-04, 20:15: My point was this attack vector (nonfree code running on the same machine as your OpenPGP key) taken to it's absolute extreme (wine, dropboxd) is still *not* grounds for automated removal from the keyring. It's a popular misconception that the only purp