Github messages for voidlinux
* Re: lurch / libomemo: 12-byte IVs patch
From: eli-schwartz @ 2020-11-30  4:25 UTC
  To: ml

New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735536652

Comment:
Note this is based on https://github.com/xsf/xeps/pull/894 which got NACKed by the author and closed without merging.

@Neustradamus has proceeded to trick various people into applying this specific patch, including at https://bugs.archlinux.org/task/68766 by claiming it's a critical security vulnerability (the severity got corrected prior to the bug being rejected), and the actual discussion in https://github.com/gkdr/libomemo/issues/24 seems to consist of more or less everyone being mad at @Neustradamus for circumventing actual development processes and pushing, randomly and inconsistently, at select distributors to use downstream patches that are under dispute.

I recommend reverting it and seeking upstream guidance. e.g.

https://github.com/gkdr/libomemo/issues/24#issuecomment-735408224
> please stop pushing downstream changes, it makes the whole situation even more confusing.

* Re: lurch / libomemo: 12-byte IVs patch
From: ericonr @ 2020-11-30  4:31 UTC
  To: ml

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735538234

Comment:
@leahneukirchen ^^

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2020-11-30  7:32 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735607468

Comment:
I confirm the security problem, we need to disable OMEMO Security to talk with Monal users.

Please read all and directly: https://github.com/gkdr/libomemo/issues/24#issuecomment-735294183

Thanks.

* Re: lurch / libomemo: 12-byte IVs patch
From: ericonr @ 2020-11-30 12:26 UTC
  To: ml

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735756151

Comment:
From the actually accepted PR, https://github.com/xsf/xeps/pull/903

>   <li>Divide the HKDF output into a 32-byte encryption key, a 32-byte authentication key and a 16 byte IV.</li>



* Re: lurch / libomemo: 12-byte IVs patch
From: leahneukirchen @ 2020-11-30 12:30 UTC
  To: ml

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735757826

Comment:
This is for OMEMO 0.4, apparently lurch implements 0.3?

* Re: lurch / libomemo: 12-byte IVs patch
From: ericonr @ 2020-11-30 12:42 UTC
  To: ml

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735763165

Comment:
Never mind me, then.

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2020-11-30 14:11 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735808884

Comment:
I have updated the main description.

All clients must support the OMEMO 0.3.0.

There was not the 0.3.1 badly.

XEP-0384: OMEMO 0.4.0 breaks all, there is a new "urn:xmpp:omemo:1".

OMEMO 0.4.0+ is a new step, I have done a ticket about it.

* Re: lurch / libomemo: 12-byte IVs patch
From: leahneukirchen @ 2020-11-30 14:30 UTC
  To: ml

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735820265

Comment:
Lots of other OMEMO 0.3 clients use 12-bit IV too, I don't see the problem here.

* Re: lurch / libomemo: 12-byte IVs patch
From: ericonr @ 2020-11-30 14:36 UTC
  To: ml

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735823756

Comment:
From what I understood, those other clients knew how to handle 16-bit IV, which isn't the case for a specific app.

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2020-11-30 14:49 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735831591

Comment:
Links:
- https://www.google.com/search?q=12+byte+iv
- https://monal.im/blog/omemo-and-french-laws/
- https://github.com/ChatSecure/ChatSecure-iOS#127
- https://monal.im/blog/omemo-is-broken-in-general-across-the-ecosystem/

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2021-01-14  1:29 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-759864648

Comment:
@the-maldridge: I see your revert, why?

The problem is compatibility with all OMEMO 0.3.0 clients.
libomemo 0.7.0 has been released with the fix.
Alpine, Debian, Gentoo, Alt Linux are perfect.

* Re: lurch / libomemo: 12-byte IVs patch
From: the-maldridge @ 2021-01-14  1:44 UTC
  To: ml

New comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-759869381

Comment:
Void tracks upstream, not random patches hurled out by persons unaffiliated who try to pass them off as "security" items when they clearly aren't.  If your patch is that important, work with upstream to ship it.

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2021-01-14  1:46 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-759869902

Comment:
It is, look at libomemo 0.7.0:
- https://github.com/gkdr/libomemo/releases/tag/v0.7.0

* Re: lurch / libomemo: 12-byte IVs patch
From: Neustradamus @ 2021-01-14  1:51 UTC
  To: ml

New comment by Neustradamus on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-759871662

Comment:
The problem is that in Void, there are not 3 packages like other OS:
- axc
- libomemo
- lurch

* Re: lurch / libomemo: 12-byte IVs patch
From: the-maldridge @ 2021-01-14  1:52 UTC
  To: ml

New comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-759872002

Comment:
Great, if you look at the timeline you'll see the revert happened before 0.7.0 was cut.  Again, Void's patch policy is not to accept patches from random people on the internet trying to bypass upstream review protocols, and so your patch was reverted.  You are welcome to submit a patch to update the package to the now released version which would be the appropriate way to get the update into Void.  Do note that as this is now OT for this issue and the content of this issue is now resolved, I'm unsubscribed from further notifications.

* Re: lurch / libomemo: 12-byte IVs patch
From: q66 @ 2020-11-30 14:22 UTC
  To: ml

New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/issues/26757#issuecomment-735815321

Comment:
> I confirm the security problem, we need to disable OMEMO Security to talk with Monal users.
> 

not being able to use encrypted messaging with users of a single client on iOS is not a security issue, and trying to pass it as one is just completely ridiculous

i vote that we revert this and follow upstream

