log☇︎
1000+ entries in 0.322s
mircea_popescu: you used gpg: public key is E5FF86FA
mircea_popescu: so make it gpg format.
asciilifeform: GyrosGeier: those will have signatures but gpg will correctly reject them as invalid.
asciilifeform: too many for the lamer gpg format, yes
asciilifeform: adlai: all it is, is primes 2 ... N (for some large N) turned into a phuctor-compatible gpg key
mircea_popescu: Public Exponent 281479271743489 is NOT PRIME ! Modulus has mirrored low-order 32 bits ! User(s): Robert L. Vaessen (MobileMe key generated with gpg) <rvaessen@me.com>;
mircea_popescu: well the other thing is that a guy who can do a spiffy web framework couldn't necessarily do gpg arcana or c++ nonsense in bitcoind.
mircea_popescu: and for that matter i've yet to hear someone go "i'm not sending anything to derpy webwallet / webexchange / webusgtronism because htey don't gpg sign the address" ☟︎
mircea_popescu: re gpg verification : yeah, guy's name, special char.
mircea_popescu: hey, same way gpg works.
asciilifeform: https://github.com/blog/2144-gpg-signature-verification << shithub cribs from phf !
mircea_popescu: it'll be very useful because i use gpg auth for eulora, will just have new players reg and then i can get their key
asciilifeform: incidentally ~gpg~ is broken NOW, i can make a fresh key with, e.g., mircea_popescu's fingerprint, for less than the cost of a bus.
asciilifeform: phf: one of the big reasons gpg is a turd is the 'keys in dbs' idiocy
asciilifeform: afaik using any reserved bits (algo field) will nuke ordinary gpg.
asciilifeform: davout: if using format of classic gpg, there is no way to uniquely specify 'this is vtronically signed'
asciilifeform: trinque: l0l! srsly? which gpg?!
asciilifeform: there is no clean way to do it with classical gpg
asciilifeform: at the cost of gpg being utterly retarded in 101 ways ☟︎
asciilifeform: it only APPEARS to work for gpg
asciilifeform: this is not actually true of gpg clearsign
mircea_popescu: " 1]To whomever is now going to say "it's server fault, deedbot should output GPG signed material with proper mimetype like application/pgp-signature". I can only recommend frontal lobotomy by robot that fetches its instructions with wget." << i lolled.
asciilifeform: if so, why did he write gpg to begin with, as disinfo ?
mircea_popescu: you got a gpg key ?
asciilifeform: gpg --verify some.vpatch.sig
asciilifeform: hdbuck: if you take that key and manually run gpg --verify ..... on one of my patches, what do you get ?
asciilifeform: hdbuck: yours barfs on line 45, gpg --verify buildroot-2015.05.tar.gz.sign ?
mircea_popescu: "security hole found in gpg" vs "security hole found in ecdsa - rsa not affected, you should have not switched"
asciilifeform: and where is the patch for gpg 1.4 ?
mircea_popescu: so listen, register your gpg key with assbot.
ascii_butugychag surprised at how mircea_popescu puts up with 'cementing' the abominably-broken gpg set
ascii_butugychag: but re: earlier thread, i'ma publish 'g'. and it'll have one or more of the bad old ciphers from gpg. BECAUSE gpg is ~already~ the weak link in the proposed system. or ben_vulpes doesn't get to download his w4r3z
mircea_popescu: i don;'t wish to continue using gpg.
ascii_butugychag: this is something we're stuck with for so long as using gpg
mircea_popescu: http://log.bitcoin-assets.com/?date=04-02-2016#1396264 << few do. just another in the long list of gotchas gpg has been gleefully suppling us with over the years. was a big thread about it coupla years ago, but not really repeated often hence. ☝︎
mircea_popescu: http://log.bitcoin-assets.com/?date=04-02-2016#1396208 << how is this a symmetric cipher lol. it's just a clunky overimplementation of blowfish or w/e it is gpg uses. ☝︎
asciilifeform: http://log.bitcoin-assets.com/?date=04-02-2016#1395950 << recall, it calls out to gpg on shell !1111 ☝︎
mircea_popescu: felipelalli the reason you're getting so much grief is that it's not clear how your premises work. i mean i get it, you want to help people, and teach them about otc and so on. this is one thing. but i mean what did you do, i don't follow, reimplement gpg as a java thing ?
mircea_popescu: <felipelalli> mircea_popescu, I know that you think expire a key is a bad idea. I saw you saying that in MPEx FAQ. But why? Could you elaborate more about that? Isn't that useful in case someone dies or lost the control over the key? << how is a bitfield in the gpg key help you in case you die ? or lose control of the key ? neither of these are time-able events.
mircea_popescu: we're going the other way : taking gpg out, not putting more of it in.
mircea_popescu: gpg --import not gnarly enough ?
mircea_popescu: + # You need to have these keys in your gpg keyring to vertify V, trinque's special patch, buildroot, and other stuff.
ascii_butugychag: it is a gpg atavism
asciilifeform: on the same planet where gpg prints 'Decrypting......'
mircea_popescu: moreover, the corruptive influence of bitcoin over enemies works in gpg and v space too.
mircea_popescu: moreover, gpg is specificalloy intended to work as a PSEUDONYMOUS system. much like bitcoin addresses are.
mircea_popescu: danielpbarron here's a lulzy bit : all these schmucks worried about "scaling bitcoin" could, for the price of a gpg key, make themselves an eulora account. trade bitcoin with everyone instantly for free!
mircea_popescu: "GPG is useless because if somebody manages to exchange the data while it is transferred to you, he probably also switched the key with his own to sign the application again so it looks valid."
mircea_popescu: copypaste it'll take a while to implement, you'll have to pull in gpg too, and some other shit. but once done it does obsolete current chanology. i can't conceive who or how could run a chan anymore on anything else. ☟︎
mircea_popescu: copypaste how are they forced ? you run gpg and make a key. whatever it comes out.
ascii_butugychag: i could even see the argument that 'signer' oughta be a gpg fp
mircea_popescu: ben_vulpes Do so (this is not a GPG guide), << Do so (<a href=http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html>GPG guide</a>), ?
mircea_popescu: but yes - i would have loved to be a bff of gpg. instead we're just best enemies.
asciilifeform: my main objection to subkey as implemented in gpg is that IT DOES NOT TELL YOU OR EVEN LET YOU CHOOSE with which modulus (i.e. which sub) it actually signs with ! ☟︎☟︎
asciilifeform: gpg won't allow the key to be signed again, either, because 'was already signed'
asciilifeform: though, interestingly, importing the 3TH7E2K.txt yields a warning, 'gpg: no ultimately trusted keys found'
asciilifeform: foobar verifies on my test box using kakobrekla's gpg binary and using this pubkey.
asciilifeform: i can only conclude that the problem exists on kakobrekla's side (gpg config?)
asciilifeform: verifies under clean .gpg on test box also
mircea_popescu: imagine for a moment gpg ran the bitcoin.
mircea_popescu: if gpg were just released today we'd suspect the nsa impacted that stupid design
asciilifeform: ;;later tell jurov what version of gpg is used in turdatron? kakobrekla's chokes on my updated key, but turdatron - happily eats
mircea_popescu: psa : do not use the gpg supplied mechanism for "key expiration", or anything else from there as far as "key management" goes for that matter.
mircea_popescu: honestly, in my mind i realise now, gpg --clearisng has taken over a hole left by telex.
asciilifeform: either the start/end marker (as in traditional gpg) or length offset marker (as somebody suggested here)
mircea_popescu: so your idea of a working gpg is "everyone must learn new alphabet now" ?
mircea_popescu: but a gpg would-be replacement that doesn't have clearsign is not actually usable as a replacement
asciilifeform: http://log.bitcoin-assets.com/?date=25-12-2015#1353071 << if you must have one file, gpg --armour it. or tar it. whatever. ☝︎
mircea_popescu: how about this : only accept gpg-encrypted communications, and only distribute the pubkey to people you like. ☟︎
asciilifeform: and since gpg is retarded by virtue of having to ride on top of 7bit-clean turdmailz etc., it happily mutilates strings to make'em signable
asciilifeform: let's approach mathematically. with detached sig in gpg, i can sign ANY bitstring which fits in the machine.
mircea_popescu: http://log.bitcoin-assets.com/?date=25-12-2015#1352814 |<< everyone who had to use gpg got bruised by gpg. davout was talking to me about this in 2013, for a diff project ☝︎
asciilifeform: ideally a tmsr 'pastebin' would take input by gpg --encrypt --recipient thingspubkey... | curl -X POST ... ☟︎
mircea_popescu: goes in the summary header of "gpg is a pos".
asciilifeform: mircea_popescu: you might be confusing with gpg
asciilifeform: the design of gpg rng subsystem assumes extreme entropy-starvation. this is plain as daylight from 10 minutes of reading the src.
mircea_popescu: you're guaranteed to discover unsavory contents in all foss matter, exactly like asciilifeform found in gpg.
asciilifeform: gpg 1.4.10
mircea_popescu: ascii_field "At some point I may do a similar surgical extraction for GPG 1.4.10’s entropy gatherer, but this is a very different project." << i have nfi why you'd be including "software entropy generators". ☟︎
ascii_field: http://log.bitcoin-assets.com/?date=28-11-2015#1333229 << for gossipd, using stock gpg, much less an abomination (time the invocations some time..!) like gpgme, is a monumentally bad idea ☝︎
mircea_popescu: ironically, my foray into bitcoin was started by random guy on the internet [at the time hadn't used irc at all in decade +] insisting i move into his "GPG" castle.
mircea_popescu: kakobrekla oh i see, THERE it's about the version. if it were a different version than 3.1 it'd have been fine, because windows is usgtronics. MEANWHILE the problems with gpg-hijacked are really problems WITH PGP.
mircea_popescu: "Except maybe not: if you happen to do this with GnuPG 2.0.18 -- one version off from the very latest GnuPG -- the client won't actually bother to check the fingerprint of the received key. A malicious server (or HTTP attacker) can ship you back the wrong key and you'll get no warning. This is fixed in the very latest versions of GPG but... Oy Vey."
mircea_popescu: gpg 0day ?? ?\
asciilifeform: gpg didn't use openssl for anything
asciilifeform: 'i wrote enough in c to be able to prime gpg machinery and send packets over the wire' suggested callout. but why not wait till phf wakes up and clarifies.
mircea_popescu: so in this sense the design is sane, as he has it. callout to "gpg", to be replaced by p
asciilifeform: standalone in the sense mpi was in gpg.
asciilifeform: phf: callouts to gpg are a dead end
asciilifeform: but of gpg, but secondarily, the whole shebang.
asciilifeform: oh and, phun phakt of the day, gpg 1.4.10 will link in 'gettext' if it finds it
mircea_popescu: incidentally : should we deedbot a version of the logs, in the manner of gpg source etc ?
asciilifeform: ben_vulpes: consider reading the src to gpg
mircea_popescu: now suppose cca 2026 some twerps come to persuade you to go take minsk. and you quote this line of the log to them, and they go "huh" becaue hey, log is too difficult and what's a gpg ?
mircea_popescu: in general, the path of "usable" in gpg is kind-of narrow.
mircea_popescu: Thing 4. We're trying to create a proper (=crypto) communication system ; as part of this gpg was cut up and we're still barfing at the results. this is a huge task and if thee end product is reasonably well understood, the design's still widely open.
ascii_field: gpg is ~extremely~ librarization-resistant, much like gcc. ☟︎
asciilifeform: if you want to laugh, cry, read the one in gpg 1.4.10.
asciilifeform: which is what reading, e.g., linux kernel, or gpg, feels like
asciilifeform: incidentally - there is a very convenient 1-byte flag, that, if 'poked', will instantly cause gpg to use ordinary (paged) memory.