Please remove Bitcoin from Sourceforge.net - page 2.

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: Raoul Duke on August 17, 2011, 07:22:04 PM

Quote from: kjj on August 17, 2011, 06:56:30 PM

If someone shows up and wants to host a mirror in a country that we are allowed to export to, and that doesn't itself prohibit distribution to other countries, that person will find plenty of people willing and eager to help set things up.

Well, as far as i know sourceforge redirects download links to the geographically closest mirrors from where the download is requested, but people in those block lists don't even get redirected, they just get the part of their terms that say they are on the "forbidden" list, go figure...

So, i guess what you are saying is not the complete truth. Doesn't matter how many mirrors they have, the result will be the same. Unless you weren't talking about sourceforge in that paragraph and i understood you wrong. If so, I apologize, and ask for clarification about that statement.

Since the topic is getting around SourceForge's compliance with US Government policy, I had thought that it was pretty obvious that I was talking about a non-SF mirror.

twobits

sr. member

Activity: 574

Merit: 250

Quote from: Maged on August 17, 2011, 06:06:25 PM

Quote from: twobits on August 17, 2011, 11:03:38 AM

Quote from: Maged on August 17, 2011, 10:54:41 AM

Quote from: Raoul Duke on August 17, 2011, 10:40:11 AM

Quote from: kjj on August 17, 2011, 10:34:05 AM

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Thats good. I was surprised that it seemed like they are not. Would be good to use two different hashes or at least not sha-1 anymore. Also, it is not obvious at all from the bitcoin.org page. I just see link to downloads of the binaries, where are the links to the signatures?

What's wrong with just using SHA-1?

The the signed hash list is right along-side the binaries:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/

While we are on this side topic, I would like to point out that hosting the signature files right along side the binaries is also probably not the best idea. If I can replace files on sf I would just replace both now.

twobits

sr. member

Activity: 574

Merit: 250

Quote from: EricJ2190 on August 17, 2011, 11:23:03 PM

Quote from: twobits on August 17, 2011, 09:42:40 PM

Quote from: EricJ2190 on August 17, 2011, 09:01:44 PM

Quote from: twobits on August 17, 2011, 08:32:56 PM

sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.

SHA-1 is not broken. It is also highly unlikely it will go from where it stands now to completely broken and unusable for this purpose overnight. That said, I would be in favor of also signing a stronger hash. It is good to stay ahead.

It is broken. Think it was in '05. I remember it being a Chinese paper that showed this. If really need be I can probably dig up the links.

I assume you are referring to this: Collision Search Attacks on SHA1

This only demonstrates a collision of SHA1 with a reduced number of rounds. Their research does reduce the complexity of an attack on full the 80-round SHA1, but not enough that anyone has been able to produce a full collision.

Scary stuff, and a very good reason to move to something better, but, at least for now, an attacker can't tamper with a file without changing the SHA1 hash.

By the way, I am using the term "broken" to mean that actual collisions have been found or could reasonably be found with current technology. If you use "broken" to mean that there is a known attack faster than a birthday attack, then SHA1 is definitely broken.

That is the right authors, but not the later paper, they have another one that shows it to be much weaker yet. Came out about 3 or 4 months later. Unfortunately, the authors got denied a visa to present it at a conference in the USA. It would not surprise me to learn they are further along with this now, but have stopped the English papers. It is not recommended to use sha-1 in any new projects any more. I personally would use two very different hashing algos to publish official binaries for something like bitcoins.

I do think we may be using different definitions, I think you are talking about what I would call cracked, and it is not cracked yet in any public papers I know of.

EricJ2190

full member

Activity: 134

Merit: 102

Quote from: twobits on August 17, 2011, 09:42:40 PM

Quote from: EricJ2190 on August 17, 2011, 09:01:44 PM

Quote from: twobits on August 17, 2011, 08:32:56 PM

sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.

SHA-1 is not broken. It is also highly unlikely it will go from where it stands now to completely broken and unusable for this purpose overnight. That said, I would be in favor of also signing a stronger hash. It is good to stay ahead.

It is broken. Think it was in '05. I remember it being a Chinese paper that showed this. If really need be I can probably dig up the links.

I assume you are referring to this: Collision Search Attacks on SHA1

This only demonstrates a collision of SHA1 with a reduced number of rounds. Their research does reduce the complexity of an attack on full the 80-round SHA1, but not enough that anyone has been able to produce a full collision.

Scary stuff, and a very good reason to move to something better, but, at least for now, an attacker can't tamper with a file without changing the SHA1 hash.

By the way, I am using the term "broken" to mean that actual collisions have been found or could reasonably be found with current technology. If you use "broken" to mean that there is a known attack faster than a birthday attack, then SHA1 is definitely broken.

twobits

sr. member

Activity: 574

Merit: 250

Quote from: EricJ2190 on August 17, 2011, 09:01:44 PM

Quote from: twobits on August 17, 2011, 08:32:56 PM

sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.

SHA-1 is not broken. It is also highly unlikely it will go from where it stands now to completely broken and unusable for this purpose overnight. That said, I would be in favor of also signing a stronger hash. It is good to stay ahead.

It is broken. Think it was in '05. I remember it being a Chinese paper that showed this. If really need be I can probably dig up the links.

EricJ2190

full member

Activity: 134

Merit: 102

Quote from: twobits on August 17, 2011, 08:32:56 PM

sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.

SHA-1 is not broken. It is also highly unlikely it will go from where it stands now to completely broken and unusable for this purpose overnight. That said, I would be in favor of also signing a stronger hash. It is good to stay ahead.

jackjack

legendary

Activity: 1176

Merit: 1280

May Bitcoin be touched by his Noodly Appendage

They should sign the binaries with a Bitcoin address

twobits

sr. member

Activity: 574

Merit: 250

Quote from: Maged on August 17, 2011, 06:06:25 PM

Quote from: twobits on August 17, 2011, 11:03:38 AM

Quote from: Maged on August 17, 2011, 10:54:41 AM

Quote from: Raoul Duke on August 17, 2011, 10:40:11 AM

Quote from: kjj on August 17, 2011, 10:34:05 AM

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Thats good. I was surprised that it seemed like they are not. Would be good to use two different hashes or at least not sha-1 anymore. Also, it is not obvious at all from the bitcoin.org page. I just see link to downloads of the binaries, where are the links to the signatures?

What's wrong with just using SHA-1?

The the signed hash list is right along-side the binaries:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/

sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: kjj on August 17, 2011, 06:56:30 PM

If someone shows up and wants to host a mirror in a country that we are allowed to export to, and that doesn't itself prohibit distribution to other countries, that person will find plenty of people willing and eager to help set things up.

Well, as far as i know sourceforge redirects download links to the geographically closest mirrors from where the download is requested, but people in those block lists don't even get redirected, they just get the part of their terms that say they are on the "forbidden" list, go figure...

So, i guess what you are saying is not the complete truth. Doesn't matter how many mirrors they have, the result will be the same. Unless you weren't talking about sourceforge in that paragraph and i understood you wrong. If so, I apologize, and ask for clarification about that statement.

Not going to comment on your other paragraphs because I already said too much on this thread and honnestly I don't feel like entering a path that will lead nowhere.

As I said on the OP: I'm not eloquent enough to be the one to put this on the table, but as I didn't see anyone else doing it, I did what i thought and believed was the right thing to do.

Now it's better to leave the persons who are smarter than me to discuss it and reach their own conclusions.

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: Raoul Duke on August 17, 2011, 01:38:38 PM

mainly because Sourceforge is a puppet on US government hands. For an organization that is said to promote openness they seem to closed to me. And they should to you also.

Dude. You just crossed your own parody horizon. I actually can't think of a parody of your position that is even as bizarre as your own statements.

US citizens, residents and companies do not become "puppets" of the government by following federal laws. We merely stay out of prison.

If someone shows up and wants to host a mirror in a country that we are allowed to export to, and that doesn't itself prohibit distribution to other countries, that person will find plenty of people willing and eager to help set things up.

Maged

legendary

Activity: 1204

Merit: 1015

Quote from: twobits on August 17, 2011, 11:03:38 AM

Quote from: Maged on August 17, 2011, 10:54:41 AM

Quote from: Raoul Duke on August 17, 2011, 10:40:11 AM

Quote from: kjj on August 17, 2011, 10:34:05 AM

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Thats good. I was surprised that it seemed like they are not. Would be good to use two different hashes or at least not sha-1 anymore. Also, it is not obvious at all from the bitcoin.org page. I just see link to downloads of the binaries, where are the links to the signatures?

What's wrong with just using SHA-1?

The the signed hash list is right along-side the binaries:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/

zellfaze

full member

Activity: 141

Merit: 101

Security Enthusiast

Somehow though I bet they still use that same list.

Could someone check that though.

captainteemo

full member

Activity: 143

Merit: 101

Sourceforge does have Swedish and Swiss mirrors...

memvola

hero member

Activity: 938

Merit: 1002

Quote from: Raoul Duke on August 17, 2011, 02:30:43 PM

Maybe it's because of what my parents suffered before i was born and the way i was raised because of it that i feel it's a great injustice what is being done to the persons in those countries.

Well, there is a slim chance that in the near future my home country could get into those "up to no good" lists. So there indeed will be people who would support legislations that deny me access to Bitcoin. That is indeed interesting to me. I know we are preaching to the choir here, but looks like these two items may not be so obvious to everyone:

Technologies such as Bitcoin, and free information in general, have a liberating effect. So if you think that people living in these countries are oppressed, it would help them recover. U.S. is not doing this to secure information, but to exert political pressure. There is nothing particularly good about it.
States have their own agenda. I don't want to get into a debate about why one would think Iran's government is "up to no good" and what the actual threat is here. But we are the the people, there is nothing that binds us to their quarrel. Bitcoin is free and it is ours.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: memvola on August 17, 2011, 02:24:25 PM

What are you talking about?

The proposal is to host Bitcoin project in a more neutral ground where everyone in the world can access its content freely. Not in "up to no good" countries like Iran or USA. (Joking, I love both Iranians and Americans.)

By the way, there was a talk about signing executables and other distributed packages (I still advocate distributing the blockchain as an option) by multiple developers, preferably living in different jurisdictions, so that it won't be enough for "them" to get to one. This may be a different issue, but related.

Honnestly, I'm already sorry that i answered him. I should know better than to answer to brainwashed sock puppets.

Maybe it's because of what my parents suffered before i was born and the way i was raised because of it that i feel it's a great injustice what is being done to the persons in those countries.

memvola

hero member

Activity: 938

Merit: 1002

Quote from: pekv2 on August 17, 2011, 02:00:17 PM

It makes sense to me as you want bitcoin removed because iran and no up to good other countries cannot access SF. Why would I care if the US govt seen my ip accessing bitcoin files from SF? Is bitcoin illegal in the USA? I wouldn't trust any of these country's "Cuba, Iran, North Korea, Sudan and Syria" either.

What are you talking about?

The proposal is to host Bitcoin project in a more neutral ground where everyone in the world can access its content freely. Not in "up to no good" countries like Iran or USA. (Joking, I love both Iranians and Americans.)

By the way, there was a talk about signing executables and other distributed packages (I still advocate distributing the blockchain as an option) by multiple developers, preferably living in different jurisdictions, so that it won't be enough for "them" to get to one. This may be a different issue, but related.

pekv2

hero member

Activity: 770

Merit: 502

Quote from: Raoul Duke on August 17, 2011, 02:15:57 PM

Quote from: pekv2 on August 17, 2011, 02:00:17 PM

Yes I read it. Nonsense? It makes sense to me as you want bitcoin removed because iran and no up to good other countries cannot access SF. Why would I care if the US govt seen my ip accessing bitcoin files from SF? Is bitcoin illegal in the USA? I wouldn't trust any of these country's "Cuba, Iran, North Korea, Sudan and Syria" either.

I'm secretelly hoping for your country to get into one of those lists. maybe then you will understand that the inhabitants of a country are not the same as their governing powers.

Ask me how i know that... because unfortunatelly my parents lived in a country under an oppressive regime for many years of their life, in fact it was like more than half of their life. All that stopped when the said country army ended that oppressive regime in 1974. If your reasoning were to be correct, then the army would not rebel against the government to free the people, because as you said, those countries are up to no good.

Then go create an opensource website just for those country's.

Quote

Grow up dude. and take your head out of your arse, you sure need it.

Right...

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: pekv2 on August 17, 2011, 02:00:17 PM

Yes I read it. Nonsense? It makes sense to me as you want bitcoin removed because iran and no up to good other countries cannot access SF. Why would I care if the US govt seen my ip accessing bitcoin files from SF? Is bitcoin illegal in the USA? I wouldn't trust any of these country's "Cuba, Iran, North Korea, Sudan and Syria" either.

I'm secretelly hoping for your country to get into one of those lists. maybe then you will understand that the inhabitants of a country are not the same as their governing powers.

Ask me how i know that... because unfortunatelly my parents lived in a country under an oppressive regime for many years of their life, in fact it was like more than half of their life. All that stopped when the said country army ended that oppressive regime in 1974. If your reasoning were to be correct, then the army would not rebel against the government to free the people, because as you said, those countries(and subsequently the persons that live there, army included) are up to no good.

Grow up dude. and take your head out of your arse, you sure need it.

1 more thing: Bitcoin is not illegal in the US... YET! and i hope when it reaches that point you will be the first person to get arrested and sent to gitmo for the rest of your life

pekv2

hero member

Activity: 770

Merit: 502

Quote from: Raoul Duke on August 17, 2011, 01:38:38 PM

Quote from: pekv2 on August 17, 2011, 01:30:30 PM

Because people in iran cannot access sourceforge, you want bitcoin not to be hosted on SF?

Have you bothered to even read the thread?

mainly because Sourceforge is a puppet on US government hands. For an organization that is said to promote openness they seem to closed to me. And they should to you also.

And is it only Iran? What about Cuba, North Korea, Sudan and Syria? Shouldn't it be these people that live under opressive regimes that Bitcoin should help? Or only american and european lazy ass speculators are intitled to use a free decentralized currency?

Maybe you should go live in one of those countries and enjoy their restrictions before you start talking nonsense.

What about the danger that it poses to distribute an essential piece of the project on servers that are owned by a company that will turn in all their logs and HDD's to US government as soon as they ask?

Maybe when the government of the country you live in asks sourceforge for the IP logs that accessed the bitcoin files and yours is among them you will think diferently.

So much for a free internet when people can't see past their belly... Roll Eyes

Yes I read it. Nonsense? It makes sense to me as you want bitcoin removed because iran and no up to good other countries cannot access SF. Why would I care if the US govt seen my ip accessing bitcoin files from SF? Is bitcoin illegal in the USA? I wouldn't trust any of these country's "Cuba, Iran, North Korea, Sudan and Syria" either.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: pekv2 on August 17, 2011, 01:30:30 PM

Because people in iran cannot access sourceforge, you want bitcoin not to be hosted on SF?

Have you bothered to even read the thread?

mainly because Sourceforge is a puppet on US government hands. For an organization that is said to promote openness they seem to closed to me. And they should to you also.

And is it only Iran? What about Cuba, North Korea, Sudan and Syria? Shouldn't it be these people that live under opressive regimes that Bitcoin should help? Or only american and european lazy ass speculators are intitled to use a free decentralized currency?

Maybe you should go live in one of those countries and enjoy their restrictions before you start talking nonsense.

What about the danger that it poses to distribute an essential piece of the project on servers that are owned by a company that will turn in all their logs and HDD's to US government as soon as they ask?

Maybe when the government of the country you live in asks sourceforge for the IP logs that accessed the bitcoin files and yours is among them you will think diferently.

So much for a free internet when people can't see past their belly... Roll Eyes

Topic: Please remove Bitcoin from Sourceforge.net - page 2. (Read 5917 times)