Bug#833090: ITP: magic-wormhole -- Securely and simply transfer data between computers
On 2016-08-08 06:19:46, Fredrik Alströmer wrote:
> On Mon, Aug 8, 2016 at 3:19 AM, anarcat <anarcat@debian.org> wrote:
>
>> I'd go even further and say this should be shipped as part of regular
>> Debian releases, ie. just push it to unstable.
>
> I think the argument against that was that it requires a hard-coded
> third-party server as a middleman, and it's explicitly stated that it'll
> disappear if load increases.

It is not hardcoded: you can change the central host and relay with a
simple commandline option.

    $ wormhole --help | grep -B1 'to use'
    Options:
    --relay-url URL rendezvous relay to use
    --transit-helper tcp:HOST:PORT transit relay to use

This could, arguably, be done in a configuration file to facilitate
using third party servers, but this can hardly be considered
hardcoded. Anyways, if the current main host goes down, I assume the
software can/will be patched to provide other hosts as options.

Keep in mind transfers are ephemeral: the central hosts are used only to
establish contact and transfer the file, then everything is torn down.

>> We still ship FTP daemons that serve files without passwords and use
>> cleartext by default.
>
> They're not labeled "secure" though ;)

Actually, quite a few are:

    $ LANG=C apt search 'ftpd$' secure
    Sorting... Done
    Full Text Search... Done
    pure-ftpd/stable 1.0.36-3.2 amd64
      Secure and efficient FTP server
    twoftpd/stable,testing 1.42-1 amd64
      a simple secure efficient FTP server (programs)
    vsftpd/stable 3.0.2-17+deb8u1 amd64
      lightweight, efficient FTP server written for security

"Secure" can mean anything. A dog in a house can make it more secure,
and the best crypto in the world can be considered insecure if you have
the password on a sticky on your screen facing an outside window.

In the above case, "secure" means anything from "no known remote root
vulnerabilities", "TLS support" or "privilege separation"...

I agree it is somewhat of an empty word, but it shouldn't be considered
reason enough to keep stuff from entering Debian, because then you'd
have a *lot* of packages to kick out of the archive. Heck, "apt search
secure" suggests I installed zendframework, and we know how scary PHP
security has been in the past. ;)

> Just to clarify, I never objected to the package itself, just that I
> wasn't sure about it being called "secure". I don't know enough about
> the algorithms and attack surfaces involved to make any kind of
> qualified statement though, so maybe it does qualify as secure.

Well, I am not a cryptographer myself, so I can't comment about the
algorithm. But I am somewhat familiar with such protocols and I found
they brought a novel and robust system in place, that has similar
robustness properties to existing protocols (e.g. OAuth with a
digit-only PIN) with interesting enhancements that make it fail more
gracefully (abort transfer after first failed attempt).

May I suggest that, if you do not know enough about security protocols,
you refrain from discouraging people, that do have some knowledge about
them, from packaging software into Debian? :)

Thank you for your feedback,

A.
--
Life is like riding a bicycle. To keep your balance you must keep moving.
- Albert Einstein