I'm thinking that you might be confused; are you sure you are not mixing hashes (MD5, SHA1) with signatures? Hashes do need to be spread across several sources, but signatures can only be created with a single private key that corresponds to a single public key. There is only one signature needed, and it comes with the package.
With software that you're likely to install as root you want to be able to check the sources with care. That's why I proposed the extension to the tar. I am not stating that it should be mandatory or even that we should change the tar file format (see my other comment about ".tar.gpg.gz"). Just suggesting a standard way to integrate a signature scheme into a tarball.
I would integrate it into the tar for simplicity of use. You download one archive only, with the data and the signature. It could be integrated in the same way gzip is integrated now, with a signature armor and an extra option to check the signature automatically with pgp, say a file.tar.pgp.gz.
Another advantage is to create a single way to sign and check signatures.
Why tar? Because we need a signature for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usually already signed by the distribution.
My point is that those packagers sign builds, binary packages. I am suggesting a standard way to sign sources, independently from distribution and package system.
Today you can find the same program signed by different people; samba is signed in the RPM form by Red Hat, Mandrake, Conectiva and probably others. I expect that there are a few different packages of the same samba in the deb format also.
What if one of those packagers got a rooted samba? How can he know? Today he is lost. If there was the signing infrastructure I mentioned, he could test the signature. Suppose he checks the signature and it prints out:
signed by someone <someone@sambe.org>
If he was expecting
signed by someone <someone@samba.org>
He can detect that there is something fishy about that tar. Remember that the private key is retrieved from a third-party server or from the hard disk if it already has that key. It is possible that the attacker could have rooted the key server also, but it is less probable.
If the developer lost his key, you have a point, but this guy should be more careful. :-)
Not if the private key is different from the independently stored public key from the author. There could be, as already exists today, independent servers with keys. The program prints the author and email so you can check them against the values you expect to retrieve.
This would not have happened and would have been detected if the packages were signed. Maybe it's time for the open-source community to think of a standard way to sign tar files. A standard way that would be checked by the tar program itself.
You get a tarball, tar verifies that this tar is signed, it checks the signature with either a local or remote public key. If it matches it prints out the name and email for which the signature is valid. If those match with the developer you're safe (well, at least if you trust the developer himself).
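As an added illustration of the check the comments above describe (this is example code written for this page, not anything the commenter, tar or any pgp implementation provides), the following Go program models the scheme with ed25519 signatures standing in for PGP: a keyring that plays the role of the local or remote public keys, a signed archive that carries the identity its signer claims, and a verifier that both checks the signature and compares the printed identity against the one the packager expects. The identities, keys and archive bytes are constructed for the example; the look-alike address someone@sambe.org is the one used in the comment, and the point the program makes is that a signature which verifies correctly is still worthless if the identity it verifies for is not the one you were expecting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring maps a signer identity ("name <email>") to its public key. It stands
// in for the local keyring or the remote key server of the comment's scheme.
type Keyring map[string]ed25519.PublicKey

// SignedTarball bundles the archive bytes with the signature and the identity
// the signer claims, the way a ".tar.pgp.gz" wrapper would carry them.
type SignedTarball struct {
	Data      []byte
	Signature []byte
	Signer    string
}

// Verify checks the signature against the key the keyring holds for the claimed
// signer and returns that identity. A valid signature proves only that the
// holder of that key signed these bytes; who that is must still be compared
// with what the caller expects.
func Verify(kr Keyring, t SignedTarball) (string, error) {
	pub, ok := kr[t.Signer]
	if !ok {
		return "", errors.New("no public key for claimed signer " + t.Signer)
	}
	if !ed25519.Verify(pub, t.Data, t.Signature) {
		return "", errors.New("signature does not verify")
	}
	return t.Signer, nil
}

// VerifyExpecting is the check the packager runs: the signature must verify AND
// the identity it verifies for must equal the developer identity expected.
// The signer is returned even on mismatch so the caller can print it.
func VerifyExpecting(kr Keyring, t SignedTarball, expected string) (string, error) {
	signer, err := Verify(kr, t)
	if err != nil {
		return "", err
	}
	if signer != expected {
		return signer, fmt.Errorf("signed by %s, expected %s", signer, expected)
	}
	return signer, nil
}

// ScenarioResult records the outcome of the three cases a packager can meet.
type ScenarioResult struct {
	GenuineOK       bool   // genuine tarball, expected signer: accepted
	LookalikeSigner string // identity printed for the look-alike tarball
	LookalikeOK     bool   // must be false: valid signature, wrong identity
	TamperedOK      bool   // must be false: bytes changed after signing
}

// RunScenario builds constructed keys and archive bytes and runs the check
// over a genuine tarball, a look-alike signer and a tampered tarball.
func RunScenario() (ScenarioResult, error) {
	const genuine = "someone <someone@samba.org>"  // the developer identity expected
	const lookalike = "someone <someone@sambe.org>" // the identity from the comment
	gPub, gPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	lPub, lPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	// The look-alike's key is on the key server too: anyone can upload one.
	kr := Keyring{genuine: gPub, lookalike: lPub}
	data := []byte("constructed stand-in for the bytes of samba-x.y.tar.gz")
	sign := func(priv ed25519.PrivateKey, signer string, d []byte) SignedTarball {
		return SignedTarball{Data: d, Signature: ed25519.Sign(priv, d), Signer: signer}
	}

	var r ScenarioResult
	_, err = VerifyExpecting(kr, sign(gPriv, genuine, data), genuine)
	r.GenuineOK = err == nil

	signer, err := VerifyExpecting(kr, sign(lPriv, lookalike, data), genuine)
	r.LookalikeSigner = signer
	r.LookalikeOK = err == nil

	tampered := sign(gPriv, genuine, data)
	tampered.Data = append([]byte("rooted "), data...) // modified after signing
	_, err = VerifyExpecting(kr, tampered, genuine)
	r.TamperedOK = err == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\n", r.GenuineOK)
	fmt.Printf("look-alike printed as %q, accepted: %v\n", r.LookalikeSigner, r.LookalikeOK)
	fmt.Printf("tampered accepted: %v\n", r.TamperedOK)
}
```

The look-alike case is the one the comment is really about: its signature verifies, so a tool that stops at "signature OK" would pass it, and only the comparison of the printed identity with the expected one catches it. The tampered case shows the other half of the scheme, a signature from the right developer that no longer matches the bytes.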
Overcharging... Hmm... this can happen; I never heard of it happening in restaurants, more like with "camelos" (street sales). The other kind, the ones who talked about the sunburns, I could bet they were only trying to start a conversation.
Have you been to Rio? Sure we have criminals, and tourists are targeted, but we are also very friendly to foreigners. People do like to talk and befriend them here.
Rio is a very violent place, but this violence is mostly restricted to slums (favelas) and the only ones affected by it are the lower economic class. Which is a shame, I agree, but this hardcore violence does not affect most people.
My experience in getting to know tourists here is that almost every one falls in love with our town and our people.
I would like to point out that I was not trying to insult you or anyone; I am sorry if I did that. I guess that with the 40% troll moderation I got I probably insulted a lot of people. I am just stating that I don't agree with your government and the actions that your country is taking. This is a matter of opinion; in this case I was showing mine.
I actually always wanted to visit the United States, but after the Bush government I actually am afraid, not of terrorists but of the government. I am also not very comfortable visiting and taking my hard-earned money ($1.00 = R$3.00) to a country that will treat me like a criminal from the day I arrive.
I am sorry, I do not plan to visit the US anymore. I am sure there is plenty to see and many cool things there. But I do not have anything against American people, and I will surely welcome them here in my home city, Rio de Janeiro. :-)
If you're away from your voting place, you can go to any post office and excuse yourself. I did this myself once, when I was travelling during one election. You probably can excuse yourself later too, due to medical conditions or other stuff.
Also I don't agree with compulsory voting, I think it should be optional (see my reply above or below, heck, it is hard to know where your post will be positioned in Slashdot).
I agree with you, not to choose is also a choice. I believe that people should not be forced to vote.
As a relief, not much of a relief I would say, we have two options (besides the valid vote) while voting:
We can vote blank, which means you don't care who wins, and is somewhat similar to not voting at all.
We also can nullify our vote. The null vote cannot be dereferenced, you could get a segmentation fault.... Seriously speaking, the null vote is a vote against all the options.
Well, no one (or very few) will read this now, I know that. But I must say that if these machines are hard to use, assemble and whatever, this is the fault of whoever designed them.
Brazil has had electronic voting on a national scale for some years now. Here we have mandatory voting; this means that every Brazilian must vote or at least justify (if you're away, for instance). This includes a large portion of the population that is illiterate.
This means that in a federal election, like the last one that elected Lula in 2002, we have electronic voting machines installed in places in the middle of the Amazon jungle that can only be reached by "donkeys", and those machines are sometimes installed and operated by people who are not intimate with any technology at all, and the voters sometimes can't even read.
but at least Open Source doesn't suffer from the awful confusion surrounding the catchphrase "Free Software" which seems to get translated to the altogether semantically different "freeware" as often as not in mass media articles.
This actually is a shortcoming of the English language. In Portuguese "Livre" (free as in software) is very different from "Gratis" (free as in beer). Perhaps the logo of the free software group should be in Latin or Esperanto, so it doesn't get so confusing.
Even people who are not assholes can forget. I usually check 3 or 4 times if my cell is off when I go to a movie theater, but it has already happened that I forgot it on for the entire movie. Luckily no one called me in that period.
Many cameras have 16 bits per channel; does PNG support this? Many cameras work with different color spaces; does PNG support this? Many cameras have a single "monochrome" color LCD with a colored tiled mask; those masks are either RGB, CMY or even more unusual patterns. Does PNG encode this?
This image format was created around the TIFF format; why extend PNG, which is not as widely accepted, to accommodate that stuff instead of TIFF, which already supports many of those things?
The sensor (CCD) is the first lossy transformation the image goes through; it is somewhat similar to the negative in film/analog photography.
The camera captures this data and usually passes it through a pipeline of operations that ends up in a compression. Usually you have white balance, denoise, color conversion and depth (raw is 16 bits per channel, jpg 8 bits per channel) adjustment. All those adjustments could be viewed as a "digital ampliation" if you stretch your mind a little.
Having access to the raw format is like having access to the negative; many effects can be achieved in the amplifier, and likewise many effects can be achieved with the raw format that are simply impossible with the jpg.
Sure many people will still prefer the jpg, but I did hear of some people throwing their negatives in the trash.
Even if you had, say, 70 different keys, that would encode only the year of birth, or maybe 140 encoding year and gender. Why would this make the net safer? People would end up giving/lending their IDs to others.
I can imagine a parent with the "safe" feeling that "my boy is not getting any porn because he doesn't have a USB-id", and the kid is simply using one that he borrowed/bought from his friend. Well, in my times (no internet, you see) I simply knew the right newsstand that sold porn to kids. Kids will be kids. :-)
So if it is not to control porn but to help establish an overall identity in chat rooms, the same will happen; I can imagine an old sick person getting a younger ID to lure women to him, for instance. People will believe him more since he has a pretense of a secure ID.
But how can one be sure? All it needs is a single ID for each device and you can collect all kinds of data. This seems much more useful for collecting data, even if only age/gender, than for anything else.
They will know if 10% of the customers start complaining. :-)
If it is that hot, maybe it needs water cooling or some other crazy refrigerating scheme so easily found here on Slashdot. :-)
From some of the answers I got here I supposed this was interpreted as a "flame" by some; well, I sure didn't mean this as "flame bait".
Brazil has electronic voting (nationwide), and we can't even expect that, since illiterate people are guaranteed the right to vote also.
No, I disagree; voting against a candidate is just as justified as voting for someone.
I really enjoyed reading this interview. I agree with most of what Mr. Coob says. If I were an American I would probably vote for him.
I cannot imagine what the mustache guy will think when he sees the surge of accesses to the page.
"oh, finaly we got the attention we deserve..."
And then connect it to the internet?
Or maybe programming a robot to play it?