Ah, I'm glad someone else on this forum knows this. It's worth noting that this irritating limitation is gone in OpenOffice.org 2.0--there is no longer a need to maintain a machine-wide "network" install, and separate user installs for each user.
Not only are Valve very publicly against this practice, but it is also no good if the seller didn't take the trouble to create a separate Steam account for each game he wanted to sell.
It doesn't mean unstable as in crashing; it means unstable as in volatile, changing. Every night you can apt-get upgrade to a new host of potential problems. Stable is called such because the only changes that are ever made are backports of security fixes. Thus, stable is suitable for servers or large workstation deployments, etc, while testing/unstable are ok to use for random hacking on a desktop machine at home.
Hey, hey, don't blame the (most excellent) FTP protocol just because your client couldn't resume transfers!
To your first paragraph: I posit that such people do exist, and may indeed read Slashdot. Just consider that you would never know about it, because the instant they mention that they don't have a TV, they are relegated to the "pompous windbag" category, and if they don't then they are assumed to _have_ a TV because it's the default...
Oh come on, this is the same kind of argument that Reagan's yes men made for the existence of (among other things) a Soviet missile defence system. The CIA repeatedly said that there was no evidence that the USSR had anywhere near the technology or resources to pull off such a thing, and that furthermore their economy was collapsing--Team B retorted that this was an elaborate ruse by the Soviets, and if the CIA couldn't see evidence of such a system then the Soviet system was obviously SO ADVANCED that it was undetectable!
I think it's a far more likely explanation that a copilot, cabin crewmember or passenger was messing around with a laser pointer. :)
There's actually a patch floating around that allows you to do exactly that with /proc/net/$proto/ports/$port or some such. Can't remember the name unfortunately.
> Decide whether we like curses or termcap, and get rid of the other one
Hmm. Curses is a library that allows you to say stuff like "print text in bold" or "draw a box here".
Termcap is an (obsolete) system that allows you to map operations such as "print text in bold" to the specific escape codes to do so on a particular terminal.
Termcap is used _by_ ncurses. One cannot replace the other. Besides, termcap is obsolete, everyone (including ncurses) actually uses terminfo these days. I think...
> What's the difference between the kind of installer you despise and an
> installation script ebuild on Gentoo or a Debian installation script packaged
> into a .deb file?
It's all about where you get your packages from. Speaking for Debian, no package that did such things would be allowed into the archive. However, since there is no similar repository of vetted software for Windows, everyone gets software from the vendors' individual sites.
$ which cp
/bin/cp
I think the poster meant that the stuff in /sbin is generally used for administration, rather than being commands that a user would often use.
Nothing stops a user from running stuff in /sbin; ifconfig is useful, but most of the programs in there (ldconfig, fsck, mkfs and so on) won't do much without access to the system that usually only root has.
Erm, the little matter of distributing copyrighted material without the permission of the copyright holder.
I am merely trying to counter the bad advice you are handing out: namely, that verifying the MD5 sums can be used as anything other than a check for file corruption. If you're not doing some kind of cryptographic check, then you can not be sure that the file is safe.
If, in fact, this was not your position then I apologise--the ratio of signal to noise is hitting an all time low in the comments on this story.
I specifically said, "the people providing the content" in order to avoid an argument about whether hosting torrent files is legal (which from my layman's understanding of the law, it is).
Publik? argh! :)
Well, the fact that the checksums are signed allows me to check that the certificate mozilla.org (hypothetically) provides is legit. Of course, most people aren't in the web of trust, the self-signed cert thing was only a suggestion as an alternative to getting a cert for TLS from Verisign, or another trusted CA.
The people providing the content are not permitted to by the copyright holder.
Yes, it's forgery, and a damn sight more serious. What's your point?
> The MD5 sums are posted on ftp servers all over the world, and only take a few
> seconds to get.
What part of this don't you understand? This is not secure at all! Again, the attacker could be sitting at your ISP, ensuring that no matter what site you visit, you receive his poisoned data.
> Didn't say to do that - said to get the MD5 hash from a second site. quicker,
> and easy to check - heck, you can just paste the two into an editor and eyeball
> them if you don't trust your computer to do the job.
The two approaches have exactly the same merit, security wise. That is, none at all. If you're not verifying that you can trust the checksums cryptographically, then you have no security at all.
> You are giving people the wrong idea! There is no such thing as absolute
> security, only levels of security.
Of course there is no such thing as absolute security.
However, checking the MD5 sums against the downloaded file does not help you. You must verify that the MD5 sums you have are in fact the "correct" values.
> How do you know someone didn't tamper with the repository of certificates or
> keys?
If someone is messing around with stuff on my own computer, I'm fucked anyway. As for the rest of the chain, start reading here: http://www.google.com/search?q=chain%20of%20trust
> At least by comparing the computed MD5sum from a copy of Firefox with the MD5sum
> on the mozilla.org website, you would make it much harder for an employee at the
> mirror site to alter Firefox without your knowledge.
Harder, but still not good enough. What if both sites are compromised by the same cracker? What if the cracker is sitting in your ISP's server room, poisoning all traffic going to your machine?
Please actually read what I wrote, before you crack off your next wiseass reply.
If *both* sites have been compromised by the same person, the MD5 sums will match.
Neither site has to have actually been broken into for this to occur--a third party between you and the two sites could be altering packets as they get sent to your machine.
If the attacker was your upstream ISP, then they would be able to poison the traffic from any site you cared to visit.
Presumably you trust your ISP, otherwise you wouldn't be on the Net. But can you trust them to not have been broken into by another, malicious, party?
For the final time, I will state that MD5 sums are (the clue is in the name) a *checksum*. Unless you get the checksums from a trusted source (e.g., verify them against a Moz developer's PGP key) then you are not in a position to make the call on whether the file you downloaded has been altered.
Downloading the same file off two sites and seeing that the two copies match does not count as verification!
Well, the global version number _is_ the API version. The developers are making the assumption that the APIs break every new release of the software. This is a conservative decision, one that errs on the side of caution. After all, even though the API and ABI match exactly, if the behaviour of one of the functions changes, the API _is_ broken.
But, if you want to override the extension manager, you can re-enable your disabled extensions. Google for more info.
Indeed, the dialog box should have Cancel selected as the default option. However, it is worth noting that the dialog will only ever be *displayed* if the XPI file came from a site in the user's extension installation whitelist, which by default only contains update.mozilla.org.
Please go away and read about how PGP works before cracking off a smart alec reply. You can start here.
Oh, or mozilla.org could use a self signed certificate, and post the sha1sum and md5sum of the publik key on their web site, along with a PGP signature.
You can get a certificate from another CA. Verisign is not the only other choice.
You can view the list of trusted root CAs that IE uses (I dunno how off the top of my head). Any one of them will do.
The MD5SUMS file can be signed; this allows you to make sure that it is trusted.
Without using cryptography (either PGP, which mozilla.org provides in spite of what the author of the original article claims; or certificates), the MD5SUMS file is indeed just a checksum.
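The point made in the MD5SUMS posts above (a checksum that travels with the download proves nothing; a checksum file signed by a developer key you obtained out of band does), as an added example that is not part of this thread. It uses Ed25519 from the Go standard library as a stand-in for the PGP signature, MD5 because that is what the thread discusses, and constructed sample bytes and a made-up file name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

// Release: the file, its MD5SUMS line, and the developer's signature over that line.
type Release struct {
	File, Sums, Sig []byte
}

// md5sums formats an MD5SUMS-style line (MD5 as in the thread; prefer SHA-256 today).
func md5sums(file []byte, name string) []byte {
	return []byte(fmt.Sprintf("%x  %s\n", md5.Sum(file), name))
}

// publish is the developer's side: only they hold priv.
func publish(priv ed25519.PrivateKey, file []byte, name string) Release {
	sums := md5sums(file, name)
	return Release{File: file, Sums: sums, Sig: ed25519.Sign(priv, sums)}
}

// checksumOnly is the weak check: the file matches whatever MD5SUMS came with it.
func checksumOnly(r Release, name string) bool {
	return bytes.Equal(md5sums(r.File, name), r.Sums)
}

// verifySigned first checks MD5SUMS against a developer key obtained out of band.
func verifySigned(pub ed25519.PublicKey, r Release, name string) bool {
	return ed25519.Verify(pub, r.Sums, r.Sig) && checksumOnly(r, name)
}

// tamper models a rogue mirror or ISP: swaps the file, rewrites MD5SUMS, cannot re-sign.
func tamper(r Release, evil []byte, name string) Release {
	return Release{File: evil, Sums: md5sums(evil, name), Sig: r.Sig}
}

// Demo returns: genuine verifies, checksum-only accepts tampered, signed rejects tampered.
func Demo() (genuineOK, weakOnTampered, strongOnTampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name := "firefox-1.0.tar.gz" // constructed sample name, not a real artifact
	r := publish(priv, []byte("genuine build bytes (constructed)"), name)
	bad := tamper(r, []byte("trojaned build bytes (constructed)"), name)
	return verifySigned(pub, r, name), checksumOnly(bad, name), verifySigned(pub, bad, name)
}
func main() { fmt.Println(Demo()) }
```

Running it prints `true true false`: the tampered download sails through the checksum-only check because the attacker rewrote MD5SUMS too, and is caught only by the signature check, which the attacker cannot satisfy without the developer's private key.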