Simon Josefsson: Sigstore protects Apt archives: apt-verify & apt-sigstore

Do you want your apt-get update to only ever use files whose hash checksums have been recorded in the globally immutable tamper-resistant ledger rekor provided by the Sigstore project? Well I thought you’d never ask, but now you can, thanks to my new projects apt-verify and apt-sigstore. I have not done proper stable releases yet, so this is work in progress. To try it out, adapt to the modern era of running random stuff from the Internet as root, and run the following commands. Use a container or virtual machine if you have trust issues.

apt-get install -y apt gpg bsdutils wget
wget -nv -O/usr/local/bin/rekor-cli 'https://github.com/sigstore/rekor/releases/download/v1.1.0/rekor-cli-linux-amd64'
echo afde22f01d9b6f091a7829a6f5d759d185dc0a8f3fd21de22c6ae9463352cf7d  /usr/local/bin/rekor-cli | sha256sum -c
chmod +x /usr/local/bin/rekor-cli
wget -nv -O/usr/local/bin/apt-verify-gpgv https://gitlab.com/debdistutils/apt-verify/-/raw/main/apt-verify-gpgv
chmod +x /usr/local/bin/apt-verify-gpgv
mkdir -p /etc/apt/verify.d
ln -s /usr/bin/gpgv /etc/apt/verify.d
echo 'APT::Key::gpgvcommand "apt-verify-gpgv";' > /etc/apt/apt.conf.d/75verify
wget -nv -O/etc/apt/verify.d/apt-rekor https://gitlab.com/debdistutils/apt-sigstore/-/raw/main/apt-rekor
chmod +x /etc/apt/verify.d/apt-rekor
apt-get update
less /var/log/syslog

If the stars are aligned (and the puppet projects of debdistget and debdistcanary have run their GitLab CI/CD pipeline recently enough) you will see a successful output from apt-get update and your syslog will contain debug logs showing the entries from the rekor log for the release index files that you downloaded. See sample outputs in the README.

If you get tired of it, disabling is easy:

chmod -x /etc/apt/verify.d/apt-rekor

Our project currently supports Trisquel GNU/Linux 10 (nabia) & 11 (aramo), PureOS 11 (byzantium), Gnuinos chimaera, Ubuntu 20.04 (focal) & 22.04 (jammy), Debian 10 (buster) & 11 (bullseye), and Devuan GNU+Linux 4.0 (chimaera). Others can be supported too, please open an issue about it, although my focus is on FSDG-compliant distributions and their upstreams.

This is a continuation of my previous work on apt-canary. I have realized that it was better to separate out the generic part of apt-canary into my new project apt-verify that offers a plugin-based method, and then rewrote apt-canary to be one such plugin. Then apt-sigstore's apt-rekor was my second plugin for apt-verify.

Due to the design of things, and some current limitations, Ubuntu is the least stable since they push out new signed InRelease files frequently (mostly due to their use of Phased-Update-Percentage) and debdistget and debdistcanary CI/CD runs have a hard time keeping up. If you have insight on how to improve this, please comment in the issue tracking the race condition.

There are limitations of what additional safety a rekor-based solution actually provides, but I expect that to improve as I get a cosign-based approach up and running. Currently apt-rekor mostly makes targeted attacks less deniable. With a cosign-based approach, we could design things such that your machine only downloads updates when they have been publicly archived in an immutable fashion, or submitted for validation by a third-party such as my reproducible build setup for Trisquel GNU/Linux aramo.

What do you think? Happy Hacking!

Khutba e Jumma – From Data Darbar Lahore – 14th April 2023 – ARY Qtv

Khutba e Jumma – From Data Darbar Lahore

#KhutbaeJumma #IslamicInformation #ARYQtv

Watch All The Programs : https://bit.ly/3jmd1RQ

Subscribe Here : https://bit.ly/3dh3Yj1

Official Facebook : https://www.facebook.com/ARYQTV/
Official Website : https://aryqtv.tv/
Watch ARY Qtv Live : http://live.aryqtv.tv/
Programs Schedule : https://aryqtv.tv/schedule/
Islamic Information : https://bit.ly/2MfIF4P
Android App: https://bit.ly/33wgto4
Ios App: https://apple.co/2v3zoXW

Animal party! The funniest pets on the internet – Funny animal videos

Follow the most hilarious and cutest moments of our four-legged friends! In this video, you will have fun with the antics of a brave chihuahua, a funny cat that seems to need some help, a giant dog playing with its human friend, and much more! Don't miss this compilation of fun animal videos that will warm your heart and make you smile.

#pets #animais #festadosbichos

Gianluca De Micheli


A human rights activist on finding joy on the internet


Here at Mozilla, we are the first to admit the internet isn’t perfect, but we are also quick to point out that the internet is pretty darn magical. The internet opens up doors and opportunities, allows for people to connect with others, and lets everyone find where they belong — their corners of the internet. […]

The post A human rights activist on finding joy on the internet appeared first on The Mozilla Blog.

a2ps @ Savannah: a2ps 4.15.4 released [stable]

This is a minor update to GNU a2ps, an Any to PostScript filter.  Of course
it processes plain text files, but also pretty prints quite a few popular
languages.

See https://gnu.org/s/a2ps for more information.

This release is a minor bug-fix release. Most importantly, it now works
correctly with libpaper version 1 (although version 2 is recommended!).

Here are the compressed sources and a GPG detached signature:
  https://ftpmirror.gnu.org/a2ps/a2ps-4.15.4.tar.gz
  https://ftpmirror.gnu.org/a2ps/a2ps-4.15.4.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

c612f64ca4cc319fb0d5e7f734283c6e0dcfbb4d  a2ps-4.15.4.tar.gz
SgY/hLqJ2GvhSmcEyjX9EwCDtXLxN2tDmht5tnsgbdc  a2ps-4.15.4.tar.gz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify a2ps-4.15.4.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa2048 2013-12-11 [SC]
        2409 3F01 6FFE 8602 EF44  9BB8 4C8E F3DA 3FD3 7230
  uid   Reuben Thomas <rrt@sc3d.org>
  uid   keybase.io/rrt <rrt@keybase.io>

If that command fails because you don’t have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key rrt@sc3d.org

  gpg --recv-keys 4C8EF3DA3FD37230

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=a2ps&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify a2ps-4.15.4.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Gnulib v0.1-5892-g83006fa8c9

NEWS

* Noteworthy changes in release 4.15.4 (2023-04-13) [stable]
 * Bug fixes:
   – Fix to read configured paper size correctly with libpaper 1.x.
 * Documentation:
   – Various minor documentation improvements.
 * Build system:
   – Fix tests when building with libpaper 1.x.
   – Require gperf for bootstrapping, and use it correctly in build system.
   – Require a new-enough version of texinfo.
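
The a2ps announcement above publishes its SHA256 checksum base64 encoded and without trailing padding, which `sha256sum -c` cannot read directly. The following is an added example, not part of the announcement or of a2ps; the function names `b64_to_hex` and `verify_b64_sha256` are hypothetical, and it assumes the coreutils `base64`, `od` and `sha256sum` tools.

```shell
#!/bin/sh
# Added example: compare a file's SHA256 with a base64-encoded digest.

# b64_to_hex DIGEST
# Convert a (possibly unpadded) base64 string to lowercase hex.
b64_to_hex() {
    d=$1
    # base64 input must be a multiple of 4 characters long;
    # restore the '=' padding that the announcement strips.
    while [ $(( ${#d} % 4 )) -ne 0 ]; do
        d="${d}="
    done
    printf '%s' "$d" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# verify_b64_sha256 FILE DIGEST
# Returns 0 if FILE's SHA256 equals DIGEST, 1 on mismatch,
# 2 if DIGEST does not decode to a 32-byte value or FILE is unreadable.
verify_b64_sha256() {
    want=$(b64_to_hex "$2")
    # A SHA256 digest is 32 bytes, i.e. 64 hex characters.
    [ "${#want}" -eq 64 ] || return 2
    got=$(sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$got" ] || return 2
    [ "$got" = "$want" ]
}

# Usage with the values from the announcement:
#   verify_b64_sha256 a2ps-4.15.4.tar.gz \
#       SgY/hLqJ2GvhSmcEyjX9EwCDtXLxN2tDmht5tnsgbdc && echo OK
```

A matching checksum only shows the download is intact relative to the announcement; the GPG signature check is what ties the tarball to the maintainer's key.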

More ways we’re making Chrome faster



From the beginning of Chrome, one of our 4 founding principles has been speed, and it remains a core principle that guides our work. Today’s The Fast and the Curious post shares how recent technical improvements to Chrome have helped us reach a new performance milestone on the Speedometer browser benchmark across platforms. 


Speed is a critical factor in determining your experience while browsing the Web. The faster the browser, the more enjoyable your browsing experience will be. With the latest release of Chrome, we went deep under the hood of Chrome’s engine to look for every opportunity to increase the speed and efficiency, from improved caching to better memory management.


Improved HTML Parsing & optimizing specific features 

We discovered some targeted optimizations for the highly used JS `Object.prototype.toString` and `Array.prototype.join` functions. We also implemented targeted improvements in CSS’s InterpolableColor.

`innerHTML` is a very common way of updating the DOM via JavaScript so we added specialized fast paths for parsing. To our happy surprise, it seems some of this work will also be benefitting WebKit, which will include it in their engine as well. Our goal is always to create a better web experience for all web users so we’re happy to see this work having expanded impact! 


More efficient pointer compression & allocations in V8 & Oilpan 

Pointer compression is used to save memory in both V8 and Oilpan (the garbage collector for DOM objects). We made optimizations to how we compress and decompress pointers, and we avoid compressing high-traffic fields. Given how frequently these operations are done, it has a widespread impact on performance. We also moved frequently accessed objects like JavaScript’s `undefined` to the beginning of the memory bases, allowing them to be accessed using faster machine code.

The improved features and efficient pointer compression collectively gave us a 10% increase in Apple’s Speedometer 2.1 browser benchmark over the course of three months.

Getting the Most out of High-End Mobile Devices


Chrome on Android has always been optimized for a small footprint, but the Android ecosystem is diverse and contains devices with varying levels of capabilities. To maximize the performance of Chrome on high-end devices, we are now targeting them with a version of Chrome that uses compiler flags tuned for speed rather than binary size.

For capable devices, these versions of Chrome run the Speedometer 2.1 benchmark 30% faster.

Posted by Thomas Nattestad, Senior Product Manager, and Andrew Grieve, Software Engineer