BAD sig on Devuan ISO 1

(No. 0)  No. 1  No. 2 

I will simply employ my scripts tshark-streams and tshark-hosts-conv now. For developers it's like drinking water to follow here, but it is attainable knowledge for (really) hardworking common users, whom I always have in mind, as I like to spread good computing, and Devuan is the brightest star around since relatively long. I wish this hasn't happened, and that repeated security failure like this (there were other issues that I reported, e.g. default login username and password for live Devuan media and files.devua.org cert expired --sic!, with that typo in the subject line-- that I know of), and I really hope that lessons have been learned by now, and that Devuan will be getting strong and secure...

I started the former, and participated in sending notices about the latter of the two issues, and with some nostalgia I need to point at this time to the correct behavior when it comes to telling Devuan team about vulnerabilities:

golinux's reply in default login username and password for live Devuan media

and golinux, member of Devuan distro team (the great very loveable themes and designs are of her making), also replied to my PMs about the expired certificate.

Devuan moderators should live up to such kind and honorable standards like golinux showed. The Dng ML moderator shouldn't really have completely misunderstood what my first post was about, and the few extra kilobytes should really have been allowed to the list...

I've wished for systemd-free Debian distro, and participated quite a lot in Debian Forums topics on the matter, mostly those were the same topics where also golinux and edbarx (Edward Bartolo) participated. I also subscribed very early and tried to help where I could in the Dng ML but sadly I was even less skilled back then. Still, Devuan is my distro too.

If you search on Gentoo Forums you will find a lot of places where I linked to events that were going on in Devuan, and you will often find people appreciative of the information that I was spreading about Devuan. And in many other places.

But, enough said about that.

OTOH, while I could really really not live with systemd, and I most honestly wish Pöttering would leave FOSS and go and do what he is good at, which is serving the big business interests, and not the freedom in computing enshrined in the great unix GNU+Linux distros, neither do I think hiding and censorship, if that be attemped, because, now that I studied this issue for looong hours, this does very much appear to be an successful attack on Devuan leader's PGP keys...

But, while I most honestly wish Lennart Pöttering left our free FOSS territory and went to work in what he is good at, which is serving the big business, neither do I think that hiding and censorship could do any good...

Now it's too late anyway. If I had been replied to, be it in private email, or on the mailing list, in any sensible way, because there are very capable programmers that must have figured out much much earlier than me... than that would have been possible...

It really only is starting to become clear to me how bad, although probably not devastatingly disastrous, the issue seems to be. And some of the really capable Devuan developers I'm sure got the full scale of it if not earlier, than right after I sent my first mail, the one that was dropped from the list...

And for the first few hours since I became aware and wrote about the issue, I was completely uncertain where the cause lied. And was, by the Dng list moderator, basically offered to accept how I sent a stupid email... And kind of was compelled by his actions to study and show how there was sense in that message...

So I'll analyze the two events, of 2017-04-23 16:42 and 2017-04-23 21:02.

---

The files necessary for this study are listed in:

ls-1

dump_170423_1642_g0n.pcap
Screen_170423_1642_g0n.webm
dump_170423_2102_g0n.pcap
Screen_170423_2102_g0n.webm
dump_170423_2102_g0n_SSLKEYLOGFILE.txt

and verify to: ls-1.sum signed by: ls-1.sum.asc

You might find dump_dLo.sh script from my uncenz program more useful then downloading each file separately.

Also it might be helpful to you to see how the files are obtained, by perusing other of my (primitive) programs:

tshark-streams

tshark-hosts-conv