Good morning, snowy Brussels! Despite the dangers https://fosstodon.org/@fosdem/101521776002184981 #FOSDEM starts. Let's now go to the "ethics and blockchain" session.
Mitchell Baker speaking without slides (it seems there is a technical glitch). #FOSDEM
Now, Deb Nicholson on "Blockchain: The Ethical Considerations" (first slide: a man working on a giant strawberry)
(I'm disappointed: this big room - Janson - is not full.)
I learn that Hammurabi https://en.wikipedia.org/wiki/Code_of_Hammurabi was a precursor of the blockchain, because he wrote laws. #CodeIsLaw #FOSDEM
Very good talk by Tom Hacohen about the pleasures of developing a really serious privacy-oriented application. #FOSDEM
* everything is done on the client: changing the protocol requires upgrading all clients
* data is encrypted client-side, the developer never sees the data, so cannot debug data-related issues.
#privacy #endToEndEncryption #FOSDEM
"I won't talk about cookies, but a bit about macarons." https://en.wikipedia.org/wiki/Macaron #FOSDEM
I discover that #Google writes code for Mastodon https://github.com/google/data-transfer-project/tree/master/extensions/data-transfer/portability-data-transfer-mastodon #dataPortability #FOSDEM
Now, panel about #ActivityPub at #FOSDEM. Christopher Webber, Gualter Barbas Baptista "How many people in the room have read the specification?" [Several hands, including mine] "Wow, that's a lot for a specification."
"What interested you in #ActivityPub?"
"It is simple to understand"
"Because it is used in #Mastodon"
"It is about distributing power"
"#ActivityPub has a good model as a foundation: everything is actors sending messages to each other."
With such a vague description, any protocol is ActivityPub...
"It would be cool to have a documentation of 'MastodonPub' [the actual protocol(s) needed to work with Mastodon] but we must not forget that #ActivityPub could be used for very different things, too." #FOSDEM
By the way, are there women working on #ActivityPub? The panel seems, at first glance, to be all-male. #FOSDEM
#ActivityPub has a client-to-server protocol but nobody uses it, every ActivityPub server has its API. Is it a bad thing?
"Use cases are too different [Mastodon for chatting, Funkwhale to listen to music], a common client would lead to a poor user experience."
"What I don't like in #ActivityPub is that it uses #JSON." Troll incoming, flame war ahead. #FOSDEM
What is needed for the fediverse to talk to alice@7j3ncmar4jm2r3e7.onion? Webfinger and ActivityPub can work over Tor but most Mastodon instances cannot talk Tor. #FOSDEM
Someone just asked a question about #ActivityPub and #blockchain. #FOSDEM
Good morning, Brussels! Second day of #FOSDEM https://fosdem.org/2019/
Today, for me, #DNS devroom https://fosdem.org/2019/schedule/track/dns/ where we will talk, among others, about #privacy.
Philip Homburg certifies #DNS results from his application, with #getdns.
He starts with a comparison with X.509 (1) with X.509, you need to trust a lot of other parties; 2) if the attacker controls DNS, it controls X.509 anyway). https://getdnsapi.net/ #DNSSEC #FOSDEM
Speaking of #getdns, a volunteer to write a monitoring plugin with getdns? https://www.monitoring-plugins.org/
Existing #DNS plugins call dig or nslookup :-(
One good example why local #DNSSEC validation is useful, #SSH keys in the #DNS. The speaker's example https://dns.bortzmeyer.org/playout.hq.phicoh.net/SSHFP
#DNS devroom live is at https://live.fosdem.org/watch/k4601
Remember: if you want an operating system without #systemd, there is Alpine https://alpinelinux.org/
@bortzmeyer Are there slides for this one?
@steven_ovadia They were not on the screen (a lot of technical problems, it seems, this year) but I assume so, yes.
@bortzmeyer Cool. I'll look. Thanks for reporting out!
@bortzmeyer Ah well, the slides didn't stay for very long
@whilelm Don't be so snide. They are back...
@bortzmeyer
@AugierLe42e But for how many presentations? =/
@whilelm You are a person of little faith 😋
@bortzmeyer
@AugierLe42e @whilelm Google Conference and Facebook Talk are better organized. #talk
@bortzmeyer who said it is simple to understand. who is this genius
@darius I missed his name, but I was surprised, too.
@darius @bortzmeyer show yourself, coward! ;)
@bortzmeyer I have issues with that conclusion that I can only express by implementing it, dammit
@djsundog I tried to summarize what @eliotberriot said.
@bortzmeyer @eliotberriot no worries, I'm mostly grumping at myself for not finishing up a proof of concept yet ;)
@djsundog @bortzmeyer @eliotberriot would love to see this, no pressure 😎
@bortzmeyer nice :) it has now been 5 years since I set this up in Octopuce's puppet: a bit of script that takes the servers' SSH keys and publishes them in the DNS:
https://dns.bortzmeyer.org/tim.octopuce.fr/SSHFP
that + VerifyHostKeyDNS yes
in ssh_config = <3
@vincib The speaker explained well why 'VerifyHostKeyDNS yes' was a no-op :-)
@bortzmeyer ah, (I am not at FOSDEM) in what way is it a no-op?
debug1: matching host key fingerprint found in DNS
debug1: Host 'tim.octopuce.fr' is known and matches the ECDSA host key.
@vincib Because the ldns library, used by openssh, does not load the root key; you have to do it manually (and nobody does). So, no DNSSEC validation.
@bortzmeyer ah, you mean it asks you for confirmation anyway? Yes, it's not 100% trust, but I get this on a new machine:
debug1: found 3 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'tim.octopuce.fr (2001:67c:288::90)' can't be established.
ECDSA key fingerprint is Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
@vincib The keyword in the message is 'insecure'. The speaker just said that he had sent a patch, which was not integrated.
@vincib @bortzmeyer it does the check but it does no DNSSEC validation at all. You would have to set an environment variable (need to look in the ldns code)
@bortzmeyer always so welcoming 😉
@bortzmeyer hmmm, do I have L. Poettering just in the seat next to me?
@bortzmeyer Hello, Stéphane.
In fact, I tested on my domain 'stephane-huc.net' what your site returns. And, nothing... that's odd.
Whereas in my zone, I have configured SSHFP, TLSA too, and even OPENPGPKEY...
Did I misconfigure something? That is the question I am asking myself?! :p
@hucste These three records are not put at the apex of the zone. For two of them, I cannot guess the name. The TLSA is indeed there: https://dns.bortzmeyer.org/_443._tcp.stephane-huc.net/TLSA
@bortzmeyer seen! :)
@Keltounet I see @mherrb too.
@bortzmeyer @kjeurbechne we should check the video podcasts or that room ;-)
Now, Veronika Nad on #journalism, and how it could benefit from free software. #FOSDEM
(The room is not full, which is very rare for the Decentralized Internet and Privacy devroom.)