| 6 Jul 2022 |
@linus:schreibt.jetzt | (I really don't know enough about PGP to be sure of any of this...) | 14:03:11 |
stigo | yes I think that's right, in the GnuPG case it seems to be like a signature can be turned into a "zip bomb" | 14:05:04 |
hexa | this is how I understood it as well | 14:11:17 |
hexa | the author of the patch kindly demonstrated that on oss-sec | 14:11:25 |
stigo | You can test it with curl -O https://seclists.org/oss-sec/2022/q3/att-9/decomp-3.bin && gpg --verify decomp-3.bin /dev/null | 14:12:25 |
stigo | (slower if you import the pubkey https://seclists.org/oss-sec/2022/q3/att-9/test-key_cert.bin it seems) | 14:14:04 |
stigo | * You can test it with #POC# curl -O https://seclists.org/oss-sec/2022/q3/att-9/decomp-3.bin && gpg --verify decomp-3.bin /dev/null | 14:16:15 |
stigo | hm, maybe more fun with some very large RSA keys | 14:24:14 |
| 7 Jul 2022 |
stigo | https://github.com/NixOS/nixpkgs/pull/180336 broke tests in gpgme, can't look at it today, too much work to do. | 08:49:42 |
hexa | Not a good day for me either, sorry | 09:32:39 |
@linus:schreibt.jetzt | hexa: vcunat (thanks!) seems to have taken care of it :) | 09:36:16 |
vcunat | Well, I unblocked the builds, but I haven't really verified whether the test detected some real unexpected consequence. | 09:38:15 |
vcunat | And perhaps notify some appropriate place around upstream or around the patch? | 09:38:50 |
stigo | It's unclear what upstream thinks of this patch/bug -> https://seclists.org/oss-sec/2022/q3/27 | 12:11:10 |
stigo | In reply to @vcunat:matrix.org "And perhaps notify some appropriate place around upstream or around the patch?" Pinged the patch author on #180336, just in case | 12:49:42 |
hexa | cool. | 12:54:20 |
hexa | https://element.io/blog/element-launches-chatterbox/ | 14:14:06 |
hexa | looks like they're selling that feature | 14:16:27 |
Dandellion | https://github.com/vector-im/chatterbox it's foss, they're selling homeserver hosting as usual (just lower rates for the guest users through the livechat thing) | 16:15:48 |
K900 | Oh, it's Hydrogen | 16:18:06 |
hexa | graham was looking for something besides email to bootstrap encrypted disclosure | 16:18:57 |
hexa | wondering if that could be that | 16:19:03 |
Dandellion | I think element needs an easier way to do pgp style key verification stuff in that case | 16:20:05 |
hexa | especially predistributing the key independently | 16:20:33 |
hexa | and having an option to verify that | 16:20:47 |
hexa | might be cumbersome, but. | 16:20:57 |
Dandellion | That is a thing for the device specific ones FWIW | 16:21:08 |
hexa | * especially predistributing the public key independently | 16:21:08 |
Dandellion | and used to be the only way | 16:21:14 |
Dandellion | I don't think it is a thing for the cross signing master key thing | 16:21:35 |