Message-ID: <N8N2bSYC-uYAYqebHWIj3JBV3zq4qnIHC8el8y1t3rE2BJdgCyxsH2korDSHDb6a_OPZKDW3OI7XGUmz7bcJY2U1ZiUblBVfzvjm7ndWvIQ=@hexsys.org>
Date: Thu, 01 Jan 2026 18:25:07 +0000
From: Ali Polatel <alip@...sys.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Best practices for signature verifcation

On Wednesday, 31 December 2025 at 04:35, Eli Schwartz <eschwartz@...too.org> wrote:

> Hi,
>
> If the Exherbo Linux distribution lacks enough manpower</snip>

You were NOT a Gentoo developer back when Gentoo initially started
using manifests, as some of us were, so you can NOT possibly know.
Yet, you had to take the time on a precious new year's day to pay
me your respects by formulating two completely non-technical answers.
Haters gonna hate?..

I have respect for this list and I wouldn't reply if this was the
only thing I had to say, but the feedback otherwise has been great.
I've learned from David Runge on Mastodon[1] that Arch Linux people
are working on this project called voa[2] that can unify package
artifact signing across distributions. I've also learned this project
is kindly funded by STF. Voa supports GPG atm but they are open to
adding support for minisign, signify and friends. I intend to work together
with them to add signify support as a start. I deeply hope we can use this
solution for Exherbo Linux too.

Meanwhile, I did a bit of work and released 0.1.1. Now I am fairly sure
it does the same thing as OpenBSD signify does. Is that the right thing?
That's of course open for debate. I have also added AFL++ fuzzing
which I intend to leave running for a week or three[3]. Next goal is
to port to WASM, below is the changelog[4] for 0.1.1[5]:

    - Write unit tests, property based tests, and AFL++ fuzz tests to ensure code correctness.
    - Compile keyrings(7) support by default on Linux and Android, and remove the keyring feature.
    - Port OpenBSD regression tests and fix issues related to CLI option parsing spotted by them.
    - Use a 1KB buffer rather than 4KB for password input which is consistent with OpenBSD.

Enjoy.

> --
> Eli Schwartz

Please Eli, take this moment to make a new start. It does not have to be like this.
I hate what happened in the history as much as you do. Let's refuse to feed this
hate further. Do not drink your own poison and hope for me to die. Happy new year.

[1]: https://chaos.social/@dvzrv/115819220124450391
[2]: https://voa.archlinux.page/
[3]: inb4 we crack ed25519 :P
[4]: https://git.sr.ht/~alip/signify/tree/main/item/ChangeLog.md
[5]: https://crates.io/crates/signify-rs/0.1.1

Best regards,
Ali Polatel
