Old 05-16-2012, 07:22 AM
Jonathan Wiltshire
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

Hi,

On 2012-05-15 21:33, Pierre Jaury wrote:
> This is an opensource, free and viral project


Viral? I hope this is just a translation artefact; can you explain
exactly what you mean by it?


Thanks,

--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/a9449e27c74791ff2838a3199b2751a1@hogwarts.powdarrmonkey.net
 
Old 05-16-2012, 09:02 AM
Cyril Brulebois
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

Jonathan Wiltshire <jmw@debian.org> (16/05/2012):
> Viral? I hope this is just a translation artefact; can you explain
> exactly what you mean by it?

Quite a shock for a project advertised as licensed under the BSD!

(INSTALL.txt says GPLv2 though.)

Mraw,
KiBi.
 
Old 05-16-2012, 09:36 AM
"Thomas Preud'homme"
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

On Wednesday 16 May 2012 09:22:46, Jonathan Wiltshire wrote:
> Hi,
>
> On 2012-05-15 21:33, Pierre Jaury wrote:
> > This is an opensource, free and viral project
>
> Viral? I hope this is just a translation artefact; can you explain
> exactly what you mean by it?

From the website linked in the ITP:

4. Why is this project "viral" ?

Once your Vodstok server functional, please drop the last version
of Vodstok in the root directory of this web application. A webpage
will be displayed when browsing the index page, and the kit would
be available from this page. This is the "viral" part.

Not exactly the definition of viral I have.

>
> Thanks,
 
Old 05-16-2012, 11:09 AM
Jonas Smedegaard
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

On 12-05-16 at 11:36am, Thomas Preud'homme wrote:
> On Wednesday 16 May 2012 09:22:46, Jonathan Wiltshire wrote:
> > Hi,
> >
> > On 2012-05-15 21:33, Pierre Jaury wrote:
> > > This is an opensource, free and viral project
> >
> > Viral? I hope this is just a translation artefact; can you explain
> > exactly what you mean by it?
>
> From the website linked in the ITP:
>
> 4. Why is this project "viral" ?
>
> Once your Vodstok server functional, please drop the last version
> of Vodstok in the root directory of this web application. A webpage
> will be displayed when browsing the index page, and the kit would
> be available from this page. This is the "viral" part.
>
> Not exactly the definition of viral I have.

It feels obvious to me that it refers to viral marketing:
http://en.wikipedia.org/wiki/Viral_marketing


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private
 
Old 05-16-2012, 12:19 PM
Pierre Jaury
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

Hi,

On Wed, 2012-05-16 at 11:02 +0200, Cyril Brulebois wrote:
> Jonathan Wiltshire <jmw@debian.org> (16/05/2012):
> > Viral? I hope this is just a translation artefact; can you explain
> > exactly what you mean by it?
>
> Quite a shock for a project advertised as licensed under the BSD!
>
> (INSTALL.txt says GPLv2 though.)
>
> Mraw,
> KiBi.

As explained already, this is a translation artifact. Should be
understood as ``intended to be self-distributable'' as long as the web
ui embeds the source package for download.

About the license, my bad: it is licensed under *GPLv2*, I must have
been distracted when first writing the ITP ticket.

regards,
Pierre
 
Old 05-16-2012, 12:41 PM
Jonathan Wiltshire
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

On 2012-05-16 13:19, Pierre Jaury wrote:
> On Wed, 2012-05-16 at 11:02 +0200, Cyril Brulebois wrote:
> > Jonathan Wiltshire <jmw@debian.org> (16/05/2012):
> > > Viral? I hope this is just a translation artefact; can you explain
> > > exactly what you mean by it?
> >
> > Quite a shock for a project advertised as licensed under the BSD!
> >
> > (INSTALL.txt says GPLv2 though.)
>
> As explained already, this is a translation artifact. Should be
> understood as ``intended to be self-distributable'' as long as the web
> ui embeds the source package for download.

Thank you for the clarification.



--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51


 
Old 05-23-2012, 08:28 PM
Pierre Jaury
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

Hi,

> Pierre Jaury <pierre@jaury.eu> writes:
> > This software is still an early research project: as far as I know, only
> > basic formal security analysis has been performed.
>
> Ok, just make sure that the users know about this.

They will. Additionally, I plan on preparing the project for definitive
packaging once some crucial bugs I already reported are fixed upstream.

By the way, a detailed cryptographic analysis is currently being
performed for vodstok protocol. The only spotted weakness is the single
AES key being used for many related chunks, even if those are uploaded
to various locations and named pseudo-randomly. Yet, an additional
feature is being designed that will allow multiple keys to be used
(ultimately, one key per chunk). vodstok could also use AES CBC (or any
chained mode) as well as ECB for small files, i.e. when downloading the
whole file before decrypting remains an option.

> > Yet, for your specific concern about usual AES vulnerability when using
> > independently encrypted blocks, the project aims at providing temporary
> > private storage but does not pretend to provide secure operations.
>
> Ok, next question is then: how does vodstok detect tampering done by
> hostile peers?

There is no reason for vodstok to detect tampering, as long as design
choices ensure that the system is reliable enough for temporary storage
of non-critical files.

First, repositories have a maximum amount of disk space to allocate.
Once it is full, a repository will automatically delete old chunks to
free enough disk space for the new uploaded files to be stored.

Because uploaded chunks have a limited lifetime, there is a significant
risk that a file lacks some chunks before it is successfully downloaded
by clients. To avoid such a phenomenon, repositories publish statistics
about the average lifetime of chunks; client software uses these
statistics to distribute the chunks so that small repositories are not
overloaded.

In case of an attacker flooding a repository with dummy chunks to
quickly delete the useful ones, two mechanisms will mitigate the
attempt. Timers are set so that a repository is not simply being flooded
by some dumb client. Plus, the deletion mechanism relies on a
most-recently-used list (and soon a most-frequently-used list) to ensure
that chunks belonging to popular files are not deleted.

> Two separate binary packages might make sense in that case yes but
> they'll of course be part of the same source package I assume?

Yes.

Regards,
Pierre.
 
Old 05-23-2012, 08:40 PM
Pierre Jaury
 
Default Bug#673071: ITP: vodstok -- Voluntary Distributed Storage Kit

Hi again,

I must clarify my very own point.

> vodstok could also use AES CBC (or any
> chained mode) as well as ECB for small files, i.e. when downloading the
> whole file before decrypting remains an option.

vodstok is actually using CBC, but for small independent chunks, which
means it has more or less the same vulnerabilities as ECB. I was
actually mentioning the possibility to encrypt the whole file using CBC
before splitting it. Of course, because chunks are downloaded in random
order, this is fine only for small files (the whole thing has to be
downloaded before decryption).

Regards.
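
Added example, not part of any post in this thread and not vodstok code: one way a client could realise the "one key per chunk" idea and detect tampering by a hostile repository even when chunks arrive in random order. The function names, the HKDF/HMAC construction and the sample bytes are assumptions; the AES step itself is left out and the ciphertext is treated as opaque, constructed bytes.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def hkdf_sha256(secret, info, length=32):
    """HKDF (RFC 5869) with the default all-zero salt, using only the stdlib."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def chunk_keys(file_secret, index):
    """Derive an independent (encryption key, MAC key) pair for one chunk."""
    label = index.to_bytes(8, "big")
    return (hkdf_sha256(file_secret, b"enc" + label),
            hkdf_sha256(file_secret, b"mac" + label))


def _tag(file_secret, index, total, ciphertext):
    # Bind the ciphertext to its position and the chunk count, so a chunk
    # served in another slot fails just like a modified one.
    header = index.to_bytes(8, "big") + total.to_bytes(8, "big")
    mac_key = chunk_keys(file_secret, index)[1]
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


def seal(file_secret, index, total, ciphertext):
    """Return ciphertext || tag, ready to upload to a repository."""
    return ciphertext + _tag(file_secret, index, total, ciphertext)


def open_chunk(file_secret, index, total, blob):
    """Return the ciphertext if its tag verifies, else None (reject before decrypting)."""
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = _tag(file_secret, index, total, ciphertext)
    return ciphertext if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed file secret, for illustration only
    blobs = [seal(secret, i, 2, b"constructed ciphertext %d" % i) for i in range(2)]
    print(open_chunk(secret, 0, 2, blobs[0]))  # authentic chunk in its own slot
    print(open_chunk(secret, 0, 2, blobs[1]))  # chunk served in the wrong slot
    print(open_chunk(secret, 1, 2, bytes([blobs[1][0] ^ 1]) + blobs[1][1:]))  # modified chunk
```

Because each chunk verifies on its own, the check works regardless of download order, and the encryption key from `chunk_keys` is never shared between chunks.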
 

All times are GMT.