Recherche avancée

Sur d’autres sites (4692)

• How to verify signatures for Piwik release packages

  19 novembre 2014, par Piwik Core Team — Security

  We are proud to announce that Piwik project now cryptographically signs the Piwik releases using PGP following requests from several community members. In this post we will explain how you can verify the signatures of the Piwik release you downloaded, with instructions for Windows, Mac OS X and Linux.

  What is a signature and why should I check it ?

  ---

  How do you know that the Piwik platform you have is really the one we made ? Some software sites list sha1 hashes alongside the software on their website, so users can verify that they downloaded the file without any errors. These “checksums” help you answer the question “Did I download this file correctly from whoever sent it to me ?” They do a good job at making sure you didn’t have any random errors in your download, but they don’t help you figure out whether you were downloading it from a compromised server. The better question to answer is : “Is this file that I just downloaded the file that Piwik intended me to get ?”. Over the years several Piwik users have requested that we start signing our releases.

  Where do I get the signatures and the keys that made them ?

  ---

  Each file on our release server builds.piwik.org is accompanied by a file with the same name as the package and the extension .asc. These .asc files are GPG signatures. They allow you to verify the file you’ve downloaded is exactly the one that we intended you to get. For example, piwik-2.9.0.zip is accompanied by piwik-2.9.0.zip.asc<code>.

  Currently Matthieu Aubry is the release manager and signs the Piwik releases. His signature can be found here : builds.piwik.org/signature.asc

  How to verify signatures on Windows

  ---

  You need to have GnuPG installed before you can verify signatures. Download it from http://gpg4win.org/download.html.

  Once it’s installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe. Unless you edit your PATH environment variable, you will need to tell Windows the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be something like this : C :\Program Files\Gnu\GnuPg\gpg.exe.

  Import Piwik Release manager Matthieu’s key (0x416F061063FEE659) by starting cmd.exe and typing :

  "C :\Program Files\Gnu\GnuPg\gpg.exe" —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

  After importing the key, you can verify that the fingerprint is correct :

  "C :\Program Files\Gnu\GnuPg\gpg.exe" —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

  You should see :

  pub   4096R/5590A237 2013-07-24
        Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
  uid                  Matthieu Aubry <matt@piwik.org>
  uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
  uid                  Matthieu Aubry <matt@piwik.pro>
  sub   4096R/43F0D330 2013-07-24
  

  To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

  "C :\Program Files\Gnu\GnuPg\gpg.exe" —verify C :\Users\Alice\Desktop\piwik-2.9.0.zip.asc C :\Users\Alice\Desktop\piwik-2.9.0.zip

  The output should say "Good signature" :

  gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
  gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
  gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
  gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"
  

  Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

  Mac OS X and Linux

  ---

  On Linux GnuPG is usually installed by default. On Mac OS X, you need to have GnuPG installed before you can verify signatures. You can install it from http://www.gpgtools.org/.

  Once it’s installed, use GnuPG to import the key that signed your package. Matthieu Aubry signs the Piwik releases. Import his key (814E346FA01A20DBB04B6807B5DBD5925590A237) by starting the terminal (under "Applications") and typing :

  gpg —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

  After importing the key, you can verify that the fingerprint is correct :

  gpg —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

  You should see :

  pub   4096R/5590A237 2013-07-24
        Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
  uid                  Matthieu Aubry <matt@piwik.org>
  uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
  uid                  Matthieu Aubry <matt@piwik.pro>
  sub   4096R/43F0D330 2013-07-24
  

  To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

  gpg —verify /Users/Alice/piwik-2.9.0.zip.asc*,

  The output should say "Good signature" :

  gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
  gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
  gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
  gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"
  

  Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

  That’s it ! In this article you have learnt how you can verify that the Piwik package you have downloaded on your computer was the same as the one Piwik team has officially created. We hope this helps you use Piwik with more security.

  Source : this article was copied and adapted from the great Tor Browser project website page How to verify signatures for Tor packages

• Senior Software Engineer to join Piwik Product Engineering team

  10 janvier 2015, par Matthieu Aubry — Jobs

  At Piwik and Piwik PRO we develop the leading open source web analytics platform, used by more than one million websites worldwide. Our vision is to help the world liberate their analytics data by building the best open alternative to Google Analytics.

  The Piwik platform collects, stores and processes a lot of information : hundreds of millions of data points each month. We create intuitive, simple and beautiful reports that delight our users.

  Are you seeking a new challenge ? We are currently looking for a full time Software Developer to join our small and dedicated Product Engineering team.

  At Piwik PRO we practise agile methodology, test driven development and fast release cycles. The main technologies we work with are PHP5, JavaScript (AngularJS, jQuery) and MySQL and our tools include PhpStorm, Github, Travis CI and Slack.

  As a Software Developer for Piwik PRO, you will be writing open source code that will directly benefit 250,000+ Piwik users in 200+ countries and 50 languages.

  Key Responsibilities

  • Writing server-side code (PHP 5) and front-end code (JavaScript).
  • Creating robust high-volume production applications and developing prototypes quickly.
  • Tackling new problems as we continue to push technology forward.
  • Assisting other developers by writing peer code reviews.
  • Improving and updating our platform developer guides.
  • Lead by example, able to self manage and use initiative to get things done.

  Minimum qualifications

  • Experience in product development, security, the open source philosophy and usable interface design.
  • Understanding of, and practical experience with PHP5 and JavaScript application development.
  • 3+ years experience building successful production software systems.
  • Solid knowledge of testing principles and OOP.
  • Strong analytical and coding skills.
  • Strong written communication.

  Location

  • Offices based in Wellington, New Zealand or Wrocław, Poland.
  • However remote work is also possible.

  Apply online

  To apply for this position, please Apply online here. We look forward to receiving your applications !

• Evolution of Multimedia Fiefdoms

  1er octobre 2014, par Multimedia Mike — General

  I want to examine how multimedia fiefdoms have risen and fallen through the years.

  
  
  

  Back in the day, the multimedia fiefdoms were built around the formats put forth by competing companies : there was Microsoft/WMV, Apple/MOV, and Real/RM as the big contenders. On2 always wanted to be a player in this arena but could never quite catch a break. A few brave contenders held the line for open source and also for the power users who desired one application that could handle everything (my original motivation for wanting to get into multimedia hacking).

  The computer desktop was the battleground for internet-based media stream. Whatever happened to those days ? Actually, if memory serves, Flash-based video streaming stepped on all of them.

  Over the last 6-7 years, the battleground has expanded to cover mobile devices, where Flash’s impact has… lessened. During this time, multimedia technology pretty well standardized on a particular stack, namely, the MPEG (MP4/H.264/AAC) stack.

  The belligerents in this war tried for years to effectively penetrate new territory, namely, the living room where the television lived. This had been slowgoing for years due to various user interface and content issues, but steadily improved.

  Last April, Amazon announced their entry into the set-top box market with the Fire TV. That was when it suddenly crystallized for me that the multimedia ecosystem has radically shifted. Now, the multimedia fiefdoms revolve around access to content via streaming services.

  Off the top of my head, here are some of the fiefdoms these days (fiefdoms I have experience using) :

  • Netflix (subscription streaming)
  • Amazon (subscription, rental, and purchased streaming)
  • Hulu Plus (subscription streaming)
  • Apple (rental and purchased media)

  I checked some results on Can I Stream.It ? (which I refer to often) and found a bunch more streaming fiefdoms such as Google (both Play and YouTube, which are separate services), Sony, Xbox 360, Crackle, Redbox Instant, Vudu, Target Ticket, Epix, Sony, SnagFilms, and XFINITY StreamPix. And surely, these are probably just services available in the United States ; I know other geographical regions have their own fiefdoms.

  What happened ?

  When I got into multimedia hacking, there were all these disparate, competing ecosystems. As a consumer, I didn’t care where the media came from, I just wanted to play it. That’s what inspired me to work on open source multimedia projects. Now I realize that I have the same problem 10-15 years later : there are multiple competing ecosystems. I might subscribe to fiefdoms X and Y, but am frustrated to learn that something I’d like to watch is only available through fiefdom Z. Very few of these fiefdoms can be penetrated using open source technology.

  I’m not really sure about the point about this whole post. Multimedia technology seems really standardized these days. But that’s probably just my perspective because I have spent way too long focusing on a few areas of multimedia technology such as audio and video coding. It’s interesting that all these services probably leverage the same limited number of codecs. Their differentiation comes from the catalog of content that each is able to license for streaming. There are different problems to solve in the multimedia arena now.