> That's your problem - sarge officially doesn't support it, etch and
> later only does...
So, let's follow your statement:

- Stable distribution is used on production servers, since production needs stability.
- So, we do use the official stable Debian distribution in our companies.
- Production also needs security, since it's production.
- For this purpose, Debian puts on an *official* page (http://www.debian.org/releases/) a tool, named apt-check-sigs, since the version of apt available in the stable distribution does not support the integrity and authenticity check (it would need apt >= 0.6).
- This tool has been used since 2001 (5 years!)
- It checks the Release.gpg signature file, against the Release file, which is available on the repositories (the sarge one, for our purpose)

*BUT*

- The key expired a month ago
- Unfortunately, the Release file is still signed with the 2005 key, so the signature is not valid anymore
- The words "expired" and "not valid" mean that there is something not going well, consequently, there's something to fix, and, oh gosh, it's about security!
- Some people report it, some others are still waiting in the background for a quick fix (you know, typing `gpg --detach-sign --armor -o Release.gpg Release`. So hard...)

*BUT*

Since the tool is not "official" (understand "it's a hack", but made by someone of the Debian team 5 (*FIVE*!) years ago, but we don't even know it, because we are autists), we just have to shut up and wait.

Listen carefully: you're telling us that the *stable* Debian release, which is used on many many many production servers, *CAN'T* be trusted nor be used for packages trustability, since it's too old! What do you have in your head? Don't you understand the implication of all of that in a lot of companies which are using the apt-check-sigs script (which is available on an *official* Debian webpage, and is the only solution for them)? They can't update their servers nor install new servers! Oh and, I thought ***security*** bug fixes were treated in priority.
So why do we have to wait for this critical one? Maybe because you're so incompetent that you don't know how to fix it (hum, I gave you the solution above)? (since you don't even seem to catch *why* to fix it) As I told your buddy yesterday (he didn't even want to answer me afterwards, such a coward), a lot of people are angry about all of this, and moreover since it affects security. You say "This is your problem", but don't you think this is bad advertisement for Debian? Don't you see any implications? Do you really know what security is?

Please, fix it.

-- 
Julien Raeis mailto:[EMAIL PROTECTED]
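The security point buried in this thread is that "the signature on Release matches" and "the signature on Release is acceptable" are two different questions: a Release.gpg made with a key that has since expired still verifies cryptographically, but gpg reports it as EXPKEYSIG rather than GOODSIG, and a checker that only greps for "Good signature" or looks at the exit status can get either answer wrong. The following is an added example, not apt-check-sigs and not any Debian code: it classifies the machine-readable status lines that `gpg --status-fd 1 --verify Release.gpg Release` emits, optionally pins the signing key to a list of expected fingerprints, and treats an expired key as a hard failure. The sample status output, key ID and fingerprint in it are constructed placeholders, and `verify_release` is a hypothetical wrapper that shells out to a real gpg.

```python
"""Decide whether a Debian Release file's detached signature is acceptable,
from gpg's --status-fd output rather than its exit code or human text.
Added example; the status keywords are gpg's own, the samples are made up.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that make the signature unacceptable, most severe first.
# EXPKEYSIG is the thread's case: the crypto checks out, the key is expired.
_FATAL = {
    "BADSIG": "bad-signature",
    "REVKEYSIG": "revoked-key",
    "EXPKEYSIG": "expired-key",
    "EXPSIG": "expired-signature",
    "NO_PUBKEY": "unknown-key",
    "ERRSIG": "error",
}


@dataclass
class VerifyResult:
    verdict: str
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    notes: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        # Only a good, valid signature from a pinned (or any, if unpinned) key passes.
        return self.verdict == "trusted"


def classify_status(status_text: str,
                    expected_fingerprints: Iterable[str] = ()) -> VerifyResult:
    """Parse '[GNUPG:] KEYWORD args...' lines and return a verdict."""
    expected = {fp.replace(" ", "").upper() for fp in expected_fingerprints}
    seen = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable chatter goes to stderr; ignore anything else
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            seen.setdefault(fields[0], fields[1:])

    # Any fatal keyword wins regardless of what else gpg printed.
    for keyword, verdict in _FATAL.items():
        if keyword in seen:
            args = seen[keyword]
            return VerifyResult(verdict, key_id=args[0] if args else None,
                                notes=[f"gpg reported {keyword}"])

    # A trustworthy result needs both GOODSIG (key ok) and VALIDSIG (fingerprint).
    if "GOODSIG" in seen and "VALIDSIG" in seen and seen["VALIDSIG"]:
        key_id = seen["GOODSIG"][0] if seen["GOODSIG"] else None
        fpr = seen["VALIDSIG"][0].upper()
        if expected and fpr not in expected:
            return VerifyResult("unexpected-key", key_id, fpr,
                                ["signing key is not one of the pinned archive keys"])
        return VerifyResult("trusted", key_id, fpr)

    return VerifyResult("no-signature", notes=["no GOODSIG/VALIDSIG pair in status output"])


def verify_release(release_path: str, sig_path: str, keyring_path: str,
                   expected_fingerprints: Iterable[str] = ()) -> VerifyResult:
    """Hypothetical wrapper: run gpg against a dedicated keyring and classify.
    The exit status is deliberately not consulted; the status lines decide."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, release_path],
        capture_output=True, text=True, check=False)
    return classify_status(proc.stdout, expected_fingerprints)


# Constructed sample status output (placeholder key ID / fingerprint, not real keys).
_FPR = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2006-03-01 1141200000
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Example Archive Automatic Signing Key (2006)
[GNUPG:] VALIDSIG {_FPR} 2006-03-01 1141200000 0 3 0 17 2 00 {_FPR}
[GNUPG:] TRUST_ULTIMATE
"""
SAMPLE_EXPIRED = f"""[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1136073600
[GNUPG:] EXPKEYSIG DEADBEEFDEADBEEF Example Archive Automatic Signing Key (2005)
[GNUPG:] VALIDSIG {_FPR} 2005-02-01 1107216000 0 3 0 17 2 00 {_FPR}
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG DEADBEEFDEADBEEF Example Archive Automatic Signing Key (2006)
"""
```

Pinning fingerprints matters for the same reason the keyring does: a "good" signature from some other key in the keyring is not an archive signature. `classify_status` returns `expired-key` for the second sample even though gpg's VALIDSIG line is present, which is exactly the case the thread complains about.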