"Steinar H. Gunderson" <[EMAIL PROTECTED]>:
> On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
>
> > Also if you have 2 messages signed with the same random number you can
> > compute the secret key. It is more complicated then this but
> > simplified boils down to is computin
Am Donnerstag, den 15.05.2008, 15:20 +0200 schrieb Thijs Kinkhorst:
> On Thursday 15 May 2008 14:04, Martin Uecker wrote:
> > If I understand this correctly, this means that not only should keys
> > generated with the broken ssl lib be considered compromised, but all
>
Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, s
"Kevin B. McCarty" <[EMAIL PROTECTED]> wrote:
> If you see packages for which a Debian-specific patch seems unnecessary,
> please by all means file a bug (severity wishlist) requesting that the
> patch be either reverted or submitted upstream.
Most time the patch is already submitted upstream,
[EMAIL PROTECTED] wrote:
> I disagree. The cause of the disaster was not that Debian does its own
> patching, but the fact that that patch was buggy.
Buggy patches happen all the time. The question is, how could
something as bad as this slip through? And one important
reason is IMHO, that spli
martin f krafft <[EMAIL PROTECTED]> wrote:
> [2] And IMO we should go further than patches.d.o, we need to create a
> cross-distro infrastructure where we can share patches. We really have to
> show the way here... (we complained enough that ubuntu patches were
> unusable, surely we can show how
Barry deFreese wrote:
[...]
> > Buggy patches happen all the time. The question is, how could
> > something as bad as this slip through? And one important
> > reason is IMHO, that splitting up the development/bug fixing/review
> > by creating different software branches is bad.
>
> Different softw
Hi Kevin!
"Kevin B. McCarty" <[EMAIL PROTECTED]> wrote:
> Martin Uecker wrote:
[...]
> Well, *assuming* the patch is good, a subset of users of the software
> (i.e. Debian users and users of downstream distributions) benefit from
> it between the time it's ap
Hi Michal!
> Martin Uecker <[EMAIL PROTECTED]> wrote:
>
> > Upstream answered that it is okay too remove the seeding of the PRNG
> > with uninitialized memory, but the concrete patch which additionally and
> > erranously removed all seeding was never posted on
On Fri, May 16, 2008 at 11:26:01AM -0700, Don Armstrong wrote:
> On Fri, 16 May 2008, Martin Uecker wrote:
>
> > Requiring distro specific changes feels wrong anyway. Software
> > should be coupled by standardized interfaces. But I might be naive
> > here. What are the di
Tollef Fog Heen wrote:
> * Martin Uecker
>
> | Another problem I have argued about before, not directly related to this
> | incident, but IMHO another desaster waiting to happen: There is no
> | way to independetly validate that a debian binary package was
> | created from
Tollef Fog Heen wrote:
> * Martin Uecker
[...]
> | There was a thread "building packages with exact binary matches"
> | about it. Unfortunately, most people seem to think that this is not
> | worth it.
>
> I don't think that's unfortunate; I think it
Patrick Winnertz wrote:
> Am Dienstag, 18. September 2007 21:12:44 schrieb Julien Cristau:
> > > Hmmhh, what do you do about programs etc that encode the build-time in
> > > the binary? I mean they obviously will change between builds?
> >
> > Hopefully they don't encode the build-time in the file
Neil Williams <[EMAIL PROTECTED]>:
> Martin Uecker <[EMAIL PROTECTED]> wrote:
[...]
> >
> > I think it would be really cool if the Debian policy required
> > that packages could be rebuild bit-identical from source.
> > At the moment, it is impossible t
Joey Hess <[EMAIL PROTECTED]>:
> Joerg Jaspert wrote:
> > > On 11150 March 1977, Peter Eckersley wrote:
> > > > I've seen reports from very large sites indicating that
> > > > User-Agent
> > > > strings are almost as useful as cookies for tracking their
> > > > users.
> > >
> > > I cant believe th
Benjamin A'Lee <[EMAIL PROTECTED]>:
> On Mon, Sep 24, 2007 at 12:54:58AM +0200, Martin Uecker wrote:
> > Neil Williams <[EMAIL PROTECTED]>:
> > > This has been covered before - certain upstream macros are among
> > > many factors that ensure that
> On Mon, 24 Sep 2007 00:54:58 +0200
> Martin Uecker <[EMAIL PROTECTED]> wrote:
>
> > Neil Williams <[EMAIL PROTECTED]>:
> > > This has been covered before - certain upstream macros are among
> > > many factors that ensure that this is unlikely.
Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > If policy would require the exact reproducability of binaries, then it
> > would be a policy violation.
>
>That is not how
On Mon, Sep 24, 2007 at 08:35:50PM +0200, Goswin von Brederlow wrote:
> Martin Uecker <[EMAIL PROTECTED]> writes:
> > I think it would be really cool if the Debian policy required
> > that packages could be rebuild bit-identical from source.
> > At the moment, it
On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > It would be enough when just a few people are actually recompiling the
> > binaries and compare it to the offici
On Tue, Sep 25, 2007 at 01:03:27AM +0100, Benjamin A'Lee wrote:
> On Tue, Sep 25, 2007 at 12:04:15AM +0200, Martin Uecker wrote:
> > Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> > >Actually, if you do not trust the path down which a binary
> > &
On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote:
> >> On Tue, 25 Sep 2007 00:04:15 +0200, Mart
On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:
> On Wed, 26 Sep 2007 02:45:09 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
[...]
> >> > No. I would trust the binaries if there are *no mails* from other
> >>
> >> Ah, security t
Ben Finney <[EMAIL PROTECTED]> wrote:
> Martin Uecker <[EMAIL PROTECTED]> writes:
>
> > On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> > > Ah, security through blissful ignorance :) You do not
> > > actually trust the
On Thu, Sep 27, 2007 at 02:26:49AM -0500, Manoj Srivastava wrote:
> On Wed, 26 Sep 2007 12:31:51 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:
>
> >> Just because you have _heard_ anyone
On Thu, Sep 27, 2007 at 06:31:58PM -0500, Manoj Srivastava wrote:
> On Thu, 27 Sep 2007 11:28:47 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
[...]
> >> But recompiling from what? If you do not get the exact same source,
> >> you have no hope of getting the sa
On Fri, Sep 28, 2007 at 09:05:59AM -0700, Don Armstrong wrote:
> On Fri, 28 Sep 2007, Martin Uecker wrote:
> > You are seriously stating that is as easy to hide a trojan in the
> > source code as in the binary?
>
> Consider the fact that we've already had such a case,[
On Fri, Sep 28, 2007 at 09:18:12PM -0500, Manoj Srivastava wrote:
> On Fri, 28 Sep 2007 23:04:00 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > There is some other thing I do not like about the way Debian packages
> > work. Every package I install can actually
Samuel Thibault:
> Matthias Urlichs, le Thu 25 Sep 2014 21:17:58 +0200, a écrit :
> > Samuel Thibault:
> > > Sounds crazy to me.
> > >
> > Definitely. This is now out in the wild; exploits which simply replace
> > echo or cat-without-/bin are going to happen. :-/
>
> That's not so easy to exploi
Russ Allbery :
> Martin Uecker writes:
>
> > While everybody is looking at bash, isn't this the real the injection
> > part? Why are there still programs which copy stuff from the network
> > into environment without proper sanitation?
>
> The previous san
On Wed, Sep 15, 1999 at 01:19:34PM +0200, Paul Slootman wrote:
[...]
> > With dinstall a compromise is short lived and can be undone by erasing the
> > effected package. Creating a new key and getting people to sign it cannot
> > really be undone.
>
> How do you prove to whoever is able to erase
Hi all,
are there any plans to add -fstack-clash-protection to
the hardening flags?
Martin
Adrian Bunk:
> On Fri, Jun 17, 2022 at 10:18:43AM +0200, Matthias Klose wrote:
...
>
> >...
> > Link time
> > optimizations are also at least turned on in other distros like Fedora,
> > OpenSuse (two years) and Ubuntu (one year).
> >...
> > The idea is to file wishlist bug reports for those 373
Package: wnpp
Severity: wishlist
Owner: Martin Uecker
* Package name: bart-view
Version : 0.0.01
Upstream Author : Martin Uecker
* URL : https://github.com/mrirecon/view/
* License : BSD
Programming Lang: C
Description : Image viewer for multi
34 matches
Mail list logo
