Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Marc Haber
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery 
wrote:
>Of course, I'm one of those people who believes that web site certificate
>signatures as currently implemented, with the level of vetting that's
>actually done by commercial CAs in practice, are more of an extortion
>racket than a security measure.

I have to agree on that. But a Startcom Certificate on a personal web
site is one web site more that doesn't train users to blindly click
away certificate warnings. A cacert certificate or a self-signed
certificate on a personal web site is one web site more that does that
kind of training.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1wuszb-0007bm...@swivel.zugschlus.de



Re: Problem with packages version (on m68k architecture, but also on amd64 and maybe somewhere else)

2014-04-01 Thread Thorsten Glaser
Ondrej Riha dixit:

>linux-headers-2.6-* and linux-image-2.6-* and linux-doc-2.6-*

These packages no longer exist, they have been removed from unstable.

Debian-Ports mini-dak does not generally follow this sort¹ of removals
automatically, so they will eventually be cleaned up manually.

The packages are now called linux-headers-* and linux-image-*, for
example linux-image-m68k is the kernel you need to boot a current
Debian/m68k system. It has been like this in jessie/sid for quite
a long time already.

The second thing you’re seeing here is that Debian/m68k no longer
has six flavour-specific kernels but one kernel for all
subarchitectures, so the -amiga etc. variants are all gone, replaced
by the -m68k variant. This is a side benefit of the move to initrd
which was necessary for yet separate reasons (size being the most
important one), and desirable to stay closer to the other Debian
architectures.

bye,
//mirabilos

① The other sort of removals (drop binary packages that are no
  longer built from source packages when a new upload of any binary
  packages from that source package happens), dpo mini-dak does
  *too* eagerly: it doesn’t check if the old binary package is
  still depended on before it gets removed. Case in point, libdb5.1.
-- 
 exceptions: a truly awful implementation of quite a nice idea.
 just about the worst way you could do something like that, afaic.
 it's like anti-design.   that too… may I quote you on that?
 sure, tho i doubt anyone will listen ;)


Archive: https://lists.debian.org/pine.bsm.4.64l.1404010734130.14...@herc.mirbsd.org



Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Thomas Goirand
On 03/31/2014 08:27 PM, Jean-Michel Nirgal Vourgère wrote:
> Empathy was lacking OTR encryption for text, last time I checked.
> 
> Jitsi does support it ok, so I can continue to do secure chat with my
> existing contacts from pidgin (previously known as gaim).

BTW, it'd be nice to have a backport of Jitsi. Not sure how much work
that would be though (there must be lots of java dependencies...).

Thomas


Archive: https://lists.debian.org/533a73bc.8040...@debian.org



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Philip Hands
Marc Haber  writes:

> On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery 
> wrote:
>>Of course, I'm one of those people who believes that web site certificate
>>signatures as currently implemented, with the level of vetting that's
>>actually done by commercial CAs in practice, are more of an extortion
>>racket than a security measure.
>
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

Do you really think that the content on a Startcom certificated site is
more likely to be trustworthy than a CAcert certificated site?

I think the real problem here is the user interface asking one to trust
a site (forever, unless you're concentrating) at a point where you
really don't care because all you're interested in is seeing the cute
picture of an otter on someone's blog.

If browsers treated all new certificates with suspicion, limiting the
things that could be done in javascript, and not allowing forms to be
filled in, say, and then when you decided that you wanted to offer the
site some trust (because you want to fill in your credit card on the
https://amazon-really-it-is.mafia.biz/ site) the browser could then
guide you toward some checks that you might want to perform before
continuing, and because you've got a credit card in your hand you might
be vaguely interested at that point.

Anyway, can we not just have a cacert-certificates package, and then
people like me, who use cacert, could decide to trust them easily on my
machines at least?  If we instead do things that make it harder for even
Free Software enthusiasts to use something like CAcert, then the slim
chance that CAcert might eventually become properly useful gets even
slimmer.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/
|-|  HANDS.COM Ltd.http://ftp.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote:

> I think the real problem here is the user interface asking one to trust
> a site (forever, unless you're concentrating) at a point where you
> really don't care because all you're interested in is seeing the cute
> picture of an otter on someone's blog.

Indeed, the browser vendors basically fell for the NSA's social
engineering and put up scary warnings for a situation that is
approximately equivalent to plain unencrypted HTTP, which they treat
as all fine and good.

> If browsers treated all new certificates with suspicion, limiting the
> things that could be done in javascript, and not allowing forms to be
> filled in, say, and then when you decided that you wanted to offer the
> site some trust (because you want to fill in your credit card on the
> https://amazon-really-it-is.mafia.biz/ site) the browser could then
> guide you toward some checks that you might want to perform before
> continuing, and because you've got a credit card in your hand you might
> be vaguely interested at that point.

They don't even do that stuff for plain unencrypted HTTP so it is
unlikely they would for self-signed or unknown-ca HTTPS connections.

> Anyway, can we not just have a cacert-certificates package, and then
> people like me, who use cacert, could decide to trust them easily on my
> machines at least?  If we instead do things that make it harder for even
> Free Software enthusiasts to use something like CAcert, then the slim
> chance that CAcert might eventually become properly useful gets even
> slimmer.

From the discussion on #debian-security it sounds like what will
happen is either a ca-certificates-cacert package or adding cacert.org
to ca-certificates but disabled by default.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Archive: https://lists.debian.org/caktje6et5cbxheabmfmw4fcv+mfkpto21oo6upm9yyk+br0...@mail.gmail.com



Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org

2014-04-01 Thread Mike Gabriel
Package: wnpp
Severity: wishlist
Owner: Mike Gabriel 

* Package name: apt-get-snapshot
  Version : 1.1
  Upstream Author : Leandro Lisboa Penz 
* URL : https://github.com/lpenz/apt-get-snapshot
* License : BSD
  Programming Lang: Python
  Description : Download a specific package version from snapshot.debian.org

 apt-get-snapshot is a command-line tool that downloads a specific version of
 a debian package from snapshot.debian.org.
 .
 When using debian testing, it is not trivial to get the previous version of a
 package after it is upgraded. snapshot.debian.org is the source to go for these
 cases, but it has only a web interface. apt-get-snapshot navigates that web
 interface and fetches the desired package.


Archive: https://lists.debian.org/20140401103829.17481.87143.report...@minobo.das-netzwerkteam.de



Re: Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org

2014-04-01 Thread James McCoy
On Apr 1, 2014 6:39 AM, "Mike Gabriel" 
wrote:
> * Package name: apt-get-snapshot
>   Version : 1.1
>   Upstream Author : Leandro Lisboa Penz 
> * URL : https://github.com/lpenz/apt-get-snapshot
> * License : BSD
>   Programming Lang: Python
>   Description : Download a specific package version from
> snapshot.debian.org
>
>  apt-get-snapshot is a command-line tool that downloads a specific
> version of
>  a debian package from snapshot.debian.org.

This sounds a lot like the debsnap tool in the devscripts package.

Cheers,
James


Re: Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org

2014-04-01 Thread Mike Gabriel

Hi James, hi Arno,

On Tue 01 Apr 2014 13:07:47 CEST, James McCoy wrote:

> On Apr 1, 2014 6:39 AM, "Mike Gabriel" 
> wrote:
>> * Package name: apt-get-snapshot
>>   Version : 1.1
>>   Upstream Author : Leandro Lisboa Penz 
>> * URL : https://github.com/lpenz/apt-get-snapshot
>> * License : BSD
>>   Programming Lang: Python
>>   Description : Download a specific package version from
>> snapshot.debian.org
>>
>>  apt-get-snapshot is a command-line tool that downloads a specific
>> version of
>>  a debian package from snapshot.debian.org.
>
> This sounds a lot like the debsnap tool in the devscripts package.


I was not aware of that tool. Sorry. Would have saved me some work...

Considering to request a REJECT for my already uploaded package.

Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




Re: Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org

2014-04-01 Thread Arno Töll
Hi,

On 01.04.2014 12:38, Mike Gabriel wrote:
>  When using debian testing, it is not trivial to get the previous version of a
>  package after it is upgraded.  [..]

debsnap (in devscripts) is your friend.



-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D





Re: Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org

2014-04-01 Thread Peter Palfrader
Mike Gabriel wrote on Tuesday, 01 April 2014:

>  When using debian testing, it is not trivial to get the previous version of a
>  package after it is upgraded. snapshot.debian.org is the source to go for these
>  cases, but it has only a web interface. apt-get-snapshot navigates that web
>  interface and fetches the desired package.

Others already have pointed to debsnap.  This is just to state that
"navigating the web interface" is not the way to access snapshot
programmatically.  There's an interface documented at [1] and linked
from the snapshot front-page.

Cheers,
weasel

[1] http://anonscm.debian.org/gitweb/?p=mirror/snapshot.debian.org.git;a=blob_plain;f=API
-- 
   |  .''`.   ** Debian **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/


Archive: https://lists.debian.org/20140401113344.gw1...@anguilla.noreply.org



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Holger Levsen
Hi,

On Tuesday, 1 April 2014, Marc Haber wrote:
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

So what? SSL is broken by design; "trusting" anything based on an SSL
certificate is foolish at best. Any CA (of which there are hundreds enabled in
browsers and system libraries by default) can sign any certificate and most
(all?) tools won't complain/detect this.

So in a way, training not to trust these certs is the best one can do :)


cheers,
Holger, who wishes banks would push gpg & monkeysphere for https






--> APT's New Version <--

2014-04-01 Thread The deity team
After much discussion, the deity team has now picked an official
stanza on what a version number says about the stability and quality
of a software product:

16 years after the initial announcement[0] we are pleased to announce
apt in version "1.0.0.0b" as a birthday present to everyone caring
deeply about numbers.

Everyone else will find in this beta^Wbinary release the fulfilment of
a longstanding dream: /usr/bin/apt provided by apt rather than java.

We want to thank the java community for deprecating their "Annotation
Processing Tool" a long time ago and the java maintainers for
preparing the takeover by us.

Our newest addition to the apt family is intended as a user interface
and comes therefore bundled with a bunch of configuration and
interface changes compared to its siblings – but we don't want to blow
the surprise, so play with it for yourself! No worries though,
/usr/bin/apt-* will keep working just as before.

But a word of caution: the "/usr/bin/apt" binary is still work in
progress, so now is the time to speak up if you miss features or find
bugs and patch the hell out of/into it for a nice Debian
freeze&release in November. :)


16 years old and still ever changing: Not even the name remains
stable.  What used to be called "deity" was announced as "Apt", first
released as "APT" [1], shipped as "apt-get" and "apt-cache",
interpreted as "A Package Tool" and "Advanced Package Tool" and is now
also available as "apt" … But the initial wisdom holds: "it's still a
good word in its own right".  And this word has surely influenced the
way we manage our software on phones, servers and space stations. It
also still stirs envy among users and developers outside the Debian
universe – and rightly so! ;)

This would not have been possible without contributions by hundreds of
people in code, documentation, translations, bug reports and support!
Thank YOU for all this work – and please keep it coming! :) 

A very special thanks also goes out to the original authors: Your
little baby is now a sweet teenager who can legally drink beer! [2]

Who would have guessed that 16 years ago? Do you remember what you did
on the first April in 1998? What is the first thing you thought while
reading this mail? And most important of all: Have you mooed today?

It is "Sweet 16"-APT-1.0-Release-Partytime, so feel free to join the
fun and tell us your answers or anything else you want to share!
de...@lists.debian.org and #debian-apt are waiting for you.


Best regards and: Moo!

Your APT Development Team

[0] https://lists.debian.org/debian-devel/1998/04/msg00027.html
[1] https://lists.debian.org/debian-devel/1998/04/msg00274.html
[2] based on current team member origins. Your mileage may vary.
We recommend tea (with a lacing of milk maybe) while working apt
though. Super cow recommends that you smash some milk instead. 


Archive: https://lists.debian.org/20140401153904.GA27105@bod



Re: --> APT's New Version <--

2014-04-01 Thread Bjoern Meier
Hi,

best wishes from my side and a "sweet 16". I salute to you.
LEVEL UP! You are strong enough to gain supercow powers.
But remind yourself: "With great power comes great responsibility"

Can we add something to the supercow powers verbosity comments like:
"Supercow power +1. More style and stability than power, but ...
mooo!" ;)

Greetings,
Björn


Archive: https://lists.debian.org/CAGMPS56W8cQkwq+Ez+U7jRvH8MShF+cBq356sHEa=bvuwh8...@mail.gmail.com



Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Ean Schuessler
- "Thomas Goirand"  wrote:

> And yes, Java sux! :/ And it's going to take *a lot* of space on the
> CD1. This should therefore be discussed on the debian-cd list as well.
> I don't think that only the argument "it's better because of this or
> that feature" would be the only one (unfortunately).

"Java sux" is so 1990s. Java produces faster results than most of the
other advanced languages (python, ruby, perl, etc.), has better support
for threads, an enormous range of support libraries and is Free 
Software. Eclipse is probably the most popular Free Software IDE in
the world. Assertions about the space it takes up are fair but why not
leave "java sux" type comments to the trolls, where they belong?


Archive: https://lists.debian.org/30457674.80051396371033364.javamail.r...@newmail.brainfood.com



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Kevin Chadwick
previously on this list people contributed:

> I still don't see why we penalize Debian users for the fact that _other_
> operating systems don't include the cacert certificate

Seems illogical to me; we need more free CAs, not fewer, and I do agree
about the extortionism, especially on EV.

If a web designer only tests if one browser works on one OS without a
chaining issue then does he really care and is he a fool that needs
teaching anyhow?

>> I have to agree on that. But a Startcom Certificate on a personal web
>> site is one web site more that doesn't train users to blindly click
>> away certificate warnings. A cacert certificate or a self-signed
>> certificate on a personal web site is one web site more that does that
>> kind of training.

Or to check if they are on the right domain?

Xombrero caching of cert changes and warnings is useful in the terrible
climate for those who know what to check.


-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems its 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

___


Archive: https://lists.debian.org/169118.38101...@smtp132.mail.ir2.yahoo.com



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Bas Wijnen
On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
> I think the real problem here is the user interface asking one to trust
> a site (forever, unless you're concentrating) at a point where you
> really don't care because all you're interested in is seeing the cute
> picture of an otter on someone's blog.

Yes.  And the fact that making your blog use an encrypted connection
causes either scary warnings for all your visitors, or a lot of hassle
trying to find a CA who is slightly less extorting than the others,
leads to the result that most people give it up and don't use encryption
on their blog.  I think at Debian we all agree that it would be a good
thing if everything would be encrypted, so this is a very bad outcome.

> If browsers treated all new certificates with suspicion, limiting the
> things that could be done in javascript, and not allowing forms to be
> filled in, say, and then when you decided that you wanted to offer the
> site some trust (because you want to fill in your credit card on the
> https://amazon-really-it-is.mafia.biz/ site) the browser could then
> guide you toward some checks that you might want to perform before
> continuing, and because you've got a credit card in your hand you might
> be vaguely interested at that point.

But what does that accomplish?  Having a signature from one of the many
CAs on the key doesn't really prove anything.  It certainly doesn't mean
they're going to be careful with your money.

On Tue, Apr 01, 2014 at 06:30:11PM +0800, Paul Wise wrote:
> On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote:
> 
> > I think the real problem here is the user interface asking one to trust
> > a site (forever, unless you're concentrating) at a point where you
> > really don't care because all you're interested in is seeing the cute
> > picture of an otter on someone's blog.
> 
> Indeed, the browser vendors basically fell for the NSA's social
> engineering and put up scary warnings for a situation that is
> approximately equivalent to plain unencrypted HTTP, which they treat
> as all fine and good.

It's not at all equivalent.  When using (good) encryption, the only
thing left to worry about is man in the middle attacks.  Even when
someone is actively performing a man in the middle attack on you, your
data is _still_ more secure than a plain text connection, because while
the person doing the attack can read your data, the rest of the world
still can't.  Of course the person doing the attack is probably more of
a problem than the rest of the world, but he could read your data if it
was unencrypted as well.

An unencrypted connection is readable to everyone; an encrypted
connection is readable to those in a position to alter your packets.
And when they use it, it is detectable (which doesn't imply it is
detected, but it probably would be if an organization like the NSA would
start doing it on a really large scale).

There are three problems to solve: first, you need to know that you're
talking to the right person.  Second, you need to make sure only that
person can read your packets, and third, you need to know that that
person is not evil.  CAs try (but fail) to solve the first point only.
They are however treated by many people as if they solve all three.

The second point is already solved and it works just fine.  The only
problem is that browsers scare away all visitors when you use a
self-signed certificate, or one from a CA that isn't recognized.

> > Anyway, can we not just have a cacert-certificates package, and then
> > people like me, who use cacert, could decide to trust them easily on my
> > machines at least?  If we instead do things that make it harder for even
> > Free Software enthusiasts to use something like CAcert, then the slim
> > chance that CAcert might eventually become properly useful gets even
> > slimmer.
> 
> From the discussion on #debian-security it sounds like what will
> happen is either a ca-certificates-cacert package or adding cacert.org
> to ca-certificates but disabled by default.

Hmm, I would hope for a ca-certificates-cacert package then.  If I have
to, I want to explain people that they need to install this; I don't
want to explain them how to enable certificates.  Encryption is one of
those things which should work by default, and any extra required step
to make it possible is a bad thing.

I've also asked Mozilla to give plain HTTP connections at least as much
warnings as self-signed certificates (which would probably mean no
warnings for either of them), but I don't think they'll listen.

Thanks,
Bas




Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Bas Wijnen
First of all, I agree that we should provide a system that is as usable
as possible.  If a desktop environment such as Gnome chooses to use an
inferior product, we don't have to let _our_ users suffer from that
choice.  Having a client which integrates well with the system is nice,
but what's more important is having one that actually works for
communication with others (including video, audio, chat, encryption, and
including communication with people who don't use Debian, or even
something GNU-based).

On Tue, Apr 01, 2014 at 11:50:33AM -0500, Ean Schuessler wrote:
> "Java sux" is so 1990s. Java produces faster results than most of the
> other advanced languages (python, ruby, perl, etc.), has better support
> for threads, an enormous range of support libraries and is Free 
> Software.

That may be true, but when I tried running Jitsi some time ago and it
didn't work, the first thing I was told was "You need to use Oracle's
JVM" (which is non-free).

(From Daniel's message I take it that problem is resolved?  I'll try it
again then.  Btw: thanks Daniel for all your work on this!)

I see the problem of all the bloat that comes with Java, but it is
minor.  The main problem is still
https://www.gnu.org/philosophy/java-trap.html
In particular
> To reliably ensure your Java programs run fine in a free environment,
> you need to develop them using IcedTea. Theoretically the Java
> platforms should be compatible, but they are not compatible 100
> percent.

Thanks,
Bas




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Marc Haber
On Tue, 01 Apr 2014 11:04:43 +0100, Philip Hands 
wrote:
>Marc Haber  writes:
>> On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery 
>> wrote:
>>>Of course, I'm one of those people who believes that web site certificate
>>>signatures as currently implemented, with the level of vetting that's
>>>actually done by commercial CAs in practice, are more of an extortion
>>>racket than a security measure.
>>
>> I have to agree on that. But a Startcom Certificate on a personal web
>> site is one web site more that doesn't train users to blindly click
>> away certificate warnings. A cacert certificate or a self-signed
>> certificate on a personal web site is one web site more that does that
>> kind of training.
>
>Do you really think that the content on a Startcom certificated site is
>more likely to be trustworthy than a CAcert certificated site?

No.

I have nothing to add to Paul's explanation.

Greetings
Marc


Archive: https://lists.debian.org/e1wv5s4-0004ic...@swivel.zugschlus.de



Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Russ Allbery
Bas Wijnen  writes:

> I see the problem of all the bloat that comes with Java, but it is
> minor.  The main problem is still
> https://www.gnu.org/philosophy/java-trap.html

> In particular

>> To reliably ensure your Java programs run fine in a free environment,
>> you need to develop them using IcedTea. Theoretically the Java
>> platforms should be compatible, but they are not compatible 100
>> percent.

We use Java relatively heavily at work, and I've got to say that this is
largely a thing of the past.  If you're developing against Java 7, and to
a large extent Java 6, you will be very hard-pressed to tell the
difference between OpenJDK and the Oracle Java implementation.

With Java 5 and earlier, this was indeed a problem, and a lot of things
wouldn't work unless you ran them with the Oracle Java.  But sometimes
software gets better.

-- 
Russ Allbery (r...@debian.org)   


Archive: https://lists.debian.org/87d2h0g4ls@windlord.stanford.edu



Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Kevin Chadwick
previously on this list Bas Wijnen contributed:

> I see the problem of all the bloat that comes with Java, but it is
> minor.  The main problem is still
> https://www.gnu.org/philosophy/java-trap.html

I guess you missed all the exploits in JAVA over the years and
especially last year where it was banned for long periods from all
browsers. To the point that the pressure is building on web hosts to
drop JAVA KVM clients completely.

I'm starting to question if Debian takes security and correctness
seriously enough.



Archive: https://lists.debian.org/92558.69695...@smtp146.mail.ir2.yahoo.com



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Kevin Chadwick
previously on this list Bas Wijnen contributed:

> From: Bas Wijnen 
> To: debian-devel@lists.debian.org
> Subject: Re: ca-certificates: no more cacert.org certificates?!?
> Date: Tue, 1 Apr 2014 22:22:12 +0200
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
> > I think the real problem here is the user interface asking one to trust
> > a site (forever, unless you're concentrating) at a point where you
> > really don't care because all you're interested in is seeing the cute
> > picture of an otter on someone's blog.  
> 
> Yes.  And the fact that making your blog use an encrypted connection
> causes either scary warnings for all your visitors, or a lot of hassle
> trying to find a CA who is slightly less extorting than the others,
> leads to the result that most people give it up and don't use encryption
> on their blog.

I agree

>  I think at Debian we all agree that it would be a good
> thing if everything would be encrypted, so this is a very bad outcome.
> 

I beg to differ I'm afraid. SSL should be used where it is required,
otherwise you are opening the server up to DoS and, as it is more
complex, bugs and exploits, not to mention greater memory and CPU usage,
in similar fashion to systemd.

> 
> I've also asked Mozilla to give plain HTTP connections at least as much
> warnings as self-signed certificates (which would probably mean no
> warnings for either of them), but I don't think they'll listen.

What have you asked them exactly? I believe glaring warnings should be
removed from self-signed and green bars removed completely for EV certs
but you should be asked to check the fingerprint for self-signed and the
browser should cache the cert and warn of changes in all cases
though that would scare the uninitiated at first???


-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems its 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

___


-- 
Archive: https://lists.debian.org/616880.64104...@smtp144.mail.ir2.yahoo.com
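The "cache the cert and warn of changes" behaviour Kevin describes above is trust-on-first-use pinning. The following is an added example of the fingerprint store such a client would keep; it is not code from this thread or from Debian, and the certificate bytes are constructed stand-ins:

```python
"""Trust-on-first-use (TOFU) pinning: remember a server's certificate the
first time it is seen, then warn when it changes.  Added example, not code
from the thread or from Debian.  Certificate bytes below are constructed."""
import hashlib
import json
import os


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex, the
    form a user would compare out of band for a self-signed site."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Known-hosts style store, host -> fingerprint.  path=None keeps it in
    memory; otherwise pins are persisted as JSON between runs."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f, indent=1)

    def check(self, host: str, cert_der: bytes):
        """Return (status, expected, seen).  Unknown host: pin it (TOFU) and
        report "new" so the UI can ask the user to verify the fingerprint.
        Known host: "match" or "changed".  A mismatch never overwrites the
        pin, so a man in the middle cannot silently replace it."""
        seen = fingerprint(cert_der)
        expected = self.pins.get(host)
        if expected is None:
            self.pins[host] = seen
            self._save()
            return "new", None, seen
        return ("match" if expected == seen else "changed"), expected, seen

    def accept_change(self, host: str, cert_der: bytes):
        """Explicit user action after verifying the new fingerprint out of band."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


# Constructed stand-ins for DER bytes (a real client would take them from
# ssl.SSLSocket.getpeercert(binary_form=True)).
CERT_2014 = b"constructed DER for blog.example, key generated 2014"
CERT_2015 = b"constructed DER for blog.example, key rotated 2015"
```

A legitimate key rotation and a man-in-the-middle look the same to this check, which is why the "changed" verdict only warns and leaves the decision to the user.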



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Bas Wijnen
On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
> >  I think at Debian we all agree that it would be a good
> > thing if everything would be encrypted, so this is a very bad outcome.
> 
> I beg to differ I'm afraid. SSL should be used where it is required
> otherwise you are opening the server up to DOS and as it is more
> complex, bugs and exploits not to mention greater memory and cpu usage
> in similar fashion to systemd.

That's a valid point.  I think all connections should be encrypted,
unless the server admin knowingly disables the encryption.  Does that
sound better?

What I would like to see, is that if someone new to making websites
tries something, they will be using encrypted connections.  And if they
start asking people to fill out personal data, they don't need to do
anything extra to make sure it works right.

> > I've also asked Mozilla to give plain HTTP connections at least as much
> > warnings as self-signed certificates (which would probably mean no
> > warnings for either of them), but I don't think they'll listen.
> 
> What have you asked them exactly?

https://bugzilla.mozilla.org/show_bug.cgi?id=566008#c12

> I believe glaring warnings should be removed from self-signed and
> green bars removed completely for EV certs but you should be asked to
> check the fingerprint for self-signed and the browser should cache the
> cert and warn of changes in all cases though that would scare the
> uninitiated at first???

I think from a usability perspective, "normal" browsing, including
self-signed certificates, should just work without any messages.  But I
gladly leave the details to the browser developers.  There is one thing
I would like them to do, and that is scare users more towards encrypted
connections than away from them.  I don't think any scaring is required,
but if they are going to scare people for self-signed certificates, they
should scare them even more for unencrypted connections.

Thanks,
Bas




Re: --> APT's New Version <--

2014-04-01 Thread Andrew M.A. Cater
On Tue, Apr 01, 2014 at 05:39:04PM +0200, The deity team wrote:
> After much discussion, the deity team has now picked an official
> stanza on what a version number says about the stability and quality
> of a software product:
> 
> 16 years after the initial announcement[0] we are pleased to announce
> apt in version "1.0.0.0b" as a birthday present to everyone caring
> deeply about numbers.
> 
> Everyone else will find in this beta^Wbinary release the fulfilment of
> a longstanding dream: /usr/bin/apt provided by apt rather than java.
> 
> We want to thank the java community for deprecating their "Annotation
> Processing Tool" a long time ago and the java maintainers for
> preparing the takeover by us.
> 
> Our newest addition to the apt family is intended as a user interface
> and comes therefore bundled with a bunch of configuration and
> interface changes compared to its siblings – but we don't want to blow
> the surprise, so play with it for yourself! No worries though,
> /usr/bin/apt-* will keep working just as before.
> 
> But a word of caution: the "/usr/bin/apt" binary is still work in
> progress, so now is the time to speak up if you miss features or find
> bugs and patch the hell out of/into it for a nice Debian
> freeze&release in November. :)
> 
> 
> 16 years old and still ever changing: Not even the name remains
> stable.  What used to be called "deity" was announced as "Apt", first
> released as "APT" [1], shipped as "apt-get" and "apt-cache",
> interpreted as "A Package Tool" and "Advanced Package Tool" and is now
> also available as "apt" … But the initial wisdom holds: "it's still a
> good word in its own right".  And this word has surely influenced the
> way we manage our software on phones, servers and space stations. It
> also still stirs envy among users and developers outside the Debian
> universe – and rightly so! ;)
> 
> This would not have been possible without contributions by hundreds of
> people in code, documentation, translations, bugreports and support!
> Thank YOU for all this work – and please keep it coming! :) 
> 
> A very special thanks also goes out to the original authors: Your
> little baby is now a sweet teenager who can legally drink beer! [2]
> 
> Who would have guessed that 16 years ago? Do you remember what you did
> on the first April in 1998? What is the first thing you thought while
> reading this mail? And most important of all: Have you mooed today?
> 

I think I was just pleased that I'd thought of the name and that Jason,
Manoj and others had accepted it - it defused an almighty flamewar :)


> It is "Sweet 16"-APT-1.0-Release-Partytime, so feel free to join the
> fun and tell us your answers or anything else you want to share!
> de...@lists.debian.org and #debian-apt are waiting for you.
> 
> 
> Best regards and: Moo!
> 
> Your APT Development Team
> 
> [0] https://lists.debian.org/debian-devel/1998/04/msg00027.html
> [1] https://lists.debian.org/debian-devel/1998/04/msg00274.html
> [2] based on current team member origins. Your mileage may vary.
> We recommend tea (with a lacing of milk maybe) while working apt
> though. Super cow recommends that you smash some milk instead. 
> 
> 
> -- 
> Archive: https://lists.debian.org/20140401153904.GA27105@bod

Andy Cater


-- 
Archive: https://lists.debian.org/20140401215359.ga5...@galactic.demon.co.uk



Re: --> APT's New Version <--

2014-04-01 Thread Ben Finney
The deity team  writes:

> Everyone else will find in this beta^Wbinary release the fulfilment of
> a longstanding dream: /usr/bin/apt provided by apt rather than java.

I don't know, this all seems a bit hasty. What about all my shell
scripts to work with the Java “apt” to turn it into my package manager?
Have you no regard for backward-compatibility?

> But a word of caution: the "/usr/bin/apt" binary is still work in
> progress, so now is the time to speak up if you miss features or find
> bugs and patch the hell out of/into it for a nice Debian
> freeze&release in November. :)

Oh. Well, I'll get to work on the patches. I assume the project is using
a Java CAPS instance, can I have access to it?

> It is "Sweet 16"-APT-1.0-Release-Partytime, so feel free to join the
> fun and tell us your answers or anything else you want to share!
> de...@lists.debian.org and #debian-apt are waiting for you.

Huge thanks to everyone who has worked on APT over the years, making it
the standard by which to judge all other package management systems.

-- 
 \   “Give a man a fish, and you'll feed him for a day; give him a |
  `\religion, and he'll starve to death while praying for a fish.” |
_o__)   —Anonymous |
Ben Finney


-- 
Archive: https://lists.debian.org/85txaclmsg@benfinney.id.au



Re: default messaging/VoIP client for Debian 8/Jessie

2014-04-01 Thread Russ Allbery
Kevin Chadwick  writes:

> I guess you missed all the exploits in JAVA over the years and
> especially last year where it was banned for long periods from all
> browsers. To the point that the pressure is building on web hosts to
> drop JAVA KVM clients completely.

Most of the exploits in Java (I have no idea why you write the word in all
caps) are flaws in the sandbox security model.  While those are real
vulnerabilities in the context of running untrusted Java applets
downloaded from the network, they're not horribly interesting in the
context of running trusted applications installed through normal signed
apt repositories.

> I'm starting to question if Debian takes security and correctness
> seriously enough.

While we would be sad to lose your insightful commentary in debian-devel,
I'm sure we'd all understand if you felt like you needed to move to a
different distribution.

-- 
Russ Allbery (r...@debian.org)   


-- 
Archive: https://lists.debian.org/87zjk4elhy@windlord.stanford.edu



Ezoic and debianhelp.co.uk

2014-04-01 Thread Nacim Benni
Hi Debian,

We are a venture capital-backed, California-based tech company.  

We are in the process of recruiting websites such as debianhelp.co.uk for our 
beta program.

Based on data collected from over 600 participating sites, our scientifically 
optimized websites earn 2-3x more revenue and users spend upwards of 35% more 
time on the site.

This opportunity is by invitation only. Please get back to me if you are 
interested in a free 2-week trial of Ezoic for debianhelp.co.uk.

Nacim Benni
Informational Site Specialist
Ezoic Inc.
http://www.ezoic.com

Phone: 1 760-487-8931
Linkedin: http://www.linkedin.com/in/nacimbenni
Twitter: @ezoic
Facebook: http://facebook.com/ezoic



-- 
Archive: https://lists.debian.org/463bd5faac77517577dc08adf4d32...@s.ezoic.com



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Wed, Apr 2, 2014 at 4:22 AM, Bas Wijnen wrote:

> It's not at all equivalent.  When using (good) encryption, the only
> thing left to worry about is man in the middle attacks.  Even when
> someone is actively performing a man in the middle attack on you, your
> data is _still_ more secure than a plain text connection, because while
> the person doing the attack can read your data, the rest of the world
> still can't.  Of course the person doing the attack is probably more of
> a problem than the rest of the world, but he could read your data if it
> was unencrypted as well.
>
> An unencrypted connection is readable to everyone; an encrypted
> connection is readable to those in a position to alter your packets.
> And when they use it, it is detectable (which doesn't imply it is
> detected, but it probably would be if an organization like the NSA would
> start doing it on a really large scale).

Encrypted and unencrypted connections are equivalent because anyone
who is on your network path (or can manipulate DNS or BGP) can MITM
the connection. The MITM could be active or passive in either case,
encryption pushes more attacks to the active side but either is still
feasible. The NSA just does things like log all ciphertext for years
and then break endpoint security. Forward secrecy hasn't been in focus
until the recent NSA revelations really.

> There are three problems to solve: first, you need to know that you're
> talking to the right person.  Second, you need to make sure only that
> person can read your packets, and third, you need to know that that
> person is not evil.  CAs try (but fail) to solve the first point only.
> They are however treated by many people as if they solve all three.

Fourth, you need to know that the person will never be subject to an
authority that could be evil at any point in time.

> Hmm, I would hope for a ca-certificates-cacert package then.  If I have
> to, I want to explain to people that they need to install this; I don't
> want to explain to them how to enable certificates.  Encryption is one of
> those things which should work by default, and any extra required step
> to make it possible is a bad thing.

I mentioned this point on IRC during the discussion.

> I've also asked Mozilla to give plain HTTP connections at least as much
> warnings as self-signed certificates (which would probably mean no
> warnings for either of them), but I don't think they'll listen.

I think they are constrained by the browser market; if they add
annoying popups and other browser vendors don't then they will
probably lose market share. This is the fundamental problem with web
security; the wider user population wants things to 'work', anything
that gets in the way tends

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
Archive: https://lists.debian.org/CAKTje6FDijKX_ytQhj9d_=tqT=y_jlaq2cjtb_xoste7wfw...@mail.gmail.com



Re: --> APT's New Version <--

2014-04-01 Thread Thomas Goirand
On 04/02/2014 06:14 AM, Ben Finney wrote:
> The deity team  writes:
> 
>> Everyone else will find in this beta^Wbinary release the fulfilment of
>> a longstanding dream: /usr/bin/apt provided by apt rather than java.
> 
> I don't know, this all seems a bit hasty. What about all my shell
> scripts to work with the Java “apt” to turn it into my package manager?
> Have you no regard for backward-compatibility?

I really first thought it has to do with the day of washing the lions
ceremony [1]. I'd suggest avoiding such a date for announcements in the
future. Anyway, I then checked the facts, and really ... \o/ !!!

It feels great to use apt instead of apt-get / apt-cache, and the new
colorful output is awesome (btw, will Dpkg::Progress-Fancy be on by
default on the next update? I kind of like it...).

*THANKS TO EVERYONE WHO WORKED ON APT* !!!
Debian wouldn't be what it is today without it.

Thomas

[1]
https://upload.wikimedia.org/wikipedia/commons/f/fb/Washing_of_the_Lions.jpg


--
Archive: https://lists.debian.org/533ba502.6090...@debian.org



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:

> I think they are constrained by the browser market; if they add
> annoying popups and other browser vendors don't then they will
> probably lose market share. This is the fundamental problem with web
> security; the wider user population wants things to 'work', anything
> that gets in the way tends

... not to get implemented.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
Archive: https://lists.debian.org/caktje6fmpxy-ymumkb0juu2wwobo3wurotj3ud7tytxvu-m...@mail.gmail.com