Package: wnpp
Severity: wishlist
* Package name: zope-groupuserfolder
Version : 1.32
Upstream Author : P.-J. Grizel <[EMAIL PROTECTED]>
* URL : ftp://ftp.sourceforge.net/pub/sourceforge/collective
* License : ZPL-2.0
Description : Group management for Zop
On Wed, 2003-12-03 at 11:12, Theodore Ts'o wrote:
> > On Tue, Dec 02, 2003 at 12:04:31PM +, bruce wrote:
> > > I did a first pass at the UserLinux white paper, it's at
> > > http://userlinux.org/white_paper.html. I think I'll sleep for a while.
>
> The next logical question then is why will an
Scott James Remnant <[EMAIL PROTECTED]> writes:
> On Wed, 2003-12-03 at 01:52, Goswin von Brederlow wrote:
>
> > Scott James Remnant <[EMAIL PROTECTED]> writes:
> >
> > > No Cc was necessary, I am subscribed to debian-devel.
> > >
> >
> I can only assume you ignored this out of either spite or
On Tue, 2 Dec 2003 22:49:20 -0600
John Goerzen <[EMAIL PROTECTED]> wrote:
> First of all. This is obviously not a Debian project (since it is not
> operating within the Debian framework.) I don't see why this then
> necessitates over a dozen threads on debian-devel -- AND why it gets to
> call it
On Wed, 2003-12-03 at 15:08, Theodore Ts'o wrote:
> On Tue, Dec 02, 2003 at 04:52:47PM -0800, Bruce Perens wrote:
> > I don't deny that many businesses do have to come to their vendor on
> > bended knee to get support for a new platform. It's important, however,
> > to realize that this does indi
First of all. This is obviously not a Debian project (since it is not
operating within the Debian framework.) I don't see why this then
necessitates over a dozen threads on debian-devel -- AND why it gets to
call itself "Debian." Moreover, I remain unconvinced that there is any
need to split fro
On Sun, Nov 30, 2003 at 01:47:29PM +0100, Bernhard R. Link wrote:
> * Russell Coker <[EMAIL PROTECTED]> [031130 05:53]:
> > Some daemons such as cups are written in a way that requires that they be
> > able to write to their own configuration files. If such a daemon is run as
> > non-root then
On Tue, Dec 02, 2003 at 04:52:47PM -0800, Bruce Perens wrote:
> I don't deny that many businesses do have to come to their vendor on
> bended knee to get support for a new platform. It's important, however,
> to realize that this does indicate a problem in the customer's
> relationship with the
(Really should read ahead further ... here are more, and all laid out
together)
* DFSG Free Software only (I know this one will get debated, but this is
the whole point of Debian Enterprise - if you want proprietary software,
go buy Red Hat or SUSE/Novell).
* Specifically targeting For-Profit en
(re-titled to - flavors)
To give limits to Debian Enterprise/ User Linux we need to define some
areas of focus.
Flavours (and sub-flavours/ tasks/ yadda) is as good a place to start as
any. So here are some proposed flavours:
- Enterprise (base packages and more "neutral" config)
- Enterprise
On Wed, 2003-12-03 at 14:52, Zenaan Harkness wrote:
> On Wed, 2003-12-03 at 14:32, Zenaan Harkness wrote:
> > (Please CC [EMAIL PROTECTED])
> >
> > To throw them into the ring:
> >
> > * DFSG Free Software only (I know this one will get debated, but this is
> > the whole point of Debian Enterpris
On Wed, 2003-12-03 at 14:32, Zenaan Harkness wrote:
> (Please CC [EMAIL PROTECTED])
>
> To throw them into the ring:
>
> * DFSG Free Software only (I know this one will get debated, but this is
> the whole point of Debian Enterprise - if you want proprietary software,
> go buy Red Hat or SUSE/Nov
On Fri, Nov 28, 2003 at 10:08:45AM +0100, Bernd Eckenfels wrote:
> In the final announcement I would add also a statement about reducing the
> number of trust relations between the machines and perhaps limiting shell
> access.
It seems fairly clear that this was not an issue because the compromis
On Wed, 2003-12-03 at 14:45, Zenaan Harkness wrote:
> As per the recommendations from Bruce Perens' User Linux paper
> http://userlinux.com/white_paper.html, this thread is to discuss the
> applications within the bounded set of Debian Enterprise/ User Linux.
>
> The bounded set will depend on the
As per the recommendations from Bruce Perens' User Linux paper
http://userlinux.com/white_paper.html, this thread is to discuss the
applications within the bounded set of Debian Enterprise/ User Linux.
The bounded set will depend on the flavour. So first comes proposed
flavours (and sub-flavours/
To give limits to Debian Enterprise/ User Linux we need to define some
areas of focus.
Flavours (and sub-flavours/ tasks/ yadda) is as good a place to start as
any. So here are some proposed flavours:
- Enterprise (base packages and more "neutral" config)
- Enterprise Desktop - with sub-flavour
(Please CC [EMAIL PROTECTED])
To throw them into the ring:
* DFSG Free Software only (I know this one will get debated, but this is
the whole point of Debian Enterprise - if you want proprietary software,
go buy Red Hat or SUSE/Novell).
* Specifically targeting For-Profit entities (vs Debian-NP
On Wed, 3 Dec 2003 12:34, Don Armstrong <[EMAIL PROTECTED]> wrote:
> Smartcards are not a magical panacea either.
True.
> The problems associated
> with them aren't too terribly different from those associated with
> keys or other forms of physical security, notably, that they can be
> stolen, or
On Tue, Dec 02, 2003 at 08:47:10PM -0600, Steve Langasek wrote:
> On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
> > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
> > > The only way to have avoided this kernel vulnerability from day-0 of
> > > discovery/fix relea
On Wed, 3 Dec 2003 13:02, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> Even if it is painful to decide: more privileges to DDs on a need-to-have
> base.
Every DD needs to have immediate access to servers running each of the
supported architectures.
I use mainly i386. If I have to jump through
On Wed, 3 Dec 2003 12:19, Tom <[EMAIL PROTECTED]> wrote:
> Smartcards would have avoided the Debian compromise: merely having a
> compromised DD box would have prevented bad guy from getting on the box.
>
> It's all about layers of defense.
>
> I think the DD's should seriously think about requirin
On Wed, 2003-12-03 at 01:52, Goswin von Brederlow wrote:
> Scott James Remnant <[EMAIL PROTECTED]> writes:
>
> > No Cc was necessary, I am subscribed to debian-devel.
> >
>
I can only assume you ignored this out of either spite or stupidity.
I don't mind too much if people forget the code of c
Oliver Elphick writes:
> On Wed, 2003-12-03 at 00:52, [EMAIL PROTECTED] wrote:
> > > /* map the file and load an extra page in case the new line expands the
> > > file across the page boundary; adding 2 allows for the truncating
> > > effect of integer division. Forcing an extra pa
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
> On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
> > The only way to have avoided this kernel vulnerability from day-0 of
> > discovery/fix release would have been to be constantly upgrading to
> > pre-release kernels
On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
> But this kind of tampering _can_ be checked by apt before installing
> the deb simply by adding a signature verifier into the
> DPkg::Pre-Install-Pkgs config option, the same mechanism
> apt-listchanges already uses to display
Henning Makholm <[EMAIL PROTECTED]> writes:
> Scripsit Goswin von Brederlow
> > Henning Makholm <[EMAIL PROTECTED]> writes:
>
> > > I refer you to Ken Thompson's Turing award lecture. If someone who
> > > really means business manages to compromise binary toolchain debs, all
> > > the hackers in
Andreas Barth <[EMAIL PROTECTED]> writes:
> * Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
> > So unless you have a suggestion that would solve this particular issue,
> > I'm afraid this idea won't work in practice.
>
> Two suggestions come to my mind. However, I can't judge how useful
> t
On Wed, Dec 03, 2003 at 03:17:20AM +0100, Goswin von Brederlow wrote:
> What the admins signature can gives us is a trusted timestamp and
> another pair of eyes reading the changes files.
Well, a trusted timestamp can be added/required by a third party. No need to
bother a build admin with signing
On Tue, Dec 02, 2003 at 11:21:10PM +0100, Gürkan Sengün wrote:
> I could not reach [EMAIL PROTECTED] which is mentioned
> on the following page:
> http://people.debian.org/~apenwarr/popcon/
Avery is a little busy right now. But he can probably be
reached at [EMAIL PROTECTED]
Simon
On Wed, 2003-12-03 at 13:09, Jeroen van Wolffelaar wrote:
> On Wed, Dec 03, 2003 at 01:04:49PM +1100, Zenaan Harkness wrote:
> > URL for the PDF file (1-page image, ~350KiB):
> > http://debian-enterprise.org/img/enterprise-debian.pdf
>
> [EMAIL PROTECTED]/scratch$ wget
> http://debian-enterprise.
Henning Makholm <[EMAIL PROTECTED]> writes:
> Scripsit Wouter Verhelst <[EMAIL PROTECTED]>
>
> > Requiring us to log in to the autobuilder to sign the .deb remotely is
> > not acceptable, for two reasons:
> > * it's way too much work for most of us
> > * it requires copying the secret key over, w
Joey Hess <[EMAIL PROTECTED]> writes:
> Andreas Metzler wrote:
> > I still don't understand how you change the version number (or the
> > package-name) without breaking the signature.
>
> Which signature? The Packages file is being modified, so of course the
> chain of trust back to the Release fi
URL for the PDF file (1-page image, ~350KiB):
http://debian-enterprise.org/img/enterprise-debian.pdf
(The debian-enterprise.org website is also updated in various other
places.)
Regards
Zenaan
--
Debian Enterprise: A Custom Debian Distribution: http://debian-enterprise.org/
* Homepage: http://h
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
> I think the DD's should seriously think about requiring smartcards. It
> would have prevented the proximate cause of our recent troubles.
No, we have to deal with a large population of untrusted individuals. Even
if we can keep outsiders out
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
> The only way to have avoided this kernel vulnerability from day-0 of
> discovery/fix release would have been to be constantly upgrading to
> pre-release kernels.
Yes but also the debian servers would not have been vulnerable if they
On Tue, Dec 02, 2003 at 04:52:47PM -0800, Bruce Perens wrote:
> So, our problem is how to rebalance the vendor-customer relationship for
> our purposes. Probably the most useful tool is the industry group
> organization, where a number of similar businesses get together to steer
> their particip
Scott James Remnant <[EMAIL PROTECTED]> writes:
> No Cc was necessary, I am subscribed to debian-devel.
>
> On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote:
>
> > Scott James Remnant <[EMAIL PROTECTED]> writes:
> >
> > > A compromised dinstall on ftp-master could also replace the keyrin
On Wed, 2003-12-03 at 01:05, Steve Greenland wrote:
> > sprintf(buf, "Failed to open %s for writing", filename);
>
>
> Where did you make 'buf' point to any usable memory? Everything after
> this is bogus...
You are right that that w
On Tue, Dec 02, 2003 at 04:52:47PM -0800, Bruce Perens wrote:
> So, our problem is how to rebalance the vendor-customer relationship for
> our purposes. Probably the most useful tool is the industry group
> organization, where a number of similar businesses get together to steer
> their particip
On Tue, 02 Dec 2003, Tom wrote:
> I think the DD's should seriously think about requiring smartcards.
> It would have prevented the proximate cause of our recent troubles.
Smartcards are not a magical panacea either. The problems associated
with them aren't too terribly different from those associ
On 02-Dec-03, 18:37 (CST), Oliver Elphick wrote:
> /*
> Write a line in user_clusters
> */
> void write_cluster_line(const char *user, const char *group,
>
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
> On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote:
>
> The only way to have avoided this kernel vulnerability from day-0 of
> discovery/fix release would have been to be constantly upgrading to
> pre-release kernels.
>
Chad Walstrom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
> > > A true IDS is needed, such as aide, tripwire, or cfengine to detect
> > > post-installation intrusion. Tie in aide or tripwire database
> > > checks/updates with the apt.conf "PostI
John Goerzen writes:
>On Tue, Dec 02, 2003 at 12:27:00PM -0500, Noah L. Meyerhans wrote:
>> release goal of December 1 didn't inspire any new activity. This gives
>> the appearance that the ARM port maintainers simply don't care if sarge
>> gets released at all. This is very discouraging.
>
>If t
On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote:
> Of course someone could look at the MS fixes and do some decompilation for a
> similar result. Sure it would be more difficult to analyse the assembler
> code produced from decompilation than to analyse C source, but OTOH there is
Ted,
The problem you mention manifests itself this way. A number of shops
will standardize on the Linux that Oracle endorses. 99% of the systems
upon which that Linux runs do not host Oracle, but they don't want to
have to know two systems. And thus they end up paying so much for Linux
that th
On Wed, 2003-12-03 at 00:52, [EMAIL PROTECTED] wrote:
> > /* map the file and load an extra page in case the new line expands the
> > file across the page boundary; adding 2 allows for the truncating
> > effect of integer division. Forcing an extra page ensures
> > that we can ide
Andreas Metzler <[EMAIL PROTECTED]> writes:
> Joey Hess <[EMAIL PROTECTED]> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.
>
> >> How would you avoid it?
>
> > Make the replacement package really be a dif
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Mon 01-12-2003, at 14:34, Goswin von Brederlow wrote:
> [...]
> > Deb signatures method C:
> >
> > And now for something completely different. A man with 3 noses. :)
> >
> > Instead of keeping extra files with the signature of the deb the
> > infor
> /* map the file and load an extra page in case the new line expands the
> file across the page boundary; adding 2 allows for the truncating
> effect of integer division. Forcing an extra page ensures
> that we can identify the end of the buffer by finding a NUL */
No, it does n
I'd like to reiterate this to all involved:
Martin Schulze wrote:
> [...]
> Thanks
>
> . James Troup and Ryan Murray for their general work on all hosts
> . Adam Heath and Brian Wolfe for their work on master and murphy
> . Wichert Akkerman for his work on klecker
> . Dann Frazier and Mat
Here's a bug I believe there is in glibc. I've filed a bug report, but
I think that bugs.debian.org is sitting on it. If anyone can point out
what stupidity I have committed that means it isn't really a bug, I'd be
happy!
I should add to the report below that strchr() is used elsewhere in the
pr
On Tue, Dec 02, 2003 at 11:46:45PM +, Geoff Richards wrote:
>
> South of where?
USA. North Carolina. Not South Carolina. Remember that.
Redhat is in North Carolina. I always wonder if those
mascara-wearing Cure-listening long-haired Linux skater punks ever get
into trouble out in thos
Hi,
[please CC me, I'm not on the list]
> To install a package directly, with apt downloading any necessary
> dependencies:
> apt-get install rpmver-2.0-13498cl.i386.rpm
Gustavo (maintainer of apt-rpm) has a version ready that supports http
and ftp installs beside local files. This is nice and
On Wed, 3 Dec 2003 10:20, Andrew Pollock <[EMAIL PROTECTED]> wrote:
> What bugs the hell out of me is that people with nothing better to do with
> their time can sit on the lkml and watch what's getting fixed, and put more
> analysis into individual fixes than the kernel maintainers themselves can,
> On Tue, Dec 02, 2003 at 12:04:31PM +, bruce wrote:
> > I did a first pass at the UserLinux white paper, it's at
> > http://userlinux.org/white_paper.html. I think I'll sleep for a while.
This is an interesting white paper, but I think it's missing something
rather important in its discussion
And oh damn ... shoulda uploaded and linked to it.
Sincere apologies
Zen
--
Debian Enterprise: A Custom Debian Distribution: http://debian-enterprise.org/
* Homepage: http://homepages.ihug.com.au/~zenaan/
* PGP Key: http://homepages.ihug.com.au/~zenaan/zen.asc
* Please respect the confidentialit
On Tue, Dec 02, 2003 at 01:28:28PM -0800, Tom wrote:
> On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
> > Tom <[EMAIL PROTECTED]> writes:
> >
> > > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> > >> rather far from changing anything in the kernel memory. Andreas i
On Wed, 2003-12-03 at 09:21, Joerg Wendland wrote:
> Fabian Fagerholm, on 2003-12-02, 22:58, you wrote:
> > Debian is the super-project.
> > XYZ is a Debian Subproject,
> > which provides the flavors A, B and C.
> >
> > Opinions?
>
> I like that, though in my opinion flavors should
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
>
> Apparently nobody knew it was comparable to ptrace, it looked like a
> simple bugfix and not like a local root exploit.
>
What bugs the hell out of me is that people with nothing better to do with
their time can sit on the lkml
Scripsit Goswin von Brederlow
> Henning Makholm <[EMAIL PROTECTED]> writes:
> > I refer you to Ken Thompson's Turing award lecture. If someone who
> > really means business manages to compromise binary toolchain debs, all
> > the hackers in the world reading source over and over will not find
> >
On Wed, 2003-12-03 at 07:58, Fabian Fagerholm wrote:
> Debian Enterprise could, for example, have an
> install-time option to set up a file and print server, an authentication
> server, or a web server. Those would be _flavors_, in my view. Despite
> all that has been written and referenced on this
Steve Langasek <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
>> Joey Hess <[EMAIL PROTECTED]> wrote:
>> > Goswin von Brederlow wrote:
>> >> > dpkg that it is downgrading the package, and a clever attacker might
>> >> > avoid even that.
>> >> How woul
Henning Makholm <[EMAIL PROTECTED]> writes:
> Scripsit Goswin von Brederlow <[EMAIL PROTECTED]>
>
> > There is no security as strong as many people reading the source over
> > and over. You can't hack their brains to skip over the backdoor code
> > and you can only obfuscate a backdoor so much.
>
Hi,
Debian has a usability problem - it's hard to start lots of programs
installed from Debian packages, because simple users just can't find
them in the menu.
The standard Debian menu entry isn't a good solution for user-friendly
desktops, like Gnome and KDE, because the Debian menu isn't intuitive (for
exam
begin Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> On Sat, 22 Nov 2003, Joerg Sommer wrote:
>> I hope someone knows what policy-rc.d is and can comment my idea, because
>> the maintainer of file-rc will stay conform to sysv-rc, which uses
>> policy-rc.d.
>
> http://people.debian.org/~h
On Wed, 2003-12-03 at 07:58, Fabian Fagerholm wrote:
> Debian Enterprise could, for example, have an
> install-time option to set up a file and print server, an authentication
> server, or a web server. Those would be _flavors_, in my view. Despite
> all that has been written and referenced on this
Henning Makholm wrote:
Scripsit Tom <[EMAIL PROTECTED]>
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that dangerous.
If it wasn't a big deal we wouldn't be
I could not reach [EMAIL PROTECTED] which is mentioned
on the following page:
http://people.debian.org/~apenwarr/popcon/
Please read the attached mail.
Please note my statistics using gnuplot are not working
because I can not get the data because of the debian compromise,
it will work again, some
Fabian Fagerholm, on 2003-12-02, 22:58, you wrote:
> Debian is the super-project.
> XYZ is a Debian Subproject,
> which provides the flavors A, B and C.
>
> Opinions?
I like that, though in my opinion flavors should only exist as
specialized installers, specialized kernels and pack
On Mon, Dec 01, 2003 at 04:10:56PM -0800, Mike Fedyk wrote:
>...
> > * it isn't consistent in all respects; e.g. although the package
> > dependencies might have been fulfilled, it contained for some time a
> > strange mixture of GNOME 1 and GNOME 2
>
> I'm pretty sure that was because of hi
On Wed, 2003-12-03 at 07:08, Fabian Fagerholm wrote:
> Hi,
G'Day from down under!
> I'm trying to unload all my thoughts about the Enterprise Debian project.
> I don't have time to participate actively in the discussion on
> debian-devel, but I'm following it as much as I can since I'm very
> inter
* Steve Langasek ([EMAIL PROTECTED]) [031202 22:10]:
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities), and dpkg only gets a list of .debs to install once
> they've been downloaded.
So
On Tue, 02 Dec 2003 22:58:28 +0200, Fabian Fagerholm wrote:
> Hi,
>
> Recently, when thinking about the terminology surrounding Debian
> Subprojects, I thought about the term "flavor". I always liked that
> term, because I find it very descriptive.
>
[...]
> So I suggest the following terms:
>
On Wed, Dec 03, 2003 at 07:17:57AM +1100, Brian May wrote:
> On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
> > On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > > A release critical bug in one package could be caused by a non-release
> > > critical bug in another package
On Wed, 2003-12-03 at 08:07, Fabian Fagerholm wrote:
> > (Just looking briefly at the diagram, I'm thinking "The Core" would be
> > the organisation - eg. Enterprise-Debian.org, or UserLinux.com, or
> > whatever is ultimately decided on.)
>
> Ok. I have probably mixed both technical and organisati
I meant to mention that this is Debian bug #222154.
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
> Tom <[EMAIL PROTECTED]> writes:
>
> > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> >> rather far from changing anything in the kernel memory. Andreas is
> >> definitely right that the hole doesn't look like that it
Hi, Henrique de Moraes Holschuh wrote:
> On Tue, 02 Dec 2003, Wouter Verhelst wrote:
>> So unless you have a suggestion that would solve this particular issue,
>> I'm afraid this idea won't work in practice.
>
> We could verify if the gpg agent (gpa? I forget the name...) cannot do this
> over a
Hi,
Recently, when thinking about the terminology surrounding Debian
Subprojects, I thought about the term "flavor". I always liked that
term, because I find it very descriptive.
I wrote to Zenaan Harkness concerning Debian Enterprise
(http://debian-enterprise.org/), and I suggested that such a s
On Mon, Dec 01, 2003 at 01:12:52PM -0500, Andres Salomon wrote:
> For packages, we may want to focus on apt-secure
> (http://monk.debian.net/apt-secure/); I'm not sure the status of it, [...]
You could easily find out here:
http://bugs.debian.org/203741
--
- mdz
On Tue, Dec 02, 2003 at 09:33:39AM -0500, Sam Hartman wrote:
> [...] It takes me about an
> afternoon to do a PAM or OpenAFS release even if I change one line.
> OK, for a one line change I can probably get that down to two hours or
> so.
>
> It's a lot easier for me if I batch bugs together and
On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
> On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > A release critical bug in one package could be caused by a non-release
> > critical bug in another package.
>
> How?
> If the bug is caused by a problem in another package
* Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
> As much as I like this idea in principle, storing signatures inside
> .debs has a serious problem: it won't work for us buildd maintainers.
Workability for the buildd maintainers is IMHO _certainly_ one
important thing.
> As I explain in my
Scripsit Wouter Verhelst <[EMAIL PROTECTED]>
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
Um, perhaps this is really stup
On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
> Joey Hess <[EMAIL PROTECTED]> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.
> >> How would you avoid it?
> > Make the replacement package
Tom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
>> rather far from changing anything in the kernel memory. Andreas is
>> definitely right that the hole doesn't look like that it is that dangerous.
>
[snip]
>
> If it wasn't a big deal we wouldn't be talk
On Tue, Dec 02, 2003 at 12:27:00PM -0500, Noah L. Meyerhans wrote:
> release goal of December 1 didn't inspire any new activity. This gives
> the appearance that the ARM port maintainers simply don't care if sarge
> gets released at all. This is very discouraging.
If that is what happens, then I
Andreas Metzler wrote:
> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.
Which signature? The Packages file is being modified, so of course the
chain of trust back to the Release file signature can be used to catch
tampering with it
On Tue, 2003-12-02 at 17:31, Tom wrote:
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> > rather far from changing anything in the kernel memory. Andreas is
> > definitely right that the hole doesn't look like that it is that dangerous.
>
> It messed up your life for a couple weeks.
Wouter Verhelst wrote:
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
>
> An alternative would be to copy over the .debs, si
No Cc was necessary, I am subscribed to debian-devel.
On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote:
> Scott James Remnant <[EMAIL PROTECTED]> writes:
>
> > A compromised dinstall on ftp-master could also replace the keyring
> > package with a new one containing an extra key, used to s
On Mon, Dec 01, 2003 at 10:09:34PM +0100, Roland Stigge wrote:
> Finally, the "decision" isn't just "technical".
Ah, the inevitable cry of the advocate of the technically inferior
approach.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `'
Scripsit Tom <[EMAIL PROTECTED]>
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> > rather far from changing anything in the kernel memory. Andreas is
> > definitely right that the hole doesn't look like that it is that dangerous.
> If it wasn't a big deal we wouldn't be talking abo
On Tue, 02 Dec 2003, Wouter Verhelst wrote:
> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.
We could verify if the gpg agent (gpa? I forget the name...) cannot do this
over a secure channel. It should be able to, and if not,
On Tue, 2003-12-02 at 02:41, Goswin von Brederlow wrote:
> Source only uploads were afaik disabled because the uploaded source
> would just disappear and never enter the archive afaik. It was just
> easier to block them than to fix the archive scripts I guess.
Just trying it (for fun, see package "
On Tue 02-12-2003, at 14:46, Mark Howard wrote:
> On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > A release critical bug in one package could be caused by a non-release
> > critical bug in another package.
>
> How?
A program could use some library for most of its core operation, an
Goswin von Brederlow wrote:
> Joey Hess <[EMAIL PROTECTED]> writes:
> I submitted a one line patch to apt to fix this and behave like
> dpkg. I hope this gets added soon. Till then its either signed debs or
> pre-configuring of packages.
>>I filed bugs about this a long time ago, it is apparently
Joey Hess <[EMAIL PROTECTED]> wrote:
> Goswin von Brederlow wrote:
>> > dpkg that it is downgrading the package, and a clever attacker might
>> > avoid even that.
>> How would you avoid it?
> Make the replacement package really be a different package entirely, of
> a higher version than the packa
On Tue, Dec 02, 2003 at 05:09:37PM +1000, Anthony Towns wrote:
> > What happens if say there are simply not enough people interested in
> > GNOME for example, and the RC counts rise, and rise at an increasing
> > rate, and we never release again?
>
> That's not a very interesting hypothetical -- t