Re: Keysafe dynamic UID

2016-10-23 Thread Christian Seiler
On 10/24/2016 12:42 AM, Colin Watson wrote: > On Sat, Oct 22, 2016 at 02:57:23PM -0700, Sean Whitton wrote: >> I am packaging Keysafe,[1] and the binary package keysafe-server needs >> to create a new system user with a dynamically allocated UID. >> >> I am using the username 'keysafe'. I do not a

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Kristian Erik Hermansen
On Sun, Oct 23, 2016 at 7:28 PM, Russ Allbery wrote: > The idea is to *add* HTTPS protection on top of the protections we already > have. You're correct that it doesn't give you authentication of the > packages without a bunch of work, and we should assume that the general > public CA system is c

Re: client-side signature checking of Debian archives

2016-10-23 Thread Kristian Erik Hermansen
On Sun, Oct 23, 2016 at 6:46 PM, Paul Wise wrote: > Better privacy than https can be had using Tor: > > https://onion.debian.org/ If Debian is open to improving SecureAPT's out of the box configuration by utilizing Tor, then that is fine, but I highly doubt Debian operators will enjoy the slownes

Re: Bug#841851: ITP: bind-key -- simple way to manage personal keybindings

2016-10-23 Thread Lev Lamberov
Hi Adam and Simon, when it comes to binary packages, their names are elpa-bind-key and elpa-use-package. Source package names in this case may be misleading, I agree, but only for those who will see _only_ source package names. Rationale for these _source_ package names was that (1) these are upst

Re: Bug#841851: ITP: bind-key -- simple way to manage personal keybindings

2016-10-23 Thread Sean Whitton
Hello, On Sun, Oct 23, 2016 at 11:28:23PM +0100, Simon McVittie wrote: > I suggest talking to an Emacs-related packaging team (for example > Debian Emacs addons team > seems to maintain several packages) about whether there is an Emacs > addon naming convention you can follow. Team member here.

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Russ Allbery
"Eugene V. Lyubimkin" writes: > I'm not sure that benefits outweigh the costs. HTTPS requires that I > trust the third-parties -- mirror provider and CA. Gpgv doesn't require > third parties. It's critical here that we do not drop GPG. We continue using GPG for the integrity and authenticatio

Re: client-side signature checking of Debian archives

2016-10-23 Thread Russ Allbery
Paul Wise writes: > On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote: >> The point is to improve privacy. > Better privacy than https can be had using Tor: > https://onion.debian.org/ Yeah, but this is *way* harder than just using TLS. You get much of the benefit by using TLS, a

Re: client-side signature checking of Debian archives

2016-10-23 Thread Paul Wise
On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote: > The point is to improve privacy. Better privacy than https can be had using Tor: https://onion.debian.org/ -- bye, pabs https://wiki.debian.org/PaulWise

Re: client-side signature checking of Debian archives

2016-10-23 Thread Kristian Erik Hermansen
On Sun, Oct 23, 2016 at 4:43 PM, Russ Allbery wrote: > susceptible to traffic analysis. You can make some pretty good guesses > from the size of the object downloaded, particularly if you can watch over > time and see what happens when updated packages are released. > > Of course, it's much harde
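The size-based traffic analysis Russ describes above, worked through as an added example (not code from the thread or from APT): TLS hides the request path and the payload, but an observer still sees roughly how many bytes came back, and a mirror's Packages index publishes the exact Size of every .deb. The two index files below are constructed for the example, and the 2048-byte window for HTTP headers and TLS record framing is an assumption.

```shell
#!/bin/sh
# Added example: map an observed HTTPS transfer size back to the package
# that was most likely fetched, using only the public Packages index.
set -eu

# Constructed Packages-style index (real field names, made-up contents).
OLD_INDEX=$(mktemp); NEW_INDEX=$(mktemp)
cat > "$OLD_INDEX" <<'EOF'
Package: tor
Filename: pool/main/t/tor/tor_0.2.8.9-1_amd64.deb
Size: 1239604

Package: apt
Filename: pool/main/a/apt/apt_1.3.1_amd64.deb
Size: 1231982

Package: libfoo1
Filename: pool/main/libf/libfoo/libfoo1_1.0-1_amd64.deb
Size: 54112

Package: libbar1
Filename: pool/main/libb/libbar/libbar1_2.3-1_amd64.deb
Size: 54300
EOF
# The same index after a point release in which only tor changed.
sed 's/^Size: 1239604$/Size: 1251840/' "$OLD_INDEX" > "$NEW_INDEX"

# candidates INDEX OBSERVED [SLACK]: packages whose Size lies in
# [OBSERVED - SLACK, OBSERVED], i.e. the .deb plus up to SLACK bytes of
# HTTP headers and TLS record overhead (SLACK is an assumed 2048 by default).
candidates() {
    awk -F': ' -v obs="$2" -v slack="${3:-2048}" '
        $1 == "Package" { pkg = $2 }
        $1 == "Size" && $2 <= obs && $2 >= obs - slack { print pkg }
    ' "$1"
}

# updated OLD NEW: packages whose Size differs between two index snapshots.
# This is the "watch over time" part: right after a point release, clients
# mostly fetch what just changed.
updated() {
    awk -F': ' '
        $1 == "Package" { pkg = $2 }
        $1 == "Size" { if (FNR == NR) old[pkg] = $2
                       else if (old[pkg] != $2) print pkg }
    ' "$1" "$2"
}

# attribute OBSERVED: size candidates in the new index, narrowed to packages
# that changed in the last update. Empty output means "no confident guess".
attribute() {
    tmp=$(mktemp)
    updated "$OLD_INDEX" "$NEW_INDEX" > "$tmp"
    candidates "$NEW_INDEX" "$1" | grep -Fx -f "$tmp" || true
    rm -f "$tmp"
}

echo "observed 1240100 bytes -> $(candidates "$OLD_INDEX" 1240100)"
echo "observed 54600 bytes   -> $(candidates "$OLD_INDEX" 54600 | tr '\n' ' ')"
echo "1252300 bytes after the update -> $(attribute 1252300)"
```

Two things the run shows: a large package with no size neighbour (tor) is identified from one transfer, while the two small libraries are ambiguous from size alone but become attributable once the observer also knows what changed in the archive. This is why the thread treats HTTPS as a privacy improvement rather than a privacy guarantee; padding or Tor is what actually addresses size leakage.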

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Kristian Erik Hermansen
On Sun, Oct 23, 2016 at 10:03 AM, Eugene V. Lyubimkin wrote: > Thank you for the long list of examples what could go wrong. I'm happy I > don't have urgent fixes to apply. Well, I would say the privacy issues are rather concerning. Security is generally broken down into at least the following th

Re: client-side signature checking of Debian archives

2016-10-23 Thread Russ Allbery
Ivan Shmakov writes: > My understanding is that the suggestion being discussed is to > use TLS /alongside/ the usual Debian/APT signatures – not > instead of them; and the primary goal is to improve user’s > privacy. That is: only the mirror operator will remain > e

Re: client-side signature checking of Debian archives

2016-10-23 Thread Kristian Erik Hermansen
On Sun, Oct 23, 2016 at 10:45 AM, Ivan Shmakov wrote: > use TLS /alongside/ the usual Debian/APT signatures – not > instead of them; and the primary goal is to improve user’s > privacy. That is: only the mirror operator will remain > Exactly right. The point is to improve

Re: When should we https our mirrors?

2016-10-23 Thread Philipp Kern
On 10/18/2016 06:47 PM, Marco d'Itri wrote: > On Oct 17, Ian Campbell wrote: >> Have we gotten to the point where we consider deb.d.o suitable for >> production use? The web page still says Experimental (so I would assume > I do not think that it is appropriate for general use, since at least > o

Re: Keysafe dynamic UID

2016-10-23 Thread Colin Watson
On Sat, Oct 22, 2016 at 02:57:23PM -0700, Sean Whitton wrote: > I am packaging Keysafe,[1] and the binary package keysafe-server needs > to create a new system user with a dynamically allocated UID. > > I am using the username 'keysafe'. I do not anticipate any collision > with any other package,

Re: Bug#841851: ITP: bind-key -- simple way to manage personal keybindings

2016-10-23 Thread Simon McVittie
On Mon, 24 Oct 2016 at 01:28:27 +0500, Lev Lamberov wrote: > * Package name: bind-key This seems like a very generic package name, and gives no indication that it is to do with Emacs. I suggest talking to an Emacs-related packaging team (for example Debian Emacs addons team seems to maintain

Re: Bug#841851: ITP: bind-key -- simple way to manage personal keybindings

2016-10-23 Thread Adam Borowski
On Mon, Oct 24, 2016 at 01:28:27AM +0500, Lev Lamberov wrote: > * Package name: bind-key > * URL : https://github.com/jwiegley/use-package > * License : GPL-2+ > Programming Lang: Emacs Lisp > Description : simple way to manage personal keybindings > > If you have l

Bug#841852: ITP: use-package -- use-package declaration for simplifying your .emacs

2016-10-23 Thread Lev Lamberov
Package: wnpp Severity: wishlist Owner: Lev Lamberov * Package name: use-package Version : 2.2 Upstream Author : John Wiegley * URL : https://github.com/jwiegley/use-package * License : GPL-2+ Programming Lang: Emacs Lisp Description : use-package decl

Bug#841851: ITP: bind-key -- simple way to manage personal keybindings

2016-10-23 Thread Lev Lamberov
Package: wnpp Severity: wishlist Owner: Lev Lamberov * Package name: bind-key Version : 1.0 Upstream Author : John Wiegley * URL : https://github.com/jwiegley/use-package * License : GPL-2+ Programming Lang: Emacs Lisp Description : simple way to manag

Bug#841838: ITP: diminish-el -- hiding or abbreviation of the mode line displays of minor-modes

2016-10-23 Thread Lev Lamberov
Package: wnpp Severity: wishlist Owner: Lev Lamberov * Package name: diminish-el Version : 0.45 Upstream Author : Martin Yrjölä * URL : https://github.com/myrjola/diminish.el * License : GPL-2+ Programming Lang: Emacs Lisp Description : hiding or abbre

Re: client-side signature checking of Debian archives

2016-10-23 Thread Ivan Shmakov
> Eugene V Lyubimkin writes: […] > I'm not sure that benefits outweigh the costs. HTTPS requires that > I trust the third-parties – mirror provider and CA. Gpgv doesn't > require third parties. It does; you have to trust whatever source you’ve /initially/ got the public

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Eugene V. Lyubimkin
Hi, [ please don't CC me directly ] On 23.10.2016 17:20, Kristian Erik Hermansen wrote: > On Sun, Oct 23, 2016 at 7:23 AM, Eugene V. Lyubimkin > wrote: >> I'm a developer of a tool which downloads and validates Debian archives >> in a similar way APT does. >> >> As you use the word "theoretical

Re: Keysafe dynamic UID

2016-10-23 Thread Marc Haber
On Sun, 23 Oct 2016 16:06:30 +0200, Guillem Jover wrote: >I might be completely wrong, but the way I read the current situation >is: > > * The (previous) proponents of the Debian- prefixed names don't >mind much because they are fine delegating that decision to >someone else, they just w

Re: Keysafe dynamic UID

2016-10-23 Thread Marc Haber
On Sun, 23 Oct 2016 16:15:09 +0200, Michael Biebl wrote: >Am 23.10.2016 um 14:48 schrieb Guillem Jover: >> I think the solution here is pretty clear. The _-prefix is neutral, >> short and used by other systems. The Debian-prefix makes names way >> long (used(?) to cause problems on display), is a D

Re: Keysafe dynamic UID

2016-10-23 Thread Marc Haber
On Sun, 23 Oct 2016 14:48:44 +0200, Guillem Jover wrote: >Right now I'm actually considering going over the archive and sending >patches to convert Debian-user and debian-user to _user… Don't bother for my packages. I'm not risking doing disruptive changes and being forced to do them again when

Re: Keysafe dynamic UID

2016-10-23 Thread Ian Jackson
Guillem Jover writes ("Re: Keysafe dynamic UID"): > I might be completely wrong, but the way I read the current situation > is: > > * The (previous) proponents of the Debian- prefixed names don't > mind much because they are fine delegating that decision to > someone else, they just wan

RE:Keysafe dynamic UID

2016-10-23 Thread PICCA Frederic-Emmanuel
> Also renaming a user is actually trivial: > usermod -l _something Debian-something In my case (tango-db package), We need also to take care of the user database access privilege. granted by dbconfig-common. So when moving from tango -> _tango users, they should be available a sort of hook
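The rename-or-create decision behind the quoted usermod one-liner, as an added example that is not code from the thread or from any Debian package. It assumes adduser's --force-badname (needed in 2016 for a leading underscore, which the default NAME_REGEX rejects), usermod -l and groupmod -n from the passwd package, and the Debian UID split (below 1000 system, 1000 and above login users). PASSWD_FILE defaults to a constructed file so the collision check runs offline; point it at /etc/passwd for real use.

```shell
#!/bin/sh
# Added example: collision check plus an idempotent maintainer-script step
# for a "_"-prefixed system user. Only the privileged part (usermod/adduser)
# needs root; the planning functions are pure and can be exercised as-is.
set -eu

# Constructed passwd entries: a real-looking login user named "keysafe"
# (Kevin Eysafe, from the thread's joke) plus two existing system users.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:108::/var/spool/exim4:/bin/false
keysafe:x:1001:1001:Kevin Eysafe:/home/keysafe:/bin/bash
EOF
PASSWD_FILE="${PASSWD_FILE:-$SAMPLE_PASSWD}"

# user_state NAME: prints "missing", "system" (UID below 1000) or "login".
user_state() {
    awk -F: -v n="$1" '
        $1 == n { s = ($3 < 1000) ? "system" : "login"; print s; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$PASSWD_FILE"
}

# plan_action NEW [OLD]: what a postinst should do.
#   noop    NEW already exists as a system user (upgrade, nothing to do)
#   refuse  NEW is a login user; never silently reuse a human's account
#   rename  the package previously shipped OLD as a system user
#   create  fresh install, or OLD is absent / not a system user
plan_action() {
    new=$1; old=${2:-}
    case "$(user_state "$new")" in
        system) echo noop; return ;;
        login)  echo refuse; return ;;
    esac
    if [ -n "$old" ] && [ "$(user_state "$old")" = system ]; then
        echo rename
    else
        echo create
    fi
}

# ensure_system_user NEW [OLD]: execute the plan. Requires root for the
# rename/create branches; --force-badname is the assumed 2016-era flag that
# lets adduser accept a leading underscore.
ensure_system_user() {
    new=$1; old=${2:-}
    case "$(plan_action "$new" "$old")" in
        noop)   ;;
        refuse) echo "$new is an existing login user; refusing to reuse it" >&2; return 1 ;;
        rename) usermod -l "$new" "$old"
                groupmod -n "$new" "$old" 2>/dev/null || true ;;  # group may not share the name
        create) adduser --system --quiet --force-badname --group \
                    --home "/var/lib/${new#_}" --no-create-home "$new" ;;
    esac
}

echo "keysafe:              $(user_state keysafe) -> $(plan_action keysafe)"
echo "_keysafe:             $(user_state _keysafe) -> $(plan_action _keysafe)"
echo "_exim from Debian-exim: $(plan_action _exim Debian-exim)"
echo "_keysafe from keysafe:  $(plan_action _keysafe keysafe)"
```

Note the last case: if the old name happens to belong to a login user rather than to the package's own system user, the planner creates the new account instead of renaming, which is exactly the collision the "_" prefix is meant to avoid. As the tango-db reply points out, a rename also has to carry any per-user grants (database privileges, ACLs, unit files) along with it; this snippet only covers the passwd side.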

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Kristian Erik Hermansen
Hi :) On Sun, Oct 23, 2016 at 7:23 AM, Eugene V. Lyubimkin wrote: > I'm a developer of a tool which downloads and validates Debian archives > in a similar way APT does. > > As you use the word "theoretically", that suggests that practically > one can bypass the validation. Could you please list a

Bug#841825: ITP: golang-github-stacktic-dropbox -- Go client library for the Dropbox core and Datastore API

2016-10-23 Thread Dr. Tobias Quathamer
Package: wnpp Severity: wishlist Owner: Dr. Tobias Quathamer * Package name: golang-github-stacktic-dropbox Version : 0.0~git20160424.0.58f839b-1 Upstream Author : Arnaud Ysmal * URL : https://github.com/stacktic/dropbox * License : BSD-2-clause Programming

Re: Keysafe dynamic UID

2016-10-23 Thread Guillem Jover
Hi! On Sun, 2016-10-23 at 12:32:30 -0200, Henrique de Moraes Holschuh wrote: > On Sun, 23 Oct 2016, Guillem Jover wrote: > > Right now I'm actually considering going over the archive and sending > > patches to convert Debian-user and debian-user to _user… > Make it active only for new installs, a

Re: Keysafe dynamic UID

2016-10-23 Thread Guillem Jover
On Sun, 2016-10-23 at 16:06:30 +0200, Guillem Jover wrote: > I've just sent a patch for adduser to accept _-prefixed system names > (but not for normal users w/o --force-badname). Then if this gets > merged, there will be even more compelling reasons to use that. ;) Sorry, that would be

Re: Keysafe dynamic UID

2016-10-23 Thread Henrique de Moraes Holschuh
On Sun, 23 Oct 2016, Guillem Jover wrote: > Right now I'm actually considering going over the archive and sending > patches to convert Debian-user and debian-user to _user… Make it active only for new installs, and you will have bypassed the most troublesome issue. Just be *extremely* careful to

client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-23 Thread Eugene V. Lyubimkin
Hello Kristian, On 23.10.2016 15:04, Kristian Erik Hermansen wrote: > [...] > Although APT theoretically protects tampering of packages in transit > over HTTP based on the signing key, there are numerous ways to exploit > the plaintext HTTP protocol in transit and the way APT handles some > aspect

Re: Keysafe dynamic UID

2016-10-23 Thread Michael Biebl
Am 23.10.2016 um 14:48 schrieb Guillem Jover: > I think the solution here is pretty clear. The _-prefix is neutral, > short and used by other systems. The Debian-prefix makes names way > long (used(?) to cause problems on display), is a Debianism that > seems wrong on non-Debian systems, and is only

Re: Keysafe dynamic UID

2016-10-23 Thread Guillem Jover
Hi! On Sun, 2016-10-23 at 15:07:27 +0200, Vincent Bernat wrote: > ❦ 23 octobre 2016 14:38 +0200, Guillem Jover : > >> It is better to use either _keysafe or Debian-keysafe to avoid collision > >> with existing users (like Kevin Eysafe). > > > > Please avoid the atrocious «Debian-user» Debianism.

Re: Keysafe dynamic UID

2016-10-23 Thread Vincent Bernat
❦ 23 octobre 2016 14:38 +0200, Guillem Jover : >> It is better to use either _keysafe or Debian-keysafe to avoid collision >> with existing users (like Kevin Eysafe). > > Please avoid the atrocious «Debian-user» Debianism. The «_user» is > shorter, and used on some of the BSDs already. I agree

Re: When should we https our mirrors?

2016-10-23 Thread Kristian Erik Hermansen
Greetings list :) > So, the real question: > > So, when are we going to push this? If not now, what criteria need to be > met? Why can't we https-ify the default CDN mirror today? > > (Sadly this means my trick to MITM the debian mirrors with my LAN mirror > breaks, but this strikes me as a featur

Re: Keysafe dynamic UID

2016-10-23 Thread Marco d'Itri
On Oct 23, Guillem Jover wrote: > I think the solution here is pretty clear. The _-prefix is neutral, > short and used by other systems. The Debian-prefix makes names way > long (used(?) to cause problems on display), is a Debianism that > seems wrong on non-Debian systems, and is only used by der

Re: Keysafe dynamic UID

2016-10-23 Thread Guillem Jover
Hi! On Sun, 2016-10-23 at 12:54:56 +0200, Marc Haber wrote: > On Sun, 23 Oct 2016 00:26:40 +0200, Jakub Wilk wrote: > > Maybe we could fix #429671? > > I know it's been only 9 years old, but still... > We either need a policy change or a TC decision for that. The policy > editor didn't want to do

Bug#841776: ITP: vagrant-digitalocean -- Vagrant provider plugin for DigitalOcean Droplets

2016-10-23 Thread Iain R. Learmonth
Package: wnpp Severity: wishlist Owner: "Iain R. Learmonth" * Package name: vagrant-digitalocean Version : 0.9.1 Upstream Author : devopsgroup.io * URL : https://github.com/devopsgroup-io/vagrant-digitalocean * License : MPL-2.0 Programming Lang: Ruby Descr

Re: Keysafe dynamic UID

2016-10-23 Thread Guillem Jover
Hi! On Sun, 2016-10-23 at 00:14:43 +0200, Vincent Bernat wrote: > ❦ 22 octobre 2016 14:57 -0700, Sean Whitton : > > I am packaging Keysafe,[1] and the binary package keysafe-server needs > > to create a new system user with a dynamically allocated UID. > > > > I am using the username 'keysafe'.

Bug#841775: ITP: golang-github-ncw-go-acd -- Go library for accessing Amazon Cloud Drive

2016-10-23 Thread Dr. Tobias Quathamer
Package: wnpp Severity: wishlist Owner: Dr. Tobias Quathamer * Package name: golang-github-ncw-go-acd Version : 0.0~git20160921.0.56da839-1 Upstream Author : Nick Craig-Wood * URL : https://github.com/ncw/go-acd * License : MIT Programming Lang: Go Descrip

Bug#841773: ITP: biboumi -- XMPP gateway to IRC

2016-10-23 Thread Vasudev Kamath
Package: wnpp Severity: wishlist Owner: Vasudev Kamath * Package name: biboumi Version : 3.0 Upstream Author : Florent Le Coz (louiz’) * URL : https://lab.louiz.org/louiz/biboumi * License : zlib Programming Lang: C++ Description : XMPP gateway to IRC

Re: Keysafe dynamic UID

2016-10-23 Thread Marc Haber
On Sun, 23 Oct 2016 00:26:40 +0200, Jakub Wilk wrote: >* Vincent Bernat , 2016-10-23, 00:14: >>>I am using the username 'keysafe'. I do not anticipate any collision with >>>any other package, but policy says I should e-mail you to confirm that. >>It is better to use either _keysafe or Debian-key