Package: wnpp
Severity: wishlist
Owner: Sruthi Chandran
X-Debbugs-CC: debian-devel@lists.debian.org
* Package name: node-trim-newlines
Version : 1.0.0
Upstream Author : Sindre Sorhus (sindresorhus.com)
* URL : https://github.com/sindresorhus/trim-newlines
* License
Package: wnpp
Severity: wishlist
Owner: Sruthi Chandran
X-Debbugs-CC: debian-devel@lists.debian.org
* Package name: node-strip-indent
Version : 2.0.0
Upstream Author : Sindre Sorhus (sindresorhus.com)
* URL : https://github.com/sindresorhus/strip-indent#readme
* Licen
Package: wnpp
Severity: wishlist
Owner: Sruthi Chandran
X-Debbugs-CC: debian-devel@lists.debian.org
* Package name: node-repeating
Version : 3.0.0
Upstream Author : Sindre Sorhus (sindresorhus.com)
* URL : https://github.com/sindresorhus/repeating#readme
* License
Paul Wise writes:
> Debian has Tor onion service frontends to various Debian services,
> including several Debian machines with archive mirrors, this is
> implemented in an automated way using Puppet and onionbalance. So we do
> not rely on Tor exit nodes, just relays and the onion service system
Hi,
I haven't been paying close attention to the "PIE by default" [1] discussions,
so I may have missed the memo, but: it seems the transition is underway?
I've seen two bugs already claiming "static library foo must be compiled with
-fPIC" -- because some reverse dependency now fails to buil
On Tue, Oct 25, 2016 at 7:33 AM, Russ Allbery wrote:
> Tor is easier for us as a project, since we don't really have to do
> anything (assuming we just rely on existing exit nodes).
Debian has Tor onion service frontends to various Debian services,
including several Debian machines with archive m
Adrian Bunk writes:
> The government operating or having access to the mirror you are using is
> a lot more realistic and easier than the MITM with a fake certificate
> you were talking about.
Both of those were also in the category of things that I think are
unlikely attacks unless the governme
On Mon, Oct 24, 2016 at 09:22:39AM -0700, Russ Allbery wrote:
> Adrian Bunk writes:
> > On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote:
>
> >>...
> >> The value of HTTPS lies in its protection against passive snooping. Given
> >> the sad state of the public CA infrastructure, you c
Package: wnpp
Severity: wishlist
Owner: "W. Martin Borgert"
* Package name: opcua-client-gui
Version : 0.4.5
Upstream Author : Olivier Roulet-Dubonnet
* URL : https://github.com/FreeOpcUa/opcua-client-gui
* License : GPL3
Programming Lang: Python
Descripti
Package: wnpp
Severity: wishlist
Owner: Thomas Goirand
* Package name: puppet-module-camptocamp-kmod
Version : 2.1.1
Upstream Author : Raphaël Pinson
* URL : https://github.com/camptocamp/puppet-kmod
* License : Apache-2.0
Programming Lang: Puppet
Descript
Hi
first a short announcement: Saturday (that is, 29th of October) we give it
another shot of moving the ftp-master host, so expect another bit of
downtime there.
More importantly: With the changes to the upload queues I announced just
yesterday, we turned off ftpd on the ftp-master host. Anyone who
On Mon, Oct 24, 2016 at 07:26:37PM +0200, Tollef Fog Heen wrote:
> ]] Paul Tagliamonte
> > On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> > > It is also evident that there are some challenges for deploying TLS on
> > > a mirror network and/or CDN. I don't think anyone is suggestin
Hi Kristian,
To one of your side questions,
On 24.10.2016 02:33, Kristian Erik Hermansen wrote:
>> 1) Checking chain (e.g. gpgv and its callers) have bugs. True, same as
>> checking layer for secure transports also have bugs.
>
> Agreed. Please let me know of a good test case to validate that y
Hi Sean,
24.10.2016 22:27, Sean Whitton wrote:
> Dear Lev,
>
> On Mon, Oct 24, 2016 at 09:55:50AM +0500, Lev Lamberov wrote:
>> (3) users will rather see their elpa-{bind-key,use-package}
>> counterparts
> I don't understand this reasoning.
I don't get what you don't understand.
1. use-package
On Mon, Oct 24, 2016 at 08:58:49AM +0200, Christian Seiler wrote:
> The requirement to have this for dynamically allocated IDs also
> probably stems from the fact that the users created in postinst scripts
> should not conflict. But wouldn't it be far easier to just create a
> page on the Debian Wi
Package: wnpp
Severity: wishlist
Owner: Michael Fladischer
* Package name: bootstrap-datetimepicker
Version : 4.17.43
Upstream Author : Jonathan Peterson
* URL : https://github.com/Eonasdan/bootstrap-datetimepicker
* Lic
Dear Lev,
On Mon, Oct 24, 2016 at 09:55:50AM +0500, Lev Lamberov wrote:
> (3) users will rather see their elpa-{bind-key,use-package}
> counterparts
I don't understand this reasoning.
The source package name is based on upstream's project name. The elpa
package name is based on the package.el p
]] Paul Tagliamonte
> On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> > It is also evident that there are some challenges for deploying TLS on
> > a mirror network and/or CDN. I don't think anyone is suggesting
> > tearing down our existing mirror network.
>
> https://deb.debian.
On Mon, Oct 24, 2016 at 06:52:41PM +0200, Ansgar Burchardt wrote:
> deb.debian.org has a debian-security area, so security updates should
> also be available via https:// now.
yes, they are, thanks!
--
cheers,
Holger
Adrian Bunk writes ("Re: When should we https our mirrors?"):
> My point is that for the problem Kristian is describing,
> using https is just snake oil.
Since you haven't stopped being rude just because I asked, I have
emailed listmaster.
Russ's recent posting is a useful contribution to the sub
On Mon, 2016-10-24 at 15:15 +, Ivan Shmakov wrote:
> > Ben Hutchings writes:
>
> […]
>
> > Those certificates look as expected. Since TLS encryption of SMTP
> > between servers is opportunistic, there's no particular reason to use
> > a widely trusted CA for server c
On Mon, 2016-10-24 at 16:30 +, Holger Levsen wrote:
> On Mon, Oct 24, 2016 at 11:51:00AM -0400, Paul Tagliamonte wrote:
> > https://deb.debian.org/ is now set up (thanks, folks!)
>
> whoohooo, & it works on stable too! apt install apt-transport-https
> was
> all it took. (and changing the entr
On Tue, Oct 18, 2016 at 07:52:13PM +0800, Paul Wise wrote:
>
> It was posted to bug #820036, which is tracking Debian support for
> secure boot. Peter was advocating quite correctly that as well as
> having our copy of shim (the first-stage bootloader on secure boot
> systems) signed by Microsoft,
On Mon, Oct 24, 2016 at 11:51:00AM -0400, Paul Tagliamonte wrote:
> https://deb.debian.org/ is now set up (thanks, folks!)
whoohooo, & it works on stable too! apt install apt-transport-https was
all it took. (and changing the entries in sources.list to that…)
Just security.d.o (or rather, it's su
Adrian Bunk writes:
> On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote:
>>...
>> The value of HTTPS lies in its protection against passive snooping. Given
>> the sad state of the public CA infrastructure, you cannot really protect
>> against active MITM with HTTPS without certificate
On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> Adrian Bunk writes ("Re: When should we https our mirrors?"):
>...
> Adrian:
> > No one is arguing that switching to https would be a bad thing,
> > but whether or not it will happen depends solely on whether or
> > not people like you w
On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> It is also evident that there are some challenges for deploying TLS on
> a mirror network and/or CDN. I don't think anyone is suggesting
> tearing down our existing mirror network.
https://deb.debian.org/ is now set up (thanks, folks!
> Ben Hutchings writes:
[…]
> Those certificates look as expected. Since TLS encryption of SMTP
> between servers is opportunistic, there's no particular reason to use
> a widely trusted CA for server certificates. A MITM can just as
> easily block STARTTLS as substitute their own key.
> Julien Cristau writes:
> On Mon, Oct 24, 2016 at 11:45:33 +, Ivan Shmakov wrote:
[…]
>> Speaking of which. Does the gnutls-cli transcript MIMEd signify of
>> an ongoing MitM attack, or is it just a misconfiguration?
> Neither.
> _25._tcp.bendel.debian.org. 3600 IN RRSIG TLSA
Adrian Bunk writes ("Re: When should we https our mirrors?"):
> On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> > so I also probably
> > shouldn't consider your TLS knowledge very highly...
>
> Your incorrect claims won't become better by personal attacks against me.
C
On Mon, 2016-10-24 at 13:00 +, Ivan Shmakov wrote:
> > Andrey Rahmatullin writes:
> > On Mon, Oct 24, 2016 at 11:45:33AM +, Ivan Shmakov wrote:
>
> >> $ gnutls-cli --starttls -p 25 bendel.debian.org
>
> […]
>
> >> Connecting to '82.195.75.100:443'...
>
> > I cannot reproduc
On Mon, Oct 24, 2016 at 11:45:33 +, Ivan Shmakov wrote:
> > Kristian Erik Hermansen writes:
> > On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote:
>
> […]
>
> >> For the kind of attacks you are describing, https is just snake oil.
>
> > Profusely disagree and so do other member
> Andrey Rahmatullin writes:
> On Mon, Oct 24, 2016 at 11:45:33AM +, Ivan Shmakov wrote:
>> $ gnutls-cli --starttls -p 25 bendel.debian.org
[…]
>> Connecting to '82.195.75.100:443'...
> I cannot reproduce gnutls-cli connecting to :443 when asked :25.
Indeed, my mistake
Package: wnpp
Severity: wishlist
Owner: Jonathan Carter
* Package name: gnome-shell-extension-hide-activities
Version : 0.00~git20131024.1.6574986-1
Upstream Author : Shay Elkin
* URL : https://github.com/shayel/gnome-hide-activities
* License : PD
Programmin
On Mon, Oct 24, 2016 at 11:45:33AM +, Ivan Shmakov wrote:
> $ gnutls-cli --starttls -p 25 bendel.debian.org
> Processed 173 CA certificate(s).
> Resolving 'bendel.debian.org'...
> Connecting to '2001:41b8:202:deb:216:36ff:fe40:4002:443'...
> Connecting to '82.195.75.100:443'...
I cannot repro
Package: wnpp
Severity: wishlist
Owner: Jonathan Carter
* Package name: gnome-shell-extension-refresh-wifi
Version : 6-1
Upstream Author : Gopi Sankar Karmegam
* URL : https://github.com/kgshank/gse-refresh-wifi
* License : GPL-3
Programming Lang: Javascript
On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote:
> but also I should point out that your email is being routed
> insecurely via welho.com and lacks TLS in transit, so I also probably
> shouldn't consider your TLS knowled
> Kristian Erik Hermansen writes:
> On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote:
[…]
>> For the kind of attacks you are describing, https is just snake oil.
> Profusely disagree and so do other members of this list. I'll leave
> it at that, but also I should point out that y
(Disclaimer: I am a maintainer of apt-transport-tor… but also of
-https and apt itself, so I am biased beyond hope in this matter)
On Sun, Oct 23, 2016 at 07:20:35PM -0700, Russ Allbery wrote:
> Paul Wise writes:
> > On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote:
> >> The point i
On Mon, Oct 24, 2016 at 2:33 AM, Adrian Bunk wrote:
> You are implicitly assuming that mirrors can be trusted,
> and even that is not true.
No, not actually. Just presuming that NSA doesn't operate ALL mirrors.
Of course they can operate single servers or a number of servers, but
that increases
On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote:
> It is a common misconception that https could help against these kinds
> of attacks.
>
> https is an improvement over http and it would be good if Debian could
> switch to https by default in stretch, but for the problem you are
> talking about
Quoting Tollef Fog Heen :
I'd prefer if user creation was just done declaratively and then we
could scan the archive. If we have a manually-maintained list, it will
get out of sync with reality pretty quickly.
+1 and +1
It would be nice to have some progress on this:
https://wiki.debian.org/Te
On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote:
>...
> The value of HTTPS lies in its protection against passive snooping. Given
> the sad state of the public CA infrastructure, you cannot really protect
> against active MITM with HTTPS without certificate pinning.
You are implicite
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-dhowett-go-plist
Version : 0.0~git20160708.0.fec78c8-1
Upstream Author : Dustin L. Howett
* URL : https://github.com/dhowett/go-plist
* License : BSD
Programming Lang: Go
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-voxelbrain-goptions
Version : 2.5.11-1
Upstream Author : voxelbrain
* URL : https://github.com/voxelbrain/goptions
* License : BSD-3-clause
Programming Lang: Go
Descripti
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-thecreeper-go-notify
Version : 0.0~git20160203.0.b5cd147-1
Upstream Author :
* URL : https://github.com/TheCreeper/go-notify
* License : BSD-2-clause
Programming Lang: Go
On Sun, Oct 23, 2016 at 06:04:50AM -0700, Kristian Erik Hermansen wrote:
>...
> The main issue is that a well-positioned attacker, such as the NSA or
> Chinese router admins, has the ability to collect and analyze in
> real-time what systems have what patches installed by
> monitoring th
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-hydrogen18-stalecucumber
Version : 0.0~git20161012.0.cd9ec28-1
Upstream Author : Eric Urban
* URL : https://github.com/hydrogen18/stalecucumber
* License : BSD-2-clause
Pro
Package: wnpp
Severity: wishlist
Owner: Sruthi Chandran
X-Debbugs-CC: debian-devel@lists.debian.org
* Package name: node-builtin-modules
Version : 1.1.1
Upstream Author : Sindre Sorhus (sindresorhus.com)
* URL : https://github.com/sindresorhus/builtin-modules#readme
*
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-twstrike-gotk3adapter
Version : 0.0~git20160819.0.3499960-1
Upstream Author : STRIKE Team
* URL : https://github.com/twstrike/gotk3adapter
* License : GPL-3.0
Programming L
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-gotk3-gotk3
Version : GOTK3_0_2_0+git20161020.501.2caa15f-1
Upstream Author : Conformal Systems LLC.
* URL : https://github.com/gotk3/gotk3
* License : ISC
Programming Lang
Package: wnpp
Severity: wishlist
Owner: Sascha Steinbiss
* Package name: golang-github-twstrike-otr3
Version : 0.0~git20161015.0.744856d-1
Upstream Author : STRIKE Team
* URL : https://github.com/twstrike/otr3
* License : GPL-3.0
Programming Lang: Go
Descri
❦ 24 October 2016 09:12 +0200, Tollef Fog Heen :
>> The requirement to have this for dynamically allocated IDs also
>> probably stems from the fact that the users created in postinst scripts
>> should not conflict. But wouldn't it be far easier to just create a
>> page on the Debian Wiki and tra
On Fri, Oct 21, 2016 at 07:26:43AM +0200, Vincent Bernat wrote:
> It would be as easy for the security team to modify the unminified version
> than the "upper" upstream version of the source.
The release team has just decided that "browserified" files
On 10/24/2016 09:12 AM, Tollef Fog Heen wrote:
> I'd prefer if user creation was just done declaratively and then we
> could scan the archive. If we have a manually-maintained list, it will
> get out of sync with reality pretty quickly.
Doing this declaratively would definitely be the ideal solut
]] Philipp Kern
> On 10/18/2016 06:47 PM, Marco d'Itri wrote:
> > On Oct 17, Ian Campbell wrote:
> >> Have we gotten to the point where we consider deb.d.o suitable for
> >> production use? The web page still says Experimental (so I would assume
> > I do not think that it is appropriate for gene
Hi Russ, Kristian,
On 24.10.2016 07:19, Kristian Erik Hermansen wrote:
> On Sun, Oct 23, 2016 at 7:28 PM, Russ Allbery wrote:
>> The idea is to *add* HTTPS protection on top of the protections we already
>> have. You're correct that it doesn't give you authentication of the
>> packages without a
]] Christian Seiler
> On 10/24/2016 12:42 AM, Colin Watson wrote:
> > On Sat, Oct 22, 2016 at 02:57:23PM -0700, Sean Whitton wrote:
> >> I am packaging Keysafe,[1] and the binary package keysafe-server needs
> >> to create a new system user with a dynamically allocated UID.
> >>
> >> I am using t
59 matches