On July 15, 2019 8:50:48 PM UTC, Russ Allbery wrote:
>Ansgar Burchardt writes:
>
>> SHA-1 isn't going to get stronger in the future. The TLS world has
>> already moved on, OpenPGP is still in the slow process to move on,
>> Release/Packages stopped using it[1], there is no reason to continue
On Mon, 2019-07-15 at 20:54 +0200, Ansgar Burchardt wrote:
> Russ Allbery writes:
> > If so, I think that security model is roughly equivalent to the automatic
> > signing of binary packages by buildds, so probably doesn't introduce a new
> > vulnerability,
>
> It doesn't rely on strong cryptograp
On Mon, 2019-07-15 at 00:00 +0200, Martin Steigerwald wrote:
> Hello.
>
> Theodore Ts'o - 14.07.19, 22:07:
> > So requiring support of non-systemd ecosystems is in general, going to
> > require extra testing. In the case of cron/systemd.timers, this
> > means testing and/or careful code inspectio
Package: wnpp
Severity: wishlist
Owner: Nobuhiro Iwamatsu
* Package name: golang-github-briandowns-spinner
Version : 1.6.1
Upstream Author : Brian Downs
* URL : https://github.com/briandowns/spinner
* License : Apache-2.0
Programming Lang: Go
Description
Package: wnpp
Severity: wishlist
Owner: Nobuhiro Iwamatsu
* Package name: golang-github-caarlos0-env
Version : 6.0.0
Upstream Author : Carlos Alexandro Becker
* URL : https://github.com/caarlos0/env
* License : Expat
Programming Lang: Go
Description : G
Russ Allbery writes:
> Ansgar Burchardt writes:
>> The client tool could possibly also just create the .dsc and .changes,
>> except for hashes of the compressed files, and the web service just
>> recreate the tarball and compress them.
>
> I think experience with pristine-tar indicates that recrea
Ansgar Burchardt writes:
> SHA-1 isn't going to get stronger in the future. The TLS world has
> already moved on, OpenPGP is still in the slow process to move on,
> Release/Packages stopped using it[1], there is no reason to continue
> using it.
Well, the reason to continue using it is that Git
Russ Allbery writes:
> Ansgar Burchardt writes:
>> Russ Allbery writes:
>>> If so, I think that security model is roughly equivalent to the
>>> automatic signing of binary packages by buildds, so probably doesn't
>>> introduce a new vulnerability,
>
>> It doesn't rely on strong cryptographic hashes
Package: wnpp
Severity: wishlist
Owner: Ondřej Nový
* Package name: python-sphinx-issues
Version : 1.2.0
Upstream Author : Steven Loria
* URL : https://github.com/sloria/sphinx-issues/
* License : Expat
Programming Lang: Python
Description : extension f
Hi,
not sure against which package to file a bug so I'm posting here.
Since today on apt update I get:
E: Release file for
http://ftp.de.debian.org/debian-debug/dists/bullseye-debug/InRelease is
expired (invalid since 4h 32min 12s). Updates for this repository will
not be applied.
E: Release fi
Ansgar Burchardt writes:
> Russ Allbery writes:
>> If so, I think that security model is roughly equivalent to the
>> automatic signing of binary packages by buildds, so probably doesn't
>> introduce a new vulnerability,
> It doesn't rely on strong cryptographic hashes to guarantee integrity.
>
Russ Allbery writes:
> If so, I think that security model is roughly equivalent to the automatic
> signing of binary packages by buildds, so probably doesn't introduce a new
> vulnerability,
It doesn't rely on strong cryptographic hashes to guarantee integrity.
To quote Wikipedia:
+---
| Revision
On Mon, Jul 15, 2019 at 06:01:39PM +, Stefan Pietsch wrote:
> This affects more Debian packages:
> https://qa.debian.org/developer.php?email=gui%40iroqwa.org
>
> Do you know if the maintainer is still active?
it's not a particular problem of this particular maintainer, but rather
of almost 10
On 15.07.19 18:22, Geert Stappers wrote:
> Yes, that is what https://tracker.debian.org/pkg/hping3 also says.
>
> At https://anonscm.debian.org/ is a link
> to https://alioth-archive.debian.org/
>
> However under https://alioth-archive.debian.org/git/ is
> indeed no hping3
>
>
> So `apt-get so
Hello,
On Mon 15 Jul 2019 at 10:22AM -07, Russ Allbery wrote:
> Just to make sure I fully understand the model, is the idea that this
> system will verify the signature on the Git tag, construct a source
> package from the signed archive, and then sign the resulting source
> package with some int
Sean Whitton writes:
> The current plan is for this machine to be firewalled such that it talks
> only to salsa. For exactly the sort of reasons you describe, you won't
> be able to use this with arbitrary git hosts.
> The only untrusted input is the git tags before their signature has been
> v
Hello Michael,
On Mon 15 Jul 2019 at 01:16PM +02, Michael Kesper wrote:
> Nonetheless it seems to me you are moving from trusting local signing
> to trusting upload by salsa, thereby making salsa more attractive for
> attackers.
I don't follow -- the git tag is PGP-signed, locally, by the upload
Peter Pentchev writes:
> On Sun, Jul 14, 2019 at 12:30:16PM -0700, Russ Allbery wrote:
>> There seems to be a clear infrastructure gap for the non-systemd world
>> here that's crying out for some inetd-style program that implements the
>> equivalent of systemd socket activation and socket passing
On Mon, Jul 15, 2019 at 03:28:48PM +, Stefan Pietsch wrote:
> Dear Debian developers,
>
> the git repository for hping3 does not exist.
>
> apt source points to git://anonscm.debian.org/collab-maint/hping3.git
>
>
> $ git clone git://anonscm.debian.org/collab-maint/hping3.git
> Cloning into
Dear Debian developers,
the git repository for hping3 does not exist.
apt source points to git://anonscm.debian.org/collab-maint/hping3.git
$ git clone git://anonscm.debian.org/collab-maint/hping3.git
Cloning into 'hping3'...
fatal: unable to connect to anonscm.debian.org:
anonscm.debian.org[0:
On 2019-07-09 20:53, Julian Andres Klode wrote:
we currently have code dealing with falling back from InRelease
to Release{,.gpg} and it's all a bit much IMO. Now that buster
has been released with an InRelease file, the time has IMO come for
us to drop support for the old stuff from APT!
Timeli
* patrick.dre...@gmx.net [190714 14:24]:
> Proposition: Multiarchitecture Support in Next Debian 64-bit (64-bit and
> 32-bit), Mozilla Firefox Release, in LXDE Startup Menu a Search field
> 32-bit i386 for Adobe Reader ftp.adobe.com
All of your recent posts to this list (debian-devel@lists.debian.
Processing commands for cont...@bugs.debian.org:
> reassign 931290 linux-image-4.9.0-9-amd64
Bug #931290 [general] general: Asrock A300 Deskmini AMD Athlon 200GE ends in
black screen Monitor has no Signal
Bug reassigned from package 'general' to 'linux-image-4.9.0-9-amd64'.
Ignoring request to al
Hi,
On Mon, Jul 15, 2019 at 01:49:04PM +0200, Guillem Jover wrote:
> > In the same way, we could implement "service monitoring" in sysvinit by
> > adding an "inittab.d" directory, but I'm fairly sure that I'm not the first
> > person who had this idea in the last thirty years, so there is probabl
On Mon, Jul 15, 2019 at 6:48 PM Simon Richter wrote:
> The main limitation seems to be that it's not permitted to modify
> inetd.conf from maintainer scripts. We could probably "fix" this by adding
> an "inetd.conf.d" mechanism.
There is update-inetd, but it doesn't support xinetd and doesn't
app
On Mon, 2019-07-15 at 12:30:09 +0200, Simon Richter wrote:
> On Sun, Jul 14, 2019 at 07:23:31PM +0100, Simon McVittie wrote:
> > Some systemd system services are meant to start on-demand via socket
> > events (systemd.socket(5)), and can work via inetd on non-systemd-booted
> > systems. micro-httpd
On Sun, Jul 14, 2019 at 12:30:16PM -0700, Russ Allbery wrote:
> Vincent Bernat writes:
>
> > inetd uses stdin/stdout to communicate with the daemon and have to
> > launch one instance for each client connecting. systemd.socket pass a
> > regular listening socket on first connection to the daemon
Hi Sean, hi all,
On 12.07.19 09:00, Sean Whitton wrote:
> On Fri 12 Jul 2019 at 04:30am +00, Scott Kitterman wrote:
>
>> Has there been any analysis of the security implications of this
>> proposed service?
>
> Nothing formal, though of course we were thinking about it while we were
> working on
Hi,
On Sun, Jul 14, 2019 at 07:23:31PM +0100, Simon McVittie wrote:
> Some systemd system services are meant to start on-demand via socket
> events (systemd.socket(5)), and can work via inetd on non-systemd-booted
> systems. micro-httpd appears to be an example of this - I'm a bit surprised
> the
Hi,
I updated https://trends.debian.net .
Main changes:
* Refreshed data (up to July 2019)
* Added data about DEP5 copyright format adoption
* Added data about autopkgtest adoption
* Various minor changes
Now is probably a good time to go through smells in your packages and
update them to newer