m governments or organized
crime^W^Wcorporate interests snooping it, but the distinction is
significant. PGP and TLS are not even remotely similar models
privacy-wise.
--
Jeremy Stanley
signature.asc
Description: PGP signature
system has the
capacity to install new firmware behind your back regardless of
whether or not you're personally okay with it doing so.
--
Jeremy Stanley
ngage with counsel
to get answers. Turn-around time is typically somewhere between a
week and a month depending on their availability, and whether the
specific questions necessitate a referral to other colleagues with
slightly different specializations.
--
Jeremy Stanley
the vi vs emacs
skirmishes of yore.
--
Jeremy Stanley
gh nonfree-firmware match official vendor checksums
would be roughly the same as if you fetched them from the hardware
vendor to install manually yourself.
--
Jeremy Stanley
On 2025-03-07 10:08:23 +0000 (+0000), Jonathan Dowland wrote:
On Thu Mar 6, 2025 at 7:08 AM GMT, Henrik Ahlgren wrote:
> It is essential to have a method for distinguishing between hard
> and soft newlines if you want to reflow text properly.
Agreed! And, as Jeremy Stanley points
y "unwrapped" or "rewrapped" after concatenating
subsequent lines.
Absence of a space at the line end doesn't say not to wrap that
line, but merely not to combine it with the line that follows. The
line itself can still be wrapped as needed if it exceeds the
cl
s the contemporary age of packages in the prior LTS is
well over two years by then.
--
Jeremy Stanley
On 2025-03-05 08:52:22 +0900 (+0900), Charles Plessy wrote:
[...]
I am surprised nobody has mentioned support (or lack of support) of
text/markdown at this point...
[...]
Surely you mean troff/groff?
.Pp
.Bd It's \fIthe best\fP!
;)
--
Jeremy Stanley
'll go ahead and annotate the recommendation to suggest it's
probably outdated, thanks for pointing that out!
--
Jeremy Stanley
tmux session on a remote cloud VM), so this was
extremely helpful for me as well.
I'm composing and sending this with your suggestions applied, seems
to be working well so far. Thanks again!
--
Jeremy Stanley
On 2025-02-26 15:30:48 -0500 (-0500), Marvin Renich wrote:
> * Jeremy Stanley [250226 13:39]:
> > The only real hassle is
> > if I want to copy a very long URL out of a message, I either need to
> > piecemeal reassemble it from the lines that URL is spread across or
> >
ndent levels deep, but I do sometimes manually re-flow any
quoted material I haven't trimmed from others' messages if I see
they're near to or exceeding my 80-character terminal margin.
--
Jeremy Stanley
t being fixed or fixes for it not getting
backported, we remind them that we don't consider it a vulnerability
and they're free to take it up with whoever requested or issued it.
--
Jeremy Stanley
source tarballs where that
data is extracted from their Git repositories so it can be included
correctly, but package maintainers need to be careful to run the
same source tarball build process for the basis of the Debian source
package in those cases and not just pretend that the _files_ tracke
and often face different
challenges that need their own solutions or aren't willing to
compromise by adopting partial solutions popular elsewhere just to
conform.
--
Jeremy Stanley
r list I recognize as being in
the same situation, but no idea how many more there might be.
--
Jeremy Stanley
I
know GitLab does not do it, so this is not particularly relevant to
Debian while Salsa is running GitLab.
--
Jeremy Stanley
at it's
implemented in Python instead of PHP, which made modifying it or
writing custom plugins for MoinMoin myself a little easier and less
dicey.
--
Jeremy Stanley
l
Out of curiosity, what does the Tinker Blend have to do with Debian
Wiki management? It's described as "a Debian Pure Blend which aims
to provide fully configured installations for various forms of
tinkering/hacking on electronics and other hardware devices."
--
Jeremy Stanley
package of a project where I eventually
moved the upstream codebase into revision control but have been too
lazy/distracted to do the same for the debian directory (which I
realistically only update once every year or two). I'm committed to
importing that into Salsa eventually, it's just
s older than I am, I'd found other
hobbies and/or gone into a different field of work.
--
Jeremy Stanley
't depicted directly on my keyboard's keycaps,
after all.
--
Jeremy Stanley
t probably not. As you noted,
priorities matter and it's entirely possible to be involved in
Debian without that (depending on what exactly you want to do of
course). There's quite a lot that doesn't require upload permissions
in the archive, and also quite a lot of amazing people
On 2024-11-09 14:19:53 +0100 (+0100), PICCA Frederic-Emmanuel wrote:
> is it via ChatGPT or an llm self hosted ?
[...]
It's DebGPT: https://salsa.debian.org/deeplearning-team/debgpt
--
Jeremy Stanley
acement, but
ideally wait until all versions for old Debian releases had
completely aged out of the pool (these days I guess that would
include waiting for LTS versions to no longer include it as well?).
--
Jeremy Stanley
ecking generated files into version control if they can be
recreated from existing contents of version control (not merely the
versioned files but also the accompanying metadata).
--
Jeremy Stanley
sometimes like trying to steer a train.
--
Jeremy Stanley
On 2024-08-26 21:28:38 -0700 (-0700), Otto Kekäläinen wrote:
> On Tue, 2 Apr 2024 at 17:19, Jeremy Stanley wrote:
> > On 2024-04-02 16:44:54 -0700 (-0700), Russ Allbery wrote:
> > [...]
> > > I think a shallow clone of depth 1 is sufficient, although that's not
> >
urselves back then) to track the entirety of
/etc in RCS. Yes having an auditable change history for your
configuration is useful, but Git didn't invent that. Git has merely
supplanted all prior version control systems, for this use case as
well as others.
--
Jeremy Stanley
urity content[***]. Hope that helps.
[*] https://bugs.debian.org/1069654
[**] https://bugs.debian.org/1009804
[***] https://bugs.debian.org/1074468
--
Jeremy Stanley
, nothing like the scale
of GitHub, so I wouldn't recommend building large-scale workflows
around our loose-knit community patterns.
--
Jeremy Stanley
On 2024-08-01 22:10:58 +0100 (+0100), Luca Boccassi wrote:
> On Thu, 1 Aug 2024 at 18:23, Jeremy Stanley wrote:
> >
> > On 2024-08-01 12:23:43 +0100 (+0100), Luca Boccassi wrote:
> > [...]
> > > To pick a random example, a less well known, less used, less
> > >
e time by projects trying to inflate public impressions
of their size: you're aware that GitHub counts someone as a
"contributor" even if all they do is leave a comment on a bug report,
right? By that gauge, Debian is probably orders of magnitude larger.
--
Jeremy Stanley
eam maintainers understand that
downstream distributions want to include source code and can't
necessarily include full copies of our Git repositories, so we
create and cryptographically sign source code tarballs with all that
extracted/assembled metadata in the form of "generated" files, and
present those as our primary source distributions.
--
Jeremy Stanley
onal information into our source archives.
--
Jeremy Stanley
messages on the current branch
since the most recent tag if its SemVer-based version-guessing kicks
in (typically if the current commit isn't tagged and the version
string hasn't been overridden with an envvar).
--
Jeremy Stanley
but it's merely your opinion that sdists are *not*
"upstream-created source tarballs" (an opinion *not* shared by
everyone).
--
Jeremy Stanley
a proprietary service who discovered a saboteur in their ranks.
--
Jeremy Stanley
claimed secure workflows seems entirely intractable. Sure you could
ask every DD to fill out a questionnaire, but if you don't trust
them to all follow documented practices then why would you trust
them to accurately answer survey questions either?
--
Jeremy Stanley
For a volunteer-driven community effort, we have to rely on
everyone to exercise their best judgement in these sorts of matters.
--
Jeremy Stanley
sing
popularity of the externally-developed cryptography library as a
good reason to strip any remnants of cryptographic modules and
bindings from the stdlib.
--
Jeremy Stanley
quire uninstalling the pipewire audio stack at least.
--
Jeremy Stanley
.d.o/doc (and maybe also wiki.d.o) could be
cool.
--
Jeremy Stanley
they have made things more complicated and more
inconvenient, which often ends up pressuring users into finding
less-secure workarounds, defeating the purpose of the additional
measures they enacted.
--
Jeremy Stanley
the "trusted publisher" authentication mechanism (which
only supports GitHub Actions for now), there will likely be more
options in the future that also avoid use of global API tokens.
--
Jeremy Stanley
On 2023-11-16 00:20:40 +0100 (+0100), Salvo Tomaselli wrote:
> In data mercoledì 15 novembre 2023 15:58:15 CET, Jeremy Stanley ha scritto:
> > why do you need to put an OpenPGP key on the service
> > you're using to upload Python packages (not Debian packages) to
> > PyP
assert that their more recent addition of HTTPS and strong checksums
mostly serves the purpose of users being able to double-check that
what they downloaded is what PyPI meant to serve them (even if they
can't as easily double-check that what they downloaded is what the
author believes was originally uploaded).
--
Jeremy Stanley
right files too, or is it really simply a hard-coded list of
matching patterns?
Regardless, this is great work, thanks for kicking off the
reevaluation!
--
Jeremy Stanley
On 2023-09-08 13:31:43 +0000 (+0000), Jeremy Stanley wrote:
> On 2023-09-08 12:09:09 +0530 (+0530), Hideki Yamane wrote:
> [...]
> > SPDX is led by the Linux foundation project, OpenChain for license
> > compliance.
> [...]
>
> Unless I'm misreading, OpenChain
it seems like all too often it's in pursuit of signing on more
and more donors at the expense of distracting active free/libre open
source software communities from what they would normally focus on
achieving.
--
Jeremy Stanley
tually doing the work), is another matter of course. Like a
library choosing not to repurchase a particular damaged book due to
lack of popularity, rather than being pressed to remove it from the
shelves because someone disagrees with what's printed inside even
though they're never going
mment in GNU HURD sources, should we censor it out?
For that matter, if Debian was going to get into book burning over
racist, homophobic and misogynistic writing, all those packaged
versions of religious texts would presumably be the first things
tossed onto the pyre.
--
Jeremy Stanley
omment telling people where to
find our contributor workflow documentation.
--
Jeremy Stanley
On 2023-08-16 11:45:43 +0800 (+0800), Paul Wise wrote:
> On Sun, 2023-08-13 at 21:18 +0000, Jeremy Stanley wrote:
>
> > Similarly, I got one for __pycache__/*.cpython-311.pyc file
> > overwrites... is that something dh_python should clean?
>
> Probably just send upstrea
s with a *.egg-info/ line in d/clean should both
> work. (Personally, I'd use extend-diff-ignore if the egg-info is
> also shipped in the source tarball and d/clean if not)
Similarly, I got one for __pycache__/*.cpython-311.pyc file
overwrites... is that something dh_python should clean
ripheral for
some reason. I get that I'm probably an exception, but there are
definitely users who simply find automounting behavior annoying,
beyond any potential security concerns.
--
Jeremy Stanley
way. There's also basic substitutions
support in the reStructuredText specification, which might be useful
to reduce the amount of actual content you need to swap at build
time:
https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html#substitution-definitions
--
Jeremy Stanley
static compilation,
but rather vendor in additional dynamically-linked libs which are
unlikely to be present on the target installations.
--
Jeremy Stanley
. So at first
> I'd like to gather more input on this and would appreciate suggestions
> where to head for next. In the quest for final truth.
I'll be perfectly satisfied with bookworm-is-released. ;)
--
Jeremy Stanley
key material used to decrypt and encrypt.
Not that I'm a fan of the proposed use case, but see the manpage for
cryptsetup-luksAddKey(8): "Adds a keyslot protected by a new
passphrase." So while there is only one passphrase for a key, a
device can be accessed by an arbitrary number
s you reasonably want to invest in defending against. I'm
certainly not saying there's *never* a reason to encrypt /boot, but
people who feel they need to do so aren't involved in improving
tools and automation sufficiently to make it convenient to set up
either.
--
Jeremy Stanley
your machine from prying eyes if it gets
stolen, but unless you're putting sensitive data in /boot why go to
the added trouble of encrypting it?
--
Jeremy Stanley
endbr64
--
Jeremy Stanley
to a target - even if it means fiddling
> increasingly with flags.
This is getting increasingly off-topic, but you're able to get a
modern SSH client to successfully connect to an old device which
only speaks SSHv1 protocol?
--
Jeremy Stanley
a Telnet client, it makes sense to
include at least a reference implementation of a Telnet server in
order to be able to validate its functionality.
--
Jeremy Stanley
e (Debian 11) point
releases or bookworm (testing) daily snapshots, the old "openstack"
images have been superseded by the "cloud" images now, so you can
find them here instead:
https://cdimage.debian.org/cdimage/cloud/bullseye/latest/
https://cdimage.debian.org/cdimage/c
ion=article;sid=20210722072359
--
Jeremy Stanley
On 2022-04-19 22:51:59 +0200 (+0200), Bastian Blank wrote:
> On Tue, Apr 19, 2022 at 12:17:06PM +0000, Jeremy Stanley wrote:
> > It's probably what you meant, but just to be clear, as a user I'd
> > also want to know which of the firmware packages used/installed were
>
irtues
of open firmware.
4. Consider (as you mentioned) working on my own reimplementation.
--
Jeremy Stanley
ype and maybe package
parameters as well as your search regex.
--
Jeremy Stanley
ouple of years without having to step
through several intermediate versions of everything in order to do
so. A big part of the problem is testing though: if we want to
continuously test upgrade viability, then the number of possible
combinations of start and end versions for those upgrade tests
presen
nd need to be able to
"skip" between arbitrary numbers of intermediate releases, so not
trivial either.
--
Jeremy Stanley
's not actually true. Either
way, the object really shouldn't be copied into the binary package
though, and should be rebuilt at package build time instead in order
to confirm all of the compiled form can be built exclusively with
tools available in main.
--
Jeremy Stanley
es could
also be distributed separately in non-free from different source
packages (so long as their licenses permit their distribution at
all, which is another fun problem these bits sometimes raise).
--
Jeremy Stanley
a few people involved in upstream Kernel development, so hopefully
that's not a stretch for them.
--
Jeremy Stanley
vides a modern password reset solution which
won't leak plaintext passwords to people sniffing SMTP
communications, so we do intend to add HTTPS when upgrading to that,
which ought to be fairly soon.
--
Jeremy Stanley
istribution might be in their best interests... but they've only
just begun to investigate what building a Debian derivative might
mean for them (for example, they've been relying on OpenSuse's OBS
to build all their distro packages up till now, and that may not be
a great fit for tryi
On 2021-09-19 01:24:17 +0000 (+0000), Paul Wise wrote:
[...]
> Jeremy Stanley pointed out that this is for the StarlingX project,
> please consider merging StarlingX changes back to Debian and our
> upstream projects and contributing new packages back into Debian
> itself.
[...]
On 2021-09-19 01:24:32 +0000 (+0000), Paul Wise wrote:
> On Sat, Sep 18, 2021 at 2:35 PM Jeremy Stanley wrote:
[...]
> > http://lists.starlingx.io/pipermail/starlingx-discuss/2021-September/012058.html
>
> Hmm, this site has a confusing way of not supporting https.
[...]
Thanks f
entirely from scratch. Ideally, many of the
build dependencies could be satisfied initially from unadulterated
packages already available in Debian, and then replaced with custom
patched versions once any problem dependency cycles have been
broken.
--
Jeremy Stanley
nificant amount of new security or
privacy for Debian users, that would be disingenuous. Just say the
default is switching to HTTPS because that's what users, by and
large, expect today.
--
Jeremy Stanley
posed by plain HTTP when used for unrelated
purposes, and no longer needing to repeatedly explain to users that
Debian has gone to great lengths to implement package distribution
security which doesn't really depend at all on transport layer
encryption.
--
Jeremy Stanley
nt-side bugs will almost certainly never be
fixed.
--
Jeremy Stanley
rce package build time does seem marginally
obsessive (though I suppose that's fine so long as you actually
remember to do it).
--
Jeremy Stanley
some extra time to work on
exploiting that vulnerability. The practicality of this particular
attack isn't all that high, as there are often going to be other
avenues of compromise which involve less effort on the part of the
attacker anyway. Still, people are correct to call it out as some
form
onsidered unhygienic. Transparent "web accelerators"
used to be popular in such environments, but the modern trend to
switch most communications to HTTPS has rendered them essentially
useless for years.
--
Jeremy Stanley
block you from downloading security updates until the
old indices they're injecting expire, but they can also more noisily
prevent you from downloading security updates for far longer,
regardless of whether you use HTTPS as a transport.
--
Jeremy Stanley
d directly by a particular package, I think D-I and
various bootstrapping tools independently write it at installation,
so the "fixes" for this are likely to be in a variety of places.
--
Jeremy Stanley
date applications or protocols, but the time
developers will spend having to explain why they're using MD5 or
SHA-1 hashes can be orders of magnitude greater still.
--
Jeremy Stanley
On 2021-08-20 11:36:41 +0200 (+0200), Bjørn Mork wrote:
> Jeremy Stanley writes:
>
> > While this does complicate it, a snooping party can still know the
> > site they're connecting to via SNI happening unencrypted,
>
> I believe this can be fixed with TLS 1.3?
>
f your MitM knows the right people, and CDNs are now in
the business of snooping on everyone's traffic for sites where they
handle SSL/TLS termination. HTTPS as deployed on the open Internet
is a sip of security with several gulps of theater.
--
Jeremy Stanley
On 2021-07-02 01:24:09 +0000 (+0000), Paul Wise wrote:
> On Thu, Jul 1, 2021 at 1:27 PM Jeremy Stanley wrote:
>
> > There's nothing especially wrong about using signed-by, but
> > it's not the security fix some people seem to believe. In short,
> > *any* pac
On 2021-07-01 20:19:55 +0000 (+0000), Jeremy Stanley wrote:
[...]
> > Lets not throw the baby out with the bathwater, shall we?
> [...snip bits about the abject horrors of apt-key...]
>
> This was in response to the linked wiki article you helped edit,
> purporting to represen
the moon,
> never to return to the main branch again, […] because that challenge
> is one that we are willing to accept, one we are unwilling to postpone,
> and one we intend to win".
[...]
Thanks, I'm looking forward to that!
--
Jeremy Stanley
On 2021-07-01 14:26:48 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 2:19 PM, Jeremy Stanley wrote:
> > Also, as others have stated, deb822 might be a cleaner way to
> > express this.
>
> I'm a little confused - I thought deb822 was just a generic format
>
. On top of that, you can embed Signed-By fields with
your key fingerprint in your repository's Release files, in order to
highlight if someone gets an updated index which is signed by a
different key than you previously indicated it should be. I think
anything as recent as Stretch should su
On 2021-07-01 09:35:16 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 9:27 AM, Jeremy Stanley wrote:
> > It's not clear (to me at least) that placing keys into
> > /etc/apt/trusted.gpg.d is deprecated
>
> According to
> https://wiki.debian.org/DebianRepository/UseThi
ome other package repository which they've
surreptitiously signed with their key, nor try to sneak into your
system with conflicting package names, they can simply stick
backdoors in the maintscripts of the packages you already want to
install from them.
--
Jeremy Stanley
digest, fitting the names of all the
relevant software into the subject would be unlikely a lot of the
time. As such, list subscribers are far less likely to spot one for
software they might care about.
--
Jeremy Stanley
1 - 100 of 233 matches