Hi,
On Sat, Nov 09, 2019 at 07:20:44PM +0200, Wouter Verhelst wrote:
> Hi Timo,
>
> On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> > Hello Wouter Verhelst,
> >
> > 03.11.19 18:35 Wouter Verhelst:
> > > The software from the package downloads the metadata index and validates
Hi Timo,
On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> Hello Wouter Verhelst,
>
> 03.11.19 18:35 Wouter Verhelst:
> > The software from the package downloads the metadata index and validates
> > the GPG signature; and if everything checks out, adds configuration to
> > /etc/
On Mon, Nov 4, 2019 at 4:44 PM Ansgar wrote:
> I would recommend against doing this as long as sources.list is a
> configuration file: it would need regular updates to change to the new
> signing key. That doesn't work out of the box.
No updates are needed if you use what Timo suggested:
> I j
Paul Wise writes:
> On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover wrote:
>
>> The official archive-keyring packages that use these, I think it's mostly
>> for backwards compatibility reasons.
>
> I wonder if it is feasible to and how the debian-archive-keyring could
> migrate from /etc/apt/trusted.
On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover wrote:
> The official archive-keyring packages that use these, I think it's mostly
> for backwards compatibility reasons.
I wonder if it is feasible to and how the debian-archive-keyring could
migrate from /etc/apt/trusted.gpg.d/ to /usr/share/keyring
On Sun, 2019-11-03 at 11:04:01 -0800, Russ Allbery wrote:
> Timo Weingärtner writes:
> > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> > is in there its owner can impersonate the official debian repos for
> > default setups.¹ Please use some other path (such as
> > /var
Timo Weingärtner writes:
> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> is in there its owner can impersonate the official debian repos for
> default setups.¹ Please use some other path (such as
> /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> "Sig
Hello Wouter Verhelst,
03.11.19 18:35 Wouter Verhelst:
> The software from the package downloads the metadata index and validates
> the GPG signature; and if everything checks out, adds configuration to
> /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> repository.
Please don't
So, in 2015 I wrote:
> Hi,
>
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
>
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
> keys and gener
On Friday 12 June 2015, 17:56:04 Wouter Verhelst wrote:
> On Fri, Jun 12, 2015 at 10:08:35AM +0200, Alexandre Detiste wrote:
> > On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote:
> > > On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote:
> > > > I see eid-mw is built on fo
Hi!
On Mon, 2015-08-17 at 09:53:17 +0200, Wouter Verhelst wrote:
> A repository with a whitelist cannot install packages with names outside
> that whitelist. It should also not be able to have packages with
> Provides: or Replaces: headers outside that whitelist (so you can't ship
> a package that
On Mon, Aug 17, 2015 at 11:15:08AM +0200, David Kalnischkies wrote:
> On Sun, Aug 16, 2015 at 12:06:53PM +, Anthony Towns wrote:
> The user interface improvement might be worth it anyhow, but selling
> this as huge security improvement is just wrong, which is all I am
> against.
I think it's a
(heavy-pruning same-mail subthreads)
On Sun, Aug 16, 2015 at 12:06:53PM +, Anthony Towns wrote:
> Here's how you currently setup an external repo as securely as possible:
>
> 1. You hear about a cool repo from somewhere, and are told to go to
> https://example.org/debian/README.html for
Hi,
On Wed, Aug 12, 2015 at 08:37:49PM +0200, David Kalnischkies wrote:
> (now that I was ping'ed in real life… let's finish this draft and make the
> discussion even longer as my previous mail was obviously not long enough
> ;) – or ignore the rambling entirely and skip to the last paragraph )
The
On Sat, Aug 15, 2015 at 12:47:42PM +0200, David Kalnischkies wrote:
> > I think my working assumption is "anyone" can register, and it's done
> > automatically. If you want to ensure the URL is owned by the register,
> > you could use a dummy DNS record ("please add
> > extrepo-de684554ae0c3440.
On Thu, Aug 13, 2015 at 05:46:24PM +, Anthony Towns wrote:
> On Thu, Aug 13, 2015 at 11:23:19AM +0200, David Kalnischkies wrote:
> > On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote:
> > > To use an external repo, you need a deb822 sources.list file and a pubkey.
> > >
> > > To ge
On Thu, Aug 13, 2015 at 07:53:52PM +0200, Jakub Wilk wrote:
> * Anthony Towns , 2015-08-12, 23:12:
> > debian-keyring is a 51MB deb, that's pretty big.
>
> FWIW, it could be shrunk to ~10MB if the keys were minimized
> (--export-options export-minimal).
We recently switched to export-clean to reta
* Anthony Towns , 2015-08-12, 23:12:
debian-keyring is a 51MB deb, that's pretty big.
FWIW, it could be shrunk to ~10MB if the keys were minimized
(--export-options export-minimal).
--
Jakub Wilk
On Thu, Aug 13, 2015 at 11:23:19AM +0200, David Kalnischkies wrote:
> On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote:
> > I'm not sure if the idea is PPAs can only be added to by DDs/DMs. [...]
> There is a session about Debian PPAs at 2015-08-21 17:00..18:00
> @ DebConf, so all the
On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote:
> I'm not sure if the idea is PPAs can only be added to by DDs/DMs. If
> not, can anonymous folks setup a PPA for pirated software, or try to
> compromise the PPA build system or similar? If PPAs are for DDs and DMs
> only, I'm presumin
❦ 12 August 2015 23:12 GMT, Anthony Towns :
> - PPAs: Debian hosted, but more loosely controlled. experimental gone
> wild? maybe third party uploads? probably only free things?
It could also be backports that don't fit the backport policy.
--
I have never let my schooling interfere with my
(Piling onto this after a dc15 dinner convo referencing it)
On Tue, Jul 28, 2015 at 12:41:45AM +0200, Wouter Verhelst wrote:
> On Sat, Jul 25, 2015 at 07:27:21PM +0200, David Kalnischkies wrote:
> > On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote:
(apologies if the identity of who
(now that I was ping'ed in real life… let's finish this draft and make the
discussion even longer as my previous mail was obviously not long enough
;) – or ignore the rambling entirely and skip to the last paragraph )
On Tue, Jul 28, 2015 at 12:41:45AM +0200, Wouter Verhelst wrote:
> On Sat, Jul 25,
Quoting Игорь Пашев (2015-07-28 21:11:57)
> 2015-06-05 19:10 GMT+03:00 Josh Triplett :
>> Given that the packages in question appear to be Free Software (at least
>> from a quick check of a couple of them, as well as the repository being
>> named "main"), is there a reason you don't maintain them i
2015-06-05 19:10 GMT+03:00 Josh Triplett :
> Given that the packages in question appear to be Free Software (at least
> from a quick check of a couple of them, as well as the repository being
> named "main"), is there a reason you don't maintain them in Debian
> (including backports or volatile if
On Sat, Jul 25, 2015 at 07:27:21PM +0200, David Kalnischkies wrote:
> On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote:
> > - Apt will try to download it from a default location in the repository
> > (or perhaps a location specified in the deb822 sources.list file
> > itself).
>
On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote:
> - Apt will try to download it from a default location in the repository
> (or perhaps a location specified in the deb822 sources.list file
> itself).
What the heck is "it" in this sentence? I envision "deb822 sources.list"
file
Hi!
On Sat, 2015-07-25 at 11:10:25 +0800, Paul Wise wrote:
> I would suggest reviewing Ubuntu's solution for adding PPA sources.list
> snippets and seeing if we can take any inspiration from it or make our
> solution more compatible with it.
>
> https://help.ubuntu.com/community/Repositories/Ubun
On Thu, 2015-07-23 at 10:14 +0200, Wouter Verhelst wrote:
> Thoughts?
Looks good to me.
This will be more useful once the Debian PPA idea is implemented.
Where does the name of the file in /etc/apt/sources.list.d/ come from?
I would suggest reviewing Ubuntu's solution for adding PPA sources.li
Wouter Verhelst writes ("Re: Facilitating external repositories"):
> On Thu, Jul 23, 2015 at 01:03:15PM +0100, Ian Jackson wrote:
> > The /name/ of the external repository should also be covered by the
> > signature.
>
> What would you describe as the "name
On Thu, Jul 23, 2015 at 01:03:15PM +0100, Ian Jackson wrote:
> Wouter Verhelst writes ("Re: Facilitating external repositories"):
> > - It may be GPG-signed by one or more keys. Apt should have a way of
> > configuring GPG keys that may be allowed to sign sources.list fi
Wouter Verhelst writes ("Re: Facilitating external repositories"):
> - It may be GPG-signed by one or more keys. Apt should have a way of
> configuring GPG keys that may be allowed to sign sources.list files,
> preloaded with the set of keys in the Debian keyring. This wi
So,
I've been giving this some more thought, and have tried to write a spec, but
then found that...
On Sat, Jun 13, 2015 at 05:03:15PM +0800, Paul Wise wrote:
> https://lists.debian.org/deity/2014/01/msg00055.html
...this (and the discussion following it) actually seems fairly close to
what my
]] Paul Wise
> On Sat, Jun 13, 2015 at 4:31 PM, Tollef Fog Heen wrote:
>
> > I could see us extending the apt preferences format to be something
> > like:
>
> Why the preferences file instead of the sources.list file, which can
> already be in deb822 format?
Primarily because I wasn't aware of
On Sat, Jun 13, 2015 at 4:31 PM, Tollef Fog Heen wrote:
> I could see us extending the apt preferences format to be something
> like:
Why the preferences file instead of the sources.list file, which can
already be in deb822 format?
https://lists.debian.org/deity/2014/01/msg00055.html
Some more
]] Wouter Verhelst
> On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> > ]] Wouter Verhelst
> >
> > > Having said that, I do agree with you that we should not allow just
> > > about anyone to create a repository which will be automatically trusted
> > > by the whole Debian syst
On Sat, Jun 13, 2015 at 10:48:35AM +0800, Paul Wise wrote:
> On Fri, Jun 12, 2015 at 11:47 PM, Wouter Verhelst wrote:
>
> > For the latter, it is usually possible to supply a link to a ".repo"
> > file; for all of those distributions, tools exist to automagically
> > configure the system so that t
On Fri, Jun 12, 2015 at 11:47 PM, Wouter Verhelst wrote:
> For the latter, it is usually possible to supply a link to a ".repo"
> file; for all of those distributions, tools exist to automagically
> configure the system so that the repository is enabled and the gpg key
> is added as a trusted key
Hi Bálint,
On Fri, Jun 12, 2015 at 11:19:30AM +0200, Bálint Réczey wrote:
> Hi Wouter,
>
> 2015-06-12 0:59 GMT+02:00 Wouter Verhelst :
> >
> > - I don't want to have to deal with doing a maven build in a Debian
> > package. If you see what the packages' debian/rules do, you'll see that
> > we
On Fri, Jun 12, 2015 at 10:08:35AM +0200, Alexandre Detiste wrote:
> On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote:
> > On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote:
> > > I see eid-mw is built on for i386 and amd64, while I assume it would
> > > build and work perfec
Hi Wouter,
2015-06-12 0:59 GMT+02:00 Wouter Verhelst :
> On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote:
>> Hi Wouter,
>>
>> 2015-06-07 23:31 GMT+02:00 Wouter Verhelst :
>> > On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote:
>> >> I think this situation still allows mai
On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote:
> On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote:
> > I see eid-mw is built on for i386 and amd64, while I assume it would
> > build and work perfectly on arm* laptops and computers as well:
> > https://files.eid.belgium.be
On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote:
> Hi Wouter,
>
> 2015-06-07 23:31 GMT+02:00 Wouter Verhelst :
> > On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote:
> >> I think this situation still allows maintaining the packages in
> >> Debian, when (if ever) your cont
Hi Wouter,
2015-06-07 23:31 GMT+02:00 Wouter Verhelst :
> On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote:
>> I think this situation still allows maintaining the packages in
>> Debian, when (if ever) your contract ends and you don't want to
>> maintain the packages in your free time
On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> ]] Wouter Verhelst
>
> > Having said that, I do agree with you that we should not allow just
> > about anyone to create a repository which will be automatically trusted
> > by the whole Debian system. Establishing such a trust cha
On 4 June 2015 at 17:18, Wouter Verhelst wrote:
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
These two steps can be accomplished with a single APT URL, e.g.:
install pkg
which will refresh and install request package(s). Ubuntu's software
centre is the defaul
]] Wouter Verhelst
> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer,
On Sun, Jun 07, 2015 at 11:55:23PM +0200, Wouter Verhelst wrote:
> On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> > On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > > If that's not an option
On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > If that's not an option for some reason, then given that the packages
> > > are Free Software an
On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote:
> I think this situation still allows maintaining the packages in
> Debian, when (if ever) your contract ends and you don't want to
> maintain the packages in your free time you can orphan the packages.
> The next maintainer could adopt
On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > If that's not an option for some reason, then given that the packages
> > are Free Software and of reasonably broad interest, you could at least
> > upload a package
Hi Wouter,
2015-06-07 11:08 GMT+02:00 Wouter Verhelst :
> On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
>> Wouter Verhelst wrote:
>> > At $DAYJOB, I'm maintaining a few repositories with ready-to-install
>> > packages for a number of distributions[1]
>> >
>> > Currently, the instr
On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> - There is no trust path from your already-installed distribution to the
> "archive" package (yes, I did sign the gpg keys; no, I don't consider
> that enough).
There are 2 popular methods for this:
- Have an "app store". We w
On Sat, Jun 06, 2015 at 01:48:12PM +0800, Paul Wise wrote:
> On Sat, Jun 6, 2015 at 8:13 AM, Brian May wrote:
>
> > the software is far too volatile (e.g. important bug fixes on a weekly basis)
>
> We have a place for such software: experimental
>
> > I don't want old versions hanging around any
Hi Chris,
On Sat, Jun 06, 2015 at 11:49:21PM -0400, Chris Knadle wrote:
> Hey, Wouter.
>
> On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> > Hi,
> >
> > At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> > packages for a number of distributions[1]
> >
> > Currently, the ins
On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> Wouter Verhelst wrote:
> > At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> > packages for a number of distributions[1]
> >
> > Currently, the instructions[2] say to do the following:
> > - Download and install
On Sun, Jun 7, 2015 at 11:49 AM, Chris Knadle wrote:
> I recall the prior DPL wanting to support PPAs in Debian, and I would
> imagine that this issue is one of the "sticking points" to that idea.
The Debian PPA proposal will be different to Launchpad PPAs and will
be signed by the same keys as t
Hey, Wouter.
On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> Hi,
>
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
>
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, wh
On Sat, Jun 06, 2015 at 09:47:01AM +0200, Alexandre Detiste wrote:
> Well, this had been in Debian for some years until 2010
> under an other name: 'beid'
> https://packages.qa.debian.org/b/beid.html
> but I don't know why it was removed.
The reason is in the RM bug (#672784):
RM: beid -- RoQA; RC
On Saturday 6 June 2015, 00:13:59 Brian May wrote:
> On Sat, 6 Jun 2015 at 02:11 Josh Triplett wrote:
>
> > Given that the packages in question appear to be Free Software (at least
> > from a quick check of a couple of them, as well as the repository being
> > named "main"), is there a reason yo
❦ 6 June 2015 13:48 +0800, Paul Wise :
>> the software is far too volatile (e.g. important bug fixes on a weekly basis)
>
> We have a place for such software: experimental
Won't work for users needing the software on a stable release.
--
Use recursive procedures for recursively-defined data st
On Sat, Jun 6, 2015 at 8:13 AM, Brian May wrote:
> the software is far too volatile (e.g. important bug fixes on a weekly basis)
We have a place for such software: experimental
> I don't want old versions hanging around any longer than absolutely required
We have a place for such software: exper
On Sat, 6 Jun 2015 at 02:11 Josh Triplett wrote:
> Given that the packages in question appear to be Free Software (at least
> from a quick check of a couple of them, as well as the repository being
> named "main"), is there a reason you don't maintain them in Debian
> (including backports or vola
Hi,
On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> Hi,
>
...
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
> keys and generates a sources.list.d file for the repository;
> - Run "apt-get up
Wouter Verhelst wrote:
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
>
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
> keys and generates a s