On Wed, May 28, 2008 at 11:13 AM, Colin Watson <[EMAIL PROTECTED]> wrote:
> I think everyone involved did a wonderful job, especially given the
> appalling constraints they were under. There is a difference, though,
> between acknowledging the excellent work that was done and burying one's
> head i
On Tue, May 27, 2008 at 01:45:25AM +0200, Klaus Ethgen wrote:
> Am Di den 27. Mai 2008 um 1:09 schrieb Colin Watson:
> > On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
> > > The rollout of information and updates was appalling - even adding in
> > > the material from Ubuntu the informa
On Fri, May 16, 2008 at 05:26:09PM +0200, nicolas vigier wrote:
If I understand correctly, it means that if you use a good key with a
flawed openssl to connect to an other host using that key, then that
key can be considered compromised.
If I have a DSA key, and the client (my machine) has a ba
On Fri, May 16, 2008 at 11:26 AM, nicolas vigier <[EMAIL PROTECTED]> wrote:
> On Thu, 15 May 2008, Steinar H. Gunderson wrote:
>> No. Any key who had a single DSA signature created by the flawed version of
>> OpenSSL should be considered compromised. DSA requires a secret, random
>> number as part
On Thu, 15 May 2008, Steinar H. Gunderson wrote:
> On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote:
> >> Therefore, anyone who had a DSA key has had it compromised...
> > Shouldn't that be "anyone who had a DSA key *created by the flawed
> > version of openssl* has had it compromis
"Miriam Ruiz" <[EMAIL PROTECTED]> writes:
> Maybe there should also be a clasification of packages according to
> how bad would a bug be in them for the whole system, so that patches
> in those could be more carefully reviewed.
Perhaps uploads could come with the diff against the last version (or
2008/5/16 Thibaut Paumard <[EMAIL PROTECTED]>:
> the topic has already been changed to "ssl security desaster", and in my
> opinion this is precisely what my post is about: what can we learn from this
> disaster. (More precisely, I'm giving my 2c on what level of patching is
> acceptable in a Debi
Le 16 mai 08 à 15:04, Olivier Berger a écrit :
Le vendredi 16 mai 2008 à 14:48 +0200, Thibaut Paumard a écrit :
Let's hope this discussion will, in the end, bring good ideas and
trigger actual work to improve Debian, and perhaps the free software
community at large.
Best regards, Thibaut.
Le vendredi 16 mai 2008 à 14:48 +0200, Thibaut Paumard a écrit :
> Let's hope this discussion will, in the end, bring good ideas and
> trigger actual work to improve Debian, and perhaps the free software
> community at large.
>
> Best regards, Thibaut.
>
>
That'd be great.
But please, ma
Hi,
Le 16 mai 08 à 13:48, Martin Uecker a écrit :
"Kevin B. McCarty" <[EMAIL PROTECTED]> wrote:
If you see packages for which a Debian-specific patch seems
unnecessary,
please by all means file a bug (severity wishlist) requesting that
the
patch be either reverted or submitted upstream.
"Kevin B. McCarty" <[EMAIL PROTECTED]> wrote:
> If you see packages for which a Debian-specific patch seems unnecessary,
> please by all means file a bug (severity wishlist) requesting that the
> patch be either reverted or submitted upstream.
Most time the patch is already submitted upstream,
Peter Samuelson <[EMAIL PROTECTED]> writes:
>
> Who is this "we"? Whose serious efforts? Who is investigating? Most
> importantly, should we assume that, as in the past, you, Mike Bird,
> intend to do nothing but talk?
I think this is a common stylistic choice. I consider myself part of
the De
This one time, at band camp, Mike Bird said:
> Yet Debian makes it hard for people to help. Like most software
> engineers I simply don't have the time to waste on Debian's NM
> process. Debian's processes are indisputably Debian's decision
> alone, but Debian has to live with the consequences ..
Hi,
Le 15 mai 08 à 20:17, Mike Bird a écrit :
Nevertheless, non-DD's can and do help by filing bug reports and
patches (upstream is best), helping people on d-u, and offering
constructive advice to DDs.
And maintaining packages! It can be long to find a sponsor for your
first package (espec
[Mike Bird]
> Nevertheless, non-DD's can and do help by filing bug reports and
> patches (upstream is best), helping people on d-u, and offering
> constructive advice to DDs.
Very well. I propose that anyone who wishes to give "constructive
advice" to developers, but who doesn't actually do any
On Thu May 15 2008 10:34:01 Peter Samuelson wrote:
> Who is this "we"? Whose serious efforts? Who is investigating? Most
> importantly, should we assume that, as in the past, you, Mike Bird,
> intend to do nothing but talk?
Debian is still one of the world's best distros and I hope it
continues
[Mike Bird]
> but we should blame the process. And fix it.
> it would probably have been better to devote less effort to the
> scanner and more effort to documenting all the kinds of key
> replacements
> Serious efforts are needed
> Second, we must ensure
> This calls for a thorough investiga
Martin Uecker wrote:
> Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
>> If you're interested in for example changing the level to which software is
>> patched in Debian, I suggest to start with a representative review of what
>> gets patched and why it's done. That would g
On Thursday 15 May 2008 18:26, Martin Uecker wrote:
> Why not? A plane crash is a very rare incident. Still every single
> crash is investigated to make recommendations for their future
> avoidance.
Maybe that wasn't clear from my first mail, but I don't think that nothing can
be learned from thi
Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, still, if something can be
> > improved,
On Thu May 15 2008 08:33:54 Thijs Kinkhorst wrote:
> I welcome change and review of our processes, but taking one extreme
> incident as the base on which to draw conclusions seems not the wise thing
> to do. If you're interested in for example changing the level to which
> software is patched in De
On Thu May 15 2008 06:20:10 Thijs Kinkhorst wrote:
> You mean less likely than once in 15 years? We're open to your suggestions.
Leaving millions of systems open to crackers for 2 years out of 15
is not a joke. I don't blame the DD - we have all made mistakes
and most of us are lucky they weren't
On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > You mean less likely than once in 15 years? We're open to your
> > suggestions.
>
> Something as bad as this might be rare, still, if something can be
> improved, it should.
>
> Upstream complained about the extensive Debian patching. I think
Am Donnerstag, den 15.05.2008, 15:20 +0200 schrieb Thijs Kinkhorst:
> On Thursday 15 May 2008 14:04, Martin Uecker wrote:
> > If I understand this correctly, this means that not only should keys
> > generated with the broken ssl lib be considered compromised, but all
> > keys which were potentially
On Thursday 15 May 2008 14:04, Martin Uecker wrote:
> If I understand this correctly, this means that not only should keys
> generated with the broken ssl lib be considered compromised, but all
> keys which were potentially used to create DSA signatures by those
> broken libs.
>
> In this case, the
"Steinar H. Gunderson" <[EMAIL PROTECTED]>:
> On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
>
> > Also if you have 2 messages signed with the same random number you can
> > compute the secret key. It is more complicated then this but
> > simplified boils down to is computin
On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
> The DSA signing uses (secret key + random) in the signature and that
> sum is trivial to compute given the signed message and public key. The
> security of DSA relies solely on the fact that random can't be guessed
> so you can
Russ Allbery <[EMAIL PROTECTED]> writes:
> Steve Greenland <[EMAIL PROTECTED]> writes:
>> "brian m. carlson" <[EMAIL PROTECTED]> wrote:
>
>>> Therefore, anyone who had a DSA key has had it compromised...
>
>> Shouldn't that be "anyone who had a DSA key *created by the flawed
>> version of openssl
On Thu, May 15, 2008 at 02:00:25AM +0200, Steinar H. Gunderson wrote:
On Wed, May 14, 2008 at 11:12:26PM +, brian m. carlson wrote:
If one can solve the Discrete Logarithm Problem, then one can
factor, but the reverse is not true.
This is the first time I've ever heard anyone claim this; I
Steve Greenland <[EMAIL PROTECTED]> writes:
> "brian m. carlson" <[EMAIL PROTECTED]> wrote:
>> Therefore, anyone who had a DSA key has had it compromised...
> Shouldn't that be "anyone who had a DSA key *created by the flawed
> version of openssl* has had it compromised..."? Or are you asserting
On Wed, May 14, 2008 at 11:12:26PM +, brian m. carlson wrote:
> If one can solve the Discrete Logarithm Problem, then one can
> factor, but the reverse is not true.
This is the first time I've ever heard anyone claim this; I've seen people
and textbooks claim they're roughly equivalent, but no
On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote:
>> Therefore, anyone who had a DSA key has had it compromised...
> Shouldn't that be "anyone who had a DSA key *created by the flawed
> version of openssl* has had it compromised..."? Or are you asserting
> something stronger?
No. An
On 14-May-08, 18:12 (CDT), "brian m. carlson" <[EMAIL PROTECTED]> wrote:
> Therefore, anyone who had a DSA key has had it compromised...
Shouldn't that be "anyone who had a DSA key *created by the flawed
version of openssl* has had it compromised..."? Or are you asserting
something stronger?
Ste
On Wed, May 14, 2008 at 11:12:26PM +, brian m. carlson wrote:
Also, DSA absolutely requires a good random
number generator for every signature. If the nonce is not chosen
randomly, it will leak bits of the key. This is true for all discrete
logarithm algorithms. Therefore, anyone who had a
On Thu, May 15, 2008 at 08:09:12AM +1000, Ben Finney wrote:
Roland Mas <[EMAIL PROTECTED]> writes:
- Keys submitted through the web interface are now filtered, and only
RSA keys end up in your authorized_keys file. Don't even try
putting DSA keys in your authorized_keys2 file, the use of t
On Thu, May 15, 2008 at 08:09:12AM +1000, Ben Finney wrote:
> Could you explain the rationale for this? My impression was that DSA
> was recommended over RSA.
DSA was recommended over RSA in years gone by for reasons of
freedom, until late 2000 when MIT's 17-year US patent (4405829)
expired on the
36 matches
Mail list logo
