On Mon, 2003-12-01 at 15:45, Anthony Towns wrote:
> Having critical, grave or serious bugs open for an extended period is simply
> not acceptable.
>
> Nor is it excusable. While it's possible that you mightn't have the skill
> required to fix some security bug, or mightn't have the time to respond
Anthony Towns wrote:
[...]
> Fallback plans are important though, and in this case if we're not able
> to get in a position where maintainers are able to keep control of their
> RC bug count (which is to say, keep it at zero), we'll have to consider
> more drastic measures. An obvious one is to tra
My mail client thinks that Zenaan Harkness wrote the following:
> Can "requesting removal from archive" be automated, to occur say after 3
> weeks of inactivity of rc/grave/serious bug?
>
> As a DD, I assume there is some pride and/or utility in having your
> package in the archive. This would
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
Hrm.
] $ grep Harkness /var/lib/apt/lists/*_*; echo $?
] 1
> Can "requesting removal from archive" be automated, to occur say after 3
> weeks of inactivity of rc/grave/serious bug?
It could, but it shouldn't be -- requests for rem
On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
>
[snip]
>
> Joey Hess <[EMAIL PROTECTED]> writes:
>
[snip]
> >
> > To install a package directly, with apt downloading any necessary
> > dependencies:
> > apt-get install rpmver-2.0-13498cl.i386.rpm
>
> couldn't this just refe
Got it -- a bit more than just parsing out... but surprisingly little
(other than someone's time, which is always worth a great deal...)
Andrew Pollock <[EMAIL PROTECTED]> writes:
> On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
>>
>
> [snip]
>
>>
>> Joey Hess <[EMAIL PROTECTED]
It seems to me that libvorbis package is missing from the repository of sarge.
Trying to install kdelibs4-dev depends on libvorbis0-dev in a tree that could
not be satisfied.
--
Don't go around saying the world owes you a living. The world owes you
nothing. It was here first.
Hi!
Oops, yesterday I forgot ACM_SCP.
Today's issue is about ADO.
ACM_SCP.3 Development tools CM coverage (appears at EAL5)
ACM_SCP.3.1D The developer shall provide a list of
configuration items for the TOE.
(dpkg -l)
ACM_SCP.3.1C The list of configuration items shall include the
f
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
> Is there a single place where all official Custom Debian Distributions
> (CDDs - even a reasonable TLA), aka internal projects, are listed?
Unfortunately not yet under www.debian.org, but if the redirection
loop to people.debian.org is solved again you
On Monday 01 December 2003 16:07, Hereon wrote:
> On Mon, 1 Dec 2003 15:51:37 +0330, "Arash Bijanzadeh"
>
> <[EMAIL PROTECTED]> said:
> > On Sunday 30 November 2003 18:10, Steve Langasek wrote:
> > > Er, on what grounds are you claiming that this is broken? The
> > > dependencies declared by these
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
> Can "requesting removal from archive" be automated, to occur say after 3
> weeks of inactivity of rc/grave/serious bug?
>
> As a DD, I assume there is some pride and/or utility in having your
> package in the archive. This would g
Martin Michlmayr ([EMAIL PROTECTED]) wrote:
>
>* Thomas Viehmann <[EMAIL PROTECTED]> [2003-12-01 15:30]:
>> BTW: This is offtopic, but it seems that potato is neither in debian/
>> nor in debian-archive/?
>Potato is on archive.debian.org (in /debian-archive/dists).
Ah. Thanks.
ftp.debian.org/debia
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
> > ? It might help you registering a site under www.debian.org (once its
> > services are up again.
>
> Cool. I'll check it out in a day or five :)
If you are interested I could send you my CDD - talk stuff in private mail
until people.d.o is up again.
On Mon, 2003-12-01 at 22:36, Alexander Kitzberger wrote:
> we and a couple of other linux companies are also thinking this way,
> and we would like also to support a enterprise debian.
Great stuff ... we are forming it now. As you probably well know by now,
there's a web page started at:
http://de
In article <[EMAIL PROTECTED]>,
Anthony Towns wrote:
>Without having evaluated null hypotheses or done exhaustive analyses,
>the correlation nevertheless seems fairly convincing. To put it bluntly,
>our regular package maintainers are doing such a bad job that without
>significant assistance from
On 20031201T144509+1000, Anthony Towns wrote:
> * #208646 - grep-dctrl - Antti-Juhani Kaijanaho
> unspecified problems with version in unstable, should take
> "a couple of days" to fix, no activity since September
The "unspecified problems" are mainly recorded in the other op
> "ag" == Andrea Glorioso <[EMAIL PROTECTED]> writes:
> "t" == Tom <[EMAIL PROTECTED]> writes:
t> One of the "flavors" linked to on
t> http://www.debian.org/devel/debian-nonprofit/ is www.demudi.org
t> --
t> which is running IIS on Windows 2000!
ag> demudi.org is a r
On Tue, Dec 02, 2003 at 01:05:29AM +0100, Enrico Zini wrote:
> > > - GNU ERP software project ?name?
> > GNU Enterprise (gnue) http://www.gnue.org/
> I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
...and of the Impi distribution from South Africa, Debian-based:
Welcome
* Goswin von Brederlow ([EMAIL PROTECTED]) [031202 04:55]:
> Andreas Barth <[EMAIL PROTECTED]> writes:
> > Technical details should IMHO be discussed later, but a sample
> > passport could look like:
> >
> > accepted by katie on Mon, 1 Dec 2003 20:34:58 + because of good
> > signature of DD,
Frederik Dannemare <[EMAIL PROTECTED]> wrote:
> just curious: any particular reason why we didn't see a backport any sooner
> of
> the integer overflow in the brk system call (see recent announcement by
> Wichert Akkerman:
> http://lists.debian.org/debian-security-announce/debian-security-annou
On Tue, 2003-12-02 at 18:12, Magosányi Árpád wrote:
> My mail client thinks that Zenaan Harkness wrote the following:
> > Can "requesting removal from archive" be automated, to occur say after 3
> > weeks of inactivity of rc/grave/serious bug?
> >
> > As a DD, I assume there is some pride and/ o
* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
> Goswin von Brederlow wrote:
> > What can we do with deb signatures?
> >
> > For our current problem, the integrity of the debian archive being
> > questioned, the procedure would be easy and available to every user:
> >
> > 1. get any clean Debian
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
>
> Apparently nobody knew it was comparable to ptrace, it looked like a
> simple bugfix and not like a local root exploit.
>
Well, I just downloaded 2.4.23 from kernel.org and installed it.
[obGrumble] I never got hit by any of t
On Tue, Dec 02, 2003 at 05:38:15AM +1100, Zenaan Harkness wrote:
> On Tue, 2003-12-02 at 02:46, Anthony Towns wrote:
> > So, using my definitions, the following conclusions are (IMO) true:
> >
> > * all flavours are policy compliant
> >
> > * some derived distros might be policy compliant
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
> * Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
> > Goswin von Brederlow wrote:
> > > What can we do with deb signatures?
> > >
> > > For our current problem, the integrity of the debian archive being
> > > questioned, the procedure
On Tue, 2003-12-02 at 19:14, Andreas Tille wrote:
> On Tue, 2 Dec 2003, Zenaan Harkness wrote:
> > Then, it's up to the projects to start using the term. A list would I
> > think be very good for making cdd discussions stand out at this point -
> > there seems to be enough traffic. But perhaps I'm
On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote:
> I guess if you're a DD (I'm in the NM-process myself), you can create
> "official" Debian wiki, etc?
AFAIK, the "official" Debian wiki is http://wiki.debian.net and like
most wikis, *anyone* can create a page. Please go ahead and d
> On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
>> Can "requesting removal from archive" be automated, to occur say after 3
>> weeks of inactivity of rc/grave/serious bug?
>>
>> As a DD, I assume there is some pride and/or utility in having your
>> package in the archive. Thi
On Tue, 2003-12-02 at 18:09, Anthony Towns wrote:
> On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
> ] $ grep Harkness /var/lib/apt/lists/*_*; echo $?
> ] 1
It's not much (directly) Debian related (yet), but:
I'd be in NM but for the keyservers and NM registration page being down
On Tue, 2003-12-02 at 18:56, Brian May wrote:
> On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
> > Can "requesting removal from archive" be automated, to occur say after 3
> > weeks of inactivity of rc/grave/serious bug?
> >
> > As a DD, I assume there is some pride and/ or utili
Hi Goswin!
Goswin von Brederlow wrote on Tuesday, 02 December 2003:
> > I would like to see the following things happen:
> >
> > - current md5sums file in control.tar.gz should contain
> >checksums of really all files
> > - a signature of the md5sums file should be stored either in
On Tue, 2003-12-02 at 19:14, Andreas Tille wrote:
> On Tue, 2 Dec 2003, Zenaan Harkness wrote:
> > Is there a single place where all official Custom Debian Distributions
> > (CDDs - even a reasonable TLA), aka internal projects, are listed?
> Unfortunately not yet under www.debian.org, but if the r
On Tue, 2003-12-02 at 20:46, Enrico Zini wrote:
> On Tue, Dec 02, 2003 at 01:05:29AM +0100, Enrico Zini wrote:
> > > > - GNU ERP software project ?name?
> > > GNU Enterprise (gnue) http://www.gnue.org/
> > I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
...
> ...and of the Im
On Tue, 2003-12-02 at 21:41, Benj. Mako Hill wrote:
> On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote:
> > I guess if you're a DD (I'm in the NM-process myself), you can create
> > "official" Debian wiki, etc?
>
> AFAIK, the "official" Debian wiki is http://wiki.debian.net and like
Hi!
The saga continues. Now we look at the development assurance
measures. Unfortunately this is a part that open source is
not good at (not saying that closed source is better).
This is because writing documentation is quite
boring, and ADV is about writing design documentation.
I personally thin
David B Harris <[EMAIL PROTECTED]> wrote:
>> And I think I have the structure to make this work. I'm
>> writing now, should have something for you later today.
>
> Sorry, yeah. I should instead have said "*their*
> company", not any one company. The company they buy
> their hardware and support f
Tom <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
>> Apparently nobody knew it was comparable to ptrace, it looked like a
>> simple bugfix and not like a local root exploit.
> Well, I just downloaded 2.4.23 from kernel.org and installed it.
You cou
Joey Hess <[EMAIL PROTECTED]> writes:
> John Goerzen wrote:
> > Please check out the debsigs package. I wrote it when I worked at
> > Progeny back in 2001, and Branden Robinson maintains it these days. It
> > does exactly that.
>
> Unfortunately, the method debsigs uses to add the signature to t
Eduard Bloch <[EMAIL PROTECTED]> writes:
> Hi Goswin!
> Goswin von Brederlow wrote on Tuesday, 02 December 2003:
>
> > > I would like to see the following things happen:
> > >
> > > - current md5sums file in control.tar.gz should contain
> > >checksums of really all files
> > > -
On Tue, 2003-12-02 at 11:05, Enrico Zini wrote:
> On Mon, Dec 01, 2003 at 02:33:57PM -0600, Chad Walstrom wrote:
>
> > > - GNU ERP software project ?name?
> > GNU Enterprise (gnue) http://www.gnue.org/
>
> I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
Thank you very much
On Tue, Dec 02, 2003 at 10:34:26AM +0200, Antti-Juhani Kaijanaho wrote:
> That said, it has been too long since I last looked at grep-dctrl. I'll
> try to fix that "in a couple of days" :) I can only say that my
> teaching duties have exhausted me during the autumn.
And hey, if you manage to fix
Hello Töns,
we are trying to get the Siemens ServerView ported to debian.
After I read your message, I think you may have contact with FSC?
Or may be this software is already ported?
Do you have some more information for me?
Thank you in advance
best regards
Alex
Toens Bueker wrote:
David B Harris
Andreas Barth <[EMAIL PROTECTED]> writes:
> * Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
> > Goswin von Brederlow wrote:
> > > What can we do with deb signatures?
> > >
> > > For our current problem, the integrity of the debian archive being
> > > questioned, the procedure would be easy and av
Tom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
> > * Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
> > > Goswin von Brederlow wrote:
> > > > What can we do with deb signatures?
> > > >
> > > > For our current problem, the integrity of the debian a
I did a first pass at the UserLinux white paper, it's at
http://userlinux.org/white_paper.html. I think I'll sleep for a while.
Thanks
Bruce
That's userlinux.com . I don't have the .org, some domain squatter has
that.
Thanks
Bruce
On Tue, Dec 02, 2003 at 12:04:31PM +, bruce wrote:
> I did a first pass at the UserLinux white paper, it's at
> http://userlinux.org/white_paper.html. I think I'll sleep for a while.
>
On Tue, Dec 02, 2003 at 01:17:58PM +0100, Goswin von Brederlow wrote:
> Tom <[EMAIL PROTECTED]> writes:
> > What precautions are taken that the DD actually signed it with the DD's
> > private key?
> > Set aside the possibility that the DD herself is actually the attacker.
>
> You never can. Bu
Hello,
On Tue, Dec 02, 2003 at 09:53:19AM +1100, Zenaan Harkness wrote:
> On Tue, 2003-12-02 at 07:31, David B Harris wrote:
> > who run it, as is so often the case these days. I can't count the number
> > of times I've heard horror stories from HP customers (and other vendors
> > as well) about
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2003-12-01 19:12, Andres Salomon wrote:
> d-i enhancements might include installation types (similar to redhat's
> installer; select server, workstation, etc, and have packages selected
> for you), support for enterprise features directly in the ins
* Chad Walstrom <[EMAIL PROTECTED]> [031201 22:28]:
> md5sums and signatures are most useful in the context of installation.
> Post-installation, you cannot be guaranteed that an intrusion rootkit
> doesn't compromise the md5sum files themselves. Using the installed
> *.md5sum files to check the in
Tom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 01:17:58PM +0100, Goswin von Brederlow wrote:
>
> > Tom <[EMAIL PROTECTED]> writes:
> > > What precautions are taken that the DD actually signed it with the DD's
> > > private key?
> > > Set aside the possibility that the DD herself is ac
On Tue, Dec 02, 2003 at 02:20:43PM +0100, Goswin von Brederlow wrote:
> There is no security as strong as many people reading the source over
> and over. You can't hack their brains to skip over the backdoor code
> and you can only obfuscate a backdoor so much.
All right, all right, I'll cry uncle.
On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> A release critical bug in one package could be caused by a non-release
> critical bug in another package.
How?
If the bug is caused by a problem in another package then it should be
reassigned (and more importantly fixed). The bug is sti
A.J. Rossini wrote:
> Maybe I'm missing something, but none of this sounds like
> functionality that a bit of parsing out to other programs can't
> solve, given that I do it locally for the systems in my lab.
>
> Joey Hess <[EMAIL PROTECTED]> writes:
>
> > Interesting article on LWN: http://lwn.
On Mon, Dec 01, 2003 at 11:17:26PM -0800, A.J. Rossini wrote:
>
> Andrew Pollock <[EMAIL PROTECTED]> writes:
>
> > On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
> >>
> >> Joey Hess <[EMAIL PROTECTED]> writes:
> >>
> >> >
> >> > To install a package directly, with apt downloading
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
> > The canonical attack against signed debs in this situation is to find a
> > signed deb on snapshot.debian.net that contains a known security hole.
>
> To avoid this attack, it is necessary that the filename of the deb or
> the versi
On Mon, Dec 01, 2003 at 02:45:09PM +1000, Anthony Towns wrote:
> Hello world,
Hello aj.
>* LSB 1.3 compatibility mostly achieved
>
> (LSB non-compliance issues are now Release Critical; bugs
> should be filed and addressed by the LSB team, which hangs
> aroun
On Mon, Dec 01, 2003 at 07:06:41PM -0500, Joey Hess wrote:
> Similarly, to check the build depends of a source package file:
> apt-get build-dep apt-listchanges-1.49-11104cl.src.rpm
Should this be the job of apt-get? Fetching a list of build-depends is a
similar job to that performed by apt-ca
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
> small change to do_brk(), which looked like a normal non-critical
> bugfix to everybody involved. Some time later Debian was hacked and
> backtracing how the i
> "aj" == Anthony Towns writes:
aj> or overloaded with work, or, for that matter, fixing compromised Debian
aj> servers -- do you think it's desirable and possible to:
aj> * for confirmed bugs with a known fix, upload a fixed package
aj> within a day or two
Goswin von Brederlow wrote:
> > dpkg that it is downgrading the package, and a clever attacker might
> > avoid even that.
>
> How would you avoid it?
Make the replacement package really be a different package entirely, of
a higher version than the package it purports to replace.
I think aj had s
> "Jonathan" == Jonathan Dowland <[EMAIL PROTECTED]> writes:
Jonathan> On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler
Jonathan> wrote:
>> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
>> small change to do_brk(), which looked like a normal non-
Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> There is no security as strong as many people reading the source over
> and over. You can't hack their brains to skip over the backdoor code
> and you can only obfuscate a backdoor so much.
I refer you to Ken Thompson's Turing award lecture. If
[It looks like the x-debbugs-cc part of bugs.d.o is not working atm (nor is
the index page for wnpp showing new bugs), so I'm resending this message to
pertinent lists. I know the upload queue is down due the hack, but it would
probably be good to make this ITP known so we don't get several dup
On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
> > A true IDS is needed, such as aide, tripwire, or cfengine to detect
> > post-installation intrusion. Tie in aide or tripwire database
> > checks/updates with the apt.conf "PostInst" option in addition to a
> > daily cronjob to e
On Mon, Dec 01, 2003 at 07:06:41PM -0500, Joey Hess wrote:
> Interesting article on LWN: http://lwn.net/Articles/60650/ (subscription
> required) In summary, apparently apt-rpm users can now do some things
> with apt that we cannot.
This has been true for some time; merging the applicable parts o
Hi, Joey Hess wrote:
> Of course dpkg-checkbuildeps can
> be used if you unpack the source.
So, giving a .dsc to dpkg-checkbuildeps shouldn't be any more work than
"skip the GPG armor, if present".
Unless I am overlooking something, of course.
--
Matthias Urlichs | {M:U} IT Design @ m-u-it
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> rather far from changing anything in the kernel memory. Andreas is
> definitely right that the hole doesn't look like it is that dangerous.
It messed up your life for a couple weeks.
Jesus, it's not the end of the world, but that's
[personal reply, and posting on -devel]
Hi Joey,
thanks for this report. I am aware that this is the result of tedious
work, and I really appreciate your efforts. Let me, however, ask a few
probably inconvenient questions, and I surely hope that they won't be
ignored this time.
On Tue, Dec 02,
Hello.
Henrique de Moraes Holschuh wrote:
> Otherwise, it simply won't happen, unless about 90% of the packages or so
> already use md5sums. At that figure, you have some chances of passing a
> policy of 'must', and you are guaranteed to get a 'should' to be approved
> IMHO.
More than 92% of the p
On Mon 01-12-2003, at 14:34, Goswin von Brederlow wrote:
[...]
> Deb signatures method C:
>
> And now for something completely different. A man with 3 noses. :)
>
> Instead of keeping extra files with the signature of the deb the
> information could be stored inside the deb itself.
[...]
As much
christophe barbe wrote:
> On Mon, Dec 01, 2003 at 08:24:09PM +0100, Thomas Viehmann wrote:
>
>>Michael Ablassmeier wrote:
>>
>>>IMHO Lintian should also check if "dh_md5sums" is called and
>>>print at least a warning if this is not the case.
>>
>>In principle, I agree, but maybe it's better to ch
On Tue, Dec 02, 2003 at 05:09:37PM +1000, Anthony Towns wrote:
> > What happens if say there are simply not enough people interested in
> > GNOME for example, and the RC counts rise, and rise at an increasing
> > rate, and we never release again?
>
> That's not a very interesting hypothetical -- t
Joey Hess <[EMAIL PROTECTED]> wrote:
> Goswin von Brederlow wrote:
>> > dpkg that it is downgrading the package, and a clever attacker might
>> > avoid even that.
>> How would you avoid it?
> Make the replacement package really be a different package entirely, of
> a higher version than the packa
Goswin von Brederlow wrote:
> Joey Hess <[EMAIL PROTECTED]> writes:
> I submitted a one line patch to apt to fix this and behave like
> dpkg. I hope this gets added soon. Till then its either signed debs or
> pre-configuring of packages.
>>I filed bugs about this a long time ago, it is apparently
On Tue 02-12-2003, at 14:46, Mark Howard wrote:
> On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > A release critical bug in one package could be caused by a non-release
> > critical bug in another package.
>
> How?
A program could use some library for most of its core operation, an
On Tue, 2003-12-02 at 02:41, Goswin von Brederlow wrote:
> Source only uploads were afaik disabled because the uploaded source
> would just disappear and never enter the archive afaik. It was just
> easier to block them than to fix the archive scripts I guess.
Just trying it (for fun, see package "
On Tue, 02 Dec 2003, Wouter Verhelst wrote:
> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.
We could verify if the gpg agent (gpa? I forget the name...) cannot do this
over a secure channel. It should be able to, and if not,
Tom <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> > rather far from changing anything in the kernel memory. Andreas is
> > definitely right that the hole doesn't look like it is that dangerous.
> If it wasn't a big deal we wouldn't be talking abo
On Mon, Dec 01, 2003 at 10:09:34PM +0100, Roland Stigge wrote:
> Finally, the "decision" isn't just "technical".
Ah, the inevitable cry of the advocate of the technically inferior
approach.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `'
No Cc was necessary, I am subscribed to debian-devel.
On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote:
> Scott James Remnant <[EMAIL PROTECTED]> writes:
>
> > A compromised dinstall on ftp-master could also replace the keyring
> > package with a new one containing an extra key, used to s
Wouter Verhelst wrote:
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
>
> An alternative would be to copy over the .debs, si
On Tue, 2003-12-02 at 17:31, Tom wrote:
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> > rather far from changing anything in the kernel memory. Andreas is
> > definitely right that the hole doesn't look like it is that dangerous.
>
> It messed up your life for a couple weeks.
Andreas Metzler wrote:
> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.
Which signature? The Packages file is being modified, so of course the
chain of trust back to the Release file signature can be used to catch
tampering with it
On Tue, Dec 02, 2003 at 12:27:00PM -0500, Noah L. Meyerhans wrote:
> release goal of December 1 didn't inspire any new activity. This gives
> the appearance that the ARM port maintainers simply don't care if sarge
> gets released at all. This is very discouraging.
If that is what happens, then I
Tom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
>> rather far from changing anything in the kernel memory. Andreas is
>> definitely right that the hole doesn't look like it is that dangerous.
>
[snip]
>
> If it wasn't a big deal we wouldn't be talk
On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
> Joey Hess <[EMAIL PROTECTED]> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.
> >> How would you avoid it?
> > Make the replacement package
Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
Um, perhaps this is really stup
* Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
> As much as I like this idea in principle, storing signatures inside
> .debs has a serious problem: it won't work for us buildd maintainers.
Workability for the buildd maintainers is IMHO _certainly_ one
important thing.
> As I explain in my
On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
> On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > A release critical bug in one package could be caused by a non-release
> > critical bug in another package.
>
> How?
> If the bug is caused by a problem in another package
On Tue, Dec 02, 2003 at 09:33:39AM -0500, Sam Hartman wrote:
> [...] It takes me about an
> afternoon to do a PAM or OpenAFS release even if I change one line.
> OK, for a one line change I can probably get that down to two hours or
> so.
>
> It's a lot easier for me if I batch bugs together and
On Mon, Dec 01, 2003 at 01:12:52PM -0500, Andres Salomon wrote:
> For packages, we may want to focus on apt-secure
> (http://monk.debian.net/apt-secure/); I'm not sure the status of it, [...]
You could easily find out here:
http://bugs.debian.org/203741
--
- mdz
Hi,
Recently, when thinking about the terminology surrounding Debian
Subprojects, I thought about the term "flavor". I always liked that
term, because I find it very descriptive.
I wrote to Zenaan Harkness concerning Debian Enterprise
(http://debian-enterprise.org/), and I suggested that such a s
Hi, Henrique de Moraes Holschuh wrote:
> On Tue, 02 Dec 2003, Wouter Verhelst wrote:
>> So unless you have a suggestion that would solve this particular issue,
>> I'm afraid this idea won't work in practice.
>
> We could verify if the gpg agent (gpa? I forget the name...) cannot do this
> over a
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
> Tom <[EMAIL PROTECTED]> writes:
>
> > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
> >> rather far from changing anything in the kernel memory. Andreas is
> >> definitely right that the hole doesn't look like it
I meant to mention that this is Debian bug #222154.
On Wed, 2003-12-03 at 08:07, Fabian Fagerholm wrote:
> > (Just looking briefly at the diagram, I'm thinking "The Core" would be
> > the organisation - eg. Enterprise-Debian.org, or UserLinux.com, or
> > whatever is ultimately decided on.)
>
> Ok. I have probably mixed both technical and organisati
On Wed, Dec 03, 2003 at 07:17:57AM +1100, Brian May wrote:
> On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
> > On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
> > > A release critical bug in one package could be caused by a non-release
> > > critical bug in another package
On Tue, 02 Dec 2003 22:58:28 +0200, Fabian Fagerholm wrote:
> Hi,
>
> Recently, when thinking about the terminology surrounding Debian
> Subprojects, I thought about the term "flavor". I always liked that
> term, because I find it very descriptive.
>
[...]
> So I suggest the following terms:
>
* Steve Langasek ([EMAIL PROTECTED]) [031202 22:10]:
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities), and dpkg only gets a list of .debs to install once
> they've been downloaded.
So