I need to buy a plane ticket to Bombay, India; please give me a price quote.
Round-trip ticket.
On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
> > That's easy: you trust the Packages file to be correct when using apt,
> > and it's not verified at all by per-package signatures.
> In what way trust and how does that change anything?
> At best you can prevent a newer ve
Quoting Paul LeoNerd Evans <[EMAIL PROTECTED]>:
> I'm not too familiar with creating a source package that can create
> multiple binary packages, but I have a local modification of the "sudo"
> source package which creates a "sudo-ldap" binary package. This is built
> using LDAP support.
>
> If yo
* Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]:
> On Thu, Nov 24, 2005 at 10:48:39PM +0100, Rafael Laboissiere wrote:
> > Yes, I have been doing things wrongly in the past, but this is not the
> > case anymore. The Changed-By fields are correct now. See, for instance,
> > my last upload:
On Wed, Nov 23, 2005 at 05:34:41PM +0100, Jeroen van Wolffelaar wrote:
> In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
> are 8 distinct keys used for those 525 .deb's, seven of which correspond
> to DD's[1].
Slightly off the topic, but does this mean the archive contains .
* Hamish Moffatt [Fri, 25 Nov 2005 20:34:02 +1100]:
> On Wed, Nov 23, 2005 at 05:34:41PM +0100, Jeroen van Wolffelaar wrote:
> > In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
> > are 8 distinct keys used for those 525 .deb's, seven of which correspond
> > to DD's[1].
> Sl
On Thu, Nov 24, 2005 at 10:36:41PM +0100, Thiemo Seufer wrote:
> > I can see arguments against it, but none that make
> > it an RC bug.
> Policy violations are RC by definition.
Actually, no; policy violations are RC by *default*, but the definition of
what's release-critical for a release is set
If you wish to unsubscribe from this list, send an email to [EMAIL PROTECTED] requesting it. Thanks
Hi,
Anthony Towns wrote:
The problem is that using gzip and ar is complicated, which adds
possibilities for errors. You might find yourself not putting the deb
together again and getting false signature mismatches, or worse, you
might find yourself only verifying part of the .deb, and having dp
Hello Steve,
Steve Langasek <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 20, 2005 at 11:50:55PM +, Joerg Sommer wrote:
>> Steve Langasek <[EMAIL PROTECTED]> wrote:
>
>> > "Does not work with j2re1.3" means you should be depending on what it
>> > *does*
>> > work with, not trying to conflict with
Hello sean,
sean finney <[EMAIL PROTECTED]> wrote:
> hi joerg,
>
> On Sun, Nov 20, 2005 at 10:23:58AM +, Joerg Sommer wrote:
>> I've got a bug report (#336527) my package bootchart-view does not work
>> with j2re1.3. But j2re1.3 is not in Debian. Can I set a conflict upon a
>> package that is n
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> > I personally see the packages in unstable as something good for
>> > end-users who want to use it, or understand how the system wo
Michael Banck <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:44:42PM +0100, Goswin von Brederlow wrote:
>> Michael Banck <[EMAIL PROTECTED]> writes:
>> > On Wed, Nov 23, 2005 at 03:50:11PM +0100, Goswin von Brederlow wrote:
>> >> If you NEED to do a manual binNMU it is probably best to
Michael Banck <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> > They were, originally. Ryan's been very active on it since, and it's
>> > diverged a bit from the code you're maintaining.
>>
>> Th
Adeodato Simó <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow [Thu, 24 Nov 2005 18:51:24 +0100]:
>
> Hi,
>
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>
>> > They were, originally. Ryan's been very active on it since, and it's
>> > diverged a bit from the code you're main
Anthony Towns writes:
> On Thu, Nov 24, 2005 at 06:28:04PM +0100, Florian Weimer wrote:
> If you just want to check hashes, you should just use changes files. If
> you _actually_ want to check hashes, and this isn't just a thought
> experiment, working out a usable way to deliver .changes for wha
Steve Langasek <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
>
>> > That's easy: you trust the Packages file to be correct when using apt,
>> > and it's not verified at all by per-package signatures.
>
>> In what way trust and how does that cha
On Fri, Nov 25, 2005 at 02:38:32PM +0100, Goswin von Brederlow wrote:
> Michael Banck <[EMAIL PROTECTED]> writes:
> > On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
> >> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> >> > They were, originally. Ryan's been very active on it si
Anthony Towns writes:
> On Thu, Nov 24, 2005 at 07:47:58PM +0100, Goswin von Brederlow wrote:
>> Anthony Towns writes:
>> > On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
>> >> Use 1: I have this deb in my apt-move mirror and I want to know if it
>> >>was compromis
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:
> On Thu, 24 Nov 2005, Anthony Towns wrote:
>> On Thu, Nov 24, 2005 at 07:39:57AM +0100, Marc Haber wrote:
>> > >Uh, packages not uploaded to the official Debian archive can do whatever
>> > >they want.
>> > It would, however, be convenient t
On Fri, Nov 25, 2005 at 02:03:12PM +0100, Goswin von Brederlow wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > It's in Debian, and it's easy to use and understand. If it doesn't
> > diverge too far from the sbuild actually on svn.cyberhqz.com, it's also
> > good enough to give you a workin
Simon Richter <[EMAIL PROTECTED]> writes:
>>>IF this means we can switch the effort to a detached signature that is more
>>>powerful than a .changes file (or we are allowed to have multiple signatures
>>> in a .changes file),
>
> That is already possible with gnupg, just not well-documented; I'm n
Daniel Leidert <[EMAIL PROTECTED]> writes:
> On Thursday, 24.11.2005, at 19:53 +0100, Goswin von Brederlow wrote:
>> An incoming queue for reprepro is a ~100 lines shell script to check the
>> changes file signature and include the files in reprepro. Probably less
>> if you rewrite it in perl.
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 02:03:12PM +0100, Goswin von Brederlow wrote:
>> It just pains me that Debian does not include all the software to
>> build Debian.
>
> Sure it does. It just doesn't include the software that Debian uses to
> automatically build
Scripsit "Krzysztof Krzyzaniak (eloy)" <[EMAIL PROTECTED]>
> This module has only one function, which is also exported by default:
> subname NAME, CODEREF
> Assigns a new name to referenced sub.
> The name is only used for informative routines (caller, Carp, etc).
Is this really useful enough
Scripsit Chris Boyle <[EMAIL PROTECTED]>
> On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
>> I thought a robots.txt thingy on the list web archive is coming to the
>> rescue ?
> Huh? Isn't having the lists searchable generally a good thing?
Yes, a very good thing in general. But excluding
On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
> A signature in the deb by a random developer is as trustworthy as the
> changes file and you already trust that. So we are going from snakeoil
> to snakeoil. No harm done.
It's not the same, actually. A signature in a .deb nee
On 11/25/05, Matthew Palmer <[EMAIL PROTECTED]> wrote:
> Of course, using the signature on the .changes to verify the .debs
> independent from the archive at some later date is a nice side-benefit, but
> one which suffers from the same key-lifetime issues as in-deb signatures,
What exactly is this
Michael Banck <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 02:38:32PM +0100, Goswin von Brederlow wrote:
>> Michael Banck <[EMAIL PROTECTED]> writes:
>> > On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> >> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> >> > They w
Matthew Palmer <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
>> A signature in the deb by a random developer is as trustworthy as the
>> changes file and you already trust that. So we are going from snakeoil
>> to snakeoil. No harm done.
>
> It'
Olaf van der Spek <[EMAIL PROTECTED]> writes:
> On 11/25/05, Matthew Palmer <[EMAIL PROTECTED]> wrote:
>> Of course, using the signature on the .changes to verify the .debs
>> independent from the archive at some later date is a nice side-benefit, but
>> one which suffers from the same key-lifetim
On Fri, 25 Nov 2005, Anthony Towns wrote:
> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)
Do you really want a thread about how we should switch everything to SHA-512
or something like t
* Anthony Towns:
> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)
These exploits are irrelevant as far as the Debian archive is
concerned. (And that's not because hardly any sarge user
Henning Makholm wrote:
> Scripsit Chris Boyle <[EMAIL PROTECTED]>
>
>>On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
>
>
>>>I thought a robots.txt thingy on the list web archive is coming to the
>>>rescue ?
>
>
>>Huh? Isn't having the lists searchable generally a good thing?
>
>
> Yes
Blrgh!
OK. So I was working on the problem of fixing dpkg-dev so that
foo Depends: foo-data {SourceVersion}, foo-libs {BinaryVersion}
or something similar actually works. By parsing the version numbers.
Now it's apparently been changed under our noses, in such a way that my
proposed
sch
Anthony Towns writes:
> .deb signatures are aimed at giving users some sort of assurance the
> package is "valid"; but when you actually look into it -- at least in
> Debian's circumstances -- those signatures can't actually give any
> meaningful assurance for any specific validity.
Don't they g
Goswin von Brederlow <[EMAIL PROTECTED]> writes:
> The archive signing key gives absolutely no integrity ensurance on the
> deb package. The only thing it insures is that the file was not
> altered _after_ leaving ftp.de.debian.org for the mirrors and/or
> user. In no way does it prevent altering
Package: wnpp
Severity: wishlist
Owner: Patrick Das Gupta <[EMAIL PROTECTED]>
* Package name: me-jasspa
Version : 20050505
Upstream Author : Jon Green
* URL : http://www.jasspa.com/
* License : GPL
Description : A lightweight but fully featured editor
Ja
On Fri, Nov 25, 2005 at 03:13:58PM +0100, Goswin von Brederlow wrote:
> > You're correct.
> And he is also wrong.
> That would result in debs with the same name and version but different
> md5sums. Something that easily confuses apt-get and people.
And yet, somehow people manage partial cross-grad
On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
> Anthony Towns writes:
> > .deb signatures are aimed at giving users some sort of assurance the
> > package is "valid"; but when you actually look into it -- at least in
> > Debian's circumstances -- those signatures can't actua
On Fri, Nov 25, 2005 at 02:27:23PM -0200, Henrique de Moraes Holschuh wrote:
> Well, the email about the new bin-NMU structure implied that it was fixed
> for *NMUs done through that structure*.
Then the email was wrong. *shrug*
> > > > My objection is that it's *useless* for *Debian*. Debian h
On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
> * Anthony Towns:
> > (I'm amazed the security "crisis" we're having is about deb sigs
> > *again*, when we're still relying on md5sum which has a public exploit
> > available now...)
> These exploits are irrelevant as far as the Debi
Ken Bloom wrote:
Henning Makholm wrote:
Scripsit Chris Boyle <[EMAIL PROTECTED]>
On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
I thought a robots.txt thingy on the list web archive is coming to the
rescue ?
Huh? Isn't having the lists searchable gen
On Fri, Nov 25, 2005 at 09:01:24AM +0100, Rafael Laboissiere wrote:
> * Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]:
> > | Maintainer: Debian/IA64 Build Daemon <[EMAIL PROTECTED]>
> > | Changed-By: Debian Octave Group <[EMAIL PROTECTED]>
>
> Could you please explain to me why having Chang
On Sat, Nov 26, 2005 at 08:48:45AM +1000, Anthony Towns wrote:
> On Fri, Nov 25, 2005 at 03:13:58PM +0100, Goswin von Brederlow wrote:
> > > You're correct.
> > And he is also wrong.
> > That would result in debs with the same name and version but different
> > md5sums. Something that easily confus
On Sat, Nov 26, 2005 at 09:13:02AM +1000, Anthony Towns wrote:
>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> whether the alternatives are any better. Sure, everyone recommends
>> SHA-256 at this stage, but nobody can give a rationale.
> MD5 is broken; SHA-1 is where MD
> "Thiemo" == Thiemo Seufer <[EMAIL PROTECTED]> writes:
>> Well, even if I know naught about it, it looks to me that having
>> something signed is better than having the same something not signed.
Thiemo> Sorry, but that's a snake oil rationale.
A: Why do you lock your car up[1]?
On Sat, Nov 26, 2005 at 10:47:57AM +1100, Brian May wrote:
>>> Well, even if I know naught about it, it looks to me that having
>>> something signed is better than having the same something not signed.
>> Sorry, but that's a snake oil rationale.
> A: Why do you lock your car up[1]?
Because it make
On Fri, 25 Nov 2005, Nathanael Nerode wrote:
> OK. So I was working on the problem of fixing dpkg-dev so that
>
> foo Depends: foo-data {SourceVersion}, foo-libs {BinaryVersion}
>
> or something similar actually works. By parsing the version numbers.
I'd very much like debhelper or dpkg-* to g
My biggest concern with the Heimdal in experimental, is glob() in
libroken.
To the best of my knowledge, it isn't required because libc6 glob()
does everything required.
I am concerned, because of the potential of the symbols conflicting
with the function in libc6.
The Heimdal configure script c
On Fri, Nov 25, 2005 at 02:57:36PM +0100, Goswin von Brederlow wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
> >> > That's easy: you trust the Packages file to be correct when using apt,
> >> > and it's not verified a
* Steve Langasek [Fri, 25 Nov 2005 17:19:01 -0800]:
> how arbitrary users are supposed to verify whether a given key is in the
> keyring. The debian-keyring package doesn't get updated every time there's
> a key added or removed, and the web interface to keyring.debian.org doesn't
> provide any c
Brian May wrote:
> > "Thiemo" == Thiemo Seufer <[EMAIL PROTECTED]> writes:
>
> >> Well, even if I know naught about it, it looks to me that having
> >> something signed is better than having the same something not signed.
>
> Thiemo> Sorry, but that's a snake oil rationale.
>
> A
Package: wnpp
Severity: wishlist
Owner: Kari Pahula <[EMAIL PROTECTED]>
* Package name: gearhead
Version : 1.000
Upstream Author : Joseph Hewitt <[EMAIL PROTECTED]>
* URL : http://www.geocities.com/pyrrho12/programming/gearhead/
* License : LGPL
Description
On Fri, Nov 25, 2005 at 05:19:01PM -0800, Steve Langasek wrote:
> Oh, and BTW, check the IPs of ftp-master.debian.org and
> keyring.debian.org...
Well, at this moment those are distinct, because ftp-master is
temporarily hosted on spohr.debian.org, and not on raff.debian.org,
where keyring.d.o sti
[Steinar H. Gunderson]
> All three might eventually be truly broken, but you can bet that MD5
> will be the first to go. If you use SHA-256 today instead of MD5, you
> probably buy yourself a few extra years, which you can use to smooth
> out the transition to the next hash function when the world