On Mon, 31 May 2010 at 5:42, Christian PERRIER wrote:
> > This repository holds secured packages of the insecure debian packages
> > just without the insecure patch (or the insecurity patched). The full
> > sources are available to build. At the moment the repository holds
> > base-files, openssh and procmail.
>
> Is this repository signed by a key?

Yes, my own key. But read below.

> Where is that key available?

On keyservers and signed by many people.

> By who is this key signed?

Many people, including some DDs.

> Are there people around to speak and guarantee that the repository
> owner is not providing malicious packages through this "secured"
> repository?

That's the point. Nobody can do that. That's the reason I hold the changes as small as possible and upload the full sources to the repo too.

The point is that I cannot live with the insecure debian packages at all. So I built those packages for myself. The repository is to give the secured packages to people who need them too. There is no need to develop the wheel every time again.

> Don't take me wrong.

I do not. I was thinking about that too. But I decided to make it available anyway.

> though I certainly do question the technical arguments you brought in
> this thread and the way you did it (the umask 'disaster').

Well, I think (and I am not alone with this opinion) that the umask changes are a security disaster. And I do not want to make a secret of it.

> Unless the packages you provide are inspected by the same web of trust
> that lives around the official Debian repository,

Well, the web of trust seems to fail in this case.

> I think that potential users should definitely be warned that they're
> using it at their own risk (the same stands for any private
> repository, of course, including those I manage myself...:-)).

Yes, it's a good idea. At the moment the repository is just as it is and it holds the secured packages I use myself. However, I will consider adding such a note.

Regards
   Klaus
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <kl...@ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B