Re: APT public key updates?

On Thu, Jan 05, 2006 at 11:15:08PM -0800, Thomas Bushnell BSG wrote: > But that means that AJ should rotate his key too. Yes. In theory I'd do that once every five years or so; in practice longer. :-/ > Another way to put the same point, inverted if you will, is to ask why > it's ok to trust AJs

Re: APT public key updates?

Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote: > It seems to me that this kind of computation depends intrinsically on > how long it takes to compromise. If it takes eleven months, then > we're currently screwed. It seems unlikely to me that this kind of > analysis has taken place, which makes it

Work-needing packages report for Jan 6, 2006

The following is a listing of packages for which help has been requested through the WNPP (Work-Needing and Prospective Packages) system in the last week. Total number of orphaned packages: 166 (new: 0) Total number of packages offered up for adoption: 94 (new: 0) Total number of packages requeste

Re: APT public key updates?

On Thu, Jan 05, 2006 at 07:38:37PM -0800, Steve Langasek wrote: > In the third case, again the compromise is either detected, or it isn't. If > it's detected, we're revoking the key again; if it's *not* detected (and it > seems to me that anyone able to compromise the pgp key without also having >

Re: APT public key updates?

On Thu, Jan 05, 2006 at 11:04:32PM -0800, Thomas Bushnell BSG wrote: > It seems to me that this kind of computation depends intrinsically on > how long it takes to compromise. If it takes eleven months, then > we're currently screwed. It seems unlikely to me that this kind of > analysis has taken

Re: APT public key updates?

Steve Langasek <[EMAIL PROTECTED]> writes: > For a user with a compromised local network, the only safe solution is to > validate the new key via some web of trust. This is the feature that's > missing today, to give Joe User some reasonable method of checking keys > against the web of trust befo

Re: APT public key updates?

Anthony Towns writes: > How so? In the long term you end up with "aj signed 2005, aj and 2005 > signed 2006, 2005 is expired"; I don't think there's anything broken in > that situation. So I do trust aj's keys, and the keys he signs. Unfortunately, I don't have any way to indicate that to apt-

Re: APT public key updates?

Nick Phillips <[EMAIL PROTECTED]> writes: > On Thu, Jan 05, 2006 at 04:43:13PM -0800, Thomas Bushnell BSG wrote: > >> If the key is compromised, which is the only way the non-expiring key >> method can be broken, then the expiring key doesn't seem to be >> offering all that much additional securit

Re: APT public key updates?

On Fri, Jan 06, 2006 at 05:22:44AM +0100, Bernd Eckenfels wrote: > Nick Phillips <[EMAIL PROTECTED]> wrote: > > If the 2006 key takes (say) 15 months to compromise, then it is fine > > to use it to sign and verify the new key on 1/1/2007, so long as you > > perform that verification before March...

Re: Fwd: Bug#344758: init.d script should create /var/run/dirmngr

On Thu, Jan 05, 2006 at 09:07:58AM -0200, Henrique de Moraes Holschuh wrote: > On Wed, 04 Jan 2006, Steve Langasek wrote: > > On Wed, Jan 04, 2006 at 10:43:57PM -0200, Henrique de Moraes Holschuh wrote: > > > > > > Do it. We are *heavly* considering support for ephemeral /var/run (which > > > is

A Big Thank You to all OSS Developers (especially Debian Developers)

Hi all, I realize that this is a technical forum, and I have something technically useful to contribute (in the sense of offering motivation to keep going full steam): my heartfelt thanks for all the efforts given by Debian Developers. I've carefully written a technically detailed "Thank You

Re: APT public key updates?

Nick Phillips <[EMAIL PROTECTED]> wrote: > If the 2006 key takes (say) 15 months to compromise, then it is fine > to use it to sign and verify the new key on 1/1/2007, so long as you > perform that verification before March... Or be able to proof the date of signing. > IOW using the old key to si

Re: APT public key updates?

"Michael Vogt" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote: [Michael Vogt] > Sorry for the delay. I'm preparing a new upload that adds the 2006 > archive key to the default keyring. Sounds good. Will this aut

Re: APT public key updates?

On Thu, Jan 05, 2006 at 04:43:13PM -0800, Thomas Bushnell BSG wrote: > Steve Langasek <[EMAIL PROTECTED]> writes: > > AIUI, Ubuntu isn't rotating their archive keys -- something else that their > > centralized model more readily affords them. > I'm a little confused about why we do rotate the key

Re: APT public key updates?

On Thu, Jan 05, 2006 at 04:43:13PM -0800, Thomas Bushnell BSG wrote: > If the key is compromised, which is the only way the non-expiring key > method can be broken, then the expiring key doesn't seem to be > offering all that much additional security. If the 2006 key takes (say) 15 months to co

Re: APT public key updates?

On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote: > [Michael Vogt] > > Sorry for the delay. I'm preparing a new upload that adds the 2006 > > archive key to the default keyring. > > Sounds good. Will this automatically take care of the key update and > make sure no manual inte

Re: APT public key updates?

On Fri, Jan 06, 2006 at 01:26:41AM +0100, Bartosz Fenski aka fEnIo wrote: > On Thu, Jan 05, 2006 at 11:13:06PM +0100, Michael Vogt wrote: > > > These are all notable in > > > > > > a) being RC > > > b) not having any response from an apt maintainer > > > > Sorry for the delay. I'm preparing a ne

Re: APT public key updates?

On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote: > > [Michael Vogt] > > Sorry for the delay. I'm preparing a new upload that adds the 2006 > > archive key to the default keyring. > > Sounds good. Will this automatically take care of the key update and > make sure no manual i

[no subject]

Please remove me from Call Wave.  I now have a cable connection and no longer require the service. Thank you. Mary H. Allen [EMAIL PROTECTED] 8341 Pine Cone Drive Gautier, Ms.  39553 228/497-2010 I just dialed the telephone number I was given to use to discontinue this service and I held on

Re: Experimental or unstable.

On Thu, Jan 05, 2006 at 02:03:37PM +, Simon Huggins wrote: > Is there any better way I can get snapshots/betas tested by the majority > of users? Do people think that this is the sort of thing that should > just be uploaded to unstable and allowed to flow into testing? Provided you're willing

Re: APT public key updates?

Steve Langasek <[EMAIL PROTECTED]> writes: > AIUI, Ubuntu isn't rotating their archive keys -- something else that their > centralized model more readily affords them. I'm a little confused about why we do rotate the keys. I'm not experienced in thinking through the subtle issues concerned, so I

Re: APT public key updates?

On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote: > [Michael Vogt] > > Sorry for the delay. I'm preparing a new upload that adds the 2006 > > archive key to the default keyring. > Sounds good. Will this automatically take care of the key update and > make sure no manual inter

Re: APT public key updates?

On Thu, Jan 05, 2006 at 11:13:06PM +0100, Michael Vogt wrote: > > These are all notable in > > > > a) being RC > > b) not having any response from an apt maintainer > > Sorry for the delay. I'm preparing a new upload that adds the 2006 > archive key to the default keyring. Does it mean we need

Re: APT public key updates?

[Michael Vogt] > Sorry for the delay. I'm preparing a new upload that adds the 2006 > archive key to the default keyring. Sounds good. Will this automatically take care of the key update and make sure no manual intervention is needed to get packages upgraded? Isn't Ubuntu using the signed apt

Re: APT public key updates?

On Thu, Jan 05, 2006 at 03:02:05PM -0500, Joey Hess wrote: > Daniel Leidert wrote: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345823 > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345891 > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345956 > > http://bugs.debian.org/cgi-bin/b

Re: APT public key updates?

x-post to deity list Am Donnerstag, den 05.01.2006, 15:02 -0500 schrieb Joey Hess: > Daniel Leidert wrote: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345823 > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345891 > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345956 > > http://

Re: Experiment: poll on "switching to vim-tiny for standard vi?"

On Wed, Jan 04, 2006 at 07:29:10AM -0600, Steve Greenland wrote: > On 04-Jan-06, 05:08 (CST), paddy <[EMAIL PROTECTED]> wrote: > > Time to add a policy-alternatives hook to update-alternatives ?? > > Huh? If the admin manually sets an alternative with with > update-alternatives, it won't be overr

Re: APT public key updates?

Daniel Leidert wrote: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345823 > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345891 > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345956 > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346002 These are all notable in a) being RC b) no

Re: ITP

On Thursday 05 January 2006 00.29, campanoni simone wrote: > ~ - i'd like to try to mantain the wss packet (to learn to mantein > a debian packet) Start here: Especially at Then, for all the details, there is

Re: Maintaining a debian package

On Tuesday 03 January 2006 22.59, Andi Drebes wrote: > Hi there! > [...] As I'm using debian and like it > pretty much, I'd like to add it to the list of packages that debian > oficially provides. The first problem is, that I don't know how to create > debian-packages. Start here:

Re: bits from the release team

On Wednesday 04 January 2006 09.53, Andrew M.A. Cater wrote: > Better to use a tested and stable kernel in stable whenever it is > released rather than trying to synch to current kernels sometime too > close to release time just for the sake of releasing a semi-current > kernel. Well sarge's

Re: bits from the release team

On Wednesday 04 January 2006 00.43, Brian Nelson wrote: > Why don't we use RHEL's kernel, or collaborate with them to maintain a > stable kernel tree, or something? The real nice thing would be a central mailing list where all kernel development were coordinated. Perhaps some sort of industry-s

Re: Experimental or unstable.

On Thu, Jan 05, 2006 at 01:13:05PM -0500, Travis Crump wrote: > > Is there a command that can display the list of packages I'm using with a > > version on experimental higher than the current version on unstable? > > `aptitude -t experimental` That's neat! > I love aptitude :) I love it even mo

Bug#346112: ITP: paps -- Pango to PostScript converter

Package: wnpp Severity: wishlist Owner: Lior Kaplan <[EMAIL PROTECTED]> * Package name: paps Version : 0.6.3 Upstream Author : Dov Grobgeld <[EMAIL PROTECTED]> * URL : http://paps.sourceforge.net/ * License : GPL Description : UTF-8 to PostScript converte

Re: Experimental or unstable.

Simon Huggins dijo [Thu, Jan 05, 2006 at 02:03:37PM +]: > > http://www.perrier.eu.org/weblog/2005/09/30#experimental-useless > > See this worries me a bit. > > I'd love for Debian users to test some more cutting edge versions of > packages (partly so upstream gets more testers, partly so

Re: Experimental or unstable.

On Thu, Jan 05, 2006 at 05:38:31PM +0100, Jan C. Nordholz wrote: > > [[ Marc Haber ]] > > Experience with adduser shows that no-one besides the maintainers > > themselves and their closest environment uses experimental packages. > I wouldn't say that package maintainers are the only ones who use

Re: Experimental or unstable.

Nicolas François wrote: > On Thu, Jan 05, 2006 at 02:03:37PM +, Simon Huggins wrote: >> On Thu, Jan 05, 2006 at 02:44:38PM +0100, Adeodato Simó wrote: >>> * Marc Haber [Thu, 05 Jan 2006 14:40:45 +0100]: Experience with adduser shows that no-one besides the maintainers themselves and t

Re: Experimental or unstable.

* Olaf van der Spek [Thu, 05 Jan 2006 18:10:36 +0100]: > I'd be nice if it's possible to easily install a package from > experimental or unstable (in testing or unstable) once or to track > that section for that package. I once heard that pinning experimental to 101 achieves that. I since the

Re: Experimental or unstable.

On 1/5/06, Nicolas François <[EMAIL PROTECTED]> wrote: > How Debian users can know there is a new version in experimental? > There are some messages in debian-devel, or blogs on planet, but not all > users or developers are reading them. > > Is there a command that can display the list of packages

Re: Experimental or unstable.

On Thu, Jan 05, 2006 at 02:03:37PM +, Simon Huggins wrote: > On Thu, Jan 05, 2006 at 02:44:38PM +0100, Adeodato Simó wrote: > > * Marc Haber [Thu, 05 Jan 2006 14:40:45 +0100]: > > > Experience with adduser shows that no-one besides the maintainers > > > themselves and their closest environment

Re: Experimental or unstable.

Hi DDs, > [[ Marc Haber ]] > Experience with adduser shows that no-one besides the maintainers > themselves and their closest environment uses experimental packages. > [[ Simon Huggins ]] > See this worries me a bit. > > I'd love for Debian users to test some more cutting edge versions of > pack

Re: bits from the release team

On Thu, Jan 05, 2006 at 02:40:45PM +0100, Marc Haber wrote: > On Wed, 04 Jan 2006 14:25:17 +0100, Josselin Mouette <[EMAIL PROTECTED]> > wrote: > >Unstable means dependencies can be broken, not that packages themselves > >can always broken. Each and every single package uploaded to unstable > >shou

Re: replacing sysklogd

Bas Zoetekouw wrote: > Hi Nathanael! > > You wrote: > > >>284914 -- trivial bug in klogd. >> I still say we switch to another syslogd implementation and remove >> sysklogd entirely. It's got 4 RC bugs and 99 bugs total, including 34 >> patches. Effectively, it's unmaintained, but Joey hasn'

Re: Experimental or unstable.

I'd love for Debian users to test some more cutting edge versions of packages (partly so upstream gets more testers, partly so I can see the bits I hate about the new versions and try to get them fixed) but I don't want them in testing now until they are properly released as a stable series. In f

Experimental or unstable.

On Thu, Jan 05, 2006 at 02:44:38PM +0100, Adeodato Simó wrote: > * Marc Haber [Thu, 05 Jan 2006 14:40:45 +0100]: > > Experience with adduser shows that no-one besides the maintainers > > themselves and their closest environment uses experimental packages. > More evidence: > http://www.perrier

Re: bits from the release team

* Marc Haber [Thu, 05 Jan 2006 14:40:45 +0100]: > Experience with adduser shows that no-one besides the maintainers > themselves and their closest environment uses experimental packages. More evidence: http://www.perrier.eu.org/weblog/2005/09/30#experimental-useless -- Adeodato Simó

Re: bits from the release team

On Wed, 04 Jan 2006 14:25:17 +0100, Josselin Mouette <[EMAIL PROTECTED]> wrote: >Unstable means dependencies can be broken, not that packages themselves >can always broken. Each and every single package uploaded to unstable >should be of release quality. Otherwise, it should go to experimental. Ex

Re: Fwd: Bug#344758: init.d script should create /var/run/dirmngr

On Wed, 04 Jan 2006, Steve Langasek wrote: > On Wed, Jan 04, 2006 at 10:43:57PM -0200, Henrique de Moraes Holschuh wrote: > > > > Do it. We are *heavly* considering support for ephemeral /var/run (which is > > orthogonal to /run or anything else in that topic), so you might as well do > > it now

Re: slirp and slang-slirp

On Thu, Jan 05, 2006 at 03:53:01PM +0530, Kapil Hari Paranjape wrote: > Hello, > > Apologies in advance if debian-devel is the wrong list. I think this is > a bug but I don't know against which virtual package so I am posting it > here in the hope that someone will see it. > > The "slirp" source

slirp and slang-slirp

Hello, Apologies in advance if debian-devel is the wrong list. I think this is a bug but I don't know against which virtual package so I am posting it here in the hope that someone will see it. The "slirp" source package in testing has been "taken-over" by the "Debian JED Group"---but what they a

Re: replacing sysklogd (was: Oldest RC bugs affecting etch)

Hi Nathanael! You wrote: > 284914 -- trivial bug in klogd. > I still say we switch to another syslogd implementation and remove > sysklogd entirely. It's got 4 RC bugs and 99 bugs total, including 34 > patches. Effectively, it's unmaintained, but Joey hasn't orphaned it. > It's a sloppy