Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Jonathan Dowland
On Thu, Oct 16, 2014 at 05:42:23AM +0200, Christoph Anton Mitterer wrote: > On Wed, 2014-10-15 at 18:31 -0700, Russ Allbery wrote: > > It feels to me like you're spending lots of time telling other people > > they're wrong and telling other people what they should be spending time > > on, and then

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Andreas Tille
Hi Bas, On Wed, Oct 15, 2014 at 07:49:32PM +0200, Bas Wijnen wrote: > > > For the moment the way to install Blends is to use the plain Debian > > installer and afterwards install a bunch of metapackages. > > Ah, and that's what you want to change now. That sounds like a very > good idea. :-)

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Arto Jantunen
Joey Hess writes: > In general, I think that Debian needs to identify upstreams that are > being proactive about dropping old crypto algos, and those that are not. > Major browsers, openssh upstream, etc are going to be more on top of > this than we are, and make better decisions. Web servers prob

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Lars Wirzenius
On Thu, Oct 16, 2014 at 05:42:23AM +0200, Christoph Anton Mitterer wrote: > On Wed, 2014-10-15 at 18:31 -0700, Russ Allbery wrote: > > It feels to me like you're spending lots of time telling other people > > they're wrong and telling other people what they should be spending time > > on, and then

Bug#765512: marked as done (general: distrust old crypto algos and protocols perdefault)

2014-10-15 Thread Debian Bug Tracking System
Your message dated Thu, 16 Oct 2014 05:42:23 +0200 with message-id <1413430943.4706.42.ca...@scientia.net> and subject line Re: Bug#765512: general: distrust old crypto algos and protocols perdefault has caused the Debian Bug report #765512, regarding general: distrust old crypto algos and protoco

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 18:31 -0700, Russ Allbery wrote: > It feels to me like you're spending lots of time telling other people > they're wrong and telling other people what they should be spending time > on, and then arguing with anyone who tells you that how you're going about > this isn't effect

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Ian Jackson
Christoph Anton Mitterer writes ("Re: Bug#765512: general: distrust old crypto algos and protocols perdefault"): > So what's wrong about my approach, apart from the paradigm "security > first"? Firstly, I agree with everything Russ has said. But secondly, I would worry that you're perhaps not pa

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Russ Allbery
Christoph Anton Mitterer writes: > So what's wrong about my approach, apart from the paradigm "security > first"? It feels to me like you're spending lots of time telling other people they're wrong and telling other people what they should be spending time on, and then arguing with anyone who te

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 23:44 +, brian m. carlson wrote: > HIGH:MEDIUM:!aNULL is a better default. Still allows quite a number of combinations I probably wouldn't want to entrust my data: RC4 stuff, DSS stuff, even some MD5 combination is in the list.

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Thu, 2014-10-16 at 10:55 +1100, Brian May wrote: > What about security updates? Should Debian be releasing wheezy > security updates for browsers, web servers, etc, that disable SSLv3 > by default now that SSLv3 is considered insecure? I'd guess that as soon as the respective vendor issues a

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 13:58 -0700, Russ Allbery wrote: > The approach that you are taking to this discussion is destroying my > desire and willingness to explain to you all of the nuance that you're > ignoring. Well I respect that you have another opinion on security, but I didn't demand you to ex

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Brian May
On 16 October 2014 10:44, brian m. carlson wrote: > Unfortunately, not all upstreams make good decisions. OpenSSL ships > with a set of default ciphers that is completely insecure. There is no > reason that every application using OpenSSL directly or indirectly[0] > should have to disable expor

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread brian m. carlson
On Wed, Oct 15, 2014 at 01:58:34PM -0700, Russ Allbery wrote: > It's unlikely that you're going to be able to make better cost/benefit > decisions about these things than well-informed upstreams for general use > cases. Debian is targeted for general use cases. If we were making a > security-hard

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread brian m. carlson
On Wed, Oct 15, 2014 at 11:47:07PM +0100, Ian Jackson wrote: > Joey Hess writes ("Bug#765512: general: distrust old crypto algos and > protocols perdefault"): > > Instead, it makes sense to adapt workflows that do not trust git hashes, > > which mostly means making signed tags and commits, and che

Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Ian Jackson
Joey Hess writes ("Bug#765512: general: distrust old crypto algos and protocols perdefault"): > Instead, it makes sense to adapt workflows that do not trust git hashes, > which mostly means making signed tags and commits, and checking the > signatures. This is something Debian could improve in man

Re: Bug#765522: ITP: elixir -- Functional language for the Erlang VM

2014-10-15 Thread Andrei POPESCU
Control: reassign -1 wnpp Control: severity -1 wishlist On Jo, 16 oct 14, 00:12:10, Evgeny Golyshev wrote: > Package: wnpp Severity: wishlist > Owner: Evgeny Golyshev > > * Package name : elixir > * Version : 1.0.1 > * Upstream Author : José Valim > * URL : http://elix

Re: bash exorcism experiment ('bug' 762923 & 763012)

2014-10-15 Thread Ian Jackson
Wouter Verhelst writes ("Re: bash exorcism experiment ('bug' 762923 & 763012)"): > But that's *also* not the point. The point is that we have a policy > which states particular things, and that you should follow that policy. > If you think policy is wrong, you're welcome to change it; doing so > re

Re: piece of mind (Re: Moderated posts?)

2014-10-15 Thread Adam Borowski
On Wed, Oct 15, 2014 at 01:49:43PM -0400, Joey Hess wrote: > Thorsten Glaser wrote: > > On Mon, 13 Oct 2014, Joey Hess wrote: > > > > > Only thing I don't understand is why so few votes for systemd-shim out > > > of the group who has it installed. > > > > Maybe noatime? That’s probably popular on

Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Florian Weimer
* Christoph Anton Mitterer: > Not sure if there is already some concentrated effort, but I think > there should be one, i.e.: Fedora is currently working on this: However, it is an ongoing effort to make applications adhere to the system d

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Russ Allbery
Christoph Anton Mitterer writes: > On Wed, 2014-10-15 at 12:55 -0700, Russ Allbery wrote: >> For another example, upstream for both Heimdal and MIT Kerberos know >> very well what the situation is with the RC4 use in the Kerberos >> protocol and are making well-informed decisions based on compati

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 21:55 +0200, Jonas Meurer wrote: > While I appreciate your efforts to raise security-relevant topics within > the Debian distribution, I have to admit that exactly the same happens > to quite a few of your "meta-bugreports" as well. There's a lot of > discussion and a few cha

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Jonathan Dowland
On Wed, Oct 15, 2014 at 09:44:43PM +0200, Christoph Anton Mitterer wrote: > Well a bug is at least something, where one has a central log of all > discussions... and where one can really keep track of... Only if people remember to copy it. And that's less likely to happen when you start getting do

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Jonas Meurer
Hey, Am 15.10.2014 um 21:44 schrieb Christoph Anton Mitterer: > On Wed, 2014-10-15 at 20:25 +0100, Jonathan Dowland wrote: >> There are a number of mechanisms for proposing and tracking distro-wide >> changes, such as release goals and DEPs in some cases. But this is not what >> the >> general b

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Russ Allbery
Joey Hess writes: > In general, I think that Debian needs to identify upstreams that are > being proactive about dropping old crypto algos, and those that are not. > Major browsers, openssh upstream, etc are going to be more on top of > this than we are, and make better decisions. Web servers pro

Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 15:18 -0400, Joey Hess wrote: > I've talked about this with the git developers before, and while they > seemed to have some ideas for how to handle a conversion to a different > hash, they're not keen on doing it until forced by SHA1 being more > broken than it is now. Well,.

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
On Wed, 2014-10-15 at 20:25 +0100, Jonathan Dowland wrote: > There are a number of mechanisms for proposing and tracking distro-wide > changes, such as release goals and DEPs in some cases. But this is not what > the > general bug is for. Please choose something and then kindly close this bug. We

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Jonas Smedegaard
Quoting Bas Wijnen (2014-10-15 19:49:32) > On occasion, I've needed a single-use system; something that boots up > into an application and that shuts down when that application exits. > (Having the full power of Debian in the background is a nice feature, > but mostly unused.) For example, for

Re: bash exorcism experiment ('bug' 762923 & 763012)

2014-10-15 Thread Wouter Verhelst
On Wed, Oct 15, 2014 at 10:10:00AM +0200, Marco d'Itri wrote: > On Oct 15, Wouter Verhelst wrote: > > If you target posh, you target all shells that policy allows for -- > > including those that are smaller and/or faster than dash. > > Can you list some, and what benefits they would bring over das

Re: Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Jonathan Dowland
There are a number of mechanisms for proposing and tracking distro-wide changes, such as release goals and DEPs in some cases. But this is not what the general bug is for. Please choose something and then kindly close this bug.

Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Joey Hess
Christoph Anton Mitterer wrote: > For git it's e.g. quite clear that it's use of SHA1 *is* security > relevant. I've talked about this with the git developers before, and while they seemed to have some ideas for how to handle a conversion to a different hash, they're not keen on doing it until for

Re: Built-Using, again…

2014-10-15 Thread Andreas Barth
* Paul Wise (p...@debian.org) [141015 17:22]: > [ powerpc buildd admins ] > According to LDAP it appears to be wouter, he, pkern. This list is incomplete. There are more people, especially there is a group who is buildd admin on all buildds, and tends to fix problems if they are known. (However, t

Re: Built-Using, again…

2014-10-15 Thread Andreas Barth
* Thorsten Glaser (t...@mirbsd.de) [141013 12:05]: > sbuild/buildd runs apt-get update, but not apt-get *upgrade, > before each build. But I assume this should not be changed > either… > > So we need either a technical, or a policy-ical, or a human, > solution to this problem, right? Or we just h

Re: Built-Using, again…

2014-10-15 Thread Andreas Barth
* Thorsten Glaser (t.gla...@tarent.de) [141015 16:20]: > On Wed, 15 Oct 2014, Cyril Brulebois wrote: > > > Thorsten Glaser (2014-10-15): > > > Who are powerpc buildd admins, again? > > > > Still listed at the same location since last time you asked: > > Yeah, I tend to forget it. > > > https

Bug#765512: general: distrust old crypto algos and protocols perdefault

2014-10-15 Thread Christoph Anton Mitterer
Package: general Severity: important Tags: security Hi. Not sure if there is already some concentrated effort, but I think there should be one, i.e.: --- To disable crypto algorithms and protocols per default, which are known to be no longer secure, across Debian. And ideally, to default to s

Re: what free software is about/and supporting nonfree?, maybe add to clause 5?

2014-10-15 Thread Wouter Verhelst
On Sun, Oct 12, 2014 at 08:26:04PM +0200, Bas Wijnen wrote: > On Sun, Oct 12, 2014 at 02:07:09PM +0200, Wouter Verhelst wrote: > > The FSF has a stated goal of wanting to eradicate all non-free software. > > That's fine, that's their right, and if they manage to do that, more > > power to them. >

Re: Built-Using, again…

2014-10-15 Thread Wouter Verhelst
Hi Thorsten, On Mon, Oct 13, 2014 at 12:05:21PM +0200, Thorsten Glaser wrote: [...] > from dak, because the version is neither in testing (yet or > still) and not in unstable (any more) and so not known to > dak. The buildd admins do not react on this and happily > ignore eMails asking them, polit

Re: piece of mind (Re: Moderated posts?)

2014-10-15 Thread Joey Hess
Thorsten Glaser wrote: > On Mon, 13 Oct 2014, Joey Hess wrote: > > > Only thing I don't understand is why so few votes for systemd-shim out > > of the group who has it installed. > > Maybe noatime? That’s probably popular on desktops. “vote” does > not really say much, anyway. I doubt noatime ha

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Bas Wijnen
Hi, On Wed, Oct 15, 2014 at 09:31:36AM +0200, Andreas Tille wrote: > You belong to a majority if I might conclude from my experience. I have > no idea whether I should feel responsible for this but I'm fighting on > several fronts like the extensive documentation[1] and countless > talks[2] as we

Bug#765509: ITP: python-flask-admin -- admin interface extension for Flask

2014-10-15 Thread Arto Jantunen
Package: wnpp Severity: wishlist Owner: Arto Jantunen * Package name: python-flask-admin Version : 1.0.8 Upstream Author : Serge S. Koval * URL : https://github.com/mrjoes/flask-admin * License : BSD Programming Lang: Python Description : admin interfa

Re: Determining, ad hoc, whether someone is a DD

2014-10-15 Thread Jonathan McDowell
On Wed, Oct 15, 2014 at 03:02:07PM +0100, Ian Jackson wrote: > Many of our lookup interfaces don't give out a clear indication of the > status of the person you are looking up. Eg db.debian.org contains > DMs and DDs and the public lookup doesn't distinguish. > www.debian.org/devel/people lists ma

Re: [OT] $*/$@/$IFS and Bourne vs Almquist vs Korn vs mksh

2014-10-15 Thread Stephane Chazelas
2014-10-15 16:19:00 +0200, Thorsten Glaser: [...] > tglase@tglase:~ $ dash -c 'IFS=; x=abc; printf "<%s>\n" ${x#$*}' x a b | sed > -n l > $ > $ > tglase@tglase:~ $ ksh93 -c 'IFS=; x=abc; printf "<%s>\n" ${x#$*}' x a b | sed > -n l > $ > tglase@tglase:~ $ mksh -c 'IFS=; x=abc; printf "<%s>\n" ${x#

Bug#765493: ITP: bifrost -- Intelligent self-learning whitelist-based web application firewall

2014-10-15 Thread Joao Eriberto Mota Filho
Package: wnpp Severity: wishlist Owner: Joao Eriberto Mota Filho * Package name: bifrost Version : 0.1.0-alpha Upstream Author : Jan Seidl * URL : https://github.com/jseidl/bifrost * License : MIT Programming Lang: Python Description : Intelligent self

Re: Built-Using, again…

2014-10-15 Thread Paul Wise
On Wed, Oct 15, 2014 at 10:20 PM, Thorsten Glaser wrote: > On Wed, 15 Oct 2014, Cyril Brulebois wrote: >> https://www.debian.org/intro/organization > > Ah wonderful, a set of 0 people. No surprise then. Unfortunately that page is maintained manually. According to LDAP it appears to be wouter, h

Re: Determining, ad hoc, whether someone is a DD

2014-10-15 Thread Paul Wise
On Wed, Oct 15, 2014 at 10:02 PM, Ian Jackson wrote: > db.debian.org contains DMs and DDs db.d.o does not contain DMs AFAIK, but it does have guest accounts and indeed doesn't distinguish those. DSA have been working on a replacement for our current interface and could use help with improving it.

Re: Determining, ad hoc, whether someone is a DD

2014-10-15 Thread Paul Wise
On Wed, Oct 15, 2014 at 10:02 PM, Ian Jackson wrote: > [1] I'm told that looking at db.d.o ldapsearch can help if you then > see whether the user has `gidNumber=800' or perhaps whether the user > has `objectClass=debianDeveloper' but there are rumours that the > latter is misleading. gidNumber is

[PATCH] link buildd admin mail template to organisational chart listing them

2014-10-15 Thread Thorsten Glaser
Signed-off-by: Thorsten Glaser --- library.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library.php b/library.php index a5a0d8e..43e2c45 100644 --- a/library.php +++ b/library.php @@ -1432,7 +1432,7 @@ function html_footer_text($raw=false) { echo " Page generated on

Re: Built-Using, again…

2014-10-15 Thread Thorsten Glaser
On Wed, 15 Oct 2014, Cyril Brulebois wrote: > Thorsten Glaser (2014-10-15): > > Who are powerpc buildd admins, again? > > Still listed at the same location since last time you asked: Yeah, I tend to forget it. > https://www.debian.org/intro/organization Ah wonderful, a set of 0 people. No s

Re: $*/$@/$IFS and Bourne vs Almquist vs Korn vs mksh

2014-10-15 Thread Thorsten Glaser
On Wed, 15 Oct 2014, Stephane Chazelas wrote: > $ mksh -c 'IFS=; x=abc; printf "<%s>\n" ${x#$*}' x a b | sed -n l > <\a\300a>$ > $ Interesting… but all shells diverge on this one. tglase@tglase:~ $ bash -c 'IFS=; x=abc; printf "<%s>\n" ${x#$*}' x a b | sed -n l $ tglase@tglase:~ $ dash -c 'IFS=

Re: piece of mind (Re: Moderated posts?)

2014-10-15 Thread Thorsten Glaser
On Mon, 13 Oct 2014, Joey Hess wrote: > Only thing I don't understand is why so few votes for systemd-shim out > of the group who has it installed. Maybe noatime? That’s probably popular on desktops. “vote” does not really say much, anyway. bye, //mirabilos -- Sometimes they [people] care too m

Determining, ad hoc, whether someone is a DD

2014-10-15 Thread Ian Jackson
Many of our lookup interfaces don't give out a clear indication of the status of the person you are looking up. Eg db.debian.org contains DMs and DDs and the public lookup doesn't distinguish. www.debian.org/devel/people lists maintainers, DMs and DDs without distinction. (This is contrary to the

Re: piece of mind (Re: Moderated posts?)

2014-10-15 Thread The Wanderer
On 10/14/2014 at 04:15 PM, Olav Vitters wrote: > On Sun, Oct 12, 2014 at 06:18:01PM +0200, lee wrote: > >> Considering that the users are Debians' priority, couldn't this >> issue be a case in which significant concerns from/of the users >> about an issue might initiate a GR? Wouldn't it speak l

$*/$@/$IFS and Bourne vs Almquist vs Korn vs mksh (Was: bash exorcism experiment ('bug' 762923 & 763012))

2014-10-15 Thread Stephane Chazelas
2014-10-15 12:13:06 +0200, Thorsten Glaser: > On Mon, 13 Oct 2014, Stephane Chazelas wrote: > > > $*, $@, "$*" were not special in any way. They just underwent > > the same rules as other variables. Only "$@" was. > > This changed in POSIX sh though. I remember having > to change some things in mks

Re: Built-Using, again…

2014-10-15 Thread Cyril Brulebois
Thorsten Glaser (2014-10-15): > Who are powerpc buildd admins, again? Still listed at the same location since last time you asked: https://www.debian.org/intro/organization https://lists.debian.org/debian-devel/2014/07/msg00446.html KiBi.

Re: Built-Using, again…

2014-10-15 Thread Thorsten Glaser
On Mon, 13 Oct 2014, Wookey wrote: > I _think_ we don't do this because the upgrading uses a lot of time on > buildds, especially slow ones. I did do this (build in snapshot, Right. > the same packages over and over until the snapshot was updated (which > was manual and done approx weekly). This

Re: bash exorcism experiment ('bug' 762923 & 763012)

2014-10-15 Thread Thorsten Glaser
On Mon, 13 Oct 2014, Stephane Chazelas wrote: > $*, $@, "$*" were not special in any way. They just underwent > the same rules as other variables. Only "$@" was. This changed in POSIX sh though. I remember having to change some things in mksh to adhere to 2008 and post-2008. bye, //mirabilos --

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Andreas Tille
Hi Holger, On Wed, Oct 15, 2014 at 10:25:20AM +0200, Holger Levsen wrote: > Hi, > > On Dienstag, 14. Oktober 2014, Andreas Tille wrote: > > While this "no" means: There exist 1 or 2 Blends focussing on a > > specific desktop environment (as far as I know Debian Edu and Ezgo) but > > Debian Edu

Re: bash exorcism experiment ('bug' 762923 & 763012)

2014-10-15 Thread Marco d'Itri
On Oct 15, Wouter Verhelst wrote: > If you target posh, you target all shells that policy allows for -- > including those that are smaller and/or faster than dash. Can you list some, and what benefits they would bring over dash? -- ciao, Marco

Bug#765444: RFP: mustache-java -- Mustache (templating language) implementation in Java

2014-10-15 Thread Hilko Bengen
Package: wnpp Severity: wishlist * Package name: mustache-java Version : 0.8.17 Upstream Author : Sam Pullara * URL or Web page : http://github.com/spullara/mustache.java * License : Apache-2.0 Description : Mustache (templating language) implementation in Java --

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Andreas Tille
Hi, On Tue, Oct 14, 2014 at 08:29:47PM +0200, Jonas Smedegaard wrote: > > Well, Blends and "the desktop situation" could be considered > orthogonal. > > > > Do all blends work well with all desktop environments? > > No. While this "no" means: There exist 1 or 2 Blends focussing on

Re: Any news about Blends in tasks selection (Was: Debian Installer Jessie Beta 2 release)

2014-10-15 Thread Andreas Tille
Hi Bas, On Tue, Oct 14, 2014 at 07:19:36PM +0200, Bas Wijnen wrote: > On Tue, Oct 14, 2014 at 11:20:02AM +0200, Andreas Tille wrote: > > I admit I expected *you* to know about Blends for a while - but > > considering the video recorded quote I think I was not wrong using this > > chance to point t

Re: bash exorcism experiment ('bug' 762923 & 763012)

2014-10-15 Thread Wouter Verhelst
On Sun, Oct 12, 2014 at 10:05:20PM +0200, Florian Weimer wrote: > If you need array variables, it's likely that the script has grown so > complex that switching to another language is a good idea. /etc/init.d/nbd-client It's not exactly *needed*; I could replace it with a set of eval instructions