Re: Master ssh fingerprint

2003-12-01 Thread Marc Haber
On Mon, 01 Dec 2003 15:49:14 +0100, Marc Haber <[EMAIL PROTECTED]> wrote: >Actually, yes. Actually, it is bad to do four things simultaneously _and_ to read -devel as a fifth. Peter is of course right. The keys are compromised and shouldn't be re-used. Greetings Marc -- ---

Re: Demudi.org

2003-12-01 Thread guenter geiger
On Mon, 1 Dec 2003, Andrea Glorioso wrote: > zh> and debian-multimedia (which I am on) was kind of moving > zh> forward on the implementation. > > I'm not sure what you mean here. > > The original idea I discussed with Guenter Geiger and Marco Trevisani > was that debian-multimedia

Re: RFC: Create d-user-woody, d-user-sarge maillists, deactivate d-user

2003-12-01 Thread Chad Walstrom
On Mon, Dec 01, 2003 at 03:51:44AM -0800, Hereon wrote: > Request For Comment on: > Enhancing the Debian mailing lists by: > Creating debian-user-woody and debian-user-sarge mailing lists, > and deactivating debian-user. Bad idea. It's generally wrong to assume that more email lists will re

Re: Demudi.org

2003-12-01 Thread Andrea Glorioso
> "gg" == guenter geiger <[EMAIL PROTECTED]> writes: gg> I think I have to clear up some misconceptions here. At the gg> beginning of this year I stopped packaging for demudi gg> directly, and put all my packaging effort into making packages gg> for Debian proper.

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Anthony Towns
On Mon, Dec 01, 2003 at 12:36:37PM +0100, Andreas Tille wrote: > This is right but under the terms we defined in Oslo also your first > example belongs to this group. The problem is that there was no > official announcement where "Custom Debian" was *defined*. These sorts of terms are generally

Re: problem with bugs.debian.org

2003-12-01 Thread Anthony Towns
On Mon, Dec 01, 2003 at 01:35:38PM +0100, Stefano Zacchiroli wrote: > On Mon, Dec 01, 2003 at 12:24:52PM +0100, Oliver Kurth wrote: > > http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=webfs&arch=source > > http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=webfs [or any other url containing "pkgrep

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Anthony Towns
On Mon, Dec 01, 2003 at 10:55:36AM +0100, Enrico Zini wrote: > Could you please define precisely "flavours" and "derivative distros"? Damn, I thought I'd already done that. Since I evidently didn't, I'm going to spell things out in as much boring detail as I can. If I don't end up insulting your

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Mon, Dec 01, 2003 at 03:30:58PM +0100, Thomas Viehmann wrote: > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb > _deb_signature ; md5sum my.deb" gives two different lines, I'd think > signing the individual members of the deb, not the deb in itself is Please check out th

Re: Revival of the signed debs discussion

2003-12-01 Thread Scott James Remnant
On Mon, 2003-12-01 at 13:34, Goswin von Brederlow wrote: > We have no continuous trust chain going from the maintainer (also > meaning buildd + admin), ftp-master.d.o, mirrors to the user. A > compromised dinstall on master could replace binary uploads with > trojan versions without any user being

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Mon, Dec 01, 2003 at 03:56:59PM +, Scott James Remnant wrote: > Assuming that level of compromise, there's no reason to suspect that > they couldn't have free reign adding anything to the archive they > wanted. Signed .debs gain you nothing here. If every .deb must be signed by a developer

debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Eduard Bloch
#include John Goerzen wrote on Monday, 01 December 2003: > Debsigs generates its signature by effectively cating the control and > data components of the ar file together, running that through gpg, and > storing the resulting signature data in a new component of the ar file. > I did test t

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Mon, Dec 01, 2003 at 05:00:53PM +, Scott James Remnant wrote: > No Cc was necessary, I am subscribed to debian-devel. Please set your Mail-Followup-To accordingly, then. > > If every .deb must be signed by a developer, and we assume that no > > developer leaves secret keys on public machine

Re: problem with bugs.debian.org

2003-12-01 Thread Thomas Viehmann
Anthony Towns wrote: > It should happen with all recently filed bugs; basically the indices > aren't being updated properly. That's a bit odd, actually, since they're I actually have a bug submission dated November 29 (MsgID <[EMAIL PROTECTED]>) that is correctly transmitted to master.d.o, but I ha

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Andreas Tille
On Tue, 2 Dec 2003, Anthony Towns wrote: > On Mon, Dec 01, 2003 at 10:55:36AM +0100, Enrico Zini wrote: > > Could you please define precisely "flavours" and "derivative distros"? > > Damn, I thought I'd already done that. The problem is that we want to get those "Custom Debian Distributions" which

Re: Revival of the signed debs discussion

2003-12-01 Thread Marc Haber
On Mon, 01 Dec 2003 15:56:59 +, Scott James Remnant <[EMAIL PROTECTED]> wrote: >Download the source package components, verify their MD5 signatures >against the Sources file, verify the MD5 signature of the Sources file >against the Release file and verify that file's GPG signature. This >prov

Re: Revival of the signed debs discussion

2003-12-01 Thread Scott James Remnant
On Mon, 2003-12-01 at 17:35, John Goerzen wrote: > On Mon, Dec 01, 2003 at 05:00:53PM +, Scott James Remnant wrote: > > No Cc was necessary, I am subscribed to debian-devel. > > Please set your Mail-Followup-To accordingly, then. > You are now kill-filed, I will not reply to the rest of this

Re: make-kpkg question

2003-12-01 Thread Liberty Young
On Sat, 2003-11-22 at 09:35, Manoj Srivastava wrote: > On Wed, 19 Nov 2003 10:46:52 -0700, Liberty Young <[EMAIL PROTECTED]> said: > > > I'm building kernels for an embedded x86 product, and I'm falling in > > love with make-kpkg. My only problem is that make-kpkg > > --added-modules pcmcia-cs ke

Re: Demudi.org

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 02:06, Andrea Glorioso wrote: > > "gg" == guenter geiger <[EMAIL PROTECTED]> writes: > > gg> I think I have to clear up some misconceptions here. At the > gg> beginning of this year I stopped packaging for demudi > gg> directly, and put all my pack

[debian enterprise] sub-project planning

2003-12-01 Thread Andres Salomon
I have discussed the idea of a Debian Enterprise sub-project with various people, and have concluded that it's a worthy goal. I have listed the technical reasons/goals for this sub-project below. Initial preparation for Debian Enterprise will take place within Debian itself, with the following sh

Re: Source only uploads? -- Survey evaluation

2003-12-01 Thread Steve Greenland
On 01-Dec-03, 08:26 (CST), Roland Stigge <[EMAIL PROTECTED]> wrote: > > Unfortunately, there wasn't much response to this. Maybe this is related > to the big Debian KO. Or maybe because making technical decisions by voting is silly. Steve -- Steve Greenland The irony is that Bill Gates cl

Re: [custom] Custom Debian Distributions

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 02:46, Anthony Towns wrote: > So, using my definitions, the following conclusions are (IMO) true: > > * all flavours are policy compliant > > * some derived distros might be policy compliant Do you mean to include, eg. derived distros including non-free software

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Michael Ablassmeier
hi Eduard, On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote: > - current md5sums file in control.tar.gz should contain >checksums of really all files Unfortunately many Maintainers do not use "dh_md5sums" to ship an .md5sums File in

[custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
Seems like now is a good time to start a new thread. Including [custom] tag too... On Mon, 2003-12-01 at 22:36, Alexander Kitzberger wrote: > Hello, > we and a couple of other linux companies are also thinking this way, > and we would like also to support a enterprise debian. > > We have the pro

Re: [debian enterprise] sub-project planning

2003-12-01 Thread David B Harris
On Mon, 01 Dec 2003 13:12:52 -0500 Andres Salomon <[EMAIL PROTECTED]> wrote: > I have discussed this sub-project extensively at Voxel, and we are > willing to commit to seeing this idea through - in a manner that allows > the Debian community to benefit from resources that we put into it. We > are

Re: Bug#222076: /etc/init.d/xdm: if stop from within, cannot start again

2003-12-01 Thread Branden Robinson
tag 222076 + wontfix retitle 222076 xdm: init script's execution can be terminated prematurely if invoke-rc.d run from child process of xdm thanks On Sun, Nov 23, 2003 at 05:09:38AM +0800, Dan Jacobson wrote: > Package: xdm > Version: 4.2.1-13 > Severity: important > File: /etc/init.d/xdm > > If

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread christophe barbe
On Mon, Dec 01, 2003 at 07:43:17PM +0100, Michael Ablassmeier wrote: > Unfortunately many Maintainers do not use "dh_md5sums" to ship > an .md5sums File in their Package(s). This makes it harder to > check the already installed Files on a Debian installation. > > I think, at least Packages like "d

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Mon, Dec 01, 2003 at 05:54:17PM +, Scott James Remnant wrote: > On Mon, 2003-12-01 at 17:35, John Goerzen wrote: > > > No Cc was necessary, I am subscribed to debian-devel. > > > > Please set your Mail-Followup-To accordingly, then. I guess quibbling about CCs is a great way to disguise th

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Mon, Dec 01, 2003 at 05:54:17PM +, Scott James Remnant wrote: > > Please set your Mail-Followup-To accordingly, then. > > > You are now kill-filed, I will not reply to the rest of this post. > > 1) Please re-read the etiquette of the Debian mailing lists as published >at http://www.deb

Re: [debian enterprise] sub-project planning

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 05:12, Andres Salomon wrote: > I have discussed the idea of a Debian Enterprise sub-project with > various people, and have concluded that it's a worthy goal. I have > listed the technical reasons/goals for this sub-project below. Great to hear. I started a web page at http:

(no subject)

2003-12-01 Thread TREXDENIM
To Whom It May Concern; I'm sorry but your e mail address was added automatically to by list and I do not know who you are? Please advise: Your company What do you do? Regards, Don

Re: [debian enterprise] sub-project planning

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 05:46, David B Harris wrote: > On Mon, 01 Dec 2003 13:12:52 -0500 > Andres Salomon <[EMAIL PROTECTED]> wrote: > > I have discussed this sub-project extensively at Voxel, and we are > > willing to commit to seeing this idea through - in a manner that allows > > the Debian commu

Re: [debian enterprise] sub-project planning

2003-12-01 Thread Steve Kemp
On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote: > Great to hear. I started a web page at http://debian-enterprise.org/. Aren't we still waiting for clarification on the use of "Debian" in domain names, etc? As highlighted by the Adamantix name changed? > And as I put on the

Re: debsums for maintainer scripts

2003-12-01 Thread Thomas Viehmann
Michael Ablassmeier wrote: > IMHO Lintian should also check if "dh_md5sums" is called and > print at least a warning if this is not the case. In principle, I agree, but maybe it's better to check for the presence of an md5sums file than to "force" (haha) people who don't like it to do this. Attach

Re: Source only uploads? -- Survey evaluation

2003-12-01 Thread Andreas Barth
* Roland Stigge ([EMAIL PROTECTED]) [031201 15:55]: > On Sat, 2003-11-15 at 14:50, Roland Stigge wrote: > > [...] > > Instead, I volunteer to host a small, unofficial and non-anonymous > > survey to get an impression of the community's opinion. If you are a > > Debian Developer, please send me a pr

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Michael Ablassmeier
On Mon, Dec 01, 2003 at 01:56:09PM -0500, christophe barbe wrote: > Before mass bug-filling, it would be necessary to make it mandatory > which unfortunately is not the case right now afaik. No, it is not mandatory. However, it would be a nice Wishli

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Henrique de Moraes Holschuh
On Mon, 01 Dec 2003, christophe barbe wrote: > Before mass bug-filling, it would be necessary to make it mandatory > which unfortunately is not the case right now afaik. Deployment plan for md5sums everywhere: 1. List packages that do not have a md5sum included. For every package in the list:

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Bruce Perens
Zenaan, Thanks. I can't get to your site at the moment. I have just closed out some customer work that has been taking up 100% of my time, and am today writing a manifesto that I will post at userlinux.com . I will read the debian-devel postings and, hopefully, your site before I do that. I

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Andreas Tille
On Tue, 2 Dec 2003, Zenaan Harkness wrote: > Seems like now is a good time to start a new thread. Including [custom] > tag too... :) > I have started a web site at > > http://debian-enterprise.org/ Did you apt-get install subproject-howto ? It might help you registering a site under www.deb

Re: [debian enterprise] sub-project planning

2003-12-01 Thread Andreas Tille
On Tue, 2 Dec 2003, Zenaan Harkness wrote: > I guess if you're a DD (I'm in the NM-process myself), you can create > "official" Debian wiki, etc? If I'm not completely wrong you do not need to be a DD to get CVS access to wml pages. Kind regards Andreas.

Re: (no subject)

2003-12-01 Thread Greg Folkert
On Mon, 2003-12-01 at 14:11, [EMAIL PROTECTED] wrote: > To Whom It May Concern; > > I'm sorry but your e mail address was added automatically to by > list and I do not know who you are? > > Please advise: > Your company > What do you do? This is a Linux Distribution Mailing List fo

Re: Revival of the signed debs discussion

2003-12-01 Thread Andreas Barth
* John Goerzen ([EMAIL PROTECTED]) [031201 17:40]: > Even if the attacker could place a new keyring file in the archive, > people verifying signatures on signed .debs would not install it, since > it would not have the signature of a developer. And to be honest: If all debs are signed, and it is e

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread David B Harris
On Mon, 01 Dec 2003 11:45:35 -0800 Bruce Perens <[EMAIL PROTECTED]> wrote: > I am still negotiating with the large industry group that approached me > about this project. When the price tag is north of $1M, it takes time. > If that works out, they would fund 3-5 engineers full-time, plus myself

Re: [debian enterprise] sub-project planning

2003-12-01 Thread David B Harris
On Tue, 02 Dec 2003 06:27:12 +1100 Zenaan Harkness <[EMAIL PROTECTED]> wrote: > > Any thoughts on that? Anybody from HP or IBM here want to weigh in? > > My primary thought wrt making money from Free Software - make as much as > we possibly can - at least that's my goal, so that I can provide for

Re: Revival of the signed debs discussion

2003-12-01 Thread Andreas Barth
* Marc Haber ([EMAIL PROTECTED]) [031201 18:25]: > On Mon, 01 Dec 2003 15:56:59 +, Scott James Remnant > <[EMAIL PROTECTED]> wrote: > >Download the source package components, verify their MD5 signatures > >against the Sources file, verify the MD5 signature of the Sources file > >against the Rel

Re: Revival of the signed debs discussion

2003-12-01 Thread Andreas Barth
* Scott James Remnant ([EMAIL PROTECTED]) [031201 18:40]: > On Mon, 2003-12-01 at 16:26, John Goerzen wrote: > > Even if the attacker could place a new keyring file in the archive, > > people verifying signatures on signed .debs would not install it, since > > it would not have the signature of a d

Anaconda for Debian (and more) now available at platform.progeny.com

2003-12-01 Thread Ian Murdock
We've completed the migration from internal CVS to external Subversion and launched an umbrella site to house our various projects, as well as to detail our larger goals for doing all this. Among other things, the site contains instructions for how to retrieve our port of Red Hat's Anaconda install

Mass-filling against packages without MD5-sums? (was: debsums for maintainer scripts)

2003-12-01 Thread Andreas Barth
* Michael Ablassmeier ([EMAIL PROTECTED]) [031201 19:55]: > I think, at least Packages like "dpkg" or "gnupg" should call > "dh_md5sums". I was wondering, if it would be useful to make > a mass bug-filling against these Packages. Before, it would be > nice to have a List of Packages (maybe sorted

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Andreas Barth
* christophe barbe ([EMAIL PROTECTED]) [031201 20:10]: > On Mon, Dec 01, 2003 at 07:43:17PM +0100, Michael Ablassmeier wrote: > > Unfortunately many Maintainers do not use "dh_md5sums" to ship > > an .md5sums File in their Package(s). This makes it harder to > > check the already installed Files on

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Chad Walstrom
On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote: > Kinda off-topic but nowhere in the discussion the question of checking > already installed files was addressed and it should be asked: md5sums and signatures are most useful in the context of installation. Post-installation, you cannot

Re: [debian enterprise] sub-project planning

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 06:42, Steve Kemp wrote: > On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote: > > And as I put on the web page, a goal of debian-enterprise ("should be", > > IMHO) to explicitly support *for-profit* organisations. Let's make no > > bones about it - the goal is to

Using selections (was Re: [custom] Custom Debian Distributions)

2003-12-01 Thread Chad Walstrom
On Tue, Dec 02, 2003 at 05:38:15AM +1100, Zenaan Harkness wrote:
> * you can't always create a flavour to do what you want

# From a currently installed machine (or chroot)...
shell$ dpkg --get-selections > selections
shell$ vim selections
shell$ mv selections desktop.selections
shell$ m

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Chad Walstrom
On Tue, Dec 02, 2003 at 05:43:21AM +1100, Zenaan Harkness wrote: > - GNU ERP software project ?name? GNU Enterprise (gnue) http://www.gnue.org/ -- Chad Walstrom <[EMAIL PROTECTED]> http://www.wookimus.net/ assert(expired(knowledge)); /* core dump */

Re: Source only uploads? -- Survey evaluation

2003-12-01 Thread Roland Stigge
Hi Steve, >> Unfortunately, there wasn't much response to this. Maybe this is >> related to the big Debian KO. > Or maybe because making technical decisions by voting is silly. At this stage, I personally decided that more official efforts wouldn't be appropriate just to reflect the community's

Re: Revival of the signed debs discussion

2003-12-01 Thread Andreas Barth
* Goswin von Brederlow ([EMAIL PROTECTED]) [031201 14:40]: > Instead of keeping extra files with the signature of the deb the > information could be stored inside the deb itself. Of course the > signature can't be contained in the thing being signed. Instead the > signature would be added to the end

Re: XML files referencing DTDs via HTTP

2003-12-01 Thread Brian May
On Mon, Dec 01, 2003 at 01:51:31AM -0800, Tom wrote: > That's true. It can be any string. The fact that it just happens to > look like an HTTP url and DTD is actually at that URL is not part of the > standard, AFAIK. Errr, we are not getting confused?? An example is: http://www.oasis-open.or

Re: debsums for maintainer scripts

2003-12-01 Thread Thomas Viehmann
Henrique de Moraes Holschuh wrote: > On Mon, 01 Dec 2003, christophe barbe wrote: > >>Before mass bug-filling, it would be necessary to make it mandatory >>which unfortunately is not the case right now afaik. > > > Deployment plan for md5sums everywhere: At ~600 affected source packages, this s

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 07:08, Andreas Tille wrote: > On Tue, 2 Dec 2003, Zenaan Harkness wrote: > > I have started a web site at > > > > http://debian-enterprise.org/ > Did you > apt-get install subproject-howto I did actually - after your last such recommendation. Double thanks. > ? It migh

Re: debsums for maintainer scripts

2003-12-01 Thread Henrique de Moraes Holschuh
On Mon, 01 Dec 2003, Thomas Viehmann wrote: > Henrique de Moraes Holschuh wrote: > > On Mon, 01 Dec 2003, christophe barbe wrote: > > > >>Before mass bug-filling, it would be necessary to make it mandatory > >>which unfortunately is not the case right now afaik. > > > > > > Deployment plan for

Re: Source only uploads? -- Survey evaluation

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 01:26, Roland Stigge wrote: > Meanwhile, I strongly suggest the utilization of pbuilder{,-uml} to > increase quality. Some developers (not the ones who participated here) I > talked with have never used these tools. Their usage will prevent many > of those stupid FTBFS bugs.

Re: Mass-filling against packages without MD5-sums? (was: debsums for maintainer scripts)

2003-12-01 Thread Gergely Nagy
> * Michael Ablassmeier ([EMAIL PROTECTED]) [031201 19:55]: > > I think, at least Packages like "dpkg" or "gnupg" should call > > "dh_md5sums". I was wondering, if it would be useful to make > > a mass bug-filling against these Packages. Before, it would be > > nice to have a List of Packages (may

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Tom
On Mon, Dec 01, 2003 at 03:31:29PM -0500, David B Harris wrote: > (Why does money always need to get involved?) I think people start burnin' cars and shit if they don't have something to do all day. > Okay, that sort of turned into a rant :) I do apologise, but I'd > desperately like to help

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 06:45, Bruce Perens wrote: > Note there is also a gnUserlinux.org, but RMS objects to that name - > he feels that people will perceive it as an official FSF project if > the GNU comes first. This came as something of a surprise. :) I'd be betting you're not the only one. Ho

Re: XML files referencing DTDs via HTTP

2003-12-01 Thread Tom
On Tue, Dec 02, 2003 at 07:48:04AM +1100, Brian May wrote: > On Mon, Dec 01, 2003 at 01:51:31AM -0800, Tom wrote: > > That's true. It can be any string. The fact that it just happens to > > look like an HTTP url and DTD is actually at that URL is not part of the > > standard, AFAIK. > > Errr,

Re: Revival of the signed debs discussion

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 07:00, Andreas Barth wrote: > * John Goerzen ([EMAIL PROTECTED]) [031201 17:40]: > > Even if the attacker could place a new keyring file in the archive, > > people verifying signatures on signed .debs would not install it, since > > it would not have the signature of a develop

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread christophe barbe
On Mon, Dec 01, 2003 at 09:11:52PM +0100, Andreas Barth wrote: > > Before mass bug-filling, it would be necessary to make it mandatory > > which unfortunately is not the case right now afaik. > > Severity: wishlist > Where is the problem? Waste of time ? If it's not mandatory, a full coverage wi

Re: debsums for maintainer scripts

2003-12-01 Thread christophe barbe
On Mon, Dec 01, 2003 at 08:24:09PM +0100, Thomas Viehmann wrote: > Michael Ablassmeier wrote: > > IMHO Lintian should also check if "dh_md5sums" is called and > > print at least a warning if this is not the case. > In principle, I agree, but maybe it's better to check for the presence > of an md5s

Re: debian binary package

2003-12-01 Thread Artur R. Czechowski
Hello Frantisek, On Sat, Nov 29, 2003 at 03:55:20PM +0100, frantisek hrbata wrote: > /usr/local/lib/foo/ and manual pages in /usr/local/man/. when i invoke > dpkg -r or -P, dpkg wants to delete directories like /usr/local, > /usr/local/man and others. when a put files in right directories(binary >

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Bruce Perens
David B Harris wrote: (I don't know if you're subscribed to debian-devel@lists.debian.org, so I am resending this mail here. It's best to copy me on things you want me to read. Also note that mail that doesn't have my address in the To: or Cc: field won't go to my main inbox and is usually discar

Re: Mass-filling against packages without MD5-sums? (was: debsums for maintainer scripts)

2003-12-01 Thread Andreas Barth
* Gergely Nagy ([EMAIL PROTECTED]) [031201 23:10]: > > * Michael Ablassmeier ([EMAIL PROTECTED]) [031201 19:55]: > > > I think, at least Packages like "dpkg" or "gnupg" should call > > > "dh_md5sums". I was wondering, if it would be useful to make > > > a mass bug-filling against these Packages. B

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 07:31, David B Harris wrote: > On Mon, 01 Dec 2003 11:45:35 -0800 > Bruce Perens <[EMAIL PROTECTED]> wrote: > > I am still negotiating with the large industry group that approached me > > about this project. When the price tag is north of $1M, it takes time. > > If that work

Assurance measures: ACM

2003-12-01 Thread (mag)
Hi! Sorry for starting with the more boring part. Here is a short overview of the assurance requirements of Common Criteria, and how they are covered by Debian (in parentheses). This overview is made for the Adamantix developers, but might be interesting for Debian developers also. This part cov

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 06:45, Bruce Perens wrote: > Thanks. I can't get to your site at the moment. My ISP has been intermittent over the last week - obviously having server troubles. Usually fine though. Also if you were trying my personal domain: http://soulsound.net/, that might still be propag

Backport of the integer overflow in the brk system call

2003-12-01 Thread Frederik Dannemare
Hi everybody, just curious: any particular reason why we didn't see a backport any sooner of the integer overflow in the brk system call (see recent announcement by Wichert Akkerman: http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html) like we did with t

Re: Backport of the integer overflow in the brk system call

2003-12-01 Thread Frederik Dannemare
Frederik Dannemare wrote: Hi everybody, just curious: any particular reason why we didn't see a backport any sooner of the integer overflow in the brk system call (see recent announcement by Wichert Akkerman: http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212

Re: Revival of the signed debs discussion

2003-12-01 Thread Martin Michlmayr
* Thomas Viehmann <[EMAIL PROTECTED]> [2003-12-01 15:30]: > BTW: This is offtopic, but it seems that potato is neither in debian/ > nor in debian-archive/? Potato is on archive.debian.org (in /debian-archive/dists). -- Martin Michlmayr [EMAIL PROTECTED]

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Enrico Zini
On Mon, Dec 01, 2003 at 02:33:57PM -0600, Chad Walstrom wrote: > > - GNU ERP software project ?name? > GNU Enterprise (gnue) http://www.gnue.org/ I've just learnt of Cubit from South Africa: http://www.cubit.co.za/ Ciao, Enrico

Re: Some observations regardig the progress towards Debian 3.1

2003-12-01 Thread Mike Fedyk
On Sat, Nov 22, 2003 at 02:20:20AM +0100, Adrian Bunk wrote: > libfoo version 2-1 isn't allowed to enter testing since this would make > myprog uninstallable in testing > > myprog 5-2 isn't allowed to enter testing since this would make myprog > uninstallable in testing. > > These two packages n

Re: Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread David B Harris
On Mon, 01 Dec 2003 13:53:02 -0800 Bruce Perens <[EMAIL PROTECTED]> wrote: > >Are you still on good terms with some people at HP? > > > Yes. Has anyone discussed this with Bdale? He hasn't participated in the thread yet. > >I wouldn't mind getting paid well for the work > >I do, but that's a rari

Re: Revival of the signed debs discussion

2003-12-01 Thread Joey Hess
Goswin von Brederlow wrote: > What can we do with deb signatures? > > For our current problem, the integrity of the debian archive being > questioned, the procedure would be easy and available to every user: > > 1. get any clean Debian keyring (or just the key signing the keyring) > 2. verify the

Re: Revival of the signed debs discussion

2003-12-01 Thread Joey Hess
John Goerzen wrote: > Please check out the debsigs package. I wrote it when I worked at > Progeny back in 2001, and Branden Robinson maintains it these days. It > does exactly that. Unfortunately, the method debsigs uses to add the signature to the .deb produces a file that apt (including apt-ftp

apt-rpm article -- the features we don't have

2003-12-01 Thread Joey Hess
Interesting article on LWN: http://lwn.net/Articles/60650/ (subscription required) In summary, apparently apt-rpm users can now do some things with apt that we cannot. To install a package directly, with apt downloading any necessary dependencies: apt-get install rpmver-2.0-13498cl.i386.rpm Sim

Re: Source only uploads? -- Survey evaluation

2003-12-01 Thread Goswin von Brederlow
Roland Stigge <[EMAIL PROTECTED]> writes: > Hi Steve, > > >> Unfortunately, there wasn't much response to this. Maybe this is > >> related to the big Debian KO. > > > Or maybe because making technical decisions by voting is silly. > > At this stage, I personally decided that more official effo

Re: make-kpkg question

2003-12-01 Thread Goswin von Brederlow
Liberty Young <[EMAIL PROTECTED]> writes: > On Sat, 2003-11-22 at 09:35, Manoj Srivastava wrote: > > On Wed, 19 Nov 2003 10:46:52 -0700, Liberty Young <[EMAIL PROTECTED]> said: > > > > > I'm building kernels for an embedded x86 product, and I'm falling in > > > love with make-kpkg. My only probl

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
Thomas Viehmann <[EMAIL PROTECTED]> writes: > Hi. > > Goswin von Brederlow wrote: > > PS: I favour method C and would especially like some feedback on the > > technical aspect. Can a "_deb_signature" file be safely added to the > > end of a deb without breaking existing tools (apt/dpkg/dinstall

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
John Goerzen <[EMAIL PROTECTED]> writes: > On Mon, Dec 01, 2003 at 03:30:58PM +0100, Thomas Viehmann wrote: > > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb > > _deb_signature ; md5sum my.deb" gives two different lines, I'd think > > signing the individual members of the

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Niall Young
On 2 Dec 2003, Zenaan Harkness wrote: > - debconf package configurations (with "enterprise" defaults) To me this is still the largest hurdle, having to work around packages that don't yet use debconf, and not easily being able to take a debconf snapshot and apply it to another host. Being able t

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Goswin von Brederlow
Eduard Bloch <[EMAIL PROTECTED]> writes: > #include > John Goerzen wrote on Monday, 01 December 2003: > > > Debsigs generates its signature by effectively cating the control and > > data components of the ar file together, running that through gpg, and > > storing the resulting signature

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

2003-12-01 Thread Goswin von Brederlow
christophe barbe <[EMAIL PROTECTED]> writes: > On Mon, Dec 01, 2003 at 09:11:52PM +0100, Andreas Barth wrote: > > > Before mass bug-filing, it would be necessary to make it mandatory > > > which unfortunately is not the case right now afaik. > > > > Severity: wishlist > > Where is the problem?

Re: autoconf AC_SYS_LARGEFILE

2003-12-01 Thread Brian May
On Mon, Dec 01, 2003 at 06:46:11AM +0100, Bastian Blank wrote: > On Mon, Dec 01, 2003 at 09:53:48AM +1100, Brian May wrote: > > You can find copies of the source code at > > http://www.microcomaustralia.com.au/debian/experimental>. > > the sources are broken, run autoreconf -i -f and lart the auth

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
Scott James Remnant <[EMAIL PROTECTED]> writes: > On Mon, 2003-12-01 at 13:34, Goswin von Brederlow wrote: > > > We have no continuous trust chain going from the maintainer (also > > meaning buildd + admin), ftp-master.d.o, mirrors to the user. A > > compromised dinstall on master could replace bi

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Philip Charles
On Tue, 2 Dec 2003, Anthony Towns wrote: > Since I evidently didn't, I'm going to spell things out in as much > boring detail as I can. If I don't end up insulting your intelligence, > my apologies. :) You have clarified the situation nicely. > > So, using my definitions, the following conclusio

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Anthony Towns
On Mon, Dec 01, 2003 at 06:48:20PM +0100, Andreas Tille wrote: > For instance we have defined a term "Package Pools" and everybody now > knows what we are talking about ... Of course, not everyone used the term "Package pools" for the same thing originally. Cheers, aj -- Anthony Towns <[EMAIL P

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
Andreas Barth <[EMAIL PROTECTED]> writes: > * Goswin von Brederlow ([EMAIL PROTECTED]) [031201 14:40]: > > Instead of keeping extra files with the signature of the deb the > > information could be stored inside the deb itself. Of course the > > signature can't be contained in the thing being signed

Re: apt-rpm article -- the features we don't have

2003-12-01 Thread A.J. Rossini
Maybe I'm missing something, but none of this sounds like functionality that a bit of parsing out to other programs can't solve, given that I do it locally for the systems in my lab. Joey Hess <[EMAIL PROTECTED]> writes: > Interesting article on LWN: http://lwn.net/Articles/60650/ (subscription

Re: Revival of the signed debs discussion

2003-12-01 Thread John Goerzen
On Tue, Dec 02, 2003 at 03:58:53AM +0100, Goswin von Brederlow wrote: > John Goerzen <[EMAIL PROTECTED]> writes: > > PS: Does debsigs just sign the control and data file or all files in > the ar? What if we add some more files at some point (like a > _buildinfo)? It cats the control and data file

Re: [custom] Debian Enterprise - a Custom Debian Distribution

2003-12-01 Thread Zenaan Harkness
On Tue, 2003-12-02 at 13:42, Niall Young wrote: > On 2 Dec 2003, Zenaan Harkness wrote: > > > - debconf package configurations (with "enterprise" defaults) > > To me this is still the largest hurdle, having to work around packages > that don't yet use debconf, AIUI, policy will not change "shoul

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
Joey Hess <[EMAIL PROTECTED]> writes: > Goswin von Brederlow wrote: > > What can we do with deb signatures? > > > > For our current problem, the integrity of the debian archive being > > questioned, the procedure would be easy and available to every user: > > > > 1. get any clean Debian keyring

Re: Revival of the signed debs discussion

2003-12-01 Thread Goswin von Brederlow
Goswin von Brederlow <[EMAIL PROTECTED]> writes: > Thomas Viehmann <[EMAIL PROTECTED]> writes: > > > Hi. > > > > Goswin von Brederlow wrote: > > > PS: I favour method C and would especially like some feedback on the > > > technical aspect. Can a "_deb_signature" file be safely added to the > >

Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))

2003-12-01 Thread Zenaan Harkness
> Debian-Jr, Debian-Med, Debian-Edu, Debian-Np, Debian-Lex Is there a single place where all official Custom Debian Distributions (CDDs - even a reasonable TLA), aka internal projects, are listed? > These Custom Distributions use the technique of metapackages and have > common goals and try to de

Re: Revival of the signed debs discussion

2003-12-01 Thread Scott James Remnant
No Cc was necessary, I am subscribed to debian-devel. On Mon, 2003-12-01 at 16:26, John Goerzen wrote: > On Mon, Dec 01, 2003 at 03:56:59PM +, Scott James Remnant wrote: > > Assuming that level of compromise, there's no reason to suspect that > > they couldn't have free rein adding anything
