On Wed, 3 Dec 2003, John Goerzen wrote:
> > I see it clearly as Debian project and can't find the rationale why
> > you said that it is _obviously_ not.
>
> It's not hosted on Debian machines. Nobody designated it as a project.
> It doesn't use our BTS, it doesn't use our mailing lists, etc. I
* Goswin von Brederlow ([EMAIL PROTECTED]) [031203 03:25]:
> Henning Makholm <[EMAIL PROTECTED]> writes:
> > If an attacker compromises the buildd to the point where he can gain
> > access to its secret key, he could just as well attack its build
> > environment, or simply use his access to convinc
* Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
> Before we make such a push, we should at least ensure that it
> is something we really want to do. I think locally generated
> checksums are a better solution.
I don't think so. md5 calculation is not the fastest thing (especially on
Andreas Schuldei wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
> > I have sent a message to Werner asking if the GPG smart-card device
> > could be re-implemented with a USB interface. I think that a USB
> > dongle with GPG technology would be a good option as most developer's
> > m
On Wed 03-12-2003, at 10:09 Andreas Barth wrote:
> > > file back signed by the build admin. The debian archive scripts
> > > accepts packages signed by a buildd-key only if it is a binary package
> > > for this architecture, the key is valid (i.e. in the right year), and
> > > this package has bee
On Wed, Dec 03, 2003 at 08:02:42AM +0100, Matthias Urlichs wrote:
> IMHO, there's no need to discuss this to death -- .desktop files make
> sense, therefore packages should supply them. There's no sane way to
> ask maintainers to do so except to file bugs, therefore bugs should be
> filed, and that
On Thu, 2003-12-04 at 01:02, Benj. Mako Hill wrote:
> On Wed, Dec 03, 2003 at 01:24:24PM +0200, Fabian Fagerholm wrote:
> > If some of the people who participated in the Debcamp Custom
> > Distribution BOF (see
> > http://www.debian.org/devel/debian-nonprofit/News/2003/20030717) are
> > listening,
Matthias Urlichs <[EMAIL PROTECTED]> wrote:
> AKL. Mantas Kriauciunas wrote:
>
>> Herbert Xu: "Please discuss this on debian-devel before filing further
>> bugs."
>
> IMHO, there's no need to discuss this to death -- .desktop files make
> sense, therefore packages should supply them. There's no s
On Wed, 3 Dec 2003 14:17:18 +1100, Russell Coker <[EMAIL PROTECTED]> said:
> On Wed, 3 Dec 2003 12:34, Don Armstrong <[EMAIL PROTECTED]>
> wrote:
>> The problems associated with them aren't too terribly different
>> from those associated with keys or other forms of physical
>> security, notably,
hi...
I was talking with Ian Murdock yesterday, and he suggested I pose the
question to this group.
We're interested in creating a development environment that would allow open
source applications to be created. The development environment would go
beyond simply providing project management funct
On Wed 03-12-2003, at 22:36 Tom wrote:
> On Wed, Dec 03, 2003 at 09:24:07AM -0600, Manoj Srivastava wrote:
> > Heh. Your grasp of the practicality of the situation is
> > slipping. Not only do these guys donate a fairly expensive chunk of
> > billable hours and expertise, they must pay to b
AKL. Mantas Kriauciunas <[EMAIL PROTECTED]> wrote:
>
> Solution is to add freedesktop.org standardized menu entry for programs,
> which could be started from menu (for example there is no meaning to
> start apt-get tool from menu). Then users of modern desktops will be
> happy, because they can ea
On Tue, Dec 02, 2003 at 09:33:39AM -0500, Sam Hartman wrote:
> > "aj" == Anthony Towns writes:
> aj> or overloaded with work, or, for that matter, fixing compromised Debian
> aj> servers -- do you think it's desirable and possible to:
>
> aj> * for confirmed bugs with a known fi
Theodore Ts'o wrote:
Why does Group 1 really care about running under Linux, as opposed to some other OS? Is it really about price sensitivity? If so, it's surprising because to the extent that they pay $50,000 for Oracle, or $1,000,000+ for SAP R/3, why should they care about the cost of
On Mon, 2003-12-01 at 13:48, Branden Robinson wrote:
> To be solved properly this would require some sort of signaling
> mechanism detached from most of the normal process hierarchy; say, an
> "invoke-rc.dd" (daemon) with which invoke-rc.d communicated.
Couldn't you just catch the signal, and ign
On Tue, Dec 02, 2003 at 02:10:56PM +, Jonathan Dowland wrote:
> On Mon, Dec 01, 2003 at 07:06:41PM -0500, Joey Hess wrote:
>
> > Similarly, to check the build depends of a source package file:
> > apt-get build-dep apt-listchanges-1.49-11104cl.src.rpm
>
> Should this be the job of apt-get?
On Mon, 01 Dec 2003 11:16:53 -0700, Liberty Young <[EMAIL PROTECTED]> said:
> I'm installing by tarball. Unfortunately, my embedded OS doesn't
> have apt or dpkg (yet). I was thinking that make-kpkg modules_image
> or kernel_image would include in the packaged .deb a modules.dep
> that would inc
On Wed, 2003-12-03 at 15:32, Manoj Srivastava wrote:
> An even better security guideline is "something you are" -- so
> should we not spring for retinal scanners/fingerprint readers/other
> biometrics? I mean, we _are_ talking about other people's money. :P
This idea has recently been in t
On Mon, 2003-12-01 at 09:49, Marc Haber wrote:
> >Do you really think that one should use the old hostkeys again?
>
> Actually, yes. I trust the DSA not to allow a compromised system to be
> on the network.
Which is why they won't be re-using the old host keys.
Are you aware that the SSH host k
On Tue, Dec 02, 2003 at 02:02:19PM -0600, Steve Langasek wrote:
> You change the contents of the compromised Packages file, so that
> Package: bash
> is accompanied by
> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
> which contains a perfectly valid .deb file, signed by a DD,
On Wed, 3 Dec 2003 08:30:55 +0100, Bernd Eckenfels <[EMAIL PROTECTED]> said:
> Hehe, well I am sorry. I had the impression 2.4.23 was older. Should
> have checked my facts.
> BTW: I have checked the kernel version of the major distros, all
> ship newer kernels than debian (if you look at the
On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
> What about RSA tokens? This solution does not require any special hardware
> to connect on the client side.
This also means it does not provide any additional security, besides the costs.
Greetings
Bernd
* Goswin von Brederlow ([EMAIL PROTECTED]) [031203 03:40]:
> Andreas Barth <[EMAIL PROTECTED]> writes:
> > * Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
> > > So unless you have a suggestion that would solve this particular issue,
> > > I'm afraid this idea won't work in practice.
> > Two
On Wed, Dec 03, 2003 at 11:14:29PM +0100, Wouter Verhelst wrote:
>
> Let me reiterate. You want to set up something with the Debian Project's
> machines so that I have to pay for the privilege of contributing?
>
> Thanks, but no thanks. Volunteers don't work that way.
>
No sweat, that's totally
* Marc Haber
> The way -config does the configuration is something that is questioned
> by a lot of people. Most conservative eximists hate the configuration
> being split out in several files,
Absolutely, this is a slight convenience for the packagers which causes
a major inconvenience to
On Thu, Dec 04, 2003 at 12:03:52AM +1100, Russell Coker wrote:
> For an initial order of 1200 units and the potential for other larger orders
> they may reconsider this.
There are some more tokens, which are based on the open X9.9 DES protocol and
not the secret SecureID stuff.
Greetings
Bernd
On Wed, Dec 03, 2003 at 05:44:36PM +0100, Santiago Vila wrote:
|| file=main/libp/libpng/libpng2_1.0.12-3.woody.3_i386.deb
|| wget -q -O 1.deb http://ftp.debian.org/debian/pool/$file
|| wget -q -O 2.deb http://security.debian.org/pool/updates/$file
|| diff 1.deb 2.deb
||
|| Binary files 1.deb
On Wed, 03 Dec 2003, Andreas Metzler wrote:
> Steve Greenland <[EMAIL PROTECTED]> wrote:
> [...]
> > I think the idea of a namespace for usernames used by packages is a good
> > idea, but rather than "debian-", we should take this to the LSB folk, so
> > that we can get it done once.
>
> The prob
Debian Installer sarge-i386-bussinescard.iso, httP://freedesktop.or/
~daniel/d-i from 22.11.2003
MB Asus P4B266-E,
Installed on /dev/hdb3 without any problems.
$ dmesg
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
T
On Wed, Dec 03, 2003 at 06:04:26PM +, Tom Badran wrote:
> Is there anywhere I can download debian-installer beta images (I'm
> getting a new laptop tomorrow), preferably with support for
> reiserfs filesystems? Gluck still isn't working and I can't seem to
> find mirrors anywhere.
http://freede
Package: wnpp
Severity: wishlist
* Package name: libcaca
Version : 0.2
Upstream Author : Sam Hocevar <[EMAIL PROTECTED]>
* URL : http://sam.zoy.org/projects/libcaca/
* License : LGPL
Description : text mode graphics library
Package: libcaca-dev
Section: l
On Thu, Dec 04, 2003 at 10:18:44AM +1100, Russell Coker wrote:
> > > What about RSA tokens? This solution does not require any special
> > > hardware to connect on the client side.
> > This also means it does not provide any additional security, besides the
> > costs.
> What makes you think that?
On 2003-12-03 05:08, Theodore Ts'o wrote:
> To the extent that they are self-supporting, they become economically
> irrelevant to a commercial distribution or to a support provider of
> UserLinux. The best that you will get out of these customers are
On Wed, Dec 03, 2003 at 06:30:16PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Dec 03, 2003 at 05:44:36PM +0100, Santiago Vila wrote:
> > file=main/libp/libpng/libpng2_1.0.12-3.woody.3_i386.deb
> > wget -q -O 1.deb http://ftp.debian.org/debian/pool/$file
> > wget -q -O 2.deb http://security.debia
On Wed, Dec 03, 2003 at 10:48:57AM -0800, bruce wrote:
> Our goals:
> * Provide Project Management
> * Provide a Development Network of Servers
> * Provide Test Servers
> * Allow users to configure Test Servers as Required
> * Allow users to build/execute/test their code on the Test Servers
>
On Wed, Dec 03, 2003 at 11:42:06PM +0100, Bernd Eckenfels wrote:
> On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
> > What about RSA tokens? This solution does not require any special hardware
> > to connect on the client side.
> This also means it does not provide any additio
On Wed, 2003-12-03 at 20:01, cobaco wrote:
> On 2003-12-03 12:24, Fabian Fagerholm wrote:
> > On Wed, 2003-12-03 at 12:17, Andreas Tille wrote:
> > > On Tue, 2 Dec 2003, Fabian Fagerholm wrote:
> > > > The term suggests that the distribution is "
On Sun, 2003-11-30 at 15:46, Russ Allbery wrote:
> It does have the drawback that you could end up with accounts that differ
> only in case, which means that MTAs would probably have to be checked to
> make sure that they do the right thing.
RFC 2821 gives some great advice here:
"Howeve
On Fri, 2003-11-28 at 20:49, Martin Michlmayr wrote:
> * Colin Walters <[EMAIL PROTECTED]> [2003-09-10 19:02]:
> > Therefore, I'm putting most (but not quite all) of my packages up
> > for adoption. Specifically:
> >
> > build-essential crack-attack dbus desktop-base fontconfig fontilus
> > gnome
On Wed, Dec 03, 2003 at 05:26:59PM -0500, Colin Walters wrote:
> I'll take xml-resume-library back
OK, I will stop working on it
Bernd
On Wed, Dec 03, 2003 at 06:50:09AM +0100, Goswin von Brederlow wrote:
[TSP]
> If there is no person sitting there signing it manually its useless.
Why is that? I trust an automated service to provide me signed timestamps. In
fact a box doing exactly this and nothing else can be very securely lock
On Thu, 4 Dec 2003 09:42, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
> > What about RSA tokens? This solution does not require any special
> > hardware to connect on the client side.
>
> This also means it does not provide any a
On Thu, Dec 04, 2003 at 10:27:57AM +1100, Russell Coker wrote:
> Current fingerprint readers have been shown to be very unreliable. Both
> false-positives and false-negatives are big problems.
and normally they can't be used over untrusted channels/terminals, since they
work with a shared secret
On Thu, 4 Dec 2003 02:32, Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> An even better security guideline is "something you are" -- so
> should we not spring for retinal scanners/fingerprint readers/other
> biometrics? I mean, we _are_ talking about other people's money. :P
Biometric sca
The security advisory does not mention these (the current 2.4.x kernels
available in sarge), and the upstream fix is apparently not until 2.4.23.
Can we get an announcement as to the safety of these Debian packages?
--
Nathanael Nerode
http://home.twcny.rr.com/nerode/neroden/fdl.html
On Wednesday 03 December 2003 at 14:00:51, Russell Coker wrote:
> I agree that smartcards would help a lot. However as has been previously
> suggested the cost of 1200+ smart-card readers is probably prohibitive.
I don't know how a USB dongle compares with a smart card reader
regarding price.
>
On Thu, 2003-12-04 at 03:18, John Goerzen wrote:
> On Wed, Dec 03, 2003 at 10:58:12AM +0100, Andreas Tille wrote:
> > On Tue, 2 Dec 2003, John Goerzen wrote:
> >
> > > First of all. This is obviously not a Debian project
> > I see it clearly as Debian project and can't find the rationale why
> >
On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
> Because it buys little security wise?
I can take a rescue disk, a CD with relevant packages on it, boot the
suspect server from the rescue disk, and quickly check md5sums. At
least, if all packages had md5sums I could.
On Thu, 4 Dec 2003 05:02, Andreas Schuldei <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
> > I have sent a message to Werner asking if the GPG smart-card device could
> > be re-implemented with a USB interface. I think that a USB dongle with
> > GPG technology wo
John,
You hit the nail on the head!! What we really need is a serious well
experienced network/security admin/engineer who can help architect the
system.
Our goals:
* Provide Project Management
* Provide a Development Network of Servers
* Provide Test Servers
* Allow users to configure Test S
On Wednesday 03 December 2003 21:31, Zenaan Harkness wrote:
> I agree. I would like to see .desktop standard adopted. There have been
> a few threads I have seen so far, and there seems to be some level of
> resistance to the idea.
The silly question is: What does our actual menu system provide t
On Tuesday 02 December 2003 at 17:19:22, Tom wrote:
> Smartcards would have avoided the Debian compromise: merely having a
> compromised DD box would have prevented the bad guy from getting on the box
On Wed, 2003-12-03 at 19:34, Thomas Wana wrote:
> P.S.: in the pasted part:
>
> $ FreeBSD 5.1-RELEASE-p11 #0: Thu Nov 27 15:07:08 CET 2003
> FreeBSD: not found
>
Ah, wonderful... I need a new sig to torment my ex-boss with.
Scott
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
> On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
> > The only way to have avoided this kernel vulnerability from day-0 of
> > discovery/fix release would have been to be constantly upgrading to
> > pre-release kernels
> You hit the nail on the head!! What we really need is a serious well
> experienced network/security admin/engineer who can help architect the
> system.
You could probably find some candidates from within the Debian community.
Perhaps a DD could comment on which mailing list would be appropriate
On Wed, 2003-12-03 at 17:47, Bernd Eckenfels wrote:
> On Wed, Dec 03, 2003 at 05:26:59PM -0500, Colin Walters wrote:
> > I'll take xml-resume-library back
>
> ok, i will stop to work on it
If you have any patches I'd be happy to take them...
On Wed, 3 Dec 2003 13:26:02 +0100, Matthias Urlichs said:
> I'm also a bit concerned about MitM attacks; the hash-or-whatever which
Obviously you can do this only using a secure channel.
> the local side is supposed to sign should probably be encrypted with the
> signer's public key, otherwise I
On Wed, Dec 03, 2003 at 10:58:12AM +0100, Andreas Tille wrote:
> On Tue, 2 Dec 2003, John Goerzen wrote:
>
> > First of all. This is obviously not a Debian project
> I see it clearly as Debian project and can't find the rationale why
> you said that it is _obviously_ not.
It's not hosted on De
I recall prepending a nohup:
[EMAIL PROTECTED] nohup invoke-rc.d xdm stop
solved the problem. So maybe a nohup or trap inside /etc/init.d/xdm
would be what you want. The only problem left then would be cleaning
up the nohup.out created.
This could also be done for other /etc/init.d/?dm's.
On Wednesday 03 December 2003 15:32, Manoj Srivastava wrote:
> An even better security guideline is "something you are" -- so
> should we not spring for retinal scanners/fingerprint readers/other
> biometrics? I mean, we _are_ talking about other people's money. :P
However 'something you a
On Wed, 3 Dec 2003 05:42:20 -0800, Tom Ballard <[EMAIL PROTECTED]> said:
> On Thu, Dec 04, 2003 at 12:20:57AM +1100, Hamish Moffatt wrote:
>>
>> How about including your full name somewhere in your posts too
>> then? I find it a bit off-putting to discuss security with someone
>> who's obscuring
On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe <[EMAIL PROTECTED]> said:
>
> > I don't see why adding a md5dsum_are_mandatory clause to the debian
> > policy would be difficult (what would be a good reason to not add
> > md5
On Wed, Dec 03, 2003 at 02:11:59PM +1100, Russell Coker wrote:
> Every DD needs to have immediate access to servers running each of the
> supported architectures.
Yes of course. But this does not mean they have to have access to
infrastructure of the project. A box for a DD to debug and test the
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
> > Before we make such a push, we should at least ensure that it
> > is something we really want to do. I think locally generated
> > checksums are a better solution.
>
> I don't think s
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe <[EMAIL PROTECTED]> said:
>
> > I don't see why adding a md5dsum_are_mandatory clause to the debian
> > policy would be difficult (what would be a good reason to not add
> > md5sum to a package?).
Matt Zimmerman <[EMAIL PROTECTED]> writes:
> On Wed, Dec 03, 2003 at 06:43:18AM +0100, Goswin von Brederlow wrote:
>
> > Matt Zimmerman <[EMAIL PROTECTED]> writes:
> >
> > > On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
> > >
> > > > But this kind of tampering _can_ be c
On Wed, Dec 03, 2003 at 05:26:59PM -0500, Colin Walters wrote:
> On Fri, 2003-11-28 at 20:49, Martin Michlmayr wrote:
> > Okay, if I'm counting correctly, gnome-mag and xml-resume-library have
> > not been taken yet. Is anyone interested in these packages? Note
> > that gnome-mag has a RC outstan
Dan Jacobson <[EMAIL PROTECTED]> writes:
> I recall prepending a nohup:
> [EMAIL PROTECTED] nohup invoke-rc.d xdm stop
> solved the problem. So maybe a nohup or trap inside /etc/init.d/xdm
> would be what you want. The only problem left then would be cleaning
> up the nohup.out created.
>
> Thi
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Wed 03-12-2003, at 10:09 Andreas Barth wrote:
> > > > file back signed by the build admin. The debian archive scripts
> > > > accepts packages signed by a buildd-key only if it is a binary package
> > > > for this architecture, the key is valid (i.
On Tue, 2 Dec 2003, Andrea Glorioso wrote:
> > "t" == Tom <[EMAIL PROTECTED]> writes:
> t> One of the "flavors" linked to on
> t> http://www.debian.org/devel/debian-nonprofit/ is www.demudi.org
> t> --
>
> t> which is running IIS on Windows 2000!
> A little update.
> www.de
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
>
> > Because it buys little security wise?
>
> I can take a rescue disk, a CD with relevant packages on it, boot the
> suspect server from the rescue disk, and quickly check md5sums. At
>
On Wed, 2003-12-03 at 21:04, Graham Wilson wrote:
> If you don't have much time for xml-resume-library, I am sure that you
> can give it to the Debian XML/SGML Project. Or you could even
> co-maintain it with us. Whatever works for you.
That sounds cool. I'm all about co-maintenance. So we'll m
On Wed, Dec 03, 2003 at 10:20:14AM -0500, Anthony DeRobertis wrote:
> Please, please, use debian- or some other prefix! That shouldn't confuse
> any rational person
What about sys- as a prefix?
--
gram