On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
> The DSA signing uses (secret key + random) in the signature and that
> sum is trivial to compute given the signed message and public key. The
> security of DSA relies solely on the fact that random can't be guessed
> so you can
On Thu, 15 May 2008 08:09:02 +0200
Norbert Preining <[EMAIL PROTECTED]> wrote:
> On Thu, 15 May 2008, Steinar H. Gunderson wrote:
> > No. Any key who had a single DSA signature created by the flawed version of
> > OpenSSL should be considered compromised. DSA requires a secret, random
>
> Does thi
On Thursday 15 May 2008 11:24, Olivier Berger wrote:
> I guess openssh-blacklist is only available on stable/updates and not in
> testing/updates ... any reason why not ?
It is currently available in unstable; I have no doubt that the release
managers will push it into testing as soon as possible
Hello,
I just reassigned a bug to acpid and discovered how badly maintained it
is. Despite a new maintainer in January this year, the BTS still shows
many RC bugs and a bunch with patches.
Hopefully this mail will draw some attention to the problem and some
volunteers will step up to help maintai
Hi.
I guess openssh-blacklist is only available on stable/updates and not in
testing/updates ... any reason why not ?
Thanks in advance.
--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Ins
Hi,
Considering recent issues, http://db.debian.org/password.html requires
updated as "s/id_dsa.pub/id_rsa.pub/".
Discussion as below. Do I need to make rt thingy? I am not yet
familiar with it.
On Wed, May 14, 2008 at 07:50:29PM +0200, Luk Claes wrote:
> Osamu Aoki wrote:
> > Hi,
> >
> > Re
"Steinar H. Gunderson" <[EMAIL PROTECTED]>:
> On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
>
> > Also if you have 2 messages signed with the same random number you can
> > compute the secret key. It is more complicated than this but
> > simplified boils down to is computin
On Thursday 15 May 2008 14:04, Martin Uecker wrote:
> If I understand this correctly, this means that not only should keys
> generated with the broken ssl lib be considered compromised, but all
> keys which were potentially used to create DSA signatures by those
> broken libs.
>
> In this case, the
On Thu, 15 May 2008, Osamu Aoki wrote:
> Considering recent issues, http://db.debian.org/password.html requires
> updated as "s/id_dsa.pub/id_rsa.pub/".
My mail to d-i-a said that you need to use RSA keys. You have read
that, right?
The page on db.d.o will get updated eventually, for now think
On Wed, May 14, 2008 at 08:13:53PM -0400, Filipus Klutiero wrote:
> Your second parenthesis is wrong. Just like LKM-s when the stock kernels'
> ABINAME is bumped, applications need to be rebuilt when the ABI of one of the
> libraries they link to changes in a way which is not backwards-compatible
Dear all,
it is almost one year that sbackup was modified to use a group ID that
exists on Ubuntu but not on Debian systems. As suggested on
[EMAIL PROTECTED], I have increased the severity of the bug to
'serious' three weeks ago. (#427697)
sbackup is a native Debian package whose maintainer is a
On Thu, May 15, 2008 at 03:03:55PM +0200, Peter Palfrader wrote:
> On Thu, 15 May 2008, Osamu Aoki wrote:
>
> > Considering recent issues, http://db.debian.org/password.html requires
> > updated as "s/id_dsa.pub/id_rsa.pub/".
>
> My mail to d-i-a said that you need to use RSA keys. You have rea
* Michal Čihař:
> GnuPG does not use OpenSSL, so it should be safe. But generally it
> could be possible to use same key for both GnuPG and OpenSSL and then
> you would have a problem.
There is no benefit from doing that, so this is highly unlikely. It
requires manual key conversion, too.
--
T
Hi Brian,
On Thu, May 15, 2008 at 03:33:41PM +1000, Brian May wrote:
> Apparently, Heimdal in Debian also is affected. I am not aware of any
> solution other than to manually regenerate all keys.
Could you give some details here? Password based principals aren't
affected? For those using a keytab
Martin Uecker <[EMAIL PROTECTED]> writes:
> In this case, the security advisory should clearly be updated. And all
> advice about searching for weak keys should be removed as well, because
> it leads to false sense of security. In fact, *all* keys used on Debian
> machines should be considered com
Guido Günther <[EMAIL PROTECTED]> writes:
> On Thu, May 15, 2008 at 03:33:41PM +1000, Brian May wrote:
>> Apparently, Heimdal in Debian also is affected. I am not aware of any
>> solution other than to manually regenerate all keys.
> Could you give some details here? Password based principals are
On Thu, May 15, 2008 at 03:03:55PM +0200, Peter Palfrader <[EMAIL PROTECTED]>
wrote:
> On Thu, 15 May 2008, Osamu Aoki wrote:
>
> > Considering recent issues, http://db.debian.org/password.html requires
> > updated as "s/id_dsa.pub/id_rsa.pub/".
>
> My mail to d-i-a said that you need to use RS
On Thursday, 15.05.2008, at 15:20 +0200, Thijs Kinkhorst wrote:
> On Thursday 15 May 2008 14:04, Martin Uecker wrote:
> > If I understand this correctly, this means that not only should keys
> > generated with the broken ssl lib be considered compromised, but all
> > keys which were potentially
On Thu, 15 May 2008, Mike Hommey wrote:
> On Thu, May 15, 2008 at 03:03:55PM +0200, Peter Palfrader <[EMAIL PROTECTED]>
> wrote:
> > On Thu, 15 May 2008, Osamu Aoki wrote:
> >
> > > Considering recent issues, http://db.debian.org/password.html requires
> > > updated as "s/id_dsa.pub/id_rsa.pub/
On Thu, May 15, 2008 at 05:11:30PM +0200, Peter Palfrader <[EMAIL PROTECTED]>
wrote:
> On Thu, 15 May 2008, Mike Hommey wrote:
>
> > On Thu, May 15, 2008 at 03:03:55PM +0200, Peter Palfrader <[EMAIL
> > PROTECTED]> wrote:
> > > On Thu, 15 May 2008, Osamu Aoki wrote:
> > >
> > > > Considering re
On Thu, 15 May 2008, Mike Hommey wrote:
> I beg to differ. This particular mail is important enough to be sent to
> d-d-a instead of d-i-a.
I agree, dia is not what I would be subscribed to under normal
circumstances, and with all the chaos that type of announce is for dda.
Best wishes
Norbert
--
On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > You mean less likely than once in 15 years? We're open to your
> > suggestions.
>
> Something as bad as this might be rare, still, if something can be
> improved, it should.
>
> Upstream complained about the extensive Debian patching. I think
On Thu May 15 2008 06:20:10 Thijs Kinkhorst wrote:
> You mean less likely than once in 15 years? We're open to your suggestions.
Leaving millions of systems open to crackers for 2 years out of 15
is not a joke. I don't blame the DD - we have all made mistakes
and most of us are lucky they weren't
On Thu May 15 2008 08:33:54 Thijs Kinkhorst wrote:
> I welcome change and review of our processes, but taking one extreme
> incident as the base on which to draw conclusions seems not the wise thing
> to do. If you're interested in for example changing the level to which
> software is patched in De
On Thursday, 15.05.2008, at 17:33 +0200, Thijs Kinkhorst wrote:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, still, if something can be
> > improved,
On Thursday 15 May 2008 18:26, Martin Uecker wrote:
> Why not? A plane crash is a very rare incident. Still every single
> crash is investigated to make recommendations for their future
> avoidance.
Maybe that wasn't clear from my first mail, but I don't think that nothing can
be learned from thi
Martin Uecker wrote:
> On Thursday, 15.05.2008, at 17:33 +0200, Thijs Kinkhorst wrote:
>> If you're interested in for example changing the level to which software is
>> patched in Debian, I suggest to start with a representative review of what
>> gets patched and why it's done. That would g
Twas brillig at 10:30:44 15.05.2008 UTC-07 when Kevin B. McCarty did gyre and
gimble:
KBM> Believe me, there are lots of upstreams for which extensive
KBM> patching really is necessary. (I have no idea whether OpenSSL is
KBM> one of those, as I have no familiarity with its code nor the
KBM>
[Mike Bird]
> but we should blame the process. And fix it.
> it would probably have been better to devote less effort to the
> scanner and more effort to documenting all the kinds of key
> replacements
> Serious efforts are needed
> Second, we must ensure
> This calls for a thorough investiga
Mikhail Gusarov <[EMAIL PROTECTED]> writes:
> Probably the work then should be clearly labeled as fork (especially
> given the other distro maintainers also share some patches)? It will
> reduce the confusion, like "oh, erm, our is not quite upstream
> , we rewrote it from scratch, and left the n
On Thu May 15 2008 10:34:01 Peter Samuelson wrote:
> Who is this "we"? Whose serious efforts? Who is investigating? Most
> importantly, should we assume that, as in the past, you, Mike Bird,
> intend to do nothing but talk?
Debian is still one of the world's best distros and I hope it
continues
[Mike Bird]
> Nevertheless, non-DD's can and do help by filing bug reports and
> patches (upstream is best), helping people on d-u, and offering
> constructive advice to DDs.
Very well. I propose that anyone who wishes to give "constructive
advice" to developers, but who doesn't actually do any
Hi,
On 15 May 08 at 20:17, Mike Bird wrote:
Nevertheless, non-DD's can and do help by filing bug reports and
patches (upstream is best), helping people on d-u, and offering
constructive advice to DDs.
And maintaining packages! It can be long to find a sponsor for your
first package (espec
Hi Mikhail,
Mikhail Gusarov wrote:
> Twas brillig at 10:30:44 15.05.2008 UTC-07 when Kevin B. McCarty did gyre and
> gimble:
>
> KBM> Believe me, there are lots of upstreams for which extensive
> KBM> patching really is necessary. (I have no idea whether OpenSSL is
> KBM> one of those, as I
On Thu, 15 May 2008, Norbert Preining wrote:
> On Thu, 15 May 2008, Mike Hommey wrote:
> > I beg to differ. This particular mail is important enough to be sent to
> > d-d-a instead of d-i-a.
>
> I agree, dia is not what I would be subscribed to under normal
> circumstances, and with all the chaos t
Hi!
Noticing among others this bug report
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322751 and observing the
many packages depending on $MTA | mail-transport-agent with $MTA having
values like postfix, exim, exim4, sendmail, nullmailer and probably others.
And some packages just dependi
On Thu May 15 2008 14:33:04 Sune Vuorela wrote:
> The latter, just depending on mail-transport-agent, makes apt, at least
> currently, pick the package first in the alphabet providing m-t-a. (A bit
> ago, this was courier. now it is citadel). This definitely needs fixing,
> but why not sort everyth
On May 15, 2008 09:55:40 am Lennart Sorensen, you wrote:
> On Wed, May 14, 2008 at 08:13:53PM -0400, Filipus Klutiero wrote:
> > Your second parenthesis is wrong. Just like LKM-s when the stock kernels'
> > ABINAME is bumped, applications need to be rebuilt when the ABI of one of
> > the lib
2008/5/15 Charles Plessy <[EMAIL PROTECTED]>:
> Despite the fact that the maintainer of sbackup is actively blogging on
> planet.d.o, I wonder if sbackup is maintained. From a user perspective
> (and I am a user of sbackup, that is why I feel concerned), I think that
> if there is no future for sba
2) Introduce a default-mta package (currently) depending on exim4. All
packages requiring a MTA should depend on default-mta | mail-transport-agent.
This will have the extra advantage that we (and others like CDDs and derived
distros) easily could swap default MTA.
What concerns me about this a
peter green <[EMAIL PROTECTED]> writes:
> It seems to me that the ideal solution would be to fix apt/the
> repository system so that the defaults for a virtual package can be
> explicitly designed.
I have no idea how to do this and no time to help, but I think this would
be really cool and would
On Thu, May 15, 2008 at 11:39:36PM +0100, peter green wrote:
>> 2) Introduce a default-mta package (currently) depending on exim4. All
>> packages requiring a MTA should depend on default-mta |
>> mail-transport-agent. This will have the extra advantage that we (and
>> others like CDDs and der
Mike Bird <[EMAIL PROTECTED]> writes:
> All of the MTA's provide mail-transport-agent. I had assumed that apt
> would choose between them on the basis that exim4-daemon-light is the
> only provider with priority standard, the others being optional or extra.
>
> If apt does not consider package p
On Thu, May 15, 2008 at 11:33:04PM +0200, Sune Vuorela wrote:
> Noticing among others this bug report
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322751 and observing the
> many packages depending on $MTA | mail-transport-agent with $MTA having
> values like postfix, exim, exim4, sendmai
On 15 May 2008 at 16:24 -0700, Steve Langasek wrote:
> > What concerns me about this approach is that it could easilly end up with
> > dist-upgrades swapping out users mail systems without warning. I would
> > consider such behaviour unacceptable as it could easily cause mail loss
>
> Er,
On Fri, May 16, 2008 at 01:22:12AM +0300, Aigars Mahinovs wrote:
>
> The upstream situation is not as clear cut - I've been making every
> effort to a new and enthusiastic developer (Ouattara Oumar Aziz) take
> over the upstream development of SBackup peacefully.
> I am discussing the future o
On Fri, May 16, 2008 at 02:10:39AM +0200, Eugeniy Meshcheryakov wrote:
> On 15 May 2008 at 16:24 -0700, Steve Langasek wrote:
> > > What concerns me about this approach is that it could easily end up with
> > > dist-upgrades swapping out users mail systems without warning. I would
> > > con
This one time, at band camp, Mike Bird said:
> Yet Debian makes it hard for people to help. Like most software
> engineers I simply don't have the time to waste on Debian's NM
> process. Debian's processes are indisputably Debian's decision
> alone, but Debian has to live with the consequences ..
Steve Langasek <[EMAIL PROTECTED]> writes:
> On Thu, May 15, 2008 at 11:33:04PM +0200, Sune Vuorela wrote:
>
> > 2) Introduce a default-mta package (currently) depending on exim4.
> > All packages requiring a MTA should depend on default-mta |
> > mail-transport-agent. This will have the extra ad
On Fri, May 16, 2008 at 10:53:03AM +1000, Ben Finney wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Thu, May 15, 2008 at 11:33:04PM +0200, Sune Vuorela wrote:
> > > 2) Introduce a default-mta package (currently) depending on exim4.
> > > All packages requiring a MTA should depend on d
Steve Langasek <[EMAIL PROTECTED]> writes:
> sensible-editor and sensible-browser are /commands/
Provided by the 'debianutils' package.
> default-mta is not at all like this.
You're right, I'm wrong. Thanks for clearing my confusion.
--
\ "Hey Homer! You're late for English!" "Pff! Engl
Steve Langasek <[EMAIL PROTECTED]> writes:
> On Fri, May 16, 2008 at 02:10:39AM +0200, Eugeniy Meshcheryakov wrote:
>> On 15 May 2008 at 16:24 -0700, Steve Langasek wrote:
>> > > What concerns me about this approach is that it could easily end up
>> > > with
>> > > dist-upg
On Friday 16 May 2008 10:20, Charles Plessy wrote:
> Since the revitalisation of sbackup is expected after the freezing of
> Lenny, we have to solve the most important bugs of the current version
> of sbackup. I do not know enough of python for helping on bug #427697
> (the gid of the backups). If
I notice that pwsafe is linked against openssl. Is it affected by the
recent debacle and if so, how? Do I need to regenerate all my
randomized passwords, or somehow re-encrypt the pwsafe database?
Thanks,
Daniel
Peter Samuelson <[EMAIL PROTECTED]> writes:
>
> Who is this "we"? Whose serious efforts? Who is investigating? Most
> importantly, should we assume that, as in the past, you, Mike Bird,
> intend to do nothing but talk?
I think this is a common stylistic choice. I consider myself part of
the De
On Thu, May 15, 2008 at 11:30:40PM +0200, Peter Palfrader wrote:
> On Thu, 15 May 2008, Norbert Preining wrote:
>
> > On Thu, 15 May 2008, Mike Hommey wrote:
> > > I beg to differ. This particular mail is important enough to be sent to
> > > d-d-a instead of d-i-a.
> >
> > I agree, dia is not what
The following is a listing of packages for which help has been requested
through the WNPP (Work-Needing and Prospective Packages) system in the
last week.
Total number of orphaned packages: 433 (new: 6)
Total number of packages offered up for adoption: 104 (new: 6)
Total number of packages request
On Thu, 15 May 2008, Steve Langasek wrote:
> > 2) Introduce a default-mta package (currently) depending on exim4. All
> > packages requiring a MTA should depend on default-mta |
> > mail-transport-agent.
> > This will have the extra advantage that we (and others like CDDs and
> > derived
> >
On Thu, 15 May 2008, Peter Palfrader wrote:
> > > I beg to differ. This particular mail is important enough to be sent to
> > > d-d-a instead of d-i-a.
> >
> > I agree, dia is not what I would be subscribed to under normal
> > circumstances, and with all the chaos that type of announce is for dda.
>
59 matches