Re: HTTPS everywhere!

2014-06-21 Thread Russell Stuart
On Fri, 2014-06-20 at 22:58 +0200, Christoph Anton Mitterer wrote: > > But after you've sent them money or downloaded their software > > you have formed a trust relationship with whoever controls that cert far > > stronger than the assurances X.509 provides. That is true in the > > positive sense

maintainership of pv, status of kcoyner

2014-06-21 Thread Antoine Beaupré
http://packages.qa.debian.org/p/pv.html i love this tool. there's a bunch of new releases sitting upstream that I'd be happy to package in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745820 anyone heard of Kevin (in cc)? he seems to be MIA right now... i contacted the MIA team before,

Re: HTTPS everywhere!

2014-06-21 Thread Tollef Fog Heen
]] Christoph Anton Mitterer > A user of Debian already fully trusts us (by using our distro, where we > could do basically everything). That user trusts us to build a distro fairly competently, something we have a history of doing. > If he ultimately trusts our X.509 root, he doesn't give us mo

Re: HTTPS everywhere!

2014-06-21 Thread Tollef Fog Heen
]] Christoph Anton Mitterer > And if your concern is that a Debian CA could be used to forge > certificates for non-Debian stuff... given that we have >150 root certs > in the Mozilla bundle... many of them already completely untrustworthy > and many of them probably introducing intermediate CAs

Re: HTTPS everywhere!

2014-06-21 Thread Christoph Anton Mitterer
On Sat, 2014-06-21 at 16:40 +0200, Tollef Fog Heen wrote: > That user trusts us to build a distro fairly competently, something we > have a history of doing. Well it's not that we'd have never made mistakes there... > That user would then trust us to run a CA competently, something we as a > pro

Re: New project goal: Get rid of Berkeley DB (post jessie)

2014-06-21 Thread Thomas Goirand
On 06/21/2014 01:03 AM, Neil McGovern wrote: > On Sat, Jun 21, 2014 at 12:49:52AM +0800, Thomas Goirand wrote: >> So, do I understand well that it's your view that just linking with >> AGPLv3 make it mandatory to re-license using AGPLv3? Is there such a >> clause in the AGPLv3 license? >> > > No,

llvm-defaults vs update alternatives

2014-06-21 Thread Sylvestre Ledru
Hello, Currently, LLVM default binaries are managed by the llvm-defaults package (similar to gcc-defaults). To sum up, we have binaries like /usr/bin/llvm-nm-X.Y. llvm-defaults provides symlinks /usr/bin/llvm-nm to the actual binaries. Usually, I manage 3 versions of LLVM in parallel (currently, 3

Re: llvm-defaults vs update alternatives

2014-06-21 Thread Vincent Bernat
❦ 21 June 2014 18:46 +0200, Sylvestre Ledru: > Currently, LLVM default binaries are managed by the llvm-defaults package > (similar to gcc-defaults). > To sum up, we have binaries like /usr/bin/llvm-nm-X.Y. llvm-defaults > provides symlinks /usr/bin/llvm-nm to the actual binaries. > Usually, I

Re: HTTPS everywhere!

2014-06-21 Thread Russell Stuart
On Sat, 2014-06-21 at 17:58 +0200, Christoph Anton Mitterer wrote: > Take Turktrust as an example... IIRC the case correctly, they > "accidentally" (whoever believes that) issued a cert which was an > intermediate CA and which was used to issue forged Google certs. > After days and only after long d

Re: HTTPS everywhere!

2014-06-21 Thread Christoph Anton Mitterer
On Sun, 2014-06-22 at 10:52 +1000, Russell Stuart wrote: > The problem isn't that government security agencies can in all > likelihood MITM any connection they wish. I'm sure that's true, but I'm > equally sure they don't do it that often for fear of being caught. It's > actually far worse than

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
Hey Holger, On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote: > > It also doesn't seem to protect against downgrading attacks... (see my > > previous post about that). > one or two bug reports might be oh so more useful than posting on -devel. I will submit tickets for the ones I know (as s

Re: llvm-defaults vs update alternatives

2014-06-21 Thread Paul Wise
On Sun, Jun 22, 2014 at 12:46 AM, Sylvestre Ledru wrote: > Any opinions on the subject? There is already the CC (and CXX etc) environment variable to select the compiler, they should use that. Build systems that ignore those environment variables are broken and need to be fixed. -- bye, pabs

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
FYI: On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote: > one or two bug reports might be oh so more useful than posting on -devel. #752275 and #752277 Cheers, Chris.

Re: llvm-defaults vs update alternatives

2014-06-21 Thread Sylvestre Ledru
On 21/06/2014 19:19, Paul Wise wrote: > On Sun, Jun 22, 2014 at 12:46 AM, Sylvestre Ledru wrote: > >> Any opinions on the subject? > There is already the CC (and CXX etc) environment variable to select > the compiler, they should use that. I am not talking about Clang but LLVM here. LLVM itself shi

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
On Wed, 2014-06-18 at 13:55 +0200, Jakub Wilk wrote: > Yes, maintaining packages properly takes time. If packaging new upstream > releases is too much effort, why bother uploading it to Debian in the > first place? Actually, I think everything that tries to circumvent the package management syst

Re: HTTPS everywhere!

2014-06-21 Thread Russell Stuart
On Sun, 2014-06-22 at 03:34 +0200, Christoph Anton Mitterer wrote: > Well as it should be clear to everyone by now... with an own CA and with > specifically checking for certs issued by *only that* CA you can fully > secure things like apt-listbugs. Sure, but you are no longer discussing a PKI syst