Re: No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread James Bromberger
On 26/07/2017 6:20 AM, Adam Borowski wrote: > https provides no protection against targeted attacks by government agents. > The CA cartel model consists of 400+ CAs, many of them outright controlled > by governments, most of the rest doing what they're told (no, warrants > are a story for n

Re: No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread Adam Borowski
On Wed, Jul 26, 2017 at 07:01:36AM +0800, James Bromberger wrote: > On 26/07/2017 6:20 AM, Adam Borowski wrote: > > https provides no protection against targeted attacks by government > > agents. > > The CA cartel model consists of 400+ CAs, many of them outright controlled > > by governments, m

Re: No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread Adam Borowski
On Tue, Jul 25, 2017 at 09:56:41PM +0100, Chris Lamb wrote: > > your repositories on "debian.org" (especially "http://security.debian.org/" > > !!) are not! > > The files are cryptographically signed which guarantees > they haven't been tampered with in transit (modulo replay > attacks which are

Re: Request for official help

2017-07-25 Thread Ian Jackson
MENGUAL Jean-Philippe writes ("Re: Request for official help"): > The alternative is my initial proposal, more simple than others indeed: > mentioning in an official letter that Debian will not get any EAN in > next two years, and that Debian does not want Hypra to sell Debian > without EAN. It doe

Re: No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread Peter Palfrader
On Tue, 25 Jul 2017, Chris Lamb wrote: > Zeiha, > > > your repositories on "debian.org" (especially "http://security.debian.org/" > > !!) are not! > In short, there's no need for SSL. Please see > for the technical details. > We still want to provide this e

Re: No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread Chris Lamb
Zeiha, > your repositories on "debian.org" (especially "http://security.debian.org/" > !!) are not! This has been brought up many times on many lists; please see/search the archives in future. The files are cryptographically signed which guarantees they haven't been tampered with in transit (mo

No port 443 (https) available at "security.debian.org"-repository

2017-07-25 Thread Zei Ha gmx.net
Dear Madams, dear Sirs, quite all web-pages of "debian.org" (even the "forums") are available through secure-http (https, port 443), but your repositories on "debian.org" (especially "http://security.debian.org/" !!) are not! Why?? Beside vulnerabilities in "apt", it is not less important, that a

Re: Request for official help

2017-07-25 Thread MENGUAL Jean-Philippe
On 25/07/2017 at 19:49, Chris Lamb wrote: > Henrique de Moraes Holschuh wrote: > >> Run that through some legal advice, though. If "we" (Debian, SPI, etc) >> get to be co-responsible for the actions of someone using our EANs with >> permission [in some relevant jurisdiction], it is best to no

Re: Request for official help

2017-07-25 Thread Ian Jackson
Chris Lamb writes ("Re: Request for official help"): > Henrique de Moraes Holschuh wrote: > > Run that through some legal advice, though. If "we" (Debian, SPI, etc) > > get to be co-responsible for the actions of someone using our EANs with > > permission [in some relevant jurisdiction], it is bes

Re: Request for official help

2017-07-25 Thread Chris Lamb
Henrique de Moraes Holschuh wrote: > Run that through some legal advice, though. If "we" (Debian, SPI, etc) > get to be co-responsible for the actions of someone using our EANs with > permission [in some relevant jurisdiction], it is best to not have them > in the first place. I'm inclined to ag

Re : Re: Request for official help

2017-07-25 Thread MENGUAL Jean-Philippe
Hi, I agree with this. I think we mainly should create EANs for live DVDs and CD/DVD1 of installer, for some architectures only, then on-demand. The fact is that if I understand what I read about EANs, it would have no additional cost for Debian, just some time. Once the framework done (subsc

Re: Request for official help

2017-07-25 Thread Henrique de Moraes Holschuh
On Tue, 25 Jul 2017, Wouter Verhelst wrote: > On Thu, Jul 20, 2017 at 04:39:21PM +0200, MENGUAL Jean-Philippe wrote: > > Right but if Debian could subscribe to such service, it could freely > > generate as many EANs as needed for their releases, installers, liveDVDs. But > > indeed, maybe it is not the

Re: Request for official help

2017-07-25 Thread Wouter Verhelst
On Thu, Jul 20, 2017 at 04:39:21PM +0200, MENGUAL Jean-Philippe wrote: > Right but if Debian could subscribe to such service, it could freely > generate as many EANs as needed for their releases, installers, liveDVDs. But > indeed, maybe it is not the easiest solution. I think it does make sense to hav