also sprach martin f krafft <[EMAIL PROTECTED]> [2005.02.15.1101 +0100]:
> > I'd rather have this discussion on debian-devel or debian-dpkg
> > since that's a logical place where more people are able to get
> > involved and find the archive much easier than a strangely named
> > list on the mad duc
Don Armstrong <[EMAIL PROTECTED]> writes:
> On Mon, 14 Feb 2005, Gunnar Wolf wrote:
>> Goswin von Brederlow said [Sat, Feb 12, 2005 at 01:55:43PM +0100]:
>> > Do you really think it is difficult to get a second signature onto
>> > your gpg key? Go to one key-signing party and you get 10 even on a
>
On Mon, 14 Feb 2005, Gunnar Wolf wrote:
> Goswin von Brederlow said [Sat, Feb 12, 2005 at 01:55:43PM +0100]:
> > Do you really think it is difficult to get a second signature onto
> > your gpg key? Go to one key-signing party and you get 10 even on a
> > small one.
>
> There should be some kind of
also sprach Martin Schulze <[EMAIL PROTECTED]> [2005.02.15.0719 +0100]:
> I'd rather have this discussion on debian-devel or debian-dpkg
> since that's a logical place where more people are able to get
> involved and find the archive much easier than a strangely named
> list on the mad duck site.
* Martin Schulze ([EMAIL PROTECTED]) [050215 07:30]:
> martin f krafft wrote:
> > also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.2201 +0100]:
> > > Do you think it would be possible to upload apt 0.6 to sid before
> > > testing-security (or what's it called) is ready? Andreas?
> >
> >
martin f krafft wrote:
> also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.2201 +0100]:
> > Do you think it would be possible to upload apt 0.6 to sid before
> > testing-security (or what's it called) is ready? Andreas?
>
> Let's work on a list of items that need to be addressed to get A
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.2201 +0100]:
> Do you think it would be possible to upload apt 0.6 to sid before
> testing-security (or what's it called) is ready? Andreas?
Let's work on a list of items that need to be addressed to get APT
out of experimental.
Please j
* Florian Weimer ([EMAIL PROTECTED]) [050214 22:05]:
> * Martin Schulze:
> > RfH generated. I hope I don't have to coordinate this. Florian, mind
> > to chair?
> I'd feel honored.
>
> Do you think it would be possible to upload apt 0.6 to sid before
> testing-security (or what's it called) is
* Martin Schulze:
> RfH generated. I hope I don't have to coordinate this. Florian, mind
> to chair?
I'd feel honored.
Do you think it would be possible to upload apt 0.6 to sid before
testing-security (or what's it called) is ready? Andreas?
Gunnar Wolf <[EMAIL PROTECTED]> writes:
> Goswin von Brederlow said [Sat, Feb 12, 2005 at 01:55:43PM +0100]:
>> Do you really think it is difficult to get a second signature onto your
>> gpg key? Go to one key-signing party and you get 10 even on a small
>> one.
>
> There should be some kind of exe
Andreas Barth wrote:
> Actually, we discussed apt 0.6 within the release team and with
> the maintainers. IIRC, the two blocking issues are:
> 1. All the concepts (default installation, key management, how do
> security updates work, ...) need some review
> 2. There is no one who started work
Goswin von Brederlow said [Sat, Feb 12, 2005 at 01:55:43PM +0100]:
> > I don't get it. Do you have a concrete example that makes this necessary?
> > It seems more and more difficult to become member of Debian, which is
> > after all a volunteer-only project. Why trying to more and more discourage
>
also sprach Andreas Barth <[EMAIL PROTECTED]> [2005.02.14.1429 +0100]:
> 1. All the concepts (default installation, key management, how do
> security updates work, ...) need some review
> 2. There is no one who started working on 1.
> (One part of 2. is that nobody made a summary after discussion,
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.1438 +0100]:
> Anthony Towns's announcement, and continuing practice to use the same
> key.
Look again; it's not the same key.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <[EMAIL PROTECT
* martin f. krafft:
> also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.1415 +0100]:
>> > users need multiple ways to verify the key until the trust level
>> > meets their requirements. Right now, one single method exists, and
>> > it's weak.
>>
>> There are at least two.
>
> And they are
* Florian Weimer ([EMAIL PROTECTED]) [050214 13:55]:
> I don't understand what's keeping apt 0.6 from being distributed with
> sarge (modulo a new run of non-automated regression tests, of course).
> The key management issue could be side-stepped by switching from a
> year-based signing key to a re
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.1415 +0100]:
> > users need multiple ways to verify the key until the trust level
> > meets their requirements. Right now, one single method exists, and
> > it's weak.
>
> There are at least two.
And they are?
Anyway, I would like a coupl
* martin f. krafft:
> key management still requires some sort of professionalism. Just
> creating a key and signing it isn't the entire game;
I disagree. Even Verisign claims it isn't liable for its certificate.
In this case, the only response to a bad signing key is to remove it
from your APT
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.14.1351 +0100]:
> I don't understand what's keeping apt 0.6 from being distributed with
> sarge (modulo a new run of non-automated regression tests, of course).
It's "too radical a switch" this *close* to the release.
> The key management is
* martin f. krafft:
> also sprach Martin Schulze <[EMAIL PROTECTED]> [2005.02.14.1143 +0100]:
>> > Time we introduce archive signatures then!
>>
>> Too bad there is no Release.gpg anymore, because otherwise we had
>> that already.
>
> $ HEAD http://ftp.debian.org/debian/dists/sarge/Release.gpg |
also sprach Martin Schulze <[EMAIL PROTECTED]> [2005.02.14.1143 +0100]:
> > Time we introduce archive signatures then!
>
> Too bad there is no Release.gpg anymore, because otherwise we had
> that already.
$ HEAD http://ftp.debian.org/debian/dists/sarge/Release.gpg | head -1
200 OK
We still do.
martin f krafft wrote:
> also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.13.2236 +0100]:
> > If I wanted to hurt Debian users, I'd become a mirror admin. The
>
> Time we introduce archive signatures then!
Too bad there is no Release.gpg anymore, because otherwise we had
that already.
Re
also sprach Lars Wirzenius <[EMAIL PROTECTED]> [2005.02.12.1359 +0100]:
> Voting privileges also matter.
I believe I addressed that.
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.02.13.2236 +0100]:
> If I wanted to hurt Debian users, I'd become a mirror admin. The
Time we introduce arch
* martin f. krafft:
> Every additional member with write access to the archive is an
> additional threat to the integrity of the archive in case of
> a developer gone bad or a compromised key;
If I wanted to hurt Debian users, I'd become a mirror admin. The
damage potential is far higher, and th
On Sat, 2005-02-12 at 13:52 +0100, martin f krafft wrote:
also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1320 +0100]:
> What about translators? Isn't it time to give them a real status?
> They definitely aren't second-class contributors.
They do not need developer status, do they? The
On Sat, 2005-02-12 at 13:52 +0100, martin f krafft wrote:
> also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1320 +0100]:
> > What about translators? Isn't it time to give them a real status?
> > They definitely aren't second-class contributors.
>
> They do not need developer status, d
On Saturday 12 February 2005 14:28, Jérôme Marant wrote:
> You missed the point. I'm asking for the rationale about the need
> for more and more key signatures.
The OP stated, that the second signature was needed to protect against a DD
"faking" a second one.
Regards, David
also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1836 +0100]:
> All of this is very questionable, IMHO. I can't make mistakes that
> easily. At least, people notice mistakes very quickly.
Sure. But if your mistake is to let J. Random Hacker take over
your key without you taking note, it c
martin f krafft <[EMAIL PROTECTED]> writes:
> also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1426 +0100]:
>> Why wouldn't they get a _Debian membership_ status like any other
>> contributor? Isn't it unfair not to do so?
>
> Every additional member with write access to the archive is an
On Sat, Feb 12, 2005 at 03:02:33PM +0100, martin f krafft wrote:
> also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1426 +0100]:
> > Why wouldn't they get a _Debian membership_ status like any other
> > contributor? Isn't it unfair not to do so?
>
> Every additional member with write acce
also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1426 +0100]:
> Why wouldn't they get a _Debian membership_ status like any other
> contributor? Isn't it unfair not to do so?
Every additional member with write access to the archive is an
additional threat to the integrity of the archive i
* Bruno Barrera C. ([EMAIL PROTECTED]) [050212 14:25]:
> On Sat, 2005-02-12 at 13:55 +0100, Goswin von Brederlow wrote:
> > Do you really think it is difficult to get a second signature onto your
> > gpg key? Go to one key-signing party and you get 10 even on a small
> > one.
> >
> > It might be di
Goswin von Brederlow <[EMAIL PROTECTED]> writes:
>> I don't get it. Do you have a concrete example that makes this necessary?
>> It seems more and more difficult to become member of Debian, which is
>> after all a volunteer-only project. Why trying to more and more discourage
>> people to contribu
martin f krafft <[EMAIL PROTECTED]> writes:
> also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1320 +0100]:
>> What about translators? Isn't it time to give them a real status?
>> They definitely aren't second-class contributors.
>
> They do not need developer status, do they? They should
Andreas Barth <[EMAIL PROTECTED]> writes:
>> What about translators? Isn't it time to give them a real status?
>> They definitely aren't second-class contributors.
>
> Looking at Frans, this seems to work. My experience (also as AM) is that
> people who join Debian with another core task than main
On Sat, 2005-02-12 at 13:55 +0100, Goswin von Brederlow wrote:
>
> Do you really think it is difficult to get a second signature onto your
> gpg key? Go to one key-signing party and you get 10 even on a small
> one.
>
> It might be difficult to get a DD signature for geographical reasons
> but any
On Saturday 12 February 2005 13:55, Goswin von Brederlow wrote:
> Jérôme Marant <[EMAIL PROTECTED]> writes:
> >> - Also not accepted are people without traceable actions for
> >> Debian. Examples of this include
> >>- having only one package in the archive, with only one
Jérôme Marant <[EMAIL PROTECTED]> writes:
>> - We won't accept[5] applicants who have only one signature on their GPG-key
>> if that signature is made by the advocate. If it has only a signature
>> from the advocate at least another one from the web-of-trust is
>> needed
also sprach Jérôme Marant <[EMAIL PROTECTED]> [2005.02.12.1320 +0100]:
> What about translators? Isn't it time to give them a real status?
> They definitely aren't second-class contributors.
They do not need developer status, do they? They should not upload
directly anyway, but go through the main
* Jérôme Marant ([EMAIL PROTECTED]) [050212 13:25]:
> Joerg Jaspert <[EMAIL PROTECTED]> writes:
> > - Also not accepted are people without traceable actions for
> > Debian. Examples of this include
> >- having only one package in the archive, with only one upload,
> >- packages with dead
(CC'ing -project as well)
Joerg Jaspert <[EMAIL PROTECTED]> writes:
> Hi,
Hi,
Here are a few comments/questions.
> following the various "Bits from $foo" this is a small mail to summarize
> what's up with "the DAMs".
[...]
> 1. Introduction of the new DAM member
> -