Uriah Welcome <[EMAIL PROTECTED]> writes:
> Sorry to be off topic, but I had to reply..
I'm glad you did. The blame for going so OT is on me, please excuse me.
> I'm the Sr. Systems Administrator for SourceForge.net. We still allow
> users to download their nightly CVS tarball and they can easily
There is a list of "official mirrors" available at:
http://www.debian.org/misc/README.mirrors
Downloading your packages from any site other than one
listed on this page significantly increases your odds of
downloading an unofficial package (i.e. a Trojan horse...)
Regards,
Phil
> On Thu, 13 Dec
Any PGP keys used by package maintainers will themselves be signed and
trusted by the Debian official community. What a "secure apt" must do is
alert if the key used is not so trusted, even if it uses the same name
and email address as it "should".
This assumes that the cracker's PGP key has, som
On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
>
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Pac
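An added example, not code from this thread nor from apt or dpkg, putting together the two points made in the messages above: the hash chain Wichert sketches (the Packages file lists the MD5 of every .deb, and a top-level index lists the MD5 of each Packages file; the plan is cut off here, so calling that index Release and making it the thing that gets signed follows the layout apt later adopted) and the requirement that a verifier trust the signing key by its fingerprint rather than by the name and e-mail address on it. HMAC stands in for the OpenPGP signature so the example runs with the standard library only; the key fingerprints, the user ID string, the package name and the .deb bodies are all constructed.

```python
import hashlib
import hmac

# Constructed trust anchors. The real design uses OpenPGP keys; HMAC secrets
# stand in here so the example runs with the standard library only.
ARCHIVE_KEY = ("0123456789ABCDEF", b"archive-signing-secret")    # assumed
ATTACKER_KEY = ("FEDCBA9876543210", b"attacker-signing-secret")  # assumed
# The keyring is indexed by fingerprint; nothing below ever trusts a user ID.
TRUSTED_KEYRING = {ARCHIVE_KEY[0]: ARCHIVE_KEY[1]}
# Both keys carry the same human-readable user ID: that is the lookalike attack.
LOOKALIKE_UID = "Debian Archive Signing Key <ftpmaster@debian.org>"


def md5hex(data: bytes) -> str:
    # MD5 because that is the hash the 2001 plan names; apt later moved to SHA-256.
    return hashlib.md5(data).hexdigest()


def build_packages(debs: dict) -> bytes:
    """Packages file: one stanza per .deb carrying Filename, Size and MD5sum."""
    stanzas = [f"Package: {n.split('_')[0]}\nFilename: pool/{n}\n"
               f"Size: {len(b)}\nMD5sum: {md5hex(b)}\n" for n, b in sorted(debs.items())]
    return "\n".join(stanzas).encode()


def build_release(packages: bytes, path: str) -> bytes:
    """Top-level index listing the MD5 and size of each Packages file."""
    return f"MD5Sum:\n {md5hex(packages)} {len(packages)} {path}\n".encode()


def sign(key: tuple, data: bytes) -> dict:
    """Detached signature over the index, tagged with the signer's fingerprint and uid."""
    fpr, secret = key
    return {"uid": LOOKALIKE_UID, "fpr": fpr, "sig": hmac.new(secret, data, "sha256").hexdigest()}


def parse_release(release: bytes) -> dict:
    """Return {path: (md5, size)} from the MD5Sum: block."""
    entries, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            md5, size, path = line.split()
            entries[path] = (md5, int(size))
        else:
            in_block = False
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (md5, size)} from each stanza."""
    entries = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries


def verify_download(release, sig, packages, packages_path, deb_path, deb,
                    keyring=TRUSTED_KEYRING):
    """Walk the chain top-down: trusted key -> Release -> Packages -> .deb."""
    secret = keyring.get(sig["fpr"])  # looked up by fingerprint, never by uid
    if secret is None:
        return False, f"signing key {sig['fpr']} not trusted (uid claims {sig['uid']!r})"
    if not hmac.compare_digest(hmac.new(secret, release, "sha256").hexdigest(), sig["sig"]):
        return False, "bad signature on Release"
    if parse_release(release).get(packages_path) != (md5hex(packages), len(packages)):
        return False, "Packages file does not match Release"
    if parse_packages(packages).get(deb_path) != (md5hex(deb), len(deb)):
        return False, ".deb does not match Packages"
    return True, "ok"


def run_scenarios() -> dict:
    """Genuine download plus the ways an in-path attacker might tamper with it."""
    pkg_path = "dists/woody/main/binary-i386/Packages"
    deb_name = "openssh_3.0.2p1-1_i386.deb"                          # constructed
    genuine = b"!<arch>\ndebian-binary ... constructed .deb body"    # constructed
    trojan = b"!<arch>\ndebian-binary ... same name, hostile body"   # constructed
    deb_path = f"pool/{deb_name}"
    packages = build_packages({deb_name: genuine})
    release = build_release(packages, pkg_path)
    sig = sign(ARCHIVE_KEY, release)
    evil_packages = build_packages({deb_name: trojan})
    evil_release = build_release(evil_packages, pkg_path)
    evil_sig = sign(ATTACKER_KEY, evil_release)

    def check(rel, s, pkgs, deb, keyring=TRUSTED_KEYRING):
        return verify_download(rel, s, pkgs, pkg_path, deb_path, deb, keyring)[0]

    return {
        "genuine": check(release, sig, packages, genuine),
        # swap only the .deb: caught by the MD5sum in Packages
        "trojaned_deb": check(release, sig, packages, trojan),
        # also rewrite Packages to match: caught by the MD5Sum in the signed Release
        "trojaned_deb_and_packages": check(release, sig, evil_packages, trojan),
        # rewrite everything and re-sign with a key whose uid mimics the archive's: caught by the keyring
        "resigned_with_lookalike_key": check(evil_release, evil_sig, evil_packages, trojan),
        # the same download as seen by a verifier that had been told to trust that key
        "lookalike_key_if_trusted": check(evil_release, evil_sig, evil_packages, trojan,
                                          {ATTACKER_KEY[0]: ATTACKER_KEY[1]}),
    }
```

run_scenarios() shows that the MD5 chain on its own stops an attacker who replaces only the .deb, or the .deb and the Packages file, but not one who rewrites the whole chain and re-signs it; that last case is decided entirely by whether the signing key's fingerprint is in the trusted keyring, which is why matching the key's user ID against the expected name and address proves nothing.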
On Thu, Dec 13, 2001 at 08:41:38PM +0100, Wichert Akkerman wrote:
> Previously Javier Fernández-Sanguino Peña wrote:
> > I guess a public database could be useful both for
>
> We have a private database (well, a status-file in which we keep track
> of things). A public database can't be used s
Previously Javier Fernández-Sanguino Peña wrote:
> I guess a public database could be useful both for
We have a private database (well, a status-file in which we keep track
of things). A public database can't be used since we frequently get
private info we can't share.
Wichert.
Previously J C Lawrence wrote:
> What is the status of having Jack Goerzen's dpkg patch accepted?
>
> http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html
A modified version of that was committed to CVS on March 9.
Wichert.
On Thu, 13 Dec 2001 16:24:47 +0100
Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Previously Alexander Karelas wrote:
>> RedHat uses a PGP signature scheme. What are we doing about it?
> apt-get install debsign
What is the status of having Jack Goerzen's dpkg patch accepted?
http://lists.debi
How do the Debian Security team currently follow the vulnerabilities posted
upstream? I guess that's easy when the upstream maintainer (or the one that
found the bug) tells Debian's team before posting. But what if somebody posts
in bugtraq a security issue around software available at
On Thu, 2001-12-13 at 10:44, Wichert Akkerman wrote:
> Previously Blake Barnett wrote:
> > Conectiva currently has support for signed _repositories_, as well as
> > signed RPM packages. Check out their /etc/apt/sources.list for more
> > info on it.
>
> That's exactly what I just described.. the
On Thu, Dec 13, 2001 at 01:54:49PM +0100, Robert Epprecht wrote:
> Benoît Sibaud <[EMAIL PROTECTED]> writes:
>
> >> BTW: I would prefer to keep the main cvs repository local and copy
> >> (rsync ?) it to the foreign server, if that's possible. Or would this
> >> confuse cvs on the other server? W
Previously Blake Barnett wrote:
> Conectiva currently has support for signed _repositories_, as well as
> signed RPM packages. Check out their /etc/apt/sources.list for more
> info on it.
That's exactly what I just described.. the Conectiva apt also seems
to be based on an ancient version, they
Conectiva currently has support for signed _repositories_, as well as
signed RPM packages. Check out their /etc/apt/sources.list for more
info on it.
The code may be portable to Debian, as their APT is based directly off
of Debian's way of doing things.
http://distro.conectiva.com/projetos/4
Hi,
[snips:]
Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
I am running woody and cannot find this package, nor is it listed as
part of unstable, (checked www.debian.org/distrib/packa
In message <[EMAIL PROTECTED]>, Robert Epprecht writes:
>Benoît Sibaud <[EMAIL PROTECTED]> writes:
>> (I only know about SF) I don't think you can rsync the SF
Previously jereme wrote:
> Can/is the checking of these signatures, (and fetching the appropriate
> developer keys) integrated into apt-get? What am I missing?
Apt works at a different level: it deals with downloading packages and
archives, so it will not verify the signature that is embedded in
a d
Previously Emiel Metselaar wrote:
> Could anyone point me to some documentation about how this fits within
> the 'usual' apt-get update apt-get install procedure.
The idea is:
* packages are signed using debsig and get one (or more) embedded
signatures
* apt & friends don't look at the signatur
On Thursday 13 December 2001 16:24, Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
>
> Wichert.
Could anyone point me to some documentation about how this fits within
the 'usual' apt-get
Previously ralphtheraccoon wrote:
> There isn't a "stable" debsig-verify or other package...
> does this mean that "stable" is less secure than "unstable"?
Neither actually, the debsig infrastructure isn't used currently.
Wichert.
There isn't a "stable" debsig-verify or other package...
does this mean that "stable" is less secure than "unstable"?
If so... I'll probably be upgrading.
Dan
debsign is a part of devscripts. It looks to be present even in Potato.
- Ben
On Thu, Dec 13, 2001 at 05:37:42PM +0200, Samuli Suonpaa blathered thusly:
> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> > Previously Alexander Karelas wrote:
> >> RedHat uses a PGP signature scheme. What are we doin
Miek Gieben <[EMAIL PROTECTED]> wrote:
> [On 13 Dec, 2001, Samuli Suonpaa wrote in " Re: Apt-get is insecure
> "]
>> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
>> Umm... What exactly did you mean with your one-liner?
> i looked with dselect and did a:
>
> apt-get install debsig-verify
Oh, sil
Previously Alan James wrote:
> don't you mean debsig-verify ?
Hmm, possibly :)
Wichert.
[On 13 Dec, 2001, Samuli Suonpaa wrote in " Re: Apt-get is insecure "]
> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Umm... What exactly did you mean with your one-liner?
i looked with dselect and did a:
apt-get install debsig-verify
grtz
Miek
--
miek.nl
:wq!
On 13 Dec 2001 17:37:42 +0200
Samuli Suonpaa <[EMAIL PROTECTED]> wrote:
> Umm... What exactly did you mean with your one-liner?
[EMAIL PROTECTED]:~/tmp/email$ apt-cache search sign |grep debsig
debsig-verify - Debian Package Signature Verification Tool
debsigs - Utility for creating signatures in
On Thu, 13 Dec 2001 16:24:47 +0100, Wichert Akkerman <[EMAIL PROTECTED]>
wrote:
> apt-get install debsign
don't you mean debsig-verify ?
Alan.
unsuccessful:
"E: Couldn't find package debsign"
On Thu, Dec 13, 2001 at 04:24:47PM +0100, Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
>
Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Previously Alexander Karelas wrote:
>> RedHat uses a PGP signature scheme. What are we doing about it?
> apt-get install debsign
$ sudo apt-get install debsign
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package debs
Previously Alexander Karelas wrote:
> RedHat uses a PGP signature scheme. What are we doing about it?
apt-get install debsign
Wichert.
A poster on slashdot has done some interesting research on whether an ISP that
co-operates with the FBI can insert a trojan horse in your Debian machine. He
demonstrates that it is easy:
http://slashdot.org/comments.pl?sid=24834&cid=2697504
RedHat uses a PGP signature scheme. What are we doing
Benoît Sibaud <[EMAIL PROTECTED]> writes:
>> BTW: I would prefer to keep the main cvs repository local and copy
>> (rsync ?) it to the foreign server, if that's possible. Or would this
>> confuse cvs on the other server? Would I have direct write access to
>> 'my' files in the (foreign) repositor
Well, I couldn't run away this year either... I'm giving a lecture at
UMEET 2001 today (Thursday 19:00 CET) regarding Debian GNU/Linux security.
If anyone is interested in attending/helping go to irc.uninet.edu (#redes).
I will be also at #debian-devel today.
Regards
Javi
P