On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> So if I wanted to attack 80% of all Debian machines all over the
> world, I would try to compromise one of the 1000 keys, thereby
> getting write access to the incoming queue. Then, I could NMU
> a package and upload a trojaned vers
blee
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
martin f krafft <[EMAIL PROTECTED]> writes:
> > > I think, adding package signatures will actually make Debian less
> > > secure than it was before, although it's doubtful that the average
> > > user will notice or care.
> >
> > How can it make it less secure?
>
> It gives the users a false sens
* martin f. krafft:
> I've been giving APT 0.6 a lot of thought lately and have come to
> the conclusion that it is a whole lot of snake oil in the context of
> the Debian project as we have it. Bear with me for a second... I am
> not about to take the piss out of the APT 0.6 people, who have done
martin f krafft wrote:
> also sprach Geoff <[EMAIL PROTECTED]> [2004.08.23.0134 +0200]:
Is it possible on a gpg key server to mark a key as invalid, without
access to the private key?
Yes, by removing it from the keyring.
The question is how one would continuously QA the developers... and
how
On Fri, Aug 20, 2004 at 11:42:04AM -0500, Micah Anderson wrote:
> I have seen that also, but that doesn't help me understand if there is
> official security support for sarge yet or not?
http://www.infodrom.org/~joey/log/?200408230851
HTH
Sven
--
It ain't so bad bein' alone if you know it'll neve
* Jan Niehusmann:
> While you have a point that the huge number of people with full write
> access to the archive is a problem, I still think that apt 0.6 serves a
> purpose: It makes local mirrors more secure.
I fully agree, and that's certainly an important step. Mirrors are
often used for mul
Just a note:
I have 149 emails in my deb-sec-announce folder. The earliest is dated
12/30/2003, and the latest is 8/18/2004. Security announce is NOT a
high volume list, if that's your concern.
PaulNM
On Mon, 23 Aug 2004, s. keeling wrote:
> Incoming from Timo Veith:
> >
> > if I have a package on hold for some reason AND I would not read
> > debian-security-announce, how could I get to know whether there is a
> > secur[it]y update for that package ?
>
> i) Subscribe to debian-security-announ
On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> Debian did not have package signatures for years, and it's been
> rarely a problem. Now we are going to add them, but the sole effect
> is that of a false security feeling. To me, APT 0.6 is snake oil,
> which is *not* an offence to
Incoming from Timo Veith:
>
> if I have a package on hold for some reason AND I would not read
> debian-security-announce, how could I get to know whether there is a
> secur[it]y update for that package ?
i) Subscribe to debian-security-announce !?!
ii) Go to lists.debian.org and
Hi list,
if I have a package on hold for some reason AND I would not read
debian-security-announce, how could I get to know whether there is a
security update for that package ?
TIA
Timo
Thanks for all the input so far!
also sprach Thomas Bushnell BSG <[EMAIL PROTECTED]> [2004.08.23.0121 +0200]:
> I think this is a real problem. I would quibble with your
> estimate of its likelihood, but that doesn't really matter. (And
> I don't know what "incredulously high" means--check your
13 matches