Daniel Sousa:
> On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone wrote:
>
>> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
>>
>>> I think the real issue is about if the malicious patch is not part of
>>> the source package
>>>
>>
>> Why? It certainly makes your argument simpler if
Michael Stone:
> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
>> I think the real issue is about if the malicious patch is not part of
>> the source package
>
> Why? It certainly makes your argument simpler if you arbitrarily
> restrict the problem set, but it isn't obvious that
On Sun, Aug 04, 2013 at 05:13:51PM +0100, Daniel Sousa wrote:
First of all, they could apply that change (calling it a patch was not one of
my greatest ideas) for every update they do, it's not necessarily a one time
thing. It's also much easier (and probably much more dangerous) to write some code
th
On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone wrote:
> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
>
>> I think the real issue is about if the malicious patch is not part of
>> the source package
>>
>
> Why? It certainly makes your argument simpler if you arbitrarily restrict
On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
I think the real issue is about if the malicious patch is not part of
the source package
Why? It certainly makes your argument simpler if you arbitrarily
restrict the problem set, but it isn't obvious that it makes sense. If I
wa
On Sun, Aug 04, 2013 at 02:25:03PM +0200, Jann Horn wrote:
> On Sun, Aug 04, 2013 at 10:51:08AM +0200, Volker Birk wrote:
> > Now I'm surprised ;-) I think, this is not a matter of security of
> > checksums here. Of course, only a digital signature will do, or at least
> > a MAC.
> Huh, what? Aren'
I am really sorry if you think it's rude to start a topic here without
subscribing. I thought that it was acceptable, since a lot of people do it
in debian-users (I know it has a lot more volume than this one) and it's
the default action when you click on "Reply to All" in most clients (well,
proba
On Sun, Aug 04, 2013 at 10:51:08AM +0200, Volker Birk wrote:
> Now I'm surprised ;-) I think, this is not a matter of security of
> checksums here. Of course, only a digital signature will do, or at least
> a MAC.
Huh, what? Aren't MACs always symmetric? How do MACs fit in here?
Volker Birk:
> On Sun, Aug 04, 2013 at 03:04:33AM +, adrelanos wrote:
>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
>>> There will be the correct checksum, if the maintainer of the package
>>> does it.
>> Why?
>
> How and by whom are checksums defined?
Please hav
Heimo Stranner:
> On 2013-08-04 09:50, intrigeri wrote:
>> Hi,
>>
>> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
> Volker Birk:
>> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
>>> That should hel
intrigeri:
> Hi,
>
> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
Volker Birk:
> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
>> That should help to defeat any kind of sophisticated backdoor on b
On 08/04/2013 11:51 AM, Volker Birk wrote:
> To make that clear: I don't think this is a matter of security of
> the procedure what we're discussing. It is a matter of trusting
> the involved people.
>
> Yours, VB.
Exactly, problem is similar as trusted certificate authors were for
ssl certific
On 2013-08-04 09:50, intrigeri wrote:
> Hi,
>
> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
Volker Birk:
> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
>> That should help to defeat any kind of s
On Sun, Aug 04, 2013 at 03:04:33AM +, adrelanos wrote:
> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
> > There will be the correct checksum, if the maintainer of the package
> > does it.
> Why?
How and by whom are checksums defined?
> > And if you're taking the bu
Hi,
adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
>>> Volker Birk:
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
> That should help to defeat any kind of sophisticated backdoor on build
> machines.
15 matches