Re: Reaction to potential PGP schism

2023-12-21 Thread Christoph Biedl
Daniel Kahn Gillmor wrote... (...) Thanks for your exhaustive description. I'd just like to point out one point: > In practice, i think it makes the most sense to engage with > well-documented, community-reviewed, interoperably-tested standards, and > the implementations that try to follow them.

Re: HTTPS enabled Debian Security repository

2017-10-26 Thread Christoph Biedl
林博仁 wrote... > I believe that there's no benefit in accessing Debian archive with HTTPS as > they use GnuPG for authentication GnuPG indeed serves the purposes of authenticity and integrity very well. Modulo bugs every now and then, but they happen on other layers as well. Also, nobody should r

Re: Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet

2017-05-08 Thread Christoph Biedl
Niels Thykier wrote... > > Deserialization vulnerability in lintian through 2.5.50.3 > > allows attackers to trigger code execution by requesting a review of > > a source package with a crafted YAML file. In my opinion lintian is just the victim of an issue in the YAML::XS module (libyaml-libyaml

Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-28 Thread Christoph Biedl
Adam Warner wrote... > Why is a 27 January recompilation of the source package purporting to > have the same modification time as the original binary package > distributed 16 days earlier? Lemme guess: For the sake of reproducible builds, the timestamp of all created files is set to the time of t

Re: HTTPS needs to be implemented for updating

2016-12-21 Thread Christoph Biedl
Marc Haber wrote... > On Wed, Dec 21, 2016 at 09:31:23AM +0100, Joerg Jaspert wrote: > > Now, if you want to manually download a .deb and dpkg -i it - then you > > have to manually do the same steps apt & co do: Get the corresponding > > packages and (In)Release files, verify its signature validat

Re: HTTPS needs to be implemented for updating

2016-12-20 Thread Christoph Biedl
Casper Thomsen wrote... > On Sun, Dec 18, 2016 at 12:35 PM, datanoise wrote: > > There could be https mirrors as well as non-https mirrors. > > There is https://cloudfront.debian.net which you could decide to trust. > > It doesn't *need* to be a "Debian SSL cert"; since you trust the > mirror a

Re: [SECURITY] [DSA 3121-1] file security update

2015-01-09 Thread Christoph Biedl
Henrique de Moraes Holschuh wrote... > I do have a private backport of file/5.21+15, but it is a quick hack job > that dropped multiarch and build-profile support to ease backporting. If > someone has a better backport that preserves multiarch support, please > upload. file maintainer here. I do

Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Christoph Biedl
Christoph Biedl wrote... > +[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne > "s/^n//p" | xargs -0i echo touch -c -h "'{}'" Addendum, that "echo" rather looks like debugging. Christoph
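
Review bot: In the quoted `+` line, the `"'{}'"` argument to xargs carries literal single quotes, which only make sense while the command is `echo touch ...`. If `echo` is dropped so that `touch -c -h` actually runs, those quotes would become part of every file name and should be dropped as well, since `xargs -0` already hands each name over as a single argument. GNU xargs also documents `-i` as deprecated in favour of `-I{}`.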

Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Christoph Biedl
Yves-Alexis Perez wrote... > - > Debian Security Advisory DSA-3074-1 secur...@debian.org > http://www.debian.org/security/ Yves-Alexis Perez > November 18, 2014 ht

Re: [SECURITY] [DSA 2858-1] iceweasel security update

2014-02-12 Thread Christoph Biedl
Hello Debian security, Moritz Muehlenhoff wrote... > Package: iceweasel (...) > This update updates Iceweasel to the ESR24 series of Firefox. Unfortunately, this upgrade broke the xul-ext-certificatepatrol package (src:certificatepatrol) in stable due to "Breaks: ... iceweasel (>= 19.0