Russell Coker:
> I think it would be good to have a package for improving system security.
https://github.com/Whonix/security-misc
> It
> could depend on packages like spectre-meltdown-checker and also contain
> scripts that look for ways of improving system security. For example
> recommend
Elmar Stellnberger:
>>> Things debcheckroot does not check at the moment are the initrd and
>> the MBR (master boot record). You may unpack the initrd by hand and
>> check the files contained there against a sha256sum list generated by
>> debcheckroot. The MBR can first be backed up by confinedrv/di
Anyone using this yet?
I would speculate, not many are using it. It needs step by step
instructions. Otherwise, most users are lost at hello.
> Things debcheckroot does not check at the moment are the initrd and
the MBR (master boot record). You may unpack the initrd by hand and
check the files c
I am very interested in Verified Boot. Was wondering how it could be
implemented on a Linux desktop distribution such as Debian. I would like
to implement in Debian derivatives, that I maintain (Whonix, Kicksecure).
Came up with some ideas which I will share here.
https://www.whonix.org/wiki/Veri
What about Debian graphical installer security?
Isn't that in the meantime the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output of apt-get is not visible. And
stuff during installe
Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
> after you updated (if it looks OK, it's secure - you need
> fairly long lines to be able to break this)
Thank you for that hint, Julian!
Can you please elaborate on this? (I am asking for Qubes and Whonix
Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer :
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrading signature verification can be
>>> tricked resulting in arbitra
TLDR:
Is it possible to disable InRelease processing by apt-get?
Long:
Very short summary of the bug:
(my own words) During apt-get upgrading signature verification can be
tricked resulting in arbitrary package installation, system compromise.
sources:
- https://security-tracker.debian.org/tra
Holger Levsen:
> On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
>> Could you explain how any of these tools leak any information "without a
>> user's consent/expectation"?
>
> gnome-calculator contacts a web page/service with currency exchange
> information *on every start*, I think t
Hello we are a privacy-centric distro based on Debian and wanted to know
what Debian packages leak information about the system to the network
without a user's consent/expectation.
As documented on the page below, a system's security also depends on
avoiding leaking any identifiable information to
Elmar Stellnberger:
> Dear Debian-Security
>
> Having just released debcheckroot I wanna shortly present you my new tool:
> It was originally designed as a replacement for debsums and has the following
> qualities:
> * full support of Debian repos reading /etc/[apt/]sources.list to fetch
> che
ted mode interface to
> be secure in theory - Nonetheless just believe me that things are not as
> theoretical in practice as this description may make you believe.).
>
> Regards,
> Elmar
>
> On 29.11.2015 22:05, Patrick Schleizer wrote:
>> Elmar Stellnberger:
>>&
Hi!
Are you aware of this already?
[SECURITY NOTICE] libidn with bad UTF8 input
http://curl.haxx.se/mail/lib-2015-06/0143.html
Haven’t found anything related on debian.org mailing lists and/or curl's
changelog.
Cheers,
Patrick
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian
Brett Parker:
> On 18 Mar 16:27, Patrick Schleizer wrote:
>> Hi,
>>
>> I was running:
>> sudo apt-build install ccache
>>
>> And the output contained a message:
>>
>> WARNING: The following packages cannot be authenticated!
>> ccache
Cyril Brulebois:
> Patrick Schleizer (2015-03-18):
>> Hi,
>>
>> I was running:
>> sudo apt-build install ccache
>>
>> And the output contained a message:
>>
>> WARNING: The following packages cannot be authenticated!
>> ccache
>>
Holger Levsen:
> Hi,
>
> On Donnerstag, 19. März 2015, Patrick Schleizer wrote:
>>> I think you probably just need to run "apt-get update" before "apt-get
>>> install"...
>> I did that, I am sure of it. Reproduced this on two different systems
Holger Levsen:
> I think you probably just need to run "apt-get update" before "apt-get
> install"...
I did that, I am sure of it. Reproduced this on two different systems.
Cheers,
Patrick
Dear security team!
Paul Wise thinks this is a security issue
Paul Wise:
> This is a security issue, [...]
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Hi,
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Is this just how apt-build works or could this be a security issue due
to installing unauthenticated packages
Hi,
what is your opinion on the deterministic linux kernel SameKernel with
grsecurity by mempo?
https://wiki.debian.org/SameKernel
https://github.com/mempo/mempo-kernel
Cheers,
Patrick
Yves-Alexis Perez:
> On sam., 2014-10-18 at 13:55 +0000, Patrick Schleizer wrote:
>> Otherwise, what are the relevant people, how to contact them?
>
> You can find some hints in
> https://lists.debian.org/debian-security/2013/10/msg00066.html
>
> If it's really that
Yves-Alexis Perez:
> On ven., 2014-10-17 at 17:14 +0000, Patrick Schleizer wrote:
>> Debian has no good mechanism to revoke apt keys in case of compromise,
>> neither a way to inform users in emergency situations:
>> https://lists.debian.org/debian-security/2013/10/msg000
David Hubner:
> Hi,
>
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
>
> I mean if yo
Joey Hess:
> [...] there are situations where
> debootstrap is used without debian-archive-keyring being available, [...]
Please elaborate, which situations are these?
Peter Palfrader:
> On Fri, 30 May 2014, Joey Hess wrote:
>
>> Alfie John wrote:
>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>
>>> https://www.debian.org/mirror/list
>>
>> https://mirrors.kernel.org/debian is the only one I know of.
>>
>> It would be good to have
Paul Wise:
> On Sun, 2014-05-18 at 01:41 +0000, Patrick Schleizer wrote:
>
>> Got started:
>> https://wiki.debian.org/Security/Features
>>
>> Anyone knows how to view (as a non-admin) the wiki markup of
>> https://wiki.ubuntu.com/Security/Features ? (I would
Paul Wise:
> On Sun, 2014-05-18 at 21:53 +0200, herzogbrigit...@t-online.de
> wrote:
>
>> So: Please help us to complete the table.
>
> Why didn't you just use the Ubuntu script to automatically fill it
> out?
>
> https://bazaar.launchpad.net/~ubu
herzogbrigit...@t-online.de:
>> Yes it would be great if you can start with such a page. Use the
>> Ubuntu table as a template to start. I'll try to help as much as
>> I can in the wiki. Many Linux-Distros have a security features
>> page in their
herzogbrigit...@t-online.de:
> Thank you for all your replies. I understand that the user is
> important for security, but it's a difference whether you start
> from scratch or you can work with something prebuilt. So, could you
> tell me, which of t
Joel Rees:
>> He told me to use Ubuntu instead. He explained that with the fact,
>> that Ubuntu has more security features enabled than Debian (also
>> more compiler flags for security) in a fresh install. He gave me a
>> link to the following site:
>> https://wiki.ubuntu.com/Security/Features
>>
Marko Randjelovic:
> On Tue, 29 Apr 2014 11:52:14 +
> Patrick Schleizer wrote:
>
>> Marko Randjelovic:
>>> I was thinking about some kind
>>> of wizard:
>>>
>>> - create a chroot if it doesn't already exist
>>> - create a launc
Marko Randjelovic:
> I was thinking about some kind
> of wizard:
>
> - create a chroot if it doesn't already exist
> - create a launcher for your DE
> - create a shell script to run a program from terminal or a simple WM
>
> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
chroot is not
Elmar Stellnberger:
>>> As Debian package headers do not use to be signed
>> I think you are mistaken here or maybe I misunderstand. When you have a
>> Debian medium you trust (such as a Live DVD from a trusted source), we
>> can regard keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as
>>
Hi Elmar!
This is a most interesting tool!
The opensuse logo on http://www.elstel.org/debcheckroot/ is confusing,
since this is a Debian tool. This might scare off interested people.
> As Debian package headers do not use to be signed
I think you are mistaken here or maybe I misunderstand. When
Hi!
Stable, http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/ contains
gpg signatures.
Wheezy, http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/
does not contain gpg signatures.
Can you offer gpg signatures for Jessie as well ple
35 matches