On Fri, 2002-10-18 at 09:55, Gustavo Franco wrote:
> Talking about secpack, is it non-free? I can't see in your mail (Clemens)
> the url or apt-line to get the source package.
No, it's BSD. I didn't dare to put up a license for that minimal collection.
There isn't even a source package. I just dpk
Four words: Single point of failure.
(Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try
that again, shall we? ... ;)
Besides, I strongly believe that it already does this... IIRC apt-get does
this to make sure that the packages weren't corrupted (or truncated) in tra
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote:
> Why can't apt-get be modified to check the md5sum of a package against an
> official debian md5sum list before downloading and installing debs? This
> seems much simpler and easier than signing debs.
It does. The problem is, ho
Why can't apt-get be modified to check the md5sum of a package against an
official debian md5sum list before downloading and installing debs? This
seems much simpler and easier than signing debs.
On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote:
> On Fri, Oct 18, 2002 at 08:20:14AM -0500
>IMHO there is no lack of interesting ideas - what we really need are
>implementations.
Ja. I just have to find the time. :)
>apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could
>also improve security significantly. Together, I'd say they'd suffice to
>make the debian mirror
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote:
> If people are interested enough in it, I might throw together something
> more formal.
IMHO there is no lack of interesting ideas - what we really need are
implementations.
apt-check-sigs is a nice proof-of-concept, and the deb
From Jan Niehusmann on Friday, 18 October, 2002:
>On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
>> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
>> sufficient to keep a debian system secure and updated?
>Of course, if the hacker managed to modify fi
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote:
> On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> > I don't understand the need for this.
> >
> > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> > sufficient to keep a debian system secure and updated?
>
> It'll
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> I don't understand the need for this.
>
> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?
As pointed out several times in the past Debian has not fu
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?
Because a hacked mirror could contain malicious packages.
When you check signatures before upgradin
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> I don't understand the need for this.
>
> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?
It'll get to you when you have 200+ debian systems spread across the
I don't understand the need for this.
Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
sufficient to keep a debian system secure and updated?
On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote:
> Hi!
>
> http://therapy.endorphin.org/secpack_0.1-1.deb implements
Hi!
http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron
based daily security update with signature checking using a modified version
of ajt's apt-check-sigs.
Feedback is appreciated. CC please, /me not on list.
Regards, Clemens
26 matches