On 17 Dec 2001 14:34:12 +1100
Simon Hill <[EMAIL PROTECTED]> wrote:
> so assuming that dpkg (and/or apt?) can deal with embedded gpg
> signatures in .deb files, how do we get maintainers to start
> using them?
File bugs?
--
J C Lawrence
Previously Hendrik Naumann wrote:
> All or just those that are not signed correctly?
All, since none are signed currently. If we only use signatures
from developers the debsig policy would also be huge since you
would need to list 500+ keys in it and update it regularly.
> Is there the possibilit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi
> > Could anyone point me to some documentation about how this fits
> > within the 'usual' apt-get update apt-get install procedure.
>
> The idea is:
> * packages are signed using debsig and get one (or more) embedded
> signatures
> * apt & frien
On Mon, 17 Dec 2001, Simon Hill wrote:
> so assuming that dpkg (and/or apt?) can
> deal with embedded gpg signatures in .deb
> files, how do we get maintainers to start
> using them?
We deploy the required infrastructure to make good use of signatures in the
archive, test it, send email explai
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
so assuming that dpkg (and/or apt?) can
deal with embedded gpg signatures in .deb
files, how do we get maintainers to start
using them?
- ---
GPG Key ID: 6ED78BCA
so assuming that dpkg (and/or apt?) can deal with embedded gpg
signatures in .deb files, how do we get maintainers to start using
them?
---
GPG Key ID: 6ED78BCA
Previously Torrin wrote:
> Well, if it's not used (skipped) should we even bother installing
> debsig-verify and debsigs?
Right now it's only useful if you want to play with the technology.
Wichert.
--
On Thu, Dec 13, 2001 at 05:20:14PM +0100, Wichert Akkerman wrote:
[SNIP]
> package
> * dpkg will call debsig-verify to verify the signature and validate the
> package
>
> The last step is currently skipped since /etc/dpkg/dpkg.cfg includes
> the no-debsig option by default, otherwise debsig-ve
On Fri, Dec 14, 2001 at 10:59:47AM +0100, Wichert Akkerman wrote:
>
> > From what I know, this will be supported scheme in the next release.
>
> Well, afaik base is frozen and the current released version of
> apt doesn't do that yet..
>
Of course, I meant next to woody, *not* woody...
(Please don't use overly long lines, it makes text hard to read).
Previously Javier Fernández-Sanguino Peña wrote:
> A far better scheme was the one proposed by Wichert (signing
> only one file: Packages.gz and establish a trust relationship
> like this):
FWIW, I didn't propose it, I just described
On Thu, Dec 13, 2001 at 06:05:29PM -0600, Jor-el wrote:
> On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> Note that if the packages are PGP / GPG signed, the problem is
> only a little less acute. Mr. Cracker could sign the package with his /
> her key. How would a user know that Mr. Cracke
There is a list of "official mirrors" available at:
http://www.debian.org/misc/README.mirrors
Downloading your packages from any site other than those
listed on this page significantly increases your odds of
downloading an unofficial package (i.e. a Trojan Horse...)
Regards,
Phil
> On Thu, 13 Dec
rackers PGP key has, somehow, made it onto your
keyring where only your friends and the Debian maintainers ought to be
anyway.
Curt-
-Original Message-
From: Jor-el [mailto:[EMAIL PROTECTED]
Sent: Friday, December 14, 2001 09:05
To: debian-security@lists.debian.org
Subject: Re: Apt-get is insecure
On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
>
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Pac
Previously J C Lawrence wrote:
> What is the status of having Jack Goerzen's dpkg patch accepted?
>
> http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html
A modified version of that was committed to CVS on March 9.
Wichert.
--
On Thu, 13 Dec 2001 16:24:47 +0100
Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Previously Alexander Karelas wrote:
>> RedHat uses a PGP signature scheme. What are we doing about it?
> apt-get install debsign
What is the status of having Jack Goerzen's dpkg patch accepted?
http://lists.debi
On Thu, 2001-12-13 at 10:44, Wichert Akkerman wrote:
> Previously Blake Barnett wrote:
> > Conectiva currently has support for signed _repositories_, as well as
> > signed RPM packages. Check out their /etc/apt/sources.list for more
> > info on it.
>
> That's exactly what I just described.. the
Previously Blake Barnett wrote:
> Conectiva currently has support for signed _repositories_, as well as
> signed RPM packages. Check out their /etc/apt/sources.list for more
> info on it.
That's exactly what I just described.. the Conectiva apt also seems
to be based on an ancient version, they
Conectiva currently has support for signed _repositories_, as well as
signed RPM packages. Check out their /etc/apt/sources.list for more
info on it.
The code may be portable to Debian, as their APT is based directly off
of Debian's way of doing things.
http://distro.conectiva.com/projetos/4
Hi,
[snips:]
Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
I am running woody and cannot find this package, nor is it listed as
part of unstable, (checked www.debian.org/distrib/packa
Previously jereme wrote:
> Can/is the checking of these signatures, (and fetching the appropriate
> developer keys) integrated into apt-get? What am I missing?
Apt works at a different level: it deals with downloading packages and
archives, so it will not verify the signature that is embedded in
a d
Previously Emiel Metselaar wrote:
> Could anyone point me to some documentation about how this fits within
> the 'usual' apt-get update apt-get install procedure.
The idea is:
* packages are signed using debsig and get one (or more) embedded
signatures
* apt & friends don't look at the signatur
On Thursday 13 December 2001 16:24, Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
>
> Wichert.
Could anyone point me to some documentation about how this fits within
the 'usual' apt-get
Previously ralphtheraccoon wrote:
> There isn't a "stable" debsig-verify or other package...
> does this mean that "stable" is less secure than "unstable"?
Neither actually, the debsig infrastructure isn't used currently
Wichert.
--
There isn't a "stable" debsig-verify or other package...
does this mean that "stable" is less secure than "unstable"?
If so... I'll probably be upgrading.
Dan
debsign is a part of devscripts. It looks to be present even in Potato.
- Ben
On Thu, Dec 13, 2001 at 05:37:42PM +0200, Samuli Suonpaa blathered thusly:
> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> > Previously Alexander Karelas wrote:
> >> RedHat uses a PGP signature scheme. What are we doin
Miek Gieben <[EMAIL PROTECTED]> wrote:
> [On 13 Dec, 2001, Samuli Suonpaa wrote in " Re: Apt-get is insecure
> "]
>> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
>> Umm... What exactly did you mean with your one-liner?
> i looked with dselect and did a
Previously Alan James wrote:
> don't you mean debsig-verify ?
Hmm, possibly :)
Wichert.
--
[On 13 Dec, 2001, Samuli Suonpaa wrote in " Re: Apt-get is insecure "]
> Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Umm... What exactly did you mean with your one-liner?
I looked with dselect and did a:
apt-get install debsig-verify
grtz
Miek
--
miek.nl
:wq!
On 13 Dec 2001 17:37:42 +0200
Samuli Suonpaa <[EMAIL PROTECTED]> wrote:
> Umm... What exactly did you mean with your one-liner?
[EMAIL PROTECTED]:~/tmp/email$ apt-cache search sign |grep debsig
debsig-verify - Debian Package Signature Verification Tool
debsigs - Utility for creating signatures in .deb
On Thu, 13 Dec 2001 16:24:47 +0100, Wichert Akkerman <[EMAIL PROTECTED]>
wrote:
>apt-get install debsign
don't you mean debsig-verify ?
Alan.
unsuccessful:
"E: Couldn't find package debsign"
On Thu, Dec 13, 2001 at 04:24:47PM +0100, Wichert Akkerman wrote:
> Previously Alexander Karelas wrote:
> > RedHat uses a PGP signature scheme. What are we doing about it?
>
> apt-get install debsign
>
Wichert Akkerman <[EMAIL PROTECTED]> wrote:
> Previously Alexander Karelas wrote:
>> RedHat uses a PGP signature scheme. What are we doing about it?
> apt-get install debsign
$ sudo apt-get install debsign
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package debs
Previously Alexander Karelas wrote:
> RedHat uses a PGP signature scheme. What are we doing about it?
apt-get install debsign
Wichert.
--