On Wed, Jun 29, 2022 at 1:46 PM Ravi Dwivedi wrote:
> Since the below mentioned analysis of Debian's security, and that too
> compared to other distros, is not very well-known outside of Debian
> project
honestly i don't believe it's even widely known *in* the debian project
[quite how damn good
Hi Paul,
On 25/05/2022 02:10, Paul Wise wrote:
bullseye-updates: receives occasional time-sensitive and important
updates, such as updates to the timezone database, which often happen
just days before the timezone changes, or fixes for packages that get
completely broken by some external servic
On Tue, 2022-05-24 at 16:27 +0100, piorunz wrote:
> Important note: Disabling bullseye-updates is actually causing
> point-release updates to be delivered on one, predetermined date,
> bundled all together. By disabling this entry you still get them all,
> but in controlled fashion, you are not "b
On 23/05/2022 19:59, Adam McKenna wrote:
You are talking about a deterrent though. I think the question is, what
if someone cares more about their political cause than retaining their
uploader access?
What if someone's keys are compromised and an attacker uploads a
compromised package?
Debian
On Mon, May 23, 2022 at 7:59 PM Adam McKenna wrote:
> You are talking about a deterrent though. I think the question is,
> what if someone cares more about their political cause than
> retaining their uploader access?
they get one and only one chance to do something that stupid.
> What if someo
> they get one and only one chance to do something that stupid.
So the answer is that we have no way of preventing a developer from
intentionally sabotaging a package in any / as many ways as they choose and
the only risk to them is losing their uploader access after the fact?
> the response is sw
> anyone stupid enough to abuse their position may only do so once, at
> which point their GPG key is revoked.
You are talking about a deterrent though. I think the question is, what if
someone cares more about their political cause than retaining their
uploader access?
What if someone's keys are
On Mon, May 23, 2022 at 6:28 PM Adam McKenna wrote:
>
> > i believe the answer is in the question. debian is based on distributed
> > trust. i did the analysis (took 3 weeks): it is literally the only distro
> > in the world with an inviolate chain of trust from a large keyring dating
> > back
> i believe the answer is in the question. debian is based on distributed
> trust. i did the analysis (took 3 weeks): it is literally the only distro
> in the world with an inviolate chain of trust from a large keyring dating
> back 20 years that is itself GPG-signed as a package, with a package
> distrib
> i did the analysis (took 3 weeks)
Do you have a publication of that analysis? I was thinking the same
about the organization of Debian for some time but never did analysis
or compared it to other distros.
Also I like to add that reproducible builds are an excellent addition
to the mechanisms yo
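The chain of trust discussed in the two messages above (archive signing keys shipped and verified as a Debian package, a signed Release file, hashed index files, hashed .deb files) walked link by link, as an added worked example; this is not code from the Debian project, from apt, or from any poster in the thread. The gpgv invocation and the keyring path are assumptions for a stock Debian host and are not exercised offline; the Release, Packages and .deb contents are constructed inline so the hash links below the signature can be checked without a mirror.

```python
"""Walk the apt trust chain below the archive signature:
InRelease (signed) -> Release hashes -> Packages index -> .deb.

Added example, not code from the Debian project.  Link 1 (the archive
signature) needs gpgv and a keyring on disk and is shown but not run here;
links 2 and 3 are pure hash checks and run on the constructed data below.
"""
import hashlib
import subprocess


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_inrelease_signature(
    inrelease_path: str,
    keyring: str = "/usr/share/keyrings/debian-archive-keyring.gpg",  # assumed stock path
) -> bool:
    """Link 1: gpgv exits 0 only for a good clearsignature by a key in the
    given keyring.  The keyring file itself arrives as a signed .deb
    (debian-archive-keyring), which is what closes the loop back to the
    developer keyring."""
    result = subprocess.run(["gpgv", "--keyring", keyring, inrelease_path],
                            capture_output=True)
    return result.returncode == 0


def parse_release_sha256(release_text: str) -> dict:
    """Link 2: the signed Release file lists sha256 and size of every index.
    Returns {path: (hexdigest, size)} from the 'SHA256:' block."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                in_block = False  # next header ends the block
                continue
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Link 3: each stanza of a Packages index carries Filename/Size/SHA256
    of one .deb.  Returns a list of {field: value} dicts."""
    stanzas, cur = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
        elif ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            cur[key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def index_ok(release: dict, path: str, data: bytes) -> bool:
    """An index is trusted only if Release names it with matching size+hash."""
    if path not in release:
        return False
    digest, size = release[path]
    return len(data) == size and sha256_hex(data) == digest


def deb_ok(stanza: dict, deb: bytes) -> bool:
    """A .deb is trusted only if its stanza's Size and SHA256 both match."""
    return int(stanza["Size"]) == len(deb) and sha256_hex(deb) == stanza["SHA256"]


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 filename: str, deb: bytes) -> bool:
    """Release -> index -> .deb.  Any broken link, or an unknown index path
    or Filename, fails closed."""
    if not index_ok(parse_release_sha256(release_text), index_path, index_bytes):
        return False
    for stanza in parse_packages(index_bytes.decode()):
        if stanza.get("Filename") == filename:
            return deb_ok(stanza, deb)
    return False


# --- constructed sample data (not a real archive, hashes computed here) ---
DEB = b"!<arch>\nconstructed-sample-deb-contents\n"
FILENAME = "pool/main/h/hello/hello_2.10-2_amd64.deb"
PACKAGES = (
    "Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n"
    f"Filename: {FILENAME}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: bullseye\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print("chain verifies:", verify_chain(RELEASE, INDEX_PATH, PACKAGES, FILENAME, DEB))
    print("tampered .deb :", verify_chain(RELEASE, INDEX_PATH, PACKAGES, FILENAME, DEB + b"x"))
```

The point the example makes is that everything below the signature is a hash chain: a modified index or .deb fails without any further key material, so the only place an attacker with a stolen uploader key can insert anything is at the top, by getting a signed upload accepted into the archive. That is exactly why the thread's discussion centres on the keyring and on reproducible builds rather than on apt's transport.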
On 17/04/2022 19:26, Satvik Sinha wrote:
> abusing your OS's reputation?
i believe the answer is in the question. debian is based on distributed trust.
i did the analysis (took 3 weeks): it is literally the only distro in the world
with an inviolate chain of trust from a large keyring datin