On Sat, 2 May 2020 10:14:13 +0200
Davide Prina wrote:
> On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> >> https isn't any more secure than http as long as you do not have a
> >> verifiably trustworthy server certificate that you can check for. As
On Sat, 2020-05-02 at 18:01 +0200, estel...@elstel.org wrote:
>
> On 02.05.2020 10:14, Davide Prina wrote:
> > On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> > > > https isn't any more secure than http as long as you do not have a
> > > > veri
I've seen this before with Firefox. Basically, Firefox has disabled weaker
certificates from working, whereas Chrome and IE still accept ones with
128-bit encryption; they do show an error (at least in Chrome) if you dig
into the SSL debug screen. Firefox just refuses to view it.
Ah, I have read
On 02.05.2020 00:51, Marcus Dean Adams wrote:
It's better than nothing. Even if somebody were using self-signed
certificates that aren't publicly trusted, the information would still
be encrypted in transit. Whether the other end is trustworthy is
another issue and up to the user and package ma
On 02.05.2020 02:53, Paul Wise wrote:
On Fri, May 1, 2020 at 8:18 PM Rebecca N. Palmer wrote:
This is already policy (and enforced by blocking network access) for
official Debian package builds: dependencies must be installed by the
package manager, not the build script.
Correction: the d
On 02.05.2020 10:14, Davide Prina wrote:
On 01/05/20 22:00, Rebecca N. Palmer wrote:
On 01/05/2020 20:31, Elmar Stellnberger wrote:
https isn't any more secure than http as long as you do not have a
verifiably trustworthy server certificate that you can check for. As
we know the certifica
The list seems to have lost this, as it doesn't appear at
https://lists.debian.org/debian-security/2020/05/maillist.html.
Forwarded Message
Subject: Re: Scripts that run insecurely-downloaded code
Date: Fri, 01 May 2020 22:51:05 +
From: Marcus Dean Adams
Davide Prina wrote:
Not all software that implements HTTPS verifies the validity of the
certificate and the validity of the whole certification chain.
These scripts are using wget or curl, which both say they do verify
certificates. If they do not do so correctly, please report this.
For exam
On 01/05/20 22:00, Rebecca N. Palmer wrote:
On 01/05/2020 20:31, Elmar Stellnberger wrote:
https isn't any more secure than http as long as you do not have a
verifiably trustworthy server certificate that you can check for. As
we know the certification authority system is totally broken.
Impe
On Fri, May 1, 2020 at 7:12 PM Rebecca N. Palmer wrote:
> Around 200 packages [0] include upstream scripts that download code via
> (non-secure) http, then run it without an integrity check.
A lot of these appear to be in documentation, dependency installation
scripts (such as in docker) or conti
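As an added example (not code from the thread, nor from any Debian package or upstream script it refers to), here is the fetch-then-verify pattern the thread is asking these upstream scripts to use instead of `curl http://... | sh`: download over HTTPS only, with curl's/wget's default certificate verification left on and any downgrade or redirect to plain HTTP refused, then compare the file against a SHA-256 digest obtained out of band (for example shipped with the package) before executing it. The function names are assumptions for illustration; `fetch_https` needs network access and is not exercised by the self-test, which instead verifies and runs a script constructed inline so it works offline.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh, sha256sum, and
# curl or wget. The expected digest must come from somewhere other than
# the download itself, otherwise it is not an integrity check.

# Download over HTTPS only. Certificate verification is curl's and wget's
# default; the --proto/--https-only flags stop a script from silently
# falling back to, or being redirected to, plain HTTP.
# Hypothetical helper; not invoked by the self-test below (needs network).
fetch_https() {
    url=$1; dest=$2
    if command -v curl >/dev/null 2>&1; then
        curl --fail --silent --show-error --location \
             --proto '=https' --proto-redir '=https' \
             --output "$dest" "$url"
    else
        wget --quiet --https-only --output-document="$dest" "$url"
    fi
}

# Compare a file's SHA-256 with the pinned digest. Returns 0 on match.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Execute a downloaded script only after its digest has been verified;
# otherwise refuse and return 1 so a caller under `set -e` stops.
verify_and_run() {
    file=$1; expected=$2
    if verify_sha256 "$file" "$expected"; then
        sh "$file"
    else
        echo "refused: digest mismatch for $file" >&2
        return 1
    fi
}

# Offline self-test with a constructed script (no network involved).
demo() {
    tmp=$(mktemp)
    printf 'echo hello-from-script\n' > "$tmp"
    good=$(sha256sum "$tmp" | cut -d' ' -f1)
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_and_run "$tmp" "$good"                      # runs the script
    verify_and_run "$tmp" "$bad" || echo "blocked as expected"
    rm -f "$tmp"
}

demo
```

Usage in a real script would be `fetch_https "$URL" "$TMP" && verify_and_run "$TMP" "$PINNED_SHA256"`, with `PINNED_SHA256` taken from the package rather than fetched alongside the file; the digest check is what still protects you if the transport or the CA system is not trustworthy.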
On Fri, May 1, 2020 at 8:18 PM Rebecca N. Palmer wrote:
> This is already policy (and enforced by blocking network access) for
> official Debian package builds: dependencies must be installed by the
> package manager, not the build script.
Correction: the debian.org buildds do not at this time bl
On 01/05/2020 20:31, Elmar Stellnberger wrote:
https isn't any more secure than http as long as you do not have a
verifiably trustworthy server certificate that you can check for. As we
know the certification authority system is totally broken.
Imperfect, yes, but still better than nothing.
It
https isn't any more secure than http as long as you do not have a
verifiably trustworthy server certificate that you can check for. As we
know the certification authority system is totally broken. It is a bug
if a build script tries to download something. It must work offline as
well. I do not