Russ Allbery wrote:
[...]
> what packages on your servers are missing security patches, basically

popularity-contest doesn't submit package versions, so it is not *that* easy to know whether security updates have been installed or not.

As for what security matters, popularity-contest could:
* randomly change the "recent" value of a random number of packages
* submit via https (or ftp+ssl), and/or even encrypt the data with gpg
* have some sort of apt-pinning so that it is possible to indicate that the data corresponding to a given package(s) or repository(ies) should NOT be sent, thereby preventing the "I know when you went on VAC because your xfoo-bar-custom package is marked as old" information leak.

With those security measures I believe there's a slight chance that a few more people (or institutions) will install popularity-contest.

Cheers,
Raphael Geissert