Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-10-14 Thread René Mayrhofer
On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
> W. Martin Borgert wrote:
>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>> * the signature files sign the package contents, not the hash of
>>>   whole .deb file (i.e. control.tar.gz and data.tar.gz).
>> So preinst and friends would not be signed? Sounds dangerous to me.
> All package contents would be signed, except the signature itself.  The
> signature would be a separate file in the ar archive of the .deb that signs
> control.tar.gz and data.tar.gz. See jar or apk format for an example of how
> this works.
I know I'm late to the discussion, but for the record, I fully agree
with this approach as the probably best compromise between usability
(don't underestimate that, see the emergence of the various app shops
for Linux applications), security, and flexibility. If anybody wants to
work on that, I'm happy to support it in the University Linz context
(i.e. as student work, thesis, etc.) and contribute to the process
(although, depressingly but realistically, not the implementation).

Rene



-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/543cde75.7050...@debian.org
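The scheme discussed in the message above (a signature stored as its own member of the .deb's ar archive, covering control.tar.gz and data.tar.gz but not itself), as an added Python example that is not code from the thread, from dpkg or from any Debian tool. It assumes a hypothetical member name `_signature` and uses HMAC-SHA256 with a shared key as a stand-in for the OpenPGP signature so it runs offline with the standard library; a real deployment would put an asymmetric signature over the same digest input. Since preinst lives inside control.tar.gz, any change to it invalidates the signature, which is the point of the exchange quoted above.

```python
import hmac, io, tarfile
AR_MAGIC = b"!<arch>\n"
SIGNED = ("control.tar.gz", "data.tar.gz")  # members covered by the signature
SIG_MEMBER = "_signature"  # hypothetical member name, not a Debian convention

def ar_pack(members):  # build an ar archive from [(name, bytes)]
    out = bytearray(AR_MAGIC)
    for name, data in members:  # 60-byte header: name mtime uid gid mode size magic
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n"
        out += hdr.encode() + data + b"\n" * (len(data) % 2)  # pad to even size
    return bytes(out)

def ar_unpack(blob):  # parse an ar archive into an insertion-ordered dict name -> bytes
    if not blob.startswith(AR_MAGIC): raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members

def signature_tag(members, key):
    # HMAC-SHA256 (stand-in for an OpenPGP signature) over the signed members, length-prefixed
    mac = hmac.new(key, digestmod="sha256")
    for name in SIGNED:  # debian-binary and the signature member itself are not covered
        mac.update(len(members[name]).to_bytes(8, "big") + members[name])
    return mac.digest()

def sign_deb(deb, key):  # append the signature as its own ar member, after the signed ones
    members = ar_unpack(deb)
    return ar_pack(list(members.items()) + [(SIG_MEMBER, signature_tag(members, key))])

def verify_deb(deb, key):  # True only if the signature member is present and matches
    members = ar_unpack(deb)
    ok = SIG_MEMBER in members and all(n in members for n in SIGNED)
    return ok and hmac.compare_digest(signature_tag(members, key), members[SIG_MEMBER])

def make_tgz(files):  # constructed tarball from {path: bytes}, only for the sample .deb
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path); info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_deb(preinst=b"#!/bin/sh\necho installing\n"):  # constructed minimal .deb
    control = make_tgz({"./control": b"Package: demo\n", "./preinst": preinst})
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", control),
                    ("data.tar.gz", make_tgz({"./usr/bin/demo": b"#!/bin/sh\n"}))])
```

`ar_unpack` and `verify_deb` work unchanged on a real .deb read from disk, since only the signed-member digest and the member name are specific to this sketch.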



External check

2014-10-14 Thread Raphael Geissert
CVE-2014-3593: RESERVED
CVE-2014-3675: RESERVED
CVE-2014-3676: RESERVED
CVE-2014-3677: RESERVED
CVE-2014-8242: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/543cc64c.oqz4dwhnehfwryad%atomo64+st...@gmail.com