Friday 28 November 2003, at 17:51, Federico Di Gregorio:
: On Fri, 2003-11-28 at 14:07, Carlo Contavalli wrote:
: Hi!
: To publicize the translation event I told you about, I
: took the famous flyer.tex and redid the text. What do you think?
: Any suggestions? Any
On Mon, 2003-12-01 at 15:45, Anthony Towns wrote:
Having critical, grave or serious bugs open for an extended period is simply
not acceptable.
Nor is it excusable. While it's possible that you mightn't have the skill
required to fix some security bug, or mightn't have the time to respond
to
Anthony Towns wrote:
[...]
Fallback plans are important though, and in this case if we're not able
to get in a position where maintainers are able to keep control of their
RC bug count (which is to say, keep it at zero), we'll have to consider
more drastic measures. An obvious one is to
My mail client thinks that Zenaan Harkness wrote the following:
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
As a DD, I assume there is some pride and/ or utility in having your
package in the archive. This would give you a
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
Hrm.
] $ grep Harkness /var/lib/apt/lists/*_*; echo $?
] 1
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
It could, but it shouldn't be -- requests for
On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
[snip]
Joey Hess [EMAIL PROTECTED] writes:
[snip]
To install a package directly, with apt downloading any necessary
dependencies:
apt-get install rpmver-2.0-13498cl.i386.rpm
couldn't this just refer to dpkg
Got it -- a bit more than just parsing out... but surprisingly little
(other than someone's time, which is always worth a great deal...)
Andrew Pollock [EMAIL PROTECTED] writes:
On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
[snip]
Joey Hess [EMAIL PROTECTED] writes:
It seems to me that libvorbis package is missing from the repository of sarge.
Trying to install kdelibs4-dev depends on libvorbis0-dev in a tree that could
not be satisfied.
--
Don't go around saying the world owes you a living. The world owes you
nothing. It was here first.
Hi!
Oops, yesterday I forgot ACM_SCP.
Today's issue is about ADO.
ACM_SCP.3 Development tools CM coverage (appears at EAL5)
ACM_SCP.3.1D The developer shall provide a list of
configuration items for the TOE.
(dpkg -l)
ACM_SCP.3.1C The list of configuration items shall include the
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
Is there a single place where all official Custom Debian Distributions
(CDDs - even a reasonable TLA), aka internal projects, are listed?
Unfortunately not yet under www.debian.org, but if the redirection
loop to people.debian.org is solved again you
On Monday 01 December 2003 16:07, Hereon wrote:
On Mon, 1 Dec 2003 15:51:37 +0330, Arash Bijanzadeh
[EMAIL PROTECTED] said:
On Sunday 30 November 2003 18:10, Steve Langasek wrote:
Er, on what grounds are you claiming that this is broken? The
dependencies declared by these packages have
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
As a DD, I assume there is some pride and/ or utility in having your
package in the archive. This would give
Martin Michlmayr ([EMAIL PROTECTED]) wrote:
* Thomas Viehmann [EMAIL PROTECTED] [2003-12-01 15:30]:
BTW: This is offtopic, but it seems that potato is neither in debian/
nor in debian-archive/?
Potato is on archive.debian.org (in /debian-archive/dists).
Ah. Thanks.
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
? It might help you registering a site under www.debian.org (once its
services are up again.
Cool. I'll check it out in a day or five :)
If you are interested I could send you my CDD - talk stuff in private mail
until people.d.o is up again.
On Mon, 2003-12-01 at 22:36, Alexander Kitzberger wrote:
we and a couple of other linux companies are also thinking this way,
and we would also like to support an enterprise debian.
Great stuff ... we are forming it now. As you probably well know by now,
there's a web page started at:
In article [EMAIL PROTECTED],
Anthony Towns aj@azure.humbug.org.au wrote:
Without having evaluated null hypotheses or done exhaustive analyses,
the correlation nevertheless seems fairly convincing. To put it bluntly,
our regular package maintainers are doing such a bad job that without
On 20031201T144509+1000, Anthony Towns wrote:
* #208646 - grep-dctrl - Antti-Juhani Kaijanaho
unspecified problems with version in unstable, should take
a couple of days to fix, no activity since September
The unspecified problems are mainly recorded in the other open
ag == Andrea Glorioso [EMAIL PROTECTED] writes:
t == Tom [EMAIL PROTECTED] writes:
t One of the flavors linked to on
t http://www.debian.org/devel/debian-nonprofit/ is www.demudi.org
t --
t which is running IIS on Windows 2000!
ag demudi.org is a round-robin record. I'm
On Tue, Dec 02, 2003 at 01:05:29AM +0100, Enrico Zini wrote:
- GNU ERP software project ?name?
GNU Enterprise (gnue) http://www.gnue.org/
I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
...and of the Impi distribution from South Africa, Debian-based:
Welcome to
* Goswin von Brederlow ([EMAIL PROTECTED]) [031202 04:55]:
Andreas Barth [EMAIL PROTECTED] writes:
Technical details should IMHO be discussed later, but a sample
passport could look like:
accepted by katie on Mon, 1 Dec 2003 20:34:58 + because of good
signature of DD, KeyID
Frederik Dannemare [EMAIL PROTECTED] wrote:
just curious: any particular reason why we didn't see a backport any sooner
of
the integer overflow in the brk system call (see recent announcement by
Wichert Akkerman:
On Tue, 2003-12-02 at 18:12, Magosányi Árpád wrote:
My mail client thinks that Zenaan Harkness wrote the following:
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
As a DD, I assume there is some pride and/ or utility in
* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
Goswin von Brederlow wrote:
What can we do with deb signatures?
For our current problem, the integrity of the debian archive being
questioned, the procedure would be easy and available to every user:
1. get any clean Debian keyring (or
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.
Well, I just downloaded 2.4.23 from kernel.org and installed it.
[obGrumble] I never got hit by any of the
On Tue, Dec 02, 2003 at 05:38:15AM +1100, Zenaan Harkness wrote:
On Tue, 2003-12-02 at 02:46, Anthony Towns wrote:
So, using my definitions, the following conclusions are (IMO) true:
* all flavours are policy compliant
* some derived distros might be policy compliant
Do you
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
Goswin von Brederlow wrote:
What can we do with deb signatures?
For our current problem, the integrity of the debian archive being
questioned, the procedure would be easy
On Tue, 2003-12-02 at 19:14, Andreas Tille wrote:
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
Then, it's up to the projects to start using the term. A list would I
think be very good for making cdd discussions stand out at this point -
there seems to be enough traffic. But perhaps I'm wrong,
On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote:
I guess if you're a DD (I'm in the NM-process myself), you can create
official Debian wiki, etc?
AFAIK, the official Debian wiki is http://wiki.debian.net and like
most wikis, *anyone* can create a page. Please go ahead and do so.
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
As a DD, I assume there is some pride and/ or utility in having your
package in the archive. This would give
On Tue, 2003-12-02 at 18:09, Anthony Towns wrote:
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
] $ grep Harkness /var/lib/apt/lists/*_*; echo $?
] 1
It's not much (directly) Debian related (yet), but:
I'd be in NM but for the keyservers and NM registration page being down.
On Tue, 2003-12-02 at 18:56, Brian May wrote:
On Tue, Dec 02, 2003 at 05:32:59PM +1100, Zenaan Harkness wrote:
Can requesting removal from archive be automated, to occur say after 3
weeks of inactivity of rc/grave/serious bug?
As a DD, I assume there is some pride and/ or utility in
Hi Goswin!
Goswin von Brederlow wrote on Tuesday, 02 December 2003:
I would like to see the following things happen:
- current md5sums file in control.tar.gz should contain
checksums of really all files
- a signature of the md5sums file should be stored either in
On Tue, 2003-12-02 at 19:14, Andreas Tille wrote:
On Tue, 2 Dec 2003, Zenaan Harkness wrote:
Is there a single place where all official Custom Debian Distributions
(CDDs - even a reasonable TLA), aka internal projects, are listed?
Unfortunately not yet under www.debian.org, but if the
On Tue, 2003-12-02 at 20:46, Enrico Zini wrote:
On Tue, Dec 02, 2003 at 01:05:29AM +0100, Enrico Zini wrote:
- GNU ERP software project ?name?
GNU Enterprise (gnue) http://www.gnue.org/
I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
...
...and of the Impi
On Tue, 2003-12-02 at 21:41, Benj. Mako Hill wrote:
On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote:
I guess if you're a DD (I'm in the NM-process myself), you can create
official Debian wiki, etc?
AFAIK, the official Debian wiki is http://wiki.debian.net and like
most
Hi!
The saga continues. Now we look at the development assurance
measures. Unfortunately this part is where open source is
not good at (not saying that closed source is better).
This is because writing documentation is quite
boring, and ADV is about writing design documentation.
I personally
David B Harris [EMAIL PROTECTED] wrote:
And I think I have the structure to make this work. I'm
writing now, should have something for you later today.
Sorry, yeah. I should instead have said *their*
company, not any one company. The company they buy
their hardware and support from. In my
Tom [EMAIL PROTECTED] wrote:
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.
Well, I just downloaded 2.4.23 from kernel.org and installed it.
You could have
Joey Hess [EMAIL PROTECTED] writes:
John Goerzen wrote:
Please check out the debsigs package. I wrote it when I worked at
Progeny back in 2001, and Branden Robinson maintains it these days. It
does exactly that.
Unfortunately, the method debsigs uses to add the signature to the .deb
Eduard Bloch [EMAIL PROTECTED] writes:
Hi Goswin!
Goswin von Brederlow wrote on Tuesday, 02 December 2003:
I would like to see the following things happen:
- current md5sums file in control.tar.gz should contain
checksums of really all files
- a signature of the
On Tue, 2003-12-02 at 11:05, Enrico Zini wrote:
On Mon, Dec 01, 2003 at 02:33:57PM -0600, Chad Walstrom wrote:
- GNU ERP software project ?name?
GNU Enterprise (gnue) http://www.gnue.org/
I've just learnt of Cubit from South Africa: http://www.cubit.co.za/
Thank you very much. Added
On Tue, Dec 02, 2003 at 10:34:26AM +0200, Antti-Juhani Kaijanaho wrote:
That said, it has been too long since I last looked at grep-dctrl. I'll
try to fix that in a couple of days :) I can only say that my
teaching duties have exhausted me during the autumn.
And hey, if you manage to fix it
Hello Töns,
we are trying to get the Siemens ServerView ported to debian.
After I read your message, I think you may have contact with FSC?
Or maybe this software is already ported?
Do you have some more information for me?
Thank you in advance
best regards
Alex
Toens Bueker wrote:
David B Harris
Andreas Barth [EMAIL PROTECTED] writes:
* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
Goswin von Brederlow wrote:
What can we do with deb signatures?
For our current problem, the integrity of the debian archive being
questioned, the procedure would be easy and available to every
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
Goswin von Brederlow wrote:
What can we do with deb signatures?
For our current problem, the integrity of the debian archive being
I did a first pass at the UserLinux white paper, it's at
http://userlinux.org/white_paper.html. I think I'll sleep for a while.
Thanks
Bruce
That's userlinux.com . I don't have the .org, some domain squatter has
that.
Thanks
Bruce
On Tue, Dec 02, 2003 at 12:04:31PM +, bruce wrote:
I did a first pass at the UserLinux white paper, it's at
http://userlinux.org/white_paper.html. I think I'll sleep for a while.
On Tue, Dec 02, 2003 at 01:17:58PM +0100, Goswin von Brederlow wrote:
Tom [EMAIL PROTECTED] writes:
What precautions are taken that the DD actually signed it with the DD's
private key?
Set aside the possibility that the DD herself is actually the attacker.
You never can. But once the
Hello,
On Tue, Dec 02, 2003 at 09:53:19AM +1100, Zenaan Harkness wrote:
On Tue, 2003-12-02 at 07:31, David B Harris wrote:
who run it, as is so often the case these days. I can't count the number
of times I've heard horror stories from HP customers (and other vendors
as well) about
On 2003-12-01 19:12, Andres Salomon wrote:
d-i enhancements might include installation types (similar to redhat's
installer; select server, workstation, etc, and have packages selected
for you), support for enterprise features directly in the
* Chad Walstrom [EMAIL PROTECTED] [031201 22:28]:
md5sums and signatures are most useful in the context of installation.
Post-installation, you cannot be guaranteed that an intrusion rootkit
doesn't compromise the md5sum files themselves. Using the installed
*.md5sum files to check the
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 01:17:58PM +0100, Goswin von Brederlow wrote:
Tom [EMAIL PROTECTED] writes:
What precautions are taken that the DD actually signed it with the DD's
private key?
Set aside the possibility that the DD herself is actually the
On Tue, Dec 02, 2003 at 02:20:43PM +0100, Goswin von Brederlow wrote:
There is no security as strong as many people reading the source over
and over. You can't hack their brains to skip over the backdoor code
and you can only obfuscate a backdoor so much.
All right, all right, I'll cry uncle.
On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
A release critical bug in one package could be caused by a non-release
critical bug in another package.
How?
If the bug is caused by a problem in another package then it should be
reassigned (and more importantly fixed). The bug is
A.J. Rossini wrote:
Maybe I'm missing something, but none of this sounds like
functionality that a bit of parsing out to other programs can't
solve, given that I do it locally for the systems in my lab.
Joey Hess [EMAIL PROTECTED] writes:
Interesting article on LWN:
On Mon, Dec 01, 2003 at 11:17:26PM -0800, A.J. Rossini wrote:
Andrew Pollock [EMAIL PROTECTED] writes:
On Mon, Dec 01, 2003 at 07:50:29PM -0800, A.J. Rossini wrote:
Joey Hess [EMAIL PROTECTED] writes:
To install a package directly, with apt downloading any necessary
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
The canonical attack against signed debs in this situation is to find a
signed deb on snapshot.debian.net that contains a known security hole.
To avoid this attack, it is necessary that the filename of the deb or
the version of
On Mon, Dec 01, 2003 at 02:45:09PM +1000, Anthony Towns wrote:
Hello world,
Hello aj.
* LSB 1.3 compatibility mostly achieved
(LSB non-compliance issues are now Release Critical; bugs
should be filed and addressed by the LSB team, which hangs
around the
On Mon, Dec 01, 2003 at 07:06:41PM -0500, Joey Hess wrote:
Similarly, to check the build depends of a source package file:
apt-get build-dep apt-listchanges-1.49-11104cl.src.rpm
Should this be the job of apt-get? Fetching a list of build-depends is a
similar job to that performed by
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
Afaik: 2.4.23 contains literally 100s of changes, one of these was a
small change to do_brk(), which looked like a normal non-critical
bugfix to everybody involved. Some time later Debian was hacked and
backtracing how the
aj == Anthony Towns aj@azure.humbug.org.au writes:
aj or overloaded with work, or, for that matter, fixing compromised Debian
aj servers -- do you think it's desirable and possible to:
aj * for confirmed bugs with a known fix, upload a fixed package
aj within a
Goswin von Brederlow wrote:
dpkg that it is downgrading the package, and a clever attacker might
avoid even that.
How would you avoid it?
Make the replacement package really be a different package entirely, of
a higher version than the package it purports to replace.
I think aj had some
Jonathan == Jonathan Dowland [EMAIL PROTECTED] writes:
Jonathan On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler
Jonathan wrote:
Afaik: 2.4.23 contains literally 100s of changes, one of these was a
small change to do_brk(), which looked like a normal non-critical
Scripsit Goswin von Brederlow [EMAIL PROTECTED]
There is no security as strong as many people reading the source over
and over. You can't hack their brains to skip over the backdoor code
and you can only obfuscate a backdoor so much.
I refer you to Ken Thompson's Turing award lecture. If
[It looks like the x-debbugs-cc part of bugs.d.o is not working atm (nor is
the index page for wnpp showing new bugs), so I'm resending this message to
pertinent lists. I know the upload queue is down due the hack, but it would
probably be good to make this ITP known so we don't get several
On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
A true IDS is needed, such as aide, tripwire, or cfengine to detect
post-installation intrusion. Tie in aide or tripwire database
checks/updates with the apt.conf PostInst option in addition to a
daily cronjob to ensure the
On Mon, Dec 01, 2003 at 07:06:41PM -0500, Joey Hess wrote:
Interesting article on LWN: http://lwn.net/Articles/60650/ (subscription
required) In summary, apparently apt-rpm users can now do some things
with apt that we cannot.
This has been true for some time; merging the applicable parts of
Hi, Joey Hess wrote:
Of course dpkg-checkbuilddeps can
be used if you unpack the source.
So, giving a .dsc to dpkg-checkbuilddeps shouldn't be any more work than
skip the GPG armor, if present.
Unless I am overlooking something, of course.
--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that dangerous.
It messed up your life for a couple weeks.
Jesus, it's not the end of the world, but that's
[personal reply, and posting on -devel]
Hi Joey,
thanks for this report. I am aware that this is the result of tedious
work, and I really appreciate your efforts. Let me, however, ask a few
probably inconvenient questions, and I surely hope that they won't be
ignored this time.
On Tue, Dec 02,
Hello.
Henrique de Moraes Holschuh wrote:
Otherwise, it simply won't happen, unless about 90% of the packages or so
already use md5sums. At that figure, you have some chances of passing a
policy of 'must', and you are guaranteed to get a 'should' to be approved
IMHO.
More than 92% of the
On Mon 01-12-2003, at 14:34, Goswin von Brederlow wrote:
[...]
Deb signatures method C:
And now for something completely different. A man with 3 noses. :)
Instead of keeping extra files with the signature of the deb the
information could be stored inside the deb itself.
[...]
As much as I
christophe barbe wrote:
On Mon, Dec 01, 2003 at 08:24:09PM +0100, Thomas Viehmann wrote:
Michael Ablassmeier wrote:
IMHO Lintian should also check if dh_md5sums is called and
print at least a warning if this is not the case.
In principle, I agree, but maybe it's better to check for the
On Tue, Dec 02, 2003 at 05:09:37PM +1000, Anthony Towns wrote:
What happens if say there are simply not enough people interested in
GNOME for example, and the RC counts rise, and rise at an increasing
rate, and we never release again?
That's not a very interesting hypothetical -- there're
Joey Hess [EMAIL PROTECTED] wrote:
Goswin von Brederlow wrote:
dpkg that it is downgrading the package, and a clever attacker might
avoid even that.
How would you avoid it?
Make the replacement package really be a different package entirely, of
a higher version than the package it
Goswin von Brederlow wrote:
Joey Hess [EMAIL PROTECTED] writes:
I submitted a one line patch to apt to fix this and behave like
dpkg. I hope this gets added soon. Till then its either signed debs or
pre-configuring of packages.
I filed bugs about this a long time ago, it is apparently
On Tue 02-12-2003, at 14:46, Mark Howard wrote:
On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
A release critical bug in one package could be caused by a non-release
critical bug in another package.
How?
A program could use some library for most of its core operation, and
fail
On Tue, 2003-12-02 at 02:41, Goswin von Brederlow wrote:
Source only uploads were afaik disabled because the uploaded source
would just disappear and never enter the archive afaik. It was just
easier to block them than to fix the archive scripts I guess.
Just trying it (for fun, see package
On Tue, 02 Dec 2003, Wouter Verhelst wrote:
So unless you have a suggestion that would solve this particular issue,
I'm afraid this idea won't work in practice.
We could verify if the gpg agent (gpa? I forget the name...) cannot do this
over a secure channel. It should be able to, and if not,
Scripsit Tom [EMAIL PROTECTED]
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that dangerous.
If it wasn't a big deal we wouldn't be talking about it.
On Mon, Dec 01, 2003 at 10:09:34PM +0100, Roland Stigge wrote:
Finally, the decision isn't just technical.
Ah, the inevitable cry of the advocate of the technically inferior
approach.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `'
No Cc was necessary, I am subscribed to debian-devel.
On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote:
Scott James Remnant [EMAIL PROTECTED] writes:
A compromised dinstall on ftp-master could also replace the keyring
package with a new one containing an extra key, used to sign the
Wouter Verhelst wrote:
Requiring us to log in to the autobuilder to sign the .deb remotely is
not acceptable, for two reasons:
* it's way too much work for most of us
* it requires copying the secret key over, which is, uh, a bad idea.
An alternative would be to copy over the .debs, sign
On Tue, 2003-12-02 at 17:31, Tom wrote:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that dangerous.
It messed up your life for a couple weeks.
Andreas Metzler wrote:
I still don't understand how you change the version number (or the
package-name) without breaking the signature.
Which signature? The Packages file is being modified, so of course the
chain of trust back to the Release file signature can be used to catch
tampering with it.
On Tue, Dec 02, 2003 at 12:27:00PM -0500, Noah L. Meyerhans wrote:
release goal of December 1 didn't inspire any new activity. This gives
the appearance that the ARM port maintainers simply don't care if sarge
gets released at all. This is very discouraging.
If that is what happens, then I
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that dangerous.
[snip]
If it wasn't a big deal we wouldn't be talking about
On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
Joey Hess [EMAIL PROTECTED] wrote:
Goswin von Brederlow wrote:
dpkg that it is downgrading the package, and a clever attacker might
avoid even that.
How would you avoid it?
Make the replacement package really be a
Scripsit Wouter Verhelst [EMAIL PROTECTED]
Requiring us to log in to the autobuilder to sign the .deb remotely is
not acceptable, for two reasons:
* it's way too much work for most of us
* it requires copying the secret key over, which is, uh, a bad idea.
Um, perhaps this is really stupid
* Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
As much as I like this idea in principle, storing signatures inside
.debs has a serious problem: it won't work for us buildd maintainers.
Workability for the buildd maintainers is IMHO _certainly_ one
important thing.
As I explain in my
On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
A release critical bug in one package could be caused by a non-release
critical bug in another package.
How?
If the bug is caused by a problem in another package then it
On Tue, Dec 02, 2003 at 09:33:39AM -0500, Sam Hartman wrote:
[...] It takes me about an
afternoon to do a PAM or OpenAFS release even if I change one line.
OK, for a one line change I can probably get that down to two hours or
so.
It's a lot easier for me if I batch bugs together and if I
On Mon, Dec 01, 2003 at 01:12:52PM -0500, Andres Salomon wrote:
For packages, we may want to focus on apt-secure
(http://monk.debian.net/apt-secure/); I'm not sure the status of it, [...]
You could easily find out here:
http://bugs.debian.org/203741
--
- mdz
Hi,
Recently, when thinking about the terminology surrounding Debian
Subprojects, I thought about the term flavor. I always liked that
term, because I find it very descriptive.
I wrote to Zenaan Harkness concerning Debian Enterprise
(http://debian-enterprise.org/), and I suggested that such a
Hi, Henrique de Moraes Holschuh wrote:
On Tue, 02 Dec 2003, Wouter Verhelst wrote:
So unless you have a suggestion that would solve this particular issue,
I'm afraid this idea won't work in practice.
We could verify if the gpg agent (gpa? I forget the name...) cannot do this
over a secure
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like that it is that
I meant to mention that this is Debian bug #222154.
On Wed, 2003-12-03 at 08:07, Fabian Fagerholm wrote:
(Just looking briefly at the diagram, I'm thinking The Core would be
the organisation - eg. Enterprise-Debian.org, or UserLinux.com, or
whatever is ultimately decided on.)
Ok. I have probably mixed both technical and organisational
On Wed, Dec 03, 2003 at 07:17:57AM +1100, Brian May wrote:
On Tue, Dec 02, 2003 at 01:46:02PM +, Mark Howard wrote:
On Tue, Dec 02, 2003 at 06:56:13PM +1100, Brian May wrote:
A release critical bug in one package could be caused by a non-release
critical bug in another package.
On Tue, 02 Dec 2003 22:58:28 +0200, Fabian Fagerholm wrote:
Hi,
Recently, when thinking about the terminology surrounding Debian
Subprojects, I thought about the term flavor. I always liked that
term, because I find it very descriptive.
[...]
So I suggest the following terms:
Debian