Re: Reaction to potential PGP schism

2023-12-21 Thread Daniel Kahn Gillmor
Hi Gioele-- On Thu 2023-12-21 11:02:06 +0100, Gioele Barabucci wrote: > On 21/12/23 04:16, Daniel Kahn Gillmor wrote: > As the Uploader of rust-sequoia-openpgp, what do you think of the > related sequoia-chameleon-gnupg project [1] (drop-in replacement for gpg > that uses sequoi

Re: Reaction to potential PGP schism

2023-12-20 Thread Daniel Kahn Gillmor
hey folks-- [ This message won't make sense unless the reader distinguishes clearly between OpenPGP the protocol and GnuPG the implementation! As a community we have a history of fuzzily conflating the two terms, which is one of the reasons that we're in this mess today. Please read

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-22 Thread Daniel Kahn Gillmor
On 09/22/2014 04:07 AM, Elmar Stellnberger wrote: On 22.09.14 at 01:52, Paul Wise wrote: The Debian archive does not allow files to change their checksum, so every signature addition requires a new version number. That sounds like a bad idea to me. Yes, that is something we definitely do

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-22 Thread Daniel Kahn Gillmor
On 09/21/2014 02:04 PM, Elmar Stellnberger wrote: a well programmed dpkg-cmp. ... and as long as the tool should not be available simply un-ar and compare the data.tar.gz-s. fwiw, this suggestion fails to compare the contents of control.tar.gz, which includes the maintainer scripts (preinst,

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-19 Thread Daniel Kahn Gillmor
On 09/19/2014 06:07 AM, Elmar Stellnberger wrote: Isn't there really any way to include the signatures in the header of the .deb files? Why not simply add multiple signature files in the control.tar.gz of a .deb just next to the md5sums which should indeed be a sha256sums (otherwise there

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-18 Thread Daniel Kahn Gillmor
On 09/19/2014 12:34 AM, Paul Wise wrote: On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote: Finally did this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153 Please note that your proposal to add signatures to .deb files will break reproducible builds because the hash

Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread Daniel Kahn Gillmor
Hi Debian Security folks-- On 03/10/2010 01:18 PM, dann frazier wrote: Debian Security Advisory DSA-2010 secur...@debian.org http://www.debian.org/security/ Dann Frazier March 10,

Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities

2010-03-10 Thread Daniel Kahn Gillmor
On 03/10/2010 02:49 PM, dann frazier wrote: On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote: It's not clear to me from the instructions above whether users should re-build their kvm modules package as well as installing the revised versions. Is the vulnerability fully

[Fwd: Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities]

2010-03-10 Thread Daniel Kahn Gillmor
sorry, this proposed boilerplate change was meant to go to the list, not just to dann. Thanks for all your work, folks. --dkg ---BeginMessage--- On 03/10/2010 04:53 PM, dann frazier wrote: On Wed, Mar 10, 2010 at 04:09:48PM -0500, Daniel Kahn Gillmor wrote: So would the 4th be fixed