[arch-general] secure package signing related websites (was: Re: Keyring package for real)
Hello everybody, (As I am not allowed to post to arch-dev-public resending it here.) ok, not really related to the keyring package, but it came to my mind when installing it and while signing the key: I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/ -- Best regards, Chris O ascii ribbon campaign stop html mail - www.asciiribbon.org
[arch-general] Release firefox search add-ons for Arch Linux users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, folks. I was released some firefox search add-ons for Arch Linux users: Arch Linux Package Database Search https://addons.mozilla.org/ja/firefox/addon/archlinux-packa/ Arch Linux AUR Search https://addons.mozilla.org/ja/firefox/addon/archlinux-aur/ Arch Linux Wiki Search https://addons.mozilla.org/ja/firefox/addon/archlinux-wiki/ You can search these Arch Linux resources to quickly and easily with firefox if you want. Thanks. - -- Usagi ITO in Wonder Rabbit Project. http://www.WonderRabbitProject.net/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPU0kJAAoJEGNWs1QwfxcsS8kH/RDYPqqaj9+9W0LB73V/rsfQ nJQE+k2oSyRZO4MLXA6b5pYwxLwZC3bUkvXIIIO+d2tD5tFV8Z+s/T+Ol2du/MlL bhBfEgF1aPBrQVA4AFvz5Oc0T9g9wB7GZRyr2k2Q2z5OwmnK7PPEiCJFgO8yqRlv VCUT8Z5OHY+mX4t5/4so3EDKC8aUh6/aTFRXbJJFWCJDGquC5NzX+lPRYwaKzE5p OiElYn00ixJuG8DLrXA5AFtNSUy9XW0isJ3Pkz+daW/Mf6goDJaj7r/ZIziKGvNo dkjJNq4KL5DlJB2n3APPM0eQUA7vq8dRc5Xs0Z/OOjGBrR/mNp6Q+j5UzGLQAOc= =leIX -END PGP SIGNATURE-
Re: [arch-general] secure package signing related websites
On 03/04/2012 12:22 PM, Christian Hesse wrote:
Hello everybody,
(As I am not allowed to post to arch-dev-public resending it here.)
ok, not really related to the keyring package, but it came to my mind when
installing it and while signing the key:
I think it makes sense to not allow pages related to package signing being
delivered via http. Instead automatically redirect to https to avoid man in
the middle attacks. First site that comes to my mind:
https://www.archlinux.org/master-keys/
open a feature request and tag it with {archweb}
--
Ionuț
signature.asc
Description: OpenPGP digital signature
Re: [arch-general] Release firefox search add-ons for Arch Linux users
We already have one in official repos that does all that.
Re: [arch-general] Release firefox search add-ons for Arch Linux users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thanks Jesse. ok, unrelease these my packages on Mozilla repos soon. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPU1j6AAoJEGNWs1QwfxcsmmkH/i1RLxI6fOOpgUsitZ/YIZQk +WhqxnQUciNxpXqiqgvjW30dl4wT7+QPhDJHcSyomcnehw18mHzce6Ha8svhCBvS I7bECCjKgHYMyHG2A5pXw4yWA98JpuxEDrdGrALC8S55QtB9zHIh7iE6XQKWVhV4 n4u8t/49SoPYnz3Qvs/oKSwcSVhbYBglAk1Ab1dG44b20qkJBdVdM7q/EML9OQQX odiaLMLIU+9RzK2Ba1EA2jXz4bswuf6G0aLA5Nj55BYZx3nNaL0gxZFhZHlnMsQf QtsHbNgWAYJXqAd2OsHMtPAXJtyPAnjXQb6O4XwXcrGxzHhiHtohiJdjCp9u38w= =pWxq -END PGP SIGNATURE-
[arch-general] Firefox search add-ons for Arch Linux
Hi, folks. I was released some firefox search add-ons for Arch Linux users: Arch Linux Package Database Search https://addons.mozilla.org/ja/firefox/addon/archlinux-packa/ Arch Linux AUR Search https://addons.mozilla.org/ja/firefox/addon/archlinux-aur/ Arch Linux Wiki Search https://addons.mozilla.org/ja/firefox/addon/archlinux-wiki/ You can search these Arch Linux resources to quickly and easily with firefox if you want. Thanks. -- Usagi ITO in Wonder Rabbit Project. http://www.WonderRabbitProject.net/ signature.asc Description: This is a digitally signed message part.
Re: [arch-general] Firefox search add-ons for Arch Linux
Op 04-03-12 11:46, Usagi Ito schreef: Hi, folks. I was released some firefox search add-ons for Arch Linux users: Arch Linux Package Database Search https://addons.mozilla.org/ja/firefox/addon/archlinux-packa/ Arch Linux AUR Search https://addons.mozilla.org/ja/firefox/addon/archlinux-aur/ Arch Linux Wiki Search https://addons.mozilla.org/ja/firefox/addon/archlinux-wiki/ You can search these Arch Linux resources to quickly and easily with firefox if you want. Thanks. Seems a bit strange to have two different search add-ons with the same purpose. In my opinion, the one in the Mozilla database should be the same as the one in the Arch official repo. Maybe yours should replace the one in the Arch repo or the Arch repo one should replace yours, I don't know which one is better (I don't use either of them). But then again, the way it is now probably won't hurt anyone. Just a suggestion to think about I guess! - Christian.
Re: [arch-general] secure package signing related websites
Ionut Biru ib...@archlinux.org on Sun, 04 Mar 2012 12:57:53 +0200:
On 03/04/2012 12:22 PM, Christian Hesse wrote:
I think it makes sense to not allow pages related to package signing being
delivered via http. Instead automatically redirect to https to avoid man
in the middle attacks. First site that comes to my mind:
https://www.archlinux.org/master-keys/
open a feature request and tag it with {archweb}
Done. Thanks!
https://bugs.archlinux.org/task/28771
--
Best regards,
Chris
O ascii ribbon campaign
stop html mail - www.asciiribbon.org
Re: [arch-general] fakeroot package() - mkdir: cannot create directory : Permission denied
On 03/03/2012 06:34 PM, David C. Rankin wrote:
On 03/03/2012 04:39 PM, Allan McRae wrote:
I'm not sure what makepkg needs to tell it to put the packages in the $pkgdir
from within the Makefile. Anyone else been bitten by this? Any quick fix?
make INSTALL_ROOT=$pkdir install
What determines whether you need:
make DESTDIR=${pkgdir} install
or
make INSTALL_ROOT=${pkgdir} install
??
Can you grep something before building and tell?
The Makefile
I just find it's easier to just let it puke and then have a look at the
Makefile
BTW how is trinity going?
I haven't looked at trinity for some time, as I dropped out.
Re: [arch-general] secure package signing related websites
On Sun, 4 Mar 2012 14:56:43 +0100
Christian Hesse l...@eworm.de wrote:
Ionut Biru ib...@archlinux.org on Sun, 04 Mar 2012 12:57:53 +0200:
On 03/04/2012 12:22 PM, Christian Hesse wrote:
I think it makes sense to not allow pages related to package signing
being delivered via http. Instead automatically redirect to https to
avoid man in the middle attacks. First site that comes to my mind:
https://www.archlinux.org/master-keys/
open a feature request and tag it with {archweb}
Done. Thanks!
https://bugs.archlinux.org/task/28771
The strong point of the signing thingy is users' ability to verify keys
using multiple independent sources, such as devs' personal websites,
keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do
I really trust in integrity of archlinux.org infrastructure? Not really, but I
don't have to.
Having said that, just use https:// directly or install a browser plugin (e.g.
https finder).
--
Leonid Isaev
GnuPG key ID: 164B5A6D
Key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
signature.asc
Description: PGP signature
Re: [arch-general] [arch-dev-public] Cleaning up orphaned packages
Am 24.02.2012 17:06, schrieb Lukas Fleischer: Apart from that, +1 to this idea. I already checked the list of unneeded orphans and there's 20 packages I'd like to maintain if they aren't picked up in [extra]... Send me a list of these packages. But ensure they are still orphan and are not a dep or makedep of any package in core/extra. Greetigns, Pierre -- Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-general] [arch-dev-public] Cleaning up orphaned packages
Am 24.02.2012 16:45, schrieb Bartłomiej Piotrowski: On 02/24/2012 04:19 PM, Pierre Schmitz wrote: * If a TU wants to maintain an orphan that is currently in [extra], please let us know. Then if you could move following packages to [community], I'd be glad to take them: * gftp * midori * orage * ristretto * pwgen * vsftpd I moved these into community: gftp ristretto vsftpd midori and pwgen already in community orage is part of the fce4-goodies group with packages in extra Greetings, Pierre -- Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-general] [arch-dev-public] Xorg 1.12 moves soon to testing for stabilization phase
Final Xorg-server has been released. No major issues have been reported to our tracker. Touchpad issues seem all solved, right? I'm going to move this soon to extra if you don't raise any stopper. -Andy signature.asc Description: PGP signature
