Re: Debian APT Key Revocation Procedure
Paul Wise:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>> What are your plans if you ever have reason to believe that the Debian archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this list. I suggest you contact them (DSA, ftpteam) directly.

Is there a public mailing list?

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5273aa1b.5080...@riseup.net
Re: Debian APT Key Revocation Procedure
On Fri, Nov 01, 2013 at 01:18:19PM +, adrelanos wrote:
> Paul Wise:
>> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>>> What are your plans if you ever have reason to believe that the Debian archive signing key has been compromised?
>>
>> It is unlikely that the people responsible for that are reading this list. I suggest you contact them (DSA, ftpteam) directly.
>
> Is there a public mailing list?

ftpmas...@ftp-master.debian.org will get you to the ftpteam (nonpublic ML), and the DSA are at debian-ad...@lists.debian.org (is public).

Earlier, Jordon Bedwell jor...@envygeeks.com wrote:
> That's almost jokingly ironic.

I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.

Cheers,
Paul

-- 
 .''`.  Paul Tagliamonte paul...@debian.org
: :' :  Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
> I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.

I invite you to jump back down to earth and stop judging people as if you are somehow better.

Archive: http://lists.debian.org/CAM5XQnwOtTVgYQsusoBt7iUac3+3MBsd5=zckdzmky87was...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>> I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.
>
> I invite you to jump back down to earth and stop judging people as if you are somehow better.

(I'm not the one insulting two core teams at once)

-- 
 .''`.  Paul Tagliamonte paul...@debian.org
: :' :  Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote:
> On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
>> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>>> I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.
>>
>> I invite you to jump back down to earth and stop judging people as if you are somehow better.
>
> (I'm not the one insulting two core teams at once)

Nope, you just take it a step further and insult the individual people.

Archive: http://lists.debian.org/CAM5XQnzgiy2aAtERiD0ezCrKeiiF4EZ+=CBo-O9Af5=u8v2...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:33 AM, Jordon Bedwell jor...@envygeeks.com wrote:
> On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote:
>> On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
>>> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>>>> I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.
>>>
>>> I invite you to jump back down to earth and stop judging people as if you are somehow better.
>>
>> (I'm not the one insulting two core teams at once)
>
> Nope, you just take it a step further and insult the individual people.

I should say "individual people" without "the", as "the" implies you were insulting the people on the team, and not people in general.

Archive: http://lists.debian.org/cam5xqnybxozwlmh8_r4z-t7xwh8zf5psd3eufp36oyxkquk...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>> I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief.
>
> I invite you to jump back down to earth and stop judging people as if you are somehow better.

I think the open invitation to participate in the Debian project mailing lists should now be withdrawn. CCing listmasters.

Neil
Re: Debian APT Key Revocation Procedure
> I should say "individual people" without "the", as "the" implies you were insulting the people on the team, and not people in general.

No one here thinks they are better or smarter than you. It would just be nice if you could try to keep it a little more professional in your communication and responses.

Archive: http://lists.debian.org/cagysloehud-+xosnrw8e_qx_mrndkm_w0go7yxm7ej3jjon...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:42 AM, Darko Gavrilovic d.gavrilo...@gmail.com wrote:
>> I should say "individual people" without "the", as "the" implies you were insulting the people on the team, and not people in general.
>
> No one here thinks they are better or smarter than you. It would just be nice if you could try to keep it a little more professional in your communication and responses.

There was nothing unprofessional about what I said.

Archive: http://lists.debian.org/cam5xqnw9_qf-zf7jqwvmndwt5uqg_e_a8zfanfkk+2czkyv...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
Paul Wise:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>> What are your plans if you ever have reason to believe that the Debian archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this list. I suggest you contact them (DSA, ftpteam) directly.

Thank you, Paul. I mailed DSA.

I find it non-ideal that there is no place to discuss this in public. (Neither the DSA nor the ftpmaster mailing list is publicly archived or allows public sign-up.)

Archive: http://lists.debian.org/5273dcd2.1070...@riseup.net
Re: Debian APT Key Revocation Procedure
On Thu, 31 Oct 2013, adrelanos wrote:
> But what could you do with the revocation certificate? Only manually spread the news and ask users to obtain the revocation certificate?

We would widely publish that information, that's a given. But it is not the only way to publish the revocation certificate and the replacement keys.

> Or will the apt on Debian user's machines somehow learn about that revocation certificate? If so, how does that procedure work? Where is it configured?

I believe we'd deploy a security update of the debian-archive-keyring package, with the updated key material and revocation certificates. There are backup keys to allow for key rollover.

Now, this does NOT address all scenarios. It is not a perfect solution. For a more precise answer, please ask the debian-admin ML.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20131101171006.ga1...@khazad-dum.debian.net
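The procedure Henrique describes (a security update of debian-archive-keyring that ships the updated key material and the revocation certificates) leaves the locally installed keyring as the thing an administrator can actually verify. The following is an added example, not code from this thread or from Debian: it parses the machine-readable `gpg --with-colons` key listing and reports primary keys whose validity field marks them revoked (`r`) or expired (`e`), so a machine that has not yet received the keyring update, or still carries an old key, shows up. The keyring path, the exact gpg invocation and the sample records are assumptions or constructed data, not taken from the thread.

```python
"""Audit an APT trusted keyring for revoked or expired primary keys.

Added example, not part of the mailing-list thread or of Debian's tooling.
Assumptions:
  * `gpg --with-colons` record layout as documented in GnuPG's doc/DETAILS:
    'pub' records carry validity in field 2, 'fpr' and 'uid' records carry
    the fingerprint / user ID in field 10 (index 9).
  * DEFAULT_KEYRING is the usual Debian location; adjust for your system.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Usual location of the Debian archive keyring (assumption; check your system).
DEFAULT_KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"


@dataclass
class KeyStatus:
    fingerprint: str
    uid: str
    validity: str  # field 2 of the 'pub' record: '-' unknown, 'r' revoked, 'e' expired, ...

    @property
    def revoked(self) -> bool:
        return self.validity == "r"

    @property
    def expired(self) -> bool:
        return self.validity == "e"


def parse_colons(output: str) -> List[KeyStatus]:
    """Turn `gpg --with-colons --list-keys` output into one KeyStatus per primary key.

    Only the first 'fpr' and first 'uid' after each 'pub' are attached to that key,
    so subkey fingerprints (which follow 'sub' records) are not mistaken for the primary.
    """
    keys: List[KeyStatus] = []
    current: Optional[KeyStatus] = None
    for line in output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = KeyStatus(fingerprint="", uid="", validity=fields[1])
            keys.append(current)
        elif rtype == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = fields[9]
        elif rtype == "uid" and current is not None and not current.uid:
            current.uid = fields[9]
    return keys


def flag_untrustworthy(keys: List[KeyStatus]) -> List[KeyStatus]:
    """Return the keys that should no longer be trusted to sign the archive."""
    return [k for k in keys if k.revoked or k.expired]


def audit_keyring(path: str = DEFAULT_KEYRING) -> List[KeyStatus]:
    """Run gpg against a keyring file and return the revoked/expired keys."""
    cmd = ["gpg", "--batch", "--with-colons", "--with-fingerprint",
           "--no-default-keyring", "--keyring", path, "--list-keys"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return flag_untrustworthy(parse_colons(out))


# Constructed sample listing (fingerprints and dates are made up): one valid key,
# one revoked key, one expired key, each with a subkey whose fpr must be ignored.
GOOD_FPR = "00000000000000000000000000000000000000A1"
REVOKED_FPR = "00000000000000000000000000000000000000B2"
EXPIRED_FPR = "00000000000000000000000000000000000000C3"
SAMPLE_COLONS = "\n".join([
    "pub:-:4096:1:00000000000000A1:1376779232:::-:::scESC:",
    "fpr:::::::::" + GOOD_FPR + ":",
    "uid:-::::1376779232::HASH1::Example Archive Signing Key (constructed) <key1@example.invalid>::",
    "sub:-:4096:1:00000000000000A9:1376779232::::::s:",
    "fpr:::::::::00000000000000000000000000000000000000A9:",
    "pub:r:4096:1:00000000000000B2:1293840000:::-:::scESC:",
    "fpr:::::::::" + REVOKED_FPR + ":",
    "uid:r::::1293840000::HASH2::Old Archive Signing Key (constructed) <key2@example.invalid>::",
    "pub:e:4096:1:00000000000000C3:1262304000:1325376000::-:::scESC:",
    "fpr:::::::::" + EXPIRED_FPR + ":",
    "uid:e::::1262304000::HASH3::Expired Archive Signing Key (constructed) <key3@example.invalid>::",
])


if __name__ == "__main__":
    # Dry run on the constructed sample, then the real keyring if gpg and the file exist.
    for k in flag_untrustworthy(parse_colons(SAMPLE_COLONS)):
        print(f"sample: {k.fingerprint} {k.validity} {k.uid}")
    try:
        for k in audit_keyring():
            print(f"{DEFAULT_KEYRING}: {k.fingerprint} {k.validity} {k.uid}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"skipping real keyring: {exc}")
```

Running it against the live keyring after the keyring package update is the local confirmation that the revocation actually reached the machine; an empty result on a keyring that is known to contain the revoked fingerprint means the update has not been applied yet. Subkeys are deliberately skipped so that a revoked primary is reported once.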
External check
CVE-2013-5801: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
CVE-2013-5832: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
CVE-2013-5843: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check

--
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52734d84.rbt6gef7t8xikulx%atomo64+st...@gmail.com