announcing the beginning of security support for testing

2005-09-16 Thread Moisés Jardim Pinheiro
http://lists.debian.org/debian-devel-announce/2005/09/msg6.html

-- 
Sent by Moisés Jardim Pinheiro
Phone: (53) 9107 8473
E-mail: [EMAIL PROTECTED]
ICQ: 300539142
MSN: [EMAIL PROTECTED]
Linux User #366875
Canguçu/RS



Re: [Secure-testing-team] Re: announcing the beginning of security support for testing

2005-09-16 Thread Florian Weimer
* Jiann-Ming Su:

 On 9/9/05, Joey Hess [EMAIL PROTECTED] wrote:
 deb http://secure-testing.debian.net/debian-secure-testing 
 etch/security-updates main contrib non-free

 How is this different from deb http://security.debian.org/
 testing/updates main?

Is testing/updates actually used?  I don't think so.  Apparently, the
archive doesn't contain any packages.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: announcing the beginning of security support for testing

2005-09-15 Thread Bill Wohler
s. keeling [EMAIL PROTECTED] writes:

 deb http://security.debian.org/ etch/updates main
 deb-src http://security.debian.org/ etch/updates main

 deb http://secure-testing.debian.net/debian-secure-testing 
 etch-proposed-updates/security-updates main contrib non-free
 deb-src http://secure-testing.debian.net/debian-secure-testing 
 etch-proposed-updates/security-updates main contrib non-free

Joey,

These entries are quite different from your announcement. Can you
comment on them?

-- 
Bill Wohler [EMAIL PROTECTED]  http://www.newt.com/wohler/  GnuPG ID:610BD9AD
Maintainer of comp.mail.mh FAQ and MH-E. Vote Libertarian!
If you're passed on the right, you're in the wrong lane.





Re: announcing the beginning of security support for testing

2005-09-15 Thread Jiann-Ming Su
On 9/9/05, Joey Hess [EMAIL PROTECTED] wrote:
 deb http://secure-testing.debian.net/debian-secure-testing 
 etch/security-updates main contrib non-free

How is this different from deb http://security.debian.org/
testing/updates main?
-- 
Jiann-Ming Su
I have to decide between two equally frightening options. 
 If I wanted to do that, I'd vote. --Duckman



Re: announcing the beginning of security support for testing

2005-09-13 Thread Joey Hess
Bill Wohler wrote:
 You may get the following error message and not know what it means:
 
 W: Couldn't stat source package list http://secure-testing.debian.net
 etch/security-updates/main Packages
 
 (/var/lib/apt/lists/secure-testing.debian.net_debian-secure-testing_dists_etch_security-updates_main_binary-i386_Packages)
 - stat (2 No such file or directory) 
 ...
 W: You may want to update the package lists to correct these missing files
 W: GPG error: http://secure-testing.debian.net etch/security-updates
 Release: The following signatures couldn't be verified because the
 public key is not available: NO_PUBKEY 946AA6E18722E71E 
 W: You may want to update the package lists to correct these missing files
 
 I didn't, but fortunately, I stumbled on an unrelated README this
 morning and learned what was missing: apt-key.

It's not likely that users of testing will run into this since the
relevant version of apt has not reached testing yet.

With that said, I strongly encourage everyone to install the new secure
version of apt from unstable if you can, as it's an important
enhancement to the overall security of a debian system.

 Since the use of apt-key is something that users do rarely if at all,
 a reminder of what to do with that information would be welcome. And
 that is:
 
 1. Save the above key into a file, say, /tmp/debian.key.
 
 2. Load the key with:
 
sudo apt-key add /tmp/debian.key

Actually step 0 is to carefully validate the origin of the key and make
sure you can verify it came from someone you trust.

-- 
see shy jo


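An added example, not code from Bill's or Joey's messages, that makes Joey's "step 0" concrete for Bill's two-step recipe: list the fingerprint in the downloaded key file, compare it with a value obtained out of band, and only then run apt-key add. EXPECTED_FPR is a placeholder (not the real fingerprint of ziyi-2005-7.asc), the gpg --with-colons sample used in testing is constructed, and the gpg 1.4 listing invocation is an assumption.

```shell
#!/bin/sh
# Added example (not code from the thread): Joey's "step 0" made concrete.
# Before `apt-key add`, the key file's full fingerprint is compared with a
# value obtained out of band. EXPECTED_FPR below is a PLACEHOLDER, not the
# real fingerprint of ziyi-2005-7.asc; replace it with the value you verified.
EXPECTED_FPR="0123 4567 89AB CDEF 0123 4567 946A A6E1 8722 E71E"

# Print the fingerprint(s) from `gpg --with-colons` output read on stdin.
# Fingerprint records look like  fpr:::::::::<40 hex digits>:  so the
# fingerprint is colon-separated field 10.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Succeed (return 0) only if $2, with spaces and case ignored, is one of the
# newline-separated fingerprints in $1.
fingerprint_matches() {
    listed=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$listed" | grep -qx "$expected"
}

# List the fingerprints in a key file, compare, and import only on a match.
# Assumes gpg 1.4 semantics (the version current in the thread): passing a
# key file with --with-fingerprint lists it without importing anything.
import_if_fingerprint_ok() {
    keyfile=$1
    expected=$2
    listed=$(gpg --batch --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
             | fprs_from_colons)
    if [ -z "$listed" ]; then
        echo "no public key found in $keyfile" >&2
        return 2
    fi
    if ! fingerprint_matches "$listed" "$expected"; then
        echo "fingerprint of $keyfile does not match the expected value; not importing" >&2
        printf 'found:    %s\n' "$listed" >&2
        printf 'expected: %s\n' "$expected" >&2
        return 1
    fi
    # Only now does the key become trusted by apt (step 2 of Bill's recipe).
    sudo apt-key add "$keyfile"
}

# Usage: sh check-key.sh /tmp/debian.key   (compares against EXPECTED_FPR)
if [ $# -eq 1 ]; then
    import_if_fingerprint_ok "$1" "$EXPECTED_FPR"
fi
```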


Re: announcing the beginning of security support for testing

2005-09-13 Thread Joey Hess
Oliver Lupton wrote:
 Sorry if this is a newbie question, but why is this 
 secure-testing.debian.net when debian.org is the official site? Is the 
 testing security nonofficial? Or are .net and .org equivalent?

debian.net hostnames are provided for any debian developers to use for
machines and services they provide on their own that are not officially
administered by Debian.

It's fairly typical in Debian for new projects to begin life on
debian.net, and only get integrated into Debian proper once it's clear
that they are important to the project and will continue and are worth
committing to. At that point they get absorbed into debian.org.

An example is wiki.debian.net, which proved that Debian needs an
official wiki, which is now being set up as wiki.debian.org. Another
example is the amd64 port, which was hosted on amd64.debian.net. It's
kind of analogous to google labs in a way, except we take cool projects
out of beta eventually. ;-)

The testing security archive is currently using a debian.net machine
for similar reasons.

-- 
see shy jo




Re: announcing the beginning of security support for testing

2005-09-12 Thread Bill Wohler
You may get the following error message and not know what it means:

W: Couldn't stat source package list http://secure-testing.debian.net
etch/security-updates/main Packages

(/var/lib/apt/lists/secure-testing.debian.net_debian-secure-testing_dists_etch_security-updates_main_binary-i386_Packages)
- stat (2 No such file or directory) 
...
W: You may want to update the package lists to correct these missing files
W: GPG error: http://secure-testing.debian.net etch/security-updates
Release: The following signatures couldn't be verified because the
public key is not available: NO_PUBKEY 946AA6E18722E71E 
W: You may want to update the package lists to correct these missing files

I didn't, but fortunately, I stumbled on an unrelated README this
morning and learned what was missing: apt-key.

Joey Hess [EMAIL PROTECTED] writes:

 The archive signing key that is used to sign the apt repository is
 included below and can also be downloaded from
 http://secure-testing-master.debian.net/ziyi-2005-7.asc

Since the use of apt-key is something that users do rarely if at all,
a reminder of what to do with that information would be welcome. And
that is:

1. Save the above key into a file, say, /tmp/debian.key.

2. Load the key with:

   sudo apt-key add /tmp/debian.key

-- 
Bill Wohler [EMAIL PROTECTED]  http://www.newt.com/wohler/  GnuPG ID:610BD9AD
Maintainer of comp.mail.mh FAQ and MH-E. Vote Libertarian!
If you're passed on the right, you're in the wrong lane.





Re: announcing the beginning of security support for testing

2005-09-12 Thread Oliver Lupton

Joey Hess wrote:


deb http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free

Alternatively, replace secure-testing.debian.net in the above lines with
a mirror near you:

ftp.de.debian.org     (located in Germany)
ftp.nl.debian.org     (located in the Netherlands)
the.earth.li          (located in UK)
ftp2.jp.debian.org    (located in Japan)
farbror.acc.umu.se    (located in Sweden)
 

Sorry if this is a newbie question, but why is this 
secure-testing.debian.net when debian.org is the official site? Is the 
testing security nonofficial? Or are .net and .org equivalent?


Oliver






Re: announcing the beginning of security support for testing

2005-09-12 Thread Brian Nelson
Oliver Lupton [EMAIL PROTECTED] writes:

 Joey Hess wrote:

deb http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free

Alternatively, replace secure-testing.debian.net in the above lines with
a mirror near you:

  ftp.de.debian.org     (located in Germany)
  ftp.nl.debian.org     (located in the Netherlands)
  the.earth.li          (located in UK)
  ftp2.jp.debian.org    (located in Japan)
  farbror.acc.umu.se    (located in Sweden)


 Sorry if this is a newbie question, but why is this 
 secure-testing.debian.net when debian.org is the official site? Is the 
 testing security nonofficial? 

I think in general the distinction is that debian.org machines are
controlled by the debian-admin team, whereas debian.net machines are
not (though they are usually maintained by Debian developers).

-- 
Society is never going to make any progress until we all learn to
pretend to like each other.





Re: announcing the beginning of security support for testing

2005-09-12 Thread Marty

Could a list of md5sums be provided for this archive, like the file
/debian/indices/md5sums.gz in the main (debian) archive?  With the help
of a simple script, this file allows me to check the package integrity in my
mirror of the main debian archive.  I am hoping that this method can be used
for other archives as well, as an alternative to the currently recommended
checking method.

The problem with the secure-testing checking procedure (which is also used
by security.debian.org and marillat archives) is that it requires apt 0.6.*
Unfortunately, the version of apt in debian testing is only 0.5.28.6 and in
any case it will be a long time before all of my systems run apt version 0.6
or higher.

In addition, the recommended checking procedure only checks packages
during installation, if I understand it correctly -- it cannot check the
integrity of an entire mirror archive.  For my purposes, I need to check
the integrity of all packages in my local archives, before I attempt to
install them.

Compounding this problem is the fact that rsync to the (primary) secure-testing
archive is disallowed using the -c (checksumming) option, understandably so.
rsync with checksumming has been my workaround with my local debian-security 
archive.

*See http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s-deb-pack-sign
which is referenced by the Debian security FAQ.






Re: [Secure-testing-team] Re: announcing the beginning of security support for testing

2005-09-12 Thread Martin Zobel-Helas
Hi Marty,

On Monday, 12 Sep 2005, you wrote:
 Could a list of md5sums be provided for this archive, like the file
 /debian/indices/md5sums.gz in the main (debian) archive?  With the help
 of a simple script, this file allows me to check the package integrity in my
 mirror of the main debian archive.  I am hoping that this method can be used
 for other archives as well, as an alternative to the currently recommended
 checking method.
I added the md5sums file. It should be indices/md5sums.gz with the next
run of dinstall.


 Compounding this problem is the fact that rsync to the (primary) 
 secure-testing
 archive is disallowed using the -c (checksumming) option, understandably so.
 rsync with checksumming has been my workaround with my local 
 debian-security archive.

Allowing the -c option for rsync adds WAY TOO MUCH load to the server, so
please accept that we will not enable that on the server.

Greetings
Martin


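An added example, not Marty's own script, of the check Marty describes and that Martin's indices/md5sums.gz makes possible: walk the index and verify every file in a local mirror before anything is installed from it, reporting files that are absent or whose checksum disagrees with the index. It assumes the index holds md5sum(1)-style lines (checksum, two spaces, path relative to the archive root); the small mirror it builds for a dry run is constructed.

```shell
#!/bin/sh
# Added example, not Marty's own script: verify a local mirror against the
# archive's indices/md5sums.gz before installing anything from it.
# Assumption: the index holds md5sum(1)-style lines, "<md5>  <path>", with
# paths relative to the archive root (the form md5sum -c accepts).

# check_mirror <mirror-root> <md5sums.gz>
# Prints one line per missing or mismatched file plus a summary line, and
# returns 0 only when every indexed file is present with the right checksum.
check_mirror() {
    root=$1
    index=$2
    ok=0; missing=0; bad=0
    # Decompress to a temp file so the loop runs in this shell (a pipe would
    # run it in a subshell and lose the counters).
    list=$(mktemp)
    gzip -dc "$index" > "$list"
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            missing=$((missing + 1))
            continue
        fi
        actual=$(md5sum "$f" | awk '{ print $1 }')
        if [ "$actual" = "$sum" ]; then
            ok=$((ok + 1))
        else
            echo "MISMATCH $path (index $sum, file $actual)"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "checked=$((ok + missing + bad)) ok=$ok missing=$missing mismatched=$bad"
    if [ "$missing" -ne 0 ] || [ "$bad" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Build a small CONSTRUCTED mirror under $1 for trying the check out: two
# fake packages with a matching index, then one index entry whose file is
# absent and one file that is modified after the index was written.
make_sample_mirror() {
    d=$1
    mkdir -p "$d/pool/main/f/fake" "$d/pool/main/s/sample" "$d/indices"
    printf 'fake package contents\n'   > "$d/pool/main/f/fake/fake_1.0_all.deb"
    printf 'sample package contents\n' > "$d/pool/main/s/sample/sample_2.0_all.deb"
    {
        (cd "$d" && md5sum pool/main/f/fake/fake_1.0_all.deb \
                           pool/main/s/sample/sample_2.0_all.deb)
        # md5 of the empty string, for a file that is not in the mirror at all
        echo "d41d8cd98f00b204e9800998ecf8427e  pool/main/g/gone/gone_0.1_all.deb"
    } | gzip > "$d/indices/md5sums.gz"
    printf 'tampered\n' >> "$d/pool/main/s/sample/sample_2.0_all.deb"
}

# Usage: sh check-mirror.sh /srv/mirror /srv/mirror/indices/md5sums.gz
#        sh check-mirror.sh demo   (runs the check on the constructed mirror)
case "${1:-}" in
    demo) d=$(mktemp -d); make_sample_mirror "$d"
          check_mirror "$d" "$d/indices/md5sums.gz"; rm -rf "$d" ;;
    "")   ;;
    *)    check_mirror "$1" "$2" ;;
esac
```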



Re: announcing the beginning of security support for testing

2005-09-10 Thread Rogério Brito
On Sep 09 2005, Patrick Wiseman wrote:
 I like to follow testing, so that's what I'll keep in my sources.list
 file.

Exactly the same situation here. I like to follow testing as a way of
getting updates and also to report bugs in the packages that I happen to
use, when I find one.

This is one of the ways that I can give back to the community that
created such great software that I use.

And, yes, using testing instead of etch seems to work (just browsed one
of the sites).


Thanks to the security team, Rogério Brito.

-- 
Rogério Brito : [EMAIL PROTECTED] : http://www.ime.usp.br/~rbrito
Homepage of the algorithms package : http://algorithms.berlios.de
Homepage on freshmeat:  http://freshmeat.net/projects/algorithms/





Re: announcing the beginning of security support for testing

2005-09-10 Thread Andrew Schulman
 The Debian testing security team is pleased to announce the beginning of
 full security support for Debian's testing distribution.

Has anyone else been able to verify the signature on that message?  Try as I
might, I cannot.  It may be because I'm reading this group on gmane, but
I've also tried to verify the message directly from the list archives.  I
can't do it.  Any help appreciated.  Andrew.
  





Re: announcing the beginning of security support for testing

2005-09-10 Thread Joey Hess
s. keeling wrote:
 Really?
 
  --
 W: Couldn't stat source package list http://secure-testing.debian.net \
   testing/security-updates/main Packages \
   (/var/lib/apt/lists/secure-testing.debian.net_ \
   debian-secure-testing_dists_testing_security-updates_\
   main_binary-i386_Packages) - stat (2 No such file or directory)
  --

apt-get update

 I haven't seen an etch archive yet that allows me to use etch
 instead of testing.

I have; all of them. It's a symlink.

 I just subscribed to the list, tried to confirm the subscription, and
 my confirmation mail bounced.  I confirmed on the webpage then posted
 the problem to the list.  My post is held for moderator's approval.
 Reason: moderated list.

Since you're trying to post to the announcement list, that's not
surprising.

-- 
see shy jo




Fwd: announcing the beginning of security support for testing

2005-09-09 Thread Tiago Saboga
I think this is of general interest, and it especially complements the
discussion that was going on under the subject xorg.

--  Forwarded message  --

Subject: announcing the beginning of security support for testing
Date: Fri 09 Sep 2005 16:27
From: Joey Hess [EMAIL PROTECTED]
To: debian-devel-announce@lists.debian.org, debian-user@lists.debian.org


announcing the beginning of security support for testing

2005-09-09 Thread Joey Hess
---
Debian Testing Security Team                            September 9th, 2005
secure-testing-team@lists.alioth.debian.org
http://secure-testing-master.debian.net/
---

Security support for testing

The Debian testing security team is pleased to announce the beginning of
full security support for Debian's testing distribution. We have spent the
past year building the team, tracking and fixing security holes, and
creating our infrastructure, and now the final pieces are in place, and 
we are able to offer security updates and advisories for testing.

We invite Debian users who are currently running testing, or who would like
to switch to testing, to subscribe to the secure-testing-announce mailing 
list, which is used to announce security updates:
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce

We also invite you to add the following lines to your
/etc/apt/sources.list file, and run apt-get update && apt-get upgrade
to make the security updates available.

deb http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing 
etch/security-updates main contrib non-free

Alternatively, replace secure-testing.debian.net in the above lines with
a mirror near you:

ftp.de.debian.org     (located in Germany)
ftp.nl.debian.org     (located in the Netherlands)
the.earth.li          (located in UK)
ftp2.jp.debian.org    (located in Japan)
farbror.acc.umu.se    (located in Sweden)

Some initial advisories have already been posted to the list and are already
available in the repository. These include:

[DTSA-1-1] New kismet packages fix remote code execution
[DTSA-2-1] New centericq packages fix multiple vulnerabilities
[DTSA-3-1] New clamav packages fix denial of service and privilege escalation
[DTSA-4-1] New ekg packages fix multiple vulnerabilities
[DTSA-5-1] New gaim packages fix multiple remote vulnerabilities
[DTSA-6-1] New cgiwrap packages fix multiple vulnerabilities
[DTSA-7-1] New mozilla packages fix frame injection spoofing
[DTSA-8-1] New mozilla-firefox packages fix several vulnerabilities
[DTSA-9-1] New bluez-utils packages fix bad device name escaping
[DTSA-10-1] New pcre3 packages fix buffer overflow
[DTSA-11-1] New maildrop packages fix local privilege escalation
[DTSA-12-1] New vim packages fix modeline exploits
[DTSA-13-1] New evolution packages fix format string vulnerabilities

Note that while all of Debian's architectures are supported, we may release
an advisory before fixed packages have built for all supported
architectures. If so, the missing builds will become available as they
complete.

We are not currently issuing advisories for security fixes that reach
testing through normal propagation from unstable, but only for security
fixes that are made available through our repository. So users of testing
should continue to upgrade their systems on a regular basis to get such
security fixes. We might provide information about security issues that
have been fixed through regular testing propagation in the future, though.

Note that this announcement does not mean that testing is suitable for
production use. Several security issues are present in unstable, and an
even larger number are present in testing. Our beginning of security
support only means that we are now able to begin making security fixes
available for testing nearly as quickly as for unstable. The testing
security team's website has information about what security holes are still
open, and users should use this information to make their own decisions
about whether testing is secure enough for them.

Finally, we are still in the process of working out how best to serve users
of testing and keep your systems secure, and we welcome comments and
feedback about ways to do better. You can reach the testing security team
at [EMAIL PROTECTED]

If you want to become a mirror, please see
http://secure-testing-master.debian.net/mirroring.html

Debian developers who would like to upload fixes for security holes in
testing to the repository can do so, following the instructions on our web
site.

For more information about the testing security team, see our web site,
http://secure-testing-master.debian.net/



The archive signing key that is used to sign the apt repository is
included below and can also be downloaded from
http://secure-testing-master.debian.net/ziyi-2005-7.asc


Re: announcing the beginning of security support for testing

2005-09-09 Thread Patrick Wiseman
On 9/9/05, Olaf van der Spek [EMAIL PROTECTED] wrote:
 On 9/9/05, Patrick Wiseman [EMAIL PROTECTED] wrote:
  http://secure-testing.debian.net/debian-secure-testing
  etch/security-updates main contrib non-free
  deb-src http://secure-testing.debian.net/debian-secure-testing
  etch/security-updates main contrib non-free
 
  Could I replace 'etch' with 'testing' or should I replace 'testing' with
  'etch' elsewhere in my sources.list file?

 testing instead of etch works
 It depends on what you wish to do when testing and etch aren't equal
 anymore. Do you want to follow testing or etch then?

I like to follow testing, so that's what I'll keep in my sources.list file.

Patrick



Re: announcing the beginning of security support for testing

2005-09-09 Thread Olaf van der Spek
On 9/9/05, Patrick Wiseman [EMAIL PROTECTED] wrote:
 http://secure-testing.debian.net/debian-secure-testing
 etch/security-updates main contrib non-free 
  deb-src
 http://secure-testing.debian.net/debian-secure-testing
 etch/security-updates main contrib non-free
 
 Could I replace 'etch' with 'testing' or should I replace 'testing' with
 'etch' elsewhere in my sources.list file?

testing instead of etch works
It depends on what you wish to do when testing and etch aren't equal
anymore. Do you want to follow testing or etch then?



Re: announcing the beginning of security support for testing

2005-09-09 Thread Patrick Wiseman
On 9/9/05, Joey Hess [EMAIL PROTECTED] wrote:
 Security support for testing

 The Debian testing security team is pleased to announce the beginning of
 full security support for Debian's testing distribution.

This is great news, and thank you!

[...]

 We also invite you to add the following lines to your
 /etc/apt/sources.list file, and run apt-get update && apt-get upgrade
 to make the security updates available.

 deb http://secure-testing.debian.net/debian-secure-testing
 etch/security-updates main contrib non-free
 deb-src http://secure-testing.debian.net/debian-secure-testing
 etch/security-updates main contrib non-free

Could I replace 'etch' with 'testing' or should I replace 'testing' with
'etch' elsewhere in my sources.list file?

Patrick