Re: Facilitating external repositories

2019-11-14 Thread Wouter Verhelst
Hi, On Sat, Nov 09, 2019 at 07:20:44PM +0200, Wouter Verhelst wrote: > Hi Timo, > > On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote: > > Hello Wouter Verhelst, > > > > 03.11.19 18:35 Wouter Verhelst: > > > The software from the package downloads the metadata index and validates

Re: Facilitating external repositories

2019-11-09 Thread Wouter Verhelst
Hi Timo, On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote: > Hello Wouter Verhelst, > > 03.11.19 18:35 Wouter Verhelst: > > The software from the package downloads the metadata index and validates > > the GPG signature; and if everything checks out, adds configuration to > >

Re: Facilitating external repositories

2019-11-04 Thread Paul Wise
On Mon, Nov 4, 2019 at 4:44 PM Ansgar wrote: > I would recommend against doing this as long as sources.list is a > configuration file: it would need regular updates to change to the new > signing key. That doesn't work out of the box. No updates are needed if you use what Timo suggested: > I

Re: Facilitating external repositories

2019-11-04 Thread Ansgar
Paul Wise writes: > On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover wrote: > >> The official archive-keyring packages that use these, I think it's mostly >> for backwards compatibility reasons. > > I wonder if it is feasible to and how the debian-archive-keyring could > migrate from

Re: Facilitating external repositories

2019-11-03 Thread Paul Wise
On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover wrote: > The official archive-keyring packages that use these, I think it's mostly > for backwards compatibility reasons. I wonder if it is feasible to and how the debian-archive-keyring could migrate from /etc/apt/trusted.gpg.d/ to

Re: Facilitating external repositories

2019-11-03 Thread Guillem Jover
On Sun, 2019-11-03 at 11:04:01 -0800, Russ Allbery wrote: > Timo Weingärtner writes: > > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key > > is in there its owner can impersonate the official debian repos for > > default setups.¹ Please use some other path (such as > >

Re: Facilitating external repositories

2019-11-03 Thread Russ Allbery
Timo Weingärtner writes: > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key > is in there its owner can impersonate the official debian repos for > default setups.¹ Please use some other path (such as > /var/lib/extrepo/keyrings/) for the keyrings and connect it with >

Re: Facilitating external repositories

2019-11-03 Thread Timo Weingärtner
Hello Wouter Verhelst, 03.11.19 18:35 Wouter Verhelst: > The software from the package downloads the metadata index and validates > the GPG signature; and if everything checks out, adds configuration to > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the > repository. Please don't

Re: Facilitating external repositories

2019-11-03 Thread Wouter Verhelst
So, in 2015 I wrote: > Hi, > > At $DAYJOB, I'm maintaining a few repositories with ready-to-install > packages for a number of distributions[1] > > Currently, the instructions[2] say to do the following: > - Download and install an "eid-archive" package, which contains the GPG > keys and

Re: Facilitating external repositories

2016-01-27 Thread Alexandre Detiste
On Friday 12 June 2015, 17:56:04 Wouter Verhelst wrote: > On Fri, Jun 12, 2015 at 10:08:35AM +0200, Alexandre Detiste wrote: > > On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote: > > > On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote: > > > > I see eid-mw is built on

Re: Facilitating external repositories

2015-08-20 Thread Guillem Jover
Hi! On Mon, 2015-08-17 at 09:53:17 +0200, Wouter Verhelst wrote: A repository with a whitelist cannot install packages with names outside that whitelist. It should also not be able to have packages with Provides: or Replaces: headers outside that whitelist (so you can't ship a package that

Re: Facilitating external repositories

2015-08-17 Thread David Kalnischkies
(heavy-pruning same-mail subthreads) On Sun, Aug 16, 2015 at 12:06:53PM +, Anthony Towns wrote: Here's how you currently setup an external repo as securely as possible: 1. You hear about a cool repo from somewhere, and are told to go to https://example.org/debian/README.html for

Re: Facilitating external repositories

2015-08-17 Thread Anthony Towns
On Mon, Aug 17, 2015 at 11:15:08AM +0200, David Kalnischkies wrote: On Sun, Aug 16, 2015 at 12:06:53PM +, Anthony Towns wrote: The user interface improvement might be worth it anyhow, but selling this as huge security improvement is just wrong, which is all I am against. I think it's a

Re: Facilitating external repositories

2015-08-17 Thread Wouter Verhelst
Hi, On Wed, Aug 12, 2015 at 08:37:49PM +0200, David Kalnischkies wrote: (now that I was ping'ed in reallife… lets finish this draft and make the discussion even longer as my previous mail was obviously not long enough ;) – or ignore the rambling entirely and skip to the last paragraph ) The

Re: Facilitating external repositories

2015-08-16 Thread Anthony Towns
On Sat, Aug 15, 2015 at 12:47:42PM +0200, David Kalnischkies wrote: I think my working assumption is anyone can register, and it's done automatically. If you want to ensure the URL is owned by the register, you could use a dummy DNS record (please add

Re: Facilitating external repositories

2015-08-15 Thread David Kalnischkies
On Thu, Aug 13, 2015 at 05:46:24PM +, Anthony Towns wrote: On Thu, Aug 13, 2015 at 11:23:19AM +0200, David Kalnischkies wrote: On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote: To use an external repo, you need a deb822 sources.list file and a pubkey. To get those,

Re: Facilitating external repositories

2015-08-13 Thread David Kalnischkies
On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote: I'm not sure if the idea is PPAs can only be added to by DDs/DMs. If not, can anonymous folks setup a PPA for pirated software, or try to compromise the PPA build system or similar? If PPAs are for DDs and DMs only, I'm presuming

Re: Facilitating external repositories

2015-08-13 Thread Anthony Towns
On Thu, Aug 13, 2015 at 11:23:19AM +0200, David Kalnischkies wrote: On Wed, Aug 12, 2015 at 11:12:05PM +, Anthony Towns wrote: I'm not sure if the idea is PPAs can only be added to by DDs/DMs. [...] There is a session about Debian PPAs at 2015-08-21 17:00..18:00 @ DebConf, so all the

Re: Facilitating external repositories

2015-08-13 Thread Jakub Wilk
* Anthony Towns a...@erisian.com.au, 2015-08-12, 23:12: debian-keyring is a 51MB deb, that's pretty big. FWIW, it could be shrunk to ~10MB if the keys were minimized (--export-options export-minimal). -- Jakub Wilk

Re: Facilitating external repositories

2015-08-13 Thread Jonathan McDowell
On Thu, Aug 13, 2015 at 07:53:52PM +0200, Jakub Wilk wrote: * Anthony Towns a...@erisian.com.au, 2015-08-12, 23:12: debian-keyring is a 51MB deb, that's pretty big. FWIW, it could be shrunk to ~10MB if the keys were minimized (--export-options export-minimal). We recently switched to

Re: Facilitating external repositories

2015-08-12 Thread Anthony Towns
(Piling onto this after a dc15 dinner convo referencing it) On Tue, Jul 28, 2015 at 12:41:45AM +0200, Wouter Verhelst wrote: On Sat, Jul 25, 2015 at 07:27:21PM +0200, David Kalnischkies wrote: On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote: (apologies if the identity of who's

Re: Facilitating external repositories

2015-08-12 Thread Vincent Bernat
❦ 12 August 2015 23:12 GMT, Anthony Towns a...@erisian.com.au: - PPAs: Debian hosted, but more loosely controlled. experimental gone wild? maybe third party uploads? probably only free things? It could also be backports that don't fit the backport policy. -- I have never let my schooling

Re: Facilitating external repositories

2015-08-12 Thread David Kalnischkies
(now that I was ping'ed in reallife… lets finish this draft and make the discussion even longer as my previous mail was obviously not long enough ;) – or ignore the rambling entirely and skip to the last paragraph ) On Tue, Jul 28, 2015 at 12:41:45AM +0200, Wouter Verhelst wrote: On Sat, Jul 25,

Re: Facilitating external repositories

2015-07-28 Thread Игорь Пашев
2015-06-05 19:10 GMT+03:00 Josh Triplett j...@joshtriplett.org: Given that the packages in question appear to be Free Software (at least from a quick check of a couple of them, as well as the repository being named main), is there a reason you don't maintain them in Debian (including backports

Re: Facilitating external repositories

2015-07-28 Thread Jonas Smedegaard
Quoting Игорь Пашев (2015-07-28 21:11:57) 2015-06-05 19:10 GMT+03:00 Josh Triplett j...@joshtriplett.org: Given that the packages in question appear to be Free Software (at least from a quick check of a couple of them, as well as the repository being named main), is there a reason you don't

Re: Facilitating external repositories

2015-07-27 Thread Wouter Verhelst
On Sat, Jul 25, 2015 at 07:27:21PM +0200, David Kalnischkies wrote: On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote: - Apt will try to download it from a default location in the repository (or perhaps a location specified in the deb822 sources.list file itself). What

Re: Facilitating external repositories

2015-07-25 Thread David Kalnischkies
On Thu, Jul 23, 2015 at 10:14:21AM +0200, Wouter Verhelst wrote: - Apt will try to download it from a default location in the repository (or perhaps a location specified in the deb822 sources.list file itself). What the heck is it in this sentence? I envision deb822 sources.list file, but

Re: Facilitating external repositories

2015-07-24 Thread Guillem Jover
Hi! On Sat, 2015-07-25 at 11:10:25 +0800, Paul Wise wrote: I would suggest reviewing Ubuntu's solution for adding PPA sources.list snippets and seeing if we can take any inspiration from it or make our solution more compatible with it.

Re: Facilitating external repositories

2015-07-24 Thread Paul Wise
On Thu, 2015-07-23 at 10:14 +0200, Wouter Verhelst wrote: Thoughts? Looks good to me. This will be more useful once the Debian PPA idea is implemented. Where does the name of the file in /etc/apt/sources.list.d/ come from? I would suggest reviewing Ubuntu's solution for adding PPA

Re: Facilitating external repositories

2015-07-23 Thread Ian Jackson
Wouter Verhelst writes (Re: Facilitating external repositories): On Thu, Jul 23, 2015 at 01:03:15PM +0100, Ian Jackson wrote: The /name/ of the external repository should also be covered by the signature. What would you describe as the name of the repository? The URL is already part

Re: Facilitating external repositories

2015-07-23 Thread Ian Jackson
Wouter Verhelst writes (Re: Facilitating external repositories): - It may be GPG-signed by one or more keys. Apt should have a way of configuring GPG keys that may be allowed to sign sources.list files, preloaded with the set of keys in the Debian keyring. This will allow system

Re: Facilitating external repositories

2015-07-23 Thread Wouter Verhelst
On Thu, Jul 23, 2015 at 01:03:15PM +0100, Ian Jackson wrote: Wouter Verhelst writes (Re: Facilitating external repositories): - It may be GPG-signed by one or more keys. Apt should have a way of configuring GPG keys that may be allowed to sign sources.list files, preloaded with the set

Re: Facilitating external repositories

2015-07-23 Thread Wouter Verhelst
So, I've been giving this some more thought, and have tried to write a spec, but then found that... On Sat, Jun 13, 2015 at 05:03:15PM +0800, Paul Wise wrote: https://lists.debian.org/deity/2014/01/msg00055.html ...this (and the discussion following it) actually seems fairly close to what my

Re: Facilitating external repositories

2015-06-13 Thread Wouter Verhelst
On Sat, Jun 13, 2015 at 10:48:35AM +0800, Paul Wise wrote: On Fri, Jun 12, 2015 at 11:47 PM, Wouter Verhelst wrote: For the latter, it is usually possible to supply a link to a .repo file; for all of those distributions, tools exist to automagically configure the system so that the

Re: Facilitating external repositories

2015-06-13 Thread Tollef Fog Heen
]] Wouter Verhelst On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote: ]] Wouter Verhelst Having said that, I do agree with you that we should not allow just about anyone to create a repository which will be automatically trusted by the whole Debian system.

Re: Facilitating external repositories

2015-06-13 Thread Tollef Fog Heen
]] Paul Wise On Sat, Jun 13, 2015 at 4:31 PM, Tollef Fog Heen wrote: I could see us extending the apt preferences format to be something like: Why the preferences file instead of the sources.list file, which can already be in deb822 format? Primarily because I wasn't aware of that

Re: Facilitating external repositories

2015-06-13 Thread Paul Wise
On Sat, Jun 13, 2015 at 4:31 PM, Tollef Fog Heen wrote: I could see us extending the apt preferences format to be something like: Why the preferences file instead of the sources.list file, which can already be in deb822 format? https://lists.debian.org/deity/2014/01/msg00055.html Some more

Re: Facilitating external repositories

2015-06-12 Thread Alexandre Detiste
On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote: On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote: I see eid-mw is built on for i386 and amd64, while I assume it would build and work perfectly on arm* laptops and computers as well:

Re: Facilitating external repositories

2015-06-12 Thread Bálint Réczey
Hi Wouter, 2015-06-12 0:59 GMT+02:00 Wouter Verhelst wou...@debian.org: On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote: Hi Wouter, 2015-06-07 23:31 GMT+02:00 Wouter Verhelst w...@uter.be: On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote: I think this situation

Re: Facilitating external repositories

2015-06-12 Thread Paul Wise
On Fri, Jun 12, 2015 at 11:47 PM, Wouter Verhelst wrote: For the latter, it is usually possible to supply a link to a .repo file; for all of those distributions, tools exist to automagically configure the system so that the repository is enabled and the gpg key is added as a trusted key

Re: Facilitating external repositories

2015-06-12 Thread Wouter Verhelst
On Fri, Jun 12, 2015 at 10:08:35AM +0200, Alexandre Detiste wrote: On Friday 12 June 2015, 00:59:51 Wouter Verhelst wrote: On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote: I see eid-mw is built on for i386 and amd64, while I assume it would build and work perfectly on

Re: Facilitating external repositories

2015-06-12 Thread Wouter Verhelst
Hi Bálint, On Fri, Jun 12, 2015 at 11:19:30AM +0200, Bálint Réczey wrote: Hi Wouter, 2015-06-12 0:59 GMT+02:00 Wouter Verhelst wou...@debian.org: - I don't want to have to deal with doing a maven build in a Debian package. If you see what the packages' debian/rules do, you'll see that

Re: Facilitating external repositories

2015-06-11 Thread Bálint Réczey
Hi Wouter, 2015-06-07 23:31 GMT+02:00 Wouter Verhelst w...@uter.be: On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote: I think this situation still allows maintaining the packages in Debian, when (if ever) your contract ends and you don't want to maintain the packages in your free

Re: Facilitating external repositories

2015-06-11 Thread Wouter Verhelst
On Thu, Jun 11, 2015 at 12:38:29PM +0200, Bálint Réczey wrote: Hi Wouter, 2015-06-07 23:31 GMT+02:00 Wouter Verhelst w...@uter.be: On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote: I think this situation still allows maintaining the packages in Debian, when (if ever) your

Re: Facilitating external repositories

2015-06-09 Thread Wouter Verhelst
On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote: ]] Wouter Verhelst Having said that, I do agree with you that we should not allow just about anyone to create a repository which will be automatically trusted by the whole Debian system. Establishing such a trust chain

Re: Facilitating external repositories

2015-06-08 Thread Tollef Fog Heen
]] Wouter Verhelst Having said that, I do agree with you that we should not allow just about anyone to create a repository which will be automatically trusted by the whole Debian system. Establishing such a trust chain should, indeed, require some vetting by at least one Debian Developer, so

Re: Facilitating external repositories

2015-06-08 Thread Dimitri John Ledkov
On 4 June 2015 at 17:18, Wouter Verhelst wou...@debian.org wrote: - Run apt-get update; - Install the eid-mw and/or eid-viewer packages. These two steps can be accomplished with a single APT URL, e.g.: <a href="apt:pkg?refresh=yep">install pkg</a> which will refresh and install request package(s).

Re: Facilitating external repositories

2015-06-07 Thread Josh Triplett
On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote: On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote: If that's not an option for some reason, then given that the packages are Free Software and of reasonably broad interest, you could at least upload a package to

Re: Facilitating external repositories

2015-06-07 Thread Bálint Réczey
Hi Wouter, 2015-06-07 11:08 GMT+02:00 Wouter Verhelst wou...@debian.org: On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote: Wouter Verhelst wrote: At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the

Re: Facilitating external repositories

2015-06-07 Thread Kurt Roeckx
On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote: - There is no trust path from your already-installed distribution to the archive package (yes, I did sign the gpg keys; no, I don't consider that enough). There are 2 popular methods for this: - Have an app store. We would

Re: Facilitating external repositories

2015-06-07 Thread Josh Triplett
On Sun, Jun 07, 2015 at 11:55:23PM +0200, Wouter Verhelst wrote: On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote: On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote: On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote: If that's not an option for some

Re: Facilitating external repositories

2015-06-07 Thread Wouter Verhelst
On Sun, Jun 07, 2015 at 07:43:30PM +0200, Bálint Réczey wrote: I think this situation still allows maintaining the packages in Debian, when (if ever) your contract ends and you don't want to maintain the packages in your free time you can orphan the packages. The next maintainer could adopt

Re: Facilitating external repositories

2015-06-07 Thread Wouter Verhelst
On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote: Wouter Verhelst wrote: At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the instructions[2] say to do the following: - Download and install an

Re: Facilitating external repositories

2015-06-07 Thread Wouter Verhelst
Hi Chris, On Sat, Jun 06, 2015 at 11:49:21PM -0400, Chris Knadle wrote: Hey, Wouter. On 06/04/2015 12:18 PM, Wouter Verhelst wrote: Hi, At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the instructions[2]

Re: Facilitating external repositories

2015-06-07 Thread Wouter Verhelst
On Sat, Jun 06, 2015 at 01:48:12PM +0800, Paul Wise wrote: On Sat, Jun 6, 2015 at 8:13 AM, Brian May wrote: the software is far too volatile (e.g. important bug fixes on a weekly basis) We have a place for such software: experimental I don't want old versions hanging around any longer

Re: Facilitating external repositories

2015-06-07 Thread Wouter Verhelst
On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote: On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote: On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote: If that's not an option for some reason, then given that the packages are Free Software and of

Re: Facilitating external repositories

2015-06-07 Thread Paul Wise
On Sun, Jun 7, 2015 at 11:49 AM, Chris Knadle wrote: I recall the prior DPL wanting to support PPAs in Debian, and I would imagine that this issue is one of the sticking points to that idea. The Debian PPA proposal will be different to Launchpad PPAs and will be signed by the same keys as the

Re: Facilitating external repositories

2015-06-06 Thread Vincent Bernat
❦ 6 June 2015 13:48 +0800, Paul Wise p...@debian.org: the software is far too volatile (e.g. important bug fixes on a weekly basis) We have a place for such software: experimental Won't work for users needing the software on a stable release. -- Use recursive procedures for

Re: Facilitating external repositories

2015-06-06 Thread Alexandre Detiste
On Saturday 6 June 2015, 00:13:59 Brian May wrote: On Sat, 6 Jun 2015 at 02:11 Josh Triplett j...@joshtriplett.org wrote: Given that the packages in question appear to be Free Software (at least from a quick check of a couple of them, as well as the repository being named main), is there

Re: Facilitating external repositories

2015-06-06 Thread Adam Borowski
On Sat, Jun 06, 2015 at 09:47:01AM +0200, Alexandre Detiste wrote: Well, this had been in Debian for some years until 2010 under another name: 'beid' https://packages.qa.debian.org/b/beid.html but I don't know why it was removed. The reason is in the RM bug (#672784): RM: beid -- RoQA;

Re: Facilitating external repositories

2015-06-06 Thread Chris Knadle
Hey, Wouter. On 06/04/2015 12:18 PM, Wouter Verhelst wrote: Hi, At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the instructions[2] say to do the following: - Download and install an eid-archive package, which

Facilitating external repositories

2015-06-05 Thread Wouter Verhelst
Hi, At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the instructions[2] say to do the following: - Download and install an eid-archive package, which contains the GPG keys and generates a sources.list.d file for the

Re: Facilitating external repositories

2015-06-05 Thread Josh Triplett
Wouter Verhelst wrote: At $DAYJOB, I'm maintaining a few repositories with ready-to-install packages for a number of distributions[1] Currently, the instructions[2] say to do the following: - Download and install an eid-archive package, which contains the GPG keys and generates a

Re: Facilitating external repositories

2015-06-05 Thread Osamu Aoki
Hi, On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote: Hi, ... Currently, the instructions[2] say to do the following: - Download and install an eid-archive package, which contains the GPG keys and generates a sources.list.d file for the repository; - Run apt-get update; -

Re: Facilitating external repositories

2015-06-05 Thread Brian May
On Sat, 6 Jun 2015 at 02:11 Josh Triplett j...@joshtriplett.org wrote: Given that the packages in question appear to be Free Software (at least from a quick check of a couple of them, as well as the repository being named main), is there a reason you don't maintain them in Debian (including

Re: Facilitating external repositories

2015-06-05 Thread Paul Wise
On Sat, Jun 6, 2015 at 8:13 AM, Brian May wrote: the software is far too volatile (e.g. important bug fixes on a weekly basis) We have a place for such software: experimental I don't want old versions hanging around any longer than absolutely required We have a place for such software: