On Wed, May 28, 2008 at 12:00:47AM +0100, Colin Watson wrote:
On Tue, May 27, 2008 at 05:49:59PM +0200, Patrik Fimml wrote:
No, actually, /all/ keys I generated were allegedly weak -- this means,
after
executing ssh-keygen and dowkd.pl five times, I stuck to the key.
This rings all my
Martin Langhoff [EMAIL PROTECTED] writes:
On Wed, May 28, 2008 at 11:13 AM, Colin Watson [EMAIL PROTECTED] wrote:
I think everyone involved did a wonderful job, especially given
the appalling constraints they were under.
A wonderful job indeed. *Thanks* from this corner of the world to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sorry, I did not answer to the list:
Am Mi den 28. Mai 2008 um 1:13 schrieb Colin Watson:
It is never ever a good idea to make security issues secret or
protracting it.
And in this special case it was easy to fix the problem very fast when
* Florian Weimer:
Well, you can send me the key in private if you want. Let's see if I
can factor it. 8-)
I got the key from Patrik, but it's not contained in my blacklist. We
couldn't find a dowkd version that flagged the key as weak, nor could we
definitely confirm that the very same key
On Tue, May 27, 2008 at 05:49:59PM +0200, Patrik Fimml wrote:
On Tue, May 27, 2008 at 04:51:36PM +0200, Florian Weimer wrote:
Well, I actually had false positives (on amd64) -- even freshly
generated keys with the new libopenssl package were reported as bad,
which irritated me a bit.
On Tue, May 27, 2008 at 01:45:25AM +0200, Klaus Ethgen wrote:
Am Di den 27. Mai 2008 um 1:09 schrieb Colin Watson:
On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
The rollout of information and updates was appalling - even adding in
the material from Ubuntu the information was
On Wed, May 28, 2008 at 11:13 AM, Colin Watson [EMAIL PROTECTED] wrote:
I think everyone involved did a wonderful job, especially given the
appalling constraints they were under. There is a difference, though,
between acknowledging the excellent work that was done and burying one's
head in the
Tollef Fog Heen wrote:
* Martin Uecker
[...]
| There was a thread building packages with exact binary matches
| about it. Unfortunately, most people seem to think that this is not
| worth it.
I don't think that's unfortunate; I think it's a waste of resources
better spent elsewhere.
If
On Fri, May 16, 2008 at 03:27:42PM -0500, Adam Majer wrote:
Russ Allbery wrote:
Martin Uecker [EMAIL PROTECTED] writes:
In this case, the security advisory should clearly be updated. And all
advise about searching for weak keys should be removed as well, because
it leads to false sense
* Thibaut Paumard:
Actually, I seem to remember that the issue of critical packages being
maintained by only one person have been pointed out here several times
already this year (although I don't remember the particular
threads). Certainly, such packages needs a better QA than the rest.
Tollef Fog Heen wrote:
* Martin Uecker
| Another problem I have argued about before, not directly related to this
| incident, but IMHO another desaster waiting to happen: There is no
| way to independetly validate that a debian binary package was
| created from the corresponding source.
* Martin Uecker
| Tollef Fog Heen wrote:
|
| How would you go about doing that? If you just mean «all packages
| should be built on the buildds», that's fairly easy to do, but if you
| are talking about actual verification of source = binary which can be
| done post-mortem, that's much
Kevin B. McCarty [EMAIL PROTECTED] wrote:
If you see packages for which a Debian-specific patch seems unnecessary,
please by all means file a bug (severity wishlist) requesting that the
patch be either reverted or submitted upstream.
Most time the patch is already submitted upstream, but
Hi,
Le 16 mai 08 à 13:48, Martin Uecker a écrit :
Kevin B. McCarty [EMAIL PROTECTED] wrote:
If you see packages for which a Debian-specific patch seems
unnecessary,
please by all means file a bug (severity wishlist) requesting that
the
patch be either reverted or submitted upstream.
Le vendredi 16 mai 2008 à 14:48 +0200, Thibaut Paumard a écrit :
Let's hope this discussion will, in the end, bring good ideas and
trigger actual work to improve Debian, and perhaps the free software
community at large.
Best regards, Thibaut.
That'd be great.
But please, may I
2008/5/16 Thibaut Paumard [EMAIL PROTECTED]:
the topic has already been changed to ssl security desaster, and in my
opinion this is precisely what my post is about: what can we learn from this
disaster. (More precisely, I'm giving my 2c on what level of patching is
acceptable in a Debian
Miriam Ruiz [EMAIL PROTECTED] writes:
Maybe there should also be a clasification of packages according to
how bad would a bug be in them for the whole system, so that patches
in those could be more carefully reviewed.
Perhaps uploads could come with the diff against the last version (or
a link
Le 16 mai 08 à 15:41, Miriam Ruiz a écrit :
2008/5/16 Thibaut Paumard [EMAIL PROTECTED]:
[...] Maybe there should also be a
clasification of packages according to how bad would a bug be in them
for the whole system, so that patches in those could be more carefully
reviewed.
Actually, I seem
Hi Martin,
Martin Uecker wrote:
Kevin B. McCarty [EMAIL PROTECTED] wrote:
If you see packages for which a Debian-specific patch seems unnecessary,
please by all means file a bug (severity wishlist) requesting that the
patch be either reverted or submitted upstream.
Most time the patch
Hi Kevin!
Kevin B. McCarty [EMAIL PROTECTED] wrote:
Martin Uecker wrote:
[...]
Well, *assuming* the patch is good, a subset of users of the software
(i.e. Debian users and users of downstream distributions) benefit from
it between the time it's applied in Debian and the time it's applied
Martin Uecker [EMAIL PROTECTED] writes:
I don't now. I see no reason why all this good work which now ends up in
Debian patches can't be seperated from the actual packaging work.
It's probably worth mentioning somewhere in this discussion that one of
the most common, perhaps the most common
Russ Allbery wrote:
Martin Uecker [EMAIL PROTECTED] writes:
In this case, the security advisory should clearly be updated. And all
advise about searching for weak keys should be removed as well, because
it leads to false sense of security. In fact, *all* keys used on Debian
machines should
* Martin Uecker
| Another problem I have argued about before, not directly related to this
| incident, but IMHO another desaster waiting to happen: There is no
| way to independetly validate that a debian binary package was
| created from the corresponding source.
How would you go about doing
Tollef Fog Heen [EMAIL PROTECTED] writes:
* Martin Uecker
| What bothers me too is the fact that the installer scripts of all
| packages have root permissions during installation. While this might
| be hard to do, in principle I see no good reason why installer
| scripts could not be
Steinar H. Gunderson [EMAIL PROTECTED]:
On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
Also if you have 2 messages signed with the same random number you can
compute the secret key. It is more complicated then this but
simplified boils down to is computing k given
On Thursday 15 May 2008 14:04, Martin Uecker wrote:
If I understand this correctly, this means that not only should keys
generated with the broken ssl lib be considered compromised, but all
keys which were potentially used to create DSA signatures by those
broken libs.
In this case, the
Martin Uecker [EMAIL PROTECTED] writes:
In this case, the security advisory should clearly be updated. And all
advise about searching for weak keys should be removed as well, because
it leads to false sense of security. In fact, *all* keys used on Debian
machines should be considered
Am Donnerstag, den 15.05.2008, 15:20 +0200 schrieb Thijs Kinkhorst:
On Thursday 15 May 2008 14:04, Martin Uecker wrote:
If I understand this correctly, this means that not only should keys
generated with the broken ssl lib be considered compromised, but all
keys which were potentially used
On Thursday 15 May 2008 16:47, Martin Uecker wrote:
You mean less likely than once in 15 years? We're open to your
suggestions.
Something as bad as this might be rare, still, if something can be
improved, it should.
Upstream complained about the extensive Debian patching. I think this
is
On Thu May 15 2008 06:20:10 Thijs Kinkhorst wrote:
You mean less likely than once in 15 years? We're open to your suggestions.
Leaving millions of systems open to crackers for 2 years out of 15
is not a joke. I don't blame the DD - we have all made mistakes
and most of us are lucky they weren't
On Thu May 15 2008 08:33:54 Thijs Kinkhorst wrote:
I welcome change and review of our processes, but taking one extreme
incident as the base on which to draw conclusions seems not the wise thing
to do. If you're interested in for example changing the level to which
software is patched in
Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
On Thursday 15 May 2008 16:47, Martin Uecker wrote:
You mean less likely than once in 15 years? We're open to your
suggestions.
Something as bad as this might be rare, still, if something can be
improved, it should.
On Thursday 15 May 2008 18:26, Martin Uecker wrote:
Why not? A plane crash is a very rare incident. Still every single
crash is investigated to make recommendations for their future
avoidance.
Maybe that wasn't clear from my first mail, but I don't think that nothing can
be learned from this
Martin Uecker wrote:
Am Donnerstag, den 15.05.2008, 17:33 +0200 schrieb Thijs Kinkhorst:
If you're interested in for example changing the level to which software is
patched in Debian, I suggest to start with a representative review of what
gets patched and why it's done. That would give
Twas brillig at 10:30:44 15.05.2008 UTC-07 when Kevin B. McCarty did gyre and
gimble:
KBM Believe me, there are lots of upstreams for which extensive
KBM patching really is necessary. (I have no idea whether OpenSSL is
KBM one of those, as I have no familiarity with its code nor the
KBM
[Mike Bird]
but we should blame the process. And fix it.
it would probably have been better to devote less effort to the
scanner and more effort to documenting all the kinds of key
replacements
Serious efforts are needed
Second, we must ensure
This calls for a thorough investigation
Mikhail Gusarov [EMAIL PROTECTED] writes:
Probably the work then should be clearly labeled as fork (especially
given the other distro maintainers also share some patches)? It will
reduce the confusion, like oh, erm, our foo is not quite upstream
foo, we rewrote it from scratch, and left the
On Thu May 15 2008 10:34:01 Peter Samuelson wrote:
Who is this we? Whose serious efforts? Who is investigating? Most
importantly, should we assume that, as in the past, you, Mike Bird,
intend to do nothing but talk?
Debian is still one of the world's best distros and I hope it
continues as
[Mike Bird]
Nevertheless, non-DD's can and do help by filing bug reports and
patches (upstream is best), helping people on d-u, and offering
constructive advice to DDs.
Very well. I propose that anyone who wishes to give constructive
advice to developers, but who doesn't actually do any of
Hi,
Le 15 mai 08 à 20:17, Mike Bird a écrit :
Nevertheless, non-DD's can and do help by filing bug reports and
patches (upstream is best), helping people on d-u, and offering
constructive advice to DDs.
And maintaining packages! It can be long to find a sponsor for your
first package
Hi Mikhail,
Mikhail Gusarov wrote:
Twas brillig at 10:30:44 15.05.2008 UTC-07 when Kevin B. McCarty did gyre and
gimble:
KBM Believe me, there are lots of upstreams for which extensive
KBM patching really is necessary. (I have no idea whether OpenSSL is
KBM one of those, as I have no
This one time, at band camp, Mike Bird said:
Yet Debian makes it hard for people to help. Like most software
engineers I simply don't have the time to waste on Debian's NM
process. Debian's processes are indisputably Debian's decision
alone, but Debian has to live with the consequences ...
Peter Samuelson [EMAIL PROTECTED] writes:
Who is this we? Whose serious efforts? Who is investigating? Most
importantly, should we assume that, as in the past, you, Mike Bird,
intend to do nothing but talk?
I think this is a common stylistic choice. I consider myself part of
the Debian
43 matches
Mail list logo
