last preparations for switching to production Secure Boot key

2019-02-25 Thread Ansgar
] } } } ``` This would allow adding additional top-level keys later should the need arise. (I'll prepare the archive-side changes for this later today.) Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one last time that their packages are ready for switc

Re: last preparations for switching to production Secure Boot key

2019-02-26 Thread Ansgar
Hi, Colin Watson writes: > On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote: >> I added support for listing `trusted_certs`[1] as proposed by Ben >> Hutchings. This means the `files.json` structure *must* list the >> sha256sum of certificates the signed binaries

Re: Bug#913061: systemd: stop shipping /bin/systemd

2019-09-11 Thread Ansgar
it was suggested to use init=/bin/systemd for testing purposes in the past (see below). So just removing the symlink might make some systems unbootable. Ansgar Michael Biebl writes: >> Running `systemd` in an interactive shell is not a good idea. To >> avoid this happening by accident, the

Re: Bug#913061: systemd: stop shipping /bin/systemd

2019-09-12 Thread Ansgar
Ben Hutchings writes: > On Wed, 2019-09-11 at 19:20 +0200, Ansgar wrote: >> would it be possible to add a fallback to try /lib/systemd/systemd if >> the user provided init=/bin/systemd and the file no longer exists? >> >> I would like systemd to stop shippi

Bug#942881: Audio on Lenovo X1 Carbon 5th generation stopped working after upgrade to linux-image-5.3.0-1-amd64 ("No response from codec")

2019-10-25 Thread Ansgar
ly it looks like this requires more digging. I'll try later :/ At least it is an interesting problem. Ansgar

Bug#942881: Audio on Lenovo X1 Carbon 5th generation stopped working after upgrade to linux-image-5.3.0-1-amd64 ("No response from codec")

2019-10-25 Thread Ansgar
is. But then signing stuff producing truncated files also shouldn't happen... Ansgar

Bug#942881: Audio on Lenovo X1 Carbon 5th generation stopped working after upgrade to linux-image-5.3.0-1-amd64 ("No response from codec")

2019-10-25 Thread Ansgar
Tomas Janousek writes: > On Fri, Oct 25, 2019 at 09:45:55AM +0200, Ansgar wrote: >> Tomas Janousek suggested in https://bugs.debian.org/942881#41 that the >> file might be truncated and two bytes missing. I think that might be >> the problem, but with three bytes missing:

Re: Debian Linux kernel uploads

2019-10-22 Thread Ansgar
Hi, Hector Oron writes: > I would like to support Debian Linux kernel team by doing kernel > package uploads. Related to Linux uploads: I've added an exception to allow source-only uploads to NEW for src:linux. Feel free to try. Ansgar

Re: linux-signed-amd64_5.3.7+1_source.changes REJECTED

2019-10-22 Thread Ansgar
moval request if src:linux-latest and the packages mentioned above should already be removed. I think it will otherwise be reported as cruft later when the linux-*-rt-* packages are taken over as well. Ansgar

Bug#942089: linux-signed-amd64: version number not handled correctly by dpkg-genchanges

2019-10-10 Thread Ansgar
ady uses this scheme). Ansgar

firmware-nonfree_20190114-2~deb9u1_amd64.changes REJECTED

2020-09-15 Thread Ansgar
Accepted on security-master, and synced to ftp-master as we still do that for uploads accepted from the NEW queue, even though we probably should not. Anyway, it should be rejected on ftp-master. === Please feel free to respond to this email if you don't understand why your files were

linux-latest-4.19_105+deb10u5~deb9u1_amd64.changes REJECTED

2020-09-07 Thread Ansgar
Upload targeted at stretch which is no longer updated on ftp-master (but uploads from policy queues still end up synced to ftp-master) === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

linux-4.19_4.19.132-1~deb9u1_multi.changes REJECTED

2020-09-07 Thread Ansgar
Upload targeted at stretch which is no longer updated on ftp-master (but uploads from policy queues still end up synced to ftp-master) === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

Bug#1014272: src:linux: sign-file: correct error handling

2022-07-03 Thread Ansgar
signing a kernel module with the patched sign-file and that still worked. Ansgar >From d11fb170c3ec172ce6707baab03b1499f14e0f20 Mon Sep 17 00:00:00 2001 From: Ansgar Burchardt Date: Sun, 3 Jul 2022 11:17:50 +0200 Subject: [PATCH] sign-file: correct error handling The functions CMS_fi

Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

2022-07-04 Thread Ansgar
0 (as one might for a large integer type), but the other side expects a fixed size? If so, the file should validate if one injects two leading 0 bytes in the OCTET STRING (and updates all length values). I would need to check how to manipulate files using ASN.1's DER encoding to try this... Ansgar [1]: https://bugs.debian.org/1012741#48

Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

2022-07-04 Thread Ansgar
Hi, On Mon, 2022-07-04 at 22:00 +0200, Ansgar wrote: > The correct signature (using OpenSSL) has: > > +--- > > 138 256:   OCTET STRING > >    : 00 00 45 75 A8 93 B1 B1 37 0A 53 69 82 BB 1C B6 > +---[ data.ko.p7s.success ] > > The incor

Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

2022-07-04 Thread Ansgar
data/key/cert, but it is reproducible with the same key. Ansgar ykcs11-signature-failure.tar.gz Description: application/compressed-tar

Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

2022-07-10 Thread Ansgar
re bug that was fixed. Ansgar

Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

2022-07-05 Thread Ansgar
Hi, On Tue, 2022-07-05 at 09:00 +0200, Bastian Blank wrote: > On Mon, Jul 04, 2022 at 10:34:39PM +0200, Ansgar wrote: > > As a further test I tried a different PKCS#11 module: > > Could you try the same with "openssl cms"?  Just to make sure it's > not sign-file its

Bug#1018752: src:linux: new certificate used for Secure Boot

2022-08-30 Thread Ansgar
It can also be found in the code-signing repository: https://salsa.debian.org/ftp-team/code-signing/-/blob/master/etc/debian-prod-2022-linux.pem Please switch to using it with the next src:linux upload (in any suite). Please also do so for src:linux-5.10. Ansgar debian-prod-2022-linux.pem

Bug#1022068: linux: kernel NULL pointer dereference in nouveau driver on Thinkpad W541

2022-10-19 Thread Ansgar
0 +--- I only use the integrated Intel graphics, the Nvidia card is unused. There was no null pointer dereference with the previous kernel (5.19.11-1 (2022-09-24)). Besides the null pointer dereference above, suspend to RAM also no longer works properly after the upgrade. I have not investigated that furth

Bug#1022068: linux: kernel NULL pointer dereference in nouveau driver on Thinkpad W541

2022-10-21 Thread Ansgar
On Wed, 2022-10-19 at 18:47 +0200, Ansgar wrote: > After upgrading to linux 6.0.2-1 I see the following message during > boot: [...] > Besides the null pointer dereference above, suspend to RAM also no > longer works properly after the upgrade. I have not investigated that >

Re: linux-5.10 code signing in buster

2022-08-03 Thread Ansgar
Hi, Ben Hutchings writes: > As code signing is enabled in buster suites, I think this requires a > change to the configuration of the code signing service. Bastian Blank prepared the required changes on our side (dak, codesigning) and they should be live by now. Ansgar

Bug#607617: src:linux-latest-2.6: no linux-headers-2.6-all package

2010-12-20 Thread Ansgar Burchardt
. Regards, Ansgar

Re: Linux kernel hardening - link restrictions

2012-03-03 Thread Ansgar Burchardt
up in the upcoming version 3.2.9-1. [...] It's a trivial patch[1] to fix at. How about just backporting that change to stable, to avoid that known trouble too? This is what Ubuntu did for the Lucid LTS release that was getting backported kernels (with link restrictions) built for it. Ansgar

Re: Bug#725975: RM: xen-system-amd64 [i386] -- NBS; no longer built on i386

2013-10-11 Thread Ansgar Burchardt
-system-amd64:i386 should be removed. xen-linux-system-3.10-3-amd64 still depends on xen-system-amd64: # Broken Depends: linux: xen-linux-system-3.10-3-amd64 With xen-system-amd64 gone on i386, xen-linux-system-*-amd64 should probably also be dropped (on i386). Ansgar

linux_3.16.2-1_multi.changes REJECTED

2014-09-08 Thread Ansgar Burchardt
As requested on IRC. === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

Re: Kernel debug symbols are always NEW

2016-11-22 Thread Ansgar Burchardt
l help? I set the override suite for {unstable,experimental}-debug to unstable; and for testing-debug to testing. Please tell if this doesn't work. It should work for -dbgsym packages that are listed in d/control contrary to the assumption they are always automatically built. Ansgar

Re: Secure boot signing infrastructure - feedback request

2017-10-10 Thread Ansgar Burchardt
ildds either. It also makes it harder to trust the build process less in the future (for example by moving it to a VM so it is restricted to do evil stuff only to the current build, not having access to private keys and removing access to network services). Ansgar

Re: Scheduling 9.5

2018-06-11 Thread Ansgar Burchardt
fine with me; Joerg wanted to do the 8.11 one, but if he has time restrictions on June 23rd and doing 8.11 after 9.5 would be too late for him, I could probably also do both. (If Joerg wants to do both, that's also fine with me.) Ansgar

Re: Scheduling 9.5

2018-06-25 Thread Ansgar Burchardt
ther or both of those dates? > > The 7th is looking like the favourite so far (although would mean > freezing next weekend), but we still need an ftp-master (N)ACK on > either / both date. I still have time on either weekend. Ansgar

linux-latest-4.9_80+deb9u5~deb8u1_amd64.changes REJECTED

2018-08-18 Thread Ansgar Burchardt
Jessie no longer maintained on ftp-master === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

linux-4.9_4.9.110-1~deb8u1_multi.changes REJECTED

2018-08-18 Thread Ansgar Burchardt
Jessie no longer maintained on ftp-master === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

Re: linux-4.9_4.9.110-1~deb8u1_multi.changes REJECTED

2018-08-18 Thread Ansgar Burchardt
Ben Hutchings writes: > On Sat, 2018-08-18 at 15:00 +0000, Ansgar Burchardt wrote: >> Jessie no longer maintained on ftp-master > > This was uploaded to security-master so I don't know why you're seeing > it on ftp-master as well. The security-master -> ftp-master sync ha

linux_3.16.59-1_multi.changes REJECTED

2018-10-08 Thread Ansgar Burchardt
Jessie LTS no longer updated on ftp-master === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.

Re: aptitude: should consistently choose between signed and unsigned kernels

2018-12-20 Thread Ansgar Burchardt
all the unsigned version. This doesn't look like a bug in apt to me. The easiest way to avoid this would be to drop the Provides from the unsigned image. Is there any downside for doing so? Ansgar

Bug#942881: Audio on Lenovo X1 Carbon 5th generation stopped working after upgrade to linux-image-5.3.0-1-amd64 ("No response from codec")

2019-10-25 Thread Ansgar Burchardt
sha256sum c2a36f35867ae92b8664f4bd2193e70370eb3b92013ea53f3573d2508d3da4cb (which matches snd-hda-codec-hdmi.ko.sig in src:linux-signed-amd64) So linux' sign-file likely produced a truncated file for some reason; note that ftp-master still uses linux-kbuild-4.9/4.9.189-3+deb9u1. Ansgar