Paul Wise: On Mon, Dec 16, 2013 at 1:34 PM, adrelanos wrote:
I am wondering how excited the apt developers would be about adding a
bash script to their app. I'll see how far I get and contact them when
there is something to talk about.
I suppose POSIX shell would be preferable.
I always
Paul Wise:
On Sun, Dec 15, 2013 at 11:15 AM, adrelanos wrote:
I can try that. Should that become a separate package or part of, well
apt-get? It would probably just be three files, a config file, an
/etc/apt/apt.conf.d/ config fragment and a bash script.
I'm guessing the apt package would
Paul Wise:
On Sat, Dec 14, 2013 at 6:47 AM, adrelanos wrote:
Is it possible to hook apt-get somehow to do some action before
apt-get starts any network activity?
Based on a quick grep of the apt package, APT::Update::Pre-Invoke
might be what you want.
That seems perfect.
Here
), but not
really for apt-get?
Closest thing for now seems to use dpkg-divert and a wrapper? Do you
have any better solution in mind?
(I am asking this because I would like to add such a feature to Whonix,
which is a derivative of Debian. Hope you don't mind me asking here.)
Cheers,
adrelanos
Bastian Blank:
On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
Any help/direction appreciated.
The answer is: None. If you don't have anything listening on the network,
nothing can be accessed anyway.
Does Debian still come with open ports in a default installation?
--
To
Frédéric CORNU:
On 08/12/2013 11:34, Bastian Blank wrote:
On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
Any help/direction appreciated.
The answer is: None. If you don't have anything listening on the network,
nothing can be accessed anyway.
Bastian
What about the
question in other words: are updates fixing security issues sometimes
released through repositories other than the security
repository?
Why would someone be interested in doing that? Getting fewer updates,
saving bandwidth, time and system load.
Cheers,
adrelanos
Paul Wise:
On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
What are your plans if you ever have reason to believe that the Debian
archive signing key has been compromised?
It is unlikely that the people responsible for that are reading this
list. I suggest you contact them (DSA, ftpteam
What are your plans if you ever have reason to believe that the Debian
archive signing key has been compromised?
http://ftp-master.debian.org/keys.html says:
Key Revocation Procedure
A revocation certificate for the archive key is produced at the time
of the creation of an archive key. The
For apt-get a self-signed certificate could be used which comes together
with Debian. No CA required. This is both simpler and safer.
Vipul Agarwal:
How about if we use an SSL certificate signed by Debian's own root CA which
can be shipped with the distros? This will eliminate the paranoia about
Celejar:
Maybe I'm missing something, but the security of the apt system has
nothing to do with SSL - it uses GPG signatures. This discussion about
SSL concerns the website, etc.
That was indeed the original question, but it then drifted into the
direction of how great it would be to further
Djones Boni:
On 30-10-2013 11:05, Celejar wrote:
You're snipping crucial context; my comment above was in response to
this:
For apt-get a self-signed certificate could be used which comes together
with Debian. No CA required. This is both simpler and safer.
I was pointing out that this
Jordon Bedwell:
On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
I would use Tor hidden service instead of SSL.
Wait: What? Can't tell if serious.
Why shouldn't that be serious?
Tor hidden services can not only be used to hide the location of a
server, but they
Tormen:
On 29/10/13 10:44, Jordon Bedwell wrote:
On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
I would use Tor hidden service instead of SSL.
Wait: What? Can't tell if serious.
And then again:
Djones Boni:
A Debian THS is a good idea for the security it provides, not for
anonymity or down rate. It would be harder for someone to MITM and hide
updates from you. That is why Debian should use SSL (and THS).
Downloading apt-get updates over Tor hidden services would be awesome!
- Even when
Djones Boni:
A better idea is to offer both SSL and a Tor Hidden Service. You choose
which to use.
Yes, having both is better. Only relying on Tor Hidden Services wouldn't
be a good idea. Offering it as an option would be awesome!
Do not forget Tor encryption is not considered secure anymore.
There
Paul Wise:
On Wed, Sep 18, 2013 at 9:36 AM, Török Edwin wrote:
Why not just reinstall from a trusted source, then restore /etc, /home and
/var from backups
and audit the changes introduced by that only?
That is a slightly short-sighted way to do it; if you restore from
scratch without
Török Edwin:
On 09/17/2013 09:45 PM, adrelanos wrote:
Situation:
* You have a Debian machine, which might be compromised by a backdoor
due to a targeted attack. You don't know and want to make sure it's not.
For example, a server or a client internet machine.
Why not just reinstall from
/release/verify_build
Comments, criticism, enhancements, etc. welcome. It would be great if
anyone is interested in co-authoring the script (we can pick any Free
license) to make it usable for the general use-case.
Cheers,
adrelanos
How secure is a Debian installation with packages installed only from main,
none from contrib or non-free?
It will lack for example the firmware-linux-nonfree package and the
intel-microcode / amd-microcode package. At least the microcode one is
security relevant? Are there any other packages which
Jose Luis Rivas:
So no, there's no other contrib/non-free packages there.
I didn't want to imply that they are preinstalled.
The reason why you can't install Debian directly from a WiFi with some
manufacturers is precisely that we do not ship non-free nor contrib
software by default in our
Okay, thank you for your reply! Convinces me.
Joel Rees:
I assume you have read his essay on
trusting trust?
Yes, but I am not claiming that I fully understand it.
rant-mode
Not perceived as rant at all.
Are there other contrib and/or non-free packages, similar to the
microcode package,
Joel Rees:
I am not Debian, but I am in rant-mode on this subject today, so bear with me
--
On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote:
Jose Luis Rivas:
So no, there's no other contrib/non-free packages there.
I didn't want to imply
Timo Juhani Lindfors:
adrelanos adrela...@riseup.net writes:
Some Debian maintainers are working on deterministic builds, although
they call it reproducible builds, that's great! Link:
https://wiki.debian.org/ReproducibleBuilds
Terminology is hard :) As mentioned in the BoF we can make sure
Just wanted to share news on this topic.
Why are deterministic builds important? Mike Perry from The Tor Project
wrote a blog post:
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
Some Debian maintainers are working on deterministic builds, although
intrigeri:
Hi,
adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
Volker Birk: On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
Volker Birk:
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
That should help to defeat any kind of sophisticated backdoor on build
machines
Heimo Stranner:
On 2013-08-04 09:50, intrigeri wrote:
Hi,
adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
Volker Birk: On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
Volker Birk:
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
That should help to defeat any kind
Volker Birk:
On Sun, Aug 04, 2013 at 03:04:33AM +, adrelanos wrote:
Volker Birk: On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
There will be the correct checksum, if the maintainer of the package
does it.
Why?
How and by whom are checksums defined?
Please have a look
Michael Stone:
On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
I think the real issue is about if the malicious patch is not part of
the source package
Why? It certainly makes your argument simpler if you arbitrarily
restrict the problem set, but it isn't obvious that it
Daniel Sousa:
On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone mst...@debian.org wrote:
On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
I think the real issue is about if the malicious patch is not part of
the source package
Why? It certainly makes your argument simpler if
I think deterministic builds would be the best answer to ensure being
free of backdoors in the long term.
A deterministic build process allows multiple builders to create
identical binaries. This allows multiple parties to sign the resulting
binaries, guaranteeing that the binaries and tool chain
Volker Birk:
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
That should help to defeat any kind of sophisticated backdoor on build
machines.
Really?
How do you detect if maintainer's patches contain backdoors?
Someone else builds the same package (binary) and detects
Volker Birk: On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
Volker Birk:
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
That should help to defeat any kind of sophisticated backdoor on build
machines.
Really?
How do you detect if maintainer's patches contain
Robert Tomsick:
On 08/03/13 13:36, Rick Moen wrote:
Quoting Volker Birk (v...@pibit.ch):
Really?
How do you detect if maintainer's patches contain backdoors? If I
wanted to attack Debian, I would try to become the maintainer of one of
the most harmless, most used packages. And believe
the distribution's package
repository. How can I do that?
Cheers,
adrelanos
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/517f1e87.30...@riseup.net
Hi!
Stable, http://cdimage.debian.org/debian-cd/6.0.6/i386/iso-dvd/ contains
gpg signatures.
Wheezy, http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/
does not contain gpg signatures.
Can you offer gpg signatures for Wheezy as well please?
Cheers,
adrelanos
?
Cheers,
adrelanos
Archive: http://lists.debian.org/50c8c45f.1050...@riseup.net
Moritz Mühlenhoff:
On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote:
Hi,
I do not want to discuss security implications of the upstream closed
source Adobe Flash plugin. This is about how the Flash plugin is
downloaded and installed in Debian.
/usr/sbin/update-flashplugin-nonfree