Re: Automatic Debian security updates, an Implementation

2002-11-19 Thread Fruhwirth Clemens
On Fri, 2002-10-18 at 09:55, Gustavo Franco wrote: Talking about secpack, is it non-free? I can't see in your mail (Clemens) the url or apt-line to get the source package. No, it's BSD. I didn't dare to put up a license for that minimal collection. There isn't even a source package. I just

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread R. Bradley Tilley
I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote: Hi! http://therapy.endorphin.org/secpack_0.1-1.deb implements a

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Mark Janssen
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? It'll get to you when you have 200+ debian systems spread across the

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Jan Niehusmann
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? Because a hacked mirror could contain malicious packages. When you check signatures before upgrading,

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Phillip Hofmeister
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? As pointed out several times in the past Debian has not fully

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Gustavo Franco
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote: On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? It'll get to you

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Joseph Pingenot
From Jan Niehusmann on Friday, 18 October, 2002: On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? Of course, if the hacker managed to modify files on

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Jan Niehusmann
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: If people are interested enough in it, I might throw together something more formal. IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Joseph Pingenot
IMHO there is no lack of interesting ideas - what we really need are implementations. Ja. I just have to find the time. :) apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread R. Bradley Tilley
Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs. On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote: On Fri, Oct 18, 2002 at 08:20:14AM

Re: Automatic Debian security updates, an Implementation

2002-10-18 Thread Jan Niehusmann
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote: Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs. It does. The problem is, how

RE: Automatic Debian security updates, an Implementation

2002-10-18 Thread Ian H. Greenhoe
Four words: Single point of failure. (Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try that again, shall we? ... ;) Besides, I strongly believe that it already does this... IIRC apt-get does this to make sure that the packages weren't corrupted (or truncated) in