On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
I don't understand the philosophy of the Debian security team. Is it really
so difficult to push spamassassin 3.0.4, which is not vulnerable, into sarge?
This version is in Debian testing, so why can't this version be pushed
into stable?
Seems that
also sprach Moritz Muehlenhoff [EMAIL PROTECTED] [2005.06.28.0156 +0200]:
Have a look at the system we use for the testing security team (I
always thought it originated in the security team):
http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
This system is
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.0854 +0200]:
For me stable distribution means secure. Is now Sarge secure?
No, it isn't!
Most installations are secure. I know security is a delicate topic,
but there is no point in polemic exaggeration.
Four weeks after new release
On Mon, Jun 27, 2005 at 06:44:06PM -0400, Michael Stone wrote:
On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:
Do you guys see this as a de facto state with no solution, or is
a good solution simply waiting to be found?
The security secretaries were originally going to be
hi ya
On Tue, 28 Jun 2005, Javier [iso-8859-1] Fernández-Sanguino Peña wrote:
lots of people have their own requirements for security ...
instead of adding to the security team's tasks, and instead of writing
emails, why don't we spend the time to write some scripts to do
what we're expecting
On Tue, 28 Jun 2005, martin f krafft wrote:
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.0854 +0200]:
Sarge has many security holes in packages and kernel, and some of
these holes are critical. In my opinion Sarge isn't a stable
distribution now, it's a dangerous distribution.
Then
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1031 +0200]:
lots of people have their own requirements for security ...
security *is* subjective.
instead of adding to the security team's tasks, and instead of
writing emails, why don't we spend the time to write some scripts
to do what
On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
On Tue, 28 Jun 2005, martin f krafft wrote:
We are working to fix it. The last thing we need now are people
complaining and moaning.
I'm working for many ISP providers. And now I have problems with security
on these servers.
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1036 +0200]:
Then don't use it.
I must use it. Sarge is working on ISP production servers.
I am sorry. The best I can tell you is that it currently looks as if
the situation will soon be under control and resolved. And soon is
also sprach Matthew Palmer [EMAIL PROTECTED] [2005.06.28.1104 +0200]:
Other distros don't have such problems with security. I'm
complaining because I think it was a mistake to install Debian Sarge
on these servers. :-(
You're complaining to *us* because someone *else* made a decision
you don't
On Tuesday 28 June 2005 11:02, martin f krafft wrote:
instead of adding to the security team's tasks, and instead of
writing emails, why don't we spend the time to write some scripts
to do what we're expecting to be done by the security team ??
thanks for the proposal. why did you write
also sprach martin f krafft [EMAIL PROTECTED] [2005.06.17.0944 +0200]:
also sprach Michael Buchholz [EMAIL PROTECTED] [2005.06.17.0857 +0200]:
And also, when you write any block, you have to reencrypt all the
remaining blocks.
Yes, don't you?
From all I can tell, this is the case for EBC
On Tue, 28 Jun 2005, Matthew Palmer wrote:
On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
On Tue, 28 Jun 2005, martin f krafft wrote:
We are working to fix it. The last thing we need now are people
complaining and moaning.
I'm working for many ISP providers. And now I
Marek Olejniczak wrote:
I must use it. Sarge is working on ISP production servers.
I work for a medium-sized company and moved nearly all our application
hosting servers from wind0ze and SuSE to Debian. Debian is our choice for
production servers.
I'm working for many ISP providers. And
On Tue, 28 Jun 2005, martin f krafft wrote:
No, he installed Sarge because it was cool back at the time.
You are right - I'm waiting for the new Debian release before installing
on new servers. My other servers are running Woody.
That said... of course woody is currently also
potentially
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1148 +0200]:
No, it was *my* decision! I've been using Debian for 4 years and
I like this distribution. And it surprised me that my favourite
distro has problems with security.
It surprised everyone, even though it was not a real surprise
also sprach Thomas Seliger [EMAIL PROTECTED] [2005.06.28.1208 +0200]:
Even if you did not use those techniques (.deb building, running an apt
source) up to now, I think it's rewarding for you, especially if you run
a larger number of servers. I do not have any links ready to point you
to,
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1215 +0200]:
Unfortunately you are right :-( At this moment there is no secure
Debian distribution.
unstable. :)
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft [EMAIL PROTECTED]
* Moritz Muehlenhoff:
The whole embargo thing about stable security is overrated anyway;
Yes, that's my impression as well.
as far as I can see it for May and June only mailutils, qpopper and
ppxp were embargoed, so that they hadn't been publicly known when
the DSA was published (and even
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
On Tue, Jun 28, 2005 at 11:48:23AM +0200, Marek Olejniczak wrote:
No, it was *my* decision! I've been using Debian for 4 years and I like this
distribution. And it surprised me that my favourite distro has problems
with security.
Like any other *volunteer* project, there are ups and downs. Don't
I picked one of the bugs (see bottom of email). Is
this sort of information useful to the security
team and if so, how?
vulnerability: sudo race condition.
Severity: High
Type: local
References:
CAN-2005-1993
BID:13993
URL:http://www.securityfocus.com/bid/13993
On Tue, 28 Jun 2005, Alvin Oga wrote:
On Tue, 28 Jun 2005, martin f krafft wrote:
thanks for the proposal. why did you write it and not just get on
with those scripts already?
idea
if somebody at debian.org can create yaml, say [EMAIL PROTECTED],
then the rest of us moaners, complainers
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1420 +0200]:
if somebody at debian.org can create yaml, say
[EMAIL PROTECTED], then the rest of us moaners,
complainers and wanna-volunteers can get started ...
Just use this list.
the machine can be called sec-test.debian.org so that we
On Tue, 28 Jun 2005, martin f krafft wrote:
Just use this list.
I think the point of this list is it's not moving fast
enough for some folks wanting security updates
the machine can be called sec-test.debian.org so that we have
a way to test another security update/process/procedures out
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1451 +0200]:
- all other debian boxes do NOT trust it and nobody else should
trust it either... it is for testing and development
I know. But what happens when someone decides to abuse it? I could
host a machine, no problem. But giving root
On Tue, Jun 28, 2005 at 05:20:51AM -0700, Alvin Oga wrote:
personally, I pull down all the important tarballs from the originating
author's site and compile it ... if the distro's version of any app is
too far behind
the main point about stable security is that exactly this does not
happen: i
Hello
I'm working on a small project, and I have a problem related to keeping
gpg private keys stored on usb drives secure when working with them.
My problem is that in case the machine is compromised, if the usb with
the key is mounted the attacker has access to it.
Has anyone heard of an
On 6/28/05, Radu Spineanu [EMAIL PROTECTED] wrote:
Has anyone heard of an implementation, or at least a whitepaper related
to creating some kind of secure zone where I can keep these keys?
If you're using strong enough passwords, your keys would still be
pretty safe. An attacker could try
Edward Faulkner wrote:
As to your question, once someone roots your box all bets are off. If
you're really paranoid about these keys, keep them on a dedicated
machine that's extremely locked down. Or even a machine with no
network at all, and move data back and forth on a usb drive.
I was
martin f krafft wrote:
Not meaning to dispel it, but isn't this essentially a bug
tracking system or ticket system done slightly differently?
No, if it were a bug tracking system we could use the Debian BTS and not
bother with it. It's a vulnerability/non vulnerability tracking system;
we use
Hello,
I've done a fix for sudo for sarge. Code from the new upstream version.
Who is willing to check and update?
Version: 1.6.8p7-1.2
Distribution: unstable
Urgency: high
Maintainer: Markus Kolb [EMAIL PROTECTED]
Changed-By: Markus Kolb [EMAIL PROTECTED]
Description:
sudo - Provide limited
* Radu Spineanu [EMAIL PROTECTED]:
I'm working on a small project, and I have a problem related to keeping
gpg private keys stored on usb drives secure when working with them.
My problem is that in case the machine is compromised, if the usb with
the key is mounted the attacker has access to
Hi,
why doesn't the security team ask for help if they do not have enough time
for, and have problems with, package fixing?
I can help.
I need only a security team member for contact and maybe a debian member
to sign my gnupg key.
Bye
Markus
Radu Spineanu wrote:
Hello
I'm working on a small project, and I have a problem related to
keeping gpg private keys stored on usb drives secure when working
with them.
My problem is that in case the machine is compromised, if the usb
with the
On Tue, Jun 28, 2005 at 05:38:16PM +0200, Christian Storch wrote:
The only absolute solution would be a kind of intelligent usb drive
which accepts a file to decrypt or sign and offers the result.
So somebody could use the key as long as you leave your usb drive in
your machine, but not
I think what you are looking for is a USB Smartcard. I had a problem
like this when using encryption on ATM (banking) devices. The keys
were vulnerable to someone coming after them on the filesystem.
I found the solution in USB format smartcards. The private key is
loaded into the secure
On Tue, 2005-06-28 at 17:38 +0200, Christian Storch wrote:
Radu Spineanu wrote:
Hello
I'm working on a small project, and I have a problem related to
keeping gpg private keys stored on usb drives secure when working
with them.
My
On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
Hi,
why doesn't the security team ask for help if they do not have enough time
for, and have problems with, package fixing?
I can help.
I need only a security team member for contact and maybe a debian member
to sign my gnupg key.
And
Quoting Radu Spineanu ([EMAIL PROTECTED]):
Has anyone heard of an implementation, or at least a whitepaper related
to creating some kind of secure zone where I can keep these keys?
Mine is called a PalmPilot with Keyring (3DES password store) installed,
where I'm careful about what I install
Sven Hoexter wrote on Tue, Jun 28, 2005 at 20:05:47 +0200:
On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
Hi,
why doesn't the security team ask for help if they do not have enough time
for, and have problems with, package fixing?
I can help.
I need only a security team member
On 6/28/05, Rick Moen [EMAIL PROTECTED] wrote:
Mine is called a PalmPilot with Keyring (3DES password store) installed,
where I'm careful about what I install on it. It strikes me that threat
models are more easily isolated and dealt with on a PDA than on a
networked computer, especially a
Quoting Edward Faulkner ([EMAIL PROTECTED]):
I do the same thing with my passwords, but that doesn't quite answer
the question. Radu wants a place to keep GPG keys safe - not just
their passwords.
Yes, good point.
I don't have a good answer to Radu's situation other than don't use the
martin f krafft wrote:
It surprised everyone, even though it was not a real surprise -- if
that makes sense. The security team has been a major weakness of
Debian for a while. It was only a question of time until it all came
down on Joey.
Anyway, if you like Debian, then you should keep using
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:
On Mon, 27 Jun 2005, Matt Zimmerman wrote:
The security team has always been a difficult one to expand. A strong
level of trust is necessary due to confidentiality issues, and security
support is a lot of (mostly boring and
Edward Faulkner wrote:
It would be pretty cool to use a PDA as a trusted device - it would
download a document from the PC, ask you to verify it, then sign it
and send it back. It's even better than a smart card, because you can
use the PDA's display to verify that you're signing what you
Radu Spineanu wrote:
In case anyone has some experience, is it hard to write such a Symbian
application?
Being more specific, porting gpg to Symbian.
I noticed an implementation of pgp:
http://my-symbian.com/9210/applications/applications.php?faq=5fldAuto=336
Radu
Radu Spineanu wrote on 28/06/2005 21:41:
Radu Spineanu wrote:
In case anyone has some experience, is it hard to write such a Symbian
application?
Being more specific, porting gpg to Symbian.
I noticed an implementation of pgp:
On Tue, Jun 28, 2005 at 09:16:04PM +0200, Markus Kolb wrote:
Sven Hoexter wrote on Tue, Jun 28, 2005 at 20:05:47 +0200:
On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
Hi,
why doesn't the security team ask for help if they do not have enough time
for, and have problems with, package
Alvin Oga wrote on Tuesday, 28 June 2005:
[snip]
etch/testing, where are the security patches ??
- i want it to also have the latest apps i care about
( latest kernels, latest apache, latest xxx, .. )
- these are the parts i'm interested in structuring for security
On Tue, 28 Jun 2005, Micah Anderson wrote:
Alvin Oga wrote on Tuesday, 28 June 2005:
If you are interested in testing security, then there is a group
working on this project. Here is some information about the history of
the team, and if you read through the message there is