Re: PPA security (was: Debian mirrors and MITM)

2014-07-03 Hans-Christoph Steiner
On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote: Quoting Jeremie Marguerie jere...@marguerie.org: Thanks for bringing that issue! I feel the same way when I install a packet from a non-official PPA. Unfortunately, every package can do anything: pre-inst, post-inst, pre-rm, post-rm

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On May 30, 2014, at 10:06 AM, micah anderson wrote: Kurt Roeckx k...@roeckx.be writes: On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote: On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote: On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote: The public Debian mirrors

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On Jun 2, 2014, at 9:29 AM, Jann Horn wrote: On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote: Now I don't want to call into question the esteemed authors of said program, and depending libraries, but I do think that providing https mirrors gives us two distinct advantages over

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On Jul 3, 2014, at 11:05 AM, Hans-Christoph Steiner wrote: On May 30, 2014, at 10:06 AM, micah anderson wrote: Kurt Roeckx k...@roeckx.be writes: On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote: On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote: On Fri, May 30, 2014 at

Re: Debian mirrors and MITM

2014-07-03 Michael Stone
On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote: I definitely agree there are legitimate concerns that using HTTPS on apt mirrors would help, and people who suggest otherwise are out of date on what the threats are. I think the integrity of the package itself is not

Re: Debian mirrors and MITM

2014-07-03 Reid Sutherland
On Jul 3, 2014, at 11:09 AM, Hans-Christoph Steiner h...@at.or.at wrote: On Jun 2, 2014, at 9:29 AM, Jann Horn wrote: On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote: Now I don't want to call into question the esteemed authors of said program, and depending libraries, but I

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On Jul 3, 2014, at 11:55 AM, Reid Sutherland wrote: On Jul 3, 2014, at 11:09 AM, Hans-Christoph Steiner h...@at.or.at wrote: On Jun 2, 2014, at 9:29 AM, Jann Horn wrote: On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote: Now I don't want to call into question the esteemed

Re: Debian mirrors and MITM

2014-07-03 micah
Hans-Christoph Steiner h...@at.or.at writes: I should add: apt-transport-tor is a great project to improve this situation as well that is probably more secure than HTTPS, but at a cost of probably much slower download speeds. Using an apt mirror with an onion address would entirely

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On Jul 3, 2014, at 11:52 AM, Michael Stone wrote: On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote: I definitely agree there are legitimate concerns that using HTTPS on apt mirrors would help, and people who suggest otherwise are out of date on what the threats are.

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On Jul 3, 2014, at 12:10 PM, Hans-Christoph Steiner wrote: On Jul 3, 2014, at 11:52 AM, Michael Stone wrote: On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote: I definitely agree there are legitimate concerns that using HTTPS on apt mirrors would help, and people

Re: PPA security (was: Debian mirrors and MITM)

2014-07-03 Joey Hess
Hans-Christoph Steiner wrote: This could be approached another way. There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools. I think many many packages would qualify here, most packages do

Re: Debian mirrors and MITM

2014-07-03 Reid Sutherland
On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner h...@at.or.at wrote: As for how to manage making HTTPS by default, this does not require every mirror buying HTTPS certificates every year from Certificate Authorities. There are workable solutions based on self-signed certificates. In

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On 07/03/2014 12:38 PM, Reid Sutherland wrote: On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner h...@at.or.at wrote: As for how to manage making HTTPS by default, this does not require every mirror buying HTTPS certificates every year from Certificate Authorities. There are workable

Re: Debian mirrors and MITM

2014-07-03 Reid Sutherland
On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner h...@at.or.at wrote: SSH uses entirely unsigned keys, and it has proven a lot more reliable than HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires signed keys, self-signed works. The signatures are only worth the

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On 07/03/2014 12:58 PM, Reid Sutherland wrote: On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner h...@at.or.at wrote: SSH uses entirely unsigned keys, and it has proven a lot more reliable than HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires signed keys,

Re: Debian mirrors and MITM

2014-07-03 Bernhard R. Link
* Hans-Christoph Steiner h...@at.or.at [140703 18:10]: You are correct that HTTPS would not entirely address #2, but it does improve the situation over HTTP. For example, an ISP, network operator, or government could block an entire mirror or all mirrors by redirecting requests to their own

Re: Debian mirrors and MITM

2014-07-03 Michael Stone
On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote: Google uses SPKI pinning heavily, for example, but they still use CA-signed certificates so their HTTPS works with Firefox, IE, Opera, etc. Yes, and MS does similar. The difference is, they own their infrastructure and

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On 07/03/2014 03:08 PM, Michael Stone wrote: On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote: Google uses SPKI pinning heavily, for example, but they still use CA-signed certificates so their HTTPS works with Firefox, IE, Opera, etc. Yes, and MS does similar. The

Re: Debian mirrors and MITM

2014-07-03 Hans-Christoph Steiner
On 07/03/2014 02:26 PM, Bernhard R. Link wrote: * Hans-Christoph Steiner h...@at.or.at [140703 18:10]: You are correct that HTTPS would not entirely address #2, but it does improve the situation over HTTP. For example, an ISP, network operator, or government could block an entire mirror or

Re: Please remove me from this list

2014-07-03 Lucius Rizzo
Joel Rees wrote: On Sat, Jun 28, 2014 at 12:45 AM, [...] I know, I am a jerk, but it was the first thing I thought of I don't think that makes you a jerk at all. We are all jerks at times. It's part of being human and not understanding the other guy's situation. IMHO one of the most

concrete steps for improving apt downloading security and privacy

2014-07-03 Hans-Christoph Steiner
After the latest revelation about NSA tracking all Tor downloads[1] (with source code!) and the whole Debian mirrors and MITM redux, I think we should start talking about concrete steps that we can take to improve the situation. The first things that came to mind would be quite easy to do: *