-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi!
Stable, http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/ contains
gpg signatures.
Wheezy, http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/
does not contain gpg signatures.
Can you offer gpg signatures for Jessie as well
Hi Elmar!
This is a most interesting tool!
The opensuse logo on http://www.elstel.org/debcheckroot/ is confusing,
since this is a Debian tool. This might scare off interested people.
As Debian package headers are not usually signed
I think you are mistaken here or maybe I misunderstand. When
Elmar Stellnberger:
As Debian package headers are not usually signed
I think you are mistaken here or maybe I misunderstand. When you have a
Debian medium you trust (such as a Live DVD from a trusted source), we
can regard keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as
trusted.
Marko Randjelovic:
I was thinking about some kind
of wizard:
- create a chroot if it doesn't already exist
- create a launcher for your DE
- create a shell script to run a program from terminal or a simple WM
hint: chroot "$CHROOT_PATH" su - "$USER" -c "$command_with_args"
chroot is not a
Marko Randjelovic:
On Tue, 29 Apr 2014 11:52:14 +
Patrick Schleizer adrela...@riseup.net wrote:
Marko Randjelovic:
I was thinking about some kind
of wizard:
- create a chroot if it doesn't already exist
- create a launcher for your DE
- create a shell script to run a program from
Joel Rees:
He told me to use Ubuntu instead. He explained that with the fact,
that Ubuntu has more security features enabled than Debian (also
more compiler flags for security) in a fresh install. He gave me a
link to the following site:
https://wiki.ubuntu.com/Security/Features
That's
herzogbrigit...@t-online.de:
Thank you for all your replies. I understand that the user is
important for security, but it makes a difference whether you start
from scratch or you can work with something prebuilt. So, could you
tell me, which of the
herzogbrigit...@t-online.de:
Yes it would be great if you can start with such a page. Use the
Ubuntu table as a template to start. I'll try to help as much as
I can in the wiki. Many Linux-Distros have a security features
page in their wikis.
Paul Wise:
On Sun, 2014-05-18 at 21:53 +0200, herzogbrigit...@t-online.de
wrote:
So: Please help us to complete the table.
Why didn't you just use the Ubuntu script to automatically fill it
out?
Paul Wise:
On Sun, 2014-05-18 at 01:41 +, Patrick Schleizer wrote:
Got started:
https://wiki.debian.org/Security/Features
Does anyone know how to view (as a non-admin) the wiki markup of
https://wiki.ubuntu.com/Security/Features ? (I would like to learn by
example how wiki tables are made
Peter Palfrader:
On Fri, 30 May 2014, Joey Hess wrote:
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because
Joey Hess: [...] there are situations where
debootstrap is used without debian-archive-keyring being available, [...]
Please elaborate, which situations are these?
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
David Hubner:
Hi,
I am just wondering about a hypothetical situation where the master GPG key
used for signing the debian archive was stolen. After creating a new master
key and getting a new public key into the debian-keyring package, how would
you get that to users?
I mean if you
Yves-Alexis Perez:
On Fri, 2014-10-17 at 17:14 +, Patrick Schleizer wrote:
Debian has no good mechanism to revoke apt keys in case of compromise,
neither a way to inform users in emergency situations:
https://lists.debian.org/debian-security/2013/10/msg00065.html
The only information
Yves-Alexis Perez:
On Sat, 2014-10-18 at 13:55 +, Patrick Schleizer wrote:
Otherwise, what are the relevant people, how to contact them?
You can find some hints in
https://lists.debian.org/debian-security/2013/10/msg00066.html
If it's really that hard, here are some pointers.
DSA
Hi,
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Is this just how apt-build works or could this be a security issue due
to installing unauthenticated
Dear security team!
Paul Wise thinks this is a security issue
Paul Wise:
This is a security issue, [...]
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Holger Levsen:
I think you probably just need to run apt-get update before apt-get
install...
I did that, I am sure of it. Reproduced this on two different systems.
Cheers,
Patrick
Holger Levsen:
Hi,
On Thursday, 19 March 2015, Patrick Schleizer wrote:
I think you probably just need to run apt-get update before apt-get
install...
I did that, I am sure of it. Reproduced this on two different systems.
can you put the output of apt-get update and apt-cache policy
Hi,
what is your opinion on the deterministic linux kernel SameKernel with
grsecurity by mempo?
https://wiki.debian.org/SameKernel
https://github.com/mempo/mempo-kernel
Cheers,
Patrick
Cyril Brulebois:
Patrick Schleizer adrela...@riseup.net (2015-03-18):
Hi,
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Is this just how apt-build
Brett Parker:
On 18 Mar 16:27, Patrick Schleizer wrote:
Hi,
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Have you tried updating the debian-archive
Hi!
Are you aware of this already?
[SECURITY NOTICE] libidn with bad UTF8 input
http://curl.haxx.se/mail/lib-2015-06/0143.html
Haven’t found anything related on debian.org mailing lists and/or curl's
changelog.
Cheers,
Patrick
tected mode interface to
> be secure in theory - Nonetheless just believe me that things are not as
> theoretical in practice as this description may make you believe.).
>
> Regards,
> Elmar
>
> On 29.11.2015 22:05, Patrick Schleizer wrote:
>> Elmar Stellnberger:
Holger Levsen:
> On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
>> Could you explain how any of these tools leak any information "without a
>> user's consent/expectation"?
>
> gnome-calculator contacts a web page/service with currency exchange
> information *on every start*, I think
Hello, we are a privacy-centric distro based on Debian and wanted to know
what Debian packages leak information about the system to the network
without a user's consent/expectation.
As documented on the page below, a system's security also depends on
avoiding leaking any identifiable information
Elmar Stellnberger:
> Dear Debian-Security
>
> Having just released debcheckroot I want to briefly present my new tool to you:
> It was originally designed as a replacement for debsums and has the following
> qualities:
> * full support of Debian repos reading /etc/[apt/]sources.list to fetch
>
TLDR:
Is it possible to disable InRelease processing by apt-get?
Long:
Very short summary of the bug:
(my own words) During apt-get upgrade, signature verification can be
tricked, resulting in arbitrary package installation and system compromise.
sources:
-
Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer <adrela...@riseup.net>:
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrade, signature verification can be
>
What about Debian graphical installer security?
Isn't that in the meantime the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output of apt-get is not visible. And
stuff during
Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
> after you updated (if it looks OK, it's secure - you need
> fairly long lines to be able to break this)
Thank you for that hint, Julian!
Can you please elaborate on this? (I am asking for Qubes and Whonix
I am very interested in Verified Boot. Was wondering how it could be
implemented on a Linux desktop distribution such as Debian. I would like
to implement it in the Debian derivatives that I maintain (Whonix, Kicksecure).
Came up with some ideas which I will share here.
Anyone using this yet?
I would speculate, not many are using it. It needs step by step
instructions. Otherwise, most users are lost at hello.
> Things debcheckroot does not check at the moment are the initrd and
the MBR (master boot record). You may unpack the initrd by hand and
check the files
Elmar Stellnberger:
>>> Things debcheckroot does not check at the moment are the initrd and
>> the MBR (master boot record). You may unpack the initrd by hand and
>> check the files contained there against a sha256sum list generated by
>> debcheckroot. The MBR can first be backed up by
Russell Coker:
> I think it would be good to have a package for improving system security.
https://github.com/Whonix/security-misc
> It
> could depend on packages like spectre-meltdown-checker and also contain
> scripts that look for ways of improving system security. For example
>