Hi,
Michael Orlitzky wrote:
You should disable OCSP anyway. In Firefox, it's under,
Edit - Preferences - Advanced - Encryption - Validation
The OCSP protocol is itself vulnerable to MITM attacks, which is cute
when you consider its purpose.
Moreover, it sends the address of every
Hi,
mingdao wrote:
Now, if any one of us turned off OCSP as Michael suggested, what should one do
after turning it back on? Could there now be certificates trusted there which
should not be?
Well, only your current browser session can be affected. For Firefox:
History - Clear Recent
Hi,
Duncan wrote:
Meanwhile, another question for Thomas. Is this certificate stapling
the same thing google chrome is now doing for the google site, that
enabled it to detect the (I think it was) Iranian and/or Chinese CA
tampering, allowing them to say a google cert was valid that was
Hi,
Michael Orlitzky wrote:
If you are aware of any other known attacks, please share.
Replay attacks, mentioned in the RFC (or Google). These could be
mitigated, but no one has bothered.
The OCSP response is signed. The signature contains a time stamp. If
your clock is right, replay
Hi,
Michał Górny wrote:
Now, does anyone have an old portage-YYZZ.tar.{bz2,xz} snapshot? I
need the official one from our mirrors, preferably 3-4 months old.
https://dl.dropboxusercontent.com/s/ldh8ie2zzdpnc57/portage-20121228.tar.bz2
Hi,
not everyone is using systemd. On my systems for example, I don't have
/lib/systemd/ (INSTALL_MASK).
The current news item draft raises questions like When the 'actual
configuration' is in /lib/systemd/network/99-default.link... what will
happen to people without systemd (and an INSTALL_MASK
Hi,
line 16 (renamed the file to
/lib/udev/rules.d/80-net-setup-link.rules) and line 18 (you can
override in /etc/systemd/network/) don't end with punctuation.
Did I get this right? I am using udev to give my interfaces custom names
and I am not a systemd user but to keep my setup working
Hi,
Rich Freeman wrote:
On Tue, Feb 25, 2014 at 6:39 AM, Thomas D. whi...@whissi.de wrote:
Also, I cannot believe that I cannot overwrite
/lib/udev/rules.d/80-net-setup-link.rules via /etc/udev/rules.d...
I don't see why not - from the news item:
So, to clarify, you can override the new
Hi,
I like your (Alex) new proposal, but I have the following annotations:
As of sys-fs/udev-210, the options CONFIG_FHANDLE and CONFIG_NET
are now required in the kernel. A warning will be issued if they
are missing when you upgrade. See the package's README in
/usr/share/doc/udev-210/ for
Hi,
Ian Stakenvicius wrote:
That said, what we could do (if this isn't done already) is have
portage automatically elog or ewarn what files are excluded from
the system on merge time due to the INSTALL_MASK. At least that
way, users would be able to see in the log what files were removed,
Hi,
Ryan Hill wrote:
Probably best to make FEATURES=distcc disable network-sandbox
then. People enabling it are explicitly saying they want to access
the network.
Do you really think it is a good behavior to automatically disable
something you can call a security feature? At least there
Hi,
Ciaran McCreesh wrote:
Sandboxing isn't about security. It's about catching mistakes.
From Wikipedia
(http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29):
In computer security, a sandbox is a security mechanism for
separating running programs. It is often used to execute
Hi,
Michał Górny wrote:
I see two generic approaches possible here:
1. proxying distcc from within the build environment, or
2. moving distcc-spawned processes back to parent's namespace.
distcc client/server solution
-
The most obvious solution to me
Hi,
William Hubbs wrote:
I believe, back in the day we started this practice, portage did not
support --newuse or --changed-use, so there was no way to only update
packages that had changed or new use flags. In that situation, I
understand why we installed all of these add-on files
Hi,
Hanno Böck wrote:
Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.
+1
Right now we seem to have a mix:
* A
Hi,
thank you all for the feedback.
I read through the news archive and most previous news items don't use
the package category in the title.
I'll propose
Title: shorewall is now a single package
I filed a bug for the news item request:
https://bugs.gentoo.org/show_bug.cgi?id=546952
.
===
Title: New net-firewall/shorewall all-in-one package
Author: Thomas D. whi...@whissi.de
Content-Type: text/plain
Posted: 2015-04-to-be-set
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: net-firewall/shorewall-core
Display
17 matches