Re: Debian APT Key Revocation Procedure

2013-11-08 Thread adrelanos
Paul Wise:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>
> What are your plans if you ever have reason to believe that the Debian
> archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this
> list. I suggest you contact them (DSA, ftpteam) directly.

The DSA told me it doesn't relate to DSA and the ftpteam didn't reply.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527d6377.30...@riseup.net



Re: Debian APT Key Revocation Procedure

2013-11-03 Thread Mike Mestnik
I think the big issue here is that you need to be part of the 'in crowd' to
know that the DSA team is reached via the debian-admin list.  It's not
logical, IMHO, for these to be related.  I don't believe that these two
teams completely ignore the debian-security lists, as they obviously (IMHO)
have a stake in the security aspect of Debian.

There are likely, and should be, a few people, not necessarily members, watching
debian-security who could forward an FYI to these teams.  I don't think
it's right to try and teach EVERYONE the layout of the land; instead such
postings should be forwarded to the correct team without needing to involve
the individual trying to help with the local and internal politics.

I say this only because it's logical to outsiders that these teams be
reachable here and thus they should be, even if they are not.

Cheers.


On Fri, Nov 1, 2013 at 12:10 PM, Henrique de Moraes Holschuh h...@debian.org wrote:

> On Thu, 31 Oct 2013, adrelanos wrote:
>> But what could you do with the revocation certificate?
>>
>> Only manually spread the news and ask users to obtain the revocation
>> certificate?
>
> We would widely publish that information, that's a given.  But it is not the
> only way to publish the revocation certificate and the replacement keys.
>
>> Or will the apt on Debian user's machines somehow learn about that
>> revocation certificate? If so, how does that procedure work? Where is it
>> configured?
>
> I believe we'd deploy a security update of the debian-archive-keyring
> package, with the updated key material and revocation certificates.  There
> are backup keys to allow for key rollover.
>
> Now, this does NOT address all scenarios.  It is not a perfect solution.
>
> For a more precise answer, please ask the debian-admin ML.
>
> --
>   One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie. -- The Silicon Valley Tarot
>   Henrique Holschuh






Re: Debian APT Key Revocation Procedure

2013-11-03 Thread Stephen Gran
This one time, at band camp, Henrique de Moraes Holschuh said:
> For a more precise answer, please ask the debian-admin ML.

Why?  DSA has nothing to do with this.

Cheers,
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :sg...@debian.org |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: Debian APT Key Revocation Procedure

2013-11-03 Thread Henrique de Moraes Holschuh
On Sun, 03 Nov 2013, Stephen Gran wrote:
> This one time, at band camp, Henrique de Moraes Holschuh said:
>> For a more precise answer, please ask the debian-admin ML.
>
> Why?  DSA has nothing to do with this.

Hmm, come to think of it you're correct that they're not the best team to
ask about it.  On second thought, ftp-masters are probably the best team to
ask about this, along with the Debian release team.

Anyway, it looks like it would be best to have the emergency key revocation
and roll-over procedure written down and published to the public.  If it is
already out there, a pointer would be appreciated.

AFAIK, the *regular* key rollovers are handled by a normal update of the
debian-archive-keyring package (extended to stable and old-stable as well),
plus email notification to the debian-announce ML.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread adrelanos
Paul Wise:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>
> What are your plans if you ever have reason to believe that the Debian
> archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this
> list. I suggest you contact them (DSA, ftpteam) directly.

Is there a public mailing list?





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Paul Tagliamonte
On Fri, Nov 01, 2013 at 01:18:19PM +, adrelanos wrote:
> Paul Wise:
>> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>>
>> What are your plans if you ever have reason to believe that the Debian
>> archive signing key has been compromised?
>>
>> It is unlikely that the people responsible for that are reading this
>> list. I suggest you contact them (DSA, ftpteam) directly.
>
> Is there a public mailing list?

ftpmas...@ftp-master.debian.org will get you to the ftpteam (nonpublic
ML), and the DSA are at debian-ad...@lists.debian.org (is public)


Earlier, Jordon Bedwell jor...@envygeeks.com wrote:
> That's almost jokingly ironic.

I take issue with this. I find this attitude really crappy. I'd strongly
invite you to reconsider this tone and belief.

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte paul...@debian.org
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag




Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Jordon Bedwell
On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
> I take issue with this. I find this attitude really crappy. I'd strongly
> invite you to reconsider this tone and belief.

I invite you to jump back down to earth and stop judging people as if
you are somehow better.





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Paul Tagliamonte
On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>> I take issue with this. I find this attitude really crappy. I'd strongly
>> invite you to reconsider this tone and belief.
>
> I invite you to jump back down to earth and stop judging people as if
> you are somehow better.

(I'm not the one insulting two core teams at once)


-- 
 .''`.  Paul Tagliamonte paul...@debian.org
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag




Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Jordon Bedwell
On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote:
> On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
>> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>>> I take issue with this. I find this attitude really crappy. I'd strongly
>>> invite you to reconsider this tone and belief.
>>
>> I invite you to jump back down to earth and stop judging people as if
>> you are somehow better.
>
> (I'm not the one insulting two core teams at once)

Nope, you just take it a step further and insult the individual people.





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Jordon Bedwell
On Fri, Nov 1, 2013 at 8:33 AM, Jordon Bedwell jor...@envygeeks.com wrote:
> On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote:
>> On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
>>> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>>>> I take issue with this. I find this attitude really crappy. I'd strongly
>>>> invite you to reconsider this tone and belief.
>>>
>>> I invite you to jump back down to earth and stop judging people as if
>>> you are somehow better.
>>
>> (I'm not the one insulting two core teams at once)
>
> Nope, you just take it a step further and insult the individual people.

I should say "individual people" without the "the", as "the" implies you were
insulting the people on the team, and not people in general.





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Neil McGovern
On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote:
> On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote:
>> I take issue with this. I find this attitude really crappy. I'd strongly
>> invite you to reconsider this tone and belief.
>
> I invite you to jump back down to earth and stop judging people as if
> you are somehow better.

I think the open invitation to participate in the Debian project mailing
lists should now be withdrawn. ccing listmasters.

Neil


Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Darko Gavrilovic

> I should say "individual people" without the "the", as "the" implies you were
> insulting the people on the team, and not people in general.

No one here thinks they are better or smarter than you. It would just
be nice if you could try to keep it a little more professional in
your communication and responses.





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Jordon Bedwell
On Fri, Nov 1, 2013 at 8:42 AM, Darko Gavrilovic d.gavrilo...@gmail.com wrote:
>> I should say "individual people" without the "the", as "the" implies you were
>> insulting the people on the team, and not people in general.
>
> No one here thinks they are better or smarter than you. It would just
> be nice if you could try to keep it a little more professional in
> your communication and responses.

There was nothing unprofessional about what I said.





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread adrelanos
Paul Wise:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>
> What are your plans if you ever have reason to believe that the Debian
> archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this
> list. I suggest you contact them (DSA, ftpteam) directly.

Thank you, Paul. I mailed DSA.

I find it non-ideal that there is no place to discuss this in public.
(Neither the DSA nor the ftpmaster mailing list is publicly archived or allows
public sign-up.)





Re: Debian APT Key Revocation Procedure

2013-11-01 Thread Henrique de Moraes Holschuh
On Thu, 31 Oct 2013, adrelanos wrote:
> But what could you do with the revocation certificate?
>
> Only manually spread the news and ask users to obtain the revocation
> certificate?

We would widely publish that information, that's a given.  But it is not the
only way to publish the revocation certificate and the replacement keys.

> Or will the apt on Debian user's machines somehow learn about that
> revocation certificate? If so, how does that procedure work? Where is it
> configured?

I believe we'd deploy a security update of the debian-archive-keyring
package, with the updated key material and revocation certificates.  There
are backup keys to allow for key rollover.

Now, this does NOT address all scenarios.  It is not a perfect solution.

For a more precise answer, please ask the debian-admin ML.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh

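A check an administrator can run after such a debian-archive-keyring update lands, as an added example that is not code from the thread, from Debian or from the package itself: it parses gpg's machine-readable `--with-colons` listing of an archive keyring and reports which archive keys are now revoked and which remain usable, so a rollover that left no valid key behind is caught before apt does. The gpg invocation, the constructed SAMPLE_LISTING with its placeholder key ids, and the function names are all this example's own assumptions.

```python
"""Audit an APT archive keyring from gpg's --with-colons listing."""
import subprocess

# Constructed sample listing with placeholder key ids and fingerprints (not
# real Debian keys): one revoked ('r'), one expired ('e'), one valid ('-').
SAMPLE_LISTING = """\
pub:r:4096:1:0000000000000001:1300000000:::-:::SC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:r::::1300000000::HASH1::Example Archive Key (old)::::::::::0:
pub:e:4096:1:0000000000000002:1200000000:1400000000::-:::SC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:e::::1200000000::HASH2::Example Archive Key (expired)::::::::::0:
pub:-:4096:1:0000000000000003:1380000000:::-:::SC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:-::::1380000000::HASH3::Example Archive Key (current)::::::::::0:
"""

# Validity codes from field 2 of a gpg colon-format pub record.
STATUS = {"r": "revoked", "e": "expired", "-": "valid"}

def parse_listing(text):
    """Map each primary key fingerprint to its status and first user id."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"status": STATUS.get(f[1], f[1]), "uid": ""}
        elif f[0] == "sub":
            current = None                # skip subkeys and their fpr lines
        elif f[0] == "fpr" and current is not None:
            keys[f[9]] = current          # field 10 holds the fingerprint
        elif f[0] == "uid" and current is not None and not current["uid"]:
            current["uid"] = f[9]         # field 10 holds the user id
    return keys

def audit(keys):
    """Return (revoked, usable) fingerprints; an empty usable list means
    apt is left without a trusted archive key after the rollover."""
    revoked = sorted(fp for fp, k in keys.items() if k["status"] == "revoked")
    usable = sorted(fp for fp, k in keys.items() if k["status"] == "valid")
    return revoked, usable

def audit_keyring_file(path):
    """Run gpg on a real keyring file (path is an assumption; it must
    exist on this host) and audit the keys it contains."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", path,
           "--with-colons", "--with-fingerprint", "--list-keys"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(parse_listing(out))
```

On a Debian host the keyring shipped by the package is assumed to live at /usr/share/keyrings/debian-archive-keyring.gpg; `audit_keyring_file` on that path shows whether the revocation certificates from the update arrived and whether a replacement key is present.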




Re: Debian APT Key Revocation Procedure

2013-10-31 Thread Paul Wise
On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:

> What are your plans if you ever have reason to believe that the Debian
> archive signing key has been compromised?

It is unlikely that the people responsible for that are reading this
list. I suggest you contact them (DSA, ftpteam) directly.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: Debian APT Key Revocation Procedure

2013-10-31 Thread Jordon Bedwell
On Thu, Oct 31, 2013 at 10:28 AM, Paul Wise p...@debian.org wrote:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>
>> What are your plans if you ever have reason to believe that the Debian
>> archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this
> list. I suggest you contact them (DSA, ftpteam) directly.

That's almost jokingly ironic.





Re: Debian APT Key Revocation Procedure

2013-10-31 Thread Paul Wise
On Fri, Nov 1, 2013 at 5:21 AM, Jordon Bedwell wrote:

> That's almost jokingly ironic.

That's to be expected, the list is mostly noise and in no way required
for them to be able to do their job.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

