Re: Signature strength of .dsc

2023-12-08 Thread IOhannes m zmölnig
On 8 December 2023 18:56:00 CET, Simon Josefsson wrote: > >I think that is unfortunate and not sustainable over time: you need to >have access to the public keys to verify old signatures, and for as long >as the old signatures are published we should make a public keyring for >them easily

Re: Signature strength of .dsc

2023-12-08 Thread Simon Josefsson
Jonathan McDowell writes: > On Mon, Dec 04, 2023 at 11:07:38AM +0100, Simon Josefsson wrote: >> Judit Foglszinger writes: >> >> > Dmitri, could you re-run the numbers with the debian-maintainer >> >> > keyring? >> >> >> >> That is correct. I have updated the results now. The 2,455 no >> >>

Re: Signature strength of .dsc

2023-12-07 Thread Andreas Metzler
On 2023-12-06 Dimitri John Ledkov wrote: [...] > May I also do a mass bug file against the above set of packages, at > wishlist priority to nudge maintainers (or QA or Janitor) to make an > upload? > ideally bundled with any other reasonable modernisations. As such an > algorithm indicates that

Re: Signature strength of .dsc

2023-12-06 Thread Dimitri John Ledkov
On Fri, 1 Dec 2023 at 00:20, Dimitri John Ledkov wrote: > > Hi, > > Currently dak requires signatures on .changes & .dsc uploads. .changes with > signatures are publicly announced and then .dsc are published in the archive > with signatures. .changes references .dsc. > > All .dsc have

Re: Signature strength of .dsc

2023-12-05 Thread Jonathan McDowell
On Mon, Dec 04, 2023 at 11:07:38AM +0100, Simon Josefsson wrote: > Judit Foglszinger writes: > >> > Dmitri, could you re-run the numbers with the debian-maintainer > >> > keyring? > >> > >> That is correct. I have updated the results now. The 2,455 no > >> public key has now become 1,238 > > >

Re: Signature strength of .dsc

2023-12-04 Thread Simon Josefsson
Judit Foglszinger writes: > Hi, > >> > Dmitri, could you re-run the numbers with the debian-maintainer keyring? >> >> That is correct. I have updated the results now. >> The 2,455 no public key has now become 1,238 > > Another is the DN keyring. > Also I'd expect many keys to be found in older

Re: Signature strength of .dsc

2023-12-01 Thread Judit Foglszinger
Hi, > > Dmitri, could you re-run the numbers with the debian-maintainer keyring? > > That is correct. I have updated the results now. > The 2,455 no public key has now become 1,238 Another is the DN keyring. Also I'd expect many keys to be found in older versions of the keyring package/keyring

Re: Signature strength of .dsc

2023-12-01 Thread Bastian Blank
On Fri, Dec 01, 2023 at 12:20:16AM +, Dimitri John Ledkov wrote: > And many of them cannot be verified using debian-keyring: > 2,455 no public key > 3 wrong key usage And how many can be verified? Do any show broken signatures? > Should we stop requiring signed .dsc on uploads? We had

Re: Signature strength of .dsc

2023-12-01 Thread Dimitri John Ledkov
Hi, On Fri, 1 Dec 2023 at 10:50, Simon Josefsson wrote: > > Salvo Tomaselli writes: > > >> hi, on "no public key" list there are my uploads, I'm debian maintainer > >> (https://nm.debian.org/person/fantu/), I signed with my key and I have > >> DM upload right for them > >>

Re: Signature strength of .dsc

2023-12-01 Thread Simon Josefsson
Salvo Tomaselli writes: >> hi, on "no public key" list there are my uploads, I'm debian maintainer >> (https://nm.debian.org/person/fantu/), I signed with my key and I have >> DM upload right for them >> (https://qa.debian.org/developer.php?login=fantonifabio%40tiscali.it) > > I think he just

Re: Signature strength of .dsc

2023-12-01 Thread Fabio Fantoni
On 01/12/2023 01:20, Dimitri John Ledkov wrote: Hi, Currently dak requires signatures on .changes & .dsc uploads. .changes with signatures are publicly announced and then .dsc are published in the archive with signatures. .changes references .dsc. All .dsc have Checksums-Sha256 for the

Re: Signature strength of .dsc

2023-12-01 Thread Stephan Verbücheln
Also note that some of the listed packages are signed with 1024-bit DSA (Logjam attack), which would be more concerning if there were no additional release signatures. Regards Stephan

Re: Signature strength of .dsc

2023-11-30 Thread Stephan Verbücheln
Hello Dimitri On Fri, 2023-12-01 at 00:20 +, Dimitri John Ledkov wrote: > This makes me wonder if signatures on uploaded or published .dsc have > any value at all. Cryptographically speaking, 160-bit hash algorithms are vulnerable to collision attacks but not to preimage attacks. Even today,

Re: Signature strength of .dsc

2023-11-30 Thread Guillem Jover
Hi! On Fri, 2023-12-01 at 00:20:16 +, Dimitri John Ledkov wrote: > Currently dak requires signatures on .changes & .dsc uploads. .changes with > signatures are publicly announced and then .dsc are published in the > archive with signatures. .changes references .dsc. > > All .dsc have

Signature strength of .dsc

2023-11-30 Thread Dimitri John Ledkov
Hi, Currently dak requires signatures on .changes & .dsc uploads. .changes with signatures are publicly announced and then .dsc are published in the archive with signatures. .changes references .dsc. All .dsc have Checksums-Sha256 for the files they reference, .dsc itself can be verified through
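The root post describes the chain dak relies on (signed .changes, signed .dsc, Checksums-Sha256 inside the .dsc) and the thread then tallies how many archived .dsc signatures verify against debian-keyring and with which algorithms. As an added example that is not code from the thread, from dak or from dpkg, the Python below feeds a .dsc to gpg restricted to one keyring and classifies the machine-readable result the way those tallies do: key missing from the keyring, digest algorithm, public-key algorithm and key length. The keyring path /usr/share/keyrings/debian-keyring.gpg is the debian-keyring package's default and is an assumption here; the gpg status lines and key listing at the bottom are constructed so the parser runs without gpg.

```python
"""Classify the strength of the OpenPGP signature on a .dsc from gpg output.

Added example: not code from this thread, from dak or from dpkg. It parses the
machine-readable lines gpg emits with --status-fd (GOODSIG, BADSIG, ERRSIG,
VALIDSIG, NO_PUBKEY) and its --with-colons key listing, and flags the cases the
thread counts: signatures that cannot be checked because the key is not in the
keyring, SHA-1 digests, and DSA keys together with their length.
The sample status and key-listing lines at the bottom are constructed.
"""
import subprocess
from dataclasses import dataclass, field

# OpenPGP algorithm identifiers (RFC 4880 section 9), as gpg reports them.
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}


@dataclass
class SigReport:
    keyid: str = ""          # long key ID (last 16 hex digits of the fingerprint)
    status: str = "unknown"  # valid / bad / error / no-pubkey
    pubkey_algo: str = "?"
    hash_algo: str = "?"
    bits: int = 0            # key length from the keyring listing, 0 if unknown
    warnings: list = field(default_factory=list)


def _algo(table, token):
    return table.get(int(token), f"algo-{token}")


def parse_status(lines):
    """One SigReport per signature in gpg --status-fd output.

    Each signature yields exactly one of GOODSIG/EXPKEYSIG/REVKEYSIG/BADSIG/ERRSIG;
    a following VALIDSIG or NO_PUBKEY refines that record. ERRSIG still carries the
    public-key and digest algorithm, so digest strength can be judged even when the
    key is missing and the signature itself cannot be verified.
    """
    initial = {"BADSIG": "bad", "ERRSIG": "error"}
    reports, cur = [], None
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue
        kw, *args = raw.split()[1:]
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"):
            cur = SigReport(keyid=args[0][-16:], status=initial.get(kw, "valid"))
            reports.append(cur)
            if kw in ("EXPKEYSIG", "REVKEYSIG"):
                cur.warnings.append(kw.lower())
            if kw == "ERRSIG":
                # ERRSIG keyid pk-algo hash-algo sig-class time rc [fpr]
                cur.pubkey_algo, cur.hash_algo = _algo(PUBKEY_ALGOS, args[1]), _algo(HASH_ALGOS, args[2])
        elif cur is None:
            continue
        elif kw == "VALIDSIG":
            # VALIDSIG fpr sig-date sig-ts expire-ts sig-version reserved pk-algo hash-algo sig-class [primary-fpr]
            cur.keyid = args[0][-16:]
            cur.pubkey_algo, cur.hash_algo = _algo(PUBKEY_ALGOS, args[6]), _algo(HASH_ALGOS, args[7])
        elif kw == "NO_PUBKEY":
            cur.status = "no-pubkey"
    return reports


def parse_key_listing(lines):
    """Map long key ID -> (algo, bits) from gpg --with-colons --list-keys output.

    In pub/sub records field 3 is the key length, field 4 the algorithm number
    and field 5 the long key ID.
    """
    sizes = {}
    for raw in lines:
        f = raw.split(":")
        if f[0] in ("pub", "sub") and len(f) > 5:
            sizes[f[4]] = (_algo(PUBKEY_ALGOS, f[3]), int(f[2]))
    return sizes


def classify(status_lines, key_lines):
    """Attach key lengths and the thread's weakness categories to each signature."""
    sizes = parse_key_listing(key_lines)
    reports = parse_status(status_lines)
    for r in reports:
        if r.keyid in sizes:
            r.bits = sizes[r.keyid][1]
        if r.status == "no-pubkey":
            r.warnings.append("key not in keyring; signature not verifiable")
        if r.hash_algo in WEAK_HASHES:
            r.warnings.append(f"weak digest {r.hash_algo}")
        if r.pubkey_algo == "DSA":
            r.warnings.append(f"DSA key, {r.bits or 'unknown'} bits")
        elif r.pubkey_algo == "RSA" and 0 < r.bits < 2048:
            r.warnings.append(f"short RSA key, {r.bits} bits")
    return reports


def verify_dsc(dsc_path, keyring="/usr/share/keyrings/debian-keyring.gpg"):
    """Run gpg on a .dsc with only the given keyring and classify the result.

    Invokes gpg, so it is not exercised by the constructed sample below.
    The keyring path is an assumption (debian-keyring package default).
    """
    base = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring]
    status = subprocess.run(base + ["--status-fd", "1", "--verify", dsc_path],
                            capture_output=True, text=True).stdout
    keys = subprocess.run(base + ["--with-colons", "--list-keys"],
                          capture_output=True, text=True).stdout
    return classify(status.splitlines(), keys.splitlines())


# Constructed sample: one DSA-1024/SHA-1 signature that verifies, and one RSA/SHA-256
# signature whose key is absent from the keyring (ERRSIG rc 9 = no public key).
DSA_FPR = "0" * 24 + "0123456789ABCDEF"
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <example@debian.org>
[GNUPG:] VALIDSIG {DSA_FPR} 2014-02-03 1391433600 0 4 0 17 2 01 {DSA_FPR}
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 01 1701389000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
SAMPLE_KEYS = f"""\
tru::1:1701389000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1391433600:::u:::scESC::::::23::0:
fpr:::::::::{DSA_FPR}:
uid:u::::1391433600::0000000000000000000000000000000000000000::Example Maintainer <example@debian.org>::::::::::0:
"""

if __name__ == "__main__":
    for r in classify(SAMPLE_STATUS.splitlines(), SAMPLE_KEYS.splitlines()):
        print(r.keyid, r.status, r.pubkey_algo, r.hash_algo, r.bits, r.warnings)
```

Because ERRSIG reports the algorithms even when gpg cannot find the key, the "no public key" rows in a survey like the thread's can still be sorted by digest algorithm; only the key length needs the key to be present, which is why the script also reads the keyring listing. Run over the archive it should be pointed at the keyring that matches the era of the upload, since a signature made with a key that has since been removed from debian-keyring will land in the no-pubkey bucket rather than being judged on its merits.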