Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
On 26 Dec 2013, at 21:47, Daniel Kahn Gillmor wrote:

> As part of the discussion, it's become clear that some of the keys in https://www.apache.org/dist/httpd/KEYS are weak by any modern consideration of public key cryptography. Could this set of keys be pruned?

You're ahead of us. Individual Apache folks like Jim have taken responsibility and moved to 4096-bit keys, but we haven't as a community had the discussion that might lead to pruning KEYS. My inclination is to say NO to requiring anyone to remove old keys, but YES to encouraging strong keys to sign all releases.

What is Debian's view on the relative importance of key size vs breadth and depth of the WoT surrounding a key? I would tend to find an ancient 1024-bit key with 100 strong-set sigs much more reassuring than a shiny new 4096-bit with just 1 (let alone any number of non-strong-set keys)!

That may be an issue for some Apache folks. For myself, my newer (4096-bit) key has fewer sigs than my old 1024-bit[1], though not catastrophically so. What is perhaps more of an issue is that hardly any of the signatures on the new key are from Apache folks, as I have (alas) not made it to Apachecon for a couple of years now. Others may have a range of reasons for retaining older keys.

[1] Key IDs 40581837 and B87F79A9

-- 
Nick Kew

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
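The message above weighs key size against the web of trust around a key, but the first thing a release consumer or distributor wants is simply to know which keys in a KEYS file are still short. The following Python script is an added example, not part of this bug report and not Apache or Debian tooling. It parses the "pub" lines of a gpg-style KEYS file in both the gpg 1.x layout (1024D/KEYID) and the gpg 2.1+ layout (rsa4096 with the fingerprint on the next line) and reports primary keys below a chosen size. The KEYS text, key IDs, names and dates embedded below are constructed for the example; curve keys (ed25519 and friends) are listed but not size-checked, since the 1024-bit concern does not apply to them.

```python
import re
from typing import List, Optional, Tuple

# (key id, algorithm, bits); bits is None for curve keys
KeyInfo = Tuple[str, str, Optional[int]]

# Constructed sample in the layout of an Apache-style KEYS file: a gpg key
# listing per signer, usually followed by the ASCII-armored key block.
# All key ids, fingerprints, names and dates here are made up.
SAMPLE_KEYS = """\
pub   1024D/DEADBEEF 2001-05-05
uid                  Example Signer <signer@example.invalid>
sub   2048g/CAFEF00D 2001-05-05
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----

pub   4096R/0BADF00D 2013-11-01 [expires: 2023-11-01]
uid                  Example Signer <signer@example.invalid>
sub   4096R/12345678 2013-11-01

pub   rsa2048 2016-02-02 [SC]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid           [ultimate] Another Signer <another@example.invalid>
sub   rsa2048 2016-02-02 [E]

pub   ed25519 2020-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Curve Signer <curve@example.invalid>
"""

# gpg 1.x listing: "pub   1024D/DEADBEEF 2001-05-05" -> bits, algorithm letter, key id
_OLD = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\b")
# gpg 2.1+ listing: "pub   rsa4096 2016-02-02 [SC]", fingerprint on the following line
_NEW = re.compile(r"^pub\s+(rsa|dsa|elg)(\d+)\b")
_CURVE = re.compile(r"^pub\s+(ed25519|cv25519|nistp\d+|brainpoolP\d+r1|secp256k1)\b")
_FPR = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$")
# Algorithm letters used by the old listing format
_ALGO_LETTER = {"D": "DSA", "R": "RSA", "g": "ELG", "E": "ELG"}


def _long_id(lines: List[str], i: int) -> str:
    """For the new listing format, take the long key id (last 16 hex digits)
    from the fingerprint line that follows the 'pub' line."""
    if i + 1 < len(lines):
        f = _FPR.match(lines[i + 1])
        if f:
            return f.group(1)[-16:].upper()
    return "?"


def parse_keys(text: str) -> List[KeyInfo]:
    """Return (key id, algorithm, bits) for every primary key listed in a KEYS file."""
    keys: List[KeyInfo] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _OLD.match(line)
        if m:
            bits, letter, kid = m.groups()
            keys.append((kid.upper(), _ALGO_LETTER.get(letter, letter.upper()), int(bits)))
            continue
        m = _NEW.match(line)
        if m:
            keys.append((_long_id(lines, i), m.group(1).upper(), int(m.group(2))))
            continue
        m = _CURVE.match(line)
        if m:
            keys.append((_long_id(lines, i), m.group(1).upper(), None))
    return keys


def weak_keys(text: str, min_bits: int = 2048) -> List[KeyInfo]:
    """Primary RSA/DSA/ElGamal keys shorter than min_bits; curve keys are skipped."""
    return [k for k in parse_keys(text) if k[2] is not None and k[2] < min_bits]


if __name__ == "__main__":
    for kid, algo, bits in weak_keys(SAMPLE_KEYS):
        print(f"WEAK: {kid} {algo} {bits}-bit")
```

Run against a real KEYS file (for example the one linked in the report) by replacing SAMPLE_KEYS with the file's contents; raising min_bits to 4096 lists every key that the stricter policy discussed above would still consider short. The script only reads the listing lines, so it says nothing about signature counts or strong-set membership, which is the other half of the trade-off the message raises.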
Bug#686348: libnids-dev: nids.h is missing a dependency on libpcap.h
Package: libnids-dev
Version: 1.23-1.1
Severity: normal

Originally found on Ubuntu, but the Ubuntu folks tell me the package is taken straight from Debian so should be reported here.

nids.h includes pcap.h. But I can install libnids-dev without libpcap being found as a dependency. That leaves the configure script of a package I'm trying to install telling me misleadingly that it can't find nids.h.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-23-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnids-dev depends on:
ii  libc6-dev      2.11.1-0ubuntu7.10  Embedded GNU C Library: Developmen
ii  libnids1.21    1.23-1.1            IP defragmentation TCP segment rea

libnids-dev recommends no packages.

libnids-dev suggests no packages.

-- no debconf information
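The failure reported above (a configure check for nids.h that fails only because nids.h itself includes a header the package does not pull in) is easy to catch before release by checking that every header a -dev package ships can resolve its own includes. The Python below is an added example, not part of this report or of the libnids package. It scans a header for #include directives and reports any that cannot be found in the given include directories; the demo builds a constructed include tree in a temporary directory with a one-line nids.h that includes pcap.h, first without and then with pcap.h present. In a real packaging check you would feed it the headers listed by dpkg -L for the package and /usr/include as the search path; that mapping is left to the caller here.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Matches '#include <name>' and '#include "name"', tolerating spaces after '#'
_INCLUDE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')


def included_headers(header_path: str) -> List[str]:
    """Names of all headers included by the file at header_path."""
    with open(header_path, encoding="utf-8", errors="replace") as fh:
        return [m.group(1) for m in (_INCLUDE.match(line) for line in fh) if m]


def unresolved_includes(header_path: str, include_dirs: List[str]) -> List[str]:
    """Included headers that exist in neither the header's own directory
    nor any of include_dirs: these are the ones a dependency must supply."""
    search = [os.path.dirname(header_path)] + list(include_dirs)
    missing = []
    for name in included_headers(header_path):
        if not any(os.path.isfile(os.path.join(d, name)) for d in search):
            missing.append(name)
    return missing


def audit_headers(header_paths: List[str], include_dirs: List[str]) -> dict:
    """Map each header that has unresolved includes to the list of missing names."""
    report = {}
    for path in header_paths:
        missing = unresolved_includes(path, include_dirs)
        if missing:
            report[path] = missing
    return report


def demo() -> Tuple[List[str], List[str]]:
    """Reproduce the reported situation on a constructed include tree:
    nids.h includes pcap.h; first pcap.h is absent, then it is installed."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = os.path.join(tmp, "usr", "include")
        os.makedirs(inc)
        nids_h = os.path.join(inc, "nids.h")
        with open(nids_h, "w", encoding="utf-8") as fh:
            # Constructed stand-in for the real nids.h; only the include matters here
            fh.write("#ifndef _NIDS_NIDS_H\n#define _NIDS_NIDS_H\n#include <pcap.h>\n#endif\n")
        before = unresolved_includes(nids_h, [inc])   # pcap.h not installed
        with open(os.path.join(inc, "pcap.h"), "w", encoding="utf-8") as fh:
            fh.write("/* constructed stand-in for libpcap's pcap.h */\n")
        after = unresolved_includes(nids_h, [inc])    # pcap.h now resolvable
        return before, after


if __name__ == "__main__":
    missing_before, missing_after = demo()
    print("without libpcap headers:", missing_before)
    print("with libpcap headers:   ", missing_after)
```

The check is deliberately textual: it does not follow conditional compilation, so a header that only includes pcap.h under some #ifdef will still be reported, which is the conservative answer when deciding what Depends a -dev package needs.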
Bug#395959: APR/MySQL
Hi,

Joachim has just drawn my attention to this report.

I am the original developer of the MySQL driver, and it was originally my decision to license it under the GPL. I'm also director of WebThing, and a member of the Apache Software Foundation (though not, in this message, speaking in an official capacity).

I'm not dogmatic about the licensing, and I'd be happy for it to change if it helps, subject to the constraints of the other licenses involved.

Originally I'd have been more dogmatic about it, because apr_dbd_mysql released under the Apache license seems to risk undermining MySQL's GPL rights, and I didn't want to be responsible for that. However, MySQL AB has made it clear that they are happy to live with that: indeed, they explicitly name APR and the Apache license at http://www.mysql.com/company/legal/licensing/foss-exception.html

So the sticking point is no longer the GPL, but rather ASF policy, which does not permit us to distribute anything that would impose restrictions on our users, over and above those in the Apache License. The ASF takes the view that to take advantage of MySQL's exception risks leaving our users in limbo.

That clearly doesn't apply to Debian: your primary license is after all the GPL.

A quick google reveals that some Linux distros have apr_dbd_mysql as a separate (RPM) package, and have presumably built apr-util to enable dynamic loading of a DBD driver. This seems to me an excellent solution. I hope Debian will see a way to make this available for your users.

If I can help, please ask.

-- 
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/