On Thu, Nov 24, 2005 at 11:13:45AM -0200, Henrique de Moraes Holschuh wrote:
While the point about you can no longer just use md5sum is useless (you
need gpg, other special tools won't make it any more difficult, especially
since they are gzip and ar),
The problem is that using gzip and ar is
On Thu, Nov 24, 2005 at 06:28:04PM +0100, Florian Weimer wrote:
Of course, with current state of technology, there can't be a digital
signature that directly says that installation of this package will
not cause any harm. But this doesn't mean that we should give up
completely.
Mmm. I'd
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's
On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
[EMAIL PROTECTED] wrote:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares
* Marc Haber [EMAIL PROTECTED] [2005:11:23 18:40 +0100]:
On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's
On Wed, 23 Nov 2005, Marc Haber wrote:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
So, most of the DD's do not care about security at all. Why does
Debian have a reputation of
On 11/23/05, Marc Haber [EMAIL PROTECTED] wrote:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
So, most of the DD's do not care about security at all. Why does
Debian have a
On Thu, 24 Nov 2005, Anthony Towns wrote:
Personally, I think it's cryptographic snake oil, at least in so far
A signed deb has a seal of procedence and allows one to track the path it
made through the system, and who changed it. It ties a non-trustable
timestamp to every singed step in that
Marc Haber writes:
So, most of the DD's do not care about security at all.
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.
--
John Hasler
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a
On Wed, 23 Nov 2005, Jeroen van Wolffelaar wrote:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
I'm not going to interpret these numbers, as it's close to impossible to
do so
Olaf van der Spek writes:
Security is more than package signatures.
What is your specific proposal?
--
John Hasler
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
On Wed, 23 Nov 2005, John Hasler wrote:
Olaf van der Spek writes:
Security is more than package signatures.
What is your specific proposal?
Don't go there, or at least start another thread to do so. Olaf is correct,
signed packages are not enough and we have reharsed that discursion a lot.
On 11/23/05, John Hasler [EMAIL PROTECTED] wrote:
Olaf van der Spek writes:
Security is more than package signatures.
What is your specific proposal?
I don't have one. But I don't see how that's relevant.
Anthony Towns aj@azure.humbug.org.au writes:
On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the
Goswin von Brederlow [EMAIL PROTECTED] wrote:
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
The answer is all of them,
[Erinn Clark]
Yet just today you filed a bug (#340403) for documentation to be
included in the package since you were unable to explain dpkg-sig's
strengths. How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?
[Goswin von Brederlow]
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
[Matthew Garrett]
The answer is all of
On Wed, 23 Nov 2005 17:03:51 -0200, Henrique de Moraes Holschuh
[EMAIL PROTECTED] wrote:
This doesn't mean that signed packages are useless, far from it.
They are useless at the moment. They cannot be uploaded.
Greetings
Marc
--
-- !! No courtesy copies,
On Wed, 23 Nov 2005 12:11:20 -0600, John Hasler [EMAIL PROTECTED]
wrote:
Marc Haber writes:
So, most of the DD's do not care about security at all.
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.
On Wed, 23 Nov 2005 12:09:34 -0600 (CST), Adam Heath
[EMAIL PROTECTED] wrote:
There's been no push. No default. No message saying that it's acceptable and
wanted to sign debs.
So Debian doesn't care about security. If we did, we would have an
official message saying so. Why do we have the
On Wed, 23 Nov 2005 12:58:12 -0500, Erinn Clark
[EMAIL PROTECTED] wrote:
* Marc Haber [EMAIL PROTECTED] [2005:11:23 18:40 +0100]:
On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:
In the archive,
On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
I
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures
I wrote:
I think that DD's do not use dpkg-sig and debsigs because they believe
them to be hard to use and not supported by the infrastructure or by
policy.
Marc Haber writes:
dpkg-sig is harly hard to use.
Please re-read what I wrote.
--
John Hasler
--
To UNSUBSCRIBE, email to [EMAIL
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
I'd like to know if anyone cares about using these binary signatures
Before your mail I was completely unaware of the existence of dpkg-sig.
Now that I know it, I care about it and would like to start uploading my
packages
* John Hasler [EMAIL PROTECTED] [051123 19:11]:
So, most of the DD's do not care about security at all.
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.
... or not even know about them. I
Peter Samuelson [EMAIL PROTECTED] wrote:
[Goswin von Brederlow]
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
=20
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
Matt Zimmerman [EMAIL PROTECTED] writes:
On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to
Marc 'HE' Brockschmidt [EMAIL PROTECTED] writes:
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if
Stefano Zacchiroli [EMAIL PROTECTED] writes:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
I'd like to know if anyone cares about using these binary signatures
Before your mail I was completely unaware of the existence of dpkg-sig.
Now that I know it, I care about
On Thu, Nov 24, 2005 at 02:08:17AM +1000, Anthony Towns wrote:
On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which
Stefano Zacchiroli [EMAIL PROTECTED] writes:
[...]
I will fill a whishlist bugreport against debuild to support dpkg-sig
side by side with debuild.
There is already #247825. #247824 is the wishlist bug for
dpkg-buildpackage support.
Marc
--
BOFH #105:#247824
UPS interrupted the server's power
On Wed, Nov 23, 2005 at 10:52:52PM +0100, Marc Haber wrote:
On Wed, 23 Nov 2005 12:09:34 -0600 (CST), Adam Heath
[EMAIL PROTECTED] wrote:
There's been no push. No default. No message saying that it's acceptable
and
wanted to sign debs.
So Debian doesn't care about security. If we did, we
Marc Haber wrote:
[snip]
How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?
Well, even if I know naught about it, it looks to me that having
something signed is better than having the same something not signed.
Marc == Marc 'HE' Brockschmidt [EMAIL PROTECTED] writes:
Marc Brian May [EMAIL PROTECTED] writes:
I've never seen dpkg-sig mentioned before, only debsigs,
so I'm not familiar with the tool itself, but the concept
is one that needs a lot more exposure.
I would speculate
On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote:
On Thu, 24 Nov 2005, Anthony Towns wrote:
Personally, I think it's cryptographic snake oil, at least in so far
A signed deb has a seal of procedence and allows one to track the path it
made through the system, and
On Thu, Nov 24, 2005 at 12:38:37AM +0100, Goswin von Brederlow wrote:
I know this is a contrived use case, but Ubuntu doesn't use any .debs from
Debian.
One could prove that. :)
No, one couldn't -- the signatures could just be removed from the debs,
no recompilation needed.
Cheers,
aj
On Thu, Nov 24, 2005 at 09:09:21AM +1100, Matthew Palmer wrote:
2) A signature from dinstall saying this package was installed in the
Debian archive would provide a means of automatic assurance of the source
of a binary package, when I'm putting together custom CDs or package repos.
You can
On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
Use 1: I have this deb in my apt-move mirror and I want to know if it
was compromised on yesterdays breakin
Boot a clean system with debian keyring and check all deb
signatures.
Find some don't pass because they
On Thu, Nov 24, 2005 at 11:54:33AM +1000, Anthony Towns wrote:
On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote:
On Thu, 24 Nov 2005, Anthony Towns wrote:
Personally, I think it's cryptographic snake oil, at least in so far
A signed deb has a seal of procedence
On Thu, Nov 24, 2005 at 12:30:37PM +1000, Anthony Towns wrote:
On Thu, Nov 24, 2005 at 09:09:21AM +1100, Matthew Palmer wrote:
3) I can verify the provenance of a particular package in my own custom
repos at any time (did that come from Debian? Did someone build it
internally? What's
On Thu, Nov 24, 2005 at 02:31:22PM +1100, Matthew Palmer wrote:
Then there's the opposite argument about why not do that inside the .deb?.
Simple answers: unnecessary bloat, unwarranted feeling of security
leading to bad decisions.
Whenever anyone asks how do you manage the keys, the answer
On Thu, 24 Nov 2005 11:54:33 +1000, Anthony Towns
aj@azure.humbug.org.au wrote:
On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote:
Not in a very useable form, and only for Debian packages uploaded to the
official Debian archive. This is hardly good enough.
Uh,
On Thu, Nov 24, 2005 at 03:48:15PM +1000, Anthony Towns wrote:
On Thu, Nov 24, 2005 at 02:31:22PM +1100, Matthew Palmer wrote:
I think the final judgment in this issue is going to come down to personal
taste and needs more than anything else.
That's fine for personal repositories, it's not
Heya,
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
This is not the
[Marc 'HE' Brockschmidt]
I'd like to know if anyone cares about using these binary signatures
I can not really say if I care or not, as I do not really know what
these binary signatures are. Care to send URL to pages explaining the
topic?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a
On Tue, Nov 22, 2005 at 05:41:05PM +0100, Petter Reinholdtsen wrote:
[Marc 'HE' Brockschmidt]
I'd like to know if anyone cares about using these binary signatures
I can not really say if I care or not, as I do not really know what
these binary signatures are. Care to send URL to pages
Marc 'HE' Brockschmidt writes:
I'd like to know if anyone cares about using these binary signatures
I do.
--
John Hasler
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
also sprach Marc 'HE' Brockschmidt [EMAIL PROTECTED] [2005.11.22.1650 +0100]:
As I'm responsible for most of dpkg-sig's code (and planned to do
some more work in the next two months) I'd like to know if anyone
cares about using these binary signatures or if I can invest my
time into something
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's
Matthew == Matthew Palmer [EMAIL PROTECTED] writes:
Matthew I'm keenly interested in per-package signatures for
Matthew Debian packages -- I think they're a great idea and it's
Matthew a pity that they haven't received more interest.
Same here.
I would really like to see all
Heya,
After discussing this in IRC, we agreed that I give a short overview
about the important stuff. As I'm quite lazy, I'm quoting James Troup
for the history bits:
elmo was written for Ubuntu, specifically because they were activating
data.tar.bz2 support in debs. as a side effect it also
Brian May [EMAIL PROTECTED] writes:
I've never seen dpkg-sig mentioned before, only debsigs,
so I'm not familiar with the tool itself, but the concept
is one that needs a lot more exposure.
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
No. dpkg-sig is
On Wed, Nov 23, 2005 at 10:29:32AM +1100, Brian May wrote:
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
As Mark said, it's not a name change. The FAQ on the dpkg-sig site
(http://dpkg-sig.turmzimmer.net/) has more info.
- Matt
--
To UNSUBSCRIBE,
101 - 157 of 157 matches
Mail list logo