Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-22 Thread Holger Levsen
Hi Christoph,

On Sunday, 22 June 2014, Christoph Anton Mitterer wrote:
> To be honest, Holger, I don't know why you've asked me to report these
> issues at all, [...]

so they are tracked and easy to be referenced - #752275 is way better than several message-ids on lists.d.o.

> But now I just

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-22 Thread Christoph Anton Mitterer
On Sun, 2014-06-22 at 12:27 +0200, Holger Levsen wrote:
> On Sunday, 22 June 2014, Christoph Anton Mitterer wrote:
> > > one or two bug reports might be oh so more useful than posting on -devel.
> > #752275 and #752277
>
> thanks for these!

To be honest, Holger, I don't know why you've asked m

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-22 Thread Holger Levsen
Hi Christoph,

On Sunday, 22 June 2014, Christoph Anton Mitterer wrote:
> > one or two bug reports might be oh so more useful than posting on -devel.
> #752275 and #752277

thanks for these!

cheers,
Holger

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
On Wed, 2014-06-18 at 13:55 +0200, Jakub Wilk wrote:
> Yes, maintaining packages properly takes time. If packaging new upstream
> releases is too much effort, why bother uploading it to Debian in the
> first place?

Actually, I think everything that tries to circumvent the package management syst

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
FYI:

On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote:
> one or two bug reports might be oh so more useful than posting on -devel.

#752275 and #752277

Cheers,
Chris.

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-21 Thread Christoph Anton Mitterer
Hey Holger,

On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote:
> > It also doesn't seem to protect against downgrading attacks... (see my
> > previous post about that).
> one or two bug reports might be oh so more useful than posting on -devel.

I will submit tickets for the ones I know (as s

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-18 Thread Jakub Wilk
* Holger Levsen, 2014-06-18, 12:46:
usually one should depend on a fixed hash in such downloader packages... doing it with gpg is securely possible, but much more complicated. and then for each update you need to update the launcher package - that's an awful lot of work for little / no gain

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-18 Thread Holger Levsen
Hi,

On Wednesday, 18 June 2014, Christoph Anton Mitterer wrote:
> torbrowser-launcher seems to use the keys from the upstream
> developers... basically giving them (who are not DDs) the potential
> power to install _any_ code in the system of Debian users.

fun fact: there's at least one DD among

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-17 Thread Christoph Anton Mitterer
On Tue, 2014-06-17 at 13:39 +0200, Holger Levsen wrote:
> > Well I guess the reason for flash is rather the license, isn't it?
> no, it's in contrib, because it's a downloader package.

Well sure... but flash itself is not in main for its license...

> both torbrowser-launcher as well as flashplu

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-17 Thread Holger Levsen
Hi Christoph,

On Monday, 16 June 2014, Christoph Anton Mitterer wrote:
> Well I guess the reason for flash is rather the license, isn't it?

no, it's in contrib, because it's a downloader package.

> Anyway... just because something is in contrib/non-free for legal
> reasons... I see no necessit

Re: sofftware outside Debian (Re: holes in secure apt)

2014-06-16 Thread Christoph Anton Mitterer
On Thu, 2014-06-12 at 23:06 +0200, Holger Levsen wrote:
> both flashplugin-nonfree and torbrowser-launcher are (or will be) in contrib
> (and thus not be part of Debian) for exactly those reasons you described.

Well I guess the reason for flash is rather the license, isn't it?

Anyway... just bec

sofftware outside Debian (Re: holes in secure apt)

2014-06-12 Thread Holger Levsen
Hi Christoph,

On Thursday, 12 June 2014, Christoph Anton Mitterer wrote:
[many things]

both flashplugin-nonfree and torbrowser-launcher are (or will be) in contrib (and thus not be part of Debian) for exactly those reasons you described. And both rightfully belong to contrib, even though tor