Re: md5 hashes used in security announcements

2008-10-24 Thread Alexander Konovalenko
On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote: > [...] > > Additionally, it doesn't matter -- it's just the md5 in the email > announcement. The Release and Packages files for the archive have SHA1 > and SHA256. The md5 from the announcement is almost not important, > IMO --

Re: How to verify package integrity after they have been downloaded?

2008-04-05 Thread Alexander Konovalenko
On Sun, Apr 6, 2008, Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > In article <[EMAIL PROTECTED]> you wrote: > > I trust the archive maintainers and have a secure way to get a copy of > > their public key. I don't trust individual developers and cannot have > > all of their keys securely distribu

Re: How to verify package integrity after they have been downloaded?

2008-04-05 Thread Alexander Konovalenko
On Sun, Apr 6, 2008, Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > > It should be possible to verify the package on install time. (Especially > when not using apt-get). > > Not sure if debsig-verify can work in that environment. debsig-verify is not applicable in my case. It implements a differe

Re: How to verify package integrity after they have been downloaded?

2008-04-05 Thread Alexander Konovalenko
On Sun, Apr 6, 2008, Julien Stuby <[EMAIL PROTECTED]> wrote: > Hi, > > If some packages are locally modified, This suggests that your local system > is already compromised. > :¬ Of course. I will be verifying the integrity of my .deb files from another, more trusted system (a LiveCD or a hardene

How to verify package integrity after they have been downloaded?

2008-04-04 Thread Alexander Konovalenko
I would like to verify that some .deb files I downloaded a while ago (using apt) haven't been tampered with. (Actually, I'll be doing this kind of thing more than once.) I have the appropriate Release, Release.gpg and Packages files. As the apt-secure(8) manual page states, apt verifies the integr

Re: [Secure-testing-team] Vulnerabilities not affecting Debian: reporting proposal

2007-07-12 Thread Alexander Konovalenko
On 7/11/07, Alec Berryman <[EMAIL PROTECTED]> wrote: I can't speak for the security team, but the testing security team could always use more people doing what you apparently already do - determine which new CVEs affect Debian and find ways to get those issues fixed. Actually I'm not currently

Re: Vulnerabilities not affecting Debian: reporting proposal

2007-07-11 Thread Alexander Konovalenko
On 7/11/07, Martin Schulze <[EMAIL PROTECTED]> wrote: Do you know about http://www.debian.org/security/nonvulns-etch Oh, that's great. I should have read the website more carefully! Thanks. What about providing a more elaborate summary for some issues? Some entries merely say that the bug is

Vulnerabilities not affecting Debian: reporting proposal

2007-07-11 Thread Alexander Konovalenko
I would like to propose that Debian security teams publish a short report each time they review a vulnerability in a program that's included in Debian and find that the vulnerability does *not* affect Debian. Problem description When I maintain a secure machine, I naturally want to keep it secur

Re: How To Set Up Mail-out-only System ?

2004-02-11 Thread Alexander Konovalenko
>On Wed, 11 Feb 2004 01:41:13 +, I wrote: >The idea of removing the "-bd" switch from the Exim startup line in >/etc/init.d/exim is appealing, though I guess I'd have to remember to >make that amendment every time a major upgrade occurred ... in that >context, I suppose editing exim.conf is mor

Warning message about /boot/System.map-2.2.19

2001-06-12 Thread Alexander Konovalenko
ted. Feel free not to send your reply to debian-security if my problem is not related to security in any way. Please cc your reply to me. Please point out an appropriate place (a mailing list, a newsgroup) to ask more about my problem if it cannot be related to security. Regards, Alexander K
