FYI, I wrote a script to check the amd64 packages against the published
hash, if anyone wants to use it, it is attached.
.hc
Evgeny Kapun:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> is this vulnerability affecting also apt-get ?
>
> Yes, the vulnerability is in http
Ansgar Burchardt:
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven. There was a bug in apt where Debian devices could be
>>&g
Christoph Biedl:
> 林博仁 wrote...
>
>> I believe that there's no benefit on accessing Debian archive with HTTPS as
>> they uses GnuPG for authentication
>
> GnuPG indeed serves the purposes of authenticity and integrity very
> well. Modulo bugs every now and then, but they happen on other layers
Seems like a decent idea for this, if other packages need an insecure
openssl. As for making it hard to link to, the .so can be put into a
non-standard dir so it has to be explicitly enabled both with a
-lcrypto-insecure and -L/usr/lib/openssl-insecure.
.hc
Jonathan Yu:
> Given that this would b
Hans-Christoph Steiner:
>
>
> Peter Lawler:
>>
>>
>> On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
>>> second point requires a lot of work
>>> to resolve.
>>>
>>> Regards,
>>> Christoph
>>>
>>
>>
Peter Lawler:
>
>
> On 18/12/16 22:03, Christoph Moench-Tegeder wrote:
>> second point requires a lot of work
>> to resolve.
>>
>> Regards,
>> Christoph
>>
>
> Monday morning yet-to-be-caffienated thoughts...
>
> I'm going to ignore the 'inconvenience' because I think in this case
> that's a
Patrick Schleizer:
> Julian Andres Klode:
>> (2) look at the InRelease file and see if it contains crap
>> after you updated (if it looks OK, it's secure - you need
>> fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this?
neral:
* mostly various user utilities
* no setuid or special permissions
* only one daemon-like thing, adb, with no net access by default
* a good chunk is just files on the filesystem (e.g. libs for Android apps)
.hc
Hans-Christoph Steiner:
>
> BoringSSL is just a part of the Android SDK.
BoringSSL is just a part of the Android SDK. It has an unstable API
because it is only the C backing to a single Java library called
conscrypt. That library is in turn only used as part of the Android
SDK. Using the upstream build system, all of the source code is checked
out at once from many
René Mayrhofer wrote:
> On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
>>
>> W. Martin Borgert wrote:
>>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>>> * the signature files sign the package contents, not the hash of
>>>> whol
W. Martin Borgert wrote:
> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>> * the signature files sign the package contents, not the hash of
>> whole .deb file (i.e. control.tar.gz and data.tar.gz).
>
> So preinst and friends would not be signed? Sounds dangerou
Daniel Kahn Gillmor wrote:
> Thanks for the discussion, Hans.
>
> On 09/19/2014 02:47 PM, Hans-Christoph Steiner wrote:
>> Packages should not be accepted into any official repo, sid included, without
>> some verification builds. A .deb should remain unchanged once it is
Daniel Kahn Gillmor wrote:
> On 09/22/2014 04:06 PM, Hans-Christoph Steiner wrote:
>> I think we're starting to nail down the moving parts here, so I want to
>> outline that so we can find out the parts where we agree and where we
>> disagree.
>>
>> * I
Holger Levsen wrote:
> Hi Hans,
>
> On Mittwoch, 16. Juli 2014, Hans-Christoph Steiner wrote:
>> What I'm talking about already exists in Debian, but is rarely used.
>> dpkg-sig creates a signature that is embedded in the .deb file. So that
>> means no mat
On 07/17/2014 08:20 AM, Joel Rees wrote:
> A little context?
>
> On Thu, Jul 17, 2014 at 1:26 AM, Hans-Christoph Steiner wrote:
>> [...]
>> * TAILS is a Debian-based live CD
>> * the core system image by definition cannot be modified (live CD)
>> * it has a
On 07/16/2014 08:06 AM, Holger Levsen wrote:
> Hi,
>
> On Mittwoch, 16. Juli 2014, Michael Stone wrote:
>> Yes you are--what you described is exactly how the Release files work.
>
> Well, there are (many) other .debs on the net which are not part of our
> releases, so it still seems to me that
On 07/15/2014 02:11 PM, Michael Stone wrote:
> On Tue, Jul 15, 2014 at 01:28:08PM -0400, Hans-Christoph Steiner wrote:
>> How do you propose managing a distro that mostly needs apt as is, but other
>> times need "Acquire::Check-Valid-Until off;"? In other words, how wou
On 07/14/2014 01:57 PM, Michael Stone wrote:
> On Mon, Jul 14, 2014 at 01:22:10PM -0400, Hans-Christoph Steiner wrote:
>>> Or, you could make use of the Check-Valid-Until and Min-ValidTime options in
>>> apt.conf. There's a reason things are done the way they
On 07/14/2014 01:12 PM, Michael Stone wrote:
> On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
>> One place that this will help a lot is managing completely offline machines,
>> like machines for running secure build and signing processes. Right now,
On 07/14/2014 12:59 PM, Paul Wise wrote:
> On Tue, Jul 15, 2014 at 12:45 AM, Hans-Christoph Steiner wrote:
>
>> I'd like to contribute to this effort
>
> First thing is to get #733029 fixed, which involves disabling signing
> by default (signing should be done aft
On 07/14/2014 12:31 PM, Paul Wise wrote:
> On Tue, Jul 15, 2014 at 12:24 AM, Hans-Christoph Steiner wrote:
>
>> I agree that .deb packages should be individually signed
> ...
>> This has been discussed in the past. I really think it is just a
>> matter of someone do
es are
> cooperating with the NSA?
>
> So how can we really be sure that our Debian install has not been
> compromised from the beginning?
>
>
>
>
>
>
>
> On Thu, Jul 3, 2014 at 8:44 PM, Hans-Christoph Steiner
> wrote:
>
>>
>> After
On 07/07/2014 06:43 PM, Jeremie Marguerie wrote:
> On Mon, Jul 7, 2014 at 3:15 PM, Lou RUPPERT wrote:
>>> If I'm looking at a catalog page from a shoe store on my table,
>>> connected via the phone network, getting close to my 2G cap for my
>>> wireless router for the month. My battery's getting
On 07/06/2014 10:31 PM, Lou RUPPERT wrote:
> Joel Rees:
>> On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT
>> wrote:
>>
>> As someone pointed out, verifying the mirror we've connected to is
>> not useful when we don't particularly have, or want, a way to
>> prevent a spook-owned mirror from joining
On 07/06/2014 10:20 PM, Michael Stone wrote:
> On Sat, Jul 05, 2014 at 08:54:55AM +0900, Joel Rees wrote:
>> And you know, the funny thing is that MSIE took to "warning" people
>> when there was a mix of encrypted and unencrypted data on a page. How
>> long ago? Yeah, I know, it was so they could
On 07/04/2014 11:43 AM, Lou RUPPERT wrote:
> Joel Rees:
>> On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner
>> wrote:
>>>
>>> [rhetoric encouraging the use of TLS transport for mirrors] [list
>>> of current https mirrors]
>
>> Far be
After the latest revelation about NSA tracking all Tor downloads[1] (with
source code!) and the whole "Debian mirrors and MITM" redux, I think we should
start talking about concrete steps that we can take to improve the situation.
The first things that came to mind would be quite easy to do:
* i
On 07/03/2014 02:26 PM, Bernhard R. Link wrote:
> * Hans-Christoph Steiner [140703 18:10]:
>> You are correct that HTTPS would not entirely address #2, but it does
>> improve the situation over HTTP. For example, an ISP, network operator,
>> or government could block an
On 07/03/2014 03:08 PM, Michael Stone wrote:
> On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote:
>> Google uses SPKI pinning heavily, for example,
>> but they still use CA-signed certificates so their HTTPS works with Firefox,
>> IE, Opera, etc.
On 07/03/2014 12:58 PM, Reid Sutherland wrote:
>
> On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner wrote:
>>
>> SSH uses entirely unsigned keys, and it has proven a lot more reliable than
>> HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requi
On 07/03/2014 12:38 PM, Reid Sutherland wrote:
> On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner wrote:
>> As for how to manage making HTTPS by default, this does not require every
>> mirror buying HTTPS certificates every year from Certificate Authorities.
>&g
On Jul 3, 2014, at 12:10 PM, Hans-Christoph Steiner wrote:
>
> On Jul 3, 2014, at 11:52 AM, Michael Stone wrote:
>
>> On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
>>> I definitely agree there are legitimate concerns that using HTTPS on apt
On Jul 3, 2014, at 11:52 AM, Michael Stone wrote:
> On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
>> I definitely agree there are legitimate concerns that using HTTPS on apt
>> mirrors would help, and people who suggest otherwise are out of date on what
On Jul 3, 2014, at 11:55 AM, Reid Sutherland wrote:
> On Jul 3, 2014, at 11:09 AM, Hans-Christoph Steiner wrote:
>
>>
>> On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:
>>
>>> On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
>>>&g
On Jul 3, 2014, at 11:05 AM, Hans-Christoph Steiner wrote:
>
> On May 30, 2014, at 10:06 AM, micah anderson wrote:
>
>> Kurt Roeckx writes:
>>
>>> On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
>>>> On Fri, May 30, 2014, at 10:24 PM,
On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:
> On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
>> Now I don't want to call into question the esteemed authors of said
>> program, and depending libraries, but I do think that providing https
>> mirrors gives us two distinct advantage
On May 30, 2014, at 10:06 AM, micah anderson wrote:
> Kurt Roeckx writes:
>
>> On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
>>> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> The public Debian mirrors
On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:
> Quoting Jeremie Marguerie :
>> Thanks for bringing that issue! I feel the same way when I install a
>> packet from a non-official PPA.
>
> Unfortunately, every package can do anything: pre-inst, post-inst,
> pre-rm, post-rm run as root. If
On 01/26/2014 01:30 PM, Andrew McGlashan wrote:
> On 25/01/2014 7:39 PM, Emmanuel Thierry wrote:
>> Then DNSSEC appeared ! :)
>
> I wish it was that simple I don't believe it is today, but one day
> it will have to be the standard.
>
>> I remind you it is really difficult to compromise DNS
On 01/20/2014 12:22 PM, Octavio Alvarez wrote:
> On 01/20/2014 05:29 AM, Marco Saller wrote:
>> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux
>> Kernel Summit 2001)
>> Don't you think that may be one of their fancy tricks to gain access to
>> computers running linux?
On 11/12/2013 01:58 PM, Henrik Ahlgren wrote:
> On Tue, Nov 12, 2013 at 01:15:38PM -0500, Hans-Christoph Steiner wrote:
>> Having the key generated on the card is the most secure, since those cards
>> are
>> designed so you can't read the secret key off of the card. S
be the cost of replacing the
> certificate inside the device once/if compromised?
>
>
> 2013/11/12 Andreas Kuckartz
>
>> Hans-Christoph Steiner:
>>> The crypto smartcard (aka Hardware Security Module) are some work to
>> setup,
>>> but not really all that m
On 11/11/2013 07:41 PM, Jérémie Marguerie wrote:
> On Mon, Nov 11, 2013 at 2:48 PM, Mike Mestnik wrote:
>> I don't see how this is relevant? Obviously if hardware is seized then the
>> owners no longer have control. If you have suggestions as to how to secure
>> hardware that's great, but if y
On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
> Dnia 2013-10-30, śro o godzinie 11:34 -0200, Djones Boni pisze:
>> On 30-10-2013 11:05, Celejar wrote:
>>> You're snipping crucial context; my comment above was in response to
>>> this:
For apt-get a self-signed certificate could be used which co
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 08/29/2013 10:56 AM, Michael Stone wrote:
> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>> Yes but the whole thing looks weird, on one hand OP wants to include a
>> signed jar in the package, on the other hand he says "signa
I want to run an unusual idea by everyone here as an approach to getting an
outside signature into a packaged Java jar built from source on the Debian
build machines: we want to get http://martus.org packaged and into Debian.
Martus is an app that has high requirements for security, so they have a
On Oct 12, 2012, at 9:03 PM, Hans-Christoph Steiner wrote:
>
> On Oct 1, 2012, at 7:36 PM, Hans-Christoph Steiner wrote:
>
>> On 10/01/2012 06:32 PM, Stephen Lombardo wrote:
>>> Hello Florian,
>>>
>>> On Mon, Oct 1, 2012 at 1:57 PM, Florian Wei
On Oct 1, 2012, at 7:36 PM, Hans-Christoph Steiner wrote:
> On 10/01/2012 06:32 PM, Stephen Lombardo wrote:
>> Hello Florian,
>>
>> On Mon, Oct 1, 2012 at 1:57 PM, Florian Weimer wrote:
>>> Okay. Can your fork open unencrypted databases? Are there any symb
On 10/01/2012 06:32 PM, Stephen Lombardo wrote:
> Hello Florian,
>
> On Mon, Oct 1, 2012 at 1:57 PM, Florian Weimer wrote:
>> Okay. Can your fork open unencrypted databases? Are there any symbol
>> collisions with vanilla SQLite?
>>
> Yes, SQLCipher can open standard, unencrypted SQLite database
On 09/28/2012 04:23 PM, Florian Weimer wrote:
> * Hans-Christoph Steiner:
>
>> The tricky part is that it is a modified version of SQLite3, and lintian
>> properly gives an error about that. But because of the features that
>> SQLCipher provides, it must modify th
Hey all,
I'm reading to upload a new package called SQLCipher
(http://sqlcipher.net/) and I want to run it by y'all first. The upside
is that it provides AES256 encrypted SQLite databases in a DFSG-free
package that has been pretty widely tested, deployed and audited. You
can find out more here
51 matches
Mail list logo