Re: Bad press again...

2005-09-01 Thread Florian Weimer
* Paul Gear: > It makes perfect sense to me... All it's saying is that IP-to-MAC > mappings are cached in the 'Recent' set for each interface for > $MACLIST_TTL seconds without requiring them to be passed through the MAC > filter for every packet. The problem is this sentence: "Subsequent connec

Re: Bad press again...

2005-08-31 Thread Paul Gear
Florian Weimer wrote: > ... > # When a new connection arrives from a 'maclist' interface, the packet passes > # through the list of entries for that interface in /etc/shorewall/maclist. > If > # there is a match then the source IP address is added to the 'Recent' set for > # that interface. Subse

Re: Bad press again...

2005-08-31 Thread Florian Weimer
* Michael Stone: > On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote: >>I think this part of the diff is pretty instructive, together with >>upstream's explanation: > > Frankly, no, it's not. > >> if [ -n "$MACLIST_TTL" ]; then >> chain1=$(macrecent_target $interface) >

Bug#318946: Info received (was Bad press again...)

2005-08-30 Thread Debian Bug Tracking System
Thank you for the additional information you have supplied regarding this problem report. It has been forwarded to the package maintainer(s) and to other interested parties to accompany the original report. Your message has been sent to the package maintainer(s): Lorenzo Martignoni <[EMAIL PROTE

Re: Bad press again...

2005-08-30 Thread Florian Weimer
* Paul Gear: > Florian Weimer wrote: >> ... >> It seems that shorewall generates an ACL that ACCEPTs all traffic once >> a MAC rule matches. Further rules are not considered. The >> explanations in version 2.2.3 seem to indicate that this was the >> intended behavior, but its implications surpri

Re: Bad press again...

2005-08-30 Thread Florian Weimer
* Paul Gear: > The maintainer is not the problem. Lorenzo has prepared 2.2.3-2 for > sarge [1] and has tested the before and after situations and found that > the bug is fixed. The problem is no response from Martin Schulze. > > [1] http://idea.sec.dico.unimi.it/~lorenzo/tmp/ This information s

Re: Bad press again...

2005-08-30 Thread Paul Gear
Florian Weimer wrote: > ... > It seems that shorewall generates an ACL that ACCEPTs all traffic once > a MAC rule matches. Further rules are not considered. The > explanations in version 2.2.3 seem to indicate that this was the > intended behavior, but its implications surprised upstream, and a >

Re: Bad press again...

2005-08-30 Thread Paul Gear
Florian Weimer wrote: > ... >>If we're going to have another crack at it, then, what track should we >>take? Reopen the bug as Florian suggested, > ... >>email the security team, just keep pestering Joey? > > > IMHO, the first step would be to convince the shorewall maintainer > that a security

Re: Bad press again...

2005-08-30 Thread Petter Reinholdtsen
[Frans Pop] > IMO the status of the security team is not changed by that mail: if > it was delegated before that time, it still is, and similar if it > was not. Personally, I only find it reasonable that all groups in Debian with special privileges within the Debian community are delegates. It a

Re: Bad press again...

2005-08-30 Thread Frans Pop
On Tuesday 30 August 2005 10:34, Antti-Juhani Kaijanaho wrote: > Frans Pop wrote: > > On Monday 29 August 2005 22:23, Florian Weimer wrote: > >>I've obtained permission from tbm to quote the message reproduced > >>below in public. This should make it clear that the intent was to > >>delegate: "Nac

Re: Bad press again...

2005-08-30 Thread Antti-Juhani Kaijanaho
Frans Pop wrote: > On Monday 29 August 2005 22:23, Florian Weimer wrote: > >>I've obtained permission from tbm to quote the message reproduced >>below in public. This should make it clear that the intent was to >>delegate: "Nach [URL] hat debian-admin klar die Authorität" -- >>"according to [URL]

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote: I think this part of the diff is pretty instructive, together with upstream's explanation: Frankly, no, it's not. if [ -n "$MACLIST_TTL" ]; then chain1=$(macrecent_target $interface) createchain $

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: > * Steve Wray: > > I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected only... you aren't and the firewall hasn't been updated? Is that enough of a security problem for the fix to get i

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Steve Wray: >>>I view this as a security problem because what if you *think* you've >>>made changes to your firewall and are now protected only... you aren't >>>and the firewall hasn't been updated? >>> >>>Is that enough of a security problem for the fix to get into stable? >> >> >> The underly

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: > * Steve Wray: > > >>Another example is fwbuilder which *silently* fails to overwrite its >>generated script at compile time if the user doesn't have write >>permissions on the existing script. > > > Most bugs in security tools are security bugs. We have to draw a line >

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Michael Stone: > On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote: >>IMHO, Debian should publish at least a DSA that explains this >>discrepancy, especially if the package maintainer also thinks that >>it's necessary. > > Thank you for your input. Would anyone else like to register

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Steve Wray: > Another example is fwbuilder which *silently* fails to overwrite its > generated script at compile time if the user doesn't have write > permissions on the existing script. Most bugs in security tools are security bugs. We have to draw a line somewhere, otherwise "stable" becomes

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote: IMHO, Debian should publish at least a DSA that explains this discrepancy, especially if the package maintainer also thinks that it's necessary. Thank you for your input. Would anyone else like to register their opinion? BTW, did y

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: > * Michael Stone: > > >>Contact the security team. Describe the bug in such a way that the >>security team understands its severity and impact. It is not sufficient >>to say "just trust me and issue an advisory". From what I've seen so far >>this is not the obvious buffer o

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Michael Stone: > Contact the security team. Describe the bug in such a way that the > security team understands its severity and impact. It is not sufficient > to say "just trust me and issue an advisory". From what I've seen so far > this is not the obvious buffer overflow sort of bug, it's a c

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Tue, Aug 30, 2005 at 06:48:07AM +1000, Paul Gear wrote: If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, email the security team, just keep pestering Joey? Contact the security team. Describe the bug in such a way that the sec

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 22:23, Florian Weimer wrote: > I've obtained permission from tbm to quote the message reproduced > below in public. This should make it clear that the intent was to > delegate: "Nach [URL] hat debian-admin klar die Authorität" -- > "according to [URL], debian-admin clearly

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: > If we're going to have another crack at it, then, what track should we > take? Reopen the bug as Florian suggested, According to a recent discussion on -devel, this bug is still open. The BTS web is a bit confusing. > email the security team, just keep pestering Joey? IMHO, the

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: > ... > I also disagree with the characterization that much effort > has been put into describing the bug. If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, email the security team, just keep pestering Joey? I d

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: >> In the latter case, such discussion should be Cc:ed to the bug >> report, IMHO. > > Is that a policy issue, common convention, or just a suggestion? It's a suggestion ("IMHO"). I would like to see it as a common convention. I think there are many little things which should be do

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: > * Paul Gear: > > >>I don't know upon what you're basing your characterization, but I'm >>party to at least 3 emails to Joey describing the nature of the bug >>in sufficient detail to understand it as a security flaw. > > > Was this pre- or post-disclosure? There was no

Re: Bad press again...

2005-08-29 Thread Michael Stone
Could we move this thread to -project or -curiosa? Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Frans Pop: > On Monday 29 August 2005 21:40, Florian Weimer wrote: >> > I see no "(as DPL) I appoint" or "I delegate" in that mail. >> >> This is not necessary. > > I'm sorry, but I still think you're doing creative reading. There is only > an announcement of the addition of a new member to an

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 21:40, Florian Weimer wrote: > > I see no "(as DPL) I appoint" or "I delegate" in that mail. > > This is not necessary. I'm sorry, but I still think you're doing creative reading. There is only an announcement of the addition of a new member to an existing team. There is

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Frans Pop: > On Monday 29 August 2005 20:13, Florian Weimer wrote: >> Martin Michlmayr has made the security team a delegate by this >> message: >> > > Huh? I read no formal delegation in that message. There are no formal req

Re: Bad press again...

2005-08-29 Thread martin f krafft
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.29.2013 +0200]: > > 2) I bring the Debian Security Team under delegation[2]. > > Martin Michlmayr has made the security team a delegate by this > message: > > > > Have yo

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 20:13, Florian Weimer wrote: > Martin Michlmayr has made the security team a delegate by this > message: > Huh? I read no formal delegation in that message. It just states that he talked to some people a

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Branden Robinson: > 2) I bring the Debian Security Team under delegation[2]. Martin Michlmayr has made the security team a delegate by this message: Have you withdrawn this delegation in the meantime? AIUI, DPL elections d

Re: Bad press again...

2005-08-29 Thread martin f krafft
also sprach Branden Robinson / Debian Project Leader <[EMAIL PROTECTED]> [2005.08.29.1846 +0200]: > As far as I know, the stable/oldstable security team was never (recently) > down to Joey S. alone. Mike Stone and Steve Kemp have been active members > for some time (Steve was, as I understand it,

Re: Bad press again...

2005-08-29 Thread Steve Kemp
On Mon, Aug 29, 2005 at 11:46:24AM -0500, Branden Robinson / Debian Project Leader wrote: > As far as I know, the stable/oldstable security team was never (recently) > down to Joey S. alone. Mike Stone and Steve Kemp have been active members > for some time (Steve was, as I understand it, promot

Re: Bad press again...

2005-08-29 Thread Branden Robinson / Debian Project Leader
On Sat, Aug 27, 2005 at 10:40:36PM +0200, martin f krafft wrote: > Following the debate around LinuxTag, Branden put a trusted and very > active and skilled developer on the task to research the security > problems. Unfortunately, he has not been able to get far with this > job yet, probably due to

Re: Bad press again...

2005-08-29 Thread Branden Robinson / Debian Project Leader
On Fri, Aug 26, 2005 at 04:39:04PM +, W. Borgert wrote: > On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote: > > Heck, we *should* have a responsive and communicative security team. > > Do we have a security team for stable? I know that we have a > security team for testing con

Re: Bad press again... decisions

2005-08-29 Thread Alvin Oga
On Mon, 29 Aug 2005, Paul Gear wrote: ... [ prev process/procedure snipped ] > What makes you think that this didn't occur? sounds like a normal thing .. good > > joey and crew can't possibly examine, review, fix, verify all bugs > > no matter how good of an expert security coder they were >

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: > I don't know upon what you're basing your characterization, but I'm > party to at least 3 emails to Joey describing the nature of the bug > in sufficient detail to understand it as a security flaw. Was this pre- or post-disclosure? In the latter case, such discussion should be Cc:

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Mon, Aug 29, 2005 at 09:53:15PM +1000, Paul Gear wrote: Michael Stone wrote: I also disagree with the characterization that much effort has been put into describing the bug. I don't know upon what you're basing your characterization I reviewed the security team mail before I responded. M

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: >>>There certainly have been exceptions to that rule. The maintainer of >>>shorewall has been trying for weeks to get a DSA issued about a >>>vulnerability, and it seems we have to convince Joey that it *is* a >>>vulnerability before he'll issue it. >> >> >> Is this #318946? > >

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: > * Paul Gear: > > >>There certainly have been exceptions to that rule. The maintainer of >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vulnerability before he'll issue it. > > >

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: > ... >> There certainly have been exceptions to that rule. The maintainer of >> shorewall has been trying for weeks to get a DSA issued about a >> vulnerability, and it seems we have to convince Joey that it *is* a >> vulnerability before he'll issue it. > ... > > I disagree

Re: Bad press again...

2005-08-29 Thread Paul Gear
Alvin Oga wrote: > ... >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vulnerability before he'll issue it. (I don't understand this - how can >>Joey even *try* to understand every security bug?) Repeated at

Re: Bad press again...

2005-08-29 Thread Paul Gear
Goswin von Brederlow wrote: > ... >>There certainly have been exceptions to that rule. The maintainer of >>shorewall has been trying for weeks to get a DSA issued about a >>vulnerability, and it seems we have to convince Joey that it *is* a >>vulnerability before he'll issue it. (I don't understa

Re: Bad press again...

2005-08-29 Thread Alvin Oga
On Mon, 29 Aug 2005, Paul Gear wrote: > > if it's important... they will post dsa ?? > > There certainly have been exceptions to that rule. The maintainer of there will always be exceptions ... > shorewall has been trying for weeks to get a DSA issued about a > vulnerability, and it seems we

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: > There certainly have been exceptions to that rule. The maintainer of > shorewall has been trying for weeks to get a DSA issued about a > vulnerability, and it seems we have to convince Joey that it *is* a > vulnerability before he'll issue it. Is this #318946? This one is tagge

Re: Bad press again...

2005-08-29 Thread Jan Luehr
Greetings, On Friday, 26 August 2005 01:57, Ralph Katz wrote: > On 08/25/2005 06:10 PM, Stefan Fritsch wrote: > >>> Do they have some monitoring script? Or some monitoring people? > >>> (Might be interesting to know who: [disgruntled users? the > >>> competition?]) > > > > cron-apt will send yo

Re: Bad press again...

2005-08-28 Thread Goswin von Brederlow
Paul Gear <[EMAIL PROTECTED]> writes: > Alvin Oga wrote: >> >> On Sun, 28 Aug 2005, Florian Weimer wrote: >> >> >>>AFAIK, you can only blame the security team for lack of communication. >> >> >> nah ... they're doing fine .. to the extent is needed ?? >> >> if it's important... they will pos

Re: Bad press again...

2005-08-28 Thread Michael Stone
On Mon, Aug 29, 2005 at 07:40:23AM +1000, Paul Gear wrote: There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it.

Re: Bad press again...

2005-08-28 Thread Paul Gear
Alvin Oga wrote: > > On Sun, 28 Aug 2005, Florian Weimer wrote: > > >>AFAIK, you can only blame the security team for lack of communication. > > > nah ... they're doing fine .. to the extent is needed ?? > > if it's important... they will post dsa ?? There certainly have been exceptions to t

Re: Bad press again...

2005-08-28 Thread martin f krafft
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.08.28.1328 +0200]: > nah ... they're doing fine .. to the extent is needed ?? > if it's important... they will post dsa ?? Where have you been? > what i think is needed is an automated script that checks > debian against known exploits or a way to v

Re: Bad press again...

2005-08-28 Thread Alvin Oga
On Sun, 28 Aug 2005, Florian Weimer wrote: > AFAIK, you can only blame the security team for lack of communication. nah ... they're doing fine .. to the extent is needed ?? if it's important... they will post dsa ?? > They were ready to upload the packages, but the infrastructure to > process

Re: Bad press again...

2005-08-28 Thread Florian Weimer
* martin f. krafft: > also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.28.1154 +0200]: >> Or are there many packages with backported security patches, ready >> for upload, and the security team does not act on them? I don't >> think so. > > This was the case throughout June. AFAIK, you ca

Re: Bad press again...

2005-08-28 Thread martin f krafft
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.28.1154 +0200]: > Or are there many packages with backported security patches, ready > for upload, and the security team does not act on them? I don't > think so. This was the case throughout June. > Maybe that's because it was a non-issue

Re: Bad press again...

2005-08-28 Thread Florian Weimer
* Petter Reinholdtsen: > [Florian Weimer] >> Correct me if I'm wrong, but the current team doesn't seem to want >> new members. > > I've been told that the current stable security team consists of one > person doing the work, Martin Schulze. If this "team" does not want new > members, something stra

Re: Bad press again...

2005-08-28 Thread Florian Weimer
* martin f. krafft: >> I don't think so. Joey seems to be satisfied with this situation, > > How would you know? Joey doesn't ignore all mail, only some of it. > That's because complaints don't actually have any result, so I, for > instance, have stopped. I've pointed to severe problems with De

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.28.0025 +0200]: > In short, I see no downsides to helping out the testing security team > while we at the same time try to address the issues with stable > security work. I was not trying to suggest so. The testing security team is a tru

Re: Bad press again...

2005-08-27 Thread Petter Reinholdtsen
[Martin F Krafft] >> And prospective security team members should start working in the >> testing security team. There is no need to keep secrets (all is done >> in public), > > Which doesn't address the problem that embargoed bugs are possibly > handled suboptimally in Debian. > > And it does n

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.27.2255 +0200]: > I've been told that the current stable security team consists of one > person doing the work, Martin Schulze. If this "team" does not want new > members, something strange is afoot. At least one other member is working ac

Re: Bad press again...

2005-08-27 Thread Petter Reinholdtsen
[Florian Weimer] > Correct me if I'm wrong, but the current team doesn't seem to want > new members. I've been told that the current stable security team consists of one person doing the work, Martin Schulze. If this "team" does not want new members, something strange is afoot. And prospective sec

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1107 +0200]: > > Do we have a security team for stable? I know that we have a > > security team for testing consisting of nine DDs and ten > > non-DDs, but it seems to me that stable is handled by Joey > > alone. Has this changed since

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.2019 +0200]: > Show how much they know about Solaris security. Still, why don't you drop > by IRC and try to talk to Branden and Joey? Branden is offline, and Joey can't be bothered to talk about this stuff with me, it seems

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, martin f krafft wrote: > security; every additional day hurts the project reputation severely, > at least here in Germany and Switzerland. I have clients (one of > which is a major German bank) voicing their concerns and considering > switching away from Debian to Solaris becaus

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1720 +0200]: > Huh? They probably do, for all I know. Whether they have people > they trust for the job right now is something else, though. We > can probably expect It's hard to tell for the requirements are not publicly av

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, Florian Weimer wrote: > * Henrique de Moraes Holschuh: > > On Sat, 27 Aug 2005, Florian Weimer wrote: > >> I don't think so. Joey seems to be satisfied with this situation, and > >> apart from unanswered email messages to <[EMAIL PROTECTED]>, there > >> are few complaints, AFA

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, Henrique de Moraes Holschuh wrote: > For this to work, you need a master s.d.o mirror, and automatic signing (so > that you can keep the timestamping as low as a few hours). This gives you a > mirror network, with the same single "owning" point of failure we have right > now.

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1648 +0200]: > Correct me if I'm wrong, but the current team doesn't seem to want > new members. If you nevertheless force new members upon them, you > are in fact looking for a complete replacement. This is what > I call "drastic". When

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* martin f. krafft: > FWIW, Florian sent me this interesting link: > http://www.cs.berkeley.edu/~nweaver/0wn2.html This was only intended as an explanation of the term "single point of ownership". I don't agree with Nicholas Weaver's analysis.

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
Hi martin! On Sat, 27 Aug 2005, martin f krafft wrote: > also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 > +0200]: > > > security.debian.org already is a Single Point of Ownership. I don't > > > think we need multiple ones, so this is definitely a post-etch thing. >

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* martin f. krafft: > also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 > +0200]: >> > security.debian.org already is a Single Point of Ownership. I don't >> > think we need multiple ones, so this is definitely a post-etch thing. >> >> Irrelevant if secure apt is depl

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* Henrique de Moraes Holschuh: > On Sat, 27 Aug 2005, Florian Weimer wrote: >> * martin f. krafft: >> > I think Alvin was alluding to how it *should* be solved. As in: we >> > should have more than one security server, globally spaced. >> >> security.debian.org already is a Single Point of Owners

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* Petter Reinholdtsen: > The count of open security issues in stable and oldstable is probably > a better measuring meter, and it does not look too good. Security support is a task for Debian as a whole, not just the security team. IMHO, the main role of the security team is information sharing,

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Rudolf Lohner <[EMAIL PROTECTED]> [2005.08.27.1651 +0200]: > This scenario could be avoided if s.d.o would authenticate itself. > Is authentication of the server something which has been considered > with secure apt? I've suggested this before but never had the time to implement it. Pat

Re: Bad press again...

2005-08-27 Thread Rudolf Lohner
On Saturday, 27 August 2005 15:44, martin f krafft wrote: > No. Imagine exim gets a root exploit and I spoof the DNS to some > mirror of s.d.o. That mirror will be consistent wrt secure APT, but > it won't get updates, so admins who don't follow DSAs and run > apt-get upgrade consciously and caref

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* Henrique de Moraes Holschuh: > On Sat, 27 Aug 2005, Florian Weimer wrote: >> I don't think so. Joey seems to be satisfied with this situation, and >> apart from unanswered email messages to <[EMAIL PROTECTED]>, there >> are few complaints, AFAIK. The email part is very unfortunate indeed, >> b

Re: Bad press again...

2005-08-27 Thread W. Borgert
On Sat, Aug 27, 2005 at 11:07:21AM +0200, Florian Weimer wrote: > apart from unanswered email messages to <[EMAIL PROTECTED]>, there > are few complaints, AFAIK. The email part is very unfortunate indeed, I'm not entirely happy with the lack of redundancy. Given the (not only commercial) signifi

Re: Bad press again...

2005-08-27 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]: > > security.debian.org already is a Single Point of Ownership. I don't > > think we need multiple ones, so this is definitely a post-etch thing. > > Irrelevant if secure apt is deployed correctly. No. Imagine

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, Florian Weimer wrote: > I don't think so. Joey seems to be satisfied with this situation, and > apart from unanswered email messages to <[EMAIL PROTECTED]>, there > are few complaints, AFAIK. The email part is very unfortunate indeed, > but it probably doesn't warrant drastic

Re: Bad press again...

2005-08-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, Florian Weimer wrote: > * martin f. krafft: > > I think Alvin was alluding to how it *should* be solved. As in: we > > should have more than one security server, globally spaced. > > security.debian.org already is a Single Point of Ownership. I don't > think we need multiple

Re: Bad press again...

2005-08-27 Thread Petter Reinholdtsen
[Florian Weimer] > I don't think so. Joey seems to be satisfied with this situation, > and apart from unanswered email messages to <[EMAIL PROTECTED]>, > there are few complaints, AFAIK. I'm not sure if the satisfaction of Martin Schulze is a good measuring stick to judge the quality of the stabl

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* W. Borgert: > Do we have a security team for stable? I know that we have a > security team for testing consisting of nine DDs and ten > non-DDs, but it seems to me that stable is handled by Joey > alone. Has this changed since the havoc a few months ago? I don't think so. Joey seems to be

Re: Bad press again...

2005-08-27 Thread Florian Weimer
* martin f. krafft: > I think Alvin was alluding to how it *should* be solved. As in: we > should have more than one security server, globally spaced. security.debian.org already is a Single Point of Ownership. I don't think we need multiple ones, so this is definitely a post-etch thing.

Re: Bad press again...

2005-08-26 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.08.26.1907 +0200]: > security.debian.org is not a server, it's a DNS A record. It's > a whole lot easier to point that elsewhere in case of problems than > expecting users to make sense of the errors they get when some > servers can't be reached

Re: Bad press again...

2005-08-26 Thread martin f krafft
also sprach tomasz abramowicz <[EMAIL PROTECTED]> [2005.08.26.1836 +0200]: > why aren't all redundant security servers included in the sources.list, > or why doesn't it ask at install time to include all backup security servers? > as well as security.debian.org? security.debian.org is not a server,

Re: Bad press again...

2005-08-26 Thread W. Borgert
On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote: > Heck, we *should* have a responsive and communicative security team. Do we have a security team for stable? I know that we have a security team for testing consisting of nine DDs and ten non-DDs, but it seems to me that stable i

Re: Bad press again...

2005-08-26 Thread tomasz abramowicz
martin f krafft wrote: also sprach Timo Veith <[EMAIL PROTECTED]> [2005.08.26.1726 +0200]: either case can be solved by: security1.debian.org in LA and security2.debian.org in NYC and security3.debian.org in berlin :-) Reading Package Lists... Done Building Dependency Tree Reading extended s

Re: Bad press again...

2005-08-26 Thread martin f krafft
also sprach Luis M <[EMAIL PROTECTED]> [2005.08.26.1750 +0200]: > perhaps instead of security2.d.o securityN.d.o it should be done like > the ftp aliases: > > security.us.d.o (or better by location like: security.us.ny.d.o) > security.de.d.o, etc... No matter what they are called, it should be poss

Re: Bad press again...

2005-08-26 Thread Luis M
perhaps instead of security2.d.o securityN.d.o it should be done like the ftp aliases: security.us.d.o (or better by location like: security.us.ny.d.o) security.de.d.o, etc... I guess once GPG signed packages (now in Sid) become a reality, these things can be done more safely. -- )(- Lui

Re: Bad press again...

2005-08-26 Thread martin f krafft
also sprach Timo Veith <[EMAIL PROTECTED]> [2005.08.26.1726 +0200]: > >either case can be solved by: security1.debian.org in LA > >and security2.debian.org in NYC and security3.debian.org in berlin :-) > > Reading Package Lists... Done > Building Dependency Tree > Reading extended state informati

Re: Bad press again...

2005-08-26 Thread Steven Brunasso
Yep, that is bad, even here from LA. [EMAIL PROTECTED] ~]$ dig  security1.debian.org @samosa.debian.org. ; <<>> DiG 9.2.5 <<>> security1.debian.org @samosa.debian.org. ; (1 server found) ;; global options:  printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14151 ;; flag

Re: Bad press again...

2005-08-26 Thread Timo Veith
Alvin Oga wrote: either case can be solved by: security1.debian.org in LA and security2.debian.org in NYC and security3.debian.org in berlin :-) This is interesting but: Reading Package Lists... Done Building Dependency Tree Reading extended state information Initializing package states...

Re: Re: Bad press again...

2005-08-25 Thread Ralph Katz
On 08/25/2005 06:10 PM, Stefan Fritsch wrote: > >>> Do they have some monitoring script? Or some monitoring people? >>> (Might be interesting to know who: [disgruntled users? the >>> competition?]) > > > cron-apt will send you a mail. > > Aug 25 05:16:31 xxx cron-apt: Failed to fetch > http://

Re: Bad press again...

2005-08-25 Thread Stefan Fritsch
On Thursday 25 August 2005 23:33, Peer Janssen wrote: > Do they have some monitoring script? Or some monitoring people? > (Might be interesting to know who: [disgruntled users? the > competition?]) cron-apt will send you a mail. Aug 25 05:16:31 xxx cron-apt: Failed to fetch http://security.debia

Re: Bad press again...

2005-08-25 Thread Peer Janssen
On Thu, 25 Aug 2005, Jan Luehr wrote: again the debian security infrastructure has proved to be accident sensitive. [...] Sometimes it just bothers me to read this news on heise.de first. Nothing on deb-ann dev-ann or sec-ann. What's wrong here? Maybe you can plug into the same sens

Re: Bad press again...

2005-08-25 Thread Alvin Oga
On Thu, 25 Aug 2005, Jan Luehr wrote: > Again the debian security infrastructure has proved to be accident > sensitive. > This night, power supply broke down, > taking security.debian.org being > responsible for delivering updates offline. The power cut off happened in the > data center rac

Bad press again...

2005-08-25 Thread Jan Luehr
Greetings, today the German publishing house heise reports disruptions in debian-security http://www.heise.de/newsticker/meldung/63242 Rather free translation: "Breakdown at debian security Again the debian security infrastructure has proved to be accident sensitive. This night, power supply b