Re: Anounce of a secure repo for debian
-----BEGIN PGP SIGNED MESSAGE-----
Am Mo den 31. Mai 2010 um 5:42 schrieb Christian PERRIER:
> > This repository holds secured packages of the insecure debian packages
> > just without the insecure patch (or the insecurity patched). The full
> > sources are available to build. At the moment the repository holds
> > base-files, openssh and procmail.
> Is this repository signed by a key?
Yes, my own key. But read below.
> Where is that key available?
On Keyservers and signed by many people.
> By who is this key signed?
Many people, including some DDs.
> Are there people around to speak and guarantee that the repository
> owner is not providing malicious packages through this "secured"
Thats the point. Nobody can do that. Thats the reason I hold the
changes as small as possible and upload the full sources to the repo
The point is that I cannot live with the insecure debian packages at
all. So I builded that packages for my own. The repository is to give
the secured packages to people who need it too. There is no need to
develop the wheel every time again.
> Don't take be wrong.
I do not. I was thinking about that too. But I decided to make it
> though I certainly do question the technical arguments you brought in
> this thread and the way you did it (the umsak 'disaster').
Well, I think (and I am not alone with this opinion) that the umask
changes are a security disaster. And I do not want to make secret of it.
> Unless the packages you provide are inspected by the same web of trust
> that lives around the official Debian repository,
Well, the web of trust seems to fail in this case.
> I think that potential users should definitely be warned that they're
> using it at their own risk (the same stands for any private
> repository, of course, including those I manage myself...:-)).
Yes, its a good idea. At the moment the repository is just as it is and
it holds the secured packages I use by my own. However, I will consider
to add such a note.
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----