
Re: percentage of popcon submitters




Russ Allbery wrote:
[...]
> what packages on your servers are missing security patches, basically

popularity-contest doesn't submit package versions, so it is not *that* easy to
know whether security updates have been installed or not.

As for security matters, popularity-contest could:
* randomly change the "recent" value of a random number of packages
* submit via https (or ftp+ssl), and/or even encrypt the data with gpg
* have some sort of apt-pinning so that it is possible to indicate that the data
corresponding to a given package(s) or repository(ies) should NOT be sent,
thereby preventing the "I know when you went on VAC because your
xfoo-bar-custom package is marked as old" information leak.

With those security measures I believe there's a slight chance that a few more
people (or institutions) will install popularity-contest.

Cheers,
Raphael Geissert
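An added sketch (not part of the original message, and not popularity-contest's own code) of two of the ideas listed above: an exclusion list for packages whose data must not be sent, and random blurring of the recency signal. The report line layout, the reading of the "recent" value as the `<OLD>` tag, the function name and the glob-style exclusion list are all assumptions made for illustration.

```python
import fnmatch
import random

# Constructed sample entries in an assumed popcon-like layout:
#   <atime> <ctime> <package> <most-recently-used file> [<OLD>]
SAMPLE_REPORT = [
    "1231286400 1220000000 coreutils /bin/ls",
    "1231286400 1220000000 bash /bin/bash",
    "1228000000 1220000000 xfoo-bar-custom /usr/bin/xfoo <OLD>",
    "1231200000 1220000000 openssh-server /usr/sbin/sshd",
    "1225000000 1220000000 acme-internal-tools /usr/bin/acme <OLD>",
]


def scrub_report(lines, exclude_globs, flip_fraction=0.0, rng=None):
    """Drop excluded packages, then blur the recency signal for a random subset.

    exclude_globs: package-name patterns whose entries must never be sent.
    flip_fraction: share of the remaining entries whose <OLD> tag is toggled,
                   so one entry's tag no longer proves use or non-use.
    """
    rng = rng or random.SystemRandom()
    kept = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: safer to drop than to forward
        package = fields[2]
        if any(fnmatch.fnmatchcase(package, g) for g in exclude_globs):
            continue  # locally built or sensitive package: never reported
        kept.append(fields)

    n_flip = round(len(kept) * flip_fraction)
    for fields in rng.sample(kept, n_flip):
        # Zero the timestamps on flipped entries so they cannot contradict the tag.
        fields[0] = fields[1] = "0"
        if fields[-1] == "<OLD>":
            fields.pop()
        else:
            fields.append("<OLD>")
    return [" ".join(f) for f in kept]


if __name__ == "__main__":
    for entry in scrub_report(SAMPLE_REPORT, ["xfoo-*", "acme-*"], flip_fraction=0.3):
        print(entry)
```
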

