
Re: Announce of a secure repo for debian



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, 31 May 2010 at 5:42, Christian PERRIER wrote:
> > This repository holds secured packages of the insecure debian packages
> > just without the insecure patch (or the insecurity patched). The full
> > sources are available to build. At the moment the repository holds
> > base-files, openssh and procmail.
> 
> Is this repository signed by a key?

Yes, my own key. But read below.

> Where is that key available?

On Keyservers and signed by many people.

> By who is this key signed?

Many people, including some DDs.

> Are there people around to speak and guarantee that the repository
> owner is not providing malicious packages through this "secured"
> repository?

That's the point. Nobody can do that. That's the reason I keep the
changes as small as possible and upload the full sources to the repo
too.

The point is that I cannot live with the insecure debian packages at
all. So I built those packages for myself. The repository is to give
the secured packages to people who need them too. There is no need to
reinvent the wheel every time.

> Don't take me wrong.

I do not. I was thinking about that too. But I decided to make it
available anyway.

> though I certainly do question the technical arguments you brought in
> this thread and the way you did it (the umask 'disaster').

Well, I think (and I am not alone with this opinion) that the umask
changes are a security disaster. And I do not want to make a secret of it.

> Unless the packages you provide are inspected by the same web of trust
> that lives around the official Debian repository,

Well, the web of trust seems to fail in this case.

> I think that potential users should definitely be warned that they're
> using it at their own risk (the same stands for any private
> repository, of course, including those I manage myself...:-)).

Yes, it's a good idea. At the moment the repository is just as it is and
it holds the secured packages I use myself. However, I will consider
adding such a note.

Regards
   Klaus
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTAN+Lp+OKpjRpO3lAQoMwAf+JvdiNfa+rJT48Ey6ZTIst5IZcKqFHxbU
h+/UwfW9jzNViVoV+lYgftM56lWDX3ka4+9eUzwtfvq1IA0ZswgjoqvO9oHhlnGR
SE66/aNC/U2WOIR3kbfsnzY1DRCKxuho27+kVUGypGYUzDQVkz48L26rU77gS9c/
9CtdzIxRUABUu44pCuLRCzHWad/0Tm6Qje4OEV4wWLrFfBFSBfYsVW65UlZLqO7G
h4pP0sb7F9Wtpjts+SShqyxrKXeUZITyQsiunIEzwiBc72vbKn9Ac/ODPouDihuJ
lynvhDCnJscnoo6HP5WUn9h2JvPcvrr3Rvg+bnlgt5K19tlkUpUSiA==
=uObw
-----END PGP SIGNATURE-----