Re: Key rollover instructions
On Wed, May 14, 2008 at 02:29:48PM -0400, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > Dear Web Team,
> > please fold in the information for the key rollover into the
> > website. The Security Team will collect and prepare information
> > through the wiki and by contacting maintainers and
> > send finalised instructions to you in regular intervals.
> > I think we should have an alphabetical list and a separate
> > page of packages known not to be vulnerable.
> I've committed an initial pass at this to CVS.
Thanks, there's more to come soon.
> Did put an alphabetical
> list at the top, but don't have a list of vulnerable packages included yet.
> (Afaik that list only needs gnupg, and some crypto filesystems on it?)
I think we should set the hurdle of understanding rather low.
E.g. MySQL uses OpenSSL for most distributions, while Debian uses
the internal yassl implementation.
I think it would be good to add such information even if strictly
speaking it can be figured out by looking at dependencies.
Or does anyone have concerns the list might become too convoluted?