=== EvilJackyAlcine is now known as JackyAlcine
=== JontheEchidna is now known as JontheEnchidna
=== JontheEnchidna is now known as JontheEchidna
=== tumbleweed_ is now known as tumbleweed
=== Quintasan_ is now known as Quintasan
=== yofel_ is now known as yofel
* SpamapS drops pin, hears it bounce 3 times | 15:23 |
* penguin42 picks up the pin and sticks it in SpamapS thumb | 15:40 |
vrum | a somewhat paranoid question: do maintainers for packages in main/universe have access to upload binaries compiled by themselves? | 16:50 |
vrum | or do ubuntu/canonical utilize some kind of a buildfarm (with strict access control) that compiles all packages found in these repos? | 16:51 |
Nafallo | the latter | 16:51 |
vrum | cool | 16:51 |
penguin42 | although they can stuff binaries into the packages in some cases - e.g. ia32-libs is done like that | 16:52 |
Nafallo | well, that's still a sourcecode upload though :-) | 16:53 |
Ampelbein | Hmm, I have a weird deja-vu feeling right now. vrum, did you ask that question before? | 16:57 |
vrum | Ampelbein: yep, in debian-devel, i'm contemplating debian vs ubuntu | 16:57 |
Ampelbein | vrum: Ah, ok. So I'm not crazy after all. ;-) | 16:57 |
Nafallo | Ampelbein: ... or at least not as obviously ;-) | 16:58 |
vrum | was always a debian user, but knowing of Ubuntu's usage of the hardening wrappers + this makes ubuntu sound promising | 16:58 |
Ampelbein | vrum: debian has adopted hardening flags as a release goal, http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags | 16:59 |
vrum | yea i've been reading about that; sounds hopeful | 17:01 |
nullie | Hello. Does indicator development belong to app-devel channel? | 21:21 |
trinikrono | nullie: ask maybe in motu since no one seems to be in | 21:34 |
vrum | are the md5/sha*-fields in Packages optional? | 23:47 |
vrum | reference: http://dangertux.wordpress.com/2011/11/29/trusted-respitories-not-so-trustworthy/ | 23:48 |
vrum | seems rather laughable if the only thing needed to distribute malicious packages is to compromise a mirror and change/remove those fields for said package | 23:48 |
penguin42 | vrum: Ouch | 23:50 |
ion | Huh. Isn’t the signature of Packages checked? | 23:50 |
elmo | the signature of Releases is checked, and it contains hashsums of the Packages files | 23:52 |
elmo | so, I'm not sure how they managed (or claim to have managed) to alter the Packages file without apt freaking out | 23:53 |
stgraber | yeah, that example simply can't work without showing a warning (either md5 mismatch or signature mismatch or "unsigned packages") | 23:53 |
stgraber | unless he signed it with another key that's added to his apt keyring (apparently not the case) | 23:54 |
stgraber | I know apt isn't complaining a lot when it's the first time you add a repository that's not signed though, but that's definitely not the case of security.u.c | 23:54 |
vrum | okay, will try myself when i sober up a bit. sounds quite strange/pointless to sign anything package-related if it'd work though | 23:58 |
broder | what about stripping the signatures from the Release file, though? | 23:58 |
broder | does apt yell in the same way about unsigned Release files that it does for Release files signed with a key you don't have? | 23:59 |
stgraber | IIRC it complains heavily if you do it once it already knows the repository | 23:59 |
stgraber | so if you add a new unsigned repository, it won't complain about it | 23:59 |