[15:23]  * SpamapS drops pin, hears it bounce 3 times
[15:40]  * penguin42 picks up the pin and sticks it in SpamapS thumb
[16:50] <vrum> a somewhat paranoid question: do maintainers for packages in main/universe have access to upload binaries compiled by themselves?
[16:51] <vrum> or do ubuntu/canonical utilize some kind of a buildfarm (with strict access control) that compiles all packages found in these repos?
[16:51] <Nafallo> the latter
[16:51] <vrum> cool
[16:52] <penguin42> although they can stuff binaries into the packages in some cases - e.g. ia32-libs is done like that
[16:53] <Nafallo> well, that's still a source code upload though :-)
[16:57] <Ampelbein> Hmm, I have a weird deja-vu feeling right now. vrum, did you ask that question before?
[16:57] <vrum> Ampelbein: yep, in debian-devel, i'm contemplating debian vs ubuntu
[16:57] <Ampelbein> vrum: Ah, ok. So I'm not crazy after all. ;-)
[16:58] <Nafallo> Ampelbein: ... or at least not as obviously ;-)
[16:58] <vrum> was always a debian user, but knowing of Ubuntu's usage of the hardening wrappers + this makes ubuntu sound promising
[16:59] <Ampelbein> vrum: debian has adopted hardening flags as a release goal, http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[17:01] <vrum> yea i've been reading about that; sounds hopeful
[21:21] <nullie> Hello. Does indicator development belong to app-devel channel?
[21:34] <trinikrono> nullie: ask maybe in motu since no one seems to be in
[23:47] <vrum> are the md5/sha*-fields in Packages optional?
[23:48] <vrum> reference: http://dangertux.wordpress.com/2011/11/29/trusted-respitories-not-so-trustworthy/
[23:48] <vrum> seems rather laughable if the only thing needed to distribute malicious packages is to compromise a mirror and change/remove those fields for said package
[23:50] <penguin42> vrum: Ouch
[23:50] <ion> Huh. Isn’t the signature of Packages checked?
[23:52] <elmo> the signature of Releases is checked, and it contains hashsums of the Packages files
[23:53] <elmo> so, I'm not sure how they managed (or claim to have managed) to alter the Packages file without apt freaking out
[23:53] <stgraber> yeah, that example simply can't work without showing a warning (either md5 mismatch or signature mismatch or "unsigned packages")
[23:54] <stgraber> unless he signed it with another key that's added to his apt keyring (apparently not the case)
[23:54] <stgraber> I know apt isn't complaining a lot when it's the first time you add a repository that's not signed though, but that's definitely not the case of security.u.c
[23:58] <vrum> okay, will try myself when i sober up a bit. sounds quite strange/pointless to sign anything package-related if it'd work though
[23:58] <broder> what about stripping the signatures from the Release file, though?
[23:59] <broder> does apt yell in the same way about unsigned Release files that it does for Release files signed with a key you don't have?
[23:59] <stgraber> IIRC it complains heavily if you do it once it already knows the repository
[23:59] <stgraber> so if you add a new unsigned repository, it won't complain about it