When you defend the death of a civilian
and say
he should have known better
he should have left his home
and his life
in the land of your enemy
that is hate.

When you say the boy's death was justified,
for daring to be born in that country
with such people
and such policies
it is because you hate.

When the war comes to your town
and you are caught in the cross fire,
I too will say,
you had it coming.

This is the keysigning exchange service at Biglumber.

The owner of key F5538629A12E35418DFBF242FA89FA5556F42D8B has signed your key (DEA27BAA479CCA5876E5DE5628DEAE7F29982E5A). Your key with this signature on it will be emailed to you once you have uploaded a signed copy of their public key to Biglumber.

Log in to biglumber.com and look for the key exchange link.

Ah, the great democratization of PGP. Who needs security when we can just collect signatures like baseball cards and hawk our identities on eBay instead? Should be an easy profit, apparently I don't even have to show that I'm me to get in on the signature exchange market.

This PSA brought to you by the committee for not trusting Ryan Ward. ...whoever that is.

Erich,

Are you using bind9-host? If so, which version?

If you're using the sarge version of bind9-host, with the sarge version of libssl0.9.7, and running all this on an i686-class system, then you're looking at bug #321721. The issue is that, if a binary includes hand-written assembly, gcc will assume by default that the code requires an executable stack unless you set a .note.GNU-stack section in the assembly file which says otherwise. And the i686 version of libcrypto includes (surprise!) hand-written assembly.

This bug is already fixed for etch, both in libcrypto.so.0.9.7 and libcrypto.so.0.9.8.

Joey, what's the blogging equivalent to quoting an entire 80-line post on Usenet just to add "me too" to it? :-)

I've watched with growing dismay as Debian's press officer continued to blog prognostications of doom for the future of Debian security, which have done nothing but whet the press's appetite for a story of impending disaster. I find this kind of blogging to be irresponsible in the extreme; not only does it not help fix the problems, it doesn't even help users make informed decisions because it doesn't contain salient facts.

Here are a few facts to go along with Joey's blog entry "Debian Security still broken":

• Three security advisories had already been issued for sarge on July 1. Binaries for the arm architecture were not included, but most users were covered by the binaries that were made available.
• The arm autobuilder has since caught up with those advisories, so updated advisories will probably be available soon. In addition, three more security advisories were issued for sarge on July 5 that include binaries for all architectures, and two more have been issued so far today.
• Security updates for woody were not being built on ia64 and arm because no buildd was configured to do so. (These are the missing builds Joey blogged about.) Once this issue was identified, it was quickly resolved; in any case, it had no impact on the infrastructure for sarge updates.
• Joey correctly identified in his blog that there was an issue with two packages (one each from woody and sarge) not being picked up for building. Once this issue was identified to the people responsible for the infrastructure, it was quickly resolved.
• There was one last missing sarge build on m68k, for zlib. This was a case of the package going missing after being built; this is something that happens from time to time with the autobuilders; it doesn't point to a (fixable) software failure, the only thing to be done is to re-try the build. This was done, and the advisory was issued today as DSA 740, before the corresponding advisory from Red Hat...
• Lest this be seen as a fluke instead of being representative of Debian's security support going forward, it looks like there are six more advisories in the queue for sarge and about a dozen pending for woody.
• While I agree that there's a need for Debian to expand its security team, following the controversy in June we now have three security team members actively working on security (two full members and a security team secretary), which AIUI is a 50% increase over where we'd been earlier this year.
• And let's not forget Joey Hess's reminder that quantity isn't everything where security is concerned.

I share Joey Schulze's dissatisfaction with the state of security support for this past month, but his blog smacks of bitterness, not of measured objectivity. So here we are, five days after the first security advisories have been published for sarge, and new stories are still appearing in the press reporting that Debian is OMFG broken.

Is there any hope that the press will give the same coverage of the story that Debian's security infrastructure is not broken?