Re: [Hampshire] OpenSSL in Debian is broken

Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] OpenSSL in Debian is broken

gpg: Signature made Wed May 14 17:35:45 2008 BST
gpg: using DSA key 20ACB3BE515C238D
On Wed, May 14, 2008 at 05:27:43PM +0100, Steve Kemp wrote:
> On Wed May 14, 2008 at 17:19:25 +0100, Hugo Mills wrote:
>
> > > > The pain of this one is that a security update will only prevent you
> > > > from creating weak keys in the future - it doesn't protect you in any
> > > > way from any keys you've created previously which are now trivially
> > > > crackable ..
> > >
> > > However the end result is that the Open Source model has allowed this error to
> > > be spotted and fixed within the day.
> >
> >    The problem was known about in January -- that's when the CVE
> > number was allocated. It wasn't discovered and fixed in the space of a
> > day.
>
> Not entirely true (speaking as Debian security team member).
>
> Debian, and most other Linux distributions, has its own pool of
> CVE numbers assigned which it can allocate to issues reported to it
> without needing to contact Mitre.

[snip]
> So, in conclusion, the date/size of a CVE assignment cannot be used
> to judge the age of a security issue.


Ah, OK. My apologies. I didn't know that it was arranged that way.

Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
             --- Happiness is mandatory.  Are you happy? ---
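The first quoted paragraph makes the practical point: the security update stops new weak keys being generated but does nothing for keys already created, so those have to be found by scanning. As an added example (not code from this thread), here is a Python check that fingerprints ssh-rsa entries in authorized_keys-style lines and looks them up in a set of known-weak fingerprints. The sample keys and the blacklist set are constructed, and treating the blacklist as a set of full MD5 hex digests is an assumption standing in for whatever file layout a distribution's weak-key blacklist package ships.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the binary 'ssh-rsa' public key blob that authorized_keys carries base64-encoded."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the decoded key blob (the fingerprint form used when this bug was found)."""
    return hashlib.md5(blob).hexdigest()


def find_blacklisted_keys(authorized_keys_lines, blacklist):
    """Return the comment (or key type) of every key whose fingerprint is in `blacklist`."""
    flagged = []
    for line in authorized_keys_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # type, base64 blob, optional comment
        if len(parts) < 2:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:                   # malformed base64: skip, do not crash the scan
            continue
        if md5_fingerprint(blob) in blacklist:
            flagged.append(parts[2] if len(parts) > 2 else parts[0])
    return flagged


# Constructed sample keys: tiny, obviously non-real RSA moduli, only to exercise the parser.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567891)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEFCAFEF00D)
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " old-key@host",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " fresh-key@host",
]
# Constructed blacklist (assumption: full MD5 hex digests); a real scan loads the distro's list.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}
```

Calling `find_blacklisted_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` flags only `old-key@host`; a key that is still in use after the update, but was generated before it, is exactly what this catches.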