gpg: Signature made Wed May 14 17:35:45 2008 BST
gpg:                using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
On Wed, May 14, 2008 at 05:27:43PM +0100, Steve Kemp wrote:
> On Wed May 14, 2008 at 17:19:25 +0100, Hugo Mills wrote:
> 
> > > >   The pain of this one is that a security update will only prevent you
> > > >  from creating weak keys in the future - it doesn't protect you in any
> > > >  way from any keys you've created previously which are now trivially
> > > >  crackable ..
> > > 
> > > However, the end result is that the Open Source model has allowed this error to
> > > be spotted and fixed within the day.
> > 
> >    The problem was known about in January -- that's when the CVE
> > number was allocated. It wasn't discovered and fixed in the space of a
> > day.
> 
>   Not entirely true (speaking as Debian security team member).
> 
>   Debian, and most other Linux distributions, has its own pool of 
>  CVE numbers assigned which it can allocate to issues reported to it
>  without needing to contact Mitre.
[snip]
>   So, in conclusion, the date/size of a CVE assignment cannot be used
>  to judge the age of a security issue.
   Ah, OK. My apologies. I didn't know that it was arranged that way.
   Hugo.
-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
             --- Happiness is mandatory.  Are you happy? ---