Re: Intent to mass-file bugs: FDL/incorrect copyright files

2004-11-17 Thread Steve Kemp
On Wed, Nov 17, 2004 at 06:49:21PM +, Brian M. Carlson wrote:
> This is an intent to mass-file bugs as required per custom.
> 
> Bugs will be filed:
> 
>  1) on packages that include GNU Free Documentation Licensed-material;
>  2) on packages in 1) that do not include the copyright or license of
> the material in their copyright files;
>  3) at serious severity (DP sec. 2.2.1 and 12.5);
>  4) with reportbug -m (maintonly@);
>  5) by a human, with all facts checked first.

  Without wishing to start/take part in a huge flamewar, didn't we have
 a vote and agree to leave such documentation issues until after
 Sarge's release?

  Here's the result I'm thinking of:

http://www.debian.org/vote/2004/vote_004

 
Steve
--




Re: Bug#285234: ITP: unlzx -- unarchiver for *.lzx archives

2004-12-11 Thread Steve Kemp
On Sat, Dec 11, 2004 at 04:37:01PM -0600, Graham Wilson wrote:
> On Sat, Dec 11, 2004 at 10:53:10PM +0100, Marcin Orlowski wrote:
> > Package: wnpp
> > Severity: wishlist
> > 
> > * Package name: unlzx
> >   Version : x.y.z
> >   Upstream Author : Name <[EMAIL PROTECTED]>
> > * URL : http://ftp.uni-paderborn.de/aminetbin/find?unlzx 
> > * License : (GPL, LGPL, BSD, MIT/X, etc.)
> >   Description : unarchiver for *.lzx archives
> 
> How can so many people fail to fill in all of the fields in reportbug's
> ITP template? Is there some way to make it more clear, or are people
> just lazy?

  Maybe patching reportbug to complain if an ITP doesn't have
 some of its fields changed from the defaults would be a good
 idea?

Steve
--




Re: dselect survey

2004-12-11 Thread Steve Kemp
On Sun, Dec 12, 2004 at 11:35:22AM +1100, Paul Hampson wrote:

> apt-get and apt-cache are my friends, and I love them for letting me
> specify what I want to do in a way that is intuitive to me. Although I
> wish I could tab-complete package names sometimes. ^_^

  If you're running bash you can source the file 

/etc/bash_completion

  This gives you tab completion on a lot of commands.  For example:

apt-get install kernel-image-

  apt-get upg also does the right thing for example...

  This can be set up globally if you uncomment the relevant lines
 in /etc/bash.bashrc.


Steve
--




Re: Bug#285625: ITP: expocity -- An enanced Window Manager based on metacity

2004-12-14 Thread Steve Kemp
On Tue, Dec 14, 2004 at 04:43:11PM +0100, Christian Surchi wrote:
> > ==
> > Date: Tue, 14 Dec 2004 16:33:43 +0100
> > From: martin f krafft <[EMAIL PROTECTED]>
> > To: debian-devel@lists.debian.org
> > Subject: Re: Bug#285625: ITP: expocity -- An enanced Window Manager 
> > based on metacity
> > ==
> > 
> > enlighten us non-Darwinists: what does Exposé do? How does this
> > differ from tabs as provided e.g. by fluxbox.
> 
> http://www.apple.com/macosx/features/expose/

  If you want to do something like this it seems more practical to make
 it available to all window managers.

  The package 'skippy' was recently mentioned on debian-mentors[1], and
 can be found here:

[Upstream]
http://thegraveyard.org/skippy.php

[Initial packages]
http://cxhome.ath.cx/debian/skippy/

  It works nicely with my IceWM environment, and I'd love to see it
 uploaded...

Steve
--
# Debian Administration Tips
www.debian-administration.org


[1] http://lists.debian.org/debian-mentors/2004/12/msg00135.html




Re: installing a source tree?

2004-12-15 Thread Steve Kemp
On Wed, Dec 15, 2004 at 12:01:24PM -0500, Chasecreek Systemhouse wrote:
> So, I humbly request suggestions or hints as to a direction I can
> follow to be able to get the source code and development tree (READ Not
> CVS Tree) of say package PostgresSQL.
> 
> I have tried variations of -
> apt-get install postgresql-source
> 
> as well as variations of -
> apt-get build-dep [package]
> apt-get source --compile [package]
> 
> However the other package cannot find the PostgresSQL source tree.

  First of all download the source which matches the package you have
 installed with:

apt-get source postgresql

  Then you'll need to examine the software you're trying to build against
 it to see how it finds the source directory.  Maybe there's a flag
 to use:

./configure --source=../postgresql.. 

  Or similar.

  Honestly I'm surprised you need the full package source.  Normally
 you'd just get the development packages to give you the header files
 and the libraries which are linked against.

  In your case that would be the stuff provided by the package
 'postgresql-dev'.

  What's the name of the software you're trying to build?

> I'm creating/documenting  a quick Debian_Hints file at:
> http://insecurity.org/ll3i11_j0n35/Debian_Hints

  Have you read many of the fine Debian manuals?  There's a lot of
 good stuff linked to from:

http://www.debian.org/doc/

Steve
--




Re: Who could be able to help SW vendors to support Debian?

2005-02-01 Thread Steve Kemp
On Tue, Feb 01, 2005 at 10:57:08PM +0100, Christian Perrier wrote:

> Well, I'm not the software vendor here..:-)
> 
> As far as I've understood, this product induces some interaction at
> kernel-level and the vendor developers may have concerns about the
> kernel on the distribution they want to support their product on. They
> probably also have concerns about the library compatibility and such
> stuff.

  Perhaps rather than having a requirement for a specific kernel
 they could use something like that Yin-Yang, or dazuko kernel modules
 which can provide an interface for on-access operations?

  That way they have a greater chance of working with arbitrary
 distributions.  (The latter is packaged for Debian).

  Beyond that I think the other poster was right, really there
 should be more focus on linking statically, packing in an open
 format such as .tar.gz not .rpm and minimal links to the kernel
 or OS.

  Obviously some software such as VmWare or the Nvidia drivers
 need tight integration, but providing open source shims can
 minimize the variation between different host kernels.

  (It might be worth discussing platform compatibility - too much
 closed code assumes only x86.  Using Debian in that context is
 an interesting way of making the point that there are more chips
 in the world than x86 and ppc.)

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: /etc under svk

2005-02-11 Thread Steve Kemp
On Fri, Feb 11, 2005 at 06:36:04PM +0100, Enrico Zini wrote:

> And a question: where do we collect this kind of tips?

  wiki.debian.net

  debian-administration.org

  debianplanet.org

  debianhelp.org

  And any page that's accessible to google!

Steve
--





Re: Tips wanted for debugging and testing Debian

2005-02-25 Thread Steve Kemp
On Thu, Feb 24, 2005 at 09:39:51PM +0100, Michael Tautschnig wrote:
> >You can browse our bug database at . A good way
> >to start is to search for any bugs in software you regularly use, and to
> >see if you can help out.
> >
> 
> But what could one do, if the maintainer doesn't react (for some time) - 
> such that even bugreport with fixes provided are never acted upon?

  If a bug is serious, and not a trivial thing, and if a patch has
 been filed then a NMU could be applied.

  Isn't that what we do when serious bugs are present and the maintainer
 doesn't fix them?

  (And if it's wishlist bug you'll expect to be flamed .. :)

Steve
--





Re: Tips wanted for debugging and testing Debian

2005-02-25 Thread Steve Kemp
On Fri, Feb 25, 2005 at 02:41:48PM +0100, Michael Tautschnig wrote:

> > If a bug is serious, and not a trivial thing, and if a patch has
> >been filed then a NMU could be applied.
> But only a Debian developer can do so, right?

  Usually, but I've sponsored NMU uploads by non-DDs before.

> When saying "trivial" - did you mean easy to fix or the priority of a 
> bug (i.e., wishlist)?

  I mean it should be a serious bug which is affecting real people
 but has gone unaddressed.  Not something like adding a new feature
 which was filed as a wishlist.

  It's a judgement which people may make differently.

Steve
--





Re: How to debug - apachetop

2006-01-11 Thread Steve Kemp
On Wed, Jan 11, 2006 at 11:10:51AM -0600, Alejandro Bonilla wrote:

> After the actual error I got with apachetop:
> debian:~# apachetop -f /var/log/apache/access.log
> *** glibc detected *** free(): invalid pointer: 0xb7da08c8 ***
> Aborted
> 
> I want to learn how to debug and see what went wrong. How can I learn to debug
> this kind of things or how can I enable some debugging for this kind of 
> things?

  Mostly this involves recompiling the application to make sure it
 has debugging symbols.

  As the package maintainer I took a look at this, and found a possible
 bug.  Here's how I did it.

  (I just noticed there is a bug report showing the same error reported
 a few days ago.  I posted a followup asking for more information,  as
 I hadn't seen it myself until now.)

  OK.  So we get the application and run it under gdb:

[EMAIL PROTECTED]:~# gdb apachetop
GNU gdb 6.4-debian
Copyright 2005 Free Software
...

  Type "r" to run the application:

(gdb)  r
Starting program: /usr/sbin/apachetop 
(no debugging symbols found)
*** glibc detected *** free(): invalid pointer: 0xb7e448c0 ***

Program received signal SIGABRT, Aborted.
0xb7d397a7 in raise () from /lib/tls/libc.so.6


  Here we see two things:  There are no debugging symbols and we managed
 to see the crash.

  Rebuilding with debugging enabled we can try again:

[EMAIL PROTECTED]:~# gdb ./debian/sid/apachetop/apachetop-0.12.5/src/apachetop
GNU gdb 6.4-debian
...
(gdb) r
Starting program:
/home/skx/debian/sid/apachetop/apachetop-0.12.5/src/apachetop 
*** glibc detected *** free(): invalid pointer: 0xb7e448c0 ***

Program received signal SIGABRT, Aborted.
0xb7d397a7 in raise () from /lib/tls/libc.so.6


   Type "up" a few times to move up the call stack and see if we
  can see where it dies:

(gdb) up
#1  0xb7d3b04b in abort () from /lib/tls/libc.so.6
(gdb) up
#2  0xb7d70015 in __fsetlocking () from /lib/tls/libc.so.6
(gdb) up
#3  0xb7d76667 in malloc_usable_size () from /lib/tls/libc.so.6
(gdb) up
#4  0xb7d76b02 in free () from /lib/tls/libc.so.6
(gdb) up
#5  0x0804a15f in new_file (filename=0x804f5b9
"/var/log/apache2/access.log", 
do_seek_to_end=true) at apachetop.cc:1029
1029if (this_file->filename)
free(this_file->filename);

  Ahah!

  We see there is an error in free, and it was caused by the line 
 "if (this_file->filename) free (this_file->filename)".

  Comment that line of the program out, and rebuild it.

  No more crash!

  That's Steve's patented introduction to solving an Apachetop crash
 with gdb ;)

  Seriously, using the application under the debugger is the most obvious
 way to look for bugs for me.  Valgrind, strace, etc, are very good
 at what they do.  But if you can rebuild your application to use 
 debugging symbols then using gdb is simple enough.  There are tutorials
 on getting started which google will help you find.

  I'll try to see where the filename is getting setup and what is
 wrong with it.  Might take me a day or two, but as a quick fix you
 can safely comment out/delete the free line and just suffer a small
 memory leak for the moment.

Steve
--





Re: ITP: moleinvasion -- Jump'n run game with Tux

2006-03-14 Thread Steve Kemp
On Tue, Mar 14, 2006 at 10:51:51AM +0100, Gürkan wrote:

> * Package name: moleinvasion
>   Version : 0.2
>   Upstream Author : Guillaume Chambraud <[EMAIL PROTECTED]>
> * URL : http://moleinvasion.tuxfamily.org/
> * License : GNU General Public License, version 2
>   Description : Jump'n run game with Tux
>  This is a classic jump'n run game where Tux must deal with Moles.
>  .
>  Homepage: http://moleinvasion.tuxfamily.org/
> 

  Please consider the following patch:

--- font.c-orig 2006-03-14 11:30:45.0 +
+++ font.c  2006-03-14 11:31:14.0 +
@@ -122,7 +122,9 @@
FILE * fd=NULL;

if(getenv("LANG"))
-   {   sprintf(buffer,"txt/%s",getenv("LANG"));
+   {
+   memset(buffer,'\0',sizeof(buffer));
+   snprintf(buffer,sizeof(buffer)-1,"txt/%s",getenv("LANG"));
ptr=strchr(buffer,'_');
sprintf(ptr,"_%s",LONG_TXT_FILE);
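Review bot: the bounded copy fixes only the first of the three writes into buffer; the two unchanged lines after it, `ptr=strchr(buffer,'_');` and `sprintf(ptr,"_%s",LONG_TXT_FILE);`, are still unsafe. strchr returns NULL when LANG contains no underscore (LANG=C or LANG=POSIX on a minimal system), and the following sprintf then writes through a NULL pointer; when an underscore is found, that sprintf is still unbounded, so a LANG value long enough for snprintf to have filled buffer leaves no room for the suffix. Suggest checking ptr before use and bounding the second write with snprintf(ptr, sizeof(buffer) - (ptr - buffer), "_%s", LONG_TXT_FILE), or composing the whole path in one snprintf. The memset is redundant because snprintf always NUL-terminates within the size it is given, and the -1 on the size argument is unnecessary for the same reason.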


Steve
-- 





Re: apply to NM? ha!

2005-01-25 Thread Steve Kemp
On Tue, Jan 25, 2005 at 09:48:04AM +0100, Ingo Juergensmann wrote:
> On Tue, Jan 25, 2005 at 09:17:32AM +0100, Goswin von Brederlow wrote:
> 
> > > I wish more women would join Debian and the lists. My experience is that
> > > usually there's not that much aggressiveness when there are women around. 
> > That usually only works if you recognise them as females and can lead
> > to quite the opposite as well sometimes. :)
> 
> Oh, you mean we should use video mails or such?

  That'd be too much, but I'd love to see a photo field in the
 db.debian.org database, or some other gallery of developers.

  It's been interesting seeing what a lot of people look like in the
 little headshots on planet.debian.org, and more would only be a good
 thing.

Steve
--





Re: advice needed on handling network port conflicts

2005-04-21 Thread Steve Kemp
On Thu, Apr 21, 2005 at 12:07:26PM -0400, Eric Cooper wrote:

> But if apt-proxy is still installed and running when apt-proxy starts
> up, it will fail because the port is in use.  Should I make the approx
> package conflict with apt-proxy?  Both packages allow the port to be
> changed to something else, so it's not impossible for them to coexist
> (just difficult in their default configurations).  Any suggestions
> or policy pointers here would be appreciated.

  Apache2 does some magic in its postinst script which recognises
 when port 80 is in use and disables itself, by placing something
 similar to the following in /etc/defaults/apache2:

i_am_disabled=1

  This is then tested in the init.d script, and is used to prevent
 it from starting.

  Perhaps you can do something similar?  


Steve
--





Re: Greylisting for @debian.org email, please

2005-06-18 Thread Steve Kemp
On Sat, Jun 18, 2005 at 05:39:10PM -0400, Glenn Maynard wrote:

> Email is realtime.  I receive mails much more quickly than five minutes
> on average; within seconds, typically, even for round-trips to many
> mailing lists.

  Email may appear to be realtime, and you may even expect it to
 be because this is frequently how it works.  But this is not guaranteed.

  Either way people's, misguided, beliefs on the realtimeness of
 email delivery are not a valid reason to choose against greylisting.

>  Reducing that to minutes on average is beyond unacceptable.

  I'm amazed that this can even be suggested.  @debian.org mail
 is what?  Bug reports, mailing lists (possibly), and random
 other mails?  

  Which of those, specifically, would suffer from delays?  Bearing
 in mind I'm assuming that due to the distributed geographical
 and timezone nature of the Debian mailing lists delays are more
 common than in other settings.

  99% of the time when I wake up I get more mails delivered 
 overnight when I'm not around to deal with them in a realtime
 fashion than during the day.

  Presumably the realtime nature of debian mail becomes more important
 in on-going discussions?  That suggests that prior communication
 has already occurred - so greylisting wouldn't delay things
 further anyway..

 
Steve
--





Re: Greylisting for @debian.org email, please

2005-06-18 Thread Steve Kemp
On Sat, Jun 18, 2005 at 03:08:38PM -0700, Thomas Bushnell BSG wrote:
> Steve Kemp <[EMAIL PROTECTED]> writes:
> 
> >   Email may appear to be realtime, and you may even expect it to
> >  be because this is frequently how it works.  But this is not guaranteed.
> 
> The RFC requires "best effort".  

  Sure.

> >   99% of the time when I wake up I get more mails delivered 
> >  overnight when I'm not around to deal with them in a realtime
> >  fashion than during the day.
> 
> Greylisting can cause email to fail entirely.  

  And *that* is a valid complaint.

  Choosing not to use greylisting because it causes mail to become
 non-realtime is *not* a valid complaint.  Which is the point I was
 trying to make in a roundabout fashion.

Steve
--
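The greylisting behaviour argued over in this message and in the earlier one ("Email may appear to be realtime ..."), as an added illustration in C that is not code from the original posts or from any Debian mail server: a triplet (client IP, envelope sender, envelope recipient) is deferred with a temporary failure on first contact, accepted once it retries after a minimum delay, and never delayed again afterwards. The timings, table size and fail-open policy are assumptions, and the addresses are constructed; the scenario in main() shows both points made in the thread, that a known sender is not delayed, and that a sender which never retries is never accepted.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Tunables (assumed values, in the range common greylisting daemons use). */
#define GL_MAX_ENTRIES  256
#define GL_MIN_DELAY    300               /* seconds a new triplet is deferred */
#define GL_RETRY_WINDOW (4 * 3600)        /* unretried first attempts are forgotten after this */
#define GL_KNOWN_TTL    (36 * 24 * 3600)  /* accepted triplets stay known this long after last use */

enum gl_verdict { GL_TEMPFAIL = 0, GL_ACCEPT = 1 };

struct gl_entry {
    char   key[192];     /* "client-ip|envelope-from|envelope-to" */
    time_t first_seen;
    time_t last_seen;
    int    passed;       /* set once the triplet has been accepted */
};

struct gl_table {
    struct gl_entry e[GL_MAX_ENTRIES];
    int n;
};

/* Locate the row for key, dropping expired rows on the way. */
static struct gl_entry *gl_find(struct gl_table *t, const char *key, time_t now)
{
    int i = 0;
    while (i < t->n) {
        struct gl_entry *e = &t->e[i];
        time_t ttl = e->passed ? GL_KNOWN_TTL : GL_RETRY_WINDOW;
        if (now - e->last_seen > ttl) {
            t->e[i] = t->e[--t->n];   /* swap-remove, then re-examine the moved row */
            continue;
        }
        if (strcmp(e->key, key) == 0)
            return e;
        i++;
    }
    return NULL;
}

/* Decide what the MTA should answer for one delivery attempt at time now. */
enum gl_verdict greylist_check(struct gl_table *t, const char *ip,
                               const char *from, const char *to, time_t now)
{
    char key[192];
    struct gl_entry *e;

    snprintf(key, sizeof key, "%s|%s|%s", ip, from, to);
    e = gl_find(t, key, now);
    if (e == NULL) {
        if (t->n == GL_MAX_ENTRIES)
            return GL_ACCEPT;        /* table full: fail open rather than lose mail (assumed policy) */
        e = &t->e[t->n++];
        snprintf(e->key, sizeof e->key, "%s", key);
        e->first_seen = e->last_seen = now;
        e->passed = 0;
        return GL_TEMPFAIL;          /* 4xx: a real MTA queues and retries; most spam bots do not */
    }
    e->last_seen = now;
    if (e->passed || now - e->first_seen >= GL_MIN_DELAY) {
        e->passed = 1;               /* from here on this triplet is never delayed again */
        return GL_ACCEPT;
    }
    return GL_TEMPFAIL;              /* retried too early: keep deferring */
}

int main(void)
{
    struct gl_table t;
    time_t t0 = 1000000;             /* constructed epoch for a deterministic run */
    const char *ip = "192.0.2.10", *from = "alice@example.org", *to = "bob@debian.org";
    memset(&t, 0, sizeof t);
    printf("first contact:        %d\n", greylist_check(&t, ip, from, to, t0));          /* 0 */
    printf("retry after 60s:      %d\n", greylist_check(&t, ip, from, to, t0 + 60));     /* 0 */
    printf("retry after 400s:     %d\n", greylist_check(&t, ip, from, to, t0 + 400));    /* 1 */
    printf("next mail, no delay:  %d\n", greylist_check(&t, ip, from, to, t0 + 40000));  /* 1 */
    return 0;
}
```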





Re: Why does Ubuntu have all the ideas?

2006-07-28 Thread Steve Kemp
On Fri, Jul 28, 2006 at 05:37:11PM +0100, Matthew Garrett wrote:
> Steve Kemp <[EMAIL PROTECTED]> wrote:
> 
> >   Neither Ubuntu nor Debian do anything special to get hardware support
> >  that is provided by the kernel proper and tools that neither group
> >  created.
> 
> That's not actually true. I do a lot of work in Ubuntu to add extra 
> hardware support. 

  OK I stand corrected.

  I did consider that software suspend, etc, probably gets a fair amount
 work.  But mostly I was thinking of hardware support which is mostly a
 kernel issue.  (Along with the difference between free vs. non-free firmware).

> If Debian had slightly less of a culture of 
> "Keep your hands off my package", I'd do it here instead.

  That seems understandable.  I'm keen on teams, but even more keen
 on a less "ownery" stance by package owners.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Why does Ubuntu have all the ideas?

2006-07-28 Thread Steve Kemp
On Fri, Jul 28, 2006 at 06:55:26PM +0200, Fabio Tranchitella wrote:

> How many Debian maintainers think the same? I'm sure there are a lot
> of them who do not suffer from the "this is my package, go away" syndrome.

  There is a small list of some people who accept them here:

http://wiki.debian.org/LowThresholdNmu

  It could be improved, hopefully seeing this will spur some additions
  ..

Steve
-- 





Re: thedebianuser.org started

2006-08-03 Thread Steve Kemp
On Thu, Aug 03, 2006 at 08:26:57AM -0600, Joseph Smidt wrote:
> Wolfgang,
>   I think that is a great idea.  You should make a post on
> forums.debian.net to since that is another place many of the community
> hang out.  That's just my two cents.

  Seconded.  I put a simple advert on Debian-Administration which 
 you can follow here:

http://www.debian-administration.org/adverts/47

  If people wish to advertise other sites of interest to Debian users
 on my site then feel free to submit them here:

http://www.debian-administration.org/create/advert

  (Adverts are free, and are only vetted to ensure they *do* go
 to Debian-friendly sites.)

Steve
-- 





Re: thedebianuser.org started

2006-08-03 Thread Steve Kemp
On Thu, Aug 03, 2006 at 08:26:41PM +0200, Eduard Bloch wrote:

> Why don't you create a web ring and place banners everywhere? (seriously)

  There is a "promote debian" ring already:

http://spreaddebian.com/

  I like to see related sites linking to each other, and I
 like to see friendly cooperation and communication between
 Debian-community sites maintainers/users.

  That is something which I think does exist currently.
 I've heard from/chatted to several site-maintainers and
 everybody seems very keen on promoting resources for the
 benefit of the *users* rather than the site-owners.
 (Only one minor exception.)

  But having said that I'm not personally a fan of web-rings.

  Mostly because you have no control over the quality of the
 other sites which join.  By having a lot of big sites join
 you're implicitly endorsing the ring and the other members of
 that ring, sight-unseen.  If I want to endorse a site I want
 to do so knowingly.

  Still I think there are probably valuable Debian-friendly, or
 Debian-community sites/pages which could do with more promotion
 and recognition.  I guess the Debian wiki is a good starting point:

http://wiki.debian.org/DebianResources

Steve
-- 




Re: Howto: Package for Debian the "Easy" Way

2006-08-05 Thread Steve Kemp
On Sat, Aug 05, 2006 at 09:18:39AM -0600, Joseph Smidt wrote:
> I just posted a blog: blog.thedebianuser.org/?p=13, where I outline
>how I feel:  that working through examples using .diff files teaches how
>to package better than trying to learn from documentation alone.  The blog
>isn't the most complete, but it outlines my basic idea.

  To be honest I have to say that the webpage you point people to as
 being the best resource isn't very good IMHO.  You already mention
 the New Maintainers guide and I think that does an excellent job
 showing you how to package something from start to finish.

  As a secondary comment I think your blog entries are good but they
 really really could benefit from some formatting changes.

   Having long paragraphs which are justified makes it hard to
 find the commands and output in the text.  Even something like
 using "command name" would help, but more would probably
 be even better.

>The reason I am telling you all about it is I would like to know your
>opinion on what I wrote.  If you feel it is a good idea, I may set up a
>wiki where I upload a few simple packages with their corresponding .diff
>files and show how to use the .diff file to properly build each package. 
>That approach may be helpful to people since it was most helpful with me. 
>I would just like to know what you think.  Thanks.

  Mostly people can see the diffs if they run "apt-get source foo",
 as the contents are mostly uninteresting to people unless they care
 about the package I can't say I think it is a great idea.

  However taking an interesting package and explaining what the
 preinst/postinst/etc files are doing might be fun.  Better than
 just saying "here is a 300 line .diff.gz file; isn't it great?"

>PS.  If you don't like the blog please don't rip it to pieces.  I'm
>honestly just trying to be helpful and make learning how to package
>easier.

  Look at the debian-mentors list for tips/suggestions.  It has
 an audience who are probably more in touch as "beginners"...

Steve
-- 





Re: Quickcam pro 4000, pwc problem

2006-08-22 Thread Steve Kemp
On Tue, Aug 22, 2006 at 02:45:38PM +0100, John Talbut wrote:

> Can anyone explain the official Debian set up for pwc based web cams?  

  ..

> The only Debian package for pwc is pwc-source .  According to the copyright
> information for this package:

  I've got one of these devices and found it similarly tricky to start
 with.  When I use the pwc module included in the standard Debian kernel
 images I just see a blank grey rectangle when using
 camgrab/camstream/etc.

  Ultimately I got it working by :

  1.  Removing any existing pwc module from the debian-supplied kernel:

find /lib/modules -name 'pwc.*' -exec rm -rf \{\} \;
rmmod pwc

  2.  Setting up module-assistant:

apt-get install module-assistant
m-a prepare

  3.  Downloading and building the external sources:

apt-get install pwc-source
m-a build pwc-source

  4.  Installing the built module:

m-a install pwc-source
depmod -a
modprobe pwc

  5.  Working with it :
apt-get install camstream && camstream

  You say you've built the module?  I might guess that even after
  building it you're using the "old" module...?

Steve
-- 





Re: Orphaning my packages

2006-09-18 Thread Steve Kemp
On Mon, Sep 18, 2006 at 10:58:31AM -0400, Nathanael Nerode wrote:

> The ones which haven't been picked up either with ITAs or in this thread,
> and which aren't lib*-perl or lib*-ruby, are:
> 
> * 

  I'll take  since it hasn't been claimed.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Orphaning my packages

2006-09-18 Thread Steve Kemp
On Mon, Sep 18, 2006 at 06:13:23PM +0100, James Westby wrote:

> >   I'll take  since it hasn't been claimed.

> I claimed it via ITA straight away, perhaps I should have emailed the
> list as well sorry. 

  No problem, it was my fault for trusting the mail and not checking.

> I'm always happy for co-maintenance, or you can take it yourself.
> I imagine it will be easy to maintain. I also maintain another package
> by the same author, and he is great to work with.

  Great.  It sounds like you'd be the best choice for it then.

  I would offer to comaintain, since I think that is generally a good
 thing, but for a slow-moving package like this I'm not sure that it
 is required.

> I was wondering what the upload etiquette should be. There is no new
> version, no bugs, and the packaging is fine. Do I try and find a sponsor
> just for a change of maintainer, or do I wait until there is something
> to do?

  You could upload now to fix the standards version and to set the
 new maintainer - that's what I'd do, even though there are no bugs
 or newer upstream available.

Steve
-- 





Packages up for adoption

2006-10-10 Thread Steve Kemp

  I've recently orphaned all my packages whilst being on a 
 bit of hiatus from project work.

  Several packages are still unclaimed, although people have
 offered on some of them.  Please take a look at the list if
 you're interested:

   * debian-builder[O][O]
   * driftnet
   * dsniff
   * flawfinder
   * gnump3d
   * komi
   * late
   * libcgi-session-expiresessions-perl[O]
   * libnids
   * pscan
   * rats

   Several packages have a willing co-maintainer and none have massive
  amounts of work to do for them.

Steve
-- 





Re: Packages up for adoption

2006-10-14 Thread Steve Kemp
On Sat, Oct 14, 2006 at 10:52:41PM +0200, Uwe Hermann wrote:
> Hi Steve,
> 
> On Tue, Oct 10, 2006 at 08:25:26PM +0100, Steve Kemp wrote:
> >* flawfinder
> >* pscan
> 
> As I haven't gotten around to do too much audit work, I'll at least take
> care of a few audit tools: flawfinder and pscan. It seems rats already
> has a new maintainer...

  Great - thanks a lot.

  Once I've gotten all the packages adopted I'll be able to dedicate
 at least one evening a week to doing auditing work.

Steve
-- 




Re: LWN subscription

2006-11-09 Thread Steve Kemp
On Thu, Nov 09, 2006 at 06:22:14PM +0300, Al Nikolov wrote:

> Is it possible for developers to subscribe to LWN as described in [1]? My
> messages to [EMAIL PROTECTED] stay without any answer.
> 
> [1] http://lwn.net/Articles/13797/

  Yes.  Though it might take a while to get processed.

Steve
-- 




Re: Bash /dev/tcp and /dev/udp

2006-11-23 Thread Steve Kemp
On Thu, Nov 23, 2006 at 12:30:09PM +0100, Klaus Ethgen wrote:

> For this feature there are several scripts and tools around which use
> this feature. Moreover if you want to make a net boot image where you
> need to contact another host easily there is no way to do this with debian
> Linux so I have to switch to another distribution like RedHat or even
> Susi^He.

  Of course there is.  Using netcat, telnet, ftp, tftp, or similar.

  Yes it is a shame this isn't available, but it isn't something
 that you should switch distribution over.  If it's that important
 rebuilding the package with it enabled wouldn't take more than an
 hour ..

> The related bug report is tagged as wontfix (146464) but this is absolutely
> not reasonable.

  You might disagree with the decision of the maintainer
 but this isn't an unreasonable action at all.

Steve
-- 




Re: Etch, apache-perl and php5 needs manual config

2006-11-30 Thread Steve Kemp
On Thu, Nov 30, 2006 at 07:48:40PM +0100, Patrick Frank wrote:

>But I have to manually edit /etc/apache-perl/httpd.conf and enable
>"AddType application/x-httpd-php .php" as well as
>/etc/apache-perl/modules.conf
>to add "LoadModule php5_module /usr/lib/apache/1.3/libphp5.so".
> 
>Why do the installer scripts not handle that automatically?

  They would if you used the more recent Apache 2.x or 2.2.x packages.

  (In that case you'd use the utility helper script "a2enmod" and
 "a2dismod" to enable/disable a module, and that would happen
 automatically for the majority of modules.  Certainly for
 PHP.)

Steve
-- 




Re: RFC: Proposal for official screenshot repo

2007-01-05 Thread Steve Kemp
On Fri, Jan 05, 2007 at 12:16:25PM +0100, Jorge Salamero Sanz wrote:
> On Friday 05 January 2007 11:55, Andrea Bolognani wrote:
> > What I don't really get is, why would we want a similar service in Debian?
> >
> > We should already be pointing to the upstream site with the Homepage:
> > pseudo-header, and in case of GUI programs or games there are usually
> > plenty of screenshots there.
> >
> > I really see no point in doing this.
> 
> and with the name of the pkg an I'm feeling lucky search will leave you on the 
> homepage of the app.
> 
> those extra fields like homepage and screenshot have their point in 
> integration with gui pkg managers.

  The problem with relying upon the upstream site hosting screenshots
 is that they will most likely be removed/replaced when a new release
 is made.

  Consider a package in etch with a header like:

X-pic: http://some.project.sf.net/screenshot.jpg

  (Ignoring 'X-pic', and ignoring the .jpg.)

  If the upstream releases a new version they will change the screenshot
 and the link in the frozen Etch package will be misleading.

  Better by far to have:

X-pic: http://screenshots.debian.net/package/version.jpg

  This way multiple package versions can have distinct images, eg. the
 package in Etch, the package in Lenny, and the package in Sid.  Each
 of which might look completely different.

Steve
-- 





Re: RFC: Proposal for official screenshot repo

2007-01-05 Thread Steve Kemp
On Fri, Jan 05, 2007 at 12:59:51PM +0100, Andrea Bolognani wrote:

> If we really use that scheme, there would be no need to declare an extra
> header -- the location of the file can be calculated by the package manager
> using the name of the package and the version number.

  Agreed.  I just wanted to make the point that we'd need to allow for
 multiple versions of screenshots which I'd not seen mentioned.

> I personally find useless to have a single screenshot: what can you really
> understand about the look and feel of a program by looking at a single
> screenshot?

  For some things yes, for other things no.  I like your idea of
 an XML/description file containing links to the images and the
 versions to which they apply a lot though.

  That also gives a nice canonical location:

http://screenshots.debian.net/package-name.xml

  If going down the XML route then I see no real reason to have
 a distinct file per version.  Instead have something like:

   

 .. images



   

  (Or in some other valid way - my XML is weak.)

  That would allow a person to see all screenshots of available versions 
 in one go, or just those specific to the users distribution
 (sid/etch/whatever).

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: RFC: Proposal for official screenshot repo

2007-01-05 Thread Steve Kemp
On Fri, Jan 05, 2007 at 01:37:03PM +0100, Jorge Salamero Sanz wrote:
> On Friday 05 January 2007 13:09, Steve Kemp wrote:
> >   If going down the XML route then I see no real reason to have
> >  a distinct file per version.  Instead have something like:
> 
> we should be careful with one xml for all versions if we want to change 
> something in the future.

  Surely that would be another argument in *favour* of XML?

  (My understanding is that clients are supposed to ignore tags they
 don't recognise ..)

Steve
-- 





Re: Debian Mini-distro: how to recompile base-system and remove Java?

2006-05-29 Thread Steve Kemp
On Mon, May 29, 2006 at 07:53:02PM -0300, Daniel Ruoso wrote:

> In fact, I want it to work as a native debian system. This way,
> buildroot causes a lot of problems 

  Isn't this what 'apt-build' can be used for?

http://julien.danjou.info/article-apt-build.html

  That allows you to rebuild the whole system, via 'apt-build world',
 and I guess you could go from there to building other packages
 easily enough.

  (Ignore the optimisations, obviously.)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Bug#370722: ITP: libnet-httpserver-perl -- An extensible HTTP server framework for perl

2006-06-06 Thread Steve Kemp
Package: wnpp
Severity: wishlist
Owner: Steve Kemp <[EMAIL PROTECTED]>


* Package name: libnet-httpserver-perl
  Version : 1.1.1.
  Upstream Author : Ryan Eatmon <[EMAIL PROTECTED]>
* URL : http://search.cpan.org/~reatmon/Net-HTTPServer/
* License : LGPL
  Description : An extensible HTTP server framework for perl

  Net::HTTPServer provides a lite HTTP server. It can serve files, or
  can be configured to call Perl functions when a URL is accessed.
  .
  Net::HTTPServer basically turns a CGI script into a stand alone
  server. Useful for temporary services, mobile/local servers, or
  embedding an HTTP server into another program.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.6-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Bug#376419: ITP: libapache2-mod-ifier -- Filter or reject incoming client requests

2006-07-02 Thread Steve Kemp
Package: wnpp
Severity: wishlist
Owner: Steve Kemp <[EMAIL PROTECTED]>


* Package name: libapache2-mod-ifier
  Version : 0.2
  Upstream Author : Steve Kemp <[EMAIL PROTECTED]>
* URL : http://www.steve.org.uk/Software/mod_ifier/
* License : GPL + Apache and SSL linking exception.
  Description : Filter or reject incoming client requests

 mod_ifier allows you to discard or filter the incoming requests which
 are sent to your Apache server.
 .
 There are facilities for dropping connections based upon headers sent
 with the request as well as logging and command execution.
 .
 This module is intended to be an extremely lightweight replacement
 for mod_security, which is not going to be included in Debian Etch.
 Although it doesn't have exactly the same featureset it does the
 jobs I need it to.
 .
 Homepage: http://www.steve.org.uk/Software/mod_ifier



  Packaged specifically because mod-security is no longer redistributable
 or available for Debian.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.6-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Re: A question on setting setuid bit

2006-07-05 Thread Steve Kemp
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:

> I am building a package in which one of the binary has
> to have the setuid and setgid bits set.  I wonder which
> one of the following two is the more appropriate method
> to use?

  It looks like you've got the answer to this already, but
 it is worth considering whether the bit needs to be set
 by default.

  Perhaps a debconf question like man-db, or cdrecord, could
 allow the user to disable/enable this.

  I'd want to be extremely sure that the package had no
 buggy code before installing it setuid/setgid.   If you'd
 like somebody to check over the code for you, or as a
 second pair of eyes, then please consider asking the auditing
 people:

http://shellcode.org/mailman/listinfo/debian-audit

Steve
-- 




Re: how to deal with packages depending on mysql-server

2006-07-25 Thread Steve Kemp
On Tue, Jul 25, 2006 at 10:21:03AM +0200, Michal Čihař wrote:

> > My proposal to satisfy both use-cases was, to provide two versions of
> > wordpress:
> > (1) wordpress -- depends on mysql-server
> > (2) wordpress-remotesql -- does not

  How about:

Depends: mysql-remote-server | mysql-server

  Then create a dummy "mysql-remote-server" package which (possibly
  conflicts with mysql-server) could be used to satisfy dependencies
  only?

  (Placing the mysql remote server deliberately first.)

> I think suggests is enough for this case. Having two packages just
> because of different dependencies is overcomplicated.

  Suggests works for me, but I do think there is a bit of simplification
 in the idea of a virtual package.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Why does Ubuntu have all the ideas?

2006-07-28 Thread Steve Kemp
On Fri, Jul 28, 2006 at 09:02:57AM -0600, Katrina Jackson wrote:

>A.  Ubuntu seems like it can get hardware support immediately, but that
>support never seems to quickly get to Debian.   I have been using Ubuntu
>since Debian doesn't work on my laptop.  Suspend doesn't work and my
>wireless pro  3945ABG doesn't work.  With Ubuntu everything works fine.
> 

  Neither Ubuntu nor Debian do anything special to get hardware support
 that is provided by the kernel proper and tools that neither group
 created.

  Ubuntu might have support for a specific piece of hardware which
 Debian lacks but that is because of the relative recentness of their
 release - they just have more modern bits.

  I'd expect if you used Debian Testing/Etch then your hardware would
 be supported equally well.

>B.  Ubuntu members not only support mailing lists and IRC but support user
>forums which are so much more user friendly and don't fill up your
>mailbox.

  Debian has forums, such as forums.debian.net, but personally I
 prefer mailing lists.

>C.  You seem to worry only about packaging.  You push people to package. 
>But you don't focus on making your OS better.  Ubuntu has made so many
>nice features for their OS that you don't seem to do.

  Packages do make an OS distribution better.  Without packages we have
 no software, no drivers, no integrated desktop support, no environment
 at all.

> Why does Ubuntu have to have
>all the great ideas for their users?  One example:  They have a pop up
>telling you updates are ready.  Now maybe you now have this feature,
 
   Debian does have this feature.  (Package 'update-notifier'.)

   I don't know offhand whether "they" had it first or "we" had it
  first, and I don't think it matters terribly much.  Some packages
  both distributions have in common (many!) and some start in one
  and get shared to the other later.

>don't know, but I see great ideas like this every six months with Ubuntu,

  Please be specific in "ideas".

>and I see nothing from debian.
> Except apt, but man, one nice thing a decade is pretty slow.

  Updated kernels, drivers, installer, etc.  All of these are
 new ideas.

  And these are packages which you seem to regard as less important
 than ideas .. which I don't fully understand your reasoning for.

>D.  Going back to C., doesn't it concern you that you have so many programmers
>but so few good new ideas for your OS compared to Ubuntu that will help
>your users?  How do they have 10 times the good ideas you seem to.  And
>furthermore, when a good idea is presented to them they say, "good idea,
>we should implement that" not "there's plenty of documentation, do it
>yourself".  

  I disagree with almost every statement you made in this paragraph.

>E.  Going back to the last statement, I could write an entire email on how
>people think you guys are so unapproachable and so downright mean to
>users who make these suggestions.   Users' concerns mean nothing to you. 

  People's ideas are important.  People making comparisons and generally
 trying to stir up trouble are what happens more often: "Oooh Ubuntu is
 better - you're dying. Ha", etc.

  One of the overriding goals of the Debian Project is to satisfy our
 users.

>***If they did you would be spending as much time as Ubuntu coming up with
>great ideas to revolutionize your OS to better meet people's needs***  Why
>are you so mean?  I know you will either ignore this letter or rip my head
>off, but somebody needs to tell you.  

  I'd bite the head off anybody who called me mean in person. If you can
 be objective about Debian's shortcomings and give specific suggestions
 about how to improve then people *will* listen.

  Calling people mean and suggesting that we're selfish and unconcerned
 about users will not accomplish anything useful.

>There seems to be so many issues.  It seems you guys just don't care about
>your users.  You don't go out of your way to make your users have a better
>experience. 

  *Every* *Single* Debian release has been all about making Debian
 better for our users.  If you genuinely cannot see that then you're
 not sending a concerned mail, you are just trolling and stirring up
 arguments without understanding.

>I hope you guys will put some thought into this, but by the reputation you
>have I am guessing you will say, "If a user wants something done do it
>yourself,  there's plenty of documentation.  We don't need to change, we
>are the best programmers there are.  We are too good to take notes from
>Ubuntu" Unfortunately I think you just aren't smart enough to read the
>writing on the wall that there is a reason Ubuntu has been for a while now
>such a more popular distro than us.

  I suggest that if you want people to listen to you then being polite
 and offering constructive suggestions would be a more useful way
 of accomplishin

Re: Reboot in postinst

2005-01-20 Thread Steve Kemp
On Thu, Jan 20, 2005 at 03:09:46PM -0300, Diogo Kollross wrote:
> Is there a problem in using something like
> 
>   shutdown -r now
> 
> inside a postinst script of a package?

  Definitely.

  Even if the package requires a reboot to work you should let the
 administrator choose when that should be done.

  (Even kernel upgrades, or module upgrades, draw the line at this;
 they just tell you a reboot is "strongly recommended".)

Steve
--
# Debian System Administration
www.debian-administration.org/





Re: setuid/setgid binaries contained in the Debian repository.

2003-07-31 Thread Steve Kemp

  A long time ago[1] I asked if there was a list of all the setuid/setgid
 binaries contained in the previous Debian stable release. 

  As there still isn't such a list I've created one and placed it online
 with a simple search form.

  (This is the list that my recent spate of bug reporting has been
 based upon).
 
http://www.steve.org.uk/cgi-bin/debian/index.cgi

Steve
-- 
www.steve.org.uk


[1] 
http://lists.debian.org/debian-devel/2002/debian-devel-200211/msg02720.html




Re: setuid/setgid binaries contained in the Debian repository.

2003-07-31 Thread Steve Kemp
On Thu, Jul 31, 2003 at 05:30:11PM +0300, Richard Braakman wrote:

> If you're just scanning for binaries with s bits set, then you'll
> probably miss all the ones that use whatever that tool was
> (suidmanager?) that was used by some packages before we had
> dpkg-statoverride.

  Yes I know that I'm missing a few, but apart from the ones that get
 +suided in the Debian/rules files, or are handled via other means
 then I've got a more comprehensive list than I've seen anywhere
 else.
 
  There's probably a lot to be said for building a chroot installation
 and installing each package in turn; but I don't have the time for that
 at the moment.
 
Steve
--
www.steve.org.uk




Re: setuid/setgid binaries contained in the Debian repository.

2003-07-31 Thread Steve Kemp
On Thu, Jul 31, 2003 at 12:55:28PM -0400, Joey Hess wrote:

> I'd like to see us move all of our setgid games (except, perhaps,
> nethack) away from using global score files by default. 

  I think that should be a good option, but I can see several 
 games that might suffer by it.

  I'm loath to ask the user if it should be setgid in the installer
 because that's just needless distraction, but perhaps some global
 'setgidness' setting could be stored in /etc/games?

> I also think it would be a good idea for policy to require all
> setuid/gid bit grants to go through this or another list for peer
> review, much as pre-depends are supposed to.

  I was thinking of approaching that problem a different way.
  
  In the same way that apt-listchanges shows a packages changelog
 at install time, I could see a script 'apt-listsetuid' which would
 warn the admin at install time if any new setuid/setgid applications
 were being installed.
  (Optionally with the option to remove such bits on a global or per
 package basis).
 
  I've thought this several times, but never quite gotten around to
 writing the code - if there was any interest I would.
 
Steve
---
www.steve.org.uk


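An added example, not Steve Kemp's tooling or any Debian package's code, of the check the 'apt-listsetuid' idea above describes, which also yields the raw material for the kind of setuid/setgid list discussed earlier in this thread: a Python script that parses a .deb directly (the ar container and its data.tar member) and reports every member that would be installed with the setuid or setgid bit set, so the administrator can see it before dpkg unpacks it. It does not depend on dpkg-deb. The sample package it scans is constructed in memory for the demonstration; pass a path to scan a real .deb.

```python
"""Report setuid/setgid members of a Debian binary package (.deb).

Added example: parses the .deb ar container and its data.tar.* member
with the standard library only.  The sample .deb is constructed below.
"""
import io
import stat
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes):
    """Yield (name, data) pairs from an 'ar' archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]           # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)   # members are 2-byte aligned


def privileged_members(deb: bytes):
    """Return [(path, mode, uname, gname)] for files carrying S_ISUID/S_ISGID."""
    found = []
    for name, data in ar_members(deb):
        if not name.startswith("data.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:
                if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append((m.name.lstrip("."), oct(m.mode & 0o7777),
                                  m.uname, m.gname))
    return found


def build_sample_deb() -> bytes:
    """Constructed test data: a tiny .deb with one setuid and one setgid file."""
    def tar_bytes(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for path, mode, payload in entries:
                ti = tarfile.TarInfo(path)
                ti.size, ti.mode = len(payload), mode
                ti.uname, ti.gname = "root", "root"
                tar.addfile(ti, io.BytesIO(payload))
        return buf.getvalue()

    data = tar_bytes([
        ("./usr/bin/harmless", 0o755, b"#!/bin/sh\necho hi\n"),
        ("./usr/bin/needs-root", 0o4755, b"\x7fELF"),     # setuid root
        ("./usr/games/scorekeeper", 0o2755, b"\x7fELF"),  # setgid
    ])
    control = tar_bytes([("./control", 0o644, b"Package: sample\nVersion: 1\n")])

    def ar_entry(name, payload):
        hdr = b"%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (
            name.encode(), b"0", b"0", b"0", b"100644", len(payload))
        return hdr + payload + (b"\n" if len(payload) & 1 else b"")

    return (AR_MAGIC
            + ar_entry("debian-binary", b"2.0\n")
            + ar_entry("control.tar.gz", control)
            + ar_entry("data.tar.gz", data))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    for path, mode, uname, gname in privileged_members(blob):
        print("%s %s %s:%s" % (mode, path, uname, gname))
```

The scan looks at the mode bits recorded in the tarball, which is what dpkg applies on unpack; as the thread notes, bits granted later by a maintainer script or dpkg-statoverride are not visible here, so this catches the common case, not every case.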


Re: setuid/setgid binaries contained in the Debian repository.

2003-08-01 Thread Steve Kemp
On Fri, Aug 01, 2003 at 08:20:08AM +0200, Tollef Fog Heen wrote:

> what's wrong with a low-priority debconf question with a sane default?

  Absolutely nothing at all, but it's a slippery slope, and I thought
 we were tending towards less interactivity in installations?

Steve
-- 




Re: setuid/setgid binaries contained in the Debian repository.

2003-08-01 Thread Steve Kemp
On Fri, Aug 01, 2003 at 11:18:53AM -0400, Matt Zimmerman wrote:

> > I also think it would be a good idea for policy to require all setuid/gid
> > bit grants to go through this or another list for peer review, much as
> > pre-depends are supposed to.
> 
> I absolutely support this idea.  All set[ug]id setups should be reviewed
> before they go in the archive, and I volunteer to do the review (though I
> hope that others will help).  Does this need a proposal to go into policy
> with the same force as the existing pre-depends verbiage?

  I would support such a change too, and would volunteer to assist if
  there was need for it.

Steve
-- 




Re: setuid/setgid binaries contained in the Debian repository.

2003-08-02 Thread Steve Kemp
On Fri, Aug 01, 2003 at 09:16:25PM -0400, Joey Hess wrote:

> Only because Steve Kemp is doing some good work on auditing our games.
> I suspect he would have just as much luck finding security holes in some
> other areas.

   I've mostly covered the games now, there's not too many left that I 
  want to have a look at.

   Next it's editors - I can't believe I found a setuid(0) one!

> > Yes, but I think the eyes should concentrate on non sgid-games first.
> > Because this might be a realy BIG junk of UGLYNESS one will find there :)

  I've found a lot of problems in non-setgid programs too, but those
 reports don't often get as much attention - and to be honest they're
 usually triggered by situations a normal user wouldn't ever trigger.

  So, sure they're important, but they're not _as_ important.

> I understand that if you want to help with the auditing effort,
> information is here:
> http://www.steve.org.uk/Debian/

  Yes, assistance would be great; I've not coordinated anything so at
 the moment it's a bit arbitrary "pick a package, and have a look at
 it".
 
  I'll post a list of the packages that I've examined shortly to avoid
 duplication.
 
Steve
---
www.steve.org.uk




Re: setuid/setgid binaries contained in the Debian repository.

2003-08-03 Thread Steve Kemp
On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:
> 
>   Given the last review of a setgid program, I wonder if two
>  people are enough. The mistake was simple, human, and understandable,
>  but the review does not in fact talk about any flaws in the current
>  version of angband (tome does need to be so changed); and this kind
>  of error would undermine the process -- especially if the results are
>  couched in terms like those below:

  I think it's accepted that no matter how many people look at a piece
 of code that there may be things missed.

  There are programs I've examined in the past which I believed were OK
 only to later see that they contained flaws.  It's easy to imagine
 things would still be overlooked with more people looking at the code,
 so a "false positive" review would occur.
 
  However what's the worst that could happen?  If there were a team and
 they messed up we'd have a vulnerable program in the archive which is
 exactly what we have now.  If something were spotted then it could be
 fixed and we'd have reached a better degree of security than that which
 we currently enjoy.

  Given the time it would take for a few people to look over a program
 I think it's a reasonable suggestion, and worth doing even if it doesn't
 catch *everything*.

Steve
---




Re: setuid/setgid binaries contained in the Debian repository.

2003-08-03 Thread Steve Kemp
On Sun, Aug 03, 2003 at 03:14:23AM -0400, Matt Zimmerman wrote:

> Surely two people would be an improvement over the current situation, where
> there is no review at all.  Our demonstration has shown how one person can
> discover some common flaws with a relatively brief review.

  *Exactly*.  Well said.

> Keep in mind that there are also potentially more than two people interested
> in this review process.  Another person besides myself has already
> volunteered in just the first day of discussion, and I find this very
> encouraging.

  I find that very pleasing also.  I have no desire to go down a *BSD
 route and audit every single thing, (mostly due to a lack of time),
 but it's good to see that there are people interested in this kind of
 work.

> I would like to promote this beneficial process within Debian in order to
> reduce the workload of the security team and the presence of vulnerabilities
> in our stable releases.

  I did feel a little guilty when reporting so many issues that I was
 putting unfair pressure upon the security team to release fixes, but I
 assumed if that were the case somebody would tell me.
  
  Anything that could make it easier for the security team to do their
 job is a good thing as you do such a good and important job.  Thanks to
 all of you.

Steve
---




Re: About NM and Next Release

2003-08-07 Thread Steve Kemp
On Thu, Aug 07, 2003 at 09:44:07AM +0200, Goswin von Brederlow wrote:

> > I don't know the current average time for a NM to get
> > through the queue but I would guess at it being around 3-4 months.
> 
> How can that be with the DAM only accepting a few people every 6
> month or so? Whats the average time for DDs accepted this year or
> within the last 12 month?

  My account was created on 22/9/2002 - and the process took around 3
 months for me.  I'd not been terribly active prior to that.

  I reported a couple of bugs with the website, and supplied a patch or
 two but nothing major.

Steve
-- 




Re: Snort: Mass Bug Closing

2003-08-24 Thread Steve Kemp
On Mon, Aug 25, 2003 at 01:33:37AM +0200, Goswin von Brederlow wrote:
> 
> Why don't you add an option to load newer rulesets and/or update
> information to snort. Once a day/week/month snort you probe some url
> for a signed ruleset or news file and report to the user about any
> updates.
> 
> That way you can have the binary in stable and still provide changes
> on a more regular basis.

  That's a perfect solution, but only works for the cases which the
 snort binary can understand the rulesets which are being downloaded.

  The way I understand the current situation the real problem is that
 the stable snort cannot understand the newer rule files; because it's
 simply too old.

  However the solution would have to be a little bit more complex than
 that which you select - blindly installing the rulesets might not be
 the best idea.

  I'd love to see a system which used a simple curses interface to:

1.  List all new rulesets with a description of their
   use.  (eg. msblast.snrt - Alert on MSBlaster worm probes).

2.  Upgrade all the rules which are currently installed.
 
  (Essentially apt-get + apt-cache for snort rules.  Clearly packaging a
  single rule file within one package is a gross misuse of resources but
  it might be sufficient if they were signed and hosted somewhere
  sensible..)


Steve
-- 




Re: apt-get internals help

2003-09-06 Thread Steve Kemp
On Sat, Sep 06, 2003 at 09:50:14AM -0400, Neil Roeth wrote:

> I did not realize the full context of what you were trying to do from your
> initial question. You're proposing a fundamental change from a process that is
> static and noninteractive (so that build daemons will work, package building
> is reproducible, etc.) to a process that is dynamic and interactive (so users
> can custom build packages for their environment). It seems you were hoping to
> tweak a few scripts and be done, but it will take more than that.  I think you
> need to step back and think it through more deeply.

  If they are global defaults, a la Gentoo, perhaps a small shell script
 would do the job:

 #!/bin/sh
 #
 # ~/bin/gcc - Give GCC global flags
 #
 # The flags in the defaults file are word-split deliberately; the
 # caller's own arguments are passed through unchanged with "$@"
 # (not "$*", which would merge them into a single argument).
 exec /usr/bin/gcc $(cat /etc/gcc-options.default) "$@"

  Obviously that's just a bare idea, a more complete solution would have
 to look out for conflicting arguments, and work with G++ etc.

  That would give you the opportunity to specify global flags for GCC
 for all your builds.

Steve
-- 




Re: Rotation of /var/log/mail.log

2003-09-23 Thread Steve Kemp
On Tue, Sep 23, 2003 at 11:18:27PM +0200, [EMAIL PROTECTED] wrote:

> While /var/log/mail.log is rotated nicely on my (woody) boxes, 
> I have no idea which package is responsible for that. 
> Any suggestions ?

  /etc/cron.weekly/sysklogd 

  This script rotates all the files which are output from running:

/usr/sbin/syslogd-listfiles --weekly

> That would help me to solve bug #212237.

  If you make sure there is an entry for mail in /etc/syslog.conf then
 these files will be output from the 'syslogd-listfiles' and rotated
 correctly.
  Alternatively you could drop a file in /etc/logrotate.d/ to force
 the issue.

  I hope that helps; and thanks for the great work with courier.

Steve
--
www.steve.org.uk




Re: ..last mirror update was a week ago, what's going on???

2005-07-28 Thread Steve Kemp
On Fri, Jul 29, 2005 at 02:31:01AM +0200, Arnt Karlsen wrote:

> ..last mirror update was a week ago, what's going on???

> ..and, yeah, gg:"Debian mirror update" "21-Jul-2005" etc 
> finds _lotsa_ noise.

> ..whether this mirror update lapse is planned or not, a wee 
> mention here on d-m and and on d-announce would IMHO 
> be warranted.  

  It was announced.  Two machines, including ftp-master, were
 shut down so they could be physically moved.

  They took longer than the couple of days announced, but this
 was the source of the delay.

  Original announcement:

http://lists.debian.org/debian-devel-announce/2005/07/msg00013.html

  Followup when service was restored:

http://lists.debian.org/debian-devel-announce/2005/07/msg00018.html

> In its absence, I ask what I believe is a relevant question 
> to d-m, here.

  This message was sent to *far* too many mailing lists.  Especially
 given that the move was announced, and the outage has previously
 been discussed on several of the mailing lists you include your
 query upon.

  Followup set to debian-user, which is least liable to complain ;)

Steve
-- 
# Debian System Administration
www.debian-administration.org/





Re: Steve Kemp <[EMAIL PROTECTED]> Please check your Debian E-Mail.

2005-08-03 Thread Steve Kemp
On Tue, Aug 02, 2005 at 03:58:33PM -0400, Greg Folkert wrote:

> I was finally able to acquire an SSP Build Host for you.
> If you are still interest. Please contact me.

  A bit quick off the mark there, Greg!  I think I've replied to all
 your previous mails within a day or two...?

  Anyway for anybody else watching.  This host is going to be used
 for rebuilding Debian's Stable release, Sarge, with the SSP
 compiler.

  The SSP compiler is a patch against GCC and offers "Stack Smashing
 Protection".  In short it gives protection against buffer overflow 
 bugs, and attacks.

  Whilst it doesn't protect a system in all cases, and other
 avenues of exploitation are still available (eg, format string
 attacks) it's a good means of hardening the system.

  The big drawback with using SSP is that it is a compiler based
 security system, so to use it all system binaries must be rebuilt.

  The intention is *not* to create a new distribution, like
 Adamantix[1].  I've neither the skill, intention, or the patience
 to support a full distribution.   Instead the goal is twofold:

   1.  See if there is any interest in supporting this in Debian.

   2.  See if it all actually works.  (eg.  #213994, #233208).

Steve
--
[1] http://www.adamantix.org/ 
- Last updated news page 2004-08-17 





Re: Steve Kemp <[EMAIL PROTECTED]> Please check your Debian E-Mail.

2005-08-07 Thread Steve Kemp
On Sun, Aug 07, 2005 at 10:12:56PM -0400, Daniel Jacobowitz wrote:

> >   The SSP compiler is a patch against GCC and offers "Stack Smashing
> >  Protection".  In short it gives protection against buffer overflow 
> >  bugs, and attacks.
> 
> Steve, you are aware that GCC 4.1 will include a complete
> reimplementaton of this feature, right?  Wouldn't time be better spent
> with that than with the obsolete SSP patches?

  The GCC 4.1 implementation, mudflap, appears to do an entirely
 different thing.

  Whilst it is true that the chances of the SSP patch ever going into
 the mainline GCC codebase have become much more minimal it is still
 an interesting experiment.  If only to be used as a benchmark against
 other compiler-based approaches.

  I take the point that sooner or later, and probably sooner, the
 experiment will have to end and there may likely not be a clean
 upgrade patch.  However as long as people are willing to bear
 that in mind it is work that I would find personally interesting
 and would do pretty much regardless of an interested audience.

Steve
-- 
# Debian System Administration
www.debian-administration.org/





Re: [SECURITY] [DSA 810-1] New Mozilla packages fix several vulnerabilities

2005-09-13 Thread Steve Kemp
On Tue, Sep 13, 2005 at 09:25:22AM -0400, Roberto C. Sanchez wrote:

> I am concerned that a version of Mozilla claiming to be an earlier will
> eventually break user-installed extensions.  

  ..

> There really has to be a better way.

  The time to make suggestions was probably when Joey asked for
 help handling Mozilla updates:

http://lists.debian.org/debian-security/2005/07/msg00315.html

  It is a hard problem, and the Mozilla folks don't appear to give
 much assistance for security-only fixes...

Steve
--





Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)

2008-05-14 Thread Steve Kemp
On Wed May 14, 2008 at 10:21:18 +0200, BALLABIO GERARDO wrote:

> If so, and if that was the ONLY entropy source used in generating keys,
> then upstream openssl is (and has always been) just as broken as the
> patched Debian package. 

  It wasn't.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Packaging a module that overwrites kernel-provided files

2008-06-18 Thread Steve Kemp
On Wed Jun 18, 2008 at 10:41:13 -0430, Ernesto Hernandez-Novich wrote:

> Been there, done that, doesn't work for these machines. The problem has
> to do with the interaction of the card with IBM's IPMI controller, and
> requires the latest Broadcom drivers.

  What you want to do is install the Etch xen packages, then use
 a "diversion" to move the modules which are replaced out of the way.

  See here for an old, simple, example:

http://www.debian-administration.org/articles/118

  That's probably enough to point you in the right direction.

Steve
-- 





Re: Orphaning debmirror

2009-07-31 Thread Steve Kemp
On Fri Jul 31, 2009 at 18:47:58 +0200, Siggy Brentrup wrote:

> Who wrote debmirror?  Without installing I can't find out since
> only maintainers are listed in the PTS.

  Look at the copyright file:

  e.g.


http://packages.debian.org/changelogs/pool/main/d/debmirror/debmirror_20070123/debmirror.copyright

> I'm asking because
> there's a lot of perl code in Debian I wouldn't even think about
> touching due to the author's programming style.

  If you only care about the style why not actually download it
 and examine it?


Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Packages that download/install unsecured files

2009-09-17 Thread Steve Kemp
On Thu Sep 17, 2009 at 21:26:38 +0200, Christoph Anton Mitterer wrote:

> CURRENT SITUATION:
> One can differ between three classes of packages:
> 0) Packages who do not download anything from the web.
>
> 1) Packages which download stuff but this is just normal data like
> pidgin, firefox (I mean html here, not plugins), wget,..
>
> 2) Package installation already downloads something and installs this
> e.g. some font packages (msttcorefonts) or documentations (susv2/3) do
> this.
>
> 3) The package provides automatic update scripts (like here), where
> content that in principle belongs to the package is replaced/updated.
> Many packages do this (clamav-freshclam, rkhunter, tiger, some packages
> for firmwares)

  I'd add :

  4) The package downloads insecure code and directly executes it.

  For an example of this see #451303 - which is fixed - but a perfect
  example.

Steve
--





Re: I don't understand Debian

2007-06-22 Thread Steve Kemp
On Fri Jun 22, 2007 at 20:24:22 +0200, ignatius wrote:

> - Why it's Debian that fixes bugs and security holes? Why it isn't upstream 
> developers? 

  Generally upstream developers *will* fix security holes, however 
 Debian users generally get their software from *us*.

  So if we're shipping software in our stable release then for a fix
 to be sent to our users we need to release it.

  (Otherwise the upstream software project might release a fixed
 release; but 99% of the package users would not notice and still
 be installing the version from our repository.)

> How can you be sure that all security holes will be found or 
> revealed?

  We cannot.

  We sometimes have some people scanning for problems and reporting
 them, but there is absolutely no promise that a program we ship
 will be free of security issues.

  Since you use Windows in your mail then I could say "How can
 Microsoft promise that their software is security-hole free?".  The
 answer is that they cannot, and neither can we.

> (for instance an old software in stable can have a security issue 
> which is not in the recent version, so upstream can't find it) Why upstream 
> developers of important softwares do not sometimes provide stable versions of 
> their programs (eg linux kernel, libc, xorg), instead of let Debian do the 
> job 
> for them?

  You'll have to ask them.

  Some projects do release patches for old(er) versions.  Others, such
 as the Mozilla project, do not.

> I mean, with Windows? (sorry), things are sometimes more logical: the kernel, 
> "xserver, xclient", etc. (important apps) are stable for years, but you can 
> have the last firefox without update them (like a mix stable/unstable, except 
> that stable softwares are maintained by uptream, not by a distribution).

  This is tangential to security support, and security updates.
 Important windows DLLs *do* get changed for security fixes, but the
 public API doesn't change - so that the latest programs still run.
 This is the same as the Debian stable release system.

> - Why Debian isn't KISS (Keep It Simple, Stupid!) compliant? I mean, I never 
> need to change my conf files. If I have a problem, I solve with apt-get or 
> dpkg-reconfigure. I don't understand how things works and I'm too dependent 
> on 
> Debian.

  The problem with you being dependent upon Debian is with you, not with
 Debian.

> Furthermore, .deb are really complicated compared with other package 
> tools. I like for instance Frugalware philosophy: "We try to ship fresh and 
> stable software, as close to the original source as possible, because in our 
> opinion most software is the best as is, and doesn't need patching."

  They are simple and logical once you look at them.  However 99% of
 users will never need to look at the files manually.  So it doesn't
 matter.

  I don't understand RPMs, but I don't need to.  I just install them
 with "yum install emacs" and it works.  The complexity is hidden from
 me and with good reason.

> Well, I don't like what is Linux today. Software developers don't care about 
> stability, are not responsible, whereas each Linux distributions re-do the 
> same 
> jobs without cooperate. Linus should do something. It's too easy to create a 
> kernel and then let it go alone.

  Linus has no say in distributions, and most likely doesn't care.
  If you have an objection to the way things are currently working
 you need to persuade the people who make your distribution to change,
 not just say that "you don't like it".  If you do that too often
 people will, rightly, ignore you.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Intend to orphan pscan.

2007-06-30 Thread Steve Kemp
On Sat Jun 30, 2007 at 18:43:36 +0900, Charles Plessy wrote:

> I would like to know if it is OK that I orphan pscan and open a
> discussion about its removal.

  I think it would be grossly rude to attempt to orphan a package
 which you do not maintain which has no bugs against it.  (Except
 the naming collision that is currently being discussed.)

  As the "newcomer" I'd suggest that the solution would be for
 you to rename/move your binaries rather than forcing the previously
 working packages to change their names/behaviors.
 (Something I think you've agreed to do.  Just sharing opinion.)

  pscan I previously maintained, use often, and would miss majorly
 if it were orphaned and removed.

Steve
-- 




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Steve Kemp
On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:

> I set Severity into grave for  this  bug.   The  tableof  discovered
> problems is below.

  Great work.

  I don't think there should be any objection to a mass-filing for
 security sensitive bugs - and from the sounds of it you'll only be
 filing a few bugs, not a mass of them.

Steve
-- 
http://www.steve.org.uk/





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Steve Kemp

  Great work.  If you have the time to see if any of these are included
 in stable (etch) please could you do so?

  It might be that we'd need to release a security update, or at least
 a package for the next point release.  (I guess severity "grave" and
 a tag of "security" will ensure the same thing happens for
 testing/lenny.)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: screenshots.debian.net goes beta

2008-11-11 Thread Steve Kemp
On Tue Nov 11, 2008 at 01:02:42 +0100, Christoph Haas wrote:

> >  * There are 14 pages and the navigation is truncated to 'Page: 1 2 3 ..
> >14 >'. Could you (optionally) display links to all pages? Or alter
> >the number of results per page (increase, or make user configurable)?
> 
> I'll change the pager radius to 10. Will be fixed in the next deployment.

  I'd love a "random" link in there somewhere too..


Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: SmellyWerewolf.com perfume & make-up discount

2008-11-23 Thread Steve Kemp
On Sun Nov 23, 2008 at 17:59:13 +0100, Josselin Mouette wrote:

>  - Send your private Debian GPG Key to [EMAIL PROTECTED] Include
>the brand of your perfume and the color of the make-up.

  I find it disappointing to see this posted, and in bad taste.

  I'm sure I'm not alone.

Steve
-- 




Re: SmellyWerewolf.com perfume & make-up discount

2008-11-23 Thread Steve Kemp
On Sun Nov 23, 2008 at 19:52:46 +0200, Antti-Juhani Kaijanaho wrote:

> > >  - Send your private Debian GPG Key to [EMAIL PROTECTED] Include
> > >the brand of your perfume and the color of the make-up.
> > 
> >   I find it disappointing to see this posted, and in bad taste.
> 
> I found it generally hilarious and a well-made point, though I agree the
> presentation could have been in better taste.

  Indeed, the original post was borderline and a rational reply would
 have been fine.  A comedy-followup would have been less good, but
 still acceptable.

  The actual reply posted just didn't sit well with me, which is perhaps my
 problem, but with debian-women making strides forward it seems this
 was a step backward.

  Anyway I'm done now..

Steve
-- 




Re: For those who care about lesbians reloaded (Was: SmellyWerewolf.com perfume & make-up discount)

2008-11-23 Thread Steve Kemp
On Sun Nov 23, 2008 at 22:17:44 +0100, Pierre Habouzit wrote:

> FWIW we had this discussion already:
> 
> http://lists.debian.org/debian-devel/2006/01/msg00920.html
> 
> Could we fucking stop repeating the same old discussions over and over
> and over ? every two year we troll about firmwares, bad jokes on d-d-a,
> what else ?
> 
> COULD WE PLEASE FUCKING LEARN FROM OUR PAST PLEASE ?

  If sexism keeps being repeated then I will continue to complain.
  Or quit.

  Firmware, etc, is unrelated.  No need for all caps.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Adoption of Nix?

2008-12-24 Thread Steve Kemp
> > Yes, you are probably right: I don't understand how Nix may be useful for
> > Debian (and for GNU/Linux also).
>
> That's too bad for you. Shallow thinking doesn't get you anywhere.

  As promoter/recommender surely the onus is upon you to demonstrate:

1. Nix is good.
2. Nix is better than what currently exists.
3. Nix would be a good fit for Debian.

  I believe you'll struggle, not least because you do not seem to
 have a thorough understanding of what is actually involved in
 a packaging system.  (Perhaps a comparison to the auto-package
 format is in order?)

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: libpango update broke iceape synaptic and more

2007-09-04 Thread Steve Kemp
On Tue Sep 04, 2007 at 11:54:23 -0500, Don wrote:

> I am using "sid" and yesterday my update/upgrade broke iceape, synaptic, and 
> some others.  I've had problems with libpango before, but this one has me 
> stumped.  I don't see anyone else having this problem, so I must conclude 
> something is wrong with my installation.

  I see it too, on my AMD64 system:

  [EMAIL PROTECTED]:~$ firefox 
  /usr/lib/iceweasel/firefox-bin: symbol lookup error: 
/usr/lib/libpangoft2-1.0.so.0: undefined symbol: g_once_init_enter_impl

  Interestingly the symbol is defined:

  [EMAIL PROTECTED]:~$ nm -D /usr/lib/libpangoft2-1.0.so.0 |grep g_once_
   U g_once_init_enter_impl
   U g_once_init_leave

  I ran firefox under strace and I can see the system load and open
 the correct .so so I'm a little stumped too.

  I can't see any open bug reports, so I'd suggest you submit one.
 FWIW I fetched the source and rebuilt it locally, but the problem
 persists..

Steve
--





Re: libpango update broke iceape synaptic and more

2007-09-04 Thread Steve Kemp
On Wed Sep 05, 2007 at 00:43:46 +0200, Julien Cristau wrote:
> >   [EMAIL PROTECTED]:~$ firefox 
> >   /usr/lib/iceweasel/firefox-bin: symbol lookup error: 
> > /usr/lib/libpangoft2-1.0.so.0: undefined symbol: g_once_init_enter_impl
> > 
> >   Interestingly the symbol is defined:
> > 
> >   [EMAIL PROTECTED]:~$ nm -D /usr/lib/libpangoft2-1.0.so.0 |grep g_once_
> >U g_once_init_enter_impl
> >U g_once_init_leave
> > 
> U means undefined.  That symbol presumably comes from glib.

  Thanks for the hint.  I've now "solved" the problem.

  Running ldd against the named library I see this:

  libglib-2.0.so.0 => /lib/libglib-2.0.so.0 (0x2ac8b5c58000)

  That is *incorrect*,  I have the /lib/libglib* file upon my system
 and no idea where it came from!  The correct files are located in 
 /usr/lib/ - archiving /lib/libglib* made the problem go away.

  (This is the second time I've found my sid system having extra
 libraries in /lib.  The first time I thought it was my fault as
 I was working with .rpm files at the time - but nothing like that
 recently.  If anybody has any experience with this type of problem
 I'd love hints on tracking it down ...)

Steve
-- 


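As an added example (not from the thread), a script that does the check Steve ended up doing by hand: list the shared objects in an earlier loader search directory such as /lib that shadow a copy in /usr/lib, say whether the two copies differ, and ask dpkg whether any package claims the extra file. A library in /lib that no package owns is worth treating as an incident until it is explained.

```shell
#!/bin/sh
# Added example, not code from the thread: find lib*.so* files in one
# directory that shadow same-named files in another, and flag copies that
# no Debian package owns.  Typical use: shadow_libs.sh /lib /usr/lib

# shadowed_libs FIRST SECOND
# Prints the basename of every lib*.so* in FIRST that also exists in SECOND.
# ld.so searches directories in ld.so.conf/ld.so.cache order, so a stray
# copy in an earlier directory wins over the packaged one.
shadowed_libs() {
    first=$1; second=$2
    for path in "$first"/lib*.so*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        [ -e "$second/$name" ] && echo "$name"
    done
    return 0
}

# owner FILE -- prints the package that owns FILE, or "(no package)".
owner() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        dpkg -S "$1" | sed 's/: .*//'
    else
        echo "(no package)"
    fi
}

# check_shadowing FIRST SECOND
# One report line per shadowing file: whether the copies are identical and
# who owns the shadowing one.  Returns 1 if any shadowing copy is unowned.
check_shadowing() {
    first=$1; second=$2; bad=0
    for name in $(shadowed_libs "$first" "$second"); do
        pkg=$(owner "$first/$name")
        if cmp -s "$first/$name" "$second/$name"; then
            same=identical
        else
            same=different
        fi
        printf '%s/%s shadows %s/%s (%s, owner: %s)\n' \
            "$first" "$name" "$second" "$name" "$same" "$pkg"
        [ "$pkg" = "(no package)" ] && bad=1
    done
    return $bad
}

[ $# -eq 2 ] && check_shadowing "$1" "$2"
```

For the case in the thread, the "different" and "(no package)" combination is exactly the signature of a file that arrived outside the package system; `ldd` on the affected binary then shows which copy the loader actually picked.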



Re: Bits from the Security Team

2007-10-19 Thread Steve Kemp
On Fri Oct 19, 2007 at 17:36:21 +0200, Adrian von Bidder wrote:

> Allow me to point out the message at 
>  
> which is really a Bits from the Security Team.
> 
> Why is - once again - a message that I'd consider appropriate for d-d, or 
> perhaps even d-d-a (though I admit that the real information content is not 
> extremely high.  But still, it is information that Steve is active and 
> outlines some of the problems and ways how people can help) hidden on a 
> blog? 

  I don't believe that post contains significant new information,
 (except that I like pies!), and as such I didn't believe it deserved
 massive visibility.
 
  To be honest I'm a little disappointed that you chose to complain
 here about that, rather than commenting/mailing me personally.

> (Apologies if I'm just too quick and Steve posted his Bits to d-d or d-d-a 
> but the mail just hasn't reached me or the mail archives yet.)

  It hasn't been posted elsewhere.

  I'm happy to write more, later, and post to the devel-announc list,
 once I've got a chance to do so.  But even so the content would be
 largely known, and largely un-newsworthy.

  And to reiterate things slightly; If there were something that
 users/developers are supposed to know then it shouldn't be posted to just
 a random blog.  
  It should go to the development/announcement lists.  I don't believe I'm
 guilty of that here, and I don't believe anybody else has been guilty of
 that recently.
 
  (ie. I agree.  Fragmentation is something to be avoided).

Steve
-- 
http://www.steve.org.uk/




Re: Bits from the Security Team

2007-10-20 Thread Steve Kemp
On Sat Oct 20, 2007 at 12:00:23 +0300, Lars Wirzenius wrote:
> 
> pe, 2007-10-19 kello 18:29 +0200, Adrian von Bidder kirjoitti:
> > Seriously:  I think exactly this kind of "not really much new stuff going 
> > on, but here's what we're continuing to do" kind of information should be 
> > more visible, because it, too, is valuable information to somebody who is 
> > not involved tightly in the Debian teams.
> 
> I do think the "Bits from" mails are a great thing, and getting them, say,
> monthly would be very nice, even if they just say "business as usual,
> Steve still likes pies".

   I agree.  I like reading them myself, which is why I posted my
  little entry with the subtitle I did.

Steve
--





Re: Bits from the Security Team

2007-10-20 Thread Steve Kemp
On Fri Oct 19, 2007 at 18:29:46 +0200, Adrian von Bidder wrote:

> That you like pies is important.

  :)

> Though in the specific case of the security team, the flow of security
> updates is an indication that the team is working

  Yes, this is what I think too.

> Could've cc:ed you at least.  Apologies.

  No problem.

Steve
-- 





Re: Is archive this list?

2010-01-10 Thread Steve Kemp
On Sun Jan 10, 2010 at 21:16:04 +0100, Andrzej Borucki wrote:
> Exists archive debian-devel@lists.debian.org ?Steve

http://lists.debian.org/debian-devel/

Steve
--
http://www.steve.org.uk/





Re: Package verification

2003-10-07 Thread Steve Kemp
On Wed, Oct 08, 2003 at 12:24:37AM +1000, Kim Lester wrote:

> There is no way to verify/correct the MODE, USER, GROUP, TYPE
> of any files installed in a pkg.

  That appears to be the case, partly because permissions may be changed
 from those files which are contained within the .deb file via the
 postinst scripts.

  If you wanted to handle this yourself you could add a hook to apt,
 in the same way that 'apt-listchanges' does - so that new installations
 of packages would get their information logged somewhere.

  However if you're using this for a real enterprise system presumably
 you'd want all your sums/inode info/etc stored onto CD-ROM or off
 machine?

> One of the solutions I have implemented is a file containing:
> type(eg Dir, Sym, File), path, mode, uid, gid, symlink destination
> and in my case md5sum and file size (deb would use the sep md5sum file)
> [correct size is useful for humans :-)]

  Congratulations, you just reinvented tripwire.

  If this file can be updated, securely, at package install post your
 patch and we'll take it from there.

> This permits my command pkginfo -v to verify that a pkg is
> installed correctly and can even fix certain errors (eg mode/uid/gid)
> if requested.

   Tripwire's database, (and tiger's or any of the other systems which
  use a database like this), can also be used in such a way.

   I'd love to see dpkg be capable of doing this, but I really don't
  see that this is a huge stumbling block in the adoption of Debian
  in the enterprise as your rant appears to suggest.

   I'd argue that the lack of Oracle support is more significant than
  the ability to natively verify package installs.

-- 
Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
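As an added example (not Kim Lester's pkginfo, not dpkg, and not tripwire), here is the manifest described above built and verified in shell. The tab-separated field order (type, path, mode, uid, gid, link target, md5sum, size) is my assumption about the layout; GNU stat(1) and md5sum(1) are assumed, as on any Debian box.

```shell
#!/bin/sh
# Added example, not code from the thread: build a per-package manifest
# (type, path, mode, uid, gid, symlink target, md5sum, size) and later
# verify the installed files against it, reporting any drift.

# manifest_entry PATH -- print the manifest line for PATH as it is now.
# stat(1) without -L reports the symlink itself, so a Sym entry records the
# link's own mode/owner plus its target and never follows the link.
manifest_entry() {
    p=$1
    set -- $(stat -c '%a %u %g %s' "$p")   # mode uid gid size
    if [ -L "$p" ]; then
        printf 'Sym\t%s\t%s\t%s\t%s\t%s\t-\t-\n' "$p" "$1" "$2" "$3" "$(readlink "$p")"
    elif [ -d "$p" ]; then
        printf 'Dir\t%s\t%s\t%s\t%s\t-\t-\t-\n' "$p" "$1" "$2" "$3"
    else
        sum=$(md5sum "$p" | cut -d' ' -f1)
        printf 'File\t%s\t%s\t%s\t%s\t-\t%s\t%s\n' "$p" "$1" "$2" "$3" "$sum" "$4"
    fi
}

# build_manifest ROOT -- manifest for everything under ROOT, sorted so two
# runs over the same tree compare byte for byte.
build_manifest() {
    find "$1" -mindepth 1 | sort | while IFS= read -r p; do manifest_entry "$p"; done
}

# verify_manifest MANIFEST -- recompute every entry and report drift.
# Prints MISSING for paths that vanished and CHANGED (with both lines) when
# type, mode, ownership, link target, checksum or size differ.  Returns 1
# if anything was reported, so it can drive a cron job or a postinst check.
verify_manifest() {
    rc=0
    while IFS= read -r line; do
        p=$(printf '%s\n' "$line" | cut -f2)
        if [ ! -e "$p" ] && [ ! -L "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        now=$(manifest_entry "$p")
        if [ "$now" != "$line" ]; then
            echo "CHANGED $p"
            echo "  recorded: $line"
            echo "  current:  $now"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: manifest.sh build ROOT > pkg.manifest ; manifest.sh verify pkg.manifest
case ${1:-} in
    build)  build_manifest "$2" ;;
    verify) verify_manifest "$2" ;;
esac
```

As the reply notes, the manifest only proves anything if it is written at install time and kept where a compromised host cannot rewrite it, on read-only media or off the machine; a manifest that lives next to the files it describes is just documentation.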




Re: Bug#214036: im: imput doesn't work with Perl 5.8.1

2003-10-20 Thread Steve Kemp
On Tue, Oct 21, 2003 at 01:13:49AM +0900, Tatsuya Kinoshita wrote:

> With the perl 5.8.1 package, the line input operator (<>) causes
> "Bad file descriptor".  This problem is reproducible by the
> following sample code.
> 
>  
> #!/usr/bin/perl
> $file = "/etc/debian_version";
> open(FH, $file) or die "Cannot open $file";
> $! = 0;
> $line = <FH>;
> if ($!) {
> print "System error: $!\n";
> }
> print "$line\n";
> close(FH);
>  
> 
> Is this a bug in the perl 5.8.1 package?  Or a Perl feature?
> What should I do?

  The following change makes the code work as expected:

@line = <FH>;
print @line . "\n";

  [EMAIL PROTECTED]:~$ cat t.pl
  #!/usr/bin/perl -w
  use strict;
  my $file = "/etc/debian_version";
  open(FH, "<".$file) or die "Cannot open $file - $!";
  #$! = 0;
  my @line = <FH>;
  if ($!) {
  print "System error: $!\n";
  } 
  print "@line\n";
  close(FH);

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Re: A case study of a new user turned off debian

2003-11-03 Thread Steve Kemp
On Mon, Nov 03, 2003 at 03:05:56PM -0500, Greg Stark wrote:

> All he had to do was install an older version of libc6 and every other package
> would have been happy. All the infrastructure is there to do this, the old
> packages are all on the ftp/http sites, the package may even be sitting in
> apt's cache. But there's no interface for it.

  Sure there is, 'dpkg --install $foo.deb'.  Doesn't that do exactly the
 correct thing, even at the expense of downgrading?

  If not I'm sure there's a force option for it.

> The only interface for rolling back is switching the entire machine to an
> earlier distribution and telling apt to try to downgrade -- which is unlikely
> to work. And worse, every time you run apt it only downloads and unpacks
> *more* packages, all of which, of course, fail as well.

  In the general case where you have intermingled dependencies perhaps
 that is necessary.  However for a single package that shouldn't be the
 case.
  I know that you cannot remove an essential package and do much
 afterwards (I once resorted to editing the installed list of packages
 such that libc wasn't marked as being installed.  I had a lot of fun
 before getting there and afterwards was even worse).

  However if you have an alternative package you should be able to force
 its installation; even if you have to do something tedious like download
 a source package and rebuild it ..

Steve
---
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Re: Bug#219139: ITP: cdcat -- a graphical (QT based) catalog program

2003-11-04 Thread Steve Kemp
On Tue, Nov 04, 2003 at 04:20:26PM +0100, Jorge Bernal (Koke) wrote:

> Package: wnpp
> Version: unavailable; reported 2003-11-04
> Severity: wishlist
> 
> * Package name: cdcat
>   Version : 0.92
>   Upstream Author : Peter Deak <[EMAIL PROTECTED]>
> * URL : http://cdcat.sf.net
> * License : GPL
>   Description : a graphical (QT based) catalog program

> It's already packaged and I will RFS. The package is at:
> 
> http://www.sindominio.net/koke/debian

  Please apply the following patch:

--- config.cpp-orig 2003-11-04 15:36:58.0 +
+++ config.cpp  2003-11-04 15:37:06.0 +
@@ -92,7 +92,7 @@
 #else
   if(getenv("HOME") == NULL)
 return 1;
-  sprintf(str,"%s/%s",getenv("HOME"),CONFIGFILE);
+  snprintf(str,sizeof(str)-1,"%s/%s",getenv("HOME"),CONFIGFILE);
#endif
 
   cf = fopen(str,"r");
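Review bot: at the `+  snprintf(str,sizeof(str)-1,...)` line, sizeof(str) only yields the buffer length if `str` is a fixed-size array declared in this scope; if it is a `char *`, the bound becomes the pointer size and the fix is illusory. snprintf already counts the terminating NUL in its size argument, so `sizeof(str)` is the idiomatic bound and the `-1` just wastes a byte. The return value is also discarded: an over-long $HOME now silently truncates the path instead of overflowing, so consider treating a return value >= sizeof(str) as an error, the way the `if(getenv("HOME") == NULL) return 1;` lines above handle the missing-HOME case.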


  I'm not convinced that the database code is bug free, there appear to
 be a some assumptions made on the size of the tags which are not
 tested.

  I might have a look at this more thoroughly later.

Steve
--




Re: RFA: A lot of packages

2003-11-15 Thread Steve Kemp
On Fri, Nov 14, 2003 at 05:03:59PM +0100, Simon Richter wrote:

>  - uptimed (sponsor needed for Daniel Gubser, who helped out)

  I will sponsor Daniel; or failing that I'd take it over
 myself.  Whichever you both prefer.

Steve
--




Re: [debian enterprise] sub-project planning

2003-12-01 Thread Steve Kemp
On Tue, Dec 02, 2003 at 06:24:58AM +1100, Zenaan Harkness wrote:

> Great to hear. I started a web page at http://debian-enterprise.org/.

  Aren't we still waiting for clarification on the use of "Debian"
 in domain names, etc?  As highlighted by the Adamantix name change?

> And as I put on the web page, a goal of debian-enterprise ("should be",
> IMHO) to explicitly support *for-profit* organisations. Let's make no
> bones about it - the goal is to make as much profit as possible, such
> that we might Do Good Things (TM).

  I'm agreeing with the ideas of the project, especially availability
 software and security.  

  As a related topic I've been working on "bootable Debian", some simple
 bootable CD-ROM's for different purposes,  a simple Mail server
 offering POP3/IMAP/SMTP and Spam filtering in a box and a complete
 Webserver on a CD for example.

  These sound similar to the turnkey server installations you mention.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Re: development environment question

2003-12-03 Thread Steve Kemp
On Wed, Dec 03, 2003 at 10:48:57AM -0800, bruce wrote:

> Our goals:
>  * Provide Project Management
>  * Provide a Development Network of Servers
>  * Provide Test Servers
>  * Allow users to configure Test Servers as Required
>  * Allow users to build/execute/test their code on the Test Servers
> 
> Obviously, this kind of environment has to be carefully built/implemented.
> Our question is how can it be done? What are the tradeoffs that need to be
> made? Has anyone constructed a network close to this? Our initial thoughts
> were of University/Computer labs... But even these are a little more tied
> down...

  The obvious tradeoff is allowing users to signup vs security.

  Allowing users to configure test servers is the kind of thing that
 many ISPs are now offering with User Mode Linux (I have an UML host
 running www.steve.org.uk; it works nicely and I am unable to affect
 other hosted sites upon the same physical box).

  I would suggest that the closest thing I've seen to a
 build/execute/test box is the shell server collection on SourceForge
 which they call a "compile farm".  They allow a simple menu based
 login to multiple hosts running different OS's.

  I would love to work on an UML based version of this and I can see
 that it allows security and ease of use; however if you think of
 offering such a thing you should be aware that the barrier to entry is
 raised.  Rather than allowing a developer/team to login to one box
 you're expecting them to admin it too.  If the UML box is running
 telnet they and you become vulnerable.

  The only thing a collection of UML servers would not provide is a
 system of managing a project, however I would suggest that is a social
 process rather than a technical one, however I would suggest that is a

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Building a distribution from source?

2003-12-04 Thread Steve Kemp

  I wasn't going to post this, but it might be relevant to the
 ongoing custom distribution stuff that's happening.
  
  I've been experimenting with producing a hardened Debian derivative
 as a small piece of paid work.  This mostly means compiling things with
 a stackguard compiler, using format guard, and enforcing policies, etc.

  (We know that stackguard isn't going to produce a completely 
 hardened environment; as all the return-into-libc type exploits will
 work.  Let's not discuss/flame about that.  Pretty please!)

  All of that part I'm happy with.  I have a modified glibc and compiler
 and am confident that I can recompile all the base packages and others that
 are necessary.  It's the process of installing after that I'm 
 a bit confused.

  If I wish to produce an installation CD-ROM identical to that used
 in woody, with my packages installed how do I do that?  Is there some
 tool that will allow me to create an ISO with my packages.

  I'm wondering if jigado, or using debootstrap from my apt repository
 should be the way to go?  Any pointers appreciated.

  The other approach which is simpler to manage but harder to install
 is to insist upon a stable installation, then have an apt repository
 with each package I've recompiled have a higher version number, or
 in a distribution of my own with a release file.  (eg like testing,
 but "steving" or similar.)

  The latter approach appears to be what Adamantix are doing.

Steve
--
Still Looking for work
Can make coffee well !




Re: Building a distribution from source?

2003-12-04 Thread Steve Kemp
On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> On Fri, 5 Dec 2003 10:39, Steve Kemp <[EMAIL PROTECTED]> wrote:
> >   I've been experimenting with producing a hardened Debian derivative
> >  as a small piece of paid work.  This mostly means compiling things with
> >  a stackguard compiler, using format guard, and enforcing policies, etc.
> 
> Are you using any extra patches to GCC?  Or just a GCC built with the 
> propolice option?

  Yes I am using slightly modified patches from http://www.immunix.org/.

  The propolice is something that I shall be evaluating next.

> How difficult is it to bootstrap this?  Can you compile glibc with these 
> options without affecting anything else?

  So far I have built glibc with this modified GCC, (only so that I
 could apply the "FormatGuard" patches which are designed to combat
 format string attacks).  Recompiling glibc wasn't something that I
 really wanted to try on the PII 233Mhz machine I have as my test box!

  Bootstrapping was very simple, just a matter of applying the patch to
 GCC and rebuilding it, then having installed it I rebuilt several test
 packages which were exploitable previously and failed to be exploitable
 afterwards.  (With the caveats that this patch doesn't protect against
 all attacks).

  I confess that I haven't rebuilt _all_ the interesting packages yet
 the kernel and X11 being the most likely to fail - but the packages
 that I did build, bash, perl, etc did compile with no observed side
 effects thus far.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Re: Building a distribution from source?

2003-12-05 Thread Steve Kemp
On Thu, Dec 04, 2003 at 10:42:28PM -0500, Joey Hess wrote:
> That's what the debian-cd package is for.

   Thanks, that was exactly what I was looking for :)

Steve
--
Will code for food.  




Re: Building a distribution from source?

2003-12-05 Thread Steve Kemp
On Fri, Dec 05, 2003 at 10:20:19AM +0100, Javier Fernández-Sanguino Peña wrote:

> > I believe that our GCC packages already have propolice patched in but not 
> > enabled.  Therefore it should be a much easier change to make for it to be 
> > included.
> 
> This is true, debian/patches has a line for propolice (currently commented 
> out)

  I've just spent several hours building a version of gcc v3.3 with this
 enabled, and tested it out on some packages.

  So far it appears to work, it will abort "attacks" and it hasn't
 demonstrated any obvious side effects.  I'm not sure that I can use it
 in practice, I will have to see how easy it is to get built under
 Debian Stable which really is my target environment.

  I'll continue playing with it and try to test it with more packages,
 reporting back here if there's anything interesting to say.

> "They're large patches, with no testing on most architectures.  They
> touch platform independent code.  If it really did do nothing without
> the option, and we were convinced of that, then maybe they could be
> applied - I'm not convinced."

  The naive thing for me to say is that no testing will happen until
 it is enabled and deployed.  I'm sure this has been considered though
 ..

Steve
--
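As an added example (not from the thread, and not Debian's later hardening-check tool), here is the check I would run over the rebuilt packages to confirm the ProPolice/stack-protector instrumentation actually landed in the binaries, together with a few related ELF-level protections. The readelf(1) output layout it parses is the one GNU binutils prints with the -W (wide) option.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that a rebuilt binary
# really carries stack-protector instrumentation and related hardening by
# reading readelf(1) output.  The has_* functions read that output on stdin,
# so they can be exercised on saved text as well as on live binaries.

# Stack protector: instrumented functions call __stack_chk_fail when the
# canary is wrong.  Caveat: -fstack-protector only instruments functions
# with local char arrays, so a tiny program may legitimately lack the symbol.
has_stack_protector() { grep -q '__stack_chk_fail'; }

# RELRO: a GNU_RELRO segment lets the loader make relocation data read-only.
has_relro() { grep -q 'GNU_RELRO'; }

# Non-executable stack: the GNU_STACK program header's flags lack E.
# In "readelf -lW" output the flags are the 7th whitespace-separated field.
has_nx_stack() {
    flags=$(awk '$1 == "GNU_STACK" { print $7 }')
    case $flags in
        '' | *E*) return 1 ;;
        *)        return 0 ;;
    esac
}

# PIE: an executable whose ELF header type is DYN is position independent
# (shared libraries are DYN too, so apply this only to executables).
has_pie() { grep -q '^ *Type: *DYN'; }

# report LABEL CHECK TEXT -- feed TEXT to CHECK and print a yes/NO line;
# sets rc=1 on a NO so check_binary can return an overall verdict.
report() {
    if printf '%s\n' "$3" | "$2"; then
        echo "$1: yes"
    else
        echo "$1: NO"; rc=1
    fi
}

# check_binary FILE -- run all checks; returns 1 if any protection is missing.
check_binary() {
    bin=$1; rc=0
    if ! command -v readelf >/dev/null 2>&1; then
        echo "readelf not found; install binutils" >&2; return 2
    fi
    syms=$(readelf -sW "$bin" 2>/dev/null)
    prog=$(readelf -lW "$bin" 2>/dev/null)
    hdr=$(readelf -hW "$bin" 2>/dev/null)
    echo "== $bin"
    report "stack protector" has_stack_protector "$syms"
    report "RELRO"           has_relro           "$prog"
    report "NX stack"        has_nx_stack        "$prog"
    report "PIE"             has_pie             "$hdr"
    return $rc
}

# Usage: hardening.sh /usr/bin/perl /bin/bash ...
for bin; do check_binary "$bin"; done
```

Running this over every binary in a rebuilt package (for example by walking the output of `dpkg -L`) is a cheap way to catch packages whose build system ignores the distribution's CFLAGS and therefore quietly came out unprotected.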




Re: Building a distribution from source?

2003-12-05 Thread Steve Kemp
On Fri, Dec 05, 2003 at 06:37:47PM +0100, Jakob Lell wrote:

> maybe Adamantix is what you are wanting to do. It is based on Debian woody 
> and 
> uses kernel and gcc patches to improve security. At the moment you need to 
> install a normal Debian woody and then upgrade. However, you might create 
> installation CDs yourselve. For more information about Adamantix, see
> http://trusteddebian.org/

  It is certainly similar to what I would like to see/work on.

  But with Adamantix there does seem little likelihood of their work coming
 back into Debian proper, and that's my single biggest problem with it.

  (Ignoring my personal dislike of RSBAC).

Steve
--




Re: how to handle multiple upstream changelogs

2003-12-07 Thread Steve Kemp
On Sun, Dec 07, 2003 at 03:18:54PM +0100, Tommaso Moroni wrote:

> The only idea I've come up with is to put the name of 
> the corresponding subdirectory before each changelog.
> Is there anyone who has resolved this problem in another
> way?

  I just took the "main" one and used that.

  Some packages I've made comprise of a library file and an
 executable which links to it, in that case I'd package them 
 separately and that sidesteps the problem..

Steve
--
Will code for DVDs




Re: Need help: Idle X-user?

2003-12-08 Thread Steve Kemp
On Mon, Dec 08, 2003 at 07:09:59PM +0100, Dennis Stampfer wrote:

> Is there any way to querry how long a X-user is idle? If not, do you
> think it's okay to write something like "IDLE-Logout does not work
> with X" into Readme.Debian and into the config-file(,manpage, ...)?

  I'm not sure to be honest, but you could look at the code for 
 xscreensavers etc.

  As for the libraries and a dependency upon Xlibs you can get round
 this by having the package provide two binaries 'timeoutd' and
 'timeoutd-x11' or something similar.

  That way users would install the one they want..

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/




Re: Building a distribution from source?

2003-12-10 Thread Steve Kemp
On Wed, Dec 10, 2003 at 07:44:55PM +0100, Peter Busser wrote:

> ``We''? Who is ``we''? It is unlikely that you are one of them royal people, 
> so
> I take it you meant to say:
> 
> Adamantix is not what I want to do, what I want to do is to improve Debian.

  That is correct, I agree with Russell.  What _I_ want to do is improve
 Debian.  If for a while I have to go it alone and demonstrate my code
 and packages work then so be it, but the ultimate aim is to improve
 Debian.

> Fair enough. But if I were to improve Debian, I would put PaX in the default
> kernel source.

  PaX is interesting, ProPolice is more interesting.

> > > create installation CDs yourselves. For more information about Adamantix,
> > > see http://trusteddebian.org/
> > That URL is obsolete.

  Yes.

> Right, it is obsolete. Please use http://www.adamantix.org/ instead. Not that
> it makes any difference, because you end up with the same web page in front
> of you.

  But you lose the association with Debian "proper".

> > In fact the domain should probably be de-registered to avoid confusion.
> 
> If anyone appears to be confused here, it seems to be you (again).

  Fight amongst yourselves if you wish.  Adamantix are clear that they
 are separate from Debian, as I believe they are.   Anything else is
 pointless bickering and semantics.

Steve
--




Re: Building a distribution from source?

2003-12-12 Thread Steve Kemp
On Thu, Dec 11, 2003 at 12:10:06PM +1100, Russell Coker wrote:

> Let me know when you have an apt repository that's in a usable state and I'll 
> recommend it on my SE Linux web pages.  I expect that anyone who is 
> interested in SE Linux will be interested in your work as well.

  This work has hit a snag with dependencies which I've currently hacked
 around.

  I want to use a patched compiler, so that's the thing that I started
 with.  I was a little optimistic originally as I was working on
 unstable.

  On stable there are two main approaches:

* Patch gcc-2.95 with the SSP code.
* Backport gcc-3.3 with the SSP code already included.

  So far I've been going down the second course, getting the latest
 Debian unstable package and hacking it to build on stable (strange
 issues with internal compiler errors when building the pascal code,
 and issues with building the -doc package).

  Once those problems were resolved getting gcc-3.3 built on Debian 
 stable was fairly trivial, just time consuming. 
 (8 hours from start of compile to finish was my fastest recorded
 time!)

  After that there are dependencies to be followed before it can be
 installed, I'm unsure if I can ignore them so far:

  gcc-3.3: Depends: binutils (>= 2.13.90.0.10) but 2.12.90.0.1-4 is installed
  libstdc++5-3.3-dev: Depends: libc6-dev (>= 2.3.1) but 2.2.5-11.5 is installed
 
  binutils is a simple one to build, only relying upon Debian stable,
 and a more recent modutils.

  modutils was simple to build, just requiring the new package
 "dpatch".

  After that the last dependency is the libc6-dev package - getting
 v2.3.1 built on Debian stable appears to be involved.

  I have currently patched my UML image such that although libc6,
 libc6-dev and locales all are 2.5.5-11.5 they appear as 2.3.1, this
 satisfies the dependencies and allows things to proceed - but it's
 clearly the wrong solution.

  So .. progress is happening and I have a couple more routes to
 explore:

1.  Telling libstdc++ that it can get by on an older libc
2.  Abandoning this approach and getting the SSP code running on
   gcc-2.95

  I have the packages I've built, but until I solve the libc problem
 they are not fit to be distributed.

  I'll keep updating the new pages:

http://www.shellcode.org/Cat/

Steve
--




Announce - SSP/ProPolice compiler for Woody

2003-12-16 Thread Steve Kemp


Hi,

  Following the interest in my recent post about rebuilding
 Debian from source using a patched compiler I thought I'd
 announce the availability of gcc-3.3 with the SSP patches.

  (SSP is the new name for the work formerly called ProPolice).

  The packages may be downloaded via the following source:


#
#  SSP / ProPolice GCC and supporting packages.
#
deb http://people.debian.org/~skx/apt ./
deb-src http://people.debian.org/~skx/apt ./


  and the work itself is described at the following URL:

http://shellcode.org/Cat/

  Any feedback welcome.


Steve
--




Re: Jörg Schilling is damage; the community should route around him

2004-10-10 Thread Steve Kemp
On Sat, Oct 09, 2004 at 01:18:50PM +0200, Jose Carlos Garcia Sogo wrote:
> On Sat, 09-10-2004 at 00:04 -0500, Branden Robinson wrote:

> > It's time to fork.  Let us work with the rest of the community to
> > standardize on a new set of tools based on the last free version of
> > cdrtools, thank Mr. Schilling for his valuable contributions, and leave him
> > be to pursue his interests in proprietary software without interference
> > or argument from us.  He appears to regard placing his work under the plain
> > vanilla GNU GPL that works for so many projects as an act that he cannot
> > perform in good conscience.  Let us stop placing him in that uncomfortable
> > position.
> 
>   I agree with you. And I guess that the "good" direction would be
> pushing libburn, which seems a bit stalled right now. Also, DVD[-R[W],
> +R[W]] support should be added to it. On top of that library, it would
> be easier to build command line and GUI oriented programs, which could
> drop at that moment cdrecord.

  I wrote about this only a few days ago in a brief piece which was
 included in planet.d.o.

  At the time I was directed very quickly towards libburn.  Using
 a library seems a lot saner than taking over any of the cdrecord 
 codebase.  If necessary a command line wrapper around the library
 could emulate the cdrecord command line options.

  I couldn't gain access to the libburn CVS repository, but I did
 download the .0.2 version and the test code worked for me.  I was
 able to burn an image using it fairly quickly, although I can't say
 how stable the code is generally.  (The API documentation was nice).

>   But what is needed there is people with time and access to different
> drives. Perhaps people behind dvd+rw-tools could be interested, and some
> company out there could sponsor this piece of software.

  I think a few individuals would be happy to host the code and work
 on it, but hardware testing really is the stumbling block - as is
 portability testing.

>   The problem with cdrecord is that it works, and though there are some
> glitches that people would like to see fixed, writing another different
> tool is only that: rewriting. And using the same language, i.e. there is
> no perl vs. python, perl vs. php, ...

  It does seem a little tedious reimplementing code which already 
 exists, and mostly works.  This either suggests:

  1) It isn't worth doing, and we just put up with the maintainer.
  2) It should be done in a better way (library based?)
  3) Forking a free-er/older version.

  Given the vehemence of Jörg towards SuSE and the other people 
 "illegally distributing inofficial versions (sic)" I strongly suggest
 option 3 is not a good idea - if nothing else it will lead to confusion
 amongst users.

  Perhaps having a Debian package of libburn would be a good starting
 point - then popular programs can be patched to work with it?

Steve
--





Re: Package idea, Debian-Firewall.

2004-10-13 Thread Steve Kemp
On Wed, Oct 13, 2004 at 06:13:36AM +0200, nicklas (smurfd) wrote:

> I have had a package idea, for a long time now. The idea was a
> package containing a "Flush-all" firewall script, adding this script to
> be run at bootup. Just for the simplicity. I tend to keep forgetting to
> add it myself.

  I think anybody who knows enough to create a firewall will not
 omit the flushing.

> the postinst file looks like : 
> 
> #!/bin/sh
> set -e
> if [ "$1" = "configure" ]; then
> ln -s /etc/init.d/debian-firewall /etc/rc0.d/S20debian-firewall
> ln -s /etc/init.d/debian-firewall /etc/rc1.d/S20debian-firewall
> ln -s /etc/init.d/debian-firewall /etc/rc2.d/S20debian-firewall

  No!

  Use update-rc.d, please.

  http://www.debian-administration.org/?article=28

> and the prerm file looks like : 
> 
> #!/bin/sh
> set -e
> if [ "$1" = "remove" ]; then
> rm /etc/rc0.d/S20debian-firewall
> rm /etc/rc1.d/S20debian-firewall

  Again update-rc.d should be used here.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit




setuid/setgid binaries contained in the Debian repository.

2002-11-25 Thread Steve Kemp

Hi,

  I was wondering if there was a definitive list of all the setuid/setgid
 binaries which may be installed from the Debian archives.

  (Such a list would be very useful in prioritizing any examination of
 source code).

  I've partially worked my way through the list of packages which are 
 mentioned via the lintian warnings for 'setuid-binary' and 'setgid-binary'
 which I found at:

http://lintian.debian.org/reports/Tsetuid-binary.html
  and   http://lintian.debian.org/reports/Tsetgid-binary.html

  After that is there any location I could look at, or if not would there
 be any interest in such a thing?

Steve
-- 
www.steve.org.uk
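  As an added example (not code from the original post, from lintian or from
 Debian's own tooling), the following script does the first half of the job the
 post asks about on a running system: it walks a tree for regular files with
 the setuid or setgid bit set and attributes each to the package that shipped
 it by reading dpkg's per-package file lists, /var/lib/dpkg/info/<package>.list
 (one installed path per line; the same data `dpkg -S` consults). The root and
 info directory are parameters, the pruned pseudo-filesystems and the small
 demo tree are assumptions, and a hit that no package owns is exactly the
 kind of binary an audit should look at first.

```python
#!/usr/bin/env python3
"""Enumerate setuid/setgid files and attribute each to its Debian package.

Added example, not code from the original post or from Debian's tooling.
The one real-world detail relied on is dpkg's layout: every installed
package has /var/lib/dpkg/info/<package>.list with one installed path per
line.  Roots, pruned paths and the demo tree below are assumptions.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

SETID_BITS = stat.S_ISUID | stat.S_ISGID
# Pseudo-filesystems are not worth walking on a real host (assumed list).
PRUNE = {"/proc", "/sys", "/dev", "/run"}


def find_setid_files(root: str) -> List[Tuple[str, int]]:
    """Return sorted (path, permission bits) for every regular file under
    root with the setuid or setgid bit set.  lstat is used so symlinks are
    not followed (a link to a privileged binary is not itself privileged)
    and directories, where setgid means group inheritance, are skipped."""
    hits: List[Tuple[str, int]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def load_dpkg_file_index(info_dir: str = "/var/lib/dpkg/info") -> Dict[str, str]:
    """Map each installed path to the package that shipped it, by reading
    every <package>.list file in info_dir."""
    index: Dict[str, str] = {}
    for entry in sorted(os.listdir(info_dir)):
        if not entry.endswith(".list"):
            continue
        package = entry[: -len(".list")]
        with open(os.path.join(info_dir, entry), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if line:
                    index[line] = package
    return index


def audit(root: str = "/", info_dir: str = "/var/lib/dpkg/info") -> List[Tuple[str, str, Optional[str]]]:
    """(path, octal mode, owning package or None).  None means a setuid or
    setgid binary that no package installed: the first thing to look at."""
    index = load_dpkg_file_index(info_dir)
    return [(path, f"{mode:04o}", index.get(path)) for path, mode in find_setid_files(root)]


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample input: a fake root with three 'binaries' and a
    fake dpkg info directory that only knows about one of them."""
    root = tempfile.mkdtemp(prefix="setid-root-")
    info = tempfile.mkdtemp(prefix="setid-info-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("wall", 0o2755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    with open(os.path.join(info, "passwd.list"), "w") as fh:
        fh.write(os.path.join(bindir, "passwd") + "\n")
    return root, info


if __name__ == "__main__":
    import sys
    root, info = sys.argv[1:3] if len(sys.argv) >= 3 else build_demo_tree()
    for path, mode, package in audit(root, info):
        print(f"{mode} {package or '(no package)':<20} {path}")
```

  Run with no arguments it audits the constructed tree; on a real host run it
 as root with `/` and `/var/lib/dpkg/info`, and treat the "(no package)" rows
 and any package whose mode differs from what its .list siblings suggest as
 the items to examine first.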




Re: md5 checksums

2003-04-21 Thread Steve Kemp
On Mon, Apr 21, 2003 at 09:05:58AM +0200, Javier Fernández-Sanguino Peña wrote:

> It doesn't tackle the issue of dpkg _not_ storing filesystem permissions. 
> This makes it not feasible to easily recover the system after a 'chmod -R
> go-rwx /' besides reinstalling all the packages (that's why I pointed to 
> #187019)

  One of the things the standalone checksecurity package was going to do
 was maintain a `database` of file modes, permissions, and their
 checksums.

  Sadly this hasn't happened yet, but if it does get split away from the
 cron package then I would be happy to implement all the required
 features.

Steve
---





Re: md5 checksums

2003-04-21 Thread Steve Kemp
On Mon, Apr 21, 2003 at 07:16:01PM +0200, Javier Fernández-Sanguino Peña wrote:

> That's what Tiger calls 'signatures'. It's pretty easy to do at the moment, 
> but I have not updated signatures for Debian for quite some time. If you 
> intend to keep a database you also have to consider that for every patch 
> (i.e. security update in a DSA) you need to regenerate it..

  I was thinking of several forms of this: to do it properly on a WORM,
 and a nightly cronjob that could highlight differences and changes
 throughout the preceding day.

> Well, we discussed about this but no-one stepped over to implement it. I 
> believe the cron package maintainer would be very grateful if someone 
> implemented a 'checksecurity' package which fixed all its current bugs 
> (#102186, #171980, #177120, #31902, #46779, #54376, #59809, #138484, 
> #154390, #163813, #176090) taking over its maintenance.

  I agreed to take over this checksecurity package, when the maintainer
 finds the time to split it out from cron.  There was some discussion
 about it recently upon debian-devel.

  I'll mail Steve Greenland about it tonight to see how it's going, or
 if I can help.

Steve
---
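  As an added example (not checksecurity, Tiger or tripwire code, and not
 part of the original messages), the following script implements the scheme
 sketched in the previous message and this one: a baseline of each file's
 permission bits, owner, group and content hash, saved to a file that on a
 real host would live on read-only media, and a compare step that a nightly
 cron job could run to report what was added, removed or changed, naming the
 attribute that changed so that a bare chmod is distinguishable from a
 replaced binary. The JSON layout, the walk root and the demo tree are
 assumptions.

```python
#!/usr/bin/env python3
"""Baseline and compare file modes, ownership and content hashes.

Added example, not the checksecurity, Tiger or tripwire code.  The JSON
baseline layout, the walk roots and the demo tree are assumptions.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Dict[str, object]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """One record per file under root, keyed by path relative to root:
    permission bits (setuid/setgid included), owner, group and a SHA-256 of
    the content.  Symlinks are recorded by target instead, so a redirected
    link shows up as a change as well."""
    db: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rec: Record = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISLNK(st.st_mode):
                rec["link"] = os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                rec["sha256"] = _sha256(path)
            else:
                continue  # sockets, fifos and devices are not tracked here
            db[os.path.relpath(path, root)] = rec
    return db


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Return (added, removed, changed).  changed maps a path to the names
    of the attributes that differ, so a bare chmod reports ['mode'] while a
    replaced binary whose mode was preserved reports ['sha256']."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, List[str]] = {}
    for path in set(old) & set(new):
        keys = set(old[path]) | set(new[path])
        diffs = sorted(k for k in keys if old[path].get(k) != new[path].get(k))
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def save(db: Dict[str, Record], path: str) -> str:
    """Write the baseline.  On a real host this belongs on read-only media:
    whoever can rewrite it can hide any change from the nightly run."""
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)
    return path


def load(path: str) -> Dict[str, Record]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Constructed sample run: baseline a tiny tree, apply the kinds of
    change a nightly job should flag, then compare against the saved file."""
    root = tempfile.mkdtemp(prefix="fim-root-")
    dbfile = os.path.join(tempfile.mkdtemp(prefix="fim-db-"), "baseline.json")

    def put(rel: str, data: bytes, mode: int = 0o644) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)  # after the write: a write by non-root clears setuid

    put("bin/login", b"login binary", 0o755)
    put("bin/passwd", b"passwd binary", 0o4755)
    put("etc/shadow", b"root:*:0:0:99999:7:::\n", 0o640)
    put("etc/stale", b"to be removed\n")
    save(snapshot(root), dbfile)

    os.chmod(os.path.join(root, "bin/login"), 0o4755)   # setuid bit added
    put("bin/passwd", b"replaced binary", 0o4755)        # content swapped, mode kept
    os.remove(os.path.join(root, "etc/stale"))
    put("etc/cron.d/extra", b"* * * * * root /tmp/x\n")  # new file appeared
    return compare(load(dbfile), snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    for path, attrs in sorted(changed.items()):
        print(f"changed: {path} ({', '.join(attrs)})")
```

  The demo run reports etc/cron.d/extra as added, etc/stale as removed, and
 bin/login changed in mode only while bin/passwd changed in content only;
 for a real deployment, point `snapshot` at the directories worth watching
 (/bin, /sbin, /usr, /etc, /lib) rather than at /, and regenerate the
 baseline after every security update, as the previous message notes.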




Re: md5 checksums

2003-04-21 Thread Steve Kemp
On Mon, Apr 21, 2003 at 07:50:11PM +0200, Javier Fernández-Sanguino Peña wrote:

> Missed that mail. I remember the discussion on what should checksecurity 
> include though. Please notice I have include many of the modules we wanted 
> in Tiger.

  It may have been a private mail; the way I remember it Steve was going
 to split up the package into two, and I would take the security one.
 
  I'll have a re-read of my mails to make sure that's right.
  
  I remember that you had a lot of good suggestions, and that the idea
 was to create a simplest system which would work well as part of the
 base install; not a fully integrated all singing all dancing system
 like Tiger, tripwire, etc.  (Although certainly incorporating aspects
 of these and other tools).

Steve
---




Re: Do we need policy changes?

2003-04-21 Thread Steve Kemp
On Mon, Apr 21, 2003 at 10:11:48PM +0200, Martin Schulze wrote:

> Maybe the maintainer just has no clue about how UTF should work in
> that particular application and can't do much about it other than wait
> until upstream has a clue and implements it.

  I'm in this position, I'm upstream and maintainer for one package
 which has had a bug filed against it (gnump3d #180523).

  I know that the correct solution is to use UTF, but I'm really not
 that sure how to go about it.  Patches or even pointers to decent 
 documentation would be wonderful.

Steve
---




Re: security in testing

2003-05-14 Thread Steve Kemp
On Wed, May 14, 2003 at 03:04:10PM +0300, Kalle Kivimaa wrote:

> Why not? Testing would be my personal choice for running a desktop (or
> laptop) Linux, were I not otherwise involved with Debian development.
> The only bad thing is the non-existent security (I could live with
> occasional critical bug but the level of critical bugs in unstable is
> too much to bear for most users). There are, however, some pre-plans
> afoot regarding that (more or less running the same process as with
> stable, of course with different people responsible).

  What kind of pre-planning is taking place?  The idea of security
 updates for testing?

  Every time this appears to have been raised it's usually shot down
 very quickly; unless I've missed something.

Steve
---
www.steve.org.uk




Re: security in testing

2003-05-14 Thread Steve Kemp
On Wed, May 14, 2003 at 02:20:51PM +0100, Colin Watson wrote:

> I haven't seen it be shot down. I've seen people saying "the
> infrastructure's there, it's just that nobody's actually doing the
> updates", though.

  Yes I've seen this mentioned previously also.  If it's a matter of
 finding people it should be obvious very quickly whether there are
 spare resources.

  I'm honestly not sure how much involvement would be necessary, I 
 guess unlike updates to stable there wouldn't be so many controls upon
 the testing archive, and uploads could be made directly without any
 real problem.

  If it just comes down to applying patches, and doing the rebuilds then
 it seems to be the kind of job a small team could manage; unless I'm
 missing something?

> However, I wasn't aware of any of the pre-plans Kalle refers to. I
> didn't think anyone had actually picked up this ball yet.

  Unless somebody steps forward just now I'll assume that the ball is
 still dropped ;)

Steve
-- 




Re: security in testing

2003-05-14 Thread Steve Kemp
On Wed, May 14, 2003 at 05:24:03PM +0300, Kalle Kivimaa wrote:

> "Pre-plans" in this case means that two people (one DD and one NM) have
> been talking about it "seriously." So, if you want to shoot the idea
> down, go ahead, no harm done :) And if someone else is thinking about
> picking up the ball, go ahead, the pre-planners are probably willing
> to join any other initiative as well.

  I certainly didn't intend to be part of any shoot-down, I was just
 wondering exactly what had been discussed, where it had been archived,
 and what exactly was involved in the proposal.

  If it's a matter of maintaining a proposed-updates-to-testing queue,
 and forcing uploads to that to go via a newly formed testing-security
 group then it doesn't seem like a lot of work to start picking 
 volunteers.

  The actual patching, testing, building and uploading will be an
 ongoing task though.  From my observer-only position it seems like
 the security team is usually stretched pretty thin, due to lack
 of members; and they have a pretty thankless task which is a shame
 because they do a great job.

  (I'm immune to this discussion on the whole; my boxes run stable
 at work and unstable at home).

Steve
---
www.steve.org.uk



