On Sat, 26 Apr 2025 at 21:54, Arnout Vandecappelle wrote:
> On 12/04/2025 10:07, Russell Coker wrote:
> > Here are the results of running valgrind with a debugging build of every
> > relevant package installed:
> >
> > ==241689== Invalid read of size 8
> > ==241689==at 0x53A92E: UnknownInlined
4) unstable; urgency=medium
.
* d/rules: skip valgrind test due to #1100805 (Closes: #1103370)
Regards,
--
Christian Göttsche
I am currently running the following hardening settings:
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelT
yright: refer to URL instead of postal address in GPL license
Regards,
--
Christian Göttsche
Changes since the last upload:
selint (1.5.1-3) unstable; urgency=medium
.
* d/patches: dump valgrind output on test failure
Regards,
--
Christian Göttsche
er changes)
Regards,
--
Christian Göttsche
> P.S. You may wish to disable DH_VERBOSE to save a little buildd time when
> doing
> releases.
Thanks again for taking a look.
DH_VERBOSE was disabled because I forgot to actually export it.
Also computing the PHP version only once in the latest mentors upload.
diff --git a/debian/rules b/deb
/bootstrap.min.css
/usr/share/rspamd/www/js/lib/bootstrap.bundle.min.js
/usr/share/rspamd/www/js/lib/jquery.min.js
/usr/share/rspamd/www/js/lib/require.min.js
Best regards,
Christian Göttsche
Control: tags -1 -moreinfo
> Test 3 (build twice): Information only
> ...
> E: Failed autobuilding of package
Thanks for your review Phil.
I somehow overlooked the build twice failure in the salsa pipeline.
Now fixed in the latest mentors upload via
https://salsa.debian.org/cgzones/snuffleupagus/
> Sponsored. Please provide me with your salsa user name so I can add you
> to the git members.
Thanks for sponsoring.
My salsa handle is "cgzones", see
https://salsa.debian.org/cgzones/libapache-mod-evasive.
Package: dhcpcd-base
Severity: important
Dear Maintainer,
when running dhcpcd with a custom allocator, such as hardened_malloc
or valgrind, it crashes with SIGSYS.
Backtrace on usage with hardened_malloc:
###
Program terminated with signal SIGSYS, Bad system call.
Download failed: Invalid
> With my very limited knowledge of selinux, I don't follow.
> Why it would need DAC_READ_SEARCH? If you can provide an example, it
> would be great.
postfix services like smtp, smtpd, postfix-master and tlsproxy need
access to `/var/spool/postfix/private/proxymap` and the parent
directory `/var/
the initial release:
snuffleupagus (0.11.0-1) unstable; urgency=medium
.
* Initial Release. (Closes: #894821)
Regards,
--
Christian Göttsche
control: owner -1 !
,
Christian Göttsche
Hi Federico,
are you still interested in packaging snuffleupagus, since you
declared ownership of #894821 four years ago?
Otherwise I'd like to work on this package, I also created a packaging
over at https://salsa.debian.org/cgzones/snuffleupagus.
Kind regards,
Christian Göttsche
Source: libselinux
Version: 3.8-4
Severity: important
Dear Maintainer,
upstream tagged a new release containing a performance regression fix,
affecting semodule.
Please consider packaging the new version 3.8.1.
Kind regards,
Christian Göttsche
. SELinux policies where the different postfix
processes run in different domains and by not granting
CAP_DAC_READ_SEARCH they now fall back and require CAP_DAC_OVERRIDE.
So please also permit CAP_DAC_READ_SEARCH in the service file.
Kind regards,
Christian Göttsche
drop patches applied upstream
* d/control: bump to std version 4.7.2 (no further changes)
Regards,
--
Christian Göttsche
control: severity -1 normal
Kindly ping
___
SELinux-devel mailing list
SELinux-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel
From: Christian Göttsche
capable() calls refer to enabled LSMs whether to permit or deny the
request. This is relevant in connection with SELinux, where a
capability check results in a policy decision and by default a denial
message on insufficient permission is issued.
It can lead to three
On Tue, 26 Nov 2024 at 12:36, Christian Göttsche
wrote:
>
> From: Christian Göttsche
>
> The function kunit_status_to_ok_not_ok() returns string literals, thus
> declare the return value as such.
>
> Reported by clang:
>
> ./include/kunit/test.h:143:10: warni
le, and drop version postfix
* d/evasive.conf: fix typo corrected also upstream (Closes: #833448)
* d/s/lintian-overrides: ignore long license line
* d/salsa-ci.yml: add basic CI configuration
Regards,
--
Christian Göttsche
control: retitle -1 ITA: libapache-mod-evasive -- evasive module to
minimize HTTP DoS or brute force attacks
I intend to adopt the package libapache-mod-evasive.
See packaging at https://salsa.debian.org/cgzones/libapache-mod-evasive
On Wed, 19 Feb 2025 at 14:12, Jeroen Ploemen wrote:
>
> Uploaded, thanks.
>
> A few minor things that didn't put enough weight on the scale to be a
> blocker for today's upload, but would be a good idea to fix as part
> of a future update:
> * control: weird line wrapping in the last paragraph of
able; urgency=medium
.
* New upstream version 2.13
.
* d/control: bump to std version 4.7.0 (no further changes)
* d/tests/control: drop default dependency
* d/patches: rebase
* d/copyright: bump years
* d/salsa-ci.yml: enable build_twice job
Regards,
--
Christian Göttsche
able; urgency=medium
.
* New upstream version 1.5.1
.
* d/copyright:
- drop comment line
- bump years
* d/control: drop outdated versioned dependency
* d/patches: drop patches applied upstream
* d/salsa-ci.yml: enable build_twice job
Regards,
--
Christian Göttsche
kB instead of KB in --si mode
- Fix supported range of uid/gid numbers
* d/copyright: bump years
Regards,
--
Christian Göttsche
Please take a look at the proposal over at
https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/11
d/control: bump std-version to 4.7.0 (no further changes)
* d/copyright: bump year
* d/patches: close verbatim environment in tex file (Closes: #1092959)
* d/salsa-ci.yml: enable build-twice job
* d/watch: adjust to GitHub API change
Regards,
--
Christian Göttsche
9)
.
* d/control:
- set myself as Maintainer (Closes: #1089284)
- bump to std version 4.7.0 (no further changes)
- switch from pkg-config to pkgconf
- add Vcs fields
* d/copyright: bump years and use https URL
* d/salsa-ci.yml: add standard salsa-ci configuration
Regards,
--
Christian Göttsche
NETAVARK_DEFAULT_FW=nftables at build
time.
Best regards,
Christian Göttsche
Dec 16, 2024 10:14:21 Matthew Vernon :
> Hi,
>
> On 16/12/2024 01:25, Antonio Russo wrote:
>> On 11/24/24 08:18, Antonio Russo wrote:
>>> Dear Maintainer,
>>>
>>> After upgrading to pcre2 10.44-4, I get errors like this:
>>>
>>> Regex version mismatch, expected: 10.44 2024-06-07 actual: 10.42 2022
(1.19 vs 1.21).
I intend to take ownership on no response around the 29th of December.
Thanks for your past work Eugene.
Best regards,
Christian Göttsche
default does
not change anything but adds a configuration setting
`zend.dlopen_deepbind` to support custom allocators.
Best regards,
Christian Göttsche
[1]: https://github.com/GrapheneOS/hardened_malloc/
[2]: https://github.com/php/php-src/issues/10670
[3]: https://github.com/php/php-src/pull
On Mon, 25 Nov 2024 at 12:31, Richard Weinberger wrote:
>
> - Original Message -
> > From: "Christian Göttsche"
> > capable() calls refer to enabled LSMs whether to permit or deny the
> > request. This is relevant in connection with SELinux, where a
Nov 25, 2024 17:17:19 Casey Schaufler :
> On 11/25/2024 3:38 AM, Christian Göttsche wrote:
>> Hi,
>>
>> I noticed that the `prop` parameter of `ima_match_rules()` is
>> currently unused (due to shadowing).
>> Is that by design or a mishap of the recent rework?
Hi,
I noticed that the `prop` parameter of `ima_match_rules()` is
currently unused (due to shadowing).
Is that by design or a mishap of the recent rework?
Related commits:
37f670a ("lsm: use lsm_prop in security_current_getsecid")
870b7fd ("lsm: use lsm_prop in security_audit_rule_match")
07f9d2
From: Christian Göttsche
The name member of the struct trace_event_call is assigned with
generated string literals; declare them pointer to read-only.
Reported by clang:
security/landlock/syscalls.c:179:1: warning: initializing 'char *' with an
expression of type 'const cha
From: Christian Göttsche
The function kunit_status_to_ok_not_ok() returns string literals, thus
declare the return value as such.
Reported by clang:
./include/kunit/test.h:143:10: warning: returning 'const char[3]' from a
function with result type 'char *'
C0
[...]
```
Many thanks for working on this tool!
Best regards,
Christian Göttsche
[1]: https://salsa.debian.org/systemd-team/systemd-netlogd
-- System Information:
Versions of packages licenserecon depends on:
ii dpkg-dev 1.22.11
ii libc6 2.40-3
ii licensecheck 3.3.
copyright: bump year
* d/patches: ignore failure on nonexistent utmp (Closes: #1085482)
* d/tests: skip tests if utmp file does not exist
Regards,
--
Christian Göttsche
On Sat, 26 Oct 2024 at 17:18, Luca Boccassi wrote:
>
> On Sat, 26 Oct 2024 at 16:14, Christian Göttsche
> wrote:
> >
> > On Fri, 25 Oct 2024 at 18:49, Luca Boccassi wrote:
> > >
> > > On Fri, 25 Oct 2024 at 17:27, Christian Göttsche
> > >
On Fri, 25 Oct 2024 at 18:49, Luca Boccassi wrote:
>
> On Fri, 25 Oct 2024 at 17:27, Christian Göttsche
> wrote:
> >
> > Package: wnpp
> > X-Debbugs-Cc: debian-de...@lists.debian.org,
> > pkg-systemd-maintain...@lists.alioth.debian.org
> > Owner: Chr
Package: wnpp
X-Debbugs-Cc: debian-de...@lists.debian.org,
pkg-systemd-maintain...@lists.alioth.debian.org
Owner: Christian Göttsche
Severity: wishlist
* Package name: systemd-netlogd
Version : 1.4.2
Upstream Contact: Susant Sahani
* URL : https://github.com/systemd
Package: wnpp
X-Debbugs-Cc: debian-devel@lists.debian.org,
pkg-systemd-maintain...@lists.alioth.debian.org
Owner: Christian Göttsche
Severity: wishlist
* Package name: systemd-netlogd
Version : 1.4.2
Upstream Contact: Susant Sahani
* URL : https://github.com/systemd
Package: gdu
Version: 5.25.0-1+b3
Severity: wishlist
Dear Maintainer,
please consider packaging version 5.29.0 with one year worth of work,
e.g. a no-delete and a non-unicode mode.
Regards,
Christian Göttsche
't know if
firewalld uses some src:dbus specific internals, so whether such a
change would need some code changes or just a debian/control tweak.
Regards,
Christian Göttsche
___
Pkg-utopia-maintainers mailing list
Pkg-utopia-maintainers@a
in version 3.7 for systems with SELinux
disabled:
https://github.com/SELinuxProject/selinux/commit/f398662ea19d2cf6db6cb791e3b787889e5af883
Thanks,
Christian Göttsche
p.s.:
For the packaging of checkpolicy please cherry-pick
https://github.com/SELinuxProject
Control: tags -1 - moreinfo
On Sun, 14 Jul 2024 at 00:36, Phil Wyett wrote:
>
> Control: tags -1 + moreinfo
>
> Christian,
>
> Updated full review with all tests.
Many thanks for your review.
> Preamble...
>
> Thank you for taking the time to create this package and your contribution to
> the D
On Sat, 6 Jul 2024 at 21:33, Pierre Gruet wrote:
>
> Hello Christian,
>
> On Wed, 03 Jul 2024 17:04:44 +0100 Phil Wyett
> wrote:
> > Hi Christian,
> >
> > Preamble...
> >
> > Thanks for taking time to create this package and your contribution
> to Debian.
> >
> > The below review is for as
Support-CIDR-address-notation-in-nodecon-statement:
Support new CIDR nodecon syntax
Regards,
--
Christian Göttsche
control: reopen -1
> Hmm... there seems to be a build issue on 32bit.
Fixed (together with a reproducibility issue) in the latest mentors upload.
control: tags -1 unreproducible
> Building logrotate twice with pbuilder (part of reproducible builds) e.g.
> 'sudo
> pbuilder build --twice logrotate_-.dsc' results in a
> stray process at the end of the second build that requires manual intervention
> (hitting 'q' key) to exit and complete the
logrotate (3.22.0-1) unstable; urgency=medium
.
* New upstream version 3.22.0
.
* d/tests/control: drop redundant Depends
* d/control: bump to std version 4.7.0 (no further changes)
* d/upstream/signing-key.asc: add key for new release
Regards,
--
Christian Göttsche
From: Christian Göttsche
Add the four syscalls setxattrat(), getxattrat(), listxattrat() and
removexattrat(). Those can be used to operate on extended attributes,
especially security related ones, either relative to a pinned directory
or on a file descriptor without read access, avoiding a
for a
salsa merge request.
Regards,
Christian Göttsche
diff --git a/debian/initramfs-tools/lvm2/hooks/lvm2
b/debian/initramfs-tools/lvm2/hooks/lvm2
index b28901a01..46a01b615 100755
--- a/debian/initramfs-tools/lvm2/hooks/lvm2
+++ b/debian/initramfs-tools/lvm2/hooks/lvm2
@@ -16,7 +16,7
Kindly ping.
Anything missing or unclear?
Regards,
Christian Göttsche
On Tue, 2 Apr 2024 at 02:30, Colin Watson wrote:
>
> [I've CCed openssh-unix-dev for awareness, but set Mail-Followup-To to
> just debian-devel and debian-ssh to avoid potentially spamming them with
> a long discussion. If you choose to override this then that's your
> call, but please be mindful