Re: Bug#797654: ITP: s3backer -- Amazon AWS S3-backed virtual hard disk device

September 1 2015 5:27 PM, "Nikolaus Rath" wrote: > Why compare it with something that has been unmaintained for years and is > not even in Debian? (Leaving alone the fact that there are at least 3 > projects calling themselves s3fs, but AFAIK they're all in similar > states). > > Contrasting it w

Re: Security concerns with minified javascript code

On Tue, Sep 01, 2015 at 06:05:09PM -0700, Russ Allbery wrote: > Healthy language communities have their own metadata systems and > standardized build systems that allow Debian packaging to be nearly > automated, *provided* that we use the same unit of distribution as > upstream. If we want to make

Re: Security concerns with minified javascript code

On Sep 01 2015, Josh Triplett wrote: > Nikolaus Rath wrote: >> I don't think 28 kB vs 73 kB is a difference that people will notice >> over the network in *most* situations. Even at just 100 kB/s that's >> 0.28 vs 0.73 seconds, and only when the page is first loaded. > > That's absolutely a critic

Re: Security concerns with minified javascript code

Josh Triplett writes: > That said, we absolutely do need to fix this in Debian: it's not OK to > build packages in main using tools not shipped in Debian, or to ship > precompiled files. As a start, it would help if when JavaScript folks > try to package the packages needed as part of their tool

Re: Security concerns with minified javascript code

Nikolaus Rath wrote: > I don't think 28 kB vs 73 kB is a difference that people will notice > over the network in *most* situations. Even at just 100 kB/s that's > 0.28 vs 0.73 seconds, and only when the page is first loaded. That's absolutely a critical difference, even on a faster connection. Mu

Bug#797720: ITP: python-ly -- Tool and Python library for manipulating LilyPond files

Package: wnpp Severity: wishlist Owner: Anthony Fok * Package name: python-ly Version : 0.9.2 Upstream Author : Wilbert Berendsen * URL : https://pypi.python.org/pypi/python-ly * License : GPL-2+ Programming Lang: Python Description : Tool and Python l

Bug#797713: ITP: python-stetl -- Streaming ETL - geospatial ETL framework for Python

Package: wnpp Severity: wishlist Owner: Bas Couwenberg * Package name: python-stetl Version : 1.0.8 Upstream Author : Just van den Broecke * URL : http://stetl.org/ * License : GPL-3+ Programming Lang: Python Description : Streaming ETL - geospatial ET

Re: Security concerns with minified javascript code

On Tue, 01 Sep 2015, Vincent Bernat wrote: > 1. Upstream may not ship this source but only the minified version > because the JS code is just a dependency and some upstream are used > to just ship the minified source. We can recover the original code > from another source but there is a risk th

Re: Security concerns with minified javascript code

❦ 1 septembre 2015 21:10 +0200, Didier 'OdyX' Raboud  : > I think we should take a strong move there and exercise (as well as > justify to the outer world) our free software right to recompile the > software that we ship to our users: this could mean to only merge & gzip > JS files if minifyi

Re: Polkit: prompt for root password

Am 01.09.2015 um 21:13 schrieb Jayson Willson: > Ehmm... I do not know. Probably, what I have done is not correct. As I > understand, if my user is NOT in sudo group, then su prompts for root > password (just as always), and polkit will also prompt for root > password, instead of my user's. Correc

Re: Polkit: prompt for root password

Ehmm... I do not know. Probably, what I have done is not correct. As I understand, if my user is NOT in sudo group, then su prompts for root password (just as always), and polkit will also prompt for root password, instead of my user's. However, sudo seems to be more flexible, and though I do no

Re: Security concerns with minified javascript code

Le mardi, 1 septembre 2015, 17.50:26 Vincent Bernat a écrit : > ❦ 1 septembre 2015 08:21 -0700, Nikolaus Rath : > >>> Couldn't we just use the non-minified versions in most situations? > >>> A > >> > >> Not for anything which has actual users over the network. > > > > Why? (Don't forget about

Re: Polkit: prompt for root password

Am 01.09.2015 um 20:54 schrieb Jayson Willson: > It seems to me, that such approach will increase security. If "sudo" and > "policykit" prompt for user password, then even if some other man knows > my user password, he can administer system, as he can both log into the > system and user sudo/polkit

Re: Security concerns with minified javascript code

❦ 1 septembre 2015 13:45 -0500, Gunnar Wolf  : >> uglifyjs is a KISS tool to minify. Unfortunately, many projects do not >> require only minification. They require transpiling (convert from ES6 to >> ES5 or from CoffeeScript/Typescript/... to vanilla JS) and dependency >> handling (through loade

Re: Polkit: prompt for root password

It seems to me, that such approach will increase security. If "sudo" and "policykit" prompt for user password, then even if some other man knows my user password, he can administer system, as he can both log into the system and user sudo/polkit, but if root password is required for using sudo/p

Re: Security concerns with minified javascript code

Vincent Bernat dijo [Fri, Aug 28, 2015 at 10:48:28AM +0200]: > >> What will happen is that maintainers will fallback to the second less > >> horrible solution and cripple the package (by using an older version of > >> the JS lib for example) to allow it to stay in main. > > > > Why would they want

Re: Security concerns with minified javascript code

Vincent Bernat dijo [Fri, Aug 28, 2015 at 11:54:43AM +0200]: > > I still find it hard to believe that *so* much code is required to > > minify JS. The excuse that JS is "moving fast" is nonsense. The reality > > would appear to be that nobody actually *cares* about the mess, they > > just use it. >

Re: Polkit: prompt for root password

Am 01.09.2015 um 20:29 schrieb Jayson Willson: > Thank you for your advice, I have found the way: > Comment out file > /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf, which overrides > /etc/polkit-1/localauthority.conf.d/50-localauthority.conf and makes > polkit consider members of "sudo"

Re: Polkit: prompt for root password

Thank you for your advice, I have found the way: Comment out file /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf, which overrides /etc/polkit-1/localauthority.conf.d/50-localauthority.conf and makes polkit consider members of "sudo" groups as administrators. Yours sincerely, Jayson W

Re: Security concerns with minified javascript code

On Tue, Sep 01, 2015 at 04:42:15PM +0200, Helmut Grohne wrote: > On Tue, Sep 01, 2015 at 08:15:19AM +0200, Guido Günther wrote: > > Couldn't we just use the non-minified versions in most situations? A > > heavily loaded wordpress site might not be good example but e.g. doxygen > > documentation pro

Bug#797704: ITP: pyhton-rows -- Python library for interface to tabular data, no matter the format

Package: wnpp Severity: wishlist Owner: Paulo Roberto Alves de Oliveira (aka kretcheu) * Package name: pyhton-rows Version : 0.1.0 Upstream Author : Álvaro Justen * URL : https://github.com/turicas/rows * License : GPL-3 Programming Lang: Python Descriptio

Re: system upgrade by systemd

Raphael Hertzog dijo [Wed, Aug 26, 2015 at 02:41:59PM +0200]: > > Please tell me which package is the one misbehaving and I gladly report it. > > But so far I have yet to figure that our. > > Are you sure that you did not shutdown your computer from GNOME and did > not pay attention to the new che

Re: Polkit: prompt for root password

2015-09-01 19:49 GMT+02:00 Jayson Willson : > I have also tried creating > /usr/share/polkit-1/rules.d/49-rootpw_global.rules with the same contents, > [...] The problem with that is simply that the PolicyKit in Debian Unstable/Testing/Stable does not read the JavaScript rules files. Only the ve

Bug#797702: ITP: grafana -- feature rich metrics dashboard and graph editor

Package: wnpp Severity: wishlist X-Debbugs-CC: debian-devel@lists.debian.org pkg-go-maintain...@lists.alioth.debian.org Owner: Dmitry Smirnov Package name: grafana Version: 2.1.3 License: Apache-2.0 Programming Lang: Go, JavaScript URL: http://grafana.org

Bug#797701: ITP: grafana-zabbix -- Zabbix datasource for Grafana dashboard

Package: wnpp Severity: wishlist X-Debbugs-CC: debian-devel@lists.debian.org Owner: Dmitry Smirnov Package name: grafana-zabbix Version: 2.0.1 Upstream Author : Alexander Zobnin License: Apache-2.0 Programming Lang: JavaScript URL: https://github.com/alexanderz

Re: Security concerns with minified javascript code

On Sep 01, Nikolaus Rath wrote: > I don't think 28 kB vs 73 kB is a difference that people will notice > over the network in *most* situations. Even at just 100 kB/s that's > 0.28 vs 0.73 seconds, and only when the page is first loaded. Yes, this is a non trivial difference when loading a web pag

Re: Polkit: prompt for root password

I have also tried creating /usr/share/polkit-1/rules.d/49-rootpw_global.rules with the same contents, as it seems like some other rules reside there. Still no result Yours sincerely, Jayson Willson 31.08.2015 13:49, Jayson Willson пишет: Hello everybody! I would like Polkit to prompt for _roo

Re: Security concerns with minified javascript code

* Raphael Hertzog [150901 12:57]: > Because we have alternative "compilers" (aka minifier) available to > recreate another minified file thas should work just as well. No. Debian does not allow you to ship a compiled C program that was compiled elsewhere; the maintainer or a buildd is responsibl

Re: Security concerns with minified javascript code

Hi, On Mon, 31 Aug 2015, Bas Wijnen wrote: > > I certainly do not want to move wordpress or publican to contrib because > > some of the javascript libraries that it uses can't be rebuilt from main. > > In that case, my question applies to you as well: why do you care for it to be > in main, if yo

Re: Security concerns with minified javascript code

On Sep 01 2015, Vincent Bernat wrote: > ❦ 1 septembre 2015 08:21 -0700, Nikolaus Rath  : > Couldn't we just use the non-minified versions in most situations? A >>> >>> Not for anything which has actual users over the network. >> >> Why? (Don't forget about gzip encoding). > > See: > https:

Bug#797692: ITP: aiocoap -- Python implementation of CoAP

Package: wnpp Severity: wishlist X-Debbugs-CC: debian-devel@lists.debian.org, debian-pyt...@lists.debian.org Package name: aiocoap Version: 0.1 Upstream Author: Maciej Wasilak , Christian Amsüss URL: https://github.com/chrysn/aiocoap

Re: Security concerns with minified javascript code

> On Mon, Aug 31, 2015 at 11:21:55AM -0400, Marvin Renich wrote: > > * Bas Wijnen [150830 07:53]: > > > On Sun, Aug 30, 2015 at 10:14:13AM +0200, Vincent Bernat wrote: > > > > Is that the preferred form of modification? It depends, but from the > > > > jQuery author point of view, it isn't: > > >

Re: Security concerns with minified javascript code

❦ 1 septembre 2015 08:21 -0700, Nikolaus Rath  : >>> Couldn't we just use the non-minified versions in most situations? A >> >> Not for anything which has actual users over the network. > > Why? (Don't forget about gzip encoding). See: https://mathiasbynens.be/demo/jquery-size -- Don't sacrif

Re: Security concerns with minified javascript code

On Sep 01 2015, Helmut Grohne wrote: > On Tue, Sep 01, 2015 at 08:15:19AM +0200, Guido Günther wrote: >> Couldn't we just use the non-minified versions in most situations? A >> heavily loaded wordpress site might not be good example but e.g. doxygen >> documentation probably doesn't suffer much fr

Re: Bug#797654: ITP: s3backer -- Amazon AWS S3-backed virtual hard disk device

On Sep 01 2015, Lennart Weller wrote: > Package: wnpp > Severity: wishlist > Owner: Lennart Weller > > * Package name: s3backer > Version : 1.4.1 > Upstream Author : Archie L. Cobbs > * URL : https://www.github.com/archiecobbs/s3backer > * License : GPL, OpenS

Re: Security concerns with minified javascript code

On Sep 01 2015, m...@linux.it (Marco d'Itri) wrote: > On Sep 01, Guido Günther wrote: > >> Couldn't we just use the non-minified versions in most situations? A > > Not for anything which has actual users over the network. Why? (Don't forget about gzip encoding). Best, -Nikolaus -- GPG encrypt

Re: Security concerns with minified javascript code

On Tue, Sep 01, 2015 at 08:15:19AM +0200, Guido Günther wrote: > Couldn't we just use the non-minified versions in most situations? A > heavily loaded wordpress site might not be good example but e.g. doxygen > documentation probably doesn't suffer much from non minified JS. I fail to see what pro

Bug#797676: ITP: python-kineticstools -- detecting DNA modifications from single molecule, real-time sequencing data

Package: wnpp Severity: wishlist Owner: Debian Med Packaging Team Control: block 787977 by -1 * Package name: python-kineticstools Version : 0.5.1 Upstream Author : Pacific Biosciences * URL : https://github.com/PacificBiosciences/kineticsTools * License : BSD

Bug#797675: ITP: python-pbalign -- maps Pacific Biosciences reads to reference sequences

Package: wnpp Severity: wishlist Owner: Debian Med Packaging Team Control: block 787977 by -1 * Package name: python-pbalign Version : 0.2.0 Upstream Author : Pacific Biosciences * URL : https://github.com/PacificBiosciences/pbalign * License : BSD Programmi

Re: Security concerns with minified javascript code

❦ 31 août 2015 11:21 -0400, Marvin Renich  : >> > However, this is a readable source code that will accomodate any >> > modification that a end user will deem necessary. > > I intentionally did not look at the file referred to above, and have no > idea whether I would consider it to be a "preferr

Bug#797658: ITP: blends-images -- Pure Blends Live System Image Components

Package: wnpp Severity: wishlist Owner: "Iain R. Learmonth" * Package name: blends-images Version : 0.1 Upstream Author : Debian Blends Team * URL : http://anonscm.debian.org/cgit/blends/blends-images.git/ * License : GPL-3+ Programming Lang: live-build conf

Re: Security concerns with minified javascript code

On Sep 01, Guido Günther wrote: > Couldn't we just use the non-minified versions in most situations? A Not for anything which has actual users over the network. > heavily loaded wordpress site might not be good example but e.g. doxygen > documentation probably doesn't suffer much from non minifi

Bug#797654: ITP: s3backer -- Amazon AWS S3-backed virtual hard disk device

Package: wnpp Severity: wishlist Owner: Lennart Weller * Package name: s3backer Version : 1.4.1 Upstream Author : Archie L. Cobbs * URL : https://www.github.com/archiecobbs/s3backer * License : GPL, OpenSSL Programming Lang: C Description : Amazon AWS

Re: How to read mail addressed to "root" from "root" user?

(this isn't about Debian development anymore. I've added a Cc to debian-user; if you have any follow-up questions, please drop the -devel Cc). On Mon, Aug 31, 2015 at 08:44:04PM +0300, Jayson Willson wrote: > Thank you very much for your answer! > Could you please tell me, why is it recommended to

Overriding/Masking system generators (Re: system upgrade by systemd)

Hi Dimitri Am 01.09.2015 um 05:57 schrieb Dimitri John Ledkov: > boot, whilst executing itself. And no upstream mechanisms are provided > to disable particular generators. > This is outdated/incorrect knowledge. systemd generators nowadays support being overwritten just like normal unit files.