Re: Switch on compiler hardening defaults

2009-10-26 Thread Romain Francoise
Kees Cook writes: > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases), > and many of the issues have already been fixed in packages that needed > adjustment[3]. After all this time, use of the hard

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Eugene V. Lyubimkin
Guillem Jover wrote: > What'd be the point of doing that? For example, simplicity. > The maintainer scripts have to be > called anyway for those cases, and the fact that no one uses them now or > in Debian, does not mean there's no use for this information in the > future or in other places. I al

Re: Bug#545691: diverting telinit

2009-10-26 Thread Michael Biebl
Manoj Srivastava wrote: > if [ "$(stat -c %d/%i /)" = "$(stat -Lc %d/%i /proc/1/root 2>/dev/null)" > ]; then It was brought to my attention [1], that apparently this check does not work on GNU/Hurd as it does not provide /proc/$PID/root Cheers, Michael [1] http://bugs.debian.org/cgi-bin/bu

Re: Switch on compiler hardening defaults

2009-10-26 Thread Michael Tautschnig
> On Monday 26 October 2009 09:22:26 Marco d'Itri wrote: > > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > > > uses[2]. > > > > Seconded. > > Thirded. > +1. Thanks for bringing this up, Michael

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Fri, Oct 23, 2009 at 12:43:18PM -0500, Manoj Srivastava wrote: > I created an elaborate test case to see if we are in a chroot, if > not if /proc/1 is actually /sbin/init, and that telinit exists (example > below). Why are they not able to ignore the errors from telinit? All checked pa

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Mon, Oct 26, 2009 at 10:40:56AM +0100, Bastian Blank wrote: > On Fri, Oct 23, 2009 at 12:43:18PM -0500, Manoj Srivastava wrote: > > I created an elaborate test case to see if we are in a chroot, if > > not if /proc/1 is actually /sbin/init, and that telinit exists (example > > below). >

Re: Switch on compiler hardening defaults

2009-10-26 Thread Bastian Blank
On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > uses[2]. How do they work? Do they also change the free-standing compiler or only the hosted one? There is a lot of software, which (I would say) misuse the hos

Re: Switch on compiler hardening defaults

2009-10-26 Thread Gabor Gombas
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > > uses[2]. > > How do they work? Do they also change the free-standing compiler or only > the

Re: Bug#545691: diverting telinit

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Michael Biebl wrote: > Manoj Srivastava wrote: >> if [ "$(stat -c %d/%i /)" = "$(stat -Lc %d/%i /proc/1/root >> 2>/dev/null)" ]; then > > It was brought to my attention [1], that apparently this check does > not work on GNU/Hurd as it does not provide /proc/$PID/root >

Re: Bug#545691: diverting telinit

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Bastian Blank wrote: > On Mon, Oct 26, 2009 at 10:40:56AM +0100, Bastian Blank wrote: >> On Fri, Oct 23, 2009 at 12:43:18PM -0500, Manoj Srivastava wrote: >> > I created an elaborate test case to see if we are in a chroot, if >> > not if /proc/1 is actually /sbin/init,

Re: Bug#545691: diverting telinit

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Bastian Blank wrote: > On Fri, Oct 23, 2009 at 12:43:18PM -0500, Manoj Srivastava wrote: >> I created an elaborate test case to see if we are in a chroot, if >> not if /proc/1 is actually /sbin/init, and that telinit exists (example >> below). > > Why are they not abl

Re: Switch on compiler hardening defaults

2009-10-26 Thread Florian Weimer
* Kees Cook: > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > uses[2]. Seems a good idea to me. But I think we should defer the required full archive rebuild until we've got the hardening patch for operator new[] (which currently can return a heap block which is smal

Re: Packages relying on HOME when building

2009-10-26 Thread Josselin Mouette
On Monday 26 October 2009 at 01:17 +0100, Norbert Preining wrote: > I would suggest on the contrary that HOME *will* be set by all scripts > to a newly created empty directory. I’d rather suggest that it will be set to a non-existent directory. If possible, one that cannot be created with the pe

Re: usplash-theme-debian uploaded to sid

2009-10-26 Thread Holger Levsen
Hi, On Saturday, 24 October 2009, Frank Lin PIAT wrote: > SVG are extremely convenient, because it is possible to automatically > generate XPM/PNG bitmaps of various size (!) sure, but the result is not always the best or even good. still, it might be the way to go. > The next problem is to add

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Eugene V. Lyubimkin wrote: > Guillem Jover wrote: > >> What'd be the point of doing that? > For example, simplicity. Simplicity of the policy? Is it really that onerous? Most people just let the helper packages create the maintainer scripts, or just program by example

Re: Packages relying on HOME when building

2009-10-26 Thread Sune Vuorela
On 2009-10-26, Josselin Mouette wrote: > On Monday 26 October 2009 at 01:17 +0100, Norbert Preining wrote: >> I would suggest on the contrary that HOME *will* b

Re: usplash-theme-debian uploaded to sid

2009-10-26 Thread Holger Levsen
Hi Raphael, thanks for your comments! On Sunday, 25 October 2009, Raphael Geissert wrote: > First of all thanks for your work. > Second, while working on optimising the boot process I have found usplash > and splashy (basically any userspace splash screen) to have a high CPU > usage and actuall

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Eugene V. Lyubimkin
Manoj Srivastava wrote: > Simplicity of the policy? Is it really that onerous? Most people > just let the helper packages create the maintainer scripts, or just > program by example. Yes, simplicity of the policy. From what I saw, no one helper package in sid has some business with 'in-fav

Re: perl and perl-modules; reflexive dependencies vs. archive bloat

2009-10-26 Thread Niko Tyni
On Sun, Oct 25, 2009 at 05:52:46PM -0700, Don Armstrong wrote: > On Sun, 25 Oct 2009, Peter Samuelson wrote: > > [Don Armstrong] > > > I actually suggested that perl-modules recommend perl, but that was > > > rejected for the reason that perl-modules doesn't do anything useful > > > without perl. >

Re: Packages relying on HOME when building

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Sune Vuorela wrote: > On 2009-10-26, Josselin Mouette wrote: >> On Monday 26 October 2009 at 01:17 +0100, Norbert Preining wrote: >>

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Eugene V. Lyubimkin wrote: > Manoj Srivastava wrote: >> Simplicity of the policy? Is it really that onerous? Most people >> just let the helper packages create the maintainer scripts, or just >> program by example. > Yes, simplicity of the policy. > > From what I saw, n

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Mon, Oct 26, 2009 at 07:21:31AM -0500, Manoj Srivastava wrote: > On Mon, Oct 26 2009, Bastian Blank wrote: > > Why are they not able to ignore the errors from telinit? All checked > > packages use this to ask init to reexecute itself and free old library > > references. Nothing in this is criti

Re: Switch on compiler hardening defaults

2009-10-26 Thread Kees Cook
Hi, On Mon, Oct 26, 2009 at 01:36:28PM +0100, Florian Weimer wrote: > * Kees Cook: > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu > > uses[2]. > > Seems a good idea to me. But I think we should defer the required > full archive rebuild until we've got the hardening

Re: Bug#545691: diverting telinit

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Bastian Blank wrote: > On Mon, Oct 26, 2009 at 07:21:31AM -0500, Manoj Srivastava wrote: >> On Mon, Oct 26 2009, Bastian Blank wrote: >> > Why are they not able to ignore the errors from telinit? All checked >> > packages use this to ask init to reexecute itself and free old

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Eugene V. Lyubimkin
Manoj Srivastava wrote: > >> But some of people-written snippets have, often doing it wrong. > > Can you point to some examples? Have you filed bug reports? I filed #552389, a good example (IMO) of confusion due to complexity. There are plenty of packages that do checks of parameters that

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bill Allombert
On Mon, Oct 26, 2009 at 07:23:12AM -0500, Manoj Srivastava wrote: > On Mon, Oct 26 2009, Bastian Blank wrote: > > > On Mon, Oct 26, 2009 at 10:40:56AM +0100, Bastian Blank wrote: > >> On Fri, Oct 23, 2009 at 12:43:18PM -0500, Manoj Srivastava wrote: > >> > I created an elaborate test case t

Bug#552476: ITP: libgraphics-gnuplotif-perl -- A dynamic Perl interface to gnuplot

2009-10-26 Thread Carlo Segre
Package: wnpp Severity: wishlist Owner: Carlo Segre * Package name: libgraphics-gnuplotif-perl Version : 1.5 Upstream Author : Dr.-Ing. Fritz Mehner * URL : http://search.cpan.org/dist/Graphics-GnuplotIF/ * License : Artistic | GPL-1+ Programming Lang: Perl

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Mon, Oct 26, 2009 at 11:22:35AM -0500, Manoj Srivastava wrote: > On Mon, Oct 26 2009, Bastian Blank wrote: > > > On Mon, Oct 26, 2009 at 07:21:31AM -0500, Manoj Srivastava wrote: > >> On Mon, Oct 26 2009, Bastian Blank wrote: > >> > Why are they not able to ignore the errors from telinit? All c

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Mon, Oct 26, 2009 at 07:23:12AM -0500, Manoj Srivastava wrote: > On Mon, Oct 26 2009, Bastian Blank wrote: > > Oh, and this could be made even easier by defining file-based triggers > > in the package providing init instead of doing it in all the > > dependencies. > In which case it defi

Re: unused parameters passed to maintainer scripts

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Eugene V. Lyubimkin wrote: > Manoj Srivastava wrote: >> >>> But some of people-written snippets have, often doing it wrong. >> >> Can you point to some examples? Have you filed bug reports? > I filed #552389, a good example (IMO) of confusion due to complexity. There

Re: Bug#545691: diverting telinit

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Bastian Blank wrote: > Policy is not coupled with init or the libs. This is a problem between > the kernel and the policy tools. This is not totally true: init loads the initial policy, and that means that linking with new versions of selinux libs makes a difference

Re: Build logs from local builds

2009-10-26 Thread Adam Majer
On Wed, Oct 21, 2009 at 01:27:05PM +0200, Samuel Thibault wrote: > I confirm that usually not having the i386 or amd64 log is often a > problem. > > One idea that was floating around was to have buildd always recompile > the package, even on archs the uploader has provided a binary version > for,

Re: Bug#545691: diverting telinit

2009-10-26 Thread Bastian Blank
On Mon, Oct 26, 2009 at 01:28:33PM -0500, Manoj Srivastava wrote: > On Mon, Oct 26 2009, Bastian Blank wrote: > > Policy is not coupled with init or the libs. This is a problem between > > the kernel and the policy tools. > This is not totally true: init loads the initial policy, and > tha

Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-26 Thread Adam Majer
On Sun, Oct 18, 2009 at 08:43:35PM -0400, Michael S Gilbert wrote: > Here are the affected source packages: > - rails (embed) ~$ apt-file list rails | grep prototype.js rails: /usr/share/rails/actionpack/test/fixtures/public/javascripts/prototype.js rails: /usr/share/rails/railties/html/j

Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-26 Thread Michael Gilbert
On Mon, 26 Oct 2009 14:04:06 -0500, Adam Majer wrote: > On Sun, Oct 18, 2009 at 08:43:35PM -0400, Michael S Gilbert wrote: > > Here are the affected source packages: > > - rails (embed) > > ~$ apt-file list rails | grep prototype.js > rails: > /usr/share/rails/actionpack/test/fixtures/pub

Hello; With all my regards

2009-10-26 Thread Jean-Pierre
I have a new email address! You can now email me at: roberto.com...@btinternet.com - Hello! Please excuse this intrusion, which may seem surprising at first sight, all the more so because there is no relationship between us. I would like to propose a business deal to you

Re: Build logs from local builds

2009-10-26 Thread Manoj Srivastava
On Mon, Oct 26 2009, Adam Majer wrote: > On Wed, Oct 21, 2009 at 01:27:05PM +0200, Samuel Thibault wrote: >> I confirm that usually not having the i386 or amd64 log is often a >> problem. >> >> One idea that was floating around was to have buildd always recompile >> the package, even on archs the

Re: Build logs from local builds

2009-10-26 Thread Sune Vuorela
On 2009-10-26, Adam Majer wrote: > People are lazy and like myself don't want to sync pbuilder and > related stuff every time I want to upload something. Since my box is heard of cron? /Sune -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Tro

Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-26 Thread Guillem Jover
Hi! On Mon, 2009-10-26 at 15:39:37 -0400, Michael Gilbert wrote: > That list was taken from the secure-testing tracker's embedded code > copies list, which is hard to keep up to date and accurate. It could > use some more care and better maintaining; but code copies are > plentiful, making it ver

Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-26 Thread Faidon Liambotis
Michael S Gilbert wrote: > - asterisk (embed) It only shipped prototype as an example file, along with a demo webpage that used it. Since it was of limited usefulness and apparently also vulnerable, it has been removed from yesterday's upload (1:1.6.2.0~rc3-1). Thanks, Faidon

Re: Switch on compiler hardening defaults

2009-10-26 Thread Christoph Anton Mitterer
Hi. Ever thought about integrating PaX [0] per default in Debian? I'm however not sure how much this actually breaks ;) Cheers, Chris. [0] http://pax.grsecurity.net/

Re: Build logs from local builds

2009-10-26 Thread Roger Leigh
On Mon, Oct 26, 2009 at 02:29:47PM -0500, Adam Majer wrote: > People are lazy and like myself don't want to sync pbuilder and > related stuff every time I want to upload something. Since my box is > rarely up to date, this can result in dependencies lagging > somewhat compared to official buildd. I

Bug#552499: ITP: svox -- Small Footprint TTS

2009-10-26 Thread Mathieu Parent
Package: wnpp Severity: wishlist Owner: Mathieu Parent * Package name: svox Version : 1.6+1.4 Upstream Author : SVOX AG * URL : http://android.git.kernel.org/?p=platform/external/svox.git;a=summary * License : Apache v2 Programming Lang: C (some C++ and Java

Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-26 Thread Peter De Wachter
On Mon, 26 Oct 2009 23:11:08 +0100, Guillem Jover wrote: > You might find very useful to find this > kind of embedded copies. Although it seems it's having some problem > right now (Peter CCed). Thanks for letting me know, source.d.n is running again.

Re: Switch on compiler hardening defaults

2009-10-26 Thread Paul Wise
On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer wrote: > Ever thought about integrating PaX [0] per default in Debian? > I'm however not sure how much this actually breaks ;) Any idea if these patches will be merged upstream? -- bye, pabs http://wiki.debian.org/PaulWise

Walter Reed has invited you to open a Google mail account

2009-10-26 Thread Walter Reed
I've been using Gmail and thought you might like to try it out. Here's an invitation to create an account. --- Walter Reed has invited you to open a free Gmail account. To accept this invitation and register for your account, vi

Bug#552515: ITP: muninpgplugins -- Munin plugins to monitor PostgreSQL

2009-10-26 Thread Rodolphe Quiédeville
Package: wnpp Severity: wishlist Owner: "Rodolphe Quiédeville" * Package name: muninpgplugins Version : 0.2.2 Upstream Author : Cédric Villemain * URL : http://muninpgplugins.projects.postgresql.org/ * License : GPL Programming Lang: Perl Description

Re: Bug#545691: diverting telinit

2009-10-26 Thread Russell Coker
On Tue, 27 Oct 2009, Bastian Blank wrote: > > Which is why currently, as I have said before, re-execing init > > is opportunistic. This may or may not be the case in the future. > > No. It is not. All the re-exec init calls are only to start it with > new libs and there is no change vi

Re: Bug#545691: diverting telinit

2009-10-26 Thread Steve Langasek
On Fri, Oct 23, 2009 at 05:41:28PM -0500, Manoj Srivastava wrote: > > In article <87r5sudn0p.fsf...@anzu.internal.golden-gryphon.com> you wrote: > >> [ "$(stat -c %d/%i /sbin/init)" = "$(stat -Lc %d/%i /proc/1/exe > >> 2>/dev/null)" ] ; then > >> # So, init exists, and there is a linuxy /p

Re: Bug#545691: diverting telinit

2009-10-26 Thread Steve Langasek
On Fri, Oct 23, 2009 at 06:43:32PM +, brian m. carlson wrote: > Last I checked, the kfreebsd-* architectures don't use /dev/initctl; I > think it's something like /etc/.initctl. They do, however, have a > linuxy proc. You should probably check with the porters as to what > location is appropr

Re: Switch on compiler hardening defaults

2009-10-26 Thread Yves-Alexis Perez
On Tue, 2009-10-27 at 09:32 +0800, Paul Wise wrote: > On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer > wrote: > > > Ever thought about integrating PaX [0] per default in Debian? > > I'm however not sure how much this actually breaks ;) > > Any idea if these patches will be merged ups