Re: Open then gates

2010-05-15 Thread Tollef Fog Heen
]] Christoph Anton Mitterer | > Judging from the changelog of portmap, there's been a *lot* of discussion | > and angst over this decision over the years, and it wasn't one that was | > made easily. I think you're overstating this a bit as an example of a bad | > direction. | | Yes,.. but why "o

Re: Open then gates

2010-05-15 Thread Andreas Metzler
Christian PERRIER wrote: > Quoting Russ Allbery (r...@debian.org): >> >> you must not understand how user-private groups work at all >> > Well I guess I do,... >> Given your complaints, actually, you don't appear to. [...] > Is there a mail in this thread that would explain all this? [...] ht

Re: Open then gates

2010-05-15 Thread Robert Klotzner
> You need to explain clearly how the umask of 0002 is insecure. If you > have members in your user private group, then your group isn't private, > is it? UPG is designed to NOT have anyone else in your group except you. > So, adding the write bit on the group mode does not affect security in > the

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Andreas Metzler
Santiago Vila wrote: [...] > Problems like that are expected to happen, and I think we should be > ready to fix them as they are found, so that the umask setting can > really be a choice of the system admin, not an imposition of certain > key programs who do not work well enough on systems having

debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Asias He
Hi, All Recently, code.google.com changed the download page link format. As a result, the old debian/watch file in packages whose upstream source code hosted on code.google.com did work anymore. Take the ibus project for example: $ cat ibus/debian/watch version=3 http://code.google.com/p/ibus/dow

Re: debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Jakub Wilk
* Asias He , 2010-05-15, 17:16: Recently, code.google.com changed the download page link format. As a result, the old debian/watch file in packages whose upstream source code hosted on code.google.com did work anymore. [...] The new download page contain the "detail" link, one has to follow the

Re: debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Osamu Aoki
Hi, On Sat, May 15, 2010 at 05:16:08PM +0800, Asias He wrote: > Hi, All > > Recently, code.google.com changed the download page link format. > As a result, the old debian/watch file in packages whose upstream source code > hosted on code.google.com did work anymore. > > Take the ibus project for

Re: bindv6only again

2010-05-15 Thread David Weinehall
On Thu, May 13, 2010 at 06:39:46PM +0200, Tollef Fog Heen wrote: > ]] Salvo Tomaselli > > | On Thursday 13 May 2010 17:54:04 Tollef Fog Heen wrote: > | > Because it does not handle non-default values. This is just like an > | > application that didn't handle IFS or PATH being different from its

Re: Open then gates

2010-05-15 Thread Christoph Anton Mitterer
On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote: > These are really odd complaints to bring against Debian given that these > are not Debian issues. Firefox, for example, works exactly the same way > everywhere. What do you want Debian to do, write our own web browser? > There are limits to

Re: Open then gates

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 09:04 +0200, Tollef Fog Heen wrote: > You can make that argument for just about all the daemons that are > shipped in the distro. Yes :) > Should ssh not start by default or just listen > to localhost for instance? Personally,... I'd prefer the listen to localhost only (per

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 10:04 +0200, Andreas Metzler wrote: > #2 UPG with umask 022 is useless. Why is it? It makes that every user has its own group, and that other users can be added to it. This alone doesn't have any effect of course, as such added users have read rights anyway. But now it's easy

Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Andrei Popescu
Package: release-notes Severity: whishlist Tags: squeeze X-Debbugs-CC: debian-devel@lists.debian.org On Sat,15.May.10, 08:41:29, Christian PERRIER wrote: > More generally speaking, this umask change probably deserves to be > mentioned in the Release Notes along with a good rationale about > w

Re: Open then gates

2010-05-15 Thread Bernhard R. Link
* Christoph Anton Mitterer [100515 12:53]: > > If regular users can add other people to groups on your system, you have > > way more serious security problems than user-private groups, and those > > security problems are not created by Debian. > Of course I talk about having this done by root. > I

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Andrei Popescu
On Sat,15.May.10, 13:03:16, Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 10:04 +0200, Andreas Metzler wrote: > > #2 UPG with umask 022 is useless. > Why is it? > It makes that every user has its own group, and that other users can be > added to it. > This alone doesn't have any effect of

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote: > for regular users Would have to double check it,... but doesn't the current change also affect root? Cheers, Chris.

Re: Open then gates

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 13:22 +0200, Bernhard R. Link wrote: > Sorry, adding one user to the group of another is almost as stupid as > adding a script in /etc/cron.daily writeable by some user. If the user who owns the group allows it? What else should I do in your opinion? Cheers, Chris.

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 14:23 +0300, Andrei Popescu wrote: > Why is an own group needed for this? Can't the admin just create groups > as needed where both users shall belong? Well but that's always possible isn't it? So one could drop the concept of UPGs completely... Cheers, Chris.

Bug#581732: ITP: ibus-table-xingyin -- provide structural and phonetic tables for IBus-Table on IBus framework

2010-05-15 Thread Asias He
Package: wnpp Severity: wishlist Owner: Asias He * Package name: ibus-table-xingyin Version : ibus-table-xingyin-1.3.0.20100512 * URL : http://code.google.com/p/ibus/ * License : GPLv3 Programming Lang: Python Description : provide structural and phoneti

Re: Open then gates

2010-05-15 Thread Michael Biebl
On 15.05.2010 12:53, Christoph Anton Mitterer wrote: > udisks should have probably not exported the dm-crypt keys to normal > users, but it did. And why do you think this is a Debian specific problem is completely beyond me. This was an upstream bug, found by a fellow DD, and the quickly communi

Bug#581733: ITP: ibus-table-cangcan -- provide Cang Jie and derived tables & Cantonese and derived tables for IBus-Table on IBus framework

2010-05-15 Thread Asias He
Package: wnpp Severity: wishlist Owner: Asias He * Package name: ibus-table-cangcan Version : ibus-table-cangcan-1.3.0.20100512 * URL : http://code.google.com/p/ibus/ * License : GPLv3 Programming Lang: Python Description : provide Cang Jie and derived t

Re: Open then gates

2010-05-15 Thread Bernhard R. Link
* Christoph Anton Mitterer [100515 13:29]: > On Sat, 2010-05-15 at 13:22 +0200, Bernhard R. Link wrote: > > Sorry, adding one user to the group of another is almost as stupid as > > adding a script in /etc/cron.daily writeable by some user. > If the user who owns the group allows it? What else sho

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Holger Levsen
Hi Andrei, On Saturday, 15 May 2010, Andrei Popescu wrote: > Suggested text: Thanks for that! I have one small addition...: > This change can however create security and/or privacy issues if the > system administrator is not aware of it and adds users to the private > group of another user. Als

Re: Open then gates

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 13:22 +0200, Michael Biebl wrote: > And why do you think this is a Debian specific problem is completely beyond > me. > > This was an upstream bug, found by a fellow DD, and the quickly communicated > to > upstream and fixed there. > I honestly don't see how you can blame D

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 13:45 +0200, Holger Levsen wrote: > This paragraph should be accompanied by something like: > > Instead of adding users to other users private groups (which has issues as > explained above) it is recommended to create dedicated groups for these users > for collaboration. Per

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Andrei Popescu
On Sat,15.May.10, 13:30:14, Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 14:23 +0300, Andrei Popescu wrote: > > Why is an own group needed for this? Can't the admin just create groups > > as needed where both users shall belong? > Well but that's always possible isn't it? So one could d

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Robert Klotzner
On Saturday 15 May 2010 13:50:50 Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 13:45 +0200, Holger Levsen wrote: > > This paragraph should be accompanied by something like: > > > > Instead of adding users to other users private groups (which has issues > > as explained above) it is recomm

Re: Open then gates

2010-05-15 Thread Robert Klotzner
On Saturday 15 May 2010 13:47:43 Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 13:22 +0200, Michael Biebl wrote: > > It just shows how such stuff can completely undermine security, and one > even haven't thought that this would possible. This applies to any change you make to a piece o

Re: debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Asias He
On Sat, May 15, 2010 at 5:48 PM, Osamu Aoki wrote: > Hi, > > I guess we need to generalize situation on sf.net to other popular > download sites. This data is used mainly by uscan program. Yes. > When the watch file has an URL matching with the Perl regexp > "^http://sf\.net/", the uscan progr

[OT] Re: Open then gates

2010-05-15 Thread Eray Aslan
On 15.05.2010 08:24, Russ Allbery wrote: > Christoph Anton Mitterer writes: >> And personally, I really do _not_ trust some of the CAs which are >> included/enabled per default. > > Having done business with several of them, I don't trust any commercial > CA. This is a way more fundamental probl

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Julien Valroff
On Saturday 15 May 2010 at 13:26:29 (+0200), Christoph Anton Mitterer wrote: > Date: Sat, 15 May 2010 13:26:29 +0200 > From: Christoph Anton Mitterer > To: 581...@bugs.debian.org > Cc: debian-devel@lists.debian.org > Subject: Re: Bug#581729: [SQUEEZE] Document the umask change for new > installs

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Andrei Popescu
On Sat,15.May.10, 13:26:29, Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote: > > for regular users > Would have to double check it,... but doesn't the current change also > affect root? By default: # grep umask .bashrc umask 022 # Regards, Andrei -- Off

Re: [OT] Re: Open then gates

2010-05-15 Thread Paul Wise
On Sat, May 15, 2010 at 8:34 PM, Eray Aslan wrote: > Amen. PKI is a naive design and for all intents and purposes will > remain a pipe-dream. All security relationships that are worth anything > are bilateral and no trusted third party is willing to accept enough risk > to warrant full trust. >

Re: Open then gates

2010-05-15 Thread Harald Braumann
On Sat, May 15, 2010 at 12:53:30PM +0200, Christoph Anton Mitterer wrote: > On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote: > > These are really odd complaints to bring against Debian given that these > > are not Debian issues. Firefox, for example, works exactly the same way > > everywhere

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Julien Valroff
On Saturday 15 May 2010 at 15:59:40 (+0300), Andrei Popescu wrote: > Date: Sat, 15 May 2010 15:59:40 +0300 > From: Andrei Popescu > To: debian-devel@lists.debian.org > Cc: 581...@bugs.debian.org > Subject: Re: Bug#581729: [SQUEEZE] Document the umask change for new > installs > > On Sat,15.May.1

Re: debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Daniel Leidert
On Saturday, 15.05.2010, at 17:16 +0800, Asias He wrote: > Recently, code.google.com changed the download page link format. > As a result, the old debian/watch file in packages whose upstream source code > hosted on code.google.com did work anymore. > > Take the ibus project for example: > $ cat

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Aaron Toponce
On 05/15/2010 05:26 AM, Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote: >> for regular users > Would have to double check it,... but doesn't the current change also > affect root? This does, but root is also in his own UPG. If you add any user to the root

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 15:59 +0300, Andrei Popescu wrote: > By default: > > # grep umask .bashrc > umask 022 > # Not in the most recent version of base-files, which does not update most of its files. Cheers, Chris.

Re: [OT] Re: Open then gates

2010-05-15 Thread Christoph Anton Mitterer
On Sat, 2010-05-15 at 21:01 +0800, Paul Wise wrote: > You might be interested in monkeysphere ...and in RFC 5081 I haven't had a detailed look on monkeysphere so far, but it seemed at a first glance, that it does not use standardised technology, does it? Cheers, Chris.

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Aaron Toponce
On 05/15/2010 05:50 AM, Christoph Anton Mitterer wrote: > On Sat, 2010-05-15 at 13:45 +0200, Holger Levsen wrote: >> This paragraph should be accompanied by something like: >> >> Instead of adding users to other users private groups (which has issues as >> explained above) it is recommended to creat

Bug#581747: ITP: libfakefs-ruby -- A fake file system to be used in unit tests

2010-05-15 Thread Tobias Grimm
Package: wnpp Severity: wishlist Owner: Tobias Grimm X-Debbugs-CC: debian-devel@lists.debian.org Package name: libfakefs-ruby Version: 0.2.1 Upstream Author: Chris Wanstrath ch...@ozmm.org URL: http://github.com/defunkt/fakefs License: MIT Description: A fake fi

Re: Open then gates

2010-05-15 Thread Aaron Toponce
On 05/15/2010 02:00 AM, Robert Klotzner wrote: > Also as far as I understood from a previous post, this change will only > affect > new installations, not existing ones. So even if a user misunderstood the > concept and added other users to his private group, this change does not > affect > hi

Re: debian/watch problem due to http://code.google.com download page's link format change

2010-05-15 Thread Asias He
On Sat, May 15, 2010 at 9:27 PM, Daniel Leidert wrote: > > The URL at http://code.google.com/p/ibus/downloads/list itself tells you > everything you need: the version number. And you have a static download > location. So what you need to do is to rewrite the download URL to point > to http://ibus.

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Charles Plessy
On Sat, May 15, 2010 at 02:16:43PM +0300, Andrei Popescu wrote: > The default 'umask' for new installs is changed > === > > Starting with base-files version 5.4 the default umask for new installs > is 0002 instead of 0022 for regular users (system us

Re: UPG and the default umask

2010-05-15 Thread Charles Plessy
On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote: > > Yes, I think this change is important enough to be documented in > release notes. You might want to mention the possible gotchas, like, > for example, performing "scp -p" from a system with umask 002 to a > system without UPG wh

Bug#581760: ITP: myscreen -- A tab system and display system statistics for screen

2010-05-15 Thread Clément Mondon
Package: wnpp Severity: wishlist Owner: "Clément Mondon" * Package name: myscreen Version : 0.7 Upstream Author : Clément Mondon * URL : http://www.clement-mondon.fr/myscreen * License : GPL Programming Lang: C Description : A tab system and display s

Re: Open then gates

2010-05-15 Thread Tollef Fog Heen
]] Christoph Anton Mitterer (Please respect my mail-followup-to, there's no need to Cc me on lists which I read. It'd also make your mails more readable if you leave a blank line between what you quote and your reply.) | On Sat, 2010-05-15 at 09:04 +0200, Tollef Fog Heen wrote: | > You can make

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Santiago Vila
On Sun, 16 May 2010, Charles Plessy wrote: > Also, I have not seen on -devel that the idea of having a different > umask for system and regular users has been implemented in > base-files yet. I propose to not mention this until base-files is > updated to support it. The file /etc/profile is only

Re: Bug#581729: [SQUEEZE] Document the umask change for new installs

2010-05-15 Thread Aaron Toponce
On 05/15/2010 10:47 AM, Santiago Vila wrote: > On Sun, 16 May 2010, Charles Plessy wrote: > >> Also, I have not seen on -devel that the idea of having a different >> umask for system and regular users has been implemented in >> base-files yet. I propose to not mention this until base-files is >> u

Re: Bug#581760: ITP: myscreen -- A tab system and display system statistics for screen

2010-05-15 Thread Reinhard Tartler
On Sat, May 15, 2010 at 17:59:37 (CEST), Clément Mondon wrote: > Package: wnpp > Severity: wishlist > Owner: "Clément Mondon" > > > * Package name: myscreen > Version : 0.7 > Upstream Author : Clément Mondon > * URL : http://www.clement-mondon.fr/myscreen > * License

Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

2010-05-15 Thread Steve Langasek
On Sun, May 09, 2010 at 03:10:15AM +0200, Marco d'Itri wrote: > On May 07, Julien Cristau wrote: > > > - a decision to drop kfreebsd as a release architecture > > Since 1 and 2 aren't happening, I think we should consider going with > > the third option. > Me too, I believe that the people inter

Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

2010-05-15 Thread Steve Langasek
On Sun, May 09, 2010 at 06:09:10PM -0700, Manoj Srivastava wrote: > > In speaking with upstart upstream, I understand that the argument against > > linking to libselinux is that, as the kernel is neutral wrt the choice of > > LSM, the init process should be also. Linking it against libselinux woul

Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

2010-05-15 Thread Petter Reinholdtsen
[Steve Langasek] > Was this request ever actually made to the kfreebsd porters? I'm not sure > that it was, in which case it's rather unfair to say that they've had enough > time when they were never informed this was a pressing issue. One request was done last summer, see http://lists.debian.or

Re: UPG and the default umask

2010-05-15 Thread Willi Mann
Hi! Russ Allbery wrote: > The purpose of UPG is not to use the user private group for any sort of > access control. Rather, the point is to put each user in a group where > they're the only member so that they can safely use a default umask of 002 > without giving someone else write access to all

Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

2010-05-15 Thread Manoj Srivastava
On Fri, May 14 2010, Scott James Remnant wrote: >> One of my concerns about upstart is that systems that want to >> use SELinux and upstart _have_ to also use an initramfs, which is yet >> another component of the system that has to be audited. There have >> been patches proposed, and semi-reject

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Thomas Hochstein
Christoph Anton Mitterer wrote: >> #2 UPG with umask 022 is useless. > Why is it? See .

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Don Armstrong
On Sat, 15 May 2010, Andreas Metzler wrote: > #4 We cannot reliably detect UPG-setups. (The setting > USERGROUPS=yes/no in /etc/adduser.conf is not relevant, e.g. in a > NIS scenario users are generated on the master system.) You don't need to detect UPG setups with 100% reliability; you can j

Re: UPG and the default umask

2010-05-15 Thread Russ Allbery
Willi Mann writes: > Russ Allbery wrote: >> The purpose of UPG is not to use the user private group for any sort of >> access control. Rather, the point is to put each user in a group where >> they're the only member so that they can safely use a default umask of >> 002 without giving someone el

Re: UPG and the default umask

2010-05-15 Thread Roger Leigh
On Sat, May 15, 2010 at 02:34:57PM -0700, Russ Allbery wrote: > Willi Mann writes: > > Russ Allbery wrote: > > >> The purpose of UPG is not to use the user private group for any sort of > >> access control. Rather, the point is to put each user in a group where > >> they're the only member so th

Re: UPG and the default umask

2010-05-15 Thread Russ Allbery
Roger Leigh writes: > On Sat, May 15, 2010 at 02:34:57PM -0700, Russ Allbery wrote: >> That's a good idea. I'm not sure if all UNIX group systems allow one >> to ask how many users are a member of a particular group, but if >> there's a way to ask that question at least in those group systems th

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Drake Wilson
Quoth Don Armstrong , on 2010-05-15 14:40:05 -0700: > You don't need to detect UPG setups with 100% reliability; you can > just do the following: > > 1. If there a possibility of this being a UPG setup: >2. If this user's group has the same name and GID as the user's name and > UID: Hrmbl.

Bug#581804: RFP: libcatalystx-leakchecker-perl -- Debug memory leaks in Catalyst applications

2010-05-15 Thread Jason Kuri
Package: wnpp Severity: wishlist X-Debbugs-CC: debian-devel@lists.debian.org,debian-p...@lists.debian.org * Package name: libcatalystx-leakchecker-perl Version : 0.06 Upstream Author : Florian Ragwitz , Tomas Doran * URL : http://search.cpan.org/dist/CatalystX-LeakChec

Re: Bug#581434: UPG and the default umask

2010-05-15 Thread Andreas Metzler
Drake Wilson wrote: > Quoth Don Armstrong , on 2010-05-15 14:40:05 -0700: >> You don't need to detect UPG setups with 100% reliability; you can >> just do the following: >> 1. If there a possibility of this being a UPG setup: >>2. If this user's group has the same name and GID as the user's n