To put things in perspective, I just wonder how strong this 'fortress'
really is, and whether this strength is only in our perception or
whether it is real. Let me give just one example: A developer downloads
a tarball from an upstream source, configures it, and does make install,
yet has not even
On Fri, Feb 17, 2012 at 07:07:40PM +0100, Samuel Thibault wrote:
> Bastian Blank, le Fri 17 Feb 2012 19:02:59 +0100, a écrit :
> > On Fri, Feb 17, 2012 at 06:59:51PM +0100, Samuel Thibault wrote:
> > > Bastian Blank, le Fri 17 Feb 2012 18:52:10 +0100, a écrit :
> > > > I see this:
> > > > | Provide
Riku Voipio, le Sat 18 Feb 2012 10:48:56 +0200, a écrit :
> On Fri, Feb 17, 2012 at 07:07:40PM +0100, Samuel Thibault wrote:
> > Bastian Blank, le Fri 17 Feb 2012 19:02:59 +0100, a écrit :
> > > On Fri, Feb 17, 2012 at 06:59:51PM +0100, Samuel Thibault wrote:
> > > > Bastian Blank, le Fri 17 Feb 20
On Fri, Feb 17, 2012 at 07:28:49PM +, Ben Hutchings wrote:
> On Fri, Feb 17, 2012 at 07:41:03PM +0100, Mike Hommey wrote:
> > On Fri, Feb 17, 2012 at 06:08:59PM +, Ben Hutchings wrote:
> > > On Fri, Feb 17, 2012 at 07:00:32PM +0100, Mike Hommey wrote:
> > > > On Fri, Feb 17, 2012 at 06:40:2
Christoph Anton Mitterer:
> Hey.
>
> I've decided that I think it's important to CC this d-d:
> Debian has a good system of securing packages and making sure that only
> signed stuff comes to the user.
> Over time I've seen many holes in this:
> - packages that are just wrapper packages, download
Am Samstag, den 18.02.2012, 11:48 +0100 schrieb Thomas Koch:
> July 2011 VLC suffers from Companies spreading Malware bundled with VLC
This is no problem for us, because the malware was distributed on some
untrustworthy websites. We, as packagers, get the code directly from the
Videolan projec
* Christoph Anton Mitterer , 2012-02-18, 06:09:
I've decided that I think it's important to CC this d-d:
Debian has a good system of securing packages and making sure that only
signed stuff comes to the user.
Over time I've seen many holes in this:
- packages that are just wrapper packages, dow
On Sat, 18 Feb 2012 12:32:14 +0100
Jakub Wilk wrote:
> * Christoph Anton Mitterer , 2012-02-18, 06:09:
> >I've decided that I think it's important to CC this d-d:
> >Debian has a good system of securing packages and making sure that only
> >signed stuff comes to the user.
> >Over time I've seen
On Sat, 18 Feb 2012 11:48:27 +0100
Thomas Koch wrote:
> I think as a start it should be made a policy that any "wrapper" package that
> downloads code from the net must at least do a strong checksum check on the
> downloaded code.
Not possible to enforce as a 'MUST' because, by definition, thi
On Sat, 18 Feb 2012, Teus Benschop wrote:
> To put things in perspective, I just wonder how strong this 'fortress'
> really is, and whether this strength is only in our perception or
> whether it is real. Let me give just one example: A developer downloads
> a tarball from an upstream source, confi
Le vendredi 17 février 2012 à 22:13 +0100, Axel Beckert a écrit :
> Ben Hutchings wrote:
> > 'Let the user choose' is almost as stupid an idea for drivers as it
> > is for health insurance.
>
> I.e. it is a good idea?
This question would be funny if so many politicians weren’t spreading
such shi
Le samedi 18 février 2012 à 11:17 +0100, Samuel Thibault a écrit :
> As said in my very first mail, I've already done so in the repo, but
> asked the oss4 maintainers whether it's OK with them.
What should be OK for our users is to remove the *entire* OSS crap from
the Linux builds.
--
.''`.
Le samedi 18 février 2012 à 06:09 +0200, Christoph Anton Mitterer a
écrit :
> Personally I decided to use GNOME-fallback, but via the meta-packages I
> still got the GNOME shell... today
> I've noticed that it silently installs an extension, which (I can only
> assume this by the little
> descri
Jakub Wilk writes:
> Could you point us to those which were ignored or denied?
At least pbuilder still disables secure APT by default, see #579028.
Regards
Ansgar
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lis
Package: wnpp
Severity: wishlist
Owner: Hleb Valoshka <375...@gmail.com>
* Package name: ruby-kgio
Version : 2.7.2
Upstream Author : Eric Wong
* URL : http://bogomips.org/kgio/
* License : LGPL-2.1 or LGPL-3
Programming Lang: Ruby
Description : Kinder,
Package: wnpp
Severity: wishlist
Owner: Hleb Valoshka <375...@gmail.com>
* Package name: ruby-raindrops
Version : 0.8.0
Upstream Author : Eric Wong
* URL : http://raindrops.bogomips.org/
* License : LGPL-2.1 or LGPL-3
Programming Lang: Ruby
Description
Package: wnpp
Severity: wishlist
Owner: Hleb Valoshka <375...@gmail.com>
* Package name: ruby-aggregate
Version : 0.2.2
Upstream Author : Joseph Ruscio
* URL : http://github.com/josephruscio/aggregate
* License : MIT
Programming Lang: Ruby
Description :
Package: wnpp
Severity: wishlist
Owner: Alastair McKinstry
* Package name: python-cdo
Version : 1.5.4
Upstream Author : uwe.schulzwe...@zmaw.de
* URL : https://code.zmaw.de/projects/cdo
* License : GPL
Programming Lang: python
Description : python wrapp
Am 18.02.2012 10:11, schrieb Teus Benschop:
To put things in perspective, I just wonder how strong this
'fortress'
really is, and whether this strength is only in our perception or
whether it is real. Let me give just one example: A developer
downloads
a tarball from an upstream source, configu
Am 18.02.2012 13:14, schrieb Benjamin Drung:
This is no problem for us, because the malware was distributed on
some
untrustworthy websites. We, as packagers, get the code directly from
the
Videolan project.
So you met them once in person and exchanged some kind of PKI/shared
secret etc?
Tha
Now that we have a concept of a “team upload”[0], I'd like to have
putting team's name in the changelog trailer officially deprecated.
This would:
1) allow to always identify person responsible for a particular upload;
2) help to avoid situations where (inadvertently) no human name is
mentioned
* Ansgar Burchardt , 2012-02-18, 14:14:
Could you point us to those which were ignored or denied?
At least pbuilder still disables secure APT by default, see #579028.
The bug is closed. Am I missing something?
But anyway, this is saddening. Hundreds (? - wild guess) of developers
have been b
Am 18.02.2012 13:32, schrieb Jakub Wilk:
I'll add to the list:
- Packages that download and run untrusted code at build time.
May I add a similar case...
Take the non-free flash as example... (yeah I know it's non-free and
not officially sec-supported)..
Even if it would use some SHA512 sums (h
Am 18.02.2012 14:34, schrieb Neil Williams:
>- packages that eventually run some code which was downloaded
>unsecured.
>debootstrap used to be like that, pbuilder, and some others
Only a bug if this happens by default.
It is perfectly acceptable to support an option to disable SecureApt
-
ju
Am 18.02.2012 14:40, schrieb Neil Williams:
I think as a start it should be made a policy that any "wrapper"
package that
downloads code from the net must at least do a strong checksum check
on the
downloaded code.
Not possible to enforce as a 'MUST' because, by definition,
third-party
websit
Am 18.02.2012 15:30, schrieb Josselin Mouette:
Personally I decided to use GNOME-fallback, but via the
meta-packages I
still got the GNOME shell... today
I've noticed that it silently installs an extension, which (I can
only
assume this by the little
description) does some software installatio
* Christoph Anton Mitterer , 2012-02-18, 16:19:
Take the non-free flash as example... (yeah I know it's non-free and
not officially sec-supported)..
Even if it would use some SHA512 sums (hardcoded into the package) to
verify the download (I don't know whether it does),.. the update
mechanism i
Hi.
On Sat, Feb 18, 2012 at 03:08:50PM +0100, Jakub Wilk wrote:
> Now that we have a concept of a “team upload”[0], I'd like to have
> putting team's name in the changelog trailer officially deprecated.
>
> This would:
> 1) allow to always identify person responsible for a particular upload;
To
Kumar Appaiah (18/02/2012):
> > This would:
> > 1) allow to always identify person responsible for a particular upload;
>
> To be very pedantic, the signature on the last upload should reveal
> this, right?
Not if the team upload is prepared by someone who then gets sponsored by
a DD (or a DM fr
Hello,
On Wed, 01 Feb 2012, Josselin Mouette wrote:
> Le mardi 31 janvier 2012 à 21:51 +0100, Andreas Tille a écrit :
> > I agree that an automatic solution would be prefered. However, as long
> > as such someone does not stand up and write such a program removing
> > existing solutions is .
>
Jakub Wilk writes:
> * Ansgar Burchardt , 2012-02-18, 14:14:
>>>Could you point us to those which were ignored or denied?
>>At least pbuilder still disables secure APT by default, see #579028.
>
> The bug is closed. Am I missing something?
pbuilder was changed to pass the --keyring argument to de
On Sat, 18 Feb 2012 16:25:20 +0200
Christoph Anton Mitterer wrote:
> Am 18.02.2012 14:40, schrieb Neil Williams:
> >> I think as a start it should be made a policy that any "wrapper"
> >> package that
> >> downloads code from the net must at least do a strong checksum check
> >> on the
> >> dow
On Fri, Feb 17, 2012 at 18:36:56 +0100, Mike Hommey wrote:
> Oh, so OSS4 provides an Alsa API that is not compatible with Alsa's.
> Awesome.
>
The oss4 package should die a painful death.
Cheers,
Julien
On Sat, Feb 18, 2012 at 15:08:50 +0100, Jakub Wilk wrote:
> What do others think?
>
Yes please.
Cheers,
Julien
Hi,
The attached patch against current util-linux cleans up hwclock
handling with the following changes:
• There are currently two init scripts, hwclockfirst.sh and
hwclock.sh. The reasons for these two originally existing
(/etc/localtime not being present until after /usr was
mounted AFAI
On Sat, 18 Feb 2012 15:59:38 +0200
Christoph Anton Mitterer wrote:
> Am 18.02.2012 10:11, schrieb Teus Benschop:
> > To put things in perspective, I just wonder how strong this
> > 'fortress'
> > really is, and whether this strength is only in our perception or
> > whether it is real. Let me giv
On Sat, Feb 18, 2012 at 03:59:23PM +, Roger Leigh wrote:
> Hi,
>
> The attached patch against current util-linux cleans up hwclock
> handling with the following changes:
• Also adds /etc/default/hwclock and hwclock(5) which permit
configuration without editing the initscript, and also
doc
Hi,
Jakub Wilk wrote:
> Now that we have a concept of a “team upload”[0], I'd like to have
> putting team's name in the changelog trailer officially deprecated.
Seconded.
Regards, Axel
--
,''`. | Axel Beckert , http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.c
On Sat, 18 Feb 2012 15:49:30 +, Neil Williams wrote:
> On Sat, 18 Feb 2012 16:25:20 +0200
> Christoph Anton Mitterer wrote:
>
> > Am 18.02.2012 14:40, schrieb Neil Williams:
> > >> I think as a start it should be made a policy that any "wrapper"
> > >> package that
> > >> downloads code fro
On Sat, Feb 18, 2012 at 3:08 PM, Jakub Wilk wrote:
> 1) allow to always identify person responsible for a particular upload;
> 2) help to avoid situations where (inadvertently) no human name is mentioned
> in a changelog entry at all.
>
> What do others think?
It would be very appropriate, in Deb
On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:
> What about a debhelper script that receives an URL (or set of mirror
> URLs) and a SHA1 and does the download and check?
Please use something stronger than SHA-1. SHA-1 has some weaknesses and
something like SHA-256 or SHA-512 should
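What the proposal above amounts to, written out as an added example (this is not debhelper's, Debian's or any listed package's code): a helper that takes a list of mirror URLs and a digest pinned in the package, tries the mirrors in order, and only places the file at its destination once the streamed SHA-256 matches. The function names, the use of SHA-256 (rather than the SHA-1 originally suggested) and the assumption that the expected digest was obtained out of band by the packager are all mine. It does not address where that pinned digest comes from, nor anything the downloaded program later fetches by itself, which is exactly the gap the thread goes on to raise.

```python
"""Download-and-verify helper (added example, not a Debian or debhelper tool):
fetch a file from one of several mirrors and accept it only if its SHA-256
matches a digest pinned ahead of time. A mismatch is treated like a failed
mirror: the bytes are discarded and never written to the final destination."""
import hashlib
import hmac
import os
import tempfile
import urllib.request


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large tarballs never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_verified(urls, expected_sha256, dest, timeout=30):
    """Try each URL in turn. Returns the URL that produced a matching file;
    raises RuntimeError if no mirror does. dest is written atomically (rename
    of a temp file in the same directory) and only after verification, so a
    partial or tampered download can never be picked up by a later build step.
    expected_sha256 is the hex digest pinned by the packager (assumption: it was
    obtained out of band, e.g. from a signed upstream announcement)."""
    expected = expected_sha256.lower()
    dest_dir = os.path.dirname(os.path.abspath(dest))
    errors = []
    for url in urls:
        fd, tmp = tempfile.mkstemp(dir=dest_dir)
        try:
            h = hashlib.sha256()
            with os.fdopen(fd, "wb") as out:
                with urllib.request.urlopen(url, timeout=timeout) as resp:
                    for chunk in iter(lambda: resp.read(1 << 16), b""):
                        h.update(chunk)
                        out.write(chunk)
            actual = h.hexdigest()
            # constant-time comparison; a mismatch is an error, not a warning
            if not hmac.compare_digest(actual, expected):
                raise ValueError(f"SHA-256 mismatch: expected {expected}, got {actual}")
            os.replace(tmp, dest)  # only a verified file ever appears at dest
            return url
        except Exception as e:  # network/HTTP failure or digest mismatch
            errors.append(f"{url}: {e}")
            if os.path.exists(tmp):
                os.unlink(tmp)
    raise RuntimeError(
        "no mirror produced a file matching the pinned digest:\n" + "\n".join(errors)
    )


if __name__ == "__main__":
    # Stand-alone demo on a constructed local file served over file:// so it
    # runs offline; a real package would list http(s) mirrors here.
    import shutil

    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "upstream.tar.gz")
        with open(src, "wb") as f:
            f.write(b"constructed tarball contents\n")
        pinned = sha256_of_file(src)
        mirrors = ["file:///nonexistent/mirror/upstream.tar.gz", "file://" + src]
        got = fetch_verified(mirrors, pinned, os.path.join(work, "out.tar.gz"))
        print("verified download from", got)
        try:
            fetch_verified(mirrors, "00" * 32, os.path.join(work, "bad.tar.gz"))
        except RuntimeError as e:
            print("rejected as expected:", e.splitlines()[0])
    finally:
        shutil.rmtree(work)
```

The first mirror in the demo does not exist, so the helper falls through to the second; with a wrong pinned digest both mirrors are rejected and nothing is written. Wiring this into a package would still leave the "wrapper" problem the thread describes for anything the fetched program downloads on its own afterwards.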
Am 18.02.2012 16:18, schrieb Jakub Wilk:
The bug is closed. Am I missing something?
But anyway, this is saddening. Hundreds (? - wild guess) of
developers have been building their packages in insecure environment,
yet pbuilder maintainer and a member of Security Team believe that it
was a featur
Am 18.02.2012 19:03, schrieb brian m. carlson:
On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:
What about a debhelper script that receives an URL (or set of mirror
URLs) and a SHA1 and does the download and check?
Please use something stronger than SHA-1. SHA-1 has some weaknesses
Am 18.02.2012 18:45, schrieb Philip Hands:
He's talking about stuff like flash-nonfree (or whatever) where we
ship
a wrapper that wgets the actual tarball for you from the distributor,
and checks the checksum of whatever it ends up with.
Yes!
(perhaps if paranoid do the
download from elsewher
On Sat, Feb 18, 2012 at 04:31:19PM +0100, Ansgar Burchardt wrote:
> Jakub Wilk writes:
> > * Ansgar Burchardt , 2012-02-18, 14:14:
> >>>Could you point us to those which were ignored or denied?
> >>At least pbuilder still disables secure APT by default, see #579028.
> >
> > The bug is closed. Am I
On 02/18/2012 08:40 PM, Neil Williams wrote:
> On Sat, 18 Feb 2012 11:48:27 +0100
> Thomas Koch wrote:
>
>
>> I think as a start it should be made a policy that any "wrapper" package
>> that
>> downloads code from the net must at least do a strong checksum check on the
>> downloaded code.
>>
On 02/18/2012 09:30 PM, Josselin Mouette wrote:
> Plugin integrity is
> guaranteed by SSL, and extensions have been checked before being put on
> the website.
>
I feel much much safer now that I know that my plugin downloads
are protected by Diginotar ! :)
Thomas
On Sat, 18 Feb 2012, Neil Williams wrote:
> On Sat, 18 Feb 2012 16:25:20 +0200
> Christoph Anton Mitterer wrote:
> > Am 18.02.2012 14:40, schrieb Neil Williams:
> > >> I think as a start it should be made a policy that any "wrapper"
> > >> package that
> > >> downloads code from the net must at l
On Sat, 18 Feb 2012, Philip Hands wrote:
> On Sat, 18 Feb 2012 15:49:30 +, Neil Williams wrote:
> > On Sat, 18 Feb 2012 16:25:20 +0200
> > Christoph Anton Mitterer wrote:
> > > Am 18.02.2012 14:40, schrieb Neil Williams:
> > > >> I think as a start it should be made a policy that any "wrapper
On Sat, Feb 18, 2012 at 04:42:38PM -0200, Henrique de Moraes Holschuh wrote:
> > Against what? The source is only downloaded from upstream once per
> > upstream release, what is there to check against?
>
> Upstream VCS, previous releases (when the diff is small enough), request
> that upstream pub
On Feb 18, Roger Leigh wrote:
> • There are currently two init scripts, hwclockfirst.sh and
> hwclock.sh. The reasons for these two originally existing
Why do you still bother with init scripts? With very good approximation,
nowadays all systems which need hwclock (i.e. are not containers,
c
On Sat, Feb 18, 2012 at 08:00:28PM +0100, Marco d'Itri wrote:
> On Feb 18, Roger Leigh wrote:
>
> > • There are currently two init scripts, hwclockfirst.sh and
> > hwclock.sh. The reasons for these two originally existing
> Why do you still bother with init scripts? With very good approximatio
Package: wnpp
Severity: wishlist
Owner: Florian Schlichting
* Package name: libpackage-new-perl
Version : 0.07
Upstream Author : Michael R. Davis
* URL : http://search.cpan.org/perldoc?Package::New
* License : BSD
Programming Lang: Perl
Description : s
Le Sat, Feb 18, 2012 at 05:51:57PM +0100, Stefano Zacchiroli a écrit :
>
> It'd be nice if debbugs could understand "[ Debian Developer ]" lines
> and give credit to the appropriate individuals when closing bugs
> mentioned in changelogs. But I understand that's not entirely trivial to
> do, and I
On Sat, Feb 18, 2012 at 04:24:39PM +0100, Cyril Brulebois wrote:
> Kumar Appaiah (18/02/2012):
> > > This would:
> > > 1) allow to always identify person responsible for a particular upload;
> >
> > To be very pedantic, the signature on the last upload should reveal
> > this, right?
>
> Not if t
On Sat, Feb 18, 2012 at 08:01:14PM -0600, Kumar Appaiah wrote:
> On Sat, Feb 18, 2012 at 04:24:39PM +0100, Cyril Brulebois wrote:
> > Kumar Appaiah (18/02/2012):
> > > > This would:
> > > > 1) allow to always identify person responsible for a particular upload;
> > >
> > > To be very pedantic, th
Hi all,
2012/2/18 Julien Cristau :
> On Fri, Feb 17, 2012 at 18:36:56 +0100, Mike Hommey wrote:
>
>> Oh, so OSS4 provides an Alsa API that is not compatible with Alsa's.
>> Awesome.
>>
> The oss4 package should die a painful death.
2012/2/18 Josselin Mouette :
> Le vendredi 17 février 2012 à 22:1