Vladimir Stavrinov writes:
> I believe due to this "long thread" all those bugs (or rather security
> vulnerability), apart from last only about using $RANDOM are fixed.
> At same time I think this small utility has less significant, and less
> bugs than most software already included in Debian h
On Wed, Apr 18, 2012 at 3:08 AM, Ben Finney wrote:
> Agreed. Vladimir, this long thread highlights the fact that you need to
> find a community for this code *first*, and fix many of the bugs that
> would be found that way, before presenting it as a package for inclusion
> in Debian.
I believe d
Matt Zagrabelny writes:
> Perhaps taking d-mentors@l.d.o off future replies could be done.
Agreed. Vladimir, this long thread highlights the fact that you need to
find a community for this code *first*, and fix many of the bugs that
would be found that way, before presenting it as a package for
Perhaps taking d-mentors@l.d.o off future replies could be done.
Thanks!
-mz
On Tue, Apr 17, 2012 at 3:17 PM, Timo Juhani Lindfors wrote:
> Vladimir Stavrinov writes:
>> In some degree it is compensated by the fact, that double letters are
>> excluded as well as other combinations. This forces
Vladimir Stavrinov writes:
> In some degree it is compensated by the fact, that double letters are
> excluded as well as other combinations. This forces to call $RANDOM
> again and again before pick up a symbol.
Calling $RANDOM again and again does not help at all. If you run
for i in $(seq
On Tue, Apr 17, 2012 at 09:40:50PM +0300, Timo Juhani Lindfors wrote:
> Now there is at least the problem that you are using the $RANDOM
Yes, I am aware of this already and will consider other solutions.
> variable of bash. It is easily predictable and should not be used to
In some degree it i
Vladimir Stavrinov writes:
> http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.4-1.dsc
Now there is at least the problem that you are using the $RANDOM
variable of bash. It is easily predictable and should not be used to
produce passwords.
--
To UNSUBSCRIBE, email to debian-mentors-requ
Timo Juhani Lindfors writes:
> [ Dropping extra people from Cc since I don't think my reply is
> related to rpg anymore. ]
Please also drop ‘debian-mentors’; the discussion has been off-topic
here for a long time.
--
\ “Working out the social politics of who you can trust and why |
On Wed, Apr 11, 2012 at 11:13:35PM +0300, Timo Juhani Lindfors wrote:
> Yep, you need to install the -dbg package. It'd be nice if we could just
Installation started, but it will take about 20 minutes.
Installed now, it brought no success:
root@mana:~# stap -e 'probe syscall.execve { printf("%s\
[ Dropping extra people from Cc since I don't think my reply is
related to rpg anymore. ]
Vladimir Stavrinov writes:
> root@mana:~# stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c
> 'rpg'
> semantic error: missing x86_64 kernel/module debuginfo under
> '/lib/modules/3.2.0-2-a
On Wed, Apr 11, 2012 at 11:00:27PM +0300, Timo Juhani Lindfors wrote:
> Vladimir Stavrinov writes:
> > I am on 3.2.0-2
>
> I'm on linux-image-3.2.0-1-amd64 3.2.4-1 and it works.
>
root@mana:~# stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c 'rpg'
semantic error: missing x86_64 ke
Vladimir Stavrinov writes:
> I am on 3.2.0-2
I'm on linux-image-3.2.0-1-amd64 3.2.4-1 and it works.
On Wed, Apr 11, 2012 at 10:46:06PM +0300, Timo Juhani Lindfors wrote:
> Why? systemtap works with debian stable kernels.
I am on 3.2.0-2
***
### Vladimir Stavrinov
### vstavri...@gmail.com
***
Vladimir Stavrinov writes:
> Certainly! But to resolve last issue, I should compile custom kernel,
> while at this time I am using Debian binary kernel.
Why? systemtap works with debian stable kernels.
On Wed, Apr 11, 2012 at 10:16:15PM +0300, Timo Juhani Lindfors wrote:
> If you are going to maintain this package you really need to learn how
> to audit it for security issues :)
Certainly! But to resolve last issue, I should compile custom kernel,
while at this time I am using Debian binary ker
Vladimir Stavrinov writes:
> Don't worry, we have nowhere to rush. I can't check it myself, so I'll
> wait for You. Thank You for Your assistance.
If you are going to maintain this package you really need to learn how
to audit it for security issues :)
On Wed, Apr 11, 2012 at 08:15:56PM +0300, Timo Juhani Lindfors wrote:
>
> I'm too busy at least at the moment.
>
Don't worry, we have nowhere to rush. I can't check it myself, so I'll
wait for You. Thank You for Your assistance.
***
### Vladimir Stavrinov
### vstavr
Vladimir Stavrinov writes:
> Fixed. Please, check it again:
I'm too busy at least at the moment.
On Wed, Apr 11, 2012 at 09:32:22AM +0300, Timo Juhani Lindfors wrote:
> It's the tr commands this time.
>
> $ stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c './rpg'
Fixed. Please, check it again:
http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.4-1.dsc
--
*
On Wed, Apr 11, 2012 at 09:32:22AM +0300, Timo Juhani Lindfors wrote:
> > Ok. Show me where You see password. What command in process list does show
> > password?
>
> It's the tr commands this time.
Thank You. I will fix this.
--
***
## Vladimir Stavrinov
## vstavri.
Vladimir Stavrinov writes:
> Ok. Show me where You see password. What command in process list does show
> password?
It's the tr commands this time.
$ stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c './rpg'
parketdufime
./rpg
/usr/bin/cut "-c" "7"
/usr/bin/tr "-d" "p"
/us
On Sun, Apr 08, 2012 at 01:00:09PM +0600, Andrey Rahmatullin wrote:
> Please clearly state somewhere that your software doesn't attempt to
> generate cryptographically secure passwords.
Thank You very much. This is one of two only valuable messages in this
thread. The paradox is that it is most s
On Sun, Apr 08, 2012 at 04:18:55PM +1000, Dmitry Smirnov wrote:
> Shortly after you published your RFS I tried 'rpg' but quickly discarded it
> because from the first look I found no new functionality. (pwgen is more
> feature rich)
It is not issue of functionality. Need to repeat again: the on
On Sun, Apr 08, 2012 at 04:24:19AM +0400, Vladimir Stavrinov wrote:
> As for security, I hope there are no such problems in last uploaded
> version.
Please clearly state somewhere that your software doesn't attempt to
generate cryptographically secure passwords.
--
WBR, wRAR
On Sunday 08 April 2012 12:58:08 Vladimir Stavrinov wrote:
> The problem is that I don't see this "review process" here. Instead, all of
> You are explaining what Debian is and what is not. But I've got no much
> new. You are trying to breach into opened door. But point is that all this
> discussio
Vladimir Stavrinov writes:
> The problem is that I don't see this "review process" here. Instead,
> all of You are explaining what Debian is and what is not. But I've got
> no much new. You are trying to breach into opened door. But point is
> that all this discussion have no relation to script i
On Sat, Apr 07, 2012 at 11:20:55PM -0300, Fernando Lemos wrote:
> to get rid of it. It's thus reasonable that we want to make sure
> packages are in good shape for entry in Debian. It's also natural that
It is very easy to execute this task: please, read this shell script. It
is short and simple
On Sat, Apr 7, 2012 at 10:28 PM, Vladimir Stavrinov wrote:
> On Sun, Apr 08, 2012 at 10:08:08AM +1000, Ben Finney wrote:
>
>> barrier to entry there: Debian should be a coherent operating system
>
> Very good. But to keep system in "coherent" state You should not only
> build barrier on entry, but
On Sun, Apr 08, 2012 at 10:08:08AM +1000, Ben Finney wrote:
> barrier to entry there: Debian should be a coherent operating system
Very good. But to keep system in "coherent" state You should not only
build barrier on entry, but also remove packages that break such
coherence. And this should be n
On Sun, Apr 08, 2012 at 09:05:25AM +0900, Charles Plessy wrote:
> As a side note, I think that the comments about security in this
> thread are very relevant. If your package were accepted in Debian, it
> would need to meet Debian's and Debian's users expectations, not only
> your vision as an up
Vladimir Stavrinov writes:
> But for a last at least 15 years I've written tens of such scripts, that
> I am using for years in my work and life with enjoy and no problems.
> And now, I think, why don't make those lot of software available for
> Debian users? But I see: because there are army of fo
On Sat, Apr 07, 2012 at 04:46:33PM +0400, Vladimir Stavrinov wrote:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659047
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652718
> http://mentors.debian.net/package/rpg
Hi,
There is no need to rename bugs and mentors uploads retroactive
On Sat, Apr 07, 2012 at 01:13:35PM -0300, Fernando Lemos wrote:
> maintainers to request removals before they leave Debian. You seem to
> have an overly simplified view of how the distribution works.
You don't let me know something new.
> Now, about the package in question. The alternative softw
On Sat, Apr 07, 2012 at 01:13:35PM -0300, Fernando Lemos wrote:
> First, If you're proposing a different algorithm for password
> generation, have you looked into contributing the algorithm to apg? If
> not, why?
Please also note that while apg generates secure passwords, rpg doesn't
care about su
On Sat, Apr 7, 2012 at 9:46 AM, Vladimir Stavrinov wrote:
>> ecosystem. Consider for instance that if one day you suddenly can not
>> contribute anymore, somebody else will need to care of the package. Summed
>> together, even removals takes time.
>
> It would be a nice behavior, if maintainer
On Sat, Apr 07, 2012 at 09:14:44AM +0900, Charles Plessy wrote:
> > What about "repagen" i.e. REadable PAssword GENerator ? Is it OK.?
>
> That is nice.
Good. But. There are too many things to be renamed:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659047
http://bugs.debian.org/cgi-bin/bug
On Fri, Apr 06, 2012 at 07:04:08PM +0400, Vladimir Stavrinov wrote:
> On Fri, Apr 6, 2012 at 3:34 AM, Charles Plessy wrote:
>
> > I also think that we should refrain from using short and common names for
> > the
>
> What about "repagen" i.e. REadable PAssword GENerator ? Is it OK.?
That is
On Sat, Apr 07, 2012 at 01:36:10AM +0400, Vladimir Stavrinov wrote:
> > rpg 1.0.2
>
> Ok. Show me where You see password. What command in process list does show
> password?
Please, check new version:
http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.3-1.dsc
*
On Sat, Apr 07, 2012 at 12:23:11AM +0300, Timo Juhani Lindfors wrote:
>
> rpg 1.0.2
Ok. Show me where You see password. What command in process list does show
password?
***
### Vladimir Stavrinov
### vstavri...@gmail.com
***
Vladimir Stavrinov writes:
> May be You are using old version? Please, show me output from:
>
> rpg -V
$ ./rpg -V
rpg 1.0.2
(C) Vladimir Stavrinov vstavri...@gmail.com, GPL
Just think about all the commands you execute. It shouldn't be too
difficult. I can disclose the right a
On Sat, Apr 07, 2012 at 12:22:05AM +0400, Vladimir Stavrinov wrote:
> How? It is impossible: to fix the last bug, I have removed grep at all
> and used shell variable editing instead. And I can't reproduce this bug.
> Please, show me where and how do You see password.
May be You are using old ver
On Fri, Apr 06, 2012 at 10:48:33PM +0300, Timo Juhani Lindfors wrote:
> Vladimir Stavrinov writes:
> > Fixed:
>
> Unfortunately not. I can still see the password. Writing security
How? It is impossible: to fix the last bug, I have removed grep at all
and used shell variable editing instead. And
Vladimir Stavrinov writes:
> Fixed:
Unfortunately not. I can still see the password. Writing security
sensitive software as a shell script is quite challenging. I would really
urge you to improve some existing program instead.
On Fri, Apr 6, 2012 at 3:34 AM, Charles Plessy wrote:
> I also think that we should refrain from using short and common names for the
What about "repagen" i.e. REadable PAssword GENerator ? Is it OK.?
On Thu, Apr 05, 2012 at 06:48:26PM +0400, Vladimir Stavrinov wrote:
> On Thu, Apr 05, 2012 at 05:35:21PM +0300, Timo Juhani Lindfors wrote:
>
> > When the generator prints "Vipeza" as a password it does
> >
> > /bin/grep "-qw" "vi"
>
> Yes, I see: it is another invocation of grep. Should be fix
On Thu, Apr 05, 2012 at 07:05:16PM +0400, Vladimir Stavrinov wrote:
>
> But there no package named rpg.
Hi,
I also think that we should refrain from using short and common names for the
packages. That there is no package named rpg does not say that it is free for
you, it says that there was
On Thu, Apr 05, 2012 at 10:56:19AM -0700, Russ Allbery wrote:
> Debian already has the apg package, which purports to do the same thing
> and is a compiled C binary, so doesn't have the various problems with
> grep. Is the readability of the passwords generated by rpg really
> sufficiently better
Vladimir Stavrinov writes:
> To advantage of this utility points its name: "READABLE password
> generator". If You can read (i.e. to pronounce), then it is easy for
> remembering. But "readable" doesn't mean "weak" - it is strong enough
> as long as dictionary is available for consulting to exc
On Thu, Apr 05, 2012 at 04:34:05PM +0200, Gergely Nagy wrote:
> the name. RPG is commonly the abbreviation for role playing game, and
There are many others:
From The Free On-line Dictionary of Computing (26 July 2010) [foldoc]:
RPG
1. {Role-Playing Game}.
2. {Report Program Gen
On Thu, Apr 05, 2012 at 05:35:21PM +0300, Timo Juhani Lindfors wrote:
> When the generator prints "Vipeza" as a password it does
>
> /bin/grep "-qw" "vi"
Yes, I see: it is another invocation of grep. Should be fixed in similar
way. But it is more tricky, because here the stdin already used by g
Vladimir Stavrinov writes:
> I've run rpg in a continuous loop, but no password was caught, because it
> fed to grep via stdin directly from shell. To be sure, please, test it
> again.
I can still see the password.
When the generator prints "Vipeza" as a password it does
/bin/grep "-qw" "vi"
/bin/
Vladimir Stavrinov writes:
> On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
>
>> I think rpg is very insecure since all local users of the system can see
>> the passwords that you generate. All they need to do is to look for the
>> "grep" commands that appear in the process
On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
> I think rpg is very insecure since all local users of the system can see
> the passwords that you generate. All they need to do is to look for the
> "grep" commands that appear in the process list.
Fixed. See:
http://mentors
Vladimir Stavrinov writes:
> First of all in most cases it is using on workstation where are no other
> live users than You (or hacker breached into Your system). Second, it
> is used sporadically and rarely. To catch those passwords You need
> continuously watching and analyze process list for a
On Wed, Apr 04, 2012 at 01:41:43PM +0200, Ansgar Burchardt wrote:
> We also have pwgen which "generates pronounceable passwords" according
> to its man page.
As You can see, it is first utility mentioned here in this thread before apg,
and again, I have used it too before apg. But it generates e
On 04/04/2012 01:09 PM, Vladimir Stavrinov wrote:
> I've used apg few years ago, but was not satisfied with it. That is
> exactly why I have started to write my own alternative. The main point
> was pronounceability.
We also have pwgen which "generates pronounceable passwords" according
to its man
On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
> I think rpg is very insecure since all local users of the system can see
> the passwords that you generate. All they need to do is to look for the
> "grep" commands that appear in the process list.
First of all in most cases
On Wed, Apr 04, 2012 at 12:22:44PM +0200, Bartosz Feński wrote:
> So basically this is another tool like the apg?
> http://packages.debian.org/sid/apg
I've used apg few years ago, but was not satisfied with it. That is
exactly why I have started to write my own alternative. The main point
was pr
Vladimir Stavrinov writes:
> To advantage of this utility points its name: "READABLE password
> generator". If You can read (i.e. to pronounce), then it is easy for
> remembering. But "readable" doesn't mean "weak" - it is strong enough
> as long as dictionary is available for consulting to excl
On 04.04.2012 12:17, Vladimir Stavrinov wrote:
> To advantage of this utility points its name: "READABLE password
> generator". If You can read (i.e. to pronounce), then it is easy for
> remembering. But "readable" doesn't mean "weak" - it is strong enough
> as long as dictionary is available
To advantage of this utility points its name: "READABLE password
generator". If You can read (i.e. to pronounce), then it is easy for
remembering. But "readable" doesn't mean "weak" - it is strong enough
as long as dictionary is available for consulting to exclude words from
out of there.
--
-Original Message-
From: Richard Laager [mailto:rlaa...@wiktel.com]
Sent: Tuesday 7 February 2012 21:26
To: Bas van den Dikkenberg; 659...@bugs.debian.org
Subject: Re: Bug#659047: RFS: rpg - Readable Password Generator
What advantages does this program have over pwgen
What advantages does this program have over pwgen (which has been around
for a long time and is already packaged)?
--
Richard
Okay,
Won't do that again, my idea was tathe was the correct procedure.
-Original Message-
From: Arno Töll [mailto:deb...@toell.net]
Sent: Tuesday 7 February 2012 19:23
To: Debian Mentors; Bas van den Dikkenberg
Subject: Re: RFS: rpg - Readable Password Gene
Burchardt [mailto:ans...@debian.org]
Sent: Tuesday 7 February 2012 19:13
To: debian-mentors@lists.debian.org
CC: 652...@bugs.debian.org
Subject: Re: RFS: rpg - Readable Password Generator
Hi,
> * Package name: rpg
> * URL : http://sourceforge.net/projects/rpg/
[...]
Hi,
> * Package name: rpg
> * URL : http://sourceforge.net/projects/rpg/
[...]
> rpg - Readable Password Generator
Does this offer anything over password generators already in Debian such
as pwgen, apg or gpw?
Regards,
Ansgar
Hello Bas,
On 07.02.2012 19:02, Bas van den Dikkenberg wrote:
> I am looking for a sponsor for my package "rpg".
please do not send out both, a RFS bug against the sponsorship-package
and a traditional RFS mail to debian-mentors. For now, you may cho
Package: sponsorship-requests
Severity: normal
Dear mentors,
I am looking for a sponsor for my package "rpg".
* Package name: rpg
Version : 1.0.0-1
Upstream Author : Vladimir Stavrinov
* URL : http://sourceforge.net/pr
Dear mentors,
I am looking for a sponsor for my package "rpg".
* Package name: rpg
Version : 1.0.0-1
Upstream Author : Vladimir Stavrinov
* URL : http://sourceforge.net/projects/rpg/
* License : GPL
Section