On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: "Ralf Corsepius"
Would you mind to explain why you guys are putting such an emphasize on
-Wformat-security?
Some possible ways how to look at it:
* because when all reported packages are patched, it would remove one
whole class of secur
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
>>> IMO, -Wformat-security is almost negibile in comparison to these and you
>>> are making way too much noise about it than it deserves.
>>
>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
>
> Yeah, a vulnerability - So what?
>
>
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore processing.
There is a bugzilla bug requesting this change:
https://bugzilla.redhat.com/show_bug.cgi?
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
> On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
>
> >> From: "Ralf Corsepius"
>
> >> Would you mind to explain why you guys are putting such an emphasize on
> >> -Wformat-security?
> >
> > Some possible ways how to look at it:
> > * because
Am 06.12.2013 11:30, schrieb Adam Williamson:
> On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
>> On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
>>
From: "Ralf Corsepius"
>>
Would you mind to explain why you guys are putting such an emphasize on
-Wformat-security?
>>>
>>> S
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore processing.
There is a bugzilla bug requesting this chan
Compose started at Fri Dec 6 07:15:02 UTC 2013
Broken deps for armhfp
--
[avro]
avro-mapred-1.7.5-1.fc20.noarch requires hadoop-mapreduce
avro-mapred-1.7.5-1.fc20.noarch requires hadoop-client
[blueman]
blueman-1.23-7
On 12/06/13 at 11:57am, Reindl Harald wrote:
> but what is the plan if this does not work out for a unknown number
> of packages because upstream is not willing or able to "fix it" or
> only in a later release giving that the package is not buildable
> at all
Contingency mechanism: Revert changes
On 12/06/2013 11:30 AM, Adam Williamson wrote:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: "Ralf Corsepius"
Would you mind to explain why you guys are putting such an emphasize on
-Wformat-security?
Some possible ways how to
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
I would say that abrt should not be installed et all unless user has agreed to
it at install time.
+1
My mother would be puzzled, if ABRT would popup on her Fedora box.
--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #d
On 12/06/2013 12:25 PM, Brendan Jones wrote:
On 12/06/2013 11:30 AM, Adam Williamson wrote:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: "Ralf Corsepius"
Would you mind to explain why you guys are putting such an
emphasize on
On 12/04/13 at 07:10pm, Brendan Jones wrote:
> This is just a pain. Can someone explain to me why this is good?
>
> Original Message
> Subject: [Bug 1037125] hydrogen FTBFS if "-Werror=format-security" flag is
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1037125
Hi Brendan,
C
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
On 12/04/13 at 07:10pm, Brendan Jones wrote:
This is just a pain. Can someone explain to me why this is good?
Original Message
Subject: [Bug 1037125] hydrogen FTBFS if "-Werror=format-security" flag is
https://bugzilla.redhat.com/sh
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
Can you *really* pass a QByteArray object directly to printf (and similar
functions)?
Yes, as the format string argument, because the user-defined conversion
comparison operator to const char * kicks in.
--
Florian Weimer / Red Hat Product Securit
On 12/06/2013 01:26 PM, Florian Weimer wrote:
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
Can you *really* pass a QByteArray object directly to printf (and similar
functions)?
Yes, as the format string argument, because the user-defined conversion
comparison operator to const char * kicks in.
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
I would say that abrt should not be installed et all unless user has
agreed to it at install time.
+1
My mother would be puzzled, if ABRT would popup on her Fedora box.
Your mother will b
On Pá 6. prosinec 2013, 12:39:09 CET, Miroslav Suchý wrote:
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
I would say that abrt should not be installed et all unless user has
agreed to it at install time.
I think abrt serves as good source of info in case of unexpected
crashes, whi
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected crashes, which
is quite important to have stable
system. So although being puzzled is not very nice, being disappointed by
crashing applications is much worse from my
point of view.
So
On 12/06/2013 12:51 PM, Vít Ondruch wrote:
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
I would say that abrt should not be installed et all unless user has
agreed to it at install time.
+1
My mother would be puzzled, if ABRT would po
On 12/05/2013 08:27 PM, Kevin Kofler wrote:
The vast majority of those warnings are actually false positives, not actual
security issues. Putting my upstream hat on, if asked to "fix" such a false
positive, I'd do one of:
(a) close the bug as INVALID/NOTABUG/WONTFIX or
(b) hardcode -Wno-error=for
On 12/06/2013 01:05 PM, Miroslav Suchý wrote:
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not very nice, being
disappointed by crashing applic
On 12/06/2013 02:06 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 12:51 PM, Vít Ondruch wrote:
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
I would say that abrt should not be installed et all unless user has
agreed to it at install
On 12/06/2013 10:43 AM, Reindl Harald wrote:
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negibile in comparison to these and you
are making way too much noise about it than it deserves.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
Yeah,
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore p
On 12/06/2013 02:08 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 01:05 PM, Miroslav Suchý wrote:
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled
Dne 6.12.2013 14:05, Miroslav Suchý napsal(a):
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not very nice, being
disappointed by crashing applic
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaugh
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
So try to look at it from broader perspective - I see more benefits in
having abrt installed.
Such as confidential business information being forwarded to RedHat and
being snooped by the NSA to forward it to your enterprise's competitor?
You migh
On 12/06/2013 01:14 PM, Vít Ondruch wrote:
Dne 6.12.2013 14:05, Miroslav Suchý napsal(a):
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not very
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT fu
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps grou
On Fri, Dec 06, 2013 at 01:06:14PM +, "Jóhann B. Guðmundsson" wrote:
> >>My mother would be puzzled, if ABRT would popup on her Fedora box.
> >
> >Your mother will be puzzled with crashing application as well.
> >Better to explain ABRT and have less crashing applications then
> >the opposite.
>
On 12/06/2013 01:47 PM, Lukas Zapletal wrote:
We all do fix the application for his mother, after it's reported by
ABRT or any other means:-)
No not really our distribution is filled with just packagers that dont
know what to do with those reports...
ABRT should not be installed by default
Am 06.12.2013 14:08, schrieb Ralf Corsepius:
> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>>
>> Am 06.12.2013 10:37, schrieb Ralf Corsepius:
> IMO, -Wformat-security is almost negibile in comparison to these and you
> are making way too much noise about it than it deserves.
htt
On 12/06/2013 02:07 PM, Przemek Klosowski wrote:
On 12/05/2013 08:27 PM, Kevin Kofler wrote:
The vast majority of those warnings are actually false positives, not actual
security issues. Putting my upstream hat on, if asked to "fix" such a false
positive, I'd do one of:
(a) close the bug as INVA
On 12/06/2013 02:34 PM, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps gr
On 06.12.2013 14:51, "Jóhann B. Guðmundsson" wrote:
On 12/06/2013 01:47 PM, Lukas Zapletal wrote:
We all do fix the application for his mother, after it's reported by
ABRT or any other means:-)
No not really our distribution is filled with just packagers that dont
know what to do with those
On 12/06/2013 02:57 PM, Reindl Harald wrote:
Am 06.12.2013 14:08, schrieb Ralf Corsepius:
On 12/06/2013 10:43 AM, Reindl Harald wrote:
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negibile in comparison to these and you
are making way too much noise about it
On 12/06/2013 02:45 PM, Michal Toman wrote:
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
ABRT does not send *any* information unless you agree to do it. Not even
the anonymous reports. It is true that the settings could be in Anaconda
and I think i
https://bugzilla.redhat.com/show_bug.cgi?id=1018330
--- Comment #1 from Iain Arnell ---
Unfortunately, I don't have time any more - please feel free to request branch
and maintain yourself.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
On 12/06/2013 04:07 PM, Ralf Corsepius wrote:
On 12/06/2013 02:45 PM, Michal Toman wrote:
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
ABRT does not send *any* information unless you agree to do it. Not even
the anonymous reports. It is true that
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
On 12/06/13 at 11:57am, Reindl Harald wrote:
but what is the plan if this does not work out for a unknown number
of packages because upstream is not willing or able to "fix it" or
only in a later release giving that the package is not buildable
at all
Main topic we covered today was the janitorial work for Base related
packages to do a build requires cleanup in the coming months.
I'll be sending out a separate email about that on Monday to explain the
ins and outs and hopefully with a bit more info/queries/statistics about
the whole idea. A
On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
> QString line;
> line.fill( '-', 60 );
> qDebug( line.ascii() );
> As you can see, the format string being passed here is provably constant.
So fix the compiler.
- ajax
--
devel mailing list
devel@lists.fedoraproject.org
htt
Greetings.
systemd-208-9.fc20 was pushed into the base fedora 20 repos last night
(as it fixed a blocker bug for the upcoming release).
However, it was not signed properly, so Fedora 20 prerelease users
will see an error about the package not being signed.
This has already been corrected and
Petr Pisar wrote:
> On 2013-12-04, Kevin Kofler wrote:
>> Petr Pisar wrote:
>>> [snip] and GPLv2 and GPLv3+.
>>
>> Huh? WTF is upstream smoking there?
>>
> Upstream releases a tar ball bundling a lot of subprojects. Thus the
> complicated license. I do a licence review each new release and I alwa
On Mon, Dec 2, 2013 at 8:33 AM, Petr Vobornik wrote:
> This solution is much nicer and can be used by other font packages as well.
>
> Here's the new package: https://bugzilla.redhat.com/show_bug.cgi?id=1036754
Very awesome, thanks! I'll sponsor you and review. :-)
Luckily, I pushed off the we
Ralf Corsepius wrote:
> On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
>> There is still plenty of time left before this flag is even enabled in
>> rawhide configuration by default.
> IMO, this plan has failed - period.
+1
Kevin Kofler
--
devel mailing list
devel@lists.fedoraproject.org
h
PS:
Przemek Klosowski wrote:
> | __attribute__((__format__(__printf, 1, 2)));
is also compiler-specific, which some upstreams also won't like. Of course,
it can be #ifdef-wrapped, but many upstreams try to avoid #ifdef as much as
possible.
Kevin Kofler
--
devel mailing list
devel@l
Przemek Klosowski wrote:
> Given that pretty much all those cases can be solved by either "%s" or
>
> | __attribute__((__format__(__printf, 1, 2)));
"pretty much all" maybe, but not all!
See e.g. the examples I have given in the FESCo ticket:
* a printf wrapper for logging which adds a timesta
On Fri, Dec 6, 2013 at 10:56 AM, Jakub Filak wrote:
> I'd like to add abrt-cli package to the comps group 'standard'.
>
> The package pulls core ABRT functionality for catching C/C++ crashes,
> uncaught Python exceptions, Kernel oopses and VMCore processing.
If -cli means no GUI, and thus no popu
Adam Jackson wrote:
> On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
>
>> QString line;
>> line.fill( '-', 60 );
>> qDebug( line.ascii() );
>> As you can see, the format string being passed here is provably constant.
>
> So fix the compiler.
I don't think GCC will ever be a
Ben Boeckel wrote:
> Use the printf attribute on the function to fix this.
That doesn't work if I have to prepend a date to my format string.
Kevin Kofler
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: h
mrnuke (mr.nuke...@gmail.com) said:
> > Because packagers will just ignore it [...]
> >
> I think this is a childish argument, but let's take it. So what? You're
> going to start stepping on people's lawns and change things just because
> you want to impose your greater good?
Wow, nice mixed met
On Fri, Dec 6, 2013 at 4:50 PM, Ralf Corsepius wrote:
> On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
>>
>> On 12/06/13 at 11:57am, Reindl Harald wrote:
>>>
>>> but what is the plan if this does not work out for a unknown number
>>> of packages because upstream is not willing or able to "fix it" or
Miroslav Suchý (msu...@redhat.com) said:
> On 12/06/2013 01:59 PM, Václav Pavlín wrote:
> >I think abrt serves as good source of info in case of unexpected crashes,
> >which is quite important to have stable
> >system. So although being puzzled is not very nice, being disappointed by
> >crashing
On Fri, Dec 06, 2013 at 07:57:04PM +0100, Kevin Kofler wrote:
> Ralf Corsepius wrote:
>
> > On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
> >> There is still plenty of time left before this flag is even enabled in
> >> rawhide configuration by default.
> > IMO, this plan has failed - period.
>
> +1
On Fri, Dec 6, 2013 at 8:02 PM, Kevin Kofler wrote:
> See e.g. the examples I have given in the FESCo ticket:
> * a printf wrapper for logging which adds a timestamp in front of the
> format string, e.g.
> log("processed %d items", foo);
> which would be printed as
> 2013-12-06 19:00:00: p
On Fri, Dec 06, 2013 at 08:02:06PM +0100, Kevin Kofler wrote:
> * translatable format strings, e.g.
> printf(translate("processed %d items"), foo);
Translatable strings are handled just fine.
Try e.g.:
extern int my_printf (void *my_object, const char *my_format, ...)
__attribute__ ((format (
On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
> Michael scherer wrote:
> > Let's rather ask the contrary, why is this so much a issue to communicate
> > with upstream to fix things, and add patches ?
>
> The vast majority of those warnings are actually false positives, not actual
On Fri, 2013-12-06 at 16:07 +0100, Ralf Corsepius wrote:
> > This approach has been
> > working perfectly for many years and I don't think much has changed in
> > that area lately.
> There were reports of abrt sending out private and confidential
> information to the net and reports of abrt sen
On Fri, 2013-12-06 at 12:39 +0100, Miroslav Suchý wrote:
> On 12/06/2013 12:14 PM, "Jóhann B. Guðmundsson" wrote:
> > I would say that abrt should not be installed et all unless user has agreed
> > to it at install time.
>
> +1
>
> My mother would be puzzled, if ABRT would popup on her Fedora bo
On Fri, 2013-12-06 at 13:18 +, "Jóhann B. Guðmundsson" wrote:
> And what purpose does abrt serve if there aren't people fixing the issue
> it reports on the other end...
Well, that's easy enough to shoot down.
https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&classification=Fedora&l
On Fri, 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
> > Michael scherer wrote:
> > > Let's rather ask the contrary, why is this so much a issue to communicate
> > > with upstream to fix things, and add patches ?
> >
> > The vas
On Fri, Dec 06, 2013 at 12:08:22PM -0800, Adam Williamson wrote:
> On Fri, 2013-12-06 at 13:18 +, "Jóhann B. Guðmundsson" wrote:
>
> > And what purpose does abrt serve if there aren't people fixing the issue
> > it reports on the other end...
>
> Well, that's easy enough to shoot down.
>
>
On Fri, 2013-12-06 at 20:06 +0100, Miloslav Trmač wrote:
> On Fri, Dec 6, 2013 at 10:56 AM, Jakub Filak wrote:
> > I'd like to add abrt-cli package to the comps group 'standard'.
> >
> > The package pulls core ABRT functionality for catching C/C++ crashes,
> > uncaught Python exceptions, Kernel oo
On Thu, Dec 05, 2013 at 07:40:36PM -0600, mrnuke wrote:
> On 12/05/2013 11:38 AM, Michael scherer wrote:
> > On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
> >>
> >> This change is Sofa King stupid. Why couldn't we have just enabled the
> >> warning without turning it into an error, THEN l
On Fri, 2013-12-06 at 13:51 +, "Jóhann B. Guðmundsson" wrote:
> No not really our distribution is filled with just packagers that
> dont
> know what to do with those reports...
So you're saying: "Our maintainers can't fix bugs, why bother filing
them at all?"? That doesn't make sense to me at
Am 06.12.2013 15:59, schrieb Ralf Corsepius:
> On 12/06/2013 02:57 PM, Reindl Harald wrote:
>> if arbitary users are allowed to call CLI applications from a webserver
> ?!? Calling cli-tools underneath of webservices is the norm on many
> webservers. Often these calls are wrapped into
> scripti
fre 2013-12-06 klockan 15:06 -0500 skrev Darryl L. Pierce:
> On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
> > Michael scherer wrote:
> > > Let's rather ask the contrary, why is this so much a issue to communicate
> > > with upstream to fix things, and add patches ?
> >
> > The vas
On 12/07/2013 03:39 AM, Reindl Harald wrote:
Am 06.12.2013 15:59, schrieb Ralf Corsepius:
On 12/06/2013 02:57 PM, Reindl Harald wrote:
if arbitary users are allowed to call CLI applications from a webserver
?!? Calling cli-tools underneath of webservices is the norm on many webservers.
Of
71 matches
Mail list logo
