sean finney wrote:
> On Wednesday 13 February 2008 07:54:04 pm Luk Claes wrote:
>> sean finney wrote:
>>> hi everyone,
>> Hi
>>
>>> okay, it looks like the problem was that the person who did the security
>>> upload built the package in a sarge chroot without /proc mounted (i can
>>> duplicate the problem unmounting /proc in my pbuilder chroot).
>>>
>>> so, my question is what are the next steps? can the security team just
>>> trigger a rebuild/binNMU, or do we need another sourceful upload? if so
>>> should i provide an update in debian/rules that checks for /proc to be
>>> mounted just in case this happens again?
>
>> I think I can schedule binNMUs now though the buildds have to have proc
>> mounted beforehand or the one signing has to be careful enough not to
>> sign if it's not yet fixed with the binNMU.
>>
>> So I guess that's up to the Security Team to decide.
>
> i don't think this was a problem on any of the buildds this time around,
> though someone ought to do a dpkg-deb --contents foo.deb | grep check_procs
> on the debs "just to make sure"... or alternatively i could copy the check
> from debian/rules in etch for a new upload. i'll go with whatever the
> security peeps say.

For the etch version check_procs doesn't seem to be included in nagios-plugins and nagios-plugins-standard, but it's included for nagios-plugins-basic. For the sarge version it's only missing in the i386 version.

>> You do check for a mounted proc in the unstable/testing/experimental
>> version, right? I kind of remember seeing it as the check fails even if
>> there is a proc mounted from outside the chroot...
>
> the etch and lenny/sid versions both have explicit checks for a mounted /proc
> in debian/rules (test -d /proc/1), yes.

This check indeed fails very reliably on the s390 experimental buildd, couldn't you check with 'test -d /proc/net' or something like that which would work ok?

Cheers

Luk
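
The two checks discussed in this thread, as an added shell example that is not taken from the thread or from the nagios-plugins packaging: a /proc probe that accepts either test mentioned above (/proc/1 or /proc/net), and an audit of `dpkg-deb --contents` output for a file such as check_procs. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample listing are constructed.

# Succeed if ROOT (default /proc) looks like a mounted procfs.
# /proc/1 is the probe the thread says debian/rules uses; /proc/net is the
# alternative suggested for buildds where /proc/1 is not visible.
proc_is_mounted() {
    root=${1:-/proc}
    [ -d "$root/1" ] || [ -d "$root/net" ]
}

# Read `dpkg-deb --contents` output on stdin and succeed only if some entry's
# basename is exactly $1. Field 6 is the path in the tar-style listing
# (paths containing spaces are not handled).
listing_has_file() {
    awk -v want="$1" '
        { n = split($6, parts, "/"); if (parts[n] == want) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Report every .deb given after NAME that does not ship NAME.
# Returns non-zero if at least one package is missing the file.
audit_debs() {
    name=$1; shift
    rc=0
    for deb in "$@"; do
        if ! dpkg-deb --contents "$deb" | listing_has_file "$name"; then
            echo "MISSING $name: $deb"
            rc=1
        fi
    done
    return $rc
}

# Constructed listing of a package built without /proc: check_procs is absent.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2008-02-13 19:54 ./usr/lib/nagios/plugins/
-rwxr-xr-x root/root     40120 2008-02-13 19:54 ./usr/lib/nagios/plugins/check_ping
-rwxr-xr-x root/root     31888 2008-02-13 19:54 ./usr/lib/nagios/plugins/check_load
EOF
}

# Typical use before signing or uploading:
#   proc_is_mounted || { echo "/proc not mounted, refusing to build" >&2; exit 1; }
#   audit_debs check_procs ../nagios-plugins*.deb
```
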