Re: updated debian development diagram -- comments?

2005-01-21 Thread Kevin Mark
On Fri, Jan 07, 2005 at 05:14:56PM -0200, Otavio Salvador wrote:
> || On Mon, 3 Jan 2005 01:08:49 -0500
> || Kevin Mark <[EMAIL PROTECTED]> wrote: 
> 
> km> Hi Folks,
> km> I have updated my diagram on the debian development model. Any comments
> km> appreciated! 
> 
> IMHO there is one piece of wrong information on that. When the package goes to
> experimental, it comes from DD .deb like when it goes to unstable and
> not from debian source. One of the interpretations is wrong. The unstable
> interpretation (Debian source -> DD .deb -> unstable ) looks ok to me. I
> propose to change (Debian source -> DD .deb -> (experimental || unstable))
> 
> -- 
Hi Otavio and list members,
I have updated my diagram with 'icons'. It may need some more work to
make it look better. I tried to fit it on A4 paper. Not sure it fits as
I use US letter x-)
-Kev

-- 
counter.li.org #238656 -- goto counter.li.org and be counted!

(__)
(oo)
  /--\/
 / |||
*  /\---/\
   ~~   ~~
"Have you mooed today?"...




The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Martin Quinson
Hello,

as part of my current effort of getting rid of packages using debconf
without providing support to translators, I had a bug report against the
keychain package asking simply to drop this template:

Description: Information for people upgrading from versions prior to 2.0.
 With this new version of keychain, the output of ssh-agent will be
 redirected to the ~/.keychain/[hostname]-{c}sh files.  Any cron job or
 login script that uses keychain needs to be updated to use the new
 directory location.
 .
 For more information please read the man page.

IMHO, it's clearly a debconf abuse which should be changed to a
README.Debian entry. Moreover, the message is shown each time without even
checking whether the user upgrades from an old version or not (what a pity
to show this on new installs). Not to mention the fact that it's called
from postinst instead of config and will thus stop the installation process
right in the middle.

My bug was closed with a laconic changelog entry:
  * l10n changes Closes: #235812,#259567,#262738,#266356,#274900,#192165

And now, I'm mad about this. 

A closer check of the package reveals that it's only useful if you want to
open a security risk on your machine. All info relative to the ssh-agent
is written into a well known file, allowing cron jobs and attackers to use
it without prior knowledge of your passwords.

Dudes. There is a reason why that information is not written to file by
ssh itself. If my local machine gets corrupted, I'm happy to see the
password I've set on my keys slowing down the attacker enough to allow me
dropping the ssh keys from remote hosts. 

You should at least speak about the potential security risk in the
description. 

I'd drop the package from the archive right away. I have several cron jobs
using ssh keys (a new key for each cron, without pass and allowed to do only
one specific command on the remote host).


So, please do at least the following to your package:
 - speak about the potential security hazard in description
 - check the pre-installed version before showing your crufty template (or
   use README.Debian, it's what it's good for)
 - use a proper config script instead of blocking the install with a db_get
   in the postinst (just read the debconf documentation)
 - do useful changelog entries in your packages in the future.
 
 
Bye, Mt.




Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, Martin Quinson wrote:
> Dudes. There is a reason why that information is not written to file by
> ssh itself. If my local machine gets corrupted, I'm happy to see the

And it is because all of ssh-agent is a second-thought crap, as evidenced by
the fact that stock ssh-agent is not capable of "withholding keys unless
given explicit permission to act every time one request comes".

But it is still useful as all heck crap.  I use it all the time, along with
keychain.  But certainly not without paying attention to what I am doing.

> You should at least speak about the potential security risk in the
> description. 

Agreed.

> I'd drop the package from the archive right away. I have several cron jobs
> using ssh keys (a new key for each cron, without pass and allowed to do only
> one specific command on the remote host).

This can very well be a much bigger security risk than doing what you
already do BUT using passphrases AND ssh-agent to reduce the window of
opportunity.

And avoiding keychain does not make it much more difficult to find out how
to talk to any in-memory ssh-agent anyway, you know.

NOR does it make it any more difficult to locate all unprotected keys in
your machine through a rgrep.

>  - speak about the potential security hazard in description
Or in README.Debian.

>  - check the pre-installed version before showing your crufty template (or
>    use README.Debian, it's what it's good for)

Actually, that's NEWS.Debian material.  And yes, drop it from debconf
entirely.

>  - do useful changelog entries in your packages in the future.

Seconded, thirdied, etc.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Reboot in postinst

2005-01-21 Thread Marc Haber
On Thu, 20 Jan 2005 21:27:46 +0100, Osamu Aoki <[EMAIL PROTECTED]>
wrote:
>Relax, he did not say "rm -rf /" in postinst.

That would be postrm.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



Re: Reboot in postinst

2005-01-21 Thread Marc Haber
On 20 Jan 2005 14:45:52 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]>
wrote:
>Yes.  Debian packages are supposed to be able to be installed and
>start working without requiring any reboots.  We've made this work
>pretty well for libc and all kinds of hard cases; you can make it work
>for yours too I'm sure.

This prompts a question I have been wanting to ask for ages: When a
security update for, say, libc6, libssl or libz is installed, do I
need to restart services or not? That's one of the questions you ask
three people and get five different answers.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



Re: Reboot in postinst

2005-01-21 Thread Tino Keitel
On Fri, Jan 21, 2005 at 11:03:08 +0100, Marc Haber wrote:
> On 20 Jan 2005 14:45:52 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]>
> wrote:
> >Yes.  Debian packages are supposed to be able to be installed and
> >start working without requiring any reboots.  We've made this work
> >pretty well for libc and all kinds of hard cases; you can make it work
> >for yours too I'm sure.
> 
> This prompts a question I have been wanting to ask for ages: When a
> security update for, say, libc6, libssl or libz is installed, do I
> need to restart services or not? That's one of the questions you ask
> three people and get five different answers.

Yes, you should restart the services, since the libraries are loaded by
the service when it starts, and an upgrade won't replace libraries
in running services.

Regards,
Tino





Re: Reboot in postinst

2005-01-21 Thread Scott James Remnant
On Fri, 2005-01-21 at 11:03 +0100, Marc Haber wrote:

> On 20 Jan 2005 14:45:52 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]>
> wrote:
> >Yes.  Debian packages are supposed to be able to be installed and
> >start working without requiring any reboots.  We've made this work
> >pretty well for libc and all kinds of hard cases; you can make it work
> >for yours too I'm sure.
> 
> This prompts a question I have been wanting to ask for ages: When a
> security update for, say, libc6, libssl or libz is installed, do I
> need to restart services or not? That's one of the questions you ask
> three people and get five different answers.
> 
In fact, after any upgrade to any major libraries on your system, you
should probably reboot.

libc6 is a good example, as every application on your system will have
it loaded.  After an upgrade, only those newly started applications will
have the new libc6; the old applications will still be running with the
old libc6.  This actually means that you're using more memory because
you have both copies of libc6 mapped in, and more disk space because the
old version is still open so hasn't actually been removed from the disk
yet.

Another example is GTK+ or xlibs, if you perform any upgrade of those
you should at least log out of your session; otherwise again you've got
two sets of all the libraries in memory and on disk.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?




${lib}-dev, .pc and pkg-config

2005-01-21 Thread Artur R. Czechowski
Hello,
I would like to ask about common practice in packaging libraries, especially
their development files. There is a rather old tool, pkg-config.
It gives a standardized interface[1] for getting compiler and linker flags.
What is your recommendation for adding .pc files in a -dev package?
What is your recommendation for using pkg-config in packages dependent on
a specific -dev package?
Should a .pc file be provided in any case? Or only when the library requires
additional -I or -L flags for compiling/linking?

A small note about pkg-config in Junichi's Debian Library Packaging guide
would be helpful, I think.

Best regards
Artur

[1] if you are not familiar with this tool look into man pkg-config
-- 
Men do better at paid work, women at housework
(e.g. small feet serve to let them stand closer to the sink). 
/found on news:pl.rec.humor.najlepsze/





Re: ${lib}-dev, .pc and pkg-config

2005-01-21 Thread Rene Engelhard

Hi,

On Friday, 21 January 2005 12:08, Artur R. Czechowski wrote:
> pkg-config. It gives a standardized interface[1] for getting compiler and
> linker flags. What is your recommendation for adding .pc files in a -dev
> package? What is your recommendation for using pkg-config in packages
> dependent on a specific -dev package?
> Should a .pc file be provided in any case? Or only when the library requires
> additional -I or -L flags for compiling/linking?

I would add it nevertheless. For example, when I write the configure checks for using system libs in OOo I simply use PKG_CHECK_MODULES(...) if it's there. Not packaging the .pc if it exists upstream would break them.

If upstream hasn't one, well, if there's no -I and -L needed I don't see the point, but when there is either of them needed I would create one if there isn't already one or the old-style foo-config's...

Regards,

Rene
-- 
    
 /@ alf~-.   René Engelhard
 \/ __ .- |  SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nürnberg
  // //  @   [EMAIL PROTECTED] / Tel: +49-911-740 53 - 629


Re: Reboot in postinst

2005-01-21 Thread Andreas Barth
* Tino Keitel ([EMAIL PROTECTED]) [050121 13:02]:
> On Fri, Jan 21, 2005 at 11:03:08 +0100, Marc Haber wrote:
> > On 20 Jan 2005 14:45:52 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]>
> > wrote:
> > >Yes.  Debian packages are supposed to be able to be installed and
> > >start working without requiring any reboots.  We've made this work
> > >pretty well for libc and all kinds of hard cases; you can make it work
> > >for yours too I'm sure.

> > This prompts a question I have been wanting to ask for ages: When a
> > security update for, say, libc6, libssl or libz is installed, do I
> > need to restart services or not? That's one of the questions you ask
> > three people and get five different answers.
 
> Yes, you should restart the services, since the libraries are loaded by
> the service when it starts, and an upgrade won't replace libraries
> in running services.

I disagree. You should warn the administrator that he has to do that.
Especially just restarting ssh is _very_ wrong IMHO, because it can
easily kill the only access to a remote computer. Take a look how glibc
does it, that's fine IMHO.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: RFP: gtybalt -- computer algebra system (CAS) based on GiNaC with optional TeXmacs GUI

2005-01-21 Thread Frank Küster
"Kevin B. McCarty" <[EMAIL PROTECTED]> wrote:

> On 01/20/2005 05:24 PM, [EMAIL PROTECTED] wrote:
>
>> Avoid gnuplot if you can, the license is GPL-incompatible and not one we
>> should encourage (See bug #100612 for why).
>
> (Checks gnuplot license and #100612)
> Argh, that will teach me not to assume something with GNU in its name is
> GPLed.
>
> Do you have any suggestions for other function graphing programs /
> libraries I could suggest to upstream?

grace is a GPL'ed program that I use sometimes for interactive graph
creation, but it can also be scripted.

>  Ideally they would be able to
> display functions of 2 or even 3 arguments.

This I don't know.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer



Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Goswin von Brederlow
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:

> On Fri, 21 Jan 2005, Martin Quinson wrote:
>> I'd drop the package from the archive right away. I have several cron jobs
>> using ssh keys (a new key for each cron, without pass and allowed to do only
>> one specific command on the remote host).
>
> This can very well be a much bigger security risk than doing what you
> already do BUT using passphrases AND ssh-agent to reduce the window of
> opportunity.
>
> And avoiding keychain does not make it much more difficult to find out how
> to talk to any in-memory ssh-agent anyway, you know.
>
> NOR does it make it any more difficult to locate all unprotected keys in
> your machine through a rgrep.

Even if you get hold of the key all you can do with it is exactly what
the cron job is doing anyway. The worst you can do is flood the
destination system with jobs, e.g. start a daily cron job every
second.

Limiting an ssh key to a specific command severely limits the damage
you can do with it. This should be a must for any key that is to be
used non interactively.

Best regards
Goswin





Re: Reboot in postinst

2005-01-21 Thread Andreas Barth
* Andreas Barth ([EMAIL PROTECTED]) [050121 13:10]:
> * Tino Keitel ([EMAIL PROTECTED]) [050121 13:02]:
> > On Fri, Jan 21, 2005 at 11:03:08 +0100, Marc Haber wrote:
> > > On 20 Jan 2005 14:45:52 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]>
> > > wrote:
> > > >Yes.  Debian packages are supposed to be able to be installed and
> > > >start working without requiring any reboots.  We've made this work
> > > >pretty well for libc and all kinds of hard cases; you can make it work
> > > >for yours too I'm sure.
> 
> > > This prompts a question I have been wanting to ask for ages: When a
> > > security update for, say, libc6, libssl or libz is installed, do I
> > > need to restart services or not? That's one of the questions you ask
> > > three people and get five different answers.
>  
> > Yes, you should restart the services, since the libraries are loaded by
> > the service when it starts, and an upgrade won't replace libraries
> > in running services.

> I disagree. You should warn the administrator that he has to do that.
> Especially just restarting ssh is _very_ wrong IMHO, because it can
> easily kill the only access to a remote computer. Take a look how glibc
> does it, that's fine IMHO.

JFTR: I meant "You" as "the package maintainer". "You" as in
"Administrator of the local machine" should of course restart all code
using old libs. E.g.
  lsof | grep dpkg- | awk '{print $1, $8}' | sort -k1
helps you to find out which ones.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, Goswin von Brederlow wrote:
> Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:
> > This can very well be a much bigger security risk than doing what you
> > already do BUT using passphrases AND ssh-agent to reduce the window of
> > opportunity.
> 
> Even if you get hold of the key all you can do with it is exactly what
> the cron job is doing anyway. The worst you can do is flood the
> destination system with jobs, e.g. start a daily cron job every
> second.

That depends on what you're running on the other side, doesn't it? If it can
be exploited depending on what you do with it...

> Limiting an ssh key to a specific command severely limits the damage
> you can do with it. This should be a must for any key that is to be
> used non interactively.

Agreed.  But that is orthogonal to ssh-agent use, since ssh-agent use (and
keychain use) does NOT preclude specific command limiting.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Reboot in postinst

2005-01-21 Thread Adeodato Simó
* Andreas Barth [Fri, 21 Jan 2005 13:13:51 +0100]:

> using old libs. E.g.
>   lsof | grep dpkg- | awk '{print $1, $8}' | sort -k1
> helps you to find out which ones.

  There is also checkrestart from the debian-goodies package. Seems to
  do some more stuff, but don't know how much better it is.

-- 
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
A celebrity is a person who works hard all his life to become well known,
then wears dark glasses to avoid being recognized.
-- Fred Allen





Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Goswin von Brederlow
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:

> On Fri, 21 Jan 2005, Goswin von Brederlow wrote:
>> Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:
>> > This can very well be a much bigger security risk than doing what you
>> > already do BUT using passphrases AND ssh-agent to reduce the window of
>> > opportunity.
>> 
>> Even if you get hold of the key all you can do with it is exactly what
>> the cron job is doing anyway. The worst you can do is flood the
>> destination system with jobs, e.g. start a daily cron job every
>> second.
>
> That depends on what you're running on the other side, doesn't it? If it can
> be exploited depending on what you do with it...

The other side will be running sshd and with keys restricted to a
command the sshd strips away the command line and only executes the
command specified for the key.

If you add security holes into that command (like sloppy parsing of
the original command line) that is your own problem. You can always
leave the front door unlocked or the keys in the car.

I wish there would be more documentation on this subject in ssh and
maybe even save example code to extract options from the original
commandline. There could be an example for e.g. cvs or rsync.

>> Limiting an ssh key to a specific command severely limits the damage
>> you can do with it. This should be a must for any key that is to be
>> used non interactively.
>
> Agreed.  But that is orthogonal to ssh-agent use, since ssh-agent use (and
> keychain use) does NOT preclude specific command limiting.

Agreed.

> -- 
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh

Best regards
Goswin
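
An added example (not part of the thread and not taken from the ssh documentation) of the kind of wrapper asked for above: a forced-command script for a cron key that splits the original command line and checks it against an allowlist without ever evaluating it. The script name `cron-gate`, its `serve` argument, the two request names and the `/usr/local/bin` helper paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command gate for a passphrase-less cron key.
# Hypothetical install path /usr/local/bin/cron-gate, referenced from
# ~/.ssh/authorized_keys on the remote host (key material elided):
#   command="/usr/local/bin/cron-gate serve",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... cron@client
# sshd runs only this script for that key and hands over what the client
# asked for in the SSH_ORIGINAL_COMMAND environment variable.
LC_ALL=C; export LC_ALL     # make the [A-Za-z] ranges below byte-exact

# decide REQUEST: print the normalised request ("status" or "backup JOB")
# and return 0, or print nothing and return 1 to refuse.
decide() {
    set -f              # no filename expansion while splitting
    set -- $1           # split on whitespace only; nothing is eval'ed
    set +f
    [ $# -ge 1 ] || return 1
    for w in "$@"; do
        case $w in
            # refuse option-like words and anything outside [A-Za-z0-9_-],
            # which covers every shell metacharacter and path separator
            -*|*[!A-Za-z0-9_-]*) return 1 ;;
        esac
    done
    case $1 in
        status) [ $# -eq 1 ] || return 1; echo "status" ;;
        backup) [ $# -eq 2 ] || return 1; echo "backup $2" ;;
        *)      return 1 ;;
    esac
}

# Entry point used by sshd (see the authorized_keys line above).
if [ "${1:-}" = serve ]; then
    if req=$(decide "${SSH_ORIGINAL_COMMAND:-}"); then
        set -- $req     # safe: req contains only validated words
        case $1 in
            # hypothetical helpers; each gets fixed argv, never the raw string
            status) exec /usr/local/bin/job-status ;;
            backup) exec /usr/local/bin/run-backup "$2" ;;
        esac
    fi
    echo "cron-gate: request refused" >&2
    exit 1
fi
```

An interactive login attempt with the key arrives with `SSH_ORIGINAL_COMMAND` unset and is refused like any other request that is not on the list.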





Re: Reboot in postinst

2005-01-21 Thread David Schmitt
On Friday 21 January 2005 11:03, Marc Haber wrote:
> This prompts a question I have been wanting to ask for ages: When a
> security update for, say, libc6, libssl or libz is installed, do I
> need to restart services or not? That's one of the questions you ask
> three people and get five different answers.

I always use "lsof +L1" to view all open, unlinked files. This should include 
old versions of libraries.

Regards, David





Bug#291553: ITP: gnome-blosxom -- Gnome Bloxsom is a GUI based program to post entries to a Blosxom based weblog.

2005-01-21 Thread Simon Morris
Package: wnpp
Severity: wishlist


* Package name: gnome-blosxom
  Version : 1.0
  Upstream Author : Chris Ladd <[EMAIL PROTECTED]>
* URL : http://gnome-blosxom.sourceforge.net/
* License : GPL
  Description : Gnome Bloxsom is a GUI based program to post entries to a 
Blosxom based weblog.

Gnome Blosxom allows you to create blog posts and upload using FTP to
your blogsite.

The program requires Python version 2.2 or greater, PyGTK version 2.0 or
greater, and Gnome-Python for Gnome 2. It can optionally use PyGtkSpell
version 0.3.1 or greater for spell checking. More information about the
Bloxsom weblog application can be found at www.blosxom.com.

-- System Information:
Debian Release: 3.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.19-ac4
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Re: Reboot in postinst

2005-01-21 Thread Colin Watson
On Fri, Jan 21, 2005 at 01:06:55PM +0100, Andreas Barth wrote:
> I disagree. You should warn the administrator that he has to do that.
> Especially just restarting ssh is _very_ wrong IMHO, because it can
> easily kill the only access to a remote computer.

Restarting sshd doesn't kill existing sessions. You clearly have an
existing session because you're using it to upgrade.

I think it's better to restart sshd (and possibly have to clean up the
occasional problem) than to have it silently continue running using old
libraries with security issues.

Cheers,

-- 
Colin Watson   [EMAIL PROTECTED]





Re: Reboot in postinst

2005-01-21 Thread Wouter Verhelst
On Thu, 20-01-2005 at 21:27 +0100, Osamu Aoki wrote:
> On Thu, Jan 20, 2005 at 07:35:42PM +0100, Wouter Verhelst wrote:
> > On Thu, 20-01-2005 at 15:09 -0300, Diogo Kollross wrote:
> > > Is there a problem in using something like
> > > 
> > >   shutdown -r now
> > > 
> > > inside a postinst script of a package?
> > 
> > I was going to say something smart and funny, but it isn't coming.
> > 
> > What the hell have you been smoking?
> 
> Relax, he did not say "rm -rf /" in postinst.

Which is why I didn't call him crazy yet.

-- 
 EARTH
 smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
 WATER
 -- with thanks to fortune





Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Colin Watson
On Fri, Jan 21, 2005 at 10:22:02AM +0100, Martin Quinson wrote:
> A closer check of the package reveals that it's only useful if you want to
> open a security risk on your machine. All info relative to the ssh-agent
> is written into a well known file, allowing cron jobs and attackers to use
> them without prior knowledge of your passwords.

This has no security impact whatsoever. ssh-agent creates its socket
directory mode 700; if you can write to the socket, you can also read
the environment variables necessary to talk to the agent out of the
output of 'ps xwwwe' (or even just go and have a look through /tmp), and
if you can't write to the socket, then there is no concern. Do not ever
rely on the extremely minor obscurity provided by not having the socket
path right in front of any attacker.

> Dudes. There is a reason why that information is not written to file by
> ssh itself.

That reason is not for security purposes; it's simpler to pass them
round in the environment, that's all. The fact that the location of the
authentication socket is passed in the environment is NOT a defence of
ANY KIND; if you are relying on this for any kind of security whatsoever
then you should rethink your own security design.

Cheers,

-- 
Colin Watson   [EMAIL PROTECTED]





Re: Reboot in postinst

2005-01-21 Thread Andreas Barth
* Colin Watson ([EMAIL PROTECTED]) [050121 14:50]:
> On Fri, Jan 21, 2005 at 01:06:55PM +0100, Andreas Barth wrote:
> > I disagree. You should warn the administrator that he has to do that.
> > Especially just restarting ssh is _very_ wrong IMHO, because it can
> > easily kill the only access to a remote computer.

> Restarting sshd doesn't kill existing sessions. You clearly have an
> existing session because you're using it to upgrade.

Yes. But I prefer verifying that I can login again after each ssh
restart. So, I want to do that _only_ if I explicitly do it. (Others may
disagree.)



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Colin Watson
On Fri, Jan 21, 2005 at 07:42:07AM -0200, Henrique de Moraes Holschuh wrote:
> On Fri, 21 Jan 2005, Martin Quinson wrote:
> > Dudes. There is a reason why that information is not written to file by
> > ssh itself. If my local machine gets corrupted, I'm happy to see the
> 
> And it is because all of ssh-agent is a second-thought crap, as evidenced by
> the fact that stock ssh-agent is not capable of "withholding keys unless
> given explicit permission to act every time one request comes".

SSH-ADD(1)              BSD General Commands Manual             SSH-ADD(1)

     -c      Indicates that added identities should be subject to
             confirmation before being used for authentication.
             Confirmation is performed by the SSH_ASKPASS program
             mentioned below.  Successful confirmation is signaled by
             a zero exit status from the SSH_ASKPASS program, rather
             than text entered into the requester.

This was added in OpenSSH 3.6.

Cheers,

-- 
Colin Watson   [EMAIL PROTECTED]





Re: The keychain package, its debconf templates, the security hole induced

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, Colin Watson wrote:
> On Fri, Jan 21, 2005 at 07:42:07AM -0200, Henrique de Moraes Holschuh wrote:
> > On Fri, 21 Jan 2005, Martin Quinson wrote:
> > > Dudes. There is a reason why that information is not written to file by
> > > ssh itself. If my local machine gets corrupted, I'm happy to see the
> > 
> > And it is because all of ssh-agent is a second-thought crap, as evidenced by
> > the fact that stock ssh-agent is not capable of "withholding keys unless
> > given explicit permission to act every time one request comes".
> 
> SSH-ADD(1)              BSD General Commands Manual             SSH-ADD(1)
> 
>      -c      Indicates that added identities should be subject to
>              confirmation before being used for authentication.
>              Confirmation is performed by the SSH_ASKPASS program
>              mentioned below.  Successful confirmation is signaled by
>              a zero exit status from the SSH_ASKPASS program, rather
>              than text entered into the requester.
> 
> This was added in OpenSSH 3.6.

I stand corrected (and I am enabling that everywhere this instant!).

Thanks Colin!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Reboot in postinst

2005-01-21 Thread Florian Weimer
* Marc Haber:

> This prompts a question I have been wanting to ask for ages: When a
> security update for, say, libc6, libssl or libz is installed, do I
> need to restart services or not? That's one of the questions you ask
> three people and get five different answers.

It depends.  If the bug is in a central part (like the DNS resolver),
you'd better reboot the machine, just to be sure.  Otherwise, you can
get away with restarting a few services.  When the bug is in a
short-running auxiliary program, no further action is required.





Re: Reboot in postinst

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, Andreas Barth wrote:
> Yes. But I prefer verifying that I can login again after each ssh
> restart. So, I want to do that _only_ if I explicitly do it. (Others may
> disagree.)

I disagree ;-)   The way it is done now, punishes lack of attention *IF* a
ssh bug breaks it, with annoying but non-dangerous situation.  If ssh is not
restarted, you are now in a dangerous situation if you forget to restart it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Reboot in postinst

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, David Schmitt wrote:
> On Friday 21 January 2005 11:03, Marc Haber wrote:
> > This prompts a question I have been wanting to ask for ages: When a
> > security update for, say, libc6, libssl or libz is installed, do I
> > need to restart services or not? That's one of the questions you ask
> > three people and get five different answers.
> 
> I always use "lsof +L1" to view all open, unlinked files. This should include 
> old versions of libraries.

Not always. Try also a lsof -n | grep dpkg-new.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
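
The two lsof checks in this sub-thread can also be run straight from /proc, which helps on hosts where lsof is not installed. The script below is an added example, not code from the thread or from any Debian package: it reports executable mappings whose file is unlinked or still carries a `.dpkg-new` name. The function names, the PID and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running code from a replaced file,
# using /proc/<pid>/maps instead of lsof output.

# stale_maps PID   (maps text on stdin)
# Prints "PID<TAB>path" once per executable mapping whose backing file is
# unlinked ("(deleted)") or has ".dpkg-new" in its name.
stale_maps() {
    awk -v pid="$1" '
        # Columns: range perms offset dev inode path...; only file-backed,
        # executable mappings are of interest.
        NF >= 6 && $2 ~ /x/ {
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i
            # Skip [stack], [vdso] and shared-memory style pseudo files.
            if (path !~ /^\// || path ~ /^\/(dev\/|SYSV|memfd:)/) next
            stale = 0
            if (sub(/ \(deleted\)$/, "", path)) stale = 1
            if (path ~ /\.dpkg-new/) stale = 1
            if (stale && !(path in seen)) {
                seen[path] = 1
                print pid "\t" path
            }
        }'
}

# scan_proc: run stale_maps over every process on the live system.
# Reading other users' maps needs root; unreadable entries are skipped.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_maps "$pid" 2>/dev/null < "$maps" || true
    done
}

# Constructed sample in /proc/<pid>/maps format (not taken from a real host):
# a daemon whose libc was replaced on disk while it kept running.
SAMPLE_MAPS='08048000-0804f000 r-xp 00000000 03:01 1234   /usr/sbin/sshd
b7d00000-b7e2a000 r-xp 00000000 03:01 5678   /lib/libc-2.3.2.so (deleted)
b7e2a000-b7e33000 rw-p 00129000 03:01 5678   /lib/libc-2.3.2.so (deleted)
b7e40000-b7e52000 r-xp 00000000 03:01 5680   /usr/lib/libz.so.1.2.2.dpkg-new
b7f00000-b7f01000 rwxs 00000000 00:04 0      /SYSV00000000 (deleted)
bffeb000-c0000000 rwxp 00000000 00:00 0      [stack]'

if [ "${1:-}" = "--live" ]; then
    scan_proc
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_maps 412
fi
```

Every PID the live scan prints belongs to a process that has to be restarted before the updated library is actually in use.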


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Reboot in postinst

2005-01-21 Thread Roberto Sanchez
Quoting Henrique de Moraes Holschuh <[EMAIL PROTECTED]>:

> On Fri, 21 Jan 2005, Andreas Barth wrote:
> > Yes. But I prefer verifying that I can login again after each ssh
> > restart. So, I want to do that _only_ if I explicitly do it. (Others may
> > disagree.)
> 
> I disagree ;-)   The way it is done now, punishes lack of attention *IF* a
> ssh bug breaks it, with annoying but non-dangerous situation.  If ssh is not
> restarted, you are now in a dangerous situation if you forget to restart it.
> 

If the system is that important to the admin, he will pay attention to such
things.  Imagine that you are upgrading ssh for some security update over the
weekend.  If your system is in some colo or other remote location where you
are unable to access it until Monday morning, then you have a problem if ssh
dies on you.

I agree with Andreas.  Even with my machine at home, I always stay logged
in to my current ssh session, restart sshd and immediately try to login again.
If there is a problem it is immediately apparent AND I know that an action I
took caused it.  I.e., I am not trying to figure out which package's postinst
did what.  I am also left with at least one active ssh session.  I do it this
way because even at home I dislike crawling under my desk to pull the monitor
and keyboard from my workstation to plug them into my headless server.

-Roberto







Re: Reboot in postinst

2005-01-21 Thread sean finney
On Fri, Jan 21, 2005 at 11:00:49AM +0100, Marc Haber wrote:
> On Thu, 20 Jan 2005 21:27:46 +0100, Osamu Aoki <[EMAIL PROTECTED]>
> wrote:
> >Relax, he did not say "rm -rf /" in postinst.
> 
> That would be postrm.

or, prerm, since it hasn't been rm'd yet.  postrm would be run after, if
only it still existed after the rm :)


sean


-- 




Re: Bug#291495: ITP: blktool -- Program that does stuff with block devices

2005-01-21 Thread Gaudenz Steinlin
On Fri, Jan 21, 2005 at 12:00:30AM -0500, Eric Dorland wrote:
> Package: wnpp
> Severity: wishlist
> 
> * Package name: blktool
>   Version : 4
>   Upstream Author : Jeff Garzik <[EMAIL PROTECTED]>
> * URL : http://sourceforge.net/projects/gkernel/
> * License : GPL
>   Description : Program that does stuff with block devices

IMHO this short description is not very informative. Please be more
precise about what sort of "stuff" it does with block devices.
Suggestion: "Program to query and change settings of block devices".
> 
> blktool is used for querying and/or changing settings of a block device.
> It is like hdparm but a more general tool, as it works on SCSI, IDE and 
> SATA devices.
> 
> This code is still experimental and you should use it at your own risk
> as it could cause damage to your hardware.

Is it stable enough for inclusion in Debian? If it's experimental it
should probably go to experimental or at least be kept out of testing to
avoid having it in a release.

Gaudenz




Re: Reboot in postinst

2005-01-21 Thread David Sawyer
This reminds me of a horror story at a place I used to work.  I was
browsing the 'Net on one of our production servers (this thing served
hundreds of banks around the world).  I was looking for some fix or SP
for NT.  I came across this site that started installing Flash Player.
 It installed it, then a window popped up saying that it was
restarting the system, OOPS!. No confirmation, no double checking,
just too bad so sad, bye bye.  It's funny now, but it caused lots of
damage at the time.

Moral of the story:  NEVER SHUTDOWN OR REBOOT WITHOUT ASKING.

Dave

On Thu, 20 Jan 2005 19:35:42 +0100, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> On Thu, 20-01-2005 at 15:09 -0300, Diogo Kollross wrote:
> > Is there a problem in using something like
> >
> >   shutdown -r now
> >
> > inside a postinst script of a package?
> 
> I was going to say something smart and funny, but it isn't coming.
> 
> What the hell have you been smoking?
> 
> Hint: this isn't Windows. You don't need to reboot your system every
> time you move your mouse to "update the changes".
> 
> Why would you want to do this?
> 
> --
>  EARTH
>  smog  |   bricks
>  AIR  --  mud  -- FIRE
> soda water |   tequila
>  WATER
>  -- with thanks to fortune
> 
> 





Re: Reboot in postinst

2005-01-21 Thread Petter Reinholdtsen
[David Sawyer]
> Moral of the story:  NEVER SHUTDOWN OR REBOOT WITHOUT ASKING.

Another moral might be to always test the stuff you plan to do on a
production server on a test-server first.  I fail to see how it is
sensible to browse the net on a production server.  And I fail to see
how it is smart to run as a privileged user when it isn't required to
do so.





Re: Reboot in postinst

2005-01-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jan 2005, Petter Reinholdtsen wrote:
> [David Sawyer]
> > Moral of the story:  NEVER SHUTDOWN OR REBOOT WITHOUT ASKING.

No. Never handle serious business like you'd handle your home's gateway
machine.

> Another moral might be to always test the stuff you plan to do on a
> production server on a test-server first.  I fail to see how it is
> sensible to browse the net on a production server.  And I fail to see
> how it is smart to run as a privileged user when it isn't required to
> do so.

Never mind the very idea of using anything Microsoft in such a scenario.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#291581: ITP: libhdate -- small C, C++ library for Hebrew dates and holidays

2005-01-21 Thread Lior Kaplan
Package: wnpp
Severity: wishlist
Owner: Lior Kaplan <[EMAIL PROTECTED]>

* Package name: libhdate
  Version : 0.10.1
  Upstream Author : Kobi Zamir <[EMAIL PROTECTED]>
* URL : http://libhdate.sourceforge.net
* License : GPL
  Description : small C, C++ library for Hebrew dates and holidays

 LibHdate is a small C, C++ library for Hebrew dates, holidays,
 and reading sequence (parasha).
 .
 This package contains files needed for the development of
 applications which use libhdate.
 .
 Homepage: http://libhdate.sourceforge.net/

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)





Re: Reboot in postinst

2005-01-21 Thread Ken Bloom
On Thu, 20 Jan 2005 15:09:46 -0300, Diogo Kollross wrote:
> Is there a problem in using something like
> 
>   shutdown -r now
> 
> inside a postinst script of a package?

So I dist-upgrade, and it upgrades 12 packages. Your postinst runs before
any of the other 11. The computer reboots immediately in your postinst.
When do the other 11 postinst's run?

Besides the philosophical problems with rebooting without permission,
the administrator action that you're trying to avoid will be necessary
*anyway* when he has to apt-get -f install or dpkg --configure -a the
other 11 packages.

-Ken Bloom 

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.






Re: Reboot in postinst

2005-01-21 Thread Joey Hess
Roberto Sanchez wrote:
> If the system is that important to the admin, he will pay attention to such
> things.  Imagine that you are upgrading ssh for some security update over the
> weekend.  If your system is in some colo or other remote location where you
> are unable to access it until Monday morning, then you have a problem if ssh
> dies on you.

If your system is in a colo, it would be wise to have a backup login
method besides ssh. If my ssh breaks, I can log in via serial console,
an alternative ssh running on a high port (in a chrooted stable system
that I have to independently keep up-to-date), or (ssl) telnet.

-- 
see shy jo




NPTL support in 2.4 kernel series?

2005-01-21 Thread Martin Kittel
Hi,

I am maintaining the packages of the MaxDB database system.

Recently upstream has converted the database kernel from
linuxthread-style threading to NPTL. While -at least for i386-
linuxthreads is still supported in MaxDB at this time, it will go away
in one of the next releases.
As far as I know there is no NPTL support in 2.4 debian kernels (as for
example in some RedHat 2.4 kernels). Is that correct?
In that case I will have to add a dependency on kernel-image-2.6 or does
anyone know of a better way to express a dependency on NPTL style threading?

Thanks for your help,
Martin.


Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Miquel van Smoorenburg
In article <[EMAIL PROTECTED]>,
Martin Kittel  <[EMAIL PROTECTED]> wrote:
>Hi,
>
>I am maintaining the packages of the MaxDB database system.
>
>Recently upstream has converted the database kernel from 
>linuxthread-style threading to NPTL. While -at least for i386- 
>linuxthreads is still supported in MaxDB at this time, it will go away 
>in one of the next releases.
>As far as I know there is no NPTL support in 2.4 debian kernels (as for 
>example in some RedHat 2.4 kernels). Is that correct?
>In that case I will have to add a dependency on kernel-image-2.6

Bad idea. On my systems, there is no kernel-image installed at all-
I compile them myself. I bet I'm not the only one.

>or does 
>anyone know of a better way to express a dependency on NPTL style threading?

You can check in the preinst if the running kernel is new enough,
but that is about all you can do.

Mike.





Re: Reboot in postinst

2005-01-21 Thread Gustavo Noronha Silva
On Fri, 2005-01-21 at 14:56 +0100, Andreas Barth wrote:
> Yes. But I prefer verifying that I can login again after each ssh
> restart. So, I want to do that _only_ if I explicitly do it. (Others may
> disagree.)

I always do test I can still login after restarting ssh. The trick is
using a different terminal for that ;).

See ya,

-- 
[EMAIL PROTECTED]: Gustavo Noronha 
 Debian:   *  



Re: Reboot in postinst

2005-01-21 Thread Bernd Eckenfels
On Fri, Jan 21, 2005 at 01:34:51PM -0500, Joey Hess wrote:
> If your system is in a colo, it would be wise to have a backup login
> method besides ssh.

Oh yes, especially since my ssh regularly breaks because of "UsePam yes" and
"ListenAddress ::" while switching between stable and testing versions. And
I miss that often (on the other hand I really think openssh could be a bit
more forgiving in respect to "ListenAddress ::" w/o -6).

Greetings
Bernd





Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Lars Wirzenius
On Fri, 2005-01-21 at 20:11 +, Miquel van Smoorenburg wrote:
> In article <[EMAIL PROTECTED]>,
> Martin Kittel  <[EMAIL PROTECTED]> wrote:
> >As far as I know there is no NPTL support in 2.4 debian kernels (as for 
> >example in some RedHat 2.4 kernels). Is that correct?
> >In that case I will have to add a dependency on kernel-image-2.6
> 
> Bad idea. On my systems, there is no kernel-image installed at all-
> I compile them myself. I bet I'm not the only one.
> 
> >or does 
> >anyone know of a better way to express a dependency on NPTL style threading?
> 
> You can check in the preinst if the running kernel is new enough,
> but that is about all you can do.

Since it is not possible to depend on a kernel package for this, I would
advise the following:

a) add a note about requiring NPTL and working with LinuxThreads to the
description of the package, and also to its README.Debian

b) checking in the preinst is reasonable; if NPTL is not in use, giving
a warning is enough, it should still be possible to install the package
(because people might want to install the package anyway, and only use
it when they are running the proper kernel)

c) checking for NPTL support at run-time is also good, so that it is
clear why things don't work (a wrapper script around the real program
binary, or something); this also protects against the package being
installed while NPTL support was available, and then run without it
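
One way to implement the preinst warning and the run-time refusal described in this reply, keyed on the threading library actually in use rather than on an installed kernel package. This is an added example, not MaxDB's or Debian's packaging code; it assumes glibc's `getconf GNU_LIBPTHREAD_VERSION`, and the function names and messages are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide at install time and at start-up
# whether the threading library in use is NPTL.

# classify_threading STRING
# STRING is the output of `getconf GNU_LIBPTHREAD_VERSION`, for example
# "NPTL 2.3.2" or "linuxthreads-0.10"; it is empty when getconf does not
# know the variable (assumption: a glibc-based system).
classify_threading() {
    case "$1" in
        NPTL*)         echo nptl ;;
        linuxthreads*) echo linuxthreads ;;
        *)             echo unknown ;;
    esac
}

# Ask the running system, not the package database: an installed 2.6 kernel
# image says nothing about the threading library a process actually gets.
detect_threading() {
    classify_threading "$(getconf GNU_LIBPTHREAD_VERSION 2>/dev/null || true)"
}

# Point (b): in preinst, warn but let the installation continue.
preinst_check() {
    if [ "$1" != nptl ]; then
        echo "warning: NPTL not in use (found: $1); the program will not run until it is" >&2
    fi
    return 0
}

# Point (c): in the wrapper around the real binary, refuse to start.
runtime_check() {
    if [ "$1" = nptl ]; then
        return 0
    fi
    echo "error: this program needs NPTL threading, found: $1" >&2
    return 1
}

# Demonstration on the current host; a real wrapper would exec the program
# binary in the first branch and exit non-zero in the second.
impl=$(detect_threading)
preinst_check "$impl"
if runtime_check "$impl"; then
    echo "NPTL present: the wrapper would now exec the real binary"
else
    echo "NPTL missing: the wrapper would exit non-zero here"
fi
```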





Is Daniel Lutz MIA?

2005-01-21 Thread Chuan-kai Lin
Hi all,

Does anyone know the status of Daniel Lutz?  I had mailed him a while
ago asking if he needs any help with the synergy package; the last
upload of the package was 14 months ago, with quite a few bugs open
that had not been dealt with, and a new major upstream stable release
had been made in the end of 2004.

Can anyone confirm that he is still active?  Granted synergy is still
in an okay shape, but if Daniel is indeed MIA, I will volunteer taking
over maintenance of the package.

-- 
Chuan-kai Lin
http://www.cs.pdx.edu/~cklin/





Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Martin Kittel
Miquel van Smoorenburg wrote:
>>As far as I know there is no NPTL support in 2.4 debian kernels (as for 
>>example in some RedHat 2.4 kernels). Is that correct?
>>In that case I will have to add a dependency on kernel-image-2.6
> 
> Bad idea. On my systems, there is no kernel-image installed at all-
> I compile them myself. I bet I'm not the only one.
> 
That's what I do, too. But I am using kernel-package to compile my kernels, so
that in the end I am having a package installed that correctly provides the
dependency I need.

> 
> You can check in the preinst if the running kernel is new enough,
> but that is about all you can do.
> 
But this happens only after you have downloaded the whole package and leaves you
with a broken one. So I don't think that would be an acceptable solution.

Best wishes,

Martin.






Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Henning Makholm
Martin Kittel <[EMAIL PROTECTED]> wrote:

>> You can check in the preinst if the running kernel is new enough,
>> but that is about all you can do.

> But this happens only after you have downloaded the whole package
> and leaves you with a broken one. So I don't think that would be an
> acceptable solution.

It would be less acceptable to refuse installation for people who
prefer to install custom kernels themselves and bypass the packaging
system.

Remember that having a kernel image installed is no guarantee that it
is actually the same kernel that *runs*, so a dependency would not
prevent users from having a package that does not work.

-- 
Henning Makholm  "Go out in the sun or the rain, smile, buy a new sweater,
   have a chat with the grocer, polish your boots. Live!"



Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Martin Kittel
Henning Makholm  makholm.net> writes:
> 
> Martin Kittel  martin-kittel.de> wrote:
> 
> >> You can check in the preinst if the running kernel is new enough,
> >> but that is about all you can do.
> 
> > But this happens only after you have downloaded the whole package
> > and leaves you with a broken one. So I don't think that would be an
> > acceptable solution.
> 
> It would be less acceptable to refuse installation for people who
> prefer to install custom kernels themselves and bypass the packaging
> system.

I don't think that having a dependency on a kernel image is that much different
from having one on java2-runtime, that is basically provided only by packages
that were generated by scripts similar to kernel-package. The dependency at
least tells you in advance what you should expect.
And if you really want to bypass the packaging system, you can still force dpkg
to ignore the dependency.

> 
> Remember that having a kernel image installed is no guarantee that it
> is actually the same kernel that *runs*, so a dependency would not
> prevent users from having a package that does not work.
> 
Point taken, but neither does having a preinst-check. This extra-protection
would have to be added in the startup scripts.








Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Kurt Roeckx
On Fri, Jan 21, 2005 at 07:51:22PM +0100, Martin Kittel wrote:
> Hi,
> 
> I am maintaining the packages of the MaxDB database system.
> 
> Recently upstream has converted the database kernel from 
> linuxthread-style threading to NPTL. While -at least for i386- 
> linuxthreads is still supported in MaxDB at this time, it will go away 
> in one of the next releases.

What is the problem with linuxthread?  Are there some problems
linuxthreads cause that go away when using NPTL?

Anyway, the package currently only supports i386, so I don't see
a problem with using linuxthread for now.  Please make sure that
you then at least prevent it from using NPTL.


Kurt





Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Martin Kittel
Kurt Roeckx wrote:
> What is the problem with linuxthread?  Are there some problems
> linuxthreads cause that go away when using NPTL?

Upstream is switching to NPTL for performance reasons and because it
allows them to clean up a lot of their threading code. Currently there
is still support for linuxthread on i386, but it is likely to go away in
one of the next releases.

> Anyway, the package currently only supports i386, so I don't see
> a problem with using linuxthread for now.  Please make sure that
> you then at least prevent it from using NPTL.

That is what I am doing already. Apart from that, I am working on
packages for amd64 and ia64. If everything works out, I should have the
first version in sid within the next couple of weeks.

Martin.


Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Joel Aelwyn
On Fri, Jan 21, 2005 at 11:05:58PM +0100, Kurt Roeckx wrote:
> On Fri, Jan 21, 2005 at 07:51:22PM +0100, Martin Kittel wrote:
> > Hi,
> > 
> > I am maintaining the packages of the MaxDB database system.
> > 
> > Recently upstream has converted the database kernel from 
> > linuxthread-style threading to NPTL. While -at least for i386- 
> > linuxthreads is still supported in MaxDB at this time, it will go away 
> > in one of the next releases.
> 
> What is the problem with linuxthread?  Are there some problems
> linuxthreads cause that go away when using NPTL?
> 
> Anyway, the package currently only supports i386, so I don't see
> a problem with using linuxthread for now.  Please make sure that
> you then at least prevent it from using NPTL.

*chokes*

I can only assume you have never done serious thread programming on
LinuxThreads, or never used NPTL, or are unfamiliar with POSIX threads.
But, in one extremely short summary: "Too many to count".

As for MaxDB, I can't comment, except to say that programming for the
two is very different, and I doubt the upstream will care to support
LinuxThreads for longer than they have to if it makes any significant use
of threading.
-- 
Joel Aelwyn <[EMAIL PROTECTED]>   ,''`.
 : :' :
 `. `'
   `-




Re: updated debian development diagram -- comments?

2005-01-21 Thread Otavio Salvador
|| On Fri, 21 Jan 2005 04:19:03 -0500
|| Kevin Mark <[EMAIL PROTECTED]> wrote: 

km> On Fri, Jan 07, 2005 at 05:14:56PM -0200, Otavio Salvador wrote:
>> || On Mon, 3 Jan 2005 01:08:49 -0500
>> || Kevin Mark <[EMAIL PROTECTED]> wrote: 
>> 
km> Hi Folks,
km> I have updated my diagram on the debian development model. Any comments
km> appreciated! 
>> 
>> IMHO have one wrong information on that. When the package go to
>> experimental, it comes from DD .deb like when it go to unstable and
>> not from debian source. One of interpretations are wrong. The unstable
>> interpretation (Debian source -> DD .deb -> unstable ) looks ok to me. I
>> propose to change (Debian source -> DD .deb -> (experimental || unstable))
>> 
>> -- 
km> Hi Octavio and list members,
km> I have updated my diagram with 'icons'. It may need some more work to
km> make it look better. I tried to fit in on A4 paper. Not sure it fits as
km> I use US letter x-)

Hello Kevin,

Interesting. I suggest to you include on these 'icons' an alpha channel
then it will merge better one with other when for example you use the
book (like source-package) and include the Debian Swirl to be the
package-source.

-- 
O T A V I OS A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."




Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Joel Aelwyn
On Fri, Jan 21, 2005 at 09:14:00PM +, Henning Makholm wrote:
> Martin Kittel <[EMAIL PROTECTED]> wrote:
> 
> >> You can check in the preinst if the running kernel is new enough,
> >> but that is about all you can do.
> 
> > But this happens only after you have downloaded the whole package
> > and leaves you with a broken one. So I don't think that would be an
> > acceptable solution.
> 
> It would be less acceptable to refuse installation for people who
> prefer to install custom kernels themselves and bypass the packaging
> system.
> 
> Remember that having a kernel image installed is no guarantee that it
> is actually the same kernel that *runs*, so a dependency would not
> prevent users from having a package that does not work.

I'm not saying depending on the kernel image is the right answer,
necessarily, though that's certainly codified as the correct one for
at least one non-Linux kernel (or rather, depending on something that
is Provided, by kernel policy, for definition the kernel compatibility
support).

However, is it really unreasonable to expect someone willing and able to
build their own kernel to at *least* be able and willing to set up an
equivs entry for the kernel provides?

It's not perfect, but it's protection from the grosses idiocies. At the
very least it should probably be a Recommends and a note that it's really
required that you have *some* source of NPTL (along with the script check
mentioned elsewhere).

Making it possible to install in a custom situation is good; making it
easy to install and create a broken one is not.
-- 
Joel Aelwyn <[EMAIL PROTECTED]>   ,''`.
 : :' :
 `. `'
   `-




Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Lars Wirzenius
On Fri, 2005-01-21 at 15:42 -0700, Joel Aelwyn wrote:
> However, is it really unreasonable to expect someone willing and able to
> build their own kernel to at *least* be able and willing to set up an
> equivs entry for the kernel provides?

That won't help enough. You can have a kernel-image-2.6 package
installed, yet still run 2.4. Depends simply are not enough for this to
work. End result: you make people jump through hoops and don't get the
desired result anyway.

See my previous mail for better ways to tackle this.





Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Joel Aelwyn
On Sat, Jan 22, 2005 at 12:53:43AM +0200, Lars Wirzenius wrote:
> On Fri, 2005-01-21 at 15:42 -0700, Joel Aelwyn wrote:
> > However, is it really unreasonable to expect someone willing and able to
> > build their own kernel to at *least* be able and willing to set up an
> > equivs entry for the kernel provides?
> 
> That won't help enough. You can have a kernel-image-2.6 package
> installed, yet still run 2.4. Depends simply are not enough for this to
> work. End result: you make people jump through hoops and don't get the
> desired result anyway.
> 
> See my previous mail for better ways to tackle this.

Sorry, I thought the rest of the message would have covered that. Yes,
using a script and some of the other tricks to ensure it doesn't try to run
on a 2.4 kernel are probably necessary.

Using a Depends wouldn't necessarily solve it, either, which is why I
said that it might also work as a Recommends, since the situation I'm
concerned about is not so much "Someone who knows enough to compile their
own kernel and fiddle with it all" but "Someone who runs aptitude to
install " and never thinks much about it.

There's only so much you can do for the former; for the latter, you can
do a lot more to avoid making it *easy* to set up a broken situation.
-- 
Joel Aelwyn <[EMAIL PROTECTED]>   ,''`.
 : :' :
 `. `'
   `-




Re: NPTL support in 2.4 kernel series?

2005-01-21 Thread Steve Greenland
On 21-Jan-05, 12:51 (CST), Martin Kittel <[EMAIL PROTECTED]> wrote: 
> Hi,
> 
> I am maintaining the packages of the MaxDB database system.
> 
> [snip]
> In that case I will have to add a dependency on kernel-image-2.6 or does 
> anyone know of a better way to express a dependency on NPTL style threading?

I'm with Lars. Anyone installing DBMS who can't be bothered to read the
package description that says "requires kernel 2.6" is going to have
more problems than you can even think about solving with "Depends".

Steve

-- 
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world.   -- seen on the net





Version woes (packaging SWT milestones)

2005-01-21 Thread Shaun Jackman
I'm packaging SWT for GTK version 3.1M4, which is a prerelease of 3.1.
I want to eventually package 3.1. What options do I have for numbering
the prerelease so that 3.1 is a greater version number? If I
understand epochs, I could name the next one 1:3.1, although I'm not
particularly fond of that solution. The version number has to be
greater than 3.0 and less than 3.1, so it seems to me that indicates
it must start with 3.0.x. Perhaps 3.0.3.1M4? Ugly. Any thoughts?

Cheers,
Shaun





Re: Version woes (packaging SWT milestones)

2005-01-21 Thread Aaron M. Ucko
Shaun Jackman <[EMAIL PROTECTED]> writes:

> it must start with 3.0.x. Perhaps 3.0.3.1M4? Ugly. Any thoughts?

Post-sarge, I believe 3.1~m4 should work.  For now, I'd probably call
it 3.0+3.1m4, which is slightly less ugly IMO than having dots
throughout.  (I've used a similar notation for FLTK prereleases.)

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger [EMAIL PROTECTED] (NOT a valid e-mail address) for more info.





Re: Re: Arabic Linguist

2005-01-21 Thread Eizeno



my name is eizen putrus i work in iraq for 17 m former titan linguist i 
work for JAG and i work with MI and interpet for 2 BG and i work with FBI 
and rebuilt the court sys in mousel and work with local tribe .e mail me at [EMAIL PROTECTED] or call me at 
909-944-3197 thank you
eizen putrus


Bug#291654: ITP: lnpd -- BrickOS (legOS) networking protocol daemon

2005-01-21 Thread Stephen M Moraco
Package: wnpp
Severity: wishlist


* Package name: lnpd
  Version : 0.9.0
  Upstream Author : Martin Cornelius <[EMAIL PROTECTED]>
* URL : http://brickos.sourceforge.net/
* License : Mozilla Public License v1.0
  Description : BrickOS logical network protocol daemon

The lnpd daemon along with its client library allow the user
to build client applications which can communicate with the
LEGO Mindstorms RCX which is running the BrickOS operating 
system.  Through this communication the user can download 
new programs, command the RCX, and or upload data generated
by a program running on the RCX.

NOTE: the lnpd software is found at the brickos site
and is currently being maintained by the brickos team, 
not the original author.

Stephen
--
Stephen M Moraco
[EMAIL PROTECTED]





Re: Release update: kde3.3, upload targets, kernels, infrastructure

2005-01-21 Thread Kenshi Muto

Hi,

Release-update of this month sounds really nice for me :-)

At Fri, 21 Jan 2005 20:11:03 -0800,
Steve Langasek wrote:
> Many of these security bugs have been fixed in unstable, and are just
> waiting to propagate to testing -- largely blocked by missing builds for
> the mipsel architecture.  This architecture has been hard pressed to
> keep up with the package volume over the past few months.  In the long
> term, additional build power is clearly needed for this architecture;
> but in the short term, I would encourage maintainers to think twice
> before uploading fixes for non-release critical bugs, to give some of
> these higher-priority builds a chance to complete.

I can offer buildd of mipsel and other architectures.
I've been trying to contact wanna-build maintainers (elmo, neuro, and
ftpmasters) for over 2 weeks, but no one has responded yet.
Is this another release blocker? :-)

Thanks,
- -- 
Kenshi Muto
[EMAIL PROTECTED]





Re: Re: Arabic Linguist

2005-01-21 Thread Eizeno



my name is eizen putrus i am former titan linguist i work in iraq for 17m i 
work in all lavel of the mill JAG and FBI and interpet for  2BG and 
rebuilt the court sys in mousel go to metting in city councel and work with ACO 
anti crruption office in mousel if you are looking for a linguistmy e amil is [EMAIL PROTECTED]  my phone is 
909-944-3197 thank you 
eizen putrus