Re: Real Life hits: need to give up packages for adoption

[Bas Zoetekouw]

Hi!

You wrote:

> * videogen
>   (easy pickings)

If no one else is interested, I'd like to take this one.  
It could take me a few weeks to find time to upload though, as Real Life
is getting in the way atm.

-- 
Kind regards,
++
| Bas Zoetekouw  | GPG key: 0644fab7 |
|| Fingerprint: c1f5 f24c d514 3fec 8bf6 |
| [EMAIL PROTECTED], [EMAIL PROTECTED] |  a2b1 2bae e41f 0644 fab7 |
++ 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Chris Boot]

On 29 May 2006, at 23:53, Daniel Ruoso wrote:


Em Seg, 2006-05-29 às 22:08 +0100, Chris Boot escreveu:

SLIND sounds interesting indeed, I've been using a buildroot-built
system for mine so it was difficult getting dpkg built in the first
place, but I've got it mostly all going. All the arch-independent
packages help a lot too.


In fact, I want it to work as a native debian system. This way,
buildroot causes a lot of problems (I think that's the motivation  
behind

SLIND). And they already have a binary base system which is a hell lot
of work already done... Mixing this with dpkg-cross, well... it's
perfect :)


So do I! I'm just using buildroot as a short-cut towards getting a  
basic debian base going. I know it's probably the wrong thing to do  
but it seemed a good idea at the time.



The challange is to compile the other packages that compose the
build-essential package list. With that, in theory, you can setup a
buildd.

That's what I'm aiming for as well, but unfortunately there's a hell
of a lot of dependencies in all that lot!


That's where SLIND helps more... the base system is already built.


Yes, I can see that could be handy. I'm guessing SLIND is based on  
woody?



There seem to be ways to build a minimal gcc built into the build
scripts, but I can't seem to be able to trigger these to successfully
build a compiler. It keeps dying with:


I think it's possible to just use dpkg-buildpackage -auclibc-i386 and
get a functional package (after some changes, probably)... I'm  
trying to

stay as close as I can from the stock debian packages.


Well ideally I'd like to have a complete system with the bare minimum  
number of patches required to make packages build & work on uclibc.  
Removing Java was an idea for a short-cut to get to that stage.



* libgdbm3
* libdb4.2 (I'm very near on finishing this one)
* perl (which depends on the two libs above)

I've built perl without having either of the two prerequisites
installed, works for most things and satisfies lots of  
dependencies! :-)


As I said, I aim to have a standard debian machine, so I do want to  
deal

with the dependencies correctly to have a real package.


Once again this is just a shortcut to get build-dependencies out of  
the way first. Once most of the packages are present this would be  
rebuilt to be the full package.



Maybe we could join forces to speed things along?


Sure... Actually, I think we should both join forces to emdebian,  
which

is doing a great job...


I've joined #emdebian on IRC but there's not a lot of activity.  
Sounds like a good idea though, and sounds like they could do with a  
hand.



What I do think it would be really nice is to have a "contrib-builds"
SLIND repository (like backports do). This would make things easier  
for

sharing this effort.


Many thanks,
Chris

--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/

Re: HOWTO rebuild the archive

[Goswin von Brederlow]

Wouter Verhelst <[EMAIL PROTECTED]> writes:

> On Mon, May 29, 2006 at 09:47:53PM +0200, Goswin von Brederlow wrote:
>> Or just dump all packages into the buildds queue file (as
>
> That would be ~buildd/build/REDO
>
>> package_version, one per line) and start it.
>
> That would be
>
> package_version distribution
>
> instead, as in
>
> nbd_1:2.8.4-2 unstable
>
> Whether doing it this way is a good idea, though, I don't know. Buildd
> surely wasn't designed for this.

It is much simpler than to set up wanna-build and a local archive but
you loose the tracking of package status that wanna-build would give
you.

It all depends how much work you want to invest and how long/often you
want to run this.

MfG
Goswin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Uploading packages built against testing?

[Goswin von Brederlow]

Thomas Viehmann <[EMAIL PROTECTED]> writes:

> Hendrik Sattler wrote:
>> Am Montag, 29. Mai 2006 21:16 schrieb Thomas Viehmann:
>>> Hendrik Sattler wrote:
 No, but you could manually set all stuff in Depends to the needed
 versions. That would also work for the buildds, I guess.
>>> And break at the next opportunity (binNMU, recompile, update in a
>>> hurry...).
>
>>  he automated shared lib dependency calculation surely works but does not 
>> always give optiomal results, e.g. it will pin to a specific libc (building 
>> packages of non-free apps is sometimes better done with setting the depends 
>> manually).
>>From a Debian point of view, correct and minimal dependencies is a
> (very) global problem, with correctness being a hard condition and
> minimal not. In particular, local optimization towards minimal that
> raise the probability of incorrect over package life time, are not a way
> to go.
> Experience shows automatism is asked for because the problem rate is far
> lower. It doesn't any harm, either, does it?
> Don't take my word for it, but do trust Steve's expert opinion. Debian
> is large enough to predict "there will be N errors" in every "the
> maintainer will have to be careful here", so your arguments are void...
>
>> binNMU & recompilation: won't break if the app really works with this older 
>> version and the lib must be ABI-compatible anyway.
> ... and this one is plainly wrong. binNMUs for rebuild against
> dependency libs which have changed ABI are not only possible but
> routinely done. Transition NMUs would be hard to get correct as well.

s/changed/extended/

Any ABI change must be acompanied by a soname change.

>> Automatism is good but not the only way to do stuff.
> For Debian packages taking clever shortcuts that are almost certain to
> fire back is inacceptable. We all do the "create a Debian package using
> ar" thing once, but we all agree that this isn't the way to do it.
>
> Kind regards
>
> T.

MfG
Goswin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Chris Boot]

On 30 May 2006, at 08:53, Alexander Shishkin wrote:


On 5/30/06, Chris Boot <[EMAIL PROTECTED]> wrote:

On 29 May 2006, at 23:53, Daniel Ruoso wrote:
Yes, I can see that could be handy. I'm guessing SLIND is based on
woody?

No, it is based on testing/unstable. Host part is mostly sarge (it was
in the 0.1 prerelease, now most of it is sid).


Well ideally I'd like to have a complete system with the bare minimum
number of patches required to make packages build & work on uclibc.
Removing Java was an idea for a short-cut to get to that stage.

What does Java have to do with compiling packages?


gcc-3.3 depends on gettext which depends on fastjar which is built by  
gcc-3.4


If one cuts out Java, gettext is that much smaller and easier to  
build, and so is gcc. Simple really.



Once again this is just a shortcut to get build-dependencies out of
the way first. Once most of the packages are present this would be
rebuilt to be the full package.

Once you want the build-dependencies back, I tell you, it will be a
pain you-know-where to put them in correct shape. And this is going to
happen once you get to the point of compinig X11 stuff and glib/gtk.


Just make a list of everything you have installed and rebuild each  
package one-by-one until you've covered everything. I can't see where  
the problem is.



Regards,
--
I am free of all prejudices. I hate every one equally.


--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Uploading packages built against testing?

[Steve Langasek]

On Tue, May 30, 2006 at 10:00:21AM +0200, Goswin von Brederlow wrote:
> >> binNMU & recompilation: won't break if the app really works with this 
> >> older 
> >> version and the lib must be ABI-compatible anyway.
> > ... and this one is plainly wrong. binNMUs for rebuild against
> > dependency libs which have changed ABI are not only possible but
> > routinely done. Transition NMUs would be hard to get correct as well.

> s/changed/extended/

> Any ABI change must be acompanied by a soname change.

Er, that was exactly the point: binNMUs *are* done for soname-changing ABI
changes.  Hard-coding library dependencies is wrong, because the *names* of
the needed libraries may change with a rebuild.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


signature.asc
Description: Digital signature

Re: Renaming a package

[Simon Richter]

Hi,

Andreas Fester schrieb:


I create a new package with the new name which will
get uploaded to the NEW queue. This package replaces the
old package and conflicts with the old package:
Replaces: oldPackage
Conflicts: oldPackage (<< firstVersionOfNewPackage)


IIRC the correct way to do that is

Package: oldpkg
Depends: newpkg
Description: transitional dummy package

Package: newpkg
Replaces: oldpkg
Conflicts: oldpkg
Description: ...

You can easily build them from any source package you wish. If you also 
renamed the source package, the new source packages will "take over" the 
binary packages, and binaryless source packages are AFAIK handled by 
rene (archive cleanup tool).


   Simon


signature.asc
Description: OpenPGP digital signature

Re: Real Life hits: need to give up packages for adoption

[Simon Richter]

Hi,


* NTP server
  (some work required; currently, not-really-maintained by the Debian
  NTP Team, which consists of zero active members)


I'll take it.

   Simon


signature.asc
Description: OpenPGP digital signature

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Chris Boot]

On 30 May 2006, at 09:12, Alexander Shishkin wrote:


On 5/30/06, Chris Boot <[EMAIL PROTECTED]> wrote:

Just make a list of everything you have installed and rebuild each
package one-by-one until you've covered everything. I can't see where
the problem is.
In the real world (tm) building things by hand is not acceptable  
because of

a) complicated build dependencies which you do not want to think about
each time you rebuild world
b) the amount of work, considering at least 6 architectures (in
current slind) multiplied by the number of target packages (42 in
current slind, and increasing).
I mean, you typically want to build things according to their build- 
deps.


Of course, but I'm just talking about getting a basic environment set  
up from scratch. I realise slind removes the need for that now, but...


Chris

--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Alexander Shishkin]

On 5/30/06, Chris Boot <[EMAIL PROTECTED]> wrote:

On 29 May 2006, at 23:53, Daniel Ruoso wrote:
Yes, I can see that could be handy. I'm guessing SLIND is based on
woody?

No, it is based on testing/unstable. Host part is mostly sarge (it was
in the 0.1 prerelease, now most of it is sid).


Well ideally I'd like to have a complete system with the bare minimum
number of patches required to make packages build & work on uclibc.
Removing Java was an idea for a short-cut to get to that stage.

What does Java have to do with compiling packages?


Once again this is just a shortcut to get build-dependencies out of
the way first. Once most of the packages are present this would be
rebuilt to be the full package.

Once you want the build-dependencies back, I tell you, it will be a
pain you-know-where to put them in correct shape. And this is going to
happen once you get to the point of compinig X11 stuff and glib/gtk.

Regards,
--
I am free of all prejudices. I hate every one equally.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Wartan Hachaturow]

On 5/30/06, Daniel Ruoso <[EMAIL PROTECTED]> wrote:

What I do think it would be really nice is to have a "contrib-builds"
SLIND repository (like backports do). This would make things easier for
sharing this effort.


Will be there Real Soon Now (tm). Hardware is already at the desk, I
just need to set up
wiki and stuff, and put it to the hoster's.

--
Regards, Wartan.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Alexander Shishkin]

On 5/30/06, Chris Boot <[EMAIL PROTECTED]> wrote:

Just make a list of everything you have installed and rebuild each
package one-by-one until you've covered everything. I can't see where
the problem is.

In the real world (tm) building things by hand is not acceptable because of
a) complicated build dependencies which you do not want to think about
each time you rebuild world
b) the amount of work, considering at least 6 architectures (in
current slind) multiplied by the number of target packages (42 in
current slind, and increasing).
I mean, you typically want to build things according to their build-deps.

--
I am free of all prejudices. I hate every one equally.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Renaming a package

[Steve Langasek]

On Tue, May 30, 2006 at 10:23:44AM +0200, Simon Richter wrote:

> Andreas Fester schrieb:

> >I create a new package with the new name which will
> >get uploaded to the NEW queue. This package replaces the
> >old package and conflicts with the old package:
> >Replaces: oldPackage
> >Conflicts: oldPackage (<< firstVersionOfNewPackage)

> IIRC the correct way to do that is

> Package: oldpkg
> Depends: newpkg
> Description: transitional dummy package

> Package: newpkg
> Replaces: oldpkg
> Conflicts: oldpkg
> Description: ...

*NO* *NO* *NO* *NO* *NO*.  Look closely at the package relationships you've
specified.  Why would you upload a package to the archive that *can never be
installed*?

Either you want a transitional package, in which case you want this
transitional package to be *installable* and pull in the new package
automatically, or you don't.  If you don't, oldpkg should cease to exist,
not get uploaded in a broken state.

It's ok to have

Package: newpkg
Replaces: oldpkg (<< dummyversion)

but I don't think there's ever a case where making newpkg Conflict: with any
version of oldpkg will help the user.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


signature.asc
Description: Digital signature

Re: Real Life hits: need to give up packages for adoption

[Zak B. Elep]

On 5/29/06, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

I am sorry (and not happy with myself) that I've been procrastinating
about this for too long. This decision has not been easy. However,
I need to focus more on (a) work that actually feeds my kids, and
(b) time that is *not* spent hacking.


Awww... :(


* libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
 libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
 libnet-xwhois-perl, libvideo-capture-v4l-perl


I'd like to take these up.

Cheers,

Zakame

--
Zak B. Elep  ||  http://zakame.spunge.org
[EMAIL PROTECTED]  ||  [EMAIL PROTECTED]
1486 7957 454D E529 E4F1  F75E 5787 B1FD FA53 851D


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Christoph Haas]

Morning...

Matthias, your "From:" line appears to be missing. Or my MUA is b0rked.

On Mon, May 29, 2006 at 09:29:34PM +0200,  wrote:
> * NTP server
>   (some work required; currently, not-really-maintained by the Debian
>   NTP Team, which consists of zero active members)

I'd take my chance on this one. There is a large number of bugs open and
I believe that this package is very important. Still I'd like to have a
co-maintainer for the package. Anyone else interested? I'd create an SVN
repository on my server or alioth.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All


signature.asc
Description: Digital signature

Re: Debian Mini-distro: how to recompile base-system and remove Java?

[Alexander Shishkin]

On 5/30/06, Chris Boot <[EMAIL PROTECTED]> wrote:


Of course, but I'm just talking about getting a basic environment set
up from scratch. I realise slind removes the need for that now, but...

I'm not insisting on you using slind, I just want to convince people
to contribute to it. :)

--
I am free of all prejudices. I hate every one equally.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Shouldn't we have more ftp masters ?

[Petter Reinholdtsen]

[Benjamin Seidenberg]
> FYI:
> 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
>  clear that in my jetlag time, in those nights i
>  cant sleep (ie 1st -> 2nd june, 2-> 3) :)

Sounds good, but do not really addresses the fundamental problem here,
which is that NEW processing at the moment is fragile and stops
completely when the single person handling NEW is busy elsewhere.

There are a lot of work in Debian depending on regular processing of
NEW packages (transitions, fixing dependencies, fixing build issues,
preparations for the stable release, etc), and we should thus strive
to make the processing as robust as possible to avoid slowing down
these processes.

Unfortunately I have no practical suggestion on how to improve it.
Adding more ftpmaster and -assistants might be one approach.
Improving the tools to handle new source packages differently from old
source packages with new package names (typically library renames etc)
might be another.  I do not know the procedures well enough to make
educated guesses. :)

The NEW processing have made progress the last few years, so I am
confident that we are moving in the right direction.  For examle the
transparency added not too long ago with the creation of
http://ftp-master.debian.org/new.html> helps me a lot when I
decide when to upload and when to expect my uploaded packages to make
it into the archive.  I really appreciate that, though I wish the
dates of individual uploads was shown and the sorting order was
different.  This are though minor issues, compared to the situation
earlier, when almost no-one knew the current NEW status.

Friendly,
-- 
Petter Reinholdtsen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Renaming a package

[Simon Richter]

Hi,

Steve Langasek schrieb:


Package: oldpkg
Depends: newpkg
Description: transitional dummy package



Package: newpkg
Replaces: oldpkg
Conflicts: oldpkg
Description: ...



*NO* *NO* *NO* *NO* *NO*.  Look closely at the package relationships you've
specified.  Why would you upload a package to the archive that *can never be
installed*?


Hm, that used to be a "magic" combination that would let dpkg do the 
right thing.


   Simon


signature.asc
Description: OpenPGP digital signature

Re: Real Life hits: need to give up packages for adoption

[Simon Richter]

Hi,

Christoph Haas schrieb:


* NTP server
 (some work required; currently, not-really-maintained by the Debian
 NTP Team, which consists of zero active members)



I'd take my chance on this one. There is a large number of bugs open and
I believe that this package is very important. Still I'd like to have a
co-maintainer for the package. Anyone else interested? I'd create an SVN
repository on my server or alioth.


I have no problem with co-maintenance, but I'd have a problem with svn.

   Simon


signature.asc
Description: OpenPGP digital signature

Re: Real Life hits: need to give up packages for adoption

[Christoph Haas]

On Tue, May 30, 2006 at 11:25:58AM +0200, Simon Richter wrote:
> Christoph Haas schrieb:
> 
> >>* NTP server
> >> (some work required; currently, not-really-maintained by the Debian
> >> NTP Team, which consists of zero active members)
> 
> >I'd take my chance on this one. There is a large number of bugs open and
> >I believe that this package is very important. Still I'd like to have a
> >co-maintainer for the package. Anyone else interested? I'd create an SVN
> >repository on my server or alioth.
> 
> I have no problem with co-maintenance, but I'd have a problem with svn.

Suggestions? (Unless there are further volunteers we can as well take
this to PM.)

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All


signature.asc
Description: Digital signature

Re: Renaming a package

[Michal Čihař]

Hi

On Tue, 30 May 2006 11:22:51 +0200
Simon Richter <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Steve Langasek schrieb:
> 
> >>Package: oldpkg
> >>Depends: newpkg
> >>Description: transitional dummy package
> > 
> >>Package: newpkg
> >>Replaces: oldpkg
> >>Conflicts: oldpkg
> >>Description: ...
> 
> > *NO* *NO* *NO* *NO* *NO*.  Look closely at the package relationships you've
> > specified.  Why would you upload a package to the archive that *can never be
> > installed*?
> 
> Hm, that used to be a "magic" combination that would let dpkg do the 
> right thing.

You should have versioned conflict for old version, otherwise these
packages can not be installed together.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com


signature.asc
Description: PGP signature

Re: Renaming a package

[Goswin von Brederlow]

Simon Richter <[EMAIL PROTECTED]> writes:

> Hi,
>
> Andreas Fester schrieb:
>
>> I create a new package with the new name which will
>> get uploaded to the NEW queue. This package replaces the
>> old package and conflicts with the old package:
>> Replaces: oldPackage
>> Conflicts: oldPackage (<< firstVersionOfNewPackage)
>
> IIRC the correct way to do that is
>
> Package: oldpkg
> Depends: newpkg
> Description: transitional dummy package
>
> Package: newpkg
> Replaces: oldpkg
> Conflicts: oldpkg
> Description: ...

Package: newpkg
Replaces: oldpkg
Conflicts: oldpkg (<< version-of-dummy-package)
Provides: oldpkg
Description: ...

The conflict must be limited to non-dummy versions of oldpkg or the
dummy oldpkg becomes uninstallable (and therefore useless). The
Provides ensures that non-versioned depends on the old package keep
working if you remove the dummy package.

MfG
Goswin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: libdb transition policy?

[Gerfried Fuchs]

Hi!

 Sorry for late response.

* "Nikita V. Youshchenko" <[EMAIL PROTECTED]> [2006-05-24 12:10]:
>> However, contrary to what the NM templates suggest, symbol versioning
>> is not a cure-all for all ABI incompatibilities.  If libetpan returns
>> a DB_ENV * in its API, you need to port[1] all its dependencies to the
>> new Berkeley DB version.
> 
> No, libetpan uses libdb only internally, and does not export it.
> 
> So I guess the question is to people who maintain etpan-ng and 
> sylpheed-claws-gtk2 - is it safe for your packages if I will upload new 
> version of libetpan (without soname change or package name change) that 
> will link against libdb4.4?

 I don't know if anyone has tried to, but I spoke to Hoa (= upstream)
about the thing, and it was like I expected: libetpan uses libdb for its
cache files. If it can't read them (like, b0rked file, or incompatible
old db file) it would get regenerated anyway. So there is no
compatibility problem with changing the libdb in libetpan at all.

 Have fun with updating the library, it won't affect depending packages. :)
Some times are that easy to solve, you know?

 So long,
Alfie
-- 
So ist das Leben eben: Es muss Beben geben, ab und zu.
Noch eben standst Du in der Sonne -- uuh, da kommt der Regen
  -- Seeed, "Tide Is High"


signature.asc
Description: Digital signature

Re: Bug#367853: libdb transition policy?

[Nikita V. Youshchenko]

>  Have fun with updating the library, it won't affect depending packages.
> :) Some times are that easy to solve, you know?

Ok, will upload today :)


pgpHAIvddyz9K.pgp
Description: PGP signature

Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava]

On 28 May 2006, Thomas Bushnell stated:

> Perhaps my just-posted message has too many words to see my point.
>
> In the paragraph above, marked >>>, which was written by you, you
> speak of deception and forgery.  Nothing in the reports of the
> recent incident involving Martin suggests any deception and forgery.
> What about this incident makes you think that any kind of deception
> or forgery was going on?

I really think either you are deliberately being obtuse, or
 nothing I can say will get this through to you.  I fail to see how
 one can assert that there was no forgery going on -- do you
 automatically assume that if a shiney laminated document with some
 random issueing authority listed on it is not forged?  With a issuing
 authority which has entered into international agreements with other
 governments, there is some assurance that a minimum threshold of
 checks are built into the process of issueing travel documents.

Why do you think Bubba does the same thing?

On 29 May 2006, Henning Makholm verbalised:

> If a key-signing method needs any particularly trustworthy behavior
> from the people asking to have keys signed, it is broken, plan and
> simple. It was broken from day one, and it becomes neither more nor
> less broken because anybody in particular does not behave according
> to the rule.
> The entire _point_ of the web-of-trust is to not take people's claim
> about their identity at face value. It is a process rooted in
> _distrust_ and if the mechanisms end up with certified trust where
> none is warranted, the mechanisms are at fault.
> If you do your checks on a way that assume honesty on the signee's
> part, then your checks are broken. When you sign keys you should
> _assume_ that the unknown person who wants you to sign a key is
> dishonest about who he claims to be, and only sign if you see
> something that positively convince you otherwise.

On 28 May 2006, Daniel Dickinson verbalised:

> Er, is it just me or isn't the point of gnupg that there *are*
> people you *can't trust*.  We wouldn't be needing digital signatures
> if everybody honoured the 'gentleman's agreement' that we should
> only sign as ourselves (or at most as a pseudonym that can't be
> confused for a real person) in plaintext email.


On 28 May 2006, Thomas Bushnell told this:
> How is it "cracking" to use Bubba's documents? 

There is a certain sweet naivete in the above messages which
 is rather touching. It is also, of course, devoid of any touch with
 reality: all I can say, gentelmen, is that you have lead sheltered
 lives. There is no key signing protocol that is immune to an attack
 by an unscrupulous enough person:  if I had the inclination, and  a
 few thousands of dollars to burn, I could show up at a KSP with
 passports from half a dozen different countries, some of which would
 have been created with legitimate blanks from the country in
 question.

Nothing that a general software developer can do to check an
 ID is proof against a determined individual, we all assume that there
 is a gentleman's agreement in place that such an attack is not
 mounted.

Yes, there is a difference in degree in ID checks; and I still
 hold that presenting an ID for the purpose of testing the strengrh of
 the ID checks of the individual ratrher than to just legitimately get
 a signature on ones key is an act of bad faith: good faith would have
 been to present the official ID and extend the web of trust.


>So, if the ID says on it, "Bubba's Fake ID Shop", I'm not sure I see
> the problem. 

Dear boy, Bubba's ID's are likely to say Transnational
 Republic.  Or, if Bubba has been allowed to personally examine more
 Bewnjamins,  it could have read the federal republic of Germany. Or
 the united staateds. Or cameroon.

> In other words, Bubba sells forgeries, but the Transnational
> Republic does not.

Riiight.  And I know that how?

manoj
-- 
Suaviter in modo, fortiter in re. Se non e vero, e ben trovato.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Bug#367853: libdb transition policy?

[DINH Viêt Hoà]

On 30 May 2006, at 12:50, Gerfried Fuchs wrote:


Hi!

 Sorry for late response.

* "Nikita V. Youshchenko" <[EMAIL PROTECTED]> [2006-05-24 12:10]:
However, contrary to what the NM templates suggest, symbol  
versioning
is not a cure-all for all ABI incompatibilities.  If libetpan  
returns
a DB_ENV * in its API, you need to port[1] all its dependencies  
to the

new Berkeley DB version.


No, libetpan uses libdb only internally, and does not export it.

So I guess the question is to people who maintain etpan-ng and
sylpheed-claws-gtk2 - is it safe for your packages if I will  
upload new
version of libetpan (without soname change or package name change)  
that

will link against libdb4.4?


 I don't know if anyone has tried to, but I spoke to Hoa (= upstream)
about the thing, and it was like I expected: libetpan uses libdb  
for its

cache files. If it can't read them (like, b0rked file, or incompatible
old db file) it would get regenerated anyway. So there is no
compatibility problem with changing the libdb in libetpan at all.


In fact, I checked the code and it does not this, the database won't  
be regenerated but that might be a enhancement to implement in  
libetpan. Do we need a release to fix this ?

That means that cache files must be deleted by the user.

--
DINH Viêt Hoà

Re: Please revoke your signatures from MartinKraff's keys

[Manoj Srivastava]

On 27 May 2006, Lionel Elie Mamane verbalised:

> On Sat, May 27, 2006 at 05:19:21PM -0500, Manoj Srivastava wrote:
>> On 27 May 2006, Lionel Elie Mamane spake thusly:
>>> On Sat, May 27, 2006 at 02:04:31PM -0500, Manoj Srivastava wrote:
 On 27 May 2006, Lionel Elie Mamane stated:
>
> The US constitution applies only to USA citizens, right?
>
 Wrong

> That's precisely the issue. The standards of "reasonable" are
> different for minors than they are for 'normal' people.

Err, how does this have any bearing on "The US constitution
 applies only to USA citizens"?  Seems to me that you are wafflking
 around, having found no real grounds for your initial inflammatory
 statement. 

Also, you might come from a place where four year old citizens
 are allowed to vote, drive, and join the army, but I am happy  that
 in my country the government does see age as a factor in determining
 rights and duties. This is way off topic, though. 

>> Residency and voting are the two things that are indeed restricted
>> to citizens, and rightly so. ALl this case did was to talk about
>> whether an alien unlawfully in this country does not have a
>> constitutional right to continue to remain in the country when the
>> authorities have, according to the law, have commenced proceedings,
>> adjudicated cases, and are executing removal orders.
>
> What it says is that he/she cannot argue that the removal
> proceedings are being selectively enforced against him/her because
> of his/her opinions and speech, thereby nullifying these rights for
> this class of people.

No, it means that such an appeal has to be mounted post
 deportation proceedings. The fact that the person was here illegally
 was not in question; selectively deporting only some illegals is an
 issue. Well, if you are here illegally, you should expect to be
 deported -- you have no rights to stay here at all.

The fact that you have some to the attention of authorities ,
 and thus are facing deportation, but others who have not yet been
 caught are not being deported have no bearing on this. "Yes, I
 committed a crime, but so did those others" is not really much of a
 defense.

manoj
-- 
We're all in this alone. Lily Tomlin
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Wouter Verhelst]

On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
> On 28 May 2006, Thomas Bushnell stated:
> > Perhaps my just-posted message has too many words to see my point.
> >
> > In the paragraph above, marked >>>, which was written by you, you
> > speak of deception and forgery.  Nothing in the reports of the
> > recent incident involving Martin suggests any deception and forgery.
> > What about this incident makes you think that any kind of deception
> > or forgery was going on?
> 
> I really think either you are deliberately being obtuse, or
>  nothing I can say will get this through to you.  I fail to see how
>  one can assert that there was no forgery going on -- do you
>  automatically assume that if a shiney laminated document with some
>  random issueing authority listed on it is not forged?

  Forgery
[...]
 2. The act of forging, fabricating, or producing falsely; 
esp., the crime of fraudulently making or altering a
writing or signature puporting to be made by another; the
false making or material alteration of or addition to a
written instrument for the purpose of deceit and fraud;
as, the forgery of a bond. --Bouvier.
[1913 Webster]

What Martin Krafft showed you was, according to what he claimed, a
document that was made by the Transnational Republic. If he had changed
some things on that document, then it would have been a forgery;
however, he claims he has not, which would imply that it is not, in
fact, a forgery.

If such a document does not satisfy your definition for a sufficiently
convincing proof of ID, then that is your prerogative, and you are
certainly welcome to refuse to sign keys in such cases. But "It fails
the standards of Manoj Srivastava" is not the definition of "Forgery".
And it is *your* responsibility, not someone else's, to make sure that
the documents you check satisfy whatever standards you choose to uphold.
If you fail to acknowledge that, you may find that people (mostly
inexperienced people) will show you all sorts of things that do not
satisfy your desires for ID cards. On purpose or otherwise.

[...]
> > In other words, Bubba sells forgeries, but the Transnational
> > Republic does not.
> 
> Riiight.  And I know that how?

You could know that; you could just as well not know. If you do not
know, then it is your prerogative to decide not to sign anything based
on a TR ID card. But that doesn't make the person showing you that card
dishonest or a forger.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Shouldn't we have more ftp masters ?

[Wouter Verhelst]

On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
> 
> [Benjamin Seidenberg]
> > FYI:
> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
> >  clear that in my jetlag time, in those nights i
> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
> 
> Sounds good, but do not really addresses the fundamental problem here,
> which is that NEW processing at the moment is fragile and stops
> completely when the single person handling NEW is busy elsewhere.

There are two people, they are both on vacation.

[...]
> Friendly,

Whoa.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: HOWTO rebuild the archive

[Wouter Verhelst]

On Tue, May 30, 2006 at 09:57:04AM +0200, Goswin von Brederlow wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > Whether doing it this way is a good idea, though, I don't know. Buildd
> > surely wasn't designed for this.
> 
> It is much simpler than to set up wanna-build and a local archive but
> you loose the tracking of package status that wanna-build would give
> you.

My point exactly.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: bits from the release team: release goals, python, X.org, amd64, timeline

[Wouter Verhelst]

On Tue, May 30, 2006 at 12:05:26PM +0200, Andreas Barth wrote:
> Timeline
> 
> 
> Now, let's please take a more detailed look at the time line:
> 
> 
>  Thu 15 Jun 06:
>  
> last chance to switch to gcc 4.1, python 2.4
> review architectures one more time
> last chance to add new architectures
> 
> RC bug count less than 300

Since m68k pretty much depends on the gcc-4.1 transition to make it in
again, I would suggest that we (as in, the m68k port) make the switch to
GCC4.1 as the default already. This will allow us to verify that stuff
actually builds and works, and to catch up with building those that fail
with ICE in gcc-4.0 before that time. Since m68k is not a release
architecture right now, this should not cause any problems for any other
port if the GCC 4.1 transition does not happen, but it will help if it
does.

Thoughts, objections?

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava]

On 30 May 2006, Wouter Verhelst spake thusly:

> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>> On 28 May 2006, Thomas Bushnell stated:
>>> Perhaps my just-posted message has too many words to see my point.
>>>
>>> In the paragraph above, marked >>>, which was written by you, you
>>> speak of deception and forgery.  Nothing in the reports of the
>>> recent incident involving Martin suggests any deception and
>>> forgery.  What about this incident makes you think that any kind
>>> of deception or forgery was going on?
>>
>> I really think either you are deliberately being obtuse, or
>> nothing I can say will get this through to you.  I fail to see how
>> one can assert that there was no forgery going on -- do you
>> automatically assume that if a shiney laminated document with some
>> random issueing authority listed on it is not forged?
>
> What Martin Krafft showed you was,

How do I know that person actually was  Martin Krafft?

> according to what he claimed,

If I claim to be president George Clooney, and show you a
 document that proves I am such, and I earnestly claim it was not
 forged, but Bubba looked at all kinds of documentation that says I am
 such a person, you would proclaim from the roof tops that no forgery
 occurred? 

My goodness me.

> a document that was made by the Transnational Republic. If he had
> changed some things on that document, then it would have been a
> forgery; however, he claims he has not, which would imply that it is
> not, in fact, a forgery.

Riiigt. And I am Angelina Jolie.

You know, I give up.  Apparently there is no way I can convey
 the concept of trusted paths and trusted processes to the people so
 passionately arguing with me, and this is getting tedious.

I'll just have to accept that concepts of security and bad
 faith in this community are hard to get across.

As a final note: Look for motivation. Presenting documents
 from an untrusted source to trick the unwary into signing to show how
 weak the ID checks are is still a trick.

ALl I have heard people say that my processes should be
 resistant to evil-doers trying to trick me.

Very true.

I say people who try to trick me into signing a key based on
 an untrusted process of identity verification are evil doers.

manoj
-- 
A boss with no humor is like a job that's no fun.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Wouter Verhelst]

On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
> On 30 May 2006, Wouter Verhelst spake thusly:
> 
> > On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
> >> On 28 May 2006, Thomas Bushnell stated:
> >>> Perhaps my just-posted message has too many words to see my point.
> >>>
> >>> In the paragraph above, marked >>>, which was written by you, you
> >>> speak of deception and forgery.  Nothing in the reports of the
> >>> recent incident involving Martin suggests any deception and
> >>> forgery.  What about this incident makes you think that any kind
> >>> of deception or forgery was going on?
> >>
> >> I really think either you are deliberately being obtuse, or
> >> nothing I can say will get this through to you.  I fail to see how
> >> one can assert that there was no forgery going on -- do you
> >> automatically assume that if a shiney laminated document with some
> >> random issueing authority listed on it is not forged?
> >
> > What Martin Krafft showed you was,
> 
> How do I know that person actually was  Martin Krafft?

You already know that, though you can't be sure. Just as you can't be
sure that he was a forger, either.

> > according to what he claimed,
> 
> If I claim to be president George Clooney, and show you a
>  document that proves I am such, and I earnestly claim it was not
>  forged, but Bubba looked at all kinds of documentation that says I am
>  such a person, you would proclaim from the roof tops that no forgery
>  occurred? 

No, I wouln't do that. However, I wouldn't start proclaiming the
opposite from the roof tops, either, like you seem to do.

> > a document that was made by the Transnational Republic. If he had
> > changed some things on that document, then it would have been a
> > forgery; however, he claims he has not, which would imply that it is
> > not, in fact, a forgery.
> 
> Riiigt. And I am Angelina Jolie.

Oh, get real.

Why do you keep claiming that he did deliberately change things on this
Transnational Republic ID card?

It is your duty on a key signing party to proof your own identity to
other people, and to make sure that the proofs of identity other people
give you are sufficiently convincing to you.

Martin did that; he showed you a card which stated that he is Martin
Krafft. Of course that doesn't mean he actually _is_ Martin Krafft; you
have to check that card to make sure you have reason to believe the card
is telling the truth.

> You know, I give up.  Apparently there is no way I can convey
>  the concept of trusted paths and trusted processes

Sure there is. I couldn't agree with you more than that an ID card given
out by a body of people whom I'd never heard of before this discussion,
and that is _not_ a government, is not at all sufficient proof of ID for
me to sign their key. On the point of trusted paths, we agree.

However, "trusted processes" do not lie with people who are trying to
convince you of their identity. If you trust anyone to tell the truth
about their identity, which is what your argument implies, then you have
processes that are anything but trusted. It is you who would seem to
have to be educated about what "trusted processes" actually means, not
me.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Frank Küster]

Manoj Srivastava <[EMAIL PROTECTED]> wrote:

> On 30 May 2006, Wouter Verhelst spake thusly:
>
>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>>> On 28 May 2006, Thomas Bushnell stated:
 Perhaps my just-posted message has too many words to see my point.

 In the paragraph above, marked >>>, which was written by you, you
 speak of deception and forgery.  Nothing in the reports of the
 recent incident involving Martin suggests any deception and
 forgery.  What about this incident makes you think that any kind
 of deception or forgery was going on?
>>>
>>> I really think either you are deliberately being obtuse, or
>>> nothing I can say will get this through to you.  I fail to see how
>>> one can assert that there was no forgery going on -- do you
>>> automatically assume that if a shiney laminated document with some
>>> random issueing authority listed on it is not forged?
>>
>> What Martin Krafft showed you was,
>
> How do I know that person actually was  Martin Krafft?

This is getting ridiculuous.  If what I've read about the incident is
correct, the same person also showed a German ID card with identical
information about the person.  Either you believe ID cards, then you
believe it was Martin Krafft.  Or you don't, then you shouldn't ask
people to revoke their signatures on Martin Krafft's key - when I signed
his key, I verified his identity with an ID that I trusted and still
trust.  Why should I revoke the signature or not sign his new key, when
you don't even know whether it was really him?

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)

Re: Real Life hits: need to give up packages for adoption

[Otavio Salvador]

Simon Richter <[EMAIL PROTECTED]> writes:

> Hi,
>
> Christoph Haas schrieb:
>
>>>* NTP server
>>>  (some work required; currently, not-really-maintained by the Debian
>>>  NTP Team, which consists of zero active members)
>
>> I'd take my chance on this one. There is a large number of bugs open and
>> I believe that this package is very important. Still I'd like to have a
>> co-maintainer for the package. Anyone else interested? I'd create an SVN
>> repository on my server or alioth.
>
> I have no problem with co-maintenance, but I'd have a problem with svn.

Maybe bzr or git?

-- 
O T A V I OS A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Shouldn't we have more ftp masters ?

[Otavio Salvador]

Wouter Verhelst <[EMAIL PROTECTED]> writes:

> On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
>> 
>> [Benjamin Seidenberg]
>> > FYI:
>> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
>> >  clear that in my jetlag time, in those nights i
>> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
>> 
>> Sounds good, but do not really addresses the fundamental problem here,
>> which is that NEW processing at the moment is fragile and stops
>> completely when the single person handling NEW is busy elsewhere.
>
> There are two people, they are both on vacation.

But then, isn't the time to choose people to fulfill positions when
key people is in vacation?

IMHO, key people should always keep someone doing the job when going
out so the project don't slow down because of it. Our current, active,
ftpmaster are very receptive but this don't exclude the possibility of
them going to vacation together or at same time and the project slow
down a bit.

-- 
O T A V I OS A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Christoph Haas]

On Tue, May 30, 2006 at 10:09:07AM -0300, Otavio Salvador wrote:
> Simon Richter <[EMAIL PROTECTED]> writes:
> 
> > Hi,
> >
> > Christoph Haas schrieb:
> >
> >>>* NTP server
> >>>  (some work required; currently, not-really-maintained by the Debian
> >>>  NTP Team, which consists of zero active members)
> >
> >> I'd take my chance on this one. There is a large number of bugs open and
> >> I believe that this package is very important. Still I'd like to have a
> >> co-maintainer for the package. Anyone else interested? I'd create an SVN
> >> repository on my server or alioth.
> >
> > I have no problem with co-maintenance, but I'd have a problem with svn.
> 
> Maybe bzr or git?

I'm currently looking into several systems. Usually I use Subversion and
svn-buildpackage but due to a lot of trouble with svn-buildpackage I
have moved away from repositories for my Debian packages lately.

Darcs looks like a nice competitor but has some issues regarding
checking in changes automatically (might as well be my ignorance but it
sounds like I need weird scripts and a .procmailrc to merge changes
automatically).

For git and bzr there don't seem to be sophisticated tools to build
packages (*-buildpackage). svn-buildpackage for example keeps the
upstream tarballs in one directory but still builds from the trunk/
which is pretty nice.

Well, well, all the RCS philosophy again. Too much choice.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All


signature.asc
Description: Digital signature

Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava]

On 30 May 2006, Wouter Verhelst stated:

> On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
>> On 30 May 2006, Wouter Verhelst spake thusly:
>>
>>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
 On 28 May 2006, Thomas Bushnell stated:
> Perhaps my just-posted message has too many words to see my
> point.
>
> In the paragraph above, marked >>>, which was written by you,
> you speak of deception and forgery.  Nothing in the reports of
> the recent incident involving Martin suggests any deception and
> forgery.  What about this incident makes you think that any kind
> of deception or forgery was going on?

 I really think either you are deliberately being obtuse, or
 nothing I can say will get this through to you.  I fail to see
 how one can assert that there was no forgery going on -- do you
 automatically assume that if a shiney laminated document with
 some random issueing authority listed on it is not forged?
>>>
>>> What Martin Krafft showed you was,
>>
>> How do I know that person actually was  Martin Krafft?
>
> You already know that, though you can't be sure. Just as you can't
> be sure that he was a forger, either.

I don't already know that. How could I?

>
>>> according to what he claimed,
>>
>> If I claim to be president George Clooney, and show you a document
>> that proves I am such, and I earnestly claim it was not forged, but
>> Bubba looked at all kinds of documentation that says I am such a
>> person, you would proclaim from the roof tops that no forgery
>> occurred?
>
> No, I wouln't do that. However, I wouldn't start proclaiming the
> opposite from the roof tops, either, like you seem to do.

I guess You can't read.  I have never stated that I know it is
 a forgery:  I can't since I do not have that data. I have stated I
 have absolutely no trust path to the identity proclaimed, so I am
 going to treat it as though it were; since there is, in my opinion,
 already an act of bad faith in play since someone is trying to trick
 people into signing keys based on a identification paper from less
 than trusted sources.

>
>>> a document that was made by the Transnational Republic. If he had
>>> changed some things on that document, then it would have been a
>>> forgery; however, he claims he has not, which would imply that it
>>> is not, in fact, a forgery.
>>
>> Riiigt. And I am Angelina Jolie.
>
> Oh, get real.

Great argument.

> Why do you keep claiming that he did deliberately change things on
> this Transnational Republic ID card?

Where did I make this claim? I know english is not your first
 language, but you know, these idiotic accusations are getting rather
 shrill.

I merely claim that I have no better proof that the person who
 claims to be Martin is martin, than you have that I am  Ms. Jolie in
 drag.

> It is your duty on a key signing party to proof your own identity to
> other people, and to make sure that the proofs of identity other
> people give you are sufficiently convincing to you.

> Martin did that; he showed you a card which stated that he is Martin
> Krafft. Of course that doesn't mean he actually _is_ Martin Krafft;
> you have to check that card to make sure you have reason to believe
> the card is telling the truth.

No, giving me Bubba's ID cards and putting the burden of proof
 on me does not absolve the evil doer from the fact that an attempt to
 trick people was in play.

Yes, people are resposible for their action. This applies
 equally to the person trying to trick the people.

You seem to be unable to see the distinction between the fact
 that people should be on guard againt evil doers. Let me see if I can
 dumb down an example.

See, if you go to a big city like New York, London, or Bombay,
 there are grifters, con-men, and pick pockets. You are expected to,
 as seasoned travellers, to be careful of how you carry your
 valuables, to make it harder for pick pockets to make off with
 them. If you fail, are you solely responsible?

Is the pick pocket blameless, since you obviously failed to
 guard against the pick pocket?

>> You know, I give up.  Apparently there is no way I can convey
>> the concept of trusted paths and trusted processes
>
> Sure there is. I couldn't agree with you more than that an ID card
> given out by a body of people whom I'd never heard of before this
> discussion, and that is _not_ a government, is not at all sufficient
> proof of ID for me to sign their key. On the point of trusted paths,
> we agree.

So far, so good.

> However, "trusted processes" do not lie with people who are trying
> to convince you of their identity. If you trust anyone to tell the
> truth about their identity, which is what your argument implies,
> then you have processes that are anything but trusted. It is you who
> would seem to have to be educated about what "trusted processes"

Re: [Debconf-discuss] list of valid documents for KSPs

[Wouter Verhelst]

On Tue, May 30, 2006 at 08:50:41AM -0500, Manoj Srivastava wrote:
> On 30 May 2006, Wouter Verhelst stated:
[...]
> > However, "trusted processes" do not lie with people who are trying
> > to convince you of their identity. If you trust anyone to tell the
> > truth about their identity, which is what your argument implies,
> > then you have processes that are anything but trusted. It is you who
> > would seem to have to be educated about what "trusted processes"
> > actually means, not me.
> 
> Fine. I'll see if I can procure a sample identity card from my
>  friends at work  and see if you can spot the difference.  I am
>  willing to bet about a thousand euros that you would not be able to
>  spot the fake.

Given how the exchange is preannounced, I might be willing to take that
bet ;-)

>  The only thing keeping you on your high horse about people in the
>  community being trustable is htat you apparently have never seen how
>  good fake documents can be.

I am fully aware that fake documents can be very good. However, your
example does not involve any fake document, only dishonesty.  A document
that belongs to a different person does not make a fake document.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Aurelien Jarno]

Aurelien Jarno a écrit :

Hi all,

As gcc-4.1 may be the default compiler soon (I hope so), I have tried to 
build the glibc with it.


Currently it builds and works on the following architectures:
amd64, hppa, i386, mips, mipsel, sparc

The packages are available [1], but a but outdated. It should not be a 
problem, as the changes are not so important between this version and 
the current one. It would be nice if some other people could test them, 
so the problems (if any) could be fixed.


It fails to build on powerpc, but I haven't investigated the problem yet.


I have fixed the problem, it now builds ok on powerpc. The packages are 
on available on [1]. They work fine on my machine.


I will build it on arm as soon as I get back home, as my machine is 
currently down.


I am looking for people to build an test it on alpha, ia64, m68k and 
s390. The source is available on the same place as the binaries [1].


glibc builds fine with gcc-4.1 on s390, but I haven't tested the 
resulting packages, they are available on [1]. The testsuite looks ok.


On arm, ia64 and alpha the glibc fails to build with gcc-4.1. I haven't 
found the time to investigate the problems now, but a quick look seems 
to say that on arm this is a glibc problem, whereas I suspect a problem 
with gcc-4.1 on ia64 and alpha. More to come as soon as I find some time...


I haven't done a build on m68k yet.

[1] http://people.debian.org/~aurel32/glibc

--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Shouldn't we have more ftp masters ?

[Michael Banck]

People, please move this thread over to -project

On Tue, May 30, 2006 at 10:13:37AM -0300, Otavio Salvador wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
> >> [Benjamin Seidenberg]
> >> > FYI:
> >> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
> >> >  clear that in my jetlag time, in those nights i
> >> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
> >> 
> >> Sounds good, but do not really addresses the fundamental problem here,
> >> which is that NEW processing at the moment is fragile and stops
> >> completely when the single person handling NEW is busy elsewhere.
> >
> > There are two people, they are both on vacation.
> 
> But then, isn't the time to choose people to fulfill positions when
> key people is in vacation?

Only the ftp-assistants were on vacation, the ftp-masters were still
around.  I assume they evaluated the situation and decided it was not
critical enough to warrant further steps.

> IMHO, key people should always keep someone doing the job when going
> out so the project don't slow down because of it. Our current, active,
> ftpmaster are very receptive but this don't exclude the possibility of
> them going to vacation together or at same time and the project slow
> down a bit.

Well, it seems their vacations are over now or very soon, so this point
is moot.

Personally, I don't think this issue is enough to revoke ftp-master's
right to choose their staff among themselves, but rather push more
people onto their team without their consent.

Please follow-up on -project.


Michael

-- 
Michael Banck
Debian Developer
[EMAIL PROTECTED]
http://www.advogato.org/person/mbanck/diary.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Ingo Juergensmann]

On Tue, May 30, 2006 at 04:31:33PM +0200, Aurelien Jarno wrote:

> I haven't done a build on m68k yet.

I tried it on akire, but was interrupted by real world issues. 
When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
whatever) I would retry... 

-- 
Ciao...//Fon: 0381-2744150 
  Ingo   \X/ SIP: [EMAIL PROTECTED]

gpg pubkey: http://www.juergensmann.de/ij/public_key.asc


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava]

On 30 May 2006, Frank Küster told this:

> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
>
>> On 30 May 2006, Wouter Verhelst spake thusly:
>>
>>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
 On 28 May 2006, Thomas Bushnell stated:
> Perhaps my just-posted message has too many words to see my
> point.
>
> In the paragraph above, marked >>>, which was written by you,
> you speak of deception and forgery.  Nothing in the reports of
> the recent incident involving Martin suggests any deception and
> forgery.  What about this incident makes you think that any kind
> of deception or forgery was going on?

 I really think either you are deliberately being obtuse, or
 nothing I can say will get this through to you.  I fail to see
 how one can assert that there was no forgery going on -- do you
 automatically assume that if a shiney laminated document with
 some random issueing authority listed on it is not forged?
>>>
>>> What Martin Krafft showed you was,
>>
>> How do I know that person actually was  Martin Krafft?
>
> This is getting ridiculuous.

With this I tend to agree.  Your credulity is unbelievable.

> If what I've read about the incident is correct, the same person
> also showed a German ID card with identical information about the
> person.

Holy batmobiles, man, how can you believe that? You weren't
 there.  How can you assert that there was a real ID by hearsay? Even
 if you go by the blog posting that opened this discussion, most of
 the people rpesent did not see this so called real ID. Even if the
 blog posting was not exaggerated, all you need is a bunch of people
 in cahoots to play a prank to assure you there was an ID -- and you
 fell for it.

How do you know this is not an ongoing prank to gull the
 community into believing there identiy of the person tunning this was
 not fake?

The best you can assert is that in your belief such a hoax
 would be unheard of, hard to credit, too much work.

I would have asserted that a DD would not try to trick people
 into signing keys, and not immediately dovulge such a trick before
 people signed keys -- expriment was over long before.


I'll post more about hat under a separate title.

manoj
-- 
One seldom sees a monument to a committee.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Red team attacks vs. cracking

[Manoj Srivastava]

Hi,

This is to forestall those of you who seem to be be arguing
 that the debconf6 KSP crack was a red team attack -- here is how that
 attack differed from a legitimate red team effort (I have been a
 member of red teams before, and have lead a number of red team
 attacks in my time).

  a) You talk to the chain of command. The DPL was present, the the
 person running the key signing come to mind.  The red team
 details the attack to the officer in charge, laying out the plan,
 so that the attack and response can be monitored
  b) No actual damage is done -- in this case, the web of trust should
 not be contaminated by actual keys being signed.  This could have
 been easily done by proclaiming the deception when the KSP was
 just over, and by sending an email to the debconf list, and to
 the devel list, and in the IRC channel.  The experiment was over
 by then -- people had challenged, or not, the key.
   c) Allow the blue team to dissect the attack. This could have been
  done easily by setting up in hacklab, allowing people toexamine
  the trick ID, the real ID, and have other people with german
  passports and the DPL assure us that there was no real attack in
  progress, and allow us all to examine the passport, if any, to
  assure us of the identity of the red team, belatedly.

None of these characteristics of a legitimate read team attack
 were in evidence. The disclosure came days later, in a blog posting,
 well after the web of trust was tainted by fake signatures.

My friends, I know read team attacks. Red teams are friends of
 mine. This, my friends, was no read team attack.

manoj
ps: udos to those who get the last para.
-- 
Garbage In, Gospel Out
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Re: Re: screenshot with package description

[Michelle Konzack]

Hie Gonéri and *,

Am 2006-05-19 12:26:23, schrieb Gonéri Le Bouder:
> > However, another solution would be just place these JPGs and PNGs flat
> > on the server and have apt just download them and save them
> Yes, a public repository where people download the picture when they need it.

This was my idea too

> i have an Internet access (dialup or broadband)
> 1) I set a remote repository URL with apt-pixmap
> 2) I display the package description of a new package in Synaptic.
> 3) Synaptic download the index file from the repository
> 4) Synaptic parse the index
> 5) Synaptic download the screenshot(s) and logo and show them with their 
> descriptions
> 6) Synaptic remove the dowloaded picture unless specific setting in Synaptic
> 
> 
> If i'm an offline user:
> 1) I set a local repositroy from my medias with apt-pixmap
> 2) apt-pixmap copy the pixmap from the media in /var/cache/apt/pixmap. If the 
> media provide more than one size, I can select the prefered one.
> 3) I display the package description of a new package in Synaptic.
> 4) Synaptic read the index file from the local cache
> 5) Synaptic parse the index
> 6) Synaptic read the screenshot(s) and logo and show them with their 
> descriptions
> 
> 
> I think i'll have a server next week to begin to collect screenshots.
> 
> Regards,
> 
>   Gonéri

Greetings
Michelle Konzack


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Aurelien Jarno]

Ingo Juergensmann a écrit :

On Tue, May 30, 2006 at 04:31:33PM +0200, Aurelien Jarno wrote:



I haven't done a build on m68k yet.



I tried it on akire, but was interrupted by real world issues. 
When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
whatever) I would retry... 



Very easy:

dget http://people.debian.org/~aurel32/glibc/glibc_2.3.6-7+gcc41.dsc
dpkg-source -x glibc_2.3.6-7+gcc41.dsc
cd glibc-2.3.6
debuild or dpkg-buildpackage -rfakeroot

and wait a long time...

--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#369543: ITP: libdata-dump-perl -- Pretty printing of data structures

[Krzysztof Krzyzaniak (eloy)]

Package: wnpp
Severity: wishlist
Owner: "Krzysztof Krzyzaniak (eloy)" <[EMAIL PROTECTED]>

* Package name: libdata-dump-perl
  Version : 1.06
  Upstream Author : Gisle Aas <[EMAIL PROTECTED]>
* URL : 
http://mirrors.kernel.org/cpan/modules/by-module/Data/Data-Dump-1.06.tar.gz
* License : Perl: GPL/Artistic
  Programming Lang: Perl
  Description : Pretty printing of data structures

 Data::Dump provides a single function called dump() that takes a list
 of values as its argument and produces a string as its result.  The string
 contains Perl code that, when evaled, produces a deep copy of the
 original arguments.  The string is formatted for easy reading.
 .
 If dump() is called in a void context, then the dump is printed on
 STDERR instead of being returned.
 .
 If you don't like importing a function that overrides Perl's
 not-so-useful builtin, then you can also import the same function as
 pp(), mnemonic for "pretty-print".
   

Note: I know that Data::Dumper exists but Data::Dump is needed to upload new 
libdbix-class-schema-loader-perl package

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Michael Banck]

Manoj,

On Tue, May 30, 2006 at 09:52:11AM -0500, Manoj Srivastava wrote:
> This is to forestall those of you who seem to be be arguing
>  that the debconf6 KSP crack was a red team attack -- here is how that
>  attack differed from a legitimate red team effort (I have been a
>  member of red teams before, and have lead a number of red team
>  attacks in my time).

I don't think this mail is on-topic on -devel, could you please repost
it on project?


thanks,

Michael

-- 
Michael Banck
Debian Developer
[EMAIL PROTECTED]
http://www.advogato.org/person/mbanck/diary.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Frank Küster]

Manoj Srivastava <[EMAIL PROTECTED]> wrote:

 What Martin Krafft showed you was,
>>>
>>> How do I know that person actually was  Martin Krafft?
>>
>> This is getting ridiculuous.
>
> With this I tend to agree.  Your credulity is unbelievable.
>
>> If what I've read about the incident is correct, the same person
>> also showed a German ID card with identical information about the
>> person.
>
> Holy batmobiles, man, how can you believe that? You weren't
>  there.  How can you assert that there was a real ID by hearsay? Even
>  if you go by the blog posting that opened this discussion, most of
>  the people rpesent did not see this so called real ID. Even if the
>  blog posting was not exaggerated, all you need is a bunch of people
>  in cahoots to play a prank to assure you there was an ID -- and you
>  fell for it.

Okay, so you don't believe the person present was actually Martin
Krafft; or at least you have serious doubts.

I am still waiting for you apology to the real Martin Krafft.

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)

Re: Real Life hits: need to give up packages for adoption

[Antti-Juhani Kaijanaho]

Christoph Haas wrote:

Darcs looks like a nice competitor but has some issues regarding
checking in changes automatically (might as well be my ignorance but it
sounds like I need weird scripts and a .procmailrc to merge changes
automatically).


You don't *need* them; you can choose to do that, but you can also 
choose otherwise.  There are two ways to give contributors "commit 
access" in darcs.  (I'm using quotes because in Darcs, "commit" is an 
ambiguous term and is usually avoided; I'm using it here to mean 
incorporating a change in a special project-wide shared repository.)


***

Way One
---

Set up an email address which feeds messages to darcs.  Darcs is capable 
of checking GnuPG signatures in these mails and only allowing known keys 
to "commit".  The contributor "commits" by using the "darcs send" command.


The upside is that the contributors do not need shell access to the 
server.  The downside is that setting this up is not very easy.


Way Two
---

Give contributors shell access to the server; make the shared repository 
writable by all these accounts.  The contributor "commits" by using the 
"darcs push" command.


The upside is that this is very easy to set up.  The downside is that 
you need to give contributors shell access.


(I suppose a restricted shell is possible.  I haven't investigated this.)

***

I personally prefer Way Two.  I have tried Way One, but it isn't worth 
the trouble most of the time.


What makes darcs special in my opinion is its support for second-class 
contributors: anybody can "darcs send" stuff to the project mailing list 
(if you've set stuff up for this; it's not very hard), the email is both 
human- and computer-readable: it can be eyeballed and it can be fed 
directly to darcs to incorporate the change to the local repository 
(from which it can be "committed" to the shared repository, if this is 
desired and one has the necessary "commit" privs).



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Ingo Juergensmann]

On Tue, May 30, 2006 at 04:44:49PM +0200, Aurelien Jarno wrote:

> >I tried it on akire, but was interrupted by real world issues. 
> >When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
> >whatever) I would retry... 
> Very easy:
> dget http://people.debian.org/~aurel32/glibc/glibc_2.3.6-7+gcc41.dsc
> dpkg-source -x glibc_2.3.6-7+gcc41.dsc
> cd glibc-2.3.6
> debuild or dpkg-buildpackage -rfakeroot
> and wait a long time...

akire:/build/glibc/glibc-2.3.6# dpkg-buildpackage -rfakeroot | tee
../glibc-build-2006-05-30.log
dpkg-buildpackage: source package is glibc
dpkg-buildpackage: source version is 2.3.6-7+gcc41
dpkg-buildpackage: source changed by Aurelien Jarno <[EMAIL PROTECTED]>
dpkg-buildpackage: host architecture m68k
dpkg-buildpackage: source version without epoch 2.3.6-7+gcc41
 fakeroot debian/rules clean
dh_clean
rm -f debian/*.install*
[...]
rm -rf debian/include
 dpkg-source -b glibc-2.3.6
dpkg-source: building glibc using existing glibc_2.3.6.orig.tar.gz
dpkg-source: building glibc in glibc_2.3.6-7+gcc41.diff.gz
...

So, it's on its way... ;)

-- 
Ciao...//Fon: 0381-2744150 
  Ingo   \X/ SIP: [EMAIL PROTECTED]

gpg pubkey: http://www.juergensmann.de/ij/public_key.asc


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Thomas Bushnell BSG]

Manoj Srivastava <[EMAIL PROTECTED]> writes:

> I really think either you are deliberately being obtuse, or
>  nothing I can say will get this through to you.  I fail to see how
>  one can assert that there was no forgery going on -- do you
>  automatically assume that if a shiney laminated document with some
>  random issueing authority listed on it is not forged?  

What I have said is that there is no evidence of forgery, not a jot,
not a tittle, not a suggestion, not a hint.  What evidence of forgery
is there?  Please trot it out.  Spell it out for me, *please*.

I understand a forged document to be one which was not produced by the
organization which is claimed on its face, or which has been
materially altered from what the organization originally issued.  What
makes you think something of this sort is going on here?

What has been reported is that there was an ID from the Transnational
Republic presented.  Do you have any reason to suspect that this was
forged?

>>So, if the ID says on it, "Bubba's Fake ID Shop", I'm not sure I see
>> the problem. 
>
> Dear boy, Bubba's ID's are likely to say Transnational
>  Republic.  Or, if Bubba has been allowed to personally examine more
>  Bewnjamins,  it could have read the federal republic of Germany. Or
>  the united staateds. Or cameroon.

But the card presented *didn't* say "federal republic of germany", did
it?

>> In other words, Bubba sells forgeries, but the Transnational
>> Republic does not.
>
> Riiight.  And I know that how?

It doesn't matter, since an ID issued by the Transnational Republic
which says "Transnational Republic" is not a forgery.  If you think
this one was a forgery, then why?  Who do you think *did* issue it?
What on earth is your evidence that it is not really from the
Transnational Republic?

For my part, I wouldn't sign a key on the basis of such an ID, because
the Transnational Republic is not a real country and I don't know
enough about it to have the necessary confidence in its credentials.
But that doesn't make someone a fraud because he presents the
credential. 

Thomas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Thomas Bushnell BSG]

Manoj Srivastava <[EMAIL PROTECTED]> writes:

> If I claim to be president George Clooney, and show you a
>  document that proves I am such, and I earnestly claim it was not
>  forged, but Bubba looked at all kinds of documentation that says I am
>  such a person, you would proclaim from the roof tops that no forgery
>  occurred? 

No, that would be a forgery.

Do you have any reason to suspect that this is what happenned?

> You know, I give up.  Apparently there is no way I can convey
>  the concept of trusted paths and trusted processes to the people so
>  passionately arguing with me, and this is getting tedious.

We understand it just fine.  Nobody in their right mind should accept
the Transnational Republic ID without knowing a lot more about the
organization than I do.  Anyone who signed the key on that basis
should have egg on their face, and should seriously consider revoking
the signature.

But that *doesn't* make Martin a forger.

> As a final note: Look for motivation. Presenting documents
>  from an untrusted source to trick the unwary into signing to show how
>  weak the ID checks are is still a trick.

Once more, Manoj, did you buy the ID?  It's time for you to spell it
out.  Did you look at the Transnational Republic card, say "yep,
that's the right picture", and then go ahead and sign the key?  

And, for all we know, the Transnational Republic is a good source.  We
just don't know.  Only the people who know more about the organization
than you or I do can judge.  If I present my University of California
ID, that's a very good ID, but most people wouldn't know that, and
it's not unfair trickery of me to present it.

Thomas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Thomas Bushnell BSG]

Manoj Srivastava <[EMAIL PROTECTED]> writes:

> I guess You can't read.  I have never stated that I know it is
>  a forgery:  I can't since I do not have that data. I have stated I
>  have absolutely no trust path to the identity proclaimed, so I am
>  going to treat it as though it were; since there is, in my opinion,
>  already an act of bad faith in play since someone is trying to trick
>  people into signing keys based on a identification paper from less
>  than trusted sources.

Whether a source is trusted depends on the truster.  An ID might be an
excellent trusted path for one person and not for another.  For
example, my University of California ID.  Indeed, I might sign a
photograph affidavit of identity for a friend of mine.  People who
know me and know my signature would accept that as ID for the friend;
people who do not know me or do not know my signature should not
accept that as ID.

It is you that do not trust a Transnational Republic ID, and with good
reason.  You shouldn't trust it, and neither should or would I.  But
that does *not* mean that anyone who presents it is trying to trick
you.

>> Why do you keep claiming that he did deliberately change things on
>> this Transnational Republic ID card?
>
> Where did I make this claim? I know english is not your first
>  language, but you know, these idiotic accusations are getting rather
>  shrill.

You claim that there was forgery.  Or at least, you were claiming that.

> No, giving me Bubba's ID cards and putting the burden of proof
>  on me does not absolve the evil doer from the fact that an attempt to
>  trick people was in play.

What was the trick?  Exactly, please.  What fact were people being
tricked into believing?

Thomas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Thomas Bushnell BSG]

Manoj Srivastava <[EMAIL PROTECTED]> writes:

> This is to forestall those of you who seem to be be arguing
>  that the debconf6 KSP crack was a red team attack -- here is how that
>  attack differed from a legitimate red team effort (I have been a
>  member of red teams before, and have lead a number of red team
>  attacks in my time).

I haven't heard anyone make such a claim.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[gregor herrmann]

On Mon, May 29, 2006 at 09:29:34PM +0200,  wrote:

> * libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
>   libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
>   libnet-xwhois-perl, libvideo-capture-v4l-perl
>   (easy pickings; check for new Upstream)

I guess these packages would fit in the Debian Perl Group's
"collection".
If there are no objections I would start to move them over.

gregor
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian: the universal operating system - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-NP: Dire Straits: Walk Of Life


signature.asc
Description: Digital signature

Re: Real Life hits: need to give up packages for adoption

[Hubert Chan]

On Mon, 29 May 2006 21:29:34 +0200, [EMAIL PROTECTED] (Unknown) said:

> * ufraw (need to package new Upstream; easy)

I can take this if nobody else wants it.

-- 
Hubert Chan - email & Jabber: [EMAIL PROTECTED] - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA   (Key available at wwwkeys.pgp.net)
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava]

On 30 May 2006, Frank Küster verbalised:

> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
>
> What Martin Krafft showed you was,

 How do I know that person actually was  Martin Krafft?
>>>
>>> This is getting ridiculuous.
>>
>> With this I tend to agree.  Your credulity is unbelievable.
>>
>>> If what I've read about the incident is correct, the same person
>>> also showed a German ID card with identical information about the
>>> person.
>>
>> Holy batmobiles, man, how can you believe that? You weren't there.
>> How can you assert that there was a real ID by hearsay? Even if you
>> go by the blog posting that opened this discussion, most of the
>> people rpesent did not see this so called real ID. Even if the blog
>> posting was not exaggerated, all you need is a bunch of people in
>> cahoots to play a prank to assure you there was an ID -- and you
>> fell for it.
>
> Okay, so you don't believe the person present was actually Martin
> Krafft; or at least you have serious doubts.

I didn't say that either. Why do people keep asserting
 stronger statements than I am making? Are finer distinctions a lost
 art?

I said: I have no way of knowing if that person was, or was
 not, Marting; but faced with an issue of identity verification and
 trust, the default position is to treat him as a bogey.  Is this
 really that hard to understand?


Based on this thread, I would think that Stave Langasek was
 dead on: any transitive trust in Debian's keyring is
 non-existenet. So, using the signed key as a mesure of trust in the
 identity of a NM candidate by the DAMS is probably misplaced trust;
 people are apparently pretty darned gullible  in our community.

The DAM's should revert to stronger requirements for
 meat space identity, at their own discretion.

manoj
-- 
"I'm growing older, but not up." Jimmy Buffett
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [Debconf-discuss] list of valid documents for KSPs

[Thomas Bushnell BSG]

Manoj Srivastava <[EMAIL PROTECTED]> writes:

> Based on this thread, I would think that Stave Langasek was
>  dead on: any transitive trust in Debian's keyring is
>  non-existenet. So, using the signed key as a mesure of trust in the
>  identity of a NM candidate by the DAMS is probably misplaced trust;
>  people are apparently pretty darned gullible  in our community.

The gullibility is in people who accept ID's that say "Transnational
Republic" (at least, without knowing more).

Now, Manoj, are you one of those people?

Thomas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[gregor herrmann]

On Tue, May 30, 2006 at 01:46:30AM -0700, Zak B. Elep wrote:

> >* libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
> > libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
> > libnet-xwhois-perl, libvideo-capture-v4l-perl
> I'd like to take these up.

Oops, I just saw your mail now after writing my own offer.
Please just go ahead; unless you want to maintain the packages within
the Debian Perl Group, of course ;-)

gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian: the universal operating system - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-NP: Bob Dylan: I want you


signature.asc
Description: Digital signature

Re: Red team attacks vs. cracking

[Javier Fernández-Sanguino Peña]

On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
> Manoj Srivastava <[EMAIL PROTECTED]> writes:
> 
> > This is to forestall those of you who seem to be be arguing
> >  that the debconf6 KSP crack was a red team attack -- here is how that
> >  attack differed from a legitimate red team effort (I have been a
> >  member of red teams before, and have lead a number of red team
> >  attacks in my time).
> 
> I haven't heard anyone make such a claim.

Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a "red team attack". Nobody
used that term explicitly probably because they are unfamiliar with it. I
know what it means, I've done my share of pen-testing to companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a "red team" test) and that Martin *did* abuse our [0] trust [1]

I find this akin to people finding and exploiting web app vulnerabilities
(without being payed for by the company and without their approval). 
To "show" that webapps are vulnerable.

Regards

Javier

[0] The assistants to the KSP

[1] By not providing  a *proper* ID as required by the KSP organisers (and
all KSPs protocols I've read ). Notice that he himself has described his ID
as not being *proper* and that it was the whole point of his excercise.


signature.asc
Description: Digital signature

Re: Red team attacks vs. cracking

[Thomas Bushnell BSG]

Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:

> Claiming that what Martin did was good since he was showing
> something useful for our community is equivalent to saying it was a
> "red team attack". Nobody used that term explicitly probably because
> they are unfamiliar with it. I know what it means, I've done my
> share of pen-testing to companies.

Perhaps some people have argued that it was good what he did; I have
not.  I have constrained my comments to arguing only that what he did
was not, so far as we know, either fraudulent or forgery.

What he did may have beneficial consequences, if it encourages people
to be more careful in the future, but certainly I would agree that
this does not justify it.

I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.  Martin certainly should follow the protocols
established, but I would only count "established" as being what is
actually written down by the KSP organizers, and not just some kind of
general unspoken expectation.  (Where can I read about those written
protocols, if there are any?)

> I find this akin to people finding and exploiting web app vulnerabilities
> (without being payed for by the company and without their approval). 
> To "show" that webapps are vulnerable.

Indeed, if he did violate the written rules of the KSP, then it is
much like this.  (That still doesn't make it forgery, fraud, or
dishonesty, however.)

At the same time, we should *also* recognize that anyone who signed on
the basis of the Transnational Republic ID (unless they have more
information about that organization than the rest of us do) has *also*
broken the rules of the KSP.

Moreover, the harm caused by people who did not properly check the ID
is *worse* than the harm caused by not following the written KSP rules
(if indeed he didn't follow them).  So I ask, ONE MORE TIME, HOPING
FOR AN ANSWER:

Manoj, did you sign the key on the basis of the Transnational Republic
ID?

Javier, did you?

Thomas

Re: Red team attacks vs. cracking

[Joe Smith]

"Javier Fernández-Sanguino Peña" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]


Claiming that what Martin did was good since he was showing something 
useful
for our community is equivalent to saying it was a "red team attack". 
Nobody

used that term explicitly probably because they are unfamiliar with it. I
know what it means, I've done my share of pen-testing to companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a "red team" test) and that Martin *did* abuse our [0] trust [1]


Had Martin never mentioned this, it would have been a non-issue.
There is no real damage. While signatures may have been based on
a non-offical ID, Martin did indeed own the key in question, so
the end harm is zero. But Martin decided to publish this experiment.
Is this really a bad thing? He proved that KSP are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easilly as Martin, but
would result in actual damage, and would most likely not have been caught.

So, if KSPs are not changed, then the Web of trust becomes effectively 
worthless.
Manoj should be far more concerned about that, then about Martin's 
demonstration
of this. 




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Roberto C. Sanchez]

Christoph Haas wrote:
> 
> I'm currently looking into several systems. Usually I use Subversion and
> svn-buildpackage but due to a lot of trouble with svn-buildpackage I
> have moved away from repositories for my Debian packages lately.
> 
Out of curiousity, what problems have you encountered with
svn-buildpackage?  Personally, I have transitioned all the packages that
I maintain solo into it, as well as some of the package maintenance
teams I am on use it.  I have not encountered any problems.

The only problem I have encountered so far is that the Horde team uses
Arch, which I simply cannot understand.  I have spent quite a while
reading through the documentation and messing with it, but Arch seems to
me to not make any rational sense.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto


signature.asc
Description: OpenPGP digital signature

Invitation From Pingo.com

[Phone Card Partnership]

Dear Debian Devel, 

I’m personally emailing you today to discuss a partnership. I noticed 
that your web site debian.org has linked to Tel3. Pingo is a virtual 
VoIP calling card service that helps the world save on there long 
distance and international calls. 

I'm sending you this invitation to discuss a few partnership options;

1. Join Pingo Affiliate Program

Pingo will pay you up to 80% of the first sale plus a residual income 
(6 months) for every new customer that debian.org refers to Pingo!

Learn more about this partnership at Pingo’s affiliate marketing tips 
site. http://www.SuperAffiliateBluePrint.com

2.  Link to Pingo for a Phone Card

If you post this text link on your site. 

Save on http://www.pingo.com";>International prepaid calling 
cards with Pingo. 

I’ll be glad to give you a complimentary phone card good for about 3 
hours of international calls as a special thank you gift. 

3.  Post this Special Coupon Code on debian.org

As a way to save your website visitors money. Please post this special 
pingo coupon code. 

Save 10% on Pingo’s Virtual Calling Cards

Use Pingo Phone Coupon Code  “springcall06”

Thanks for your future partnership, 

Brian 

P.S. Don’t forget to email me back your link to Pingo so that I can 
send you your special phone card thank you gift. 

Brian
Affiliate Marketing Manager 
Pingo
20 Second Avenue
Burlington, Ma. 01803
Direct: 781 505-7865
[EMAIL PROTECTED] 
http://www.pingo.com
 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Thomas Bushnell BSG]

"Joe Smith" <[EMAIL PROTECTED]> writes:

> So, if KSPs are not changed, then the Web of trust becomes
> effectively worthless.  Manoj should be far more concerned about
> that, then about Martin's demonstration of this.

Personally, I'm especially worried about the developers who were taken
in by the Transnational Republic ID.  So, can we have a "fess up" time
now?  Manoj, did you sign the key on this basis?

The people who we really shouldn't trust are the ones who thought the
Transnational Republic is a real country, or didn't bother to check.
Manoj has already admitted that he doesn't bother to check as a rule,
but hasn't said whether in fact he was taken in and signed the key on
this basis.

Manoj, you?

Thomas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[martin f krafft]

also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2006.05.30.1920 
+0200]:
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]

I acknowledge this and would like to apologise to everyone.

My "experiment" was indeed not at all prepared. I am very pleased,
however, with the result. Should I ever conduct something similar in
the future (I don't have any plans), I will follow a protocol based
on the one suggested by Manoj.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"menschen, welche rasch feuer fangen,
 werden schnell kalt und sind daher im ganzen unzuverlässig."
 - friedrich nietzsche


signature.asc
Description: Digital signature (GPG/PGP)

Re: Red team attacks vs. cracking

[martin f krafft]

also sprach Thomas Bushnell BSG <[EMAIL PROTECTED]> [2006.05.30.2002 +0200]:
> Personally, I'm especially worried about the developers who were
> taken in by the Transnational Republic ID.  So, can we have
> a "fess up" time now?  Manoj, did you sign the key on this basis?

He did not.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"arguments are extremely vulgar,
 for everyone in good society
 holds exactly the same opinion."
-- oscar wilde


signature.asc
Description: Digital signature (GPG/PGP)

Re: Real Life hits: need to give up packages for adoption

[Andreas Metzler]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In article <[EMAIL PROTECTED]> (gmane.linux.debian.devel.general) you wrote:
> On (29/05/06 21:29), [EMAIL PROTECTED] wrote:
[...]
>> * gnutls, gcrypt, libtasn1, libksba
>>   (security-critical, some work required, having a team for these
>>   packages would be ideal)

> I would like to be part of the team for these packages.

I had already invested a little bit of time in these,
http://downhill.aus.cc/debian/misc/ and would be happy to at least
give the packages a kick to get them into shape.
cu and- My elan might fail after some time, so a team really looks
good. -reas
- -- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.(c) Jasper Ffforde
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEfIoXHTOcZYuNdmMRAouEAJ9cVXJeNXc6PBXlgd0MIkdsvRNTkQCcCrR+
dgqv9lYYtiGcGOD9JZxr7+s=
=FAh9
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Christoph Haas]

On Tue, May 30, 2006 at 01:45:10PM -0400, Roberto C. Sanchez wrote:
> Christoph Haas wrote:
> > 
> > I'm currently looking into several systems. Usually I use Subversion and
> > svn-buildpackage but due to a lot of trouble with svn-buildpackage I
> > have moved away from repositories for my Debian packages lately.
> > 
> Out of curiousity, what problems have you encountered with
> svn-buildpackage?  Personally, I have transitioned all the packages that
> I maintain solo into it, as well as some of the package maintenance
> teams I am on use it.  I have not encountered any problems.

Yes, of course. Besides some minor things I don't quite like about
Subversion (merging looks like black magic for me and getting out old
revisions of a file means typing the full URL for no reason) these are
the actual problems I encountered with svn-buildpackage:

* svn-upgrade

Upgrading from a new upstream tarball has never worked here. Matthijs
Mohlmann and I are maintaining the "pdns" (PowerDNS) package in a
Subversion repository. That software isn't trivial but it's also no
rocket science. Still svn-upgrade choked and left us alone like
"something didn't work half way - what do you want to do?" and we ended
up with a borked repository. Up to now we made a backup of the
repository beforehand and took our chances. I believe we merged in the
upstream changes manually. I didn't want to understand what svn-upgrade
is doing under the hood so I felt left alone there.

* svn-inject

Injecting new packages through svn-inject fails here. I get errors about
the MKCOL method not being allowed on the remote WebDAV server. Perhaps
it's a problem that the Apache runs on Sarge while I'm developing on
Sid.

* svn-buildpackage

The main script for building a package works well here. Just that the
build-area doesn't seem to be tidied up automatically. A few failed
attempts of building a package and that directory grows here. But
building a package from the repository through pbuilder is very nice.


Kudos to Eduard Bloch though. The scripts are pretty sophisticated. And
I already spent some time getting it working with pbuilder (see [1]).

In the end I still favor Subversion over any other RCS. Although Simon
Richter made me try Git today. And I like to try out new things so I can
find better arguments against it. :)

> The only problem I have encountered so far is that the Horde team uses
> Arch, which I simply cannot understand.  I have spent quite a while
> reading through the documentation and messing with it, but Arch seems to
> me to not make any rational sense.

Neither to me. Bazaar (as made and used by the Ubuntu staff) seems to be
a "better arch". Still I couldn't be convinced to use it.

Disclaimer: I'm not a Subversion guru. So I might as well just be
ignorant.

Kindly
 Christoph

[1] http://workaround.org/moin/SvnBuildpackage
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All


signature.asc
Description: Digital signature

Re: Red team attacks vs. cracking

[Paul Johnson]

On Tuesday 30 May 2006 10:40, Joe Smith wrote:
> But Martin decided to publish this experiment.
> Is this really a bad thing? He proved that KSP are bad for the web of
> trust. 

Isn't what Martin and this thread actually demonstrated is that signing keys 
based on IDs you cannot reasonably authenticate as real, with a focus on 
quantity instead of quality among KSP participants is the real problem at 
hand?

Even the guy at 7-Eleven has the big book of north american ID cards with 
pictures and descriptions of what makes a real one for when they encounter an 
ID that they've never seen before.  Surely Debian can do as well as the guy 
selling cigarettes and beer at the 7-Eleven when it comes to verification...

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber


pgpLY2p77Nn1U.pgp
Description: PGP signature

Re: Red team attacks vs. cracking

[martin f krafft]

also sprach Paul Johnson <[EMAIL PROTECTED]> [2006.05.30.2120 +0200]:
> Even the guy at 7-Eleven has the big book of north american ID cards with 
> pictures and descriptions of what makes a real one for when they encounter an 
> ID that they've never seen before.  Surely Debian can do as well as the guy 
> selling cigarettes and beer at the 7-Eleven when it comes to verification...


  I once had the 7-Eleven guy refuse my German driver's licence,
  because it had "VOID" printed over it in this very book


The idea is a nice one, let's compile a book with descriptions of
valid IDs. However, this really won't help at all during a KSP.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Most Intelligent Customers Realise Our Software Only Fools Them.


signature.asc
Description: Digital signature (GPG/PGP)

Re: Renaming a package

[Andreas Fester]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thanks for all your answers, my package successfully transformed
to its new name with apt-get dist-upgrade in my test environment :-)

One last question: would it be safe to say

Architecture: all

in the dummy transition package since it does not contain
any architecture specific files anymore, or is it better to
leave it as it is with "Architecture: any" to create
architecture specific packages?

Thanks,

Andreas

Andreas Fester wrote:
[...]
> Problem:
> 
> Upstream application (non-library) has changed its name.
> I want to reflect this new name in the debian
> package name while ensuring that apt-get dist-upgrade
> works seamless and pulls in the new package.
[...]

- --
Andreas Fester
mailto:[EMAIL PROTECTED]
WWW: http://www.littletux.net
ICQ: 326674288
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEfKAjZ3bQVzeW+rsRAvAjAJ4tt0rYSHmlywQO82aRQJih5DdhWwCgokrE
vtZ+1nRwH4/ltgXX8E8adtM=
=EZaw
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Renaming a package

[Adeodato Simó]

* Andreas Fester [Tue, 30 May 2006 21:42:27 +0200]:

> One last question: would it be safe to say

> Architecture: all

> in the dummy transition package since it does not contain
> any architecture specific files anymore, or is it better to
> leave it as it is with "Architecture: any" to create
> architecture specific packages?

Yes, Arch: all is not only safe, but what it should be. :)

-- 
Adeodato Simó dato at net.com.org.es
Debian Developer  adeodato at debian.org
 
One of my most productive days was throwing away 1000 lines of code.
-- Ken Thompson


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Adam Borowski]

On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> Even the guy at 7-Eleven has the big book of north american ID cards with 
> pictures and descriptions of what makes a real one for when they encounter an 
> ID that they've never seen before.  Surely Debian can do as well as the guy 
> selling cigarettes and beer at the 7-Eleven when it comes to verification...

How can you check if an ID card is real based only on what is written
on the card, even if it has all the hallmarks mentioned in that book?

See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50.  Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in Warsaw, and was led to a guy with a number of blank Polish
IDs for ~$25 each...

That's about what checking government-issued IDs is worth.

-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Christoph Haas]

On Tue, May 30, 2006 at 08:48:14PM +0200, I (Christoph Haas) wrote:
> * svn-inject
> 
> Injecting new packages through svn-inject fails here. I get errors about
> the MKCOL method not being allowed on the remote WebDAV server. Perhaps
> it's a problem that the Apache runs on Sarge while I'm developing on
> Sid.

It appears like MKCOL returns a 405 when a collection (apparently a
directory on the DAV server - I'm not a DAV expert) is already existing.
So removing the whole repository, re-creating it and then running
svn-inject works. I was sure that I injected into a blank repository -
apparently it wasn't totally blank.

Another strange issue is that the tarballs/ directory for upstream
tarballs it not automatically created and needs to be adjusted by hand
by editing the trunk/.svn/deb-layout file. Or it's just me not
understanding the mergeWithUpstream setting correctly.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All


signature.asc
Description: Digital signature

Re: glibc built with gcc-4.1 (update)

[Falk Hueffner]

Aurelien Jarno <[EMAIL PROTECTED]> writes:

> On arm, ia64 and alpha the glibc fails to build with gcc-4.1.

On Alpha the problem is:

{standard input}: Assembler messages:
{standard input}:341: Error: macro requires $at register while noat in effect
{standard input}:374: Error: macro requires $at register while noat in effect
{standard input}:438: Error: macro requires $at register while noat in effect
{standard input}:471: Error: macro requires $at register while noat in effect
make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
Error 1

Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
I cannot really think of anything better than

--- ioperm.c~   2001-07-06 06:56:13.0 +0200
+++ ioperm.c2006-05-30 21:22:54.0 +0200
@@ -173,13 +173,13 @@
 static inline void
 stb_mb(unsigned char val, unsigned long addr)
 {
-  __asm__("stb %1,%0; mb" : "=m"(*(vucp)addr) : "r"(val));
+  __asm__(".arch ev6; stb %1,%0; mb" : "=m"(*(vucp)addr) : "r"(val));
 }
 
 static inline void
 stw_mb(unsigned short val, unsigned long addr)
 {
-  __asm__("stw %1,%0; mb" : "=m"(*(vusp)addr) : "r"(val));
+  __asm__("".arch ev6; stw %1,%0; mb" : "=m"(*(vusp)addr) : "r"(val));
 }
 
 static inline void
@@ -351,7 +351,7 @@
   unsigned long int addr = dense_port_to_cpu_addr (port);
   unsigned char r;
 
-  __asm__ ("ldbu %0,%1" : "=r"(r) : "m"(*(vucp)addr));
+  __asm__ (".arch ev6; ldbu %0,%1" : "=r"(r) : "m"(*(vucp)addr));
   return r;
 }
 
@@ -361,7 +361,7 @@
   unsigned long int addr = dense_port_to_cpu_addr (port);
   unsigned short r;
 
-  __asm__ ("ldwu %0,%1" : "=r"(r) : "m"(*(vusp)addr));
+  __asm__ (".arch ev6; ldwu %0,%1" : "=r"(r) : "m"(*(vusp)addr));
   return r;
 }
 
-- 
Falk


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Package Selection for Debian Live

[Nico Golde]

Hi,
* Daniel Baumann <[EMAIL PROTECTED]> [2006-05-30 22:19]:
> [ crosspost to live, -devel and -edu; replies please to -devel ]
> at the moment, we have two types of Live CD images:
> 
>   * the small one which contains only packages of standard priority,
>   * and three larger ones, each of which contains one of the common
> desktop-environments on it (gnome, kde, xfce).
> 
> Now, we would like to create a decent package selection which reflects,
> as well as possible, the users' desires. There should be one package
> selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
> current squashfs compression, the actual filesystem size is about 3
> times bigger than the packed one. This means that there can be quite a
> few packages on it :) I'm open for your suggestions...

Would be useful if you could provide the package lists for 
the two images so we can see whats already included and send 
you patches.
Regards Nico
-- 
Nico Golde - JAB: [EMAIL PROTECTED] | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!


pgpd6unw4hlMs.pgp
Description: PGP signature

Re: Package Selection for Debian Live

[Michael Fisher]

Is it posible to have a minimum size image with a WM that can stay
below 125MB? This would be a great size for USB versions and versions
running under Qemu or VMWare. Just a thought.

desNotes

On 5/30/06, Daniel Baumann <[EMAIL PROTECTED]> wrote:

[ crosspost to live, -devel and -edu; replies please to -devel ]

Hi all,

at the moment, we have two types of Live CD images:

  * the small one which contains only packages of standard priority,
  * and three larger ones, each of which contains one of the common
desktop-environments on it (gnome, kde, xfce).

Now, we would like to create a decent package selection which reflects,
as well as possible, the users' desires. There should be one package
selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
current squashfs compression, the actual filesystem size is about 3
times bigger than the packed one. This means that there can be quite a
few packages on it :) I'm open for your suggestions...

Regards,
Daniel

--
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/
___
live mailing list
live@lists.debian-unofficial.org
http://lists.debian-unofficial.org/cgi-bin/mailman/listinfo/live




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Aurelien Jarno]

Falk Hueffner a écrit :

Aurelien Jarno <[EMAIL PROTECTED]> writes:



On arm, ia64 and alpha the glibc fails to build with gcc-4.1.



On Alpha the problem is:

{standard input}: Assembler messages:
{standard input}:341: Error: macro requires $at register while noat in effect
{standard input}:374: Error: macro requires $at register while noat in effect
{standard input}:438: Error: macro requires $at register while noat in effect
{standard input}:471: Error: macro requires $at register while noat in effect
make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
Error 1

Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
I cannot really think of anything better than


Ok, thanks a lot, I will add it in the SVN soon.

Do you think it is a fix or a workaround? Or rather do you think this 
behaviour is correct?


--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Package Selection for Debian Live

[Török Edvin]

On 5/30/06, Daniel Baumann <[EMAIL PROTECTED]> wrote:

[ crosspost to live, -devel and -edu; replies please to -devel ]

Hi all,

at the moment, we have two types of Live CD images:

  * the small one which contains only packages of standard priority,
  * and three larger ones, each of which contains one of the common
desktop-environments on it (gnome, kde, xfce).

Now, we would like to create a decent package selection which reflects,
as well as possible, the users' desires. There should be one package
selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
current squashfs compression, the actual filesystem size is about 3
times bigger than the packed one. This means that there can be quite a
few packages on it :) I'm open for your suggestions...

What I'd need on a Live CD-ROM:
* rescue tools:
  - parted
  - fdisk
  - mkfs.*
  - grub
- lvm management tools
* 386 and amd64 kernels on same cdrom (so that I can chroot into
pure64 installations)
* text editor:
  my favourites: vim, jed. (please no flames on this)
* compiler with at least libc-dev, libstdc++-dev
* it should be possible to debootstrap from CD
* networking:
dhcp, rp-pppoe , (nfs,)
* mc would be nice to have
* if it fits a minimalistic xorg with fluxbox, and gs/ghostview
. this is just a quick list I've come up with, I'm sure there is
plenty more that would be needed.

of course on the dvd I'd like to see openoffice.

Which packages of the above are currently on the live CD?


Regards,
Edwin


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Daniel Baumann]

 wrote:
> * gnulib
>   (easy pickings; need to package new Upstream from CVS, every month or so)

I'll take that.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Falk Hueffner]

Aurelien Jarno <[EMAIL PROTECTED]> writes:

> Falk Hueffner a écrit :
>> Aurelien Jarno <[EMAIL PROTECTED]> writes:
>>
>>>On arm, ia64 and alpha the glibc fails to build with gcc-4.1.
>> On Alpha the problem is:
>> {standard input}: Assembler messages:
>> {standard input}:341: Error: macro requires $at register while noat in effect
>> {standard input}:374: Error: macro requires $at register while noat in effect
>> {standard input}:438: Error: macro requires $at register while noat in effect
>> {standard input}:471: Error: macro requires $at register while noat in effect
>> make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
>> Error 1
>> Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
>> I cannot really think of anything better than
>
> Ok, thanks a lot, I will add it in the SVN soon.
>
> Do you think it is a fix or a workaround? Or rather do you think this
> behaviour is correct?

Well, the right thing to do would be to turn arch to ev6, and then
restore it to whatever it was previously; with this patch, it remains
turned on for the rest of the file and could potentially hide errors.
However, I don't think that's possible with gas. So given this
deficiency, I don't think there's a better way.

-- 
Falk


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Paul Johnson]

On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > Even the guy at 7-Eleven has the big book of north american ID cards with
> > pictures and descriptions of what makes a real one for when they
> > encounter an ID that they've never seen before.  Surely Debian can do as
> > well as the guy selling cigarettes and beer at the 7-Eleven when it comes
> > to verification...
>
> How can you check if an ID card is real based only on what is written
> on the card, even if it has all the hallmarks mentioned in that book?

If you don't trust the ID, you don't sign the key.  But having the book to be 
able to get a bad feeling about the ID from sure beats the apparent current 
system of "Sign the key and hope the ID is for real."

> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> can sell you a perfectly valid passport for less than $50.  Several
> years ago, a friend of mine actually asked someone at the Stadion
> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> IDs for ~$25 each...
>
> That's about what checking government-issued IDs is worth.

Perhaps in that part of the world, yes.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber


pgpPuTShOxbea.pgp
Description: PGP signature

Re: Real Life hits: need to give up packages for adoption

[Roberto C. Sanchez]

Christoph Haas wrote:
> 
> Yes, of course. Besides some minor things I don't quite like about
> Subversion (merging looks like black magic for me and getting out old
> revisions of a file means typing the full URL for no reason) these are
> the actual problems I encountered with svn-buildpackage:
> 
> * svn-upgrade
> 
> Upgrading from a new upstream tarball has never worked here. Matthijs
> Mohlmann and I are maintaining the "pdns" (PowerDNS) package in a
> Subversion repository. That software isn't trivial but it's also no
> rocket science. Still svn-upgrade choked and left us alone like
> "something didn't work half way - what do you want to do?" and we ended
> up with a borked repository. Up to now we made a backup of the
> repository beforehand and took our chances. I believe we merged in the
> upstream changes manually. I didn't want to understand what svn-upgrade
> is doing under the hood so I felt left alone there.
> 
I guess I will need to watch out for that.  I have only had one upstream
upgrade so far since using svn-buildpackage, and I have not had this
happen.  Though, many of my packages are trivial to maintain.

> * svn-inject
> 
> Injecting new packages through svn-inject fails here. I get errors about
> the MKCOL method not being allowed on the remote WebDAV server. Perhaps
> it's a problem that the Apache runs on Sarge while I'm developing on
> Sid.
> 
Not sure.  I have shell access and use the svn+ssh method for my
Subversion access.

> * svn-buildpackage
> 
> The main script for building a package works well here. Just that the
> build-area doesn't seem to be tidied up automatically. A few failed
> attempts of building a package and that directory grows here. But
> building a package from the repository through pbuilder is very nice.
> 
I have noticed this as well.

> 
> Kudos to Eduard Bloch though. The scripts are pretty sophisticated. And
> I already spent some time getting it working with pbuilder (see [1]).
> 
Yes, it is just too bad that they did not use a respectable language,
like Python.  As it is, there are many features I would like to see
added, but all I can do is file wishlist bugs, as I don't anything about
Perl besides how to spell it.

Your link on getting svn-buildpackage and pbuilder working was
excellent.  I used as a guide as well when I needed to integrate the two.

> In the end I still favor Subversion over any other RCS. Although Simon
> Richter made me try Git today. And I like to try out new things so I can
> find better arguments against it. :)
> 
I agree that (and pardon my paraphrasing), subversion is the worst form
of revision control, except for all the others that have been tried.
Personally, none of the others make sense.

> 
>>The only problem I have encountered so far is that the Horde team uses
>>Arch, which I simply cannot understand.  I have spent quite a while
>>reading through the documentation and messing with it, but Arch seems to
>>me to not make any rational sense.
> 
> 
> Neither to me. Bazaar (as made and used by the Ubuntu staff) seems to be
> a "better arch". Still I couldn't be convinced to use it.
> 
> Disclaimer: I'm not a Subversion guru. So I might as well just be
> ignorant.
> 
Ditto.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto


signature.asc
Description: OpenPGP digital signature

Re: bits from the release team: release goals, python, X.org, amd64, timeline

[Steve Langasek]

On Tue, May 30, 2006 at 02:50:16PM +0200, Wouter Verhelst wrote:
> On Tue, May 30, 2006 at 12:05:26PM +0200, Andreas Barth wrote:
> > Timeline
> > 

> > Now, let's please take a more detailed look at the time line:

> >  Thu 15 Jun 06:

> > last chance to switch to gcc 4.1, python 2.4
> > review architectures one more time
> > last chance to add new architectures

> > RC bug count less than 300

> Since m68k pretty much depends on the gcc-4.1 transition to make it in
> again, I would suggest that we (as in, the m68k port) make the switch to
> GCC4.1 as the default already. This will allow us to verify that stuff
> actually builds and works, and to catch up with building those that fail
> with ICE in gcc-4.0 before that time. Since m68k is not a release
> architecture right now, this should not cause any problems for any other
> port if the GCC 4.1 transition does not happen, but it will help if it
> does.

> Thoughts, objections?

Since it seems gcc-4.1 is the only way to get m68k back up to building a
decent fraction of the archive, I think it's fair to switch to
gcc-4.1/g++-4.1 as the default now on m68k, yes.  From everything I hear, it
at least isn't going to be worse than the status quo.

I still wouldn't count gcc-4.1 build regressions in packages as
release-critical until at least one other architecture had switched to it as
default, even if m68k was otherwise ready to go as a release candidate, but
that shouldn't stop you from doing porter NMUs anyway.

BTW, can you tell me anything about the dip in
http://buildd.debian.org/stats/graph2-quarter-big.png for m68k?  Seems to be
heading in the wrong direction again for being a release candidate.  I see
12 buildds actively uploading packages for m68k, is this too few or is there
some other problem?

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


signature.asc
Description: Digital signature

Package Selection for Debian Live

[Daniel Baumann]

[ crosspost to live, -devel and -edu; replies please to -devel ]

Hi all,

at the moment, we have two types of Live CD images:

  * the small one which contains only packages of standard priority,
  * and three larger ones, each of which contains one of the common
desktop-environments on it (gnome, kde, xfce).

Now, we would like to create a decent package selection which reflects,
as well as possible, the users' desires. There should be one package
selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
current squashfs compression, the actual filesystem size is about 3
times bigger than the packed one. This means that there can be quite a
few packages on it :) I'm open for your suggestions...

Regards,
Daniel

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Real Life hits: need to give up packages for adoption

[Adam Borowski]

On Mon, May 29, 2006 at 09:29:34PM +0200, Matthias Urlichs wrote:
> * gnulib
>   (easy pickings; need to package new Upstream from CVS, every month or so)
I ported quite a lot of C software between IRIX/SunOS/AIX/Linux, so
I'll take it.

> * tcng
>   (some clean-up required)
I have some idea about bare tc -- two local ISPs run my scripts that
manage traffic shaping according to the customers' databases;
however, I haven't used tcng itself -- it looks interesting, though.
Unless someone else steps up, I can do it.

> * hashalot
>   (easy pickings)
Trivial; I can grab it if no one else does -- but if someone actually
uses it, that person of course has a priority.

Whee?
-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: glibc built with gcc-4.1 (update)

[Thiemo Seufer]

Falk Hueffner wrote:
> Aurelien Jarno <[EMAIL PROTECTED]> writes:
> 
> > Falk Hueffner a écrit :
> >> Aurelien Jarno <[EMAIL PROTECTED]> writes:
> >>
> >>>On arm, ia64 and alpha the glibc fails to build with gcc-4.1.
> >> On Alpha the problem is:
> >> {standard input}: Assembler messages:
> >> {standard input}:341: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:374: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:438: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:471: Error: macro requires $at register while noat in 
> >> effect
> >> make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
> >> Error 1
> >> Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
> >> I cannot really think of anything better than
> >
> > Ok, thanks a lot, I will add it in the SVN soon.
> >
> > Do you think it is a fix or a workaround? Or rather do you think this
> > behaviour is correct?
> 
> Well, the right thing to do would be to turn arch to ev6, and then
> restore it to whatever it was previously; with this patch, it remains
> turned on for the rest of the file and could potentially hide errors.
> However, I don't think that's possible with gas. So given this
> deficiency, I don't think there's a better way.

FYI, the MIPS gas has

.set push
.set mips32
# ...
.set pop

which is very useful to handle such situations. Alpha gas at least
doesn't document anything similiar, but it might be useful to
implement such a feature for it.


Thiemo

Re: Red team attacks vs. cracking

[Linas Žvirblis]

Paul Johnson wrote:

>> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
>> can sell you a perfectly valid passport for less than $50.  Several
>> years ago, a friend of mine actually asked someone at the Stadion
>> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
>> IDs for ~$25 each...
>>
>> That's about what checking government-issued IDs is worth.
> 
> Perhaps in that part of the world, yes.

Oh, THAT part of the world. Wait a minute, what part of the world? Can
you name any country in which you cannot buy fake IDs?

I might have misunderstood you, but you comment sounded like an insult
towards Eastern Europe.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Stephen Gran]

This one time, at band camp, Paul Johnson said:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian
> > accent can sell you a perfectly valid passport for less than $50.
> > Several years ago, a friend of mine actually asked someone at the
> > Stadion 10-lecia in Warsaw, and was led to a guy with a number of
> > blank Polish IDs for ~$25 each...
> >
> > That's about what checking government-issued IDs is worth.
> 
> Perhaps in that part of the world, yes.

What are you talking about, "that part of the world"?  Teenagers where
you're from don't have fake IDs?  I know I did when I was a teenager in
Philadelphia.  They may not have been printed on authentic passport
blanks, but they were close enough to fool people who looked at them for
a living.

I'm not really sure why the idea that ID's are forgeable is so
surprising, though.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


signature.asc
Description: Digital signature

Re: Package Selection for Debian Live

[Daniel Baumann]

Nico Golde wrote:
> Would be useful if you could provide the package lists for 
> the two images so we can see whats already included and send 
> you patches.

The small one contains the standard system only, means, packages which
have Priority: standard and nothing more. That's about 80MB (the image
size).

The other ones do contains:

kde:
kde kdm x-window-system-core

gnome:
gnome-desktop-environment gdm-themes gnome-cups-manager
gnome-themes-extras rhythmbox synaptic gnome-screensaver gdm
x-window-system-core

xfce:
xfce4 gdm x-window-system-core

> Regards Nico

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Steve Langasek]

On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.  Several
> > years ago, a friend of mine actually asked someone at the Stadion
> > 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> > IDs for ~$25 each...

> > That's about what checking government-issued IDs is worth.

> Perhaps in that part of the world, yes.

As opposed to California, where per the news story I heard a couple weeks
ago, a counterfeit state ID good enough to elude an arrest warrant can be
had for $100-$200?

Thanks for playing, you arrogant jerk.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


signature.asc
Description: Digital signature

Re: Package Selection for Debian Live

[Daniel Baumann]

Michael Fisher wrote:
> Is it posible to have a minimum size image with a WM that can stay
> below 125MB? This would be a great size for USB versions and versions
> running under Qemu or VMWare. Just a thought.

Yes, but those mini-images are separate thing we do anyway (or provide
an easy possiblity to create them yourself). Now we would like to fill a
700MB CD resp. a 4.5GB DVD with all the packages people may would like
to see on it.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#369600: ITP: evolution-jescs -- Evolution Connector for Sun Java Enterprise System Calendar Server (SJESCS)

[Heikki Henriksen]

Package: wnpp
Severity: wishlist
Owner: Heikki Henriksen <[EMAIL PROTECTED]>

* Package name: evolution-jescs
  Version : 2.6.2
  Upstream Author : Several Authors
* URL : http://www.go-evolution.org/Evolution_JESCS
* License : GPL
  Programming Lang: C
  Description : Evolution Connector for Sun Java Enterprise System Calendar 
Server (SJESCS)

  The JESCS-connector adds support to evolution for Sun Java Enterprise
  System Calendar Server (SJESCS) 5.1 and above, and for the Web
  Calendar Access Protocol (WCAP) 2.0, 3.0, 3.1.

Note: 
  This will be maintained by the pkg-evolution-team

Cheers,
 Heikki

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (401, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-k7
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Making init scripts use dash

[Steve Greenland]

On 29-May-06, 03:57 (CDT), Ralf Wildenhues <[EMAIL PROTECTED]> wrote: 
> FWIW, libtool scripts are a bit more complex.  Unrelated though,
> Libtool records the shell and its features; if you change /bin/sh
> from bash to dash, the installed /usr/bin/libtool will have its
> $echo setting wrong, and break occasionally. 

Then libtool is buggy[1] and needs to begin with "#!/bin/bash" or
"#!/bin/dash", and include the appropriate Depends.

Steve

[1] But you knew that.

-- 
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world.   -- seen on the net


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Package Selection for Debian Live

[Daniel Baumann]

Eric Cooper wrote:
> I suggest that you provide the same packages that Knoppix does (as long
> as they're free), since Knoppix has been out there with a real user
> community for several years now.  No need to reinvent the wheel.

True, but knoppix is i386/amd64 only. Debian Live works on i386/amd64
too, but at least on sparc and powerpc too. So I hope to get feedback
from all non-intel/non-amd users.

Currently, the images are not autobuilded for that archs. The buildds
used for powerpc and sparc in Debian are either machines and/or
configurations, which do not support building packages for sparc64 resp.
powerpc64 (it does work here on my local machines, which are capable of
building the 64 bit packages).

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Red team attacks vs. cracking

[Paul Johnson]

On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
> On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> > On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > > can sell you a perfectly valid passport for less than $50.  Several
> > > years ago, a friend of mine actually asked someone at the Stadion
> > > 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> > > IDs for ~$25 each...
> > >
> > > That's about what checking government-issued IDs is worth.
> >
> > Perhaps in that part of the world, yes.
>
> As opposed to California, where per the news story I heard a couple weeks
> ago, a counterfeit state ID good enough to elude an arrest warrant can be
> had for $100-$200?

California's it's own little world, generally speaking if you assume the worst 
in Americans, you're describing Californians.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber


pgpalcZHcRjmu.pgp
Description: PGP signature

Re: Red team attacks vs. cracking

[Paul Johnson]

On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
> Paul Johnson wrote:
> >> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> >> can sell you a perfectly valid passport for less than $50.  Several
> >> years ago, a friend of mine actually asked someone at the Stadion
> >> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> >> IDs for ~$25 each...
> >>
> >> That's about what checking government-issued IDs is worth.
> >
> > Perhaps in that part of the world, yes.
>
> Oh, THAT part of the world. Wait a minute, what part of the world? Can
> you name any country in which you cannot buy fake IDs?
>
> I might have misunderstood you, but you comment sounded like an insult
> towards Eastern Europe.

No, I'm saying that the availability and penalties for a fake ID vary enough 
by international jurisdiction that what may be true for eastern Europe is not 
necessarily true for the rest of the world.  If you want to construe an 
observation about variations in availability of certain goods and services as 
an insult, so be it, but that was not the intent.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber


pgpe5NisdV5Ce.pgp
Description: PGP signature

Re: Red team attacks vs. cracking

[Javier Fernández-Sanguino Peña]

On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
> I am actually quite ambivalent about whether I think what he did was
> wrong; I think to determine that I would need to read carefully what
> the KSP organizers said.  Martin certainly should follow the protocols
> established, but I would only count "established" as being what is
> actually written down by the KSP organizers, and not just some kind of
> general unspoken expectation.  (Where can I read about those written
> protocols, if there are any?)

From http://debconf6.debconf.org/ksp/ksp-dc6.html:

" The next step is to verify each participant's identity by checking
 preferably a passport or, alternatively, some other form of government
 issued ID. Please don't show very old, doubtful or easy-to-fake documents as
 people will not sign your key if you do so. "

I guess that answers the questions you brought up in your e-mail. An ID from
a political party is *not* a government issued ID and *is* a doubtful
document.

Regards

Javier


signature.asc
Description: Digital signature