Bug#495628: general: setting system users' homes in their data directory slower security scanning

2008-08-19 Thread Christian Perrier
Quoting alex bodnaru ([EMAIL PROTECTED]):
> Package: general
> Severity: normal
> 
> putting the home directory of users like postgres or especially backuppc 
> in their data directory makes routine scans of tiger over the homes directory 
> for user related suspect files work significantly slower.
> 
> there is no reason to scan those directories, since they contain structured
> data only, but only accidental logins of those users may bring bad thing here,
> and this should be the second reason not to set their homedirs here.


Why don't you discuss this with the respective maintainers of these
packages?

I doubt that an overall policy about this is, at this very moment,
something that can really happen and I highly suspect that this bug
report just gets ignored by many (not judging its validity, which I
have no competent advice about).




signature.asc
Description: Digital signature


Re: Upcoming changes to supported architectures

2008-08-19 Thread Joshua Cummings
On Fri, 2008-08-15 at 11:32 +0200, Pierre Habouzit wrote:
> On Fri, Aug 15, 2008 at 05:25:38AM +, Steve Langasek wrote:
> > So the current architectures I see wishlist bugs for on ftp.d.o are s390x,
> > sh[34]{,eb}, netbsd-i386, and kfreebsd-{i386,amd64}.
> > 
> > Which of these are currently in a more releasable state than hurd-i386?
> 
>   kfreebsd has a fully working toolchain, and has a very good linux
> emulation layer which (modulo a relibtoolization for the harder cases)
> theoretically allow an excellent archive coverage. Additionally, having
> kfreebsd brings ZFS to Debian FWIW.
> 

Unfortunately, ZFS is not currently available in GNU/kFreeBSD, but,
depending on licensing issues, could possibly be supported eventually.

On the subject of the Linux compat layer; it's not being used for
porting purposes, and probably never will. 
kfreebsd-{i386|amd64} uses a proper, ported Glibc, so there won't be any
sort of support for just dropping in a GNU/Linux package and having the
emulation layer handle it.

In regard to a 'releasable state', kfreebsd-i386 is indeed getting very
close.


--
Joshua Cummings


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Upcoming changes to supported architectures

2008-08-19 Thread Cyril Brulebois
Joshua Cummings <[EMAIL PROTECTED]> (19/08/2008):
> Unfortunately, ZFS is not currently available in GNU/kFreeBSD, but,
> depending on licensing issues, could possibly be supported eventually.

For interested people, see [EMAIL PROTECTED] and
below.

Mraw,
KiBi.




Re: Bug#495630: ITP: libfaketime -- report faked system time to programs

2008-08-19 Thread Guus Sliepen
On Tue, Aug 19, 2008 at 02:13:44AM -0400, Daniel Kahn Gillmor wrote:

> * Package name: libfaketime
>   Description : report faked system time to programs

There is already another package in Debian that provides similar functionality:
datefudge. Perhaps you can get both upstreams to merge their efforts?

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <[EMAIL PROTECTED]>




Re: Upcoming changes to supported architectures

2008-08-19 Thread Aurelien Jarno
On Tue, Aug 19, 2008 at 06:59:24PM +1000, Joshua Cummings wrote:
> On Fri, 2008-08-15 at 11:32 +0200, Pierre Habouzit wrote:
> > On Fri, Aug 15, 2008 at 05:25:38AM +, Steve Langasek wrote:
> > > So the current architectures I see wishlist bugs for on ftp.d.o are s390x,
> > > sh[34]{,eb}, netbsd-i386, and kfreebsd-{i386,amd64}.
> > > 
> > > Which of these are currently in a more releasable state than hurd-i386?
> > 
> >   kfreebsd has a fully working toolchain, and has a very good linux
> > emulation layer which (modulo a relibtoolization for the harder cases)
> > theoretically allow an excellent archive coverage. Additionally, having
> > kfreebsd brings ZFS to Debian FWIW.
> > 
> 
> Unfortunately, ZFS is not currently available in GNU/kFreeBSD, but,
> depending on licensing issues, could possibly be supported eventually.

We almost have ZFS support, I have all the needed patches on my laptop,
I just need to polish them and do the upload... And find time for that.

As for the licensing issues, we disable all GPL drivers on the flavour
that has ZFS enabled.

-- 
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net





Bug#495643: Catalan DDTP issues

2008-08-19 Thread Michael Bramer
Package: general
Severity: normal
User: [EMAIL PROTECTED]
Usertags: i18n.debian.org
Usertags: ddtp

- Forwarded message from Guillem Jover <[EMAIL PROTECTED]> -

Date: Mon, 18 Aug 2008 22:15:03 +0300
From: Guillem Jover <[EMAIL PROTECTED]>
Subject: Catalan DDTP issues

Hi,

The Catalan Translation file seems to have duped entries, and I think
it's missing several others, like dacco-eng-users.s, as seen at:

  

I've not checked others, so it could be a general problem.


On the DDTSS we have 42 pending translations for stuff that's quite
specialized, which blocks translations for more important and common
packages. I guess this is due to the force fetch problems mentioned
before on the i18n list. Could someone please reset the pending list?

thanks,
guillem
- End forwarded message -

Regards
Grisu
-- 
Michael Bramer  -- http://www.feuerwehr.kreuzau.de/wiki/
PGP: finger [EMAIL PROTECTED]  -- Linux Sysadmin   -- Use Debian Linux
"If I had foreseen the consequences, I would have become a watchmaker!"
 --- Albert Einstein






Bug#495643: Catalan DDTP issues

2008-08-19 Thread Michael Bramer
hi

see bug #495643

On Mon, Aug 18, 2008 at 10:15:03PM +0300, Guillem Jover wrote:
> Hi,
> 
> The Catalan Translation file seems to have duped entries, and I think
> it's missing several others, like dacco-eng-users.s, as seen at:
> 
>   
> 
> I've not checked others, so it could be a general problem.
> 
> 
> On the DDTSS we have 42 pending translations for stuff that's quite
> specialized, which blocks translations for more important and common
> packages. I guess this is due to the force fetch problems mentioned
> before on the i18n list. Could someone please reset the pending list?

thanks

i18n.d.n is still down... After a reboot/reconnection I can fix this...

Thanks for the report.

Regards
Grisu
-- 
Michael Bramer  -- http://www.feuerwehr.kreuzau.de/wiki/
PGP: finger [EMAIL PROTECTED]  -- Linux Sysadmin   -- Use Debian Linux
"If I had foreseen the consequences, I would have become a watchmaker!"
 --- Albert Einstein






Bug#495648: ITP: fatrat -- a multi protocol and feature rich download manager with a Qt4 gui

2008-08-19 Thread Cristian Greco
Package: wnpp
Severity: wishlist
Owner: Cristian Greco <[EMAIL PROTECTED]>


* Package name: fatrat
  Version : 1.0
  Upstream Author : Lubos Dolezel 
* URL : http://fatrat.dolezel.info
* License : GPLv2 only
  Programming Lang: C++
  Description : a multi protocol and feature rich download manager with a Qt4 gui

Fatrat is a feature rich download manager written in C++ and built on
top of Qt4 library. It supports a lot of download and file exchange
protocols and is continuously extended. It also includes a plugin
system. Most relevant features are:

  * HTTP(S)/FTP downloads
  * FTP uploads
  * RSS feed support + special functions for TV shows and podcasts
  * BitTorrent support (including torrent creating, DHT, UPnP, encryption etc.)
  * Torrent search
  * Support for SOCKS5 and HTTP proxies
  * RapidShare.com FREE downloads
  * RapidShare.com uploads
  * RapidShare.com link verification and folder extraction
  * RapidSafe link decoding
  * MD4/MD5/SHA1 hash computing
  * Remote control via Jabber
  * Remote control via a web interface
  * YouTube video downloading


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)




Re: [Pkg-kde-extras] Amarok: SECURITY ISSUE in Debian Etch and Lenny

2008-08-19 Thread Neil McGovern
On Mon, Aug 18, 2008 at 07:31:29PM +0300, Modestas Vainius wrote:
> Hi,
> 
> On Monday 18 August 2008, thacrazze wrote:
> > in the Amarok package is a security issue
> >
> > It is fixed in Amarok 1.4.10
> >(http://secunia.com/advisories/31418/,
> > http://amarok.kde.org/en/releases/1/4/10)
> The fixed version has been in unstable for two days already. 1.4.10 is a new
> upstream release but:
> 
> 1. The only real change since 1.4.9.1 is the security fix mentioned above and
> updates to translations.
> 2. The big upstream tarball diff comes from the differences in *autogenerated*
> autotools stuff. However, autotools stuff is regenerated each time package is
> built anyway so these differences can be safely ignored.
> 3. Packaging diff from 1.4.9.1-3 to 1.4.10-1 is just a new debian/changelog
> entry.
> 

What about:
src/scripts/rbot/*
doc/ru/*

Why have these been deleted?

Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3







Proposal for collaborative maintenance of CAS related apps in Debian

2008-08-19 Thread Olivier Berger
Hello.

We (Michele Baldessari and myself) are announcing a project for
collaborative maintenance of packages related to CAS (Central
Authentication Services) in Debian.

CAS is a popular SSO authentication framework for web applications [0].

There already exist some CAS client libraries in Debian (for Perl) [1],
but many other variants or implementations for other languages currently
lack in Debian.
Also, there's currently no packaging of the CAS server software in
Debian.

We propose that interested potential maintainers join us in a CAS
packaging team, to collaboratively maintain such packages in Debian.

You may find more details at
http://wiki.debian.org/Teams/DebianCASPackaging and in alioth :
http://alioth.debian.org/projects/pkg-cas/

Feel free to contact us for more details at
[EMAIL PROTECTED] .

[0] http://www.ja-sig.org/products/cas/
[1]
http://wiki.debian.org/Teams/DebianCASPackaging#head-604b7f77a51c360a7f19e099d54e0246f327110b

Best regards,
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)




Bug#495664: ITP: python-progressbar -- text progressbar library for Python

2008-08-19 Thread Sandro Tosi
Package: wnpp
Severity: wishlist
Owner: Sandro Tosi <[EMAIL PROTECTED]>

* Package name: python-progressbar
  Version : 2.2
  Upstream Author : Nilton Volpato
* URL : http://pypi.python.org/pypi/progressbar
* License : LGPL
  Programming Lang: Python
  Description : text progressbar library for Python

 This library provides a text mode progressbar. This is tipically used
 to display the progress of a long running operation, providing a
 visual clue that processing is underway.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)






Bug#495643: Catalan DDTP issues

2008-08-19 Thread Steve Langasek
On Tue, Aug 19, 2008 at 10:28:21AM +, Michael Bramer wrote:

> see bug #495643

Why has this been filed on "general"?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]






Bug#495643: Catalan DDTP issues

2008-08-19 Thread Michael Bramer
On Tue, Aug 19, 2008 at 08:57:30AM -0700, Steve Langasek wrote:
> On Tue, Aug 19, 2008 at 10:28:21AM +, Michael Bramer wrote:
> 
> > see bug #495643
> 
> Why has this been filed on "general"?

see #388212

The bug is about the i18n debian infrastructure... Don asked for filing
these bugs to general (see 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388212#24). 

Did I make a mistake?

Regards
Grisu
-- 
Michael Bramer  -- http://www.feuerwehr.kreuzau.de/wiki/
PGP: finger [EMAIL PROTECTED]  -- Linux Sysadmin   -- Use Debian Linux
"If I had foreseen the consequences, I would have become a watchmaker!"
 --- Albert Einstein






Processed: tagging 495659, severity of 495659 is normal, reassign 495659 to general

2008-08-19 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> # Automatically generated email from bts, devscripts version 2.10.35
> tags 495659 - security
Bug#495659: base: prevent unix 2038 oveflow
Tags were: security
Tags removed: security

> severity 495659 normal
Bug#495659: base: prevent unix 2038 oveflow
Severity set to `normal' from `critical'

> reassign 495659 general
Bug#495659: base: prevent unix 2038 oveflow
Bug reassigned from package `base' to `general'.

>
End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Processed: better name

2008-08-19 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> retitle 495643 i18n.debian.org: [DDTP] Catalan DDTP issues
Bug#495643: Catalan DDTP issues
Changed Bug title to `i18n.debian.org: [DDTP] Catalan DDTP issues' from 
`Catalan DDTP issues'.

> stop
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#495678: ITP: pangomm -- C++ wrapper for pango

2008-08-19 Thread Deng Xiyue
Package: wnpp
Severity: wishlist
Owner: Deng Xiyue <[EMAIL PROTECTED]>

* Package name: pangomm
  Version : 2.13.7
  Upstream Author : Murray Cumming <[EMAIL PROTECTED]>
* URL : http://www.gtkmm.org/
* License : LGPL, GPL
  Programming Lang: C++
  Description : C++ wrapper for pango

 Pango is a library for layout and rendering of text, with an emphasis
 on internationalization. Pango can be used anywhere that text layout is
 needed.
 Pangomm is a C++ wrapper for pango, mainly used by gtkmm.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (300, 'experimental')
Architecture: i386 (i686)







Bug#495643: Catalan DDTP issues

2008-08-19 Thread Steve Langasek
On Tue, Aug 19, 2008 at 04:27:35PM +, Michael Bramer wrote:
> On Tue, Aug 19, 2008 at 08:57:30AM -0700, Steve Langasek wrote:
> > On Tue, Aug 19, 2008 at 10:28:21AM +, Michael Bramer wrote:

> > > see bug #495643

> > Why has this been filed on "general"?

> see #388212

> The bug is about the i18n debian infrastructure... Don asked for filing
> these bugs to general (see 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388212#24). 

> Did I make a mistake?

Apparently not; has that pseudopackage really gone uncreated for 2 years? :/

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]









Bug#495628: general: setting system users' homes in their data directory slower security scanning

2008-08-19 Thread Bryan Donlan
On Tue, Aug 19, 2008 at 1:21 AM, alex bodnaru <[EMAIL PROTECTED]> wrote:
> Package: general
> Severity: normal
>
> putting the home directory of users like postgres or especially backuppc
> in their data directory makes routine scans of tiger over the homes directory
> for user related suspect files work significantly slower.

I'm not sure what tiger is...

> there is no reason to scan those directories, since they contain structured
> data only, but only accidental logins of those users may bring bad thing here,
> and this should be the second reason not to set their homedirs here.

... but logins for these users are disabled by default, and even if
they weren't, adding random dotfiles ought not to break anything
badly, surely?






Bug#495643: Catalan DDTP issues

2008-08-19 Thread Luk Claes
Michael Bramer wrote:
> On Tue, Aug 19, 2008 at 08:57:30AM -0700, Steve Langasek wrote:
>> On Tue, Aug 19, 2008 at 10:28:21AM +, Michael Bramer wrote:
>>
>>> see bug #495643
>> Why has this been filed on "general"?
> 
> see #388212
> 
> The bug is about the i18n debian infrastructure... Don asked for filing
> these bugs to general (see 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388212#24). 
> 
> Did I make a mistake?

Probably not, though filing bugs against general should not be
recommended IMHO.

Personally I would rather be able to file bugs against 'User's next to
(pseudo)packages which would probably solve the pseudo packages problem
in a cleaner way, would make them dynamic as they should be IMHO and
would not have the disadvantage of namespace issues...

Cheers

Luk






Re: Bug#495664: ITP: python-progressbar -- text progressbar library for Python

2008-08-19 Thread Cyril Brulebois
Sandro Tosi <[EMAIL PROTECTED]> (19/08/2008):
>  This library provides a text mode progressbar. This is tipically used

typically.

Mraw,
KiBi.




Re: Bug#495643: Catalan DDTP issues

2008-08-19 Thread Don Armstrong
On Tue, 19 Aug 2008, Luk Claes wrote:
> Michael Bramer wrote:
> > On Tue, Aug 19, 2008 at 08:57:30AM -0700, Steve Langasek wrote:
> >> On Tue, Aug 19, 2008 at 10:28:21AM +, Michael Bramer wrote:
> >>
> >>> see bug #495643
> >> Why has this been filed on "general"?
> > 
> > see #388212
> > 
> > The bug is about the i18n debian infrastructure... Don asked for filing
> > these bugs to general (see 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388212#24). 
> > 
> > Did I make a mistake?
> 
> Probably not, though filing bugs against general should not be
> recommended IMHO.

I basically need some way of knowing[0] that it's worth creating a
pseudo package before impacting the namespace; unfortunately, general
is not really the right place, but it's the best we have now.

> Personally I would rather be able to file bugs against 'User's next
> to (pseudo)packages which would probably solve the pseudo packages
> problem in a cleaner way, would make them dynamic as they should be
> IMHO and would not have the disadvantage of namespace issues...

The way I've been thinking about resolving this is to create a misc
pseudopackage which has its own mailing list (or, alternatively, sends
its mails to /dev/null.[1])

Any bug which does not have an appropriate package or existing
pseudopackage can be assigned there, and usertags can be used to
separate out these bugs as desired.

It also means that -devel won't get these messages.

An alternative is to make the general pseudopackage just like this by
switching its mailing list away from -devel, but I think that is
slightly suboptimal.

[I should note that there's nothing stopping people from just assigning
bugs to packages as they see fit without regards to whether they exist
or not... though tbm usually does the hard work of reassigning them.]

Don Armstrong

0: Currently it's ftpmaster, actually, though this is really because
they're in the best place to coordinate.
1: This decision would need some coordination with the rest of
listmaster, so.
-- 
I'm wrong to criticize the valor of your brave men. It's important to
die for one's country when it means being the subject of a king who
wears a ruffled collar or a pleated one.
 -- Cyrano de Bergerac

http://www.donarmstrong.com  http://rzlab.ucr.edu





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-19 Thread Dmitry E. Oboukhov
Package: lintian
Tags: patch, security
Severity: wishlist

Hello, lintian maintainers!
please, see full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
for example, see the bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
(if attacker makes symlink from /tmp/twiki to /etc/shadow, then
 he takes full access to the system (when twiki installs or
 upgrades))




Hi all!

I wrote the check script for the lintian package. This additional check
verifies the debian packages for the presence of the discussed bug.

Notes and additions are welcome.

patch has been placed in attachment

PS: X11 also uses the /tmp/.X11-unix directory, which may be used for
attacks, I don't know :(

but many scripts (in different packages) use /tmp/.X11-unix, if this is
not a security problem, maybe I must add ignoring for this directory in
the lintian script?

I don't know yet :(

DEO> This message about the error concerns a few packages  at  once.   I've
DEO> tested all the packages on my Debian mirror.  (post|pre)(inst|rm)  and
DEO> config scripts were tested.

DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.

DEO> For example if a script uses in its work a temp file which is  created
DEO> in /tmp directory, then every user can create symlink  with  the  same
DEO> name in this directory in order to  destroy  or  rewrite  some system
DEO> file.

DEO> I set Severity into grave for  this  bug.   The  table of  discovered
DEO> problems is below.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
--- checks/symlink_attack	1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attack	2008-08-19 23:11:44.0 +0400
@@ -0,0 +1,114 @@
+# symlink_attack -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2008 Dmitry E. Oboukhov <[EMAIL PROTECTED]>
+# 
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+package Lintian::symlink_attack;
+use strict;
+use Tags;
+
+# check file
+# 
+# the parameters:
+#   1. name of check file
+#   2. error template
+#   3. warning template
+sub check_file($$$)
+{
+	my ($file_name, $err_tmpl, $warn_tmpl)[EMAIL PROTECTED];
+
+open my $file, '<', $file_name
+or die "Can not open file `$file_name': $!\n";
+
+$file_name =~ s/^..// if $file_name =~ m{^\./};
+$file_name =~ s{^debfiles/}{debian/};
+
+# read begin of shebang
+local $_;
+return unless 10 == read $file, $_, 10;
+return unless m{^#!\s*/};
+seek $file, 0, 0;
+
+$_ = <$file>;
+return unless m{^#!\s*(?:/\S+){2,}};
+
+# read all file content
+# (remove comments, join backslash-ended string)
+$_ = join '', map { s/#.*/\n/; s/\\$//; $_ } readline $file;
+
+# errors
+my $errors_found;
+if (m{>\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m)
+{
+$errors_found=1;
+tag $err_tmpl, "$file_name (pipe)";
+}
+
+my @wh = m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g;
+# remove dups
+@wh = keys %{{ map {($_,0)} @wh }};
+if (@wh)
+{
+	$errors_found=1;
+tag $err_tmpl, "$file_name ($_)" for @wh;
+}
+
+# warnings
+unless ($errors_found)
+{
+tag $warn_tmpl, $file_name if m{\s+/tmp/};
+}
+}
+
+
+sub run 
+{
+	my ($package, $type)=(@_);
+
+my @check_files;
+
+# check maintainer scripts
+	if ($type eq 'source')
+	{
+	@check_files=
+	grep /(((pre|post)(inst|rm))|(config))(?:\.in)?$/,
+	glob ('debfiles/*');
+	}
+	else
+	{
+	@check_files=
+	grep /(((pre|post)(inst|rm))|(config))$/, glob ('control/*');
+	}
+check_file $_ => 'maint-scripts-uses-tmp-err', 
+'maint-scripts-uses-tmp-warn' for @check_files;
+
+# check binary all files in the package
+if ($type eq 'binary')
+{
+	chdir 'unpacked';
+	open my $dir, '-|', 'find -type f -executable'
+	or die "Can not start find: $!";
+	while(<$dir>)
+	{
+		chomp;
+	check_file $_ => 'scripts-uses-tmp-err', 'scripts-uses-tmp-warn';
+	}
+	chdir '..';
+}
+}
+
+1;
+
+# vim: syntax=perl ts=4 sw=4 expandtab
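
Review bot: In check_file, the pattern `(mount|mkdir|chown|chmod)\s[^;]*?/tmp/` runs over the whole file as one string and `[^;]` also matches newlines, so a `chmod` on one line and an unrelated `/tmp/` path several lines later (with no `;` in between) are reported as a single error. Limiting the gap to `[^;\n]*?` would keep the match on one command, but that needs continuation lines to be joined first: the comment promises this, yet `s/\\$//` only drops the backslash and leaves the newline in place. The warning branch `m{\s+/tmp/}` also fires on an argument such as `mktemp /tmp/foo.XXXXXX`, which is the safe idiom, so an exclusion for mktemp/tempfile templates would cut false positives. In run, the binary pass calls check_file on every executable under `unpacked`, and check_file calls `die` when `open` fails, so one unreadable file aborts the whole check; skipping that file would be more robust.
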
--- checks/symlink_attack.desc	1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attac

Re: Bug#495705: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-19 Thread Russ Allbery
"Dmitry E. Oboukhov" <[EMAIL PROTECTED]> writes:

> Package: lintian
> Tags: patch, security
> Severity: wishlist
>
> Hello, lintian maintainers!
> please, see full discussion in -devel:
> http://lists.debian.org/debian-devel/2008/08/msg00271.html
> for example, see the bug
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
>   (if attacker makes symlink from /tmp/twiki to /etc/shadow, then
>he takes full access to the system (when twiki installs or
>upgrades))
>
> I wrote the check script for the lintian package. This additional check
> verifies the debian packages for the presence of the discussed bug.

Lintian already checks for this.  If the current check is not sufficient
(which is certainly believable), it should be improved, rather than adding
a new, separate check.  See
possibly-insecure-handling-of-tmp-files-in-maintainer-script.

This, like various other checks, should be extended to more than just
maintainer scripts, which requires some additional infrastructure work on
the lintian script checking.

-- 
Russ Allbery ([EMAIL PROTECTED])   
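
The problem this sub-thread is about (a script writing to a fixed name under /tmp that another user has already turned into a symlink), shown as an added example that is not code from the thread or from lintian. It runs entirely inside a throwaway sandbox directory; the function names, the `shared` directory (standing in for /tmp) and the `victim` file are assumptions made for the illustration, and `flags_tmp_redirect` is only a grep approximation of the redirect pattern in the posted check.

```shell
#!/bin/sh
# Added illustration. All paths live in a private sandbox: "shared" stands
# in for /tmp and "victim" for a sensitive file (constructed sample data).

# Pattern the report warns about: a fixed name in a world-writable directory.
# ">" follows a symlink that already sits at that name and truncates its target.
write_predictable() {
    echo "package state" > "$1/twiki"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so a link planted at a guessed name is never opened.
write_with_mktemp() {
    tmp=$(mktemp "$1/twiki.XXXXXX") || return 1
    echo "package state" > "$tmp"
    rm -f "$tmp"
}

# Run one writer against a sandbox in which "twiki" is already a symlink
# to the victim file, then print what the victim contains afterwards.
victim_after() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    echo "original" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/shared/twiki"
    "$1" "$sandbox/shared"
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

# Heuristic in the spirit of the posted check: after stripping comments,
# does the script text on stdin redirect output straight into /tmp/?
flags_tmp_redirect() {
    sed 's/#.*//' | grep -Eq '>[[:space:]]*/tmp/'
}

echo "fixed name: victim now holds '$(victim_after write_predictable)'"
echo "mktemp:     victim now holds '$(victim_after write_with_mktemp)'"
```

The heuristic only sees literal `/tmp/` redirects; a path built from a variable passes unnoticed, which is one reason a static check like this cannot be the only safeguard.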





Re: Bug#495643: Catalan DDTP issues

2008-08-19 Thread Christian Perrier
Quoting Steve Langasek ([EMAIL PROTECTED]):

> > Did I make a mistake?
> 
> Apparently not; has that pseudopackage really gone uncreated for 2 years? :/


Yes..:-)

But, actually, this is something we revived from the team work around
i18n at DC8.

With churro/i18n.debian.net doing more and more work these days, we
now really need something to report bugs against.

See Don's explanations about why reporting against general is the
currently recommended way even if suboptimal.






Bug#495628: marked as done (general: setting system users' homes in their data directory slower security scanning)

2008-08-19 Thread Debian Bug Tracking System

Your message dated Wed, 20 Aug 2008 07:12:55 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#495628: general: setting system users' homes in their 
data directory slower security scanning
has caused the Debian Bug report #495628,
regarding general: setting system users' homes in their data directory slower 
security scanning
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
495628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495628
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: general
Severity: normal

putting the home directory of users like postgres or especially backuppc 
in their data directory makes routine scans of tiger over the homes directory 
for user related suspect files work significantly slower.

there is no reason to scan those directories, since they contain structured 
data only, but only accidental logins of those users may bring bad thing here, 
and this should be the second reason not to set their homedirs here.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


--- End Message ---
--- Begin Message ---
Quoting alex bodnaru ([EMAIL PROTECTED]):
> many thanks for your answer, christian.
>
> i will sure repost to postgresql and backuppc.
>
> also, maybe tiger should not scan the home directories of system users (< 1000).


As said, there is basically no point in reporting this to general. If
you think there's a bug in some packages, individual bugs should be
reported to those packages.

As I saw nobody objecting to this, I therefore close the general BR.




--- End Message ---
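
The check discussed in this bug report, as an added example that is not part of the original thread: it lists system accounts (UID below 1000, the cutoff mentioned in the follow-up) whose home directory lies under a data directory, flags those that also have a login shell, and returns the homes a per-user file scan would still visit if system accounts were skipped. The passwd lines, the data-directory prefixes, the no-login shell list and all function names are assumptions constructed for illustration.

```python
"""Audit passwd(5) entries for system accounts homed in a data directory."""
from pathlib import PurePosixPath

# Constructed sample; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:108:115:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
backuppc:x:109:116:BackupPC:/var/lib/backuppc:/bin/sh
mysql:x:110:117:MySQL Server:/var/lib/mysql:/bin/false
alex:x:1000:1000:Alex:/home/alex:/bin/bash
broken line without enough fields
"""
SYSTEM_UID_MAX = 999                         # "system users (< 1000)" in the thread
DATA_PREFIXES = ("/var/lib", "/var/spool", "/srv")    # assumed data locations
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue                         # skip malformed entries
        yield fields[0], int(fields[2]), fields[5], fields[6]

def under(path, prefix):
    """True if path is prefix or lies below it ('/var/library' does not match)."""
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents

def audit(text):
    """Return findings for system accounts whose home is a data directory."""
    findings = []
    for name, uid, home, shell in parse_passwd(text):
        if uid > SYSTEM_UID_MAX:
            continue                         # regular users are out of scope
        if any(under(home, pre) for pre in DATA_PREFIXES):
            findings.append({"user": name, "home": home,
                             "login_shell": shell not in NOLOGIN_SHELLS})
    return findings

def scan_targets(text):
    """Homes a per-user scan still visits when system accounts are skipped."""
    return [home for _, uid, home, _ in parse_passwd(text) if uid > SYSTEM_UID_MAX]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
    print(scan_targets(SAMPLE_PASSWD))
```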


Hardware compatibility test: draft proposal

2008-08-19 Thread Wouter Verhelst
Hi,

As I mentioned in my blog[1], I kind of like the suggestion that Bdale
came up with during Debconf that we write a hardware compatibility test
of sorts that hardware vendors could run on their own hardware to test
whether Debian works on their system. The rationale for such a test:
while most of us know how Debian works and how one should test whether
their hardware actually works with Debian, it is not reasonable to
expect the same of hardware vendors for /all/ GNU/Linux distributions
out there. According to Bdale, currently all other major operating
system vendors, including the commercial Linux distributions, already
provide such a test to the hardware vendors. For this purpose, it is
okay if such a test is interactive to some extent (after all, it is
something that you would run on a hardware prototype in a lab, not on
each and every production machine), although I'm thinking a hardware
compatibility test could be useful in more cases, where it might be
better if it wasn't interactive.

So, after more than twelve hours of boredom on an airplane and half a
night of not-being-able-to-sleep-due-to-jetlag, which is certainly
enough to think about this problem, I came up with the following things
such a system could need:

- It should be modular. People who maintain driver packages for
  particular hardware may want to write additional tests that a vendor
  may want to run; and if this particular package supports it, the
  driver package maintainer may want to provide pointers to a particular
  package so that an inexperienced user may be able to configure their
  hardware after running the test themselves.
- The different tests should each be able to communicate what type of
  hardware they test for, whether that particular piece of hardware has
  been found, and whether it actually works. The test of whether
  something works may require that network connectivity, hard disks, or
  other similar things are available in or to the system, as applicable.
- It should support a notion of what I'll call 'profiles'. A 'server'
  profile should check for different things than a 'desktop' or 'laptop'
  profile; e.g., it's usually okay if a server doesn't have graphical
  support or wireless drivers, while the same isn't true for a laptop.
- The vendor should be able to influence the score of a test by
  explicitly stating that particular hardware isn't available. If the
  vendor really wants to build a laptop without wireless drivers in this
  day and age, then it's obviously okay if no wireless drivers were
  detected. If, however, the vendor is not insane, then the failure to
  detect a wireless chipset should clearly influence the score.

So, that's probably it at this point. I should have a look at bdale's
talk once it becomes available at meetings-archive.debian.net, but that
doesn't yet seem to be the case. If someone who was at bdale's talk has
anything to add, that'd be welcome. If someone could think of anything
even without being at bdale's talk, that's welcome too, of course.

Now, with the above in mind, and after having considered Holger's
proposal to do this with Debian Live[2], I think the following generic
spec should cut it, but I'm open to other suggestions at this point.
It's also not very detailed yet, but since no code has been written yet,
that doesn't really matter at this point.

- A base package 'debian-hct' will provide a basic infrastructure for
  these tests to run in and an initscript that actually runs them. It
  will also contain some tests that are useful for /any/ system, such as
  "do we find something that looks like a harddisk controller" etc.
- Additional packages may provide tests. Packages that do so should say
  'Provides: hardware-compatibility-test' in their control file.
- Tests are found in /etc/hw-compat-tests. This directory will have
  subdirectories, one for each of 'hard disk controller', 'wired network
  interfaces', 'wireless network interfaces', etc. The scripts in this
  directory will run in asciibetical order, so that, e.g., drivers that
  need firmware to be loaded can ensure this firmware is actually loaded
  before allowing the generic test for this class of hardware to be run.
- Scripts in the subdirectories, when run, should end their output with,
  on a single line, the letter 'S', followed by a colon, followed by two
  numbers separated by a '/'; the first is the score, the second the
  maximum possible score for this script. All output that precedes the
  score is redirected to a file for the user to inspect later. Scripts
  should make sure to avoid having a line that starts with 'S:' in this
  preceding output, perhaps by escaping it with a leading space or some
  such (this leading space will not be stripped).
  - If no hardware is found that would be supported by the driver this
    script checks for, then the second number, the maximum possible
    score for this script is, by definition, 0.
  - If the hardware being tested for can only be suppor
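
A parser for the score trailer described in the draft above, as an added example that is not part of the original message and covers only the rules visible before the text breaks off: the last output line carries `S:score/max`, everything before it is log text, an `S:` line in the log must be escaped with a leading space that is kept, and a maximum of 0 means no hardware was found. The script names and outputs are constructed, the function names are hypothetical, and accepting whitespace after the colon is an assumption.

```python
"""Parse the 'S:score/max' trailer the draft asks each test script to print."""
import re

SCORE_RE = re.compile(r"^S:\s*(\d+)/(\d+)\s*$")   # whitespace tolerance: assumption

def split_output(output):
    """Return (log_text, score, maximum) from one script's captured output."""
    lines = output.rstrip("\n").split("\n")
    match = SCORE_RE.match(lines[-1])
    if match is None:
        raise ValueError("last line is not an S:score/max trailer")
    score, maximum = int(match.group(1)), int(match.group(2))
    if score > maximum:
        raise ValueError("score exceeds the script's maximum")
    log_lines = lines[:-1]
    # An unescaped 'S:' line in the log part breaks the output contract.
    if any(line.startswith("S:") for line in log_lines):
        raise ValueError("unescaped 'S:' line before the trailer")
    return "\n".join(log_lines), score, maximum   # leading spaces are kept

def run_order(script_names):
    """'Asciibetical' order: code-point sort, digits < uppercase < lowercase."""
    return sorted(script_names)

def class_total(outputs):
    """Sum (score, max) over one hardware class; max 0 adds nothing."""
    total = maximum = 0
    for out in outputs:
        _, score, script_max = split_output(out)
        total, maximum = total + score, maximum + script_max
    return total, maximum

# Constructed outputs of hypothetical scripts in one class directory.
WIRED_OK = "probing wired NICs\n S: log line escaped with a space\nS:2/2\n"
NO_HARDWARE = "no matching device\nS:0/0\n"
TRAILER_NOT_LAST = "S:1/1\nforgot to put the trailer last\n"

if __name__ == "__main__":
    print(run_order(["20-generic", "10-firmware", "Zz-last", "aa-first"]))
    print(class_total([WIRED_OK, NO_HARDWARE]))
```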

Re: Some autobuilders wait for build-indep dependencies

2008-08-19 Thread Wouter Verhelst
On Sun, Aug 17, 2008 at 12:10:28PM +0200, Francisco Moya wrote:
[...]
> > Debian Policy only knows as much as what we put in it. Therefore it
> > isn't almighty, and it *certainly* isn't a stick to beat people with, as
> > you're trying to do here. The fact that some insanity isn't in
> > policy doesn't mean you should suddenly start doing it in your
> > package.
> 
> It was not my intention to use Policy as a stick but as the only
> authoritative argument I was willing to accept for destructive "DO NOT
> DO THAT" statements without further argumentation.

Well, I did give you two more paragraphs of argumentation, actually, but
okay.

[...]
> > Changing the behaviour of your debian/rules file based on the
> > architecture you're trying to build on, is a *very* bad idea,
> > policy or no policy. If you really, *really* must make sure that
> > build-indep isn't run everywhere, then read Policy 4.9, `build',
> > paragraph 2:
> [...]
> > I'm sure you understand what I mean here.
> 
> Not really. This paragraph applies when the build target does not make
> much sense. But zeroc-ice builds a single tree and building the whole
> package does really make sense.

I think you're reading more in that paragraph than is meant; it says
"For some packages, notably ones where the same source tree is compiled
in different ways (...)", not "For packages where the same source tree
is compiled in different ways (...)", which to me suggests it can apply
to other cases too rather than just the given example.

YMMV, of course.

> In any case I think the next release will be acceptable to you, as long
> as it does more or less the same as package orsa.

Perhaps.

I do think that if you say "dpkg-buildpackage" without any argument, it
should either build all packages (if possible) or fail (if not possible
on that architecture or for some other reason). This makes it clear that
some particular thing isn't supported on a particular place, and makes
the lives of other people not familiar with your package easier. If your
setup will do this by having binary-indep depend on build-indep, then
yes, that sounds like something sane. If not, I seriously urge you to
reconsider. But as you rightly point out, there's nothing in policy to
back that up for me, so I'll shut up about that now.

What *is* in policy for me to ask you, though, is that if you do
something insane like not having 'dpkg-buildpackage' fail if
binary-indep can't be built for some reason, you should document that in
debian/README.source; see policy 4.14. Lucky me that proposal of mine
got into policy a few months ago :-)

-- 
 Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22





Bug#495736: ITP: instantbird -- instant messaging client based on XULrunner and libpurple

2008-08-19 Thread William Pitcock
Package: wnpp
Severity: wishlist
Owner: William Pitcock <[EMAIL PROTECTED]>

* Package name: instantbird
  Version : 0.1.2
  Upstream Author : Florian Quèze and Quentin Castier
* URL : http://www.instantbird.com/
* License : GPL
  Programming Lang: C, C++
  Description : instant messaging client based on XULrunner and libpurple
 Instantbird is an IM client based on Mozilla's XULrunner (the same
 platform that Iceweasel is based on). It supports connecting to all
 of the popular IRC networks through the use of libpurple, Pidgin's
 messaging core.
 .
 It supports all of the usual IM networks, like AIM, MSN, Jabber and so on.

-- System Information:
Debian Release: lenny/sid
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


