Re: usefulness of ITPs (Re: mosh ITP not done, just package name taken over)

[Paul Wise]

On Sat, Mar 31, 2012 at 4:10 AM, Goswin von Brederlow wrote:

> But are they always usefull? Does a package that is ready for upload
> already need an ITP? That is the question.

The point of an ITP is that it should be sent before starting the
packaging. If the package is already done then ... well ... yeah ...
you must have forgotten about what the I in ITP means and may as well
just upload.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caktje6e9zglkaoqzmnfhgwwjnmjgaqpyje+zc3nvw4qy8u-...@mail.gmail.com

state of security hardening build flag efforts

[Kees Cook]

Hi,

With so many maintainers working to make sure that dpkg-buildflags
defaults are getting into their packages, I thought it might be fun to
see what sort of progress has been on security hardening build flags[1].

I took an optimistic approach to the data, since there are situations
where lacking stack-protector and fortify isn't a mistake[2]. I assume
that if any hardening features is found in any binary package, then the
source package was built with that feature intentionally enabled. For
collection, I used the amd64 architecture, and my approach was:

- report count of all source packages that produce at least 1 binary
  package that contains at least 1 ELF.
- report count of all source packages that produce at least 1 binary
  package that contains at least 1 ELF that is built with stack-protector.
- same again for fortify, relro, bindnow, and pie.

sources building ELFs: 9429
built with stackprotector: 1845 (19.6%)
built with fortify:1058 (11.2%)
built with relro:  1521 (16.1%)
built with bindnow: 385  (4.1%)
built with pie: 363  (3.4%)

This is very exciting! It was only a short time ago when just a handful
of packages were building with hardening options. Now we're almost to 20%
on stack-protector. :) Thank you everyone for your great work!

I'm going to work on getting this graphed daily, like the debhelper
statistics[3].

-Kees

[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2] http://wiki.debian.org/Hardening#Validation
[3] 
http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-07-10-debhelper-statistics-redux.html

-- 
Kees Cook@debian.org


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401074937.gj8...@outflux.net

Re: [OT] NM vs. wicd

[Paul Wise]

On Sat, Mar 31, 2012 at 11:42 AM, Carlos Alberto Lopez Perez wrote:

> I had problems with my laptop also waking up mysteriously randomly on
> unknown events and I managed to solve it just disabling all wakeup
> events except PBTN

That sounds like an hack. Wouldn't it be better to log the resume
reason and figure out and fix the core issue?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAKTje6HYdKBYpBGT09Y9Gs42xqJP0R8a=o_i1vsb7ietl9e...@mail.gmail.com

Re: On init in Debian

[Raphael Hertzog]

Hi,

On Sat, 31 Mar 2012, Russ Allbery wrote:
> Josselin Mouette  writes:
> 
> > I’ve not seen many people interested specifically in upstart in this
> > discussion, apart from Canonical employees.
> 
> For the record, I'm interested specifically in upstart because I think
> that alignment with Ubuntu is a major win for Debian in terms of the
> ecosystem and aiding our already extensive sharing of packages.
> 
> I don't consider that benefit to be overwhelming, and I could be convinced
> that systemd is the way to go even if it doesn't give us that if it's
> sufficiently technically better.  But I think it's an important thing to
> keep in mind.


But isn't Ubuntu switching to systemd?

https://plus.google.com/115547683951727699051/posts/MuB3MkCnieK


I don't know how much Ubuntu is attached to upstart but I would not be
surprised if they evaluated a switch to systemd seriously given the
traction that it seems to have in the upstream GNOME ecosystem.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401081944.gg15...@rivendell.home.ouaza.com

Re: Bugs for packages which don't exist anymore / missing maintainer

[Paul Wise]

Ideally the BTS would have a better way (probably involving the
version trees) to associate these bugs with source and or binary
packages still in the archive. Where it couldn't do that the usual
auto-archiving (but not closing since the package could be
reintroduced) would be appropriate. This would also solve problems we
currently have where all bugs are closed when a package is temporarily
removed from the archive and need to be manually reopened when the
package is reintroduced.

Until we live in an ideal world, people can and should triage these
bugs to determine the appropriate package and location for them.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAKTje6HOJ_9srTaGD0sd4JrfuEN9QVj0-eCGbc=UXjCa=60...@mail.gmail.com

Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Lars Wirzenius]

Package: wnpp
Severity: wishlist
Owner: Lars Wirzenius 

* Package name: dedupdedup
  Version : 1.0
  Upstream Author : Lars Wirzenius
* URL : http://liw.fi/dedupdedup/
* License : AGPLv3+
  Programming Lang: Python
  Description : find duplicate programs for finding duplicate files

dedupdedup is a program to find duplicate programs for finding duplicate
files on the filesystem. It looks through the Debian package archive
and the open ITP bugs to find programs that find duplicate files. It
can then optionally close the ITP bugs, and file bugs against
ftp-master.debian.org to get such programs to be removed from the
archive.

Not all duplicate file finder programs are exact copies of each other,
so dedupdedup embeds a simple AI system to compare programs, based on
package descriptions, --help output, and manual pages, to verify that
only the most complete of such programs remains.



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401084825.10835.7030.reportbug@havelock

Re: On init in Debian

[Marco d'Itri]

On Mar 31, Josselin Mouette  wrote:

> I’ve not seen many people interested specifically in upstart in this
> discussion, apart from Canonical employees.
I am interested in upstart and I am not a Canonical employee, but 
I refrained from discussing which init system is better because the 
urgent goal right now is to make everybody understand that they are all 
better than sysvinit.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

bug reports with urls in them

[Michael Welle]

Hello,

I just tried to report a bug. To show how one can reproduce
the bug I needed an url, I chose www.foo.org for that purpose. The
result:

:
140.211.15.34 failed after I sent the message.
Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
550 http://lookup.uribl.com.

WTF? Interesting user experience, bug reporters will like that big
time...

Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87r4w7ddg0@luisa.c0t0d0s0.de

Re: On init in Debian

[Adam Borowski]

On Sun, Apr 01, 2012 at 10:19:44AM +0200, Raphael Hertzog wrote:
> 
> But isn't Ubuntu switching to systemd?
> 
> https://plus.google.com/115547683951727699051/posts/MuB3MkCnieK
> 

The guy's reality distortion field is amazing.  "Last bastion", heh.
Interesting wording for "all but two distributions".

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401091243.ga32...@angband.pl

Re: bug reports with urls in them

[martin f krafft]

also sprach Michael Welle  [2012.04.01. +0200]:
> I just tried to report a bug. To show how one can reproduce
> the bug I needed an url, I chose www.foo.org for that purpose.

See RFC2606.

-- 
 .''`.   martin f. krafft   Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
"distrust all those who love you extremely
 upon a very slight acquaintance and without any visible reason."
  -- lord chesterfield


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)

Re: bug reports with urls in them

[Andrey Rahmatullin]

On Sun, Apr 01, 2012 at 11:11:11AM +0200, Michael Welle wrote:
> I just tried to report a bug. To show how one can reproduce
> the bug I needed an url, I chose www.foo.org for that purpose.
You have example.com just for that.

> :
> 140.211.15.34 failed after I sent the message.
> Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
> 550 http://lookup.uribl.com.
Yes, it is listed there. 

> WTF? Interesting user experience, bug reporters will like that big
> time...
How many bug reporters will choose foo.org for their example URLs?

-- 
WBR, wRAR


signature.asc
Description: Digital signature

Re: bug reports with urls in them

[Russ Allbery]

Michael Welle  writes:

> I just tried to report a bug. To show how one can reproduce
> the bug I needed an url, I chose www.foo.org for that purpose. The
> result:

> :
> 140.211.15.34 failed after I sent the message.
> Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
> 550 http://lookup.uribl.com.

> WTF? Interesting user experience, bug reporters will like that big
> time...

The problem here is that foo.org is a real domain, and one that appears to
be owned by one of those domain parking companies that quite likely could
be doing lots of grey things with the domain.  A lot of those companies
are at the least spammers.

In this particular case, it's in a blacklist with a zero-false-positive
goal, which *probably* (although with blacklists it's always suspect)
means that there really was a spamvertised site or other direct spam usage
of that URL, although it's possible that the reports were from "generic"
URL usages similar to yours mixed in with spam.

There are various registered domains specifically for use for your purpose
(example.com, example.org, example.net, and others).  It's generally best
to use them for any generic example rather than a domain that could be
real.

-- 
Russ Allbery (r...@debian.org)   


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87k41zn730@windlord.stanford.edu

Re: bug reports with urls in them

[Michael Welle]

Hello,

martin f krafft  writes:

> also sprach Michael Welle  [2012.04.01. +0200]:
>> I just tried to report a bug. To show how one can reproduce
>> the bug I needed an url, I chose www.foo.org for that purpose.
>
> See RFC2606.
so you suggest a Debian user should consult RFCs before reporting a bug
in some software package that she or he is using?

Reards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87mx6vdd17@luisa.c0t0d0s0.de

Re: bug reports with urls in them

[Andrey Rahmatullin]

On Sun, Apr 01, 2012 at 11:20:04AM +0200, Michael Welle wrote:
> >> I just tried to report a bug. To show how one can reproduce
> >> the bug I needed an url, I chose www.foo.org for that purpose.
> > See RFC2606.
> so you suggest a Debian user should consult RFCs before reporting a bug
> in some software package that she or he is using?
A Debian user should probably try to not use suspicious URLs in bug
reports.

-- 
WBR, wRAR


signature.asc
Description: Digital signature

Re: bug reports with urls in them

[Michael Welle]

Hello,

Andrey Rahmatullin  writes:

> On Sun, Apr 01, 2012 at 11:11:11AM +0200, Michael Welle wrote:
>> I just tried to report a bug. To show how one can reproduce
>> the bug I needed an url, I chose www.foo.org for that purpose.
> You have example.com just for that.
>
>> :
>> 140.211.15.34 failed after I sent the message.
>> Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
>> 550 http://lookup.uribl.com.
> Yes, it is listed there. 
>
>> WTF? Interesting user experience, bug reporters will like that big
>> time...
> How many bug reporters will choose foo.org for their example URLs?
how many hosts are listed at uribl.com for whatever reasons and how many
of them are randomly chosen by bug reporters?

Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87iphjdcwc@luisa.c0t0d0s0.de

Re: state of security hardening build flag efforts

[Paul Wise]

On Sun, Apr 1, 2012 at 3:49 PM, Kees Cook wrote:

> This is very exciting! It was only a short time ago when just a handful
> of packages were building with hardening options. Now we're almost to 20%
> on stack-protector. :) Thank you everyone for your great work!

Very nice, thanks for pushing it!

> I'm going to work on getting this graphed daily, like the debhelper
> statistics[3].

If you do, please add that to the statistics wiki page:

http://wiki.debian.org/Statistics

BTW:

Under what circumstances do you think GCC upstream should be enabling
these options by default (as several distributions other than Debian
do)?

Do you have any stats about where packages had to avoid enabling these options?

Do you feel the frequency of that is low enough to enable these
options by default (in upstream or in distros)?

If you think that enabling them by default in GCC upstream is doable,
what kind of blockers and timeframe would we expect for that?

I would personally like binaries not built by debian/rules but built
on Debian systems to be hardened by default.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAKTje6F-9v=rQ7_ki5GFtGNn9DsizSADZQwvh_jSC=c6xcn...@mail.gmail.com

Re: bug reports with urls in them

[Andrey Rahmatullin]

On Sun, Apr 01, 2012 at 11:22:59AM +0200, Michael Welle wrote:
> >> I just tried to report a bug. To show how one can reproduce
> >> the bug I needed an url, I chose www.foo.org for that purpose.
> > You have example.com just for that.
> >
> >> :
> >> 140.211.15.34 failed after I sent the message.
> >> Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
> >> 550 http://lookup.uribl.com.
> > Yes, it is listed there. 
> >
> >> WTF? Interesting user experience, bug reporters will like that big
> >> time...
> > How many bug reporters will choose foo.org for their example URLs?
> how many hosts are listed at uribl.com for whatever reasons and how many
> of them are randomly chosen by bug reporters?
I don't have such data.

-- 
WBR, wRAR


signature.asc
Description: Digital signature

Re: bug reports with urls in them

[Michael Welle]

Hello,

Russ Allbery  writes:

> Michael Welle  writes:
>
>> I just tried to report a bug. To show how one can reproduce
>> the bug I needed an url, I chose www.foo.org for that purpose. The
>> result:
>
>> :
>> 140.211.15.34 failed after I sent the message.
>> Remote host said: 550-Blacklisted URL in message. (foo.org) in [black]. See
>> 550 http://lookup.uribl.com.
>
>> WTF? Interesting user experience, bug reporters will like that big
>> time...
>
> The problem here is that foo.org is a real domain, and one that appears to
> be owned by one of those domain parking companies that quite likely could
> be doing lots of grey things with the domain.  A lot of those companies
> are at the least spammers.
>
> In this particular case, it's in a blacklist with a zero-false-positive
> goal, which *probably* (although with blacklists it's always suspect)
> means that there really was a spamvertised site or other direct spam usage
> of that URL, although it's possible that the reports were from "generic"
> URL usages similar to yours mixed in with spam.
>
> There are various registered domains specifically for use for your purpose
> (example.com, example.org, example.net, and others).  It's generally best
> to use them for any generic example rather than a domain that could be
> real.
I personally don't like services that blacklist hostnames for reasons
that I can't control. IIRC even machines controlled by the big Linux
projects appeared on such blacklists in the past. If you design your
infrastructure around such services your design is f* up, IMO.

Anyways, what if I want to report a bug that happens if I use foo.org?


Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87ehs7dchm@luisa.c0t0d0s0.de

Re: bug reports with urls in them

[Michael Welle]

Hello,

Andrey Rahmatullin  writes:

> On Sun, Apr 01, 2012 at 11:20:04AM +0200, Michael Welle wrote:
>> >> I just tried to report a bug. To show how one can reproduce
>> >> the bug I needed an url, I chose www.foo.org for that purpose.
>> > See RFC2606.
>> so you suggest a Debian user should consult RFCs before reporting a bug
>> in some software package that she or he is using?
> A Debian user should probably try to not use suspicious URLs in bug
> reports.
so your try to tell Debian users which urls they have to use and which
they have not to use? I guess you can tell what's wrong with foo.org in
a sentence or two?

Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87aa2vdcd6@luisa.c0t0d0s0.de

Bug#666723: ITP: sptk -- speech signal processing toolkit

[Giulio Paci]

Package: wnpp
Severity: wishlist
Owner: Giulio Paci 

* Package name: sptk
  Version : 3.5
  Upstream Author : Keiichiro Oura 
* URL : http://sp-tk.sourceforge.net/
* License : BSD
  Programming Lang: (C, tcsh)
  Description : speech signal processing toolkit



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401104731.10704.47361.reportbug@geppetto

Bug#666724: ITP: sctk -- speech recognition scoring toolkit

[Giulio Paci]

Package: wnpp
Severity: wishlist
Owner: Giulio Paci 

* Package name: sctk
  Version : 2.4.0
  Upstream Author : Jon Fiscus 
* URL : http://www.nist.gov/speech/tools/
* License : Public Domain, GPL
  Programming Lang: C, C++, Perl
  Description : speech recognition scoring toolkit



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401105606.10931.62958.reportbug@geppetto

Re: Bugs for packages which don't exist anymore / missing maintainer

[Gergely Nagy]

"Manuel A. Fernandez Montecelo"  writes:

> So I have several related questions:
>
> 1) In general, what should the maintainers do to prevent such cases?
> I guess that one could reassign the bugs from the old package to the
> new one, but it seems obvious that this can be oversought easily,
> especially for libpackages where SOVERSION changes often.  Is there
> any automatic mechanism in place to try to prevent this?

Not that I know of, no. For packages that change name reasonably often
(or well, most library packages anyway), I'd think it would be best to
reassign the reports to the source package upon receipt, so that it
won't get lost.

One thing that comes to mind, is that when a binary or source package
gets removed from the archive (either manually, or automatically), the
appropriate piece of software could mail the maintainer of the old
package notifying him that some of the bugreports may become orphaned.

> 2) What to do now with all of these bug reports?  Reassign them to the
> related source package in unstable?  Contact QA? Nothing at all?

The best course of action would be to check whether the reported issue
is still valid, and reassign to the appropriate (source) package if it
is, -done@ otherwise.

If in doubt, contact QA.

-- 
|8]


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87sjgnu34a@luthien.mhp

Re: bug reports with urls in them

[Michael Banck]

On Sun, Apr 01, 2012 at 11:31:49AM +0200, Michael Welle wrote:
> Anyways, what if I want to report a bug that happens if I use foo.org?

We can discuss this again once this is actually the case.


Regards,

Michael


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20120401112740.gk9...@nighthawk.chemicalconnection.dyndns.org

Re: bug reports with urls in them

[Michael Welle]

Hello,

Michael Banck  writes:

> On Sun, Apr 01, 2012 at 11:31:49AM +0200, Michael Welle wrote:
>> Anyways, what if I want to report a bug that happens if I use foo.org?
>
> We can discuss this again once this is actually the case.
chances that users without technical background come back and report
that bug a second time (after figuring out what might be wrong) are slim
I think. 

Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87zkavbrpk@luisa.c0t0d0s0.de

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Ben Finney]

Lars Wirzenius  writes:

> * Package name: dedupdedup

Is it recommended to sing the name of this package in a Frank Sinatra
impression?

-- 
 \ “A man must consider what a rich realm he abdicates when he |
  `\   becomes a conformist.” —Ralph Waldo Emerson |
_o__)  |
Ben Finney


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87bonbhb21@benfinney.id.au

Re: On init in Debian

[Uoti Urpala]

Russ Allbery wrote:
> Josselin Mouette  writes:
> 
> > I’ve not seen many people interested specifically in upstart in this
> > discussion, apart from Canonical employees.
> 
> For the record, I'm interested specifically in upstart because I think
> that alignment with Ubuntu is a major win for Debian in terms of the
> ecosystem and aiding our already extensive sharing of packages.
> 
> I don't consider that benefit to be overwhelming, and I could be convinced
> that systemd is the way to go even if it doesn't give us that if it's
> sufficiently technically better.  But I think it's an important thing to
> keep in mind.

Alignment with Ubuntu could give short-term benefits. But using Upstart
would practically ensure that the init systems used by major
distributions would continue to differ. This is definitely not in the
long-term interest of the Linux ecosystem as a whole. Fedora will not
switch to a technically inferior system for the sake of compatibility
with Debian. On the other hand, I'm not aware of any reasons why Ubuntu
would need to keep its own init system, other than NIH and the
short-term cost of switching.

If it's determined that systemd is the best init system for Debian, then
IMO the most appropriate way to ensure "alignment" would be to put
pressure on Ubuntu to abandon Upstart. If Debian implements a well-tuned
systemd setup then adopting that in Ubuntu should not be too difficult.

To view this from another angle: the "major wins" of Debian-Ubuntu
alignment apply equally much or more to Ubuntu. Why should you consider
the Ubuntu decisions to be set in stone, and the Debian side obligated
to bear the costs of compatibility by adapting to Ubuntu decisions, even
if those decisions are considered suboptimal?



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1333287018.24970.55.camel@glyph.nonexistent.invalid

Bug#666754: ITP: aekeech6 -- duplicate duplicate program deduplicator

[Tollef Fog Heen]

Package: wnpp
Owner: Tollef Fog Heen 
Severity: wishlist

* Package name: aekeech6
  Version : π
  Upstream Author : Tollef Fog Heen
* URL or Web page : gopher://err.no/aekeech6
* License : 2-clause BSD
  Programming Lang: C
  Description : duplicate duplicate program deduplicator

After the recent torrent of deduplication programs on debian-devel, I
got bored of the lot of them and wrote a metadeduplication tool.

The way it works is it runs all of them, checks if they are functionally
equivalent and if so, files removal bugs against ftp.debian.org.

The name, like all good names, comes from pwgen.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87fwcnzelo@qurzaw.varnish-software.com

Re: bug reports with urls in them

[Fernando Lemos]

Hi,

On Sun, Apr 1, 2012 at 8:45 AM, Michael Welle  wrote:
> Hello,
>
> Michael Banck  writes:
>
>> On Sun, Apr 01, 2012 at 11:31:49AM +0200, Michael Welle wrote:
>>> Anyways, what if I want to report a bug that happens if I use foo.org?
>>
>> We can discuss this again once this is actually the case.
> chances that users without technical background come back and report
> that bug a second time (after figuring out what might be wrong) are slim
> I think.

How do you suggest we fix this? We certainly can't disable spam
filters or we'll be flooded with spam. If you follow debian-devel, you
must also know that a web reporting frontend was discussed in length
already, so hopefully this won't be brought up again.

I'm not sure it's a problem even worth discussing. The trouble of
coming up with a solution seems much bigger than the inconvenience of
missing an odd report here and there (I'd be curious to know how often
a report is wrongfully rejected).

Also, let's be practical. If the reporter doesn't realize something
went wrong with the report, he or she is most likely not very
tech-savvy. Those reports are still mostly useful, but in a sea of bug
reports, those are often the least useful. And if the reporter does
notice that the report has been wrongfully rejected but can't be
bothered to report it again, perhaps the issue wasn't such a big deal.

I'm not saying it's good that we miss reports like this, but we must
put things into perspective.

Regards,


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/canvyna98mkuj82x+snu+9pezocygrgn9kyvd73soox3xek9...@mail.gmail.com

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Ben Hutchings]

On Sun, 2012-04-01 at 09:48 +0100, Lars Wirzenius wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Lars Wirzenius 
> 
> * Package name: dedupdedup
>   Version : 1.0

Where is this version?  I couldn't see any releases on the site you
refer to.

>   Upstream Author : Lars Wirzenius
> * URL : http://liw.fi/dedupdedup/
> * License : AGPLv3+
>   Programming Lang: Python
>   Description : find duplicate programs for finding duplicate files
> 
> dedupdedup is a program to find duplicate programs for finding duplicate
> files on the filesystem. It looks through the Debian package archive
> and the open ITP bugs to find programs that find duplicate files. It
> can then optionally close the ITP bugs, and file bugs against
> ftp-master.debian.org to get such programs to be removed from the
> archive.

This would be very useful, thanks.

> Not all duplicate file finder programs are exact copies of each other,
> so dedupdedup embeds a simple AI system to compare programs, based on
> package descriptions, --help output, and manual pages, to verify that
> only the most complete of such programs remains.

Can like this be generalised to dedupe web servers, window managers and
init systems?

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett


signature.asc
Description: This is a digitally signed message part

Bug#666758: ITP: librole-tiny-perl -- minimalist role composition Perl module

[Alessandro Ghedini]

Package: wnpp
Owner: Alessandro Ghedini 
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org,debian-p...@lists.debian.org

* Package name: librole-tiny-perl
  Version : 1.00
  Upstream Author : Matt S. Trout 
* URL : http://search.cpan.org/dist/Role-Tiny/
* License : Artistic or GPL-1+
  Programming Lang: Perl
  Description : minimalist role composition Perl module

Role::Tiny is a Perl module to do minimalist role composition. Role composition
can be thought of as much more clever and meaningful multiple inheritance.

The basics of this implementation of roles is:
 * If a method is already defined on a class, that method will not be composed
   in from the role.
 * If a method that the role "requires" to be implemented is not implemented,
   role application will fail loudly.

Unlike Class::C3, where the last class inherited from "wins," role composition
is the other way around, where first wins. In a more complete system (see
Moose) roles are checked to see if they clash. The goal of this is to be much
simpler, hence disallowing composition of multiple roles at once.



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f786dcd.2266b40a.4c57.4...@mx.google.com

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Tollef Fog Heen]

]] Ben Hutchings 

> > Not all duplicate file finder programs are exact copies of each other,
> > so dedupdedup embeds a simple AI system to compare programs, based on
> > package descriptions, --help output, and manual pages, to verify that
> > only the most complete of such programs remains.
> 
> Can like this be generalised to dedupe web servers, window managers and
> init systems?

aekeech6 can, at least.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87bonbze08@qurzaw.varnish-software.com

Re: Bug#666754: ITP: aekeech6 -- duplicate duplicate program deduplicator

[Adam Borowski]

On Sun, Apr 01, 2012 at 04:55:15PM +0200, Tollef Fog Heen wrote:
> Package: wnpp
> 
> * Package name: aekeech6
>   Version : π

How is Knuth's health these days?

> * URL or Web page : gopher://err.no/aekeech6

That machine rejects connections on port 70.  Reading the source for that
thing could be interesting :p


-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401153623.ga1...@angband.pl

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Lars Wirzenius]

On Sun, Apr 01, 2012 at 05:08:06PM +0200, Tollef Fog Heen wrote:
> ]] Ben Hutchings 
> 
> > > Not all duplicate file finder programs are exact copies of each other,
> > > so dedupdedup embeds a simple AI system to compare programs, based on
> > > package descriptions, --help output, and manual pages, to verify that
> > > only the most complete of such programs remains.
> > 
> > Can like this be generalised to dedupe web servers, window managers and
> > init systems?
> 
> aekeech6 can, at least.

Given that yours is written in C and is therefore inflexible, and mine's
in Python and therefore easy to hack, isn't it obvious that mine's going
to be better in the long run?

Though I guess we could support both, and define an interchange format
for exchanging data between our two systems.

-- 
All my predictions will turn out to be false


signature.asc
Description: Digital signature

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Gergely Nagy]

Lars Wirzenius  writes:

> On Sun, Apr 01, 2012 at 05:08:06PM +0200, Tollef Fog Heen wrote:
>> ]] Ben Hutchings 
>> 
>> > > Not all duplicate file finder programs are exact copies of each other,
>> > > so dedupdedup embeds a simple AI system to compare programs, based on
>> > > package descriptions, --help output, and manual pages, to verify that
>> > > only the most complete of such programs remains.
>> > 
>> > Can like this be generalised to dedupe web servers, window managers and
>> > init systems?
>> 
>> aekeech6 can, at least.
>
> Given that yours is written in C and is therefore inflexible, and mine's
> in Python and therefore easy to hack, isn't it obvious that mine's going
> to be better in the long run?
>
> Though I guess we could support both, and define an interchange format
> for exchanging data between our two systems.

I object to both programs, as they both will require hacks to run under
Debian GNU/Emacs as that OS only supports elisp natively. Furthermore,
Lisp is _the_ best language, ever, anyway.

So I'd like to ask you both to drop your futile attempts at trying to be
better than what can be done with a few lines of lisp:

,
| (require 'os)
| (require 'ai)
| (find-dupes is-dup?)
`

But, since freedom of choice IS important, and not everyone has seen the
Light yet, I suppose we can maintain all three. But I strongly suggest
the interchange format to be lisp code. Or better yet, the interchange
format be the source of the emacs deduplicator itself.

-- 
|8]


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87obrbtpkl@luthien.mhp

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Lars Wirzenius]

On Sun, Apr 01, 2012 at 05:54:50PM +0200, Gergely Nagy wrote:
> But, since freedom of choice IS important, and not everyone has seen the
> Light yet, I suppose we can maintain all three. But I strongly suggest
> the interchange format to be lisp code.

I object to data file formats that are expressed in a Turing complete
language. I'd be happy with either XML encoded in JSON or the WAP
BXML format instead, though.

-- 
All my predictions will turn out to be false


signature.asc
Description: Digital signature

Re: Bugs for packages which don't exist anymore / missing maintainer

[Manuel A. Fernandez Montecelo]

2012/4/1 Gergely Nagy :
>> 2) What to do now with all of these bug reports?  Reassign them to the
>> related source package in unstable?  Contact QA? Nothing at all?
>
> The best course of action would be to check whether the reported issue
> is still valid, and reassign to the appropriate (source) package if it
> is, -done@ otherwise.
>
> If in doubt, contact QA.

OK, thanks to you and Paul for the reply.

Cheers.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/capq4b8nw7vtpfoct+t0yc87chbyd8tojaytdrnb_ajgzg24...@mail.gmail.com

Re: bug reports with urls in them

[Ben Pfaff]

Fernando Lemos  writes:

> On Sun, Apr 1, 2012 at 8:45 AM, Michael Welle  wrote:
>> Michael Banck  writes:
>>
>>> On Sun, Apr 01, 2012 at 11:31:49AM +0200, Michael Welle wrote:
 Anyways, what if I want to report a bug that happens if I use foo.org?
>>>
>>> We can discuss this again once this is actually the case.
>> chances that users without technical background come back and report
>> that bug a second time (after figuring out what might be wrong) are slim
>> I think.
>
> How do you suggest we fix this? We certainly can't disable spam
> filters or we'll be flooded with spam. If you follow debian-devel, you
> must also know that a web reporting frontend was discussed in length
> already, so hopefully this won't be brought up again.

I doubt that a significant amount of spam contains valid Package:
or Version: pseudo-headers.  If I'm right, that could be used as
a criterion to accept email to sub...@bugs.debian.org that
otherwise appears to be spam.
-- 
Ben Pfaff 
http://benpfaff.org


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87398npfp1@blp.benpfaff.org

Re: bug reports with urls in them

[Michael Welle]

Hello,

Fernando Lemos  writes:

> Hi,
>
> On Sun, Apr 1, 2012 at 8:45 AM, Michael Welle  wrote:
>> Hello,
>>
>> Michael Banck  writes:
>>
>>> On Sun, Apr 01, 2012 at 11:31:49AM +0200, Michael Welle wrote:
 Anyways, what if I want to report a bug that happens if I use foo.org?
>>>
>>> We can discuss this again once this is actually the case.
>> chances that users without technical background come back and report
>> that bug a second time (after figuring out what might be wrong) are slim
>> I think.
>
> How do you suggest we fix this? We certainly can't disable spam
> filters or we'll be flooded with spam. If you follow debian-devel, you
> must also know that a web reporting frontend was discussed in length
> already, so hopefully this won't be brought up again.
ah, now that you mention that, nah, just kidding ;). Well, the short
answer is, I don't know how to fix the spam problem. I don't use such
blacklist services for the machines I'm responsible for - and I'm still
alive. I tried it a few years ago, but for me it causes more trouble
than that it helps.


> I'm not sure it's a problem even worth discussing. The trouble of
> coming up with a solution seems much bigger than the inconvenience of
> missing an odd report here and there (I'd be curious to know how often
> a report is wrongfully rejected).
And furthermore it would be interesting to see what one would gain using
such services. Either the service isn't used for this mailing list or
it is easy to fool by lacking the http:// part of the url. What would
happen if the bug report would been sent from that hostname? I hope it
would have been blocked ;).


> Also, let's be practical. If the reporter doesn't realize something
> went wrong with the report, he or she is most likely not very
> tech-savvy. Those reports are still mostly useful, but in a sea of bug
> reports, those are often the least useful. And if the reporter does
> notice that the report has been wrongfully rejected but can't be
> bothered to report it again, perhaps the issue wasn't such a big deal.
I agree only partly with that. Losing a bug report or two is one
thing. Imagine a potential or actual customer sending an email to a
company and getting a response like: 'Well, we don't know on which data
we form our opinion, but we think you are a nigerian scammer or you eat
kitten babies. Either way, we don't like you, go away.'. That's what's
happening. 


> I'm not saying it's good that we miss reports like this, but we must
> put things into perspective.
I tried to give perspective from a bug reporters point of view, who
simply want to report a bug without being interested in external
blacklist and stuff. 

Regards
hmw

-- 
biff4emacsen - A biff-like tool for (X)Emacs
http://www.c0t0d0s0.de/biff4emacsen/biff4emacsen.html
Flood - Your friendly network packet generator
http://www.c0t0d0s0.de/flood/flood.html


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87sjgnbdd6@luisa.c0t0d0s0.de

Re: pdiff for Translation files, increased times

[Filipus Klutiero]

Hi Joerg,

Joerg Jaspert wrote:


Hi

i took the BSP i am at right now to look at that pdiff shit, and after i
finished yelling at that code, we now are creating pdiff files for
changed Translation-*.bz2 too.


Thank you. This solves #659976.



That is, we just started, so there is only the pdiff for the -en file
available, but whenever the other languages get updates they will gain a
.diff too.

I have no idea if this is support in apt&friends already, but I'm using
the exact same stuff as for the other pdiff files, so shouldn't be too
hard to get into them if not yet.



It now is, although only in experimental. See #657902.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f788add.1060...@gmail.com

Anyone in direct contact with Peter S. Galbraith (psg)?

[Neil Williams]

I was investigating #633893 and tried to contact the maintainer but the
@debian.org email address bounced. I checked the MIA tools and found
some extra email addresses which didn't bounce but to which I've had no
reply since Sat, 17 Mar 2012 11:45:45. (Those email addresses
added back to the BCC: of this email.) My second email also bounced
from the @d.o address.

The only other people listed as uploaders on these packages are also
CC:'d.

The RC bug was since shown to be fixed, so it's closed. However, having
packages with a @d.o address which bounces isn't good. (Could easily
generate 20 RC bugs as per Policy 3.3)

Last seen:
http://lists.debian.org/debian-devel/2012/01/msg00397.html

As a first step to raising this with the MIA team, this is an attempt to
find out about Peter, to elicit a response so that the packages can be
updated or orphaned.

http://qa.debian.org/developer.php?login=psg

Packages concerned:
emacs-goodies-el g3data gri imgsizer jazip libforms libtcd mh-book mh-e
poster powstatd proj proj-ps-doc tcd-utils xcolmix xplot xtide
xtide-coastline xtide-data xwatch xtide-data-nonfree

Peter, if you are receiving email via these other email addresses but
just busy, please reply. If there is any way that the @d.o email address
forwarding can be fixed via db.debian.org, it would be very useful.
There's no forwarding set in db.debian.org currently.

-- 


Neil Williams
=
http://www.linux.codehelp.co.uk/



pgpPYkiFrSAvN.pgp
Description: PGP signature

Re: synaptic in gnome (wheezy, etc)

[Filipus Klutiero]

Hi songbird,

On 2012-03-27 14:04, songbird wrote:

hello,

   regarding your recent message about synaptic in
Gnome.

   i have been using it all along with wheezy in
Gnome.

   i dislike any other package manager i've tried.
i need a way to generate a download list so i can
get larger files via the library and USB stick
(slow connection here at home).

   as far as interface goes synaptic is intuitive and
mostly does what i need it to do.

   for troubles i use dpkg or aptitude to sort it out.
other helpful tools have been orphaner and apt-get.


Thank you. In the interest of transparency, please directly provide your 
opinion to debian-devel@lists.debian.org in the future.


   the only thing i'm hitting now that is a consistent
problem (but i'm not sure where it comes from) is that
the translations for testing,sid,experimental download
each time i check for updates instead of getting a
smaller diff (like the pdiffs that happen for the
package files).  as i am on a dialup that has changed
the check for updates from a 15 minute task (most
times) to a 45-60 minute task.  if you know of a bug
number i can track for this issue that would be helpful.
i haven't been able to find anything in the bug tracker
to follow.


I didn't, but I found this one: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657902
The issue is solved in experimental, but it will take some time before 
the solution reaches wheezy.
If you're on dialup though, 2 problems may affect you, the need to get 
descriptions for all languages if you didn't configure APT to download 
just English, and the need to update English descriptions. The latter 
problem will be solved by future APT versions, but to solve the former, 
you need to configure APT. I use


Acquire::Languages "en"; 


to do that. But then, see 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641967





   i'm not a C++ programmer yet (most of my experience
is with C and even most of that isn't recent so i'm
gradually getting back to it), but i can probably help
in some manner (testing at least).

   thanks and good luck,  :)


   songbird




--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f789928.4050...@gmail.com

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Nick Leverton]

On Sun, Apr 01, 2012 at 04:40:22PM +0100, Lars Wirzenius wrote:
> On Sun, Apr 01, 2012 at 05:08:06PM +0200, Tollef Fog Heen wrote:
> > ]] Ben Hutchings 
> > > init systems?
> > 
> > aekeech6 can, at least.
> 
> Given that yours is written in C and is therefore inflexible, and mine's
> in Python and therefore easy to hack, isn't it obvious that mine's going
> to be better in the long run?
> 
> Though I guess we could support both, and define an interchange format
> for exchanging data between our two systems.

Is there not a risk that they would dedupe each other ?

Incidentally I note that dedupdedup has deduped this bug 

Nick


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401180733.ga19...@leverton.org

Re: state of security hardening build flag efforts

[Kees Cook]

On Sun, Apr 01, 2012 at 05:24:00PM +0800, Paul Wise wrote:
> On Sun, Apr 1, 2012 at 3:49 PM, Kees Cook wrote:
> > I'm going to work on getting this graphed daily, like the debhelper
> > statistics[3].
> 
> If you do, please add that to the statistics wiki page:
> 
> http://wiki.debian.org/Statistics

Ah-ha, yes. I will do that. :)

> Under what circumstances do you think GCC upstream should be enabling
> these options by default (as several distributions other than Debian
> do)?

I haven't attempted to push these things to upstream yet, but I still
think it would be a great idea. Magnus Granberg from Gentoo maintains
a patch against gcc for Gentoo, and has made attempts to upstream it,
but I'm not sure where it stands:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-gccpatchset.git;a=tree;f=gcc-4.7.0/piepatch;hb=HEAD

> Do you have any stats about where packages had to avoid enabling these 
> options?

I have tried to encourage Ubuntu developers to keep track of stuff that
couldn't be trivially fixed here:
https://wiki.ubuntu.com/ToolChain/CompilerFlags#Problems

For everything else, I've tried to get patches either to the upstream
directly, or to Debian. The vast majority of those have been taken. It
was, honestly, a pretty short list since Gentoo did a ton of this
upstreaming of fixes when they started their hardening initiative. (RedHat
did a lot of work on hardening fixes too, but didn't tend to be very
effective at getting them upstreamed.)

I'm not sure how up to date that list, is though. I strongly suspect there
are things missing from it. :) But it's really just a handful of more
difficult problems vs the tens of thousands of packages in the archive.

Frankly, probably the most disruptive change was -Werror=format-security,
which wasn't enabled in Ubuntu (since fighting all the errors at once
seemed extremely daunting). Instead, I turned it on in hardening-wrapper,
and then via dpkg-buildflags to slowly ease it into the archive.

> Do you feel the frequency of that is low enough to enable these
> options by default (in upstream or in distros)?

Take my opinion with a grain of salt, as even I recognize that I'm a bit
of an extremist about this, but yes, absolutely. I succeeded in making
this happen in Ubuntu, and while the path is very different in Debian,
for package builds it is effectively "by default" now too (assuming
the package's build system is modern and the flags are passed into the
build correctly). As for the upstream compiler, I recognize they have
more users than just distro builders, but it seems to me that it is
irresponsible to not enable these features by default in the compiler. :)

Note that the default flags in both Ubuntu and Debian lack PIE (where
as Gentoo's hardening patchset includes PIE by default). The Debian
hardening documentation has encouraged maintainers to enable PIE too
if they have a sensitive package (daemons, media processors, browsers,
interpreters, etc), so it's not totally absent.

I'd like to see the default on architectures with enough general registers
(e.g. amd64) include PIE. The other archs, like i386, suffer quite a bit
(15% performance hit) in some cases, so while I think it should still be
the default there, it's not a decision I'm likely to be able to convince
more performance-sensitive people about.

I'd like to push for it on amd64 once more packages are building with
the default flags. We'd need the entire base system converted, though, to
deal with some of the build ordering problems with switching to PIE. The
problem is with shipped .a files: those object files must all be built
with -fPIE for them to link into a -pie binary. (i.e. all static users
of the .a need to be rebuilt after the .a is built.) It's doable, it
just needs to be done careful attention given to dependency ordering. I
don't think a specific flag-day would be needed.

> If you think that enabling them by default in GCC upstream is doable,
> what kind of blockers and timeframe would we expect for that?

I think the blockers are mostly political. There are no serious technical
blockers that I see (e.g. it _is_ enabled in the Ubuntu compiler). Getting
it into a form that upstream gcc would be happy about is the trick. I have
no sense of timeframe; I've not worked with the gcc upstream before.

> I would personally like binaries not built by debian/rules but built
> on Debian systems to be hardened by default.

Yup. I couldn't agree more, but that decision isn't mine and has already
been made.

-Kees

-- 
Kees Cook@debian.org


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120401182941.gm8...@outflux.net

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Russ Allbery]

Lars Wirzenius  writes:
> On Sun, Apr 01, 2012 at 05:54:50PM +0200, Gergely Nagy wrote:

>> But, since freedom of choice IS important, and not everyone has seen
>> the Light yet, I suppose we can maintain all three. But I strongly
>> suggest the interchange format to be lisp code.

> I object to data file formats that are expressed in a Turing complete
> language. I'd be happy with either XML encoded in JSON or the WAP BXML
> format instead, though.

It's ridiculous that we would even consider endorsing a blatant
reinvention of the wheel like WAP BXML rather than simply using ASN.1 as
our standard binary encoding.  Particularly since, as a bonus, that would
allow us to store our duplication information directly in the Debian
project LDAP servers without further encoding.

-- 
Russ Allbery (r...@debian.org)   


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87zkavxow6@windlord.stanford.edu

Re: [OT] NM vs. wicd

[Svante Signell]

On Sun, 2012-04-01 at 16:16 +0800, Paul Wise wrote:
> On Sat, Mar 31, 2012 at 11:42 AM, Carlos Alberto Lopez Perez wrote:
> 
> > I had problems with my laptop also waking up mysteriously randomly on
> > unknown events and I managed to solve it just disabling all wakeup
> > events except PBTN
> 
> That sounds like an hack. Wouldn't it be better to log the resume
> reason and figure out and fix the core issue?

Adding to the problems with NM, it is not even possible to edit or add a
connection: Failed to add new connection: (32) Insufficient privileges.

Looks like you have to start the graphical environment with: ConsoleKit,
used by e.g. GDM to be prompted for a root password?
I started X with gdm3, but still no possibility to edit any connections.
Very informative message, indeed. And evolution does not start when
using ifupdown.,.. Things are really progressing _against_ the user, no
doubt.


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/106600.8013.159.ca...@hp.my.own.domain

Re: [OT] NM vs. wicd

[Rémi Vanicat]

Svante Signell  writes:

> On Sun, 2012-04-01 at 16:16 +0800, Paul Wise wrote:
>> On Sat, Mar 31, 2012 at 11:42 AM, Carlos Alberto Lopez Perez wrote:
>> 
>> > I had problems with my laptop also waking up mysteriously randomly on
>> > unknown events and I managed to solve it just disabling all wakeup
>> > events except PBTN
>> 
>> That sounds like an hack. Wouldn't it be better to log the resume
>> reason and figure out and fix the core issue?
>
> Adding to the problems with NM, it is not even possible to edit or add a
> connection: Failed to add new connection: (32) Insufficient
> privileges.

in /etc/NetworkManager/system-connections you will find file describing
the connections available at system level. You can edit them, and
restart NM to use them.

[...]

-- 
Rémi Vanicat


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87bonbclru@debian.org

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Lars Wirzenius]

On Sun, Apr 01, 2012 at 11:55:53AM -0700, Russ Allbery wrote:
> It's ridiculous that we would even consider endorsing a blatant
> reinvention of the wheel like WAP BXML rather than simply using ASN.1 as
> our standard binary encoding.  Particularly since, as a bonus, that would
> allow us to store our duplication information directly in the Debian
> project LDAP servers without further encoding.

I don't like ASN.1 either, but your point about the LDAP server is
a good one. I've changed the code to produce ASN.1 records for anything
it finds, and will be opening a separate discussion to convert the WNPP
from debbugs into LDAP.

-- 
All my predictions will turn out to be false


signature.asc
Description: Digital signature

Should every package belong to a team ?

[Henri Le Foll]

overview
==
about teams
-
I hope that one day every package shall belong to one or more team.

So I propose that first every package which is taged orphaned,rfa, rfh 
shall belong to at least one team (different from QA)


about complexity

I think it could be interesting if each package could contain 
information about its complexity.
It would be easier for people wanting to maintain an easy package to 
find one.

So hopefully, it would attract new maintainers.

The project could have a snapshot of its global complexity.


my response
==
my previous proposition
---
http://lists.debian.org/debian-devel/2012/03/msg00768.html

followed by
--
http://lists.debian.org/debian-devel/2012/03/msg00794.html

--

>>> If I need help on my package, why should it belong to a team when I 
file a RFH?


If every packages which are taged orphaned,rfa or rfh, belonged to a team,
each team could have a page with the list of all the packages needing 
some attention.

So that the people who have the more chance to be interested in the package
would be better informed.
Someone interested to join a team could go to this page and find easily 
some easy packages to maintain.


--

>>>That's something that  is incredibly subjective,

I suggest that information about the difficulty of the package would be 
automatically

generated when you build the package. So that it won't be subjective.
Information about the langage(s) should also be included.

--

>>> bound to change as things arise

The complexity information would be relevant for one build and would be 
updated at each upload.
So, if after some time, the package requires custom rules, the 
complexity information would change.

We would also have an history of the complexity of the package.

The description of the difficulty of the package could/should be in the 
policy

and could change, if needed.

--

>>> and of limited utility

I have made a proposition about how the information could be displayed.
If everybody think it has no utility, it won't be implemented.

--

Henri LE FOLL

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Russ Allbery]

Lars Wirzenius  writes:

> I don't like ASN.1 either, but your point about the LDAP server is a
> good one. I've changed the code to produce ASN.1 records for anything it
> finds, and will be opening a separate discussion to convert the WNPP
> from debbugs into LDAP.

Oh, excellent.  Then we can reimplement the usertag system as LDAP
extended controls and enable multimaster bug replication with upstreams!

-- 
Russ Allbery (r...@debian.org)   


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87hax3xnm0@windlord.stanford.edu

Re: Bug#666715: ITP: dedupdedup -- find duplicate programs for finding duplicate files

[Lars Wirzenius]

On Sun, Apr 01, 2012 at 12:23:35PM -0700, Russ Allbery wrote:
> Lars Wirzenius  writes:
> 
> > I don't like ASN.1 either, but your point about the LDAP server is a
> > good one. I've changed the code to produce ASN.1 records for anything it
> > finds, and will be opening a separate discussion to convert the WNPP
> > from debbugs into LDAP.
> 
> Oh, excellent.  Then we can reimplement the usertag system as LDAP
> extended controls and enable multimaster bug replication with upstreams!

Rewriting Debbugs and Bugzilla to use an LDAP backend would be an
excellent GSoC project. Would anyone like to mentor that?

-- 
All my predictions will turn out to be false


signature.asc
Description: Digital signature

Bug#666790: ITP: python-regex -- alternative regular expression module

[Sandro Tosi]

Package: wnpp
Severity: wishlist
Owner: Sandro Tosi 

* Package name: python-regex
  Version : 0.1.20120323
  Upstream Author : Matthew Barnett 1
* URL : https://code.google.com/p/mrab-regex-hg/
* License : Python Software Foundation License
  Programming Lang: C, Python
  Description : alternative regular expression module

 This new regex implementation is intended eventually to replace Python's
 current re module implementation.
 .
 For testing and comparison with the current 're' module the new implementation
 is in the form of a module called 'regex'.



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20120401204835.11456.83558.report...@zion.matrix.int

Re: Re: Preinstalled package manager(s) for PCs (wheezy)

[Filipus Klutiero]

Hi Jon,

Jon Dowland wrote:
A Debian "desktop" should be a superset of KDE-desktop | GNOME-desktop 
| LXDE-desktop etc. + things such as a GUI package manager. 


I am not sure what you mean by that, but task-desktop already looks like 
what you may have in mind. It recommends task-gnome-desktop | 
task-kde-desktop | task-lxde-desktop | task-xfce-desktop. It does not 
depend on them, however (but these packages themselves depend on 
task-desktop, so depending on them would create some kind of circular 
dependency).



--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f78c850.7010...@gmail.com

Re: [OT] NM vs. wicd

[Michael Stapelberg]

Hi Svante,

Excerpts from Svante Signell's message of 2012-04-01 20:56:40 +0200:
> Adding to the problems with NM, it is not even possible to edit or add a
> connection: Failed to add new connection: (32) Insufficient privileges.
> 
> Looks like you have to start the graphical environment with: ConsoleKit,
> used by e.g. GDM to be prompted for a root password?
> I started X with gdm3, but still no possibility to edit any connections.
> Very informative message, indeed. And evolution does not start when
> using ifupdown.,.. Things are really progressing _against_ the user, no
> doubt.
Create a file called
/etc/polkit-1/localauthority/50-local.d/10-org-freedesktop-network-manager-settings.pkla
 
with the following contents:

[Allow user michael to create wireless connections for all users]
Identity=unix-user:michael
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

Replacing 'michael' with your UNIX user name of course. Restart NM, and you
should be able to edit connections as you like. I do agree that this doesn’t
seem documented well.

Best regards,
Michael


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/114548-sup-2...@stapelberg.de

Re: Re: Preinstalled package manager(s) for PCs (wheezy)

[Filipus Klutiero]

Hi Goswin,

Goswin von Brederlow wrote:

Jon Dowland  writes:

>  On Fri, Mar 30, 2012 at 02:30:37PM +0200, Goswin von Brederlow wrote:
>>  Shouldn't there rather be a base-desktop that both KDE-desktop and
>>  GNOME-desktop depend on? A meta package that depends on everything any
>>  desktop should have.
>
>  I'm not sure if that's the right direction of dependency, conceptually.
>
>  The philosophy of (at least) the GNOME metapackages is (I think: but I
>  am not (yet) a Debian/GNOME team member) that they provide what upstream
>  GNOME provides.  So depending on a 'base-desktop' package would work
>  against that philosophy.
>
>  (It might turn out to be the most pragmatic thing to do.)

Gnome-desktop, not gnome. Gnome-desktop would depend on base-deskop and
gnome and maybe a few more gnome-ish things that aren't in gnome.


I'm not sure what you mean by "GNOME-desktop" / "KDE-desktop" as opposed 
to "gnome".
But task-gnome-desktop already depends on task-desktop. This is a 
tasksel task, but it's also a real package now (obviously, the 
advantages of tasksel should be integrated with regular package managers 
at one point, and we should merge tasksel tasks and regular metapackages).



--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f78c9a7.2090...@gmail.com

Re: bug reports with urls in them

[Russell Coker]

On Mon, 2 Apr 2012, Michael Welle  wrote:
> I agree only partly with that. Losing a bug report or two is one
> thing. Imagine a potential or actual customer sending an email to a
> company and getting a response like: 'Well, we don't know on which data
> we form our opinion, but we think you are a nigerian scammer or you eat
> kitten babies. Either way, we don't like you, go away.'. That's what's
> happening. 

Actually companies do that all the time.  Some corporate web sites used to 
reject browsers other than IE.  Lots of corporate web sites can't provide full 
functionality without Flash installed, for example the .au site of almost 
every car company depended on Flash last time I checked.

I have debated this issue with web developers in the past and had them tell me 
that non-IE browsers are only used by 5% of the users and they think it's best 
to provide a good experience for the 95% even if it means rejecting the other 
5%.

So comparing Debian to a commercial organisation doesn't support your case at 
all.  Commercial organisations are more than willing to reject some customers 
if it makes things easy for them.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Bloghttp://doc.coker.com.au/


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201204020835.55272.russ...@coker.com.au

Re: state of security hardening build flag efforts

[Paul Wise]

On Mon, Apr 2, 2012 at 2:29 AM, Kees Cook wrote:

> Ah-ha, yes. I will do that. :)

Thanks

> I haven't attempted to push these things to upstream yet, but I still
> think it would be a great idea.
> ...

Thanks for the info! I hope someone manages to do this in the next decade.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caktje6eppbw2sbs+6sswtr0v4crt5fpgswioraw1c_ejquk...@mail.gmail.com

Bug#666878: ITP: ruby-kramdown -- Fast, pure-Ruby Markdown-superset converter.

[Youhei SASAKI]

Package: wnpp
Owner: Youhei SASAKI 
Severity: wishlist

* Package name: ruby-kramdown
  Version : 0.13.5
  Upstream Author : Thomas Leithner 
* URL or Web page : http://kramdown.rubyforge.org/
* License : GPL-3+
  Description : Fast, pure-Ruby Markdown-superset converter.

The kramdown is yet-another-markdown-parser but fast, pure Ruby, using a
strict syntax definition and supporting several common extensions.

---
Youhei SASAKI 
  
GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07



-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/877gxyx048.wl%uwab...@gfd-dennou.org