Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On Mon, Oct 15, 2012 at 02:58:15AM +0200, Christoph Anton Mitterer wrote:
> > """
> > debsums is intended primarily as a way of determining what installed files
> > have been locally modified by the administrator or damaged by media errors
> > and is of limited use as a security tool.
> >
> > If you are looking for an integrity checker that can run from safe media,
> > do integrity checks on checksum databases and can be easily configured to
> > run periodically to warn the admin of changes see other tools such as:
> > aide, integrit, samhain, or tripwire.
> > """
> I never claimed (and already explicitly said that before) that it was
> intended to be used for that,... or that I would do or recommend so...

I never said you did.

-- 
WBR, wRAR
Bug#690520: ITP: thc-ipv6 -- Tools to play with IPv6
Package: wnpp
Severity: wishlist
Owner: Maykel Moya

* Package name    : thc-ipv6
  Version         : 2.0
  Upstream Author : van Hauser
* URL             : http://www.thc.org/thc-ipv6/
* License         : GPL
  Programming Lang: C
  Description     : Tools to play with IPv6

A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6.

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121015073411.19624.57467.report...@andrea.mmoya.org
Bug#690531: ITP: iraf -- Image Reduction and Analysis Facility
Package: wnpp
Severity: wishlist
Owner: Ole Streicher
X-Debbugs-Cc: debian-devel@lists.debian.org, debian-scie...@lists.debian.org

* Package name    : iraf
  Version         : 2.16
  Upstream Author : IRAF programming group at the National Optical Astronomy Observatories
* URL             : http://iraf.noao.edu
* License         : mainly MIT, with no-ad clause
  Description     : Image Reduction and Analysis Facility

IRAF (an acronym for Image Reduction and Analysis Facility) is a collection of
software written at the National Optical Astronomy Observatory (NOAO) geared
towards the reduction of astronomical images in pixel array form. This is
primarily data taken from imaging array detectors such as CCDs.

IRAF was in Debian until ~2004 [1], packaged by Zed Pobre. An attempt was made
by Justin Pryzby to put it back shortly later [2], but this was not successful
due to the complicated licensing of IRAF (several licenses, including some
non-free). However, recently IRAF simplified their license in that they use
only three DFSG compatible licenses [3], with MIT covering most of the code.

Since this is a quite huge package, I would appreciate help and sharing
experiences on packaging. Also, if someone still keeps some results of
Justin's packaging, please drop me a note.

Cheers

Ole

[1] http://bugs.debian.org/232472
[2] http://bugs.debian.org/244711
[3] ftp://iraf.noao.edu/iraf/v216/COPYRIGHTS
    ftp://iraf.noao.edu/iraf/v216/LICENSES/UCAR
    ftp://iraf.noao.edu/iraf/v216/LICENSES/OpenSolaris_License-CDDL.pdf

Archive: http://lists.debian.org/507bcbc8.5040...@liska.ath.cx
Bug#690533: ITP: dvdwizard -- fully automated creation of a DVD-structure
Package: wnpp
Severity: wishlist
Owner: Alessio Treglia

* Package name    : dvdwizard
  Version         : 0.7.1
  Upstream Author : Joo Martin
* URL             : http://www.joonet.de/dvdwizard/
* License         : GPL
  Programming Lang: Shell scripting
  Description     : fully automated creation of a DVD-structure

DVDwizard provides a wrapper-script which incorporates a fully automated
creation of a DVD-structure with Chapters and menus from one or more
mpeg-streams. This is done by several sub-scripts and various freely
available tools.

Archive: http://lists.debian.org/20121015093911.4096.7431.reportbug@Aspire-1410
Re: Bug#656858: libimage-exiftool-perl: new upstream version available
On Tue, Oct 02, 2012 at 07:05:30AM -0400, Phil Harvey wrote:
> Mari is M.I.A.
>
> libimage-exiftool-perl needs a new maintainer.
>
> - Phil

Please orphan this package. The maintainer seems to be no longer active.

Regards

Archive: http://lists.debian.org/20121015125729.4eAAe0pME@outer-rim
Bug#690544: ITP: xts -- GNU R package for time series analysis
Package: wnpp
Severity: wishlist
Owner: Lifeng Sun
X-Debbugs-Cc: debian-devel@lists.debian.org, debian-scie...@lists.debian.org

* Package name    : xts
  Version         : 0.8-6
  Upstream Author : Jeffrey A. Ryan
                    Josh M. Ulrich
* URL             : http://r-forge.r-project.org/projects/xts/
* License         : GPL-2
  Description     : GNU R package for time series analysis -- xts

This package provides uniform handling of R's different time-based data
classes by extending r-cran-zoo, maximizing native format information
preservation and allowing for user level customization and extension,
while simplifying cross-class interoperability.

Cheers,
Lifeng
Bug#690546: ITP: performanceanalytics -- GNU R econometric package for performance and risk analysis
Package: wnpp
Severity: wishlist
Owner: Lifeng Sun
X-Debbugs-Cc: debian-devel@lists.debian.org

* Package name    : performanceanalytics
  Version         : 1.0.4.4
  Upstream Author : Peter Carl, Brian G. Peterson, Kris Boudt, Eric Zivot
* URL             : http://r-forge.r-project.org/projects/returnanalytics/
* License         : GPL-3
  Description     : GNU R econometric package for performance and risk analysis

PerformanceAnalytics provides a collection of econometric functions for
performance and risk analysis. It aims to aid practitioners and researchers
in utilizing the latest research in analysis of non-normal return streams.
In general, it is most tested on return (rather than price) data on a
regular scale, but most functions will work with irregular return data as
well, and increasing numbers of functions will work with P&L or price data
where possible.

Cheers,
Lifeng
Re: Bug#690544: ITP: xts -- GNU R package for time series analysis
On Mon, Oct 15, 2012 at 20:13:33 +0800, Lifeng Sun wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Lifeng Sun
> X-Debbugs-Cc: debian-devel@lists.debian.org, debian-scie...@lists.debian.org
>
> * Package name    : xts
>   Version         : 0.8-6
>   Upstream Author : Jeffrey A. Ryan
>                     Josh M. Ulrich
> * URL             : http://r-forge.r-project.org/projects/xts/
> * License         : GPL-2
>   Description     : GNU R package for time series analysis -- xts
>
> This package provides uniform handling of R's different time-based data
> classes by extending r-cran-zoo, maximizing native format information
> preservation and allowing for user level customization and extension,
> while simplifying cross-class interoperability.
>
Any chance you could choose a better package name? Something that hints
at this being related to R. xts to me is the X Test Suite, which has
nothing to do with this.

Thanks,
Julien
Re: Bug#690544: ITP: xts -- GNU R package for time series analysis
On 14:37 Mon 10/15/12 Oct , Julien Cristau wrote:
> Any chance you could choose a better package name? Something that hints
> at this being related to R. xts to me is the X Test Suite, which has
> nothing to do with this.

hmmm, rename it to r-cran-xts.

Cheers,
Lifeng

Archive: http://lists.debian.org/20121015125443.GB22283@string
Re: Bug#690544: ITP: xts -- GNU R package for time series analysis
2012/10/15 Julien Cristau :
> On Mon, Oct 15, 2012 at 20:13:33 +0800, Lifeng Sun wrote:
>
>> Package: wnpp
>> Severity: wishlist
>> Owner: Lifeng Sun
>> X-Debbugs-Cc: debian-devel@lists.debian.org, debian-scie...@lists.debian.org
>>
>> * Package name    : xts
>>   Version         : 0.8-6
>>   Upstream Author : Jeffrey A. Ryan
>>                     Josh M. Ulrich
>> * URL             : http://r-forge.r-project.org/projects/xts/
>> * License         : GPL-2
>>   Description     : GNU R package for time series analysis -- xts
>>
>> This package provides uniform handling of R's different time-based data
>> classes by extending r-cran-zoo, maximizing native format information
>> preservation and allowing for user level customization and extension,
>> while simplifying cross-class interoperability.
>>
> Any chance you could choose a better package name? Something that hints
> at this being related to R. xts to me is the X Test Suite, which has
> nothing to do with this.
>
> Thanks,
> Julien

Hi,

r-cran-xts would fit the existing naming scheme nicely. The same scheme
could be used for performanceanalytics as well.

Cheers,
Balint

Archive: http://lists.debian.org/CAK0OdpzroVoBLM=qdmmkpsj-ufqj84upmp0omewmaxsxmke...@mail.gmail.com
Re: Bug#690544: ITP: xts -- GNU R package for time series analysis
On 15 October 2012 at 14:37, Julien Cristau wrote:
| On Mon, Oct 15, 2012 at 20:13:33 +0800, Lifeng Sun wrote:
|
| > Package: wnpp
| > Severity: wishlist
| > Owner: Lifeng Sun
| > X-Debbugs-Cc: debian-devel@lists.debian.org, debian-scie...@lists.debian.org
| >
| > * Package name    : xts

All (newer) R CRAN packages use the r-cran-$foo naming style. Please follow
suit here too.

Dirk

| >   Version         : 0.8-6
| >   Upstream Author : Jeffrey A. Ryan
| >                     Josh M. Ulrich
| > * URL             : http://r-forge.r-project.org/projects/xts/
| > * License         : GPL-2
| >   Description     : GNU R package for time series analysis -- xts
| >
| > This package provides uniform handling of R's different time-based data
| > classes by extending r-cran-zoo, maximizing native format information
| > preservation and allowing for user level customization and extension,
| > while simplifying cross-class interoperability.
| >
| Any chance you could choose a better package name? Something that hints
| at this being related to R. xts to me is the X Test Suite, which has
| nothing to do with this.
|
| Thanks,
| Julien

-- 
Dirk Eddelbuettel | e...@debian.org | http://dirk.eddelbuettel.com

Archive: http://lists.debian.org/20604.2408.493280.118...@max.nulle.part
Re: Bug#690544: ITP: xts -- GNU R package for time series analysis
retitle 690546 ITP: r-cran-performanceanalytics -- GNU R econometric package for performance and risk analysis
thanks

Hi,

On 08:02 Mon 10/15/12 Oct , Dirk Eddelbuettel wrote:
> All (newer) R CRAN package use the r-cran-$foo naming style. Please follow
> suit here too.

I followed the naming scheme and renamed {xts,performanceanalytics} to
r-cran-{xts,performanceanalytics}.

Thanks,
Lifeng

Archive: http://lists.debian.org/20121015131715.GC22283@string
Report from the BSP in Alcester, GB
Between 12th and 14th October six Debian Developers and one contributor
touched a total of 51 bugs:

- 13 bugs received uploads or were in fact already fixed through uploads
- 7 bugs were downgraded from RC
- 11 removal requests were filed

We also recruited one potential new package maintainer and consumed an
alarming quantity of bacon.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

Archive: http://lists.debian.org/334dc3a99b55eb8fe8e299dd04b5d...@hogwarts.powdarrmonkey.net
Re: Report from the BSP in Alcester, GB
On Mon, Oct 15, 2012 at 02:51:24PM +0100, Jonathan Wiltshire wrote:
> Between 12th and 14th October six Debian Developers and one contributor
> touched a total of 51 bugs:

> - 13 bugs received uploads or were in fact already fixed through
>   uploads
> - 7 bugs were downgraded from RC
> - 11 removal requests were filed

I have a bug to report in your math implementation, I believe it may be of
RC severity ;)

Thanks to all you BSPers for your hard work on getting wheezy ready!

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>> If so, please submit
>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>> nowhere and actually wastes time.
> Well I had once a discussion (around March this year) here about
> blocking/downgrade attacks... which, AFAICS, both are possible in secure
> APT right now but there was no real outcome.
> Unfortunately it seems that people do not take these higher-level attacks
> really serious even though the danger they impose is quite high.

Are there bug reports with a clear description of the problem,
preferably with a proposed fix? Discussion doesn't really get us
anywhere. Useful info and actual efforts at fixing problems do.

Best wishes,
Mike

Archive: http://lists.debian.org/CANTw=MOLY-7t_=-zboabthnmqg7j9h7wxbqs_k+2up6v84+...@mail.gmail.com
Bug#690591: ITP: kfreebsd-firmware-nonfree -- Nonfree firmware modules for kfreebsd kernel
Package: wnpp
Severity: wishlist
Owner: Christoph Egger

* Package name    : kfreebsd-9-firmware-nonfree
  Version         : 9.0
  Upstream Author : FreeBSD
* URL             : http://www.freebsd.org/
* License         : multiple, nonfree
  Programming Lang: blobs, C
  Description     : Nonfree firmware modules for kfreebsd kernel

Firmware modules shipped by FreeBSD but stripped from the Debian package
due to their non-free nature

Archive: http://lists.debian.org/20121015220421.60124.12009.report...@hel.hosts.sieglitzhof.net
Bug#690593: ITP: 2mandvd -- Video DVD creator
Package: wnpp
Severity: wishlist
Owner: Alessio Treglia

* Package name    : 2mandvd
  Version         : 1.8.4
  Upstream Author : GIBAULT Stéphane
* URL             : http://2mandvd.tuxfamily.org/
* License         : GPL
  Programming Lang: C++
  Description     : simple DVD-Video creator

2ManDVD is the successor of ManDVD, an application for creating video DVDs
from a wide variety of video formats. Using this application, one can also
create eye-pleasing menus with video, audio, and chapters.
.
2ManDVD can import all video formats supported by mencoder.
.
This package contains the main executable.

Archive: http://lists.debian.org/20121015222103.17070.98639.reportbug@Aspire-1410
Re: Bug#690591: ITP: kfreebsd-firmware-nonfree -- Nonfree firmware modules for kfreebsd kernel
Hi!

Ben Hutchings writes:
> On Tue, 2012-10-16 at 00:04 +0200, Christoph Egger wrote:
>> Package: wnpp
>> Severity: wishlist
>> Owner: Christoph Egger
>>
>> * Package name    : kfreebsd-9-firmware-nonfree
>>   Version         : 9.0
>>   Upstream Author : FreeBSD
>> * URL             : http://www.freebsd.org/
>> * License         : multiple, nonfree
>>   Programming Lang: blobs, C
>>   Description     : Nonfree firmware modules for kfreebsd kernel
>>
>> Firmware modules shipped by FreeBSD but stripped from the Debian
>> package due to their non-free nature
>
> Are these significantly different from the set of blobs included in
> firmware-nonfree? Or do they need to be installed with different
> filenames?

Currently the only way freebsd really supports firmware loading is through
kernel modules. So the current idea is more like bundling some of these
firmware modules in a package and build them separately from the ``normal''
freebsd tree. If we get real firmware loading into the FreeBSD kernel the
linux firmware files might become useful but this seems to be an OK solution
to get hardware running.

Regards

Christoph

Archive: http://lists.debian.org/87wqyrpd12@mitoraj.siccegge.de
Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On 15 October 2012 18:46, Michael Gilbert wrote:
> On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>>> If so, please submit
>>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>>> nowhere and actually wastes time.
>> Well I had once a discussion (around March this year) here about
>> blocking/downgrade attacks... which, AFAICS, both are possible in secure
>> APT right now but there was no real outcome.
>> Unfortunately it seems that people do not take these higher-level attacks
>> really serious even though the danger they impose is quite high.
>
> Are there bug reports with a clear description of the problem,
> preferably with a proposed fix? Discussion doesn't really get us
> anywhere. Useful info and actual efforts at fixing problems do.
>

So far no bugs or problems were uncovered. So nothing to file or fix ;-)

I can think of adding SHA-3 hashes... but none of the tools support it
yet, so it's a future wishlist bug, which I am sure will be acted upon at
an appropriate time and doesn't need a bug filed at present time.

Regards,

Dmitrijs.

Archive: http://lists.debian.org/canbhlugzqkk5li8k4xr67g25dlntedivrxlwxatguzosfap...@mail.gmail.com
Discarding uploaded binary packages
I know this subject has been discussed on and off in the past, but
there's new evidence that it's simply the right thing to do.

Due to changes in upstream's build system, isc-dhcp recently started
including build system paths in dhclient's search path. This got a
security identifier, and we've fixed it, but really the only
architecture affected was the one I built and uploaded. All of the
packages built on the buildds were not since the PATH was something in
/build vs. a home dir. Also, Ubuntu was not affected since all of
their packages go through their buildds. Details in:
http://bugs.debian.org/690532

Anyway, all of these build system path sanitization issues can be
eliminated by using the buildds for all architectures, since paths
will start with at least /build that requires root-level action to
exist on users' systems.

So, are we ready to do this?

Best wishes,
Mike

Archive: http://lists.debian.org/CANTw=MNag1=MZG3GiUCyGXsVRBjDKc62_WNLYHP5juXo=_4...@mail.gmail.com
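The failure mode Mike describes (a search path baked in at build time that points at a directory an unprivileged local user can create, as opposed to the root-only /build prefix on the buildds) can be checked for before upload. The following script is an added example written for this digest; it is not code from the thread, from isc-dhcp, or from Debian's archive tooling. It extracts printable strings from a binary the way strings(1) does, splits PATH-like values on ':', and reports every absolute path that lies under a user-writable tree or an unknown top-level directory, while accepting /build and the usual system prefixes. The prefix lists, the sample byte strings and the file names in them are constructed assumptions for the example.

```python
"""Flag build-host paths embedded in a compiled binary (constructed example)."""
import re
import sys
from typing import List, Tuple

# Top-level directories that need root to create on a stock system, so a
# binary referencing them does not hand a local user a writable search-path
# entry.  "build" is the buildd chroot prefix from the thread; the rest of
# the set is an assumption made for this example.
TRUSTED_TOP_LEVEL = {"build", "usr", "bin", "sbin", "lib", "lib64", "etc", "opt", "var"}

# Trees an ordinary user can write to; a PATH entry here is the bad case.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Printable-ASCII runs of at least four bytes, like strings(1) with -n 4.
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# An absolute path not glued to a preceding word or format character, so
# "%s/dhclient.conf" is not mistaken for a path rooted at "/dhclient.conf".
_PATH_RE = re.compile(r"(?<![\w%.])/[A-Za-z0-9._+-][A-Za-z0-9._+/-]*")


def extract_strings(blob: bytes) -> List[str]:
    """Return the printable ASCII strings found in a binary blob."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(blob)]


def classify_path(path: str) -> str:
    """Classify one absolute path as 'trusted', 'user-writable' or 'unknown'."""
    if any(path == p.rstrip("/") or path.startswith(p) for p in USER_WRITABLE):
        return "user-writable"
    top = path.split("/")[1] if "/" in path else ""
    return "trusted" if top in TRUSTED_TOP_LEVEL else "unknown"


def find_suspicious_paths(blob: bytes) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every embedded path that is not trusted.

    PATH=... strings and bare colon-separated lists are split into entries
    first, so each search-path component is judged on its own.
    """
    findings = []
    for s in extract_strings(blob):
        value = s.split("=", 1)[1] if s.startswith("PATH=") else s
        for entry in value.split(":"):
            for path in _PATH_RE.findall(entry):
                verdict = classify_path(path)
                if verdict != "trusted":
                    findings.append((path, verdict))
    return findings


# Constructed stand-in for the data section of a binary built in the
# maintainer's home directory.  Not a real dhclient image.
SAMPLE_HOME_BUILD = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"PATH=/home/mike/src/isc-dhcp/bin:/usr/bin:/bin:/sbin:/usr/sbin\x00"
    + b"/var/lib/dhcp/dhclient.leases\x00"
    + b"%s/dhclient.conf\x00"
    + b"GCC: (Debian 4.7.2-4) 4.7.2\x00"
)

# The same binary as it would come off a buildd, built under /build.
SAMPLE_BUILDD = SAMPLE_HOME_BUILD.replace(
    b"/home/mike/src/isc-dhcp", b"/build/isc-dhcp-4.2.4"
)


if __name__ == "__main__":
    # Usage: python3 check_paths.py /path/to/binary   (defaults to the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HOME_BUILD
    for path, verdict in find_suspicious_paths(blob):
        print(f"{verdict}: {path}")
```

Run against the home-built sample it reports the /home/mike/... entry as user-writable; the /build variant produces no findings, which is exactly the property a mandatory buildd rebuild gives for free. A real binary would, of course, also be checked with the package's normal QA, since a clean scan only says no obviously bad path string is present.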
Re: Discarding uploaded binary packages
On 16 Oct 2012 04:59, "Michael Gilbert" wrote:
>
> I know this subject has been discussed on and off in the past, but
> there's new evidence that it's simply the right thing to do.
>
> Due to changes in upstream's build system, isc-dhcp recently started
> including build system paths in dhclient's search path. This got a
> security identifier, and we've fixed it, but really the only
> architecture affected was the one I built and uploaded. All of the
> packages built on the buildds were not since the PATH was something in
> /build vs. a home dir. Also, Ubuntu was not affected since all of
> their packages go through their buildds. Details in:
> http://bugs.debian.org/690532
>
> Anyway, all of these build system path sanitization issues can be
> eliminated by using the buildds for all architectures, since paths
> will start with at least /build that requires root-level action to
> exist on users' systems.
>
> So, are we ready to do this?

+1 ;-)

I agree with this. We face some cases where delivered binaries have issues
related to build context. Though most should be discovered by maintainer
testing before upload, it would be more valid with a complete rebuild.

This is my opinion but I admit I have not followed previous discussions on
the subject

>
> Best wishes,
> Mike
Re: Discarding uploaded binary packages
also sprach olivier sallou [2012.10.16.0752 +0200]:
> This is my opinion but I admit I have not followed previous discussions on
> the subject

http://lists.debian.org/debian-security/2004/09/msg00014.html

We have not cared enough for almost 20 years that 9 out of 10 binary
packages in use (i386 until 2005, amd64 since then) are built on machines
that are individually maintained according to widely varying security
standards to do anything about it, AFAICT.

-- 
 .''`.   martin f. krafft                     Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

#define emacs eighty megabytes and constantly swapping.
Re: Report from the BSP in Alcester, GB
On Mon, Oct 15, 2012 at 09:35:34AM -0700, Steve Langasek wrote:
> On Mon, Oct 15, 2012 at 02:51:24PM +0100, Jonathan Wiltshire wrote:
> > Between 12th and 14th October six Debian Developers and one contributor
> > touched a total of 51 bugs:
>
> > - 13 bugs received uploads or were in fact already fixed through
> >   uploads
> > - 7 bugs were downgraded from RC
> > - 11 removal requests were filed
>
> I have a bug to report in your math implementation, I believe it may be of
> RC severity ;)

The math implementation is right (in case you accept summing up bugs and
bacons) because you just dropped the last number:

JW> consumed an alarming quantity of bacon.

20 bacons - that's alarming.

> Thanks to all you BSPers for your hard work on getting wheezy ready!

Yep

Andreas.

-- 
http://fam-tille.de

Archive: http://lists.debian.org/20121016062811.ga15...@an3as.eu