Re: Next steps for gitlab.debian (Re: GitLab B.V. to host free-software GitLab for Debian project)

[Pirate Praveen]

On Wednesday 08 June 2016 01:07 AM, Bastian Blank wrote:
>> - mapping groups and permissions from alioth to the new system 
> 
> Fusionforge also uses a similar group based permission system.
> 
> Okay, there is this (hacked in?) "allow every DD to write" permission
> that some groups use, which is only supported by gitlab EE.
> 

Bastian,

Which EE feature are you referring to? Is it "LDAP group synchronization
(also compatible with Active Directory)"?




signature.asc
Description: OpenPGP digital signature

Processed: Re: Bug#827306: general: won't open file browser/manager if several other programs are already open

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 827306 nautilus
Bug #827306 [general] general: won't open file browser/manager if several other 
programs are already open
Bug reassigned from package 'general' to 'nautilus'.
Ignoring request to alter found versions of bug #827306 to the same values 
previously set
Ignoring request to alter fixed versions of bug #827306 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
827306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Re: Next steps for gitlab.debian (Re: GitLab B.V. to host free-software GitLab for Debian project)

[Bastian Blank]

On Thu, Jun 16, 2016 at 07:58:07PM +0530, Pirate Praveen wrote:
> On Wednesday 08 June 2016 01:07 AM, Bastian Blank wrote:
> >> - mapping groups and permissions from alioth to the new system 
> > Okay, there is this (hacked in?) "allow every DD to write" permission
> > that some groups use, which is only supported by gitlab EE.
> Which EE feature are you referring to? Is it "LDAP group synchronization
> (also compatible with Active Directory)"?

I thought about
http://docs.gitlab.com/ee/workflow/share_projects_with_other_groups.html

This allows a project to allow access to it's repos to a different
group.  An example would be pkg-perl and all DD.

The LDAP sync could fill the DD group. 

Bastian

-- 
The heart is not a logical organ.
-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4

Command line frontend for services that require single sign-on

[Enrico Zini]

Hello,

I have just prototyped this:
https://github.com/spanezz/debsso-client

Who would like to give it a try and make it grow?

From the README:

  # Debian Single Sign-On client
  
  Prototype client script for services behind the
  [Debian Single Sign-On](https://wiki.debian.org/DebianSingleSignOn).
  
  At the moment this is just a proof of concept to see if it can be done, and it
  looks promising.
  
  The script tries to get Single Sign-On keys out of 
  [the browser certificate 
storage](http://blog.avirtualhome.com/adding-ssl-certificates-to-google-chrome-linux-ubuntu/),
  and connect to  using them.
  
  The script needs to write the secret keys to a temporary directory, so make
  sure `$TMPDIR` points to volatile or encrypted storage.
  
  It requires `$DEBEMAIL` to be set to the Single Sign-On username.
  
  Dependencies: `libnss3-tools`, `openssl`, `python3-requests`.
  
  
  ## TODO
  
  This could become a lot of things:
  
   * a script to send signed statements to applications on `nm.debian.org`.
   * a script that negotiates new keys with sso.debian.org and pushes them into
 the browser, without the need for ``.
   * a script that removes expired keys from the browser.
   * a command line front end to all sort of Debian services that require
 authentication.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 


signature.asc
Description: PGP signature

Re: Command line frontend for services that require single sign-on

[Paul Tagliamonte]

On Thu, Jun 16, 2016 at 11:43:05PM +0200, Enrico Zini wrote:
> Hello,
> 
> I have just prototyped this:
> https://github.com/spanezz/debsso-client
> 
> Who would like to give it a try and make it grow?

Hey, thanks, Enrico!

I've also documented steps to both export as a PKCS12 (which you can
easily split into an x509 cert and an RSA private key), which may help
avoid some of the work to extract it from a browser.

(That same guide has instructions on taking that PKCS12 blob and burn
certs into a Yubikey[1]. Yubikeys also have a handy feature of being
able to be read from OpenSC's PKCS11[2] driver, and even act as a PIV
device!

This would allow neat things like using libpam-pkcs11[3] to let any DD
log into a laptop (in-person porterbox in the DebConf hacklab!), or add
it to nss[4], for Chrome, or even stuff like scripts above, so you don't
have to munge certs.

It's also worth noting you can add user certs to Android phones by
adding them as a user cert (Looks hidden as a VPN thing ISTR), which
means we can even do Debian work from our phones!

Anyway, I'd just like folks to know this is super exciting, and having a
sane PKI system that lets DDs client-auth to services is *huge*, and we
should totally be building up awesome infra around this stuff. Maybe
even send OpenPGP signed CSRs to an automated CA to issue new client
certs?

WHO ELSE IS STOKED? I AM!

Can't wait to build around this amazing work, Enrico!
  paultag


[1]: https://wiki.debian.org/DebianSingleSignOn#Use_with_a_Yubikey_in_PIV_mode
[2]: https://packages.debian.org/unstable/opensc-pkcs11
[3]: https://packages.debian.org/unstable/libpam-pkcs11
[4]: <

signature.asc
Description: PGP signature

Work-needing packages report for Jun 17, 2016

[wnpp]

The following is a listing of packages for which help has been requested
through the WNPP (Work-Needing and Prospective Packages) system in the
last week.

Total number of orphaned packages: 740 (new: 6)
Total number of packages offered up for adoption: 175 (new: 1)
Total number of packages requested help for: 48 (new: 0)

Please refer to http://www.debian.org/devel/wnpp/ for more information.



The following packages have been orphaned:

   catdvi (#826917), orphaned 6 days ago
 Installations reported by Popcon: 793

   freedroidrpg (#826921), orphaned 6 days ago
 Description: RPG
 Reverse Depends: freedroidrpg
 Installations reported by Popcon: 291

   gnome-mastermind (#826926), orphaned 6 days ago
 Description: mastermind clone for gnome
 Installations reported by Popcon: 270

   gnubik (#826916), orphaned 6 days ago
 Description: Rubik's cube game
 Installations reported by Popcon: 222

   gxmessage (#826915), orphaned 6 days ago
 Description: xmessage clone based on GTK+
 Installations reported by Popcon: 558

   pipewalker (#826925), orphaned 6 days ago
 Description: puzzle game
 Installations reported by Popcon: 202

734 older packages have been omitted from this listing, see
http://www.debian.org/devel/wnpp/orphaned for a complete list.



The following packages have been given up for adoption:

   qct (#827169), offered 3 days ago
 Installations reported by Popcon: 157

174 older packages have been omitted from this listing, see
http://www.debian.org/devel/wnpp/rfa_bypackage for a complete list.



For the following packages help is requested:

   athcool (#278442), requested 4251 days ago
 Description: Enable powersaving mode for Athlon/Duron processors
 Installations reported by Popcon: 28

   awstats (#755797), requested 694 days ago
 Description: powerful and featureful web server log analyzer
 Installations reported by Popcon: 4167

   balsa (#642906), requested 1726 days ago
 Description: An e-mail client for GNOME
 Reverse Depends: balsa-dbg
 Installations reported by Popcon: 639

   cardstories (#624100), requested 1879 days ago
 Description: Find out a card using a sentence made up by another
   player
 Installations reported by Popcon: 5

   courier (#823807), requested 38 days ago
 Reverse Depends: courier-faxmail courier-filter-perl courier-imap
   courier-imap-ssl courier-ldap courier-mlm courier-mta
   courier-mta-ssl courier-pcp courier-pop (7 more omitted)
 Installations reported by Popcon: 2269

   cups (#532097), requested 2567 days ago
 Description: Common UNIX Printing System
 Reverse Depends: bluez-cups boomaga chromium
   cinnamon-settings-daemon cloudprint cups cups-backend-bjnp
   cups-browsed cups-bsd cups-client (62 more omitted)
 Installations reported by Popcon: 169153

   cyrus-sasl2 (#799864), requested 267 days ago
 Description: authentication abstraction library
 Reverse Depends: 389-ds-base 389-ds-base-libs 389-dsgw adcli
   autofs-ldap cairo-dock-mail-plug-in claws-mail
   claws-mail-acpi-notifier claws-mail-address-keeper
   claws-mail-archiver-plugin (130 more omitted)
 Installations reported by Popcon: 190242

   developers-reference (#759995), requested 656 days ago
 Description: guidelines and information for Debian developers
 Installations reported by Popcon: 19140

   devscripts (#800413), requested 261 days ago
 Description: scripts to make the life of a Debian Package maintainer
   easier
 Reverse Depends: apt-build apt-listdifferences aptfs arriero
   bzr-builddeb customdeb debci debian-builder debmake debpear (28 more
   omitted)
 Installations reported by Popcon: 13052

   ejabberd (#767874), requested 591 days ago
 Description: distributed, fault-tolerant Jabber/XMPP server written
   in Erlang
 Reverse Depends: ejabberd-contrib ejabberd-mod-cron
   ejabberd-mod-log-chat ejabberd-mod-logsession ejabberd-mod-logxml
   ejabberd-mod-message-log ejabberd-mod-muc-log-http
   ejabberd-mod-post-log ejabberd-mod-rest ejabberd-mod-s2s-log (3 more
   omitted)
 Installations reported by Popcon: 759

   fbcat (#565156), requested 2346 days ago
 Description: framebuffer grabber
 Installations reported by Popcon: 216

   fgetty (#823266), requested 45 days ago
 Description: console-only getty & login (issue with nis)
 Installations reported by Popcon: 2107

   freeipmi (#628062), requested 1848 days ago
 Description: GNU implementation of the IPMI protocol
 Reverse Depends: conman freeipmi freeipmi-bmc-watchdog
   freeipmi-ipmidetect freeipmi-ipmiseld freeipmi-tools ipmitool
   libfreeipmi-dev libfreeipmi16