Re: Packaging suggestion for the Universal Media Server program.
Aldrin P. S. Castro wrote...
> I would very much like the Universal Media Server to be in the Debian
> repositories.
> He is a very good dlna server. It is done in Java.

Unfortunately, by mailing debian-devel your suggestion will very likely not reach the people who might be willing to do the job.

Debian's procedure to find someone for bringing software into the repository is called "Request for Packaging" (RFP). The document at https://wiki.debian.org/RFP describes the required steps and contains links to the details.

Short version: After some checks you'll have to send an e-mail in a certain format, but the reportbug program will help you with that.

Christoph
Re: no-strong-digests-in-dsc MBF
On 19.01.2017 14:27, Holger Levsen wrote:
> On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
>> The hashes inside the .dsc file are not used in Debian once the package has
>> been accepted by dak.
>>
>> * The trustable way of getting the source package is with apt-get source,
>> when apt verifies the Release signature → hashes → Sources → hashes for each
>> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz
> so this "trustable" way of getting the source packages relies on a piece
> of software, dak, running 24/365 on a machine (administrated by some
> volunteers in their free time) on the internet, to not be compromised?
>
> I'm not sure I can really trust this very much.

AIUI we never exported the .changes files either, which would have allowed an independent party to check if the files inserted came from a developer or not.

> (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> do we want to be joked about?)

I'm not sure why you say this. More than one hash is strictly better than just one. They are bad for bandwidth, sure. But I don't think the way they are used right now can be used for jokes except by quite ignorant people.

Kind regards
Philipp Kern
Re: no-strong-digests-in-dsc MBF
On Sat, Jan 21, 2017 at 06:31:44PM +0100, Philipp Kern wrote:
> AIUI we never exported the .changes files either, which would have
> allowed an independent party to check if the files inserted came from a
> developer or not.

yeah, I consider this another bug.

> > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> > do we want to be joked about?)
> I'm not sure why you say this. More than one hash is strictly better
> than just one.

well, yes, that's true. OTOH, not throwing away the support for md5sums will never allow us to be sure that we're not still relying on md5sums somewhere.

--
cheers,
	Holger
Bug#852107: ITP: golang-github-nebulouslabs-go-upnp -- d
Package: wnpp
Owner: Free Ekanayaka
Severity: wishlist

* Package name    : golang-github-nebulouslabs-go-upnp
  Version         : 0.0~git20160920.0.73e8530-1
  Upstream Author : Nebulous Labs
* URL or Web page : https://github.com/nebulouslabs/go-upnp
* License         : Expat
  Description     : An opinionated interface to internet gateway devices

The upnp package upnp provides a simple and opinionated interface to UPnP-enabled routers, allowing users to forward ports and discover their external IP address.

This package is a dependency of the sia storage daemon (see ITP #847706).
Bug#852112: ITP: leaflet-geometryutil -- Leaflet utility functions on geometries
Package: wnpp
Severity: wishlist
Owner: Dominik George

* Package name    : leaflet-geometryutil
  Version         : 0.4.0
  Upstream Author : Makina Corpus
* URL             : https://makinacorpus.github.io/Leaflet.GeometryUtil/
* License         : BSD-3-clause
  Programming Lang: JavaScript
  Description     : Leaflet utility functions on geometries

Leaflet.GeometryUtil is a plugin for Leaflet, a JavaScript mapping library.

It provides many additional features regarding geometric calculations with geographic coordinates, using the Leaflet framework and types.

Intended to be maintained inside pkg-javascript.
Bug#852113: ITP: golang-github-huin-goupnp -- Golang client for various UPnP services
Package: wnpp
Owner: Free Ekanayaka
Severity: wishlist

* Package name    : golang-github-huin-goupnp
  Version         : 0.0~git20161025.0.97f671e-1
  Upstream Author : John Beisley
* URL or Web page : https://github.com/huin/goupnp
* License         : Expat
  Description     : UPnP library for Go

Golang client for various UPnP services. For most uses, it is recommended to use the code-generated packages under github.com/huin/goupnp/dcps.

This package is a dependency of the sia storage daemon (see ITP #847706).
Bug#852124: ITP: golang-github-nebulouslabs-merkletree -- Go package for working with Merkle trees
Package: wnpp
Owner: Free Ekanayaka
Severity: wishlist

* Package name    : golang-github-nebulouslabs-merkletree
  Version         : 0.0~git20160203.0.f01b2e9-1
  Upstream Author : Nebulous Labs
* URL or Web page : https://github.com/nebulouslabs/merkletree
* License         : Expat
  Description     : Go package for working with Merkle trees

Calculate merkle roots, build and verify proofs that data is in a merkle tree (http://en.wikipedia.org/wiki/Merkle_tree).

This package is a dependency of the sia storage daemon (see ITP #847706).
please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)
Hi,

I'm sorry but I want to amend myself…

On Sat, Jan 21, 2017 at 05:34:41PM +, Holger Levsen wrote:
> > > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> > > do we want to be joked about?)
> > I'm not sure why you say this. More than one hash is strictly better
> > than just one.
> well, yes, that's true.

somewhat. as explained, this also can be harmful:

> OTOH, not throwing away the support for md5sums
> will never allow us to be sure that we're not still relying on md5sums
> somewhere.

and even Oracle does this better than Debian soon:

"Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running." - via https://developers.slashdot.org/story/17/01/21/0538232/

We really ought to do the same. I'm all for keeping sha1+sha256, but please let's *completely* drop md5sums for buster.

--
cheers,
	Holger
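
The chain quoted earlier in this thread (Release signature → hashes → Sources → hashes for each part of the source package), together with the request above to stop relying on md5sums, as an added Python example; it is not code from any poster, from apt or from dak. It assumes the Release file's signature has already been verified (for instance with gpgv); the function names are hypothetical and the archive data is constructed.

```python
import hashlib

def parse_hash_field(text, field):
    """Return {name: (hexdigest, size)} for a multi-line deb822 checksum field."""
    entries, inside = {}, False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            inside = True
        elif inside and line[:1] == " ":
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            inside = False
    return entries

def check(name, data, expected):
    digest, size = expected
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        raise ValueError(f"hash mismatch: {name}")

def verify_source(release, sources_path, sources, files):
    """Walk Release -> Sources -> source files, trusting SHA-256 entries only.
    `release` is assumed to come from an already signature-checked Release."""
    rel = parse_hash_field(release, "SHA256")
    if sources_path not in rel:
        raise ValueError("Release has no SHA256 entry for the Sources index")
    check(sources_path, sources, rel[sources_path])
    listed = parse_hash_field(sources.decode(), "Checksums-Sha256")
    if not listed:  # e.g. a stanza carrying only the MD5 "Files:" field
        raise ValueError("no Checksums-Sha256 field; refusing MD5-only stanza")
    for name, expected in listed.items():
        if name not in files:
            raise ValueError(f"missing file: {name}")
        check(name, files[name], expected)
    return sorted(listed)

# Constructed sample data (not a real archive).
def entry(name, data):
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"

FILES = {"hello_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: hello\n",
         "hello_1.0.orig.tar.gz": b"constructed tarball bytes",
         "hello_1.0-1.debian.tar.xz": b"constructed packaging bytes"}
SOURCES = ("Package: hello\nVersion: 1.0-1\nChecksums-Sha256:\n"
           + "".join(entry(n, d) for n, d in FILES.items())).encode()
PATH = "main/source/Sources"
RELEASE = "Suite: unstable\nSHA256:\n" + entry(PATH, SOURCES)
```

Every link in this walk depends on what the archive published in Release and Sources; the hashes inside the .dsc itself are never consulted, which is the point made in the quoted message.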