Re: AMDGPU+OpenCL with Debian?

2019-06-19 Thread Michael Kesper
Hi Moritz,

On 18.06.19 22:55, Moritz Mühlenhoff wrote:
> You may find https://phabricator.wikimedia.org/T148843/#5078403
> (and later) interesting, 

This seems to require Wikimedia authentication.
Is there some information publicly available about it?

Best wishes
Michael



signature.asc
Description: OpenPGP digital signature


Re: Content Rating System in Debian

2019-06-26 Thread Michael Kesper
Dear Bagas,

On 26.06.19 04:50, Bagas Sanjaya wrote:
> Emmanuel Arias:
>> IMO this idea represents a big work. And if you want to involve upstream, 
>> maybe it will be a problem. Some upstream could not be interested in participating 
>> because it could be "extra" work. But if we implement a content rating 
>> system, the freedom could be affected because the opinion on a package may 
>> be affected by this new system. 
> 
> Regarding freedom, yes it can be affected by CRS because CRS can limit 
> freedom to use programs for some users
> (particularly non-adults). But CRS limits such freedom in order to protect 
> psychology users for long term from negative
> impacts of programs they used.

I don't think this problem is solvable by technical means at all.
You need caring parents (need not be 'real parents' necessarily) to really 
protect children.

Bye
Michael





Re: Uninformative hyperlink in O: (package orphaning) bug reports

2019-06-28 Thread Michael Kesper
Hi Boyuan,

On 27.06.19 21:38, Boyuan Yang wrote:
[I'm also not sure what's the best mailing list for discussing this, devel, 
doc, mentors?]

> I noticed that for all bug reports that orphan a package in Debian, a semi-
> standard paragraph of words will be provided like this:
> 
> 
> 
> ...Maintaining a package requires time and skills. Please only adopt this
> package if you will have enough time and attention to work on it.
> 
> If you want to be the new maintainer, please see
> https://www.debian.org/devel/wnpp/#howto-o for detailed
> instructions how to adopt a package properly
> 
> 
> 
> However, https://www.debian.org/devel/wnpp/#howto-o provides almost zero
> information for an enthusiast that wants to adopt the package, i.e. there's no
> detailed instruction on how to actually upload a package for a person not
> quite familiar with Debian's packaging workflow.
> 
> I'd suggest some kind of rewording on the website given that this link has
> been posted everywhere in different BTS bug reports. Including a link to 
> https://mentors.debian.net/intro-maintainers might be a good idea. Anyway any
> kind of improvement would be appreciated.

That's a very good point you spotted there.
This text actively discourages people from doing work and gives them no pointers
to information re what the "required time and skills" would be.

That clearly should be improved, maybe:

Maintaining a package requires time and skills.
Please have a look at https://mentors.debian.net/intro-maintainers
for getting started.

[and intro-maintainers should at first feature some welcoming words and then
the right documentation for beginners (is that
https://www.debian.org/doc/manuals/debmake-doc/index.en.html or
https://www.debian.org/doc/manuals/maint-guide/index.en.html ?)

Bye
Michael





Re: Uninformative hyperlink in O: (package orphaning) bug reports

2019-07-08 Thread Michael Kesper
Hi Osamu, hi all,

On 29.06.19 03:05, Osamu Aoki wrote:
> On Fri, Jun 28, 2019 at 10:37:58AM +0200, Michael Kesper wrote:
>> Maintaining a package requires time and skills.
>> Please have a look at https://mentors.debian.net/intro-maintainers
>> for getting started.
>>
>> [and intro-maintainers should at first feature some welcoming words and then
>> the right documentation for beginners (is that
>> https://www.debian.org/doc/manuals/debmake-doc/index.en.html or
> 
> Yes.
> 
>> https://www.debian.org/doc/manuals/maint-guide/index.en.html ?)
> 
> No since I don't want to maintain 2 of them forever.

I'd gladly change the mentors.debian.net site but you can only register
as a mentor. ;)

> If you see some important tutorial contents are missing in debmake-doc
> which you can find in maint-guide, please file a bug on debmake-doc
> with proposed text.   If it is something as guideline, you may propose
> it to developers-reference.  (FYI: I am trying to convert
> developers-reference to sphinx now and working on a branch.  Any
> volunteer to help this is appreciated.)

Is that branch on salsa?

Bye
Michael





Re: Uninformative hyperlink in O: (package orphaning) bug reports

2019-07-09 Thread Michael Kesper
Hi all,

On 07.07.19 14:47, Osamu Aoki wrote:
> On Sat, Jun 29, 2019 at 10:07:19AM +0200, Tobias Frost wrote:
>> On Thu, Jun 27, 2019 at 03:38:48PM -0400, Boyuan Yang wrote:[snip]
>> This text comes from a template we use in the MIA-Team.
>> You can find it here: 
>> https://salsa.debian.org/qa/qa/blob/master/mia/templates/wnpp-orphan.mia
>>
>>> However, https://www.debian.org/devel/wnpp/#howto-o provides almost zero
>>> information for an enthusiast that wants to adopt the package, i.e. there's
>>> no detailed instruction on how to actually upload a package for a person not
>>> quite familiar with Debian's packaging workflow.
>>>
>>> I'd suggest some kind of rewording on the website given that this link has
>>> been posted everywhere in different BTS bug reports. Including a link to 
>>> https://mentors.debian.net/intro-maintainers might be a good idea. Anyway 
>>> any kind of improvement would be appreciated.
>>
>> A MR would be indeed very welcome! ;-)
> 
> OK.  I will do so to request to add the following for 4 files:
> 
> If you are a prospective Debian maintainer, you are encouraged to take
> this package. We need a volunteer like you.  Please note that
> maintaining a package requires time and skills.  Please look at
> https://mentors.debian.net/intro-maintainers to understand existing
> practices first.  If you are new to Debian packaging, please read a
> tutorial document such as
> https://www.debian.org/doc/manuals/debmake-doc/index.en.html and also
> study how other Debian maintainers package similar packages.

I think this is still starting a little bit negative, maybe like this?

If nobody adopts this package it will vanish from Debian.
Do you care for this package being part of Debian?
If so, have a look at https://mentors.debian.net/intro-maintainers to 
understand best practices of maintaining a package. 
If you are new to Debian packaging, please read the tutorial
https://www.debian.org/doc/manuals/debmake-doc/index.en.html and also
study how other Debian maintainers package similar packages.

Bye
Michael





Re: Uninformative hyperlink in O: (package orphaning) bug reports

2019-07-09 Thread Michael Kesper
Hi again,

On 09.07.19 09:17, Michael Kesper wrote:
> I think this is still starting a little bit negative, maybe like this?
> 
> If nobody adopts this package it will vanish from Debian.
> Do you care for this package being part of Debian?
   ^^^
Maybe change this "package" to software, as I just realized that term
is used a little bit too often here and users don't care about
"packages" but about using software.

> If so, have a look at https://mentors.debian.net/intro-maintainers to 
> understand best practices of maintaining a package. 
> If you are new to Debian packaging, please read the tutorial
> https://www.debian.org/doc/manuals/debmake-doc/index.en.html and also
> study how other Debian maintainers package similar packages.
 ^^^ 
Don't know exactly how to phrase that better.

Bye
Michael





Re: Notes on packaging PCYNLITX

2019-07-12 Thread Michael Kesper
Hi Bagas,

On 12.07.19 14:52, Bagas Sanjaya wrote:
> I've filed RFP for PCYNLITX some time ago [1]:
[...]
> - The script installs wxWidgets library from third-party repository, not from 
> Debian. It uses codelite repo (for Stretch):
>> apt-add-repository 'deb http://repos.codelite.org/wx3.0.4/debian/ stretch libs'

This is not how Debian works.
It has to use the version in Debian and not install a custom one.

Best wishes
Michael





Re: git & Debian packaging sprint report

2019-07-15 Thread Michael Kesper
Hi Sean, hi all,

On 12.07.19 09:00, Sean Whitton wrote:
> On Fri 12 Jul 2019 at 04:30am +00, Scott Kitterman wrote:
> 
>> Has there been any analysis of the security implications of this
>> proposed service?
> 
> Nothing formal, though of course we were thinking about it while we were
> working on it.
> 
>> If I am understanding the description correctly, the transformation
>> from git tag (which is signed and can be verified) to a source package
>> (which can be signed and verified) will happen on an internet facing
>> server (typically this would happen on a local developer machine) and,
>> unless there is additional magic around key management that isn't
>> described in the blog post, the private key for a key the archive
>> trusts would also be there.
>>
>> It seems to me that there is potential for a significant new attack
>> surface that ought to be carefully assessed before this gets anywhere
>> near wired up to feed into the archive from any kind of 'cloud'
>> service.
> 
> The current plan is for this machine to be firewalled such that it talks
> only to salsa.  For exactly the sort of reasons you describe, you won't
> be able to use this with arbitrary git hosts.
> 
> The only untrusted input is the git tags before their signature has been
> verified against the Debian keyring.  Maybe we could isolate fetching
> and checking those tags from the part of the service which fetches the
> whole git tree to produce a source package.

Nonetheless it seems to me you are moving from trusting local signing
to trusting upload by salsa, thereby making salsa more attractive for 
attackers.

Best wishes
Michael
 






Re: git & Debian packaging sprint report

2019-07-16 Thread Michael Kesper
Hi Sean,

On 15.07.19 19:02, Sean Whitton wrote:
> On Mon 15 Jul 2019 at 01:16PM +02, Michael Kesper wrote:
> 
>> Nonetheless it seems to me you are moving from trusting local signing
>> to trusting upload by salsa, thereby making salsa more attractive for
>> attackers.
> 
> I don't follow -- the git tag is PGP-signed, locally, by the uploader.
> Just like how they would PGP-sign, locally, the .dsc and .changes.

Ah ok, sorry, this wasn't clear to me.

Michael
 






Re: Debian and our frenemies of containers and userland repos

2019-07-23 Thread Michael Kesper
Hi all,

On 22.07.19 12:38, Enrico Weigelt, metux IT consult wrote:
> COOS:   just yet another special purpose distro, in that case for
>     docker hosts. neither the first, nor the last one to come.
> Yocto:  just yet another compile-yourself distro, focused on embedded,
>     that happens to be hyped by certain corporations.
>     (for small/embedded devices, I'd really recommend ptxdist).
> Alpine: yet another distro, optimized for running in small containers

Just a shame it seems the default for everyone and their cat to use it
as a base image.

Recent article re Python container images:
https://pythonspeed.com/articles/base-image-python-docker-images/

> Containerization is a valid approach for some kind of workloads
> (eg. specific inhouse applications) that can be easily isolated from
> the rest. But it comes with the price of huge redundancies (depending
> on how huge some application stacks are). And unless everybody wants
> to go back to maintaining everything on his own, we still need distros.
> 
> If different applications need to deeply interact (eg. various plugin
> stuff, applications calling each other, etc), containerization doesn't
> help much. (eg: how can you have a pure texlive in one container and
> extra things like fonts, document classes, etc, in separate ones ? :o)
> 
> The whole point about containerization isn't about packaging and
> deployment of individual applications - instead it's about automatizing
> the rollout of fully-configured installations.

Good points!

Best
Michael





Re: Salsa.d.o: Please support the implementation request for a global config option to change the default for "Custom CI config path" in Gitlab

2019-08-01 Thread Michael Kesper
Hi all,

On 27.07.19 20:11, Ian Jackson wrote:
> Bastian Blank writes ("Re: Salsa.d.o: Please support the implementation 
> request for a global config option to change the default for "Custom CI 
> config path" in Gitlab"):
>> The setting is per project, so it is available.  For now I say that
>> changing this globally is too disruptive.

Could you please elaborate why you think so?

>> But as I wanted to try this something:  Please describe why we _should not_
>> set such an option globally.  This is just helping to see if you
>> understand both sides.
> 
> The main downside I can think of making this change is that existing
> salsa gitlab ci users will have to either rename their file
> (preferred) or change their repo config.

I think as it's only a default, it should not influence already set values?

My 2 cents
Michael





Getting people of different teams together

2019-11-07 Thread Michael Kesper
Hi Steve,

thanks for such a nicely written report (Summary of the Secure Boot BoF at 
DC19)!

What I want to comment on:

On 21.10.19 03:36, Steve McIntyre wrote:
> The awkward bits
> 
> 
> Time
> 
> It's taken a *very* long time to get this into Debian. We've been
> talking about this since ~2012, only in the archive in 2019. Why has
> it taken seven years?
> 
> This is a very complex topic that required cross-team collaboration
> from (at least!) 5 different teams in Debian: Kernel, EFI, FTP, DSA,
> buildd.
> 
> Debian works really well when people can work independently - it's how
> we have thousands of contributors working on tens of thousands of
> different source packages without forever blocking each other.
> 
> But here we had busy people (and teams) waiting on each other,
> multiple times. There were several different proposals and we
> needed many rounds of discussions before we eventually got to our
> solution. Huge progress was finally made during a sprint in April 2018
> in Germany when we had people from *all* the relevant teams together
> in a room for the first time. It's amazing how much better things can
> work when the feedback loop is measured in minutes rather than weeks!

Could this be a "lessons learned" for Debian?

Who could identify stuck processes and could gather involved parties
together for a weekend/week or so?

I presume that this is not the only issue where getting together (in person
or not) and focussing on one issue makes the difference.

Best wishes
Michael





Re: According to one update package

2019-11-28 Thread Michael Kesper
Hi all,

On 28.11.19 10:43, Andrej Shadura wrote:
> On Thu, 28 Nov 2019 at 09:33, Ozgur Altinter (DHL TR)
>> But when we checked from Debian Library we found out below link regarding to 
>> some Sudo update.
> 
>> https://security-tracker.debian.org/tracker/CVE-2019-14287
> 
>> My first question is this same vulnerability patch? When I checked Only 
>> showing deb9u1, deb8u6, deb10u1. My system details are as follow. could you 
>> pls which one I can choose for my system?
> 
> You need to run apt update and apt upgrade, this will install all
> recent updates (which you have skipped a lot) onto your system.

Besides, you should prepare to upgrade to a newer version of Debian.
Debian Jessie will receive support until ~2020-06-30 only according to
https://wiki.debian.org/DebianReleases

Best wishes
Michael


