Re: dpkg-sig support wanted?

2005-11-26 Thread Peter Samuelson
[Florian Weimer] > > It should be replaced with "-". Beyond alphanumerics, only ".", > > "_", "-" are in the POSIX portable filename character set[1], and > > some systems do not allow the character "+" in file names. [Henning Makholm] > However there are already plenty of files with "+" in th

Re: dpkg-sig support wanted?

2005-11-26 Thread Anthony Towns
On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote: > For the "exploits" we have seen so far to work, the malicious party > needs upload access to the archive and has to plant a specially > crafted package there, for which they have created an evil twin > package. (Same for attacking o

Bug#340934: lintian check for unneeded/transitive shlibs dependencies

2005-11-26 Thread Henning Makholm
Package: lintian Severity: wishlist Tags: patch Steve Langasek wrote in : > I would encourage you to read the presentation in question, but I will > also summarize here: due to accidents of history, the convention when > linking

Re: dpkg-sig support wanted?

2005-11-26 Thread Anthony Towns
On Fri, Nov 25, 2005 at 11:08:32PM -0600, Peter Samuelson wrote: > You may laugh if you wish, but I think it's annoying to have to move to > a hash function whose hexadecimal representation takes 64 bytes, which > doesn't leave much room on an 80-column line to describe what the hash > is hashing.

Re: Bug#340631: ITP: culmus-fancy -- Type1 Fancy Hebrew Fonts for X11

2005-11-26 Thread Peter Samuelson
[Lior Kaplan] > * Package name: culmus-fancy > Description : Type1 Fancy Hebrew Fonts for X11 I understand that the 'culmus' package already exists, and other packages like 'lmodern' don't follow any particular name convention either, but could you consider naming this thing t1-culmus-f

Re: Bug#340624: ITP: sendcard -- web-based virtual greeting card (e-card) software

2005-11-26 Thread Peter Samuelson
[Wesley J. Landaker] > As described by the upstream website (the rest of this is a quote): > > What is sendcard? > Sendcard is a multi-database (It currently supports 9 different > databases!) e-card or virtual postcard program written in PHP. Suitable > for large or small sites, it is very easy

Re: dpkg-sig support wanted?

2005-11-26 Thread Peter Samuelson
[George Danchev] > Even using weak hash sum algorithms you can easily make the hash > collider life tremendously difficult by simply having more than one > (ok two should be enough) hash sums generated with _different_ > (weak?) algorithms on the same entity. What you have just defined is a new h

Re: dpkg-sig support wanted?

2005-11-26 Thread Henning Makholm
Scripsit Florian Weimer <[EMAIL PROTECTED]> > * Henning Makholm: >>> I wouldn't use real base64, though, because it would mean that you can >>> use its hashed output as a file name. >> Good point. One might replace "/" with "_" and omit the final "=". >> Having a "+" in the hash should be safe in

Re: Secret changes for binNMUs

2005-11-26 Thread Roger Leigh
Michael Banck <[EMAIL PROTECTED]> writes: > On Thu, Nov 24, 2005 at 11:02:36AM +, Roger Leigh wrote: >> Goswin von Brederlow <[EMAIL PROTECTED]> writes: >> >> > If you NEED to do a manual binNMU it is probably best to use sbuild >> > (the cvs

Re: Bug#340606: ITP: libsub-name-perl -- Assigns a new name to referenced sub

2005-11-26 Thread Krzysztof Krzyzaniak
Henning Makholm wrote: Scripsit "Krzysztof Krzyzaniak (eloy)" <[EMAIL PROTECTED]> This module has only one function, which is also exported by default: subname NAME, CODEREF Assigns a new name to referenced sub. The name is only used for informative routines (caller, Carp, etc). Is this real

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Adeodato Simó: > * Florian Weimer [Thu, 24 Nov 2005 18:28:04 +0100]: > > Hi, > >> AFAIK, binary NMus aren't announced on debian-devel-changes. > > Binary-only uploads are announced in the appropriate > debian-devel-$ARCH-changes list. According to

Re: Heimdal autotools dramas

2005-11-26 Thread Brian May
> "Gabor" == Gabor Gombas <[EMAIL PROTECTED]> writes: Gabor> It tests for the GLOB_QUOTE flag but that is not present in Gabor> glibc, so it decides that glibc's glob() function is not Gabor> good enough. See cf/broken-glob.m4. Arhh... This brings back memories. Now I just need t

Re: possible freetype transition; improved library handling needed for all C/C++ packages

2005-11-26 Thread Kurt Roeckx
On Thu, Nov 24, 2005 at 02:43:14PM +0100, Peter Eisentraut wrote: > Steve Langasek wrote: > > * Use Debian's libtool. > > kmldonkey links with the following libraries: -lkdeui -lkio. As shipped, > libtool expands that to every library under the sun. The new libtool > indeed reduces this to /usr/

Re: Secret changes for binNMUs

2005-11-26 Thread Simon Richter
Hi, Henrique de Moraes Holschuh schrieb: > We really need another substvar with different semantics. http://lists.debian.org/debian-devel/2002/09/msg01251.html Simon

Re: master mail problems -- help needed

2005-11-26 Thread Stephen Gran
This one time, at band camp, Florian Weimer said: > * Stephen Gran: > > > I have IPv6 support in kernel and exim, > > Are you sure? "IPv6 socket creation failed: Address family not > supported by protocol" suggests something else. > > > but no IPv6 connectivity, > > master has even got an IPv6

Re: master mail problems -- help needed

2005-11-26 Thread Florian Weimer
* Stephen Gran: >> It probably makes sense to disable IPv6 support in Exim on master, >> independently of my current problem. I'm going to suggest this to >> postmaster@ once I figured out a good way to implement this. > > I doubt that's the problem. This is from my logs: > > 2005-08-10 13:33:46

Re: master mail problems -- help needed

2005-11-26 Thread Stephen Gran
This one time, at band camp, Florian Weimer said: > Hmm, speaking of MXes, mail delivery over IPv6 seems to be enabled on > master: > > router = dnslookup, transport = remote_smtp > host mail.enyo.de [2001:14b0:202:1::a7] MX=10 > host mail.enyo.de [212.9.189.167] MX=10 > > But master

Re: master mail problems -- help needed

2005-11-26 Thread Stephen Gran
This one time, at band camp, Florian Weimer said: > * Stephen Gran: > > > Once you know the retry rules, try > > /usr/sbin/exinext [EMAIL PROTECTED] > > > > That will tell you what's recorded in the retry database currently. > > exinext is not SUID, and I haven't got sufficient permission on >

Re: master mail problems -- help needed

2005-11-26 Thread Florian Weimer
* Jeroen van Wolffelaar: >> I tried to debug it myself, using the information I could access on >> master, but I couldn't gather enough evidence to present to the >> postmasters so far. > > But other DD's can also only do a limited amount of research, the only > way to really find out is asking a

Re: master mail problems -- help needed

2005-11-26 Thread Florian Weimer
* Stephen Gran: > Once you know the retry rules, try > /usr/sbin/exinext [EMAIL PROTECTED] > > That will tell you what's recorded in the retry database currently. exinext is not SUID, and I haven't got sufficient permission on master to access the retry database: [pid 29063] open("/var/spool/e

Re: master mail problems -- help needed

2005-11-26 Thread Stephen Gran
This one time, at band camp, Florian Weimer said: > From time to time, master seems to bounce mail routed to mail.enyo.de > with the following error message: > > [EMAIL PROTECTED] > retry time not reached for any host after a long failure period > > Is anybody experiencing a similar proble

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Henning Makholm: >> I wouldn't use real base64, though, because it would mean that you can >> use its hashed output as a file name. > > Good point. One might replace "/" with "_" and omit the final "=". > Having a "+" in the hash should be safe in most contexts. It should be replaced with "-".

Re: master mail problems -- help needed

2005-11-26 Thread Jeroen van Wolffelaar
On Sat, Nov 26, 2005 at 02:00:48PM +0100, Florian Weimer wrote: > From time to time, master seems to bounce mail routed to mail.enyo.de > with the following error message: > > [EMAIL PROTECTED] > retry time not reached for any host after a long failure period > > Is anybody experiencing a

Re: Heimdal autotools dramas

2005-11-26 Thread Gabor Gombas
On Sat, Nov 26, 2005 at 11:44:48AM +1100, Brian May wrote: > The Heimdal configure script correctly detects that glob() is present > in libc6, but appears to build glob.c anyway, and it also installs > glob.h. It tests for the GLOB_QUOTE flag but that is not present in glibc, so it decides that g

Re: Bug#340428: octave2.9 - lists mailing list as uploader in changelog

2005-11-26 Thread Adeodato Simó
* Bastian Blank [Thu, 24 Nov 2005 23:45:02 +0100]: > On Thu, Nov 24, 2005 at 10:48:39PM +0100, Rafael Laboissiere wrote: > > Yes, I have been doing things wrongly in the past, but this is not the > > case anymore. The Changed-By fields are correct now. See, for instance, > > my last upload: > >

Mailing list vs. real person name in debian/changelog entries

2005-11-26 Thread Rafael Laboissiere
I am moving from debian-devel to debian-policy a discussion that started in this bug report: http://bugs.debian.org/340428 and continued in the thread: http://lists.debian.org/debian-devel/2005/11/msg01378.html I hope it is appropriate to post this here in debian-policy. My apologie

Re: Secret changes for binNMUs

2005-11-26 Thread Andreas Metzler
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote: > On Sat, 26 Nov 2005, Andreas Metzler wrote: >> Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote: >> [...] >>> Meanwhile, I am using this: unversioned depends and two conflicts: (<< >>> {Upstream-Version}), (>= {Upstream-Version}.1). >>

Re: Secret changes for binNMUs

2005-11-26 Thread Adeodato Simó
* Henrique de Moraes Holschuh [Sat, 26 Nov 2005 08:42:41 -0200]: > Yes. It is just a matter of which one you like better. You could also have > one depends and one conflicts instead of two conflicts or two depends. Versioned conflicts are said to increase apt's trouble to upgrade from one sta

Re: dpkg-sig support wanted?

2005-11-26 Thread Henning Makholm
Scripsit Florian Weimer <[EMAIL PROTECTED]> > * Henning Makholm: >> Why wait for the world to settle? Would there be anything wrong with >> writing a sha256sum program that outputs base64 right now? > I wouldn't use real base64, though, because it would mean that you can > use its hashed output a

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Steinar H. Gunderson: > On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote: >> So? If SHA256 is so much better, why is that nobody can prove it, or >> at least can provide some evidence which supports that claim? "The >> numbers are bigger" is the main argument at this point, which

master mail problems -- help needed

2005-11-26 Thread Florian Weimer
From time to time, master seems to bounce mail routed to mail.enyo.de with the following error message: [EMAIL PROTECTED] retry time not reached for any host after a long failure period Is anybody experiencing a similar problem? I tried to debug it myself, using the information I could ac

Re: Bug#340428: octave2.9 - lists mailing list as uploader in changelog

2005-11-26 Thread Roberto C. Sanchez
On Sat, Nov 26, 2005 at 10:53:16AM +0100, Rafael Laboissiere wrote: > * Bastian Blank <[EMAIL PROTECTED]> [2005-11-26 00:43]: > > > On Fri, Nov 25, 2005 at 09:01:24AM +0100, Rafael Laboissiere wrote: > > > * Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]: > > > > | Maintainer: Debian/IA64 Bu

Re: dpkg-sig support wanted?

2005-11-26 Thread Steinar H. Gunderson
On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote: > So? If SHA256 is so much better, why is that nobody can prove it, or > at least can provide some evidence which supports that claim? "The > numbers are bigger" is the main argument at this point, which is > awfully similar to the u

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Henning Makholm: > Scripsit Peter Samuelson <[EMAIL PROTECTED]> > >> You may laugh if you wish, but I think it's annoying to have to move to >> a hash function whose hexadecimal representation takes 64 bytes, which >> doesn't leave much room on an 80-column line to describe what the hash >> is h

Re: dpkg-sig support wanted?

2005-11-26 Thread Henning Makholm
Scripsit Peter Samuelson <[EMAIL PROTECTED]> > You may laugh if you wish, but I think it's annoying to have to move to > a hash function whose hexadecimal representation takes 64 bytes, which > doesn't leave much room on an 80-column line to describe what the hash > is hashing. Maybe by the time

Re: Remove

2005-11-26 Thread Henning Makholm
Scripsit Benjamin Seidenberg <[EMAIL PROTECTED]> > Suggestion: Why don't all the readers of debian-devel put something > like this on their blogs: Good idea (but probably not Debian-specific blogs). One should probably not copy this exact text; I imagine Google will think higher of the links

Re: dpkg-sig support wanted?

2005-11-26 Thread Marc Haber
On Fri, 25 Nov 2005 12:50:41 -0800, Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote: >Goswin von Brederlow <[EMAIL PROTECTED]> writes: >> The archive signing key gives absolutely no integrity ensurance on the >> deb package. The only thing it insures is that the file was not >> altered _after_ leavin

Re: Secret changes for binNMUs

2005-11-26 Thread Henrique de Moraes Holschuh
On Sat, 26 Nov 2005, Andreas Metzler wrote: > Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote: > [...] > > Meanwhile, I am using this: unversioned depends and two conflicts: (<< > > {Upstream-Version}), (>= {Upstream-Version}.1). > > Depends: foo (>={Upstream-Version}), foo (<< {Upstream-Ver

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Thiemo Seufer: >> A: Why do you lock your car up[1]? >> >> B: Because it looks like having it locked is better than not having it >> locked. >> >> A: Sorry, but that's a snake oil rationale. Anybody can pick the lock >> and break in. Anybody can smash a window and break in. etc. > > Wrong, it

Re: Bug#340428: octave2.9 - lists mailing list as uploader in changelog

2005-11-26 Thread Rafael Laboissiere
* Bastian Blank <[EMAIL PROTECTED]> [2005-11-26 00:43]: > On Fri, Nov 25, 2005 at 09:01:24AM +0100, Rafael Laboissiere wrote: > > * Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]: > > > | Maintainer: Debian/IA64 Build Daemon <[EMAIL PROTECTED]> > > > | Changed-By: Debian Octave Group <[EMAIL

Re: dpkg-sig support wanted?

2005-11-26 Thread Florian Weimer
* Anthony Towns: > On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote: >> * Anthony Towns: >> > (I'm amazed the security "crisis" we're having is about deb sigs >> > *again*, when we're still relying on md5sum which has a public exploit >> > available now...) >> These exploits are irre

Re: dpkg-sig support wanted?

2005-11-26 Thread George Danchev
On Saturday 26 November 2005 01:13, Anthony Towns wrote: > On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote: > > * Anthony Towns: > > > (I'm amazed the security "crisis" we're having is about deb sigs > > > *again*, when we're still relying on md5sum which has a public exploit > > > a

Re: Secret changes for binNMUs

2005-11-26 Thread Andreas Metzler
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote: [...] > Meanwhile, I am using this: unversioned depends and two conflicts: (<< > {Upstream-Version}), (>= {Upstream-Version}.1). Depends: foo (>={Upstream-Version}), foo (<< {Upstream-Version}.1) instead should also work without the need for