[Bringing this bug to the eyes of debian-devel readers]
On Wed, Mar 03, 2010 at 08:34:48PM +0100, Ana Guerrero wrote:
> Package: ftp.debian.org
>
>
> Hi,
>
> While trying to sort of the Section field for the apps included in kdeedu,
> I started to wonder if we are missing a subsection in the ar
Vincent Bernat writes:
> Russ Allbery disait:
>> Well, I'm personally not directly involved with Python development, but
>> it seems like a lot of people are upset with the way that the python
>> package is being maintained. We do have a procedure for this: it falls
>> under the jurisdiction of
On Tue, Mar 9, 2010 at 08:09, Vincent Bernat wrote:
> Some respectable people keep telling us that the problem is handled and
> the solution will come soon.
But OTOH very very few advances are made during these months, that
doesn't encourage to believe that "soon" is really soon now.
> Going
On 09/03/10 at 08:05 +0100, Sandro Tosi wrote:
> On Tue, Mar 9, 2010 at 07:44, Lucas Nussbaum wrote:
> > Last time I investigated the python problems, it was quite clear that
> > the situation wasn't as black and white as some people seem to think.
>
> Mind to share the results of your investigat
OoO En cette nuit nuageuse du mardi 09 mars 2010, vers 01:14, Russ
Allbery disait :
>>> Maybe the group of people doing that work should also be the people who
>>> decide when Python 2.6 will be uploaded, if the current maintainer
>>> isn't able or willing to coordinate the work for whateve
Package: wnpp
Severity: wishlist
Owner: Daniel Kahn Gillmor
I'm in the process of packaging the perl implementation of the
Monkeysphere's cryptographic validation agent:
* Package name: msva-perl
Version : 0.1
Upstream Author : Daniel Kahn Gillmor
* URL : http://web.
On Tue, Mar 9, 2010 at 07:44, Lucas Nussbaum wrote:
> Last time I investigated the python problems, it was quite clear that
> the situation wasn't as black and white as some people seem to think.
Mind to share the results of your investigations (even if probably a
bit outdated)?
Thanks,
--
Sand
On 08/03/10 at 16:14 -0800, Russ Allbery wrote:
> Sandro Tosi writes:
> > On Mon, Mar 8, 2010 at 21:53, Russ Allbery wrote:
>
> >> Maybe the group of people doing that work should also be the people who
> >> decide when Python 2.6 will be uploaded, if the current maintainer
> >> isn't able or wi
Joey Hess writes:
> Russ Allbery wrote:
>> It's also always worth bearing in mind that while a really good
>> attacker can do all sorts of complex things that make them very hard to
>> find, most attackers are stupid and straightforward.
> It's stupid and straightforward to install /usr/local/bi
Russ Allbery wrote:
> It's also always worth bearing in mind that while a really good attacker
> can do all sorts of complex things that make them very hard to find, most
> attackers are stupid and straightforward.
It's stupid and straightforward to install /usr/local/bin/ls. debsums
will not dete
Harald Braumann writes:
> On Mon, Mar 08, 2010 at 05:59:13PM -0500, Joey Hess wrote:
>> That's one missing link. The other one is that there are innumerable
>> ways for an attacker to inject bad behavior/backdoors onto a system
>> without touching binaries originating from dpkg.
> Signatures don
On Mon, Mar 08, 2010 at 05:59:13PM -0500, Joey Hess wrote:
> Russ Allbery wrote:
> > The missing link, in this validation scenario, is how to get a signed copy
> > of the MD5 checksums of the files in the package.
>
> That's one missing link. The other one is that there are innumerable
> ways for
On Mon, Mar 08, 2010 at 11:04:24PM +0100, Frank Lin PIAT wrote:
> On Mon, 2010-03-08 at 12:59 -0800, Russ Allbery wrote:
> > 1. Strengthen the integrity check so that it could potentially be useful
> >for security purposes as well as for simple integrity checking.
>
> It would be much easier i
Charles Plessy writes:
> After the patch to the Dev. Ref. is accepted, I will submit a simple
> patch to Lintian. I do not think that it is necessary for Lintian to
> cross-check if the DD doing the team upload is really a team member.
I agree.
--
Russ Allbery (r...@debian.org) <
Dear all,
I have updated http://wiki.debian.org/TeamUpload and submitted #573110
to the Developers Reference.
I tend to manage my priorities by caring first of the packages listed
in my QA page, and then the other packages of my team. But if I add
myself as an uploader to all the packages I touch
[Russ Allbery]
> Can anyone confirm the comment in the bug log that setuid shouldn't
> even be required to do what libgcrypt is doing here, namely locking
> memory so that it's not swapped to disk?
Well, I didn't test, but from 'man mlock':
| Since Linux 2.6.9, no limits are placed on the am
On Mon, Mar 8, 2010 at 16:27:37 -0800, Russ Allbery wrote:
> Can anyone confirm the comment in the bug log that setuid shouldn't even
> be required to do what libgcrypt is doing here, namely locking memory so
> that it's not swapped to disk?
>
linux-2.6/include/linux/resource.h:#define MLOCK_LIM
Roger Leigh writes:
> The issue here is that upstream don't appear to want to fix it, because
> the change in behaviour could break backward compatibility and
> potentially introduce security exploits into programs relying on this
> side-effect of gcrypt. Any change would require the use of a ne
On Tue, 9 Mar 2010, Joey Hess wrote:
> Russ Allbery wrote:
> > The missing link, in this validation scenario, is how to get a signed
> > copy of the MD5 checksums of the files in the package.
>
> That's one missing link. The other one is that there are innumerable
> ways for an attacker to inject
On Mon, Mar 08, 2010 at 03:50:37PM -0800, Steve Langasek wrote:
> On Tue, Mar 09, 2010 at 10:34:37AM +1100, Brian May wrote:
> > Unfortunately, gcrypt is used by gnutls, which is used in ldap, which
> > is frequently used in PAM and NSS. So this is an issue. There might be
> > other NSS and PAM mod
Sandro Tosi writes:
> On Mon, Mar 8, 2010 at 21:53, Russ Allbery wrote:
>> Maybe the group of people doing that work should also be the people who
>> decide when Python 2.6 will be uploaded, if the current maintainer
>> isn't able or willing to coordinate the work for whatever reason?
> Yes, th
On Mon, Mar 8, 2010 at 21:53, Russ Allbery wrote:
> Sandro Tosi writes:
>
>> So, three months are passed since the last email to the original thread
>> and 1 week from this last ping, and there are still no public
>> information about the "currently discussion ongoing about how to move
>> forward
On Tue, Mar 09, 2010 at 10:34:37AM +1100, Brian May wrote:
> Unfortunately, gcrypt is used by gnutls, which is used in ldap, which
> is frequently used in PAM and NSS. So this is an issue. There might be
> other NSS and PAM modules that use it too.
> What is the solution? Should we go back to usin
Hello,
A number of packages, such as openldap have been changed to support
gnutls, instead of openssl, to avoid licensing issues in openssl.
However, it appears that gnutls uses libgcrypt, and libgcrypt has
several serious design issues.
1. libgcrypt doesn't cleanup properly on dlclose, and app
Some transitions for which there was an upload block in place have been
completed and the block has been automatically lifted:
The following transitions were removed:
Looking at transition: xz-utils-transition
Source: xz-utils
New Version: 4.999.9beta+20100212-4
Responsible: Marc Brockschmidt
Russ Allbery wrote:
> The missing link, in this validation scenario, is how to get a signed copy
> of the MD5 checksums of the files in the package.
That's one missing link. The other one is that there are innumerable
ways for an attacker to inject bad behavior/backdoors onto a system
without touc
Frank Lin PIAT writes:
> On Mon, 2010-03-08 at 12:59 -0800, Russ Allbery wrote:
>> 1. Strengthen the integrity check so that it could potentially be useful
>>for security purposes as well as for simple integrity checking.
> Yes, this is the intended goal. Imagine the following scenario:
> 1.
On Mon, 2010-03-08 at 12:59 -0800, Russ Allbery wrote:
> Frank Lin PIAT writes:
>
> > Find a patch attached, for a smooth transition from DEBIAN/md5sums to a
> > recent checksum.
>
> > The way it is implemented, is that the dh_md5sums is a symlink to the
> > new dh_checksums. The new helper comp
Frank Lin PIAT writes:
> Find a patch attached, for a smooth transition from DEBIAN/md5sums to a
> recent checksum.
> The way it is implemented, is that the dh_md5sums is a symlink to the
> new dh_checksums. The new helper computes both md5sum (for
> compatibility/transition) and a new checksum
Sandro Tosi writes:
> So, three months are passed since the last email to the original thread
> and 1 week from this last ping, and there are still no public
> information about the "currently discussion ongoing about how to move
> forward".
> Nice, let's keep this hidden, so that only the secre
On Mon, Mar 1, 2010 at 01:59, Ben Finney wrote:
> Luk Claes writes:
>
>> There is currently discussion ongoing about how to move forward,
>> though due to the complex nature of the current situation (where also
>> lots of FUD etc is on the lists), it is being dealt in private.
>
> Nearly three mo
On Mon, 08 Mar 2010, Brian Nelson wrote:
> Don Armstrong writes:
> > So there's a period on upgrade where the file has been overwritten
> > with an file before the new file has been generated?
> >
> > That's just wrong.
>
> Why? Considering the old hash file may be invalid anyway after
> you've u
On Mon, 2010-03-08 at 12:21 -0500, Joey Hess wrote:
> Frank Lin PIAT wrote:
> > Note regarding the patch:
> > I have tried to make the patch so it isn't too intrusive (for
> > instance, dh_checksums is a symlink to dh_md5sums even though it
> > should be the other way around).
>
> Symlink di
Jan Hauke Rahm writes:
> Not quite. 5.12 recommends a way to deal with team maintenance but is
> not enough here. Reading 5.12 (list as maintainer, the one who feels
> responsible as uploader) still allows having no uploader when noone
> feels responsible.
> I'd like to see a clear and unmistakl
On Mon, Mar 08, 2010 at 09:28:11AM -0800, Russ Allbery wrote:
> Jan Hauke Rahm writes:
>
> > There is just one thing that bothers me: this new feature would invite
> > teams to actually put noone in the uploaders list. The team would be
> > maintainer and no real person would be listed in the pa
Frank Lin PIAT wrote:
> Note regarding the patch:
> I have tried to make the patch so it isn't too intrusive (for
> instance, dh_checksums is a symlink to dh_md5sums even though it
> should be the other way around).
Symlink direction seems irrelevant.
I'd probably just make dh_md5sums call
Charles Plessy writes:
> Are there other persons interested? Shall I go ahead and submit a patch
> to Lintian and the Developers Reference (plus perhaps the Policy to
> include a footnote containing the special changelog lines for NMU, QA,
> security and team uploads)?
Just for the record, in ge
Jan Hauke Rahm writes:
> There is just one thing that bothers me: this new feature would invite
> teams to actually put noone in the uploaders list. The team would be
> maintainer and no real person would be listed in the package.
Lintian attempts to detect this but may not be able to depending
retitle 540215 Introduce dh_checksums
tag 540215 +patch
thanks
On Thu, 2010-03-04 at 20:08 +0100, Tollef Fog Heen wrote:
> Frank Lin PIAT wrote:
> > What about a transitional dh_md5sums that would produce md5sum AND
> > invoke dh_sha ?
>
> Or call it dh_checksums or something so we don't have to
Don Armstrong writes:
> On Sat, 06 Mar 2010, Andreas Metzler wrote:
>> Russ Allbery wrote:
>> > Figuring out a better solution for why the files in
>> > /var/lib/ispell and /var/lib/aspell are excluded from the md5sums
>> > generation because they change after installation is probably
>> > neede
On Mon, Mar 08, 2010 at 10:40:47PM +0900, Charles Plessy wrote:
> Are there other persons interested? Shall I go ahead and submit a
> patch to Lintian and the Developers Reference (plus perhaps the Policy
> to include a footnote containing the special changelog lines for NMU,
> QA, security and tea
Jan Hauke Rahm wrote:
> Hi Charles,
>
> On Mon, Mar 08, 2010 at 10:40:47PM +0900, Charles Plessy wrote:
>> Are there other persons interested? Shall I go ahead and submit a patch to
>> Lintian and the Developers Reference (plus perhaps the Policy to include a
>> footnote containing the special cha
Hi Charles,
On Mon, Mar 08, 2010 at 10:40:47PM +0900, Charles Plessy wrote:
> Are there other persons interested? Shall I go ahead and submit a patch to
> Lintian and the Developers Reference (plus perhaps the Policy to include a
> footnote containing the special changelog lines for NMU, QA, secur
Le Sun, Mar 07, 2010 at 02:42:02PM +0100, Niels Thykier a écrit :
>
> In my team (pkg-java) we seem to treat these upload as completely normal
> Maintainer Uploads; meaning that the "Team Uploader" is not restricted
> to "minimal changes" but may[1] fix whatever needs to be done (e.g. fix
> lintia
On Mon, Mar 08, 2010 at 10:47:18AM +0100, Agustin Martin wrote:
> On Fri, Mar 05, 2010 at 02:07:01PM -0600, Peter Samuelson wrote:
> >
> > [Russ Allbery]
> > > Figuring out a better solution for why the files in /var/lib/ispell
> > > and /var/lib/aspell are excluded from the md5sums generation bec
On Fri, Mar 05, 2010 at 11:45:38AM -0800, Russ Allbery wrote:
> Don Armstrong writes:
> > On Wed, 03 Mar 2010, Wouter Verhelst wrote:
>
> >> In this day and age of completely and utterly broken MD5[0], I think we
> >> should stop providing these files, and maybe provide something else
> >> instea
On Fri, Mar 05, 2010 at 02:07:01PM -0600, Peter Samuelson wrote:
>
> [Russ Allbery]
> > Figuring out a better solution for why the files in /var/lib/ispell
> > and /var/lib/aspell are excluded from the md5sums generation because
> > they change after installation is probably needed if we're going
47 matches
Mail list logo
