On Mon, Jul 02, 2012 at 05:42:13PM +0100, Steve McIntyre wrote:
> As you might have seen from recent discussions about the Fedora and
> Ubuntu strategies for how to deal with EFI and Secure Boot, there are
> potentially major issues in the area. In Debian we don't (yet) have a
> plan, so it's high
[Michael Gilbert]
>> Are you aware of my proposal to do this, mentioned on debian-security
>> and also drafted on http://wiki.debian.org/CPEtagPackagesDep >?
>
> Does this actually cover embedded code copies? The spec probably
> needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
>
> [Silvio Cesare]
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that co
]] Wouter Verhelst
> Yes, freedesktop people have given up on many useful things, which is a
> shame in my opinion (consider the fact that dbus can't be restarted on a
> running system without causing breakage).
There's no «freedesktop people». fdo is a set of fairly loosely
associated projects
On Mon, Jul 02, 2012 at 08:27:05PM +0600, Alexander E. Patrakov wrote:
> So in reality, I am on the fence. The quoted solution is easier and it
> seems to work well enough. But for some reason, freedesktop folks
> invented this for desktop systems:
> http://fedoraproject.org/wiki/Features/OfflineSy
Package: wnpp
Severity: wishlist
Owner: Radostan Riedel
* Package name: clipper
Version : 2.1+20100511
Upstream Author : Kevin Cowtan
* URL : http://www.ysbl.york.ac.uk/~cowtan/clipper/clipper.html
* License : GNU LGPL v2.1
Programming Lang: C++
Descripti
Package: wnpp
Severity: wishlist
Owner: Radostan Riedel
* Package name: gpp4
Version : 1.3.1
Upstream Author : Morten Kjeldgaard
* URL : https://launchpad.net/gpp4
* License : GNU LGPL v3
Programming Lang: C, Fortran
Description : A standalone, drop-i
Package: wnpp
Severity: wishlist
Owner: Radostan Riedel
* Package name: mmdb
Version : 1.23.2.1
Upstream Author : Morten Kjeldgaard
* URL : http://launcpad.net/mmdb
* License : GNU LGPL v3
Programming Lang: C++
Description : Macromolecular coordinate
Hey folks,
As you might have seen from recent discussions about the Fedora and
Ubuntu strategies for how to deal with EFI and Secure Boot, there are
potentially major issues in the area. In Debian we don't (yet) have a
plan, so it's high time that we had some discussion. I've set up a BoF
at DebCo
On Thu, Jun 28, 2012 at 04:42:10PM +0200, Guus Sliepen wrote:
> I believe our current way of responding to ITPs for software that
> duplicates the functionality other software that is already in Debian
> is wrong. We have a very lengthy discussion every time such an ITP
> happens, but usually they ch
On 02/07/12 15:27, Alexander E. Patrakov wrote:
> The quoted solution is easier and it
> seems to work well enough. But for some reason, freedesktop folks
> invented this for desktop systems:
> http://fedoraproject.org/wiki/Features/OfflineSystemUpdates .
I think you mean "Fedora folks". freedeskt
On Mon, Jul 2, 2012 at 4:38 AM, Bastian Blank wrote:
> Can this tool be used to identify all code copies, regardless of CVE?
Indeed, we plan to run it over the whole archive on a regular basis
and link to the results from the PTS.
Silvio, thanks a lot for your work, I'm looking forward to sponso
> While it might work for some, there's a much simpler way to minimize
> daemon downtime: Avoid stopping a daemon in the prerm, and instead
> restart it in the postinst. Downtime then becomes < 1 second per daemon
> (less than a kexec reboot).
> However, the daemon then needs to be audited to ensur
Michael Hanke writes ("Re: Improving our response to "duplicate" packages in Debian"):
> I think this is approaching the problem from the wrong end. Instead of
> preserving the status quo and asking oracles to predict the future we
> should have better means of _removing_ software that has proven
To: debian-devel@lists.debian.org
The Club de Programadores - Asociación Civil invites you to take part in the
course 'Carrera de Desarrollo Web' (Web Development Track), to be held on
Tuesdays from 18:00 to 20:00 starting 10 July 2012, at Laboratorio Congreso,
Entre Ríos 166, 14th floor
1- Syllabus
Alexander E. Patrakov wrote:
> A technology exists that can keep downtime to a minimum. It is called
> "btrfs snapshots", see below for the details. After Wheezy, Debian
> should support it natively in installer, dpkg and apt/aptitude.
That is a rather complicated solution. It has very significant
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to c
Last I checked, ia32-libs on squeeze didn't have the openssl patches for
0.9.8. I may have to check more thoroughly to be sure. It might have some
other vulns as well.
--
Silvio
On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ...
Package: wnpp
Severity: wishlist
Owner: Radostan Riedel
* Package name: cctbx
Version : 2012.05.08.2305
Upstream Author : Luc J. Bourhis
Nathaniel Echols
Ralf W. Grosse-Kunstleve
* URL : http://cctbx.sourceforge.net
* License
On Mon, Jul 02, 2012 at 06:53:54PM +1000, Silvio Cesare wrote:
> I recently ran the tool and cross referenced identified code copies with
> Debian's security tracking of affected packages by CVE. I did this for all
> CVEs in 2010, 2011, and 2012.
Can this tool be used to identify all code copies,
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify wh
> Note that I just did a quick test with kexec-tools in sid on two boxes,
> and kexec failed miserably, so maybe it works perfectly elsewhere, but
> I'm unsure if it's a good idea to rely on it.
Well, the proposed method (if the /var issue is solved) would work
with a plain reboot, too. If the ker
Hi,
I have been working on a tool called Clonewise
(http://www.github.com/silviocesare/Clonewise and http://www.FooCodeChu.com)
to automatically identify code copies in Linux and try to infer if any of
these code copies are causing security issues because they haven't been
updated. The goal is for
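Bastian's question above ("can this tool be used to identify all code copies, regardless of CVE?") and Silvio's description of cross-referencing detected copies with the security tracker both come down to the same two steps: find packages whose source tree contains another package's files, then check which CVEs for that library the tracker has not yet recorded against the embedder. The following is an added illustration of that workflow, not Clonewise's own code (Clonewise uses filename features and statistical classification over the real unpacked archive). The package file lists, the package names zlib, libpng, libfoo and libbar, and the CVE-0000-* identifiers are all constructed placeholders, not real data or real vulnerabilities.

```python
"""Flag embedded code copies by shared source-file names, then report
CVEs that the security tracker lists for the library but not the embedder."""
from collections import Counter

# Constructed sample data: source package -> set of source file basenames.
# A real run would extract these from the unpacked Debian source archive.
PACKAGES = {
    "zlib": {"adler32.c", "crc32.c", "deflate.c", "inflate.c", "inftrees.c",
             "trees.c", "zutil.c", "zlib.h", "Makefile", "README"},
    "libpng": {"png.c", "pngread.c", "pngwrite.c", "pngget.c", "Makefile",
               "README", "configure"},
    # libfoo (hypothetical) ships an unmodified copy of zlib under contrib/
    "libfoo": {"foo.c", "foo.h", "Makefile", "README",
               "adler32.c", "crc32.c", "deflate.c", "inflate.c", "inftrees.c",
               "trees.c", "zutil.c", "zlib.h"},
    # libbar (hypothetical) shares a single generic-looking name: noise, not a copy
    "libbar": {"bar.c", "bar.h", "README", "crc32.c"},
}

# Constructed placeholder tracker: CVE id -> source packages recorded as affected.
# The CVE-0000-* ids are placeholders, not real CVEs.
SECURITY_TRACKER = {
    "CVE-0000-0001": {"zlib"},             # embedder not recorded: the gap to find
    "CVE-0000-0002": {"libpng"},           # unrelated to any detected copy
    "CVE-0000-0003": {"zlib", "libfoo"},   # tracker already covers the copy
}

# Names that occur in almost every source tree carry no signal.
GENERIC_NAMES = {"Makefile", "README", "configure", "config.h", "ChangeLog",
                 "COPYING", "LICENSE", "INSTALL"}


def distinctive_files(pkg, packages, max_occurrences=3):
    """Filenames of pkg that are neither generic nor spread across many packages."""
    counts = Counter(name for files in packages.values() for name in files)
    return {n for n in packages[pkg]
            if n not in GENERIC_NAMES and counts[n] <= max_occurrences}


def find_code_copies(packages, min_shared=4, min_ratio=0.6):
    """Return sorted (embedder, library, ratio) triples.

    A library is flagged as embedded when most of its distinctive files
    reappear in a larger tree; the smaller tree is assumed to be the library,
    which keeps the pair from being reported in both directions."""
    copies = []
    for library in packages:
        lib_files = distinctive_files(library, packages)
        if not lib_files:
            continue
        for embedder in packages:
            if embedder == library:
                continue
            emb_files = distinctive_files(embedder, packages)
            shared = lib_files & emb_files
            ratio = len(shared) / len(lib_files)
            if (len(shared) >= min_shared and ratio >= min_ratio
                    and len(lib_files) < len(emb_files)):
                copies.append((embedder, library, round(ratio, 2)))
    return sorted(copies)


def missing_tracker_entries(copies, tracker):
    """CVEs recorded against a library whose embedder the tracker does not list."""
    missing = []
    for cve, affected in sorted(tracker.items()):
        for embedder, library, _ in copies:
            if library in affected and embedder not in affected:
                missing.append((cve, embedder, library))
    return missing


if __name__ == "__main__":
    copies = find_code_copies(PACKAGES)
    for embedder, library, ratio in copies:
        print(f"{embedder} appears to embed {library} ({ratio:.0%} of its files)")
    for cve, embedder, library in missing_tracker_entries(copies, SECURITY_TRACKER):
        print(f"{cve}: tracker lists {library} but not {embedder}; needs review")
```

The ratio threshold and the "smaller tree is the library" rule are the knobs that trade false positives against misses; the ia32-libs and openssl cases discussed in this thread are exactly the kind of hits that a reviewer then has to confirm by hand, since a copy may already carry the fix without the tracker saying so.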
* Vincent Danjean , 2012-07-02, 10:19:
python-support also create symlink/compile bytecode in /var
FWIW, python-support hasn't been using /var since 2009:
$ ls -ld /var/lib/python-support
lrwxrwxrwx 1 root root 18 Jun 5 16:15 /var/lib/python-support -> /usr/lib/pymodules
--
Jakub Wilk
--
Le 02/07/2012 08:48, Alexander E. Patrakov a écrit :
> 2012/7/2 Philipp Kern :
>> Alexander,
>> it is not sufficient on a Debian system to just branch off the root
>> filesystem
>> given that important state information of the package manager is stored in
>> /var.
>
> Yes, this seems to be a vali
On lun., 2012-07-02 at 11:11 +0600, Alexander E. Patrakov wrote:
> 3) Then a kexec-based reboot should happen, using the new subvolume as
> the root filesystem.
Note that I just did a quick test with kexec-tools in sid on two boxes,
and kexec failed miserably, so maybe it works perfectly elsewher