rrange for redirects to archive.org
when you hit those pages, but that has not been set up either.
But to me the weirdest thing is that quite a few complained and there
was no real response rationalizing the decision.
Kind regards
Philipp Kern
[1]
https://sal
essed). Back of the
envelope math says that'd be 600 GB/d of raw syslog log traffic. We
should have a very good reason for collecting this much data.
Kind regards
Philipp Kern
key usage transparency log, I think that's fine - but
that'd require an actual proposal, with code integrated into dak. Or
optimally more generically in a way where we could also reuse it for
other signatures like the ones generated for images.
Kind regards
Philipp Kern
5 people
to support it.
If we really make this about how to communicate, maybe we should be
bolder and consider solutions like Discourse. Which would also have
built-in chilling support to discourage from posting too frequently on a
topic in favor of addressing multiple points at once.
Kind regards
Philipp Kern
ly.
Mine doesn't wrap properly either, especially on wide screens. Neither
Thunderbird nor Roundcube. 80 characters are perfectly readable,
long-lines are increasingly annoying to read.
I can see how that part is a "me" problem. But it also worked perfectly
fine before.
Kind regards
Philipp Kern
burns up. How is the backup situation? What's
the restore process?
DSA is doing a daily file backup run using Bacula. PostgreSQL is
continuously streamed to the archive server and is probably 10 mins out
of date in the worst case - unless something breaks.
Kind regards
Philipp Kern
a LoRA. It's not like
inference requires a GPU.
But then again saying things like "oh, look, I could easily answer the
NM templates with this" is the context you want to put this work in.
Kind regards
Philipp Kern
order to gain the project's trust.
(In job interviews candidates already regularly use LLMs in the
background to answer the questions. There I think it's still noticeable
when people claim knowledge that they do not have. In offline
communication all bets are off.)
Kind regards
Philipp Kern
On 2024-12-19 05:13, Sean Whitton wrote:
> On Sun 15 Dec 2024 at 11:21pm +01, Philipp Kern wrote:
>> Or introduce some subtle bugs that get ironed out only when it sees
>> usage.
>
> Indeed, but this work can end up being very costly. A lot of knowledge
> might be built
e see in testing, if not unstable. That
would also not give you a version that has either feature parity or bug
freeness - unless you count keeping it installed locally on your
machines and never getting updates again.
Kind regards
Philipp Kern
s fine.)
Kind regards
Philipp Kern
? I.e. it would be legit for a program to output in
French or Chinese in the C.UTF-8 locale and have a translation to English?
Kind regards
Philipp Kern
d what a username is and think that it reflects
how someone wants to be called - as their default assumption.
Kind regards
Philipp Kern
PS: My personal, ignorant, Latin-world opinion is that it is probably
too hard for most people to type each others' usernames if UTF-8 were to
be allowed.
package built
previously (it might also have been miscompiled).
In enterprise environments the answer is pinning >= 1000. And keeping
packages simple enough that downgrades keep working.
I remember a couple of times where the Release team stepped in and
reverted maintainer actions that were unfortunately timed - which comes
with a large risk of conflict.
We have fared ok with the current approach, but it is not an environment
of "rollback first, ask questions later" - the overhead is high.
Kind regards
Philipp Kern
er to roll back. That is very heavyweight today. And that many
Debian services do not have appropriate staging environments is also a
problem - orthogonal to code review but related to testing practices.
Kind regards
Philipp Kern
n. Making builds something based off tasks
(e.g. in a pipeline) when a package is uploaded rather than diffing the
archive and trying to match the intent is something I would have wanted
to see for a long time.
Kind regards
Philipp Kern
too messy. But then that's a different ask
from a weak-depends, as well.
Kind regards
Philipp Kern
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
* Package name: yubikey-touch-detector
Version : 1.11.0-1
Upstream Author : Maxim Baz
* URL : https://github.com/maximbaz/yubikey-touch-detector
* License : ISC
Programming Lang: Go
Description
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
* Package name: golang-github-vtolstov-go-ioctl
Version : 0.0~git20151206.6be9cce-1
Upstream Author : Vasiliy Tolstov
* URL : https://github.com/vtolstov/go-ioctl
* License : MIT
Programming Lang: Go
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
* Package name: golang-github-esiqveland-notify
Version : 0.13.3-1
Upstream Author : Eivind Siqveland Larsen
* URL : https://github.com/esiqveland/notify
* License : BSD-3-clause
Programming Lang: Go
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
* Package name: wego
Version : 2.3-1
Upstream Author : Markus Teich
* URL : https://github.com/schachmat/wego
* License : ISC
Programming Lang: Go
Description : weather app for the terminal
wego is
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
* Package name: golang-github-schachmat-ingo
Version : 0.0~git20170403.a4bdc07-1
* URL : https://github.com/schachmat/ingo
* License : ISC
Programming Lang: Go
Description : persistent storage for
ying bit was the systemd service that was
still in a failed state even though the failure condition resolved
itself <1s later.
Kind regards
Philipp Kern
[1] https://www.agwa.name/blog/post/beware_the_ipv6_dad_race_condition
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705996
change.)
Kind regards
Philipp Kern
l give you the account name of the domain "owner".
What I'd suggest is a CNAME for _acme-challenge.storm instead of putting
TXT records into Debian LDAP.
Kind regards
Philipp Kern
On 7/17/24 2:15 PM, Brian Smith wrote:
Good luck with that. Getting my key signed was the most difficult part
of becoming a Debian Maintainer. I couldn't find anyone in Central Texas
to do so and finally got mine signed at SC18.
Key endorsements[1] exist these days.
Kind regards
Philipp
s not entirely surprising that the compiler then finds more
efficient ways to do operations using the new instructions, which will
then fail execution with invalid opcode.
I'm with Andrey that the bug should be reopened and RC'ed because this
is effectively producing a miscompilation
C or Debian bug) or example error message or a pointer to possible
miscompilation.
Kind regards
Philipp Kern
y
need to be in the archive to make a point.
Kind regards
Philipp Kern
s a marginal benefit if you execute the build outside of the
VM as well. But it'd shield us more from supply chain issues.
Kind regards
Philipp Kern
ts be owned by d-i is the common setup.
Kind regards
Philipp Kern
t that now is the appropriate
time to report those bugs).
I fixed libinfinity upstream - but would still need to make an upload.
It's quite ironic, given that all certs but one had an expiry around the
year 3000.
Kind regards
Philipp Kern
akes it less secure in my book.)
Kind regards
Philipp Kern
p). If you have stages because intermediate builds incorporate
bits of other packages and re-export them into build environments
(unlikely?) or if you need to shepherd a lot of failed builds and try to
debug what happened, then it becomes a lot more toilsome and
labor-intensive.
Kind regards
Philipp Kern
otocol and bump its version. ssh-h3?
Both the paper and the project are very new - so there should not be
that many things referring to it yet.
Kind regards
Philipp Kern
Package: wnpp
Severity: wishlist
Owner: Philipp Kern
X-Debbugs-Cc: debian-devel@lists.debian.org, pk...@debian.org
* Package name: nsncd
Version : 1.4.1 (plus patches[1])
* URL : https://github.com/twosigma/nsncd
* License : Apache 2.0
Programming Lang: Rust
redirected to d-d and not posted
to d-d-a.
Kind regards
Philipp Kern
way with multiple conflicting systems to put configuration in and how we
merge the files when updates are installed. There would need to be some
deeper primitives to make this happen.
Kind regards
Philipp Kern
aries. I remember openssh installing a syscall filter for its auth
binary and then it failed with certain PAM modules (see also your
allow_ypbind example). So we should also not be too limiting when
sandboxing daemons.
Kind regards
Philipp Kern
is too short to manually provision IP addresses on servers.
Kind regards
Philipp Kern
ractice[1].
Ubuntu^WCanonical has been doing its own development in this space as
well with netplan. Ubuntu will continue to do its own fixes to glue
things together.
Kind regards
Philipp Kern
[1] With notable exceptions like doko maintaining the toolchain - and
I'm sure I'm not crediting e
s
accurately on real hardware.
Kind regards
Philipp Kern
r dak to temporarily export that component
into both its own and non-free proper. That'd decouple the migration on
the user side.
Kind regards
Philipp Kern
c64el-porterbox*
# requesting: uid
#
# jwilk, users, debian.org
dn: uid=jwilk,ou=users,dc=debian,dc=org
uid: jwilk
Kind regards
Philipp Kern
either. It does pick a winner manually in the resolver
and it looks random (or rather in "apt showpkg" order). But it's not
like it didn't work.
Kind regards
Philipp Kern
[1]
https://www.debian.org/doc/debian-policy/ch-relationships.html#virtual-packages-provides
's more flexible by design - to get newer versions from experimental
if necessary.
Kind regards
Philipp Kern
[1] This might require an overall agreement across Debian at times. But
that seems to be more relevant for dependencies than build-dependencies.
ghtly
different HTTP header.
If there are API clients talking to it, it might be slightly more
involved to set up - but it's not like other people haven't had to deal
with getting OIDC tokens for various APIs before. :)
Kind regards
Philipp Kern
rprising" (less surprising?) is
obviously false. "No change" is always less surprising than any change,
whatever the rationale is.
It can also be unsurprising from an end-user's perspective. For someone
new to the system. So that line of argument does not really hold.
Kind regards
Philipp Kern
nt of ancient server-side
implementations when the right kinds of switches are passed to it (e.g.
KexAlgorithms and HostKeyAlgorithms). I have yet to be unable to
actually connect to a target - even if it means fiddling increasingly
with flags.
Kind regards
Philipp Kern
at they are
doing[1]. I just fear that it won't actually solve your denylisting
problem at hand. People will keep not specifying it. Can't popcon go and
just accept reports for packages in the archive somehow?
Kind regards
Philipp Kern
[1] Although most might disable popcon anyway.
ent. FAI's setup-storage is obviously better. But good
riddance to the lack of sensible debugging of the shell script horror
story that is the existing system. :)
Kind regards
Philipp Kern
ions. That's inherent to the design. If
you want more guarantees, you need to move from discretionary access
control (based on the identity at the time of process (tree) creation)
to mandatory access control (e.g. SELinux).
Kind regards
Philipp Kern
to use in
the future.
Kind regards
Philipp Kern
[1] https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
some (somewhat insecure)
defense in depth if we wanted to, but maybe the world just agreed that
you need to get your clock roughly correct. ;-)
Kind regards
Philipp Kern
.
Except for the security archive, where https can prevent a
man-in-the-middle from serving you outdated information and thus deprive
you from updates.
For a week until Valid-Until expires. Note that the denial of service
equally works for HTTPS, it's just more noisy.
Kind regards
Philipp Kern
On 2021-08-12 17:56, Marc Haber wrote:
On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern
wrote:
On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master then it's not
privilege escalation but much more something like another
man
every
one fighting for themselves.
Now of course there's value in people having this knowledge and
companies should recognize this value. But from communication and
awareness we learn, no?
Kind regards
Philipp Kern
[1] E.g. thinking of https://debian-handbook.info/browse/stable/
t feels like a different, more
general problem.
Kind regards
Philipp Kern
e with NEW
processing for both for the maintainer and to the FTP team.
I do recall that the FTP masters would've been generally open to have
such an auto-approver (but maybe I'm wrong), but that no-one stepped up
yet to code it up?
Kind regards
Philipp Kern
ing a vote
process and be obstructionist than it is to upload a compromised
package. :)
Kind regards
Philipp Kern
on in that case (4.2.2.5).
A single person being able to block consensus of basically everyone else
feels like opening up the process to unconstructive behavior.
Kind regards
Philipp Kern
s are
introduced by blindly updating debhelper compat levels - staying
at a deprecated compat level is better than a not properly tested
compat bump.
To be fair: You can assert statically if the compat bump did not
introduce any changes (by compiling twice).
Kind regards
Philipp Kern
nt of view. But I don't think it
makes a strong case for availability of libre firmware for wifi cards.
Especially if you care about spectral efficiency, i.e. using a shared
medium efficiently.
Kind regards
Philipp Kern
[1]
https://libreplanet.org/wiki/LinuxLibre:Devices_that_require_non-free_firmware
at the question here is. You get NAT. You even get NAT to
your WiFi - i.e. you can use it as a glorified USB WiFi device (at least
with Android). I have successfully either fixed or installed Debian
through a cell phone in the past because there was no other way at hand.
Kind regards
Philipp Kern
rmware in non-free, of course, as it needs to be signed
for the most common DSPs - and cannot be rebuilt reproducibly. I guess
we are not the target here either but instead it's for vendors basing
their firmware on one common architecture. So even when we get close, we
don't seem to get all the way. :(
Kind regards
Philipp Kern
the buildd network it is also still an unsolved question how to allow
build-depending on a (small, allowlisted) subset of non-free.
Kind regards
Philipp Kern
a delta scheme
might only make that worse.
Kind regards
Philipp Kern
[1] https://cor3ntin.github.io/posts/abi/
an
> maintainers.
Given the whole source code trust story it'd be better if dak were to do
it by itself rather than relying on an external service to do it.
(Or we make it culturally allowed to do it using client-side tooling, as
long as it is a no-change-but-debian/changelog upload.)
Kind
sible for someone who
> *only* uses main to download the source, install the build dependencies,
> and successfully build the package themselves. Doing *that* must not
> require anything outside of main.
Somewhat ironically not depending on anything but main is also true for
non-free and contrib. (At least when you want it to be built by the
official builders.)
Kind regards
Philipp Kern
rather than not using it) - but they are free to reactivate it. It
>> feels like just checking for @debian.org is good enough, IMO.
>
> Well, DMs don't have debian.org email addresses.
Sure, but I'd expect that state to be temporary, no?
Kind regards
Philipp Kern
ate in the first place? Everyone
who got access to a debian.org email address has been an OSS contributor
of sorts. Which leaves those who opted out of the email address entirely
(rather than not using it) - but they are free to reactivate it. It
feels like just checking for @debian.org is good enough, IMO.
Kind regards
Philipp Kern
l, it looks like GNU which was last updated in 2015 (both tarball and
CVS) and despite GNU redirecting to a github.io page it doesn't look
like there is any more up-to-date repository of it either. So I'm not
sure if maintenance is a great argument here. Although I will note that
Archlinux does not actually patch it.
Kind regards
Philipp Kern
Package: wnpp
Severity: normal
I intend to orphan the icon-naming-utils package.
Last upstream release was 11 years ago. There is effectively no churn in
this package. It is also a required build dependency for a bunch of icon
themes:
# Broken Build-Depends:
extra-xdg-menus: icon-naming-utils
gn
owners have to do this today for good reasons. That pushes the cost
elsewhere of course. On the other hand it's not the worst idea to
require signatures on all commits instead.
Kind regards
Philipp Kern
ts that.
I mean I don't want to suggest that buying hardware is required, but
that's literally what they were designed for. Automatically dealing with
origin information sanely and then a touch signs you in. OTPs are as
phishable as passwords.
Kind regards
Philipp Kern
to look at potential whitelisting code, but I think last time
someone tried a big refactoring and introduction of tests was required
of them prior to the contribution - which is a high bar after getting
dak to run properly for development purposes first.)
Kind regards
Philipp Kern
re, for which allowlist and rejectlist are
terms that actually describe what is happening in most contexts.
Of course communities also build up some slang to see who is "in" the
group and who is "out". But it actually makes things more accessible to
others if you describe things as they are.
Kind regards
Philipp Kern
that journalctl's (and also
systemctl status') performance reading journal files is still pretty
awful on spinning rust[1]. At times this makes me go to text logs
instead because slicing the files using tail and grep is much, much
faster.
Kind regards
Philipp Kern
[1] I think this
oice for *periodic jobs* that we
should document as the default unless there is a reason to use something
else. It does not need to be cron, though.
Kind regards
Philipp Kern
voted and if
those people are the most active in the project. But I don't think that
this is a particularly useful distinction. For the best we know the others
did not care enough to vote (or were unable to for technical reasons)
and were thus ok with any outcome. Also we welcome people to join the
proj
be the correct solution for
consistent versioning across all architectures. Ubuntu exclusively does
those and I still struggle how we would build such a service in Debian
without facing exactly the same concerns as tag2upload. Maybe if dak
itself would do it?
Kind regards
Philipp Kern
On 2019-10-07 13:43, Johannes Schauer wrote:
Quoting Philipp Kern (2019-10-07 13:21:36)
On 10/7/2019 1:17 PM, Shengjing Zhu wrote:
> On Mon, Oct 7, 2019 at 6:29 PM Simon McVittie wrote:
>> On Mon, 07 Oct 2019 at 07:22:53 +0200, Johannes Schauer wrote:
>>> Specifically, curren
ke bootstrapping faster rather
than trusting random binaries on the internet. (Unless we grow an
"assemble an image from debs" service on, say, ftp-master.)
Kind regards
Philipp Kern
s probably worth pointing out that Firefox's use of Cloudflare's DoH
endpoint is governed by a different policy outlined here:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/
Per that policy, other third parties can only get the data with
Mozilla's written permissions. And APNIC (or any other third party) is
not mentioned.
Kind regards
Philipp Kern
ould be. Some can be addressed through wrapper scripts,
but then it's odd to anyone familiar with Debian.
Obviously I'm not bound to that format being "3.0 (native)" but some
"3.0 (dumb)" that just tars up the whole tree without caring about the
version scheme would then be nice to have as a replacement. ;-)
Kind regards
Philipp Kern
e
sysv generator as well as daemon options not being sufficiently tightly
specced out in native unit files. After all, you do want to give daemons
some time to stop. But at least with systemd you know when the process
has exited.
Also I mostly saw this taking a long time around deactivation of devices
(swap, crypto). (Although I question why you'd disable swap given the
consequence of getting everything back in, but alas.)
Kind regards
Philipp Kern
d you can deny service
startup, which is also what the builders do.
Kind regards
Philipp Kern
e pinned systemd-sysv to
> -100 to avoid repeating the last unfortunate incident where I had to drive
> to the colo facility.
You want dbus-x11 instead of dbus-user-session then, I think.
Kind regards
Philipp Kern
ey have set for themselves.
Kind regards
Philipp Kern
d, but that
might not be universally accepted, I guess.
Kind regards
Philipp Kern
On 2019-08-07 18:51, Jeremy Stanley wrote:
On 2019-08-07 10:19:00 +0200 (+0200), Marc Haber wrote:
On Mon, 05 Aug 2019 22:29:41 +0200, Philipp Kern wrote:
[...]
> I'd still expect a Cloud/Compute provider to offer default
> images in any case that could be preconfigured appropria
On 2019-08-06 13:43, Bill Allombert wrote:
On Mon, Aug 05, 2019 at 10:29:41PM +0200, Philipp Kern wrote:
And finally, the load spikes: Upthread it was mentioned that
RandomizedDelaySec exists. Generally this should be sufficient to even
out
such effects. I understand that there is a case
gize that I think of this in terms of systemd primitives. But the
tool was written for a reason and a lot of thought went into it.
Kind regards
Philipp Kern
the logs.
Obviously, I don't think it is a good idea to break this for
non-systemd users because of difficulties making it work properly
with systemd. Perhaps I have misunderstood you ?
To be honest, that's something that the compatibility/init diversity
folks then need to figure out.
Kind regards
Philipp Kern
ks
except sometimes when the filters need to be adjusted. And as you can
see Gentoo deals with that just fine and we could accept some breakage
in unstable too, as long as the migration of the breaking library is
stopped until the fix for the dependencies is in.
Kind regards
Philipp Kern
one
rather than its main process. But it's also not doing the environment
cleanup AFAICS.
Kind regards and thanks for making all of us more secure! :)
Philipp Kern
ally that would have been solved by
InRelease...
Kind regards
Philipp Kern
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926035
InRelease files (not to mention that it doubles the
traffic for no-change cases), I'm surprised they aren't using InRelease
files yet.
Given the timeline, shouldn't we also get oldstable to ship an InRelease
file?
Kind regards
Philipp Kern