Bug#714134: ITP: python-django-discover-runner -- alternative Django test runner

2013-06-25 Thread Thomas Goirand
Package: wnpp Severity: wishlist Owner: Thomas Goirand * Package name: python-django-discover-runner Version : 1.0 Upstream Author : Jannis Leidel * URL : https://pypi.python.org/pypi/django-discover-runner * License : BSD Programming Lang: Python Descript

Re: download of source packages alarmed clamav

2013-06-25 Thread Scott Kitterman
On Tuesday, June 25, 2013 11:06:26 PM Russ Allbery wrote: > Joey Hess writes: > > So, the tarball could be fixed to rot-13 the virus files stored in it, > > and re-rotate them when the test suite is run. (If virus scanners > > perhaps try rot-13, then instead encrypt the viruses with a key include

Re: download of source packages alarmed clamav

2013-06-25 Thread Russ Allbery
Joey Hess writes: > So, the tarball could be fixed to rot-13 the virus files stored in it, > and re-rotate them when the test suite is run. (If virus scanners > perhaps try rot-13, then instead encrypt the viruses with a key included > in the source package, but that's probably overkill.) That's

Re: download of source packages alarmed clamav

2013-06-25 Thread Joey Hess
Russ Allbery wrote: > Given that the whole point of those files is to test clamav, I would hope > that they would trigger clamav's detection. If not, that would be a bug > in clamav, no? However, the point of the pymilter source package is not to test clamav, it's to distribute the source to pymi

Re: Python 3.3 Status?

2013-06-25 Thread Scott Kitterman
On Tuesday, June 25, 2013 07:59:03 PM Nikolaus Rath wrote: > Hi, > > I'm a bit confused about the current status of Python 3.3. If I'm not > mistaken, python3.3 is available in unstable, but not included in the > py3versions output, so none of the packaged python3-* extension modules > include .so

Python 3.3 Status?

2013-06-25 Thread Nikolaus Rath
Hi, I'm a bit confused about the current status of Python 3.3. If I'm not mistaken, python3.3 is available in unstable, but not included in the py3versions output, so none of the packaged python3-* extension modules include .so's for Python 3.3. Can someone tell me if that's deliberate or acciden

Re: download of source packages alarmed clamav

2013-06-25 Thread Chow Loong Jin
On Tue, Jun 25, 2013 at 11:04:40AM -0700, Austin English wrote: > [...] > FYI, some Windows viruses work under Wine (which can do whatever your > normal user can do, unless you're using AppArmor or something similar > to restrict it). That's not entirely true -- a Windows-based keylogger wouldn't

Hope to use ticket system for maintaining/requesting cdn.debian.net

2013-06-25 Thread Yasuhiro Araki
Hi all, I am developing and operating cdn.debian.net. I would like to discuss using the ticket system for maintaining cdn.debian.net. I think BTS and/or github are the best way. Could you show your idea? 1) BTS of debian: It is a better way of tracking by debian way. However, cdn.debian.net

Bug#714120: ITP: libjs-chosen -- select box enhancer for jQuery and Prototype

2013-06-25 Thread David Prévot
Package: wnpp Severity: wishlist Owner: David Prévot * Package name: libjs-chosen Version : 0.9.11 Upstream Author : Patrick Filler * URL : http://harvesthq.github.io/chosen/ * License : Expat Programming Lang: JavaScript Descript

Bug#714118: ITP: php-composer -- Dependency Manager for PHP

2013-06-25 Thread ar
Package: wnpp Severity: wishlist Owner: ar * Package name: php-composer Version : 1.0.0-alpha7 Upstream Author : Nils Adermann , Jordi Boggiano * URL : http://getcomposer.org/ * License : MIT Programming Lang: PHP Description : Dependency Manager for

Re: Reporting 1.2K crashes

2013-06-25 Thread Alexandre Rebert
Hi, > I understand. But two weeks might be a bit too short for the majority > of those crashes. Many upstream authors don't get paid for working on > their software. I first want to clarify the purpose of the two-week delay to make sure we are on the same page. We do not expect upstream developers

Re: Reporting 1.2K crashes

2013-06-25 Thread Marc Haber
On Tue, 25 Jun 2013 11:46:04 -0700, Russ Allbery wrote: >Marc Haber writes: > >> Will you also check Debian unstable? It is much easier to have a package >> in unstable fixed, and I suspect that not every crash you find will be a >> security relevant one. > >I suspect most of them won't be, actua

Re: Reporting 1.2K crashes

2013-06-25 Thread Marc Haber
On Tue, 25 Jun 2013 14:06:42 -0400, Alexandre Rebert wrote: >On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber > wrote: >> Additionally, I guess that the vast majority of crashes you have found >> will be upstream bugs which the Debian maintainer would have to >> forward upstream. Will you take efforts

Bug#714110: ITP: python-memprof -- memory profiler for Python

2013-06-25 Thread Javi Merino
Package: wnpp Severity: wishlist Owner: Javi Merino * Package name: python-memprof Version : 0.2.2 Upstream Author : Jose M. Dana * URL : http://jmdana.github.io/memprof/ * License : GPLv3 Programming Lang: Python Description : memory profiler for Pyth

Re: Reporting 1.2K crashes

2013-06-25 Thread Tollef Fog Heen
]] Alexandre Rebert > Hi, > > Thanks for all the feedback and comments. I tried to address all of them below. > > > The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually > > needed? I'd prefer something that doesn't need something like that, > > since being able to crash apps if you

Re: Reporting 1.2K crashes

2013-06-25 Thread Pau Garcia i Quiles
Hello, Is it possible to use/download Mayhem from somewhere? On Tue, Jun 25, 2013 at 7:28 AM, Alexandre Rebert < alexandre.reb...@gmail.com> wrote: > We found the bugs using Mayhem [1], an automatic bug finding system > that we've been developing in David Brumley's research lab for a > couple of

Re: download of source packages alarmed clamav

2013-06-25 Thread Jakub Wilk
* Scott Kitterman , 2013-06-25, 08:04: These are real-life viruses that should not be distributed using Debian's FTP server (IMHO). This comes up periodically. They aren't real. I hope so! Do we even have any real viruses that are DFSG-free? -- Jakub Wilk

Re: Reporting 1.2K crashes

2013-06-25 Thread Dmitrijs Ledkovs
On 25 June 2013 19:21, Alexandre Rebert wrote: > Hi, > > On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs > wrote: >> From Ubuntu point of view, we'd also be interested in a similar >> analysis. Unlike Debian we provide automatically generated packages >> with debug symbols. >> Similar to debian

Re: Reporting 1.2K crashes

2013-06-25 Thread Russ Allbery
Marc Haber writes: > Will you also check Debian unstable? It is much easier to have a package > in unstable fixed, and I suspect that not every crash you find will be a > security relevant one. I suspect most of them won't be, actually, or at least will be difficult to exploit. A lot of command

Re: download of source packages alarmed clamav

2013-06-25 Thread Russ Allbery
Darac Marjal writes: > On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote: >>> These are real-life viruses that should not be distributed using >>> Debian's FTP server (IMHO). >> This comes up periodically. They aren't real. > It would appear they're real enough to trigger clamav's

Re: Reporting 1.2K crashes

2013-06-25 Thread Alexandre Rebert
Hi, On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs wrote: > From Ubuntu point of view, we'd also be interested in a similar > analysis. Unlike Debian we provide automatically generated packages > with debug symbols. > Similar to debian, we would be most interested for development series to > be t

Re: download of source packages alarmed clamav

2013-06-25 Thread Peter Samuelson
> On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote: > > This comes up periodically. They aren't real. [Darac Marjal] > It would appear they're real enough to trigger clamav's detection, > which was the problem the OP was having. Yes. It is not really a fixable problem. The test

Re: Hardening Flags for sg3-utils

2013-06-25 Thread Ritesh Raj Sarraf
On Tuesday 25 June 2013 09:47 PM, Nick Andrik wrote: > Would it be that you need this? > > DPKG_EXPORT_BUILDFLAGS = 1 > include /usr/share/dpkg/buildflags.mk > > -- > =Do- > N.AND > Don't know what was wrong. Maybe just the lack of sleep. Your suggestion works. Thank you. -- Ritesh Raj Sarraf |

Re: Reporting 1.2K crashes

2013-06-25 Thread Alexandre Rebert
Hi, On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber wrote: > Will you also check Debian unstable? It is much easier to have a > package in unstable fixed, and I suspect that not every crash you find > will be a security relevant one. We actually already did :) We re-ran all the crashes on debian un

Re: download of source packages alarmed clamav

2013-06-25 Thread Austin English
On Tue, Jun 25, 2013 at 5:05 AM, Scott Kitterman wrote: > > > Marius Gavrilescu wrote: > >>On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote: >>> These are real-life viruses that should not be distributed >>> using Debian's FTP server (IMHO). >> >>Even if they were real, they would be

Re: Reporting 1.2K crashes

2013-06-25 Thread Alexandre Rebert
> Without diminishing the value of bugreports against our stable release, > I would be more interested in such reports against the software material > for our future stable; aka software from unstable; did you have such > plans in mind? That's a good point that has been raised by other people as w

Re: Reporting 1.2K crashes

2013-06-25 Thread Didier 'OdyX' Raboud
Hi On Tuesday, 25 June 2013 07.28:10, Alexandre Rebert wrote: > I am a security researcher at Carnegie Mellon University, and my team > has found thousands of crashes in binaries downloaded from debian > wheezy packages. After contacting ow...@bugs.debian.org, Don > Armstrong advised us to contac

Re: Hardening Flags for sg3-utils

2013-06-25 Thread Steve Langasek
On Tue, Jun 25, 2013 at 09:40:33PM +0530, Ritesh Raj Sarraf wrote: > Following the Hardening wiki, I have build-dep the hardening-includes > package and enabled the hardening flags as follows : > If I bump the debhelper version to > 9, I do see the correct build flags. So, why don't you just do

Re: Reporting 1.2K crashes

2013-06-25 Thread Lisandro Damián Nicanor Pérez Meyer
On Tuesday 25 June 2013 10:54:21 Alexandre Rebert wrote: > Hi, [snip] > > Would it be possible to initially publish all the bug reports on your > > web site under some random URL and then mail that to the maintainer > > with a clearly indicated date when they will be made public? > > Good point. I

Re: Hardening Flags for sg3-utils

2013-06-25 Thread Nick Andrik
Or probably this section for older debhelper: http://wiki.debian.org/HardeningWalkthrough#Older_debhelper -- =Do- N.AND

Re: Hardening Flags for sg3-utils

2013-06-25 Thread Nick Andrik
Would it be that you need this? DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -- =Do- N.AND 2013/6/25 Ritesh Raj Sarraf : > Hi, > > Following the Hardening wiki, I have build-dep the hardening-includes > package and enabled the hardening flags as follows : > > rrs@zan:/var/tm

Hardening Flags for sg3-utils

2013-06-25 Thread Ritesh Raj Sarraf
Hi, Following the Hardening wiki, I have build-dep the hardening-includes package and enabled the hardening flags as follows : rrs@zan:/var/tmp/sg3-utils (build)$ cat debian/rules #!/usr/bin/make -f # debian/rules file for the sg3-utils package # This has to be exported to make some magic below

Re: Reporting 1.2K crashes

2013-06-25 Thread Marc Haber
On Tue, 25 Jun 2013 01:28:10 -0400, Alexandre Rebert wrote: >I am a security researcher at Carnegie Mellon University, and my team >has found thousands of crashes in binaries downloaded from debian >wheezy packages. After contacting ow...@bugs.debian.org, Don Armstrong >advised us to contact you b

Re: Reporting 1.2K crashes

2013-06-25 Thread Paul Wise
On Tue, Jun 25, 2013 at 10:54 PM, Alexandre Rebert wrote: > The reports are not public yet. Since you are a developer included in > dd-list, we will send you an email containing the crash information > for the programs you are developing. You will receive the email 1 week > before the crash is sub

Re: Reporting 1.2K crashes

2013-06-25 Thread Michael Tautschnig
Hi Alexandre, (Just replying regarding the point I had raised.) [...] > > Can one also access, even before you go and file bugs, information for other > > packages? I cannot actually find any reports for the package listed in the > > dd-list under my name in your Packages, Runs, nor Programs page

Re: Reporting 1.2K crashes

2013-06-25 Thread Alexandre Rebert
Hi, Thanks for all the feedback and comments. I tried to address all of them below. > The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually > needed? I'd prefer something that doesn't need something like that, > since being able to crash apps if you load a broken library isn't very >

Bug#714076: ITP: core -- intuitive network emulator that interacts with real nets

2013-06-25 Thread Joao Eriberto Mota Filho
Package: wnpp Severity: wishlist Owner: Joao Eriberto Mota Filho * Package name: core Version : 4.6 Upstream Author : Boeing Company, by Jeffrey M. Ahrenholz * URL : http://cs.itd.nrl.navy.mil/work/core * License : Simplified BSD Programming Lang: C, C++, P

Re: download of source packages alarmed clamav

2013-06-25 Thread Darac Marjal
On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote: > > > Harald Dunkel wrote: > > >On Tue, 25 Jun 2013 10:54:53 +0300 > >Marius Gavrilescu wrote: > > > >> On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote: > >> > It's not a warning. The download failed. > >> > >> Yes,

Re: download of source packages alarmed clamav

2013-06-25 Thread Scott Kitterman
Marius Gavrilescu wrote: >On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote: >> These are real-life viruses that should not be distributed >> using Debian's FTP server (IMHO). > >Even if they were real, they would be "real-life" MS Windows viruses in >emails in a debian package. Fo

Re: download of source packages alarmed clamav

2013-06-25 Thread Scott Kitterman
Harald Dunkel wrote: >On Tue, 25 Jun 2013 10:54:53 +0300 >Marius Gavrilescu wrote: > >> On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote: >> > It's not a warning. The download failed. >> >> Yes, I should have said failure. Anyway, the probable cause >> is the existence of emails w

Bug#714062: ITP: libstring-compare-constanttime-perl -- module for protecting string comparison from timing attacks

2013-06-25 Thread Alexandre Mestiashvili
Package: wnpp Severity: wishlist Owner: Alexandre Mestiashvili * Package name: libstring-compare-constanttime-perl Version : 0.300 Upstream Author : Doug Hoyte * URL : https://metacpan.org/module/String::Compare::ConstantTime * License : Artistic or GPL-1 Pro

Bug#714058: ITP: cc65 -- Cross compiler and toolchain for 6502-based systems

2013-06-25 Thread John Paul Adrian Glaubitz
Package: wnpp Severity: wishlist Owner: John Paul Adrian Glaubitz * Package name: cc65 Version : 2.13.3 Upstream Author : Ullrich von Bassewitz * URL : http://www.cc65.org/ * License : zlib and non-free Programming Lang: C Description : Cross compiler

Re: download of source packages alarmed clamav

2013-06-25 Thread Harald Dunkel
On Tue, 25 Jun 2013 10:54:53 +0300 Marius Gavrilescu wrote: > On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote: > > It's not a warning. The download failed. > > Yes, I should have said failure. Anyway, the probable cause > is the existence of emails with viruses as tests in the packa

Re: download of source packages alarmed clamav

2013-06-25 Thread Marius Gavrilescu
On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote: > These are real-life viruses that should not be distributed > using Debian's FTP server (IMHO). Even if they were real, they would be "real-life" MS Windows viruses in emails in a debian package. For someone to get "infected" they wo

Re: download of source packages alarmed clamav

2013-06-25 Thread Harald Dunkel
On Tue, 25 Jun 2013 10:46:23 +0300 Marius Gavrilescu wrote: > > That package contains a directory named test/ with emails with spam, viruses > and similar. This might have caused the clamav warning. > It's not a warning. The download failed. Regards Harri

Re: download of source packages alarmed clamav

2013-06-25 Thread Marius Gavrilescu
On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote: > It's not a warning. The download failed. Yes, I should have said failure. Anyway, the probable cause is the existence of emails with viruses as tests in the package. -- Marius Gavrilescu

Re: download of source packages alarmed clamav

2013-06-25 Thread Marius Gavrilescu
Forgot to list-reply. On Tue, Jun 25, 2013 at 08:47:56AM +0200, Harald Dunkel wrote: > I doubt that sending a virus complies to the DFSG, so the question > is whether these source packages have been compromised? That package contains a directory named test/ with emails with spam, viruses and simi

Re: download of source packages alarmed clamav

2013-06-25 Thread Timo Juhani Lindfors
Harald Dunkel writes: > I doubt that sending a virus complies to the DFSG, so the question > is whether these source packages have been compromised? The test/ directory in pymilter_0.9.3.orig.tar.gz contains some sample viruses on purpose. I can't comment on other source packages since you didn't

download of source packages alarmed clamav

2013-06-25 Thread Harald Dunkel
Hi folks, I am running a transparent http proxy integrated with clamav. Problem: If I run "apt-get source pymilter", then I get # apt-get source pymilter Reading package lists... Done Building dependency tree Reading state information... Done NOTICE: 'pymilter' packaging is maintained in the 'Svn

Re: vision: easily move all my data and config to a new machine

2013-06-25 Thread Helmut Grohne
On Sun, Jun 23, 2013 at 09:28:07PM +0100, Philip Hands wrote: > If etckeeper were to check in the unmodified versions of the packaged > conffiles in a branch called 'dpkg-dist' (or whatever) then it would be > trivial to do a diff. > > Presumably it would be possible to do this in one of the hook