Hi
The GitLab on salsa.debian.org identifies itself as 16.1.5. This
version is way outside of the three month security support schedule.
Upstream supports the latest three versions (so currently 16.6, 16.5 and
16.4) at any one time.[1]
So right now we are running a mission critical service
On Tue, Oct 18, 2022 at 07:25:39AM -0700, Russ Allbery wrote:
> This is probably my security brain from my day job, but I would prefer to
> be able to drop permissions that I'm not currently using, as long as I can
> get them back easily. It reduces the blast radius of mistakes and
> compromises.
Hi Adrian
On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
> Out of curiosity I started looking at various aspects of GDPR
> compliance in Debian, and what I saw in the Privacy Policy[2] made me
> worry that the lawyer has not yet been involved enough in ensuring that
> privacy in
On Tue, Sep 28, 2021 at 08:37:15PM +0530, Manoj Singh wrote:
> For FIPS(federal information processing standards), required all python
> code in bytecode format(.pyc) instead of plain source .py.
All Python source is compiled into bytecode during installation.
Bastian
--
We have found all life
Hi Jonathan
On Mon, Aug 31, 2020 at 06:21:10PM +0200, Jonathan Carter wrote:
> * Have accounts with the major hosting providers so that
> they can also create new instances whenever there's a
> new request from a developer
I opened an issue for the AWS side of that:
Hi Steve
On Sun, Nov 29, 2020 at 03:53:24PM +, Steve McIntyre wrote:
> Have people been pushing the other way - to remove the suffix? Just
> curious.
That was me. It's because of the maintenance overhead. That name
restriction isn't a feature of upstream GitLab. It requires to function
-
Hi Jonathan
On Mon, Aug 31, 2020 at 06:21:10PM +0200, Jonathan Carter wrote:
> The services ran under the debian.net domain are typically run by
> individual Debian Developers or small teams, and range from a toy
> service to something that's short lived or even a service that's even
> considered
Hi
On Wed, Jul 08, 2020 at 06:23:23PM +0200, Geert Stappers wrote:
> Please let us know what you choose ( IRC , dummy account or friend )
> Letting us know "fixed" is also fine.
It's fixed now. I also tried to document the problem in question:
Hi Luca
On Wed, Apr 08, 2020 at 03:18:58PM +, Luca Filipozzi wrote:
> > - Salsa, how should it work together.
> Gitlab can use OIDC as an OmniAuth provider.
And here the problems begin.
Sure, just using it as OmniAuth provider works. But this only provides
authentication.
But, as Sam
Hi Zhu
On Wed, Apr 08, 2020 at 07:50:22PM +0800, Shengjing Zhu wrote:
> 1. Can you still keep the "-guest" enforcement, so it's still easy to
> recognize who is DD or not on salsa?
No. The guest suffix was meant to avoid collisions with Debian
accounts. And the tool used to enforce it is
Hi Paul
On Tue, Apr 07, 2020 at 03:20:52PM +, Paul Wise wrote:
> It sounds like the answer is no, but does Salsa, Keycloak or
> LemonLDAP::NG support TLS client certs?
No, Salsa does not support TLS client certs.
> So it sounds like Debian would be switching our SSO authentication
>
Hi Luca
On Mon, Apr 06, 2020 at 04:09:38PM +, Luca Filipozzi wrote:
> That said, please consider an approach that would see keycloak used as
> an identity broker, allowing external users to create accounts using
> social identities that are then promoted to full Debian identities (in
> LDAP)
Dear Debian fellows
Enrico (for NM and sso.debian.org) and I (for Salsa) intend to implement the
following plan. At the same time we declare the following services as EOL:
- sso.debian.org and
- parts of the Salsa self service interface.
We asked DPL, NM, DSA and the Salsa admins already for
Hi Matthew
On Sun, Dec 29, 2019 at 04:59:27AM +, Matthew Garrett wrote:
> Just in case anyone's wondering - I checked with Mary-Anne Wolf (who I
> met at Libreplanet some years ago) and she didn't send this mail.
> Someone faked her identity.
This mail was sent via the same way as the
Hi Michael
On Tue, Oct 08, 2019 at 04:41:41PM +0200, Bastian Blank wrote:
> > - GitHub takes efforts to provide root cause analysis & lessons learned
We are all volunteers, which is not the case for GitHub employees. So
thank you for volunteering to help the Salsa admins with com
Hi Michael
On Tue, Oct 08, 2019 at 02:49:32AM -0500, Michael Lustfield wrote:
> - It's significantly more stable
> + I've seen "GitLab is not responding" more times than I can keep track of
> + I've also seen a large number of 500 and 504 errors (at least 1x/wk)
We have around 0,1% failure
Hi folks
A small update on the current state.
On Fri, Jul 05, 2019 at 11:12:53AM +0200, Bastian Blank wrote:
> For AWS this change could not be finished in time for the Buster
> release. We have contracts and accounts ready. However Amazon did not
> yet manage to associate this
On Tue, Jul 23, 2019 at 11:59:59PM +0200, Adam Borowski wrote:
> Big fat enormous NO! gbp is a workaround for the biggest evil in our
> packaging: quilt. Watching pro-git-only talks on the Debconf, I got the
> impression that if we dropped the VCS-in-VCS approach, there'd be no need
> for most
On Wed, Jul 24, 2019 at 01:46:36AM +0200, Thomas Goirand wrote:
> On 7/23/19 11:59 PM, Adam Borowski wrote:
> > Big fat enormous NO! gbp is a workaround for the biggest evil in our
> > packaging: quilt. Watching pro-git-only talks on the Debconf, I got the
> > impression that if we dropped the
Hi folks
I would like to share with you the state of our new cloud provider
relations and accounts for Debian.
At the last cloud team sprint, we decided to switch how we want to
handle contractual relations with cloud providers. In the past they
were either held by individuals (for AWS) or
On Tue, Mar 19, 2019 at 10:50:04PM +0100, Gilles Filippini wrote:
> Are these incompatible changes from security updates advertised somewhere?
>
> On a related matter we've just experienced at $work a scientific
> software breakage after a recent jessie security upgrade.
Jessie does not longer
On Thu, Apr 14, 2016 at 09:02:18AM +, Peter Palfrader wrote:
> You could argue (and I have), that that file-based redirects are not
> ideal if your update is downloading lots of little files. The latency
> hit of many redirects is non-trivial.
My last test showed problems with httpredir
On Tue, Feb 04, 2014 at 10:15:42PM +0100, Daniel Pocock wrote:
I'm just wondering if people have further feedback about the Debian SIP
service
I was not able to get it work with telepathy from Jessie. It always
aborts the TLS connection with an Unknown CA alert (and does not
inform the user
On Sun, Oct 20, 2013 at 05:41:39PM +0200, Lucas Nussbaum wrote:
B. Powerful machine for d-i development (expected cost: 1.5k-2k EUR?)
=
The estimation is a bit too large for a decent desktop machine.
1. performing more
[Cc ignored]
On Tue, Mar 26, 2013 at 01:32:34PM -0400, Paul Tagliamonte wrote:
Anyone play with the linux-libre[1] project?
They are fanatic.
Does the kernel team know
about this stuff?
Yes. See #484365.
It seems like we're
On Sun, May 22, 2011 at 01:02:23PM +0800, Thomas Goirand wrote:
And here's my follow-up with some of the answers:
On 05/21/2011 08:00 PM, Bastian Blank wrote:
You realize that you just leaked d-private without asking first?
They can already declare Debian a supported system. They have to do
On Wed, Jul 14, 2010 at 02:16:59PM +, Clint Adams wrote:
I'd like the people in the buildd-admins-are-doing-the-right-thing
camp to describe the ideal workflow for solving architecture-specific
issues with the ksh[0] package.
[0] https://buildd.debian.org/pkg.cgi?pkg=ksh
The maintainer
On Fri, Jul 03, 2009 at 10:28:24AM +0200, Goswin von Brederlow wrote:
Last I heard s390 planned to drop 31bit support and go fully 64bit.
This was the plan. However I don't know if it is the best solution. The
fact is: only Debian and SuSE still support a complete 31bit userland.
RHEL is
On Sat, Aug 30, 2008 at 10:54:59PM -0700, Steve Langasek wrote:
On Sun, Aug 31, 2008 at 01:16:32AM +0200, Bastian Blank wrote:
Negotiate auth does not provide confidentiality or integrity protection
different to the normal use of kerberos.
Well, ok, but you're negotiating *authentication
On Sat, Aug 30, 2008 at 06:19:32PM -0700, Russ Allbery wrote:
Well, having your browser spontaneously authenticate you to any system
keyed in your local realm or in a realm with which you have cross-realm
trust is something of a leak of personal information.
This may change in the future. The
On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
- install sendfile/saft on all machines so you can do
sendfile foo.tar.gz [EMAIL PROTECTED]
The crypto stuff could be alleviated by using ipsec between all our
servers. But that works even less well than you'd expect.
On Sat, Aug 30, 2008 at 05:46:16PM +0200, Peter Palfrader wrote:
On Sat, 30 Aug 2008, Bastian Blank wrote:
On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
The crypto stuff could be alleviated by using ipsec between all our
servers. But that works even less well than
On Sat, Aug 30, 2008 at 06:48:57PM +0200, Wouter Verhelst wrote:
(for some unfathomable reason, the firefox developers consider Negotiate
authentication to be unsafe with untrusted and/or non-SSL hosts. Dunno
why that is, and never saw a compelling argument...)
Negotiate auth does not provide
On Sat, May 31, 2008 at 08:41:54PM +0200, Frans Pop wrote:
[1] With one exception: mails with large attachments may be accepted by
the BTS, but not reach the maintainer. For example, lists.d.o has a size
limit, while bugs.d.o does not (#475682).
You have to make a point somewhere. Everything
On Sun, Jun 01, 2008 at 12:22:14AM +0900, Charles Plessy wrote:
5.11.1 When and how to do an NMU
I propose to add NMUs are usually not appropriate for team-maintained
packages. Consider sending a patch to the BTS instead. to the bullet
list.
And we are they not able to respond to the bug
On Tue, Apr 29, 2008 at 12:16:28PM +0200, Adeodato Simó wrote:
* Mike Hommey [Tue, 29 Apr 2008 11:54:59 +0200]:
FWIW, I think NMUing a package shouldn't end up with a sourceful upload
but should instead have a .diff.gz, whether it's a native package or not.
100% agreed. (Assuming you mean a
On Mon, May 28, 2007 at 08:38:24AM +0200, Joey Schulze wrote:
I can understand the latter. However, maybe it was just a mistake and
waldi didn't want to remove Sven but accidentally removed one line too much
or something? He'll probably speak up and explain things.
I already said that I can't
On Fri, May 18, 2007 at 01:10:15PM +0200, Frans Pop wrote:
- sparc32 deprecation? No fix yet for the cmpxchg problem.
For now I only want to disable it.
In that thread there was some opposition to the idea, but I've not seen
anybody making the commitment to maintain sparc32, so dropping it
On Sun, Mar 18, 2007 at 10:22:59PM +1100, Hamish Moffatt wrote:
Note that the nvidia drivers don't seem to compile with = 2.6.19, due
to linux/config.h being renamed to linux/autoconf.h (I think).
The direct usage of linux/config.h is discouraged since .12 or so.
Bastian
--
Insufficient facts
On Sat, Feb 24, 2007 at 03:04:10PM +0100, Josip Rodin wrote:
(BTW, I've recently offered a better sparc machine for use by the project,
it's a prospective solution for that problem.)
See this list some time ago. Debian have a Sun T2000 available.
Bastian
--
Love sometimes expresses itself in
On Sun, Nov 26, 2006 at 04:49:37PM +, Bill Allombert wrote:
I propose to set up a lintian.debian.org-equivalent for sparc on this
machine, but this requires 10GB of diskspace and a local mirror. Tell me
if you think it is possible/a good idea.
Define local mirror? There is a mirror one
On Sat, Sep 02, 2006 at 04:24:24PM +0200, martin f krafft wrote:
Don't porters work on DSA-controlled machines?
Nope. They are controlled by the porters themselves.
Bastian
--
Fascinating is a word I use for the unexpected.
-- Spock, The Squire of Gothos, stardate 2124.5
--
42 matches