[arch-dev-public] Signoff report for [testing]

2014-12-31 Thread Arch Website Notification
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 24 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 5 fully signed off packages
* 39 packages missing signoffs
* 2 packages older than 14 days

(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)


== New packages in [testing] in last 24 hours (24 total) ==

* bash-4.3.033-1 (i686)
* iproute2-3.18.0-1 (i686)
* bash-4.3.033-1 (x86_64)
* iproute2-3.18.0-1 (x86_64)
* cabal-install-1.20.0.4-1 (i686)
* ecasound-2.9.1-4 (i686)
* ghc-7.8.4-1 (i686)
* kdebindings-korundum-4.14.3-2 (i686)
* kdebindings-qtruby-4.14.3-2 (i686)
* rrdtool-1.4.8-5 (i686)
* ruby-2.2.0-1 (i686)
* subversion-1.8.11-2 (i686)
* vim-7.4.560-1 (i686)
* weechat-1.0.1-2 (i686)
* cabal-install-1.20.0.4-1 (x86_64)
* ecasound-2.9.1-4 (x86_64)
* ghc-7.8.4-1 (x86_64)
* kdebindings-korundum-4.14.3-2 (x86_64)
* kdebindings-qtruby-4.14.3-2 (x86_64)
* rrdtool-1.4.8-5 (x86_64)
* ruby-2.2.0-1 (x86_64)
* subversion-1.8.11-2 (x86_64)
* vim-7.4.560-1 (x86_64)
* weechat-1.0.1-2 (x86_64)


== Incomplete signoffs for [core] (5 total) ==

* bash-4.3.033-1 (i686)
0/1 signoffs
* iproute2-3.18.0-1 (i686)
0/1 signoffs
* xz-5.0.8-1 (i686)
0/1 signoffs
* bash-4.3.033-1 (x86_64)
0/2 signoffs
* iproute2-3.18.0-1 (x86_64)
0/2 signoffs

== Incomplete signoffs for [extra] (34 total) ==

* cabal-install-1.20.0.4-1 (i686)
0/1 signoffs
* ecasound-2.9.1-4 (i686)
0/1 signoffs
* ghc-7.8.4-1 (i686)
0/1 signoffs
* kdebindings-korundum-4.14.3-2 (i686)
0/1 signoffs
* kdebindings-qtruby-4.14.3-2 (i686)
0/1 signoffs
* lirc-1:0.9.1.a-11 (i686)
0/1 signoffs
* mplayer-37344-1 (i686)
0/1 signoffs
* nvidia-343.36-5 (i686)
0/1 signoffs
* nvidia-304xx-304.125-5 (i686)
0/1 signoffs
* nvidia-340xx-340.65-6 (i686)
0/1 signoffs
* pulseaudio-5.99.2-1 (i686)
0/1 signoffs
* qemu-2.2.0-1 (i686)
0/1 signoffs
* rrdtool-1.4.8-5 (i686)
0/1 signoffs
* ruby-2.2.0-1 (i686)
0/1 signoffs
* subversion-1.8.11-2 (i686)
0/1 signoffs
* vim-7.4.560-1 (i686)
0/1 signoffs
* weechat-1.0.1-2 (i686)
0/1 signoffs
* cabal-install-1.20.0.4-1 (x86_64)
0/2 signoffs
* ecasound-2.9.1-4 (x86_64)
0/2 signoffs
* ghc-7.8.4-1 (x86_64)
0/2 signoffs
* kdebindings-korundum-4.14.3-2 (x86_64)
0/2 signoffs
* kdebindings-qtruby-4.14.3-2 (x86_64)
0/2 signoffs
* lirc-1:0.9.1.a-11 (x86_64)
0/2 signoffs
* mplayer-37344-1 (x86_64)
0/2 signoffs
* nvidia-343.36-5 (x86_64)
1/2 signoffs
* nvidia-304xx-304.125-5 (x86_64)
0/2 signoffs
* nvidia-340xx-340.65-6 (x86_64)
0/2 signoffs
* pulseaudio-5.99.2-1 (x86_64)
0/2 signoffs
* qemu-2.2.0-1 (x86_64)
0/2 signoffs
* rrdtool-1.4.8-5 (x86_64)
0/2 signoffs
* ruby-2.2.0-1 (x86_64)
0/2 signoffs
* subversion-1.8.11-2 (x86_64)
0/2 signoffs
* vim-7.4.560-1 (x86_64)
0/2 signoffs
* weechat-1.0.1-2 (x86_64)
0/2 signoffs


== Completed signoffs (5 total) ==

* linux-3.18.1-1 (i686)
* lz4-127-1 (i686)
* linux-3.18.1-1 (x86_64)
* lz4-127-1 (x86_64)
* xz-5.0.8-1 (x86_64)


== All packages in [testing] for more than 14 days (2 total) ==

* qemu-2.2.0-1 (i686), since 2014-12-11
* qemu-2.2.0-1 (x86_64), since 2014-12-11


== Top five in signoffs in last 24 hours ==

1. dan - 2 signoffs


Re: [arch-dev-public] [arch-commits] Commit in xz/trunk (PKGBUILD)

2014-12-31 Thread Pierre Schmitz

On 28.12.2014 10:36, Andreas Radke wrote:
> What's the plan with xz update? Will you push 5.2.0 with smp
> support right after the 5.0.8 update?
>
> -Andy


Yes, that's the plan. Atm I only have very limited internet access and 
no current repo snapshot.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

2014-12-31 Thread Pierre Schmitz

On 26.12.2014 01:56, Allan McRae wrote:
> I am not in favour of using the hardening script because I don't find it
> adheres to what we consider KISS.  Our build system is supposed to be
> simple and entirely transparent when looking at the PKGBUILD and default
> makepkg.conf.  Any user can run abs and makepkg and get (roughly)
> the same package.


I agree, using such hacks kind of violates the KISS principle and our
policy to follow upstream and not patch or fork. I suggest revisiting
this proposal once the needed changes are available upstream.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

2014-12-31 Thread Daniel Micay
On 31/12/14 04:47 AM, Pierre Schmitz wrote:
> On 26.12.2014 01:56, Allan McRae wrote:
>> I am not in favour of using the hardening script because I don't find it
>> adheres to what we consider KISS.  Our build system is supposed to be
>> simple and entirely transparent when looking at the PKGBUILD and default
>> makepkg.conf.  Any user can run abs and makepkg and get (roughly)
>> the same package.
>
> I agree, using such hacks kind of violates the KISS principle and our
> policy to follow upstream and not patch or fork. I suggest revisiting
> this proposal once the needed changes are available upstream.

It's not necessarily going to land upstream. The fact that it can be
done without changes to GCC via build systems or hardening scripts is
the main reason it has been rejected in the past.

On a package-by-package basis, carrying out-of-tree patches for missing
SSP, RELRO and/or _FORTIFY_SOURCE is a lot less simple than simply
adding makedepends=(hardening-wrapper). Lack of full ASLR in a package
with a prominent attack surface is a higher priority bug than the other
flags, but since it's a problem nearly across the board there's little
point in filing them.

I gave up on doing this manually almost as soon as I started:

https://wiki.archlinux.org/index.php/DeveloperWiki:Security#Packages_not_respecting_flags

If I could I would just write a high latency version of
hardening-wrapper where it files a bug when CFLAGS / LDFLAGS wasn't
respected rather than just injecting the flags itself. Not going to work
thanks to stuff like autoconf.


