Bug#289560: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)

[Javier Fernández-Sanguino Peña]

On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
> 
> Javier -
> 
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> > 
> > No, I didn't. I was not sure if they were still active. Do you want me to 
> > forward this?
> 
> Yes.  They are the authors, thus I hesitate to change their work without
> at least trying to contact them.

At least one of the mail addresses ([EMAIL PROTECTED]) bounces.

Regards

Javier


signature.asc
Description: Digital signature

Bug#289560: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)

[Javier Fernández-Sanguino Peña]

On Mon, Jan 10, 2005 at 11:01:57AM +0100, Javier Fernández-Sanguino Peña wrote:
> At least one of the mail addresses ([EMAIL PROTECTED]) bounces.

The other author address ([EMAIL PROTECTED]) bounces too.

Regards

Javier


signature.asc
Description: Digital signature

Bug#289703: nessusd doesn't start with no error message

[Javier Fernández-Sanguino Peña]

On Mon, Jan 10, 2005 at 05:01:36PM +0100, Petr Nekula wrote:
> Here is ending part of strace output:
> 
(... useless, since it straces the initd and does not follow (-f) the 
children process ... )

> If I could help you sending any other information, please let me know.

Yes, please provide a trace of the nessus daemon itself. Run (as root) 
'strace -f nessusd -D'. Also please provide the information available in 
/var/log/nessus/nessusd.messages. There might be relevant error messages 
there

Also, was this a freshly installed nessus installation or was it upgraded 
from a previous version?

Regards

Javier


signature.asc
Description: Digital signature

Bug#289703: nessusd doesn't start with no error message

[Javier Fernández-Sanguino Peña]

> Hello,
> 
> here is another part of strace output using 'strace -f nessusd -D'. I 
> hope I have cutted it at the right place, otherway I can bzip2 and send 
> full log, which have about 3MB unzipped:

Sorry, should have asked you to do 'strace -f nessusd' (without the -D, 
since otherwise the nessud goes into background mode). 

Regards

Javier


signature.asc
Description: Digital signature

Bug#289703: nessusd doesn't start with no error message

[Javier Fernández-Sanguino Peña]

On Tue, Jan 11, 2005 at 12:23:43PM +0100, Petr Nekula wrote:
> 
> Hello,
> 
> here is requested output:

Hello,

> getpid()= 4026
> write(2, "*** \'ca_file\' is not set - did y"..., 55*** 'ca_file' is not 
> set - did you run nessus-mkcert ?
> ) = 55
> write(1, "\rAll plugins loaded "..., 55^MAll plugins 
> loaded  

This last message says it all. You did not run 'nessus-mkcert' did you? If 
you did, and this was an upgrade, you probably did not merge the changes 
introduced by it to your nessusd.conf. Do you have a 
/etc/nessusd/nessusd.conf.dpkg-old file? What is the output of running (as 
root) 'grep ca_file /etc/nessusd.conf/*' ?

I might add a warning in the init.d script about this issue since, without 
a certificate, nessusd will not run from the init.d script at all.

Regards

Javier


signature.asc
Description: Digital signature

Bug#289703: nessusd doesn't start with no error message

[Javier Fernández-Sanguino Peña]

retitle 289703 nessusd: Init.d script does not warn if nessusd didn't start 
properly
severity 289703 wishlist
thanks

On Tue, Jan 11, 2005 at 04:20:32PM +0100, Petr Nekula wrote:
> Yes, that's the point. After running nessus-mkcert, everything is 
> running fine.
> 
> Before running it ca_file variable was only in nessusd.conf.dkpg-old

Then I guess you upgraded from an old version, were given the option to use 
the new nessusd.conf and overwrite yours (including your ca_file)

> Maybe it should be good idea to include some warning into init.d script 
> and/or into /var/log/nessus/nessusd.messages .

I'm not sure why it doesn't log to nessusd.messages (it should). But since 
nessusd cannot start without a proper configuration, I will probably 
introduce a check in the init.d script.

Actually, I've been trying to find time to modify the preinst so that it
will fold in this kind of automatic changes introduced by nessus-mkcert to
a new nessusd.conf configuration file (if a different one is provided by 
the package). That's not as easy as it seems, however, and for the moment 
is something that the admin must do himself. 

> Thanks very much for your quick solution of this problem.

No problem.

Javier


signature.asc
Description: Digital signature

Bug#289845: xdvizilla: subtle syntax error.

[Javier Fernández-Sanguino Peña]

On Tue, Jan 11, 2005 at 03:55:44PM +0100, Frank Küster wrote:
> > According to the bash (and ksh) manual, group commands must be terminated
> > by `;' or newline.  
> 
> Thanks for pointing that out, you are right that there is an error in
> the last patch to xdvizilla.

Yep. My patch was broken, noticed it when doing other patches but forgot to 
report this to this bug. I did say the patch was untested, did I?

> > The following patch restores the correct behaviour:
> >
> > --- xdvizilla.old   2004-12-23 17:39:17.0 +0100
> > +++ xdvizilla.new   2005-01-11 11:22:41.0 +0100
> > @@ -33,7 +33,10 @@
> >  case "$FILETYPE" in
> >  
> >*"gzip compressed data"*)
> > -FILE=`mktemp -t xdvizilla.XX` || { echo "$0: Cannot create 
> > temporary file"; exit 1 }
> > +FILE=`mktemp -t xdvizilla.XX` || {
> > +   echo "$0: Cannot create temporary file"
> > +   exit 1
> > +}
> 
> Is there a specific reason why you chose the reformatting, instead of
> just adding a `;' before the closing parenthesis? Or is it just the
> overlong lines?

I think that (wrapped by mailer, it's just a long line)

  FILE=`mktemp -t xdvizilla.XX` || { echo "$0: Cannot create temporary 
file"; exit 1; }

Should work fine. Actually, so would:

FILE=`mktemp -t xdvizilla.XX || tempfile --prefix=xdvizilla` || { echo "$0: 
Cannot create temporary file" >2; exit 1; }

Which might be even better if the patch is to be used in some systems that 
don't have mktemp and have tempfile (Debian has both). It will also send 
the error to STDERR, where it belongs. I've tested this (standalone) :-)

I've introduced these changes into the attached patch, I've actually tested 
it this time, and it works fine. It has only one minor issue, the error 
messages related to the temporary file creation will not be shown when 
running xdvizilla through mozilla as there is no tty to send them too 
(maybe xmessage should be used instead?)

I've also fixed two things:

1.- I believe the temporary files (and directory) should always be removed
(regardless of -no-rm being used) and I've introduced a trap to do so. In 
some circunstances (script being aborted before it finishes) the tempfiles 
might lie around

2.- xdvizilla will happily try to work even if the file does not exist. 
I've fixed this with a simple [ ! -e ] check.

Regards

Javier


--- xdvizilla.orig  2005-01-11 16:29:40.0 +0100
+++ xdvizilla   2005-01-11 16:34:37.0 +0100
@@ -28,12 +28,18 @@
 fi
 
 FILE=$1
+if [ ! -e "$FILE" ] ; then
+  xmessage -nearmouse '$0: $FILE does not exist!'
+  exit 1
+fi
+  
 FILETYPE=`file "$FILE"`
 
 case "$FILETYPE" in
 
   *"gzip compressed data"*)
-FILE=`mktemp -t xdvizilla.XX` || { echo "$0: Cannot create temporary 
file"; exit 1 }
+FILE=`mktemp -t xdvizilla.XX || tempfile --prefix=xdvi` || { echo "$0: 
Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$FILE\";" 0 1 2 3 13 15 
 gunzip -c "$1" > $FILE
 [ -n "$NO_RM" ] || rm -f -- "$1"
 NO_RM=
@@ -41,7 +47,8 @@
 ;;
 
   *"compressed data"* | *"compress'd data"*)
-FILE=`mktemp -t xdvizilla.XX` || { echo "$0: Cannot create temporary 
file"; exit 1 }
+FILE=`mktemp -t xdvizilla.XX || tempfile --prefix=xdvi` || { echo "$0: 
Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$FILE\";" 0 1 2 3 13 15 
 uncompress -c "$1" > $FILE
 [ -n "$NO_RM" ] || rm -f -- "$1"
 NO_RM=
@@ -60,22 +67,21 @@
 case "$FILETYPE" in
 
   *" tar archive")
-TARDIR=`mktemp -t -d xdvitar.XX` || { echo "$0: Cannot create 
temporary directory"; exit 1 }
-mkdir $TARDIR
+TARDIR=`mktemp -t -d xdvitar.XX` || { echo "$0: Cannot create 
temporary directory"; >&2 exit 1; }
+trap "rm -f -- \"$FILE\"; rm -rf -- \"$TARDIR\"; " 0 1 2 3 13 15 
 cat "$FILE" | (cd $TARDIR; tar xf -)
 DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
-[ -n "$NO_RM" ] || rm -f -- "$FILE"
 if [ -z "$DVINAME" ]; then
   xmessage -nearmouse "Tar file does not contain a dvi file"
 else
   (cd $TARDIR; "$DIR"xdvi -safer "$DVINAME")
 fi
-rm -rf $TARDIR
   ;;
 
   *)
 "$DIR"xdvi -safer "$FILE"
-[ -n "$NO_RM" ] || rm -f -- "$FILE"
   ;;
 
 esac
+
+exit 0


signature.asc
Description: Digital signature

Bug#289876: remove me from callwave, and then google me harder

[Javier Fernández-Sanguino Peña]

On Tue, Jan 11, 2005 at 02:40:41PM +, paddy wrote:
> The remedy seems simple, and has already been brought to the attention of
> debian-www without apparent comment in a posting currently archived at:
> 
> http://lists.debian.org/debian-www/2004/12/msg00331.html

The comment does not actually include a page, I'm not going to waste my 
time writting one. It might get included into the website if someone else 
does it, though.

Regards

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#256523: harden-doc: Section on RPC needs clarification

[Javier Fernández-Sanguino Peña]

On Sun, Jun 27, 2004 at 11:47:40AM -0500, Aarre Laakso wrote:
> Package: harden-doc
> Severity: minor
> Tags: patch
> 

Thanks, I've included the patch along with some changes to that section. 
I'll close the bug as soon as I upload a new harden-doc package.

Sorry for the delay, regards

Javier


signature.asc
Description: Digital signature

Bug#289876: remove me from callwave, and then google me harder

[Javier Fernández-Sanguino Peña]

On Wed, Jan 12, 2005 at 10:47:00AM +, paddy wrote:
> 
> First of all, I'm not a DD - I don't know if this has any bearing, but I
> thought I'd best get it up front.

There's no need to be a DD to contribute to Debian :-)

> I'd happily write such a page.  I imagine it should be as short and simple
> as possible. How big is the manual I'm supposed to have read before I
> can do this? Would something like the following help?

I think it does, actually. It moves the point from "nobody has written a 
page yet" to "do we want to?"

> Perhaps it doesn't need to be a page on it's own, and could form part of an
> FAQ.  

I think there is no mailing list FAQ yet. Maybe it should be written and 
available from lists.debian.org

> I do not know how this would interact with search engine weighting.

Unknown, search engines don't (fully) disclose the algorithms they use.

> For that matter, putting up a page such as I suggest might make things worse.
> I do not pretend to know.

Well, I think it makes thing worse, but maybe things need to get worse
before they start getting better. I really don't know. Maybe even having
Debian be the first hit on "hot babes" can derive people that would be
happily watching pXrn to contributing in an universal OS. Who knows

BTW. You did not CC: [EMAIL PROTECTED], I'm not sure if this is 
deliberate or not, do you mind if I bounce this mail there?

:-)

Regards

Javier


signature.asc
Description: Digital signature

Bug#290104: snort-pgsql: Installation script ask user to initialaze database before initialization file is created.

[Javier Fernández-Sanguino Peña]

severity 290104 minor
merge 290104 205683
thanks 

On Wed, Jan 12, 2005 at 08:38:11PM +0100, Harald Thingelstad wrote:
> 
> Installed several programs in a batch, and when configuration screens
> appeared in debconf, initialization file was not yet there.
()

Already reported, please see #205683, #219696, #265735, and #265878.
I will merge this bug.

Regards

Javier


signature.asc
Description: Digital signature

Bug#271567: Can you disables the "locking" of the keyboard, mouse, ...

[Javier Fernández-Sanguino Peña]

On Wed, Jan 12, 2005 at 10:51:16PM -0200, Gustavo Noronha Silva wrote:
> After reading your e-mail, I think that sounds like a sensible proposal.
> I'll wait for some input from the involved maintainers and do the
> change, if noone has a problem with it.

Quick and dirty hacki:

How about having this be configurable through something like 
/etc/gksu.conf and include a wrapper script to read it?
That would introduce a way (since gksu does not seem to have an 
alternative) for average users to have the default behaviour (which is a 
good idea) and for users that need this option to enable it per default.

The gtksu application could either read that or have a wrapper that (if 
that file contained and $OPTIONS):

/etc/gksu.conf
---
#!/bin/sh
# Uncomment this if using a  CJK environment
#OPTIONS="--default-grab"
---

And here's /usr/bin/gksu:

---
#!/bin/sh
program=/usr/bin/gksu-real
config=/etc/gtksu.conf
[ -r "$config" ] && . $config
if [ -x $program ] ; then
if [ -n "$OPTIONS" ]; then
exec $program $OPTIONS $*
else
exec $program $*
fi
else
echo "This script is a wrapper for $program but I can't find it on 
the system" >&2
exit 1
fi
---

Better solution:
- Have gksu source a /etc/gksu.conf file directly
- Have gksu obtain additional configuration from user's Xdefault or through 
the GNOME registry?

IMHO --disable-grab should _not_ be a default option, since it actually
prevents an eavesdropping attack (which can be a remote attack thanks to
X11's networking capabilities). However, there should be a way (and there
is none currently AFAIK) for users that need it to enable it either on a
per user or per system basis.

Notice that Osamu's proposal (having it as default) does not include a way 
for system admins/users to disable it if needed be.


The more Debian will be targeted to desktop environments the more you will
have desktop installations in which the user is also the administrator and
will be using gksu/gnome-sudo/similar stuff a lot. We want to prevent that
extended usage (whenever that happens) of "swithc to root" applications
from introducing new vulnerabilities^Wconcerns because of our insecure
default setup. 

I'm actually quite sympathetic for this kind of applications, since we 
should also strive to have the users avoid running an X environment as 
root user. But please, deploy them in the most secure way possible (or do 
not deploy them and introduce a false sense of security).

I understand that if the user is running malware there is nothing that
prevents the intruder from sidestepping this method and introduce a
different way to capture root's password, but at least you are making it (a
little bit) more difficult than just running an X keylogger.


Regards


Javier


signature.asc
Description: Digital signature

Bug#197934: Xpaint 2.7.0 packages built and tested, should I NMU?

[Javier Fernández-Sanguino Peña]

On Tue, Jan 04, 2005 at 03:58:56PM +0100, Florian Ernst wrote:
> Hello Javier,
> 
> I read in  you were going to NMU
> xpaint. Do you still have any plans regarding this?
> 

No, I don't. I actually don't know where I dropped those.

> If not I'd like to take over (together with Hugo Vanwoerkom) by
> packaging the newest upstream release, now that the package has been
> orphaned for quite some time...

Please do.

Regards

Javier


signature.asc
Description: Digital signature

Bug#287899: Vdr should not be released unless this bug is fixed

[Javier Fernández-Sanguino Peña]

severity 287899 critical
tags 287899 security
thanks

(Setting this bug as higher severity after discussing with the security 
team and the maintainer)

The vdr package, as it is currently, should not be accepted into sarge 
unless the daemon runs as a non-root user. There are several troublesome 
issues with running vdr as root and even the upstream user discourages 
this (please read the INSTALL file).

Also notice that the patch provided to this bug is not correct:

1.- the postinst will not check if the user exists before creating. It 
should do something like:
---

   CREATEUSER=vdr
   CREATEGROUP=vdr
if ! getent group | grep -q "^$CREATEGROUP:" ; then
  echo -n "Adding group $CREATEGROUP.."
  addgroup --quiet --system $HONEYUSERGROUP
  echo "..done"
fi
   if ! getent passwd | grep -q "^$CREATEUSER:"; then
  echo -n "Adding user $CREATEUSER.."
  adduser --system --home /var/lib/vdr --shell /bin/false \
  --gecos "VDR user" --no-create-home \
  --disabled-login --disabled-password \
  --ingroup $CREATEGROUP \
  $CREATEUSER
  echo "...done"
   fi
---

2.- The postrm should remove this user/group combination if they exist. 
This is usually done as follows (for user, similar for group):
---
# find first and last SYSTEM_UID numbers
 for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in
   FIRST_SYSTEM_UID*)
  FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
   ;;
   LAST_SYSTEM_UID*)
  LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
   ;;
   *)
   ;;
esac
 done
 # remove  system account if necessary
 CREATEDUSER=vdr
 if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then
   if [ -n "$USERID" ]; then
  if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
 [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
deluser --quiet $CREATEDUSER || true
  fi
   fi
fi
 fi
---


Regards

Javier


signature.asc
Description: Digital signature

Bug#287899: Vdr should not be released unless this bug is fixed

[Javier Fernández-Sanguino Peña]

On Sun, Jan 16, 2005 at 10:48:39PM +0100, Thomas Schmidt wrote:
> 
> I also think that it would be the best to just keep the user, because 
> other packages will use it too (vdradmin and some plugins).

The user, if created by the package, should be removed. If other packages 
depend on it, they should depend on the package. As for the directories 
that belong to the user, just do a 

find $directory -uid $CREATEDUID -exec chown root:root {} \;

For all of the directories, once you have the UID.

The standard procedure when creating users (check other packages) is to add 
them in postinst and remove them in postrm, please do it properly.

Regards

Javier


signature.asc
Description: Digital signature

Bug#290808: tiger: Don't report problems that aren't problems for Debian

[Javier Fernández-Sanguino Peña]

On Sun, Jan 16, 2005 at 04:05:51PM -0500, Justin Pryzby wrote:
> Package: tiger
> Severity: wishlist
> 
> 
> WRT bug #290803, it would be nice if tiger would not report "root
> security hole" when that does not apply to Debian systems, or if it
> would give a warning, or include "on Debian, this is intentional".
> Modifying that string should be moderately easy.

That's what /etc/tiger/tiger.ignore is for. If you find stuff that doesn't 
apply to Debian systems please tell me which warning it is and I will add 
it to the default lines there.

Regards

Javier


signature.asc
Description: Digital signature

Bug#290974: apache: Temporary usage bugs that can be used in symlink attacks

[Javier Fernández-Sanguino Peña]

Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the 
source, one of this (check_forensic) is installed in Debian's apache-utils 
package and IMHO should be fixed. They are rather low risk, but I have to 
set the priority to grave in any case (since they qualify)

The fix is rather straightforward (use mktemp or tempfile instead of the $$ 
construct and add a trap to remove the temporary files) and it is needed, 
specially for check_forensic.

In the check_forensic script, for example, an attacker could just monitor
/tmp/ usage and construct symlinks to the fc-XX.$$ as soon as "sees" that
the fc-all.$$ file is being used. 

I've verified that none of these issues affect woody's Apache 
(1.3.26-0woody6). The fnm.sh script was there but it is not installed with 
any package and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues, hope it helps. 
Please fix fnm.sh even if not being installed in any Debian packages, just 
to ease the work of automatic source-code review tools.


Regards


Javier
diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh 
build-tree-apache/apache_1.3.33/src/helpers/fmn.sh
--- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh 2004-02-16 
23:23:09.0 +0100
+++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh  2005-01-18 
00:51:03.0 +0100
@@ -24,8 +24,8 @@
 modfile=$1
 
 #   the part from the Configure script
-tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
-rm -f $tmpfile
+tmpfile=`mktemp -t fmn.XX || tempfile --prefix=fmn` || { echo "$0: Cannot 
create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
 modname=''
 ext=`echo $modfile | sed 's/^.*\.//'`
 modbase=`echo $modfile | sed 's/\.[^.]*$//'`
@@ -52,8 +52,8 @@
 modname=`echo $modbase | sed 's/^.*\///' | \
 sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'`
 fi
-rm -f $tmpfile
 
 #   output: the name of the module structure symbol
 echo "$modname"
 
+exit 0
diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic 
build-tree-apache/apache_1.3.33/src/support/check_forensic
--- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic 
2005-01-18 00:49:23.0 +0100
+++ build-tree-apache/apache_1.3.33/src/support/check_forensic  2005-01-18 
00:53:32.0 +0100
@@ -7,9 +7,14 @@
 
 F=$1
 
-cut -f 1 -d '|' $F  > /tmp/fc-all.$$
-grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$
-grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$
+all=`mktemp -t fcall.XX || tempfile --prefix=fcall` || { echo "$0: Cannot 
create temporary file" >&2; exit 1; }
+in=`mktemp -t fcin.XX || tempfile --prefix=fcin` || { echo "$0: Cannot 
create temporary file" >&2; exit 1; }
+out=`mktemp -t fcout.XX || tempfile --prefix=fcout` || { echo "$0: Cannot 
create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15
+
+cut -f 1 -d '|' $F  > $all
+grep + < $all | cut -c2- | sort > $in
+grep -- - < $all | cut -c2- | sort > $out
 # use -i instead of -I for GNU xargs
-join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
-rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$
+join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F
+exit 0

Bug#291096: libevent: Version 1.0 breaks backwards compatibility (breaks farpd)

[Javier Fernández-Sanguino Peña]

Package: libevent1
Version: 1.0-1.1
Priority: important
Tags: upstream sid

Libevent 1.0 breaks backward compatibility and some applications (like 
farpd) will not compile or work. 

Starting farpd comes up with the following error:

 farpd: relocation error: farpd: undefined symbol: event_sigcb

And compiling it shows up:

$ make
gcc  -I/usr/include  -o arpd  arpd.o -L/usr/lib -ldumbnet -L/usr/lib 
-levent -L/usr/lib -lpcap -L/usr/lib -ldumbnet
arpd.o(.text+0x14de): En la función `terminate_handler':
: undefined reference to `event_gotsig'
arpd.o(.text+0x1750): En la función `main':
: undefined reference to `event_sigcb'

The signal handler got moved to an internal location in the library and 
it's no longer exported. This bug has been fixed in libevent 1.0b (released 
2005-01-13) and is needed before this version moves into sarge (or it will 
break some applications there), that's why I'm setting this at important 
priority.

Regards

Javier


signature.asc
Description: Digital signature

Bug#291148: [PROPOSAL] Add a 'status' option in init.d scripts

[Javier Fernández-Sanguino Peña]

Package: debian-policy
Version: 3.6.1.1
Priority: wishlist
Tags: patch

[ Note: I understand that this status suggestion is covered (without a
valid example in #208010) but I believe that LSB compliance also forces
some other things (like exit codes) which is still under discussion.
That's why I'm opening this up as a different bug report and not
following up there. If this is fixed through applying the patch at
#208010 please consider the example change introduced in the 
patch attached (which actually has a 'status' function that works
although there is obviously room for improvement) ] 

I would like a new option to be added to init.d scripts: 'status' 
which basicly tells what status is the service currently in 
(either running or dead).

This option is quite handy when you want to determine the system status
(instead of blindly trying 'restart' and see what happens). It is
also useful also to determine if the start-stop-daemon call
succeeded and left a running program. Currently most init.d scripts
will happily start up services which are not correctly configured
and admins will not notice that they didn't start up until they
check the service itself (is it running? what do the logs say?).

I would appreciate more consistent behaviour here, one thing I like of
other distributions is that you actually get to see if the system
starts up succesfully just by looking at the boot sequence. In Debian,
many init.d scripts just don't check wether they left a running
service. This 'status' option proposal is a first step towards enforcing
init.d scripts to do so.

I've attached a patch with the proposal including both the 
description and a change to the sample init.d script implementing it.
Please consider this for Debian's policy.

Regards

Javier
--- policy.sgml.orig2005-01-19 01:10:37.0 +0100
+++ policy.sgml 2005-01-19 01:13:05.0 +0100
@@ -5382,7 +5382,7 @@
 
  restart
  stop and restart the service if it's already running,
- otherwise start the service
+ otherwise start the service,
 
  reload
  cause the configuration of the service to be
@@ -5392,13 +5392,17 @@
  force-reload
  cause the configuration to be reloaded if the
  service supports this, otherwise restart the
- service.
+ service,
+
+ status
+ show the status of the service (either running
+  or dead).

 
The start, stop, restart, and
force-reload options should be supported by all
scripts in /etc/init.d, the reload
-   option is optional.
+and status option are optional.
  
 
  
@@ -5678,19 +5682,42 @@
   . /etc/default/bind
 fi
 
+# Function used to determine if the program is alive
+is_alive () {
+   ret=1
+   if [ -r "/var/run/named.pid" ] ; then
+  pid=`cat /var/run/named.pid`
+  if [ -e /proc/$pid ] ; then
+ procname=`/bin/ps h -p $pid -C bind`
+ [ -n "$procname" ] && ret=0
+  fi
+   fi
+   return $ret
+}
+# Print output based on status 
+print_status() {
+   if is_alive; then
+  echo "."
+   else
+  echo "failed."
+  exit 1
+   fi
+}
+
+
 
 case "$1" in
 start)
   echo -n "Starting domain name service: named"
   start-stop-daemon --start --quiet --exec /usr/sbin/named \
 -- $PARAMS
-  echo "."
+  print_status
   ;;
 stop)
   echo -n "Stopping domain name service: named"
   start-stop-daemon --stop --quiet  \
 --pidfile /var/run/named.pid --exec /usr/sbin/named
-  echo "."
+  print_status
   ;;
 restart)
   echo -n "Restarting domain name service: named"
@@ -5698,13 +5725,22 @@
 --pidfile /var/run/named.pid --exec /usr/sbin/named
   start-stop-daemon --start --verbose --exec /usr/sbin/named \
 -- $PARAMS
-  echo "."
+  print_status
   ;;
 force-reload|reload)
   echo -n "Reloading configuration of domain name service: named"
   start-stop-daemon --stop --signal 1 --quiet  \
 --pidfile /var/run/named.pid --exec /usr/sbin/named
-  echo "."
+  print_status
+  ;;
+status)
+  echo -n "Status of domain name service: "
+  if is_alive ; then
+ echo "alive."
+  else
+ echo "dead."
+  exit 1
+  fi
   ;;
 *)
   echo "Usage: /etc/init.d/bind " \


signature.asc
Description: Digital signature

Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

[Javier Fernández-Sanguino Peña]

>* added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
>  tcltags.sh so they use mktemp instead of insecure $$ construction to
>  create temporary files (CAN-2005-0069) (closes: #289560)

A few comments and questions regarding this entry:

- the scripts seem to be ancient and no longer supported by either their 
authors nor vim maintainer and have been removed upstream.

- I understand that Ubuntu's patch might be simpler, but I actually wrote 
the patch based on what's done in vim's tcltutor script. There were some 
reasons I wrote it which have been disregarded (mostly compatibility 
reasons for things that don't have mktemp/tempfile)
(I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

- no credit is given to me, which I would have appreciated

- Ubuntu's patch for tcltags will remove the temporary file *twice* (once
on exit, once after the trap is called) as the last line of the script has
not been removed (rm $tmp_tagfile) as I did in my patch.

Regards


Javier


signature.asc
Description: Digital signature

Bug#287899: Vdr should not be released unless this bug is fixed

[Javier Fernández-Sanguino Peña]

On Tue, Jan 18, 2005 at 11:38:55PM +0100, Thomas Schmidt wrote:
> 
> Well, it seems that there are different opinions in this case - some
> developers (you for example) say that system users should be removed
> when the package is purged, some say that it is no problem if the
> user is not deleted.

Yes, you are right, this is not policy (yet). If you believe this is the 
best decission, no problem. But please note that most of the discussions 
related to this issue is that a user might live files which then will not 
belong to anybody. If vdr's handling of files is managed so that the files 
it creates are located in directories that will be purged it shouldn't be 
an issue (unless the admin decides to 'su - vdr' and touch files here and 
there, but we can't cope for all situations).

Of course, that probably would mean restricting the GRAB command so that it 
would only create files in a given directory ;)

Regards

Javier


signature.asc
Description: Digital signature

Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts

[Javier Fernández-Sanguino Peña]

Package: debian-policy
Version: 3.6.1.1
Priority: wishlist

There is currently no policy on how should per-package users be created and 
removed. Eeven though the 'UID and GID classes' sections determines that 
packages _should_ use adduser --system in some occasions it doesn't 
describe why a package would want to do that.

IMHO it would be worthwhile writing in the policy that:

- maintainers should strive to make daemons run as non-root users
(this helps reduce the severity of many security bugs)

- maintainers scripts should create a system user for their daemon in
postinst.  User creation should not fail if the user already exists
(example code should be provided here, since this is sometimes not done
properly in maintainer scripts). Maintainer scripts can ask to the admin if 
the user already exists.

- maintainers scripts can remove users on purge of the package. 
This  should only be done if the files created by the user are being
removed in purge too.

- package configuration files (under /etc) should not be owned by the 
package user (this is to prevent attacks to daemons that might introduce a 
way to modify their own configuration). In some occasions access to a file 
(since it includes sensitive information) needs to be restricted, for this, 
a group should be created and the files should be chowned root:group.
(note that there is some *buggy* software in which the daemon needs to 
write to its configuration files)

For reference here are some relevant discussions:
(there are probably many more)

http://lists.debian.org/debian-policy/2003/05/msg00022.html
http://lists.debian.org/debian-devel/2001/09/msg01960.html
http://lists.debian.org/debian-devel/2004/08/msg01798.html
http://lists.debian.org/debian-devel/2004/05/msg01156.html
http://lists.debian.org/debian-devel/2003/11/msg02231.html
http://lists.debian.org/debian-devel/1996/05/msg00159.html
http://lists.debian.org/debian-user/1996/05/msg00106.html
http://lists.debian.org/debian-mentors/2004/10/msg00338.html

If others agree I can go forward, write a proposal text for this and 
provide a patch.

Regards

Javier


signature.asc
Description: Digital signature

Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

[Javier Fernández-Sanguino Peña]

On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:

Martin, just to get things straight, my comments are not directed 
towards you, but towards the vim maintainer.

> 
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
>   available, the script should rather fail than be vulnerable. mktemp
>   is shipped in a required package, so we can assume it is there.

It would be best if instead of 

tmp_tagfile=`mktemp -t tcltagXX` || exit 1 

you had used

tmp_tagfile=`mktemp -t tcltagXX` || { echo "$0: error creating the 
temporary file" >&2; exit 1 ;}

IMHO

> - A security update must be as simple and unintrusive as possible. I
>   do not care about the widest possible upstream portability in
>   security updates, the solution only needs to work on the platforms
>   we support.

Well, in the Debian case (not Ubuntu's) the patch was not intented to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc).  I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)

> > - no credit is given to me, which I would have appreciated
> 
> I credited you in the announcement [1] since you found the bug.

I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are with how this bug has been handled by the 
Debian maintainer, which takes no action until an Ubuntu advisory is 
released.

In any case, no use in arguing this when there is so many things to work on 
(and so many similar security bugs to report)

Regards

Javier


signature.asc
Description: Digital signature

Bug#290385: Libevent 1.0b now in Debian (this bug no longer stands)

[Javier Fernández-Sanguino Peña]

tags 290385 fixed
thanks

I uploaded libevent 1.0b to Debian yesterday but failed to close this bug 
in the upload. It no longer stands (since 1.0b fixes a bug which 1.0a 
doesn't :-)

Regards

Javier


signature.asc
Description: Digital signature

Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts

[Javier Fernández-Sanguino Peña]

On Wed, Jan 19, 2005 at 09:54:50AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> > There is currently no policy on how should per-package users be created and 
> > removed. Eeven though the 'UID and GID classes' sections determines that 
> > packages _should_ use adduser --system in some occasions it doesn't 
> 
> Make it *must* use adduser --system, *if* they add an user at all.

Some packages might need to use a hardcoded UID (and there's a UID range
for those) those don't use 'adduser --system'

> 
> > - maintainers scripts should create a system user for their daemon in
> > postinst.  User creation should not fail if the user already exists
> > (example code should be provided here, since this is sometimes not done
> > properly in maintainer scripts). Maintainer scripts can ask to the admin if 
> > the user already exists.
> 
> Maintainer scripts can ask about an already existing user *if and only if*
> it is not a system user...  no more useless, aggravating postinst prompts,
> please.

True. I would love to see a sample for that so that postinst scripts would 
reuse that. Actually, it could even be integrated into a dh_adduser script, 
couldn't it?

Regards

Javier


signature.asc
Description: Digital signature

Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

[Javier Fernández-Sanguino Peña]

On Wed, Jan 19, 2005 at 12:04:06PM +0100, Martin Pitt wrote:
> > IMHO
> 
> There is no need for this. mktemp generates an error message on its
> own, so this would only write two messages.

Mktemp might not be available. The || test would actually check wether 
mktemp fails (not common) and wether it's available. My message is 
associated with the later.

> 
> > In any case, no use in arguing this when there is so many things to work on 
> > (and so many similar security bugs to report)
> 
> Right, I just wanted to point out above mktemp behavior, since this
> seems to be a common misconception.

Understood, but you don't cover the event of mktemp not being available. 
The bash would output a message but an unknowledgeable user wouldn't know 
what's amiss.

> 
> Thanks for your great work and have a nice day!

Thank you for your work.

Regards

Javier


signature.asc
Description: Digital signature

Bug#286385: clarifying the scope of exploit of this bug

[Javier Fernández-Sanguino Peña]

On Wed, Jan 19, 2005 at 01:42:32PM -0500, Joey Hess wrote:
> I don't understand how these bugs can be exploited. Both programs
> contain code like this:

You are right, I didn't notice the -e. However

The fixps script also has:

fixps_sed=$tmpdir/fixps.sed
(...)
  file=$tmpdir/stdin.ps
  cat >$file
(...)
: >$fixps_sed
(...)

Similar code is found in psmandup.

The umask is not properly defined to avoid symlink attacks, a user just has
to check when a temporary directory is created and create those files
before they are used. 

You could argue that a script should not protect user's with insecure
umasks, but the standard way of creating temporary directories is by first
setting a 077 umask, and mktemp honors that (BTW the "we don't protect
users with unsafe umasks has been discussed in other similar bug reports")

I rather see all scripts in Debian using either mktemp and tempfile instead
of $$ for temporary files, it will make it much easier to do source code 
auditing for this same bug in the future.

Regards

Javier


signature.asc
Description: Digital signature

Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

[Javier Fernández-Sanguino Peña]

> I hope I'll find time next weekend for a new upload.

There's no hurry, take your time, these scripts have been in Debian for 
ages. You can even wait until the next upstream version is released, no 
sense in making two uploads to fix these.

Regards

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#290974: acknowledged by developer (Bug#290974: fixed in apache 1.3.33-3)

[Javier Fernández-Sanguino Peña]

reopen 290974
tags 290974 sarge
thanks

A few comments on this:

>* (Thom May)
>  - Security fix - fix tempfile usage in check_forensic (Closes: #290974)

- Please help track this bugs in sarge by tagging them
- fmn.sh was not fixed. Even if not used in the Debian package I would 
appreciate if it was patched too, helps in source code reviews.
- Please forward the full bug report upstream (if not already done)

Regards

Javier


signature.asc
Description: Digital signature

Bug#291373: gs-gpl: Insecure usage of /tmp in auxiliary scripts

[Javier Fernández-Sanguino Peña]

Package: gs-gpl
Version: 8.01-5
Priority: minor
Tags: security patch

While doing a source code audit I've noticed a number of unsafe usage of
/tmp in some of gs-gpl's scripts. Some of they are used in distibution or
building of the package and one (ps2epsi) seems targeted at users, none of
them seem to be included in the Debian binary package which is built from
these sources. Ps2epsi, however seems to be distributed with gs-common.

As for ps2epsi, this was recently fixed in gs-common (see #278282 and 
CAN-2004-0967)

I believe this /tmp usage should be removed from the package altogether
since it might introduces security vulnerabilities in developer's build 
systems.

Attached is a proposed (untested) patch which tries to fix this issues. For 
the Tcl/tk code I've used the sample at http://wiki.tcl.tk/772, it seems 
that tcl does not provide a mktemp() implementation. Consider this patch as 
a sample, to be improved upon.

Hope this is useful, please forward it upstream.

Regards

Javier
diff -Nru gs-gpl-8.01.orig/lib/ps2epsi gs-gpl-8.01/lib/ps2epsi
--- gs-gpl-8.01.orig/lib/ps2epsi2002-02-21 22:49:28.0 +0100
+++ gs-gpl-8.01/lib/ps2epsi 2005-01-20 09:09:31.0 +0100
@@ -1,7 +1,9 @@
 #!/bin/sh
 # $Id: ps2epsi,v 1.9 2002/02/21 21:49:28 giles Exp $
 
-tmpfile=/tmp/ps2epsi$$
+tmpfile=`mktemp -t ps2epsi.XX || tempfile --prefix=ps2epsi` || { echo "$0: 
Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
+
 
 export outfile
 
@@ -52,7 +54,6 @@
' U="$USERNAME$LOGNAME"  F=1 - F=2 "${infile}" >$tmpfile
 
 gs -q -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null 
$tmpfile ps2epsi.ps $tmpfile <"${infile}" 1>&2
-rm -f $tmpfile
 
 (
 cat << BEGINEPS
diff -Nru gs-gpl-8.01.orig/toolbin/3way.tcl gs-gpl-8.01/toolbin/3way.tcl
--- gs-gpl-8.01.orig/toolbin/3way.tcl   2002-02-21 23:44:45.0 +0100
+++ gs-gpl-8.01/toolbin/3way.tcl2005-01-20 09:20:34.0 +0100
@@ -25,7 +25,29 @@
 # produces a report for merging the olddir/branchdir changes into maindir.
 
 proc filesame {f1 f2} {
-set t /tmp/t
+# There is no Tcl builtin for temporary files
+# This is taken from http://wiki.tcl.tk/772
+switch $tcl_platform(platform) {
+   unix {
+   set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+   } macintosh {
+   set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+   } default {
+   set tmpdir [pwd]
+   catch {set tmpdir $::env(TMP)}
+   catch {set tmpdir $::env(TEMP)}
+   }
+}
+set t [file join $tmpdir [pid]]
+set access [list RDWR CREAT EXCL TRUNC]
+set perm 0600
+if {[catch {open $t $access $perm} fid ]} {
+# something went wrong
+error "Could not open tempfile."
+ }
+if {[catch {close $t} err]} {
+ error "Failed closing temporary file: $err"
+}
 if {![catch {exec diff $f1 $f2 > $t}]} {
return 1
 }
@@ -50,6 +72,9 @@
break
 }
 close $in
+if {![catch {exec rm $t}]} {
+ error "Failed removing temporary file"
+}
 return $same
 }
 
diff -Nru gs-gpl-8.01.orig/toolbin/gsindent gs-gpl-8.01/toolbin/gsindent
--- gs-gpl-8.01.orig/toolbin/gsindent   2002-02-21 23:44:45.0 +0100
+++ gs-gpl-8.01/toolbin/gsindent2005-01-20 09:21:46.0 +0100
@@ -21,12 +21,13 @@
 # The perl invocations work around a bug in GNU indent.
 
 if [ $# -ne 0 ]; then
+tempfile=`mktemp -t || tempfile` || { echo "$0: Cannot create temporary 
file" >&2; exit 1; }
 for f in $*
 do
-   $0 < $f > /tmp/$$
+   $0 < $f > $tempfile
cp -p $f $f.bak
if ( test ! -e $f~ ) then cp -p $f $f~; fi
-   mv /tmp/$$ $f
+   mv $tempfile $f
 done
 exit
 fi
diff -Nru gs-gpl-8.01.orig/toolbin/gssubst gs-gpl-8.01/toolbin/gssubst
--- gs-gpl-8.01.orig/toolbin/gssubst2002-02-21 23:44:45.0 +0100
+++ gs-gpl-8.01/toolbin/gssubst 2005-01-20 09:24:18.0 +0100
@@ -35,7 +35,27 @@
 }
 puts "$from => $to"
 flush stdout
-set tmp /tmp/[pid]
+switch $tcl_platform(platform) {
+   unix {
+   set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+   } macintosh {
+   set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+   } default {
+   set tmpdir [pwd]
+   catch {set tmpdir $::env(TMP)}
+   catch {set tmpdir $::env(TEMP)}
+   }
+}
+set tmp [file join $tmpdir [pid]]
+set access [list RDWR CREAT EXCL TRUNC]
+set perm 0600
+if {[catch {open $tmp $access $perm} fid ]} {
+# something went wrong
+   error "Could not open tempfile."
+}
+if {[catch {close $tmp} err]} {
+   error "Failed closing temporary file: $err"
+}
 foreach f [lreplace $argv 0 1] {
 if {![file exists $f~]} {exec cp -p $f $f~}
 exec perl -pe "s\{\\b${from}\\b\}\{${to}\}g" < $f > $tmp
diff -Nru gs-gpl-8.01.orig/toolbin/makeset.tcl gs-gpl-8.01/t

Bug#291376: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi

[Javier Fernández-Sanguino Peña]

Package: cdrtools
Version: 4:2.01+01a01-2
Priority: minor
Tags: security patch

Cdrtools has some code (and default configuration) that suggests users that 
want to debug its behaviour to open up a can of worms associate to insecure 
temporary files usage. The Debug file defined in the configuration will 
just be fopened() without any checks and is thus vulnerable to symlink 
attacks.

The attached patch tries to fix this minor bug (not many users will really 
enabled DEBUG) by introducing a check in rscsi.c to avoid being vulnerable 
to symlink attacks and by modifying the provided config file telling users 
to use safe locations for debug files. The patch introduces a DoS condition 
(if somebody has created the file the program will exit) and that's why 
users are suggested (in the comments of the configuration file) to use a 
safe location (not /tmp) for debugging.

Regards

Javier
diff -Nru cdrtools-2.01+01a01.old/rscsi/rscsi.c 
cdrtools-2.01+01a01/rscsi/rscsi.c
--- cdrtools-2.01+01a01.old/rscsi/rscsi.c   2003-11-26 01:28:27.0 
+0100
+++ cdrtools-2.01+01a01/rscsi/rscsi.c   2005-01-20 12:41:21.0 +0100
@@ -163,8 +163,19 @@
debug_name = *argv;
 #endif
 
-   if (debug_name != NULL)
-   debug_file = fopen(debug_name, "w");
+   if (debug_name != NULL) {
+   /* Try to be careful when opening debug files, might be
+* created in an unsafe location 
+* */
+   int fd = open(debug_name, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 
0600);
+   if (fd > -1) 
+   debug_file = fdopen(fd, "w");
+   else {
+   rscsirespond(-1, geterrno());
+   exit(EX_BAD);
+   }
+   }
+

if (argc > 0) {
if (debug_file == 0) {
diff -Nru cdrtools-2.01+01a01.old/rscsi/rscsi.dfl 
cdrtools-2.01+01a01/rscsi/rscsi.dfl
--- cdrtools-2.01+01a01.old/rscsi/rscsi.dfl 2000-11-14 02:24:03.0 
+0100
+++ cdrtools-2.01+01a01/rscsi/rscsi.dfl 2005-01-20 12:42:57.0 +0100
@@ -9,10 +9,11 @@
 
 # 
 # The file where debug info should go to.
-# If you don't like debugging (e.g. for speed) comment out
-# the this line.
+# This is commented out by default to speed up the program.
+# If you enable it make sure you substitute SAFE_DIR to a safe directory
+# to debug to.
 #
-#DEBUG=/tmp/RSCSI
+#DEBUG=SAFE_DIR/rscsi.dbg
 
 #
 # Each USER= entry adds the listed user to the users who may run rscsi


signature.asc
Description: Digital signature

Bug#291378: mysql-server: Security fixes pending in experimental version

[Javier Fernández-Sanguino Peña]

Package: mysql-server
Version: 4.1.7-2
Priority: grave
Tags: experimental

Just a quick note to tell that there are several symlink vulnerabilities in
the experimental version of mysql-server which have been fixed in sid's. 
This includes (but is not limited to) mysqlaccess (#291122), and
mysql_install_db.sh

Just so these are reviewed before the package is moved into sid (although 
they are fixed upstream, so a new version should fix them too)

Regards

Javier


signature.asc
Description: Digital signature

Bug#291389: tcl: No tempfile/mktemp/mkstemp implementation in toolkit language

[Javier Fernández-Sanguino Peña]

Package: tcl8.4
Version: 8.4.9-1
Priority: wishlist
Tags: security upstream

As part of a security audit review done by the Debian Security Audit Team 
[1] I've found a number of bugs related to insecure usage of temorary 
files. Things like:

set tmpf /tmp/something[pid]
catch {eval exec someprogram > $tmpf} 

or
set filename "/tmp/something_[pid]"
file delete $filename
set fid [open $filename w]

are quite common, as well as insecure. Shell or Perl programmers who do
this can be hitten by a cluebat because they don't use the standard
tempfile creation mechanisms, that is: mktemp|||tempfile and File::Temp. 
That is not the case for tcl programmers since the tcl language lacks a
tempfile() or mktemp() implementation. 

I'm going to start reporting these bugs and provide patches for them, but 
patches are rather intrusive because of this lack of standarisation on how 
tempfiles (and directories) should be created when programming in Tcl/Tk.

It would be great if Debian developers could help Tcl upstream developers 
in providing a proper implementation for this, thus closing TIP #210 
(http://www.tcl.tk/cgi-bin/tct/tip/210.html). For the time being I will be 
using the recommendations defined in Tcl's wiki (http://wiki.tcl.tk/772) 
even if that means having to write big (an intrusive) patches to fix simple 
scripts :(

Regards

Javier

[1] http://www.debian.org/security/audit


signature.asc
Description: Digital signature

Bug#293037: honeyd: FTBFS (amd64/gcc-4.0): invalid lvalue in assignment

[Javier Fernández-Sanguino Peña]

tags 293037 confirmed pending upstream
thanks

On Mon, Jan 31, 2005 at 09:33:34PM +0100, Andreas Jochens wrote:
> Package: honeyd
> Severity: normal
> Tags: patch
> 
> When building 'honeyd' on amd64 with gcc-4.0,
> I get the following error:

Thanks, I've forwarded this upstream and he has acknowledged this as a bug. 
It will be fixed in the next honeyd release.

Regards

Javier


signature.asc
Description: Digital signature

Bug#293842: lifelines: Duplicate files with lifelines-reports

[Javier Fernández-Sanguino Peña]

Package: lifelines
Version: 3.0.40-1
Priority: important
Tags: patch

The lifelines packages contains all the files under /usr/share/lifelines/ 
that the package lifelines-reports also provides thus making installation 
of both packages impossible. If you unpack the .deb file and check its 
contents you will see the following:

lifelines
`-- usr
(...)
|-- sbin
`-- share
|-- doc
|   `-- lifelines
(...)
|-- lifelines
|   |-- 2ppage.ll
|   |-- 4gen1.ll
|   |-- 6gen1.ll
|   |-- 8gen1.ll
|   |-- BW_descendants.ll
|   |-- CREDIT
|   |-- README

(...)

The same .ll files are provided in lifelines-reports. Attached is a patch 
that should fix this issue, it also provides other reports (provided in 
subdirectories) into the lifelines-report package.

BTW, shouldn't lifelines "Recommend:" lifelines-reports?

Regards

Javier
--- rules.orig  2005-02-06 10:37:12.0 +0100
+++ rules   2005-02-06 10:41:51.0 +0100
@@ -116,8 +116,12 @@
cp $(CURDIR)/debian/add-ons/llines $(DESTDIR)/usr/bin/llines 
chmod 755 $(DESTDIR)/usr/bin/llines 
chmod 755 $(DESTDIR)/usr/share/lifelines/gen_index
-   cp reports/*.ll `pwd`/debian/lifelines-reports/usr/share/lifelines
-   chmod 644 `pwd`/debian/lifelines-reports/usr/share/lifelines/*.ll
+   # Copy all the contents of the reports directory to the
+   # lifelines-report package
+   rm -rf $(DESTDIR)/usr/share/lifelines/
+   cp -a reports/* `pwd`/debian/lifelines-reports/usr/share/lifelines
+   find `pwd`/debian/lifelines-reports/usr/share/lifelines/ -type f \
+   -exec chmod 644 {} \;
cp $(CURDIR)/.linesrc $(CURDIR)/linesrc
 
# Icon for menus


signature.asc
Description: Digital signature

Bug#294127: mozilla-firefox: Insecure /tmp usage in /usr/lib/mozilla-firefox/run-mozilla.sh

[Javier Fernández-Sanguino Peña]

Package: mozilla-firefox
Version: 1.0+dfsg.1-4
Priority: normal
Tags: patch security

The run-mozilla.sh script provided at /usr/lib/mozilla creates temporary
files when running with 'debugging' enabled in an unsafe way. Please see
the attached patch for a proposed fix.

I'm not setting this as a higher priority since that code is not intented 
for end users, and the broken code only is executed if debugging is 
enabled. Something which, probably, only a few users will do.

Regards

Javier

--- run-mozilla.sh.orig 2005-02-08 01:52:35.0 +0100
+++ run-mozilla.sh  2005-02-08 01:54:27.0 +0100
@@ -249,16 +249,18 @@
fi
 if [ -x "$debugger" ] 
 then
-echo "set args ${1+"$@"}" > /tmp/mozargs$$ 
+   tmpfile=`mktemp -t` || { echo "Cannot create temporary file" >&2; exit 
1; }
+   trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+echo "set args ${1+"$@"}" > $tmpfile
 # If you are not using ddd, gdb and know of a way to convey the arguments 
 # over to the prog then add that here- Gagan Saksena 03/15/00
 case `basename $debugger` in
-gdb) echo "$debugger $prog -x /tmp/mozargs$$"
-$debugger "$prog" -x /tmp/mozargs$$
+gdb) echo "$debugger $prog -x $tmpfile"
+$debugger "$prog" -x $tmpfile
exitcode=$?
 ;;
-ddd) echo "$debugger --debugger \"gdb -x /tmp/mozargs$$\" $prog"
-$debugger --debugger "gdb -x /tmp/mozargs$$" "$prog"
+ddd) echo "$debugger --debugger \"gdb -x $tmpfile\" $prog"
+$debugger --debugger "gdb -x $tmpfile" "$prog"
exitcode=$?
 ;;
 *) echo "$debugger $prog ${1+"$@"}"
@@ -266,7 +268,6 @@
exitcode=$?
 ;;
 esac
-/bin/rm /tmp/mozargs$$
 else
 echo "Could not find a debugger on your system." 
 fi


signature.asc
Description: Digital signature

Bug#294128: alsa-utils: Concerns due to unsafe /tmp usage in alsaconf

[Javier Fernández-Sanguino Peña]

Package: alsa-utils
Version: 1.0.8-1
Priority: important
Tags: security upstream

While doing a security audit review of Debian packages for unsafe usage of 
/tmp I've found this in alsa-utils' alsaconf:

   CARDID_DB=/var/tmp/alsaconf.cards
if [ ! -r $CARDID_DB ]; then
use_modinfo_db=1
fi
(...)
if [ $use_modinfo_db = 1 ]; then
xecho "Building card database.."
build_card_db $CARDID_DB
fi

build_card_db is a function in alsaconf that starts like this:

build_card_db () {
MODDIR=/lib/modules/`uname -r`
last_driver=""
echo -n > $1
(...)

This code is prone to a race condition since the CARDID_DB file is not 
created inmediately, but created later on. Since alsaconf can only be used 
by root this means that a rogue local user could have root overwrite any 
files through a symlink attack by exploiting that race condition. Notice, 
also, that the test for CARDID_DB is [ -r ] when it should really be [ -e ]

I'm not sure how to best fix this (since CARDID_DB seems to be created 
under /var/tmp so it's not removed after reboots) but it looks like it 
should, at least, check if the file exists and create it inmediately 
afterwards. Also, the script should use the 'noclobber' and -e options for 
additional safety.

Regards

Javier


signature.asc
Description: Digital signature

Bug#292019: removal judgement for binstats

[Javier Fernández-Sanguino Peña]

On Thu, Feb 24, 2005 at 05:51:36PM +0100, Gaudenz Steinlin wrote:
> Hi Javier
> 
(...)
> 
> Below you find my report about binstats. Your package makejail depends
> on binstats and I wanted to ask you if you would like to adopt it.

Let me review the current status. I will probably adopt it.

Thanks for the info.

Regards

Javier


signature.asc
Description: Digital signature

Bug#297216: mozilla-browser: Insecure /tmp usage in /usr/lib/mozilla/run-mozilla.sh

[Javier Fernández-Sanguino Peña]

Package: mozilla-browser
Version: 2:1.7.5-1
Priority: normal
Tags: patch security

The run-mozilla.sh script provided at /usr/lib/mozilla/ creates temporary
files when running with 'debugging' enabled in an unsafe way. Please see
the attached patch for a proposed fix.

I'm not setting this as a higher priority since that code is not intented 
for end users, and the broken code only is executed if debugging is 
enabled. Something which, probably, only a few users will do.

BTW, I also submitted this bug against mozilla-firefox as #294127 which has 
an identical run-mozilla.sh script

Regards

Javier


--- run-mozilla.sh.orig 2005-02-08 01:52:35.0 +0100
+++ run-mozilla.sh  2005-02-08 01:54:27.0 +0100
@@ -249,16 +249,18 @@
fi
 if [ -x "$debugger" ] 
 then
-echo "set args ${1+"$@"}" > /tmp/mozargs$$ 
+   tmpfile=`mktemp -t` || { echo "Cannot create temporary file" >&2; exit 
1; }
+   trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+echo "set args ${1+"$@"}" > $tmpfile
 # If you are not using ddd, gdb and know of a way to convey the arguments 
 # over to the prog then add that here- Gagan Saksena 03/15/00
 case `basename $debugger` in
-gdb) echo "$debugger $prog -x /tmp/mozargs$$"
-$debugger "$prog" -x /tmp/mozargs$$
+gdb) echo "$debugger $prog -x $tmpfile"
+$debugger "$prog" -x $tmpfile
exitcode=$?
 ;;
-ddd) echo "$debugger --debugger \"gdb -x /tmp/mozargs$$\" $prog"
-$debugger --debugger "gdb -x /tmp/mozargs$$" "$prog"
+ddd) echo "$debugger --debugger \"gdb -x $tmpfile\" $prog"
+$debugger --debugger "gdb -x $tmpfile" "$prog"
exitcode=$?
 ;;
 *) echo "$debugger $prog ${1+"$@"}"
@@ -266,7 +268,6 @@
exitcode=$?
 ;;
 esac
-/bin/rm /tmp/mozargs$$
 else
 echo "Could not find a debugger on your system." 
 fi






signature.asc
Description: Digital signature

Bug#297488: autoconf: Autoupdate removes temporary file twice and mktemp fix

[Javier Fernández-Sanguino Peña]

Package: autoconf
Version: 2.13-53
Severity: normal
Tags: patch 

Removing the same temporary file twice is bad programming practice (and can
have unexpected consequences) , it seems that when autoconf's autoupdate
was patched to fix a security bug a programming bug was introduced.

Also, since mktemp already implements (through -t) a way to use either /tmp 
or $TMPDIR, it's not a good idea to force it to use /tmp even though the 
user might want all his temporary files in $TMPDIR. 

Both issues are fixed in the attached patch, which should speak fo 
itself.

Regards

Javier


autoconf-autoupdate.sh
Description: Bourne shell script


signature.asc
Description: Digital signature

Bug#297746: harden-doc: configuring iptables firewall section needs to be updated

[Javier Fernández-Sanguino Peña]

> 5.14 Adding firewall capabilities
> 5.14.1 Firewalling the local system
> 5.14.3.1 Doing it the Debian way
> 
> since i'm going to be doing this on a few machines anyway in the
> next couple days, i can provide a patch for you if you like.

Feel free to send me a patch for this. As for the "recommended policies" 
there are none, since the iptables maintainer forces people to use external 
mechanisms to generate the firewall configuration :-(

In any case, last time I looked 'save_active' worked (even though "save
active" is now used). Please take into account that people running woody
systems use this document so, if there are changes between releases, they
should be documented as such, please don't just tell me to change
'save_active' to 'save active'.

Also, please consider fixing some of the 'FIXME's in that section :-)

Regards

Javier


signature.asc
Description: Digital signature

Bug#297889: tiger: should depend on newer version of sed

[Javier Fernández-Sanguino Peña]

On Thu, Mar 03, 2005 at 01:23:48PM +0100, Christoph Martin wrote:
> Package: tiger
> Version: 1:3.2.1-19
> Severity: important
> 
> 
> tiger is not working correctly with version 3.02-8 of sed from woody.
> Please depend on version 4.1.2-8 from sid.
> 

What is the specific issue you encountered? I would appreciate if you could
detail the information more...

Regards

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#298114: Nvi: Improved init.d recover file that fixes security bugs

[Javier Fernández-Sanguino Peña]

Package: nvi
Version: 1.79-21
Priority: grave
Tags: security patch woody sid
Justification: local DoS

(Note: The bugs I talk about in this report have been present in Debian's
nvi for ages. Actually, OpenBSD provides an alternate 'recover'
implementation (attached) written in Perl that fixes most of this stuff in
probably a better way since it includes additional cheks than my patch to
the init.d file (also attached).)

Doing a security audit review of /tmp usage I've found that the
/etc/init.d/nviboot (it is also provided with other names in woody in the
nvi-m17n source package) is not coded in order to prevent some situations
that could be forced by local users to generate unexpected events. The fact
that this script runs as root on startup makes the bugs serious even if a
direct attack is not self evident.

The script has the following issues:

- Will run even if the binary and directory it uses are not available
- Will interpret any file even if it has been created by non-interactive 
users that do not normally create vi.recover files
- Will follow symlinks
- Will work with directories, even if this generates errors later on (when 
trying to read from them)
- PATH is unset

All of these are fixed in the attached patch.

If you think that the patch is not worth it, consider the following 
hypotheses:

- A local user symlinks "recover.test" to /dev/zero: will cause a DoS when
the system whenever the system starts up. This is a local attack.

- A remote user compromises a service server in which mail use is
restricted to a given group (this is non-standard configuration, can be 
implemented through capabitities or just chmoding 660 /usr/sbin/sendmail 
or whatever it points to) and creates a "recover.test" file with:
.
To: hacker
From: root
X-vi-recover-path: /etc/passwd

System rebooted!

.
.

He will get a mail whenever the system is rebooted. This can also be used 
by local users to play tricks on other users ("I just got a mail from 
root saying I should change my password to '11'" :-)

- A bug is found in exim's implementation of sendmail -t (buffer overflow
when parsing headers?). When 'sendmail -t' is run with a rogue
'recover.hackme' file a local user can attempt a privilege escalation when
the server is rebooted since 'sendmail -t' will be run on whatever is in 
/var/tmp/vi.recover as root.

- A local user creates a "recover.test" directory: error on startup


The patch:

- will delete any symlink files found in /var/tmp/vi.recover

- will refuse to work with directories that resemble recover files

- will call the sendmail binary with lower (nobody) privileges to prevent a 
bug in sendmail from becoming a privilege escalation possibility.

- will delete any files found if they don't below to a "Joe user". It has 
the cavea that root nvi recover sessions will also be removed (probably 
one of the few admin user which will use nvi often). This behaviour can be 
switched on or off.

- will set a proper PATH

Please include this patch or a similar one in the next release.
BTW, an alternative for the "won't send mails of admin users" it to not 
honor the content of the recover file and mail to the owner of the file 
(instead of to whomever the file says to in its 'To:' 'Resent-To', 'Bcc:', 
'Cc:', 'Resent-Cc:' and 'Resent-Bcc:'

Thanks

Javier

--

--- init.orig   2005-03-01 00:18:16.0 +0100
+++ init2005-03-01 00:49:38.0 +0100
@@ -3,8 +3,20 @@
 #
 # Script to recover nvi edit sessions.
 #
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
 RECDIR=/var/tmp/vi.recover
 SENDMAIL=/usr/sbin/sendmail
+SYSTEMUIDS="no"
+
+[ ! -x "$SENDMAIL" ] && exit 0
+[ ! -d "$RECDIR" ] && exit 0
+
+FIRST_UID=""
+if [ -r /etc/adduser.conf ] ; then
+   FIRST_UID=`grep ^FIRST_UID /etc/adduser.conf | awk -F = '{print $2}'`
+fi
+# Sane default
+[ -z "$FIRST_UID" ] && FIRST_UID=1000
 
 case "$1" in
   start)
@@ -18,8 +30,15 @@
 # would only happen if some loser is playing games with
 # embedded spaces in vi recovery file names
 i=$RECDIR/${i#$RECDIR/}
+   # Nvi editor backup files should not be symlinks.
+   # Delete them
+   if test -L $i ; then
+   rm $i
+   continue
+   fi
+
# Only test files that are readable.
-   if test ! -r $i; then
+   if test ! -r $i -o test ! -f $i; then
continue
fi
 
@@ -27,7 +46,17 @@
# execute bit set or are zero length.  Delete them.
if test -x $i -o ! -s $i; then
rm $i
+   continue
fi
+
+
+   # Files that belong to administrative users are
+   # discarded
+   if [ "$SYSTEMUIDS" = "no" ] &&

Bug#120640: Please review this bug

[Javier Fernández-Sanguino Peña]

On Sun, Mar 06, 2005 at 03:17:11PM +0100, Ola Lundqvist wrote:
> I can not reproduce the stalling process anymore.
> It is not very good at determining the os though. But that is an
> other issue.

Yes, actually that's #182896. I've looked into it this weekend, and have 
produced some preliminary code. I have yet to integrate it with Cheops so 
that it can actually work out and (maybe) also use some nice xpm files for 
those OS that Cheops doesn't have an xpm file for.

In any case, it'll take a while to fix since the current queso code is 
merged into Cheops in a nice way and I would actually like to do this with 
nmap too (instead of just running 'nmap -O -F $ip' and parsing the result). 
I would appreciate help in this, however, and I will probably mark the bug 
accordingly.

> So I'm closing this bug now.

Thanks, one less bug.

Regards

Javier


signature.asc
Description: Digital signature

Bug#298423: cheops: FTBFS: missing Build-Depends

[Javier Fernández-Sanguino Peña]

On Mon, Mar 07, 2005 at 02:26:07PM +0100, Kaare Hviid wrote:
> Package: cheops
> Version: 0.61-11
> Severity: serious
> 
> FTBFS in pbuilder and apparently all buildds:
> 
> gcc -g -O2 -Wall -DDEFAULT_PATH=\"/usr/share/cheops\" 
> -DLIB_PATH=\"/usr/lib/cheops\" -I/usr/include/gtk-1.2 -I/usr/include/glib-1.2 
> -I/usr/lib/glib/include -DINET6 -O2 -D_REENTRANT -Dlinux -I. -I/usr/include 
> -DSNMP -DHAS_GMODULE  -DINET6 -O2 -D_REENTRANT -Dlinux -I. -I/usr/include  -c 
> -o nmap-mod.o nmap-mod.c
> nmap-mod.c:48:18: pcap.h: No such file or directory
> 
> Adding "libpcap0.8-dev" to Build-Depends appears to do the trick.

Actually I fixed that already (by removing the pcap include). See 0.61-12,
uploaded this morning. But thanks for noticing. 

Regards

Javier


signature.asc
Description: Digital signature

Bug#292176: Patch for this bug (temporary)

[Javier Fernández-Sanguino Peña]

severity 296311 serious
merge 292176 296311
tags 292176 patch
thanks

Attached is a patch to temporarily fix this issue. A long term fix would 
mean:

- relocating the icons, but I'm not sure if that would break KDE's 
standards.

What's the standard in KDE related to icons of use only by an application? 
Should the kde_icondir value be redefined when configuring knetfilter so it 
points to /usr/share/icons/knetfilter instead of /usr/share/icons ?


- renaming the icons so that they are knetfilter specific. Names like 
'mark.png' 'probe.png' 'play.png' and 'stop.png are bound to have similar 
issues with other applications that provide KDE icons.


Regards

Javier
diff -Nru knetfilter-3.3.1.old/debian/changelog 
knetfilter-3.3.1/debian/changelog
--- knetfilter-3.3.1.old/debian/changelog   2005-03-08 10:19:27.0 
+0100
+++ knetfilter-3.3.1/debian/changelog   2005-03-08 10:18:30.0 +0100
@@ -1,3 +1,14 @@
+knetfilter (3.3.1-1.1) unstable; urgency=medium
+
+  * NMU for RC bugs.
+  * Conflict on kxsldbg which provides the same (mark) icon. This is
+  a temporary solution, however, either the icons should be renamed or
+  their location should be changed. The names are so generic that this
+  is bound to happen with other packages in the future. (Closes: #296311,
+  #292176)
+
+ -- Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>  Tue,  8 Mar 2005 
10:16:52 +0100
+
 knetfilter (3.3.1-1) unstable; urgency=low
 
   * New upstream release (Closes: #289420).
diff -Nru knetfilter-3.3.1.old/debian/control knetfilter-3.3.1/debian/control
--- knetfilter-3.3.1.old/debian/control 2005-03-08 10:19:27.0 +0100
+++ knetfilter-3.3.1/debian/control 2005-03-08 10:18:49.0 +0100
@@ -9,6 +9,7 @@
 Architecture: any
 Section: net
 Depends: ${shlibs:Depends}, iptables
+Conflicts: kxsldbg
 Description: GUI for configuring the 2.4 kernel IP Tables
  Knetfilter is a GUI to configure your 2.4 kernel IP firewalling,
  masquerading and NAT rules.
Los ficheros binarios knetfilter-3.3.1.old/debian/.control.swp y 
knetfilter-3.3.1/debian/.control.swp son distintos


signature.asc
Description: Digital signature

Bug#279483: Fix and NMU

[Javier Fernández-Sanguino Peña]

tags 279483 patch pending
thanks 

The attached patch should fix this, I'm making a NMU upload as this RC bug 
has been over 4 months unanswered.

Regards

Javier
diff -Nru susv3-6/debian/changelog susv3-6.1/debian/changelog
--- susv3-6/debian/changelog2004-10-26 23:57:11.0 +0200
+++ susv3-6.1/debian/changelog  2005-03-08 09:48:58.0 +0100
@@ -1,3 +1,13 @@
+susv3 (6.1) unstable; urgency=low
+
+  * NMU. 0-day as this is a rather easy fix and there has been no response
+from the maintainer since this was brought up 4 months ago.
+  * Do not preserve ownership or users when untarring the downloaded files
+by using --no-same-owner --no-same-permissions
+(Closes: #279483)
+
+ -- Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>  Tue,  8 Mar 2005 
09:47:32 +0100
+
 susv3 (6) unstable; urgency=low
 
   * Initial release (Closes: #274957)
diff -Nru susv3-6/debian/postinst susv3-6.1/debian/postinst
--- susv3-6/debian/postinst 2003-12-18 16:57:04.0 +0100
+++ susv3-6.1/debian/postinst   2005-03-08 09:47:28.0 +0100
@@ -7,7 +7,7 @@
 echo Fetching file...
 wget -P $TMPDIR 
http://www.opengroup.org/onlinepubs/007904975/download/susv3.tar.bz2
 echo Untaring...
-bunzip2 -cd $TMPDIR/susv3.tar.bz2 | tar xf - -C /usr/share/doc/susv3
+bunzip2 -cd $TMPDIR/susv3.tar.bz2 | tar xf - -C /usr/share/doc/susv3 
--no-same-permissions --no-same-owner
 
 rm -rf $TMPDIR
 


signature.asc
Description: Digital signature

Bug#298530: knetfilter: No manpages

[Javier Fernández-Sanguino Peña]

Package: knetfilter
Version: 3.3.1-1
Priority: normal

There are no manpages for some of the binaries in this package, most 
notably, there is no 'knetfilter' manpage at all:

$ lintian knetfilter_3.3.1-1.1_i386.deb
W: knetfilter: binary-without-manpage getip
W: knetfilter: binary-without-manpage getloop
W: knetfilter: binary-without-manpage getnetmask
W: knetfilter: binary-without-manpage kiptables-restore
W: knetfilter: binary-without-manpage kiptables-save
W: knetfilter: binary-without-manpage knetfilter

Regards

Javier


signature.asc
Description: Digital signature

Bug#298533: kdelibs4-dev: Unsafe use of temporary file in dcopidlng script

[Javier Fernández-Sanguino Peña]

Package: kdelibs4-dev
Version: 4:3.3.2-2
Priority: normal
Tags: patch security

Reviewing the Gentoo advisory GLSA 200503-14 [0] which refers to
CAN-2005-0365 I've checked out to see if our dcopidlng script was
vulnerable to the symlink attack found by Davide Madrisan even though it 
does not use /tmp (that's why I'm setting this bug as 'normal' severity 
instead of as 'important')

It seems ours (see version above) is not because the temporary file is 
created in the local directory (instead of in /tmp) directly, however, the 
creation does provide a way for a race condition.

I think the attached patch is a better fix for this issue than the one 
provided by Gentoo [1]. There are several bugs in Gentoo's fix:

1- The file is removed twice (once in the trap and once at the end of the 
fix)
2- Leaving temporary files in the home directory might not be good. Mktemp 
-t is better since users can set their TMPDIR environment variable to point 
to "/home/user/tmp" if they want to, but users without a home directory 
(think chroot) will work in any case (failsback to /tmp)
3- The temporafy file is still being create in an unsafe way (but in a safe 
directory), mktemp does this better

So, please use the attached patch (and maybe forward it upstream) for a 
next release.

Regards

Javier


[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=51120&action=view
--- dcopidlng.orig  2005-03-08 10:49:43.0 +0100
+++ dcopidlng   2005-03-08 10:51:08.0 +0100
@@ -1,15 +1,16 @@
 #!/bin/sh
 
-trap "rm -f dcopidlng.stderr.$$"
+tmpfile=`mktemp -t dcopidlng.XX` || { echo "$0: Cannot create temporary 
file" >&2; exit 1;  }
+trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
 
 if test -z "$KDECONFIG"; then
 KDECONFIG=kde-config
 fi
 LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> 
dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> 
$tmpfile
 RET=$?
 if [ $RET -ne 0 ]
 then
-   cat dcopidlng.stderr.$$ >&2
+   cat $tmpfile >&2
 fi
 exit $RET


signature.asc
Description: Digital signature

Bug#298536: Openssh: Revised spanish debconf translation

[Javier Fernández-Sanguino Peña]

Package: openssh
Version: 1:3.8.1p1-8.sarge.4
Priority: wishlist
Tags: patch l10n

Please find attached a revised spanish translation for the OpenSSH package 
including the new debconf warnings.

Regards

Javier

#
# openssh debconf translation to spanish
# Copyright (C) 2003 Software in the Public Interest
# This file is distributed under the same license as the  package.
#
# Changes:
# - Initial translation
#Carlos Valdivia Yagüe <[EMAIL PROTECTED],etsit.upm.es>, 2003
# - Revision
#Javier Fernandez-Sanguino Peña <[EMAIL PROTECTED]>, 2004
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
# 
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/coordinacion
#   especialmente las notas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: openssh 3.6.1p2-11\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2004-10-06 13:54+0100\n"
"PO-Revision-Date: 2005-03-08 11:46+0100\n"
"Last-Translator: Javier Fernandez-Sanguino Peña <[EMAIL PROTECTED]>\n"
"Language-Team: Debian L10n Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=ISO-8859-15\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../templates.master:4
msgid "Generate new configuration file"
msgstr "Generar un nuevo fichero de configuración"

#. Type: boolean
#. Description
#: ../templates.master:4
msgid ""
"This version of OpenSSH has a considerably changed configuration file from "
"the version shipped in Debian 'Potato', which you appear to be upgrading "
"from. I can now generate you a new configuration file (/etc/ssh/sshd."
"config), which will work with the new server version, but will not contain "
"any customisations you made with the old version."
msgstr ""
"Esta versión de OpenSSH tiene un fichero de configuración considerablemente "
"diferente del incluido en Debian 'Potato', que es la versión desde la que "
"parece estar actualizando. Puede crear automáticamente un nuevo fichero de "
"configuración (/etc/ssh/sshd_config), que funcionará con la nueva versión "
"del servidor, pero no incuirá las modificaciones que hiciera en la versión "
"antigua."

#. Type: boolean
#. Description
#: ../templates.master:4
msgid ""
"Please note that this new configuration file will set the value of "
"'PermitRootLogin' to yes (meaning that anyone knowing the root password can "
"ssh directly in as root). It is the opinion of the maintainer that this is "
"the correct default (see README.Debian for more details), but you can always "
"edit sshd_config and set it to no if you wish."
msgstr ""
"Además, recuerde que este nuevo fichero de configuración dirá sí en la "
"opción «PermitRootLogin», por lo que cualquiera que conozca la contraseña de "
"root podrá entrar mediante ssh directamente como root. En opinión del "
"mantenedor ésta es la opción predeterminada más adecuada (puede leer README."
"Debian si quiere conocer más detalles), pero siempre puede editar "
"sshd_config y poner no si lo desea."

#. Type: boolean
#. Description
#: ../templates.master:4
msgid ""
"It is strongly recommended that you let me generate a new configuration file "
"for you."
msgstr ""
"Es muy recomendable que permita que se genere un nuevo fichero de "
"configuración ahora."

#. Type: boolean
#. Description
#: ../templates.master:23
msgid "Allow SSH protocol 2 only"
msgstr "Permitir sólo la versión 2 del protocolo SSH"

#. Type: boolean
#. Description
#: ../templates.master:23
msgid ""
"This version of OpenSSH supports version 2 of the ssh protocol, which is "
"much more secure.  Disabling ssh 1 is encouraged, however this will slow "
"things down on low end machines and might prevent older clients from "
"connecting (the ssh client shipped with \"potato\" is affected)."
msgstr ""
"Esta versión de OpenSSH soporta la versión 2 del protocolo ssh, que es mucho "
"más segura que la anterior. Se recomienda desactivar la versión 1, aunque "
"funcionará más lento en máquinas modestas y puede impedir que se conecten "
"clientes antiguos, como, por ejemplo, el incluido en «potato»."

#. Type: boolean
#. Description
#: ../templates.master:23
msgid ""
"Also please note that keys used for protocol 1 are different so you will not "
"be able to use them if you only allow protocol 2 connections."
msgstr ""
"También tenga en cuenta que las claves utilizadas para el protocolo 1 son "
"diferentes, por lo que no podrá usarlas si únicamente permite conexiones "
"mediante la versión 2 del protocolo."

#. Type: bool

Bug#147558: Patch for these bugs

[Javier Fernández-Sanguino Peña]

unmerge 167367
tags 167367 patch
tags 147558 patch
thanks

(Reviewing old bug reports) 

First off, I'm unmerging 167367 from the other bug reports as, after 
reading http://www.amanda.org/docs/install.html the issue with amanda is 
not related to the problem of not converting numeric ports to a proper 
xinetd conf but, actually, might be because 'groups = yes' needs to be 
specified here.

The attached patch should fix both issues (the port issue and the Amanda 
issue), it's slightly tested by myself with a modified inetd.conf file and 
seems to work OK.

Regards

Javier
--- xinetd-2.3.13.old/xinetd/xconv.pl   2003-02-27 23:16:25.0 +0100
+++ xinetd-2.3.13/xinetd/xconv.pl   2005-03-08 16:09:28.0 +0100
@@ -40,6 +40,9 @@
print "\tflags   = NAMEINARGS\n";
print "\tsocket_type = $command[1]\n";
print "\tprotocol= $command[2]\n";
+   if( $command[0] =~ /^\d+$/ ) {
+   print "\tport= $command[0]\n";
+   }
if( grep /no/, $command[3] ) {
print "\twait= no\n";
} else {
@@ -50,9 +53,28 @@
if( defined $user[1] ) {
print "\tgroup   = $user[1]\n";
}
+   # Amanda is a special case, it needs this, see
+   # http://www.amanda.org/docs/install.html and 
+   # Bug report #167367
+   if ( $command[6] =~ /usr\/lib\/amanda/ ) {
+   print "\tgroups  = yes\n";
+   }
if( grep /internal/, $command[5] ) {
print "\ttype= INTERNAL\n";
print "\tid  = $command[0]-$command[1]\n";
+   } elsif ( $command[5] =~ /\/usr\/sbin\/tcpd/ ){
+   # Tcp wrapping is already implemented in xinetd
+   print "\tserver  = $command[6]\n";
+   if ( defined $command[7] ) {
+   print "\tserver_args = ";
+   $i = 7;
+   while( defined $command[$i] ) {
+   print "$command[$i] ";
+   $i++;
+   }
+   print "\n";
+   }
+   
} else {
print "\tserver  = $command[5]\n";
print "\tserver_args = ";


signature.asc
Description: Digital signature

Bug#279484: Bug#279483: Fix and NMU

[Javier Fernández-Sanguino Peña]

On Tue, Mar 08, 2005 at 09:00:34AM -0500, Justin Pryzby wrote:
> On Tue, Mar 08, 2005 at 10:22:54AM +0100, Javier Fernández-Sanguino Peña 
> wrote:
> > tags 279483 patch pending
> > thanks 
> > 
> > The attached patch should fix this, I'm making a NMU upload as this RC bug 
> > has been over 4 months unanswered.
> Same as #279484 (susv2).  Are you planning on NMU that too?  BTW; I
> talked to the maintainer Jan 13, 2005, and he indicated that he hoped
> to upload shortly (but appears to have been bitten by Real Life).

I was not aware of it, but now that I see it I will fix with the attached 
patch.

Regards

Javier
diff -Nru susv2-1/debian/changelog susv2-1.1/debian/changelog
--- susv2-1/debian/changelog2004-10-26 23:55:44.0 +0200
+++ susv2-1.1/debian/changelog  2005-03-08 16:19:55.0 +0100
@@ -1,3 +1,13 @@
+susv2 (1.1) unstable; urgency=low
+
+  * NMU. 0-day as this is a rather easy fix and there has been no response
+from the maintainer since this was brought up 4 months ago.
+  * Do not preserve ownership or users when untarring the downloaded files
+by using --no-same-owner --no-same-permissions
+   (Closes: #279484)
+
+ -- Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>  Tue,  8 Mar 2005 
16:19:20 +0100
+
 susv2 (1) unstable; urgency=low
 
   * Initial release (Closes: #274956)
diff -Nru susv2-1/debian/files susv2-1.1/debian/files
--- susv2-1/debian/files1970-01-01 01:00:00.0 +0100
+++ susv2-1.1/debian/files  2005-03-08 16:22:04.0 +0100
@@ -0,0 +1 @@
+susv2_1.1_all.deb contrib/doc extra
diff -Nru susv2-1/debian/postinst susv2-1.1/debian/postinst
--- susv2-1/debian/postinst 2003-12-18 17:02:25.0 +0100
+++ susv2-1.1/debian/postinst   2005-03-08 16:21:58.0 +0100
@@ -7,7 +7,7 @@
 echo Fetching file...
 wget -P $TMPDIR 
http://www.opengroup.org/onlinepubs/007908799/download/susv2.tar.bz2
 echo Untaring...
-bunzip2 -cd $TMPDIR/susv2.tar.bz2 | tar xf - -C /usr/share/doc/susv2
+bunzip2 -cd $TMPDIR/susv2.tar.bz2 | tar xf - -C /usr/share/doc/susv2 
--no-same-permissions --no-same-owner
 
 rm -rf $TMPDIR
 
diff -Nru susv2-1/debian/susv2/DEBIAN/control 
susv2-1.1/debian/susv2/DEBIAN/control
--- susv2-1/debian/susv2/DEBIAN/control 1970-01-01 01:00:00.0 +0100
+++ susv2-1.1/debian/susv2/DEBIAN/control   2005-03-08 16:22:04.0 
+0100
@@ -0,0 +1,12 @@
+Package: susv2
+Version: 1.1
+Section: contrib/doc
+Priority: extra
+Architecture: all
+Depends: wget, bzip2
+Installed-Size: 48
+Maintainer: Jeff Bailey <[EMAIL PROTECTED]>
+Description: Fetch and install SUSv2 documentation
+ The Single Unix Specifications are not permitted to be generally
+ redistributed, so this is an installer that fetches them and installs
+ them in a Debian appropriate way.
diff -Nru susv2-1/debian/susv2/DEBIAN/md5sums 
susv2-1.1/debian/susv2/DEBIAN/md5sums
--- susv2-1/debian/susv2/DEBIAN/md5sums 1970-01-01 01:00:00.0 +0100
+++ susv2-1.1/debian/susv2/DEBIAN/md5sums   2005-03-08 16:22:04.0 
+0100
@@ -0,0 +1,3 @@
+44a0ac8bc9ebad239546f5135ee7baae  usr/share/doc/susv2/copyright
+ba3166e16ff3fb8f5ffafa16f5c4639f  usr/share/doc/susv2/changelog.gz
+21eff40c006987ecaf747ddff5430d46  usr/share/doc-base/susv2
diff -Nru susv2-1/debian/susv2/DEBIAN/postinst 
susv2-1.1/debian/susv2/DEBIAN/postinst
--- susv2-1/debian/susv2/DEBIAN/postinst1970-01-01 01:00:00.0 
+0100
+++ susv2-1.1/debian/susv2/DEBIAN/postinst  2005-03-08 16:22:04.0 
+0100
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+TMPDIR=$(mktemp -td) || exit 1
+
+echo Fetching file...
+wget -P $TMPDIR 
http://www.opengroup.org/onlinepubs/007908799/download/susv2.tar.bz2
+echo Untaring...
+bunzip2 -cd $TMPDIR/susv2.tar.bz2 | tar xf - -C /usr/share/doc/susv2 
--no-same-permissions --no-same-owner
+
+rm -rf $TMPDIR
+
+## Note: Keep debhelper token after so that files exist when they're being
+## registered.
+
+# Automatically added by dh_installdocs
+if [ "$1" = configure ] && which install-docs >/dev/null 2>&1; then
+   install-docs -i /usr/share/doc-base/susv2
+fi
+# End automatically added section
+
diff -Nru susv2-1/debian/susv2/DEBIAN/prerm susv2-1.1/debian/susv2/DEBIAN/prerm
--- susv2-1/debian/susv2/DEBIAN/prerm   1970-01-01 01:00:00.0 +0100
+++ susv2-1.1/debian/susv2/DEBIAN/prerm 2005-03-08 16:22:04.0 +0100
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+# Automatically added by dh_installdocs
+if [ "$1" = remove ] || [ "$1" = upgrade ] && \
+   which install-docs >/dev/null 2>&1; then
+   install-docs -r susv2
+fi
+# End automatically added section
+
+
+## Note:  Keep debhelper token before so that this package behaves
+## like other packages - The files should still exist when the debhelper
+## bits runs.
+
+rm -rf /usr/share/doc/susv2/susv2
+
Los ficheros binarios susv2-1/debian/susv2/usr/share/doc/susv2/cha

Bug#279484: Bug#279483: Fix and NMU

[Javier Fernández-Sanguino Peña]

On Tue, Mar 08, 2005 at 11:06:28AM -0500, Justin Pryzby wrote:
> Okay.  FYI it appears that dh_clean was not called, as your patch
> includes things I would not expect (and which were not present in the
> other patch), such as DEBIAN/ and debian/files.  I'm not familiar with
> cdbs, so I'm not going to try to debug it.

Don't try, it's actually because I run the diff while the package was 
building. The attached diff is the correct one.

Regards

Javier
diff -Nru susv2-1/debian/changelog susv2-1.1/debian/changelog
--- susv2-1/debian/changelog2004-10-26 23:55:44.0 +0200
+++ susv2-1.1/debian/changelog  2005-03-08 16:19:55.0 +0100
@@ -1,3 +1,13 @@
+susv2 (1.1) unstable; urgency=low
+
+  * NMU. 0-day as this is a rather easy fix and there has been no response
+from the maintainer since this was brought up 4 months ago.
+  * Do not preserve ownership or users when untarring the downloaded files
+by using --no-same-owner --no-same-permissions
+   (Closes: #279484)
+
+ -- Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>  Tue,  8 Mar 2005 
16:19:20 +0100
+
 susv2 (1) unstable; urgency=low
 
   * Initial release (Closes: #274956)
diff -Nru susv2-1/debian/postinst susv2-1.1/debian/postinst
--- susv2-1/debian/postinst 2003-12-18 17:02:25.0 +0100
+++ susv2-1.1/debian/postinst   2005-03-08 16:21:58.0 +0100
@@ -7,7 +7,7 @@
 echo Fetching file...
 wget -P $TMPDIR 
http://www.opengroup.org/onlinepubs/007908799/download/susv2.tar.bz2
 echo Untaring...
-bunzip2 -cd $TMPDIR/susv2.tar.bz2 | tar xf - -C /usr/share/doc/susv2
+bunzip2 -cd $TMPDIR/susv2.tar.bz2 | tar xf - -C /usr/share/doc/susv2 
--no-same-permissions --no-same-owner
 
 rm -rf $TMPDIR
 


signature.asc
Description: Digital signature

Bug#298622: [INTL:es] Revised spanish debconf translation

[Javier Fernández-Sanguino Peña]

Package: netbase
Version: 4.20
Priority: wishlist
Tags: l10n patch

Please find attached a revised version of the spanish debconf translation 
in netbase. There were a few typos that are fixed by this version. I'm 
CCing the previous translator in case he wants to comment on it.

Regards

Javier
#
#Translators, if you are not familiar with the PO format, gettext
#documentation is worth reading, especially sections dedicated to
#this format, e.g. by running:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
#Some information specific to po-debconf are available at
#/usr/share/doc/po-debconf/README-trans
# or http://www.debian.org/intl/l10n/po-debconf/README-trans
#
#Developers do not need to manually edit POT or PO files.
#
# Carlos Valdivia Yagüe <[EMAIL PROTECTED]>, 2003
# Javier Fernández-Sanguino <[EMAIL PROTECTED]>, 2005
#
msgid ""
msgstr ""
"Project-Id-Version: netbase 4.20\n"
"POT-Creation-Date: 2003-03-08 17:41-0300\n"
"PO-Revision-Date: 2005-03-08 22:34+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian L10n Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=ISO-8859-15\n"
"Content-Transfer-Encoding: 8bit\n"

#. Description
#: ../netbase.templates:3
msgid "Important hint for users of radius software"
msgstr "Consejo importante para los usuarios de radius"

#. Description
#: ../netbase.templates:3
msgid ""
"The official port numbers of the radius service have been changed from 1645 "
"and 1646 to 1812 and 1813. If you use the radius service please make sure "
"that the client and server software both use the same port numbers."
msgstr ""
"Los puertos oficiales del servicio de radius han cambiado del 1645 y 1646 al "
"1812 y 1813. Si utiliza el servicio de radius, asegúrese de que tanto el "
"cliente como el servidor usen el mismo puerto."

#. Description
#: ../netbase.templates:10
msgid "The old portmapper is still running."
msgstr "Aún se está ejecutando el portmapper antiguo"

#. Description
#: ../netbase.templates:10
msgid ""
"The old portmapper is still running. This will cause problems, mainly that "
"\"/etc/init.d/portmap stop\" won't actually do anything. To fix this, I'm "
"going to try to forcibly stop portmap, and then restart it."
msgstr "Aún está funcionando el portmapper antiguo. Esto le causará problemas, 
entre otros el hecho de que «/etc/init.d/portmap stop» no parará el servicio. 
Se se va a intentar parar el portmapper a la fuerza para arreglaro, y se 
reiniciará a continuación."

#. Description
#: ../netbase.templates:17
msgid "/etc/init.d/netbase has been split."
msgstr "Se ha troceado /etc/init.d/netbase"

#. Description
#: ../netbase.templates:17
msgid "/etc/init.d/netbase is no longer required or used."
msgstr "Ya no se utiliza /etc/init.d/netbase."

#. Description
#: ../netbase.templates:17
msgid ""
"/etc/init.d/portmap (provided by the portmap package) now handles stopping "
"and starting the portmapper, /etc/init.d/inetd (provided by the netkit-inetd "
"package) handles stopping and starting inetd, and /etc/init.d/networking "
"handles spoof protection."
msgstr "/etc/init.d/portmap (incluido en el paquete portmap) inicia y para el 
portmapper, /etc/init.d/inetd (incluido en el paquete netkit-inetd) inicia y 
para el demonio inetd, y /etc/init.d/networking maneja la protección contra 
spoofing."

#. Description
#: ../netbase.templates:27
msgid "/etc/init.d/network superseded by /etc/network/interfaces"
msgstr "/etc/init.d/network ha sido reemplazado por /etc/network/interfaces"

#. Description
#: ../netbase.templates:27
msgid ""
"/etc/init.d/network is no longer directly supported. You may, of course, "
"continue using it to setup your networking, however new Debian installs will "
"use the ifup/ifdown commands to configure network interfaces based on the "
"settings in /etc/network/interfaces."
msgstr "Ya no se da soporte a /etc/init.d/network. Por supuesto, puede seguir 
usándolo para manejar su configuración de red, sin embargo, las instalaciones 
nuevas de Debian usarán las órdenes «ifup/ifdown» para configurar las 
interfaces de red, para ello se basarán en el contenido de 
/etc/network/interfaces."

#. Description
#: ../netbase.templates:27
msgid ""
"If you do convert to using /etc/network/interfaces in place of /etc/init.d/"
"network you will probably want to remove /etc/init.d/network and the /etc/"
"rcS.d/S40network symlink. These will not be touched by netbase or other "
"Debian packages in future."
msgstr ""
"Si pasa a usar /etc/network/interfaces en lugar de /etc/init.d/network "
"es probable que quiera borrar /etc/init.d/network y el enlace simbólico "
"/etc/rcS.d/S40network. Estos ficheros y enlaces ya no los tocará netbase "
"u otros paquetes Debian en el futuro."

#. Description
#: ../netbase.templates:27
msgid ""
"See the interfaces(5), ifup(8), and ifdown(8) man pages, and the comments "
"in /etc/network/interfaces, for in

Bug#298637: harden-doc: e.g., English HTML only

[Javier Fernández-Sanguino Peña]

tags 298637 wontfix
thanks

On Wed, Mar 09, 2005 at 05:53:08AM +0800, Dan Jacobson wrote:
> Package: harden-doc
> Version: 3.0.1.2
> Severity: wishlist
> 
> A common user might just want
> $ du /usr/share/doc/harden-doc/html/securing-debian-howto/*.en.*|
> awk '{m+=$1};END{print m}'
> 612
> 
> It's too bad that he has to get the whole 7616 blocks.
> Not sure the way to do this.

Well, I could break the package into the different languages, but it's not 
worth the effort, really, I don't want to provide (yet) different 
per-language packages.

Regards

Javier


signature.asc
Description: Digital signature

Bug#355064: avahi-daemon

[Javier Fernández-Sanguino Peña]

On Sat, Mar 04, 2006 at 11:07:25AM +0100, Loïc Minier wrote:
>  I'm doing my final pass on the deb-sec part of this discussion, I don't
>  intend to participate much further, no new arguments are popping up.

Quite sincerily, this discussion is getting nowhere. There are sufficient
arguments in this discussion to drive a truck through a wall, you just don't
want to heed them.

Some facts:

- rhythmbox does not mention music sharing *at*all* in the package
  description. Even the GUI doesn't mention this (when starting it up
  for the first time) nor the documentation (in it's 'Introduction')

- rhythmbox does not work properly if the discovery service (provided by
  ahavi-daemon) is not installed [1]

- music sharing on the same LAN is not something most desktop users want to
  do (most households in European countries have a single PC per household)

- (history shows...) network services, even if properly designed, are open to
  exploitation (the "all software has bugs" corollary)

So, IMHO:

- a default GNOME install should *not* install a network service, even if that
  enabled new features to the users. Consequently, if rhythmbox is part of
  the GNOME task, it should not pull in ahavi-daemon automatically 
  (a "Recommends:" is automatic for aptitude, not for apt-get, and aptitude
  is the tool we suggest in our Release Notes for upgrades)

- if rhythmbox has to be a part of the GNOME task, it should lower the
  ahavi-daemon dependency to a Suggests:

- rhythmbox should be fixed, if it doesn't work without ahavi-daemon, to
  popup a window when you try to share music [2] and tell the user what 
  steps it needs to take to enable that

I'm CC'ing this to the bug report and open bugs to rhythmbox accordingly.

Regards

Javier


[1] Or so does "Loïc Minier" say, whileas, I've found that I only see this
when starting it up and all the features work just fine for me:
(rhythmbox:25826): Rhythmbox-WARNING **: Unable to start mDNS browsing

[2] It currently just says this when you set this on the Preferences:

(rhythmbox:25826): Rhythmbox-WARNING **: Unable to notify network of
music sharing



signature.asc
Description: Digital signature

Bug#355234: rhythmbox: No mention on why the ahavi-daemon is needed

[Javier Fernández-Sanguino Peña]

Package: rhythmbox
Version: 0.9.3.1-1
Severity: normal

Rhythmbox maintainer said [1] that one of the important features of
rhythmbox, and the reason why it tries to pull in avahi-daemon through
Recommends:, is that the music sharing feature is very important in this
software.

However:

- there is no mention of music sharing capabilities (or it being a required
  feature) in the package description
- music sharing is not described in the software documentation ("Music
  Player Manual"):

  $ grep -ri sharing /usr/share/gtk-doc/html/rhythmbox/
  $

- the README.Debian file does not explain why avahi-daemon is Recommend:ed

If music sharing is an (important) feature of the program it should be
documented. If a network service is required, and should be installed by
Debian users, it should be documented in the README.Debian file.

Regards

Javier


[1] In the discussion in debian-security started at
http://lists.debian.org/debian-security/2006/02/msg00060.html


signature.asc
Description: Digital signature

Bug#355238: rhythmbox: A user cannot see why he cannot "share" music

[Javier Fernández-Sanguino Peña]

Package: rhythmbox
Version: 0.9.3.1-1

When a user that has installed rhythmbox (through apt-get, which does not 
pull in Recommends:) starts up the application he gets a warning in STDERR:

(rhythmbox:25826): Rhythmbox-WARNING **: Unable to start mDNS browsing


If the user goes to Edit->Preferences->Sharing and marks 'Share my music'
another error shows up in STDERR:

(rhythmbox:25826): Rhythmbox-WARNING **: Unable to notify network of
music sharing

Users starting rhythmbox from an application menu in GNOME will *not* see
those warnings and will, indeed, wonder what does that option do (if they
don't have ahavi, nothing at all).

The application should, when that option is enabled, show a popup window
stating that it cannot do music sharing and (in Debian) state that you need
to have 'avahi-daemon' installed in order for that feature to work.

Regards

Javier


signature.asc
Description: Digital signature

Bug#355239: rhythmbox: Please lower avahi-daemon to Suggests:

[Javier Fernández-Sanguino Peña]

Package: rhythmbox
Version: 0.9.3.1-1
Package: wishlist

To a 'standard' user of rhythmbox [1], that just wants to play music, there is
really no need to share music services on a LAN. Base on #355234 this does
not seem to be even a documented or required feature but the fact that the
package Recommends: avahi-daemon gets some users (those that use aptitude,
instead of apt-get) to automatically install a network daemon service which,
as discussed in the debian-security [2] mailing list is a rather controversial
feature.

IMHO Rhythmbox should Suggest: and not Recommend: ahavi-daemon.

I'm filing as a different bug than #355064, since that one  asks the Gnome
maintainers to remove rhythmbox from the task, which is a different thing
altogether (although it was open for the very same reason: a user package
pulling in an unrequired network service)

Regards

Javier

[1] Whatever that is
[2] http://lists.debian.org/debian-security/2006/02/msg00060.html




signature.asc
Description: Digital signature

Bug#355238: rhythmbox: A user cannot see why he cannot "share" music

[Javier Fernández-Sanguino Peña]

On Sat, Mar 04, 2006 at 12:29:18PM +0100, Loïc Minier wrote:
> On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> > The application should, when that option is enabled, show a popup window
> > stating that it cannot do music sharing and (in Debian) state that you need
> > to have 'avahi-daemon' installed in order for that feature to work.
> 
>  I don't think that it's the sensible thing to do, the widgets, should
>  be disabled instead, and the requirement documented in the manual.

Well, if I enable a widget and then it disables automatically then I will get
a strange look in my face ("why did that happen?") an error window, IMHO, it's
the best way to tell the user why it didn't happen (and why the widget
is not enabled).

Regards

Javier


signature.asc
Description: Digital signature

Bug#355064: avahi-daemon

[Javier Fernández-Sanguino Peña]

On Sat, Mar 04, 2006 at 01:41:14PM -0500, Joey Hess wrote:
> > - a default GNOME install should *not* install a network service, even if 
> > that
> >   enabled new features to the users. Consequently, if rhythmbox is part of
> >   the GNOME task, it should not pull in ahavi-daemon automatically 
> >   (a "Recommends:" is automatic for aptitude, not for apt-get, and aptitude
> >   is the tool we suggest in our Release Notes for upgrades)
> 
> Does aptitude actually pull in new recommends when upgrading a package?
> IIRC it did not.

Well, since rhythmbox is part of the gnome task, and it was already included
in the gnome meta-package in sarge I guess you are correct (now).

However, for sid users, notice that rhythmbox depended on avahi-daemon from
version 0.9.2-3 (2006-01-22) until version 0.9.3-1 (2006-02-05).

So, any sid user that upgraded his system (even from sarge or etch) in those
two weeks (from January the 22nd to February the 5th) they *will* have avahi
installed regardless.

Also, any user that does a limite install and then installs the gnome
meta-package (not the gnome-desktop task with tasksel) will pull in avahi
too.

Regards

Javier


signature.asc
Description: Digital signature

Bug#276419: Announcing changes in su

[Javier Fernández-Sanguino Peña]

On Sun, Mar 05, 2006 at 02:06:45AM +0100, Nicolas François wrote:
> Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>
> samhain-2.0.10a/init/samhain.start.in

That (upstream) code is not used in the Debian package (the init script used
is  samhain-2.0.10a/debian/samhain.init

Regards

Javier


signature.asc
Description: Digital signature

Bug#374732: noshell: runas crashes

[Javier Fernández-Sanguino Peña]

On Wed, Jun 21, 2006 at 01:35:00AM +0200, Mrten wrote:
> i could attach strace if you want one?

Yes please, if you also use gdb to print out a dump trace it would be useful.

Thanks

Javier


signature.asc
Description: Digital signature

Bug#374732: noshell: runas crashes

[Javier Fernández-Sanguino Peña]

On Wed, Jun 21, 2006 at 10:23:49AM +0200, Mrten wrote:
> Om 08:01 op woensdag 21 juni 2006, Javier Fernández-Sanguino Peña:
> 
> > On Wed, Jun 21, 2006 at 01:35:00AM +0200, Mrten wrote:
> >> i could attach strace if you want one?
> 
> > Yes please, if you also use gdb to print out a dump trace it would be 
> > useful.
> 
> here you go...

It lookis like its the libc that's segfaulting, not runas. Could you please
use ltrace (instead of strace) to debug it and send me the output?

Thanks

Javier


signature.asc
Description: Digital signature

Bug#324978: GPL'ed vlc out of Etch

[Javier Fernández-Sanguino Peña]

On Wed, Jun 21, 2006 at 05:15:07PM +0200, Pierre Morin wrote:
> It doesn't seem to be a problem for other distros,
> does it ?

Other distros ship non-free software and violate license conditions in free
software. And your point is?

Regards

Javier


signature.asc
Description: Digital signature

Bug#375312: [EMAIL PROTECTED]: Suggestions for Securing-debian-howto, section 4.2.1]

[Javier Fernández-Sanguino Peña]

Package: harden-doc

>From the debian-doc ML:

- Forwarded message from Christophe Sahut <[EMAIL PROTECTED]> -

From: Christophe Sahut <[EMAIL PROTECTED]>
Date: Wed, 21 Jun 2006 15:40:40 +0200
To: debian-doc@lists.debian.org
Subject: Suggestions for Securing-debian-howto, section 4.2.1
User-Agent: Thunderbird 1.5.0.2 (X11/20060516)
List-Id: 

Hi,

 I think that this line :

 # lsof | grep dpkg- | awk '{print $1, $8}' | sort +0

should be replaced by something like :

 # lsof | grep  | awk '{print $1, $8}' | sort

I think that "dpkg-" is misleading.

Another suggestion is to replace $8 in awk by $9, and to pipe the 
command to 'uniq'.

Something like :

 # lsof | grep  | awk '{print $1, $9}' | sort | uniq

($8 print the node on sarge, I'm not sure it's the most usefull)

Regards,
--
Christophe Sahut


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


- End forwarded message -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#375705: http://www.debian.org/debian.css makes pages wider than the screen

[Javier Fernández-Sanguino Peña]

On Tue, Jun 27, 2006 at 05:25:51PM +, Miernik wrote:
> Package: www.debian.org
> Severity: normal
> 
> The CSS code in http://www.debian.org/debian.css will always make the
> page wider than browser window width, which results in an horizontal
> scrollbar, for example in Konqueror:

This doesn't seem to happen in Mozilla or Eiphany, however. There is no 
horizontal
scrollbar in the main page and I don't see it even if a resize the window (to
491 pixels wide in Epiphany or 422 pixels wide in Mozilla).

Regards

Javier


signature.asc
Description: Digital signature

Bug#372650: dbconfig-common: [INTL:es] Updated spanish translation

[Javier Fernández-Sanguino Peña]

Package: dbconfig-common
Version: 1.8.16
Priority: wishlist
Tags: l10n

Please use the attached file to update the Spanish translation of
dbconfig-common [1].

Thanks!

Javier


[1] It is based in the latest SVN copy as of June 10th, 2006
#
# dbconfig-common translation to spanish
# Copyright (C) 2005 Software in the Public Interest, SPI Inc.
# This file is distributed under the same license as the dbconfig-common 
# package.
#
# Changes:
# - Initial translation
# Javier Fernández-Sanguino, 2005
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
# 
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/coordinacion
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
#
msgid ""
msgstr ""
"Project-Id-Version: dbconfig-common\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-06-09 02:07+0200\n"
"PO-Revision-Date: 2006-06-10 23:46+0200\n"
"Last-Translator: Javier Fernandez-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=ISO-8859-15\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:4
msgid "Keep \"administrative\" database passwords in debconf?"
msgstr ""
"¿Desea guardar las contraseñas de «administración» de la base de datos en "
"debconf?"

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:4
msgid ""
"By default, you will be prompted for all administrator-level database "
"passwords when you configure, upgrade, or remove applications with dbconfig-"
"common.  These passwords will not be stored in debconf for any longer than "
"they are needed."
msgstr "Cuando configure, actualice o elimine una aplicación con 
«dbconfig-common» se le solicitarán las contraseñas de acceso de administración 
de la base de datos. Estas contraseñas sólo se almacenará en debconf durante el 
tiempo que sean necesarias."

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:4
msgid ""
"This behavior can be disabled, in which case the passwords will remain in "
"the debconf password database.  The debconf password database is protected "
"by unix file permissions, though this is less secure and thus not the "
"default setting."
msgstr "Puede deshabilitar este comportamiento de forma que las contraseñas se 
almacenarán en la base de datos de contraseñas de debconf. Esta base de datos 
de contraseñas está protegida con los permisos estándar de Unix. Esta opción no 
es segura y no es el valor por omisión."

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:4
msgid ""
"If you would rather not be bothered by for an administrative password every "
"time you upgrade a database application with dbconfig-common, you should "
"choose this option.  Otherwise, you should refuse this option."
msgstr ""
"Si no quiere que se le pregunte una contraseña de administración cada vez "
"que actualiza una aplicación con «dbconfig-common» que acceda a una base de "
"datos debería escoger esta opción. Sino, debería rechazarla."

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:22
msgid "Configure database for ${pkg} with dbconfig-common?"
msgstr "¿Desea configurar la base de datos para ${pkg} con «dbconfig-common»?"

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:22
msgid ""
"${pkg} must have a database installed and configured before it can be used.  "
"If you like, this can be handled with dbconfig-common."
msgstr ""
"Es necesario tener una base de datos instalada y configurada para ${pkg} "
"antes de poder utilizar éste. Puede gestionar esto a través «dbconfig-"
"common» si lo desea."

#. Type: boolean
#. Description
#: ../dbconfig-common.templates:22
msgid ""
"If you are an advanced database administrator and know that you want to "
"perform this configuration manually, or if your database has already been "
"installed and configured, you should refuse this option.  Details on what "
"needs to be done should most likely be provided in /usr/share/doc/${pkg}."
msgstr ""
"Si vd. es un administrador de bases de datos avanzado o si la base de datos "
"ya está instalada y configurada quizás quiera realizar esta configuración "
"manualmente, y debería rechazar esta opción. Probablemente podrá encontrar "
"los detalles de las operaciones que de

Bug#372700: euro-support-x depends on removed xfonts-base-transcoded

[Javier Fernández-Sanguino Peña]

On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> Package: euro-support-x
> Version: 1.33
> Severity: serious
> 
> Hi,
> 
> this package depends on the removed xfonts-base-transcoded.

When was this package removed? It still shows up in
http://packages.debian.org/unstable/x11/xfonts-base-transcoded
and is available in both sid and testing (in xorg-x11 6.9.0.dfsg.1-6)

Is there any replacement? 

Regards

Javier


signature.asc
Description: Digital signature

Bug#372700: euro-support-x depends on removed xfonts-base-transcoded

[Javier Fernández-Sanguino Peña]

On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> this package depends on the removed xfonts-base-transcoded.

BTW, this package did not depend: on it, xfonts-base-transcoded was in the
Recommends: line so I don't see why this bug would qualify as serious.

In any case, a new package has been uploaded removing the xfonts-transcoded
references...

Regards

Javier


signature.asc
Description: Digital signature

Bug#372700: euro-support-x depends on removed xfonts-base-transcoded

[Javier Fernández-Sanguino Peña]

On Sun, Jun 11, 2006 at 12:49:04PM -0700, Steve Langasek wrote:
> > When was this package removed? It still shows up in
> > http://packages.debian.org/unstable/x11/xfonts-base-transcoded
> > and is available in both sid and testing (in xorg-x11 6.9.0.dfsg.1-6)
> 
> It's been removed from unstable for a week.  I'm not sure where you're
> seeing that it's available in unstable, but that's bad information.

Well, I'm seeing it at packages.debian.org and my local package cache.

> > Is there any replacement? 
> 
> No, it was dropped because it was considered obsolete.  Is there a reason
> your package needs to depend on these?

Not really, I will remove it from the package and upload a new version.

Regards

Javier


signature.asc
Description: Digital signature

Bug#372700: euro-support-x depends on removed xfonts-base-transcoded

[Javier Fernández-Sanguino Peña]

On Mon, Jun 12, 2006 at 10:53:29AM +0200, Andreas Barth wrote:
> * Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]) [060611 23:47]:
> > On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> > > this package depends on the removed xfonts-base-transcoded.
> > 
> > BTW, this package did not depend: on it, xfonts-base-transcoded was in the
> > Recommends: line so I don't see why this bug would qualify as serious.
> 
> Eh? I think you should seriously check your package cache. According to
> the information on ftp-master in the packages-file:

I got confused with user-euro-es...

Javier


signature.asc
Description: Digital signature

Bug#373721: honeyd: depending on non-existent package libdnsres0

[Javier Fernández-Sanguino Peña]

On Thu, Jun 15, 2006 at 11:35:36AM +0200, Michael Prokop wrote:
> 
> # apt-get install honeyd
> [...]
> The following packages have unmet dependencies:
>   honeyd: Depends: libdnsres0 but it is not installable

It's in the NEW queue [1], it was a requirement for this release. Hopefully the
ftp masters will process that one soon...

In the meantime, if you want those packages I could put up a copy at
people.debian.org

Javier

[1] http://ftp-master.debian.org/new.html


signature.asc
Description: Digital signature

Bug#403539: smsclient: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: smsclient
Version: 2.0.8z-7
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
Jose Ignacio Méndez González and updated by myself. Please include it in the
next
upload.

Thanks

Javier
# smsclient po-debconf translation to spanish
# This file is distributed under the same license as the smsclient package.
#
# Changes:
# - Initial translation
#   Jose Ignacio Méndez González <[EMAIL PROTECTED]>, 2006
# - Revision and update
#   Javier Fernández-Sanguino , 2006
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
#
msgid ""
msgstr ""
"Project-Id-Version: smsclient 2.0.8z-7\n"
"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
"POT-Creation-Date: 2006-07-22 15:16+0100\n"
"PO-Revision-Date: 2006-12-17 21:17+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: note
#. Description
#: ../templates:1001
msgid "Configuration-Files partially moved"
msgstr "Se han movido parcialmente los archivos de configuración"

#. Type: note
#. Description
#: ../templates:1001
msgid ""
"If you are upgrading this package from a version prior to 2.0.8z please be "
"aware, that the config files containing phone numbers etc. has been moved "
"for /etc/smsclient/services to /usr/share/smsclient/services."
msgstr "Si está actualizando este paquete desde una versión anterior a la 
2.0.8z, por favor tenga en cuenta que se han movido los archivos de 
configuración que contienen números de teléfono,etc desde 
«/etc/smsclient/services» a «/usr/share/smsclient/services»."

#. Type: note
#. Description
#: ../templates:1001
msgid "You may need to move any locally changed config file as well."
msgstr ""
"Puede que necesite mover también cualquier archivo de configuración que haya 
"
"cambiado localmente."


signature.asc
Description: Digital signature

Bug#403845: debian-goodies: Missing manpage for dzgrep

[Javier Fernández-Sanguino Peña]

Package: debian-goodies
Version: 0.27

This package is missing a manpage for the dzgrep utility.

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#403844: debian-goodies: Missing manpage for dfgrep

[Javier Fernández-Sanguino Peña]

Package: debian-goodies
Version: 0.27

This package is missing a manpage for the dfgrep utility.

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#403843: debian-goodies: Missing manpage for degrep

[Javier Fernández-Sanguino Peña]

Package: debian-goodies
Version: 0.27

This package is missing a manpage for the degrep utility.

Javier


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#403950: harden-doc: typo ("Quick Reference Guide")

[Javier Fernández-Sanguino Peña]

On Wed, Dec 20, 2006 at 10:05:47PM +0100, Francesco Poli wrote:
> The problem is: why is that document referred to as the "Quick
> Reference Guide"?
> I thought the official title was "Debian Reference"!

Because the "old" name was "Quick Reference Guide". Will fix.

Javier


signature.asc
Description: Digital signature

Bug#403866: Checking All The Reference URLs

[Javier Fernández-Sanguino Peña]

On Wed, Dec 20, 2006 at 11:17:53AM +0200, Ozer Sarilar wrote:
> Since the manual at the website is essentially the same as the harden-doc
> package i guess it won't be a problem.

It's not a problem, the manual in the website is actually more current than
the harden-doc package.

> I will attach the report for the checkbot package for the time being.
> Also included is the file "
> harden-doc-3.9_Link_Corrections_Sorted_By_Chapters.txt" which has the
> corrected links for the files in this package.
> If they are useful, they can be integrated into the corresponding sgml files
> and sent/uploaded for review.

I will take some time to review those fixes and integrate them with the SGML
files myself.  I'm planning to do a major overhaul of the manual this month.

Thanks

Javier


signature.asc
Description: Digital signature

Bug#404084: mysql-dsfg-5.0: [INTL:es] Updated spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: mysql-dfsg-5.0
Version: 5.0.30-2

Attached is an updated of the Spanish po-debconf translation, fixing
untranslated and fuzzy strings. Sorry for not noticing this with the previous
bug and sending an updated file the very first time.

Regards

Javier

# mysql-dfsg-5 translation to spanish
# Copyright (C) 2005 Software in the Public Interest, SPI Inc.
# This file is distributed under the same license as the  package.
#
# Changes:
# - Initial translation
#   Jesus Aneiros , 2006
# - Updated
#   Javier Fernandez-Sanguino, 2006
# - Revision
#   Nacho Barrientos Arias
#   Fernando Cerezal
#   David Martínez Moreno
#   Ricardo Mones
#   Carlos Galisteo
#   Javier Fernandez-Sanguino
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
msgid ""
msgstr ""
"Project-Id-Version: mysql-dfsg-5.0_5.0.24-3\n"
"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
"POT-Creation-Date: 2006-12-19 00:57+0100\n"
"PO-Revision-Date: 2006-12-21 18:54+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian l10 Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:1001
msgid "Do you really want to downgrade?"
msgstr "¿Desea realmente instalar una versión anterior?"

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:1001
msgid ""
"WARNING: The file /var/lib/mysql/debian-*.flag exists. This indicates that a "
"mysql-server package with a higher version has been installed before. It can "
"not be guaranteed that this version can use its data."
msgstr ""
"ATENCIÓN: El archivo /var/lib/mysql/debian-*.flag existe. Esto indica que ya "
"se instaló una versión superior del paquete mysql-server. No se puede "
"garantizar que esta versión pueda usar sus datos."

#. Type: note
#. Description
#: ../mysql-server-5.0.templates:2001
msgid "Important note for NIS/YP users!"
msgstr "¡Nota importante para los usuarios de NIS/YP!"

#. Type: note
#. Description
#: ../mysql-server-5.0.templates:2001
msgid ""
"To use mysql you must install an equivalent user and group to the following "
"and ensure yourself that /var/lib/mysql has the right permissions (the uid/"
"gid may be different)."
msgstr ""
"Para utilizar mysql debe instalar un usuario y grupo equivalente al "
"siguiente y asegurarse de que /var/lib/mysql tiene los permisos correctos "
"(los valores del «uid» y del «gid» pueden ser diferentes)."

#. Type: note
#. Description
#: ../mysql-server-5.0.templates:2001
msgid ""
"/etc/passwd:  mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false"
msgstr ""
"/etc/passwd:  mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false"

#. Type: note
#. Description
#: ../mysql-server-5.0.templates:2001
msgid "/etc/group:   mysql:x:101:"
msgstr "/etc/group:   mysql:x:101:"

#. Type: note
#. Description
#: ../mysql-server-5.0.templates:2001
msgid "/var/lib/mysql:   drwxr-xr-x   mysqlmysql"
msgstr "/var/lib/mysql:   drwxr-xr-x   mysqlmysql"

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:3001
msgid "Remove the databases used by all MySQL versions?"
msgstr "¿Eliminar las bases de datos utilizadas por todas las versiones de 
MySQL?"

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:3001
msgid ""
"The script is about to remove the data directory /var/lib/mysql. If it is "
"planned to just install a higher MySQL version or if a different mysql-"
"server package is already using it, the data should be kept."
msgstr "Este guión va a eliminar el directorio de datos «/var/lib/mysql». 
Debería mantener los datos si tiene planificado instalar una versión de MySQL 
superior o ya hay un paquete «mysql-server» que los está utilizando."

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:4001
msgid "Should MySQL start on boot?"
msgstr "¿Debería ejecutarse MySQL al iniciarse el sistema?"

#. Type: boolean
#. Description
#: ../mysql-server-5.0.templates:4001
msgid ""
"The MySQL can start automatically on boot time or only if you manually type "
"

Bug#404106: ifplugd: [INTL:es] Updated spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: ifplugd
Version: 0.28-2.1
Priority: minor
Tags: l10n patch

Attached is an update for the Spanish po-debconf translation of this package.
Please apply it in the next upload.

Thanks

Javier
#
# ifplugd debconf translation to spanish
# Copyright (C) 2005-2006 Software in the Public Interest
# This file is distributed under the same license as the ifplugd package.
#
# Changes:
# - Initial translation
#   Lucas Wall <[EMAIL PROTECTED]>, 2005
# - Revision and update
#   Javier Fernandez-Sanguino, 2006
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/coordinacion
#   especialmente las notas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: ifplugd\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-11-24 07:23+0100\n"
"PO-Revision-Date: 2006-12-21 19:44+0100\n"
"Last-Translator: Javier Fernandez-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: string
#. Description
#: ../ifplugd.templates:1001
msgid "static interfaces to be watched by ifplugd:"
msgstr "interfaces estáticas que serán supervisadas por ifplugd:"

#. Type: string
#. Description
#: ../ifplugd.templates:1001
msgid ""
"Specify the interfaces to control here, separated by spaces. Ifplugd "
"processes will be started for each of these interfaces when the ifplugd "
"initscript is called with the \"start\" argument. You may use the magic "
"string \"auto\" to make the initscript start or stop ifplugd processes for "
"ALL eth and wlan interfaces that are available according to /proc/net/dev.  "
"Note that the list of interfaces appearing in /proc/net/dev may depend on "
"which kernel modules you have loaded."
msgstr "Indique las interfaces que desea sean supervisadas, separándolas con 
espacios. Cuando se llame al programa de arranque de «ifplugd» con el 
parámetro «start» se creará un proceso de «ifplugd» por cada interfaz 
aquí indicada. Puede utilizar la palabra «auto» para que el programa de 
arranque tome en cuenta TODAS las interfaces «eth» y «wlan» disponibles 
según indique «/proc/net/dev». Tenga en cuenta que la lista de interfaces 
disponible en «/proc/net/dev» dependerá de los módulos del núcleo que haya 
cargado."

#. Type: string
#. Description
#: ../ifplugd.templates:1001
msgid ""
"You should not add interfaces that are hotplugged (USB or PCMCIA) here, you "
"will be asked for those in the next question."
msgstr "Aquí no debe añadir los interfaces que son «hotplug» (USB o PCMCIA) 
aquí. Se le preguntará sobre éstos en la siguiente pregunta."

#. Type: string
#. Description
#: ../ifplugd.templates:2001
msgid "hotplugged interfaces to be watched by ifplugd:"
msgstr "interfaces «hotplug» que serán supervisadas por ifplugd:"

#. Type: string
#. Description
#: ../ifplugd.templates:2001
msgid "Specify the hotplugged interfaces to control here, separated by spaces."
msgstr "Introduzca la lista de interfaces «hotplug» que deben ser 
supervisadas, separándolas con espacios."

#. Type: string
#. Description
#: ../ifplugd.templates:2001
msgid ""
"You may use the magic string \"all\" to make the hotplug script start an "
"ifplugd process for any hotplugged interface."
msgstr "Puede utilizar la palabra «all» para que el script de hotplug ejecute 
un proceso «ifplugd» para cada una de las interfaces «hotplug»."

#. Type: string
#. Description
#: ../ifplugd.templates:2001
msgid ""
"Hotplugged interfaces are usually interfaces on PCMCIA or WLAN adapters."
msgstr ""
"Las interfaces «hotplug» son, en la mayoría de los casos, las interfaces en 
"
"los adaptadores PCMCIA y WLAN."

#. Type: string
#. Description
#: ../ifplugd.templates:3001
msgid "arguments to ifplugd:"
msgstr "parámetros para ifplugd:"

#. Type: string
#. Description
#: ../ifplugd.templates:3001
msgid ""
"You can give arguments to the ifplug daemon here. See the man page for a "
"description or call ifplugd -h."
msgstr "Aquí puede introducir parámetros para «ifplugd». Puede ver una 
descripción de los posibles parámetros en la página de manual de «ifplugd» 
o ejecutando «ifplugd -h»."

#. Type: select
#. Choices
#: ../ifplugd.templates:4001
msgid "none"
msgstr "ninguna"

#. Type: select
#. Choices
#: ../ifplugd.templates:4001
msgid "suspend"
msgstr "suspender"

#. Type: select
#. C

Bug#403866: Checking All The Reference URLs

[Javier Fernández-Sanguino Peña]

On Thu, Dec 21, 2006 at 06:32:09PM +0200, Ozer Sarilar wrote:
> If it is convinient for you i could integrate the corrected links into the
> corrsponding sgml files then you can review them.

If you can send patches to the existing sgml files that would be great (the
footnotes, BTW, are integrated with the chapters, even if they get "included"
in a separate HTML file)

> If that would ease your job i could help with editing sgml files.

That would ease my job but I still would like to review all the links (and
maybe make changes to the content if it is not longer relevant)

Regards

Javier


signature.asc
Description: Digital signature

Bug#404151: user-es: Please do not ship this with etch (maintainer request)

[Javier Fernández-Sanguino Peña]

Package: euro-support
Version: 0.37
Severity: grave

I've missed to adapt this package to the latest glibc's changes (which
introduced /etc/default/locale) and most of its work is already done by
localization-config. 

Thus, I would like this package to be removed from etch (but not sid) until
such a time I can update it to make it really useful (again) for Spanish
users.

RM, please consider this bug a request to remove from etch before the
release. If I have time to improve the package and put it in a shape I'm
confident with I will make a new upload closing this bug (although I doubt I
will have time before etch release, as I have my hands full with other, more
important, Debian work)

Thanks

Javier


signature.asc
Description: Digital signature

Bug#404166: portmap: Inconsistent encoding of the Spanish debconf translation

[Javier Fernández-Sanguino Peña]

tags 404166 pending
thanks

On Fri, Dec 22, 2006 at 07:45:02AM +0100, Christian Perrier wrote:
> The debian/po/es.po file for portmap uses inconsistent encoding.

Oops. I mixed my standard template. Thanks for spotting this. I have fixed it
locally, before I make an upload I will ask for translation updates (since
some languages are fuzzy).

Regards

Javier


signature.asc
Description: Digital signature

Bug#403826: This translation will be included in the next upload

[Javier Fernández-Sanguino Peña]

tags 403826 pending
thanks

I've added this translation to the new upload I'm preparing to Portmap,
should be uploaded in a week or so.

Javier


signature.asc
Description: Digital signature

Bug#404212: debian-cd: Provide a documentation CD with manuals and available translations

[Javier Fernández-Sanguino Peña]

Package: debian-cd
Version: N/A; reported 2006-12-22
Priority: wishlist

I would really like to have debian-cd generate  a 'documentation media' (DVD
or CD) which could be used to read documentation without having to install
the system.  That documentation media would contain *both* the english and
available translations of, at least:

- The Release Notes
- The Installation Guide
- The Refence Guide
- The User Guide
- The Project History
- The FAQ
- The Securing Debian Manual
- The Reference Card
- The Quick Reference
- The APT Howto

Content could be extracted (in an automatic way) from both the website [1]
and/or from the Debian packages providing them [2]. 

Unfortunately, the ftp site (as used in the 'add-bin-doc' script) is not an
option because #172482 has not been considered and, consequently, the 'doc'
directory in the mirrors do not contain translations or DDP manuals which are
not provided (yet) in Debian packages. 

Also, there are all the issues around 'byhand' processing. See, for example
where is doc-debian 3.1.4 (has been sitting in incoming for
byhand processing for a month).

By providing all that content in easily printable format it would make it
easier for users that do not have good broadband access and have not yet
installed Debian to go through or print those manuals before even starting
installation.

This could also fix the issue that, in past releases, official CD images have
_not_ provide content useful for non-English speakers in the /doc directory
(look at, for example, the FAQ)

Having all that content in one place makes it more easier for users to find
and take profit of (you'll see below that the document to package mapping is
not at all evident for a novice user).

Just my wishlist :)

Javier

[1] Some of these are available under http://www.debian.org/doc/manuals/, or, 
more
precisely, from /org/www.debian.org/www/doc/manuals , and the
release-specific info is at http://www.debian.org/releases/etch/
(/org/www.debian.org/www/releases/etch)

The Reference Card is at http://people.debian.org/~debacle/refcard/

[2] By extracing all of /usr/share/doc/${package} to the CD.
The FAQ = doc-debian
The Installation Guide = installation-guide-XXX
The Refence Guide = debian-reference-XX
The Quick Refence = quick-reference-XX
The Project History = 
The APT HOWTO = apt-howto-XX
The Securing Debian Manual = harden-doc



signature.asc
Description: Digital signature

Bug#404151: user-es: Please do not ship this with etch (maintainer request)

[Javier Fernández-Sanguino Peña]

reassign 404151 user-es
thanks

On Sat, Dec 23, 2006 at 02:33:07PM -0800, Steve Langasek wrote:
> Also, this bug has 'user-es' in the title, but is filed against
> euro-support.  user-euro-es (from the user-es source package) has a
> dependency on euro-support, so euro-support can't be removed from etch
> without also removing user-es.  Which packages is this request intended to
> apply to?

Should be user-es, not euro-support. Sorry for the confusion, I don't know
what I was thinkign of.

Javier


signature.asc
Description: Digital signature

Bug#404151: user-es: Please do not ship this with etch (maintainer request)

[Javier Fernández-Sanguino Peña]

On Sat, Dec 23, 2006 at 02:30:17PM -0800, Steve Langasek wrote:
> > localization-config will not be in etch as well
> 
> Javier, does this mean that euro-support might want to be kept around in
> etch after all?  Or is the necessary work actually done by the installer
> now?

Well, euro-support serves two purposes:

- provide documentation on how to enable euro-support. This documentation
  needs an important review since, in most cases, d-i will setup an UTF-8
  lcaole and, consequently, there's no need to do anything to have the euro
  char. It is primarily oriented to help users switch from ISO-8859-1 to
  ISO-8859-15 for *old* users (those that do not use an UTF-8 locale).

- help the user test if his system prints the euro character.

It does not (in any way) change the user's system (like localization-config
does automatically or user-es does through its 'castellanizar' script).

So I guess it could be kept for etch (no harm in doing so), I might allocate
some time to fix the first point above in time for the etch release.

Regards

Javier


signature.asc
Description: Digital signature

Bug#397132: Reopen, this bug is not closed (in Debian)

[Javier Fernández-Sanguino Peña]

reopen 397132
thanks

This bug is *not* closed for update-notifier, an upload to update-manager
(a different package) closed this bug but the strings in 'update-notifier'
are still missing my updated translation.

Could you please upload a new version of update-notifier fixing this
translation? 

Thanks

Javier

PS: BTW, what are the differences between update-manager and update-notifier?


signature.asc
Description: Digital signature

Bug#397132: Reopen, this bug is not closed (in Debian)

[Javier Fernández-Sanguino Peña]

On Tue, Dec 26, 2006 at 07:15:25PM -0200, Gustavo Noronha Silva wrote:
> Em Mon, 25 Dec 2006 23:38:09 +0100
> Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> escreveu:
> 
> > Could you please upload a new version of update-notifier fixing this
> > translation? 
> 
> OK, so I was looking at the latest es.po for our update-notifier package
> and there are some differences from the es.po file you sent. Would you
> mind updating the file once more? I'm attaching the latest version,
> with the patches I applied for it to become more Debian-friendly.

Could you please send me the POT (update-notifier.pot?) file instead of the
PO file, that way I can (more easily) merge my version with it and provide
you with an updated translation.

Thanks

Javier


signature.asc
Description: Digital signature

Bug#404707: poker-network: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: poker-network
Version: 1.0.32-1
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
Jose Ignacio Méndez González and updated by myself. Please include it in the
next
upload.

Thanks

Javier
# Spanish/Spain translation of poker-network.
# This file is distributed under the same license as the poker-network package.
#
# Initial translator:
#  - Jose Ignacio Méndez González <[EMAIL PROTECTED]>, 2006.
# Updated by:
#  - Javier Fernández-Sanguino <[EMAIL PROTECTED]>, 2006
#
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
msgid ""
msgstr ""
"Project-Id-Version: poker-network 1.0.32-1\n"
"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
"POT-Creation-Date: 2006-11-30 12:19+0100\n"
"PO-Revision-Date: 2006-12-27 19:31+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian l10n Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: multiselect
#. Description
#: ../poker-web.templates:1001
msgid "Web server(s) to reconfigure automatically:"
msgstr "Servidor/es web a reconfigurar automáticamente:"

#. Type: multiselect
#. Description
#: ../poker-web.templates:1001
msgid ""
"poker-web supports any web server that PHP does, but this automatic "
"configuration process only supports Apache."
msgstr ""
"poker-web da soporte a cualquier servidor web que tenga soporte de PHP, pero "
"este proceso de configuración automática sólo da soporte a Apache."

#. Type: boolean
#. Description
#: ../poker-web.templates:2001
msgid "Restart ${webserver} now?"
msgstr "¿Quiere que reinicie ${webserver} ahora?"

#. Type: boolean
#. Description
#: ../poker-web.templates:2001
msgid ""
"Remember that in order to activate the new configuration ${webserver} has to "
"be restarted. You can also restart ${webserver} manually executing /etc/init."
"d/${webserver} restart"
msgstr "Recuerde, que para activar la nueva configuración ${webserver} tiene 
que reiniciarse. Usted también puede reiniciar ${webserver} manualmente 
ejecutando «/etc/init.d/${webserver} restart»."

#. Type: string
#. Description
#: ../poker-web.templates:3001
msgid "Hostname or IP address of the poker-network server:"
msgstr "Nombre o dirección IP del servidor poker-network:"

#. Type: string
#. Description
#: ../poker-web.templates:3001
msgid ""
"The poker-network server for which poker-web provides a web based interface. "
"It will be queried via its SOAP interface."
msgstr ""
"El servidor de poker-network cuyo poker-web proporciona una interfaz basada "
"en web, Recibirá peticiones a través de su interfaz SOAP."

#. Type: boolean
#. Description
#: ../python-poker-network.templates:1001
msgid "Do you want to configure and run the poker-network server?"
msgstr "¿Quiere configurar y ejecutar el servidor de poker-network?"

#. Type: boolean
#. Description
#: ../python-poker-network.templates:1001
msgid ""
"If you want to configure and run a poker-network server, make sure you have "
"administrative rights on a running MySQL server. If you do not want to run "
"the poker-network server on this machine, you will be prompted for the "
"hostname or the IP address of a running poker-network server."
msgstr ""
"Si usted quiere configurar y ejecutar un servidor de poker-network, "
"asegúrese de que tiene permisos de administrador en el servidor MySQL. Si no "
"quiere ejecutar el servidor de poker-network en este equipo, se le pedirá el "
"nombre del servidor o la dirección IP de un servidor poker-network que se "
"esté ejecutando."

#. Type: note
#. Description
#: ../python-poker-network.templates:2001
msgid "Skipping poker-network server installation"
msgstr "Omitiendo instalación del servidor poker-network"

#. Type: note
#. Description
#: ../python-poker-network.templates:2001
msgid ""
"If you want to run poker-network at a later time, you will need to configure "
"it by hand or by running dpkg-reconfigure python-poker-network."
msgstr "Si quiere ejecutar poker-network más tarde, necesitará configurarlo 
manualmente o ejecutando «dpkg-reconfigure python-pok

Bug#404789: playmidi: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: playmidi
Version: 2.4debian-6
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
Jose Ignacio Méndez González and updated by myself. Please include it in the
next
upload.

Thanks

Javier
# playmidi po-debconf translation to spanish
# This file is distributed under the same license as the playmidi package.
#
# Changes:
# - Initial translation
#Jose Ignacio Méndez González <[EMAIL PROTECTED]>, 2006.
# - Revision
#Javier Fernández-Sanguino , 2006
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
# 
msgid ""
msgstr ""
"Project-Id-Version: playmidi 2.4debian-6\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-11-08 04:32+0100\n"
"PO-Revision-Date: 2006-12-28 10:42+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: string
#. Description
#: ../templates:1001
msgid "Options for playmidi when invoked through MIME?"
msgstr "¿Qué opciones deben fijarse en playmidi cuando se invoque a través 
de MIME?"

#. Type: string
#. Description
#: ../templates:1001
msgid ""
"This package sets up a MIME entry which allows your mail user agent and "
"other applications to play MIDI files.  As playmidi doesn't have a proper "
"configuration file yet, you'll need to specify any options required for it "
"to work with your sound hardware."
msgstr "Este paquete instala una entrada de MIME que permite reproducir 
archivos MIDI a su agente de usuario de correo así como a otras aplicaciones. 
Debe especificar cualquier opción que sea necesaria para tratar con su 
hardware de sonido, ya que playmidi no tiene aún un fichero de configuración 
como tal."

#. Type: string
#. Description
#: ../templates:1001
msgid ""
"If you have an external MIDI device or an Ensoniq SoundScape, Turtle Beach "
"WaveFront or WaveBlaster sound card, use `-e'."
msgstr ""
"Si tiene un dispositivo MIDI externo o una tarjeta de sonido Ensoniq "
"SoundScape, Turtle Beach, WaveFront o WaveBlaster use «-e»."

#. Type: string
#. Description
#: ../templates:1001
msgid "If you have a Sound Blaster AWE32, use `-a'."
msgstr "Si tiene una Sound Blaster AWE32 use «-a»."

#. Type: string
#. Description
#: ../templates:1001
msgid "If you have a Gravis Ultrasound, use `-g'."
msgstr "Si tiene una Gravis Ultrasound use «-g»."

#. Type: string
#. Description
#: ../templates:1001
msgid ""
"Otherwise, try leaving this blank -- many cards will work without extra "
"flags. If you change your mind later, edit `/etc/playmidi/playmidi.conf'."
msgstr "De otra forma, intente dejar esto en blanco; muchas tarjetas no 
funcionan sin opciones extra. Puede editar el archivo 
«/etc/playmidi/playmidi.conf» si cambia de opinión."


signature.asc
Description: Digital signature

Bug#404787: pnm2ppa: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: pnm2ppa
Version: 1.12-15
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
César Gómez Martín. Please include it in the next upload.

Thanks

Javier

# pnm2ppa po-debconf translation to Spanish
# Copyright (C) 2005 Software in the Public Interest
# This file is distributed under the same license as the pnm2ppa package.
#
# Changes:
#  - Initial translation
# César Gómez Martín <[EMAIL PROTECTED]>
#
#   Traductores, si no conoce el formato PO, merece la pena leer la
#   documentación de gettext, especialmente las secciones dedicadas a este
#   formato, por ejemplo ejecutando:
#  info -n '(gettext)PO Files'
#  info -n '(gettext)Header Entry'
# Equipo de traducción al español, por favor, lean antes de traducir
# los siguientes documentos:
#
#  - El proyecto de traducción de Debian al español
#http://www.debian.org/intl/spanish/
#especialmente las notas de traducción en
#http://www.debian.org/intl/spanish/notas
#
#  - La guía de traducción de po's de debconf:
#/usr/share/doc/po-debconf/README-trans
#o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: pnm2ppa\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-10-29 04:33+0100\n"
"PO-Revision-Date: 2006-12-28 10:34+0100\n"
"Last-Translator: César Gómez Martín <[EMAIL PROTECTED]>\n"
"Language-Team: Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: boolean
#. Description
#: ../templates:1001
msgid "Would you like debconf to configure pnm2ppa?"
msgstr "¿Quiere que debconf configure pnm2ppa?"

#. Type: boolean
#. Description
#: ../templates:1001
msgid ""
"You can have debconf perform some simple configuration steps for your "
"default pnm2ppa setup (edited in your /etc/pnm2ppa.conf file)."
msgstr "Puede dejar que debconf realice unos pasos sencillos para configurar su 
instalación de pnm2ppa por omisión (editando su fichero 
«/etc/pnm2ppa.conf»)."

#. Type: select
#. Description
#: ../templates:2001
msgid "What model of HP Deskjet printer do you use?"
msgstr "¿Qué modelo de impresora HP Deskjet utiliza?"

#. Type: select
#. Description
#: ../templates:2001
msgid ""
"The pnm2ppa printer filter behaves differently depending upon which HP "
"DeskJet model you use. Choose your model of printer for the default "
"configuration file /etc/pnm2ppa.conf."
msgstr ""
"El filtro de impresión pnm2ppa se comporta de forma distinta dependiendo del "
"modelo de HP Deskjet que use. Escoja el modelo de su impresora para el "
"fichero de configuración por omisión /etc/pnm2ppa.conf."

#. Type: boolean
#. Description
#: ../templates:3001
msgid "Would you like debconf to create magicfilter filters?"
msgstr "¿Le gustaría que debconf creara los filtros «magicfilter»?"

#. Type: boolean
#. Description
#: ../templates:3001
msgid ""
"Magicfilter is a customizable, extensible automatic printer filter. It uses "
"its own magic database (a la file(1)) to decide how to print out a given "
"print job.  Debconf can run the custom pnm2ppa script called \"update-"
"magicfilter\" to generate a default set of filters for color and black-and-"
"white printing."
msgstr "Magicfilter es un filtro de impresión automático configurable y 
extensible. Utiliza su propia base de datos mágica (al estilo de file(1)) para 
decidir como debe imprimir un trabajo de impresión. Debconf puede ejecutar el 
script personalizado pnm2ppa llamado «update-magicfilter» para generar un 
conjunto de filtros por defecto para impresión en color y en blanco y negro."

#. Type: boolean
#. Description
#: ../templates:3001
msgid ""
"The template filter is found in /usr/share/pnm2ppa/ as \"pnm2ppa-magicfilter."
"in\".  update-magicfilter uses sed to replace @OPTIONS@ from the template "
"and place the resulting filters in /etc/magicfilter.  Additionally, symbolic "
"links are created from the generated pnm2ppa filters to pbm2ppa filters (the "
"deprecated predecessor to pnm2ppa)."
msgstr "El filtro plantilla se encuentra en /usr/share/pnm2ppa/ como 
«pnm2ppa-magicfilter.in». update-magicfilter utiliza sed para reemplazar 
@OPTIONS@ de la plantilla y colocar los filtros resultantes en 
/etc/magicfilter. Adicionalmente se crean enlaces simbólicos de los filtros 
pnm2ppa generados a los filtros pbm2ppa (el predecesor obsoleto de pnm2ppa)."

#. Type: boolean
#. Description
#: ../templates:3001
msgid ""
"The only thing left for you to do is run magicfilterconfig to generate your /"
"etc/printcap."
msgstr ""
"Sólo tiene que ejecutar magicfilterconfig para generar su fichero/etc/"
"printcap."


signature.asc
Description: Digital signature

Bug#404792: noflushd: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: noflushd
Version: 2.7.5-5
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
César Gómez Martín. Please include it in the next upload.

Thanks

Javier

# noflushd po-debconf translation to Spanish
# Copyright (C) 2005 Software in the Public Interest
# This file is distributed under the same license as the noflushd package.
#
# Changes:
#  - Initial translation
# César Gómez Martín <[EMAIL PROTECTED]>
#  - Revisión
# Carlos Galisteo
# Javier Fernández-Sanguino
#
#   Traductores, si no conoce el formato PO, merece la pena leer la
#   documentación de gettext, especialmente las secciones dedicadas a este
#   formato, por ejemplo ejecutando:
#  info -n '(gettext)PO Files'
#  info -n '(gettext)Header Entry'
# Equipo de traducción al español, por favor, lean antes de traducir
# los siguientes documentos:
#
#  - El proyecto de traducción de Debian al español
#http://www.debian.org/intl/spanish/
#especialmente las notas de traducción en
#http://www.debian.org/intl/spanish/notas
#
#  - La guía de traducción de po's de debconf:
#/usr/share/doc/po-debconf/README-trans
#o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: noflushd\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-12-15 04:33+0100\n"
"PO-Revision-Date: 2005-08-12 17:07+0100\n"
"Last-Translator: César Gómez Martín <[EMAIL PROTECTED]>\n"
"Language-Team: Debian l10n Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=iso-8859-1\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: string
#. Description
#: ../noflushd.templates:1001
msgid "Default idle timeout in minutes:"
msgstr "Tiempo en minutos por omisión para pasar a estado ocioso:"

#. Type: string
#. Description
#: ../noflushd.templates:1001
msgid ""
"When a disk has been inactive for this many minutes, noflushd tries to spin "
"it down."
msgstr ""
"Noflushd intenta desacelerar un disco cuando ha estado inactivo durante la "
"cantidad de minutos especificada."

#. Type: string
#. Description
#: ../noflushd.templates:1001
msgid ""
"Instead of a single value, you can also enter a comma-separated list of "
"timeouts. Whenever noflushd receives a HUP signal, it switches to the next "
"timeout in the list."
msgstr ""
"Puede introducir una lista de tiempos de expiración separándolos con comas "
"en lugar de introducir sólo un valor. Noflush cambiará al siguiente tiempo "
"de expiración indicado en la lista cuando reciba una señal «HUP»."

#. Type: string
#. Description
#: ../noflushd.templates:2001
msgid "Disks to monitor for inactivity:"
msgstr "Discos a los que monitorizar la inactividad:"

#. Type: string
#. Description
#: ../noflushd.templates:2001
msgid ""
"All the disks given in this list will be spun down when inactive. Each disk "
"here is represented by its device node, eg. /dev/hda for the first IDE disk. "
"Multiple entries must be separated by space."
msgstr ""
"Se desacelararán todos los discos de esta lista cuando no estén activos. "
"Cada disco de estos está representado por su nodo de dispositivo, por "
"ejemplo /dev/hda es el primer disco IDE. Si se introducen varios discos "
"deben ir separados por un espacio."

#. Type: string
#. Description
#: ../noflushd.templates:2001
msgid ""
"If this entry is empty, noflushd tries to auto-detect and monitor all disks "
"on the system."
msgstr ""
"Noflushd intenta auto-detectar y monitorizar todos los discos del sistema si "
"deja este valor en blanco."

#. Type: boolean
#. Description
#: ../noflushd.templates:3001
msgid "Use arbitrary noflushd command line parameters?"
msgstr "¿Usar parámetros arbitrarios de linea de órdenes?"

#. Type: boolean
#. Description
#: ../noflushd.templates:3001
msgid ""
"All command line options given here will be passed verbatim to noflushd on "
"startup. This option is for advanced users. Please refer to the noflushd man "
"page for a list of all possible parameters."
msgstr ""
"Todas las opciones de linea de órdenes dadas aquí se pasarán literalmente a "
"noflushd en el arranque. Esta opción es para usuarios avanzados. Por favor, "
"consulte la página de manual de noflushd para ver la lista de parámetros "
"posibles."

#. Type: string
#. Description
#: ../noflushd.templates:4001
msgid "Advanced startup options:"
msgstr "Opciones avanzadas de arranque:"

#. Type: string
#. Description
#: ../noflushd.templates:4001
msgid ""
"A default timeout and a list of disks to monitor are enough for simple uses "
"of noflushd. If you don't need more options, just leave this blank. Noflushd "
"will then use a simple configuration scheme."
msgstr ""
"La mayoría de los usuarios de noflushd utilizarán el tiempo de expiración "
"por omisión y una lista de discos a monitorizar. Deje este campo en blanco "
"si no necesita más opciones. Si hace esto, noflush utilizará un esquema de "
"configuración simple."

#. Type: string
#. Description
#: ../nofl

Bug#404798: mediawiki1.7: [INTL:es] Updated spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: mediawiki1.7
Version: 1.7.1-5
Priority: minor
Tags: l10n patch

Attached is the Spanish po-debconf translation of this package.
Please apply it in the next upload.

Thanks

Javier
# mediawiki1.7 po-debconf translation to Spanish
# Copyright (C) 2006 Software in the Public Interest, SPI Inc.
# This file is distributed under the same license as the mediawiki17 package.
#
# Changes:
# - Initial translation
#   Jose Ignacio Méndez González <[EMAIL PROTECTED]>, 2006.
# - Revision and update
#   Javier Fernández-Sanguino , 2006
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
#
# 
msgid ""
msgstr ""
"Project-Id-Version: mediawiki1.7 1.7.1-5 \n"
"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
"POT-Creation-Date: 2006-11-01 15:41+0100\n"
"PO-Revision-Date: 2006-12-28 11:40+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"com>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: multiselect
#. Description
#: ../templates:1001
msgid "Web server(s) that should be configured automatically:"
msgstr "Servidor/es web que se deberían configurar automáticamente:"

#. Type: boolean
#. Description
#: ../templates:2001
msgid "Perform automatic upgrade from mediawiki1.5?"
msgstr "¿Desea realizar una actualización automática desde mediawiki1.5?"

#. Type: boolean
#. Description
#: ../templates:2001
msgid "You are upgrading from mediawiki1.5."
msgstr "Está vd. actualizando desde mediawiki1.5."

#. Type: boolean
#. Description
#: ../templates:2001
msgid ""
"This package will install its files in a new location:\n"
" /var/lib/mediawiki1.7\n"
"Then you need to upgrade your old mediawiki1.5."
msgstr ""
"Este paquete instalará sus ficheros en una nueva ubicación:\n"
" /var/lib/mediawiki1.7\n"
"Una vez hecho esto deberá actualizar su antiguo mediawiki1.5."

#. Type: boolean
#. Description
#: ../templates:2001
msgid ""
"This package provides a script to do this automatically. The script will "
"make a backup of your database, upgrade it, and prepare a new configuration "
"file for your new mediawiki. You will still be able to use this script "
"later, by calling, as root, /usr/share/mediawiki1.7/debian-scripts/upgrade-"
"mediawiki1.5"
msgstr "Este paquete ofrece un programa que lo hace de forma automática. El 
script hace una copia de seguridad de su base de datos, la actualiza, y prepara 
un nuevo fichero de configuración para su nuevo mediawiki. Puede utilizar 
éste programa más adelante ejecutando, como root, 
«/usr/share/mediawiki1.7/debian-scripts/upgrade-mediawiki1.5»."

#. Type: string
#. Description
#: ../templates:3001
msgid "Administrative user for mediawiki1.7:"
msgstr "Usuario administrador para mediawiki1.7:"

#. Type: string
#. Description
#: ../templates:3001
msgid ""
"Please provide a mysql account that has administrative access to your old "
"mediawiki1.5 database."
msgstr "Indique la cuenta mysql que tiene acceso como administrador a su 
antigua base de datos mediawiki1.5."

#. Type: string
#. Description
#: ../templates:3001
msgid "If you don't know any account, the root user is sufficient."
msgstr "Si no sabe qué cuenta es, debería ser suficiente con hacerlo como 
root."

#. Type: string
#. Description
#: ../templates:3001
msgid ""
"An AdminSettings.php file will be generated, and this file will be removed "
"if you gave the root account, obviously."
msgstr "Se generará un fichero AdminSettings.php, y este fichero se borrará 
si indicó la cuenta de root, obviamente."

#. Type: password
#. Description
#: ../templates:4001
msgid "Administrative password for mediawiki1.7:"
msgstr "Contraseña del usuario administrador para mediawiki1.7:"

#. Type: password
#. Description
#: ../templates:4001
msgid "Please give the password for the account you specified."
msgstr "Indique la contraseña para la cuenta que especificó."


signature.asc
Description: Digital signature

Bug#404800: motion: [INTL:es] Spanish po-debconf translation

[Javier Fernández-Sanguino Peña]

Package: motion
Version: 3.2.3-2
Priority: minor
Tags: patch l10n

Attached is the translation of this package's templates to Spanish, done by
Jose Ignacio Méndez González and updated by myself. Please include it in the
next
upload.

Thanks

Javier
# motion po-debconf translation to spanish
# This file is distributed under the same license as the  package.
#
# Changes:
# - Initial translation
#Jose Ignacio Méndez González <[EMAIL PROTECTED]>
# - Revision
#   Fernando Cerezal
#   Javier Fernández-Sanguino
#
#
#  Traductores, si no conoce el formato PO, merece la pena leer la 
#  documentación de gettext, especialmente las secciones dedicadas a este
#  formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
#   http://www.debian.org/intl/spanish/
#   especialmente las notas y normas de traducción en
#   http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
#   /usr/share/doc/po-debconf/README-trans
#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# Si tiene dudas o consultas sobre esta traducción consulte con el último
# traductor (campo Last-Translator) y ponga en copia a la lista de
# traducción de Debian al español ()
#
msgid ""
msgstr ""
"Project-Id-Version: motion VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-11-10 04:32+0100\n"
"PO-Revision-Date: 2006-12-28 11:32+0100\n"
"Last-Translator: Jose Ignacio Méndez González <[EMAIL PROTECTED]"
"com>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: note
#. Description
#: ../motion.templates:1001
msgid "Location of Motion's config files has changed"
msgstr "Se ha cambiado la situación de los archivos de configuración de 
Motion"

#. Type: note
#. Description
#: ../motion.templates:1001
msgid ""
"The default location of Motion's configuration files has moved from /etc/ "
"to /etc/motion/. So if you already have a motion.conf in /etc/ from a "
"previous installation of Motion, you should move this to /etc/motion/ in "
"order for it to take effect whenever Motion is used."
msgstr "La situación por omisión de los archivos de configuración de Motion 
se ha movido de /etc/ a /etc/motion/. Por tanto, si usted ya tiene un 
motion.conf en /etc/ de una instalación anterior de Motion, debe mover éste a 
/etc/motion/ para que se considere cuando se utilice Motion."

#. Type: note
#. Description
#: ../motion.templates:1001
msgid ""
"The same thing goes for any thread*.conf files you may have. You should move "
"these to /etc/motion/ as well (in this case, also remember to update the "
"path to the thread*.conf files inside motion.conf)."
msgstr "Lo mismo sucede para cualquier archivo thread*.conf que tenga. Usted 
debe mover éstos también a /etc/motion/ (en este caso, recuerde también 
actualizar la ruta de los archivos thread*.conf dentro del archivo 
motion.conf)."


signature.asc
Description: Digital signature

Bug#397132: Reopen, this bug is not closed (in Debian)

[Javier Fernández-Sanguino Peña]

On Thu, Dec 28, 2006 at 08:02:53AM -0200, Gustavo Noronha Silva wrote:
> Em Tue, 26 Dec 2006 22:32:04 +0100
> Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> escreveu:
> 
> > Could you please send me the POT (update-notifier.pot?) file instead
> > of the PO file, that way I can (more easily) merge my version with it
> > and provide you with an updated translation.
> 
> There you go!

Attached is the updated translation.

By the way, I find the followin string slightly confusing:

> msgid "Software packages volume detected"
> msgstr ""

It was more clear when it explicitly mentioned a CD. Maybe it should be
changed to say something like "A CD or DVD providing software packages has
been detected" or something like that, or does it apply to other information
sources? (such as network-mounted or hard disk volumes that can be accessed
through file:/// URIs)

Regards

Javier
# translation of update-notifier to Spanish
# This file is distributed under the same license as the update-notifier 
package.
#  Copyright (C) 2004 Lukas Lipka <[EMAIL PROTECTED]>
#(C) 2004 Michael Vogt <[EMAIL PROTECTED]>
#(C) Canonical
#(C) 2004 Michiel Sikkes <[EMAIL PROTECTED]>
# Jorge Bernal <[EMAIL PROTECTED]>, 2005.
# Jorge Bernal <[EMAIL PROTECTED]>, 2005.
# Javier Fernandez-Sanguino <[EMAIL PROTECTED]>, 2006
#
msgid ""
msgstr ""
"Project-Id-Version: update-notifier\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2006-08-19 00:36-0300\n"
"PO-Revision-Date: 2006-12-28 12:01+0100\n"
"Last-Translator: Javier Fernández-Sanguino <[EMAIL PROTECTED]>\n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms:  nplurals=2; plural=(n != 1);\n"

#: ../src/eggtrayicon.c:133
msgid "Orientation"
msgstr "Orientación"

#: ../src/eggtrayicon.c:134
msgid "The orientation of the tray."
msgstr "La orientación en el panel."

#: ../src/hal.c:27
msgid "Software packages volume detected"
msgstr "Se ha detectado un volumen de paquetes software"

#: ../src/hal.c:30
msgid ""
"A volume with software packages has "
"been detected.\n"
"\n"
"Would you like to open it with the package manager?"
msgstr ""
"Se ha detectado un volumen con paquetes 
de software \n"
"\n"
"¿Desea arrancar la aplicación del gestor de paquetes?"

#: ../src/hal.c:38 ../src/update.c:20
msgid "Start package manager"
msgstr "Arrancar el gestor de paquetes"

#: ../src/hooks.c:46
msgid "Information about newly installed packages available"
msgstr "Disponible información sobre los nuevos paquetes instalados"

#: ../src/hooks.c:47
msgid "Click on the notification icon to show the information"
msgstr "Pulse en el icono de notificación para mostrar la información."

#: ../src/hooks.c:509
msgid "Information about newly installed packages available\n"
msgstr "Disponible información sobre los nuevos paquetes instalados<\n"

#: ../src/hooks.c:510
msgid "Click on the notification icon to show the available information.\n"
msgstr "Pulse este icono para mostrar la información disponible.\n"

#. Create and show the notification
#: ../src/reboot.c:41 ../src/reboot.c:82
msgid "System restart required"
msgstr "Es necesario reiniciar el sistema"

#: ../src/reboot.c:42
msgid ""
"To complete the update of your system, restart your system.\n"
"\n"
"Click on the notification icon to restart your system."
msgstr ""
"Debe reiniciar el sistema para completar la actualización.\n"
"\n"
"Pulse en el icono de notificación para reiniciarlo."

#: ../src/reboot.c:83
msgid "Click on the notification icon to restart your computer"
msgstr "Pulse en el icono de notificación para reiniciar su sistema"

#: ../src/update.c:15
msgid "Show updates"
msgstr "Mostrar actualizaciones"

#: ../src/update.c:18
msgid "Install all updates"
msgstr "Instalar todas las actualizaciones"

#: ../src/update.c:19
msgid "Check for updates"
msgstr "Buscar actualizaciones"

#: ../src/update.c:116
#, c-format
msgid "There is %i update available"
msgid_plural "There are %i updates available"
msgstr[0] "Hay %i actualización disponible"
msgstr[1] "Hay %i actualizaciones disponibles"

#: ../src/update.c:121
msgid "Click on the notification icon to show the update"
msgid_plural "Click on the n

Bug#404803: update-notifier: Could be less strict when running on unstable systems

[Javier Fernández-Sanguino Peña]

Package: update-notifier
Version: 0.42.12-2+b1
Priority: wishlist

When update-notifier is being run in an unstable system it is always saying
that there are new updates since, obviously, unstable is in an ever changing
state.

I know it's difficult to distinguish, since the priority= of updates is not
available unless you read the changelogs, but could it make a distinction
between updates being available for 'important' vs. 'optional' or 'extra'
componentes installed.

The message could be something like this:

"There are updates for ${type} components of your system"

Where ${type} could be substituted by 'important', 'optional', 'extra' or a
combination of those ('important and optional', 'optional and extra' etc.)

Regards

Javier



signature.asc
Description: Digital signature

Bug#404805: update-notifier: Not clear when it is necessary to really reboot the system

[Javier Fernández-Sanguino Peña]

Package: update-notifier
Version: 0.42.12-2+b1
Priority: wishlist

Update-notifier suggests that the system needs to be restarted without giving
any indication if this is because:

- a new kernel has been installed
- a basic component (such as the libc) has been updgraded

I understand (from looking into the sources) that it is checking out the
/var/run/reboot-required but it is not clear to me who is supposed to do
this.

For example, I see this:

$ find  /var/lib/dpkg/info/ -type f -exec grep -l 
/usr/share/update-notifier/notify-reboot-required {} \;
/var/lib/dpkg/info/dbus.postinst
/var/lib/dpkg/info/initscripts.postinst

Certainly, a dbus update does not require a reboot of the full system (but it
might require a desktop restart).  As for initscripts, reading the postinst
code it is clear to me why it needs to be restarted.

Could there be some way for the scripts using
/usr/share/update-notifier/notify-reboot-required to add a message explaining
*why* they think a reboot is required? 

Should there should be a 
/usr/share/update-notifier/notify-desktop-restart-required program which could 
be used by core desktop components to tell you that you have to restart the 
*desktop* and not the system? (it looks like that should be done by Dbus)

Regards


Javier



signature.asc
Description: Digital signature

Bug#404810: update-notifier: Provide more information on how the "need to reboot" mechanism works

[Javier Fernández-Sanguino Peña]

Package: update-notifier
Version: 0.42.12-2+b1
Priority: wishlist

Update-notifier suggests that the system needs to be restarted but it
depends on packages telling so by using the
/usr/share/update-notifier/notify-reboot-required script on postinst.

Unless update-notifier provides good enough information for both users and
maintainers on when can they expect that notification to show up you will get
bugs like #393851 (is probably something specific to the user's environment)
or #397269 (which is a bug in the package sending the notification and
not on update-notifier itself)

It would be wise to document (attached is a first attempt at doing so) what
users can expect from this features and how maintainers can implement this.

Please provide this README file in the package. And, when a manpage is
written, point to it to make clear what the expectations on notifications are
and how they should be handled.

Thanks

Javier


update-notifier provides a notification icon in the notification area and warns
the user about updates being available, and allowing them to run update-manager.

One of its features is to tell the user that the system needs to be
rebooted after an upgrade. This feature is useful for critical packages
which need this to be done to implement new features (which cannot
be implemented in place) or to replace core system functionality. 
This includes the kernel, the libc and some other libraries and packages.

This feature is based on the /usr/share/update-notifier/notify-reboot-required
script. This script needs to be executed by the packages on their postinst
script, once this script is run (it creates the /var/run/reboot-required file)
a notification will appear to the user at his desktop telling them that a
reboot is required, and allowing them to reboot after the package manager is
done "applying changes".

Notice that update-notifier does not try to determine, itself if a system
update is really required. It depends on the packages telling it to notify the
user. 

FAQ
---

1.- After a reboot the system still shows that a "reboot is required"

If you are certain that you rebooted the system (and not just the 
desktop system) then you can manually remove the /var/run/reboot-required file
to remove the notification.


2.- Why isn't /var/run/reboot-required removed on boot?


The /etc/init.d/bootclean initscript removes all files from /var/run
upon system boot up, so you should not be seing this notification after
a reboot.

If this file is not removed on boot it might be because:

- /var/run/ is special in you system 
- /etc/init.d/bootclean is not being executed in the startup sequence
  (maybe the /etc/rcS.d/S36mountall-bootclean.sh symlink is missing)

In order to see if you system should remove the file try going into
single-user mode ('init 1') and then run /etc/init.d/bootclean start?

3.- Why don't I get a notification if XX is installed/upgraded?
The upgrade is not effective until a full system reboot!

The maintainer has to introduce a call in the package's postinst to
notifiy update-notifier. File a bug in the Bug Tracking system asking him
to introduce the following code:

---
# trigger an update notification which recommends to reboot
[ -x /usr/share/update-notifier/notify-reboot-required ] && \
/usr/share/update-notifier/notify-reboot-required || true
---

if the reboot is only needed when upgrading to a given version the maintainer
should add this instead:

---
# a reboot is needed to make XYZ work. Flag  using notify-reboot-required. 
# cannot do this on postinst because of XYZ.
if dpkg --compare-versions "$PREV_VER" lt "SOME_VERSION_HERE" \
 && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
 /usr/share/update-notifier/notify-reboot-required
 fi
fi
---

4.- Will update-notifier tell me I need to reboot when I install a 
security upgrade of a library?

This functionality is not implemented in update-notifier itself.

Unless the maintainer has implemented 3) above no. In most library upgrade
cases (even security updates) a full system reboot is not needed. You just
need to restart all the daemons using the library to completely apply
the security update. Of course, you could reboot the system to force the
daemons to use the new upgraded library but that is certainly overkill.

If you are a system administrator and want to know what daemon services need to
be restarted after a library upgrade use the 'checkrestart' utility in the
'debian-goodies' package.


5.- I'm a maintainer, how can I use this nice feature?

Implement 3) before some user sends you a bug report asking for this feature.


signature.asc
Description: Digital signature