Re: The Debian Mentors Project

2003-05-12 Thread tony mancill
On Tue, 13 May 2003, Daniel K. Gebhart wrote:

> Matthew Palmer <[EMAIL PROTECTED]> wrote Tue, May 13, 2003 at 08:36:12AM 
> +1000:
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
>
> The mentors project is not something like apt-get.org! Hosting stable
> and safe packages is not our goal. We are responsible for the contact
> between maintainers and sponsors. Not between maintainers and users.

Apropos of this and Colin's statement, my suggestion is to make only a
deb-src URL available on the site, and to only host source packages.  For
packages destined for the Debian archive, it's critical that they be
reviewed as source, and that they build from source.  I do a fair amount
of sponsoring, and never have need for a binary of the package being
sponsored.

Cheers,
tony
<[EMAIL PROTECTED]




CLEARANCE SALE OF IMPORTED KITES

2003-05-12 Thread DOMINICANOS
LENT IS OVER, BUT THERE WILL ALWAYS BE WIND TO FLY THESE UNIQUE AND INCREDIBLE KITES

Take advantage of this great offer on imported kites (chichiguas) that we
have on clearance. HURRY, inventory is limited, and other varieties are
also available. If you buy more than one, we will give you an even bigger
discount.

BOOMER: This is a fairly fast and powerful acrobatic foil kite. It is 2 m
long, has no rigid parts and is designed on the same concept as a
parachute. It is very easy to handle and in strong winds can produce a
pull of up to 200 lbs, ideal for beginners and excellent for intermediate
and advanced flyers. Includes Dacron lines with handles and winder. In its
mini case it packs down smaller than a two-liter soda bottle.
PRICE: RD$2,800

CUBOTRIX: This is the box kite you used to buy as a child, but with all
the features of the modern era. It is ideal for young people and adults,
requires a bit more wind, and is spectacular on the beach. The material is
highly durable parachute-style nylon. Comes packed in a bag, ready to fly.
Includes string and instructions; the rods are 5 and 8 mm pine.
PRICE: RD$725.00

KOHLY: Delta-class kite; because of its size it is ideal for children and
young people, very easy to launch and handle. Comes packed in a bag, ready
to fly. The material is highly durable nylon and the rods are pine wood.
Includes string and instructions. PRICE: RD$495.00

BABY BOOMER: This one is very similar to the BOOMER; it has no rigid
parts and is therefore unbreakable. Like the other models, it also
includes its line and instructions. PRICE: RD$495.00

FOR MORE INFORMATION: MOBILE: 696-8411 [EMAIL PROTECTED]



(no subject)

2003-05-12 Thread LIONHEAR
 




Bug#193125: RFA: jnethack -- The dungeon exploration game JNetHack (nethack with Japanese l10n)

2003-05-12 Thread Kenshi Muto

Package: wnpp
Severity: normal

The development of jNethack goes on at jnethack.sourceforge.jp, but I haven't
had enough time to follow and maintain it.

The current package is based on 1.1.5, but the CVS version is 3.4.1-0.1.
Instead of dropping GTK+ mode support, the CVS version added GNOME and QT
mode.
It is a good way to imitate what the Nethack package does (separating packages,
elegant rules, and so on).




Re: The Debian Mentors Project

2003-05-12 Thread Joe Nahmias

Ivo Marino wrote:

Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.
> On Tue, 13 May 2003, Matthew Palmer wrote:
> > It appears as though anyone who has an account can upload any package they
> > like.  While this isn't a pressing problem for sponsors (since they'll be
> > collecting source and checking the signatures on the .dsc), this could be a
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
> >
> If someone can already point out an eventual solution for this problem
> we'll be open to considering any suggestion in order to improve the system.

If I may make a suggestion, a user should only be able to upload a
package that either:

a) doesn't appear in the repository

-or-

b) already has the uploader as maintainer

-or-

c) has an RFA/O bug filed in WNPP


That should provide a first line of defense against trojan packages.


Just my $0.02.  Thanks again for the great service!


Joe Nahmias, DD wannabe
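
Joe's three acceptance rules written as a server-side check, as an added example that is not part of the original message or of the mentors.debian.net code. The repository index, the account addresses and the `may_upload` helper are hypothetical; the WNPP title format follows the RFA bug title seen on this page, and the sample data is constructed.

```python
import re

# WNPP titles look like "RFA: jnethack -- The dungeon exploration game ...".
WNPP_TITLE = re.compile(r"^(?P<tag>[A-Z]+):\s+(?P<pkg>\S+)\s+--\s")
ADOPTABLE = {"RFA", "O"}  # request for adoption, orphaned
ADDRESS = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def adoptable_packages(wnpp_titles):
    """Package names that have an open RFA or O bug."""
    matches = (WNPP_TITLE.match(t.strip()) for t in wnpp_titles)
    return {m.group("pkg") for m in matches if m and m.group("tag") in ADOPTABLE}


def maintainer_address(field):
    """Lower-cased address from a 'Name <addr>' Maintainer field, or None."""
    m = ADDRESS.search(field)
    return m.group(1).lower() if m else None


def may_upload(package, account, repo_maintainers, wnpp_titles):
    """Apply rules (a), (b), (c); return (allowed, reason).

    `account` is the authenticated uploader's address. The Maintainer field
    inside the upload is uploader-controlled, so it is never consulted: the
    comparison is against what the repository already records.
    """
    current = repo_maintainers.get(package)
    if current is None:
        return True, "a: not in the repository"
    if maintainer_address(current) == account.lower():
        return True, "b: uploader is the recorded maintainer"
    if package in adoptable_packages(wnpp_titles):
        return True, "c: RFA/O bug filed in WNPP"
    return False, "rejected: package has another maintainer"


# Constructed sample data; names and addresses are placeholders.
REPO = {"jnethack": "Current Maintainer <maint@example.org>",
        "hello": "Alice Example <alice@example.org>"}
WNPP = ["RFA: jnethack -- The dungeon exploration game JNetHack (nethack with Japanese l10n)",
        "ITP: newpkg -- constructed entry, not adoptable"]

if __name__ == "__main__":
    for pkg, who in [("newtool", "bob@example.org"), ("hello", "alice@example.org"),
                     ("jnethack", "bob@example.org"), ("hello", "bob@example.org")]:
        print(pkg, who, may_upload(pkg, who, REPO, WNPP))
```

The last case is the one the rules are aimed at: an account replacing a package that the repository records under someone else's name, with no RFA/O bug open, is refused.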




Re: The Debian Mentors Project

2003-05-12 Thread Matthew Palmer
On Tue, 13 May 2003, Daniel K. Gebhart wrote:

> Matthew Palmer <[EMAIL PROTECTED]> wrote Tue, May 13, 2003 at 08:36:12AM 
> +1000:
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
> 
> The mentors project is not something like apt-get.org! Hosting stable
> and safe packages is not our goal. We are responsible for the contact
> between maintainers and sponsors. Not between maintainers and users.

From the front page of mentors.debian.net:

"Welcome to the debian-mentors public software repository. In short terms
this is a free (no costs, no obligations) server which allows maintainers of
Debian GNU/Linux packages to offer them here. Other Debian users are invited
to download these packages using the handy apt-get utility."

I'll highlight a part for you:

"Other Debian users are invited to download these packages".

Care to try again?


-- 
---
#include 
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16





Re: noicon.xpm?

2003-05-12 Thread Gustavo Noronha Silva
On Mon, 12 May 2003 21:24:42 +0200, Wouter Verhelst <[EMAIL PROTECTED]> 
wrote:

> 
> Will adding an icon remove that confusion? Perhaps those people, or
> others, will think that menu options with the famous 'swirl' icon are
> enabled, while others are not. I mean, the swirl has some kind of motion
> in it, so it surely must mean it's activated, right?

Yes, perhaps yes. I really don't think adding default icons is The Right
Thing, but I still think that'd be better than nothing. It's a matter
of taste and opinion, I guess. I think the debian swirl is ok as a default
icon on my gnome menu, while Christian thinks it's ugly.

> I mean, what did you think? That you can understand how computers work
> by looking at the interface? Like "Oh, that's a computer? Ah, now I see
> how the C programming language works!"

Nah, I know that's not the case. But I still believe the default icons
would make the menu look more consistent (I'm using them =P)

[]s!

-- 
[EMAIL PROTECTED]: Gustavo Noronha 
Debian:   *  
Questions about Debian? Visit Rau-Tu: http://rautu.cipsga.org.br




Re: Non-Official Fix of APT

2003-05-12 Thread Otavio Salvador
Adam Heath <[EMAIL PROTECTED]> writes:

> On Mon, 12 May 2003, Otavio Salvador wrote:
>
>> I've sent one version to solve all serious (#192409, #192458), and one
>> grave bug (#131779) to my repository[1].
>>
>> All patches applied to this version have already been sent to the BTS and
>> are waiting to be merged by some Deity person.
>
> And the patches are?

#192409, #192458 and #131779

> The one to fix the ::Scan issue *must* rename the existing Scan
> method to Scan_internal(or some such), and make a new Scan that
> matches the old api signature, and calls Scan_internal in a loop.

Why not change the code to check the return value?

> ps: you should have cc'd -deity.

Sorry. My fail.

-- 
O T A V I O   S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-




Re: can touch(1) readonly files

2003-05-12 Thread Bernd Eckenfels
On Tue, May 13, 2003 at 03:02:05AM +0200, Wouter Verhelst wrote:
> > $ chmod -w f; touch -d 'next year' f; ls -l f
> > -r--r--r-- 1 jidanni jidanni 666 2004-05-13 03:02 f
> 
> You can only do that if you have write permissions to the directory the
> file is in; if not:

which is not quite true:

gast:sandbox> ls -la 
drwxrwxrwx    2 ecki ecki    28 May 13 03:30 .
drwxrwxr-x  217 ecki ecki 45056 May 13 03:28 ..
-r--r--r--    1 ecki ecki     0 May 13 03:28 bla
-rw-r--r--    1 gast ecki     0 May 13 03:29 fasel
-rw-rw-rw-    1 ecki gast     0 May 13 03:30 bar
gast:sandbox> id
uid=1010(gast) gid=1010(gast) groups=1010(gast)
gast:sandbox> touch bla
touch: cannot touch `bla': Permission denied
gast:sandbox> touch fasel
gast:sandbox> touch bar
gast:sandbox> ls -la
drwxrwxrwx    2 ecki ecki    28 May 13 03:30 .
drwxrwxr-x  217 ecki ecki 45056 May 13 03:28 ..
-r--r--r--    1 ecki ecki     0 May 13 03:28 bla
-rw-r--r--    1 gast ecki     0 May 13 03:32 fasel
-rw-rw-rw-    1 ecki gast     0 May 13 03:32 bar


as you can see "gast" can only touch fasel and bar, but not bla. bla is
neither owned nor writeable by gast, even though the dir is world-writeable.

> This is because those timestamps are saved in the directory inode

this is because the timestamp and the permission are saved in the file-inode,
and the dir entry has no info about that.

This is btw a "feature" of the kernel, not core-utils.

Greetings
Bernd
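
The results in Bernd's session follow from the kernel's permission rule for changing timestamps, modelled here as an added example (not code from the thread). It goes beyond the session by also covering chosen times as in `touch -d`, following utimensat(2); ecki's numeric ids are assumed, and privileged callers are not modelled.

```python
import os
import stat
import tempfile

ECKI, GAST = 1000, 1010  # gast's ids are from `id` in the session; ecki's are assumed

# owner uid, group gid, mode bits as shown by `ls -la` in the session
LISTING = {
    "bla": (ECKI, ECKI, 0o444),
    "fasel": (GAST, ECKI, 0o644),
    "bar": (ECKI, GAST, 0o666),
}


def may_set_times(euid, gids, st_uid, st_gid, mode, explicit):
    """Unprivileged rule for changing atime/mtime (directory mode is not consulted).

    explicit=False: times set to "now" (`touch f`); True: chosen times (`touch -d`).
    """
    if euid == st_uid:
        return True  # the owner may set any times, whatever the mode bits say
    if explicit:
        return False  # chosen times are reserved to the owner
    if st_gid in gids:
        return bool(mode & stat.S_IWGRP)  # "now" needs write access to the file
    return bool(mode & stat.S_IWOTH)


def touch_results(explicit):
    """What user gast may do to each file in the listing."""
    return {name: may_set_times(GAST, {GAST}, uid, gid, mode, explicit)
            for name, (uid, gid, mode) in LISTING.items()}


def owner_retimes_readonly_file():
    """Really do it: the owner back-dates a 0444 file; returns (mode, mtime)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "f")
        open(path, "w").close()
        os.chmod(path, 0o444)
        os.utime(path, (1_000_000_000, 1_000_000_000))  # constructed timestamp
        st = os.stat(path)
        return stat.S_IMODE(st.st_mode), int(st.st_mtime)


if __name__ == "__main__":
    print("touch f:", touch_results(False), "touch -d:", touch_results(True))
    print("owner, mode 0444:", owner_retimes_readonly_file())
```

For anyone reading timestamps as evidence: the kernel sets ctime itself when atime or mtime is changed this way, and this call cannot set ctime, so a back-dated mtime sits next to a ctime from the moment of the change.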




Re: can touch(1) readonly files

2003-05-12 Thread Wouter Verhelst
On Tue, May 13, 2003 at 03:10:58AM +0800, Dan Jacobson wrote:
> Gentlemen, what's the deal where one can change the dates on read-only files?
> $ chmod -w f; touch -d 'next year' f; ls -l f
> -r--r--r-- 1 jidanni jidanni 666 2004-05-13 03:02 f

You can only do that if you have write permissions to the directory the
file is in; if not:

[EMAIL PROTECTED]:/usr$ touch -d 'next year' doc; ls -ld doc .
touch: setting times of `doc': Operation not permitted
drwxr-xr-x   16 root root  472 Apr 28 03:21 .
drwxr-xr-x    2 root root 7568 May 13 02:42 doc

This is because those timestamps are saved in the directory inode
instead of in the file inode, so closing down permissions on the file
won't prevent anyone from tampering with timestamps.

-- 
wouter at grep dot be
"An expert can usually spot the difference between a fake charge and a
full one, but there are plenty of dead experts." 
  -- National Geographic Channel, in a documentary about large African beasts.




Re: The Debian Mentors Project

2003-05-12 Thread Colin Watson
On Mon, May 12, 2003 at 05:41:40PM -0600, Jack Moffitt wrote:
> Ivo Marino wrote:
> > Of course we can't actually ensure that all uploaded packages on the
> > system are secure, for now we trust the testers of the system but in
> > future we'll introduce higher security standards.
> > 
> > If someone can already point out an eventual solution for this problem
> > we'll be open to considering any suggestion in order to improve the system.
> 
> Perhaps an easy thing to do would just be to show whether or not a
> package is signed by a key which is signed by a real debian developer.
> Ie, use the web of trust.  Then at least one can be reasonably sure that 
> the maintainer is real.

Surely getting that signature is the whole point of the system in the
first place?

I'd be half-inclined to make the download password-protected; anyone can
get a valid password just by asking, but the expectation is that only
developers should be downloading the packages, and this discourages
people from shoving it into apt lines.

-- 
Colin Watson  [EMAIL PROTECTED]