Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Mark Brown]

On Fri, Aug 29, 2003 at 12:24:37AM +0200, Bernd Eckenfels wrote:
> On Thu, Aug 28, 2003 at 10:41:54PM +0100, Mark Brown wrote:

> > That doesn't help all that much - it's also important see why the bug
> > has been closed.

> Because it is fixed... 

The trick is working out why the maintainer believes the bug to be
fixed.

> > whatever it was I was trying to do when I generated the error rather
> > than by fixing the error handling.

> it wont help you, if it says "print a helpful error message". If you realy

Which is rather easily distinguishable from "Support $STRANGE_REQUEST"
and that's the kind of difference I'm talking about.  It's also a bit
confusing if the bug has been closed in an unexpected fashion - for
example, by supporting a feature with a slightly different syntax to
that expected.  Bug reports aren't always models of clarity and
sometimes maintainers don't always immediately grasp the issues being
discussed.  A few words of explanation can avoid a lot of head
scratching and confusion.

The more informative and helpful the changelog the less chance the
easier it is to resolve any confusion that arises.

> care that much, look up the patch.

"New upstream release, diff only 1.2M!".  

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

Re: Accepted galeon 1.3.7.20030825-1 (i386 source)

[Georg Nikodym]

On Wed, 27 Aug 2003 15:30:44 -0400
[EMAIL PROTECTED] (Allan Wind) wrote:

> On 2003-08-27T09:38:47+0200, Andreas Tille wrote:
> > Moreover I do not like the new hot keys because I was comfortable
> > with
> >   {,}  to go  {back,foreward}
> > which was replaced by some other keys which are used in my special
> > environment for a different purpose.
> 
> Sounds like gnome vs emacs text editing short cuts.  You can switch
> between the two with:
> 
> GNOME | Applications | Desktop Prefences | Keyboard Shortcuts

You know, I've been reading people say this over and over again.  Please
stop because in the case of galeon it has not been true since 1.2.

-g


pgp2PWtVp4EPM.pgp
Description: PGP signature

Re: MEI Whitelist Autoresponse

[Karsten M. Self]

on Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna ([EMAIL PROTECTED]) 
wrote:

> Also, I don't have any hard data to support this, but it's obvious to
> me that the volume of mail generated by virus scanners in response to
> Sobig.f eclipses the volume of TMDA challenges by at least a factor of
> 10.  So far, I haven't received *one* TMDA challenge that was due to
> Sobig, but I've received *hundreds* of messages from virus scanners
> all over the net.
> 
> So, I guess we should add virus scanners to the list of verboten
> software.

My own inbox supports this statement.  140 responses to Sobig.F mails,
of which 43 are virus or other content-based autoresponders, and 97
being delivery failure messages or other autoresponders (e.g.:  ISP help
desk).

The bounces can be reduced.  The virus responses are irresponsible, and
have been for almost two years as the number of sender-spoofing emails
has grown.  I LART a fair number of the responders, report them to
spam-reporting systems, and frequently bounce the mail to the AV
vendor(s) responsible with a nastygram (procmail recipies).

Strongly encouraging virus autoresponders be disabled is also an
independent campaign I've been active in and plan to take to the IT
media mainstream.

Peace.

-- 
Karsten M. Self http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
I managed to love simultaneously -- and this is not easy -- women
and justice.
-- Albert Camus, _The Fall_


pgp0a13OgRHJC.pgp
Description: PGP signature

Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Andreas Metzler]

Adam Heath <[EMAIL PROTECTED]> wrote:
[...]
>>* New upstream release closes many bugs. (Closes: #51230, #61264,
>>  #75800, #77869, #116802, #141597, #158743, #170021, #170059,
>>  #193263, #196254, #197617, #202779, #81389, #200434, #196867)
>>* /usr/lib/jni is now checked for JNI libraries. (Closes: #167936)

> This is not a proper changelog entry.
[...]
> The BTS sends these close messages to the submitter when the bug is closed.
> However, the email above has no reason as to why the bug was closed.  It's not
> sufficient to just say a new upstream version was uploaded, which just happens
> to fix the bug.  As a submitter, would you feel satisified that you had just
> gotten such a mail?

Probably yes because the mail would start with
This is an automatic notification regarding your Bug report #xxx
"with this helpful subject" has been closed.

OTOH anybody else reading the changelog will be disatisfied.
cu andreas

Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Mark Brown]

On Thu, Aug 28, 2003 at 07:37:05PM +0200, Andreas Metzler wrote:
> Adam Heath <[EMAIL PROTECTED]> wrote:

> > to fix the bug.  As a submitter, would you feel satisified that you had just
> > gotten such a mail?

> Probably yes because the mail would start with
> This is an automatic notification regarding your Bug report #xxx
> "with this helpful subject" has been closed.

That doesn't help all that much - it's also important see why the bug
has been closed.  One of the common misunderstandings I've seen is bugs
about poor error handling and diagnostics being closed by supporting
whatever it was I was trying to do when I generated the error rather
than by fixing the error handling.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

Thank You for contacting vis@wildtangent.com

[VIS]

For Questions or Feedback on WildTangent Visualizers, please visit: 
 

Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Pierre THIERRY]

> > As a submitter, would you feel satisified that you had just gotten
> > such a mail?
> Yes, I would.  I would then know that I could fetch the new release to
> see if the problem was really fixed in this release.

I must agree with Adam, and IIRC, there has alreadu been said on that
list that it is an improper use of the changelog.

As a bug sumbitter, I don't want to review source code each time I want
to know if a bug is actually corrected. Simply because for some
packages, I'm just unable to understand their code (being because of the
language used or the complexity...).

And the changelog should be something readable by a human being. making
it clearer can only be a Good Thing.

Explicitly,
le Moine Fou
-- 
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A


pgpBPVY8zsxs0.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Karsten M. Self]

on Fri, Aug 29, 2003 at 12:03:34AM +1000, Russell Coker ([EMAIL PROTECTED]) 
wrote:
> On Thu, 28 Aug 2003 21:35, Karsten M. Self wrote:
> > Which is a damned good reason for Debian not to package
> > viruses and spam mailers.  Or tools which can be readily subverted as
> > such.
> 
> My Postal program can be used for DOS attacks on mail servers, and has been 
> used for such on at least one occasion (*).

"Can be used" and "is designed to do when used as directed" has already
been dealt with and dismissed as a separate case from the one under
consideration.

My understanding of postal is that it is launched at the direction of a
local user.  While this could be embedded into other mechanisms (cgi,
procmail, etc.), it's not packaged or designed specifically for this.

Peace.

-- 
Karsten M. Self http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Spread the real scoop on Xenu and The Church of Scientology, link
   http://xenu.net/";;>Scientology on your website.


pgpDK1orK2Wyr.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Karsten M. Self]

on Thu, Aug 28, 2003 at 03:09:48PM +0200, Andreas Metzler ([EMAIL PROTECTED]) 
wrote:
> Karsten M. Self  wrote:
> [...]
> > SpamAssassin achieves a false-positive rate (non-spam reported as spam)
> > of 5% with a default threshold of 5.  This can be dramatically improved
> > using a whitelist, to ~98% in my experience.  This is not the best
> > performance of all filters, so makes a somewhat generous threshold.
> 
> >http://www.spamassassin.org/dist/rules/STATISTICS.txt
> >http://freshmeat.net/articles/view/964/
> 
> > So a spam-reduction system user would at worst see a typical rate of 2%
> > of spam to be manually disposed of.
> [...]
> 
> You are mixing up percentages. "5% non-spam reported as spam" ... can
> be ... improved to ~98% ...

Correct.  And yes, I was thinking "false-negative".  Spam not flagged as
spam.

What I meant to say was this:

  - Currently feasible content-based filters + whitelists can achieve a
spam rate of 2% of spam passing to the inbox, by independent tests.

  - A C-R system should then target having no more than 2% of challenges
sent be misdirected (based on spoofed headers, etc.).  At this rate,
it's still transferring burden inappropriately, but at a level that
matches a reasonable-case technological alternative.  This also
achieves a secondary goal in the interests of C-R proponents of
keeping the incidence of false challenges low enough that recipients
would be likely to respond to the challenge.


> When I last checked my personal rate with spamassassin 2.55 with
> default rules and no DNS lists or razor (but including a rather well
> trained bayesian filter) and a default threshold of 5, I came up with
> these numbers[1]:
> * 0% false positives, i.e. ham sorted  into the spam folder
> * 10% of the spam was not recognized as such and I had to filter it
>   out by hand.

I use a whitelisting system.  It's based on Lars Wizenius's spamfilter
package, my local add being a shell script to scan messages for sender
to add to white, black, gray, or spam lists.  Mail from previously
unknown senders ends up in a "grey" box.  The principle is the same as
C-R, except that assessment is done by me, rather than a third party.

Peace.

-- 
Karsten M. Self http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Verio webhosting?  Guaranteed downtime:
 http://www.wired.com/news/politics/0,1283,57011,00.html
 http://www.dowethics.com/r/environment/freedom.html


pgp7SQrlsknKk.pgp
Description: PGP signature

Re: New release of ifupdown planned

[Christian Perrier]

Quoting Thomas Hood ([EMAIL PROTECTED]):
> The ifupdown package hasn't been touched by its maintainer for over
> two years and it is about time some of its problems were addressed.
> 
> Since the maintainer of ifupdown doesn't answer repeated attempts
> to contact him by e-mail, I suppose it is appropriate to report
> here that there is a group of people working on a new ifupdown
> release.  Please contact me if you are interested or would like to
> help.  We would like to have a release ready well before the

As bug reporter and translator, I'm interested in getting 200786
fixed. It is very easy to do so, as the patch is there.

Maybe have a look to see whether other translations for debconf
templates are already sitting in the BTS. If so, they probably need
some work as they are against "old-style" debconf templates. I'd be
glad to help incorporating those.

This is the only field I can really help.

(CC to list)

Re: MEI Whitelist Autoresponse

[Peter Whysall]

on Thu, Aug 28, 2003, Adam McKenna ([EMAIL PROTECTED]) wrote:
> So, I guess we should add virus scanners to the list of verboten software.

How about we qualify that; "virus scanners that stupidly send email" ?

P.

-- 
[EMAIL PROTECTED]
The IWETHEY project: http://www.iwethey.org


pgp0MEXmH8lzK.pgp
Description: PGP signature

Re: DebToo: Debian, Gentoo-style

[Goswin von Brederlow]

Diego Calleja =?ISO-8859-15?Q?Garc=EDa?= <[EMAIL PROTECTED]> writes:

> El Wed, 27 Aug 2003 22:22:28 +1000 Glenn McGrath <[EMAIL PROTECTED]> escribió:
> 
> > Source based distro's are more bandwidth friendly as the source can be
> > reused to produce new revisions of existing packages.
> > 
> > As a developer i would _much_ rather have a cache of old source code
> > than a cache of stale binaries.
> 
> Or not. For sid I'd choose binary; woody would benefit from source. I think.
> 
> Take into account the time you waste compiling. What do you want to
> pay, bandwith or CPU usage? The answer isn't the same for everybody...
> (if we want to touch perfection)

And calculate the amount of time you need to run the programm (if its
faster at all) to save the time spend compiling it.

> > USE settings are the best packaging innovation since apt.
> > 
> > Optimised binaries wont run slower than non-optimised binaries.
> 
> It depends a lot of what "optimizations" you do. (It'd be interesting
> to measure gentoo's systems compiled from scratch with -O3. They even
> compile kernels with -O3; this has been measured and kernels are slower)

Which holds true for many cases.

> The main problem with debian vs optimizations is that we compile for i386
> code, which sucks. Most of the debian people use i586/i686 systems today.
> Why are we compiling code for a small minority that still uses a 486 as
> routing box? I386 could very well be a subproyect. I don't think
> any i386 needs X 4.3 with gnome/kde, so why are providing binaries
> optimized for a machines which aren't going to use them?

Actually Debian does not support i386 anymore for compatibility
reasons with other linux distriibutions. You canget the basics running
but anything that uses c++ will fail. And whats Debian without apt?

I'm not sure how much, if at all, would be gained by compiling
everything for i486.

Also note that for some cpu intensive libraries optimized versions are
used, like openssl. Debian supports that fully and if you have another
candidate talk to the maintainer. Its easy to do and in the case of
openssl the speed improvement was a factor of 11 iirc for the most
drastic arch.

> > We have the begginings of support for user optimised binaries, but we
> > have a long way to go before catching upto gentoo.
> > 
> > We shouldnt be so wrapped up in our own importance that it blinds us to
> > the community. Gentoo is doing something right.
> 
> I'm already doing optimised binaries in Debian. It's already there
> (Just too complex).
> 
> I don't like gentoo 100%. It does some good things, but it doesn't do most
> of them in the right way; IMHO.
> 
> 
> To start with; we don't want to make a distro which has to be recompiled.
> Binary packages are cool for installations.
> (Gentoo could do this as a subset of their system "get that specific
> architecture; get a standard USE selection, make packages and burn a iso
> which installs 100% binary packages")
> 
> Some issues with a USE flag for me are:
> 
> o USE benefits would have to be measured. What's the cost of everything
>   depending of everything? How configurable can be a gentoo system;
>   that it can justify a USE flag? Can't we compile things with everything
>   compiled in; and just provide binary packages for some specific options?
> 
> o It's THE reason why gentoo doesn't provide binary packages.(Actually; gentoo
>   could solve this with a good p2p-based distribution system for packages. 
> It'd
>   be also cool to have a p2p method for apt and download optimised binaries...
>   we could keep the MD5s at debian.org and check against them before 
> installing)

Its being thought about / worked on. An extension of bittorrent in
this case.

> o If you change a flag in a package; you should recompile all the 
> dependencies.
>   This is important. This makes reconfiguration of a system REALLY _hard_ 
> (Gee,
>   I got this new hardware which supports X feature and now I'll recompile 200
>   libraries). Do we want this just to get a 'better' package system?

That shouldn't be so harsh. The libraries iterface should stay the
same when changing just minor flags and when you add more libs to be
linked into the lib (say adding jpeg support ot imagelib) all apps
should eigther depend on the libjpeg and get recompiled that way or
should not have to care.

Most flags can be handled internally in a package or autoprobed at
runtime.

It would still be hell to get a dependency moddel for it and get it
right. Far too many combinations to test to notice all bugs.

> o If at the end you need a USE flag because it allows a good configuration;
>   what you really should do? Write a new package system because apt sucks?
>   Or fix your software because it doesn't allow dynamic configuration of some
>   settings?
> 
> (NOTE: I'm not suggesting gentoo sucks; just wondering what people thinks...)
> 
> o I've other things in mind, but I've to sleep.
> 
> 
> (I think at the end we'll come with this conclusion:

Re [9]:

[wubucat]

Title: ppE






Debian-devel TIVtG Miss QUj .
I wish IUl H
wNMZyeocXpi Great.
  

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Adam McKenna]

On Thu, Aug 28, 2003 at 10:27:43AM -0700, Rick Moen wrote:
> Quoting Adam McKenna ([EMAIL PROTECTED]):
> 
> > I suggest you take these suggestions to the TMDA worker's mailing list at 
> > tmda.net, and file wishlist bugs against TMDA for each desired feature.
> 
> This is an attempt to change the subject:  The issue at hand is the
> cited maintenance (and acceptance) issues concerning the Debian package.
> 
> If on the other hand the above was just a novel way to say "No" and dig
> in your heels, there are more direct (and concise) ways to do it, ja?

I don't intend to implement Karsten's requests myself, so it makes sense 
that he take his beef upstream.  I am happy to forward his wishlist bugs 
upstream, but since I do not have as fervent a desire to see them 
implemented, Karsten will probably be a better advocate.

--Adam
-- 
Adam McKenna  <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]>

Re: DebToo: Debian, Gentoo-style

[Joey Hess]

Goswin von Brederlow wrote:
> Best would be if you could easily select the additional features
> compiled in, like jpeg support.
> 
> You select gimp and it sees no libjpeg. It suggests libjpeg and one
> has the choice. If libjpeg is then installed all packages that can use
> libjpeg will also pop up and ask to be rebuild to take advantage of
> it. That would be nice but a big change to debians sources.

dlopened libraries (ie, plugins) are a much better way to handle this.

-- 
see shy jo


pgpDxTDcKlruc.pgp
Description: PGP signature

Re: Sarge+1: ideas for Experimental V1.2 (or is that 0.2?)

[Goswin von Brederlow]

Andreas Barth <[EMAIL PROTECTED]> writes:

> * Goswin von Brederlow ([EMAIL PROTECTED]) [030828 03:50]:
> > Andreas Barth <[EMAIL PROTECTED]> writes:
> > > We've often had whining here about sid breaking something production
> > > critical. Well, sid is not meant to be used for that, but enough
> > > people do. (In other words: I don't trust the users enough that they
> > > will make the right choices.) So, in theory you're right. In practice
> > > users will manage to break.
> 
> > The problem is that woody is to old for many users. Thats why they use
> > sid. Experimental and sid would be just days/weeks apart
> > versionwise. There would be no big need for users to choose
> > experimental.
> 
> Really? The latest glibc in sarge is from 2003-03-22, and there are
> currently 1103 packages waiting for glibc.

What has that got to do with anything?

Packages from experimental should never move into sid as said
repeadetly on this thread. And recompiling sources for sid solves any
such mass blockage as caused by a glibc update.

> > > Only way out. But - who wants on-the-fly autobuilding can do that also
> > > now. Perhaps a bit of infrastructure can be added for this (e.g. new
> > > build-depends-headers like:
> > > build-depends-woody: ... which supersede the original b-d header if
> > > builded under woody). But in general you can build packages quite easy
> > > today with apt-get source package, apt-get build-dep package, cd
> > > directory, dpkg-buildpackage -rfakeroot. Perhaps you should package an
> > > easy script for that, but that's all that can be done for that.
> 
> > Build-depends are fine for it. It just need some nicer way to set this
> > up for the user. It needs to run with a single command preferably. At
> > the moment you have to do an update, look ast an upgrade (but don#t do
> > it), get sources of all packages and compile, dpkg -i the debs.
> 
> #! /bin/sh
> cd /clean/place/to/build
> apt-get update
> apt-get source $1
> apt-get build-dep $1
> cd $1*
> dpkg-buildpackage -uc -b
> dpkg -i ../*.deb
> 
> (Well, if you want binary packages to be selectable, you need a few
> more code-lines, same for compiling only when necessary, and for
> better inclusion into normal apt-get-process.)

That pollutes your client with -dev packages. It also removes packages
that build-conflict and it fails quite a lot.

For on-the-fly compiling a chroot is pretty much a must in my opinion.

MfG
Goswin

PS: Seen the "FTBFS: tries to write to /foobar" like bugreports?

Re: ITA freedict

[Bob Hilliard]

Steve Langasek <[EMAIL PROTECTED]> writes:

 . . .

> LOCPATH=/tmp/usr/lib/locale dictfmt --locale
> ($LOCALE_NAME).$(LOCALE_CHAR= SET) ought to have the desired effect.
> All locale-related glibc functions should respect the value of LOCPATH

 Thanks, Steve.  It works as advertised now.  I had set the value
of LOCPATH earlier in the rules file, but I didn't export it.  PEBCAK!

Regards,

Bob
-- 
   _
  |_)  _  |_Robert D. Hilliard<[EMAIL PROTECTED]>
  |_) (_) |_)   1294 S.W. Seagull Way <[EMAIL PROTECTED]>
Palm City, FL 34990 USA   GPG Key ID: 390D6559 

Re: Accepted galeon 1.3.7.20030825-1 (i386 source)

[Georg Nikodym]

On Thu, 28 Aug 2003 13:28:40 -0400
[EMAIL PROTECTED] (Allan Wind) wrote:

> On 2003-08-28T13:20:20-0400, Georg Nikodym wrote:
> > You know, I've been reading people say this over and over again. 
> > Please stop because in the case of galeon it has not been true since
> > 1.2.
> 
> It worked for me with Galeon 1.3.7, and I guess for those other
> people... ;-)

Indeed ;-)  I'm prepared to accept that this might be a local problem
since I don't run all of the gnome tripe (I use pwm).  But galeon _does_
cause gconfd to run which is from whence I thought this configuration
info comes.  And yes, my keyboard shortcuts are most definitely set to
Emacs.

Thanks anyway.

/me considers the pain involved in moving to firebird

-g


pgpyNE9HC8fsL.pgp
Description: PGP signature

Re: Accepted galeon 1.3.7.20030825-1 (i386 source)

[Allan Wind]

On 2003-08-28T13:20:20-0400, Georg Nikodym wrote:
> You know, I've been reading people say this over and over again.  Please
> stop because in the case of galeon it has not been true since 1.2.

It worked for me with Galeon 1.3.7, and I guess for those other
people... ;-)


/Allan
-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA


pgpqRtYZzm2rO.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Rick Moen]

Quoting Adam McKenna ([EMAIL PROTECTED]):

> I suggest you take these suggestions to the TMDA worker's mailing list at 
> tmda.net, and file wishlist bugs against TMDA for each desired feature.

This is an attempt to change the subject:  The issue at hand is the
cited maintenance (and acceptance) issues concerning the Debian package.

If on the other hand the above was just a novel way to say "No" and dig
in your heels, there are more direct (and concise) ways to do it, ja?

-- 
Cheers,  "The only good goth is a shoggoth"
Rick Moen   -- Alistair J.R. Young, in r.a.sf.w.r-j
[EMAIL PROTECTED]

Re: On packages depending on up-to-date data (was Re: Snort: Mass Bug Closing)

[Javier Fernández-Sanguino Peña]

On Tue, Aug 26, 2003 at 01:29:31AM +0200, Javier Fernández-Sanguino Peña wrote:
> [Short version: see the patch below.]

(after a few days w/o answers from Snort's maintainer)

Sander, any comments wrt to this patch? Please at least say wether you are 
going to forward this to Snort maintainers or use it in order to not break 
snort packages on upgrades. 

(grumble, grumble)

Thanks.

Javi


pgpVMMl6QErYP.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Wouter Verhelst]

On Fri, Aug 29, 2003 at 01:42:53AM +1000, Russell Coker wrote:
> On Fri, 29 Aug 2003 01:32, Wouter Verhelst wrote:
> > > I disagree with your conclusions regarding putting viruses in Debian.  I
> > > think it would be a useful service for people who analyse such things to
> > > have copies of viruses in usable form.
> >
> > The EICAR.COM test pattern exists solely for that purpose. I wouldn't
> > have any problem with putting testpatterns in packages that are supposed
> > to do some security tests (or something similar), but putting viruses in
> > the Debian archive is a bad idea.
> 
> Test patterns can't be executed and thus miss most of the value of a live 
> virus for analysis purposes.

Ah, *that* kind of analysis :-)

> I know that most people would disagree with me strongly on this issue, so I 
> wouldn't bother pushing it even if it wasn't for the issue of Debian packages 
> not being for arbitary binaries.
> 
> > If I misunderstood you, please ignore this mail :-)
> 
> I think you simply disagree with me so greatly on this issue that you 
> couldn't 
> believe I meant what I said.

No, I really misunderstood you. In fact, I keep a copy of all viruses
that are sent to me in a directory on my mailserver. Think of it as a
collection; not that I would analyse them, but they could become handy
for other purposes.

> It's no big deal.  As I have other reasons for thinking that live viruses 
> don't belong in Debian we can at least agree to not have them, even though we 
> disagree on the reasons for not having them.

:-)

[...]

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.


pgpM7zJ5H7RS1.pgp
Description: PGP signature

Re: New release of ifupdown planned

[Branden Robinson]

On Thu, Aug 28, 2003 at 02:14:13PM +1000, Anthony Towns wrote:
> On Wed, Aug 27, 2003 at 09:36:31PM +0200, Thomas Hood wrote:
> > Since the maintainer of ifupdown doesn't answer repeated attempts
> > to contact him by e-mail, I suppose it is appropriate to report
> > here that there is a group of people working on a new ifupdown
> > release.  
> 
> The term is "an ifupdown NMU".
> 
> You certainly should not be considering hijacking it.

Why not?  *If* you're acting just like a vanished maintainer with
respect to that package, but are prominently visible elsewhere in the
Project, what does that tell us about your relative level of commitment
to ifupdown?

Is that level of commitment to the package measurably higher or lower
than that of a person who is not active in the project at all?  If
higher, how do we objectively measure that?

Guy Maor said he didn't need people taking over his packages either, and
then promptly went back to completel ignoring them and being utterly
inactive in the Project.  They've since been hijacked, and are
maintained by people who appear to actually give a damn.

Whether a package has been orphaned is not something that can be
determined simply from examining its Maintainer: field.

-- 
G. Branden Robinson|Computer security is like an onion:
Debian GNU/Linux   |the more you dig in, the more you
[EMAIL PROTECTED] |want to cry.
http://people.debian.org/~branden/ |-- Cory Altheide


pgpN6HhVGgerG.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Chad Walstrom]

On Thu, Aug 28, 2003 at 12:35:25PM +0100, Karsten M. Self wrote:
> Thanks to all who've commented on this topic.  Interesting reading.

Likewise, Karsten.  That was a very well written rebuttal to a C-R
systems.  You followed up with suggetions on using C-R only as a last
resort in a mail management tool and only after a modest attempt at
detecting spoofed headers was made.  I think you've hit upon the core of
the issue: no one filtering techniqueue is bullet-proof on its own.  The
author of TMDA acknowledges this on the TMDA website.  It really
shouldn't be used as a sledgehammer solution.

-- 
Chad Walstrom <[EMAIL PROTECTED]>   http://www.wookimus.net/
   assert(expired(knowledge)); /* core dump */


pgpeSkyhtZvsW.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Adam McKenna]

On Thu, Aug 28, 2003 at 05:10:07PM +0100, Mark Brown wrote:
> On Thu, Aug 28, 2003 at 08:21:22AM -0700, Adam McKenna wrote:
> > On Thu, Aug 28, 2003 at 12:35:25PM +0100, Karsten M. Self wrote:
> 
> > >   - TMDA should carry a warning to the user about possible consequences
> > > of activating the C-R mechanism, including sending spam, risking
> 
> > Sorry, but no.  I will not do this.  The user presumably knows what he is
> > installing.
> 
> It's entirely reasonable to ask that the documentation be improved to
> cover the problems that may arise from using the package.  Saying that
> the user already knows what the package does isn't entirely helpful
> since the user may be looking at the package trying to see if it's
> something worth investigating rather than already being an expert user.

I've already stated that I am more than willing to add documentation.  What I
will not do is put in some sort of scary warning that makes people change
their mind about using the software.  They can go look at Karsten's website
if they want that.  And no, I'm not putting in a link.

--Adam
-- 
Adam McKenna  <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]>

Undelivered mail: Thank you!

[DrWeb-DAEMON]

Dear User,

the message with following attributes has not been delivered,
because contains an infected object.

Sender = debian-devel@lists.debian.org (may be forged)
Recipients = [EMAIL PROTECTED] 
Subject = Thank you!
Message-ID = h7SGGNrS075610

Antivirus filter report:
--- Dr.Web report ---
Following virus(es) has been found:
infected with Win32.HLLM.Reteras


Dr.Web detailed report:
drweb.tmp_Pzo2nL/[text/plain] - Ok
drweb.tmp_Pzo2nL/wicked_scr.scr infected with Win32.HLLM.Reteras


Dr.Web scanning statistic:
Infected : 1

--- Dr.Web report ---

The original message was stored in archive record named: 
drweb.quarantined_dcYF9x 
In order to receive the original message, please send request to 
<[EMAIL PROTECTED]>, referring to the archive record 
name given above.

---
   Antivirus service provided by Dr.Web(R) Daemon for Unix
   (http://www.drweb.ru, http://www.dials.ru/english)
Уважаемый Отправитель debian-devel@lists.debian.org !

Сообщение, отправленное с Вашего адреса (возможно вирусом 
с другого компьютера) по адресу(ам) [EMAIL PROTECTED] 
инфицировано и не было доставлено.

--- Dr.Web report ---
Найден(ы) следующий(е) вирус(ы):
infected with Win32.HLLM.Reteras


Детализированный отчет Dr.Web:
drweb.tmp_Pzo2nL/[text/plain] - Ok
drweb.tmp_Pzo2nL/wicked_scr.scr infected with Win32.HLLM.Reteras


Статистика сканирования Dr.Web:
Infected : 1

--- Dr.Web report ---

Ваше сообщение сохранено в карантине под именем:
drweb.quarantined_dcYF9x

Чтобы получить это сообщение, обратитесь к администратору
по адресу <[EMAIL PROTECTED]>, указав имя, под которым
Ваше сообщение сохранено в карантине.

---
   Антивирусная защита почтовых серверов
   Dr.Web(R) Daemon for Unix (разработан в Daniloff's Labs)
   (http://www.drweb.ru, http://www.DialogNauka.ru)
Received: from ns.rnd.runnet.ru [195.208.245.251]
	by asterix.rsu.ru (Dr.Web Sendmail filter 4.29.10a)
	id h7SGGNrS075610; Thu, 28 Aug 2003 20:16:23 MSD
Received: from LAB3 ([202.120.48.12])
	by ns.rnd.runnet.ru (8.12.6p2/8.9.3) with ESMTP id h7SGG7Ar085168
	for <[EMAIL PROTECTED]>; Thu, 28 Aug 2003 20:16:13 +0400 (MSD)
Message-Id: <[EMAIL PROTECTED]>
From: 
To: <[EMAIL PROTECTED]>
Subject: Thank you!
Date: Fri, 29 Aug 2003 0:17:29 +0800
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="_NextPart_000_04D44F22"

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Russell Coker]

On Thu, 28 Aug 2003 21:35, Karsten M. Self wrote:
> Which is a damned good reason for Debian not to package
> viruses and spam mailers.  Or tools which can be readily subverted as
> such.

My Postal program can be used for DOS attacks on mail servers, and has been 
used for such on at least one occasion (*).

I disagree with your conclusions regarding putting viruses in Debian.  I think 
it would be a useful service for people who analyse such things to have 
copies of viruses in usable form.  I am not requesting them only because 
arbitary archives of files don't belong in Debian.  Debian packages are for 
programs that comprise parts of the distribution and for data files used for 
them, not arbitary other data.

I believe that Linux based tools for auditing network security belong in 
Debian.  We rightly have nmap and nessus, other tools of a similar nature 
also belong in Debian.

If DMCA issues prevent distribution of such things through the US then they 
can go in non-US.


(*)  An idiot complained to me because the URL for Postal was in the headers 
of the thousands of messages they received.  It didn't occur to them that the 
URL was there to inform any victim of an attack of what they were facing, and 
is also intended to be a conveniant header string that can be blocked in a 
mail server to stop such an attack.  Presumably other more intelligent people 
had their servers attacked by Postal and were smart enough to configure their 
header checks without bothering me.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: MEI Whitelist Autoresponse

[Dave Carrigan]

On Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna wrote:

> Also, I don't have any hard data to support this, but it's obvious to me
> that the volume of mail generated by virus scanners in response to Sobig.f
> eclipses the volume of TMDA challenges by at least a factor of 10.  So far, 
> I haven't received *one* TMDA challenge that was due to Sobig, but I've 
> received *hundreds* of messages from virus scanners all over the net.

Yes, and every single administrator that's configured their virus
scanner to bounce to envelope deserves a swift kick upside the head. 

> So, I guess we should add virus scanners to the list of verboten software.

No, but they should be configured to *not* bounce to envelope sender.

As for email challenges, I've actually received a lot of them. Every
single one of them so far has been for messages I have not sent (spam
and viruses with my forged email address). I no longer read them, but
dump them just like I dump the 'virus in your email' messages. So, if I
ever send mail to a legitimate person who has CR, he's never going to
get my message, because I refuse to waste my time reading CR requests
any more.

-- 
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL

Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Petter Reinholdtsen]

[Adam Heath]
> As a submitter, would you feel satisified that you had just gotten
> such a mail?

Yes, I would.  I would then know that I could fetch the new release to
see if the problem was really fixed in this release.

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Mark Brown]

On Thu, Aug 28, 2003 at 08:21:22AM -0700, Adam McKenna wrote:
> On Thu, Aug 28, 2003 at 12:35:25PM +0100, Karsten M. Self wrote:

> >   - TMDA should carry a warning to the user about possible consequences
> > of activating the C-R mechanism, including sending spam, risking

> Sorry, but no.  I will not do this.  The user presumably knows what he is
> installing.

It's entirely reasonable to ask that the documentation be improved to
cover the problems that may arise from using the package.  Saying that
the user already knows what the package does isn't entirely helpful
since the user may be looking at the package trying to see if it's
something worth investigating rather than already being an expert user.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

automated response

[spambox]

This email has been detected by Preferred Designs mail server as a Virus or 
Spam!
Your email was deleted and did not reach its destination. This is a courtesy to 
our customers in a continuing effort to rid the internet of spam and viruses. 
For information please visit http://www.preferreddesigns.com

化工行业信息！

[kd3000]

尊敬的女士/先生您好：

请原谅我们用此方式给您带来信息！


我们是深圳市金迪尔科技公司。在化工网站得到了您的联系邮址，让我有机会向您介绍一下我们的产品化工生产管理系列软件―――“化工生产管理专家”和化工配方生产管理软件！


这个软件是用于化工厂的化工配方生产管理及与配方生产有关的原材料、产成品、中间品等物资的库存管理、销售订单管理、分检管理等等，这些一系列与生产管理息息相关的管理软件。

欢迎访问我们公司网站 http://www.kd3000.net

如果您对这个产品有兴趣，可以直接下载使用。

下载地址：http://kd3000.net/hg/index.htm


由于化工厂配方计算和生产方式有不同，网上《通用生产管理软件》是适合普通化工厂家使用的。我们还有相应的分类行业版本。如：对提炼型生产流程的配方计算（例如活性炭生产厂家）；对按容器大小生产流程的配方计算支持（例如高分子聚合生产厂家）；精细化工行业专版等。

您也可以直接发EMAIL或电话咨询，我们将向您提交适合您的分类版本。
联系电话：0755-83629498  83634372  联系人：李小姐陈先生
[EMAIL PROTECTED]


感谢你浏览此信！顺祝生意兴隆！

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Russell Coker]

On Fri, 29 Aug 2003 01:32, Wouter Verhelst wrote:
> > I disagree with your conclusions regarding putting viruses in Debian.  I
> > think it would be a useful service for people who analyse such things to
> > have copies of viruses in usable form.
>
> The EICAR.COM test pattern exists solely for that purpose. I wouldn't
> have any problem with putting testpatterns in packages that are supposed
> to do some security tests (or something similar), but putting viruses in
> the Debian archive is a bad idea.

Test patterns can't be executed and thus miss most of the value of a live 
virus for analysis purposes.

I know that most people would disagree with me strongly on this issue, so I 
wouldn't bother pushing it even if it wasn't for the issue of Debian packages 
not being for arbitary binaries.

> If I misunderstood you, please ignore this mail :-)

I think you simply disagree with me so greatly on this issue that you couldn't 
believe I meant what I said.

It's no big deal.  As I have other reasons for thinking that live viruses 
don't belong in Debian we can at least agree to not have them, even though we 
disagree on the reasons for not having them.


PS Before someone raises the issue of license of viruses.  I believe that 
anyone who distributes a virus does so with the desire that it be installed 
on as many systems as possible and that the implied license permits you to 
have a copy of it for whatever purposes you desire.  People who wish to limit 
the use of their software in any way should make it refrain from installing 
itself on hundreds of thousands of machines without the consent of the 
owners.  :-#

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Adam McKenna]

On Thu, Aug 28, 2003 at 12:35:25PM +0100, Karsten M. Self wrote:
> #2, Misplaced burden, is the reason for the 'grave' severity.

People have a right to ask that unkown people that e-mail them confirm the
e-mail.  I'm sorry you don't agree with this, but your opinion is hardly
justification for a grave bug.

>   - TMDA should carry a warning to the user about possible consequences
> of activating the C-R mechanism, including sending spam, risking
> blacklisting or registration in spam-reduction services such as
> SpamCop, and a likelihood that some, and perhaps a majority of
> challenges will not be responded to.  The warning should require the
> user to assume full responsibility for doing so.

Sorry, but no.  I will not do this.  The user presumably knows what he is
installing.

>   - Configuration templates for C-R challenges _must_ incorporate virus
> and spam filtering, _prior_ to issuing a C-R challenge.  Preferably,
> tests against obvious header spoofing, if possible, should be
> performed.  Debian tmda packages _must_ depend on corresponding spam
> and virus filters, if this functionality isn't built into TMDA.
> 
>   - Additional strong validation mechanisms, including RFC 2015 PGP
> signed mail and S/MIME signatures, _must_ be used to validate
> sender, including use of web of trust to identify a reasonable
> probability of trusted user status.
> 
>   - If possible, TMDA should be moved to SMTP-time filtering, so that
> mail rejection occurs at SMTP time.  As SMTP doesn't offer a
> protocol for challenge-response, this introduces interesting
> challenges for TMDA's developers.
> 
>   - TMDA's performance _must_ be independently validated and the target
> maximum of 2% challenges to spoofed addresses be confirmed.
> 
> 
> 
> I'm not going to pretend that these are easy fixes.  I'm not a user of
> this package.  I _am_ negatively impacted by it, however, and if it
> continues to display similarly poor consideration of security, abuse,
> and adverse side effects, I fear for Debian, SPI, and the generosity of
> our sponsors.  I do feel the remedies are necessary and advised.  They
> should be communicated upstream, naturally.

I suggest you take these suggestions to the TMDA worker's mailing list at 
tmda.net, and file wishlist bugs against TMDA for each desired feature.

--Adam

-- 
Adam McKenna  <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]>

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Wouter Verhelst]

On Fri, Aug 29, 2003 at 12:03:34AM +1000, Russell Coker wrote:
> On Thu, 28 Aug 2003 21:35, Karsten M. Self wrote:
> > Which is a damned good reason for Debian not to package
> > viruses and spam mailers.  Or tools which can be readily subverted as
> > such.
> 
> My Postal program can be used for DOS attacks on mail servers, and has been 
> used for such on at least one occasion (*).
> 
> I disagree with your conclusions regarding putting viruses in Debian.  I 
> think 
> it would be a useful service for people who analyse such things to have 
> copies of viruses in usable form.

The EICAR.COM test pattern exists solely for that purpose. I wouldn't
have any problem with putting testpatterns in packages that are supposed
to do some security tests (or something similar), but putting viruses in
the Debian archive is a bad idea.

If I misunderstood you, please ignore this mail :-)

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.


pgptsKOmtCJUL.pgp
Description: PGP signature

Re: Accepted kaffe 1:1.1.1-1 (i386 source)

[Adam Heath]

reopen 51230
reopen 61264
reopen 75800
reopen 77869
reopen 116802
reopen 141597
reopen 158743
reopen 170021
reopen 170059
reopen 193263
reopen 196254
reopen 197617
reopen 202779
reopen 81389
reopen 200434
reopen 196867
thanks

On Wed, 27 Aug 2003, Ean R. Schuessler wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> Format: 1.7
> Date: Wed, 27 Aug 2003 17:18:37 -0500
> Source: kaffe
> Binary: kaffe
> Architecture: source i386
> Version: 1:1.1.1-1
> Distribution: unstable
> Urgency: low
> Maintainer: Ean R. Schuessler <[EMAIL PROTECTED]>
> Changed-By: Ean R. Schuessler <[EMAIL PROTECTED]>
> Description:
>  kaffe  - A JVM to run Java bytecode
> Closes: 51230 61264 75800 77869 81389 116802 141597 158743 167936 170021 
> 170059 193263 196254 196867 197617 200434 202779
> Changes:
>  kaffe (1:1.1.1-1) unstable; urgency=low
>  .
>* New upstream release closes many bugs. (Closes: #51230, #61264,
>  #75800, #77869, #116802, #141597, #158743, #170021, #170059,
>  #193263, #196254, #197617, #202779, #81389, #200434, #196867)
>* /usr/lib/jni is now checked for JNI libraries. (Closes: #167936)

This is not a proper changelog entry.

A proper entry is as follows:

* New upstream release.
  * no longer does foo when bar happens. Closes: #12345
  * wrapper script rewritten to not use $$ in tempfile names.  Closes: #12345

Please, everyone remember, a changelog documents *changes*.  It's not a tool
to close bugs automatically.

The BTS sends these close messages to the submitter when the bug is closed.
However, the email above has no reason as to why the bug was closed.  It's not
sufficient to just say a new upstream version was uploaded, which just happens
to fix the bug.  As a submitter, would you feel satisified that you had just
gotten such a mail?

Bug#207643: ITP: monster-masher -- GPL'ed mash'em-up action game for GNOME

[Sven Luther]

Package: wnpp
Version: unavailable; reported 2003-08-28
Severity: wishlist

* Package name: monster-masher
  Version : 1.2
  Upstream Author : Ole Laursen <[EMAIL PROTECTED]>
* URL : http://www.cs.auc.dk/~olau/monster-masher/
* License : GPL
  Description : GPL'ed mash'em-up action game for GNOME

 Monster Masher is a GPL'ed mash'em-up action game for GNOME. Each
 level contains a number of blocks and monsters. You're a little gnome
 running around. By pushing the blocks you can mash the monsters one at
 a time. There are various power-ups and different kinds of monsters.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux iliana 2.4.21 #2 SMP jeu aoû 14 13:48:07 CEST 2003 i686
Locale: LANG=fr_FR.ISO-8859-1, LC_CTYPE=fr_FR.ISO-8859-1

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Hamish Moffatt]

On Wed, Aug 27, 2003 at 05:35:14PM +0200, Florian Weimer wrote:
> That's why it's better to get rid of generic MX secondaries (IOW
> secondaries which are not under you administrative control).  The

Which is fine if you're lucky enough to have root on a set of
conveniently distributed hosts...

> example, you might want to defer a message from a sender whose
> temporarily domain doesn't have any MX (or A) record.  If you do this,
> significant numbers of messages will pile up in the queues of your
> secondary MXes, and their operators won't be happy about that.

So I discovered with recently RBL shutdowns :-)


Hamish
-- 
Hamish Moffatt VK3SB <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

Re: Bits from the RM

[Sven Luther]

On Thu, Aug 28, 2003 at 01:44:09PM +0100, Colin Watson wrote:
> On Thu, Aug 28, 2003 at 01:31:51PM +0200, Sven Luther wrote:
> > On Wed, Aug 27, 2003 at 06:31:03PM -0500, Branden Robinson wrote:
> > > IMO, people who can't keep up with debian-x in its current state
> > > probably don't have the time to be the kind of committer who can
> > > measurably help me get 4.3.0 into sarge.
> > 
> > Well, that is something, but notice that due to the big number of mostly
> > uninformative 'processed' and other BTS mail, i missed the original pm2
> > bug you then forwarded to me, which would not have happened if debian-x
> > was not so high volume. Face it, if you don't read it each day, you can
> > quickly get 100+ new mails, which makes it a bit difficult to follow.
> > 
> > I understand your need to have this info available in the mailing list,
> > but interested people could as well subscribe to the PTS, no need to
> > duplicate things. Replies could still be set to the list or something.
> 
> You could filter out "X-PTS-Keyword: bts-control" ...

Yes, and maybe i will, altough i have been trying to read all of it, but still
its not the nicest solution.

Friendly,

Sven Luther

Bug#207624: ITP: tetrinet -- client and server for tetrinet, a networked tetris version

[Gerfried Fuchs]

* Josselin Mouette <[EMAIL PROTECTED]> [2003-08-28 13:06]:
> Le jeu 28/08/2003 à 12:35, Gerfried Fuchs a écrit :
>>  About the name of the package: Discussable, but I don't really know
>> what to use else. The package is simply called tetrinet upstream.
> 
> Why not split into tetrinet-server and tetrinet-client?

 The server binary has only 16k compared to 61k client binary, and I
dislike the idea of the overhead for this small packages.  Beside that,
I don't think that I will provide an init.d script for it neither,
doesn't make much sense IMNSHO.

 I talked with fabbione a little bit about it, maybe I will leave out
the tetrinet-server binary completely, it doesn't offer anything fancy
anyway so people who like to have their own server running should rather
use tetrinetx.

 If I leave it out I might consider naming the package tetrinet-client
as a whole (for the binary -- I guess I'll stick with tetrinet for the
source package).

 I am wait for a reaction from upstream too currently. I will consider
his ideas on the topic, too.

 So long, and thanks for the input.
Alfie
-- 
"Kaum wird das Wetter schlechter und die Tage kürzer, fallen die
Newbies über das Netz her wie die Blätter von den Bäumen."
 (Ulf Schaefer in de.talk.jokes)


pgpFJLMwRKM7F.pgp
Description: PGP signature

Bug#207640: ITP: xoops -- XOOPS is a dynamic oject-oriented web portal system written in PHP

[Francesco Paolo Lovergine]

Package: wnpp
Version: unavailable; reported 2003-08-28
Severity: wishlist

* Package name: xoops
  Version : 2.0.3
  Upstream Author : Kazumi Ono, Goghs Cheng, et al,
See [EMAIL PROTECTED]
* URL : http://www.xoops.org/
* License : GPL
  Description : XOOPS is a dynamic oject-oriented web portal system written 
in PHP

  XOOPS  is a  dynamic OO  (Object  Oriented) based  open source  portal
  script written in PHP. XOOPS is the ideal tool for developing small to
  large  dynamic community  websites, intra  company portals,  corporate
  portals, weblogs and much more.

  The goals  with XOOPS team  is to  create a Content  Management System
  (CMS) for users  and developers that installs out of  the box offering
  unparalleled ease of  use, support and management. The  XOOPS CMS will
  be  extendable by  the use  of modules  installable through  a unified
  admin interface.  The ultimate goal of  the XOOPS team is  to take the
  best features of  current CMS's and roll them into  an Open Source CMS
  that's  easy to  use,  extendable and  unparalleled  in the  Free/Open
  Source Community.


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux klecker 2.4.21-3-686 #1 Sun Jul 20 16:11:09 EST 2003 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Andreas Metzler]

Karsten M. Self  wrote:
[...]
> SpamAssassin achieves a false-positive rate (non-spam reported as spam)
> of 5% with a default threshold of 5.  This can be dramatically improved
> using a whitelist, to ~98% in my experience.  This is not the best
> performance of all filters, so makes a somewhat generous threshold.

>http://www.spamassassin.org/dist/rules/STATISTICS.txt
>http://freshmeat.net/articles/view/964/

> So a spam-reduction system user would at worst see a typical rate of 2%
> of spam to be manually disposed of.
[...]

You are mixing up percentages. "5% non-spam reported as spam" ... can
be ... improved to ~98% ...

I would not use a filter which would tag 98% of my regular mail as
spam.

Perhaps you wanted to write 2%? No, does not match either, because the
last sentence does not talk about false-positive at all, it talks
about false negatives, i.e. spam that was tagged as non-spam.

When I last checked my personal rate with spamassassin 2.55 with
default rules and no DNS lists or razor (but including a rather well
trained bayesian filter) and a default threshold of 5, I came up with
these numbers[1]:
* 0% false positives, i.e. ham sorted  into the spam folder
* 10% of the spam was not recognized as such and I had to filter it
  out by hand.

Of course the numbers depend a lot on the people you are communicating
with, if your partners used Lotus Notes and sended everything in html
you might get false positives with score 5.

A properly trained bogofilter will give better results but is not
as effective as site wide service an requires more work to keep it
properly trained.
cu andreas
[1] I am quite happy with these, I can live with ~10 spams per day in
my inbox.
-- 
Hey, da ist ein Ballonautomat auf der Toilette!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/

Re: New release of ifupdown planned

[Anthony Towns]

On Wed, Aug 27, 2003 at 09:50:12PM -0700, Joshua Kwan wrote:
> On Thu, Aug 28, 2003 at 02:14:13PM +1000, Anthony Towns wrote:
> > The term is "an ifupdown NMU".
> For crying out loud, it's been NMUed four times in a row already..

Yes, all of which were checked over by me first, and done with approval.

> > You certainly should not be considering hijacking it.
> Why not? 

Because it's not remotely necessary or appropriate.

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> 
I don't speak for anyone save myself. GPG signed mail preferred.

   ``Is this some kind of psych test?
  Am I getting paid for this?''


pgp2QxOQaffBO.pgp
Description: PGP signature

Bug#207624: ITP: tetrinet -- client and server for tetrinet, a networked tetris version

[Gerfried Fuchs]

* Alex de Landgraaf <[EMAIL PROTECTED]> [2003-08-28 13:52]:
> Would like to note that tetrinetx and gtetrinet are already in Debian.
> Tetrinetx is the game server voor tetrinet, gtetrinet is the gtk
> tetrinet client.

 I'm fully aware of this.

> Maybe something like tetrinet-ncurses is in order?

 Considering it, yes.

> In any way, having two tetrinet servers would probably break something

 Would break what? Sorry, we have tons of other servers doubled, like
apache and roxen; exim, postfix and sendmail; inetd and xinetd; xdm,
wdm, gdm and kdm...  What shall be different in this very case? Please
be a little bit more verbose...

> (and is redundant),

 Like the above.  Please don't say that if you haven't compared the
posibilities of the different things, otherwise your statement is moo.
I must confess that I haven't checked the real abilities of
tetrinet-server in this package but from what I see currently is that it
is very limited.  On the other hand, it is included in the upstream
source so it would maybe distract the upstream author if he see that it
is not included in the binary package.

> so at least take a look at tetrinetx and contact its maintainer to
> sync things...

 Can you sync postfix with exim, please? Sorry, this sounds strange...
It is not a spin off of tetrinetx, that's the way things work in the
open source/free software community. Different people try their own
approach. Only time will tell which will stay and which will pass away.
I for myself don't like to judge these things and say: "let's kill this
off, it looks moo".

 Hell, you made me defend that little 16k piece of crap, well done :-)

 So long,
Alfie
-- 
 hat einer von euch schon bind9 installiert?
<_eis> das neue root kit? :->
  -- #debian.de


pgp8A30x8oLlz.pgp
Description: PGP signature

Re: Bits from the RM

[Colin Watson]

On Thu, Aug 28, 2003 at 01:31:51PM +0200, Sven Luther wrote:
> On Wed, Aug 27, 2003 at 06:31:03PM -0500, Branden Robinson wrote:
> > IMO, people who can't keep up with debian-x in its current state
> > probably don't have the time to be the kind of committer who can
> > measurably help me get 4.3.0 into sarge.
> 
> Well, that is something, but notice that due to the big number of mostly
> uninformative 'processed' and other BTS mail, i missed the original pm2
> bug you then forwarded to me, which would not have happened if debian-x
> was not so high volume. Face it, if you don't read it each day, you can
> quickly get 100+ new mails, which makes it a bit difficult to follow.
> 
> I understand your need to have this info available in the mailing list,
> but interested people could as well subscribe to the PTS, no need to
> duplicate things. Replies could still be set to the list or something.

You could filter out "X-PTS-Keyword: bts-control" ...

-- 
Colin Watson  [EMAIL PROTECTED]

Bug#207636: ITP: libjabber-ruby -- Ruby client library for the Jabber instant messaging platform

[Idan Sofer]

Package: wnpp
Version: unavailable; reported 2003-08-28
Severity: wishlist

* Package name: libjabber-ruby
  Version : 0.4.0
  Upstream Author : Richard Kilmer <[EMAIL PROTECTED]>
* URL : http://rubyforge.org/projects/jabber4r
* License : BSD style
  Description : Ruby client library for the Jabber instant messaging 
platform

An implementation of the Jabber instant messaging platform client in Ruby

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sufa 2.4.21-3-686 #1 Sun Jul 20 16:11:09 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C

VIRUS IN IHRER MAIL

[virusalert]

  V I R U S   A L A R M

Unser Virenscanner fand den

W32/[EMAIL PROTECTED]

Virus in Ihrer eMail zu den folgenden Empfaengern:

-> [EMAIL PROTECTED]

Der Versand dieser eMail wurde gestoppt!

Bitte ueberpruefen Sie Ihr System auf Viren,
oder bitten Sie Ihren Systemadministrator dies zu erledigen.


Zu Ihrer Information sind hier noch einmal die SMTP Header
von Ihrer infizierten eMail:

>From 
- BEGIN HEADERS -
Received: from localhost ([127.0.0.1]:36703 ident=root)
by bigmama.rosomm-partner.net with esmtp (Exim 4.12)
id 19sLOD-0001Fd-00
for [EMAIL PROTECTED]; Thu, 28 Aug 2003 13:56:33 +0200
Received: from mail.vianetworks.de
by localhost with POP3 (fetchmail-5.9.0)
for [EMAIL PROTECTED] (single-drop); Thu, 28 Aug 2003 13:56:33 +0200 
(CEST)
Received: from mail.du.gtn.com ([unix socket])
by mail.du.gtn.com (Cyrus v2.1.13) with LMTP; Thu, 28 Aug 2003 13:53:23 
+0200
X-Sieve: CMU Sieve 2.2
Received: from IPC-1 (chello080108074196.3.11.vie.surfer.at [80.108.74.196])
by mail.du.gtn.com (8.12.9/8.12.9) with ESMTP id h7SBqr7T029139
for <[EMAIL PROTECTED]>; Thu, 28 Aug 2003 13:52:53 +0200 (MET DST)
Message-Id: <[EMAIL PROTECTED]>
From: 
To: <[EMAIL PROTECTED]>
Subject: Re: Re: My details
Date: Thu, 28 Aug 2003 13:52:54 +0200
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_005AB6C4"
-- END HEADERS --

Re: Accepted galeon 1.3.7.20030825-1 (i386 source)

[Sven Luther]

On Wed, Aug 27, 2003 at 10:21:22PM +0200, Dagfinn Ilmari Mannsåker wrote:
> Matijs van Zuijlen <[EMAIL PROTECTED]> writes:
> 
> >> That's over two months (and two releases) old. The current galeon in
> >> unstable is 1.3.7.20030813-1, which has the "Add bookmark to" submenu at
> >> the top of the bookmark menu.
> >
> > I only have the "Add bookmark" submenu, not the "Add bookmark to"
> > submenu (not the "to"), and I'm running 1.3.7.20030813-1. The "Add
> > bookmark to" menu items used to appear in every bookmark folder, to add
> > bookmarks to that particular bookmark folder.
> 
> Sorry, my memory was playing tricks on me. I remembered seing that menu
> recently, but that was in Mozilla, which I had forgotten that I had used
> a bit lately (only Galeon 1.2.x on the cs lab computers).
> 
> You can, hower, right-click on a folder in the bookmark menu to get the
> sub-menu containing "Add bookmark here".

But not to a particular place in the corresponding folder, so you only
append it, and then have to fire up the bookmark editor to move it to
its right place.

That said, it is a huge improvement from the time that there was no add
bookmark here in the bookmarks folders at all.

Would a add before/after or something such be so difficult to implement ?

Friendly,

Sven Luther

Re: Sarge+1: ideas for Experimental V1.2 (or is that 0.2?)

[Andreas Barth]

* Goswin von Brederlow ([EMAIL PROTECTED]) [030828 13:20]:
> Andreas Barth <[EMAIL PROTECTED]> writes:
> > Really? The latest glibc in sarge is from 2003-03-22, and there are
> > currently 1103 packages waiting for glibc.

> What has that got to do with anything?

This was the part of the mail were we discussed about binary
distribution. For this this is a valid argument. For source-only of
course not, as I always said.


> For on-the-fly compiling a chroot is pretty much a must in my opinion.

It would certainly be a valuable contribution to provide a package
that makes back-compilation easier. But we shifted the goal more than
just a bit.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Steve Lamb]

Just some additional data points as I have been following this and other
related C-R threads for a while now.

On Thu, 28 Aug 2003 12:35:25 +0100
"Karsten M. Self"  wrote:
[ Snip ]
> Specific to my own experience:  over half the C-R challenges (TMDA or
> otherwise) I've received have been for mail I didn't send.  I expect
> this trend to increase in both magnitude and percentage.  I'm likely to
> either ignore messages or filter them with other spam.

The only C-R challenges I've gotten were when I actually responded to Alan
Conner on D-U by accident.  He had a habit of setting his reply-to and
Sylpheed-Claws honored it.  Normally I hit reply and get the list.  This
accounts for 3 C-R ever.  Since they I've gotten at least a hundred or so in
recent days thanks to the virus going around.

[ Snip ]
 
> More chillingly, other users post Sobig.F stats:
 
> TMDA and Sobig.F virus - praise
> Sven Neuhaus <[EMAIL PROTECTED]>
> Thu, 21 Aug 2003 17:04:09 +0200
> http://mla.libertine.org/tmda-users/2003-08/msg00120.html
 
> In the last 3 days, I received more than 4000 copies of the Sobig.F
> virus.  Thanks to TMDA, I didn't even notice it until today (when I
> noticed the 330megs in my pending folder).
 
> That's 4,000 innocent parties spammed with C-R challenges, if I'm
> interpreting what the meaning of 330 MiB in the pending folder is.

This... is scary.  Within hours of one machine trying to hit me I had
blacklisted him at the firewall and implored my secondary MX to do the same. 
It was because each instance of a bounce or the virus itself was 100k.  Praise
for being ignorant of 4Gb of traffic being moved!?  Praise for moving 4Gb in
bounces?  That's bordering on criminal.

[ Snippage ]

> This then leaves a small number of messages daily to be assessed -- they
> are not viruses, spam, or on an existing whitelist.
 
> My question at this point is:  why not simply look at the damned mail
> and figure out for yourself whether or not it's worth reading?  We're
> probably talking something like a couple of items, a few times a week.

I posted a message to d-u a few weeks back with hard stats about that
narrow band.  I think it came down to 4 a week as my rough estimate.  And, so
far, not a single piece in that band was legitimate.  I was in the process of
adjusting sa-exim's limitations downward since the band wasn't so narrow any
more.  With Bayesian filters on, razor checked and auto-learning set to -2 and
+5 for ham and spam respectively my average ham score was quickly approaching
-5 and my average spam score was pushing well over 6 with very little, if
anything, in between.  I think I saw 1-2 pieces a day with scores between
those two points.  I figure if I adjusted my scores downward I would have been
able to cut that close to 1 every 10 days or so.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-


pgpxadPeDtMVs.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Karsten M. Self]

on Thu, Aug 28, 2003 at 08:56:36AM +0200, Rico -mc- Gloeckner ([EMAIL 
PROTECTED]) wrote:
> On Wed, Aug 27, 2003 at 05:40:46PM -0700, Don Armstrong wrote:
> > If possible, perhaps you could consider whitelisting common debian.org
> > address by default? [Things like [EMAIL PROTECTED], [EMAIL PROTECTED],
> > [EMAIL PROTECTED], etc.]
> 
> And would probably defeat the purpose since spammers would know which
> adresses they have to spoof into the From: Header.
> 
> Furthermore, if spammers got that, it might happen that they use
> debian.org adresses as sensible default for From: Adresses which will
> raise the amount of Bounces to debian.org. That sounds like a great way
> for the Project to shoot itself into the feet.

That would be an example of #0.  With a twist.

Peace.

-- 
Karsten M. Self http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   GNU/Linux web browsing mini review:  Galeon.  Kicks ass.
 http://galeon.sourceforge.org/


pgp4TDCrFo7tX.pgp
Description: PGP signature

Re: Bits from the RM

[Sven Luther]

On Wed, Aug 27, 2003 at 06:31:03PM -0500, Branden Robinson wrote:
> On Mon, Aug 25, 2003 at 09:58:31PM +0200, Sven Luther wrote:
> > On Wed, Aug 20, 2003 at 08:11:55PM -0500, Branden Robinson wrote:
> > > Interested parties, please catch up on the last month's worth of traffic
> > > to the debian-x mailing list to get a feel for the environment.
> > 
> > Maybe you could split the debian-x list some, it would make reading it
> > easier. The signal to noise ratio has rather much degraded there these
> > last month, especially with all the control.bugs.debian processed mails
> > going to it.
> 
> IMO, people who can't keep up with debian-x in its current state
> probably don't have the time to be the kind of committer who can
> measurably help me get 4.3.0 into sarge.

Well, that is something, but notice that due to the big number of mostly
uninformative 'processed' and other BTS mail, i missed the original pm2
bug you then forwarded to me, which would not have happened if debian-x
was not so high volume. Face it, if you don't read it each day, you can
quickly get 100+ new mails, which makes it a bit difficult to follow.

I understand your need to have this info available in the mailing list,
but interested people could as well subscribe to the PTS, no need to
duplicate things. Replies could still be set to the list or something.

At least splitting the automatically generated stuff to a second write
only list would be nice, setting the reply-to or whatever of it to
debian-x, this would be for SVN logs and bug report traffic.
Or maybe lower the quantity of messages the bug report sends, no need to
really include the processed messages, they don't really add that much
information.

Notice i just send to david a 4.2.1 upstream glint_drv.o with debugging
log enabled, let's see what this will bring us as information.

> I will be availing myself more of "help" tags, though, so people could
> always scan the xfree86 bug list for bugs tagged "help", and volunteer
> to help in specific cases.  Effort could be coordinated simply via
> [EMAIL PROTECTED]

Yep.

Friendly,

Sven Luther

Re: DebToo: Debian, Gentoo-style

[Andreas Barth]

* Goswin von Brederlow ([EMAIL PROTECTED]) [030828 13:05]:
> Actually Debian does not support i386 anymore for compatibility
> reasons with other linux distriibutions. You canget the basics running
> but anything that uses c++ will fail. And whats Debian without apt?

The debian kernels support i486 emulation. (Don't know if switched on
by default, but it's at least in the source.)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Re: DebToo: Debian, Gentoo-style

[Brian May]

On Thu, Aug 28, 2003 at 04:29:09AM +0200, Diego Calleja Garc?a wrote:
> Take into account the time you waste compiling. What do you want to
> pay, bandwith or CPU usage? The answer isn't the same for everybody...
> (if we want to touch perfection)

Consider the amount of resources mirrors could save by only mirroring
the source code, and not binaries for 10+ platforms...

Of course there are downsides either way, but there is no dispute
that the size of the Debian archive is huge, and mirrors are struggling
to keep up as a result.
-- 
Brian May <[EMAIL PROTECTED]>

NEED HELP: Making woody LSB compliant

[Martin Schulze]

Moin!

I've received several requests to update woody in order to make it
compliant with the LSB (which version btw.?), including one from the
DPL.  Hence, it may be worth discussing the possibility.

Below are several tasks where YOUR HELP is required.

According to Anthony we need


Updated alien
Updated glibc
Updated kernel-(headers|source|image) 2.4.19
Updated pax

The glibc changes are in unstable and upstream CVS, and have
already been tested in released versions of Red Hat, SuSE and
probably other distributions.

The kernel changes have been tested everywhere that runs 2.4.19.

The pax changes are straightforward and have been tested in both
testing and unstable for a couple of months.

The alien changes have been in testing and unstable for a similar
amount of time.

Changes in the kernel most probably means that the security updates
would have to be altered again.  Same thing for glibc.

Unfortunately I can't find the source for the above packages.

I also remember some talk about start-stop-daemon having to be
altered.  What about this one?

There's also an upload to woody-proposed-updates of the lsb package
which says "Support LSB 1.2 in woody.  Includes all changes through
1.2-6 in sid."


HELP REQUIRED
-

Task: Find source for the above packages

Task: Review and discuss the changes against original packages

Task: Review the LSBvN and discuss whether only these four packages
  need to be updated or whether more require an update

Task: Find out whether the lsb package is required

Task: Review the changes in the lsb package

Task: Find out which LSB spec we would like to meet, v1.9 is out for
  reviewing


The discussion of the above items should take place on the newly
created debian-lsb list.  I'm only starting the discussion on
debian-devel and debian-release in order to attract more people and
since only one mail has been sent to the -lsb list yet, so it may not
be widely known.

Regards,

Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.


pgppaCfijHbFm.pgp
Description: PGP signature

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Karsten M. Self]

First note:  ISP mailbox overflow due to Sobig.F knocked me off a few
Debian lists, I've just resubscribed.  I've got a partial copy of this
thread thanks to a friend who forwarded it to me.  I've also been
following the discussion in the d-d archives and BTS.

Thanks to all who've commented on this topic.  Interesting reading.

Adam:  my email is [EMAIL PROTECTED]  I've set the $EMAIL
environment variable 'bug' uses.



General response to those who've suggested that general distaste for
software is sufficient cause for a grave bug filing.  Specious.  The
current response is on mark:  behaviour which doesn't maliciously affect
other users or third parties should be exempted.  _Bugs_ which can be
exploited to do same would be grounds.

See:  
http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg03635.html


General response to those noting that there is software which _can_ be
configured in such a way that users shoot themselves or others in the
foot.  A configuration concern, but not necessarily a bug.  If this
isn't a design intent, or isn't a default configuration, then a grave
bug is unwarranted.  Warning documentation, or an "important" debconf
screen requiring input along the lines of "Yes, I understand that this
setting may cause grave harm and accept full responsibility" might be
(and probably is) appropriate.

See:
http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg03637.html


General response to those who claim that user interest is sufficient to
include a package in Debian.  Above and beyond comments by Joey Hess,
there is this to consider:  including a package in Debian both offers
the support and infrastructure Debian, SPI, and various sponsoring
organizations provide, _and_ puts these entities at risk for malfeasance
which may be conducted, intentionally or otherwise, as a result of this
package.  Which is a damned good reason for Debian not to package
viruses and spam mailers.  Or tools which can be readily subverted as
such.

See:
http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg03680.html



on Wed, Aug 27, 2003 at 01:34:53PM -0700, Adam McKenna ([EMAIL PROTECTED]) 
wrote:
> On Wed, Aug 27, 2003 at 07:49:27PM +0100, Colin Watson wrote:
> > On Wed, Aug 27, 2003 at 12:30:07PM -0400, Joey Hess wrote:
> > > Adam McKenna wrote:
> > > > The arguments are facile and specious, I do not intend to waste my
> > > > precious time responding to them.
> > 
> > That's a shame. I don't believe Karsten to be in the habit of putting
> > forward specious arguments.
> 
> Well, let's see, I'll try to be brief:

An admission:  the "Considered Harmful" essay is a general argument
against C-R systems, not specifically TMDA.  TMDA does share some,
though not all faults.  Not all of these should be considered grave.
Some are.

> #0, #1, #2 and #11 are basically opinion and rhetoric.  Karsten has
> stated that he has a 'religious' objection to CR, and I'm not willing
> to have a debate about it.  I've already noted some of the places that
> Karsten can go if he wants a debate.

#0 (Weak verification) is a statement of established fact:  SMTP headers
are readily forged, as is adequately discussed in this thread.

#1 (Mistaken interpretation) is a statement of opinion, but weighs
strongly on other factors, in particular #2 and #4.

#2, I'll get back to.

#11 (techno-economic underpinnings) is largely irrelevant to the current
discussion, though it weighs on the merits of pain and harm created
through C-R systems, relative to the benefits, and existence of
currently feasible alternatives.



> #3 blames CR for actions taken by an ISP (IOW, user configuration error).

(Privacy violation)

Subpoenability or other data leakage of personal communications data
which is enabled by virtue of a systems design (C-R's requirement that a
whitelist be maintained online or nearline at the SMTP server for proper
operation) is a risk in both the United States and other countries under
current legal doctrine.  While not a grave bug, it warrants a warning
in documentation.  Better would be a requirement to notify users in an
ISP situation of this risk, though I'm not sure this can be mandated
under DFSG software licenses.

For a related issue of security and logs, see:
http://cryptome.org/no-logs.htm

In a broader sense, for "configuration errors" which are made by a large
class of users, blame cannot be laid entirely on them.  There was a
tradition in the early industrial age to blame "accidents" -- as acts of
God -- either on, well, God (He didn't seem to mind) or workers.  This
until principles of scientific management (Taylorism) and statistical
process control were developed, and it could be shown that accident
rates in different situations varied wildly.  Bog-obvious now, but a big
leap at the time.

Today, a major issue in computer security and administration are the
plague of ills launched forth from Microsoft platforms.  We've seen the
Internet brought to its knees three times this ye

Re: DebToo: Debian, Gentoo-style

[Tom Badran]

On Thursday 28 Aug 2003 03:29, Diego Calleja García wrote:
> Optimised binaries wont run slower than non-optimised binaries.

This simply isnt true. I have some code that takes a serious performance hit 
when any sort of loop unrolling is used (pentium III systems) as the 
instruction cache is too small for this case (more noticeable with icc rahter 
than gcc).

Tom

-- 
 ^__^   Tom Badran
 (oo)\__Imperial College
(__)\   )\/\
||w |   
|| ||   Using Debian SID


pgpMOGAeGLdIt.pgp
Description: signature

Bug#207624: ITP: tetrinet -- client and server for tetrinet, a networked tetris version

[Gerfried Fuchs]

Package: wnpp
Severity: wishlist


* Package name: tetrinet
  Version : 0.10
  Upstream Author : Andrew Church <[EMAIL PROTECTED]>
* URL : http://achurch.org/tetrinet/
* License : Public Domain
  Description : client and server for tetrinet, a networked tetris version

Included in this package you will find tetrinet which is a ncurses
client and tetrinet-server which is the server program. Together you can
use them to play tetrinet with friends over the internet.

The client requires 48 lines at least, but you get only one chat line
during the game, then.

The server doesn't seem to accept any special options or have a
configuration file, just one room with specials enabled.

 Don't take this description too serious, it won't be the final one for
the package, just a quick shot about what's going on (but still better
than those single line long descriptions :-/ ).

 About the name of the package: Discussable, but I don't really know
what to use else. The package is simply called tetrinet upstream.

 Please Cc me on replies (or keep the bug address in the list) so I
don't miss any valueable informations, I scan debian-devel only through
the archive.

 So long,
Alfie
-- 
"Die Leude wolln dass was passiert,
 die Leude wolln dass Bass masiert,
 die Leude wolln das krass serviert:
 Die Leude wolln uns!"-- 5 Sterne Deluxe, "Die Leude"

Re: Your details

[webmaster]

ÄúºÃ£¬ÄúµÄÐÅÏ¢ÎÒÃÇÒÑÊÕµ½£¬ÇëÉÔºò¡£
»òÕßÄú¿É·ÃÎÊÎÒÃǵÄÍøÕ¾ http://www.chinappmarket.com 
Á˽â¸üÏêϸµÄÐÅÏ¢¡£

http://www.chinappmarket.com

Re: MEI Whitelist Autoresponse

[Santiago Vila]

On Wed, 27 Aug 2003, Aaron Lehmann wrote:

> On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote:
> > Your message to [EMAIL PROTECTED] has been quarantined!
> >
> > You only need to do this once, but this time, you must verify
> > that you are a human.
>
> I almost wonder if someone sent this intentionally in light of the
> TDMA bug thread.
>
> Either way, it presents a convincing argument.

For me, it's a convincing argument that this list (debian-devel) should
only be open to subscribers and registered people (via the "whitelist")
The listmaster reports that they have no less than 42 different checks
for anti-virus notices and dozens more for other random crap, and as
everybody will clearly see, it's still not enough to have the list clean
and probably it will never be.

Not that I'm in favor or against C-R systems, but I think our mailing
lists should not multiply the stupidity of people by several thousands.

Re: MEI Whitelist Autoresponse

[Colin Watson]

On Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna wrote:
> On Thu, Aug 28, 2003 at 08:20:52AM +0200, Marc Haber wrote:
> > On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna <[EMAIL PROTECTED]>
> > wrote:
> > >Yes, it does present a very good example of poorly written C-R software.
> > >Paul should switch to TMDA.
> > 
> > In which way would have TMDA avoided sending a challenge to the
> > header-from: of a sobig.f instance?
> 
> TMDA doesn't send challenges to From: addresses, it sends them to the
> envelope sender (Return-Path) address.

FWIW, the From: and envelope sender of every sample of Sobig.F I have
are identical.

-- 
Colin Watson  [EMAIL PROTECTED]

Verify yMCsfzvc for REMOVETHISWORD debian-devel@lists.debian.org

[Piers Lauder]

Hi!

Your message has been received, but it hasn't been delivered to me
yet.  As I don't have any record of you sending me mail from this
address before, I need to verify that you're not a spammer. Please
reply and alter the Subject line to remove the word REMOVETHISWORD,
and your previous message will be delivered, as will all your future
messages.

Thanks, and apologies for the inconvenience.

Piers Lauder.

 Original Message 

Received: by staff.cs.usyd.edu.au with postie; Thu, 28 Aug 2003 19:32:22 +1000
Received: from 210.22.153.106 by staff.cs.usyd.edu.au.; Thu, 28 Aug 2003 
19:32:17 +1000
X-Claimed-Received: from RND22
From: 
To: <[EMAIL PROTECTED]>
Subject: Thank you!
Date: Thu, 28 Aug 2003 17:30:43 +0800
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_2338D7A5"

This is a multipart message in MIME format

--_NextPart_000_2338D7A5
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_2338D7A5--



(staff_Postmaster: this mail was forwarded by "[EMAIL PROTECTED]".)

Verify yMCsfzvc for REMOVETHISWORD debian-devel@lists.debian.org

[Piers Lauder]

Hi!

Your message has been received, but it hasn't been delivered to me
yet.  As I don't have any record of you sending me mail from this
address before, I need to verify that you're not a spammer. Please
reply and alter the Subject line to remove the word REMOVETHISWORD,
and your previous message will be delivered, as will all your future
messages.

Thanks, and apologies for the inconvenience.

Piers Lauder.

 Original Message 

Received: by staff.cs.usyd.edu.au with postie; Thu, 28 Aug 2003 19:32:22 +1000
Received: from 210.22.153.106 by staff.cs.usyd.edu.au.; Thu, 28 Aug 2003 
19:32:17 +1000
X-Claimed-Received: from RND22
From: 
To: <[EMAIL PROTECTED]>
Subject: Thank you!
Date: Thu, 28 Aug 2003 17:30:43 +0800
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_2338D7A5"

This is a multipart message in MIME format

--_NextPart_000_2338D7A5
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_2338D7A5--



(staff_Postmaster: this mail was forwarded by "[EMAIL PROTECTED]".)

Verify yMCsfzvc for REMOVETHISWORD debian-devel@lists.debian.org

[Piers Lauder]

Hi!

Your message has been received, but it hasn't been delivered to me
yet.  As I don't have any record of you sending me mail from this
address before, I need to verify that you're not a spammer. Please
reply and alter the Subject line to remove the word REMOVETHISWORD,
and your previous message will be delivered, as will all your future
messages.

Thanks, and apologies for the inconvenience.

Piers Lauder.

 Original Message 

Received: by staff.cs.usyd.edu.au with postie; Thu, 28 Aug 2003 19:32:22 +1000
Received: from 210.22.153.106 by staff.cs.usyd.edu.au.; Thu, 28 Aug 2003 
19:32:17 +1000
X-Claimed-Received: from RND22
From: 
To: <[EMAIL PROTECTED]>
Subject: Thank you!
Date: Thu, 28 Aug 2003 17:30:43 +0800
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_2338D7A5"

This is a multipart message in MIME format

--_NextPart_000_2338D7A5
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_2338D7A5--



(staff_Postmaster: this mail was forwarded by "[EMAIL PROTECTED]".)

Re: MEI Whitelist Autoresponse

[Josselin Mouette]

Le jeu 28/08/2003 à 10:03, Adam McKenna a écrit :
> > In which way would have TMDA avoided sending a challenge to the
> > header-from: of a sobig.f instance?
> 
> TMDA doesn't send challenges to From: addresses, it sends them to the
> envelope sender (Return-Path) address.

Nice, but sobig.f also forges the return-path.

> Also, I don't have any hard data to support this, but it's obvious to me
> that the volume of mail generated by virus scanners in response to Sobig.f
> eclipses the volume of TMDA challenges by at least a factor of 10.  So far, 
> I haven't received *one* TMDA challenge that was due to Sobig, but I've 
> received *hundreds* of messages from virus scanners all over the net.
> 
> So, I guess we should add virus scanners to the list of verboten software

询价

[Alison]

请报上海到纽约的运费及相关费用，并告知贵司的联系方式。

货物如下：

FROM SHANGHAI TO:   NEW YORK
Description of GoodsQuantityG/WeightN/Weight
Measurement
T-Shirt10 cartons   21 kgs  53 x 33 x 55
Wrist Roller Set   20 cartons   28.5 kgs43.5 x 
34.5 x 54
Wrist Wraps10 cartons   33 kgs  74 x 44 x 
29.5
Hand Gripper5 cartons   41 kgs  77 x 43.5 x 
45

GROSS WEIGHT:  1315 KGS 
MEASUREMENT:4.29 M3 

Bug#202419: any idea of hwen this will be uploaded?

[Jordi Mallach]

Package: wnpp
Version: unavailable; reported 2003-08-28
Followup-For: Bug #202419

Hi Leo,

My brother just got a webcam. Do you have packages ready? If so, can you upload 
them or provide an URL?

Thanks,
Jordi

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux foc 2.4.21 #1 dj ago 28 10:43:33 CEST 2003 i686
Locale: LANG=ca_ES, LC_CTYPE=ca_ES

Re: MEI Whitelist Autoresponse

[Adam McKenna]

On Thu, Aug 28, 2003 at 08:20:52AM +0200, Marc Haber wrote:
> On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna <[EMAIL PROTECTED]>
> wrote:
> >Yes, it does present a very good example of poorly written C-R software.
> >Paul should switch to TMDA.
> 
> In which way would have TMDA avoided sending a challenge to the
> header-from: of a sobig.f instance?

TMDA doesn't send challenges to From: addresses, it sends them to the
envelope sender (Return-Path) address.

But to answer your question, it is trivial to create a filter that drops such
messages instead of sending challenges.  I have updated my personal filters 
to make sure this doesn't happen again, and other users of TMDA should do 
the same.

Also, I don't have any hard data to support this, but it's obvious to me
that the volume of mail generated by virus scanners in response to Sobig.f
eclipses the volume of TMDA challenges by at least a factor of 10.  So far, 
I haven't received *one* TMDA challenge that was due to Sobig, but I've 
received *hundreds* of messages from virus scanners all over the net.

So, I guess we should add virus scanners to the list of verboten software.

--Adam

-- 
Adam McKenna  <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]>

Re: Sarge+1: ideas for Experimental V1.2 (or is that 0.2?)

[Andreas Barth]

* Goswin von Brederlow ([EMAIL PROTECTED]) [030828 03:50]:
> Andreas Barth <[EMAIL PROTECTED]> writes:
> > We've often had whining here about sid breaking something production
> > critical. Well, sid is not meant to be used for that, but enough
> > people do. (In other words: I don't trust the users enough that they
> > will make the right choices.) So, in theory you're right. In practice
> > users will manage to break.

> The problem is that woody is to old for many users. Thats why they use
> sid. Experimental and sid would be just days/weeks apart
> versionwise. There would be no big need for users to choose
> experimental.

Really? The latest glibc in sarge is from 2003-03-22, and there are
currently 1103 packages waiting for glibc.


> > Only way out. But - who wants on-the-fly autobuilding can do that also
> > now. Perhaps a bit of infrastructure can be added for this (e.g. new
> > build-depends-headers like:
> > build-depends-woody: ... which supersede the original b-d header if
> > builded under woody). But in general you can build packages quite easy
> > today with apt-get source package, apt-get build-dep package, cd
> > directory, dpkg-buildpackage -rfakeroot. Perhaps you should package an
> > easy script for that, but that's all that can be done for that.

> Build-depends are fine for it. It just need some nicer way to set this
> up for the user. It needs to run with a single command preferably. At
> the moment you have to do an update, look ast an upgrade (but don#t do
> it), get sources of all packages and compile, dpkg -i the debs.

#! /bin/sh
cd /clean/place/to/build
apt-get update
apt-get source $1
apt-get build-dep $1
cd $1*
dpkg-buildpackage -uc -b
dpkg -i ../*.deb

(Well, if you want binary packages to be selectable, you need a few
more code-lines, same for compiling only when necessary, and for
better inclusion into normal apt-get-process.)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Re: NMUs applying sleeping wishlist bugs about translation

[Christian Perrier]

Quoting Manoj Srivastava ([EMAIL PROTECTED]):

>   No one is holding a gun to your head. You are a volunteer, and
>  can't be forced to NMU. 

You are a volunteer and can't be forced to fix bugs... :-)

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

[Rico -mc- Gloeckner]

On Wed, Aug 27, 2003 at 05:40:46PM -0700, Don Armstrong wrote:
> If possible, perhaps you could consider whitelisting common debian.org
> address by default? [Things like [EMAIL PROTECTED], [EMAIL PROTECTED],
> [EMAIL PROTECTED], etc.]

And would probably defeat the purpose since spammers would know which
adresses they have to spoof into the From: Header.

Furthermore, if spammers got that, it might happen that they use
debian.org adresses as sensible default for From: Adresses which will
raise the amount of Bounces to debian.org. That sounds like a great way
for the Project to shoot itself into the feet.

-- 
| Rico -mc- Gloeckner  |  mv ~/.signature `finger [EMAIL PROTECTED] |
|  Encrypted Mails preferred:   1024D/61F05B8C |
|  3D67 D42F 2D50 4B68 1D62   E999 EFCB CDFF 61F0 5B8C |

Re: MEI Whitelist Autoresponse

[Marc Haber]

On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna <[EMAIL PROTECTED]>
wrote:
>Yes, it does present a very good example of poorly written C-R software.
>Paul should switch to TMDA.

In which way would have TMDA avoided sending a challenge to the
header-from: of a sobig.f instance?

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber  |   " Questions are the | Mailadresse im Header
Karlsruhe, Germany  | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

Resume

[Ravi Lohia]

  
Ravinder Lohia
305, Vastu Shilp, Opp. Parsi Colony, 
Pump House, Andheri(E), Mumbai- 400093

Ph- 
022-28215733
RESUME
 
Work 
Experience 
:   
10 years
 
March, 2003- Present   
:   
Nutek India Pvt. Ltd., Mumbai, 
India.
    
Project Manager
Reporting to- V.P.  
/ Manager (Commercial)    

Company Deals in Telecom Projects Worldwide having employee strength 
of 800+. Gives Total Solutions like Planning & Design, Implementation, Site 
Leasing & Acquisition, Site Construction, Equipment Installation, Testing 
& Integration, Network Optimization, Operation & 
Maintenance
My Job:

  Successfully Run & Complete the 
  Project. 
  Understand the Scope of Work of new project, 
  Calculation as per the available & to be purchased Manpower & Tools. 
  Negotiation with Customer & Manager- Commercial to finalize Quotation 
  & get the Purchase Order. 
  Make Budget & get the approval from Manager- 
  Finance for New Tool Purchase, New Manpower appointment. 
  Making Project in MS Project – Definition, Working 
  time, Working days, and Target date, assigning Manpower & Tools to the 
  project. 
  Task- List, Organize, Schedule, assigning Manpower 
  & Tools to the task. 
  Track & Check the progress of the project. Make 
  changes in the project as per the issues associated with the 
  project. 
  Quality Audit. 
  Making final Report of the project- Completed, 
  Incomplete, Critical Tasks. Profit & Loss Account. 
  Attendance, Payroll of Manpower. 
  Track of Manpower & Tools Available, Issued, 
  Required. 
  Track of Cash Requisitions, Project Expenses, 
  Bills, Timesheets and Job Completion Reports Submitted by 
  Manpower. 
  Preparation of Bills with the help of Manager- 
  Finance. 
  Keeping track of Quotations, Purchase Requisitions 
  / Purchase Orders, Bills, and Outstanding Payments. 
  Report to M.D.- Monthly Revenue 
  Sheet. 
  Account settlement of Manpower with the help of 
  Accounts dept. 
  Finding new project 
  opportunities. 
  Keeping updated record of Manpower’s Work 
  Experience.
 
 
 
September, 1999 – Feb, 2003       
:   
Inpas Network, Mumbai, 
India.
    
Manager- Marketing & Sales
Reporting 
to- M.D.
Company Deals in Complete Computer Solutions, System Integration, 
Hardware, Software, Networking, etc.
My Job:

  Dealing with All Distributors, Dealers, Resellers, 
  Showrooms, System Integrators, IT Solution Providers, Corporate, and End users 
  in Mumbai. 
  Keeping Track of all new Computer Products, Price, 
  Availability, Future, Quality, Demand, etc. 
  Planning of Advertising, Sales Promotion, Advance 
  Ideas. 
  Designed Web Sites www.neerjamarwaha.com, www.netlogies.com, www.inpas.com, www.inpas.net, www.inpas.org, www.drbagla.com, www.heavylifters.org, www.rtcipl.com 
 
July 7, 
1993 – August, 1999  
:   
Ashita Telesystems P.Ltd., Mumbai, 
India
    
Manager-Marketing & Sales
Reporting 
to – M.D.
Company 
deals in 
Sale of Computers, Office Automation Products, Fax 
M/C, Pagers, Caller ID, Casio Products (Distributor) & New Consumer 
Electronics Product (FMCG).
My Job: 

· 
Whenever a new Computer, 
Electronics or Telecom Product comes in the market (Search from the Internet) 
discuss all the aspects of the Product (Features, Specifications, Market, Cost 
Effectiveness, Operation, etc.) Marketing Strategies, Advertising planning with 
M.D.
· 
Design Brochure (with the 
help of PhotoShop, PageMaker),Prepare Price List, Give training to Sales Team, 
Keep Record of Sales & Generate Market for the Product (Mass Mailing- Fax, 
Post, Electronic, Advertising, Cold Calls)
· 
If Marketing & Sales 
Team finds any Technical Problem in the field, help them out with 
best.
· 
Handled End-User, Dealers, 
Retailers, Corporate Clients, Customer Support (Satisfaction) & Exhibitions 
(Demo & Sale).
· 
Designed the Structure of 
Customer Database, Sales Figure, Daily Reports (Pending Payments & Stock) 

· 
Control over Accounts, 
Cash, Inventory Control (Stock Position & Requirement), Sales 
Co-Coordinator,
· 
Managed Personnel 
administration, including interviews, orientation, and ongoing personnel needs. 
Office Administration.
· 
Gathered and analyzed 
database of dealers, retailers, and corporate clients in order to develop future 
marketing plans.
· 
Co-coordinated and 
implemented marketing efforts involving executive staff, field operations, and 
advertising strategy.
· 
Designed the Company’s 
Web-Site:
http://www.casioindia.com 

and done efforts to make the site 
popular by e mailing, adding URL to various search 
engines.
· 
Once Company had some 
Sales Tax Problem, so learn

Re: MEI Whitelist Autoresponse

[Aaron Lehmann]

On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote:
> Your message to [EMAIL PROTECTED] has been quarantined!
> 
> You only need to do this once, but this time, you must verify
> that you are a human.

I almost wonder if someone sent this intentionally in light of the
TDMA bug thread.

Either way, it presents a convincing argument.

Re: MEI Whitelist Autoresponse

[Adam McKenna]

On Wed, Aug 27, 2003 at 09:26:34PM -0700, Aaron Lehmann wrote:
> On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote:
> > Your message to [EMAIL PROTECTED] has been quarantined!
> > 
> > You only need to do this once, but this time, you must verify
> > that you are a human.
> 
> I almost wonder if someone sent this intentionally in light of the
> TDMA bug thread.
> 
> Either way, it presents a convincing argument.

Yes, it does present a very good example of poorly written C-R software.
Paul should switch to TMDA.

--Adam

-- 
Adam McKenna  <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]>

Re: looking for nco maintainer Brain Mays

[Brian May]

I assume that the subject line was a typo and that you were
actually looking for "Brian Mays" and not "Brain Mays"? ;-)

(note: I do not fit either criteria...)
-- 
Brian May <[EMAIL PROTECTED]>

Re: New release of ifupdown planned

[Joshua Kwan]

On Thu, Aug 28, 2003 at 02:14:13PM +1000, Anthony Towns wrote:
> The term is "an ifupdown NMU".

For crying out loud, it's been NMUed four times in a row already..

> You certainly should not be considering hijacking it.

Why not? Do you have a new maintainer release which acknowledges NMUs,
incorporates some fixes you have accumulated for the vast number of bugs
that this package has? Is this a call for comaintenance (which I would
definitely recommend for a package of this importance?)

If not, maybe you should pass it on.

-- 
Joshua Kwan


pgpdSNhdBBwGY.pgp
Description: PGP signature

Re: NMUs applying sleeping wishlist bugs about translation

[Joel Baker]

On Wed, Aug 27, 2003 at 07:37:12PM -0400, Stephen Frost wrote:
> * Joel Baker ([EMAIL PROTECTED]) wrote:
> > This argument would carry more weight with me if it were possible to either
> > A) test the upload *completely* before making it (IE, catch all possible
> > FTBFS bugs or other quirks that happen when dealing with the build daemons,
> > many of which even a sane chroot build can't catch), or B) to back out an
> > upload and say "Well, damn. It has an FTBFS bug that I can't fix; I should
> > file a bug on *that*, and back out to the last known good copy".
> 
> Or file the FTBFS bug and if the maintainer isn't going to do anything
> and no one is willing to actually maintain it then have it orphaned to
> QA and/or removed.

And that's the point. Some folks are asserting that the NMUer is
responsible not only for filing the bug (as anyone who notices it should
generally be expected to do), but for *fixing* it. Right then, since now
there is a broken situation in unstable (in that usually at least one arch
now has *no* binaries for it). Whether or not the NMU actually caused it,
or merely exposed it.
-- 
Joel Baker <[EMAIL PROTECTED]>,''`.
Debian GNU NetBSD/i386 porter: :' :
 `. `'
   `-


pgpR6IE8XbibO.pgp
Description: PGP signature