Re: Package Selection for Debian Live

2006-05-30 Thread Pedro Macanas


----- Original Message -----
From: "Daniel Baumann" <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2006 9:51 PM
Subject: Package Selection for Debian Live

> [ crosspost to live, -devel and -edu; replies please to -devel ]
>
> Hi all,
>
> at the moment, we have two types of Live CD images:
>
>  * the small one which contains only packages of standard priority,
>  * and three larger ones, each of which contains one of the common
>    desktop-environments on it (gnome, kde, xfce).

There is no XFCE version (see http://live.debian.net/wiki/Download).
Previously there was an XFCE version.

> Now, we would like to create a decent package selection which reflects, as
> well as possible, the users' desires. There should be one package
> selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM.

I would create a 50 Mb version (lightweight version), to be installed in USB
keydrives (in a similar way to Damn Small Linux). The user could select
between different window managers.

> With the current squashfs compression, the actual filesystem size is about 3
> times bigger than the packed one. This means that there can be quite a
> few packages on it :) I'm open for your suggestions...

The suggested window manager selector in an X environment.

Regards. 



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



apt-update-stat.pl analyse changes in Debian software repository

2006-05-30 Thread Liu Yubao

The little Perl script can calculate how heavily a package depends on other
packages and is depended on by other packages; these are depicted by
depends_score and rdepends_score.

Another purpose (also my original purpose) is to analyse the changes
in unstable version, so I can know whether it's safe to update my desktop
pc. I can also know which packages are changed actively.

I found there are many circular dependencies between packages. I regard
direct circular dependent packages as one "package", but I don't know
how to properly calculate depends_score and rdepends_score for indirect
circular dependent packages; I set these scores all to -1.

Another question is there are some missing packages like perl-api, where
are they?

Each sub command of apt-update-stat.pl will take about 40 seconds on
my PC (P4 2.80GHz/512M), and don't try "Data::Dumper" for *all* Packages
files, it's very very very slow.


apt-update-stat.pl
Description: Binary data


Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Theodore Tso
On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
> > What Martin Krafft showed you was,
> 
> How do I know that person actually was  Martin Krafft?

So if you have no idea whether or not someone was Martin Krafft, how
can you ask everyone to revoke all signatures for Martin Krafft as you
did earlier.  That is really unreasonable.

Does that mean that if someone shows up at a future keysigning party
at OLS, for example, with a Transnational Republic ID which has the
name "Manoj Srivastava", that everyone would therefore be entitled
to demand on debian-devel that all signatures for "Manoj Srivastava"
should now be revoked?  After all, we have no idea if anyone who might
or might not have been "Manoj Srivastava" might or might not have
produced an identification document that may or may not have been
false.   We don't know!

Do you see how ridiculous this is?  How irrational you are being?

Let me try to spell it out another way.  Either the entity at the
KSP who was allegedly Martin Krafft was indeed Martin Krafft, or he
was not.  It must be one or the other; you seem to be arguing things
both ways, and you don't get to do that.

If he was Martin Krafft, then he didn't carry out any attack!  No
identity was forged, and no harm was done.  Maybe he presented
identification that you wouldn't accept, but that is not intrinsically
wrong!  If the entity was indeed Martin Krafft, then that entity broke
no criminal, civil, nor moral laws.

If he was not Martin Krafft, then the real Martin Krafft was not
culpable, and your arguments that the real Martin Krafft should
therefore be censured in any way shape or form are not just.  And as
I've shown, if someone showing up with forged identity papers is
enough to demand that all signatures on a key be revoked, it would be
trivially easy for me or anyone else to arrange to have someone show
up at OLS with forged identity papers with your name, and carry out a
fairly devastating denial of service attack.

> I say people who try to trick me into signing a key based on
>  an untrusted process of identity verification are evil doers.

And I say, as have others, that "untrusted process of identity
verification" is by definition not an absolute term.  So how can you
say that someone is an evil doer just because they present a form of
identity which happens to be untrusted by *you*.  What if someone
presents a University ID?  That isn't a government ID; does that
mean they are evil?  Quick, consign them to the Ninth Circle of Hell,
reserved for traitors and people who commit treason!  I say this is
insanity.  And obviously argument by assertion is a valid form of
argument, since you seem to use it liberally.  :-)

> A boss with no humor is like a job that's no fun.

I guess you don't see how ironic your signature line is.

- Ted





Bug#369654: ITP: ttf-nafees -- nafees free OpenType Urdu fonts

2006-05-30 Thread Mohammed Adnène Trojette
Package: wnpp
Severity: wishlist
Owner: "Mohammed Adnène Trojette" <[EMAIL PROTECTED]>

* Package name: ttf-nafees
  Version : 1.2
  Upstream Author : Center for Research in Urdu Language Processing (CRULP, http://www.crulp.org/)
* URL : http://www.crulp.org/nafeesWebNaskh.html
* License : GPL
  Programming Lang: TrueType Font
  Description : nafees free OpenType Urdu fonts

 This is a free OpenType Urdu font (Nafees Web Naskh), designed and
 developed by the Center for Research in Urdu Language Processing
 (CRULP, http://www.crulp.org/) at National University of Computer and
 Emerging Sciences (http://www.nu.edu.pk/).

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.1
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)



Re: Renaming a package

2006-05-30 Thread Mike Hommey
On Tue, May 30, 2006 at 04:12:31PM -0700, Steve Langasek <[EMAIL PROTECTED]> wrote:
> > Hm, that used to be a "magic" combination that would let dpkg do the 
> > right thing.
> 
> I've heard this stated before, but if it was ever true, it's definitely not
> the case with apt (or with britney), and it's not mentioned in policy.  I
> suppose it's possible that dselect had some magic handling here that I've
> never seen, but at least for the majority of users, a package in this
> configuration isn't useful for transitioning, it's just broken, because it
> depends on a package that conflicts with it.

IIRC, the magic works (except it also needs provides:)... in the case
where there is *NO* dummy package.

Mike





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Matthias Urlichs
Hi,

thanks for the numerous offers and replies.

I forgot to mention that most (if not all) of these are managed with
git. I don't use dpatch or similar tools - managing patches is the SCM's
job.

The archives mostly are on netz.smurf.noris.de; if "your" package is
not, and you're interested in working with git (or importing into your
own SCM), drop me a line and I'll push it.

The package build script I use is called "b.debuild", it's in the
sourcemgr.git archive.


Still open:
> * kforth
>   (new Upstream)


Taken:
> 
> * festival, speech-tools
Franz Pletz

> * gnutls, gcrypt, libtasn1, libksba
>   (security-critical, some work required, having a team for these
>   packages would be ideal)
Andreas Metzler, Eric Dorland, James Westby

> * NTP server
Christoph Haas, Simon Richter

> * libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
>   libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
>   libnet-xwhois-perl, libvideo-capture-v4l-perl
Zak B. Elep

> * python-docutils
martin f krafft

> * python-imaging
Matthias Klose

> * gnulib
Daniel Baumann

> * gnupg2[1]
Eric Dorland, Franz Pletz

> * hashalot
Adam Borowski

> * tcng
Adam Borowski

> * ufraw
Hubert Chan

> * videogen
Bas Zoetekouw

[1] I agreed with James Troup that the package will revert to him when
gnupg2 is actually ready to supersede gnupg -- whenever *that* is.
(I assume that this will be open to negotiation when the time comes.)

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
"I wake up every morning and I wish I were dead, and so does Jim."
 [Tammy Fae Bakker]




Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Henning Makholm
Scripsit Manoj Srivastava <[EMAIL PROTECTED]>

> Nothing that a general software developer can do to check an
>  ID is proof against a determined individual, we all assume that there
>  is a gentleman's agreement in place that such an attack is not
>  mounted.

If you _really_ believed that you could depend on people keeping any
gentleman's agreement, the whole charade of holding a KSP would be
completely pointless.

The only reason to hold a KSP is that one _does not_ believe that
people are capable of keeping gentlemen's agreements.

And you calling me and others naive for pointing out this obvious fact
is not going to change it.

>  good faith would have been to present the official ID and extend
>  the web of trust.

A security mechanism that only works in the non-presence of fraudsters
is no security mechanism at all.

-- 
Henning Makholm "I can get fat! I can sing!"





Re: adding ddccontrol to debian

2006-05-30 Thread Luc Verhaegen
On Wed, May 31, 2006 at 12:46:08AM +0200, Fabrice Lorrain wrote:
> Hi,
> 
> In the last 5 months, I encountered twice LCD flat screens without 
> hardware control or with half functional hardware control.
> 
> The proper way to configure those screens was with software through the 
> ddc protocol. The only software I'm aware of working under linux is 
> ddccontrol [1] which is not in sid yet.
> 
> Bored DD's might take some pleasure to warm the current frozen ITP [2].
> Users eyes might bless your name for that in the etch time.
> 
> @+,
>   Fab
> 
> [1] http://ddccontrol.sourceforge.net/
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322774
> 
Imho there should be an X implementation of this:
* driver side should be possible entirely from within the ddc module: 
the ddc module could probe and initialise the ddci slave address for the 
driver when handed the I2C bus for ddc and could handle everything else 
from there.
* most work will be in the actual utility and the backend used for that.
But then, mode related control is very much uncharted territory for X.

Luc Verhaegen.





Re: Red team attacks vs. cracking

2006-05-30 Thread Henning Makholm
Scripsit Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>

> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]

A KSP that depends on there being any pre-existing trust to abuse is
*completely worthless* as a KSP whether or not that trust is abused
or not.

Shooting the messenger will not change that, however loudly you try to
make it look as if it was his fault that the thing is so broken that
"betrayal of trust" is even a meaningful term to apply to any behavior
a KSP participant could exhibit.

-- 
Henning Makholm  "I have made it clear that by following that
   path one only lives to about 48 years of age on average,
   and that one throws one's social situation quite overboard and, as
   far as I can tell, dies in the deepest unhappiness and misery."





Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:

> On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
>> I am actually quite ambivalent about whether I think what he did was
>> wrong; I think to determine that I would need to read carefully what
>> the KSP organizers said.  Martin certainly should follow the protocols
>> established, but I would only count "established" as being what is
>> actually written down by the KSP organizers, and not just some kind of
>> general unspoken expectation.  (Where can I read about those written
>> protocols, if there are any?)
>
> From http://debconf6.debconf.org/ksp/ksp-dc6.html:
>
> " The next step is to verify each participant's identity by checking
>  preferably a passport or, alternatively, some other form of government
>  issued ID. Please don't show very old, doubtful or easy-to-fake documents as
>  people will not sign your key if you do so. "
>
> I guess that answers the questions you brought up in your e-mail. An ID from
> a political party is *not* a government issued ID and *is* a doubtful
> document.

Indeed, but it doesn't sound like he violated the rules.  This was
worded as a suggestion, not as a demand.  Indeed, notice that the
people who signed the key violated it just as much as he did.  Where
is the hue and cry against them?

I still want to know who they are, because it is *their* signatures I
have to start distrusting.

Thomas



Re: adding ddccontrol to debian

2006-05-30 Thread Roberto C. Sanchez
Fabrice Lorrain wrote:
> 
> Hi Roberto.
> 
> Thanks a lot for the quick answer and your work on this package.
> 
> @+,
> Fab
> 

No problem.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Bug#322762: marked as done (/usr/doc still exists (transition tracking bug))

2006-05-30 Thread Debian Bug Tracking System
Your message dated Tue, 30 May 2006 17:32:20 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#322762: fixed in vgacardgames 1.3.1-14
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: general
Severity: normal

In 1999, Debian began moving /usr/doc to /usr/share/doc to comply with
the FHS. Due to unfortunate dpkg issues at the time, we couldn't simply
move the directory and be done with it, but decided to move things
piecemeal by updating all packages. Due to some silly concerns about
users having to look in two places during the transition, we decided to
start by making /usr/doc/ -> /usr/share/doc/ symlinks.

In 2001, putting any documentation in /usr/doc became a serious policy
violation. The symlinks were still allowed.

In 2002, we completed the first stage of the transition, released woody
with complete /usr/share/doc and /usr/doc directories, and policy was
changed to not require the /usr/doc symlinks. debhelper was changed to
stop adding postinst and postrm fragments to manage the links, and so
most packages only needed a recompile to finish the transition.

We are now in the final, worst stages of this transition, when the few
remaining links in /usr/doc are due to packages that either use
debhelper and are so unmaintained they've not been updated since 2002,
or do not use debhelper and have not been modified to remove the code,
or worst, have been modified to remove the code, but botched it.

Policy is expected to be changed soon to make any files in /usr/doc a
serious bug. For now it is a normal bug.

A typical Debian unstable system today will have a dozen or two of these
symlinks left. This tracking bug is here because that is ugly and we
should completely finish the transition.

Set any bugs about /usr/doc stuff to being blockers of this bug report.
Use this as a tracking/coordination bug for the remainder of the transition.

Note that once this transition is complete we will need to do something
in base-files to remove the /usr/doc directory, if it is empty. It won't
be empty in all cases, for example a user might have non-debian or old
packages that have not transitioned still installed. This bug can be
reassigned to base-files to deal with that last step once it is no
longer blocked by any other bugs.

-- 
see shy jo


--- End Message ---
--- Begin Message ---
Source: vgacardgames
Source-Version: 1.3.1-14

We believe that the bug you reported is fixed in the latest version of
vgacardgames, which is due to be installed in the Debian FTP archive:

vgacardgames_1.3.1-14.diff.gz
  to pool/main/v/vgacardgames/vgacardgames_1.3.1-14.diff.gz
vgacardgames_1.3.1-14.dsc
  to pool/main/v/vgacardgames/vgacardgames_1.3.1-14.dsc
vgacardgames_1.3.1-14_i386.deb
  to pool/main/v/vgacardgames/vgacardgames_1.3.1-14_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
RISKO Gergely <[EMAIL PROTECTED]> (supplier of updated vgacardgames package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Wed, 31 May 2006 02:03:32 +0200
Source: vgacardgames
Binary: vgacardgames
Architecture: source i386
Version: 1.3.1-14
Distribution: unstable
Urgency: low
Maintainer: RISKO Gergely <[EMAIL PROTECTED]>
Changed-By: RISKO Gergely <[EMAIL PROTECTED]>
Description: 
 vgacardgames - Four SVGAlib card games
Closes: 322762
Changes: 
 vgacardgames (1.3.1-14) unstable; urgency=low
 .
   * rebuild because of /usr/doc transition (closes: #322762)
   * tidy up the manpages
   * dh_compat 1->4 transition
Files: 
 1c9a2fd02a86046db8df08c15246d859 587 games optional vgacardgames_1.3.1-14.dsc
 3fb79ab7e316facdac0d0341c268b791 4380 games optional vgacardgames_1.3.1-14.diff.gz
 07e1d207e581e15aaa30079e1a0bad24 36762 games optional vgacardgames_1.3.1-14_i386.deb


--- End Message ---


Re: adding ddccontrol to debian

2006-05-30 Thread Fabrice Lorrain

Roberto C. Sanchez wrote:

> Fabrice Lorrain wrote:
>
> > Hi,
> >
> > In the last 5 months, I encountered twice LCD flat screens without
> > hardware control or with half functional hardware control.
> >
> > The proper way to configure those screens was with software through the
> > ddc protocol. The only software I'm aware of working under linux is
> > ddccontrol [1] which is not in sid yet.
> >
> > Bored DD's might take some pleasure to warm the current frozen ITP [2].
> > Users eyes might bless your name for that in the etch time.
> >
> > @+,
> >    Fab
> >
> > [1] http://ddccontrol.sourceforge.net/
> > [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322774
>
> Fabrice,
>
> The current ITP is not frozen :-)
>
> I have a package ready at the moment.  However, it only cleanly builds
> with the version of gcc in Sarge.  I have been assured by upstream that
> a new release is forthcoming which fixes the build issues with gcc 4.x.
> Once it is out, the package will be updated and uploaded.
>
> -Roberto

Hi Roberto.

Thanks a lot for the quick answer and your work on this package.

@+,
Fab





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
> Nothing that a general software developer can do to check an
>  ID is proof against a determined individual, we all assume that there
>  is a gentleman's agreement in place that such an attack is not
>  mounted.

I assume no such thing.  I maintain a healthy degree of skepticism regarding
the true motives and identities of everyone, including those whose keys I've
signed.  It just doesn't interfere with my ability to work with people in
advancement of Debian's goals, because I recognize that statistically it
can't *matter*: assuming the worst about people is no better than assuming
the best, because it basically requires throwing away all collaboration in a
project like this in spite of the fact that in over 10 years of Debian's
existence there hasn't been a single recorded instance of a package
trojaning.

But this is far from assuming that there's a gentleman's agreement in place
-- a gentleman's agreement with people I don't know to be gentlemen in the
first place is worth the paper it's printed on.  OTOH, a gentleman's
agreement with people I know *not* to be gentlemen is worth exactly the
same, so I have no reason to wish to penalize someone for "cracking" a KSP
in this manner.  When I sign a key, I am not asserting that I know beyond
any doubt that the keyholder is who they claim to be -- I am only asserting
that, *to the best of my ability*, I have verified this.  Anyone who thinks
that the best of my ability includes detecting any and all forged IDs is
pretty delusional, but the best of my ability *should* include confirming
that an ID is a form of ID that I'm capable of recognizing, which means that
I failed miserably at this KSP.

> > In other words, Bubba sells forgeries, but the Transnational
> > Republic does not.

> Riiight.  And I know that how?

In other better words, Bubba is known to sell forgeries, but the
Transnational Republic is not known to sell them.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Red team attacks vs. cracking

2006-05-30 Thread Jacob S

On Tue, 30 May 2006 15:09:25 -0700
Paul Johnson <[EMAIL PROTECTED]> wrote:

> On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
> > Paul Johnson wrote:
> > >> See, if you visit a bazaar, I bet a helpful guy with a Russian
> > >> accent can sell you a perfectly valid passport for less than
> > >> $50.  Several years ago, a friend of mine actually asked someone
> > >> at the Stadion 10-lecia in Warsaw, and was led to a guy with a
> > >> number of blank Polish IDs for ~$25 each...
> > >>
> > >> That's about what checking government-issued IDs is worth.
> > >
> > > Perhaps in that part of the world, yes.
> >
> > Oh, THAT part of the world. Wait a minute, what part of the world?
> > Can you name any country in which you cannot buy fake IDs?
> >
> > I might have misunderstood you, but your comment sounded like an
> > insult towards Eastern Europe.
> 
> No, I'm saying that the availability and penalties for a fake ID vary
> enough by international jurisdiction that what may be true for
> eastern Europe is not necessarily true for the rest of the world.  If
> you want to construe an observation about variations in availability
> of certain goods and services as an insult, so be it, but that was
> not the intent.

We have to remember, after all, that severe fines and penalties are
enough to deter people from doing bad things on the black market. This
is why there are no illegal drugs in the United States.

Jacob


Re: bits from the release team: release goals, python, X.org, amd64, timeline

2006-05-30 Thread Fabrice Lorrain

Steve Langasek wrote:

> On Tue, May 30, 2006 at 11:50:28PM +0200, Fabrice Lorrain wrote:
>
> > What is the current status of nfsv4 in testing?
> > What can we expect for etch?
> > - do people from debian kernel-team follow the current dev (CITI
> > patch, krb5p support reintroduced in late 2.6.17 etc...)?
> > - What is the current status of userland tools (nfs-utils + CITI
> > patch, kerberos, idmap, librpcsecgss [1])
> >
> > And more generally what nfsv4 feature could we count on for etch.
> >
> > It seems [2] that Trond Myklebust was at Debconf and from his mail
> > Dapper is more or less in shape... If it's not an ongoing work, maybe
> > time for the grab-ubuntu-patch-merge-an-improved-debian-version dance
> > (at DD's discretion,).
>
> You'll want to direct these questions to the respective maintainers, not to
> the release team.

Ack.

As I'm not particularly interested by a private discussion with
"respective maintainers". cc and followup to d-devel.

To sum up, I'm interested to know what status of nfsv4 support we can
expect for etch.
As information on the subject in {www,lists,wiki}.debian.org is pretty
thin a public status report from DD's concerned (kernel-team,
nfs-utils, {MIT,Heimdal}-kerberos) might benefit everybody.

Thanks.

Fab





Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 16:02, Javier Fernández-Sanguino Peña wrote:
> We are not talking about national security or public safety here, if Martin
> wanted to prove that attacks against KSPs can happen he could have managed
> his attack in an open way (as Manoj said "contact management and get their
> approval") and then use that to enlighten us all.

On the other hand, in real life, people who are out there to deliberately harm 
the web of trust for whatever reason do not do so by contacting management 
and getting approval first.  Attacks in the real world don't happen with 
warning, so why should security only happen with warning or by accident?

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 03:11:23PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
> > On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> > > On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > > > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > > > can sell you a perfectly valid passport for less than $50.  Several
> > > > years ago, a friend of mine actually asked someone at the Stadion
> > > > 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> > > > IDs for ~$25 each...
> > > >
> > > > That's about what checking government-issued IDs is worth.

> > > Perhaps in that part of the world, yes.

> > As opposed to California, where per the news story I heard a couple weeks
> > ago, a counterfeit state ID good enough to elude an arrest warrant can be
> > had for $100-$200?

> California's its own little world, generally speaking if you assume the worst
> in Americans, you're describing Californians.



-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Red team attacks vs. cracking

2006-05-30 Thread Tyler MacDonald
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote:
> > Is this really a bad thing? He proved that KSP are bad for the web of trust.
> > A legitimate attacker could abuse the KSP just as easily as Martin, but
> > would result in actual damage, and would most likely not have been caught.
> 
> Ask yourself: is it a good thing to covertly attack X? Is it good to then
> publish the results [1] claiming^Wboasting that you have broken X? Do you
> really need to be proven that X can be broken?
> 
> Now change X to "KSP" or "Web server of company Y" or "(your country's)
> national security servers". What are your answers?

I have no opinion that I wish to state in this *particular* case,
but in general, I support it.

I like this page:

http://www.dataloss.net/papers/how.defaced.apache.org.txt

From the bottom of the page:

"We would like to compliment the Apache admin team on their swift response
when they found out about the deface, and also on their approach, even
calling us 'white hats' (we were at the most 'grey hats' here, if you ask
us)."

I'm not saying everybody should be as accommodating as the ASF when
their security gets compromised, but if somebody *does* hack you, then tells
you how they did it, and they don't invade your privacy or do any harm to
your stuff, then they have done you a service.

> [1] I will call it "publish" even if it was done in a rather obscure way.
> Not all developers are required to read Martin's blog, they are only
> required to read d-devel-announce

If Martin didn't tell the debian team right away after he illegally
crossed the fence, then that was irresponsible, but I still have no opinion
as to what should be done with him.

- Tyler





Re: Renaming a package

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 11:22:51AM +0200, Simon Richter wrote:

> Steve Langasek schrieb:

> >>Package: oldpkg
> >>Depends: newpkg
> >>Description: transitional dummy package

> >>Package: newpkg
> >>Replaces: oldpkg
> >>Conflicts: oldpkg
> >>Description: ...

> >*NO* *NO* *NO* *NO* *NO*.  Look closely at the package relationships you've
> >specified.  Why would you upload a package to the archive that *can never 
> >be installed*?

> Hm, that used to be a "magic" combination that would let dpkg do the 
> right thing.

I've heard this stated before, but if it was ever true, it's definitely not
the case with apt (or with britney), and it's not mentioned in policy.  I
suppose it's possible that dselect had some magic handling here that I've
never seen, but at least for the majority of users, a package in this
configuration isn't useful for transitioning, it's just broken, because it
depends on a package that conflicts with it.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/
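
The relationship problem described in the message above can be checked mechanically. The following is an added example, not code from the thread or from any Debian tool: a small Python checker that flags a package whose dependency can only be satisfied by something that conflicts with it. Assumptions: only unversioned Conflicts are evaluated, both inputs are constructed samples (the first copies the quoted stanzas, the second is the "no dummy package, plus Provides" variant mentioned elsewhere in this thread), and `consumer` is a hypothetical package name.

```python
import re

# Constructed sample 1: the two stanzas quoted in the message above.
DUMMY_PLUS_CONFLICT = """\
Package: oldpkg
Depends: newpkg
Description: transitional dummy package

Package: newpkg
Replaces: oldpkg
Conflicts: oldpkg
Description: ...
"""

# Constructed sample 2: no dummy package, newpkg Provides the old name.
# "consumer" is a hypothetical reverse dependency of oldpkg.
NO_DUMMY_WITH_PROVIDES = """\
Package: newpkg
Replaces: oldpkg
Conflicts: oldpkg
Provides: oldpkg

Package: consumer
Depends: oldpkg
"""

# One relation entry: a package name, optionally followed by "(constraint)".
REL_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]*)\s*(?:\(([^)]*)\))?")


def parse_stanzas(text):
    """Parse control-file text into {package name: {lowercased field: value}}."""
    packages = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:
                fields[last] += " " + line.strip()  # continuation line
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip().lower()
                fields[last] = value.strip()
        if "package" in fields:
            packages[fields["package"]] = fields
    return packages


def parse_relation(value):
    """Split 'a (>= 1) | b, c' into [[(a, '>= 1'), (b, None)], [(c, None)]]."""
    groups = []
    for group in value.split(","):
        alts = [m.groups() for m in map(REL_RE.match, group.split("|")) if m]
        if alts:
            groups.append(alts)
    return groups


def names_of(fields):
    """The real package name plus every virtual name it Provides."""
    names = {fields["package"]}
    for group in parse_relation(fields.get("provides", "")):
        names.update(name for name, _ in group)
    return names


def unversioned_conflict(a, b):
    """True if package a declares an unversioned Conflicts that hits b."""
    targets = names_of(b)
    return any(constraint is None and name in targets
               for group in parse_relation(a.get("conflicts", ""))
               for name, constraint in group)


def find_uninstallable(packages):
    """Return (package, dependency) pairs where every known provider of the
    dependency conflicts with the depending package."""
    findings = []
    for name, fields in sorted(packages.items()):
        for group in parse_relation(fields.get("depends", "")):
            candidates, unknown = [], False
            for alt, _ in group:
                providers = [p for p in packages.values()
                             if p is not fields and alt in names_of(p)]
                unknown = unknown or not providers
                candidates.extend(providers)
            if unknown:
                continue  # an alternative lives outside this input: cannot judge
            if all(unversioned_conflict(c, fields) or unversioned_conflict(fields, c)
                   for c in candidates):
                findings.append((name, " | ".join(alt for alt, _ in group)))
    return findings


if __name__ == "__main__":
    for label, text in (("dummy + Conflicts", DUMMY_PLUS_CONFLICT),
                        ("no dummy + Provides", NO_DUMMY_WITH_PROVIDES)):
        print(label, "->", find_uninstallable(parse_stanzas(text)))
```

Versioned Conflicts are skipped rather than evaluated, because deciding them requires Debian version comparison, which this example does not implement.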




Re: adding ddccontrol to debian

2006-05-30 Thread Roberto C. Sanchez
Fabrice Lorrain wrote:
> Hi,
> 
> In the last 5 months, I encountered twice LCD flat screens without
> hardware control or with half functional hardware control.
> 
> The proper way to configure those screens was with software through the
> ddc protocol. The only software I'm aware of working under linux is
> ddccontrol [1] which is not in sid yet.
> 
> Bored DD's might take some pleasure to warm the current frozen ITP [2].
> Users eyes might bless your name for that in the etch time.
> 
> @+,
> Fab
> 
> [1] http://ddccontrol.sourceforge.net/
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322774
> 
> 

Fabrice,

The current ITP is not frozen :-)

I have a package ready at the moment.  However, it only cleanly builds
with the version of gcc in Sarge.  I have been assured by upstream that
a new release is forthcoming which fixes the build issues with gcc 4.x.
Once it is out, the package will be updated and uploaded.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




adding ddccontrol to debian

2006-05-30 Thread Fabrice Lorrain

Hi,

In the last 5 months, I encountered twice LCD flat screens without 
hardware control or with half functional hardware control.


The proper way to configure those screens was with software through the 
ddc protocol. The only software I'm aware of working under linux is 
ddccontrol [1] which is not in sid yet.


Bored DD's might take some pleasure to warm the current frozen ITP [2].
Users eyes might bless your name for that in the etch time.

@+,
Fab

[1] http://ddccontrol.sourceforge.net/
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322774





Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 01:40:39PM -0400, Joe Smith wrote:
> Is this really a bad thing? He proved that KSP are bad for the web of trust.
> A legitimate attacker could abuse the KSP just as easily as Martin, but
> would result in actual damage, and would most likely not have been caught.

Ask yourself: is it a good thing to covertly attack X? Is it good to then
publish the results [1] claiming^Wboasting that you have broken X? Do you
really need to be proven that X can be broken?

Now change X to "KSP" or "Web server of company Y" or "(your country's)
national security servers". What are your answers?

In the place I work at, attacks are only done either on your head (that's
what attack trees [0] and risk analysis are for) or with the keyboard (or
phone) after whomever is in charge of X has asked for, acknowledged and
*approved* the attack. Why?  Because given enough resources (money, time, you
name it) most attacks will succeed against X. So the question is not *if* you
can break X but *when* and *how* can you break it. The attack is introduced
to see if there could be changes implemented to make it more difficult for a
wannabe attacker or to detect an ongoing attack and, consequently, minimise
the risk.

We are not talking about national security or public safety here, if Martin
wanted to prove that attacks against KSPs can happen he could have managed
his attack in an open way (as Manoj said "contact management and get their
approval") and then use that to enlighten us all.

What he did is wrong (and dishonest), even if the end result is "good": these
long threads, knowledgeable people discussing the effectiveness of KSPs and
non-knowledgeable people getting a clue. You might think that "the ends
justify the means" [2], I don't.

Regards

Javier

[0] http://www.schneier.com/paper-attacktrees-ddj-ft.html

[1] I will call it "publish" even if it was done in a rather obscure way.
Not all developers are required to read Martin's blog, they are only required
to read d-devel-announce

[2] Google found this Wired article for me, which is nice:
http://www.wired.com/news/politics/0,1283,58082,00.html




Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Tilman Koschnick
On Tue, 2006-05-30 at 20:48 +0200, Christoph Haas wrote:
> * svn-upgrade
> 
> Upgrading from a new upstream tarball has never worked here. Matthijs
> Mohlmann and I are maintaining the "pdns" (PowerDNS) package in a
> Subversion repository. That software isn't trivial but it's also no
> rocket science. Still svn-upgrade choked and left us alone like
> "something didn't work half way - what do you want to do?" and we ended
> up with a borked repository. Up to now we made a backup of the
> repository beforehand and took our chances. I believe we merged in the
> upstream changes manually. I didn't want to understand what svn-upgrade
> is doing under the hood so I felt left alone there.

Does the upstream tar ball contain symbolic links? svn-upgrade calls
svn_load_dirs, a contrib script from the subversion package, to get the
new upstream version into the repository. Before version 1.3.0-1,
svn_load_dirs didn't know how to handle symbolic links.

Cheers, Til




Re: Red team attacks vs. cracking

2006-05-30 Thread Adam Borowski
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > > Even the guy at 7-Eleven has the big book of north american ID cards with
> > > pictures and descriptions of what makes a real one for when they
> > > encounter an ID that they've never seen before.
> > How can you check if an ID card is real based only on what is written
> > on the card, even if it has all the hallmarks mentioned in that book?
> If you don't trust the ID, you don't sign the key.  But having the book to be 
> able to get a bad feeling about the ID from sure beats the apparent current 
> system of "Sign the key and hope the ID is for real."

What I mean is, it makes no sense to believe that IDs provide any
real security.  I would rather trust some common sense.  A brief
Google search on the person's name where you look at page 6 and pick
something that the person whose key you're signing should know.

For example, my name is pretty popular, but it's still pretty easy to
pick a reference to me.  Taking a few random links yields:

* an ELinks patch for a bug with xterm detection
=> ask me what was wrong

* a translation of a task from the Polish Olympiad in Informatics,
  the task was authored by me
=> ask me to briefly describe a solution for the task

* a Usenet-to-webforum mirror of r.g.r.nethack with a post about
  "termrec", my enhanced implementation of ttyrec
=> you can assume that the upstream of a piece of software will know
   its inner workings pretty well

Generally, you can learn a few things about the person you're trying
to impersonate, but there is no way you can know everything.  And the
real person can describe things in detail...


Thus, given:
A) someone with a government-issued ID, or
B) someone with a random card that bears a photo: a chess club card,
   a Transnational Republic passport, etc
I see hardly any difference between person A and B.  I would trust
common sense, not any passport.


> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.
> > [...]
> > That's about what checking government-issued IDs is worth.
> Perhaps in that part of the world, yes.

Yes, you're right.  In the US, the ID may set me back perhaps even
$100 or more.  And the point is...?

Cheers and schtuff,
-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.





Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
> I am actually quite ambivalent about whether I think what he did was
> wrong; I think to determine that I would need to read carefully what
> the KSP organizers said.  Martin certainly should follow the protocols
> established, but I would only count "established" as being what is
> actually written down by the KSP organizers, and not just some kind of
> general unspoken expectation.  (Where can I read about those written
> protocols, if there are any?)

From http://debconf6.debconf.org/ksp/ksp-dc6.html:

" The next step is to verify each participant's identity by checking
 preferably a passport or, alternatively, some other form of government
 issued ID. Please don't show very old, doubtful or easy-to-fake documents as
 people will not sign your key if you do so. "

I guess that answers the questions you brought up in your e-mail. An ID from
a political party is *not* a government issued ID and *is* a doubtful
document.

Regards

Javier




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
> Paul Johnson wrote:
> >> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> >> can sell you a perfectly valid passport for less than $50.  Several
> >> years ago, a friend of mine actually asked someone at the Stadion
> >> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> >> IDs for ~$25 each...
> >>
> >> That's about what checking government-issued IDs is worth.
> >
> > Perhaps in that part of the world, yes.
>
> Oh, THAT part of the world. Wait a minute, what part of the world? Can
> you name any country in which you cannot buy fake IDs?
>
> I might have misunderstood you, but your comment sounded like an insult
> towards Eastern Europe.

No, I'm saying that the availability and penalties for a fake ID vary enough 
by international jurisdiction that what may be true for eastern Europe is not 
necessarily true for the rest of the world.  If you want to construe an 
observation about variations in availability of certain goods and services as 
an insult, so be it, but that was not the intent.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
> On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> > On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > > can sell you a perfectly valid passport for less than $50.  Several
> > > years ago, a friend of mine actually asked someone at the Stadion
> > > 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> > > IDs for ~$25 each...
> > >
> > > That's about what checking government-issued IDs is worth.
> >
> > Perhaps in that part of the world, yes.
>
> As opposed to California, where per the news story I heard a couple weeks
> ago, a counterfeit state ID good enough to elude an arrest warrant can be
> had for $100-$200?

California's its own little world, generally speaking if you assume the worst 
in Americans, you're describing Californians.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Package Selection for Debian Live

2006-05-30 Thread Daniel Baumann
Eric Cooper wrote:
> I suggest that you provide the same packages that Knoppix does (as long
> as they're free), since Knoppix has been out there with a real user
> community for several years now.  No need to reinvent the wheel.

True, but knoppix is i386/amd64 only. Debian Live works on i386/amd64
too, but at least on sparc and powerpc too. So I hope to get feedback
from all non-intel/non-amd users.

Currently, the images are not autobuilt for those archs. The buildds
used for powerpc and sparc in Debian are either machines and/or
configurations, which do not support building packages for sparc64 resp.
powerpc64 (it does work here on my local machines, which are capable of
building the 64 bit packages).

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Making init scripts use dash

2006-05-30 Thread Steve Greenland
On 29-May-06, 03:57 (CDT), Ralf Wildenhues <[EMAIL PROTECTED]> wrote: 
> FWIW, libtool scripts are a bit more complex.  Unrelated though,
> Libtool records the shell and its features; if you change /bin/sh
> from bash to dash, the installed /usr/bin/libtool will have its
> $echo setting wrong, and break occasionally. 

Then libtool is buggy[1] and needs to begin with "#!/bin/bash" or
"#!/bin/dash", and include the appropriate Depends.

Steve

[1] But you knew that.

-- 
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world.   -- seen on the net





Bug#369600: ITP: evolution-jescs -- Evolution Connector for Sun Java Enterprise System Calendar Server (SJESCS)

2006-05-30 Thread Heikki Henriksen
Package: wnpp
Severity: wishlist
Owner: Heikki Henriksen <[EMAIL PROTECTED]>

* Package name: evolution-jescs
  Version : 2.6.2
  Upstream Author : Several Authors
* URL : http://www.go-evolution.org/Evolution_JESCS
* License : GPL
  Programming Lang: C
  Description : Evolution Connector for Sun Java Enterprise System Calendar 
Server (SJESCS)

  The JESCS-connector adds support to evolution for Sun Java Enterprise
  System Calendar Server (SJESCS) 5.1 and above, and for the Web
  Calendar Access Protocol (WCAP) 2.0, 3.0, 3.1.

Note: 
  This will be maintained by the pkg-evolution-team

Cheers,
 Heikki

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (401, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-k7
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)





Re: Package Selection for Debian Live

2006-05-30 Thread Daniel Baumann
Michael Fisher wrote:
> Is it possible to have a minimum size image with a WM that can stay
> below 125MB? This would be a great size for USB versions and versions
> running under Qemu or VMWare. Just a thought.

Yes, but those mini-images are a separate thing we do anyway (or provide
an easy possibility to create them yourself). Now we would like to fill a
700MB CD resp. a 4.5GB DVD with all the packages people might like
to see on it.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Red team attacks vs. cracking

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.  Several
> > years ago, a friend of mine actually asked someone at the Stadion
> > 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> > IDs for ~$25 each...

> > That's about what checking government-issued IDs is worth.

> Perhaps in that part of the world, yes.

As opposed to California, where per the news story I heard a couple weeks
ago, a counterfeit state ID good enough to elude an arrest warrant can be
had for $100-$200?

Thanks for playing, you arrogant jerk.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Package Selection for Debian Live

2006-05-30 Thread Daniel Baumann
Nico Golde wrote:
> Would be useful if you could provide the package lists for 
> the two images so we can see what's already included and send 
> you patches.

The small one contains the standard system only, means, packages which
have Priority: standard and nothing more. That's about 80MB (the image
size).

The other ones contain:

kde:
kde kdm x-window-system-core

gnome:
gnome-desktop-environment gdm-themes gnome-cups-manager
gnome-themes-extras rhythmbox synaptic gnome-screensaver gdm
x-window-system-core

xfce:
xfce4 gdm x-window-system-core

> Regards Nico

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Red team attacks vs. cracking

2006-05-30 Thread Stephen Gran
This one time, at band camp, Paul Johnson said:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian
> > accent can sell you a perfectly valid passport for less than $50.
> > Several years ago, a friend of mine actually asked someone at the
> > Stadion 10-lecia in Warsaw, and was led to a guy with a number of
> > blank Polish IDs for ~$25 each...
> >
> > That's about what checking government-issued IDs is worth.
> 
> Perhaps in that part of the world, yes.

What are you talking about, "that part of the world"?  Teenagers where
you're from don't have fake IDs?  I know I did when I was a teenager in
Philadelphia.  They may not have been printed on authentic passport
blanks, but they were close enough to fool people who looked at them for
a living.

I'm not really sure why the idea that ID's are forgeable is so
surprising, though.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: Red team attacks vs. cracking

2006-05-30 Thread Linas Žvirblis
Paul Johnson wrote:

>> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
>> can sell you a perfectly valid passport for less than $50.  Several
>> years ago, a friend of mine actually asked someone at the Stadion
>> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
>> IDs for ~$25 each...
>>
>> That's about what checking government-issued IDs is worth.
> 
> Perhaps in that part of the world, yes.

Oh, THAT part of the world. Wait a minute, what part of the world? Can
you name any country in which you cannot buy fake IDs?

I might have misunderstood you, but your comment sounded like an insult
towards Eastern Europe.





Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Thiemo Seufer
Falk Hueffner wrote:
> Aurelien Jarno <[EMAIL PROTECTED]> writes:
> 
> > Falk Hueffner a écrit :
> >> Aurelien Jarno <[EMAIL PROTECTED]> writes:
> >>
> >>>On arm, ia64 and alpha the glibc fails to build with gcc-4.1.
> >> On Alpha the problem is:
> >> {standard input}: Assembler messages:
> >> {standard input}:341: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:374: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:438: Error: macro requires $at register while noat in 
> >> effect
> >> {standard input}:471: Error: macro requires $at register while noat in 
> >> effect
> >> make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
> >> Error 1
> >> Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
> >> I cannot really think of anything better than
> >
> > Ok, thanks a lot, I will add it in the SVN soon.
> >
> > Do you think it is a fix or a workaround? Or rather do you think this
> > behaviour is correct?
> 
> Well, the right thing to do would be to turn arch to ev6, and then
> restore it to whatever it was previously; with this patch, it remains
> turned on for the rest of the file and could potentially hide errors.
> However, I don't think that's possible with gas. So given this
> deficiency, I don't think there's a better way.

FYI, the MIPS gas has

.set push
.set mips32
# ...
.set pop

which is very useful to handle such situations. Alpha gas at least
doesn't document anything similar, but it might be useful to
implement such a feature for it.


Thiemo



Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Adam Borowski
On Mon, May 29, 2006 at 09:29:34PM +0200, Matthias Urlichs wrote:
> * gnulib
>   (easy pickings; need to package new Upstream from CVS, every month or so)
I ported quite a lot of C software between IRIX/SunOS/AIX/Linux, so
I'll take it.

> * tcng
>   (some clean-up required)
I have some idea about bare tc -- two local ISPs run my scripts that
manage traffic shaping according to the customers' databases;
however, I haven't used tcng itself -- it looks interesting, though.
Unless someone else steps up, I can do it.

> * hashalot
>   (easy pickings)
Trivial; I can grab it if no one else does -- but if someone actually
uses it, that person of course has a priority.

Whee?
-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.





Re: bits from the release team: release goals, python, X.org, amd64, timeline

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 02:50:16PM +0200, Wouter Verhelst wrote:
> On Tue, May 30, 2006 at 12:05:26PM +0200, Andreas Barth wrote:
> > Timeline
> > 

> > Now, let's please take a more detailed look at the time line:

> >  Thu 15 Jun 06:

> > last chance to switch to gcc 4.1, python 2.4
> > review architectures one more time
> > last chance to add new architectures

> > RC bug count less than 300

> Since m68k pretty much depends on the gcc-4.1 transition to make it in
> again, I would suggest that we (as in, the m68k port) make the switch to
> GCC4.1 as the default already. This will allow us to verify that stuff
> actually builds and works, and to catch up with building those that fail
> with ICE in gcc-4.0 before that time. Since m68k is not a release
> architecture right now, this should not cause any problems for any other
> port if the GCC 4.1 transition does not happen, but it will help if it
> does.

> Thoughts, objections?

Since it seems gcc-4.1 is the only way to get m68k back up to building a
decent fraction of the archive, I think it's fair to switch to
gcc-4.1/g++-4.1 as the default now on m68k, yes.  From everything I hear, it
at least isn't going to be worse than the status quo.

I still wouldn't count gcc-4.1 build regressions in packages as
release-critical until at least one other architecture had switched to it as
default, even if m68k was otherwise ready to go as a release candidate, but
that shouldn't stop you from doing porter NMUs anyway.

BTW, can you tell me anything about the dip in
http://buildd.debian.org/stats/graph2-quarter-big.png for m68k?  Seems to be
heading in the wrong direction again for being a release candidate.  I see
12 buildds actively uploading packages for m68k, is this too few or is there
some other problem?

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Roberto C. Sanchez
Christoph Haas wrote:
> 
> Yes, of course. Besides some minor things I don't quite like about
> Subversion (merging looks like black magic for me and getting out old
> revisions of a file means typing the full URL for no reason) these are
> the actual problems I encountered with svn-buildpackage:
> 
> * svn-upgrade
> 
> Upgrading from a new upstream tarball has never worked here. Matthijs
> Mohlmann and I are maintaining the "pdns" (PowerDNS) package in a
> Subversion repository. That software isn't trivial but it's also no
> rocket science. Still svn-upgrade choked and left us alone like
> "something didn't work half way - what do you want to do?" and we ended
> up with a borked repository. Up to now we made a backup of the
> repository beforehand and took our chances. I believe we merged in the
> upstream changes manually. I didn't want to understand what svn-upgrade
> is doing under the hood so I felt left alone there.
> 
I guess I will need to watch out for that.  I have only had one upstream
upgrade so far since using svn-buildpackage, and I have not had this
happen.  Though, many of my packages are trivial to maintain.

> * svn-inject
> 
> Injecting new packages through svn-inject fails here. I get errors about
> the MKCOL method not being allowed on the remote WebDAV server. Perhaps
> it's a problem that the Apache runs on Sarge while I'm developing on
> Sid.
> 
Not sure.  I have shell access and use the svn+ssh method for my
Subversion access.

> * svn-buildpackage
> 
> The main script for building a package works well here. Just that the
> build-area doesn't seem to be tidied up automatically. A few failed
> attempts of building a package and that directory grows here. But
> building a package from the repository through pbuilder is very nice.
> 
I have noticed this as well.

> 
> Kudos to Eduard Bloch though. The scripts are pretty sophisticated. And
> I already spent some time getting it working with pbuilder (see [1]).
> 
Yes, it is just too bad that they did not use a respectable language,
like Python.  As it is, there are many features I would like to see
added, but all I can do is file wishlist bugs, as I don't know anything about
Perl besides how to spell it.

Your link on getting svn-buildpackage and pbuilder working was
excellent.  I used it as a guide as well when I needed to integrate the two.

> In the end I still favor Subversion over any other RCS. Although Simon
> Richter made me try Git today. And I like to try out new things so I can
> find better arguments against it. :)
> 
I agree that (and pardon my paraphrasing), subversion is the worst form
of revision control, except for all the others that have been tried.
Personally, none of the others make sense.

> 
>>The only problem I have encountered so far is that the Horde team uses
>>Arch, which I simply cannot understand.  I have spent quite a while
>>reading through the documentation and messing with it, but Arch seems to
>>me to not make any rational sense.
> 
> 
> Neither to me. Bazaar (as made and used by the Ubuntu staff) seems to be
> a "better arch". Still I couldn't be convinced to use it.
> 
> Disclaimer: I'm not a Subversion guru. So I might as well just be
> ignorant.
> 
Ditto.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > Even the guy at 7-Eleven has the big book of north american ID cards with
> > pictures and descriptions of what makes a real one for when they
> > encounter an ID that they've never seen before.  Surely Debian can do as
> > well as the guy selling cigarettes and beer at the 7-Eleven when it comes
> > to verification...
>
> How can you check if an ID card is real based only on what is written
> on the card, even if it has all the hallmarks mentioned in that book?

If you don't trust the ID, you don't sign the key.  But having the book to be 
able to get a bad feeling about the ID from sure beats the apparent current 
system of "Sign the key and hope the ID is for real."

> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> can sell you a perfectly valid passport for less than $50.  Several
> years ago, a friend of mine actually asked someone at the Stadion
> 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
> IDs for ~$25 each...
>
> That's about what checking government-issued IDs is worth.

Perhaps in that part of the world, yes.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Falk Hueffner
Aurelien Jarno <[EMAIL PROTECTED]> writes:

> Falk Hueffner a écrit :
>> Aurelien Jarno <[EMAIL PROTECTED]> writes:
>>
>>>On arm, ia64 and alpha the glibc fails to build with gcc-4.1.
>> On Alpha the problem is:
>> {standard input}: Assembler messages:
>> {standard input}:341: Error: macro requires $at register while noat in effect
>> {standard input}:374: Error: macro requires $at register while noat in effect
>> {standard input}:438: Error: macro requires $at register while noat in effect
>> {standard input}:471: Error: macro requires $at register while noat in effect
>> make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
>> Error 1
>> Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
>> I cannot really think of anything better than
>
> Ok, thanks a lot, I will add it in the SVN soon.
>
> Do you think it is a fix or a workaround? Or rather do you think this
> behaviour is correct?

Well, the right thing to do would be to turn arch to ev6, and then
restore it to whatever it was previously; with this patch, it remains
turned on for the rest of the file and could potentially hide errors.
However, I don't think that's possible with gas. So given this
deficiency, I don't think there's a better way.

-- 
Falk





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Daniel Baumann
 wrote:
> * gnulib
>   (easy pickings; need to package new Upstream from CVS, every month or so)

I'll take that.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Package Selection for Debian Live

2006-05-30 Thread Török Edvin

On 5/30/06, Daniel Baumann <[EMAIL PROTECTED]> wrote:

> [ crosspost to live, -devel and -edu; replies please to -devel ]
>
> Hi all,
>
> at the moment, we have two types of Live CD images:
>
>   * the small one which contains only packages of standard priority,
>   * and three larger ones, each of which contains one of the common
>     desktop-environments on it (gnome, kde, xfce).
>
> Now, we would like to create a decent package selection which reflects,
> as well as possible, the users' desires. There should be one package
> selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
> current squashfs compression, the actual filesystem size is about 3
> times bigger than the packed one. This means that there can be quite a
> few packages on it :) I'm open for your suggestions...

What I'd need on a Live CD-ROM:
* rescue tools:
  - parted
  - fdisk
  - mkfs.*
  - grub
  - lvm management tools
* 386 and amd64 kernels on same cdrom (so that I can chroot into
  pure64 installations)
* text editor:
  my favourites: vim, jed. (please no flames on this)
* compiler with at least libc-dev, libstdc++-dev
* it should be possible to debootstrap from CD
* networking:
  dhcp, rp-pppoe, (nfs,)
* mc would be nice to have
* if it fits a minimalistic xorg with fluxbox, and gs/ghostview
. this is just a quick list I've come up with, I'm sure there is
plenty more that would be needed.

of course on the dvd I'd like to see openoffice.

Which packages of the above are currently on the live CD?


Regards,
Edwin





Re: Package Selection for Debian Live

2006-05-30 Thread Michael Fisher

Is it possible to have a minimum size image with a WM that can stay
below 125MB? This would be a great size for USB versions and versions
running under Qemu or VMWare. Just a thought.

desNotes

On 5/30/06, Daniel Baumann <[EMAIL PROTECTED]> wrote:

> [ crosspost to live, -devel and -edu; replies please to -devel ]
>
> Hi all,
>
> at the moment, we have two types of Live CD images:
>
>   * the small one which contains only packages of standard priority,
>   * and three larger ones, each of which contains one of the common
>     desktop-environments on it (gnome, kde, xfce).
>
> Now, we would like to create a decent package selection which reflects,
> as well as possible, the users' desires. There should be one package
> selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
> current squashfs compression, the actual filesystem size is about 3
> times bigger than the packed one. This means that there can be quite a
> few packages on it :) I'm open for your suggestions...
>
> Regards,
> Daniel
>
> --
> Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
> Email:  [EMAIL PROTECTED]
> Internet:   http://people.panthera-systems.net/~daniel-baumann/



Re: Package Selection for Debian Live

2006-05-30 Thread Nico Golde
Hi,
* Daniel Baumann <[EMAIL PROTECTED]> [2006-05-30 22:19]:
> [ crosspost to live, -devel and -edu; replies please to -devel ]
> at the moment, we have two types of Live CD images:
> 
>   * the small one which contains only packages of standard priority,
>   * and three larger ones, each of which contains one of the common
> desktop-environments on it (gnome, kde, xfce).
> 
> Now, we would like to create a decent package selection which reflects,
> as well as possible, the users' desires. There should be one package
> selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
> current squashfs compression, the actual filesystem size is about 3
> times bigger than the packed one. This means that there can be quite a
> few packages on it :) I'm open for your suggestions...

Would be useful if you could provide the package lists for
the two images so we can see what's already included and send
you patches.
Regards Nico
-- 
Nico Golde - JAB: [EMAIL PROTECTED] | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!




Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Aurelien Jarno

Falk Hueffner wrote:

> Aurelien Jarno <[EMAIL PROTECTED]> writes:
>
>> On arm, ia64 and alpha the glibc fails to build with gcc-4.1.
>
> On Alpha the problem is:
>
> {standard input}: Assembler messages:
> {standard input}:341: Error: macro requires $at register while noat in effect
> {standard input}:374: Error: macro requires $at register while noat in effect
> {standard input}:438: Error: macro requires $at register while noat in effect
> {standard input}:471: Error: macro requires $at register while noat in effect
> make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o]
> Error 1
>
> Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
> I cannot really think of anything better than

Ok, thanks a lot, I will add it in the SVN soon.

Do you think it is a fix or a workaround? Or rather do you think this 
behaviour is correct?


--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net





Package Selection for Debian Live

2006-05-30 Thread Daniel Baumann
[ crosspost to live, -devel and -edu; replies please to -devel ]

Hi all,

at the moment, we have two types of Live CD images:

  * the small one which contains only packages of standard priority,
  * and three larger ones, each of which contains one of the common
desktop-environments on it (gnome, kde, xfce).

Now, we would like to create a decent package selection which reflects,
as well as possible, the users' desires. There should be one package
selection for a 700MB CD-ROM, and one for a 4.5GB DVD-ROM. With the
current squashfs compression, the actual filesystem size is about 3
times bigger than the packed one. This means that there can be quite a
few packages on it :) I'm open for your suggestions...

Regards,
Daniel

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Christoph Haas
On Tue, May 30, 2006 at 08:48:14PM +0200, I (Christoph Haas) wrote:
> * svn-inject
> 
> Injecting new packages through svn-inject fails here. I get errors about
> the MKCOL method not being allowed on the remote WebDAV server. Perhaps
> it's a problem that the Apache runs on Sarge while I'm developing on
> Sid.

It appears like MKCOL returns a 405 when a collection (apparently a
directory on the DAV server - I'm not a DAV expert) is already existing.
So removing the whole repository, re-creating it and then running
svn-inject works. I was sure that I injected into a blank repository -
apparently it wasn't totally blank.

Another strange issue is that the tarballs/ directory for upstream
tarballs is not automatically created and needs to be adjusted by hand
by editing the trunk/.svn/deb-layout file. Or it's just me not
understanding the mergeWithUpstream setting correctly.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All




Re: Red team attacks vs. cracking

2006-05-30 Thread Adam Borowski
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> Even the guy at 7-Eleven has the big book of north american ID cards with 
> pictures and descriptions of what makes a real one for when they encounter an 
> ID that they've never seen before.  Surely Debian can do as well as the guy 
> selling cigarettes and beer at the 7-Eleven when it comes to verification...

How can you check if an ID card is real based only on what is written
on the card, even if it has all the hallmarks mentioned in that book?

See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50.  Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in Warsaw, and was led to a guy with a number of blank Polish
IDs for ~$25 each...

That's about what checking government-issued IDs is worth.

-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.





Re: Renaming a package

2006-05-30 Thread Adeodato Simó
* Andreas Fester [Tue, 30 May 2006 21:42:27 +0200]:

> One last question: would it be safe to say

> Architecture: all

> in the dummy transition package since it does not contain
> any architecture specific files anymore, or is it better to
> leave it as it is with "Architecture: any" to create
> architecture specific packages?

Yes, Arch: all is not only safe, but what it should be. :)

-- 
Adeodato Simó dato at net.com.org.es
Debian Developer  adeodato at debian.org
 
One of my most productive days was throwing away 1000 lines of code.
-- Ken Thompson





Re: Renaming a package

2006-05-30 Thread Andreas Fester

Thanks for all your answers, my package successfully transformed
to its new name with apt-get dist-upgrade in my test environment :-)

One last question: would it be safe to say

Architecture: all

in the dummy transition package since it does not contain
any architecture specific files anymore, or is it better to
leave it as it is with "Architecture: any" to create
architecture specific packages?

Thanks,

Andreas

Andreas Fester wrote:
[...]
> Problem:
> 
> Upstream application (non-library) has changed its name.
> I want to reflect this new name in the debian
> package name while ensuring that apt-get dist-upgrade
> works seamless and pulls in the new package.
[...]

--
Andreas Fester
mailto:[EMAIL PROTECTED]
WWW: http://www.littletux.net
ICQ: 326674288



Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Falk Hueffner
Aurelien Jarno <[EMAIL PROTECTED]> writes:

> On arm, ia64 and alpha the glibc fails to build with gcc-4.1.

On Alpha the problem is:

{standard input}: Assembler messages:
{standard input}:341: Error: macro requires $at register while noat in effect
{standard input}:374: Error: macro requires $at register while noat in effect
{standard input}:438: Error: macro requires $at register while noat in effect
{standard input}:471: Error: macro requires $at register while noat in effect
make[3]: *** [/tmp/buildd/glibc-2.3.6/build-tree/alpha-libc/misc/ioperm.o] 
Error 1

Hrm. gcc puts .arch ev4 into the .s, and this overrides -mev6 for as.
I cannot really think of anything better than

--- ioperm.c~   2001-07-06 06:56:13.0 +0200
+++ ioperm.c2006-05-30 21:22:54.0 +0200
@@ -173,13 +173,13 @@
 static inline void
 stb_mb(unsigned char val, unsigned long addr)
 {
-  __asm__("stb %1,%0; mb" : "=m"(*(vucp)addr) : "r"(val));
+  __asm__(".arch ev6; stb %1,%0; mb" : "=m"(*(vucp)addr) : "r"(val));
 }
 
 static inline void
 stw_mb(unsigned short val, unsigned long addr)
 {
-  __asm__("stw %1,%0; mb" : "=m"(*(vusp)addr) : "r"(val));
+  __asm__("".arch ev6; stw %1,%0; mb" : "=m"(*(vusp)addr) : "r"(val));
 }
 
 static inline void
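Review bot: In the stw_mb change the added line opens the asm string with `"".arch ev6; stw ...`, a doubled quote, unlike the stb_mb line just above it, which opens with `".arch ev6; stb ...`. As written the string literal ends immediately and `.arch` follows outside it, so this will not compile; drop the extra `"`.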
@@ -351,7 +351,7 @@
   unsigned long int addr = dense_port_to_cpu_addr (port);
   unsigned char r;
 
-  __asm__ ("ldbu %0,%1" : "=r"(r) : "m"(*(vucp)addr));
+  __asm__ (".arch ev6; ldbu %0,%1" : "=r"(r) : "m"(*(vucp)addr));
   return r;
 }
 
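Review bot: The `.arch ev6` directive added to the ldbu asm string is not limited to that one instruction; once the assembler has seen it, it stays in effect for what follows in the same output, so later instructions that are not valid for the intended target would no longer be rejected. If gas offers no way to restore the previous setting, say so in a comment next to the asm so the wider effect is a documented choice.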
@@ -361,7 +361,7 @@
   unsigned long int addr = dense_port_to_cpu_addr (port);
   unsigned short r;
 
-  __asm__ ("ldwu %0,%1" : "=r"(r) : "m"(*(vusp)addr));
+  __asm__ (".arch ev6; ldwu %0,%1" : "=r"(r) : "m"(*(vusp)addr));
   return r;
 }
 
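Review bot: The `.arch ev6;` prefix is pasted here into a fourth asm string (ldwu) with nothing in the source explaining it. A short comment, or a single macro holding the prefix, would record that it works around gcc putting `.arch ev4` into the .s and overriding -mev6, and would make the workaround easy to find and remove later.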
-- 
Falk





Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Paul Johnson <[EMAIL PROTECTED]> [2006.05.30.2120 +0200]:
> Even the guy at 7-Eleven has the big book of north american ID cards with 
> pictures and descriptions of what makes a real one for when they encounter an 
> ID that they've never seen before.  Surely Debian can do as well as the guy 
> selling cigarettes and beer at the 7-Eleven when it comes to verification...


  I once had the 7-Eleven guy refuse my German driver's licence,
  because it had "VOID" printed over it in this very book


The idea is a nice one, let's compile a book with descriptions of
valid IDs. However, this really won't help at all during a KSP.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Most Intelligent Customers Realise Our Software Only Fools Them.




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 10:40, Joe Smith wrote:
> But Martin decided to publish this experiment.
> Is this really a bad thing? He proved that KSP are bad for the web of
> trust. 

Isn't what Martin and this thread actually demonstrated is that signing keys 
based on IDs you cannot reasonably authenticate as real, with a focus on 
quantity instead of quality among KSP participants is the real problem at 
hand?

Even the guy at 7-Eleven has the big book of north american ID cards with 
pictures and descriptions of what makes a real one for when they encounter an 
ID that they've never seen before.  Surely Debian can do as well as the guy 
selling cigarettes and beer at the 7-Eleven when it comes to verification...

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Christoph Haas
On Tue, May 30, 2006 at 01:45:10PM -0400, Roberto C. Sanchez wrote:
> Christoph Haas wrote:
> > 
> > I'm currently looking into several systems. Usually I use Subversion and
> > svn-buildpackage but due to a lot of trouble with svn-buildpackage I
> > have moved away from repositories for my Debian packages lately.
> > 
> Out of curiosity, what problems have you encountered with
> svn-buildpackage?  Personally, I have transitioned all the packages that
> I maintain solo into it, as well as some of the package maintenance
> teams I am on use it.  I have not encountered any problems.

Yes, of course. Besides some minor things I don't quite like about
Subversion (merging looks like black magic for me and getting out old
revisions of a file means typing the full URL for no reason) these are
the actual problems I encountered with svn-buildpackage:

* svn-upgrade

Upgrading from a new upstream tarball has never worked here. Matthijs
Mohlmann and I are maintaining the "pdns" (PowerDNS) package in a
Subversion repository. That software isn't trivial but it's also no
rocket science. Still svn-upgrade choked and left us alone like
"something didn't work half way - what do you want to do?" and we ended
up with a borked repository. Up to now we made a backup of the
repository beforehand and took our chances. I believe we merged in the
upstream changes manually. I didn't want to understand what svn-upgrade
is doing under the hood so I felt left alone there.

* svn-inject

Injecting new packages through svn-inject fails here. I get errors about
the MKCOL method not being allowed on the remote WebDAV server. Perhaps
it's a problem that the Apache runs on Sarge while I'm developing on
Sid.

* svn-buildpackage

The main script for building a package works well here. Just that the
build-area doesn't seem to be tidied up automatically. A few failed
attempts of building a package and that directory grows here. But
building a package from the repository through pbuilder is very nice.


Kudos to Eduard Bloch though. The scripts are pretty sophisticated. And
I already spent some time getting it working with pbuilder (see [1]).

In the end I still favor Subversion over any other RCS. Although Simon
Richter made me try Git today. And I like to try out new things so I can
find better arguments against it. :)

> The only problem I have encountered so far is that the Horde team uses
> Arch, which I simply cannot understand.  I have spent quite a while
> reading through the documentation and messing with it, but Arch seems to
> me to not make any rational sense.

Neither to me. Bazaar (as made and used by the Ubuntu staff) seems to be
a "better arch". Still I couldn't be convinced to use it.

Disclaimer: I'm not a Subversion guru. So I might as well just be
ignorant.

Kindly
 Christoph

[1] http://workaround.org/moin/SvnBuildpackage
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All




Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Andreas Metzler

In article <[EMAIL PROTECTED]> (gmane.linux.debian.devel.general) you wrote:
> On (29/05/06 21:29), [EMAIL PROTECTED] wrote:
[...]
>> * gnutls, gcrypt, libtasn1, libksba
>>   (security-critical, some work required, having a team for these
>>   packages would be ideal)

> I would like to be part of the team for these packages.

I had already invested a little bit of time in these,
http://downhill.aus.cc/debian/misc/ and would be happy to at least
give the packages a kick to get them into shape.
cu and- My elan might fail after some time, so a team really looks
good. -reas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.(c) Jasper Ffforde



Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Thomas Bushnell BSG <[EMAIL PROTECTED]> [2006.05.30.2002 +0200]:
> Personally, I'm especially worried about the developers who were
> taken in by the Transnational Republic ID.  So, can we have
> a "fess up" time now?  Manoj, did you sign the key on this basis?

He did not.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"arguments are extremely vulgar,
 for everyone in good society
 holds exactly the same opinion."
-- oscar wilde




Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2006.05.30.1920 +0200]:
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]

I acknowledge this and would like to apologise to everyone.

My "experiment" was indeed not at all prepared. I am very pleased,
however, with the result. Should I ever conduct something similar in
the future (I don't have any plans), I will follow a protocol based
on the one suggested by Manoj.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"people who catch fire quickly
 grow cold quickly and are therefore unreliable on the whole."
 - friedrich nietzsche




Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
"Joe Smith" <[EMAIL PROTECTED]> writes:

> So, if KSPs are not changed, then the Web of trust becomes
> effectively worthless.  Manoj should be far more concerned about
> that, than about Martin's demonstration of this.

Personally, I'm especially worried about the developers who were taken
in by the Transnational Republic ID.  So, can we have a "fess up" time
now?  Manoj, did you sign the key on this basis?

The people who we really shouldn't trust are the ones who thought the
Transnational Republic is a real country, or didn't bother to check.
Manoj has already admitted that he doesn't bother to check as a rule,
but hasn't said whether in fact he was taken in and signed the key on
this basis.

Manoj, you?

Thomas





Invitation From Pingo.com

2006-05-30 Thread Phone Card Partnership
Dear Debian Devel, 

I’m personally emailing you today to discuss a partnership. I noticed 
that your web site debian.org has linked to Tel3. Pingo is a virtual 
VoIP calling card service that helps the world save on their long
distance and international calls.

I'm sending you this invitation to discuss a few partnership options;

1. Join Pingo Affiliate Program

Pingo will pay you up to 80% of the first sale plus a residual income 
(6 months) for every new customer that debian.org refers to Pingo!

Learn more about this partnership at Pingo’s affiliate marketing tips 
site. http://www.SuperAffiliateBluePrint.com

2.  Link to Pingo for a Phone Card

If you post this text link on your site. 

Save on International prepaid calling cards (http://www.pingo.com)
with Pingo.

I’ll be glad to give you a complimentary phone card good for about 3 
hours of international calls as a special thank you gift. 

3.  Post this Special Coupon Code on debian.org

As a way to save your website visitors money. Please post this special 
pingo coupon code. 

Save 10% on Pingo’s Virtual Calling Cards

Use Pingo Phone Coupon Code  “springcall06”

Thanks for your future partnership, 

Brian 

P.S. Don’t forget to email me back your link to Pingo so that I can 
send you your special phone card thank you gift. 

Brian
Affiliate Marketing Manager 
Pingo
20 Second Avenue
Burlington, Ma. 01803
Direct: 781 505-7865
[EMAIL PROTECTED] 
http://www.pingo.com
 






Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Roberto C. Sanchez
Christoph Haas wrote:
> 
> I'm currently looking into several systems. Usually I use Subversion and
> svn-buildpackage but due to a lot of trouble with svn-buildpackage I
> have moved away from repositories for my Debian packages lately.
> 
Out of curiosity, what problems have you encountered with
svn-buildpackage?  Personally, I have transitioned all the packages that
I maintain solo into it, as well as some of the package maintenance
teams I am on use it.  I have not encountered any problems.

The only problem I have encountered so far is that the Horde team uses
Arch, which I simply cannot understand.  I have spent quite a while
reading through the documentation and messing with it, but Arch seems to
me to not make any rational sense.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: Red team attacks vs. cracking

2006-05-30 Thread Joe Smith


"Javier Fernández-Sanguino Peña" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

> Claiming that what Martin did was good since he was showing something useful
> for our community is equivalent to saying it was a "red team attack". Nobody
> used that term explicitly probably because they are unfamiliar with it. I
> know what it means, I've done my share of pen-testing to companies.
>
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]

Had Martin never mentioned this, it would have been a non-issue.
There is no real damage. While signatures may have been based on
a non-official ID, Martin did indeed own the key in question, so
the end harm is zero. But Martin decided to publish this experiment.
Is this really a bad thing? He proved that KSP are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easily as Martin, but
would result in actual damage, and would most likely not have been caught.

So, if KSPs are not changed, then the Web of trust becomes effectively
worthless. Manoj should be far more concerned about that, than about
Martin's demonstration of this.







Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:

> Claiming that what Martin did was good since he was showing
> something useful for our community is equivalent to saying it was a
> "red team attack". Nobody used that term explicitly probably because
> they are unfamiliar with it. I know what it means, I've done my
> share of pen-testing to companies.

Perhaps some people have argued that it was good what he did; I have
not.  I have constrained my comments to arguing only that what he did
was not, so far as we know, either fraudulent or forgery.

What he did may have beneficial consequences, if it encourages people
to be more careful in the future, but certainly I would agree that
this does not justify it.

I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.  Martin certainly should follow the protocols
established, but I would only count "established" as being what is
actually written down by the KSP organizers, and not just some kind of
general unspoken expectation.  (Where can I read about those written
protocols, if there are any?)

> I find this akin to people finding and exploiting web app vulnerabilities
> (without being paid for by the company and without their approval).
> To "show" that webapps are vulnerable.

Indeed, if he did violate the written rules of the KSP, then it is
much like this.  (That still doesn't make it forgery, fraud, or
dishonesty, however.)

At the same time, we should *also* recognize that anyone who signed on
the basis of the Transnational Republic ID (unless they have more
information about that organization than the rest of us do) has *also*
broken the rules of the KSP.

Moreover, the harm caused by people who did not properly check the ID
is *worse* than the harm caused by not following the written KSP rules
(if indeed he didn't follow them).  So I ask, ONE MORE TIME, HOPING
FOR AN ANSWER:

Manoj, did you sign the key on the basis of the Transnational Republic
ID?

Javier, did you?

Thomas



Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
> Manoj Srivastava <[EMAIL PROTECTED]> writes:
> 
> > This is to forestall those of you who seem to be arguing
> >  that the debconf6 KSP crack was a red team attack -- here is how that
> >  attack differed from a legitimate red team effort (I have been a
> >  member of red teams before, and have led a number of red team
> >  attacks in my time).
> 
> I haven't heard anyone make such a claim.

Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a "red team attack". Nobody
used that term explicitly probably because they are unfamiliar with it. I
know what it means, I've done my share of pen-testing to companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a "red team" test) and that Martin *did* abuse our [0] trust [1]

I find this akin to people finding and exploiting web app vulnerabilities
(without being paid for by the company and without their approval).
To "show" that webapps are vulnerable.

Regards

Javier

[0] The assistants to the KSP

[1] By not providing a *proper* ID as required by the KSP organisers (and
all KSPs protocols I've read). Notice that he himself has described his ID
as not being *proper* and that it was the whole point of his exercise.




Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread gregor herrmann
On Tue, May 30, 2006 at 01:46:30AM -0700, Zak B. Elep wrote:

> >* libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
> > libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
> > libnet-xwhois-perl, libvideo-capture-v4l-perl
> I'd like to take these up.

Oops, I just saw your mail now after writing my own offer.
Please just go ahead; unless you want to maintain the packages within
the Debian Perl Group, of course ;-)

gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian: the universal operating system - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-NP: Bob Dylan: I want you




Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava <[EMAIL PROTECTED]> writes:

> Based on this thread, I would think that Steve Langasek was
>  dead on: any transitive trust in Debian's keyring is
>  non-existent. So, using the signed key as a measure of trust in the
>  identity of a NM candidate by the DAMS is probably misplaced trust;
>  people are apparently pretty darned gullible  in our community.

The gullibility is in people who accept ID's that say "Transnational
Republic" (at least, without knowing more).

Now, Manoj, are you one of those people?

Thomas





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Manoj Srivastava
On 30 May 2006, Frank Küster verbalised:

> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
>
>>>>> What Martin Krafft showed you was,
>>>>
>>>> How do I know that person actually was Martin Krafft?
>>>
>>> This is getting ridiculous.
>>
>> With this I tend to agree.  Your credulity is unbelievable.
>>
>>> If what I've read about the incident is correct, the same person
>>> also showed a German ID card with identical information about the
>>> person.
>>
>> Holy batmobiles, man, how can you believe that? You weren't there.
>> How can you assert that there was a real ID by hearsay? Even if you
>> go by the blog posting that opened this discussion, most of the
>> people present did not see this so called real ID. Even if the blog
>> posting was not exaggerated, all you need is a bunch of people in
>> cahoots to play a prank to assure you there was an ID -- and you
>> fell for it.
>
> Okay, so you don't believe the person present was actually Martin
> Krafft; or at least you have serious doubts.

I didn't say that either. Why do people keep asserting
 stronger statements than I am making? Are finer distinctions a lost
 art?

I said: I have no way of knowing if that person was, or was
 not, Martin; but faced with an issue of identity verification and
 trust, the default position is to treat him as a bogey.  Is this
 really that hard to understand?


Based on this thread, I would think that Steve Langasek was
 dead on: any transitive trust in Debian's keyring is
 non-existent. So, using the signed key as a measure of trust in the
 identity of a NM candidate by the DAMS is probably misplaced trust;
 people are apparently pretty darned gullible  in our community.

The DAM's should revert to stronger requirements for
 meat space identity, at their own discretion.

manoj
-- 
"I'm growing older, but not up." Jimmy Buffett
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Hubert Chan
On Mon, 29 May 2006 21:29:34 +0200, [EMAIL PROTECTED] (Unknown) said:

> * ufraw (need to package new Upstream; easy)

I can take this if nobody else wants it.

-- 
Hubert Chan - email & Jabber: [EMAIL PROTECTED] - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA   (Key available at wwwkeys.pgp.net)
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread gregor herrmann
On Mon, May 29, 2006 at 09:29:34PM +0200,  wrote:

> * libdigest-hmac-perl, libdigest-sha1-perl, libdigest-md2-perl,
>   libdigest-perl, libio-interface-perl, libio-socket-multicast-perl,
>   libnet-xwhois-perl, libvideo-capture-v4l-perl
>   (easy pickings; check for new Upstream)

I guess these packages would fit in the Debian Perl Group's
"collection".
If there are no objections I would start to move them over.

gregor
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian: the universal operating system - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-NP: Dire Straits: Walk Of Life




Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava <[EMAIL PROTECTED]> writes:

> This is to forestall those of you who seem to be arguing
>  that the debconf6 KSP crack was a red team attack -- here is how that
>  attack differed from a legitimate red team effort (I have been a
>  member of red teams before, and have led a number of red team
>  attacks in my time).

I haven't heard anyone make such a claim.





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava <[EMAIL PROTECTED]> writes:

> I guess You can't read.  I have never stated that I know it is
>  a forgery:  I can't since I do not have that data. I have stated I
>  have absolutely no trust path to the identity proclaimed, so I am
>  going to treat it as though it were; since there is, in my opinion,
>  already an act of bad faith in play since someone is trying to trick
>  people into signing keys based on a identification paper from less
>  than trusted sources.

Whether a source is trusted depends on the truster.  An ID might be an
excellent trusted path for one person and not for another.  For
example, my University of California ID.  Indeed, I might sign a
photograph affidavit of identity for a friend of mine.  People who
know me and know my signature would accept that as ID for the friend;
people who do not know me or do not know my signature should not
accept that as ID.

It is you that do not trust a Transnational Republic ID, and with good
reason.  You shouldn't trust it, and neither should or would I.  But
that does *not* mean that anyone who presents it is trying to trick
you.

>> Why do you keep claiming that he did deliberately change things on
>> this Transnational Republic ID card?
>
> Where did I make this claim? I know English is not your first
>  language, but you know, these idiotic accusations are getting rather
>  shrill.

You claim that there was forgery.  Or at least, you were claiming that.

> No, giving me Bubba's ID cards and putting the burden of proof
>  on me does not absolve the evil doer from the fact that an attempt to
>  trick people was in play.

What was the trick?  Exactly, please.  What fact were people being
tricked into believing?

Thomas





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava <[EMAIL PROTECTED]> writes:

> If I claim to be president George Clooney, and show you a
>  document that proves I am such, and I earnestly claim it was not
>  forged, but Bubba looked at all kinds of documentation that says I am
>  such a person, you would proclaim from the roof tops that no forgery
>  occurred? 

No, that would be a forgery.

Do you have any reason to suspect that this is what happened?

> You know, I give up.  Apparently there is no way I can convey
>  the concept of trusted paths and trusted processes to the people so
>  passionately arguing with me, and this is getting tedious.

We understand it just fine.  Nobody in their right mind should accept
the Transnational Republic ID without knowing a lot more about the
organization than I do.  Anyone who signed the key on that basis
should have egg on their face, and should seriously consider revoking
the signature.

But that *doesn't* make Martin a forger.

> As a final note: Look for motivation. Presenting documents
>  from an untrusted source to trick the unwary into signing to show how
>  weak the ID checks are is still a trick.

Once more, Manoj, did you buy the ID?  It's time for you to spell it
out.  Did you look at the Transnational Republic card, say "yep,
that's the right picture", and then go ahead and sign the key?  

And, for all we know, the Transnational Republic is a good source.  We
just don't know.  Only the people who know more about the organization
than you or I do can judge.  If I present my University of California
ID, that's a very good ID, but most people wouldn't know that, and
it's not unfair trickery of me to present it.

Thomas





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava <[EMAIL PROTECTED]> writes:

> I really think either you are deliberately being obtuse, or
>  nothing I can say will get this through to you.  I fail to see how
>  one can assert that there was no forgery going on -- do you
>  automatically assume that if a shiny laminated document with some
>  random issuing authority listed on it is not forged?  

What I have said is that there is no evidence of forgery, not a jot,
not a tittle, not a suggestion, not a hint.  What evidence of forgery
is there?  Please trot it out.  Spell it out for me, *please*.

I understand a forged document to be one which was not produced by the
organization which is claimed on its face, or which has been
materially altered from what the organization originally issued.  What
makes you think something of this sort is going on here?

What has been reported is that there was an ID from the Transnational
Republic presented.  Do you have any reason to suspect that this was
forged?

>>So, if the ID says on it, "Bubba's Fake ID Shop", I'm not sure I see
>> the problem. 
>
> Dear boy, Bubba's ID's are likely to say Transnational
>  Republic.  Or, if Bubba has been allowed to personally examine more
>  Benjamins,  it could have read the federal republic of Germany. Or
>  the united states. Or cameroon.

But the card presented *didn't* say "federal republic of germany", did
it?

>> In other words, Bubba sells forgeries, but the Transnational
>> Republic does not.
>
> Riiight.  And I know that how?

It doesn't matter, since an ID issued by the Transnational Republic
which says "Transnational Republic" is not a forgery.  If you think
this one was a forgery, then why?  Who do you think *did* issue it?
What on earth is your evidence that it is not really from the
Transnational Republic?

For my part, I wouldn't sign a key on the basis of such an ID, because
the Transnational Republic is not a real country and I don't know
enough about it to have the necessary confidence in its credentials.
But that doesn't make someone a fraud because he presents the
credential. 

Thomas





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Antti-Juhani Kaijanaho

Christoph Haas wrote:

> Darcs looks like a nice competitor but has some issues regarding
> checking in changes automatically (might as well be my ignorance but it
> sounds like I need weird scripts and a .procmailrc to merge changes
> automatically).


You don't *need* them; you can choose to do that, but you can also 
choose otherwise.  There are two ways to give contributors "commit 
access" in darcs.  (I'm using quotes because in Darcs, "commit" is an 
ambiguous term and is usually avoided; I'm using it here to mean 
incorporating a change in a special project-wide shared repository.)


***

Way One
---

Set up an email address which feeds messages to darcs.  Darcs is capable 
of checking GnuPG signatures in these mails and only allowing known keys 
to "commit".  The contributor "commits" by using the "darcs send" command.


The upside is that the contributors do not need shell access to the 
server.  The downside is that setting this up is not very easy.


Way Two
---

Give contributors shell access to the server; make the shared repository 
writable by all these accounts.  The contributor "commits" by using the 
"darcs push" command.


The upside is that this is very easy to set up.  The downside is that 
you need to give contributors shell access.


(I suppose a restricted shell is possible.  I haven't investigated this.)

***

I personally prefer Way Two.  I have tried Way One, but it isn't worth 
the trouble most of the time.


What makes darcs special in my opinion is its support for second-class 
contributors: anybody can "darcs send" stuff to the project mailing list 
(if you've set stuff up for this; it's not very hard), the email is both 
human- and computer-readable: it can be eyeballed and it can be fed 
directly to darcs to incorporate the change to the local repository 
(from which it can be "committed" to the shared repository, if this is 
desired and one has the necessary "commit" privs).
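
The mail gateway of "Way One" above, as an added example that is not part of the original post or of the darcs project: a `.procmailrc` recipe on the receiving account that pipes incoming `darcs send` bundles to `darcs apply`, which accepts them only when signed by a key in a dedicated keyring. The address, repository path and keyring path are assumptions.

```procmail
# ~/.procmailrc of the account that receives patch mail (Way One).
# Added example; the address and all paths below are assumptions.

# The keyring should hold ONLY the keys allowed to "commit". One way to
# build it, run once by the repository owner:
#   gpg --no-default-keyring --keyring /srv/darcs/allowed_keys.gpg --import alice.asc bob.asc
# Do not point --verify at a personal pubring.gpg: every key collected
# there for other reasons would then be able to "commit" as well.

# Weak form, shown commented out: without --verify, any patch bundle
# mailed to the address is applied, whoever sent it.
#:0
#* ^TO_project-patches@example\.org
#| (umask 022; darcs apply --repodir /srv/darcs/project)

# Checked form: darcs apply refuses bundles that are not signed by a key
# in the keyring; --reply mails the outcome back to the sender.
# Contributors submit with:
#   darcs send --sign --to project-patches@example.org
:0
* ^TO_project-patches@example\.org
| (umask 022; darcs apply --repodir /srv/darcs/project --verify /srv/darcs/allowed_keys.gpg --reply project-patches@example.org)
```

The `^TO_` condition only filters on the address the mail was sent to; the access decision is made by the signature check against the keyring, so the keyring file is what has to be protected and reviewed.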






Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Ingo Juergensmann
On Tue, May 30, 2006 at 04:44:49PM +0200, Aurelien Jarno wrote:

> >I tried it on akire, but was interrupted by real world issues. 
> >When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
> >whatever) I would retry... 
> Very easy:
> dget http://people.debian.org/~aurel32/glibc/glibc_2.3.6-7+gcc41.dsc
> dpkg-source -x glibc_2.3.6-7+gcc41.dsc
> cd glibc-2.3.6
> debuild or dpkg-buildpackage -rfakeroot
> and wait a long time...

akire:/build/glibc/glibc-2.3.6# dpkg-buildpackage -rfakeroot | tee ../glibc-build-2006-05-30.log
dpkg-buildpackage: source package is glibc
dpkg-buildpackage: source version is 2.3.6-7+gcc41
dpkg-buildpackage: source changed by Aurelien Jarno <[EMAIL PROTECTED]>
dpkg-buildpackage: host architecture m68k
dpkg-buildpackage: source version without epoch 2.3.6-7+gcc41
 fakeroot debian/rules clean
dh_clean
rm -f debian/*.install*
[...]
rm -rf debian/include
 dpkg-source -b glibc-2.3.6
dpkg-source: building glibc using existing glibc_2.3.6.orig.tar.gz
dpkg-source: building glibc in glibc_2.3.6-7+gcc41.diff.gz
...

So, it's on its way... ;)

-- 
Ciao...//Fon: 0381-2744150 
  Ingo   \X/ SIP: [EMAIL PROTECTED]

gpg pubkey: http://www.juergensmann.de/ij/public_key.asc





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Frank Küster
Manoj Srivastava <[EMAIL PROTECTED]> wrote:

>>>> What Martin Krafft showed you was,
>>>
>>> How do I know that person actually was  Martin Krafft?
>>
>> This is getting ridiculous.
>
> With this I tend to agree.  Your credulity is unbelievable.
>
>> If what I've read about the incident is correct, the same person
>> also showed a German ID card with identical information about the
>> person.
>
> Holy batmobiles, man, how can you believe that? You weren't
>  there.  How can you assert that there was a real ID by hearsay? Even
>  if you go by the blog posting that opened this discussion, most of
>  the people present did not see this so called real ID. Even if the
>  blog posting was not exaggerated, all you need is a bunch of people
>  in cahoots to play a prank to assure you there was an ID -- and you
>  fell for it.

Okay, so you don't believe the person present was actually Martin
Krafft; or at least you have serious doubts.

I am still waiting for your apology to the real Martin Krafft.

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)



Re: Red team attacks vs. cracking

2006-05-30 Thread Michael Banck
Manoj,

On Tue, May 30, 2006 at 09:52:11AM -0500, Manoj Srivastava wrote:
> This is to forestall those of you who seem to be arguing
>  that the debconf6 KSP crack was a red team attack -- here is how that
>  attack differed from a legitimate red team effort (I have been a
>  member of red teams before, and have led a number of red team
>  attacks in my time).

I don't think this mail is on-topic on -devel, could you please repost
it on project?


thanks,

Michael

-- 
Michael Banck
Debian Developer
[EMAIL PROTECTED]
http://www.advogato.org/person/mbanck/diary.html





Bug#369543: ITP: libdata-dump-perl -- Pretty printing of data structures

2006-05-30 Thread Krzysztof Krzyzaniak (eloy)
Package: wnpp
Severity: wishlist
Owner: "Krzysztof Krzyzaniak (eloy)" <[EMAIL PROTECTED]>

* Package name: libdata-dump-perl
  Version : 1.06
  Upstream Author : Gisle Aas <[EMAIL PROTECTED]>
* URL : http://mirrors.kernel.org/cpan/modules/by-module/Data/Data-Dump-1.06.tar.gz
* License : Perl: GPL/Artistic
  Programming Lang: Perl
  Description : Pretty printing of data structures

 Data::Dump provides a single function called dump() that takes a list
 of values as its argument and produces a string as its result.  The string
 contains Perl code that, when evaled, produces a deep copy of the
 original arguments.  The string is formatted for easy reading.
 .
 If dump() is called in a void context, then the dump is printed on
 STDERR instead of being returned.
 .
 If you don't like importing a function that overrides Perl's
 not-so-useful builtin, then you can also import the same function as
 pp(), mnemonic for "pretty-print".
   

Note: I know that Data::Dumper exists but Data::Dump is needed to upload new 
libdbix-class-schema-loader-perl package

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)





Re: Re: Re: screenshot with package description

2006-05-30 Thread Michelle Konzack
Hi Gonéri and *,

On 2006-05-19 12:26:23, Gonéri Le Bouder wrote:
> > However, another solution would be just place these JPGs and PNGs flat
> > on the server and have apt just download them and save them
> Yes, a public repository where people download the picture when they need it.

This was my idea too

> i have an Internet access (dialup or broadband)
> 1) I set a remote repository URL with apt-pixmap
> 2) I display the package description of a new package in Synaptic.
> 3) Synaptic download the index file from the repository
> 4) Synaptic parse the index
> 5) Synaptic download the screenshot(s) and logo and show them with their 
> descriptions
> 6) Synaptic remove the downloaded picture unless specific setting in Synaptic
> 
> 
> If i'm an offline user:
> 1) I set a local repository from my medias with apt-pixmap
> 2) apt-pixmap copy the pixmap from the media in /var/cache/apt/pixmap. If the 
> media provide more than one size, I can select the preferred one.
> 3) I display the package description of a new package in Synaptic.
> 4) Synaptic read the index file from the local cache
> 5) Synaptic parse the index
> 6) Synaptic read the screenshot(s) and logo and show them with their 
> descriptions
> 
> 
> I think i'll have a server next week to begin to collect screenshots.
> 
> Regards,
> 
>   Gonéri

Greetings
Michelle Konzack


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)





Red team attacks vs. cracking

2006-05-30 Thread Manoj Srivastava
Hi,

This is to forestall those of you who seem to be arguing
 that the debconf6 KSP crack was a red team attack -- here is how that
 attack differed from a legitimate red team effort (I have been a
 member of red teams before, and have led a number of red team
 attacks in my time).

  a) You talk to the chain of command. The DPL was present, the
     person running the key signing comes to mind.  The red team
     details the attack to the officer in charge, laying out the plan,
     so that the attack and response can be monitored.
  b) No actual damage is done -- in this case, the web of trust should
     not be contaminated by actual keys being signed.  This could have
     been easily done by proclaiming the deception when the KSP was
     just over, and by sending an email to the debconf list, and to
     the devel list, and in the IRC channel.  The experiment was over
     by then -- people had challenged, or not, the key.
  c) Allow the blue team to dissect the attack. This could have been
     done easily by setting up in hacklab, allowing people to examine
     the trick ID, the real ID, and have other people with German
     passports and the DPL assure us that there was no real attack in
     progress, and allow us all to examine the passport, if any, to
     assure us of the identity of the red team, belatedly.

None of these characteristics of a legitimate red team attack
 were in evidence. The disclosure came days later, in a blog posting,
 well after the web of trust was tainted by fake signatures.

My friends, I know red team attacks. Red teams are friends of
 mine. This, my friends, was no red team attack.

manoj
ps: Kudos to those who get the last para.
-- 
Garbage In, Gospel Out
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Manoj Srivastava
On 30 May 2006, Frank Küster told this:

> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
>
>> On 30 May 2006, Wouter Verhelst spake thusly:
>>
>>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>>>> On 28 May 2006, Thomas Bushnell stated:
>>>>> Perhaps my just-posted message has too many words to see my
>>>>> point.
>>>>>
>>>>> In the paragraph above, marked >>>, which was written by you,
>>>>> you speak of deception and forgery.  Nothing in the reports of
>>>>> the recent incident involving Martin suggests any deception and
>>>>> forgery.  What about this incident makes you think that any kind
>>>>> of deception or forgery was going on?
>>>>
>>>> I really think either you are deliberately being obtuse, or
>>>> nothing I can say will get this through to you.  I fail to see
>>>> how one can assert that there was no forgery going on -- do you
>>>> automatically assume that if a shiny laminated document with
>>>> some random issuing authority listed on it is not forged?
>>>
>>> What Martin Krafft showed you was,
>>
>> How do I know that person actually was  Martin Krafft?
>
> This is getting ridiculous.

With this I tend to agree.  Your credulity is unbelievable.

> If what I've read about the incident is correct, the same person
> also showed a German ID card with identical information about the
> person.

Holy batmobiles, man, how can you believe that? You weren't
 there.  How can you assert that there was a real ID by hearsay? Even
 if you go by the blog posting that opened this discussion, most of
 the people present did not see this so called real ID. Even if the
 blog posting was not exaggerated, all you need is a bunch of people
 in cahoots to play a prank to assure you there was an ID -- and you
 fell for it.

How do you know this is not an ongoing prank to gull the
 community into believing the identity of the person running this was
 not fake?

The best you can assert is that in your belief such a hoax
 would be unheard of, hard to credit, too much work.

I would have asserted that a DD would not try to trick people
 into signing keys, and not immediately divulge such a trick before
 people signed keys -- experiment was over long before.


I'll post more about that under a separate title.

manoj
-- 
One seldom sees a monument to a committee.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Aurelien Jarno

Ingo Juergensmann wrote:

> On Tue, May 30, 2006 at 04:31:33PM +0200, Aurelien Jarno wrote:
>
>> I haven't done a build on m68k yet.
>
> I tried it on akire, but was interrupted by real world issues.
> When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
> whatever) I would retry...

Very easy:

dget http://people.debian.org/~aurel32/glibc/glibc_2.3.6-7+gcc41.dsc
dpkg-source -x glibc_2.3.6-7+gcc41.dsc
cd glibc-2.3.6
debuild or dpkg-buildpackage -rfakeroot

and wait a long time...

--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net





Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Ingo Juergensmann
On Tue, May 30, 2006 at 04:31:33PM +0200, Aurelien Jarno wrote:

> I haven't done a build on m68k yet.

I tried it on akire, but was interrupted by real world issues. 
When you could give a more detailed HowTo (sbuild, dpkg-buildpackage,
whatever) I would retry... 

-- 
Ciao...//Fon: 0381-2744150 
  Ingo   \X/ SIP: [EMAIL PROTECTED]

gpg pubkey: http://www.juergensmann.de/ij/public_key.asc





Re: glibc built with gcc-4.1 (update)

2006-05-30 Thread Aurelien Jarno

Aurelien Jarno wrote:

Hi all,

As gcc-4.1 may be the default compiler soon (I hope so), I have tried to 
build the glibc with it.


Currently it builds and works on the following architectures:
amd64, hppa, i386, mips, mipsel, sparc

The packages are available [1], but a bit outdated. It should not be a 
problem, as the changes are not so important between this version and 
the current one. It would be nice if some other people could test them, 
so the problems (if any) could be fixed.


It fails to build on powerpc, but I haven't investigated the problem yet.


I have fixed the problem, it now builds ok on powerpc. The packages are 
available on [1]. They work fine on my machine.


I will build it on arm as soon as I get back home, as my machine is 
currently down.


I am looking for people to build and test it on alpha, ia64, m68k and 
s390. The source is available on the same place as the binaries [1].


glibc builds fine with gcc-4.1 on s390, but I haven't tested the 
resulting packages, they are available on [1]. The testsuite looks ok.


On arm, ia64 and alpha the glibc fails to build with gcc-4.1. I haven't 
found the time to investigate the problems now, but a quick look seems 
to say that on arm this is a glibc problem, whereas I suspect a problem 
with gcc-4.1 on ia64 and alpha. More to come as soon as I find some time...


I haven't done a build on m68k yet.

[1] http://people.debian.org/~aurel32/glibc

--
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 08:50:41AM -0500, Manoj Srivastava wrote:
> On 30 May 2006, Wouter Verhelst stated:
[...]
> > However, "trusted processes" do not lie with people who are trying
> > to convince you of their identity. If you trust anyone to tell the
> > truth about their identity, which is what your argument implies,
> > then you have processes that are anything but trusted. It is you who
> > would seem to have to be educated about what "trusted processes"
> > actually means, not me.
> 
> Fine. I'll see if I can procure a sample identity card from my
>  friends at work  and see if you can spot the difference.  I am
>  willing to bet about a thousand euros that you would not be able to
>  spot the fake.

Given how the exchange is preannounced, I might be willing to take that
bet ;-)

>  The only thing keeping you on your high horse about people in the
>  community being trustable is that you apparently have never seen how
>  good fake documents can be.

I am fully aware that fake documents can be very good. However, your
example does not involve any fake document, only dishonesty.  A document
that belongs to a different person does not make a fake document.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Manoj Srivastava
On 30 May 2006, Wouter Verhelst stated:

> On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
>> On 30 May 2006, Wouter Verhelst spake thusly:
>>
>>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>>>> On 28 May 2006, Thomas Bushnell stated:
>>>>> Perhaps my just-posted message has too many words to see my
>>>>> point.
>>>>>
>>>>> In the paragraph above, marked >>>, which was written by you,
>>>>> you speak of deception and forgery.  Nothing in the reports of
>>>>> the recent incident involving Martin suggests any deception and
>>>>> forgery.  What about this incident makes you think that any kind
>>>>> of deception or forgery was going on?
>>>>
>>>> I really think either you are deliberately being obtuse, or
>>>> nothing I can say will get this through to you.  I fail to see
>>>> how one can assert that there was no forgery going on -- do you
>>>> automatically assume that if a shiny laminated document with
>>>> some random issuing authority listed on it is not forged?
>>>
>>> What Martin Krafft showed you was,
>>
>> How do I know that person actually was  Martin Krafft?
>
> You already know that, though you can't be sure. Just as you can't
> be sure that he was a forger, either.

I don't already know that. How could I?

>
>>> according to what he claimed,
>>
>> If I claim to be president George Clooney, and show you a document
>> that proves I am such, and I earnestly claim it was not forged, but
>> Bubba looked at all kinds of documentation that says I am such a
>> person, you would proclaim from the roof tops that no forgery
>> occurred?
>
> No, I wouldn't do that. However, I wouldn't start proclaiming the
> opposite from the roof tops, either, like you seem to do.

I guess You can't read.  I have never stated that I know it is
 a forgery:  I can't since I do not have that data. I have stated I
 have absolutely no trust path to the identity proclaimed, so I am
 going to treat it as though it were; since there is, in my opinion,
 already an act of bad faith in play since someone is trying to trick
 people into signing keys based on a identification paper from less
 than trusted sources.

>
>>> a document that was made by the Transnational Republic. If he had
>>> changed some things on that document, then it would have been a
>>> forgery; however, he claims he has not, which would imply that it
>>> is not, in fact, a forgery.
>>
>> Riiigt. And I am Angelina Jolie.
>
> Oh, get real.

Great argument.

> Why do you keep claiming that he did deliberately change things on
> this Transnational Republic ID card?

Where did I make this claim? I know English is not your first
 language, but you know, these idiotic accusations are getting rather
 shrill.

I merely claim that I have no better proof that the person who
 claims to be Martin is Martin, than you have that I am  Ms. Jolie in
 drag.

> It is your duty on a key signing party to prove your own identity to
> other people, and to make sure that the proofs of identity other
> people give you are sufficiently convincing to you.

> Martin did that; he showed you a card which stated that he is Martin
> Krafft. Of course that doesn't mean he actually _is_ Martin Krafft;
> you have to check that card to make sure you have reason to believe
> the card is telling the truth.

No, giving me Bubba's ID cards and putting the burden of proof
 on me does not absolve the evil doer from the fact that an attempt to
 trick people was in play.

Yes, people are responsible for their action. This applies
 equally to the person trying to trick the people.

You seem to be unable to see the distinction between the fact
 that people should be on guard against evil doers. Let me see if I can
 dumb down an example.

See, if you go to a big city like New York, London, or Bombay,
 there are grifters, con-men, and pick pockets. You are expected to,
 as seasoned travellers, to be careful of how you carry your
 valuables, to make it harder for pick pockets to make off with
 them. If you fail, are you solely responsible?

Is the pick pocket blameless, since you obviously failed to
 guard against the pick pocket?

>> You know, I give up.  Apparently there is no way I can convey
>> the concept of trusted paths and trusted processes
>
> Sure there is. I couldn't agree with you more than that an ID card
> given out by a body of people whom I'd never heard of before this
> discussion, and that is _not_ a government, is not at all sufficient
> proof of ID for me to sign their key. On the point of trusted paths,
> we agree.

So far, so good.

> However, "trusted processes" do not lie with people who are trying
> to convince you of their identity. If you trust anyone to tell the
> truth about their identity, which is what your argument implies,
> then you have processes that are anything but trusted. It is you who
> would seem to have to be educated about what "trusted processes"

Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Christoph Haas
On Tue, May 30, 2006 at 10:09:07AM -0300, Otavio Salvador wrote:
> Simon Richter <[EMAIL PROTECTED]> writes:
> 
> > Hi,
> >
> > Christoph Haas wrote:
> >
> >>>* NTP server
> >>>  (some work required; currently, not-really-maintained by the Debian
> >>>  NTP Team, which consists of zero active members)
> >
> >> I'd take my chance on this one. There is a large number of bugs open and
> >> I believe that this package is very important. Still I'd like to have a
> >> co-maintainer for the package. Anyone else interested? I'd create an SVN
> >> repository on my server or alioth.
> >
> > I have no problem with co-maintenance, but I'd have a problem with svn.
> 
> Maybe bzr or git?

I'm currently looking into several systems. Usually I use Subversion and
svn-buildpackage but due to a lot of trouble with svn-buildpackage I
have moved away from repositories for my Debian packages lately.

Darcs looks like a nice competitor but has some issues regarding
checking in changes automatically (might as well be my ignorance but it
sounds like I need weird scripts and a .procmailrc to merge changes
automatically).

For git and bzr there don't seem to be sophisticated tools to build
packages (*-buildpackage). svn-buildpackage for example keeps the
upstream tarballs in one directory but still builds from the trunk/
which is pretty nice.

Well, well, all the RCS philosophy again. Too much choice.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--1,48 All




Re: Shouldn't we have more ftp masters ?

2006-05-30 Thread Michael Banck
People, please move this thread over to -project

On Tue, May 30, 2006 at 10:13:37AM -0300, Otavio Salvador wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
> >> [Benjamin Seidenberg]
> >> > FYI:
> >> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
> >> >  clear that in my jetlag time, in those nights i
> >> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
> >> 
> >> Sounds good, but does not really address the fundamental problem here,
> >> which is that NEW processing at the moment is fragile and stops
> >> completely when the single person handling NEW is busy elsewhere.
> >
> > There are two people, they are both on vacation.
> 
> But then, isn't the time to choose people to fulfill positions when
> key people are on vacation?

Only the ftp-assistants were on vacation, the ftp-masters were still
around.  I assume they evaluated the situation and decided it was not
critical enough to warrant further steps.

> IMHO, key people should always keep someone doing the job when going
> out so the project doesn't slow down because of it. Our current, active,
> ftpmasters are very receptive but this doesn't exclude the possibility of
> them going on vacation together or at the same time and the project slowing
> down a bit.

Well, it seems their vacations are over now or very soon, so this point
is moot.

Personally, I don't think this issue is enough to revoke ftp-master's
right to choose their staff among themselves, but rather push more
people onto their team without their consent.

Please follow-up on -project.


Michael

-- 
Michael Banck
Debian Developer
[EMAIL PROTECTED]
http://www.advogato.org/person/mbanck/diary.html





Re: Shouldn't we have more ftp masters ?

2006-05-30 Thread Otavio Salvador
Wouter Verhelst <[EMAIL PROTECTED]> writes:

> On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
>> 
>> [Benjamin Seidenberg]
>> > FYI:
>> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
>> >  clear that in my jetlag time, in those nights i
>> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
>> 
>> Sounds good, but does not really address the fundamental problem here,
>> which is that NEW processing at the moment is fragile and stops
>> completely when the single person handling NEW is busy elsewhere.
>
> There are two people, they are both on vacation.

But then, isn't the time to choose people to fulfill positions when
key people are on vacation?

IMHO, key people should always keep someone doing the job when going
out so the project doesn't slow down because of it. Our current, active,
ftpmasters are very receptive but this doesn't exclude the possibility of
them going on vacation together or at the same time and the project slowing
down a bit.

-- 
O T A V I O   S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."





Re: Real Life hits: need to give up packages for adoption

2006-05-30 Thread Otavio Salvador
Simon Richter <[EMAIL PROTECTED]> writes:

> Hi,
>
> Christoph Haas schrieb:
>
>>>* NTP server
>>>  (some work required; currently, not-really-maintained by the Debian
>>>  NTP Team, which consists of zero active members)
>
>> I'd take my chance on this one. There is a large number of bugs open and
>> I believe that this package is very important. Still I'd like to have a
>> co-maintainer for the package. Anyone else interested? I'd create an SVN
>> repository on my server or alioth.
>
> I have no problem with co-maintenance, but I'd have a problem with svn.

Maybe bzr or git?

-- 
O T A V I O   S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
-
"Microsoft gives you Windows ... Linux gives
 you the whole house."





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Frank Küster
Manoj Srivastava <[EMAIL PROTECTED]> wrote:

> On 30 May 2006, Wouter Verhelst spake thusly:
>
>> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>>> On 28 May 2006, Thomas Bushnell stated:
>>>> Perhaps my just-posted message has too many words to see my point.
>>>>
>>>> In the paragraph above, marked >>>, which was written by you, you
>>>> speak of deception and forgery.  Nothing in the reports of the
>>>> recent incident involving Martin suggests any deception and
>>>> forgery.  What about this incident makes you think that any kind
>>>> of deception or forgery was going on?
>>>
>>> I really think either you are deliberately being obtuse, or
>>> nothing I can say will get this through to you.  I fail to see how
>>> one can assert that there was no forgery going on -- do you
>>> automatically assume that if a shiny laminated document with some
>>> random issuing authority listed on it is not forged?
>>
>> What Martin Krafft showed you was,
>
> How do I know that person actually was  Martin Krafft?

This is getting ridiculous.  If what I've read about the incident is
correct, the same person also showed a German ID card with identical
information about the person.  Either you believe ID cards, then you
believe it was Martin Krafft.  Or you don't, then you shouldn't ask
people to revoke their signatures on Martin Krafft's key - when I signed
his key, I verified his identity with an ID that I trusted and still
trust.  Why should I revoke the signature or not sign his new key, when
you don't even know whether it was really him?

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)



Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
> On 30 May 2006, Wouter Verhelst spake thusly:
> 
> > On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
> >> On 28 May 2006, Thomas Bushnell stated:
> >>> Perhaps my just-posted message has too many words to see my point.
> >>>
> >>> In the paragraph above, marked >>>, which was written by you, you
> >>> speak of deception and forgery.  Nothing in the reports of the
> >>> recent incident involving Martin suggests any deception and
> >>> forgery.  What about this incident makes you think that any kind
> >>> of deception or forgery was going on?
> >>
> >> I really think either you are deliberately being obtuse, or
> >> nothing I can say will get this through to you.  I fail to see how
> >> one can assert that there was no forgery going on -- do you
> >> automatically assume that if a shiny laminated document with some
> >> random issuing authority listed on it is not forged?
> >
> > What Martin Krafft showed you was,
> 
> How do I know that person actually was  Martin Krafft?

You already know that, though you can't be sure. Just as you can't be
sure that he was a forger, either.

> > according to what he claimed,
> 
> If I claim to be president George Clooney, and show you a
>  document that proves I am such, and I earnestly claim it was not
>  forged, but Bubba looked at all kinds of documentation that says I am
>  such a person, you would proclaim from the roof tops that no forgery
>  occurred? 

No, I wouldn't do that. However, I wouldn't start proclaiming the
opposite from the roof tops, either, like you seem to do.

> > a document that was made by the Transnational Republic. If he had
> > changed some things on that document, then it would have been a
> > forgery; however, he claims he has not, which would imply that it is
> > not, in fact, a forgery.
> 
> Riiigt. And I am Angelina Jolie.

Oh, get real.

Why do you keep claiming that he did deliberately change things on this
Transnational Republic ID card?

It is your duty on a key signing party to prove your own identity to
other people, and to make sure that the proofs of identity other people
give you are sufficiently convincing to you.

Martin did that; he showed you a card which stated that he is Martin
Krafft. Of course that doesn't mean he actually _is_ Martin Krafft; you
have to check that card to make sure you have reason to believe the card
is telling the truth.

> You know, I give up.  Apparently there is no way I can convey
>  the concept of trusted paths and trusted processes

Sure there is. I couldn't agree with you more than that an ID card given
out by a body of people whom I'd never heard of before this discussion,
and that is _not_ a government, is not at all sufficient proof of ID for
me to sign their key. On the point of trusted paths, we agree.

However, "trusted processes" do not lie with people who are trying to
convince you of their identity. If you trust anyone to tell the truth
about their identity, which is what your argument implies, then you have
processes that are anything but trusted. It is you who would seem to
have to be educated about what "trusted processes" actually means, not
me.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Manoj Srivastava
On 30 May 2006, Wouter Verhelst spake thusly:

> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>> On 28 May 2006, Thomas Bushnell stated:
>>> Perhaps my just-posted message has too many words to see my point.
>>>
>>> In the paragraph above, marked >>>, which was written by you, you
>>> speak of deception and forgery.  Nothing in the reports of the
>>> recent incident involving Martin suggests any deception and
>>> forgery.  What about this incident makes you think that any kind
>>> of deception or forgery was going on?
>>
>> I really think either you are deliberately being obtuse, or
>> nothing I can say will get this through to you.  I fail to see how
>> one can assert that there was no forgery going on -- do you
>> automatically assume that if a shiny laminated document with some
>> random issuing authority listed on it is not forged?
>
> What Martin Krafft showed you was,

How do I know that person actually was  Martin Krafft?

> according to what he claimed,

If I claim to be president George Clooney, and show you a
 document that proves I am such, and I earnestly claim it was not
 forged, but Bubba looked at all kinds of documentation that says I am
 such a person, you would proclaim from the roof tops that no forgery
 occurred? 

My goodness me.

> a document that was made by the Transnational Republic. If he had
> changed some things on that document, then it would have been a
> forgery; however, he claims he has not, which would imply that it is
> not, in fact, a forgery.

Riiigt. And I am Angelina Jolie.

You know, I give up.  Apparently there is no way I can convey
 the concept of trusted paths and trusted processes to the people so
 passionately arguing with me, and this is getting tedious.

I'll just have to accept that concepts of security and bad
 faith in this community are hard to get across.

As a final note: Look for motivation. Presenting documents
 from an untrusted source to trick the unwary into signing to show how
 weak the ID checks are is still a trick.

All I have heard people say is that my processes should be
 resistant to evil-doers trying to trick me.

Very true.

I say people who try to trick me into signing a key based on
 an untrusted process of identity verification are evil doers.

manoj
-- 
A boss with no humor is like a job that's no fun.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: bits from the release team: release goals, python, X.org, amd64, timeline

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 12:05:26PM +0200, Andreas Barth wrote:
> Timeline
> 
> 
> Now, let's please take a more detailed look at the time line:
> 
> 
>  Thu 15 Jun 06:
>  
> last chance to switch to gcc 4.1, python 2.4
> review architectures one more time
> last chance to add new architectures
> 
> RC bug count less than 300

Since m68k pretty much depends on the gcc-4.1 transition to make it in
again, I would suggest that we (as in, the m68k port) make the switch to
GCC4.1 as the default already. This will allow us to verify that stuff
actually builds and works, and to catch up with building those that fail
with ICE in gcc-4.0 before that time. Since m68k is not a release
architecture right now, this should not cause any problems for any other
port if the GCC 4.1 transition does not happen, but it will help if it
does.

Thoughts, objections?

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: HOWTO rebuild the archive

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 09:57:04AM +0200, Goswin von Brederlow wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > Whether doing it this way is a good idea, though, I don't know. Buildd
> > surely wasn't designed for this.
> 
> It is much simpler than to set up wanna-build and a local archive but
> you lose the tracking of package status that wanna-build would give
> you.

My point exactly.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: Shouldn't we have more ftp masters ?

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 11:04:29AM +0200, Petter Reinholdtsen wrote:
> 
> [Benjamin Seidenberg]
> > FYI:
> > 12:33 < Ganneff> and for all those impatient waiting for NEW: i will
> >  clear that in my jetlag time, in those nights i
> >  cant sleep (ie 1st -> 2nd june, 2-> 3) :)
> 
> Sounds good, but does not really address the fundamental problem here,
> which is that NEW processing at the moment is fragile and stops
> completely when the single person handling NEW is busy elsewhere.

There are two people, they are both on vacation.

[...]
> Friendly,

Whoa.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: [Debconf-discuss] list of valid documents for KSPs

2006-05-30 Thread Wouter Verhelst
On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
> On 28 May 2006, Thomas Bushnell stated:
> > Perhaps my just-posted message has too many words to see my point.
> >
> > In the paragraph above, marked >>>, which was written by you, you
> > speak of deception and forgery.  Nothing in the reports of the
> > recent incident involving Martin suggests any deception and forgery.
> > What about this incident makes you think that any kind of deception
> > or forgery was going on?
> 
> I really think either you are deliberately being obtuse, or
>  nothing I can say will get this through to you.  I fail to see how
>  one can assert that there was no forgery going on -- do you
>  automatically assume that if a shiny laminated document with some
>  random issuing authority listed on it is not forged?

  Forgery
[...]
 2. The act of forging, fabricating, or producing falsely; 
esp., the crime of fraudulently making or altering a
writing or signature purporting to be made by another; the
false making or material alteration of or addition to a
written instrument for the purpose of deceit and fraud;
as, the forgery of a bond. --Bouvier.
[1913 Webster]

What Martin Krafft showed you was, according to what he claimed, a
document that was made by the Transnational Republic. If he had changed
some things on that document, then it would have been a forgery;
however, he claims he has not, which would imply that it is not, in
fact, a forgery.

If such a document does not satisfy your definition for a sufficiently
convincing proof of ID, then that is your prerogative, and you are
certainly welcome to refuse to sign keys in such cases. But "It fails
the standards of Manoj Srivastava" is not the definition of "Forgery".
And it is *your* responsibility, not someone else's, to make sure that
the documents you check satisfy whatever standards you choose to uphold.
If you fail to acknowledge that, you may find that people (mostly
inexperienced people) will show you all sorts of things that do not
satisfy your desires for ID cards. On purpose or otherwise.

[...]
> > In other words, Bubba sells forgeries, but the Transnational
> > Republic does not.
> 
> Riiight.  And I know that how?

You could know that; you could just as well not know. If you do not
know, then it is your prerogative to decide not to sign anything based
on a TR ID card. But that doesn't make the person showing you that card
dishonest or a forger.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4





Re: Please revoke your signatures from MartinKraff's keys

2006-05-30 Thread Manoj Srivastava
On 27 May 2006, Lionel Elie Mamane verbalised:

> On Sat, May 27, 2006 at 05:19:21PM -0500, Manoj Srivastava wrote:
>> On 27 May 2006, Lionel Elie Mamane spake thusly:
>>> On Sat, May 27, 2006 at 02:04:31PM -0500, Manoj Srivastava wrote:
>>>> On 27 May 2006, Lionel Elie Mamane stated:
>>>>>
>>>>> The US constitution applies only to USA citizens, right?
>>>>>
>>>> Wrong

> That's precisely the issue. The standards of "reasonable" are
> different for minors than they are for 'normal' people.

Err, how does this have any bearing on "The US constitution
 applies only to USA citizens"?  Seems to me that you are waffling
 around, having found no real grounds for your initial inflammatory
 statement. 

Also, you might come from a place where four year old citizens
 are allowed to vote, drive, and join the army, but I am happy  that
 in my country the government does see age as a factor in determining
 rights and duties. This is way off topic, though. 

>> Residency and voting are the two things that are indeed restricted
>> to citizens, and rightly so. All this case did was to talk about
>> whether an alien unlawfully in this country does not have a
>> constitutional right to continue to remain in the country when the
>> authorities have, according to the law, commenced proceedings,
>> adjudicated cases, and are executing removal orders.
>
> What it says is that he/she cannot argue that the removal
> proceedings are being selectively enforced against him/her because
> of his/her opinions and speech, thereby nullifying these rights for
> this class of people.

No, it means that such an appeal has to be mounted post
 deportation proceedings. The fact that the person was here illegally
 was not in question; selectively deporting only some illegals is an
 issue. Well, if you are here illegally, you should expect to be
 deported -- you have no rights to stay here at all.

The fact that you have come to the attention of authorities,
 and thus are facing deportation, but others who have not yet been
 caught are not being deported has no bearing on this. "Yes, I
 committed a crime, but so did those others" is not really much of a
 defense.

manoj
-- 
We're all in this alone. Lily Tomlin
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Bug#367853: libdb transition policy?

2006-05-30 Thread DINH Viêt Hoà

On 30 May 2006, at 12:50, Gerfried Fuchs wrote:

> Hi!
>
>  Sorry for late response.
>
> * "Nikita V. Youshchenko" <[EMAIL PROTECTED]> [2006-05-24 12:10]:
>>> However, contrary to what the NM templates suggest, symbol versioning
>>> is not a cure-all for all ABI incompatibilities.  If libetpan returns
>>> a DB_ENV * in its API, you need to port[1] all its dependencies to the
>>> new Berkeley DB version.
>>
>> No, libetpan uses libdb only internally, and does not export it.
>>
>> So I guess the question is to people who maintain etpan-ng and
>> sylpheed-claws-gtk2 - is it safe for your packages if I will upload new
>> version of libetpan (without soname change or package name change) that
>> will link against libdb4.4?
>
>  I don't know if anyone has tried to, but I spoke to Hoa (= upstream)
> about the thing, and it was like I expected: libetpan uses libdb for its
> cache files. If it can't read them (like, b0rked file, or incompatible
> old db file) it would get regenerated anyway. So there is no
> compatibility problem with changing the libdb in libetpan at all.

In fact, I checked the code and it does not do this; the database won't
be regenerated, but that might be an enhancement to implement in
libetpan. Do we need a release to fix this?

That means that cache files must be deleted by the user.

--
DINH Viêt Hoà


