Re: Introducing http.debian.net, Debian's mirrors redirector
> Hi,
> After several iterations to solve problems related to Debian's mirrors
> network, I am happy to announce a fully-functional solution that solves many
> of the shortcomings of previous iterations: http://http.debian.net
> http.debian.net works as the key component of a content distribution
> network. For a given requested file, it uses several factors to choose one or
> multiple mirrors that can serve the request. Those factors include the
> freshness of the mirror, the network and geographic location, etc.
> How can you use it?
> An entry in /etc/apt/sources.list for stable would look like:
> deb http://http.debian.net/debian stable main
> It supports backports mirrors and others. Except CD image mirrors, they are
> *not* supported.
> More details, comparison to other approaches, and more information can be
> found at:
> http://http.debian.net/
> Oh, and, please help package and maintain mirrorbrain, which would allow a
> similar service to be provided for CD images.
> Thanks for reading.
> P.S. contrary to wheezy, http.debian.net's development will not freeze. It
> is under continuous development, and more users and developers are welcome!

I've tried to use the service. 2/3 requests - 501 error. unusable. :(

--
 . ''`.    Dmitry E. Oboukhov
: :’  :    email: un...@debian.org jabber://un...@uvw.ru
`. `~’     GPGKey: 1024D / F8E26537 2006-11-21
  `-       1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Back to technical discussion? Yes! (was: network-manager as default? No!)
>> User MUST study each OS he uses.
JM> No, he must not. The OS must adapt to the user’s needs, not the
JM> opposite.

Create OS that can even be used by stupid and only stupid will use that.

>> If he doesn't want he will be
>> forced to pay the other people who will tune his (user's) system.
JM> A lot of users actually pay for that indeed. I don’t see this as a
JM> problem, especially since it gets me to eat every day.

I said we shouldn't care about people who choose to pay You money against
(instead) to learn something.

>> There is no discrimination here.
JM> Who talks about discrimination? It’s just being stubborn insisting that
JM> people do the things you say while you are in no position to order them.
>> I'm not a guru, but I don't understand why Debian must be broken to
>> please a user who doesn't want to read anything.
JM> If Debian could not be used without reading a manual, then I would call
JM> it broken.

There is only one thing that can be used without reading a manual. It is
a breast. All the other devices (and things, substances, etc) required to
be studied.

--
Dmitry E. Oboukhov
Re: Back to technical discussion? Yes! (was: network-manager as default? No!)
>> Well, actually configuring a wireless network with wpa_supplicant and
>> ifupdown is not hard at all and does not require too much time, _if_ a
>> user has developed a good habit of reading documentation first.
JM> It seems to be a common belief between some developers that users should
JM> have to read dozens of pages of documentation before attempting to do
JM> anything.
JM> I’m happy that not all of us share this elitist view of software. I
JM> thought we were building the Universal Operating System, not the
JM> Operating System for bearded gurus.

User MUST study each OS he uses. If he doesn't want he will be
forced to pay the other people who will tune his (user's) system.

There is no discrimination here.

I'm not a guru, but I don't understand why Debian must be broken to
please a user who doesn't want to read anything.

--
Dmitry E. Oboukhov
Re: Flaming as a way to reach technical quality? No! (was: network-manager as default? No! (was: Bits from the Release Team - Kicking off Wheezy))
On 08:18 Mon 04 Apr , Raphael Hertzog wrote:
RH> Hi,
RH> On Mon, 04 Apr 2011, Dmitry E. Oboukhov wrote:
>> Stupid scheme (intended for stupid users) should be based on ifupdown
>> but shouldn't replace it.
RH> Please refrain from calling people "stupid users" just because they use a
RH> software that you don't like.

There was a way "User can do anything", the way was replaced by the way
"User can do something in list". Obviously that this action has been
done for stupid users.

Yes, the old scheme *had* some defects, but new scheme *is* a defect.

But Ok, %s/stupid/ordinary/g

I agree that we must think about ordinary users but I disagree that we
must waste good instruments to please these users.

--
Dmitry E. Oboukhov
Re: Flaming as a way to reach technical quality? No! (was: network-manager as default? No! (was: Bits from the Release Team - Kicking off Wheezy))
>>> If you mean the ifupdown-based configuration, then I cannot agree that
>>> it is "really disastrous" (I would agree that the network-manager
>>> approach is really disastrous, however) as at least in my cases (which
>>> are not so trivial) ifupdown works okay (and if not then at least I
>>> would know ways how to workaround problems).
>>
>> You say Network Manager is disastrous, when it manifestly works quite
>> well for quite a number of people. It is hard to take you seriously,
>> when you say things that are so clearly wrong.
SM> Be it clearly wrong or not, I strongly disbelieve that a tool with a
SM> hard-wired logic such a network-manager may seem a reasonable
SM> replacement for such a configurable tool as ifupdown.

I fully agree that. It is wrong tendency to replace rich, functional,
certified mechanism by stupid scheme.

Stupid scheme (intended for stupid users) should be based on ifupdown
but shouldn't replace it.

--
Dmitry E. Oboukhov
Bug#612718: ITP: libanyevent-dbd-pg-perl -- AnyEvent interface to DBD::Pg's async interface
Package: wnpp
Severity: wishlist
Owner: "Dmitry E. Oboukhov"

* Package name    : libanyevent-dbd-pg-perl
  Version         : 0.03
  Upstream Author : Mons Anderson,
* URL             : http://search.cpan.org/~mons/AnyEvent-DBD-Pg/lib/AnyEvent/DBD/Pg.pm
* License         : Artistic or GPL-1+
  Programming Lang: Perl
  Description     : AnyEvent interface to DBD::Pg's async interface

 This perl-module can be used inside AnyEvent application to access
 postgresql database in non-blocking mode.

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110210080506.23244.66589.reportbug@apache
Bug#610602: RFP: libanyevent-dbi-perl -- asynchronous DBI access
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org,debian-p...@lists.debian.org

* Package name    : libanyevent-dbi-perl
  Version         : 2.1
  Upstream Author : Marc Lehmann, Adam Rosenstein
* URL             : http://search.cpan.org/dist/AnyEvent-DBI/
* License         : Artistic or GPL-1+
  Programming Lang: Perl
  Description     : asynchronous DBI access

 This module implements asynchronous DBI access by forking or executing
 separate "DBI-Server" processes and sending them requests.
 It means that you can run DBI requests in parallel to other tasks.

--
Dmitry E. Oboukhov
Re: Debian Policy "10.7.4 Sharing configuration files" question
TAGG> so for example samba smb.conf isn't conffile, too, sorry for mistake

--
Dmitry E. Oboukhov
Re: Debian Policy "10.7.4 Sharing configuration files" question
AGG> But maintainer disagrees with me arguing that preinst asks user, and
AGG> that's user who modify /etc/hosts (using preinst, eah).

This action is done only if user agrees. There are a lot packages which
do this.

Policy says:
    The maintainer scripts must not alter a conffile of *any* package,
    including the one the scripts belong to.

any == any

so for example samba must have RC by Alexander's logic, because samba
asks user to change its config. exim must have RC, too, etc. And all the
other packages which have wizards inside maintainer scripts.

--
Dmitry E. Oboukhov
emdebian.org
Does anybody know what happened to emdebian.org?

$ curl www.emdebian.org
curl: (7) couldn't connect to hos
$ telnet www.emdebian.org 80
Trying 88.198.202.189...
telnet: Unable to connect to remote host: No route to host
$ ping 88.198.202.189
PING 88.198.202.189 (88.198.202.189) 56(84) bytes of data.
From 78.46.78.47 icmp_seq=2 Destination Host Unreachable
^C
--- 88.198.202.189 ping statistics ---
4 packets transmitted, 0 received, +1 errors, 100% packet loss, time 2999ms

--
Dmitry E. Oboukhov
Re: Buildd & binary-indep
JB> The problem is that build-indep and build-arch
JB> are not required targets, and there is no easy way of checking whether
JB> they exist.

http://www.us.debian.org/doc/debian-policy/ch-source.html#s-debianrules

=quote
Since an interactive debian/rules script makes it impossible to
auto-compile that package and also makes it hard for other people to
reproduce the same binary package, all required targets must be
non-interactive. At a minimum, required targets are the ones called by
dpkg-buildpackage, namely, clean, binary, binary-arch, binary-indep, and
build. It also follows that any target that these targets depend on must
also be non-interactive.
=quote

So if buildd calls binary-arch then it can build only architecture packages.

--
Dmitry E. Oboukhov
Re: Buildd & binary-indep
>> If this package is built it wants more than one gigabyte (~1.2-1.4G) >> RAM to build. So there are two buildd servers can't build >> *architecture:all* packages. So this package can't pass into testing >> for a long time (more than 120 days). SG> What about building this architecture:all package only in binary-indep? SG> Like in the attached patch... This way, the buildds won't try to build them. SG> Cheers, SG> -- SG> Stéphane SG> diff -u wordnet-3.0/debian/rules wordnet-3.0/debian/rules SG> --- wordnet-3.0/debian/rules SG> +++ wordnet-3.0/debian/rules SG> @@ -31,7 +31,7 @@ SG> rm -f goldendict-wordnet.dsl goldendict-wordnet.dsl.dz SG> rm -f goldendict-wordnet_abrv.dsl goldendict-wordnet.bmp SG> -build/goldendict-wordnet:: goldendict-wordnet.dsl.dz goldendict-wordnet_abrv.dsl goldendict-wordnet is binary-indep package, so it must be built in binary-indep target :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
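Review bot: in the debian/rules hunk at line 31, the removed `build/goldendict-wordnet::` rule is the one that pulls in goldendict-wordnet.dsl.dz and goldendict-wordnet_abrv.dsl, and the quoted hunk shows no replacement `+` line, so the new target cannot be checked from what is visible. Whatever rule takes over those two prerequisites should be reachable only from binary-indep, so that a buildd running binary-arch never triggers it, and the `rm -f` cleanup lines kept as context above should still cover every file the new rule generates.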
Re: Buildd & binary-indep
>> There is one src-package which builds a few packages with architecture
>> -all and -any. http://packages.qa.debian.org/w/wordnet.html
>>
>> If this package is built it wants more than one gigabyte (~1.2-1.4G)
>> RAM to build. So there are two buildd servers can't build
>> *architecture:all* packages. So this package can't pass into testing
>> for a long time (more than 120 days).
AB> This raises the question why binary-indep targets are built when not needed.

Yes :) So I wrote the subject :)

AB> If so, you could build it in qemu.

It seems that Debian doesn't contain all files which are necessary to
install Debian in qemu. Could You give me a link to how to install
debian/armel(etc) in qemu?

--
Dmitry E. Oboukhov
Buildd & binary-indep
There is one src-package which builds a few packages with architecture
-all and -any. http://packages.qa.debian.org/w/wordnet.html

If this package is built it wants more than one gigabyte (~1.2-1.4G)
RAM to build. So there are two buildd servers can't build
*architecture:all* packages. So this package can't pass into testing
for a long time (more than 120 days).

Does anybody have mipsel and (or) armel host (or virtual host)?
Could anybody make a bin-NMU?

--
Dmitry E. Oboukhov
Bug#584419: RFP: libjs-jquery-cookie -- jQuery cookie plugin
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : libjs-jquery-cookie
  Upstream Author : Klaus Hartl
* URL             : http://plugins.jquery.com/project/Cookie
* License         : MIT and GPL
  Programming Lang: JavaScript
  Description     : jQuery cookie plugin

 A simple, lightweight utility plugin for reading, writing and deleting
 cookies.

--
Dmitry E. Oboukhov
Bug#584403: RFP: libjs-jquery-treetable -- jQuery treeTable plugin
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : libjs-jquery-treetable
  Upstream Author : Ludo van den Boom
* URL             : http://plugins.jquery.com/project/treetable
* License         : MIT and GPL
  Programming Lang: JavaScript
  Description     : jQuery treeTable plugin

 The treeTable plugin allows you to display a tree in a table, i.e. a
 directory structure or a nested list. Each branch in this tree can be
 collapsed and expanded, just like in a file explorer in most modern
 operating systems.

 Features
  - Display a data tree in a table column.
  - As unobtrusively as possible.
  - Optional collapse/expand behavior on branches (think of how a
    directory structure works in most file explorers).
  - Prepared for drag & drop of branches/nodes.
  - Unlimited tree depth.

--
Dmitry E. Oboukhov
Bug#584127: RFP: libjs-jquery-tablesorter -- Flexible client-side table sorting
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : libjs-jquery-tablesorter
  Upstream Author : Christian Bach
* URL             : http://tablesorter.com
* License         : MIT and GPL
  Programming Lang: JavaScript
  Description     : Flexible client-side table sorting

 tablesorter is a jQuery plugin for turning a standard HTML table with
 THEAD and TBODY tags into a sortable table without page refreshes.
 tablesorter can successfully parse and sort many types of data
 including linked data in a cell. It has many useful features including:

  * Multi-column sorting
  * Parsers for sorting text, URIs, integers, currency, floats, IP
    addresses, dates (ISO, long and short formats), time. Add your own
    easily
  * Support for ROWSPAN and COLSPAN on TH elements
  * Support secondary "hidden" sorting (e.g., maintain alphabetical sort
    when sorting on other criteria)
  * Extensibility via widget system
  * Cross-browser: IE 6.0+, FF 2+, Safari 2.0+, Opera 9.0+
  * Small code size

--
Dmitry E. Oboukhov
Re: #573127 sphinxsearch should use prefix for utlilities
RS> sphinxsearch is a package that provides binaries like searchd, indexer, etc.
RS> I received bug report #573127 which has the correct
RS> intention behind it that the binaries should be
RS> prefixed.
RS> The problem I am seeing is that any change like this
RS> would affect modules, plugins, and a lot of programs
RS> that interact with SphinxSearch. My particular use case
RS> is in Rails where searchd is a hardcoded value in
RS> plugins that interact with the daemon.

I think now there are few programs which have dependencies on
sphinxsearch. On new program we can file bugreports :)
I think that the patch of Rails will be simple.

RS> What I want to do is mark the bug as wontfix and Conflicts mongosearch-*.

I think it would be wrong idea. User would want install both packages.
Also, next time we will be able to find out other searchd/indexer
programs and will be forced to add another conflicts. I think that this
problem should be resolved now, when we have few users and few
dependencies.

RS> But I am looking for second opinions. What do you think?

Another way: using prefixes in deb-package and add alternative for name
searchd/indexer/etc. But this case You should file a bugreport for
mnogosearch-* to do the same.

--
Dmitry E. Oboukhov
Bug#578518: RFP: libmojolicious-perl -- A next generation web framework for the Perl programming language.
Package: wnpp
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org,debian-p...@lists.debian.org

* Package name    : libmojolicious-perl
  Version         : 0.24
  Upstream Author : Sebastian Riedel
* License         : Artistic License version 2.0
* URL             : http://search.cpan.org/~kraih/Mojolicious-0.24/lib/Mojolicious.pm
  URL             : http://mojolicious.org/
  Description     : A next generation web framework for the Perl programming language.

 Back in the early days of the web there was this wonderful Perl library
 called CGI.pm, many people only learned Perl because of it. It was
 simple enough to get started without knowing much about the language
 and powerful enough to keep you going, learning by doing was much fun.
 While most of the techniques used are outdated now, the idea behind it
 is not. Mojolicious is a new attempt at implementing this idea using
 state of the art technology.

 Features
  * An amazing MVC web framework supporting a simplified single file
    mode through Mojolicious::Lite.
  * Very clean and Object Oriented pure Perl API without any hidden
    magic and no requirements besides Perl 5.8.1.
  * Full stack HTTP 1.1 and WebSocket client/server implementation with
    IPv6, TLS, IDNA, pipelining, chunking and multipart support.
  * Builtin async IO and prefork web server supporting epoll, kqueue,
    hot deployment and UNIX domain socket sharing, perfect for
    embedding.
  * CGI, FastCGI and PSGI support.
  * Fresh code, based upon years of experience developing Catalyst.
  * Powerful out of the box with RESTful routes, plugins, sessions,
    signed cookies, static file server, testing framework, Perl-ish
    templates, JSON, I18N, first class Unicode support and much more for
    you to discover!

 Mojolicious
 The Mojolicious web framework is all about minimalism and simplicity.
 True to its Perlish roots making simple things easy and hard things
 possible. A project can be started as a single file web application
 using Mojolicious::Lite and later grow to a well structured Mojolicious
 application.

--
Dmitry E. Oboukhov
Re: Flag images
MH> On the other hand, one application will want 16x10 icons, another one
MH> 24x15, another one may have some effects applied on the flags to better
MH> fit the UI design, etc.

May be the size must be included into path?
like
    flags/countries//16x10/
    flags/countries//24x15/
etc?

Is package name necessary to be in path or not?

--
Dmitry E. Oboukhov
Re: Re: Flag images
>> I read through the links you provided. There was a cogent argument
>> against using flags to symbolize a language. I would accept that.
>> However, while I understand your argument about losing contributors,
>> I'm not completely convinced that using a flag chosen by country X to
>> represent country X is a bad idea.
bmc> Country codes are not assigned solely to countries. What flag do we use
bmc> to represent .pr? Or .je? .an? .cx? .tw?

generally speaking country codes can activate people as flags. For
example there are many countries which aren't recognition by other or
U.N.O, for ex england appropriation of islands or a few muslim
countries, etc

Thereby the internet domain names must be banned ;)

--
Dmitry E. Oboukhov
Re: Flag images
On 03:37 Tue 16 Feb , Paul Wise wrote:
PW> On Tue, Feb 16, 2010 at 3:14 AM, Dmitry E. Oboukhov wrote:
>> new version of rtpg (rtpg2) will have language button and geoIP peer's
>> information with country's flag etc.
PW> Sounds like a fairly pointless feature to me. Unfortunately that seems
PW> to be common in torrent clients these days. The language button
PW> likewise sounds less than useful since HTTP content negotiation does
PW> the same job automatically.
>> Why should I avoid adding flags? I looked through Your links but I
>> didn't understand why using flags is a bad way? I have found full
>> free flag collection, flags occur in many packages and I think it is
>> the obvious method to separate geo information.
PW> I'd encourage you to read the whole LWN thread, but in short: to
PW> prevent nationalistic or political disputes from affecting Debian.
PW> As an example of the practical effects of flags in the context of
PW> Debian; a number of years ago we lost our kernel maintainer, partially
PW> because KDE in Debian included a flag of a country the maintainer (and
PW> his government) disapproved of. A team formed to replace him, but
PW> losing contributors still sucks.

Hgm.. When I saw KDE (it was 1.xx version) it contained lang switcher
which used flags as language indicator. What happened to it? How is this
task resolved now?

In my project flags won't be required but I would upload/maintain
separated flags package (it is already in NEW stage).

Yes, flags can activate some people, for example I hate our current
russian flag which was used by traitor army of Vlasov in Great Patriotic
War and now is using our occupation government, but it is usually
practice to use flags as indicators and I don't know other alternatives
- I'm using it.

We wanted to add flags package and add suggest or recommend level of
dependence into our package. But If it is so meaningful theme may be it
must be noticed in debian-policy?

--
Dmitry E. Oboukhov
Re: Flag images
> I wish to use my country's flag to refer to my language...
> Don't. There are many languages not associated with countries or in
> use in many different countries. Also, some flags are considered
> very political, and are thus very controversial. For example, the
> government of mainland China (People's Republic of China) bans
> software that includes the Taiwanese (Republic of China) flag, and
> many muslim people frown upon the Israeli flag. Also, new
> governments sometimes change flags, which is sometimes resisted and
> hated by some patriotic circles who preferred the previous
> government.

Is it really so big problem? Looks like as non-issue, farfetched.
Hgm. Who can tell anything about it?

--
Dmitry E. Oboukhov
Re: Flag images
>> I'm going to add into debian a few new (my) projects which need flag
>> images and so I want to add a package which contains flag set.
PW> Are you sure they need flags? Which package and what exactly will the
PW> flags represent?
PW> I would personally suggest to avoid adding flags to Debian where possible.

new version of rtpg (rtpg2) will have language button and geoIP peer's
information with country's flag etc.

Why should I avoid adding flags? I looked through Your links but I
didn't understand why using flags is a bad way? I have found full
free flag collection, flags occur in many packages and I think it is
the obvious method to separate geo information.

PW> Some background to my opinion:
PW> http://lwn.net/Articles/333623/
PW> https://fedoraproject.org/wiki/Package_Maintainers_Flags_Policy
PW> http://lists.fedoraproject.org/pipermail/legal/2009-January/thread.html#501
PW> http://lwn.net/Articles/334519/

--
Dmitry E. Oboukhov
Flag images
There are many packages in debian contain flag images. For example:

    awstats       - /usr/share/awstats/icon/flags/
    b2evolution   - /usr/share/b2evolution/rsc/flags/h10px
    bygfoot       - /usr/share/games/bygfoot/support_files/pixmaps/symbols
    deluge-common - /usr/share/pyshared/deluge/data/pixmaps/flags
    etc

I'm going to add into debian a few new (my) projects which need flag
images and so I want to add a package which contains flag set.

There is one question: where these images can be placed? Standard place
is /usr/share/ or /usr/share/pixmaps/... or /usr/share/icons, but all of
these variants don't include flag specific.

I think that it would be nice to separate such directory and place flags
into it. for example /usr/share/flags or /usr/share/pixmaps/flags

Then packages could use (and people could seek) this place as shared
place for identical tasks.

Now I want to add a package which contains these icons:
http://www.famfamfam.com/lab/icons/flags/

Is it meaning to use separating directory like /usr/share/flags or
/usr/share/pixmaps/flags or not? If Yes which of these variants will be
better?

--
Dmitry E. Oboukhov
Re: Bug#554694: FTBFS with binutils-gold
per.o: in function HotkeyWrapper::init():hotkeywrapper.cc:344: error: undefined reference to 'XFree'
PF> /usr/bin/ld: build/hotkeywrapper.o: in function HotkeyWrapper::init():hotkeywrapper.cc:345: error: undefined reference to 'XCloseDisplay'
PF> /usr/bin/ld: build/hotkeywrapper.o: in function HotkeyWrapper::nativeKey(int):hotkeywrapper.cc:501: error: undefined reference to 'XStringToKeysym'
PF> /usr/bin/ld: build/hotkeywrapper.o: in function HotkeyWrapper::unregister():hotkeywrapper.cc:509: error: undefined reference to 'XSync'
PF> /usr/bin/ld: build/hotkeywrapper.o: in function HotkeyWrapper::unregister():hotkeywrapper.cc:514: error: undefined reference to 'XFree'
PF> /usr/bin/ld: build/hotkeywrapper.o: in function HotkeyWrapper::unregister():hotkeywrapper.cc:515: error: undefined reference to 'XCloseDisplay'
PF> collect2: ld returned 1 exit status
PF> make[1]: *** [goldendict] Error 1

--
Dmitry E. Oboukhov
Re: ReBuild-Depends?
>> I have a package which contains a code like following:
>>
>> #include
>>
>> FILE *file_handle;
>>
>> int foo(int something, const char *fmt, ...)
>> {
>>     // some statements
>>
>>     va_list ap;
>>     int res = vfprintf(file_handle, fmt, ap);
>>     va_end(ap);
>>     return res;
>> }
>>
>> This code works fine by libc wouldn't be rebuilt (new versions, or new
>> gcc - this moment is ambiguous to me).
>> Then this code begins segfaulting into this place.
>> If we try to rebuild our package, it will begin to work fine again.
GvB> Should that work at all?
GvB> man va_arg:
GvB> va_end()
GvB> Each invocation of va_start() must be matched by a corresponding invo-
GvB> cation of va_end() in the same function. After the call va_end(ap) the
GvB> variable ap is undefined. Multiple traversals of the list, each brack-
GvB> eted by va_start() and va_end() are possible. va_end() may be a macro
GvB> or a function.
GvB> You need to call va_start() before the vfprintf or not call va_end().
GvB> Does that solve the problem?

Yes, my first _mail_ contained a mistake, src-code didn't.
Full code here: http://svn.uvw.ru/mhddfs/trunk/src/debug.c

--
Dmitry E. Oboukhov
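The wrapper discussed in this thread with the va_start() call the replies ask for, plus the two-traversal case from the quoted man page, as an added example that is not part of any post and is not the mhddfs code. How file_handle gets opened, the foo_tee variant and the demo_* helpers are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* Lets gcc/clang check the variadic arguments against the format string. */
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Stand-in for the post's global; how it is opened is an assumption. */
static FILE *file_handle;

/* The wrapper from the post, with va_start() before the list is used
 * and the matching va_end() in the same function. */
PRINTF_LIKE(2, 3)
int foo(int something, const char *fmt, ...)
{
    va_list ap;
    int res;

    (void)something;
    if (file_handle == NULL)
        return -1;

    va_start(ap, fmt);
    res = vfprintf(file_handle, fmt, ap);
    va_end(ap);
    return res;
}

/* Hypothetical variant that writes the same message to two streams.
 * After vfprintf() returns, ap is indeterminate, so the second pass
 * gets its own va_start()/va_end() bracket instead of reusing it. */
PRINTF_LIKE(3, 4)
int foo_tee(FILE *a, FILE *b, const char *fmt, ...)
{
    va_list ap;
    int ra, rb;

    va_start(ap, fmt);
    ra = vfprintf(a, fmt, ap);
    va_end(ap);

    va_start(ap, fmt);
    rb = vfprintf(b, fmt, ap);
    va_end(ap);

    return (ra < 0 || rb < 0) ? -1 : ra;
}

/* Read the first line of a temp stream back for checking. */
static int read_back(FILE *f, char *out, int n)
{
    rewind(f);
    return fgets(out, n, f) != NULL;
}

/* Returns the byte count from foo() if the text round-trips, else -1. */
int demo_single(void)
{
    char buf[64];
    int n;

    file_handle = tmpfile();
    if (file_handle == NULL)
        return -1;
    n = foo(0, "%s=%d\n", "answer", 42);        /* constructed sample input */
    if (!read_back(file_handle, buf, (int)sizeof buf) ||
        strcmp(buf, "answer=42\n") != 0)
        n = -1;
    fclose(file_handle);
    file_handle = NULL;
    return n;
}

/* Returns the byte count if both streams got identical text, else -1. */
int demo_tee(void)
{
    char b1[64], b2[64];
    FILE *a = tmpfile(), *b = tmpfile();
    int n = -1;

    if (a != NULL && b != NULL) {
        n = foo_tee(a, b, "pid %d: %s\n", 1234, "ok");  /* constructed */
        if (!read_back(a, b1, (int)sizeof b1) ||
            !read_back(b, b2, (int)sizeof b2) ||
            strcmp(b1, "pid 1234: ok\n") != 0 || strcmp(b1, b2) != 0)
            n = -1;
    }
    if (a != NULL) fclose(a);
    if (b != NULL) fclose(b);
    return n;
}

int main(void)
{
    printf("single: %d bytes, tee: %d bytes\n", demo_single(), demo_tee());
    return 0;
}
```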
Re: ReBuild-Depends?
GJ> On Thu, 2009-10-29 at 18:33:12 +0300, Dmitry E. Oboukhov wrote:
>> I have a package which contains a code like following:
>>
>> #include
>>
>> FILE *file_handle;
>>
>> int foo(int something, const char *fmt, ...)
>> {
>>     // some statements
>>
>>     va_list ap;
GJ> Seems you are missing a va_start call here.

Oh, I wrote this example directly in a mail-client and forgot it. Sorry.
full code here: http://svn.uvw.ru/mhddfs/trunk/src/debug.c
va_list/va_start/va_end are present.

If we try to use a binary which was compiled a long time ago, it will
segfault. Rebuilding resolves segfaults. I think that problem is in
binary incompatibility between different builds in macrofunction.

>>     int res = vfprintf(file_handle, fmt, ap);
>>     va_end(ap);
>>     return res;
>> }
GJ> regards,
GJ> guillem

--
Dmitry E. Oboukhov
Re: ReBuild-Depends?
>> Could we add 'ReBuild-Depends' statement into debian/control to >> rebuild like packages when depends rebuild? But such kind of depends >> require some changes in buildd system. JV> This is only needed when the dependencies change something that would JV> require a rebuild, not necessarily every time they're updated. We have JV> a process to handle that -- binNMUs. JV> http://wiki.debian.org/binNMU Oh, no binNMU is a hand-held process. I want something works automatically :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
ReBuild-Depends?
I have a package which contains code like the following:

#include <stdarg.h>
#include <stdio.h>

FILE *file_handle;

int foo(int something, const char *fmt, ...)
{
    // some statements

    va_list ap;
    int res = vfprintf(file_handle, fmt, ap);
    va_end(ap);
    return res;
}

This code works fine until libc is rebuilt (new versions, or new
gcc - this point is ambiguous to me).
Then this code begins segfaulting in this place.
If we try to rebuild our package, it will begin to work fine again.

I don't want to add a version-depends to libc, but if I ask some user to
upgrade the package, he will at short notice send me a mail about a segfault.

Could we add a 'ReBuild-Depends' statement into debian/control to
rebuild such packages when their depends are rebuilt? But such kind of
depends requires some changes in the buildd system.

I don't know how this problem can be resolved :(
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : email: un...@debian.org jabber://un...@uvw.ru
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: What happened to ftp-master.debian.org:NEW ?
>> A few days ago i uploaded a package. but >> http://ftp-master.debian.org/new.html hasn't contained any information >> about it. Last package has a date 26 Oct. Is any script hangs up? JHR> http://lists.debian.org/debian-infrastructure-announce/2009/10/msg3.html JHR> And why didn't you ask ftp-mas...@d.o? :) Thanks for Your answer. I didn't want disturb ftp-masters: they could be very busy with _known_ problems. Your mail confirmed it :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
What happened to ftp-master.debian.org:NEW ?
A few days ago i uploaded a package. but http://ftp-master.debian.org/new.html hasn't contained any information about it. Last package has a date 26 Oct. Is any script hangs up? - Forwarded message from Archive Administrator - Date: Mon, 26 Oct 2009 19:00:47 + From: Archive Administrator To: "Dmitry E. Oboukhov" Subject: firecookie_0.9.1-1_i386.changes is NEW (new) firecookie_0.9.1-1.diff.gz optional web (new) firecookie_0.9.1-1.dsc optional web (new) firecookie_0.9.1.orig.tar.gz optional web (new) xul-ext-firecookie_0.9.1-1_all.deb optional web extension for Firebug to view and manage cookies in your browser Cookie manager for Firebug. Use this extension to create a new cookie, delete existing cookies, see list of cookies for current site, manage cookies permissions and a lot more. Changes: firecookie (0.9.1-1) unstable; urgency=low . * Initial release (closes: #552427); Override entries for your package: Announcing to debian-devel-chan...@lists.debian.org Closing bugs: 552427 Your package contains new components which requires manual editing of the override file. It is ok otherwise, so please be patient. New packages are usually added to the override file about once a week. You may have gotten the distribution wrong. You'll get warnings above if files already exist in other distributions. - End forwarded message - -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
RFH: fluxbox -- Highly configurable and low resource X11 Window manager
Package: wnpp Severity: normal Unfortunately, now I do not have enough time to maintain this package properly, so help/comaintain would be appreciated. I adopted fluxbox when it had more than 120 bugs. Now it has 34 bugs, i think that the most part of them (or of the last of them) is unreproducible. But I couldn't find time to separate/fix its. If anybody wants we also could create pkg-fluxbox team :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
OpenVZ - deb-packages
Hi all! I need OpenVZ 2.6.27 with ppp-features available. I was on the point of building the package, but I am not very good in building of kernels and the current openvz is built somehow strange: apt-get source linux-image-2.6.26-2-openvz-686 gets an src-package with no mentions of openvz in debian/control in it. I've also planned to finish the zsh-completions for vzctl for openVZ and to write a script using debootstrap for creating a guest system. However I haven't understood yet how the -openvz packages get into Debian. 1. Have I understood correctly that openvz doesn't have its own Source in Debian now and it is simply added/removed from linux-source as the need arises? How should I act and with whom should I communicate if I want to add something to the package? 2. May be somebody has already built openvz 2.6.27 (with ppp-features). Could You share the link on repository? -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Orphaning debmirror
GvB> I'm still looking for a new maintainer of debmirror and I'm GvB> considering orphaning the package now if nobody steps up. some time i had a bad connection to internet and tried to use debmirror and conditions forced me to write a patch for debmirror. but it wasnt applied with strange formulation: it isn't necessary. Now i am using my own scripts and not have a wish to see to debmirror :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Bug#538857: rocksndiamonds: post-installation fails
On 19:39 Tue 28 Jul , Moritz Muehlenhoff wrote: MM> On Mon, Jul 27, 2009 at 09:15:00PM +0400, Dmitry E. Oboukhov wrote: >>>> The site www.artsoft.org is (temporary?) down. Why do You think it >>>> must be another way? Postinst returns error code because it can't >>>> download resource. Other packages (for example msttcorefonts) have >>>> the same behaviour. >> GLB>>> Do You think I shouldn't have report that problem? >> I think this is site's problem, i considered a few packages which >> download something from somewhere and all of them return errorcode >> when downloading fail. >> >> Of course we can complain of something like: >> - our provider provides us with bad connection; >> - the website we have link on is down. >> but does it refer to the specific package? Hmm... >> >> But I still don't know is this behavior is right. If the script >> doesn't return failcode, somebody could post the bug like 'I had no >> fail when I installed the package, but it doesn't work', even if he >> had seen the error message. >> >> I Cc-ed the mail to debian-devel: may be somebody gives us advice. MM> Again, as in the case of the broken rott download, the correct MM> fix is to add support for the media files to game-data-packager MM> instead of adding a postinst. a few years ago rocksndiamonds was removed from debian because media files isn't free. I haven't seen the other way to download them from postinst: each of new upstream versions must replace the previous, so downloading have to be started by upgrade system (postinst) rocksndiamonds has the dialog screen which asks user if he agrees or not to download. If he agrees, downloading can finish with failcode (if user has network's problems, or root site is down) -- ... mpd paused: Manowar - Call To Arms . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Bug#538857: rocksndiamonds: post-installation fails
>> The site www.artsoft.org is (temporary?) down. Why do You think it >> must be another way? Postinst returns error code because it can't >> download resource. Other packages (for example msttcorefonts) have >> the same behaviour. GLB> Do You think I shouldn't have report that problem? I think this is site's problem, i considered a few packages which download something from somewhere and all of them return errorcode when downloading fail. Of course we can complain of something like: - our provider provides us with bad connection; - the website we have link on is down. but does it refer to the specific package? Hmm... But I still don't know is this behavior is right. If the script doesn't return failcode, somebody could post the bug like 'I had no fail when I installed the package, but it doesn't work', even if he had seen the error message. I Cc-ed the mail to debian-devel: may be somebody gives us advice. -- ... mpd paused: Helloween - Guardians . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: lilo about to be dropped?
WP> No, the answer is always the second one. If they add a scheduler (why not? :-\) into the grub it will be become Linux. -- ... mpd paused: Accept - Can't Stand The Night . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: lilo about to be dropped?
OS> I also share the feeling that a lot of people still uses LILO; if OS> possible I do belive it should be kept. I use lilo, I like lilo. I don't like grub because it has unlogically config, unlogically behavior, strange reconfig-system. I don't like the programs with perverse intellect. Grub is not unixway. I shall use lilo until it is possible. Dear, lilo maintainers! Please don't remove lilo*.deb from debian. -- ... mpd paused: Accept - Can't Stand The Night . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: is it a DFSG breach or not?
On 08:50 Mon 26 Jan , Stefano Zacchiroli wrote: SZ> On Sat, Jan 24, 2009 at 10:23:33PM +0300, Dmitry E. Oboukhov wrote: >> However it seems that there's no source of this JS in public access, SZ> Why so? SZ> I think this is the key of the issue. sources are found. see http://lists.debian.org/debian-devel/2009/01/msg00589.html :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: is it a DFSG breach or not?
>> Judging by the apt-file output the same JS is used in a few more packages: >> >> $ apt-file search yahoo-dom-event.js PW> ... >> Am I right? Please help me to make a decision: what is better to do? PW> Remove the file from the binary package and depend on the yui package: PW> http://lintian.debian.org/tags/embedded-javascript-library.html yes yes, but this file is 30kb yui package is 7Mb -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: un...@debian.org jabber://un...@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
is it a DFSG breach or not?
I am asked to act as a sponsor of the phpunit [*] package. However there's
a situation that needs advice.

There's JS in the package that was run through a filter which deletes
comments and spaces. In fact it is like JavaScript passed through an
obfuscator. I suggested to the maintainer to replace this JS by the JS
source and use the filter (if it is necessary) at the moment of running
debian/rules.

However it seems that there's no source of this JS in public access,
though the JS itself is distributed under the BSD license.

Judging by the apt-file output the same JS is used in a few more packages:

$ apt-file search yahoo-dom-event.js
bugzilla3: /usr/share/bugzilla3/web/js/yui/yahoo-dom-event.js - lenny [1]
gallery2: /usr/share/gallery2/lib/yui/yahoo-dom-event.js - lenny/sid [2]
phpunit: /usr/share/php/PHPUnit/Util/Report/Template/yahoo-dom-event.js - lenny/question package [*]
yui: /usr/share/yui/html/yahoo-dom-event/yahoo-dom-event.js - lenny/sid [3]

and everywhere in the same form.

JS is an interpreted language, _theoretically_ it is possible to
_restore_ the source, but if following the DFSG then in fact the source is
not included in the archive. This is a bug of the Serious level (at least
for Debian/main).

Am I right? Please help me to make a decision: what is better to do?

1. to become a sponsor of the package
2. to post Serious bugs to [1] [2] [3] [*] packages
3. to move the package to non-free (there's no source)
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : email: un...@debian.org jabber://un...@uvw.ru
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Check on DD
On 09:42 Thu 23 Oct , W. van den Akker wrote: WvdA> Hi, WvdA> I am trying to get in contact with the DD who maintains the Scid package. WvdA> From end of may until now he is non-responsive. WvdA> I want to take over the maintainership of Scid and some other packages because WvdA> there are new upstream versions available. WvdA> Can somebody of you DD check if the maintainer of Scid has been active or is WvdA> inactive. WvdA> Besides that I have a non-responsive mia (at) qa.debian.org. Posted 3 mails WvdA> but have no real answers back WvdA> Please advise WvdA> You may reply on my private email if needed. send mail to [EMAIL PROTECTED] for orphan this package :) -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : email: [EMAIL PROTECTED] jabber://[EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Can't connect to bugs.debian.org:80 (connect: Connection refused)
On 01:23 Thu 04 Sep , [EMAIL PROTECTED] wrote: jjo> Urg..., as titled. bug #50 has been posted? ;) -- . ''`. Dmitry E. Oboukhov : :’ : email: [EMAIL PROTECTED] jabber://[EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
NW>>> An attacker would be insane to select this example as a NW>>> vehicle. NW>> NW>> Attacker can use many ways (all variants from this list, for ex), one of NW>> its can work. Why you think that this variant is not work? NW> Because it is in the documentation, not the script. Didn't you read the NW> reply? It is not a route of attack, it is AN EXAMPLE in the NW> documentation! This script marked as executable. User can start its. if it is an example, please chmod a-x to it ;) -- . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages
TK>> Quoting Steve Langasek ([EMAIL PROTECTED]): TK>>> This is far below the quality I expect from a mass bug filing that's been TK>>> reviewed by debian-devel. Mass bugfilings at RC severity need to be held TK>>> to TK>> TK>> Even though I overread the thread when Dmitry posted his intent to TK>> -devel, I feel like there was *no* strong agreement that this MBF was TK>> really wished and welcomed. TK> Yes, this mass bug filing is of bad quality and should not have happened as TK> such. However: TK>> If I come on any such bug on packages I maintain or co-maintain, I TK>> will immediately downgrade the bug report in such way, mentally TK>> thanking the bug submitter for the extra work and ranting about yet TK>> another nice method to delay the release. TK> I would like to ask maintainers not to do this. I've quickly checked just a TK> number of these bugs and, between the false positives, already found a TK> handfull of genuine, true positive issues. Checking where the bug comes from TK> usually doesn't take a lot of time, so while I share the annoyance, you are TK> already annoyed, so better turn it into something useful by double-checking TK> the code rather than downgrading them out of hand. Thank You for your encouragement :) More 10 packages already patched and uploaded :) All, please again, be understanding to possible mistakes. :) -- . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
NW> An attacker would be insane to select this example as a NW> vehicle. Attacker can use many ways (all variants from this list, for ex), one of its can work. Why you think that this variant is not work? -- . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Package: lintian Tags: patch, security Severity: wishlist Hello, lintan maintainers! please, see full discussion in -devel: http://lists.debian.org/debian-devel/2008/08/msg00271.html for example, see the bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648 (if attacker makes symlink from /tmp/twiki to /etc/shadow, then he takes full access to the system (when twiki installs or upgrades)) Hi all! I wrote the check script for the lintian package. This additional check verifies the debian packages for the presents of the discussed bug. Notes and additions are welcome. patch has been placed in attache PS: X11 also uses the /tmp/.X11-unix directory, which may be used for attacks, I don't known :( but many scripts (in different packages) use /tmp/.X11-unix, if this is not a security problem, may be I must add ignoring for this directory in the lintian script? I don't known yet :( DEO> This message about the error concerns a few packages at once. I've DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and DEO> config scripts were tested. DEO> In some packages I've discovered scripts with errors which may be used DEO> by a user for damaging important system files. DEO> For example if a script uses in its work a temp file which is created DEO> in /tmp directory, then every user can create symlink with the same DEO> name in this directory in order to destroy or rewrite some system DEO> file. DEO> I set Severity into grave for this bug. The table of discovered DEO> problems is below. -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 --- checks/symlink_attack 1970-01-01 03:00:00.0 +0300 +++ checks/symlink_attack 2008-08-19 23:11:44.0 +0400 
@@ -0,0 +1,114 @@ +# symlink_attack -- lintian check script -*- perl -*- +# +# Copyright (C) 2008 Dmitry E. Oboukhov <[EMAIL PROTECTED]> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +package Lintian::symlink_attack; +use strict; +use Tags; + +# check file +# +# the parameters: +# 1. name of check file +# 2. error template +# 3. warning template +sub check_file($$$) +{ + my ($file_name, $err_tmpl, $warn_tmpl)[EMAIL PROTECTED]; + +open my $file, '<', $file_name +or die "Can not open file `$file_name': $!\n"; + +$file_name =~ s/^..// if $file_name =~ m{^\./}; +$file_name =~ s{^debfiles/}{debian/}; + +# read begin of shebang +local $_; +return unless 10 == read $file, $_, 10; +return unless m{^#!\s*/}; +seek $file, 0, 0; + +$_ = <$file>; +return unless m{^#!\s*(?:/\S+){2,}}; + +# read all file content +# (remove comments, join backslash-ended string) +$_ = join '', map { s/#.*/\n/; s/\\$//; $_ } readline $file; + +# errors +my $errors_found; +if (m{>\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m) +{ +$errors_found=1; +tag $err_tmpl, "$file_name (pipe)"; +} + +my @wh = m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g; +# remove dups +@wh = keys %{{ map {($_,0)} @wh }}; +if (@wh) +{ + $errors_found=1; +tag $err_tmpl, "$file_name ($_)" for @wh; +} + +# warnings +unless ($errors_found) +{ +tag $warn_tmpl, $file_name if m{\s+/tmp/}; +} +} + + +sub run +{ + my ($package, $type)=(@_); 
+ +my @check_files; + +# check maintainer scripts + if ($type eq 'source') + { + @check_files= + grep /(((pre|post)(inst|rm))|(config))(?:\.in)?$/, + glob ('debfiles/*'); + } + else + { + @check_files= + grep /(((pre|post)(inst|rm))|(config))$/, glob ('control/*'); + } +check_file $_ => 'maint-scripts-uses-tmp-err', +'maint-scripts-uses-tmp-warn' for @check_files; + +# check binary all files in the package +if ($type eq 'binary') +{ + chdir 'unpacked'; + open my $dir, '-|', 'find -type f -executable' + or die "Can not start find: $!"; + while(<$dir>) + {
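Review bot: in check_file, the command match m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g is not confined to a single command. [^;] also matches a newline, and the earlier s/\\$// removes the backslash but leaves the newline in place, so lines are never actually joined and a chmod on one line pairs with any /tmp/ on a later line whenever no ';' lies between them. That raises the error-level tag for unrelated statements. Suggest [^;\n]*? for the gap and s/\\\n// for real continuation joining. In the same preprocessing step, s/#.*/\n/ cuts from any '#', so $# or a '#' inside a quoted string truncates the line and can hide a redirect that follows it; a short comment stating that limitation, or restricting the strip to '#' at line start or after whitespace, would help.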
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Report of sid: http://uvw.ru/report.sid.txt -- ... mpd is off . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 18:42 Wed 13 Aug , Brian May wrote:
> Dmitry E. Oboukhov wrote:
>> qemu makes mount the directory /tmp/mount.$$. Attacker creates many
>> symlinks /tmp/dir.\d+ -> /etc and if qemu
>> (/usr/sbin/qemu-make-debian-root) starts then /etc goes
>> out from root directory tree. The result: system is unusable.
>>
> I might be dense, but I don't get this.
> Attacker does:
> [EMAIL PROTECTED]:/tmp# ln -s /etc /tmp/mount-1234
> Then the genuine user does:
> [EMAIL PROTECTED]:/tmp# mkdir /tmp/mount-1234
> mkdir: cannot create directory `/tmp/mount-1234': File exists
> strace shows:
> mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)
> So, ok, this means the process can't continue any more (denial of
> service attack), and if the process does continue this is a problem,
> otherwise I can't see how this would bring the entire system down.
> Brian May

yes, the set -e directive is present in this script :)
Of course the report needs to be verified by hand to separate it by
severity levels :)

I'll add a few directives to check the scripts for 'set -e' :)
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Some people wrote to me: your script is bad, it detects qemu, but qemu
is bugfree.

ok, looking at qemu:

qemu mounts the directory /tmp/mount.$$. Attacker creates many
symlinks /tmp/dir.\d+ -> /etc and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out from the root directory tree. The result: system is unusable.

example of script for attacker:

perl -e 'symlink("/etc", "/tmp/mount.$_") for ($$ .. $$ + 1)'

instead of /etc the attacker may select any system directory, for example
/var, /usr or even /.

of course I may be mistaken but I don't use qemu, sorry.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
report for etch: http://uvw.ru/report.etch.txt
107 packages :(

On 18:23 Tue 12 Aug , Dmitry E. Oboukhov wrote:
TDEO> The script in the attachment looks through a mirror of a specified
TDEO> distribution and searches for '>\s*/tmp/' and 'tee [^|]*/tmp/'
TDEO> constructions.
TDEO> It finds fewer errors than I've found earlier, however the results of its
TDEO> work are more accurate.
TDEO> The script looks through all the files of packages marked as executable.
TDEO> That is, even if the script is in /usr/share/doc and is marked as
TDEO> executable it will be tested nevertheless.
TDEO> The full viewing of a mirror takes a few hours.
TDEO> Later I shall publish the reports on lenny (already attached) and etch.
TDEO> :)
TDEO> attachments:
TDEO> report of lenny: http://uvw.ru/report.lenny.txt
TDEO> script: http://uvw.ru/find_the_bug2.sh
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
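The scan described in the message above (executable files searched for '>\s*/tmp/' and 'tee ... /tmp/'), as an added shell sketch that is not part of the thread and is not the author's find_the_bug2.sh. The function names, the "redirect"/"tee" labels and the sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: flag executable scripts that write to fixed names
# under /tmp, using the two patterns named in the message above.

# scan_tree ROOT -> prints "<path> (redirect)" or "<path> (tee)" per hit
scan_tree() {
    ( cd "$1" || exit 1
      find . -type f -perm -100 | sort | while IFS= read -r f; do
          # Only scripts are of interest: the first line must be a shebang.
          head -n 1 "$f" | grep -q '^#!' || continue
          # Drop the shebang and (crudely) everything after a '#'.
          # This also cuts at "$#" or a '#' inside quotes: a known limit.
          body=$(sed -e '1d' -e 's/#.*//' "$f")
          if printf '%s\n' "$body" | grep -Eq '>[[:space:]]*/tmp/'; then
              echo "${f#./} (redirect)"
          fi
          if printf '%s\n' "$body" |
             grep -Eq '(^|[|[:space:]])tee[[:space:]]+[^|]*/tmp/'; then
              echo "${f#./} (tee)"
          fi
      done )
}

# Constructed sample tree standing in for an unpacked package.
make_samples() {
    mkdir -p "$1/bin" "$1/doc"
    printf '#!/bin/sh\nls > /tmp/listing\n'                > "$1/bin/bad-redirect"
    printf '#!/bin/sh\nls | tee -a /tmp/log\n'             > "$1/bin/bad-tee"
    printf '#!/bin/sh\nf=$(mktemp) || exit 1\nls > "$f"\n' > "$1/bin/good"
    printf '#!/bin/sh\n# ls > /tmp/x\necho ok\n'           > "$1/bin/commented"
    printf '#!/bin/sh\nls > /tmp/x\n'                      > "$1/doc/not-executable"
    chmod +x "$1"/bin/*
}

# Build the samples in a private directory, scan them, clean up.
scan_samples() {
    root=$(mktemp -d) || return 1
    make_samples "$root"
    scan_tree "$root"
    rm -rf "$root"
}

scan_samples
```

Hits are candidates only: as the thread notes, each one still has to be read by hand before a severity is assigned.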
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
EVL>>> The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
EVL>>> that is only accessible by that user, and then sets TMPDIR and other
EVL>>> variables to that. Hence, it doesn't matter nearly as much if you
EVL>>> create a non-random filename, because nobody but you can access it.
EVL>>
EVL>> Yes, but
EVL>> scripts must use $TMPDIR instead of '/tmp' or mktemp/tempfile utils :)

EVL> tempfile uses $TMPDIR by default :)

sorry, scripts must use $TMPDIR or _must_ _use_ mktemp/tempfile ;)
--
... mpd playing: U.D.O. - Animal House

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
nk /usr/lib/scilab-4.1.2/util/scidoc /usr/lib/scilab-4.1.2/util/scidem Package: scratchbox2 Version: 1.99.0.24-1 /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings Package: sendmail-base Version: 8.14.3-5 /usr/sbin/checksendmail /usr/bin/expn Package: sgml2x Version: 1.0.0-11.1 /usr/bin/rlatex Package: smsclient Version: 2.0.8z-10 /usr/share/doc/smsclient/examples/contrib/mail2sms-shell/mail2sms.sh Package: sng Version: 1.0.2-5 /usr/bin/sng_regress Package: socat Version: 1.6.0.1-1 /usr/share/doc/socat/examples/readline.sh Package: sympa Version: 5.3.4-5 /usr/lib/cgi-bin/sympa/wwsympa.fcgi /usr/lib/sympa/bin/sympa.pl Package: tiger Version: 1:3.2.2-3.1 /usr/lib/tiger/util/genmsgidx Package: vdr-dbg Version: 1.6.0-5 /usr/bin/vdrleaktest Package: wims Version: 3.62-13 /var/lib/wims/public_html/bin/coqweb /var/lib/wims/bin/account.sh Package: xara-gtk-byte Version: 1.0.25 /usr/bin/xara Package: xastir Version: 1.9.2-1 /usr/lib/xastir/get-maptools.sh /usr/lib/xastir/get_shapelib.sh Package: xcal Version: 4.1-18.3 /usr/bin/pscal Package: xdialog Version: 2.3.1-2 /usr/share/doc/xdialog/examples/checklist /usr/share/doc/xdialog/examples/editbox /usr/share/doc/xdialog/examples/inputbox /usr/share/doc/xdialog/examples/install-wrapper /usr/share/doc/xdialog/examples/kernel /usr/share/doc/xdialog/examples/menubox /usr/share/doc/xdialog/examples/radiolist /usr/share/doc/xdialog/examples/set-time /usr/share/doc/xdialog/examples/textbox Package: xen-utils-3.2-1 Version: 3.2.1-2 /usr/lib/xen-3.2-1/bin/qemu-dm.debug Package: xmcd Version: 2.6-19.3 /usr/share/xmcd/scripts/ncsarmt /usr/share/xmcd/scripts/ncsawrap -- ... mpd playing: U.D.O. - Holy . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 signature.asc Description: Digital signature
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
>>> A while ago, the use of libpam-tmpdir was suggested in order to mitigate
>>> some of these attacks. It would be nice to see it in use by default, some
>>> day.
>>
>>> Obviously there will always be some programs that don't look at the
>>> TMPDIR environment variable and directly use /tmp.

>> write file to /tmp/filename == write file to $TMPDIR/filename
>> both cases are security holes if TMPDIR=/tmp :)

> The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
> that is only accessible by that user, and then sets TMPDIR and other
> variables to that. Hence, it doesn't matter nearly as much if you
> create a non-random filename, because nobody but you can access it.

Yes, but
scripts must use $TMPDIR instead of '/tmp' or mktemp/tempfile utils :)
--
... mpd playing: U.D.O. - Midnight Mover

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
SM> A while ago, the use of libpam-tmpdir was suggested in order to mitigate
SM> some of these attacks. It would be nice to see it in use by default, some
SM> day.

SM> Obviously there will always be some programs that don't look at the
SM> TMPDIR environment variable and directly use /tmp.

write file to /tmp/filename == write file to $TMPDIR/filename
both cases are security holes if TMPDIR=/tmp :)
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 13:45 Mon 11 Aug , Joey Hess wrote:
JH> Dmitry E. Oboukhov wrote:
JH>> os-prober_1.17 os-prober /tmp/mounted-map (pipe)
JH>> /tmp/raided-map (pipe)

JH> os-prober writes to $OS_PROBER_TMP/{mounted-map.raided-map,etc}, which is created by:

JH> if [ -z "$OS_PROBER_TMP" ]; then
JH>     if type mktemp >/dev/null 2>&1; then
JH>         export OS_PROBER_TMP="$(mktemp -d /tmp/os-prober.XX)"
JH>         trap "rm -rf $OS_PROBER_TMP" EXIT HUP INT QUIT TERM
JH>     else
JH>         export OS_PROBER_TMP=/tmp
JH>     fi
JH> fi

package: os-prober_1.17_i386.deb
file: /usr/bin/os-prober

$ grep '/tmp/' bin/os-prober
grep "^/dev/" /proc/mounts | parse_proc_mounts >/tmp/mounted-map || true
: >/tmp/raided-map
grep "^md" /proc/mdstat | parse_proc_mdstat >/tmp/raided-map || true
if grep -q "^$mapped" /tmp/raided-map ; then
if ! grep -q "^$mapped " /tmp/mounted-map ; then
mpoint=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 2)
type=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 3)

Oldstable 1.04
Stable    1.17 - in my list :)
Testing   1.26
Unstable  1.27

The script writes /tmp/mounted-map and /tmp/raided-map by pipe.
The new version (1.26) writes to $OS_PROBER_TMP/raided-map :)

JH> This use of mktemp -d should be secure.
JH> mktemp is a required package, so the insecure code path should only ever run inside
JH> a d-i environment, which has no non-root users.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
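The three positions argued in the messages above (a fixed name in a shared /tmp, a fixed name under a per-user $TMPDIR as libpam-tmpdir provides, and mktemp -d as in the newer os-prober), as an added example that is not part of the thread. The sandbox layout, function names and sample map line are constructed, and a private directory stands in for /tmp.

```shell
#!/bin/sh
# Added illustration: everything happens inside a throwaway sandbox whose
# "tmp" subdirectory plays the role of a world-writable /tmp.

MAP_LINE='/dev/sda1 / ext3'   # constructed sample content

# os-prober 1.17 style: predictable name, plain redirect.
write_fixed() {
    echo "$MAP_LINE" > "$1/mounted-map"
}

# Newer style quoted in the message: unpredictable private directory first.
write_mktemp() {
    workdir=$(mktemp -d "$1/os-prober.XXXXXX") || return 1
    echo "$MAP_LINE" > "$workdir/mounted-map"
    rm -rf "$workdir"
}

# demo WRITER shared|private -> prints "clobbered" or "intact"
demo() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/tmp"
    mkdir "$shared"
    printf 'important\n' > "$sandbox/victim"
    # Another local user has pre-created the predictable name as a symlink.
    ln -s "$sandbox/victim" "$shared/mounted-map"
    case "$2" in
        # Per-user directory of the kind libpam-tmpdir points TMPDIR at.
        private) dir="$shared/user.1000"; mkdir -m 700 "$dir" ;;
        *)       dir="$shared" ;;
    esac
    "$1" "$dir" || true
    if [ "$(cat "$sandbox/victim")" = "important" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    echo "$result"
}

echo "fixed name, shared dir:      $(demo write_fixed shared)"
echo "fixed name, per-user TMPDIR: $(demo write_fixed private)"
echo "mktemp -d, shared dir:       $(demo write_mktemp shared)"
```

The fixed name is only safe while the directory itself is private, which is the point made in the thread about TMPDIR=/tmp.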
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
JC>>> just by looking at the name.
JC>>
JC>> If program A writes file FILENAME and user1 and user2 can make (write)
JC>> symlinks 'FILENAME' then name of program A is not important.
JC>>
JC> If that program is in a udeb, then user1 and user2 don't exist, so it's
JC> not a security problem.

Yes, udeb is my mistake :)
--
Dmitry E. Oboukhov
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
MdI> just by looking at the name.

If program A writes file FILENAME and user1 and user2 can make (write)
symlinks 'FILENAME' then name of program A is not important.

user1 creates symlink FILENAME to ~user2/.gnupg/file, then user2 starts
program A and destroys his .gnupg/file, etc

this is a security problem
--
Dmitry E. Oboukhov
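The scenario described in this message, next to two hardened ways of writing the same file, as an added example that is not part of the original post. The function names are hypothetical, and everything happens in a throw-away sandbox where "shared" stands in for /tmp and "victim" for the other user's file.

```shell
#!/bin/sh
# Added illustration (not from the thread). Everything runs inside a
# throw-away sandbox; nothing outside it is touched.

# Pattern reported in the thread: fixed name in a shared directory.
# ">" truncates whatever the name resolves to, including the target of
# a symlink that somebody else created there first.
write_predictable() {
    echo "scratch data" > "$1/raided-map"
}

# Hardened: mktemp -d creates a new mode-0700 directory with a random
# name, so no other user can pre-create entries inside it. A real script
# would remove it from a trap, as the os-prober snippet does.
write_private() {
    work=$(mktemp -d "$1/os-prober.XXXXXX") || return 1
    echo "scratch data" > "$work/raided-map"
    rm -rf "$work"
}

# Fallback when the name must stay fixed: with noclobber (set -C) the
# shell refuses to overwrite an existing regular file, also when it is
# reached through a symlink, and creates new files exclusively.
write_noclobber() {
    ( set -C; echo "scratch data" > "$1/raided-map" ) 2>/dev/null
}

# run_case WRITER: pre-create a symlink under the predictable name, run
# WRITER, and print what happened to the link target.
run_case() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    echo "important" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/shared/raided-map"
    "$1" "$sandbox/shared" || true
    if [ "$(cat "$sandbox/victim")" = "important" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    echo "$result"
}

for writer in write_predictable write_private write_noclobber; do
    echo "$writer: $(run_case "$writer")"
done
```

On Linux the fs.protected_symlinks sysctl blocks many such links in sticky world-writable directories; the sandbox directory is neither, so the link is followed here.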
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 14:05 Mon 11 Aug , Steve Kemp wrote:
SK> Great work. If you have the time to see if any of these are included
SK> in stable (etch) please could you do so?

I checked only the packages of last version. I'll do a few new checks...

SK> It might be that we'd need to release a security update, or at least
SK> a package for the next point release. (I guess severity "grave" and
SK> a tag of "security" will ensure the same thing happens for
SK> testing/lenny.)

Altogether 47 packages. I could be mistaken in some of them (I could
miss some and count some of them as error by mistake) when seeing them
through by hand, however I think that it will be almost the same number
in reality.
--
Dmitry E. Oboukhov
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
                            mafft-homologs        /tmp/_vf$$ (pipe)
mailscanner_4.55.10-3       trend-autoupdate.new  /tmp/opr.ini.$$ (write)
                                                  /tmp/lpt$NEWVER.zip (write, move to /etc/iscan)
gpsdrive_2.09-2.1           geo-code              /tmp/geo$$ (tempfile)
(gpsdrive-scripts)                                /tmp/geo.yahoo (pipe)
                                                  /tmp/geo.coords (cp)
                            geo-nearest           /tmp/geocaching.loc (cp)
                                                  /tmp/geo$$.* | /tmp/geo.* (pipe, write..)
flamethrower_0.1.8-1        flamethrower          /tmp/multicast.tar.$$ (write, rm)
dist_3.70-31                patcil                /tmp/cil$$ (pipe)
                            paddiff               /tmp/pdo$$ (cp)
                                                  /tmp/pdn$$ (cp)
crip_3.7-3                  editcomment           /tmp/$1.tag.tmp (pipe, mv)
freebsd-sendpr_3.113+5.3    sendbug               /tmp/pr.$$ (mv)
apertium_3.0.7+1-1          apertium              /tmp/$$odtsalida.zip (write)
aview_1.3.0rc1-8            asciiview             /tmp/aview$$.pgm (mkfifo, pipe)
fwbuilder_2.1.19-3          fwb_install           /tmp/ssh-agent.$$ (pipe)
mgetty-fax_1.1.36-1.2       faxspool              /tmp/faxsp.$$ (pipe)
mindi_2.20-2                mindi                 /tmp/spongebob.squarepants.txt (pipe)
                                                  /tmp/parted2fdisk.log (touch)
                                                  /tmp/mke2fs.$$ (pipe)
                                                  /tmp/$$.mk (pipe)
                                                  /tmp/*.img, /tmp/*.mpt..
multi-gnome-terminal_1.6.2  mgt-helper            /tmp/$WHOAMI.debug (pipe)
                                                  /tmp/$WHOAMI.env (pipe)
--
Dmitry E. Oboukhov
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO> Package: mplayer nws ppp twiki
DEO> Severity: grave
DEO> Tags: security

DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.

DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.

DEO> For example if a script uses in its work a temp file which is created
DEO> in /tmp directory, then every user can create symlink with the same
DEO> name in this directory in order to destroy or rewrite some system
DEO> file.

DEO> I set Severity into grave for this bug. The table of discovered
DEO> problems is below.

DEO> +------------------+----------------+-----------------------------------
DEO> | package          | script         | file for attack
DEO> +------------------+----------------+-----------------------------------
DEO> | mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
DEO> |                  |                |
DEO> | nws-2.13         | postinst       | /tmp/nws.debug (cp)
DEO> |                  |                |
DEO> | ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
DEO> |                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
DEO> | ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
DEO> |                  |                |
DEO> | twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
DEO> +------------------+----------------+-----------------------------------

additional table again

muttprint_0.72d-9                 muttprint                /tmp/muttprint.log (write)
myspell-tools_3.1-20              i2myspell                /tmp/i2my$$.1 (pipe)
noip2_2.1.7-10                    noip2                    /tmp/noip2 (write)
plait_1.5.2-1                     plait                    /tmp/cut.$$ (pipe)
                                  plait                    /tmp/head.$$ (pipe, mv)
pvpgn_1.8.1-1.1                   pvpgn-support-installer  /tmp/pvpgn-support-1.0.tar.gz (cp)
radiance_3R9+20080530-3           dayfact                  /tmp/gsf$$ (pipe)
                                                           /tmp/tl$$.pic (pipe)
                                                           /tmp/ds$$.pic (pipe)
                                                           /tmp/tfa$$ (pipe)
                                  optics2rad               /tmp/opt.fmt (pipe)
                                                           /tmp/out$$.fmt (pipe)
                                  raddepend                /tmp/sed$$ (pipe)
screenie_1.30.0-5                 screenie                 /tmp/.screenie.$$ (pipe)
sdm-terminal_0.4.0b-3             sdm-login                /tmp/sdm.autologin.once (touch)
sng_1.0.2-5                       sng_regress              /tmp/recompiled$$.png (pipe)
                                                           /tmp/decompiled$$.sng (pipe)
                                                           /tmp/canonicalized$$.sng (pipe)
systemimager-server_3.6.3dfsg1-3  si_mkbootserver          /tmp/*.inetd.conf (pipe)
                                                           /tmp/* (rsync, sh)
tau_2.16.4-1.1                    tau_cc                   /tmp/makefile.tau.$USER.$$ (pipe)
                                  tau_cxx                  /tmp/makefile.tau.$USER.$$ (pipe)
                                  tau_f90                  /tmp/makefile.tau.$USER.$$ (pipe)
winkeydaemon_1.0.1-1              winkeydaemon             /tmp/.winkey/keyer_busy (touch)
--
Dmitry E. Oboukhov
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO> Package: mplayer nws ppp twiki
DEO> Severity: grave
DEO> Tags: security

DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.

DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.

DEO> For example if a script uses in its work a temp file which is created
DEO> in /tmp directory, then every user can create symlink with the same
DEO> name in this directory in order to destroy or rewrite some system
DEO> file.

DEO> I set Severity into grave for this bug. The table of discovered
DEO> problems is below.

DEO> +------------------+----------------+-----------------------------------
DEO> | package          | script         | file for attack
DEO> +------------------+----------------+-----------------------------------
DEO> | mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
DEO> |                  |                |
DEO> | nws-2.13         | postinst       | /tmp/nws.debug (cp)
DEO> |                  |                |

mplayer & nws - mistake, sorry

DEO> | ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
DEO> |                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
DEO> | ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
DEO> |                  |                |
DEO> | twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
DEO> +------------------+----------------+-----------------------------------

additional table:

package                      script in usr/bin            file for attack
                             or etc or /usr/sbin

arb_0.0.20071207.1-4         arb-kill                     /tmp/arb_pids_${USER}_*
                                                          /tmp/arb_pids_*_* (rm -f)
newsgate_1.6-23              mkmailpost                   /tmp/mmp$$ (pipe, rm -f)
libalps-bin_1.2.2-1          changestylesheet             /tmp/tmp$$ (pipe)
                             convert2html                 /tmp/input$$ (pipe)
                             convert2text                 /tmp/input$$ (pipe)
                             extractgp                    /tmp/archive2plot$$.xsl (pipe)
                                                          /tmp/archive$$ (pipe)
                                                          /tmp/plot$$ (pipe)
                             extracthtml                  /tmp/archive2plot$$.xsl (pipe)
                                                          /tmp/plot$$ (pipe)
                                                          /tmp/archive$$ (pipe)
                             extracttext                  /tmp/archive$$ (pipe)
                                                          /tmp/archive2plot$$.xsl (pipe)
                                                          /tmp/plot$$ (pipe)
                             transformall                 /tmp/archive$$ (pipe)
                                                          /tmp/plot$$ (pipe)
netdisco-mibs-installer_1.0  netdisco-mibs-install        /tmp/netdisco-mibs-0.6.tar.gz (unpack)
                             netdisco-mibs-download       /tmp/netdisco-mibs-0.6.tar.gz (write)
cman_2.20080801-1            fence_apc_snmp               /tmp/apclog (append)
nvidia-cg-toolkit_2.0.0015   nvidia-cg-toolkit-installer  /tmp/nvidia-cg-toolkit-manifest (w)
osdsh_0.7.0-9                osdshconfig                  /tmp/osdsh.$uid (fifo)
os-prober_1.17               os-prober                    /tmp/mounted-map (pipe)
                                                          /tmp/raided-map (pipe)
netmrg_0.20-1                rrdedit                      /tmp/$1.xml (pipe)
xcal_4.1-18                  pscal                        /tmp/pscal$$ (pipe, rm -f)
tkusr_0.82                   tkusr                        /tmp/tkusr.pgm (w)
tkman_2.2-3                  tkman                        /tmp/ll (pipe)
                                                          /tmp/tkman$$
mysql-client-5.1             mysqlbug                     /tmp/failed-mysql-bugreport (mv)
libpam-mount_0.43-1          passwdehd                    /tmp/passwdehd.$$ (pipe, mv)
libmyspell-dev_3.1-18        i2myspell                    /tmp/i2my$$.1 (pipe)
jailer_0.4-9                 updatejail                   /tmp/$$.updatejail (pipe, append)
ltp_20060918-2.1             ltpmenu                      /tmp/runltp.mainme
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
On 10:27 Mon 11 Aug , Steve Kemp wrote:
SK> On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:
SK>> I set Severity into grave for this bug. The table of discovered
SK>> problems is below.

SK> Great work.

SK> I don't think there should be any objection to a mass-filing for
SK> security sensitive bugs - and from the sounds of it you'll only be
SK> filing a few bugs, not a mass of them.

see additional table (next post)

I'll complete check few packages (5-8) again in few minutes/hours :)
--
Dmitry E. Oboukhov
Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Package: mplayer nws ppp twiki
Severity: grave
Tags: security

This message about the error concerns a few packages at once. I've
tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
config scripts were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files.

For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create symlink with the same
name in this directory in order to destroy or rewrite some system
file.

I set Severity into grave for this bug. The table of discovered
problems is below.

+------------------+----------------+-----------------------------------
| package          | script         | file for attack
+------------------+----------------+-----------------------------------
| mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
|                  |                |
| nws-2.13         | postinst       | /tmp/nws.debug (cp)
|                  |                |
| ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
|                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
| ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
|                  |                |
| twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
+------------------+----------------+-----------------------------------
packages with perl-modules, CPAN, Policy
Thank you for many links on dh-make-perl which you sent me privately,
but for all that I mean another class of problems:

1. dh-make-perl
For example we build with its help the package libwww-mechanize-perl.
Excellent! The package is built. But it's not a package, it's a template
for package! i.e. If one tries to build it in pbuilder system, then the
build will not be fulfilled successfully. Why does it happen? Because
dh-make-perl left the field (Indep-)?Build-Depends empty. If there's
created an unambiguous search of the package according to its name then
it will be possible to introduce such an opportunity in dh-make-perl.

2. Thank you for many links on apt-cache search, but I mean rather
another class of problems :)
Start the command

apt-cache --full search -- -perl|less

and see how many packages haven't the modules' names in description.
Thereafter there exists the complexity of search, for example one can't
find libio-compress-zlib-perl according to modules' names
IO::Uncompress::Gunzip, IO::Uncompress::Unzip. Besides very often a
single deb-package includes many different perl modules, which are by
all means not included into Description.

i.e. At present it is very hard to write a utility of the search of a
name of deb-package according to a name of Perl-module. Bringing into
service the possibility of the unambiguous search according to the
module name will give an opportunity to improve dh-make-perl and write
utilities such as I described in my first mail etc.
packages with perl-modules, CPAN, Policy
Maybe I'm re-inventing the wheel, if so, please criticize. I write to
the Mail List and not to BTS, maybe later I'll make a post to BTS.

I dislike very much to watch how the admins I'm acquainted with install
perl-modules with the help of the command perl -MCPAN -e shell, however
there's no other way out when the package is not included into
deb-repository. Many of them simply can't build a deb-package.

Is it possible to take this work under control of the control system?

I think if in the system of controlling the packages there would be an
opportunity of univocal (single-valued) search of a deb-package
according to the name of a perl-module [1], then it would give the
following opportunity (and besides the simple ease of search of a
package name (sometimes it is rather hard to find a deb-package in
repository according to the name of perl-module)): it would be possible
to write a script (working for example under debconf control) with the
following characteristics:

1. when refreshing of any of packages with perl-modules its call would
   be organized (by analogy with update-menu)
2. this script would scan the directories with the modules installed
   and taken from cpan and make their list
3. having a list of modules it would make a search [1] of deb-packages
   containing such modules and if the search is successful it would
   offer to install them (with the help of the blocks of debconf
   dialogue)
4. it would delete the modules installed from CPAN that were replaced
   by the modules from deb-packages.

So when refreshing the system the modules installed from cpan would be
replaced by the modules from deb-packages (if they've appeared).

I could take up and write such a script however at first it is
necessary to create a univocal search [1], and its realization (maybe
somebody will offer the better decision, won't he) demands to change
the policy a bit.

I offer to include new fields into debian/control, for example:

Export-Perl-Modules: WWW::Mechanize, WWW::Mechanize::Image, ...

These fields may be filled in by hand or it is better to entrust this
function to dh_perl (or a new utility of such kind). Also it would be
good if the same utility installs in #DEBHELPER# section the call of a
script described above, let it be called update-perl-modules.

However these are the details of realization which deserve to be
discussed only after the principle decision of the question [1]: adding
of a field to the debian/control file. This is the question I offer to
discuss.

PS: maybe there are the same problems with installing the modules for
other languages and maybe we should discuss there not only an
additional field Export-Perl-Modules, but also, for example,
Export-(Python|TCL|Ruby|\w+)-Modules?

I would like to subject this idea to the criticism from DDs who
maintain perl-modules for Debian for a long time. I delved deeply into
these problems only recently and so I may offer to solve the problems
which have been already solved. Then correct me ;)

Dmitry
Bug#476909: suggestions on reorganisation of the stardict package.
Package: stardict
Severity: normal

Hi, Andrew Lee and Anthony Fok!

I use stardict, I like this dictionary very much, but there is a great
discomfort: at every new installation it is necessary to download the
dictionaries from the site http://stardict.sourceforge.net by hand and
to install them.

It would be nice if the deb-package included the dictionaries from this
site, however it is most likely impossible because mostly they will not
correspond to DFSG.

I have a proposal to you: to modify the package thus it has configure
and template scripts for debconf, which would allow users to choose and
install the dictionaries automatically (dpkg-reconfigure).

I've written a small script (it is attached) which creates a list of
what to download and where from: according to the results of the work
of this script one may generate the menu for choosing.

Some time later I would be able to complete the work on this system
[1]. However now I have to choose whether to make a fake package only
for automatisation of downloading the dictionaries for stardict or to
work further on the stardict package.

Here I need your agreement or disagreement about working on the
stardict package: in the first case you'll include the results of my
work into package and add me to the Uploaders group and in the second
one I'll make a retitle of this bug in ITP: staridct-dicts [1].

Please inform me what is your opinion on this subject.

Sincerely yours, Dmitry

PS: notes:
[1] _example_ of staridct-dicts.deb uploaded to:
http://uvw.ru/debian/unstable/stardict/

#!/usr/bin/perl

use warnings;
use strict;

package MechUTF8;
use base qw(WWW::Mechanize);
use Encode qw(encode decode);

sub content
{
    my $self=shift;
    my $content=$self->SUPER::content(@_);
    $self->response->header('Content-Type')=~/charset=([\w\d\-]+)/ and
        $content=encode(utf8=>decode($1=>$content));
    return $content;
}

package main;
use URI;
use File::Basename qw(basename);
use Getopt::Std qw(getopts);

my $server="http://stardict.sourceforge.net";
my $durl="$server/Dictionaries.php";

sub die_if_error($$)
{
    my ($browser, $errtxt)=@_;
    $browser->success and return;
    die sprintf "$errtxt, server status: %s\n", $browser->status;
}

sub usage()
{
    print <', $opts{o} or die "Can not create file $opts{o}: $!\n";
    $|=1;
}

$|=1; select STDERR; $|=1; select STDOUT;

my $browser=new MechUTF8;

$opts{v} and print STDERR "Getting $durl ...\n";
$browser->get($durl);
die_if_error $browser, "Can not get categories list from $server";

my %ans=
    map { m{href="(.*?)".*?>\s*(.*?)\s*<}s; ($2, "$server/$1") }
    $browser->content=~m{()}sgi;

for (sort keys %ans)
{
    unless ($ans{$_}=~m{$server/Dictionaries_}) { delete $ans{$_}; next; }
    $opts{v} and print STDERR "\tGetting $ans{$_} ...\n";
    $browser->get($ans{$_});
    die_if_error $browser, "Can not get category `$_'";
    my $content=$browser->content;
    for ($content)
    {
        s[][]sig;
        s[<\s*(?:/)?\s*(?:font|span|strong|b|b|br).*?>][ ]sig;
    }

    my %dlist=
        map { $$_[0]=~s[\s*(.*?)\s*<.*][$1]; ($$_[0], $$_[1]) }
        grep { $$_[1] !~ /rpm$/i }
        map { $$_[1]=~s/\?.*//s; $_ }
        map { ($$_[1]=~m[.*\s*tarbal]si)?[$$_[0], $1]:() }
        map { [ $$_[0], "$$_[1] $$_[2]" ] }
        grep { @$_ == 4 or @$_ == 3 }
        map { [ m[()]sig ] }
        $content=~m{()}sig;

    for my $url (values %dlist)
    {
        my $basename=basename(URI->new($url)->path);
        $url={file=>$basename, url=>$url, section=>$_};
    }

    $opts{v} and
        printf STDERR "\t\tfound %d tarbal-links for download\n",
            scalar keys %dlist;

    unless (%dlist) { delete $ans{$_}; next; }

    printf "%s\n", join "\t",
        $dlist{$_}{section}, $_, $dlist{$_}{file}, $dlist{$_}{url}
            for sort keys %dlist;
}

keys %ans or die "Can not find categories list in $durl\n";
exit 0;
Steffen Joeris (white@) is wanted ;)
> Maybe he could answer if you try and contact white@, rather than
> [EMAIL PROTECTED]

Upss.. :) sorry

the typo was only in subject. I send my mails to him with the command
'Reply' so there's no typos there. :)

> Anyway, he gave away some of his packages, because of his being busy,
> which might explain a lag (in case your typo was only in this Subject:).
Steffen Joeris (while@) is wanted ;)
Does anybody know where Steffen Joeris is? He has not answered my mails for a month+ already. Is everything OK with him?
gcc-snapshot for testing
>> I needed to test the building of one of my packages with gcc4.3.
>> However it turns out that gcc-snapshot from unstable contains the critical
>> bug, which makes impossible using it. At the same time the previous
>> version of the gcc-snapshot deb-package has been already deleted from
>> unstable.
>>
>> As a result I spent two days on building of the previous version of
>> gcc-snapshot (I've got rather slow hardware) in order to make a patch
>> for FTBFS-bug instead of 15 minutes. :)
>>
>> May be it would be better to enable the passing of gcc-snapshot into
>> testing but not to included it in stable releases?
>> It will allow to have a working instrument in such situations.
>>
JC> http://snapshot.debian.net/gcc-snapshot

Thank You for the link, however I consider my proposal actual
nevertheless. Because using of testing area will provide some
guarantees for the gcc-snapshot package to be workable.
gcc-snapshot for testing
I needed to test the building of one of my packages with gcc4.3.
However it turns out that gcc-snapshot from unstable contains the
critical bug, which makes impossible using it. At the same time the
previous version of the gcc-snapshot deb-package has been already
deleted from unstable.

As a result I spent two days on building of the previous version of
gcc-snapshot (I've got rather slow hardware) in order to make a patch
for FTBFS-bug instead of 15 minutes. :)

Maybe it would be better to enable the passing of gcc-snapshot into
testing but not to include it in stable releases?
It will allow to have a working instrument in such situations.
problems with BTS?
On 14:52 Mon 25 Jun , Dmitry E. Oboukhov wrote:
> - Forwarded message from "Dmitry E. Oboukhov" <[EMAIL PROTECTED]> -
> Date: Mon, 25 Jun 2007 11:39:22 +0400
> From: "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: problems with BTS?
> User-Agent: Mutt/1.5.13 (2006-08-11)

> Hi!
> For some reason I've got a problem with adding the messages into BTS.
> I've sent a patch to dhelp,
> Message-ID: <[EMAIL PROTECTED]>
> sent a bug to apt-howto-ru,
> Message-ID: <[EMAIL PROTECTED]>
> But no information has been added. Could You find out whether my address
> was included into spam filter (or what is the cause of such situation)?
> - End forwarded message -

my IP's (domains):
193.233.71.179 ( avanto.org )
81.9.63.169 ( uvw.ru )
problems with BTS?
- Forwarded message from "Dmitry E. Oboukhov" <[EMAIL PROTECTED]> -
Date: Mon, 25 Jun 2007 11:39:22 +0400
From: "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: problems with BTS?
User-Agent: Mutt/1.5.13 (2006-08-11)

Hi!
For some reason I've got a problem with adding the messages into BTS.
I've sent a patch to dhelp,
Message-ID: <[EMAIL PROTECTED]>
sent a bug to apt-howto-ru,
Message-ID: <[EMAIL PROTECTED]>
But no information has been added. Could You find out whether my address
was included into spam filter (or what is the cause of such situation)?
- End forwarded message -
[offtopic] to subscribe on BTS messages
>> I would like to receive BTS messages with a certain prefix (for example,
>> all the messages with the prefix ITP). Some ITP messages are dubbed into
>> debian-devel mailing list, but not all of them.
>>
>> So the question is whether it is possible to subscribe on the messages
>> of a certain pattern in BTS (for example, ITP, RFP, etc) or not. If it
>> is possible, then how?

> Easiest to just subscribe to debian-bugs-dist and use a procmail
> recipe to discard all messages that you aren't interested in.

thanks
[offtopic] to subscribe on BTS messages
Hi! I would like to receive BTS messages with a certain prefix (for example, all the messages with the prefix ITP). Some ITP messages are dubbed into debian-devel mailing list, but not all of them. So the question is whether it is possible to subscribe on the messages of a certain pattern in BTS (for example, ITP, RFP, etc) or not. If it is possible, then how?
UNSUSCRIBE
man procmailrc
fluxbox
I perfectly understand what experimental is. I mean rather another
problem: the new package version has been released, and this version
maintains different charsets in locales. This option is very important
for non-English-speaking users. But maintainer is lazy to commit this
version to Debian. The version in experimental hasn't any extravagant
dependencies or problems with building/upgrade/compatibility with
previous versions. As far as I understand maintainer placed it into
experimental only because the new version (0.9.15) in original is also
called RC2:1.0. Probably he supposed that RC would soon be replaced
with Release, but it may take a few years more.

In the context of Etch release I think it is very important to work on
maintaining of UTF-8 and internationalization on the whole. Especially
as the upstream version gives such possibility.

The question is: what can be done if maintainer doesn't busy himself
with the package and doesn't answer the messages and bug-reports? It is
impossible to make a commit while maintainer hasn't denied his
responsibility, but it would be very desirable to solve the problem.

On 20:46 Tue 13 Feb , Greg Folkert wrote:
GF> On Wed, 2007-02-14 at 01:30 +0300, Dmitry E. Oboukhov wrote:
>> Hi!
>> There's the following problem with the fluxbox package.
>>
>> The locale in the etch distributive is already set into UTF-8 as
>> default. Fluxbox has been maintaining UTF-8 for a long time.
>>
>> From July in experimental/ there had been 0.9.15 version with
>> full maintaining of UTF-8.
>>
>> But in spite of the sent bug
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397482
>> maintainer shows no sign of life and doesn't pay attention on
>> personal messages.

GF> Dmitry, experimental isn't for putting things into Sid or Testing or
GF> Stable.

GF> I am sure yoush hasn't done a thing with it, as Experimental packages
GF> don't need to be maintained, period.

GF> Experimental is experimental. If you don't understand what the word
GF> means, please go look it up. In terms of Debian, it MAY be used for
GF> testing new ways to package things. It may also be used to put newer
GF> versions into the pool without screwing up a freeze. But your July issue
GF> is far before the Etch Freeze.

GF> Which in turn means (to me) it was either a courtesy thing that got put
GF> in Experimental, or that it isn't as easy as you'd think to "fix it up"
GF> to get that or a newer version into Etch. Perhaps, doing the upgrade
GF> from Woody-Etch would break, or maybe the version in Sarge is completely
GF> incompatible and has to be handled gingerly and is causing lots of
GF> heartache.
fluxbox
Hi!
There's the following problem with the fluxbox package.

The locale in the etch distributive is already set into UTF-8 as
default. Fluxbox has been maintaining UTF-8 for a long time.

From July in experimental/ there had been 0.9.15 version with full
maintaining of UTF-8.

But in spite of the sent bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397482
maintainer shows no sign of life and doesn't pay attention on personal
messages.

It will be a shame if fluxbox is added into Etch without maintaining of
UTF-8 only because of maintainer's laziness.

What can be done? I see two variants there:

1. to write a patch for maintaining UTF-8 in that version (i.e. in
   testing, but I can do this only for Russian language, and this work
   seems having no future to me)
2. to move fluxbox from experimental into unstable/testing without
   maintainer's taking part in it

The latter variant isn't nice but it is desirable to solve this problem
the sooner the better.

Please advise what to do.