Fixing src:ucf environment variable insecurity in [old]stable
Hello,

I recently completed salvaging of src:ucf[1]. As part of code cleanup I discovered a variable inherited from the environment which is then passed to eval[2]. Unintended code execution is trivial to demonstrate.

To my mind, this is a coding oversight. As the patch in #1089015 shows, the fix is simple and obvious. But I want to be sure that nobody is using inheritance of this variable as an undocumented 'feature' before merging the suggested patch.

The Security Team have already been consulted and are content for this to be handled through stable-pu.

For completeness, unstable and testing are no longer affected as virtually all uses of eval have been removed.

Thanks

Mark

[1] https://bugs.debian.org/1086847
[2] https://bugs.debian.org/1089015
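The class of bug described in the message above, sketched as an added shell example; it is not ucf code and not the patch from #1089015. The variable name hook_cmd, the state variable and the three function names are hypothetical, chosen only to show an uninitialised variable reaching eval beside two ways of closing the hole.

```shell
#!/bin/sh
# Added illustration, not ucf code. "hook_cmd" is a hypothetical variable name.

# Before: hook_cmd is assigned on only one code path, so on every other path
# the value exported by the calling process is what reaches eval.
status_inherited() {
    state=unchanged
    if [ "${1:-}" = "--with-hook" ]; then
        hook_cmd='state=hooked'
    fi
    eval "${hook_cmd:-:}"        # inherited text is executed as shell code
    printf '%s\n' "$state"
}

# After (one possible fix): assign the variable before first use, which
# discards whatever the environment supplied.
status_initialised() {
    hook_cmd=
    state=unchanged
    if [ "${1:-}" = "--with-hook" ]; then
        hook_cmd='state=hooked'
    fi
    eval "${hook_cmd:-:}"
    printf '%s\n' "$state"
}

# Without eval: the option selects a fixed action, so no string is ever
# interpreted as code and there is nothing for the environment to influence.
status_no_eval() {
    use_hook=no
    state=unchanged
    if [ "${1:-}" = "--with-hook" ]; then
        use_hook=yes
    fi
    if [ "$use_hook" = yes ]; then
        state=hooked
    fi
    printf '%s\n' "$state"
}
```

Calling each function with hook_cmd preset in the caller's environment shows the difference: only status_inherited lets the inherited value change its result.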
Bug#1068245: ITP: iwgtk -- lightweight graphical frontend to iwd
Package: wnpp
Severity: wishlist
Owner: Mark Hindley
X-Debbugs-Cc: debian-devel@lists.debian.org

* Package name    : iwgtk
  Version         : 0.9
  Upstream Contact: Jesse Lentz
* URL             : https://github.com/J-Lentz/iwgtk
* License         : GPL3+
  Programming Lang: C
  Description     : Lightweight graphical frontend to iwd

iwgtk is a lightweight gtk4 frontend to iwd which provides similar functionality to that of iwctl. Features include viewing and connecting to available networks, managing known networks, provisioning new networks via WPS or Wi-Fi Easy Connect and an indicator (tray) icon displaying connection status and signal strength.

Mark
Policy consensus on transition when removing initscripts.
Hello friends and colleagues,

Debian Policy no longer requires that packages which provide a systemd .service file also provide an initscript. This permits maintainers who so wish to remove initscripts from their packages. However, initscripts remain used and useful[1], and uncoordinated removal can have significant effects on users' systems[2].

With the encouragement of the Technical Committee[3] and despite some unavoidable deficiencies consequent on keeping initscripts without their intended package[4], orphan-sysvinit-scripts has collected and maintained some dropped initscripts. However, the process surrounding this has not been defined in Policy. Indeed, #975075[5] contains a number of suggestions that have not yet been followed through.

The most recent proposal[6] for updating the Policy with a requirement to use tmpfiles.d(5) states

  "Init systems other than ``systemd`` should allow providing the same functionality as appropriate for each system, for example managing the directories from the init script shipped by the package."

This creates an inconsistency whereby non-systemd inits are required to provide functionality in their initscript, but that initscript is not required to be present.

To avoid breakage of existing systems and facilitate ongoing support for non-systemd inits, I would like to establish a consensus for

 - stating that initscripts remain useful.

 - requiring a coordinated transition of any initscript a maintainer wishes to drop to the orphan-sysvinit-scripts package and providing the relevant copyright information.

Best wishes

Mark

[1] they continue to be used by sysvinit, openrc and runit which are all viable non-systemd inits at the time of writing.
[2] https://bugs.debian.org/1038903 is the most recent example of which I am aware.
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975075#311
[4] See Bugs/Limitations in https://salsa.debian.org/matthew/orphan-sysvinit-scripts/-/blob/master/README.org
[5] https://bugs.debian.org/975075
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=945269;filename=0001-Define-service-directories-and-tmpfiles.d-interfaces.patch;msg=160

-- 
Mark Hindley
GPG: 506C 15A4 2B0A F5A0 A854 23EE D28A 45BF 3287 D649
Re: Upgrade package from init script to Systemd, move config folder
On Thu, Apr 27, 2023 at 09:02:38AM +0800, Paul Wise wrote:
> On Wed, 2023-04-26 at 22:44 +0300, Boian Bonev wrote:
>
> > OTOH it is an un-favor to move or remove it
> ...
>
> It is better to keep the init script in place.

Absolutely.

> Another option is the orphan-sysvinit-scripts package:

Which is still the second best option. Despite Matthew's best efforts, having the init script in a separate package causes several issues. See Bugs/Limitations in the orphan-sysvinit-scripts README[1].

Please leave the init script in place.

Mark

[1] https://salsa.debian.org/matthew/orphan-sysvinit-scripts/-/blob/master/README.org

-- 
Mark Hindley
GPG: 506C 15A4 2B0A F5A0 A854 23EE D28A 45BF 3287 D649
Bug#1016038: ITP: sysd-openrc -- Translator to convert systemd units to openrc scripts.
Package: wnpp
Severity: wishlist
Owner: Mark Hindley
X-Debbugs-Cc: debian-devel@lists.debian.org, m...@kayg.org, ope...@packages.debian.org sysvi...@packages.debian.org

* Package name    : sysd-openrc
  Version         : Unversioned upstream
  Upstream Author : K Gopal Krishna
* URL             : https://salsa.debian.org/kayg/systemd-unit-translator
* License         : BSD simplified 2 clause
  Programming Lang: Bash
  Description     : Translator to convert systemd units to openrc scripts.

This was developed as part of the 2020 Google Summer of Code. It is useful as part of exploring ways of deriving generic runlevel control scripts for non-systemd init systems from unit files.

Mark
Bug#1006977: ITP: open-plc-tools -- Toolkit for powerline network adapters with Atheros chipsets
Package: wnpp
Severity: wishlist
Owner: Mark Hindley

* Package name    : open-plc-tools
  Version         : 0.0.6
  Upstream Author : Qualcomm Atheros, Inc.
* URL             : https://github.com/qca/open-plc-utils
* License         : Clear BSD
  Programming Lang: C
  Description     : Toolkit for powerline network adapters with Atheros chipsets

Includes tools for manipulation and modification of pib and nvm files as well as tools to upload/flash them to the adapter chipset.
Bug#976048: ITP: seatd -- Minimal user, seat and session management daemon
Package: wnpp
Severity: wishlist
Owner: Mark Hindley

* Package name    : seatd
  Version         : 0.4.0
  Upstream Author : Kenny Levinsen
* URL             : https://git.sr.ht/~kennylevinsen/seatd
* License         : Expat
  Programming Lang: C
  Description     : Flexible user, seat and session management daemon

Supports runtime switching between backend implementations. Currently this includes seatd itself, elogind and systemd-logind.
Re: Bug#905388: Devuan has working packages, but they need work wrt systemd
owner !
retitle ITP: elogind -- The systemd project's "logind", extracted to a standalone package
thanks

I am working on packaging elogind 239.1 for Debian based on my work for Devuan, so I am happy to take ownership of this bug.

The WIP git repo is at https://git.devuan.org/LeePen/elogind/tree/debian_WIP.

Mark
Re: Migrating away from ucf without dpkg prompting
Steve,

Many thanks for your input on this.

On Thu, Aug 23, 2018 at 10:52:24AM -0700, Steve Langasek wrote:
> And dropping ucf handling is certainly not required for addressing Policy
> 4.1.3 compatibility, which is what you mention in the changelog.
>
> Why do you think it's necessary here to revert to a conffile?

I didn't think it was necessary. But having addressed the 4.1.3 prohibition of AUTOSTART=0|1 in /etc/default/apt-cacher, that file was no longer being modified in the postinst. Therefore it *could* revert to being a normal conffile. I suppose I thought simpler handling and dropping an unnecessary dependency was a step forward.

But I am happy to be told I am wrong ;)

Thanks.

Mark
Migrating away from ucf without dpkg prompting
Hello,

I am working on fixing bug #905178 which is caused by moving away from using ucf to manage /etc/default/apt-cacher back to handling it as a standard dpkg conffile.

I have a working solution which avoids unnecessary prompting. This is to remove the ucf version of the file in the preinst unless it is modified. dpkg then installs the new version without prompting.

Can I check that this is the correct way to address it, or should I take an alternative approach?

Many thanks.

Mark
Re: Re: Standards 4.1.3 and apt-cacher
> It is a bit overzealous, but I think you have another problem. Your package
> will override local admin on upgrades (if they changed the config manually) by
> calling update-rc.d and update-inetd. I think you need to change it to not do
> so. I don't know much about update-inetd but the pattern for update-rc.d
> should be something like this:
>
>
> if [ $1 = configure ] || [ $1 = abort-upgrade ] ; then
>     db_get apt-cacher/mode
>     case "$RET" in
>         daemon)
>             update_rc_args="apt-cacher defaults"
>             ;;
>         inetd|manual)
>             update_rc_args="apt-cacher defaults-disabled"
>             ;;
>     esac
> fi
> if [ $1 = reconfigure ] ; then
>     db_get apt-cacher/mode
>     case "$RET" in
>         daemon)
>             update_rc_args="apt-cacher enable"
>             ;;
>         inetd)
>             update_rc_args="apt-cacher disable"
>             ;;
>         manual)
>             update_rc_args="" #do nothing
>             ;;
>     esac
> fi
> if [ -n "$update_rc_args" ] ; then
>     update-rc.d $update_rc_args
> fi

Felipe,

Many thanks for this. Your point is well made and I have now got a working version that lintian doesn't complain about.

However, in trying to understand more fully when postinst is called with configure and reconfigure arguments, it appears that reconfigure is not currently supported at all. It is not mentioned in the Policy and ancient bug #215549 was closed as wontfix. So although reconfigure is in the postinst skeleton the distinction is not observed.

The only possible way to distinguish is using the hack that DEBCONF_RECONFIGURE=1 is set in the postinst environment. See debconf-devel(7).

Or am I missing something?

Mark
Standards 4.1.3 and apt-cacher
Hello,

I am trying to upgrade apt-cacher to Standards version 4.1.3. In particular using DISABLED=yes|no in /etc/defaults is now prohibited.

apt-cacher can be run as a daemon or from /etc/inetd.conf and this configuration is set in response to a debconf question.

I have a working version of the postinst which I believe complies with the new policy by no longer changing a value in /etc/default/apt-cacher, however it contains multiple calls to update-rc.d (one to register the init file and then calls to enable/disable as appropriate in response to db_get). This produces the lintian error: duplicate-updaterc.d-calls-in-postinst.

Is my approach flawed or is lintian being overzealous? Any other suggestions?

A pruned version of postinst is below.

Thanks for your help.

Mark

# Split of standard dh_installinit block. invoke-rc.d at end of script
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
    if [ -x "/etc/init.d/apt-cacher" ]; then
        update-rc.d apt-cacher defaults >/dev/null
    fi
fi

case "$1" in
    reconfigure|configure)
        db_get apt-cacher/mode
        case "$RET" in
            daemon)
                echo "Setup apt-cacher running as standalone daemon."
                update-inetd --remove "3142\s.+/usr/sbin/apt-cacher" # PCRE
                update-rc.d apt-cacher enable > /dev/null
                ;;
            inetd)
                echo "Setup apt-cacher running from /etc/inetd.conf."
                update-inetd --add "3142\tstream\ttcp\tnowait\twww-data\t/usr/sbin/apt-cacher\tapt-cacher\t-i"
                update-rc.d apt-cacher disable > /dev/null
                ;;
            manual)
                # Disable inetd and daemon
                update-inetd --remove "3142\s.+/usr/sbin/apt-cacher" # PCRE
                update-rc.d apt-cacher disable > /dev/null
                cat <&2
                exit 1
                ;;
esac

if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
    if [ -x "/etc/init.d/apt-cacher" ]; then
        invoke-rc.d apt-cacher start || exit $?
    fi
fi

exit 0
Re: Bug#365995: ITP: pfm -- Postgresql client application using Tcl/Tk to design forms to input data and link between related tables allowing easy navigation within a database.
On Thu, May 04, 2006 at 10:39:30AM +0100, Mark Hindley wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Mark Hindley <[EMAIL PROTECTED]>
>
>

Sorry! Other details should read:

* Package name    : pfm
  Version         : 1.2.5
  Upstream Author : Willem Herremans <[EMAIL PROTECTED]>
* URL             : http://gborg.postgresql.org/project/pfm/projdisplay.php
* License         : GPL
  Description     : Postgresql client application using Tcl/Tk to design forms to input data and link between related tables allowing easy navigation within a database.

 pfm (Postgres Forms) is a client for PostgreSQL. It uses Tcl/Tk to create forms to access the database. Complex relationships between tables can be easily explored.
 .
 The PostgreSQL server can be remote or local.

Mark

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#365995: ITP: pfm -- Postgresql client application using Tcl/Tk to design forms to input data and link between related tables allowing easy navigation within a database.
Package: wnpp
Severity: wishlist
Owner: Mark Hindley <[EMAIL PROTECTED]>

* Package name    : pfm
  Version         : x.y.z
  Upstream Author : Name <[EMAIL PROTECTED]>
* URL             : http://www.example.org/
* License         : (GPL, LGPL, BSD, MIT/X, etc.)
  Description     : Postgresql client application using Tcl/Tk to design forms to input data and link between related tables allowing easy navigation within a database.

(Include the long description here.)

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (400, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.16.1
Locale: LANG=en_GB, LC_CTYPE=iso_8859_1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB)