Bug#312813: ITP: newton -- personal desktop wiki applet for the GNOME desktop environment
Package: wnpp
Severity: wishlist
Owner: Martin Braure de Calignon <[EMAIL PROTECTED]>

* Package name    : newton
  Version         : 0.0.7
  Upstream Author : Dennis Craven <[EMAIL PROTECTED]>
* URL             : http://newton.sourceforge.net/
* License         : GPL
  Description     : personal desktop wiki applet for the GNOME desktop environment

Newton is a desktop wiki applet for the GNOME2 desktop environment. You enter your notes and information in a simple wiki-like syntax and Newton formats it in rich HTML for you! It is designed to make the creation of richly formatted documents of any type as simple and quick as possible.
.
Newton requires no web server (and therefore is not shared) to use. Just add the applet to your panel and it is ready to use. You make notes using a simple wiki markup, and the program renders the resulting HTML in an embedded gecko widget.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (950, 'unstable'), (200, 'testing'), (25, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Tuesday 07 June 2005 at 05:10 +0200, Nicolas Schoonbroodt wrote:
> So...(sorry for English)
> lot of conversation about my plugin on your mailing list.
>
> And also a bug report on sourceforge, related to your remark.
> My message will be not complete (because it's 4.50 am here and that I
> must be at school at 8am)
>
> First of all, you speak of tex2im dependency. This is not needed since
> version 0.3. Now I make the next system calls :
> (yep, it's not a good way, for example if /tmp doesn't exist for example)
> FILE_SOMETHING represent /tmp/gaimTeX.something
>
> chdir("/tmp")
> system("latex -interaction=nonstopmode " FILE_TEX)
> system("dvips -o" FILE_PS " -E " FILE_DVI)
> system("convert " FILE_PS " " FILE_PNG)
>
> and finally I do a
> system("rm -rf /tmp/GaimTeX.*") somewhere
>
> If you can tell me where you find the tex2im dependency (README,
> INSTALL, ...) It can help me for remove it in the next version.
>
> Now, about the security problem...
>
> Yes, I know it's possible to have some problems with latex call. But If
> someone send
> $$\input{/etc/passwd}$$
> he will see (at best) the local /etc/passwd file, and the receiver, the
> local /etc/passwd. So not the same.
>
> And in reality, he will see nothing. One of the (the principal?) author
> of kopeteTeX (which is compatible, for respond to one of the first
> question)(the developer is Olivier Goffart) has given me an advice, that
> was to blacklist some command.
>
> I have blacklisted the same command than kopetetex, that is :
>
> #define NB_BLACKLIST (42)
>
> #define BLACKLIST
>
> {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
>
> So (in normal case) all of this command will not be "authorised"
> (in fact, if you send a message like :
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with the blacklisted command in the $$equation part$$) the message
> _will not_ be transform using latex compiler. (with the is_blacklisted
> function)
>
> If some other command have to be blacklisted, I hear you.
>
> If you have any suggestion with security problem (for example error in
> my code, or latex hack to "eviter" (french word, don't know in English)
> this security), you can continue the discussion here, I will read it.
>
> Also other bug can be posted on sourceforge, for example.
>
> Nicolas Schoonbroodt

Considering Nicolas Schoonbroodt (upstream author)'s mail, do you think I can package it and ask for someone to upload it (on mentors of course) ? Or do you think there is still security problem in his software ?

I've read the sources, there is, as Nicolas said, a blacklist of command that can't be used. I send him a bug because there's a typo (\\renewcomment instead of \\renewcommand).

Thank you all for your comments, I'll be more aware next time of eventually security problems.

--
Martin Braure de Calignon (error3)
"Active member of Amaya fan club, and of her tatoo"
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Tuesday 07 June 2005 at 05:10 +0200, Nicolas Schoonbroodt wrote:

MMmmm these are good news :-),

> If you can tell me where you find the tex2im dependency (README,
> INSTALL, ...) It can help me for remove it in the next version.

Well, I've just looked into your files. I can now say that I've made a mistake. Your plugin seems to doesn't use tex2im now. But I know what makes me misunderstand : in README file :
"README:This is a plugin for Gaim [1] that allows you to display LaTeX [2] output into your IMs. This plugin needs the tex2im tool [3]."

>
> Now, about the security problem...
(...)
> I have blacklisted the same command than kopetetex, that is :
>
> #define NB_BLACKLIST (42)
>
> #define BLACKLIST
>
> {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
>

Great :-) Why not define a WHITELIST instead of a BLACKLIST ? isn't it more secured ?

> So (in normal case) all of this command will not be "authorised"
> (in fact, if you send a message like :
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with the blacklisted command in the $$equation part$$) the message
> _will not_ be transform using latex compiler. (with the is_blacklisted
> function)

Ok thanks

>
> If some other command have to be blacklisted, I hear you.

Well, I don't know LaTeX enough to gives you more commands (if there's any)

>
> If you have any suggestion with security problem (for example error in
> my code, or latex hack to "eviter" (french word, don't know in English)

avoid no ? ;-) but I'm french too so it's not a problem for me to understand

> this security), you can continue the discussion here, I will read it.
>
> Also other bug can be posted on sourceforge, for example.

Ok, I think we can now close my bug report on sourceforge no ?

>
> Nicolas Schoonbroodt

Thank you very much for your help, I hope I will be able to package it in Debian

--
Martin Braure de Calignon (error3)
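The whitelist question raised in the message above, worked through against the `\\renewcomment` typo as an added example (not code from gaim-latex or kopeteTeX). `blacklist_rejects` is a hypothetical stand-in for the plugin's `is_blacklisted`, assumed here to be a substring search, and the `ALLOWED` and `SAFE_CHARS` sets are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Excerpt of the blacklist quoted in the thread, typo included. */
static const char *const BLACKLIST[] = {
    "\\def", "\\let", "\\newcommand", "\\renewcomment", "\\write",
    "\\input", "\\include", "\\catcode", "\\csname", "\\expandafter",
};

/* Constructed allowlist of math control words (an assumption for this
 * example; a real list would be chosen by the maintainer). */
static const char *const ALLOWED[] = {
    "frac", "sqrt", "sum", "int", "alpha", "beta", "pi", "infty",
    "cdot", "times", "leq", "geq", "left", "right",
};

/* Characters permitted outside control words (constructed set). */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " +-*/=()[]{}_^.,<>|!'";

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int is_letter(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Hypothetical stand-in for the plugin's is_blacklisted(): assumed to be
 * a substring search. Returns 1 when the message is refused. */
int blacklist_rejects(const char *msg) {
    for (size_t i = 0; i < COUNT(BLACKLIST); i++)
        if (strstr(msg, BLACKLIST[i]) != NULL)
            return 1;
    return 0;
}

static int word_allowed(const char *w, size_t len) {
    for (size_t i = 0; i < COUNT(ALLOWED); i++)
        if (strlen(ALLOWED[i]) == len && memcmp(ALLOWED[i], w, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 only when every control word is on ALLOWED and every other
 * character is in SAFE_CHARS; anything unrecognised is refused. */
int allowlist_accepts(const char *msg) {
    const char *p = msg;
    while (*p != '\0') {
        if (*p == '\\') {
            const char *w = ++p;
            while (is_letter(*p))
                p++;
            /* An empty name means a control symbol, not a word: refuse. */
            if (p == w || !word_allowed(w, (size_t)(p - w)))
                return 0;
        } else if (*p == '^' && p[1] == '^') {
            return 0; /* a superscript takes an operand, never a second '^' */
        } else if (strchr(SAFE_CHARS, *p) == NULL) {
            return 0;
        } else {
            p++;
        }
    }
    return 1;
}
```

The allowlist fails closed: a misspelled entry makes a legitimate command unavailable, whereas a misspelled blacklist entry leaves the real command enabled.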
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Monday 06 June 2005 at 13:11 -0700, H. S. Teoh wrote:
> On Mon, Jun 06, 2005 at 04:00:47PM -0400, Daniel Jacobowitz wrote:
> >
> > Make a version which generates the image on the sending side?
> [...]
>
> That would be a *very* nice plugin. The bad thing about the current
> plugin isn't only the security concern: it requires that the recipient
> have the plugin installed. If the image is generated on the sending
> side, it solves the security problem, and also makes it possible to
> send (La)TeX fragments to arbitrary recipients with no additional
> hassle. I think this is worth considering.
>

Of course, it would be nice, but does gaim know how to insert an image in the conversation ? For me, (with jabber protocol), the "insert image" icon is disabled. Of course, I can send the image, but it is less useful...

--
Martin Braure de Calignon
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Monday 06 June 2005 at 14:28 -0400, Anthony DeRobertis wrote:
> Roberto C. Sanchez wrote:
> Ummm, I think you've missed my point. The thread is discussing a GAIM
> (instant message client) plugin. So that script is not run by you, it is
> run by an arbitrary stranger sending you an instant message, but on your
> machine and as you. That's why it's a problem.
>
> Looks like if you installed this package, I could send you an IM and
> overwrite an arbitrary file on your machine.
>
> [This is just judging from the code snippet posted; don't have time to
> fully audit the software.]
>
>

Well, you're right. So I think I won't package it. Do I have to do something special with the BTS ? Close the bug ? add a wont-fix tag ?

Cheers,

--
Martin Braure de Calignon
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Sunday 05 June 2005 at 20:42 -0700, Daniel Burrows wrote:
> On Sunday 05 June 2005 03:37 am, Bill Allombert wrote:
> > Sound like a potential security nightmare to me. LaTeX is a full
> > programming language.
>
> Well, in principle it would be possible to just parse a subset of LaTeX [0]
> and get reasonable results. If they're calling LaTeX directly, though, that
> could definitely spell trouble.
>
> Daniel
>

Quoting tex2im code:
(...)
latex -interaction=batchmode out.tex > /dev/null
cd "$homedir"
dvips -o $tmpdir/out.eps -E $tmpdir/out.dvi 2> /dev/null
(...)
convert +adjoin -antialias -transparent $color1 -density $resolution $tmpdir/out.eps $tmpdir/out.$format
(...)
#####
So they directly use latex.

--
Martin Braure de Calignon
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Saturday 04 June 2005 at 19:00 -0400, Roberto C. Sanchez wrote:
> On Sat, Jun 04, 2005 at 07:43:00PM +0200, Martin Braure de Calignon wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Martin Braure de Calignon <[EMAIL PROTECTED]>
> >
> > * Package name : gaim-latex
> > Version : 0.3
> > Upstream Author : Nicolas Schoonbroodt
> > * URL : http://sourceforge.net/projects/gaim-latex
> > * License : GPL
> > Description : gaim plugin wich translate LaTeX code into image in
> > conversation
> >
> > Provides the use of LaTeX code in conversation in gaim. The code is
> > converted in image by tex2im script (imagemagick) and the image is sent to
> > your contact.
> >
> This totally rocks! Please get this in soon.
>
> -Roberto
>

Of course it rocks, it is really useful when you have some equations and things like that in a conversation.

But I have a question. I've quickly done first package. gaim-latex use a tex2im script that is from another source. Do I have to make two packages, one for tex2im and one for gaim-latex or do I have to just include this script in gaim-latex package (I think the first is the best, but I want to be sure)?

For those who can't wait the official upload of this soft, I put the files here (but the packages are not finished, but seem to work):
http://www.enseirb.fr/~braurede/deb_dev/gaim-latex/
and
http://www.enseirb.fr/~braurede/deb_dev/tex2im/

I've tried it, it is just a little slow. Be careful, according to the README file, it can't be used with gaim-encryption at the same time (but both can be installed of course).

Cheers,

--
Martin Braure de Calignon
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
On Saturday 04 June 2005 at 20:18 +0200, Florent Bayle wrote:
> On Saturday 4 June 2005 19:43, Martin Braure de Calignon wrote:
> [...]
> > Provides the use of LaTeX code in conversation in gaim. The code is
> > converted in image by tex2im script (imagemagick) and the image is sent to
> > your contact.
> [...]
>
> Just a little mistake : according to the author of gaim-latex, the image is
> not sent to your contact, just the LaTeX code, and your contact have to had
> gaim-latex (or kopetex ?) to translate the LaTeX code in image.
>

Yes you're right, it's a misunderstanding of mine. I'll change it in few hours. Thank you very much :-)

--
Martin Braure de Calignon
Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
Package: wnpp
Severity: wishlist
Owner: Martin Braure de Calignon <[EMAIL PROTECTED]>

* Package name    : gaim-latex
  Version         : 0.3
  Upstream Author : Nicolas Schoonbroodt
* URL             : http://sourceforge.net/projects/gaim-latex
* License         : GPL
  Description     : gaim plugin wich translate LaTeX code into image in conversation

Provides the use of LaTeX code in conversation in gaim. The code is converted in image by tex2im script (imagemagick) and the image is sent to your contact.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (950, 'unstable'), (200, 'testing'), (25, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Re: Questions about apt-get upgrade/install semantic
Gunnar Wolf wrote:
>
>It is not only that - It is because apt-get is an infrastructure
>manager, not an individual package manager. dpkg does work on single
>packages, but apt-get works on the whole collection - and it could
>lead to inconsistencies if you let apt-get do a half-assed job and
>upgrade just one out of many packages - There might be dependencies
>down there, and this kind of command would not follow them (or would
>be inconsistent with the user's wishes of upgrading _only_ that).
>
>Greetings,
>

Well, ok for that, but I was speaking of the non-trivial upgrade. I mean when upgrade e.g. samba, I want to upgrade it and, of course all its needed dependency upgrade. dpkg of course is great for installing a package alone. But I was wondering why apt-get install does an upgrade if I don't have the latest version (that is ok the default behaviour) and why apt-get upgrade doesn't do that thing. It seemed to be strange... But what everyone says in this thread can justify such a thing.

But I would find more logical to do install to install a package... If it is already installed, why not, upgrade it... but it is an upgrade and not an installation. So I wish that apt-get upgrade do the same as apt-get install (well I know that upgrade roughly consists in removing the package and installing the new one).

Cheers ;) ,

--
Martin Braure de Calignon
"Debian addict, active member of Amaya (Amayita)'s fan club (and fan of her tatoo)"
Re: Questions about apt-get upgrade/install semantic
Guido Heumann wrote:
>Martin Braure de Calignon wrote:
>
>>Daniel J. Axtens wrote:
>>
>>>>and not
>>>>"apt-get upgrade "
>>>>
>>>Possibly because apt-get upgrade is used to upgrade the whole system,
>>>not just one package. My guess is that the developers didn't want to
>>>overload the upgrade command.
>>>
>>>HTH,
>>>Daniel
>>>
>>Yes, ok for that. But when I want to upgrade a package, it is not really
>>logical to use "install", because the package is already installed, no ?
>>
>
>If you think of "upgrading" as "installing the newest version" of a
>package, then it becomes more logical IMO. You can specify the version
>number of a package to be installed with "apt-get install
>package=version", and without explicit version argument it's simply the
>default behaviour to install the newest version.
>
>HTH,
>Guido
>

If it is the default behaviour of "apt-get install" (and it is), it should be mentioned in the man, or be mentioned more explicitly. I've just seen that there is already a bug report about this feature for upgrade (see #74067).

Cheers,

--
Martin Braure de Calignon
"Debian addict, active member of Amaya (Amayita)'s fan club (and fan of her tatoo)"
Re: Questions about apt-get upgrade/install semantic
Daniel J. Axtens wrote:
>>and not
>>"apt-get upgrade "
>>
>
>Possibly because apt-get upgrade is used to upgrade the whole system,
>not just one package. My guess is that the developers didn't want to
>overload the upgrade command.
>
>HTH,
>Daniel
>

Yes, ok for that. But when I want to upgrade a package, it is not really logical to use "install", because the package is already installed, no ?

--
Martin Braure de Calignon
"Debian addict, active member of Amaya (Amayita)'s fan club (and fan of her tatoo)"
Questions about apt-get upgrade/install semantic
Hello DDs,

I wonder why when you want to upgrade one package, you have to do :
"apt-get install "
and not
"apt-get upgrade "

Is there a reason for that ? It makes me more sense to upgrade the package when I want to upgrade it... No ?

Thanks

--
Martin Braure de Calignon
"Debian addict, active member of Amaya (Amayita)'s fan club (and fan of her tatoo)"
Descripack, I would prefer another name (Debscripack ? Debscription ?)
Hello,

Last summer, the LSM2004 took place in Bordeaux, organized by ABUL. The president of the ABUL, Pierre Jarillon asked me to contact debian about a documentation project. Well, why me ? because I'm using debian a lot :-P

Pierre Jarillon and I have already spoken of this project with some DD. It would be great to see if this project interests debian and if it is integrated in the distrib.

Let me explain further : The project consists on having documentation and translated documentation for all free software (or most part). This documentation would present the software (with a short and a long description, like in debian). I know that DDTP exists and that it is near that (for package description). But the project (named Descripack), has the advantage of being distrib independent. Another advantage, is that the project would be based on a DB and with a frontend to update it like wiki-engines. So it would be easy for people to modify description of package, translate it and other things.

P. Jarillon insists on the fact that the description must be lambda-user adapted (not developer). But IMHO, it's already the fact for most package... But it's true that when I imagine a simple user who wants to listen to his mp3 files, he search for "mp3 and player". The list of result is very impressive, and it's difficult for him to choose which of package he has better to install. Lots of possibilities can be imagined for helping him / teach him how to choose a package. One of these possibility is, for sure, an adapted documentation (adapted to his language).

One can imagine a way of getting translation/description and co. from the descripack database directly by apt or other possibilities (but I don't know really how to include this in apt... It seems difficult..). If you have some idea about it, and if you are interested in this project, don't be afraid of sending ideas, or why not injuries :-P.

Mandrake seems to be interested by the project, and it could be a way of normalizing package description. And of course a way of showing that distribution can walk in the same (good) way (the way of Debian of course :P). With that, all the distrib could have the same description of package, which is an important point I think (but not fundamental).

Others informations are available on http://pjarillon.free.fr/docs/descripack/
The description are from mdk and PLF.

Well I hope that I won't be virtually killed after this mail (for the english or for the content) :-)

--
Martin Braure de Calignon
"Debian addict, active member of Amaya (Amayita)'s fan club (and fan of her tatoo)"
"! Debian-women as DPL !"
"I now live in a banana republic :-/ "
Bug#297961: ITP: gaim-themes -- Smiley themes collection for gaim
Package: wnpp
Severity: wishlist
Owner: Martin Braure de Calignon <[EMAIL PROTECTED]>

* Package name     : gaim-themes
  Version          : 0.1
  Upstream Authors : SeanEgan <[EMAIL PROTECTED]>
                     LX_Xero <[EMAIL PROTECTED]>
                     GnomePro <[EMAIL PROTECTED]>
                     Chromakode <[EMAIL PROTECTED]>
                     Damog <[EMAIL PROTECTED]>
                     Jer <[EMAIL PROTECTED]>
                     xOvni <[EMAIL PROTECTED]>
* URL              : http://gaim.sourceforge.net/
* License          : GPL
  Description      : Smiley themes collection for gaim

This package provides few differents smiley theme for Gaim
They have been downloaded from http://gaim.sourceforge.net
It includes only free themes.
.
Homepage: http://gaim.sourceforge.net/

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'testing'), (25, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)