Re: Bits from the RM

2003-12-02 Thread Noah L. Meyerhans
On Tue, Dec 02, 2003 at 05:09:37PM +1000, Anthony Towns wrote:
  What happens if say there are simply not enough people interested in
  GNOME for example, and the RC counts rise, and rise at an increasing
  rate, and we never release again?
 
 That's not a very interesting hypothetical -- there're plenty of people
 interested in getting Gnome to work on Debian. The aim is to focus
 on *fixing* the bugs, not remove the packages, and while threats can
 motivate sometimes (although they often do the opposite too), it's not
 really where we want to focus our attention or energies.

I agree that GNOME is not a very good example here.  Let me propose
another: The ARM port.  I realize the examples thus far have been in
regard to packages, not ports, but at what point does it make sense to
say "OK, the foo port has held up the release of sarge by virtue of
not having a working installer.  It is going to be removed from the list
of supported platforms for sarge."?

A quick look at
http://www.debian.org/devel/debian-installer/ports-status indicates
that, for some platforms, the situation is pretty grim.  ARM, for
example, hasn't been touched since March, and doesn't even have a
working kernel for the installer.  m68k is not a whole lot better, but
has at least seen some recent activity.

Where are the people who originally thought it would be fun to port
Debian to some of these architectures?  How long do we wait for them?
Clearly AJ's message to debian-devel-announce on August 19 announcing a
release goal of December 1 didn't inspire any new activity.  This gives
the appearance that the ARM port maintainers simply don't care if sarge
gets released at all.  This is very discouraging.

I don't want to come across sounding too harsh; I run Debian on a number
of architectures besides x86 and appreciate its multi-platform support.
But, if those who work on Debian on a given platform are no longer
interested in putting in the effort necessary to maintain that
architecture, we really should rethink our commitment to it.

noah





Re: New release of ifupdown planned

2003-08-27 Thread Noah L. Meyerhans
On Wed, Aug 27, 2003 at 09:36:31PM +0200, Thomas Hood wrote:
 The ifupdown package hasn't been touched by its maintainer for over
 two years and it is about time some of its problems were addressed.

Thanks for taking the initiative on this.  I'd noticed its neglect a
while back but didn't have time to do anything about it.

 Since the maintainer of ifupdown doesn't answer repeated attempts
 to contact him by e-mail, I suppose it is appropriate to report
 here that there is a group of people working on a new ifupdown
 release.  Please contact me if you are interested or would like to
 help.  We would like to have a release ready well before the
 deadline for sarge.

I'd especially like to see bug 168776 closed.  There's even a patch
attached to it.

 This message should also be considered to be a query as to the
 whereabouts of the missing maintainer for the purposes of section
 7.4 of the developer's reference "Dealing with inactive and/or
 unreachable maintainers."

AJ is definitely around...  In fact it's been less than 24 hours since
he's posted to this list...  AJ?

noah





Re: On packages depending on up-to-date data (was Re: Snort: Mass Bug Closing)

2003-08-25 Thread Noah L. Meyerhans
On Mon, Aug 25, 2003 at 01:56:40PM +0200, Javier Fernández-Sanguino Peña wrote:
 That's not correct, it cannot detect _new_ potentially harmful traffic. 
 There's quite a lot of potentially harmful traffic (stable) snort can
 detect. The fact that it's not up-to-date does not mean that it's useless,
 it means that it won't detect new attacks (but it will detect old attacks).
 Depending on your security policy that might, or might not, be enough.

No.  New attacks represent security threats.  Old attacks represent
curiosities, at best (i.e. have you seen any Redhat 6.2 rpc.statd
attacks lately?)

An intrusion detection system that can not detect known intrusions is
not useful.  It's dangerous in the same way that turning syslog off is
dangerous: "Well, there's nothing in the logs, so the system must be
fine."

If you have a specific policy that allows you to only be interested in
ancient attacks, good for you.  We cannot expect our users to be in such
a position.

noah





Re: Snort: Mass Bug Closing

2003-08-24 Thread Noah L. Meyerhans
On Sun, Aug 24, 2003 at 08:59:06AM -0600, Jamin W. Collins wrote:
  Before you object to this rather 'rude' bughandling, please keep in
  mind that version 1.8.4 of snort, which is in stable, has 3 severe
  security exploits, 
 
 So, why hasn't a security update been released for it?

Largely this is because snort should simply be removed from stable
completely, as it is not useful, even if the security exploits are
fixed.

Snort depends on a set of rules to detect potentially malicious traffic.
Obviously this set of rules needs to be updated on a regular basis in
order to keep up with new security issues.  The problem is that the
version of snort in stable is old enough that the upstream maintainers
are no longer releasing new rulesets for it.  Thus, it can't detect
potentially harmful traffic.

A person responsible for the security of a system or network of systems
needs to know if attacks on current vulnerabilities are being made on
his system at least as badly as he needs to know that two year old
vulnerabilities are being probed.  snort 1.8.4 cannot report such
activity, and can only lead to a false sense of security.  Thus,
trusting an old version of snort is more dangerous than not using it at
all, IMHO.

In the case of tools like snort, I strongly believe that we either need
to remove it from stable or permit new upstream versions to be released
for stable with point releases.

noah





Re: Debian

2003-08-24 Thread Noah L. Meyerhans
On Sun, Aug 24, 2003 at 06:19:22PM +0100, Gavin Thomas wrote:
 hi there, i'm new to Debian and i would like to learn Debian and help
 out with Development, i have spare time on my hands and i would like
 to use that spare time wisely, please can you send me some
 information.

Check out the list of bugs holding up the next release.  Currently it
can be found at
http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200308/msg00015.html

Find one or more that you think you can fix.  Log your fix with the bug,
by sending it to bug_number@bugs.debian.org.

At this point in time, that really is the best way you can contribute
to the project.  The developers and users will appreciate your help.

noah





Re: Snort: Mass Bug Closing

2003-08-24 Thread Noah L. Meyerhans
On Mon, Aug 25, 2003 at 02:27:41AM +0100, Steve Kemp wrote:
   (Essentially apt-get + apt-cache for snort rules.  Clearly packaging a
   single rule file within one package is a gross misuse of resources but
   it might be sufficient if they were signed and hosted somewhere
   sensible..)

Such a system as you describe would be fine, and should somehow be
incorporated into the Debian release design (especially since snort is
by no means the only package that would benefit) but it doesn't get you
around the current issue, which is that there simply are no new rules
being developed for woody's snort.

I can think off-hand of at least one other security related tool that
needs frequent updating of a ruleset: nessus.  It is an active probing
tool that scans a network for vulnerable systems.  If it doesn't have a
current set of rules, it may fail to identify vulnerable systems,
leading to the same issues that snort has.

noah





Re: About NM and Next Release

2003-08-06 Thread Noah L. Meyerhans
On Wed, Aug 06, 2003 at 05:29:54PM +0300, Halil Demirezen wrote:
 Debian Maintainers are becoming too elite. However, outside world becoming
 more excluded. And Debian finally is becoming so obsolete.

Everybody has an opinion on this matter.  I don't usually even bother
posting mine, but here goes anyway.

Your conclusion that long DAM wait times lead to slow releases has
little or no basis in fact.  You do not need to have completed the NM
process to contribute to Debian.  In fact, I believe the whole DAM
process would be more effective if we *required* that you made
non-trivial contributions to Debian *before* the DAM would create an
account for you.

Additionally (strictly my opinion here, others will undoubtedly
disagree), I believe that Debian's long release times are caused by it
being too big, rather than not big enough.  Too many developers, too
many packages, too many architectures, all that.  There are signs that
others feel the same way (e.g. the number of people who complain every
time somebody submits an ITP for yet another web based image gallery or
something like that seems to be going up).

So, if you want to see Debian release sooner, go fix some RC bugs.  You
don't need to have completed the NM process to do that, and doing that
might actually help you get through the NM process quicker.

noah






Re: Future releases of Debian

2003-07-25 Thread Noah L. Meyerhans
On Fri, Jul 25, 2003 at 01:37:15PM -0400, Aaron M. Ucko wrote:
  The reason I haven't offered them for general Debian machines is that there
  are already (generally better) machines available on better connections.
 
 Last I checked, there weren't any public mips or mipsel machines.

You checked too long ago.  Casals.debian.org is an SGI Indigo2, MIPS
R4000 CPU.

Williams.debian.org and vaughan.debian.org will be MIPSel boxes, as soon
as Sun ships them to me, I get them online, and the sysadmin team gets
them configured.  Supposedly I'll have the boxes within a week or so.

noah




Re: Why is openoffice in Contrib?

2002-12-10 Thread Noah L. Meyerhans
On Tue, Dec 10, 2002 at 04:49:17PM -0500, Daniel Burrows wrote:
  So much for write-once, run-anywhere.
 
   Did anyone ever believe that?

I'm curious as to whether the Java classes as distributed with the Sun
JRE would work with one of the other JREs out there.  Not that it would
help the status of OpenOffice at all, but it would lend a bit of
credence to the write-once, run-anywhere claims.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: racoon ISAKMP implementation for IPsec

2002-12-03 Thread Noah L. Meyerhans
On Tue, Dec 03, 2002 at 08:01:02AM -0800, Steve Dunham wrote:
 No ITP, but I did manage to get this to compile against the 2.5.50
 kernel source tree.  It seems to work, but the other side of my
 tunnel is down at the moment (he upgraded his kernel but didn't
 rebuild freeswan).

Cool, thanks.  I've filed the ITP and will possibly make an upload once
I've managed to test things.  I might hold off, though, until Alexey
separates the IPsec tools from iputils, which he said he'll do.  It
shouldn't matter, considering that these tools and the kernel they
support are under heavy development.

 You'll also need the setkey program from iputils to do IPSEC.  Both
 of these (and the library) need headers from a recent kernel source
 tree.

Yeah, I'm pretty familiar with the KAME IPsec tools, having used them on
Free and NetBSD.  I'm actually really excited to see them available for
Linux, as I much prefer them to FreeS/WAN.  I'll probably build a
libipsec package and an ipsec-tools package, or something like that.  I
haven't thought too deeply about it yet.

 I've attached my changes to get racoon to compile, in case you're
 interested.  Mostly tweaks because our glibc has functions that
 the source doesn't think __linux__ has.

Cool, thanks.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




racoon ISAKMP implementation for IPsec

2002-12-02 Thread Noah L. Meyerhans
I just downloaded the latest upstream source for the iputils packages
and noticed that it now contains quite a bit of IPsec code.  In
particular, this includes libipsec and racoon.  Racoon is the KAME
ISAKMP (IPsec key exchange protocol) implementation.  I haven't
investigated further, but considering the upstream author's involvement
in Linux kernel network development, I'd take this as a sign that racoon
will be the official ISAKMP implementation for the recently merged
kernel IPsec code.

I haven't seen any mention of racoon on this list, nor in wnpp.  The
iputils release notes indicate that racoon will eventually be moved to a
separate source package that should be packaged separately from the
iputils Debian packages.  I will maintain the racoon and libipsec
packages, since I haven't seen any sign of other people offering to do
so.

If I missed an ITP, please let me know.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Are we losing users to Gentoo?

2002-11-26 Thread Noah L. Meyerhans
On Tue, Nov 26, 2002 at 04:41:45PM +0200, Riku Voipio wrote:
 Something is seriously wrong, if a single bug that affects a single
 arch can stop everyone else from forward. We need a way to get packages
 that are broken on some platform into the distribution while the
 developers of the arch sort out the problem. Not the way it is happening
 currently, that everyone has to wait the platform to fix itself before
 updated packages get into distribution.

That brings up a whole different set of problems, none of which are any
easier to fix.  For example: We would then basically have a separate,
potentially out of sync, testing distribution for each platform.  If a
package is allowed to move in to testing on e.g. i386 without the same
package moving to testing on one of the other platforms, then the
archive will blow up to unmanageable size.  Keeping things coordinated
would be really difficult, and we'd probably end up slowing the release
cycle even further.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Are we losing users to Gentoo?

2002-11-25 Thread Noah L. Meyerhans
On Mon, Nov 25, 2002 at 04:52:16PM +, Bruce Stephens wrote:
 Releases tend to be out of date.  But that's a feature: releases need
 to be composed of well tested stable packages.

Yes they do, but the software in the packages is just as important as
the packaging job.  If you look back at slink, you see that it shipped
with GNOME 0.3.something.  The GNOME developers certainly didn't claim
that 0.3 was well tested and stable.  It was a development snapshot.
And yet, GNOME 1.0 had already been released by the time slink shipped,
and this version did carry the stable claim.  Debian users had to put
up with buggy, unfinished software if they wanted to use the stable
version of the OS.

Sacrificing up-to-date software for stable packaging often does not
necessarily result in a stable system.  IMHO there is too much emphasis
put on packaging in Debian.  Package management has always been our
strength, but perhaps it occupies too much of our time.  (Of course, I
must now add that I can't claim to have a solution for any perceived
problems in our development system.)

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Are we losing users to Gentoo?

2002-11-25 Thread Noah L. Meyerhans
On Mon, Nov 25, 2002 at 08:41:43PM +0200, Riku Voipio wrote:
 So, debian is becoming the netbsd of Linuxes.. Sure a novel goal to
 support rare hardware, but why does it have to come at the expense
 of commodity hardware owners?

That's an interesting comparison.  If you look at NetBSD, you'll see
that they have a very similar problem to us:  They have a really slow
release cycle.  I think at some point it really does come down to the
size of the OS.  At some point, I suspect that the Debian community is
going to have to decide what it wants.  Will it be frequent, up-to-date
releases, or will it be support for every platform we can get our hands
on?  I don't think we can have both.

People will undoubtedly say something to the effect of "well, if
somebody's willing to do the work to support some new architecture, we
shouldn't discourage them.  They're not interfering with our ability to
do our work."  Is that necessarily true, though?  It's been pretty
clearly stated that Debian will not release sarge until the new
installer is ready.  How long will we wait for the various ports to get
to an installable state?  If we wait indefinitely, then haven't the
ports that aren't yet ready interfered with the users and developers of
the other ports we support?

I really wonder when debian-installer will be in a releasable state on
something like ARM or mipsel or s390.  I'm not convinced we will make a
release before 2005.

(As an aside, yes, I have started investigating porting debian-installer
to non-x86 architectures.  This is not because I give a flying fuck
about them, but because I can't stand the thought that it might take us
2 years to release sarge.  Personally, I'd rather drop support (in
sarge, not necessarily sid) for archs that aren't installable by some
deadline.)

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




letters in upstream version numbers

2001-09-26 Thread Noah L. Meyerhans
Lintian gives errors when looking at a package with letters at the
beginning of the upstream version number.  Ch. 4 of policy indicates
that the upstream version can't begin with a letter.  However, it
doesn't really indicate what should be done in case an upstream version
does begin with letters.  In the case of the latest iputils package, it
is ss010824.  Should I just drop the letters from the version number, or
is there some other preferred way of making it comply with policy?

It might be worth it to add some text to policy clarifying this issue.

Thanks.
noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Potato to Woody upgrade problem

2001-09-24 Thread Noah L. Meyerhans
On Mon, Sep 24, 2001 at 11:53:38AM -0400, Dale Scheetz wrote:
 I copied XF86Config from my old Woody system into the newly upgraded
 system and, while startx works just fine, wdm starts up but doesn't start
 the server, or log any messages in /var/log/wdm.log. (the log file exists,
 but is empty) (current version of wdm is: 1.20-11.2)

What's in /etc/X11/default-display-manager and /etc/X11/wdm/Xservers?

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Why why why!!???

2001-05-04 Thread Noah L. Meyerhans
On Fri, May 04, 2001 at 11:33:58AM -0400, Jaldhar H. Vyas wrote:
 Oh crap.  Ok guys it's been a lot of fun.  I really enjoyed working with
 you and meeting some of you in person but now that Debian is going to
 be shut down I'll have to look for another operating system.
 
 Does anyone know if Microsoft Windows is any good?

This should probably not have been sent to the person that originally
sent in the erroneous hack notification.  We can make fun of their
idiocy all we want, but we shouldn't email them personally with it.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Work-needing packages report for May 4, 2001

2001-05-04 Thread Noah L. Meyerhans
retitle 86871 ITA: snarf -- command line URL grabber

snarf (#86871), orphaned 71 days ago
  Description: A command-line URL grabber

I'll take this.  It's one of the first packages I install on a new
system, and I use it all the time.  Plus I know the guy who wrote it.

And anybody who thinks wget is a good replacement for snarf hasn't read
http://www.xach.com/snarf/comparison-table.php3  8^)

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: dm management of wm listings (kdm/gdm/etc..)

2001-05-03 Thread Noah L. Meyerhans
On Thu, May 03, 2001 at 03:11:19AM -0600, Ivan E. Moore II wrote:
   Problem:  Desktop Managers like kdm and gdm support Window Manager listings
 so that users can choose what they want to log in using.  There
 currently is no common way for wm's to register themselves with
 each/any/all dm's that may be installed on the system.  

Since every window manager / session manager is already registered with
the alternatives system, I see no reason why the other display managers
can't do what wdm already does.  It includes a script, update_wdm_wmlist
which essentially just greps the output of 'update-alternatives
--display x-window-manager' and 'update-alternatives --display
x-session-manager' and populates its menu based on that.

Since all window managers and desktop environments are already
registered with the alternatives system, I don't see any reason to
complicate things any further.

noah -- wdm maintainer

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: dm management of wm listings (kdm/gdm/etc..)

2001-05-03 Thread Noah L. Meyerhans
On Thu, May 03, 2001 at 05:20:55PM +0200, Michel Dänzer wrote:
  Since every window manager / session manager is already registered with
  the alternatives system, I see no reason why the other display managers
  can't do what wdm already does.  It includes a script, update_wdm_wmlist
  which essentially just greps the output of 'update-alternatives
  --display x-window-manager' and 'update-alternatives --display
  x-session-manager' and populates its menu based on that.
 
 Does this handle window managers which are installed after wdm, and if yes
 how?

It does.  /etc/init.d/wdm checks for 'auto-update-wmlist' in
/etc/X11/wdm/wdm.options.  If found, it runs the script to update the
menu entry (found in /etc/X11/wdm/wdm-config).

It does the same thing in /etc/X11/wdm/Xreset, so when an X session
ends, the menu is updated with any changes before wdm comes up again.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
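
The mechanism described in this message and in the previous one in the thread (read the alternatives registered for x-window-manager, and only do so when 'auto-update-wmlist' is set in wdm.options), sketched as an added example. This is not the update_wdm_wmlist script from the wdm package: the function names, the sample output and the colon-separated menu format are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration only; not the update_wdm_wmlist script shipped with wdm.
# All function names here are hypothetical.

# Constructed sample of `update-alternatives --display x-window-manager`
# output (embedded so the example runs on a machine without the alternatives).
sample_display() {
    cat <<'EOF'
x-window-manager - auto mode
  link best version is /usr/bin/fvwm2
  link currently points to /usr/bin/fvwm2
  link x-window-manager is /usr/bin/x-window-manager
/usr/bin/fvwm2 - priority 50
  slave x-window-manager.1.gz: /usr/share/man/man1/fvwm2.1.gz
/usr/bin/twm - priority 40
  slave x-window-manager.1.gz: /usr/share/man/man1/twm.1.gz
/usr/bin/wmaker - priority 50
Current `best' version is /usr/bin/fvwm2.
EOF
}

# Read --display output on stdin and print one registered alternative per
# line. Only unindented lines of the form "<absolute path> - priority <n>"
# name an alternative; link, slave and status lines are ignored.
list_alternatives() {
    sed -n 's|^\(/[^ ]*\) - priority -\{0,1\}[0-9][0-9]*$|\1|p'
}

# Turn the alternatives into a menu string: program names without their
# directory, de-duplicated, joined with ':' (the join format is an assumption).
wm_menu() {
    list_alternatives | sed 's|.*/||' | LC_ALL=C sort -u | paste -sd: -
}

# Succeed only if the options file has an uncommented 'auto-update-wmlist'
# line (assumed format: one bare keyword per line, '#' starts a comment).
auto_update_enabled() {
    grep -q '^[[:space:]]*auto-update-wmlist' "$1" 2>/dev/null
}

# Demo on the constructed sample. On a real system the input would come from
#   update-alternatives --display x-window-manager
# and the call would be guarded by: auto_update_enabled /etc/X11/wdm/wdm.options
sample_display | wm_menu
```
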





Re: testing ipv6 tools

2001-01-09 Thread Noah L. Meyerhans
On Sat, Jan 06, 2001 at 10:46:09PM +, Philip Blundell wrote:
 Pierfrancesco Caci wrote:
 
 connect(4, {sin_family=AF_INET6, sin6_port=htons(1025), inet_pton(AF_INET6, fe80::250:4ff:fe38:a630, sin6_addr), sin6_flowinfo=htonl(0)}}, 24) = -1 EINVAL (Invalid argument)
 
 What version of the kernel are you running?  Your ping6 is using old-style 
 struct sockaddr_in6, but I would have hoped that would be OK.

I am seeing the same behavior with kernel 2.4.0/unstable.  I've not
found a way around it yet.  I've got one unstable box working fine with
IPv6, but 2 others simply won't do it.

Another odd symptom is that the machines that return invalid argument
when trying to ping the link local address can't react properly to
router advertisements.  The box on which IPv6 does work is able to
auto-configure itself with no problems at all.  The other 2 never get
their global scope addresses.  I know they're seeing the router
advertisements because I've watched the solicitation/advertisement
conversation through tcpdump...

One of these non-functioning systems has been set up specifically to try
and debug this problem, so if anybody is willing to give me some
pointers we can try just about anything with it.

noah
-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


