Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Samuel Thibault
Nanakos V. Chrysostomos, on Fri 26 Aug 2011 12:50:05 +0300, wrote:
> The upstream author and developer of this
> software claims that I am not intended to add my name for such a small
> change to the Copyright holders of the file and he should ask for legal
> advice. What is your opinion? Is this right?

This is too simple a change to get copyrights on it. Even if the
implication may be huge. Of course you get credits for the bug fix
(thanks!), but this is not what copyright protects.

Samuel


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110826103645.ge5...@type.irill.org



Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Tollef Fog Heen
]] Nanakos V. Chrysostomos 

| recently I have contributed a one-line patch [0] that resolves a
| significant and major security bug in a PAM module. I added myself to the
| Copyright holders of the file and added this change to the changelog file
| as you can easily see in [1]. The upstream author and developer of this
| software claims that I am not intended to add my name for such a small
| change to the Copyright holders of the file and he should ask for legal
| advice. What is your opinion? Is this right?

I think he's in the right, your contribution does not really consist of
any significant creative effort.

I'm also unable to reproduce your bug.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Nanakos V. Chrysostomos


Hi,
I agree that the change is not Copyrightable. The bug
is there and it's easily reproducible.

Cheers,
Chris



> ]] Nanakos V. Chrysostomos
>
> | recently I have contributed a one-line patch [0] that resolves a
> | significant and major security bug in a PAM module. I added myself to the
> | Copyright holders of the file and added this change to the changelog file
> | as you can easily see in [1]. The upstream author and developer of this
> | software claims that I am not intended to add my name for such a small
> | change to the Copyright holders of the file and he should ask for legal
> | advice. What is your opinion? Is this right?
>
> I think he's in the right, your contribution does not really consist of
> any significant creative effort.
>
> I'm also unable to reproduce your bug.
>
> --
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are
 
 



Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Tollef Fog Heen
]] Nanakos V. Chrysostomos 

(please follow normal mailing list conventions and quote properly.)

Hi,

| I agree that the change is not Copyrightable. The bug
| is there and it's easily reproducible.

If it is so easily reproducible you should improve the description.  I
can't reproduce it by using pam_yubico with login and just pressing C-d
for my password, at least.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Nanakos V. Chrysostomos


Yes of course.
Authentication succeeded when no password
was given, unless use_first_pass was being used.
This is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration.

Use the configuration for pam_yubico below for su, for
example:

auth sufficient pam_yubico.so id=1 debug authfile=/etc/yubikey_whatever_u_have

When doing su - and prompts for Yubikey for 'root' just press
Ctrl-D.

Cheers,
Chris.



> ]] Nanakos V. Chrysostomos
>
> (please follow normal mailing list conventions and quote properly.)
>
> Hi,
>
> | I agree that the change is not Copyrightable. The bug
> | is there and it's easily reproducible.
>
> If it is so easily reproducible you should improve the description. I
> can't reproduce it by using pam_yubico with login and just pressing C-d
> for my password, at least.
>
> --
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are
 


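The point made in the message above, that a module which accepts an empty response becomes fatal once it is marked 'sufficient', can be seen in a small model of how an auth stack is evaluated. This is an added example, not part of the original thread and not pam_yubico or Linux-PAM source; the module functions, the `constructed-valid-otp` and `constructed-password` strings and all other names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of how an "auth" stack is evaluated (required and
 * sufficient only). Not libpam and not pam_yubico code: every name and
 * credential string here is hypothetical and constructed for the example. */
enum result  { AUTH_OK, AUTH_FAIL };
enum control { REQUIRED, SUFFICIENT };

struct attempt {
    const char *otp;       /* typed at the token prompt ("" models Ctrl-D) */
    const char *password;  /* typed at the password prompt */
};

typedef enum result (*module_fn)(const struct attempt *);

struct entry {
    enum control control;
    module_fn    module;
};

/* Constructed input: the user presses Ctrl-D at every prompt. */
const struct attempt EMPTY_INPUT = { "", "" };
/* Constructed input: a valid token response, no password. */
const struct attempt VALID_TOKEN = { "constructed-valid-otp", "" };

static enum result verify_otp(const char *otp)
{
    return strcmp(otp, "constructed-valid-otp") == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Hypothetical token module with the failure mode the thread describes:
 * an empty response is never verified and falls through to success. */
enum result otp_module_buggy(const struct attempt *a)
{
    if (a->otp[0] == '\0')
        return AUTH_OK;
    return verify_otp(a->otp);
}

/* Same module with empty input rejected before any verification. */
enum result otp_module_fixed(const struct attempt *a)
{
    if (a->otp[0] == '\0')
        return AUTH_FAIL;
    return verify_otp(a->otp);
}

enum result password_module(const struct attempt *a)
{
    return strcmp(a->password, "constructed-password") == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Walk the stack the way the control flags are documented to behave:
 * - sufficient + success, with no earlier required failure: stop, grant.
 * - sufficient + failure: ignored, keep going.
 * - required + failure: remember it, keep going, deny at the end. */
enum result run_stack(const struct entry *stack, size_t n, const struct attempt *a)
{
    int required_failed = 0, required_passed = 0;

    for (size_t i = 0; i < n; i++) {
        enum result r = stack[i].module(a);
        if (stack[i].control == SUFFICIENT) {
            if (r == AUTH_OK && !required_failed)
                return AUTH_OK;
        } else if (r == AUTH_OK) {
            required_passed = 1;
        } else {
            required_failed = 1;
        }
    }
    return (required_passed && !required_failed) ? AUTH_OK : AUTH_FAIL;
}

/* Stack under test: the token module with the given control flag,
 * followed by a required password module. */
enum result try_login(enum control otp_control, module_fn otp_module,
                      const struct attempt *a)
{
    struct entry stack[2] = {
        { otp_control, otp_module },
        { REQUIRED,    password_module },
    };
    return run_stack(stack, 2, a);
}

static const char *verdict(enum result r)
{
    return r == AUTH_OK ? "GRANTED" : "denied";
}

int main(void)
{
    printf("sufficient + buggy module, empty input: %s\n",
           verdict(try_login(SUFFICIENT, otp_module_buggy, &EMPTY_INPUT)));
    printf("sufficient + fixed module, empty input: %s\n",
           verdict(try_login(SUFFICIENT, otp_module_fixed, &EMPTY_INPUT)));
    printf("required   + buggy module, empty input: %s\n",
           verdict(try_login(REQUIRED, otp_module_buggy, &EMPTY_INPUT)));
    printf("sufficient + fixed module, valid token: %s\n",
           verdict(try_login(SUFFICIENT, otp_module_fixed, &VALID_TOKEN)));
    return 0;
}
```

With the same flawed module marked `required`, the later password check still denies the empty attempt; the short-circuit of `sufficient` is what turns the flaw into a full bypass.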



Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Russell Coker
On Fri, 26 Aug 2011, Nanakos V. Chrysostomos nana...@wired-net.gr wrote:
> recently I have contributed a one-line patch [0] that resolves a
> significant and major security bug in a PAM module. I added myself to the
> Copyright holders of the file and added this change to the changelog file

Regardless of the issue of whether you can claim copyright on a single line 
(which AFAIK has never been tested by a court) there is the issue of whether 
it's reasonable to make such a claim by community standards.

I know that I'm not the only person here who has sent in many patches that are 
much more significant without asking for credit in the copyright file.  It 
seems to be a common expectation that one doesn't make such claims about small 
patches.

Fixing security flaws is a really good thing to do.  Send in lots more patches 
like that and you can count on getting a good reputation for it, even if you 
don't end up in any copyright files.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/





Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Samuel Thibault
Russell Coker, on Fri 26 Aug 2011 23:47:40 +1000, wrote:
> Fixing security flaws is a really good thing to do.  Send in lots more patches
> like that and you can count on getting a good reputation for it, even if you
> don't end up in any copyright files.

Reputation is actually way more useful than owning copyright, yes :)

Samuel





Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Tollef Fog Heen
]] Nanakos V. Chrysostomos 

| Authentication succeeded when no password
| was given, unless use_first_pass was being used.
| This is fatal if pam_yubico is considered 'sufficient' in the PAM
| configuration.

It also requires you to use the client mode (which is the default) and not the
challenge response mode, which explains why I couldn't reproduce your issue.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Nanakos V. Chrysostomos
I think you are right. Thanks for mentioning that.

Cheers,
Chris.


> On Fri, 26 Aug 2011, Nanakos V. Chrysostomos nana...@wired-net.gr wrote:
> > recently I have contributed a one-line patch [0] that resolves a
> > significant and major security bug in a PAM module. I added myself to the
> > Copyright holders of the file and added this change to the changelog file
>
> Regardless of the issue of whether you can claim copyright on a single line
> (which AFAIK has never been tested by a court) there is the issue of whether
> it's reasonable to make such a claim by community standards.
>
> I know that I'm not the only person here who has sent in many patches that are
> much more significant without asking for credit in the copyright file.  It
> seems to be a common expectation that one doesn't make such claims about small
> patches.
>
> Fixing security flaws is a really good thing to do.  Send in lots more patches
> like that and you can count on getting a good reputation for it, even if you
> don't end up in any copyright files.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/







Re: Source Code One Line Change [patch] and Copyright holder

2011-08-26 Thread Nanakos V. Chrysostomos


This is the default and proposed installation in the README file. Many
many people claim until now (I have received plenty of emails!!!) that
they use this installation and could never imagine that there was
such a bug for more than a year now. Another guy reported that he has
installed pam_yubico module to more than 130 CentOS servers and you could
easily imagine what the consequences will be if someone has discovered the
bug and solely used it for his own profit.

Cheers,
Chris.

> ]] Nanakos V. Chrysostomos
>
> | Authentication succeeded when no password
> | was given, unless use_first_pass was being used.
> | This is fatal if pam_yubico is considered 'sufficient' in the PAM
> | configuration.
>
> It also requires you to use the client mode (which is the default) and not
> the challenge response mode, which explains why I couldn't reproduce your
> issue.
>
> --
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are
 
 

Re: Source code

2011-01-04 Thread Nikita V. Youshchenko
> On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:
> > On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
> > > I would like to install dpkg under Windows Vista.
> >
> > This is almost certainly going to be an exercise in pain.
>
> For building it, maybe, but not for getting it prebuilt. Cygwin ports
> has a version:
> (From ftp://sourceware.org/pub/cygwinports/portslist.txt)
>
> dpkg   1.15.7.2-1

Some years ago there was an attempt to port Debian to windows kernel. If I
remember correctly, blocking problem was that windows does not allow to
replace opened files, which dpkg deeply depends on.

Nikita




Re: Source code

2011-01-04 Thread Olaf van der Spek
On Tue, Jan 4, 2011 at 3:30 PM, Nikita V. Youshchenko yo...@debian.org wrote:
> > On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:
> > > On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
> > > > I would like to install dpkg under Windows Vista.
> > >
> > > This is almost certainly going to be an exercise in pain.
> >
> > For building it, maybe, but not for getting it prebuilt. Cygwin ports
> > has a version:
> > (From ftp://sourceware.org/pub/cygwinports/portslist.txt)
> >
> > dpkg   1.15.7.2-1
>
> Some years ago there was an attempt to port Debian to windows kernel. If I
> remember correctly, blocking problem was that windows does not allow to
> replace opened files, which dpkg deeply depends on.

Renaming open files works, so that should no longer be a problem.

Olaf





Re: Source code

2011-01-04 Thread Olaf van der Spek
On Tue, Jan 4, 2011 at 7:20 PM, Ian Jackson
ijack...@chiark.greenend.org.uk wrote:
> Olaf van der Spek writes (Re: Source code):
> > Renaming open files works, so that should no longer be a problem.
>
> They have to be able to be deleted.

Why?

Olaf





Re: Source code

2011-01-04 Thread Ian Jackson
Olaf van der Spek writes (Re: Source code):
> Renaming open files works, so that should no longer be a problem.

They have to be able to be deleted.

But this is just the start of your woes.  I advise against the attempt.

Ian.





Re: Source code

2011-01-04 Thread brian m. carlson
On Tue, Jan 04, 2011 at 07:22:26PM +0100, Olaf van der Spek wrote:
> On Tue, Jan 4, 2011 at 7:20 PM, Ian Jackson
> ijack...@chiark.greenend.org.uk wrote:
> > Olaf van der Spek writes (Re: Source code):
> > > Renaming open files works, so that should no longer be a problem.
> >
> > They have to be able to be deleted.
>
> Why?

Because lots of programs expect something like

  fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
  unlink("/tmp/foo");
  write(fd, data, 4);

to succeed.  This is how Unix filesystem semantics work and pretty much
always have.  POSIX allows unlink(2) to return EBUSY, but that's not at
all Unixy.  The only case I can see for EBUSY is what NetBSD and OpenBSD
do: restrict unlinking a mount point.  (This is also the only case for
EBUSY on Solaris, Ultrix, and HP-UX.)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: Source code

2011-01-04 Thread Olaf van der Spek
On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson
sand...@crustytoothpaste.net wrote:
> Because lots of programs expect something like
>
>   fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
>   unlink("/tmp/foo");
>   write(fd, data, 4);
>
> to succeed.  This is how Unix filesystem semantics work and pretty much
> always have.  POSIX allows unlink(2) to return EBUSY, but that's not at
> all Unixy.  The only case I can see for EBUSY is what NetBSD and OpenBSD
> do: restrict unlinking a mount point.  (This is also the only case for
> EBUSY on Solaris, Ultrix, and HP-UX.)

unlink will probably return an error, but since that's not checked,
that snippet will succeed.
WRONLY seems weird, what's the purpose of a snippet like this?

Olaf





Re: Source code

2011-01-04 Thread brian m. carlson
On Tue, Jan 04, 2011 at 08:55:41PM +0100, Olaf van der Spek wrote:
> On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson
> sand...@crustytoothpaste.net wrote:
> > Because lots of programs expect something like
> >
> >   fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
> >   unlink("/tmp/foo");
> >   write(fd, data, 4);
> >
> > to succeed.  This is how Unix filesystem semantics work and pretty much
> > always have.  POSIX allows unlink(2) to return EBUSY, but that's not at
> > all Unixy.  The only case I can see for EBUSY is what NetBSD and OpenBSD
> > do: restrict unlinking a mount point.  (This is also the only case for
> > EBUSY on Solaris, Ultrix, and HP-UX.)
>
> unlink will probably return an error, but since that's not checked,
> that snippet will succeed.
> WRONLY seems weird, what's the purpose of a snippet like this?

It was an example, so I omitted error checking.  And, yes, it probably
should have been O_RDWR.  AFAIK, the only way Windows has anything
resembling Unix filesystem semantics (or Unix semantics in general) is
Services for Unix, since the Win32 API on which mingw32 and cygwin are
based just does not support them.  And even that does not allow
setuid/setgid programs by default.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: Source code

2011-01-04 Thread Roberto C . Sánchez
On Tue, Jan 04, 2011 at 08:55:41PM +0100, Olaf van der Spek wrote:
> On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson
> sand...@crustytoothpaste.net wrote:
> > Because lots of programs expect something like
> >
> >   fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
> >   unlink("/tmp/foo");
> >   write(fd, data, 4);
> >
> > to succeed.  This is how Unix filesystem semantics work and pretty much
> > always have.  POSIX allows unlink(2) to return EBUSY, but that's not at
> > all Unixy.  The only case I can see for EBUSY is what NetBSD and OpenBSD
> > do: restrict unlinking a mount point.  (This is also the only case for
> > EBUSY on Solaris, Ultrix, and HP-UX.)
>
> unlink will probably return an error, but since that's not checked,
> that snippet will succeed.
> WRONLY seems weird, what's the purpose of a snippet like this?

There are several reasons to do something like that.  One is that in the
event of the process (or even entire OS) crashing, cleanup of the disk
space is essentially automatic, because once no open file descriptors
reference it, the OS reclaims it.

Another reason to do something like that is to give you a more secure
temporary file.  By adding mktemp() (or something similar) into the
example Brian gave, you can defend against attacks that depend on file
name collisions.  By quickly unlinking, the file will no longer appear
in directory listings, making exploits of the data written to the file
more challenging (not impossible, just more challenging).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
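The idiom discussed in the messages above (create a file, unlink it at once, keep using the descriptor), written out with the error checks that the thread's three-line sketch leaves out. This is an added example, not code from any poster; it uses mkstemp(3), which picks the name and opens the file exclusively in one step, and the `/tmp` directory, the `example-XXXXXX` template and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct tmp_report {
    int  fd;            /* open descriptor, or -1 if creation failed */
    int  unlink_errno;  /* 0 if unlink() worked, else its errno (e.g. EBUSY) */
    int  name_gone;     /* 1 if the path no longer resolves after unlink() */
    long nlink;         /* link count fstat() reports for the open file */
    int  roundtrip_ok;  /* 1 if data written after unlink() reads back intact */
};

/* Create a private temporary file in `dir`, remove its name immediately,
 * then write and re-read `len` bytes through the descriptor alone. */
struct tmp_report unlinked_tempfile(const char *dir, const char *data, size_t len)
{
    struct tmp_report r = { -1, 0, 0, -1, 0 };
    char path[4096];
    char buf[64];
    struct stat st;
    int n;

    if (len > sizeof buf)
        return r;
    n = snprintf(path, sizeof path, "%s/example-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return r;

    /* mkstemp() replaces the XXXXXX, creates the file with mode 0600 and
     * opens it O_RDWR|O_CREAT|O_EXCL, so an existing name is never reused. */
    r.fd = mkstemp(path);
    if (r.fd < 0)
        return r;

    /* Drop the directory entry while the file is still open. On a system
     * without Unix unlink semantics this is the call that fails. */
    if (unlink(path) != 0)
        r.unlink_errno = errno;

    /* The name should be gone from the directory ... */
    r.name_gone = (stat(path, &st) == -1 && errno == ENOENT);
    /* ... while the open file itself still exists. */
    if (fstat(r.fd, &st) == 0)
        r.nlink = (long)st.st_nlink;

    /* The descriptor stays fully usable after the unlink. */
    if (write(r.fd, data, len) == (ssize_t)len &&
        lseek(r.fd, 0, SEEK_SET) == 0 &&
        read(r.fd, buf, len) == (ssize_t)len &&
        memcmp(buf, data, len) == 0)
        r.roundtrip_ok = 1;

    return r;
}

/* Returns 1 when the file was created, its name disappeared and the data
 * survived; closing the descriptor is what finally frees the storage. */
int tempfile_survives_unlink(const char *dir)
{
    struct tmp_report r = unlinked_tempfile(dir, "data", 4);
    int ok = r.fd >= 0 && r.unlink_errno == 0 && r.name_gone && r.roundtrip_ok;

    if (r.fd >= 0)
        close(r.fd);
    return ok;
}

int main(void)
{
    struct tmp_report r = unlinked_tempfile("/tmp", "data", 4);

    if (r.fd < 0) {
        fprintf(stderr, "could not create temporary file\n");
        return 1;
    }
    printf("unlink_errno=%d name_gone=%d nlink=%ld roundtrip_ok=%d\n",
           r.unlink_errno, r.name_gone, r.nlink, r.roundtrip_ok);
    close(r.fd);
    return 0;
}
```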




Re: Source code

2011-01-03 Thread Don Armstrong
On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
> I would like to install dpkg under Windows Vista.

This is almost certainly going to be an exercise in pain.

> /home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:67: undefined reference to
> `_obstck_free'
> ../lib/libdpkg.a(nfmalloc.o): In function `nfobstack_init':
> /home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:43: undefined reference to
> `__obsack_begin'
> ../lib/libdpkg.a(nfmalloc.o): In function `nfstrnsave':
> /home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:62: undefined reference to
> `__obsack_newchunk'

You aren't linking with GNU libc for whatever reason.

> Where do I find the source code for `_obstck_free', `__obsack_begin'
> etcetera.

http://www.eglibc.org/home
or
http://www.gnu.org/software/libc/


Don Armstrong

-- 
Who is thinking this?
I am.
 -- Greg Egan _Diaspora_ p38

http://www.donarmstrong.com  http://rzlab.ucr.edu





Re: Source code

2011-01-03 Thread Kumar Appaiah
On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:
> On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
> > I would like to install dpkg under Windows Vista.
>
> This is almost certainly going to be an exercise in pain.

For building it, maybe, but not for getting it prebuilt. Cygwin ports
has a version:
(From ftp://sourceware.org/pub/cygwinports/portslist.txt)

dpkg   1.15.7.2-1

HTH.

Kumar
-- 
...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and
the Ugly).
-- Matt Welsh




Re: source code forensic practices

2007-01-30 Thread Florian Weimer
* Yaroslav Halchenko:

> The question is: are there any helper tools for doing source code
> validation subject to possibly available snippets of code which might be
> for illegal activity (ie sending out private information, or serve as
> backdoors, etc)?

There are several commercial bug finding tools and services.  I don't
know how good they are at detecting logic bombs and similar things.

> May be some language specific tools (JS, Java, python)
> which could catch snippets intended for data transmission/receival?

Java is doable at least, but due to their dynamic nature, JavaScript
and Python are in a completely different league.  JavaScript is
extremely obnoxious because you can easily download scripts from the
Net, triggered from self-modifying code.  In fact, this is a common
practice in the online advertising world.





Re: source code forensic practices

2007-01-30 Thread Yaroslav Halchenko

> * Yaroslav Halchenko:
>
> > The question is: are there any helper tools for doing source code
> > validation subject to possibly available snippets of code which might be
> > for illegal activity (ie sending out private information, or serve as
> > backdoors, etc)?
>
> There are several commercial bug finding tools and services.  I don't
> know how good they are at detecting logic bombs and similar things.

some googling helped me to find some interesting pieces

from 1995: MCF: A Malicious Code Filter
http://seclab.cs.ucdavis.edu/papers/llo95.ps

Unfortunately articles such as Detecting and Removing Malicious Code
http://www.securityfocus.com/infocus/1610
do not list about any source code analysis.

This one
http://www.dsv.su.se/research/seclab/pages/pdf-files/2005-x-208.pdf
seems to be quite nice but talks about MS Access source code analysis
but it referred me to another interesting reading

Secure Software Development and Code Analysis Tools
http://www.sans.org/reading_room/whitepapers/securecode/389.php

Unfortunately I have to agree with

When a programmer intends to cause harm developing software, he will try to
obfuscate the code to hide it in many line codes. There are even automated
tools that any programmer could use to obfuscate code (they can also be used
to avoid reverse engineering). Essentially, when an auditor finds code with
non-sense structures or that is particularly difficult to follow it could
point him to two different conclusions, first, that the programmer intends to
obfuscate the code, or second, that the system wasn't properly programmed,
since it not only makes security analysis complex, but maintenance as well.
Many times we hear that so many tools have been developed and the complexity
of choosing the right one makes it even harder to effectively protect an
information technology environment. Ashby's law on requisite variety, variety
kills variety (referenced by Louise Yngström in [LY03]) is in my opinion a
realistic approach to security in today's environment. We can not today, and
probably never will, rely on a silver bullet tool that will resolve all our
security issues. This is due to the high level of complexity we are facing;
therefore we need several tools that can cope with several different and
specific problems.

Just wanted to share and see if there is any opinion/ideas on how to
give at least some assurance that the software which we package is safe
to use. Most of the time we are to rely on how obvious is a good intent
of the upstream authors from our subjective judgment.

-- 
  .-.
=--   /v\  =
Keep in touch// \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko  /(   )\   ICQ#: 60653192
   Linux User^^-^^[17]




Re: source code forensic practices

2007-01-30 Thread Thomas Viehmann
Hi Yaroslav,

Yaroslav Halchenko wrote:
> I ITPed a package which unfortunately ended up not providing original
> sources (sources everybody gets were indentation removed). Unreasonable
> denial of providing original source forced me to question good intent of
> the author to provide useful and spam/crap-free software. Since I could
> not possibly to examine that code, I've decided to look at other
> software written by the same author, and which has original source code,
> which probably nobody else ever examined anyways.

regardless of any possible outcome of your audit, I'm not sure that it's
a very good idea to include such code in Debian. IMO the results of your
analysis cast a shadow on the author's intent to provide free software
in the spirit of DFSG. There have been issues with upstream authors in
the past and it seems these things offer a huge amount of agony we
best avoid.
That said, if you feel like it, you could approach the author and
potentially advocate better release practices to him.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/





Re: Source code for unpacking Debian archives

2005-09-01 Thread Florian Weimer
* Tommy Nordgren:

> Where can I find the source code for unpacking .deb files, when
> downloading them via http or ftp?

Have a look at the dpkg source code.  Alternatively, use ar, gunzip
and tar.





Re: Source code for unpacking Debian archives

2005-09-01 Thread Christoph Berg
Re: Tommy Nordgren in [EMAIL PROTECTED]
> Where can I find the source code for unpacking .deb files, when
> downloading them via http or ftp?

ar t package.deb
ar x ...

OTOH, the dpkg sources can be compiled on non-Debian and non-Linux OSs.

Christoph
-- 
[EMAIL PROTECTED] | http://www.df7cb.de/




Re: Source code for unpacking Debian archives

2005-09-01 Thread Colin Watson
On Thu, Sep 01, 2005 at 01:29:27PM +0200, Tommy Nordgren wrote:
> Where can I find the source code for unpacking .deb files, when
> downloading them via http or ftp?
>
> Please email a copy of any replies. I'm not subscribed.
>
> I want to do this because my own OS don't contain any built in support
> tools for Debian Archives

$ cat /usr/share/doc/debian/source-unpack.txt
HOW TO UNPACK A DEBIAN SOURCE PACKAGE

There are two kinds of Debian source packages: old ones and new ones.

A. Old ones look like this:
  hello-1.3-4.tar.gz
  hello-1.3-4.diff.gz
 You unpack them by untarring the .tar.gz.  There is NO need to apply
 the diff.

B. New ones look like this:
  hello_1.3-11.dsc
  hello_1.3-11.diff.gz
  hello_1.3-11.orig.tar.gz - note the `.orig' part
 Here you MUST use dpkg-source or apply the diff manually - see below.

 If you have `dpkg-source' you should put the files in the same
 directory and type `dpkg-source -x whatever.dsc'.

 If you do not you can extract the Debian source as follows:
   1. untar P_V.orig.tar.gz.
   2. rename the resulting P-V.orig directory to P-V.  If some other
  directory results, rename *it* to P-V.
   3. mkdir P-V/debian.
   4. apply the diff with patch -p0.
   5. do `chmod +x P-V/debian/rules'
 (where P is the package name and V the version.)

C. There are some packages where the Debian source is the upstream
 source.  In this case there will be no .diff.gz and you can just use
 the .tar.gz.  If a .dsc is provided you can use `dpkg-source -x'.

 -- Ian Jackson [EMAIL PROTECTED]  Sat, 31 Aug 1996

-- 
Colin Watson   [EMAIL PROTECTED]





Re: Source code for unpacking Debian archives

2005-09-01 Thread Eduard Bloch
#include <hallo.h>
* Tommy Nordgren [Thu, Sep 01 2005, 01:29:27PM]:
> Where can I find the source code for unpacking .deb files, when
> downloading them via http or ftp?
>
> Please email a copy of any replies. I'm not subscribed.
>
> I want to do this because my own OS don't contain any built in support
> tools for Debian Archives

unp -u foo.deb

Eduard.

-- 
mechanix anyone from the MIA team around? tbm?
Ganneff sounds nice. how long do you have to be MIA to get into that team? :)
mhp you need to have a pgp key, I suppose. and no gpg one, and only a bo box
Np237 yes, but it must be expired





Re: Source code for unpacking Debian archives

2005-09-01 Thread John Hasler
Tommy Nordgren writes:
> I want to do this because my own OS don't contain any built in support
> tools for Debian Archives

You want the 'alien' program.  It should be available for your
distribution.
-- 
John Hasler





Re: source code on sh4

2003-08-29 Thread Adrian von Bidder
On Friday 29 August 2003 10:29,  wrote:
 debian-develHi

Where can I find the source code on sh4 for Debian linux

http://www.m17n.org/linux-sh/debian/ and go from there.

greetings
-- vbi

-- 
Sterility is inherited. If your parents never had kids, odds are you
wont either.
-- William R. James in news.admin.net-abuse.email

