Re: gnome-swallow_1.2-2_source.changes REJECTED
On 14-Nov-05, 20:22 (CST), Pierre THIERRY [EMAIL PROTECTED] wrote:
> You trust them, but not any user of Debian will want to trust them so much. Some will want some degree of confidence that the binaries are clean...

Then they need to download the source, examine it, and build the binary. Whether or not the original upload included a binary does not change that.

Steve

--
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world. -- seen on the net
Re: gnome-swallow_1.2-2_source.changes REJECTED
Manoj Srivastava wrote on 11/11/2005 at 22:35:
> You gotta start trusting somewhere. Our web of trust starts with the Developers in the keyring, we trust these people not to muck with the binaries.

You trust them, but not any user of Debian will want to trust them so much. Some will want some degree of confidence that the binaries are clean...

Would it cost too much to implement?

Doubtfully,
Nowhere man

--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
Re: gnome-swallow_1.2-2_source.changes REJECTED
Josselin Mouette wrote on 12/11/2005 at 18:37:
> It was already suggested to accept only source+binary uploads, but to rebuild the binaries on the upload's architecture anyway.

Has there been a consensus on rejecting that solution?

Curiously,
Nowhere man

--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Friday 11 November 2005 at 23:19 +0100, Jose Carlos Garcia Sogo wrote:
> Sorry, Joss, but I can't believe disk space can be a problem nowadays. Of course you can be short of disk space, but a 160GB HDD is quite affordable, and you can cache Debian lot of times there.

I can't believe I'm reading this.

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Saturday 12 November 2005 at 02:29 +0100, Pierre THIERRY wrote:
> And I see a rationale for allowing them: what prevents a DD to upload binaries that include exploits or some trojan code, along with a clean source?

It was already suggested to accept only source+binary uploads, but to rebuild the binaries on the upload's architecture anyway.

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Fri, Nov 11, 2005 at 12:18:00AM +0100, Joerg Jaspert wrote:
> On 10469 March 1977, Josselin Mouette wrote:
> > I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.
>
> Because people then fuck up their packages even more. No, they haven't been accepted in the past. Ubuntu does that, Debian not.

They were accepted by katie in the past, but strongly discouraged by the i386 buildd admin. Been there, done that. Nowadays, I think that pbuilder and friends have mostly alleviated the need for source-only uploads, but Josselin seems to disagree.

Daniel.
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Friday 11 November 2005 at 00:55 +0100, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
> > Why is this the case? I'm running with experimental GNOME packages; if I upload a binary package depending on them, it will be uninstallable on unstable systems.
>
> How can you test your packages if you don't build them?

I can test the version I have built against experimental GNOME libraries. They don't differ much from unstable ones, but the shlibs were bumped. For me, it's exactly similar to the fact I can't test packages on architectures other than mine.

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
On 11/10/05, Peter Samuelson [EMAIL PROTECTED] wrote:
> [Josselin Mouette]
> > I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.
>
> It's the first line of defense against people uploading things that don't build, wasting various infrastructure resources.

Shouldn't that be dealt with by having the infrastructure first deal with packages that have already been built on other architectures?

> Perhaps what you need is for someone to set up an autobuilder queue that doesn't upload packages but just returns them to you somehow, with logs, so you can sign and upload yourself. Of course this autobuilder queue should be under control of Debian developers, lest we have another round of flames about uploading untrusted binaries.

I think it has been suggested before to simply route the uploaded binaries to /dev/null and rebuild anyway.
Re: gnome-swallow_1.2-2_source.changes REJECTED
[Brian Nelson]
> Oh, so Ubuntu packages are fucked up more by their maintainers more than Debian packages are?

Yes, or so it's been alleged. Not being a user of ubuntu unstable, I can't confirm or deny.
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thu, 10-11-2005 at 23:43 +0100, Josselin Mouette wrote:
> On Thursday 10 November 2005 at 23:00 +0100, Adeodato Simó wrote:
> > * Josselin Mouette [Thu, 10 Nov 2005 22:45:20 +0100]:
> > > (And don't tell me to use pbuilder, I don't have the disk space nor the bandwidth for it.)
> >
> > Why bandwidth? Several systems exist to cache debs so they don't have to be fetched from the net each time they're used (apt-cacher, apt-proxy, or even a shared /var/cache/apt/archives).
>
> And here comes the lack of disk space...

Sorry, Joss, but I can't believe disk space can be a problem nowadays. Of course you can be short of disk space, but a 160GB HDD is quite affordable, and you can cache Debian lot of times there.

Cheers,

--
Jose Carlos Garcia Sogo [EMAIL PROTECTED]
Re: gnome-swallow_1.2-2_source.changes REJECTED
Josselin Mouette wrote on 10/11/2005 at 22:45:
> On Thursday 10 November 2005 at 13:32 -0800, Debian Installer wrote:
> > Rejected: source only uploads are not supported.
>
> I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.

And I see a rationale for allowing them: what prevents a DD to upload binaries that include exploits or some trojan code, along with a clean source? Isn't a buildd compilation more secure WRT this issue? (I don't try to say it's perfectly secure, I think admins of the buildd could do the trick also...)

I suspect that it has already been discussed, so could someone give me URIs of messages/web pages on the subject if it is the case?

BTW, is there any infrastructure to check against that? Would it be possible, or consume way much of resources (and first CPU of the buildd)?

Doubtfully,
Nowhere man

--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Sat, 12 Nov 2005 02:29:56 +0100, Pierre THIERRY [EMAIL PROTECTED] said:
> Josselin Mouette wrote on 10/11/2005 at 22:45:
> > On Thursday 10 November 2005 at 13:32 -0800, Debian Installer wrote:
> > > Rejected: source only uploads are not supported.
> >
> > I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.
>
> And I see a rationale for allowing them: what prevents a DD to upload binaries that include exploits or some trojan code, along with a clean source? Isn't a buildd compilation more secure WRT this issue? (I don't try to say it's perfectly secure, I think admins of the buildd could do the trick also...)

Of Robert Pike C compiler trojan trick ...

You gotta start trusting somewhere. Our web of trust starts with the Developers in the keyring, we trust these people not to muck with the binaries.

manoj

--
The more the change, the more it is the same thing. -- Alphonse Karr
Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/%7Esrivasta/
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thursday 10 November 2005 at 13:32 -0800, Debian Installer wrote:
> Rejected: source only uploads are not supported.

Why is this the case? I'm running with experimental GNOME packages; if I upload a binary package depending on them, it will be uninstallable on unstable systems.

I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.

(And don't tell me to use pbuilder, I don't have the disk space nor the bandwidth for it.)

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
* Josselin Mouette [Thu, 10 Nov 2005 22:45:20 +0100]:
> (And don't tell me to use pbuilder, I don't have the disk space nor the bandwidth for it.)

Why bandwidth? Several systems exist to cache debs so they don't have to be fetched from the net each time they're used (apt-cacher, apt-proxy, or even a shared /var/cache/apt/archives).

Cheers,

--
Adeodato Simó
EM: dato (at) the-barrel.org | PK: DA6AE621
Listening to: Matthew Kimball - I don't want to fall in love
We learned that the Linux load average rolls over at 1024. And we actually found this out empirically. -- H. Peter Anvin from kernel.org
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thursday 10 November 2005 at 23:00 +0100, Adeodato Simó wrote:
> * Josselin Mouette [Thu, 10 Nov 2005 22:45:20 +0100]:
> > (And don't tell me to use pbuilder, I don't have the disk space nor the bandwidth for it.)
>
> Why bandwidth? Several systems exist to cache debs so they don't have to be fetched from the net each time they're used (apt-cacher, apt-proxy, or even a shared /var/cache/apt/archives).

And here comes the lack of disk space...

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
[Josselin Mouette]
> I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.

It's the first line of defense against people uploading things that don't build, wasting various infrastructure resources.

Perhaps what you need is for someone to set up an autobuilder queue that doesn't upload packages but just returns them to you somehow, with logs, so you can sign and upload yourself. Of course this autobuilder queue should be under control of Debian developers, lest we have another round of flames about uploading untrusted binaries.
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thu, Nov 10, 2005 at 11:43:26PM +0100, Josselin Mouette wrote:
> On Thursday 10 November 2005 at 23:00 +0100, Adeodato Simó wrote:
> > * Josselin Mouette [Thu, 10 Nov 2005 22:45:20 +0100]:
> > > (And don't tell me to use pbuilder, I don't have the disk space nor the bandwidth for it.)
> >
> > Why bandwidth? Several systems exist to cache debs so they don't have to be fetched from the net each time they're used (apt-cacher, apt-proxy, or even a shared /var/cache/apt/archives).
>
> And here comes the lack of disk space...

Why not get someone else that has sufficient bandwidth/diskspace to build it in a pbuilder and upload for you?

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thu, Nov 10, 2005 at 04:49:08PM -0600, Peter Samuelson wrote:
> [Josselin Mouette]
> > I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.
>
> It's the first line of defense against people uploading things that don't build, wasting various infrastructure resources.
>
> Perhaps what you need is for someone to set up an autobuilder queue that doesn't upload packages but just returns them to you somehow, with logs, so you can sign and upload yourself. Of course this autobuilder queue should be under control of Debian developers, lest we have another round of flames about uploading untrusted binaries.

I don't want to speak for him, but Anibal has a pbuilder that he kindly let me use while he was sponsoring my packages. I just had to email the URL to the .dsc file to [EMAIL PROTECTED] and then it would download, build and email me the report. Maybe he (or someone else) would be willing to make something like that more widely available. If nothing else, maybe someone can provide the recipe and then someone else can set one up.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thursday 10 November 2005 at 17:49 -0500, Roberto C. Sanchez wrote:
> Why not get someone else that has sufficient bandwidth/diskspace to build it in a pbuilder and upload for you?

That's the obvious solution, but it just makes things more complicated. I was wondering the rationale behind refusing source-only uploads. Working around human issues by removing functionality has never proved to be efficient.

--
Josselin Mouette
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Debian GNU/Linux -- The power of freedom
Re: gnome-swallow_1.2-2_source.changes REJECTED
On Thu, Nov 10, 2005 at 10:45:20PM +0100, Josselin Mouette wrote:
> I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.

AFAIK, this is false. Source-only uploads were never allowed in Debian.

Regards,

--
Frank Lichtenheld [EMAIL PROTECTED]
www: http://www.djpig.de/
Re: gnome-swallow_1.2-2_source.changes REJECTED
On 10469 March 1977, Josselin Mouette wrote:
> > Rejected: source only uploads are not supported.
>
> I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.

Because people then fuck up their packages even more. No, they haven't been accepted in the past. Ubuntu does that, Debian not.

--
bye Joerg
dilinger i just managed to procrastinate an extra 30 mins by reading an article on how not to procrastinate
Re: gnome-swallow_1.2-2_source.changes REJECTED
Joerg Jaspert [EMAIL PROTECTED] writes:
> On 10469 March 1977, Josselin Mouette wrote:
> > > Rejected: source only uploads are not supported.
> >
> > I can't see the rationale for rejecting source uploads, and they used to be accepted in the past.
>
> Because people then fuck up their packages even more. No, they haven't been accepted in the past. Ubuntu does that, Debian not.

Oh, so Ubuntu packages are fucked up more by their maintainers more than Debian packages are?

--
Captain Logic is not steering this tugboat.
Re: gnome-swallow_1.2-2_source.changes REJECTED
In article [EMAIL PROTECTED] you wrote:
> Why is this the case? I'm running with experimental GNOME packages; if I upload a binary package depending on them, it will be uninstallable on unstable systems.

How can you test your packages if you don't build them?

Regards,
Bernd