Re: qtpfsgui for Debian

2007-10-31 Thread Martin Schulze 
Sune Vuorela wrote:
 On Tuesday 30 October 2007, Joey Schulze wrote:
  For a friend I've just installed qtpfsgui on etch and wonder if there are
  plans to include this package in sid-lenny already?
 
 Hi!
 
 We have currently no plans to package it, so you are most welcome to package 
 it if you feel it should be in debian.

I'm sorry, but I'd probably be the worst person maintaining a KDE-oriented
package.

Regards,

Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#325254: kdegraphics packages broken on sarge/powerpc because of kdelibs4 dependency

2005-08-27 Thread Martin Schulze 
Adeodato Simó wrote:
 severity 325254 serious
 reassign 325254 kdegraphics,security.debian.org
 retitle 325254 kdegraphics 3.3.2-2sarge1/powerpc uninstallable because of 
 dependency on kdelibs4 (= 4:3.3.2-6.2)
 notfound 325254 4:3.3.2-2
 found 325254 4:3.3.2-2sarge1
 thanks
 
 * Jochen Antesberger [Fri, 26 Aug 2005 19:25:32 -0500]:
 
  Package: kdegraphics
  Version: 4:3.3.2-2
  Severity: important
 
  *** Please type your report below this line *** The security updates
  for the kdegraphics packages for Sarge on powerpc cannot be installed
  because they depend on kdelibs4 = 4:3.3.2-6.2 while only =
  4:3.3.2-6.1 is available.

ARGS.  An advisory for kdelibs is pending but missing the mips build.

Why the )*(#%$ does a KDE package depend on the exact Debian version
of another KDE package?  That should not be the case in the first place.

  I suppose the correct kdelibs4 package needs to be supplied by the
  security servers as well to allow the new packages to be installed and
  the security gap being closed on the powerpc architecture.

Will happen soon.

Regards,

Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.

CAN-2005-1920: information leak in kate / kwrite

2005-07-23 Thread Martin Schulze 
Hi,

did you notice http://www.kde.org/info/security/advisory-20050718-1.txt?

I'm building an update for sarge now.  Can you tell me which version
of the package will have the fix included in sid?

Regards,

Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

CAN-2005-0404: information leak in kmail

2005-04-13 Thread Martin Schulze 
Please make sure a correction to this makes it into sarge.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0404

Reference: MLIST:[kmail-devel] 20050215 [Bug 96020] HTML Allows Spoofing of 
Emails Content
Reference: 
URL:http://mail.kde.org/pipermail/kmail-devel/2005-February/015490.html
Reference: MISC:http://bugs.kde.org/show_bug.cgi?id=96020
Reference: MISC:http://www.securiteam.com/unixfocus/5GP0B0AFFE.html
Reference: URL:http://secunia.com/advisories/14925


Regards,

Joey


-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#293754: kleopatra does not install

2005-02-05 Thread Martin Schulze 
Package: kleopatra
Version: 3.3.1-3
Tags: sid sarge
Severity: serious

The package should at least be installable when it is in the Debian archive,
even if it is a contrib package.

# apt-get install kleopatra
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  kleopatra: Depends: gpgsm but it is not installable
E: Broken packages

There is no such package as gpgsm and it is not listed in permitted fake
packages (/org/ftp.debian.org/testing/data/testing/FauxPackages).

Regards,

Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#287201: [patch] KDE ftp kioslave applies to woody as well

2005-01-07 Thread Martin Schulze 
Adeodato Simó wrote:
 * Martin Schulze [Thu, 06 Jan 2005 16:49:21 +0100]:
 
  Please
   . update the package in sid
   . mention the CVE id from the subject in the changelog
   . tell me the version number of the fixed package
   . use priority=high
   . no need to upload into sarge directly, except the version in
 sid is not meant to go into testing
 
   I recommend that you don't wait for the unstable package to be
   uploaded, since we need to hold it up until the latest kdebase and
   arts packages are built on all arches (#98 and #88 in the sparc queue,
   #18 and #14 in mipsel, the m68k buildd that picked kdebase is fast).

I won't wait unless I get a notice.

   Of course, you may want to mail us just before the stable security
   update happens, in case we're ready to go then. Is there an ETA for it
   already?

It depends how fast packages are built on our 11 architectures and
if there are problems.  For example, on i386 I just noticed:

Checking kdelibs3_2.2.2-13.woody.13_i386.deb against stable
~~~
Files in second .deb but not in first
-
/usr/lib/libgmcop.la
/usr/lib/libgmcop.so
/usr/lib/libgmcop.so.0
/usr/lib/libgmcop.so.0.0.0

I have no idea where this library comes from.

Regards,

Joey

-- 
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

Bug#287201: [patch] KDE ftp kioslave applies to woody as well

2005-01-06 Thread Martin Schulze 
Moritz Muehlenhoff wrote:
 Hi,
 this applies to woody as well. Attached you can find the backported upstream
 patch against 2.2.2. BTW, this is CAN-2004-1165.
 
 Cheers,
 Moritz

 diff -Naur kdelibs-2.2.2.orig/kio/ftp/ftp.cc kdelibs-2.2.2/kio/ftp/ftp.cc
 --- kdelibs-2.2.2.orig/kio/ftp/ftp.cc Wed Jan  5 12:29:07 2005
 +++ kdelibs-2.2.2/kio/ftp/ftp.cc  Wed Jan  5 12:28:25 2005
 @@ -596,6 +596,14 @@
  {
assert( sControl  0 );
  
 +  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
 +  {
 +kdWarning(7102)  Invalid command received (contains CR or LF): 
 + cmd.data()  endl;
 +error( ERR_UNSUPPORTED_ACTION, m_host );
 +return false;
 +  }
 +
QCString buf = cmd;
buf += \r\n;

Thanks, that was on my agenda as well.  Working on it now.

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . tell me the version number of the fixed package
 . use priority=high
 . no need to upload into sarge directly, except the version in
   sid is not meant to go into testing

Regards,

Joey

-- 
Let's call it an accidental feature.  -- Larry Wall

Bug#278173: kpdf: CAN-2004-0888: arbitrary code execution

2004-10-25 Thread Martin Schulze 
Package: kpdf
Version: 3.3.0-2
Severity: critical
Tags: security, sid, sarge

Please see DSA 573
http://www.kde.org/info/security/advisory-20041021-1.txt

I can provide a patch for xpdf if that's required, contact me privately.

Regards,

Joey

-- 
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

Bug#268016: [CAN-2004-0746] Konqueror Cross-Domain Cookie Injection

2004-08-25 Thread Martin Schulze 
Package: konqueror
Version: 3.2.3-1
Severity: grave
Tags: security upstream sarge

Web sites operating under the affected domains can set HTTP
cookies in such a way that the Konqueror web browser will send them
to all other web sites operating under the same domain.
A malicious website can use this as part of a session fixation
attack. See e.g. http://www.acros.si/papers/session_fixation.pdf

Affected are all country specific secondary top level domains that
use more than 2 characters in the secondary part of the domain name
and that use a secondary part other than com, net, mil, org, gov,
edu or int. Examples of affected domains are .ltd.uk, .plc.uk and
.firm.in

KDE versions up to KDE 3.2.3 inclusive. KDE 3.3 is not affected.

There is 3.2.3-1 in sid for some architectures, but they will probably
replaced soon by 3.3.0-1 which is said to be not vulnerable.

Regards,

Joey

-- 
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

KDE Security Advisory: URI Handler Vulnerabilities

2004-05-17 Thread Martin Schulze 
Hi,

could you tell me which version of kdelibs, kdenetwork (or another
package if another one is affected) fixes this problem in unstable?

http://www.kde.org/info/security/advisory-20040517-1.txt

If you apply the patch, please mention CAN-2004-0411 in the
changelog file so we can easier track this security problem.

Regards,

Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Re: KDE3 - Debian/experimental distribution proposal (was: yes i am alive ;)

2002-10-19 Thread Martin Schulze 
Moin Ralf!

Ralf Nolden wrote:
 well, as much as this would work out, someone has to do the work actually. 
 And 
 regarding the experimental distribution - that brings your work environment 
 to a highly unstable state, not to speak about the packagers having to build 
 the packages on this system.

The experimental distribution is designed for exactly this: Store
packages that are not yet suitable for unstable.  Packages don't need
to be uber-unstable to be uploaded to experimental, though.  It could
also be used as a staging area to store the packages before everything
is sorted out so they can be uploaded into unstable properly.

Another advantage of using experimental is that everything would
already be in the Debian archive: overrides, package names for the
BTS, files in the pool etc. pp.  This would mean that these packages
could already use the Debian package infrastructure, even though they
are not yet part of unstable.  However, I doubt that experimental is
autobuilt, so it'll require manual attention.

This will make it easer to upload all relevant packages into unstable
afterwards.

 Now, let's please be reasonable about what can be done easily and what is 
 desireable. Have a quick look at the current state:

Please take into account that quick and easy solutions are often not
good and promising solutions.  Going the proper path, however, sounds
much better to me and will probably be less painful for the future.

 The other thing is what version of Debian users want to run KDE on. I myself 

This is a completely different story, unfortunately.

You'll have to separate two issues: unstable/sid and woody.

Let's talk about woody first.  The woody distribution was released in
July and will stay stable until it will be removed from the Debian
servers and moved to the Debian archive.  Updates will address only
security and very serious problems.  KDE has no chance to get updated
in woody except for security concerns (which will happen).  However,
no new version of KDE will be included in woody.

This is nothing to worry about.  This ensures that the stable
distribution doesn't change too much during its lifetime.  All
installations and systems will more or less be the same.

If you would like to provide newer KDE packages for woody, which would
probably be a benefit from a users perspective, you'll need to bypass
the Debian server.  For this purpose, being able to add a line like
deb http://debian.kde.org woody main to apt.sources, would probably
the best and most logical solution (or switch the name to kde.debian.org/net).

Addressing unstable should be the long-term goal for all KDE packages,
since this will be the basis for the next stable distribution of
Debian, which will be released in the future.  Once all problems are
sorted out, packages should be uploaded into the unstable
distribution.

Providing preliminary Debian packages on external resources will help
developing packages for unstable.  Using the experimental distribution
of Debian will enable them to use the Debian infrastructure as well.

 My idea would be better to create a debian.kde.org website to collect all 
 this 
 information and to host a permanent official build on ftp.kde.org. That can 
 be the releases as they are plus additional applications that are provided 
 for those builds. We can sort those in into ftp if we like to, and that is 
 the easiest way to provide people a one-liner for their sources.list to 
 update regularly.

Having a native source for additional information, howtos, guidelines
etc. is always a benefit.  If such documentation is rather static and
less of a moving target and also dedicated for end-users, it may be
worth considering the use of www.debian.org.  This will
automatically add translations and is the native source for
information addressing Debian.

To conclude and since this mail is already quite long, from a core
developer's perspective I would like to see:

 1. debian.kde.org or kde.debian.org store more recent packages for
woody for those who would like to run a more recent version than
the one which is supplied with woody.  This could run on a
debian.org host (e.g. klecker) or on a kde.org host, and would be
an unofficial packges source.

 2. In order to provide new packages for the unstable distribution I'd
like to see the experimental distribution of Debian used, since
this enables using the entire infrastructure of Debian except for
the buildds.

 3. Storing additional information on an easy to remember host like
debian.kde.org or kde.debian.org is always good.  However, it
should probably be decided whether some information would also be
suited for www.debian.org.

Regards,

Joey

-- 
Every use of Linux is a proper use of Linux.  -- Jon Maddog Hall

Please always Cc to me when replying to me on the lists.

Re: KDE3 - Debian/experimental distribution proposal (was: yes i am alive ;)

2002-10-19 Thread Martin Schulze 
ReMoin!

Ralf Nolden wrote:
  Ralf Nolden wrote:
   well, as much as this would work out, someone has to do the work
   actually. And regarding the experimental distribution - that brings your
   work environment to a highly unstable state, not to speak about the
   packagers having to build the packages on this system.
 
  The experimental distribution is designed for exactly this: Store
  packages that are not yet suitable for unstable.  Packages don't need
  to be uber-unstable to be uploaded to experimental, though.  It could
  also be used as a staging area to store the packages before everything
  is sorted out so they can be uploaded into unstable properly.
 Yepp.
 
  Another advantage of using experimental is that everything would
  already be in the Debian archive: overrides, package names for the
  BTS, files in the pool etc. pp.  This would mean that these packages
  could already use the Debian package infrastructure, even though they
  are not yet part of unstable.  However, I doubt that experimental is
  autobuilt, so it'll require manual attention.
 That means more work than putting KDE into unstable I guess.

No, it should be easier, once the packages have demonstrated their
quality in experimental since the Debian infrastructure is already
used.  One thing that keeps new packages out of the archive is missing
overrides lines.  I'd expect that it is easier for the ftp people to
copy overrides lines from experimental to unstable than creating new
ones which requires thinking and considerations.

Of course, it's more work than simply dumping the packages into a
directory and not care about them anymore.  However, that won't help
very much anyway.

  This is a completely different story, unfortunately.
 Yes, understood. But I have to have a build for woody due to our customer 
 demand (at credativ where I'm working now). So those builds are made anyway 
 and are provided at the same time by KDE for woody users. I'm not speaking 
 about updating KDE in woody.

Copying these builds into a properly designed and apt-get'able area
will probably be a benefit for many users.

  If you would like to provide newer KDE packages for woody, which would
  probably be a benefit from a users perspective, you'll need to bypass
  the Debian server.  For this purpose, being able to add a line like
  deb http://debian.kde.org woody main to apt.sources, would probably
  the best and most logical solution (or switch the name to
  kde.debian.org/net).
 Yes, something like this. We'll have to go through the webserver stuff at KDE 
 first or just use ftp.kde.org for that.

I noticed that http://ftp.kde.org/ doesn't work, so you may want to
add this in order to make the archive fully apt-get'able including the
use of the http get method through web proxies.

  Having a native source for additional information, howtos, guidelines
  etc. is always a benefit.  If such documentation is rather static and
  less of a moving target and also dedicated for end-users, it may be
  worth considering the use of www.debian.org.  This will
  automatically add translations and is the native source for
  information addressing Debian.
 Yay!! I didn't think debian was so developer friendly to KDE stuff :-)) 

*smirk* Did I say anything wrong? :)

   2. In order to provide new packages for the unstable distribution I'd
  like to see the experimental distribution of Debian used, since
  this enables using the entire infrastructure of Debian except for
  the buildds.
 Ok. Could you help providing the necessary steps get going so we can upload 
 packages ?

In the debian/changelog line use something like:

kdegraphics (4:2.2.2-6.8) experimental; urgency=low

and upload the package to ftp-master.debian.org or use an upload
queue.  Noël and Michael can probably help with this step.

Regards,

Joey

-- 
Every use of Linux is a proper use of Linux.  -- Jon Maddog Hall

Please always Cc to me when replying to me on the lists.