Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-11 Thread Carlos Alberto Lopez Perez
On 11/06/13 02:47, Paul Wise wrote:
 On Tue, Jun 11, 2013 at 12:48 AM, Carlos Alberto Lopez Perez wrote:
 
 I'm not sure if beta versions are welcome on Debian or should be avoided
 if possible. My understanding is that it should be avoided if possible.
 
 The main thing is that packages uploaded to unstable are destined for
 the next Debian stable release and should thus be suitable for release
 in Debian stable in the maintainer's opinion (and the release/security
 teams).
 
 In general, releases blessed by upstreams as final are probably more
 likely to be suitable for stable than ones they designate as beta.
 Obviously this varies between upstreams, some are more diligent than
 others and keep their tree suitable for stable at all times.
 Ultimately it is the choice of the Debian maintainer whether or not a
 beta version is suitable for stable or not.
 
 One example of getting it wrong; some years ago a beta of apache or a
 beta of some apache related thing (I forget) was released in Debian
 stable. Upstream made a change between the beta release and the final
 release that made Debian incompatible with various other distros. In
 hindsight, shipping the beta was a bad idea; this is one reason why we
 tend to be conservative about this.
 
 In this case I would guess the risks are probably low as long as
 1.2~beta1 has been verified to work, since aircrack-ng is mostly an
 end-user tool.
 
 I was thinking of uploading this minor revision of 1.1 to unstable first
 (mainly to close #688158) and later packaging 1.2~beta1 for experimental.
 
 Sounds like a good plan to me.
 
 The changes look good to me, uploaded.
 

Thanks a lot :)

 For the next upload, you may want to look at the links on the PTS page
 and run some automated checkers over the package:
 
 http://packages.qa.debian.org/a/aircrack-ng.html
 http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
 

Looks like a great battery of tests. I will definitely try it.

 Another couple of things for the future of this package:
 
 Replace the embedded copy of oui.txt with one shared by many packages.
 

Which package contains such oui file? Is there any package shipping
generic oui files to be shared or is every package shipping just its own
oui file?

Also aircrack doesn't know how to parse the raw oui file. The oui file
should be grepped for (hex) and leading/trailing spaces should be
removed. A script (airodump-ng-oui-update) is shipped with the package
to download the latest oui file and convert it to the format that
aircrack understands.

I guess patching aircrack to understand the raw oui file shouldn't be
that difficult. The question is if there is any package shipping a
generic oui file that is meant to be shared for the rest of the packages
on the system, and is not only shipped for its own use. I won't feel
confident relying on the oui file shipped by another package unless that
oui file is shipped for generic purposes.

 Switch from hardening-includes to standard debhelper compat 9, which
 automatically includes hardening flags.
 
 wrap-and-sort -sa would make diffs of debian/control easier to understand.
 
 BTW, your OpenPGP key doesn't appear to have an expiry date. It is a
 good idea to set one and set reminders for the date when you should
 extend your key expiry date. Please see the relevant sections of this
 document:
 
 https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
 

I have AES encrypted revocation certificates already generated that I
store in different places. In case I lose my private key I can just
revoke it.

I find the usage of an expiration date a bit annoying, because if
someone doesn't update his keyring regularly he can have my key expired
even if I renewed it, and he could run into trouble to encrypt the mail
to me. Not everyone is tech savvy. This already has happened with some
friends.

Regards!
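
The conversion described in this message (keep only the "(hex)" lines of the raw oui file and strip leading/trailing whitespace), as an added example that is not part of the original e-mail and not the script shipped by the package. The sample data, the function names and the line-start matching in `lookup_vendor` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the airodump-ng-oui-update script shipped by the package.

# Constructed sample in the layout of a raw oui file (entries are made up).
sample_raw_oui() {
    cat <<'EOF'
OUI/MA-L                Organization
company_id              Organization

  00-11-22   (hex)      Example Networks Inc.
  001122     (base 16)  Example Networks Inc.
                        1 Example Street

AA-BB-CC   (hex)        Sample Wireless Ltd.
AABBCC     (base 16)    Sample Wireless Ltd.
EOF
}

# Keep only the "(hex)" records and strip leading/trailing whitespace.
normalize_oui() {
    sed -n -e '/(hex)/{' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 'p' -e '}'
}

# Hypothetical consumer: expects the OUI prefix at the very start of a line.
# $1 = MAC address (aa:bb:cc:...), $2 = OUI file; prints the vendor or nothing.
lookup_vendor() {
    prefix=$(printf '%s' "$1" | tr 'a-f:' 'A-F-' | cut -c1-8)
    sed -n "s/^${prefix}[[:space:]]*(hex)[[:space:]]*//p" "$2" | head -n 1
}

# Demo: the same lookup against the raw file and against the normalized file.
raw=$(mktemp); fixed=$(mktemp)
sample_raw_oui > "$raw"
normalize_oui < "$raw" > "$fixed"
printf 'raw:        [%s]\n' "$(lookup_vendor 00:11:22:33:44:55 "$raw")"
printf 'normalized: [%s]\n' "$(lookup_vendor 00:11:22:33:44:55 "$fixed")"
rm -f "$raw" "$fixed"
```

The raw file yields no vendor for the indented entry because the match is anchored at the start of the line; the normalized file does.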





Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-11 Thread Paul Wise
On Wed, 2013-06-12 at 03:10 +0200, Carlos Alberto Lopez Perez wrote:

 Which package contains such oui file? Is there any package shipping
 generic oui files to be shared or is every package shipping just its own
 oui file?

None yet, all packages that need it ship a copy of it, possibly in a
different form. See these bugs for the current status (not good):

http://bugs.debian.org/522741
http://bugs.debian.org/522642
http://bugs.debian.org/481296

 I have AES encrypted revocation certificates already generated that I
 store in different places. In case I lose my private key I can just
 revoke it.

A revocation certificate isn't enough; there are plenty of situations
where you want the key to become invalid and you won't be able to access
those revocation certificates; most of them involve accidental death or
permanent loss of mental faculties.

 I find the usage of an expiration date a bit annoying, because if
 someone doesn't update his keyring regularly he can have my key expired
 even if I renewed it, and he could run into trouble to encrypt the mail
 to me. Not everyone is tech savvy. This already has happened with some
 friends.

Not regularly updating your keyring is a security issue because you will
miss key revocations. Having a key expiry is a good way to find people
who are vulnerable to this issue and inform them that they need to
change their practices. With parcimonie and tor installed, they
basically don't need to think about it any more. The OpenPGP best
practices document covers this and several other things:

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#make-sure-you-are-receiving-regular-key-updates

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
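
A keyring audit for the expiry and revocation points raised in this message, as an added example that is not part of the original e-mail. It classifies each primary key in GnuPG's colon-delimited listing; the sample records, key IDs, function names and status labels are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Real input would come from:
#   gpg --list-keys --with-colons --fixed-list-mode
# pub record fields used: 2 = validity, 5 = key ID, 7 = expiry (epoch, empty = none).

# Constructed sample output (key IDs and user IDs are made up).
sample_colons() {
    cat <<'EOF'
pub:u:4096:1:1111111111111111:1262304000:::u:::scESC:
uid:u::::1262304000::AAAA::Constructed User One <one@example.org>:
pub:f:4096:1:2222222222222222:1262304000:1893456000::-:::scESC:
uid:f::::1262304000::BBBB::Constructed User Two <two@example.org>:
pub:e:2048:1:3333333333333333:1262304000:1325376000::-:::sc:
uid:e::::1262304000::CCCC::Constructed User Three <three@example.org>:
pub:r:2048:1:4444444444444444:1262304000:::-:::sc:
uid:r::::1262304000::DDDD::Constructed User Four <four@example.org>:
EOF
}

# $1 = current time (epoch seconds), $2 = warning window in days.
# Prints "<keyid> <status>" for every primary key read from stdin.
audit_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 != "pub" { next }
        {
            if      ($2 == "r")                                    s = "revoked"
            else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) s = "expired"
            else if ($7 == "")                                     s = "no-expiry"
            else if ($7 - now <= warn * 86400)                     s = "expires-soon"
            else                                                   s = "ok"
            print $5, s
        }'
}

# Demo on the constructed sample, using the current time and a 60-day window.
sample_colons | audit_expiry "$(date +%s)" 60
```

Keys reported as `no-expiry` are the case discussed above; `expires-soon` is the reminder to extend the expiry date before correspondents start seeing the key as expired.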




Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-11 Thread Carlos Alberto Lopez Perez
On 12/06/13 03:28, Paul Wise wrote:
 On Wed, 2013-06-12 at 03:10 +0200, Carlos Alberto Lopez Perez wrote:
 
 Which package contains such oui file? Is there any package shipping
 generic oui files to be shared or is every package shipping just its own
 oui file?
 
 None yet, all packages that need it ship a copy of it, possibly in a
 different form. See these bugs for the current status (not good):
 
 http://bugs.debian.org/522741
 http://bugs.debian.org/522642
 http://bugs.debian.org/481296
 

Interesting. I would keep an eye on these bugs. I think it is a great idea
to have this file shipped by only one package, ready for others to use.


 I find the usage of an expiration date a bit annoying, because if
 someone doesn't update his keyring regularly he can have my key expired
 even if I renewed it, and he could run into trouble to encrypt the mail
 to me. Not everyone is tech savvy. This already has happened with some
 friends.
 
 Not regularly updating your keyring is a security issue because you will
 miss key revocations.

Makes sense. I didn't think about this from that perspective.

 Having a key expiry is a good way to find people
 who are vulnerable to this issue and inform them that they need to
 change their practices. With parcimonie and tor installed, they
 basically don't need to think about it any more. The OpenPGP best
 practices document covers this and several other things:
 

I didn't know about parcimonie, looks like a must-have tool :)

I will look at setting an expiry date on my key.

Thanks!





Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread Carlos Alberto Lopez Perez
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package aircrack-ng

  * Package name    : aircrack-ng
    Version         : 1:1.1-6
    Upstream Author : Thomas d'Otreppe tdotre...@aircrack-ng.org
  * URL             : http://www.aircrack-ng.org
  * License         : GPL-2
    Section         : net

It builds those binary packages:

  aircrack-ng - wireless WEP/WPA cracking utilities

To access further information about this package, please visit the following URL:

http://mentors.debian.net/package/aircrack-ng

Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/a/aircrack-ng/aircrack-ng_1.1-6.dsc


Changes since the last upload:

  * Remove unused Build-Depends on obsolete libnl-dev (Closes: #688158)
  * Add 019-fix-spelling-manpages.diff (Closes: #697346)
  * Add 020-ignore-negative-one.diff (Adds an option ignore-negative-one
    to work around broken channel handling)
  * Add 021-fix-airodump-ng-oui-update.diff (Recently the oui file included
    some leading spaces that make it not recognizable by airodump-ng. Fix it)
  * Update airodump-ng-oui.txt file


Regards!







Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread أحمد المحمودي
Hello,

  Why not work on aircrack-ng 1.2~beta1 instead?

-- 
 ‎أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7




Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread أحمد المحمودي
On Mon, Jun 10, 2013 at 02:12:02PM +0200, Carlos Alberto Lopez Perez wrote:
   * Remove unused Build-Depends on obsolete libnl-dev (Closes: #688158)
---end quoted text---

  Why is netlink support disabled?

-- 
 ‎أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7




Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread Carlos Alberto Lopez Perez
On 10/06/13 15:18, أحمد المحمودي wrote:
 On Mon, Jun 10, 2013 at 02:12:02PM +0200, Carlos Alberto Lopez Perez wrote:
   * Remove unused Build-Depends on obsolete libnl-dev (Closes: #688158)
 ---end quoted text---
 
   Why is netlink support disabled?
 

1.1 doesn't support netlink.

Only 1.2~beta1 or superior supports it:
http://trac.aircrack-ng.org/changeset/2204





Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread Carlos Alberto Lopez Perez
On 10/06/13 14:50, أحمد المحمودي wrote:
 Hello,
 
   Why not work on aircrack-ng 1.2~beta1 instead?
 

That's a good question.

I'm not sure if beta versions are welcome on Debian or should be avoided
if possible. My understanding is that it should be avoided if possible.

I was thinking of uploading this minor revision of 1.1 to unstable first
(mainly to close #688158) and later packaging 1.2~beta1 for experimental.





Bug#711855: RFS: aircrack-ng/1:1.1-6

2013-06-10 Thread Paul Wise
On Tue, Jun 11, 2013 at 12:48 AM, Carlos Alberto Lopez Perez wrote:

 I'm not sure if beta versions are welcome on Debian or should be avoided
 if possible. My understanding is that it should be avoided if possible.

The main thing is that packages uploaded to unstable are destined for
the next Debian stable release and should thus be suitable for release
in Debian stable in the maintainer's opinion (and the release/security
teams).

In general, releases blessed by upstreams as final are probably more
likely to be suitable for stable than ones they designate as beta.
Obviously this varies between upstreams, some are more diligent than
others and keep their tree suitable for stable at all times.
Ultimately it is the choice of the Debian maintainer whether or not a
beta version is suitable for stable or not.

One example of getting it wrong; some years ago a beta of apache or a
beta of some apache related thing (I forget) was released in Debian
stable. Upstream made a change between the beta release and the final
release that made Debian incompatible with various other distros. In
hindsight, shipping the beta was a bad idea; this is one reason why we
tend to be conservative about this.

In this case I would guess the risks are probably low as long as
1.2~beta1 has been verified to work, since aircrack-ng is mostly an
end-user tool.

 I was thinking of uploading this minor revision of 1.1 to unstable first
 (mainly to close #688158) and later packaging 1.2~beta1 for experimental.

Sounds like a good plan to me.

The changes look good to me, uploaded.

For the next upload, you may want to look at the links on the PTS page
and run some automated checkers over the package:

http://packages.qa.debian.org/a/aircrack-ng.html
http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package

Another couple of things for the future of this package:

Replace the embedded copy of oui.txt with one shared by many packages.

Switch from hardening-includes to standard debhelper compat 9, which
automatically includes hardening flags.

wrap-and-sort -sa would make diffs of debian/control easier to understand.

BTW, your OpenPGP key doesn't appear to have an expiry date. It is a
good idea to set one and set reminders for the date when you should
extend your key expiry date. Please see the relevant sections of this
document:

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

-- 
bye,
pabs

http://wiki.debian.org/PaulWis

