Re: What to do about negligent maintainers?

2010-01-07 Thread Leo costela Antunes
Tollef Fog Heen wrote:
 I am not sure what we should do with problems like this. Not doing
 anything sends a signal that DDs are held to a different standard than
 DMs and NMs.  I don't think that is a signal we should send.

Agreed. At least in terms of packaging expectations, DDs' should be
equal to DMs'.

 Ideally, we should be able to ask the maintainer to scale back and they
 do so.  However, what should we do if they either don't respond or
 disagree?  The TC can already rule over maintainership so perhaps that
 is enough and we don't need any more procedures or rules to handle those
 cases?

What about adding some informal rule like this to dev-ref (or wherever):
after n unacknowledged NMUs the package may be taken over without it
being considered a hostile takeover, more like updating to reflect
the de-facto maintainer.
The new maintainer would in turn be free to RFA the package, request
removal, team-maintain it or whatever.

This would have the benefit of requiring some work from complainers and
making it look less like idle finger-pointing, possibly reducing the
social friction that happens anytime someone complains about someone
else's work, regardless of the complaint's merits.

Asking for TC intervention is also an option, but it's IMHO a bit
extreme. Though I still find it better than the other proposed
alternatives (DAM intervention, GR, whatever).


Cheers

-- 
Leo costela Antunes
[insert a witty retort here]


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: Deletion of my data

2009-09-22 Thread Leo costela Antunes
Dirk Neumann wrote:

 OK. I deleted all your posts from my mua. Is it enough to wait for my 
 backups getting automatically deleted or should I modify them?
 My sister won't read your message, she had unsubscribed in the past.
 Should I inform her to look into her mail archives?

Sarcasm might not be the best way to communicate with someone that may
not understand the limitations inherent to our list system or our policy
towards it.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]





Re: Summary of the debian-devel BoF at Debconf9

2009-08-18 Thread Leo costela Antunes
Russ Allbery wrote:
 Michael Banck mba...@debian.org writes:
 
 I think the most effective way of tackling this would be if we could
 somehow reassure people that the loudest voice isn't going to carry the
 day in discussions of project technical direction.  I think the fear that
 if one doesn't keep rebutting one's position will be steamrolled is what
 drives much of the repetitive discussion in those large threads.
 

Agreed, but given the fast branching nature of email lists it seems
inevitable that arguments will be repeated at different points, perhaps
in response to different people joining the discussion, even if the
intention isn't to hammer a point to oblivion but instead to genuinely
counter a new point.

The fact that referencing other emails on the thread isn't ideal
(doesn't guarantee full context; demands shift of attention from current
thread) also contributes to this problem.

I don't presume to know an easy solution to this, but perhaps
encouraging a public policy of moving to another format as soon as
possible (Wiki?) could help provide a central point of reference and
discussion, where all arguments could be arranged and linked in a single
place.
As a bonus, encouraging anonymous edits to the wiki (or at least leaving
the author's name just in the history and not right next to the
argument) could help avoid some biased reactions against certain
arguments based on author: IMHO reading the From line of emails before
the content can affect us in ways we don't even notice.

Of course this could all be in vain and all it achieves could be turning
petty insistence on a point into petty wiki redacting wars, but might be
interesting to try.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]





Re: Summary of the debian-devel BoF at Debconf9

2009-08-18 Thread Leo costela Antunes
Hi,

Ben Finney wrote:
 Bernhard R. Link brl...@debian.org writes:
 
 Perhaps there is a way to […] discourage all meta-discussion or
 mentioning of fallacy, ad-hominem or strawman on the other
 lists.
 
 Perhaps you have a better way of succinct terms to use when challenging
 those logical fallacies? Surely you're not saying you want such
 fallacies to go unchallenged in the forums where they appear?
 

I believe he meant only that these keywords tend to denote a crossing
into the realm of meta-discussion, where the point in question ceases to
be discussed, and instead the arguments themselves become points of
contention.
It doesn't mean the arguments are worthless, but indicates a certain
departure from the main point, which could mean this branch of the
discussion has started to dilute - so to speak - the thread and
therefore could be taken somewhere else, in order to keep the central
thread concise.

Please note I'm not showing my endorsement for this idea, just
clarifying what my interpretation of it was.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]





Re: Summary of the debian-devel BoF at Debconf9

2009-08-18 Thread Leo costela Antunes
Manoj Srivastava wrote:
 But really, the divergence from the discussion happened earlier,
  when the discussion degenerated into name calling (which is what ad
  hominem attacks are), or strawman attacks, which tend to derail the
  discussion by standing up irrelevant positions and arguing against that,
  leading to thread bloat.

Absolutely. The original idea - at least the part with which I agree -
is only that the appearance of the terms is a probable indication of
digression. It doesn't necessarily attribute the blame of digressing
to the one who mentioned the magic meta-words or to the one who
provoked them into being uttered.

 Indeed, leaving logical fallacies unchallenged does more to harm
  the discussion than pointing them out and trying to bring the thread
  back to a logical discussion; and leaving ad hominem attacks
  unchallenged poisons the discussion environment to the point that it
  detracts from the discussion itself.

That's beyond my (and AFAICT Bernhard's) point. I agree they shouldn't
be left unchallenged - at least in most cases - and haven't said they
should.

The point is only noting the digression and collectively suggesting
taking it outside (hopefully not in the knuckle-dragging sense).

What to do to practically achieve this after that digression has been
collectively noted, OTOH, is a matter to which I don't feel I have any
useful solution...
I believe I'm not the only one who feels an email saying let's calm
down and get back to the point to be pretty much useless, specially
after hitting the point of ad-hominem attacks or accusations thereof.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]





Re: On cadence and collaboration

2009-08-06 Thread Leo costela Antunes
Julien BLACHE wrote:
 Discussing the validity of security policies is not the point of this
 thread, so let's leave it at that, please.

It is exactly the point of this thread if you use it as an argument
against a common freeze cycle.

 This was only an example, there are others, nitpicking
 on this one (or any other, for that matter) is pointless.

It's OK to bring it up as an argument, but not to counter it?

Counter-argument != nitpicking. I wholeheartedly agree there are other
examples, pro and con, but since you brought this up as an argument,
there's nothing pointless in countering it.


Cheers

-- 
Leo costela Antunes
[insert a witty retort here]





Re: On cadence and collaboration

2009-08-05 Thread Leo costela Antunes
Julien BLACHE wrote:
 That'd break common enterprise setups like having 2 firewalls running
 different distributions. Not sure how you get around that once all the
 distros commonly used/accepted in the enterprise world agree on
 shipping the same version of server software.

Using two different versions of software is IMO no boon to security for
a series of reasons:
- Having a single compromised firewall is enough.
- There's no guarantee the different versions won't be affected by the
same security issues.
- There's more management work to follow the possible vulnerabilities,
which could be seen as making attack surface bigger.
- Not to mention the lack of support, which has already been used as an
argument: since it's unlikely upstream would provide security updates
for two versions the burden would fall on the distro and the timeframe
for exploits gets a bit bigger.

But even if I'm wrong - which I could easily concede - this doesn't
serve as argument, since you could just as easily use two different
versions of the same distribution, specially in scenarios where you can
deploy LTS and STS versions concurrently.
This would ease the management overhead and still keep the theoretical
security gains.


Cheers
-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Debian Membership

2009-03-14 Thread Leo 'costela' Antunes
[I'm only subscribed to -project, but keeping the cross-post]

Frans Pop wrote:
 The effort needed to go through the NM procedure also has an IMO important 
 security aspect: it's quite unlikely that a black hat would be willing 
 to make that effort to get in a position where (s)he could introduce 
 trojaned packages into the archive.

IMHO that's a false notion of security through laziness :). The
cost/benefit of waiting some months (years?) and doing some easy work
(at least for a black hat with enough technical expertise to write
something that could get through NEW unnoticed) is pretty tempting.
I'd say the only real deterrents to this sort of thing are NEW security
checks and a good identity check when signing someone's key, but of
course even those can be subverted.
Not to mention the almost mythical 1000 eyeballs make any bug shallow
effect, which should apply - at least tangentially - to security as well...

Just my 0,2€.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Debian Membership

2009-03-14 Thread Leo 'costela' Antunes
[still not subscribed to -newmaint, just keeping the cross-post]

Frans Pop wrote:
 On Saturday 14 March 2009, Leo 'costela' Antunes wrote:
 IMHO that's a false notion of security through laziness :).
 
 Black hats are lazy too. They go after easy targets for maximum profit.
 Getting into Debian currently takes a certain amount of demonstrated 
 dedication to the project through actual hard work. You should not 
 underestimate that.

I do agree it plays a role, but I don't think we should overestimate its
deterring factor either, so I wouldn't use it as an argument against
careful reworking of the NM process. (though I do see the value of
pointing it out!)

 That's useless IMO: just upload the first version of a package without the 
 trojan and include it in -2 after it has passed NEW.

True.

 [...] and a good identity check when signing someone's key [...]
 
 Which only helps to sanction the black hat after his misdeeds have been 
 discovered. It does nothing to prevent them.

But this should fit with the lazy argument above. If you consider the
time and work it takes to automatically infect potentially millions of
Debian machines a deterrent, then certainly the trouble of your actions
being easily traced back to you should act as just as big (if not
greater) a deterrent.

 Not to mention the almost mythical 1000 eyeballs make any bug shallow
 effect, which should apply - at least tangentially - to security as
 well...
 
 Only AFTER a bug has been detected. My point is about prevention. The risk 
 that a trojan will remain undetected for an extended period is quite 
 large if you select the packages to put it in a bit carefully.

Agreed. The point - which I should have made clearer - was just that the
chance of a trojan being caught this way is directly proportional to the
user base of the infected package and thus also to the amount of damage it
could make (which I guess is exactly what you mean by select the
packages carefully :) ).


Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Re-thinking Debian membership

2008-10-24 Thread Leo costela Antunes
Lars Wirzenius wrote:
 Having hundreds of (potentially unsafe) keys with upload rights to
 our archive, which isn't actually needed in many many cases is one
 thing; allowing all these keys to approve or delete members is
 another.
 
 Since any changes need to be easy to undo, and we need safeguards around
 such decisions anyway, I don't see a problem. For example, there could
 be a time-delay between adding a new member and the time when they can
 actually log in. Ditto for removing a member.

Or implementing something like the suggestion from Michael Hanke[0],
making the process open, but not immediate. Giving enough time and
opportunity to those currently working to filter changes _in_, to start
filtering changes _out_.

However, I don't get how the interaction between DAM approval and the
free-for-all editing of keyring is supposed to work out. If any DD (or
whatever you call it) has the right to make changes to the keyring,
what's the use of DAM endorsement vs veto counting?
I figure this could be implemented automatically, like a .commands file
with multiple signers as endorsements and another (possibly also
multi-signed) .commands file as a veto.

And I second the thought that counting just votes as keep-alive is
perhaps too strict.

Aside from that, I agree with the idea.


Cheers

[0] http://lists.debian.org/debian-project/2008/10/msg00154.html

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Bits from the DPL: FTP assistants, marketing team, init scripts, elections

2008-02-25 Thread Leo costela Antunes
Felipe Augusto van de Wiel (faw) wrote:
   [1]OpenPuppets made a [2]genie for us. :-)
 
 1. http://www.openpuppets.com/
 2. http://www.openpuppets.com/fondos/8c.png

I for one enjoy the openpuppets logo's line of thought, though not this
particular rendition of it.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: linhdd concerns

2007-11-27 Thread Leo costela Antunes
Steve Langasek wrote:
 No, that would be a security hole.  Even making it setgid disk would be a
 security hole, since the disk group has write access to all disk devices.

I didn't mean a simple wrapper around the binary, I meant a wrapper
around the binary with a specific set of arguments, locking the used to
a single read-only operation (which seems to be what the front end needs).

Now that you mention it, my original thought would still pose a security
threat in case the fdisk could somehow be exploited through the wrapper,
but then again this is precisely the same level of security any other
setuid binary in the system has.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature
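
The fixed-argument wrapper described in the message above, as an added example (not code from linhdd, util-linux or anyone in this thread). It assumes fdisk lives at /sbin/fdisk and that the wrapper is installed setgid disk; the helper names and the optional, strictly validated device argument are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define FDISK_PATH "/sbin/fdisk"   /* assumed install path */

/* Accept only whole-disk nodes named /dev/sdX or /dev/hdX, X in a..z.
 * Anything else (options, partitions, paths with "..") is rejected. */
int device_name_ok(const char *dev)
{
    if (dev == NULL || strlen(dev) != 8)
        return 0;
    if (strncmp(dev, "/dev/sd", 7) != 0 && strncmp(dev, "/dev/hd", 7) != 0)
        return 0;
    return dev[7] >= 'a' && dev[7] <= 'z';
}

/* Build the only command line the wrapper will ever run:
 *   fdisk -l            (dev == NULL)
 *   fdisk -l /dev/sdX   (dev validated)
 * The caller never supplies options. Returns argc, or -1 on rejection. */
int build_argv(const char *dev, const char *argv_out[4])
{
    argv_out[0] = "fdisk";
    argv_out[1] = "-l";            /* list partition tables only */
    if (dev == NULL) {
        argv_out[2] = NULL;
        return 2;
    }
    if (!device_name_ok(dev))
        return -1;
    argv_out[2] = dev;
    argv_out[3] = NULL;
    return 3;
}

int main(int argc, char **argv)
{
    const char *child_argv[4];
    /* Fixed environment: nothing from the caller (LD_*, IFS, PATH...)
     * reaches the privileged child. */
    static char *const child_env[] = {
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C", NULL
    };

    if (argc > 2) {
        fprintf(stderr, "usage: %s [/dev/sdX|/dev/hdX]\n", argv[0]);
        return 2;
    }
    if (build_argv(argc == 2 ? argv[1] : NULL, child_argv) < 0) {
        fprintf(stderr, "rejected device name\n");
        return 2;
    }
    /* Absolute path, no shell, no PATH lookup. A bug in fdisk that is
     * reachable through "-l" would still run with the wrapper's group
     * rights, which is the residual risk raised in the thread. */
    execve(FDISK_PATH, (char *const *)child_argv, child_env);
    perror("execve");
    return 127;
}
```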


Re: linhdd concerns

2007-11-26 Thread Leo costela Antunes
Anthony Towns wrote:
 Given the description of abs_fdisk on the linhdd site:
 
 ] 0.4 release now includes a customized version of fdisk (called
 ] abs_fdisk). Why? Well, dealing with SATA (scsi) in /proc was a bear --
 ] and the ease with which fdisk gave me the needed drive info made me wish
 ] I could use fdisk. Just that on Slackware and Absolute, which I use,
 ] you can only run fdisk as root. So -- I downloaded util-linux and
 ] changed the source code for fdisk so that it would not write anything
 ] to drives, just return the drive info. Renamed it abs_fdisk (because I
 ] wrote it sort of specifically for Absolute Linux, and Eureka!, Use fdisk
 ] as non-root user safely.
 
 makes it sound to me like you should be packaging abs_fdisk separately and
 having linhdd Depend: on it; or, ideally, getting util-linux patched so
 its fdisk can support the same features as abs_fdisk.

What information does linhdd need from fdisk?
Fdisk seems to run just fine as a normal user on Debian. The issue
seems to be that /dev/{s,h}d* are directly readable only by members of
the group 'disk'.
Perhaps instead of packaging this 'abs_fdisk', which AFAICT is just a
read-only non-root fdisk, you could just create a setuid wrapper to
the normal fdisk and use it from linhdd?

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Making Debian work: a question of trust indeed

2007-11-20 Thread Leo costela Antunes
Sam Hocevar wrote:
So, please let me know whether we'll have to fight, or if a few
 things can still go smoothly. This is certainly no longer something
 about which I can afford to wait 2 months between each answer from
 you.

Though I'm distant enough from the project to usually stay away from
personal involvement, I can imagine this to be a serious issue.

However, after reading the email through, I feel it could perhaps have
been written in a less belligerent tone. Specially since it comes from
the DPL, with the DPL hat on (as I understood from the From of the
message).

I know I'm fighting against the natural tide here, but I'm just trying
to stop a possible flamewar before it starts, if at all possible, so
couldn't this issue (of which I have no particular knowledge) be
addressed in a somewhat different pace?

If you disagree with my opinion that the tone of the email is perhaps a
little too aggressive, please just disregard this email. I have no
intention of lighting the fire myself.

Hopefully I'm just being over-cautious.

Cheers

-- 
Leo costela Antunes
[insert a witty retort here]



signature.asc
Description: OpenPGP digital signature


Re: Debian, lists and discrimination

2004-08-06 Thread Leo \Costela\ Antunes
On Fri, 2004-08-06 at 09:09, MJ Ray wrote:
 To me, the most obvious fix is to replace debian-women with something 
 like debian-equality or debian-welcome, to try to get people active 
 against discrimination rather than actively promoting blatant sexism. 

I don't know how much the Debian girls are being positive or negative
about the whole debian-women initiative, I don't even know who they are,
but I agree with the name change for all the cited reasons and for the
sake of clarity.

Maybe debian-unisex ? =]

Cheers
-- 

 Leo Costela
 [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
 you must cut down the mightiest tree in the forest... with... a herring!


signature.asc
Description: This is a digitally signed message part


Re: Debian, lists and discrimination

2004-08-06 Thread Leo \Costela\ Antunes
On Fri, 2004-08-06 at 16:09, Daniel Ruoso wrote:
 You just don't care about the problem that debian-women is trying to
 deal.

I think you're being over defensive. If I understood Jaldhar H. Vyas
right, I agree with him.
What I understand is: Debian (as a Project, in its Social Contract or
Policy or any other defining document) doesn't NEED to tend any
minority's social aspect. Our only commitment is with software quality
and integration. Nevertheless, we CAN (and maybe SHOULD) tend to the
technical aspects that affect any group, not necessarily a minority, and
that's what I believe debian-women is about (of course, correct me if
I'm off the tracks here).
If that's what debian-women is really about, then more power to them!
If not, I don't quite agree with its existence since I don't think
Debian is an NGO with a social agenda, but then again, me not liking it
is not gonna change anything.

 I just don't understand why you want to stop them doing that...

Nobody said anything about stopping them (at least I didn't read it and I
certainly didn't say it), I just think that if they want to serve the
purpose I explained above, a change in the project name would only
improve the acceptance rate of the initiative and overall attract more
help and less prejudice.

And I say all this with a non-belligerent tone.

Cheers
-- 

 Leo Costela
 [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
 you must cut down the mightiest tree in the forest... with... a herring!


signature.asc
Description: This is a digitally signed message part


Re: debian with bsd kernel

2004-07-15 Thread Leo \Costela\ Antunes
[answer in pt_BR only]

Hadiel,

First of all, this mailing list is English-only. For
questions in Portuguese, use the list
debian-user-portuguese@lists.debian.org

As for your question, there are already versions of Debian running with
BSD kernels, but I - personally - have never used any of these versions and
therefore don't know how complete or functional they are.

It's worth checking out for yourself: http://www.debian.org/ports/netbsd/

Regards

On Thu, 2004-07-15 at 13:45, hadiel wrote:
 I just wanted to know whether it is really possible to use a bsd kernel in debian,
 or whether it is just a project.
  
 thank you very much
  
 hadiel miranda
-- 

 Leo Costela
 [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
 you must cut down the mightiest tree in the forest... with... a herring!


signature.asc
Description: This is a digitally signed message part


Re:

2004-02-16 Thread Leo \Costela\ Antunes
[replying in pt_BR only]

pt_BR
Good morning

This list is not intended for this kind of discussion; it is a list
for discussions specific to the Debian project and its official language is
English.
If you have questions about Debian and are looking for help, please
go to the IRC channel #debian-br or send emails to the list
[EMAIL PROTECTED]

Debian itself does not sell any product, but makes both its
software collections and its documentation available for redistribution. The
documentation you are looking for may be available at
http://www.br.debian.org/doc/
/pt_BR

On Mon, 2004-02-16 at 11:31, Leo Bueno wrote:
 Good morning
  
 I would like to know whether you sell any book about DEBIAN, or even
 about Linux, as I am very interested in learning more
 about the Operating System
  
 ---
 Outgoing mail is certified Virus Free.
 Checked by AVG anti-virus system (http://www.grisoft.com).
 Version: 6.0.585 / Virus Database: 370 - Release Date: 11/02/2004
-- 

 Leo Costela
 [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
 you must cut down the mightiest tree in the forest... with... a herring!


signature.asc
Description: This is a digitally signed message part


Re: security.debian.org down?

2004-02-03 Thread Leo \Costela\ Antunes
On Tue, 2004-02-03 at 14:00, John Goerzen wrote:
 seem easy enough to at least log on to the machine that hosts *the*
 www.debian.org and vi a couple of files.

I don't think it's THAT easy, but I do agree that we could exploit (oh
geez, did I say that word?!) the possibility of fortifying our backups,
making our mirrors search for a second update route in case of a
problem.
DISCLAIMER: I have no idea how the mirrors are set up, if their set up
prohibits such thing, please explain

Cheers
-- 

 Leo Costela
 [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
 you must cut down the mightiest tree in the forest... with... a herring!


signature.asc
Description: This is a digitally signed message part