Re: Salsa as authentication provider for Debian
On Mon, 13 Apr 2020, Sam Hartman wrote:

> >>>>> "Luca" == Luca Filipozzi writes:
>
>     Luca> This is why having a central approach to account creation,
>     Luca> rather than distributed, is worth considering. I'm in favour
>     Luca> of usernames not changing because one's role changes but that
>     Luca> does not mean I'm in favour of divergent namespaces.
>
> I don't think anyone here is in favor of divergent namespaces. I think
> a lot of us think it would be reasonable if salsa became the place at
> which names were reserved

Except it's a huge, intensely integrated code-base that currently is
very hip. Just like alioth was a few years ago. Small is beautiful.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
Re: Support WKD (and WKS) for @debian.org email addresses?
On Wed, 07 Nov 2018, W. Martin Borgert wrote:

> Do we want WKD for debian.org, like gentoo.org and kernel.org?
>
> TIA for your opinions & Cheers

I'd look at code that generates WKD and dane information for users that
enable it in ldap.
Re: Debian System Administration team sprint report
On Thu, 08 Feb 2018, Chris Lamb wrote:

> Hi Julien,
>
> Thank you for such a detailed report; really appreciated.
>
> > The traffic for security.debian.org currently peaks at around 25Gbps
> > globally for just the linux kernel in a single suite.
>^^^
>
> I think I'm parsing this correctly (25GBps after we push a kernel
> security update?), but could you rephrase it just in case?

security.debian.org traffic from just the pool/updates/main/l/linux
directory peaks at 25Gbps when a security update is released.

> > The snapshot.debian.org mirror hosted by LeaseWeb has been running out
> > of disk space.
>
> Aw, does that mean we "lost" incoming archive data?

leaseweb is a mirror of the master copy at sanger. That also ran out of
space a while ago but breaking up a mirror over 2 external storage
arrays into individual devices provided the extra room there, so we
should be fine.
Re: Emeritus status, and email forwarding
On Wed, 15 Nov 2017, Michael Stone wrote:

> On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> > Unfortunately it would mean that such people would still need some
> > kind of login on Debian systems, so that they could update the email
> > forwarding. But it wouldn't have to have the wide powers of an active
> > DD/DM account.
>
> Unless this turns into an extremely popular option it seems like updating
> could be done manually, with no need for a complicated technical solution.

Without a key in a keyring that somebody maintains, authenticating such
requests, even manually, is going to be a PITA.
Re: No port 443 (https) available at "security.debian.org"-repository
On Tue, 25 Jul 2017, Chris Lamb wrote: > Zeiha, > > > your repositories on "debian.org" (especially "http://security.debian.org/; > > !!) are not! > In short, there's no need for SSL. Please see > <https://wiki.debian.org/SecureApt> for the technical details. > We still want to provide this eventually, but it's Hard and Far From Trivial. Mails like the one from the OP are hugely demotivating to everybody who is actually doing work on this. The only thing they do is help delay it even more.
Re: please fix archive.debian.net (was: Expired HTTPS cert)
On Mon, 06 Mar 2017, Peter Palfrader wrote:

> Hi Frank,
>
> > The HTTPS certificate for archive.debian.net expired on 19 February
> > 2017, and due to HSTS this cannot be bypassed by clients.
>
> DSA is getting bombarded on its various channels about a
> misconfiguration on your service. This is causing real pains for us.
>
> Please fix your service.

I have pointed DNS away from the broken archive.debian.net service for
now.
Re: shutting down httpredir.debian.org?
On Mon, 25 Apr 2016, David Kalnischkies wrote:

> > I'll try in unstable first as this was a LXC guest with jessie.
>
> Be careful that this isn't behind a cache/proxy or such as these usually
> don't bother with SRV and instead rely on the (permanent?) HTTP redirect
                                                 ^^
> recently added.

permanent seems like a bad idea. fixed in dsa-puppet git.

Cheers,
Re: shutting down httpredir.debian.org?
Christian Rohmann wrote on Thursday, 14 April 2016:

> It might sound like a very non technical argument: But what apart from
> mirrorbrain which is that powerful, free and field-proven is there as
> alternative? I would rather work on getting pull requests ready
> resolving the various little bugs and annoyances than to discuss
> something completely different once again. It's not like mirrorbrain is
> fundamentally unfit to work as good mirror redirector for Debian.

You could argue (and I have), that file-based redirects are not ideal
if your update is downloading lots of little files. The latency hit of
many redirects is non-trivial.

Regardless, currently httpredir.debian.org is in a bad shape, and users
get errors when they are using it. This is unacceptable and it needs
fixing. Even pointing the name to a single server that works, such as
ftp.debian.org, would be better than the status quo. If we want to
maintain some form of geographic closeness for it, then pointing it to
deb.debian.org seems like something we could try.

Raphael indicated that he plans to fix httpredir and keep maintaining
it. If that actually works out, maybe we don't need to change anything.
We will see.
Re: shutting down httpredir.debian.org?
On Tue, 12 Apr 2016, Raphael Geissert wrote:

> - the main code contributors (Simon and yours truly) have been
> EBUSY/ENOTIME for a while - Simon, please correct me if I'm wrong [*]

> What I propose is:
> 1. to fix the recent regressions and perform some maintenance on the
> service in an attempt[1] to reduce the user-visible errors. Before the
> end of April.
> 2. define the next steps towards improving the service - can be done
> in an open way in the mirrors ML. Starting today, with no ending date.
> 3. organise a sprint in order to ensure that time is available to work
> on the service. Perhaps during SunCamp, as people such as weasel also
> appear to be interested in participating - so let's say end of May.

Do you expect [*] to change in the near future? The current status has
existed for a while, and wishful thinking hasn't helped to improve it.

What is needed here is continuous work be put into improving and
maintaining the service. A one-off rush won't be sufficient.

[Currently SunCamp already has release move stuff on the list of things
that need doing.]

Cheers,
Re: shutting down httpredir.debian.org?
On Tue, 12 Apr 2016, Raphael Hertzog wrote:

> On Tue, 12 Apr 2016, Peter Palfrader wrote:
> > So, it appears as if currently nobody has time or the energy to take
> > care of httpredir.debian.org properly.
> >
> > I suggest we shut down the service for now. If, at some future point,
> > somebody wants to maintain again we can always start it up again.
>
> Will you make httpredir point to a normal mirror so as not to break
> systems relying on it? (Or even to the geolocalized DNS entries if we
> still have that)
>
> If yes, then it's certainly a sensible thing to do.

I agree that breaking existing uses (of at least /debian) should be
avoided, and that, therefore, pointing it to some working system would
be the way to go.

> I'd like also to note that once we have proper by-hash package indices in
> Debian too, it's entirely reasonable to rely on MirrorBrain as HTTP
> redirector. I use it for Kali for more than 3 years already.
>
> http://mirrorbrain.org

Looks exciting at first glance. Need to look at it in more detail.

Cheers,
shutting down httpredir.debian.org?
Hi,

we keep getting reports of httpredir.debian.org not working correctly,
such as intermittently just sending errors or redirecting to mirrors
that are out of date.

Only a few of those make it to the BTS, some make it to
mirr...@debian.org, and there are several on various IRC channels. I
suspect quite a few make it to Raphael, since that's still the contact
point listed on the website (not an email address there, either - just a
link to blogspot).

When there is a response - and there isn't always - it's usually "nobody
currently maintains httpredir, sorry".

So, it appears as if currently nobody has time or the energy to take
care of httpredir.debian.org properly.

I suggest we shut down the service for now. If, at some future point,
somebody wants to maintain again we can always start it up again.

Opinions?
Re: Namespace question - data.debian.org
On Wed, 16 Dec 2015, Iain R. Learmonth wrote:

> Hi Steve,
>
> On Wed, Dec 16, 2015 at 09:56:02AM +, Steve McIntyre wrote:
> > To me, they sound more like *metadata* maybe:
> > metadata.debian.{net,org} maybe?
>
> This sounded great to me until I realised metadata.debian.org is already
> claimed by ftp-master by way of ftp-master.metadata.debian.org.

Yes, but there can be other metadata things. that's why it's
ftp-master.metadata.debian.org and not just metadata.debian.org.
Re: moving to usergroups
On Sat, 17 Oct 2015, Peter Palfrader wrote:

> On Sat, 17 Oct 2015, Peter Palfrader wrote:
>
> > On Fri, 16 Oct 2015, Peter Palfrader wrote:
> >
> > > 1 create, for each user in the Debian LDAP, a group named like the
> > >   user.
> > > 2 Make the primary group for each user their corresponding group.
> > > 3 Make their former primary group (Debian, guest) a supplementary
> > >   group.
> >
> > I have done #3 already. This means teams can adapt their scripts
> > accordingly. #1 and #2 will follow shortly.
>
> And I've done #1 and #2 for user weasel. The others will follow
> shortly. Here's the proposed ldiff:
>
> weasel@valiant:~$ ssh draghi.debian.org ./usergroups/make-groups | publish
> https://www.palfrader.org/volatile/2015-10-17-usPyPBKssQY/stdin

And done. Thanks for following along from at home.

Cheers,
Re: moving to usergroups
On Fri, 16 Oct 2015, Peter Palfrader wrote:

> 1 create, for each user in the Debian LDAP, a group named like the
>   user.
> 2 Make the primary group for each user their corresponding group.
> 3 Make their former primary group (Debian, guest) a supplementary
>   group.

I have done #3 already. This means teams can adapt their scripts
accordingly. #1 and #2 will follow shortly.

Cheers,
Re: moving to usergroups
On Sat, 17 Oct 2015, Peter Palfrader wrote:

> On Fri, 16 Oct 2015, Peter Palfrader wrote:
>
> > 1 create, for each user in the Debian LDAP, a group named like the
> >   user.
> > 2 Make the primary group for each user their corresponding group.
> > 3 Make their former primary group (Debian, guest) a supplementary
> >   group.
>
> I have done #3 already. This means teams can adapt their scripts
> accordingly. #1 and #2 will follow shortly.

And I've done #1 and #2 for user weasel. The others will follow
shortly. Here's the proposed ldiff:

weasel@valiant:~$ ssh draghi.debian.org ./usergroups/make-groups | publish
https://www.palfrader.org/volatile/2015-10-17-usPyPBKssQY/stdin

[ and https://www.palfrader.org/volatile/2015-10-17-LEkh6i0sLHY/make-groups
if you're curious ]
moving to usergroups
Hi,

I'd like to change all LDAP user accounts to have a per-user group as
their primary group.

Currently, on debian.org infrastructure, users have as their primary
group either gid Debian (800), or gid guest (6). This, of course,
results in their files being owned by that group by default.

This is somewhat ugly for the case where people have their account
upgraded from guest to DD status[1], because the account ends up with
files being owned by the "wrong" group.

Furthermore, this prevents people from having 002 as their umask by
default, which is at times a problem when people also actively work in
team-owned filesystem trees.

Therefore I propose to:
 - create, for each user in the Debian LDAP, a group named like the
   user.
 - Make the primary group for each user their corresponding group.
 - Make their former primary group (Debian, guest) a supplementary
   group.

This would require adapting all scripts that currently rely on the gid
field to tell if somebody is a DD. They would have to change their
filter/condition from e.g. gidNumber=800 to supplementaryGid=Debian.
(Note that supplementaryGid is a multi-value field.)

Comments/suggestions/concerns?

Regards,
weasel

1. The reverse transition has also been observed with people retiring
   but still needing access to porter systems but it's a lot rarer.
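
The filter change this message asks script authors to make, as an added example that is not part of the original mail and not DSA's code: a check for DD status run over LDAP entries before and after the move to per-user primary groups. Only gidNumber=800, gid 6 for guest, and the multi-valued supplementaryGid come from the message; the LDIF records, uids, numeric gids, extra group names and helper functions are constructed for illustration.

```python
"""Added example: telling DDs apart once primary groups are per-user."""

# Constructed LDIF. Before the migration the primary gid carries the status.
BEFORE = """\
dn: uid=alice,ou=users,dc=example,dc=org
uid: alice
gidNumber: 800
supplementaryGid: exampleteam

dn: uid=bob,ou=users,dc=example,dc=org
uid: bob
gidNumber: 6
"""

# Same constructed accounts afterwards: gidNumber is now the per-user group,
# the former primary group moved into supplementaryGid (one value per line).
AFTER = """\
# bob's dn is folded across two lines, as LDIF allows
dn: uid=alice,ou=users,dc=example,dc=org
uid: alice
gidNumber: 3001
supplementaryGid: exampleteam
supplementaryGid: Debian

dn: uid=bob,ou=users,
 dc=example,dc=org
uid: bob
gidNumber: 3002
supplementaryGid: guest
supplementaryGid: Debian-example
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts.

    Handles comments, blank-line record separators and folded lines
    (a continuation starts with one space). Attribute names are lowercased
    because LDAP attribute names are case-insensitive. Base64 ("::") values
    are not decoded; this is a reduced parser for the example.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_dd_legacy(entry):
    """Old condition (gidNumber=800): stops matching once gids are per-user."""
    return entry.get("gidnumber") == ["800"]


def is_dd(entry):
    """New condition (supplementaryGid=Debian): exact match on any one value."""
    return "Debian" in entry.get("supplementarygid", [])


def is_dd_substring_bug(entry):
    """Mistake to avoid: flattening the multi-valued field into one string."""
    return "Debian" in " ".join(entry.get("supplementarygid", []))


def classify(text, check):
    """Map uid -> result of `check` for every entry in the LDIF text."""
    return {e["uid"][0]: check(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for label, data, check in [
        ("before, gidNumber=800", BEFORE, is_dd_legacy),
        ("after, gidNumber=800", AFTER, is_dd_legacy),
        ("after, supplementaryGid=Debian", AFTER, is_dd),
        ("after, substring match (wrong)", AFTER, is_dd_substring_bug),
    ]:
        print(f"{label:34} {classify(data, check)}")
```

A script left on the old condition fails closed after the migration (nobody is a DD), while a substring or single-value comparison on supplementaryGid can fail open for a group whose name merely contains "Debian".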
Re: State of the debian keyring
On Mon, 24 Feb 2014, Ian Jackson wrote: Gunnar Wolf writes (Re: State of the debian keyring): Our tools (and I don't only mean keyring-maint, but our projectwide tools) support only one key per person. And frankly, I do not see a case where adding a second one would increase security. Yes, it could make the transition a little bit easier, but I don't think it is a change we should push. (Or maybe I misunderstood your suggestion). I think this is a bug. I'm also not convinced it's actually correct.

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140225061442.gt24...@anguilla.noreply.org
Re: Possibly moving Debian services to a CDN
On Sat, 08 Feb 2014, Simon Paillard wrote: I don't think Debian should shut down the mirror network; at least on a national level. For example, right now I am configuring Debian AMIs within China, and the only mirror I can access from there is ftp.cn.debian.org. I don't want the current mirror network be dropped in favor of a CDN, for the same good reason of being independent of a too little group of CDN providers willing/able to carry Debian. The goal should be that we provide users with the best means to get packages quickly: low latency for requests, high bandwidth for transfers, and soon after a dinstall run. Users shouldn't have to pick their mirror manually, they shouldn't have to update their configuration if anything breaks - nothing they would pick should ever visibly break for end-users. A user should be able to tell their system give me debian [, I don't care where it comes from]. In the end it matters little how we achieve these goals, but we should work towards them.
Re: Possibly moving Debian services to a CDN
On Sat, 08 Feb 2014, Simon Paillard wrote: In the end it matters little how we achieve these goals, but we should work towards them. We disagree on this, but in my opinion, we already achieve this with http.d.n (except it's not DSA-sponsored and as consequence not official). http.d.n is a nice idea, but I think the redirects are expensive latency wise. Even worse, it fails the 'must not visibly break' requirement. We regularly see broken apt-get runs with http.d.n in our sources.lists.
Re: Debian services and Debian infrastructure
On Sat, 08 Feb 2014, Thomas Goirand wrote: It'd be super nice to have the archive rebuild jobs running on the Debian infrastructure rather than on AWS for example. I agree, and it has been proposed several times over the last few years. To say there was no interest whatsoever would overstate the amount of excitement those suggestions have received.
Re: Debian Enhancement Proposals website temporarly broken.
On Sun, 19 Jan 2014, Charles Plessy wrote: Le Fri, Jan 03, 2014 at 02:54:51PM +0900, Charles Plessy a écrit : Le Thu, Dec 26, 2013 at 07:33:41PM +0100, Martin Zobel-Helas a écrit : assuming the content is entirely static, we could move dep.debian.net to dillon.debian.org. Would that be an option for you? I see that ikiwiki is installed on dillon.d.o and is used for dsa.d.o, but I am not sure if the same can be done for dep.d.n, because in our case we have the additional constraint that any Debian developer must be able to commit to the repository on alioth.d.o and trigger a rebuild of the wiki. Since gcc is not installed on dillon.d.o, ikiwiki wrappers can not be compiled, which rules out the use of the ikiwiki pingee plugin. Or would you install gcc ? The alternatives are to stay on Alioth (and install libimage-magick-perl), or host the ikiwiki somewhere else, or fall back to a simpler solution such as abandoning ikiwiki and using wiki.debian.org instead. Hi Martin and DSA team, do you think it would be possible to install libimage-magick-perl on Alioth or to help me to mirror a git or svn repository between Alioth and dillon.debian.org, or shall I move dep.debian.net on a third party infrastructure or a wiki.debian.org ? Wiki.debian.org might be a good fit. If you want to move it onto static/dillon, we can also do that. Just state your preference. If you decide you like static: - we'll make an /srv/deb.d.n tree - can you provide a metapackage (snippet) and/or patch against http://anonscm.debian.org/gitweb/?p=mirror/debian.org.git;a=blob;f=debian/control;h=8beb53a995e57e2cc9a719ec5f705b1a914a780d;hb=HEAD so we know the dependencies of the deb.debian.net build process. Just because something is already installed don't leave it out. Maybe you want to (partially) copy the -dsa.d.o one. - As for getting the data onto dillon, can't you just clone/checkout the git/svn tree there? Cheers, weasel
Re: Updating the Policy Editors delegation
On Mon, 06 Jan 2014, Raphael Hertzog wrote: On Mon, 06 Jan 2014, Russ Allbery wrote: Ian Jackson ijack...@chiark.greenend.org.uk writes: This is all very well but I think de jure they aren't a delegated team, and the distinction is defined in the constitution. This is not trivially bypassable, because a delegated team is one who derives their powers from the DPL and the constitution limits the powers of the DPL. I believe that deciding on the mechanisms and machinery whereby the project as a whole will work out its technical policy (as opposed to disputes over the contents of that policy itself) falls nicely under 5.1.4 and 5.1.9, particularly the latter. Agreed, the role of policy editors is to maintain a document. The fact that it's also uploaded in Debian as a package is just a technicality. But whether or not that document has any meaning or influence is a question for the ftp-masters, release team, and tech-ctte. The power of the policy maintainers comes from them being listened to by various teams, but those teams can revoke that and listen to somebody else or come up with their own documents as and when they see fit. Cheers,
Re: Debian Enhancement Proposals website temporarly broken.
On Fri, 27 Dec 2013, Luca Filipozzi wrote: On Fri, Dec 27, 2013 at 12:33:40AM +0100, Andreas Tille wrote: Hi, On Thu, Dec 26, 2013 at 07:33:41PM +0100, Martin Zobel-Helas wrote: assuming the content is entirely static, we could move dep.debian.net to dillon.debian.org. What about using dep.debian.org? I think that's the idea. The underlying box is dillon. That's where a number of static debian.org websites live. Also a few debian.net. Just because it is on static.d.o doesn't mean it needs to be .org. It can be either.
Report from the DSA Team Sprint 2013-06
Comrades!

We just finished a very productive Debian System Administration team
sprint in LinuxHotel, Essen, Germany. All six of the current DSA members
(Faidon, Luca, Martin, Peter, Stephen, Tollef) and our recruit (Hector)
were present. This was the first time that all of us have met in person
as a whole team.

We would like to thank the University of British Columbia (specifically
Electrical Computer Engineering and Information Technology) for their
generous donation that more than offsets the cost of this sprint, and
LinuxHotel for hosting us at their open source rates.

The primary goals of the meeting were (1) to review the previous year's
action items, (2) to refresh the Five Year Plan for Debian's
Infrastructure, (3) to work on mail routing and (4) discuss a plethora
of other business.

Status report on items from last year's post[lists:dsa-oslo]:
-------------------------------------------------------------

o) Hosting Virtualization: A very significant and very welcome
   contribution of physical (a rack-full of equipment) and virtual
   assets (co-location and bandwidth) from Bytemark has allowed us to
   accelerate some of our virtualization plans and, more importantly,
   handle our ongoing storage challenge.[www:bm-don]

   At this point, we consider bytemark, grnet, man-da and ubcece to be
   our primary data centers and we continue to make progress in
   migrating services from physical to virtual machines at these data
   centers using the 'ganeti' toolsuite. We recently migrated the
   majority of kvm based virtual machines to ganeti.

   Over the past year, we replaced equipment at man-da, primarily, and
   moved several core services on to virtual machines (eg. master, mail
   relays, the BTS). Over the next year, we plan to replace equipment at
   GRNET, and move the remaining services there and at other locations
   onto virtual machines where appropriate.

o) Content Delivery Network: Last year we noted that several of the
   end-user facing services that Debian provides just consist of static
   data served from web-servers. Very often that only was a single
   machine and thus a single point of failure.

   We have worked on deploying a content delivery network for static
   data and are now serving mozilla.debian.net, planet.debian.org,
   www.debian.org, bits.debian.org, news.debian.net,
   backports.debian.org and ftp-master.metadata.debian.org off a set of
   machines all over the world. We seem to have reached the primary goal
   of providing machine and hosting redundancy.

   More CDN related ideas and experiments are mentioned further down (in
   this year's bullet points).

o) Single-Sign-On: With the help of alioth admins, we now could, in
   theory, authenticate alioth users via Debian's SSO server, in
   addition to all the debian.org people in our LDAP. This will open
   opportunities for several web services to give even broader access.
   We are in progress of deploying this to some of our web based
   services. Stay tuned.

o) Disaster Recovery: Over the last year we have deployed bacula and are
   starting to make full backups of more of our systems. We are still
   far away from having complete backups of everything but we're getting
   there.

   We discussed how to extend the backup space available at our primary
   backup storage host, beethoven. Since the system can still take a
   couple SATA disks we probably will look into purchasing these before
   we consider adding external storage.

o) User and Group Management: Last year we estimated the number of
   active shell accounts to be on the order of 50.000 over all
   users/hosts. We still would like to disable unused accounts as
   described in last year's summary mail but nothing has happened to
   actually implement that. Help welcome.

[www:bm-don] http://www.debian.org/News/2013/20130404
[lists:dsa-oslo] https://lists.debian.org/debian-project/2012/03/msg00032.html

A selection of even more things that we discussed:
--------------------------------------------------

o) CDNs redux: Debian currently has multiple content delivery networks.
   The most obvious one is the archive mirror network. Second, we have
   the 'static cdn' network described above which is used by
   mozilla.debian.net, planet, www and more. Third, we have the
   geolocation-aware security mirror network.

   During the sprint, we experimented using a third-party CDN for the
   security mirror network and for the Debian website to determine
   whether it could be a viable option for Debian. Specifically, we
   examined what integration challenges we might face should we desire
   to move in that direction.

   The experiment showed that we can use a CDN for the http side of the
   security network, but our DNS structure is giving us some problems.
   Most CDNs use a CNAME record to point users at the closest node using
   techniques such as anycast DNS or GeoDNS. Our challenge is that the
   DNS name
Re: UBC-ECE maintenance window June 9th/10th
On Sun, 03 Jun 2012, Peter Palfrader wrote: Therefore, all of our systems at UBC-ECE will be unavailable on June 9th, from around 8:00 local time to about 20:00 local time - 17:00 UTC until 05:00 UTC on Sunday. Actually, 08:00 local time in Vancouver is 17:00 in WLT - weasel local time not in UTC. In UTC that would be 15:00 with an end time still 12 hours after the start. We hope everything will come back up nicely, else things might take a little longer still. Cheers, weasel
Re: Please draft a policy for planet.debian.org
On Thu, 11 Nov 2010, Tshepang Lekhonkhobe wrote: while on that topic, maybe each package on package.qa.d.o should have a flattr button ;-) And one for the packages.d.o guys. And one for the QA guys. And one for DSA. And one for the mirror people. And the ftp-team. And the buildd and wanna-build folks. At which point is this getting silly? Nothing in Debian is a one-man-show.
Re: Merkel going away
On Sun, 05 Sep 2010, Stephen Gran wrote: merkel.debian.org, aka nm.debian.org, qa.debian.org, etc., has become increasingly unstable over the past few months. Due to upcoming changes in the hosting for all the machines hosted at Fort Collins, we have decided to ask the hoster to leave it turned off when they move the other machines. Just a short update here. It looks like the people at FtC haven't moved any of our gear as originally scheduled, and probably won't be doing anything at least this year. New date is probably early next year, we'll see. In the meantime, nm has moved to nono, qa to quantz. The dd accessible copy of ftp-master is still on merkel. Cheers, weasel
Re: Squeeze, firmware and installation
On Wed, 05 May 2010, Arto Jantunen wrote: Kurt Roeckx k...@roeckx.be writes: It seems the kernel team has moved a lot of firmware to non-free, which means that more people will need to use pieces from non-free to be able to use their computer. So I was wondering what the state is of everything, and what issues people will run into, specially when installing. I'm also wondering what people think about adding some firmware to our official installation media. Hmm. Is the release already so close that it's time to have this flamewar again? Shouldn't we wait a month or two for maximal effect? Seriously speaking, to me it seems very clear that non-free firmware will not be present on official installer images. Then again, the installer team has made it very easy to inject firmware during installation on machines where it's needed. Have they? It's the most painful thing every time I need to setup a new box. It's the most time consuming part too, easily doubling or tripling the time, if not worse, it takes to install a new system. Most of the time it involves re-creating installer media because debian can't be arsed to be useful by default. Is that what you mean with very easy?
Re: snapshot.debian.{net,org} and spending Debian money
On Fri, 25 Sep 2009, Andreas Tille wrote: provide this info there and ask the .jp admins to also put some information about the status online. Unlikely. The person who operated s.d.n is overworked as it is. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Opera in your repos
On Sat, 08 Aug 2009, Tollef Fog Heen wrote: ]] Matthew Johnson | We would need a licence which allowed it to be redistributed by Debian | and used by all of our users. The reference for this is Debian Policy | 2.2.3 and 2.3: We need the redistribution bit, I don't think we need it to be allowed to be used by all users. Non-commercial is fine in non-free, or at least was, last time I checked. I wouldn't be surprised if our requirements have increased even in that regard in recent years. At least nowadays I mostly expect stuff that has weird licenses about modification and following redistribution in non-free. I hardly expect stuff that one is not even allowed to use. But maybe that's just me. :) Cheers, -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: dsa meeting minutes
On Tue, 21 Jul 2009, Peter Palfrader wrote: (again, internal work notes) dsa 20090720 - get rid of sarti hosted at rapidswitch (weasel talks to philh) - mirror planet to a different machine so we can reboot things more easily (mirroradm/Ganneff) - setup manpages.debian.net - maybe integrate into packages.d.o or maybe lintian. Ganneff talks to djpig - source.d.o on stabile (zobel+dsa - noel) - data.d.o pending on new ftp-master. zobel/luca/taggart/HP - backup.d.o (bartok running out of warranty/disk space) possible hosters/people to talk to maybe use one of the nordicgaming dl360s - cd-builder.d.o. bzed - tk. we think status is that cd folks basically just need to say when they want the machine and we can get one. hosted at maswan - security/synproxy.as - talk to Andrew Lee (zobel, sgran). done. - bugs frontend MX - don+weasel will maybe look at that during debconf/camp - alioth - to a blade @ luca - move root auth keys into puppet - rotate all passwords (weasel) - setup host based firewalls. move it into puppet/some centralized thing. merge different hosts' config into one. sgran+Ganneff. - verdi: - shut down all remaining service processes, (sgran) - dd disks - powerdown - have andi pick up old hw - experimental - it should move into d.o w-b and onto d.o buildds (that's something for wbadm to push) - raff will go away for a couple of days whenever ftc moves to houston wb probably should move away from raff before that happens so it's available during that time. kvm on dijkstra. zobel-luk/philk - we should have all buildds to debian.org. needs to be pushed by wbadm. dsa can take over and help. maybe some hosts need to be moved to more acceptable hosting - kfreebsd porter host (weasel) - get rid of spontini because it's slow. 
zobel/sgran - need a ud-ldap talk / discussion - pergolesi is back, still no eric access ud-ldap - move host related DNS records into ldap - A, , MX, HINFO, that kind of stuff - auto generate sshdist's authorized_keys from ldap - move the information contained in generate.conf into ldap - make ud-* tools log, i.e. create an audit log - move echelon away from ud-ldap/ldap - DAM/Ganneff - move ud-* functionality into a library, so that the logic is contained in a single place, to be used by the ud-* shell tools and a web interface and stuff. sgran/zack - ud-generate should probably create a new directory to write out its stuff so we do not carry around old crap for forever. - ud-generate/ud-replicate should do sane locking - partial exports to hosts - rename db into db-master, - make db-master's ldap accessible only from localhost and a couple of d.o machines (say master, people) - make a new db that is a replica of db-master, publicly accessible - fingerd moves to the public db. (for dsa talk/open discussion: is anybody using ldap directly, what for, etc) puppet - nsswitch.conf - sshd_config - environments for testing stuff mail - all buildds/porterboxes to move to hub layout - maybe masquerade all outgoing @hostname.d.o mail as @d.o. - in any case, stop doing local m...@hostname.debian.org mail for all hosts except for master.d.o - should unconditionally go to ldap forward address - no .forward/.procmail stuff - split debian.org from master.debian.org mail handling - abuse/postmaster at virtual domains should always go to DSA (in addition to the team if they configured it in their aliases) (for dsa talk/open discussion: what kind of granularity do we need for the anti spam stuff? Do most people really want to set their own blacklists or should we just make it a boolean. 
Some people will always bitch, try to do it right for most and do not get carried away by a few loud complainers) hosting - paravoid will ask if he can take the bladecenter he might also provide storage -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
dsa meeting minutes
(again, internal work notes) dsa 20090720 - get rid of sarti hosted at rapidswitch (weasel talks to philh) - mirror planet to a different machine so we can reboot things more easily (mirroradm/Ganneff) - setup manpages.debian.net - maybe integrate into packages.d.o or maybe lintian. Ganneff talks to djpig - source.d.o on stabile (zobel+dsa - noel) - data.d.o pending on new ftp-master. zobel/luca/taggart/HP - backup.d.o (bartok running out of warranty/disk space) possible hosters/people to talk to maybe use one of the nordicgaming dl360s - cd-builder.d.o. bzed - tk. we think status is that cd folks basically just need to say when they want the machine and we can get one. hosted at maswan - security/synproxy.as - talk to Andrew Lee (zobel, sgran). done. - bugs frontend MX - don+weasel will maybe look at that during debconf/camp - alioth - to a blade @ luca - move root auth keys into puppet - rotate all passwords (weasel) - setup host based firewalls. move it into puppet/some centralized thing. merge different hosts' config into one. sgran+Ganneff. - verdi: - shut down all remaining service processes, (sgran) - dd disks - powerdown - have andi pick up old hw - experimental - it should move into d.o w-b and onto d.o buildds (that's something for wbadm to push) - raff will go away for a couple of days whenever ftc moves to houston wb probably should move away from raff before that happens so it's available during that time. kvm on dijkstra. zobel-luk/philk - we should have all buildds to debian.org. needs to be pushed by wbadm. dsa can take over and help. maybe some hosts need to be moved to more acceptable hosting - kfreebsd porter host (weasel) - get rid of spontini because it's slow. zobel/sgran - need a ud-ldap talk / discussion - pergolesi is back, still no eric access -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. 
`' Operating System | `-http://www.debian.org/
Re: DAM and NEW queues processing
On Sun, 28 Jun 2009, Stephen Gran wrote: This one time, at band camp, Bernd Zeimetz said: Don Armstrong wrote: On Wed, 24 Jun 2009, Steve Langasek wrote: Ok - then I guess my problem is that the list of names included in these is so non-notable (and is empty most weeks anyway...) that it doesn't register at all with me. Would it be enough to just have a special automated mail congratulating new developers on -newmaint (or modify the subject of this mail to congratulate them?) I'd be happy to modify the cronjob to send such mails to -project, if the interest is large enough. Does anybody want to come up with a proper wording? When we (DSA) add an account with the ud-ldap tools, it already sends an automated email to the new DD. It could also potentially mail -project or something with some simple template. The downside of doing it that way is we have none of the NM process information available. Yeah, that email is pretty useless for most people. The only interesting piece of information in 10+k of email would be the To-line. weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: DAM queues processing
On Thu, 25 Jun 2009, Lucas Nussbaum wrote: On 25/06/09 at 22:37 +0200, Emilio Pozuelo Monfort wrote: [...] - DAM reviews the application (wait4) - DAM creates the account - Key added to the keyring - Shell access to developer machines [...] - I don't know why there is wait4. I guess it's because DAM members process people in batches, but IMHO if you have already reviewed an application and accepted it, the account should be immediately created? Is there a (good) reason for this delay? - I have no idea whether the keyring and machine access stuff take another big delay. wait4 used to be a big problem in the past, because the person managing the keyring and creating the accounts was not responsive enough. It was solved a year or so ago by splitting the tasks differently. DAM now reviews the application, and submits RT tickets for the keyring addition and the account creation. Those tickets are processed by DSA (for the account) and keyring-maint (for the keyring), and both of those teams are responsive currently. (the above is my perception of how things work, so I might be wrong, but it's not properly documented anywhere anyway.) Correct. There is no 'DAM creates the account' step. If you want to have a step there it's 'DAM sends request to keyring-maint/DSA', but I suppose that's identical to finishes review with a positive result. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: DAM and NEW queues processing
On Fri, 26 Jun 2009, Faidon Liambotis wrote: Something is definitely wrong here, IMHO. Maybe it's your assumption or assertion that the only point of NEW is checking the copyright file. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: DAM and NEW queues processing
On Tuesday, 23 June 2009, Bernd Zeimetz wrote: Lucas Nussbaum wrote: On 23/06/09 at 12:06 +0200, Bernd Zeimetz wrote: No way. Most reports show that a lot of NMs don't know about a lot of things asked during the NM process. This is true even for those who are DM already. Is that really a problem? We need people who take the right decisions (and that includes asking questions when they don't know or are not sure about something), not people who can repeat all our documentation from memory. 80% or more of the questions are questions about daily tasks, so yes, you're supposed to know that from brain. Or you should at least have heard something about it, which is another thing the NM process is for: educate people. That being said, having to be a DM for some time before tying up the resources for the whole NM process does sound like a good idea. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: DAM queues processing
On Tue, 23 Jun 2009, Stefano Zacchiroli wrote: On Tue, Jun 23, 2009 at 02:29:20PM +0200, Bernd Zeimetz wrote: What you miss is that I move all problematic candidates to DAM with the comment I'm not entirely happy, but its your job to decide... OK, then what I'm proposing is to identify one single entity where the decision is taken. Either is FD or is DAM. It's DAM. DAM has always been the position that decides who is a DD and who isn't. The whole FD/NM thing is just an advisory board to the DAM if you want to call it that. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: DAM queues processing
On Tue, 23 Jun 2009, Emilio Pozuelo Monfort wrote: From an NM point of view, my feeling is: I hope the Keyring Maintainers and the DSA don't feel like reviewing everything *again* to add my key to the keyring and to give me access to the developer machines Speaking with my DSA hat on, the DAM informs us (keyring and DSA team) that there is a new developer. Once the new person's key is in the keyring we then simply create the account. There's nothing to *review* per se since the DAM has already decided that said new user is a DD and our policy is to give every DD access to project machines*. Cheers, weasel *) So, while who or who is not a DD is DAM's authority, deciding who or who will not have shells on d.o machines is DSA's. So in theory DSA could of course decide that we mistrust a given person to such an extent that we will not grant him shell access to project machines. That person would still be a DD by the DAM's fiat, they just wouldn't have a shell on d.o machines. But then things must be really really wrong to have gotten that far. Hopefully not very likely. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: debian 2.0
On Fri, 12 Jun 2009, Jens Schüßler wrote: * Fabian Mühlemann fabia...@quicknet.ch wrote: Is it still possible to download Debian v2.0 Hamm? If it is still possible, could you send me a link to the specified operating system? http://archive.debian.net/hamm/ http://ftp.de.debian.org/archive/debian/dists/hamm/ The official place is of course http://archive.debian.org/ and there http://archive.debian.org/debian/dists/hamm/ -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: state of the DSA nation
On Sat, 28 Mar 2009, Peter Palfrader wrote: = vancouver = We got a nice msa2ki storage from HP at UBC/ECE. Currently it's resyncing/growing its raid because I want to see how it handles stuff. Once this is done we can start moving stuff onto kvm domains on dijkstra - the blade we also got. Things I want to put there as a start: - an i386 or amd64 buildd or both, depending on what wbadm needs. - move buildd/wannabuild from raff to a domain so we rely less on FtC and old servers that are long out of warranty. dijkstra is now running geo2, brahms (amd64 buildd, pending setup by buildd folks), duarte (bts mirror, to maybe become master), and valente (to become volatile master) Luca also managed to get a system with lots of storage (on the order of 10 to 20t) from one of the Professors at UBC. Unfortunately the system itself is too old to have modern CPUs that do virtualisation stuff, and it only has 6 or so gigs of ram. Still waiting on that. = darmstadt = Unger, the dl360 in darmstadt, germany, has two raid controllers. Currently the disks are on the p400 controller which does not have a battery backed cache. We should move the disks to the p800 (see RT#1129). Still waiting on that. Once that is done we should move db.debian.org (i.e. our ldap) onto a kvm domain on unger. unger already has one trusted system, handel, our puppet master. db.d.o moved to draghi, running on unger. liszt is still on etch. The upgrade ticket is owned by zobel who is also listmaster, so that makes sense. zobel did most of the move recently. still pending puppetisation. = helsinki = On piatti the piuparts team got piuparts running again. That means that piatti now is quite loaded. piatti is once again running just piuparts. Piatti hosts udd, and it has bugs and packages mirrors tho I removed them both from dns because piatti's load spiked into the hundreds. udd moved to re-installed samosa after db.d.o was moved to dragi. 
Moving non-piuparts stuff off piatti and thereby dedicating piatti solely to piuparts again is also preferable because piuparts does lots of stuff as root, and so do its admins. = ftc = nagios from samosa should probably move to spohr, which appears to be our public dsa services that are not all that security critical-box these days. done. That'll leave samosa free. Once buildd is in vancouver, raff only has keyring left, but that should be easy to move; and raff still has morgue files from ftp-master, they can be moved elsewhere also. no change so far. So we could move udd from piatti to its own dedicated host (either raff or samosa) - see #1241. DDE can move onto the same host, away from merkel, if desired by dde-adm. done, see above. = csail/mit = Noahm at CSAIL/MIT still has 3 of the old HP servers we got two months ago in his to-setup queue (they are from the same batch as the dl360 that is schein, now hosted at ISC and being security.us). IIRC we will have two dl360 (senfl and rore) and one dl380 (carver). Disk-wise I don't know/remember how they will be. Probably at least 74g (2x74g raid1) in the dl360s, and 180g (6x36g raid5) in the dl380. Once they are online we should think of moving individual services around. rore is packages mirror, carver is not running reliably (RT#1385), senfl not racked/accessible/whatever. = munich = verdi is a really really old box: dual pentium III 700mhz, 512mb of ram, raid5 of 4 18g disks one of which failed half a year ago and hasn't been replaced yet. verdi hosts volatile-master. volatile should maybe be integrated into the ftp archive proper - I sent an email regarding that a few months back to the volatile folks. If that does not happen we need to move it to a new host, then we can decommission verdi. zobel is preparing a move of volatile master to valente (running on dijkstra in canada). archive integration stalled due to volatile and ftp-master not communicating all that well. 
= karlsruhe = wieck and schumann - dell servers from november or so - are sponsored by 11. wieck is acting as a security mirror for a while now. schumann has been made into a kvm host and is currently hosting one domain: chopin. chopin will become new security-master (currently klecker) once the ftp folks are done setting stuff up. still pending ftp-master love. we can setup another kvm domain on it (we have 2 more ip addresses) for other security stuff. fw mentioned a couple of months back that he wants a place for security-tracker.d.n. This could be it. white (steffen joeris) also wants a home for testing-security.d.n. They can probably live on the same kvm domain. stalled due to no/missing input from testing-security folks. = minnesota = saens isn't doing anything since we moved ftp.d.o to kassia. We were talking about making it a mail relay at one point, but it doesn't look like there'll be any progress
Re: state of the DSA nation
On Fri, 15 May 2009, Frans Pop wrote: On Friday 15 May 2009, Peter Palfrader wrote: == s390 == we have two porterboxes here. zelenka is new and fast and has nice network but is a little short on disk space. raptor has more diskspace but the network is too restricted - we can't even get to our puppet master from it and the local admin is not helpful. I suggest we ask zelenka sponsors (zivit) nicely if we can have more disk, and we get rid of raptor. done. So that explains why we've lost daily D-I builds for s390. Someone on the D-I team will need to action there. Um, what? -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
forums.debian.net disabled
forums.debian.net is a debian.net service run by a set of DDs for the community. It's not an official Debian service run or maintained by the project or DSA (then it would be forums.debian.org). Nevertheless it was hosted on debian.org hardware since sometime last year because the original system it was on was an under-the-desk kind of server that was falling apart and the forum admins wanted to continue to provide this service. DSA gave them access to tartini.debian.org, which was unused at the time. Since then, this system has been dedicated to running forums.debian.net; it was decided to not use tartini for any other services due to security concerns. This afternoon DSA received reports that forums.debian.net might have been compromised: registered users had been email spammed from the forums software. forums.debian.net has therefore been disabled. It is not known when or if or how forums.debian.net will return. We currently have no reason to believe that tartini itself was compromised. For DSA, Peter
Re: Genericly-named debian.net domains for private use (was Re: Point to semi-official backported packages?)
On Wed, 08 Apr 2009, Adeodato Simó wrote: + Bernd Zeimetz (Wed, 01 Apr 2009 03:18:33 +0200): Stefano Zacchiroli wrote: On Sat, Mar 28, 2009 at 10:00:46AM +0100, Adeodato Simó wrote: Wouldn't it be just better to point those domains to the respective project-wide efforts? I'd appreciate opinions on the matter. AOL. Looks like the rule is quite simple too: for any $X.debian.org, $X.debian.net should point to $X.debian.org. (A reasonable exception could be www.debian.net containing a list of .debian.net names.) Implementing this rule would be very appreciated. Adding DSA to the loop to see if this is something they want to standardize or regulate. That single rule doesn't scale, there are non-abusive users of clashes right now (buildd, www), and it wouldn't solve the backports thing. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Genericly-named debian.net domains for private use
On Wed, 08 Apr 2009, Felipe Augusto van de Wiel (faw) wrote: I'm just wondering if we should discuss more about the rules or if DSA will propose rules for adoption with some migration period. While I personally think many of the debian.net entries are questionable, I certainly don't want to be the person that will have to run after people if they violate some rules. I have better things to do with my time. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Genericly-named debian.net domains for private use (was Re: Point to semi-official backported packages?)
On Sat, 28 Mar 2009, Adeodato Simó wrote: I think you mean backports.org, backports.debian.net is not what you think it is. Despite its name, backports.d.n is a personal backports archive for Daniel Bauman. I really don't get why it's appropriate for a developer to use such generic names for their personal stuff. git.debian.net seems to be Daniel's too. Wouldn't it be just better to point those domains to the respective project-wide efforts? I'd appreciate opinions on the matter. I couldn't agree more. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
state of the DSA nation
with at least two ethernet ports we could probably ask xs4all to put it next to klecker and we could access it that way. If that ever works out we could re-install klecker with amd64 userland. I see no reason why we would want to move www-master away from klecker tho. = osuosl = rietz' storage subsystem is really weird. It seems to hang for seconds to minutes at times. Maybe rietz is really really overloaded or the hardware is not well. rietz currently is bugs-master and syncproxy.na. I suggest we move bugs-master to a kvm domain on dijkstra (don said that'd be fine). Once that happened we can re-setup it with amd64 userland, and then re-setup syncproxy.na. Ganneff said that'd be ok with him, tho we might miss a mirrorpulse or two in the process. = summary = Services which could/should move or need a new home: [not sure we should move qa at all, but we could] qa.d.o - currently on merkel- new dl* at mit, or {raff,samosa} once empty bugs.qa - currently on merkel - new dl* at mit, or {raff,samosa} once empty packages.qa - currently on master - new dl* at mit, or {raff,samosa} once empty [qa probably needs a debian mirror tho, so maybe leaving them on merkel or at least in FtC is not the worst idea] db.debian.org - from samosa - kvm domain on unger (darmstadt) nagios - from samosa- spohr udd - from piatti - {raff,samosa} dde - from merkel - {raff,samosa} (to udd) nm.d.o - currently on merkel- new dl* at mit, or {raff,samosa} once empty bugs mirror - from piatti - new dl* at mit, or {raff,samosa} once empty packages mirror - from piatti - new dl* at mit, or {raff,samosa} once empty volatile-master - from verdi - if it needs a new host. 
- kvm domain on dijkstra (vancouver) buildd/wannabuild - from raff - kvm domain on dijkstra (vancouver) i386 buildd/amd64 buildd - NEW - kvm domain on dijkstra (vancouver) security-master - from klecker - chopin security-tracker.d.n - NEW - kvm domain on schumann testing-security.d.n - NEW - kvm domain on schumann security mirror - NEW - saens bugs-master - rietz - kvm domain on dijkstra (vancouver) = snapshot = still waiting for a summary from hw-don folks. = durin = durin is a non-debian.org box or xen domain in darmstadt iirc, run by the german cabal. zobel mentioned he'd like to move several services off it onto debian.org systems. Do we have a list somewhere? = arch specific stuff = == arm == elara and europe were arm buildds up until the lenny release. Now they are no longer needed as such. Decide if we want to keep one as a porter box in lieu of agnesi (which has weird network). (#1064, #1083, #1065) == m68k == finally get rid of crest and kullervo (#1132). == powerpc == bruckner is quite old and slow, and we got pescetti as a porterbox now. Return to the owner? == s390 == we have two porterboxes here. zelenka is new and fast and has nice network but is a little short on disk space. raptor has more diskspace but the network is too restricted - we can't even get to our puppet master from it and the local admin is not helpful. I suggest we ask zelenka sponsors (zivit) nicely if we can have more disk, and we get rid of raptor. == hppa == new hpp buildd in the queue (#1177). not as fast as peri and penalosa but hopefully stable. Also gives us location redundancy (peri and penalosa are both at ftc.) == sparc == waldi is still sitting on debian's t1000 at osuosl. last status I heard was that he wanted to install solaris on it. I'm way past caring about it by now. fabbione brought up a potential t2000 a while ago (#1144) - ping him again. = other stuff = there are still a couple of porter chroots to upgrade. feel free to do that. 
not all that many hosts still on etch. weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: state of the DSA nation
On Sat, 28 Mar 2009, Frans Pop wrote: On Saturday 28 March 2009, Peter Palfrader wrote: [note to -project readers: this mail was written with -admin as an intended audience in mind and not you, but I figured I'd CC you anyways. Please excuse the style and terseness of some items.] Thanks! It's nice to have some sort of idea what's going on. Question: what about gluck? IIRC there's still some things (lintian.d.o for example) living on that. Yup. it is also www (when www isn't klecker), and cvs (webwml probably is the only thing left), and MX for admin (I think that only does a couple of expanders for commits tho) and has some admin related docs (those which aren't in our dsa-passwords git or on the dsa.debian.org wiki), and according to dns also ddtp (not sure what its status is), and planet, and popcon, and search. I currently don't see any pressing needs to change any of that (tho we will probably want to move the admin related docs away from it slowly - no need to have stuff spread out over 3 different places). weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: state of the DSA nation
On Sat, 28 Mar 2009, Peter Palfrader wrote: = osuosl = rietz' storage subsystem is really weird. It seems to hang for seconds to minutes at times. Maybe rietz is really really overloaded or the hardware is not well. rietz currently is bugs-master and syncproxy.na. I suggest we move bugs-master to a kvm domain on dijkstra (don said that'd be fine). Once that happened we can re-setup it with amd64 userland, and then re-setup syncproxy.na. Ganneff said that'd be ok with him, tho we might miss a mirrorpulse or two in the process. It also still has women.debian.org. It might make sense to move that to widor, which is where wiki moved to. Need to find out who is responsible for women.d.o. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Creating a public list for wanna-build team? Input needed.
On Wed, 18 Feb 2009, Adeodato Simó wrote: In #512780 (http://bugs.debian.org/512780), we've requested the creation of a debian-wbadm list to serve as a role address and discussion umbrella for the wanna-build team. That sounds like a good idea. The name Joey suggested might be better, but it probably does not matter all that much. Additionally, listmaster has also suggested that we use a teams.debian.net list for this purpose. I don't agree with this for the reasons stated in the bug report. Feel free to comment on this issue as well. What's the difference anyway? weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: new RT addresses
On Thu, 05 Feb 2009, Adeodato Simó wrote: The short version is that rt+...@rt.d.o and rt-comment+...@rt.d.o accept mail. Is there a difference between the two? Which one should be used, and when? Replies (rt+nnn) are public, comments (rt-comment+nnn) are only visible to the queue owners. So probably you always want to use replies. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
new RT addresses
Hi, FYI, Luca patched our exim and rt setup in such a way that you can now send email to existing tickets more easily. The short version is that rt+...@rt.d.o and rt-comment+...@rt.d.o accept mail. There is no subject tag or ticket number in the subject required. Bonus points if you avoid mentioning such addresses in places where spiders can find and subsequently spam them. I believe nothing has changed for creating new tickets via email (i.e. still include a subject tag of '[Debian RT]' somewhere in the subject when mailing qu...@rt. For motivation and more details see ticket #777. Cheers, weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
ports.debian.org
So, we have a ports.debian.org in DNS and the only service associated with it is an apache redirect to some place on our website. I think of removing it, so if anybody knows of any reason why I shouldn't please let me know. Thanks, weasel -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: obsolete CVS repositories (was: Release notes)
On Sun, 26 Oct 2008, Guillem Jover wrote: Could you also update dak's README to point to: http://ftp-master.debian.org/git/dak.git instead of the obsolete bzr repo? Last time I asked it was still in use for the arch specific package list. I could probably add a README, but moving it to obsolete and making it a-w not so much. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: obsolete CVS repositories (was: Release notes)
On Sun, 26 Oct 2008, Guillem Jover wrote: On Sun, 2008-10-26 at 10:27:20 +0100, Peter Palfrader wrote: On Sun, 26 Oct 2008, Guillem Jover wrote: Could you also update dak's README to point to: http://ftp-master.debian.org/git/dak.git instead of the obsolete bzr repo? Last time I asked it was still in use for the arch specific package list. I could probably add a README, but moving it to obsolete and making it a-w not so much. Right, but there's already a README file stating exactly that, except that it points to the obsolete bzr repo instead of the git one. Yup, saw that and in fact updated it before you replied :) Cheers -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Re-thinking Debian membership
On Sat, 25 Oct 2008, Stefano Zacchiroli wrote: On Fri, Oct 24, 2008 at 02:49:13PM +0200, Michael Hanke wrote: Thinking about this again, 'public' access to the keyring could also be a way to address the 'large number of inactive developers' -- _if_ they exist. Anyone could trigger the removal of anybody (using the staging approach outlined above) -- cleaning the keyring becomes much like mass bug reporting (and maybe should even follow the same procedure, ie. announce what you want, let it be discussed publicly, ...) No, we already have a procedure for that. If you want to help over with that, step in and help the currently understaffed MIA team. If somebody wanted to tackle the issue right now, there's also the echelon information in LDAP. Together with a list of people who have neither set a new password since the SSL thing nor uploaded ssh keys we might get a list of candidates. Contact DSA if you want to look into it (echelon is public, keys can be found in /var/lib/misc on project machines, passwords you'll have to ask for). -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
obsolete CVS repositories (was: Release notes)
(Re obsolete cvs repositories on gluck aka cvs.d.o)
(if you got BCCed, congratulations, you are in one of the affected cvs groups.)

On Wed, 08 Oct 2008, Raphael Hertzog wrote:

[debbugs] Don responded, it moved to bzr: http://bugs.debian.org/debbugs-source/ http://wiki.debian.org/Teams/Debbugs

moved.

debian-openoffice
$ apt-cache showsrc openoffice.org | grep Vcs
Vcs-Bzr: http://bzr.debian.org/pkg-openoffice/packages/openofficeorg/2.4.1/unstable
Vcs-Svn: svn://svn.gnome.org/svn/ooo-build/branches/debian-2-4-1

Moved to -obsolete.

debian-doc
Badly named webpage (http://www.debian.org/doc/cvs) is up-to-date and gives: svn://svn.debian.org/ddp/manuals/trunk http://svn.debian.org/viewsvn/ddp/

Done.

deity,
$ apt-cache showsrc apt | grep Vcs
Vcs-Bzr: http://bzr.debian.org/apt/debian-sid/

Moved to -obsolete.

and tetex
tetex is gone replaced by texlive: http://wiki.debian.org/Teams/TeXTaskForce They don't use Vcs-* fields apparently but they use svn: http://svn.debian.org/viewsvn/debian-tex/ svn://svn.debian.org/debian-tex/

Ditto.

moved to, similar to what is available from the READMEs in /srv/cvs.debian.org/cvs/qa. Can you provide that?

HTH.

Thanks.

-- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Re-thinking Debian membership
On Fri, 24 Oct 2008, Lars Wirzenius wrote: * The keyrings shall be maintained in a way that allows any member to change them, Since you refused to explain on IRC, please explain the rationale and use-cases here.
Re: Developer Status
On Thu, 23 Oct 2008, Martín Ferrari wrote: For example, I think that a NM should be given login privileges because that's many times needed to solve bugs. Theoretically being DD is not a prerequisite to getting shells on debian systems. Practically it is since we have no infrastructure to maintain such people's keys etc. Having NMs in a keyring, maintained by keyring-maint, would probably solve this, and we could provide access to our porter machines when there is the need. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Developer Status
On Thu, 23 Oct 2008, Raphael Geissert wrote: Having NMs in a keyring, maintained by keyring-maint, would probably solve this, and we could provide access to our porter machines when there is the need. What about getting every maintainer's key in a keyring and LDAP? it would finally allow for a better management system to take place The LDAP is DSA's tool for managing shell accounts and per-user email setup. It deals primarily in terms of people, who have a uid, a name, a forwarding email address, a PGP key (fingerprint), etc. Maintainers are a concept of packages and thus lean more towards the ftpmaster side who, if I understand correctly, already maintain a list of all maintainers somewhere in their database. Maintainers are also often role accounts, like I guess Debian OCaml Maintainers. Therefore I don't think trying to get this particular piece of information into the debian LDAP would be particularly straightforward. Also I question what good it would actually do. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Developer Status
On Fri, 24 Oct 2008, Faidon Liambotis wrote: For example, there's nothing special about a DC. No upload rights, no vote rights, no debian.org logins. Well, they won't get automatic shells on project machines, but I don't see why they wouldn't get an account if whatever it is they are doing requires it. This could be maintaining a buildd, some other service like packages or forums.d.o or any other number of things. This proposal would add infrastructure that allows us to give accounts to just such people. Right now, without keyring, ID check or anything it's still theoretically possible to give such contributors access, practically tho it means it just isn't done. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Release notes
On Tue, 07 Oct 2008, Raphael Hertzog wrote: Question is: why is that still available? Probably because nobody bothers to tell DSA when services are no longer required. There are still 2 users of cvs.debian.org (webwml, dak/srcdep), otherwise I would have requested it to go away. https://rt.debian.org/Ticket/Display.html?id=146 But you can disable all the other modules in the web interface at least and remove write rights in all other repositories. I need information where debbugs, debian-openoffice, debian-doc, deity, and tetex moved to, similar to what is available from the READMEs in /srv/cvs.debian.org/cvs/qa. Can you provide that? -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Release notes
On Sun, 05 Oct 2008, Cyril Brulebois wrote: Raphael Hertzog [EMAIL PROTECTED] (05/10/2008): http://cvs.debian.org/ddp/manuals.sgml/release-notes/?root=debian-doc This link is wrong. DDP uses SVN nowadays. Question is: why is that still available? Probably because nobody bothers to tell DSA when services are no longer required. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: ssh.upload.debian.org
On Tue, 30 Sep 2008, Stefano Zacchiroli wrote: On Tue, Sep 30, 2008 at 09:17:44AM +0100, Simon Huggins wrote: Your second mail (the one referenced in this thread) said: Can please someone tell me exactly for the sake of what, we are having this sub-thread? It just looks pointless to me ... It's just the usual nit-picking on anybody who actually does anything to improve our infrastructure. It's pretty common around here, people probably use it to show how much they care about the project and how, if only we would let them, they could do it all so much better. Also see bike-shedding. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: ssh.upload.debian.org
On Tue, 30 Sep 2008, MJ Ray wrote: Posting a simple mail like I can't predict why we might want to move it, but it seems like a possibility we should leave open and yes, ftp-master was a symbolic name, but isn't the best one now. Please use the new symbolic names. a few messages back might have stopped this. It also isn't accurate. The name was changed for the very reason that upload place should be uncoupled from archive maint place, for the few times where ries does go down. It was proposed when this happened last time, a few weeks back. Just because *you* don't get it doesn't mean it's stupid. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
people.debian.org - ravel change
Hi, as previously announced people.debian.org will move to ravel.debian.org. Currently we plan to change DNS on Thursday (2008-09-18) around noon UTC. If you have any questions please don't hesitate to ask. Cheers, Peter http://lists.debian.org/debian-devel-announce/2008/08/msg00012.html https://dsawiki.debian.org/dsawiki/2008-newpeople
changes to the use of sudo on project machines
[please follow up to -project or -admin or just me, depending on what seems more appropriate.] Hi, if you use sudo on project machines this will affect you. The short version: If you want to use sudo in the future, go to http://db.debian.org/ and set a sudo password for you. A slightly longer version: We are trying to limit the exposure of login and ldap passwords on project machines. Currently everybody who is using sudo on a project machine has to use their login and ldap password, which in case of a compromise can be used to access other machines and change the user's settings in ldap. Since sudo uses the pam library to authenticate users, we can make use of a dedicated passwords file using libpam-pwdfile for authentication to sudo. Userdir-ldap (http://db.debian.org) has been modified to allow users to set a (per host if desired) password for their use of sudo. After setting a new sudo password on the web interface this change has to be confirmed by sending a signed mail - the web interface should instruct you accordingly. This confirmation is intended to prevent an attacker who has learned a login/ldap password to elevate this to sudo-access. We are slowly updating the machines to use the new config. Please see https://dsawiki.debian.org/dsawiki/New-Sudo for per machine progress status. Cheers, weasel [is there a list that all buildd admins are on?] -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: people.debian.org to move to ravel
On Mon, 01 Sep 2008, Lionel Elie Mamane wrote: It is. Limiting an attacker's ability to easily jump from one compromised box to another is something we really want to have. Not tomorrow, but eventually. I'm not sure the no-passwords policy helps much by itself; I get the impression people will just put a ssh key in their homes on Debian machines and add it to the authorized keys in LDAP. Should DSA learn of this they will have had an account on debian.org hardware for the longest time, just like storing your gpg key on d.o hardware will result in it being removed from the keyring for good. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)
On Sat, 30 Aug 2008, Steve Langasek wrote: Well, the underlying premise here is, of course, that certain routinely useful capabilities need to be taken out of the hands of the users because they won't use them responsibly[1]. But we're already talking about hard policy changes to stop users from doing things they shouldn't do in the first place (== using passwords when logging in to Debian servers from their systems), so I don't think you should underestimate the capacity of developers to be cleverly stupid when security is concerned. I don't think that using the password per se on debian hosts is an evil thing to do. I have to do it dozens of time almost every day for sudo. And I don't think nopasswd entries in the sudoers file would be all that much better. Or we could start shipping a pam pwdfile table for use with sudo. Maybe we should do that anyway, regardless of what comes from this discussion. Also I agree, if somebody willfully compromises security there's nothing we, or anyone, can do. Having your inter-host file transfers sandboxed, such that you have to log in to the host on each end in order to get the files copied to the place you want them, would be a serious nuisance, and in particular, it would not allow for good use of rsync as a time- and bandwidth- saving technique. Having to start a separate ssh agent for Debian systems would also not be user-friendly. How often do you do that, seriously? I can't think off-hand of the last time I had to rsync large amounts of data as weasel between debian hosts. I don't rule out that it happens, I would just like to know if it's a daily routine. Kerberized ssh with ticket forwarding is one of the better ones in this regard, because it doesn't require typing a password across the wire and the delegated credentials have a limited lifetime. I fail to see how this is better than ssh agent forwarding. 
This might be because I never really did much with ticket forwarding but I always thought the idea was to forward a TGT, so it again would give you access to all hosts, for much longer than you are logged in probably. RSA auth forwarding is also good by this standard, because the credentials are only available while the user's initial connection is active and there are methods for requiring user confirmation for each instance of authentication forwarding. Agree on the available only temporary. I don't think many people use the confirmation of each instance of agent use (not forwarded use, I don't think that's possible, is it?). I did that a while ago but it got so annoying since I ssh to hosts hundreds of times a day. Anything that involves sending your password across the wire, or storing RSA keys on the Debian host, is pretty obviously not good. Anything that involves sending a password over the wire that can be used to access shells on other machines should be avoided, agreed. But if you don't find these arguments persuasive, then of the options proposed, I think AFS is the best. (Or you could use Samba with Kerberos sign+seal... :) The nice property of AFS is that it allows for a more decentralized setup, if I understand things correctly. I.e. you would not rely on a single server in a single location. 1. And more likely the user will fetch a full TGT on the source host when they want to copy stuff to another host since the default mode of login will probably stay ssh keys. Well, a way around that is to not give users kinit on the Debian hosts, and/or implement ACLs on the KDC that prohibit issuing TGTs to Debian hosts. Not sure how feasible that would be, and what it would help if you can just forward a TGT to a debian host. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Addition to DSA team
Hi, this is to let you know that we in DSA have invited Martin Zobel-Helas zobel to join us. Fortunately for us he accepted, so with a bit of luck we can now go back to doing nothing and let the rookie do all the work. Cheers, weasel
transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)
[Let's move this to debian-project since there is no debian-admin-public-bikeshedding. I hope mutt doesn't eat my Mail-Followup-To header.]

On Thu, 28 Aug 2008, Peter Palfrader wrote: I generally avoid using password authentication to Debian hosts, *except* in the particular case of scp'ing files from one Debian host to another because That being said we are evaluating means that will allow simple file transfers.

So, there are a few ideas floating around:

- Tell people to only load the debian.org key into an agent, and use -c when doing that so they have to confirm each use of that key. Then forward that agent to the debian host when they want to copy files.
  pros:
  + works right now.
  + no problems with existing firewalls.
  cons:
  - Sure, as if people would ever do that.

- install sendfile/saft on all machines so you can do sendfile foo.tar.gz [EMAIL PROTECTED] Unfortunately sendfile doesn't use crypto, so who knows what happens to the stuff you send. And it's yet another network facing server - I don't know if anybody ever did a real audit on it either. Also, I have no idea if it's still actively maintained these days. Lack of crypto seems to suggest that there certainly isn't any new development going on, and hasn't in ages.
  pros:
  + simple to use,
  + easy to implement
  cons:
  - no confidentiality,
  - no integrity checking,
  - maintenance status?
  - might cause problems with existing firewalls.
  The crypto stuff could be alleviated by using ipsec between all our servers. But that works even less well than you'd expect.

- use uucp. UUCP stands for Unix to Unix Copy and was built for exactly this purpose. It allows one to copy files to remote systems. We can make it use ssh as a transport so it's reasonably secure against non-local adversaries. Unfortunately it stores files in the public spool on the target host, where it can be read by any local user (maybe even copied by remote users using uucp) and overwritten by any remote user using uucp.
  pros:
  + probably not hard to use,
  + not hard to implement
  + no problems with existing firewalls.
  cons:
  - no confidentiality to local users (and local users on peers)
  - files can be overwritten by other users so you can't be sure you get the file on the target host that you wanted.
  - progress of copy status is not immediately apparent

- setup afs. Using AFS would allow us to use a shared /afs/debian.org tree on all our systems. AFS does all the magic crypto stuff so you don't have to worry about Eve sniffing or Mallory tampering with packets. Setting up AFS is a big chunk of work. It would require us first to setup a kerberos realm, to integrate it into ud-ldap so that new krb principals are created with ud-ldap users, and that ud-ldap users can set krb passwords, which probably should be different from their ldap password. On the user side once logged in you'd have to get a kerberos ticket using your krb password, then alog to get access to your /afs/debian.org/transfer/$user or whatever. We will not put homedirs onto AFS (that would completely torpedo the initial goal), it would simply provide a transfer area.
  pros:
  + AFS is cool
  + once we have a krb realm we could maybe also use it for other stuff like all those web services that require logins. How good is krb support in browsers these days?
  cons:
  - integrating krb and afs into ud-ldap is a lot of work
  - setting up afs will be a lot of work too
  - little prior experience with afs
  - AFS suffers from the not-a-filesystem syndrome: file access control is not unix-like and will confuse users.
  - might cause problems with existing firewalls.

What other options did we forget?

-- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)
[Trimming lists] On Sat, 30 Aug 2008, Bastian Blank wrote: On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote: - install sendfile/saft on all machines so you can do sendfile foo.tar.gz [EMAIL PROTECTED] The crypto stuff could be alleviated by using ipsec between all our servers. But that works even less well than you'd expect. The machines need to check DNSSEC or the names can be spoofed which makes ipsec moot. Or you use only resolvers that you have a trusted (i.e. ipsec) connection to and those need to have a complete axfr'ed zone. As hinted in the original email, I don't think ipsec (or stunnel) are useful solutions to help us make sendfile suck less. - setup afs pros: + AFS is cool Yeah. You can make read-only snapshots for backup purposes. Probably not useful for a transfer share. But if it ever grows beyond that that might be useful. - AFS suffers from the not-a-filesystem syndrome: file access control is not unix-like and will confuse users. Also other parts are not really POSIX-like. Hardlinks or so. Direct consequence of its permission model I'd assume. What other options did we forget? - Setup Kerberos, allow it as an additional ssh login variant Circumvents the entire idea behind this exercise: Assuming an attacker already has control over one host we want to make it as hard as possible for them to jump to other hosts. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)
On Sat, 30 Aug 2008, Bastian Blank wrote: Or you use only resolvers that you have a trusted (i.e. ipsec) connection to and those need to have a complete axfr'ed zone. Then we can drop the whole ud-ldap thing and use centralized authentication. Um. I don't see why that follows. I don't think it matters however. :) ipsec/stunnel etc aren't the solution. What other options did we forget? - Setup Kerberos, allow it as an additional ssh login variant Circumvents the entire idea behind this exercise: Assuming an attacker already has control over one host we want to make it as hard as possible for them to jump to other hosts. Nope. It is the same as ssh with key auth. Anything an attacker can get is a short-term secret in form of a forwarded ticket. The service ticket itself is useless for anything else than the direct connection between the user and the server. But it allows them to get a shell on the target server. Even if only for a short term[1]. This means we lose. 1. And more likely the user will fetch a full TGT on the source host when they want to copy stuff to another host since the default mode of login will probably stay ssh keys. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Misc development news (#8)
On Wed, 11 Jun 2008, Tollef Fog Heen wrote: * Philip Hands | While this is initially for our (DSA's) benefit, in that it makes applying | global changes easier, it's also for user's benefit. -- compare the | effort required to ensure that there are no copies of a key (that was | on a stolen laptop, say), on every debian host you _might_ have copied | it to, to the effort of sending a single mail and knowing you're done. That's one way to look at it. For some of us, it means debian SSH keys have to be handled specifically and not through $RCS update through cron so it comes out as more, not less, work. Oh yes. I was particularly fond of people who automatically restored compromised authorized_keys after I had moved them away. It made my life so much more interesting.
Re: Misc development news (#8)
On Sun, 01 Jun 2008, Mohammed Adnène Trojette wrote: On Sun, Jun 01, 2008, Peter Palfrader wrote: know it. I suppose etc/motd will eventually be updated to point to it also. What's the use if you can't manage to login? Is this just to show that you have no idea what this is about, or that you didn't read the email I did send to d-d-a three weeks ago? (hint: how would you place that file there in the first place?)
Re: Misc development news (#8)
On Sun, 01 Jun 2008, Philip Hands wrote: If there's some reason that you want specific keys to only give access to specific hosts, and if the reason justifies the effort, I suppose it would be possible to come up with a way of tagging which hosts any particular key should give access to in LDAP -- is that why you're worried about the loss of this feature? Actually, that's already on the TODO list. Something like adding 'host=samosa,gluck,merkel in front of your key and having that key only exported to the named hosts. Probably ok for interactive keys, for stuff that's command locked however the symlink[1] approach we currently use is probably easier on the user. That way they can edit their own file and can immediately test stuff. 1. (See /ssh-keys on gluck and tail -n2 /etc/ssh/sshd_config) -- weasel
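The host-tagging idea floated in the message above, as an added sketch that is not part of the original mail and not userdir-ldap code. It assumes the tag is a leading `host=name1,name2` token followed by a normal authorized_keys line; the function names, the fleet list and the key blobs are constructed for illustration.

```python
"""Per-host export of SSH keys carrying a host= allow-list tag.

Assumed syntax (the mail only says "something like"): an optional leading
token host=name1,name2 followed by a normal authorized_keys line.
User names, key blobs and the fleet list are constructed sample data.
"""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"}
HOST_TAG = "host="


class KeyEntryError(ValueError):
    """Raised for an entry that must not be exported to any host."""


def parse_entry(raw, fleet):
    """Return (allowed hosts, or None meaning every host; authorized_keys line)."""
    line = raw.strip()
    hosts = None
    if line.lower().startswith(HOST_TAG):
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise KeyEntryError("host tag without a key")
        names = [h.strip().lower() for h in parts[0][len(HOST_TAG):].split(",")]
        if any(not h for h in names):
            raise KeyEntryError("empty host name in tag")
        unknown = sorted(set(names) - fleet)
        if unknown:
            # Fail closed: a typo must not silently change where a key works.
            raise KeyEntryError("unknown host(s): " + ",".join(unknown))
        hosts = frozenset(names)
        line = parts[1].strip()  # sshd never sees the tag itself
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise KeyEntryError("no key type followed by key data")
    return hosts, line


def export_for_host(host, entries, fleet):
    """Build the key list for one host; return (lines, rejected entries)."""
    host = host.lower()
    if host not in fleet:
        raise KeyEntryError("not a fleet host: " + host)
    lines, rejected = [], []
    for user, raw in entries:
        try:
            hosts, key_line = parse_entry(raw, fleet)
        except KeyEntryError as exc:
            rejected.append((user, str(exc)))
            continue
        if hosts is None or host in hosts:
            lines.append((user, key_line))
    return lines, rejected


# Constructed fleet and directory entries (host names borrowed from the thread).
FLEET = frozenset({"samosa", "gluck", "merkel", "ravel"})
SAMPLE_ENTRIES = [
    ("alice", "ssh-rsa AAAAconstructedA alice@laptop"),
    ("bob", "host=samosa,gluck,merkel ssh-rsa AAAAconstructedB bob@desk"),
    ("carol", 'host=gluck command="rsync --server --sender . /srv/mirror",no-pty '
              "ssh-rsa AAAAconstructedC carol@backup"),
    ("dave", "host=gluk ssh-rsa AAAAconstructedD dave@home"),   # typo in host name
    ("erin", "host= ssh-rsa AAAAconstructedE erin@home"),       # empty allow-list
]

if __name__ == "__main__":
    for target in sorted(FLEET):
        keys, bad = export_for_host(target, SAMPLE_ENTRIES, FLEET)
        print(target, [user for user, _ in keys])
    print("rejected:", bad)
```

Rejecting entries with an unknown or empty host list, rather than treating them as untagged, keeps a mistyped tag from widening a key to every host.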
Re: Misc development news (#8)
[EMAIL PROTECTED] dropped] On Sat, 31 May 2008, Steve Langasek wrote: I think this is a great example of why announcements like this should be sent to debian-devel-announce in the first place, instead of being relegated to the debian-infrastructure-announce list that most developers aren't subscribed to. - d-d-a is the list that all developers are supposed to be subscribed to, which means that's the list where announcements of general interest *should* go. It's not development related tho. And most people really don't need to know it. I suppose etc/motd will eventually be updated to point to it also. This is information that does need to go to /all/ developers, not just to the infrastructure-announce list Well, you can't please all of them. Frankly, I think most of the posts to d-d-a have no place on that list in the first place. If it's the list DD are required to subscribe to we should try to also send stuff there that they *read*. I hardly read all of the posts sent there. What's the number of affected DDs here? 10? 20? I think dia was the appropriate for that mail. The pointer in buxy's mail was also fine, tho I wouldn't have placed it quite as prominently. The use of ~user/.ssh/authorized_keys files has been disabled since DSA1571 was announced. While our initial plan was to allow them again eventually some bad experience with DDs' key handling has led us to reconsider that intent. ... that means? What bad key handling was seen that warrants such a policy change? People submitting known bad keys to ldap and stuffing those in their authorized_keys files also. What else did you think it meant? -- weasel
please clean up your home directory on gluck (people.d.o)
Once again the filesystem that hosts /org and /home on gluck.debian.org (aka people.debian.org and cvs.debian.org) was coming close to being full. Black choppers have been dispatched to some offenders and with the help of elite units we already have reclaimed some disk space but there's probably still a lot of stuff just that we could do without. So, please check if there is anything in your home directory (or in one of the /org/ directories that you work on) that you no longer need or that you didn't even know about and don't want anyway (Like that 1.5 gigabyte spam folder that just happens to have accumulated). Please remove that cruft. Thanks, Peter PS: While 600 gigs may seem large, over half of it is used by the archive mirror (that isn't easy to get rid of) and some other things in /org, leaving the over 1000 developer accounts with only a mere 250 gigs among them. So please be considerate with your use of disk space.
Re: No buildd redundancy for alpha/mips/mipsel
On Thu, 29 Nov 2007, Tim Cutts wrote: I knew Peter had been working on it, but I didn't know that the machine was available for use, since I wasn't notified when he finished. Hey, I'm only the local admin, what do I know... :-) | Subject: [rt.debian.org #59] New alpha porter machine ready for setup | From: Peter Palfrader via RT [EMAIL PROTECTED] | Reply-To: [EMAIL PROTECTED] | In-Reply-To: | References: [EMAIL PROTECTED] | Message-ID: [EMAIL PROTECTED] | Precedence: bulk | X-RT-Loop-Prevention: rt.debian.org | RT-Ticket: rt.debian.org #59 | Managed-by: RT 3.6.1 (http://www.bestpractical.com/rt/) | RT-Originator: [EMAIL PROTECTED] | To: [EMAIL PROTECTED] | MIME-Version: 1.0 | Content-Type: text/plain; charset=utf-8 | Content-Transfer-Encoding: 8bit | X-RT-Original-Encoding: utf-8 | Date: Mon, 12 Nov 2007 10:21:03 -0700 | X-RT-Original-Encoding: utf-8 | | albeniz.debian.org should have been setup and be ready for use. Thanks | for helping the Debian project. -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/
Re: Popularity contest
On Fri, 16 Sep 2005, Sven Luther wrote: On Fri, Sep 16, 2005 at 02:21:28PM +0200, Henning Makholm wrote: Scripsit David Moreno Garza [EMAIL PROTECTED] On Fri, 2005-09-16 at 00:04 +0200, Henning Makholm wrote: No. Why not? What would be the point? Promote the use of popcon and therefore, have some useful statistics on the usage of packages? Again, why would that be relevant precisely on the package search page? There seems to be no logical connection to popcon from that page at all - except insofar that the package search page and popcon both have something to do with Debian, but by that reasoning all Debian pages ought to link to each other. I really don't see what the specific connection between package search and popcon should be. Simply add the popularity context data for each package into the page of the package, with an how this info was obtained kind of link to popcon ? developer.php on qa[1] already has all this information. If we add popcon to packages.debian.org, then why not all the rest? I think having all this stuff at developer.php is sufficient, adding it to packages.d.o too does not add anything. Or maybe one should add a link to developer.php from packages? Peter 1. http://qa.debian.org/developer.php?login=weaselcomaint=yes -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Library
Ralf Postler wrote on Monday, 22 March 2004: A quick question: I would like to donate a current version of Debian, bought from an official vendor, to my city library (Erlangen). Is that OK without restrictions, or is there anything I need to keep in mind? Make sure that it only contains main and that the sources always go with the binary CDs, so that you don't run into any GPL issues. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Bug#210879: marked as done (constitution.txt: revise odd language -- K Developers... not integers)
On Wed, 03 Dec 2003, Joel Baker wrote: FWIW, while I'm not sure if I agree with the assertion that it is a problem, I do think the submitter deserves some level of justification for why it isn't left open/wontfix, Because there is no problem. We need at least some real number developers is perfectly clear language. If some law requires 2/3 majority to pass a parliament, the world does not come to an end either if the number of representatives is not divisible by 3. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: check this.
On Mon, 01 Dec 2003, Vyacheslav Mukha wrote: Which kernel do you have installed? uname -r uname -r 2.4.18-bf2.4 You are running a kernel that has known security issues. You should install a kernel that has fixed those problems. Please see the following URL for this (I think) specific problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127 Debian woody has fixed kernels which fixed this privilege escalation: kernel-image-2.4.18-1-something. apt-cache search kernel-image should give you a list of available kernel images (note that the -1 after 18 is important). Install the one that suits your system. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: check this.
On Mon, 01 Dec 2003, Rafa Forcada wrote: On Mon, 01-12-2003 at 16:42, Peter Palfrader wrote: On Mon, 01 Dec 2003, Vyacheslav Mukha wrote: This exploit work on my Debian woody 3.r1 and get root . May be that script is instrument . Which kernel do you have installed? It worked on my debian woody 3.r1 too. [EMAIL PROTECTED]:~/temp$ uname -r 2.4.20 [EMAIL PROTECTED]:~/temp$ ./kptrace sh-2.05a# whoami root You are running a kernel that has known security issues. You should install a kernel that has fixed those problems. Please see the following URL for this (I think) specific problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127 Debian woody has fixed kernels which fixed this privilege escalation: kernel-image-2.4.18-1-something. apt-cache search kernel-image should give you a list of available kernel images (note that the -1 after 18 is important). 2.4.20 suggests you built your own kernel however. Upgrading to 2.4.23 could be a good idea. HTH Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: debian motherboards
On Tue, 12 Aug 2003, Robert Ribnitz wrote: - If you put raid, look to get two identical (same model) disks for RAID 1 wrong - get two different disks of the same size. Peter -- Cannot verify the sig? Update 94C09C7F from subkeys.pgp.net.
Debian Logo (was: V'z gbb ynml sbe n fhowrpg)
On Sun, 09 Mar 2003, Scott Evans wrote: Hi, I don't know if this email is to the correct department, if not please could you email me to let me know where to send it. I am currently studying in University and have to write a report on Debian. Would it be possible to use your logo on this report, which will be handed in to my lecturer. It will not be used for any other purpose. http://www.debian.org/logos/ Using the Debian Open Use Logo should be ok I guess. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: comment on User Review of Debian GNU/Linux
On Tue, 04 Mar 2003, Adam DiCarlo wrote: Actually, there are security team updates available for sarge; just put this in sources.list: deb http://security.debian.org/ sarge/updates main contrib non-free This is wrong. http://www.debian.org/security/faq#testing The sarge/updates will probably get used during freeze, but testing is currently _NOT_ supported by the debian security team. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Debian keyring analysis
On Fri, 07 Feb 2003, Lars Wirzenius wrote: Tue, 04-02-2003 at 23:49, Peter Palfrader wrote: On Tue, 04 Feb 2003, Lars Wirzenius wrote: I was bored at work today, and wrote a quick-and-dirty Python script for analyzing the Debian keyrings. You are aware of http://people.debian.org/~weasel/weboftrust/ ? Nope, I wasn't, thanks for the link. If I understood correctly, that page lists statistics for which keys in the strongly connected set are closer to other keys than others. It doesn't explicitly list the keys that are not in the strongly connected set. Not yet. I've wanted to do this for a long time but never got around. And Martin stopped kicking me about it as well :). I'm not very good at GPG/PGP web-of-trust things. Would it be good to try to include all keys in Debian's keyring in the strongly connected set? This should strengthen the web-of-trust within Debian, yes? Yes and Yes. cu Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
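The strongly connected set discussed in the exchange above, worked through as an added example (this is neither Lars's script nor the code behind the weboftrust page). It assumes a signature listing in the colon-delimited layout of `gpg --list-sigs --with-colons`; the key IDs are constructed, and "mean distance" is this example's own definition: the average number of signature hops from each other member of the set to a key.

```python
from collections import defaultdict, deque

# Constructed sample: field 1 is the record type, field 5 the key ID
# (for "sig" records, the ID of the signing key).
SAMPLE = """\
pub:-:1024:17:0000000000000001:::::::
sig:::17:0000000000000001:::::self:13x:
sig:::17:0000000000000003:::::carol:10x:
sig:::17:0000000000000005:::::eve:10x:
pub:-:1024:17:0000000000000002:::::::
sig:::17:0000000000000001:::::alice:10x:
pub:-:1024:17:0000000000000003:::::::
sig:::17:0000000000000002:::::bob:10x:
sig:::17:0000000000000001:::::alice:10x:
pub:-:1024:17:0000000000000004:::::::
sig:::17:0000000000000001:::::alice:10x:
sig:::17:00000000000000FF:::::not in keyring:10x:
pub:-:1024:17:0000000000000005:::::::
pub:-:1024:17:0000000000000006:::::::
"""

def parse_signatures(listing):
    """Return (keys, edges); edges[signer] is the set of keys it signed."""
    keys, pending, current = set(), [], None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]
            keys.add(current)
        elif f[0] == "sig" and current and f[4] != current:  # skip self-sigs
            pending.append((f[4], current))
    edges = defaultdict(set)
    for signer, signee in pending:
        if signer in keys:  # signatures from outside the keyring do not count
            edges[signer].add(signee)
    return keys, edges

def reverse(edges):
    rev = defaultdict(set)
    for signer, signees in edges.items():
        for signee in signees:
            rev[signee].add(signer)
    return rev

def hops_from(start, adj):
    """Breadth-first search: {key: number of hops from start}."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        k = queue.popleft()
        for n in adj.get(k, ()):
            if n not in dist:
                dist[n] = dist[k] + 1
                queue.append(n)
    return dist

def strong_set(keys, edges):
    """Largest set in which every key reaches every other via signatures."""
    rev, seen, best = reverse(edges), set(), set()
    for k in sorted(keys):
        if k not in seen:
            comp = set(hops_from(k, edges)) & set(hops_from(k, rev))
            seen |= comp
            if len(comp) > len(best):
                best = comp
    return best

def analyse(listing):
    keys, edges = parse_signatures(listing)
    strong, rev, msd = strong_set(keys, edges), reverse(edges), {}
    for k in strong:
        dist = hops_from(k, rev)  # hops needed by each signer to reach k
        others = [m for m in strong if m != k]
        msd[k] = sum(dist[m] for m in others) / len(others) if others else 0.0
    return strong, sorted(keys - strong), msd

if __name__ == "__main__":
    strong, outside, msd = analyse(SAMPLE)
    print("strong set:", sorted(strong))
    print("outside:", outside)
    print("mean distance:", msd)
```

In the sample, key 4 is signed by a member of the set but has signed nobody, and key 5 has signed a member but nobody has signed it; both fall outside the set, which is why only mutual signing pulls a key in.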
Re: Debian keyring analysis
On Tue, 04 Feb 2003, Lars Wirzenius wrote: I was bored at work today, and wrote a quick-and-dirty Python script for analyzing the Debian keyrings. You are aware of http://people.debian.org/~weasel/weboftrust/ ? yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Debian as a social group and how to develop it better
On Mon, 02 Dec 2002, Xavian-Anderson Macpherson wrote: On Monday 2002 December 02 02:50, Martin Schulze wrote: I just tried to find SONAME using man. How can I find out what this is? Will the LSB eliminate this? What about the new UnitedLinux distribution. Because the distribution uses different libraries and stuff. That's what I am complaining about. Stop using different libraries. How do you suggest to get over a hundred different linux distributions to always run the same version of each library? yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Debian as a social group and how to develop it better
On Mon, 02 Dec 2002, Xavian-Anderson Macpherson wrote: On Monday 2002 December 02 10:13, Martin Schulze wrote: Xavian-Anderson Macpherson wrote: On Monday 2002 December 02 02:50, Martin Schulze wrote: Why (if everything is the same), would anyone have to recompile for binaries, if the binaries were made once by the packagers and remained in their original condition? Because, and your assumption is totally wrong, nothing is the same, rather than everything. I was specifically speaking in the context of my (perfect world) example. I said IF!! Not IS!! I know everything IS NOT the same. That's why I wrote this! Here, let me make this simple. If ALL of linux, were handled in the same way as the KERNEL, - it would not work on (n-1) architectures out of the box but would require huge patching - there would be even more distributions than there are ATM. Am I correct that Linus is the only one who approves of the changes to the kernel? No. Different people handle different branches. And then there are even more semi- and un- official versions distributed from ftp.kernel.org and other places. Also be aware that one cannot build _the_ binary image which works in all possible scenarios. There are reasons to build things differently. The same applies to other software as well. Also be aware that software which builds for and works on ia32 does not automagically work on all other platforms as well. In short what you want is not possible and probably never will. Not even in a perfect world. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Debian as a social group and how to develop it better
On Mon, 02 Dec 2002, Xavian-Anderson Macpherson wrote: How much is necessity much. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Debian as a social group and how to develop it better
On Mon, 02 Dec 2002, Xavian-Anderson Macpherson wrote: Debian packages tend to be more true to the original source than those of other large distributions. This is why I said no one should have the right to do this. There needs to be a rigid air-traffic control system, just as there is on any major airport. If you want to change course, you have to get permission first, not after you have already crashed! Sorry, but that simply doesn't work. It might in a perfect world but we are _far_ from that. Upstream loses interest in their work but bugs need to get fixes still. Sometimes upstream has /interesting/ ideas about where files should be (like everything below /var/MTA/ or something like that). This violates every idea of a normal Unix system tree - we fix this if possible. There are several other good reasons for distributions overriding upstream. _PLEASE_ get some experience before you tell us we've been wrong since forever. What you're doing now is only demonstrating that you've never ever maintained a system with even slightly special needs. (This is by no means intended as an offence). yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: debian cd-image mirrors and US export restrictions
On Tue, 05 Nov 2002, Andrew Lau wrote: On Mon, Nov 04, 2002 at 11:32:15PM +0100, Harald K. wrote: In contrast to the package servers, the debian cd image mirrors are not separated according to these circumstances. Also the ones located in the US are containing the non-us variant of the first iso image. I don't understand why the US exports regulations seems to have no influence on the distributing of the cd images, which contain US sensitive software packages. If anyone has an idea on this topic, I would be grateful for any remark. Since last year, the US export restrictions have been lifted Andrea, I think the OP was asking why US mirrors offer the non-US ISO image for download. Harald, did I misunderstand you? yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Bug#159511: project: debian smtp servers should be able to support secure SMTP (SSL/TLS)
On Wed, 04 Sep 2002, Wichert Akkerman wrote: Previously Noel Koethe wrote: please support secure SMTP (rfc2487) to have a secure and private communication on non-official mailinglists. FWIW, SPI already supports this :) Then it would be nice if master (and its backups) would support it too, not just murphy for the lists. It's a pity that SPI (-private) mail travels encrypted to spi-inc, from there in plain to master, in plain to my MX to be forwarded encrypted again to my box. On a side note I doubt murphy could handle the load of also doing TLS for its amount of mail. I'm looking forward to being proven wrong. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: admins: please clarify /etc/motd on auric
On Fri, 30 Aug 2002, Henrique de Moraes Holschuh wrote: the local time and our own time. The cronjobs are in local time anyway, Which is annoying as well, but we have to cope with that :-) We could set the system timezone to GMT. hint, hint. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: admins: please clarify /etc/motd on auric
On Fri, 30 Aug 2002, Mark Brown wrote: On Fri, Aug 30, 2002 at 09:13:34AM +0200, Martin Schulze wrote: Branden Robinson wrote: I assume this means local time for auric, but it might be nice to add the timezone identifier. Oh come on! If you ask somebody on the street for the current time, do you expect him to answer with a note that it's Hong Kong time instead of local time? What other time than local would make sense when not stated differently? On a system like auric that's used by people from many different timezones as part of a worldwide project it could just as well be UTC. In any case, it would be more helpful to specify which timezone is being talked about - off hand I've no idea what timezone auric is in. Which reminds me that it would be a good idea to have all debian.org systems have their TZ as GMT. Is there any reason why this isn't done? yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: irc.debian.org
On Fri, 16 Aug 2002, Josip Rodin wrote: Once again, what do you people think? I would welcome a move to OFTC too. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Project Adamastor - Portugal
[CCed, as I'm not sure you are on debian-project] Hi Pedro, On Fri, 15 Mar 2002, Pedro Cavaco wrote: The Project Adamastor is Portuguese project with the function of publish and promote Linux Operating System. Our work is not supported for no one, and we don't have any support or payment for do that, we do this with free spirit of learning and promotion of Linux, we fight to get Linux more close of all. In the way of this things, we would like to request if possible to you Debian Linux Distribution if is possible to send to us a original (box) of Debian to us (Project Adamastor). We know we can download the OS Debian from the site on internet, but please help our project and our motivations. Thank You Debian developers are unpaid volunteers too who build and improve the distribution in their spare time. We are not a company like Red Hat or SuSE and as such we don't have a boxed set (we don't even sell our distribution). There are third parties that put the ISOs we provide on CDs and sell them in a nice box, often with a good handbook or telephone support. Perhaps one of them (check out [1]) can help you. Hope that helps, if you still have questions please reply to debian-project@lists.debian.org. yours, peter 1. http://www.debian.org/CD/vendors/ PS: | Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], Neither the database admin, nor the listmasters are the correct contact for issues like this. debian-project should be just fine. What is support@ for anyway? -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/
Re: Progress; How create a mail list for Woody Users?
On Sun, 23 Sep 2001, tluxt wrote: Thus, applying the principles of accuracy, and the procession from general toward specific, gives us the result for the name: debian-woody-user. I don't like the name for various reasons: - woody is just the name of the next release and current testing distribution. What do you suggest should happen to this list once woody becomes stable and we have a new testing, once woody is no longer stable. - We are splitting debian-user. Therefore new lists should have the name debian-user-*. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' :By professionals, | `. `' for professionals http://www.palfrader.org/ | `-http://www.debian.org/
Re: RFD: Separate mailing list for users running testing?
Hi tluxt! On Fri, 14 Sep 2001, tluxt wrote: Actually, the more I think about what such a list should be about, and what its name should be, the more I think we should have two lists: debian-woody-user debian-sid-user It should be debian-user-woody debian-user-sid _or_ debian-user-testing debian-user-unstable if anything at all (I don't comment on the necessity as I don't read -user currently). The latter two having the advantage that we need not rename the lists once woody gets stable and a new testing is forked. The debian-user- naming scheme makes it more clear that those are _user_ lists, born from debian-user (compare this to your favorite newsgroup hierarchy) and also sorts nicely. yours, peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' :By professionals, | `. `' for professionals http://www.palfrader.org/ | `-http://www.debian.org/