Re: [squeeze] permission to upload thunar-volman
On 02/26/2011 06:01 PM, Yves-Alexis Perez wrote:
> On Sat, 2011-02-26 at 18:00 -0600, Ron Johnson wrote:
>> Isn't it auto*run* which opens a vulnerability, and thus should be
>> disabled by default?
>
> Autorun can lead to somewhat direct exploitation.

Right.

>> Disabling automount & autobrowse seems to be security overkill.
>
> Autobrowse means a file manager is opened, which, by default, tries to
> make thumbnails of files, which, in turn, can lead to code execution by
> exploiting bugs in pdf parsers.

Ah. Turn off thumbnailing of removable media?

-- 
I prefer banana-flavored energy bars made from tofu.

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d699b13.6060...@cox.net
Re: [squeeze] permission to upload thunar-volman
On 02/26/2011 05:32 PM, Yves-Alexis Perez wrote:
> On Sat, 2011-02-26 at 18:00 +0000, Adam D. Barratt wrote:
>> [snip]
>> Apologies if I'm missing something obvious, but what's the motivation
>> for making this change in stable? The changelog for the proposed
>> upload and the corresponding upload to unstable don't provide any
>> further information afaics (hence the suspicion that I'm missing
>> something).
>
> There has been recent news about security issues with automount stuff
> (linked with vulnerabilities in pdf parsers and thumbnailers). It
> doesn't warrant a DSA, but I think it's safer to ship thunar-volman
> with automount/autobrowse/autorun disabled by default.

Isn't it auto*run* which opens a vulnerability, and thus should be
disabled by default?

Disabling automount & autobrowse seems to be security overkill.

-- 
I prefer banana-flavored energy bars made from tofu.

Archive: http://lists.debian.org/4d699401.8070...@cox.net
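As an added illustration of the change Yves-Alexis is proposing (this is editorial example code, not code from the thread, from thunar-volman or from the Debian package): a small Python script that audits a thunar-volman xfconf channel file for the auto-mount, auto-browse and autorun switches and rewrites it with all of them explicitly set to false, adding any switch the file does not mention so the outcome no longer depends on a compiled-in default. The nested-<property> XML layout and the property names automount-drives, automount-media, autobrowse, autorun and autoopen are assumptions about how xfconf stores these settings; compare them against /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.xml on a real system before relying on them. The sample configuration embedded below is constructed for the example.

```python
"""Audit and harden a thunar-volman xfconf channel file.

Added example, not code from thunar-volman or Debian. The per-channel XML
layout (nested <property> elements, the inner one type="bool" with
value="true|false") and the property names in RISKY_FEATURES are
assumptions about how xfconf stores its settings.
"""
import xml.etree.ElementTree as ET

# Features the thread argues should be off by default for removable media.
# Assumed property paths directly under the thunar-volman channel.
RISKY_FEATURES = {
    "automount-drives": "auto-mounting of hot-plugged drives",
    "automount-media": "auto-mounting of inserted media",
    "autobrowse": "opening a file manager window (which runs thumbnailers)",
    "autorun": "running autorun programs from the medium",
    "autoopen": "honouring autoopen files on the medium",
}

# Constructed sample of a shipped default with everything switched on.
# Layout is assumed (see module docstring); "autoopen" is deliberately
# absent to exercise the missing-entry path.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="thunar-volman" version="1.0">
  <property name="automount-drives" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="automount-media" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="autobrowse" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="autorun" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="autoplay-audio-cds" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
</channel>
"""


def _enabled_flags(root):
    """Yield (feature name, inner <property name="enabled"> element)."""
    for feature in root.findall("property"):
        for child in feature.findall("property"):
            if child.get("name") == "enabled" and child.get("type") == "bool":
                yield feature.get("name"), child


def audit(xml_text):
    """Return the risky features that are effectively on.

    A feature missing from the file counts as on: the daemon then falls
    back to its compiled-in default, which is exactly what the thread
    wants to stop relying on.
    """
    root = ET.fromstring(xml_text)
    seen = {}
    for name, elem in _enabled_flags(root):
        seen[name] = elem.get("value", "false").lower() == "true"
    return sorted(f for f in RISKY_FEATURES if seen.get(f, True))


def harden(xml_text):
    """Return new channel XML with every risky feature explicitly false."""
    root = ET.fromstring(xml_text)
    present = dict(_enabled_flags(root))
    for feature in RISKY_FEATURES:
        if feature in present:
            present[feature].set("value", "false")
        else:
            parent = ET.SubElement(root, "property", name=feature, type="empty")
            ET.SubElement(parent, "property", name="enabled",
                          type="bool", value="false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for feature in audit(SAMPLE_CONFIG):
        print(f"enabled: {feature} ({RISKY_FEATURES[feature]})")
    print("after hardening, still enabled:", audit(harden(SAMPLE_CONFIG)))
```

Run it against the system default file to see which switches a stock install leaves on; the per-user override lives under ~/.config/xfce4/xfconf/xfce-perchannel-xml/ (assumed path), and at runtime the same switch can be flipped with xfconf-query -c thunar-volman -p /autobrowse/enabled -s false (property path assumed as above). Disabling autobrowse only removes the automatic trigger: a user who opens the medium by hand still gets the thumbnailers run over its contents, which is why the question about turning off thumbnailing for removable media is a separate one.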
Re: imminent 2.6.26 sid upload
On 07/23/08 18:41, Steve Langasek wrote:
> On Wed, Jul 23, 2008 at 08:07:25PM -0300, Otavio Salvador wrote:
>>> That's just adding an arbitrary 5-day delay. Uploading to experimental
>>> won't uncover new issues, because nobody uses packages in experimental.
>
>> Uploading it to sid will make a reversion to .25 much harder if
>> needed. Besides that, we'd need to know if it _at least_ builds on all
>> architectures and then be ready to upload meta packages...
>
> No, it really would be a waste of time. 2.6.25 is already in testing, so
> t-p-u is still there as an update path; but no one on the kernel side is
> really considering 2.6.25 to be an option for lenny, and the sooner we get
> 2.6.26 into unstable the sooner we can get everything smoothed out for
> lenny.

2.6.26 has updated udf code for reading Blu-ray discs, and ISOs burned on
them. So, even now, people need a kernel that will read them, and I'm
eagerly awaiting that kernel to be loaded to experimental or sid.

-- 
Ron Johnson, Jr.
Jefferson LA USA

"Kittens give Morbo gas. In lighter news, the city of New New York is
doomed."
Re: Bug#395252: ignore bug 395252 'mplayer embeds ffmpeg' for lenny
On 06/18/08 10:11, Mike Hommey wrote:
> On Wed, Jun 18, 2008 at 02:09:06PM +0200, A Mennucc wrote:
[snip]
>> 2) Another point is that
>> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
>> lists many packages which ship embedded copies. One example is
>> mozilla/iceweasel/iceape. Iceweasel had 9 security bugs in Etch.
>> Iceweasel has ~500 bugs (!!). So iceweasel should be kept out of
>> Lenny, since it contains embedded copies of code and is quite
>> buggy. But no one is ever posting this RC bug. Why? Beats me.
>
> Note iceweasel 3.0, which is planned for Lenny, while it contains an
> embedded copy of code, does *not* use it. Find another example.

Contains embedded code, but doesn't use it? And it hasn't been/can't be
stripped out?

(I've been in the industry long enough to know that that is a symptom of
serious, systemic problems within the application.)

-- 
Ron Johnson, Jr.
Jefferson LA USA

"Kittens give Morbo gas. In lighter news, the city of New New York is
doomed."
Re: Considerations for lilo removal
On 06/16/08 04:19, Mike Hommey wrote:
> On Mon, Jun 16, 2008 at 10:57:32AM +0200, Frans Pop wrote:
>> We still very regularly get installation reports where people use lilo
>> rather than grub, so it must still have a fairly significant user base. I
>> would say that the activity on the bug report shows the same.
>
> OTOH, aren't most of these choosing lilo over grub only doing so by
> habit?

Does it matter? Debian doesn't just have one web browser, one MUA, one IM
app, one scripting language, one word processor, one movie player, etc,
etc, etc. So why should it only have one boot loader?

-- 
Ron Johnson, Jr.
Jefferson LA USA

"Kittens give Morbo gas. In lighter news, the city of New New York is
doomed."
Re: flashplugin-nonfree 9.0.48.0.1etch1 for Stable
On 07/26/07 17:30, Neil McGovern wrote:
> On Thu, Jul 26, 2007 at 08:28:41AM +0200, Bart Martens wrote:
>> Hi Stable Debian-Release,
>> Hi Security Team,
>
> Not speaking in any official capacity here, but:
>
> Let's have a look at the vulnerabilities which still affect etch:
> CVE-2007-2022 - "Unspecified vulnerability ... unspecified impact and
>                 remote attack vectors." but looks like a keylogger if
>                 someone visits a malicious webpage.
> CVE-2007-3456 - "Unspecified vulnerability .. related to an input
>                 validation error." - arbitrary code execution.
>
> So fairly serious.
>
> It seems that 9.0.45.0 was only for Mac/Windows, and 9.0.47.0/9.0.48.0
> is only for linux.
> AFAICT, 9.0.48.0 is 9.0.31.0 + security fixes (as described in
> APSB07-12[0]), except for sparc, which implements the 9.0.31.0 features
> for that arch (probably a good thing).

It apparently also has some feature upgrade(s)/bug fixes, because .48
plays New York Times videos, whereas .31 would not.

>> 1. We could flashplugin-nonfree 9.0.48.0.1etch1 to Stable soon. The
>> only change is the update of the MD5 checksums. Obviously the upstream
>> Flash plugin itself may have been modified heavily, no idea.
>> 2. I can create a special flashplugin-nonfree package for Stable to
>> remove the insecure plugin from the Stable systems, notifying the users
>> of this removal, and suggesting them to use Backports.
>
> I'd suggest heavy testing (if this hasn't been done already) on the
> 9.0.48.0 package with the aim of working out if new features have been
> added.
>
> If not, then it may be possible that this really is a bugfix-only
> release, and IMO would be suitable for an update.
>
> Neil
> [0] http://www.adobe.com/go/apsb07-12

-- 
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
Re: etch and kernels2.4
On 06/20/07 09:28, Michelle Konzack wrote:
[snip]
> If you have suggestions (in general HOW to replace the current
> computers to more modern Hardware) please let me know. The TWO 19"
> SPARC are working perfectly too, but are too expensive for my
> customers.

Get local people to install an air conditioner in the DC?

-- 
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
Re: etch and kernels2.4
On 06/17/07 10:13, Michelle Konzack wrote:
> On 2007-06-13 16:59:23, Pierre Habouzit wrote:
>> If people were reading release notes, we wouldn't have this problem,
>> as etch release notes ask users to install a 2.6 kernel already.
>
> My problem is that I have several Mainboards which refuse to work with
> the Debian Kernels and SMP compiled in, so there was NO WAY to install
> a 2.6 kernel. (I had upgraded and rebooted but it no longer starts
> with the new 2.6 Kernel.)

What happened when you rolled your own 2.6 kernel, with the necessary
chipset/etc drivers?

-- 
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
Re: BIND 8 deprecation for the release notes
On 01/11/07 13:24, Andrew M.A. Cater wrote:
> On Thu, Jan 11, 2007 at 07:30:39PM +0100, Moritz Muehlenhoff wrote:
>> Roberto C. Sanchez wrote:
>>> Sure, but python2.5 is not really usable: almost all the python modules
>>> are compiled only for python2.4. For postgresql you are right and I'm
>>> wrong, but I suppose that there are other examples in the archive where
>>> only a major release is released.
>>>
>>> Anyway, my question still applies. :)
>>>
>>> That got me wondering and it appears that Etch will ship with Apache
>>> 1.3.34? Why? It is considered a legacy release by ASF? Is the Debian
>>> security team really willing to support it for another 2-3 years?
>
> If you have a large webserver farm / custom modules for Apache / your
> third party application has hooks into Apache 1.3, you may still want
> it. Apache 2 will be what many will install: it may be useful to retain
> the choice.
>
>> The same goes for bind8, only that I didn't receive a
>> substantial reply at all...
>
> Again: if your infrastructure / expertise is in BIND 8 and you can't
> afford to move? For some small group of users that may be reason enough.

Would popcon statistics be (imperfect but) useful in this situation?
Re: new mplayer
On 09/21/06 10:26, Joseph Smidt wrote:
> I understand the freeze is probably too soon, but I need mplayer for making
> movies I need for my physics research. Please allow this mplayer into
> Etch.

deb http://www.debian-multimedia.org testing main

-- 
Ron Johnson, Jr.
Jefferson LA USA

Is "common sense" really valid?
For example, it is "common sense" to white-power racists that
whites are superior to blacks, and that those with brown skins
are mud people. However, that "common sense" is obviously wrong.
Re: postgresql transition/upgrade strategy
On 09/11/06 09:43, Peter Eisentraut wrote:
> Because of the transition to the multi-version postgresql packaging, we will
> have the situation in etch that someone who just does "apt-get install
> postgresql" (as has been the custom for many years) will always end up with
> the old version 7.4 instead of the newer 8.1. (The reason that postgresql
> points to postgresql-7.4 is so that people's servers will continue running,
> because postgresql is 7.4 in sarge.)
>
> Now a couple of people have expressed worries about that and I was asked to
> bring it up on -release.
>
> A couple of ideas that have been thrown around:
>
> - Prevent new installations of postgresql (without -x.y); allow only upgrades.
>
> - Depend on both 7.4 and 8.1.
>
> None of these or any of the more crazy ones are particularly appealing,
> though.

Speaking as a user, I'd prefer having to specify the -x.y during the
apt-get. It removes the ambiguity.

-- 
Ron Johnson, Jr.
Jefferson LA USA

Is "common sense" really valid?
For example, it is "common sense" to white-power racists that
whites are superior to blacks, and that those with brown skins
are mud people. However, that "common sense" is obviously wrong.
Re: Etch timeline is unrealistic because non-free firmware is NOT being dealt with
George Danchev wrote:
> On Saturday 05 August 2006 17:30, Marco d'Itri wrote:
>> In linux.debian.kernel Ron Johnson <[EMAIL PROTECTED]> wrote:
>>>> I see that the lawyers of SuSE and Red Hat do not believe this to be
>>>> true or at least do not consider it a problem, and this is enough for
>>>> me to ignore the opinion of the debian-legal@ armchair lawyers.
>>> Could they have signed license agreements that we (not being
>>> executives of RHAT and Novell) don't know about?
>> While it may be possible in theory, it's also very hard to believe.

Because?

> If there are any signed license agreements, then they will probably drop some
> notes in the {src}.rpm packages themselves they distribute to give their
> users a clue, since these users are the most interested end to be aware of
> that legal situation.

Do any Debianites read SRC.RPM packages?

-- 
Ron Johnson, Jr.
Jefferson LA USA

Is "common sense" really valid?
For example, it is "common sense" to white-power racists that
whites are superior to blacks, and that those with brown skins
are mud people. However, that "common sense" is obviously wrong.
Re: Etch timeline is unrealistic because non-free firmware is NOT being dealt with
Marco d'Itri wrote:
> On Aug 04, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
>
>>>> think not? Prove it by proposing a GR. More importantly, the release team
>>> I had such a plan, but no time to implement it currently.
>> How do you handle the fact that it is a license violation making the
>> thing illegal to distribute?
> I see that the lawyers of SuSE and Red Hat do not believe this to be
> true or at least do not consider it a problem, and this is enough for
> me to ignore the opinion of the debian-legal@ armchair lawyers.

Could they have signed license agreements that we (not being executives
of RHAT and Novell) don't know about?

-- 
Ron Johnson, Jr.
Jefferson LA USA

Is "common sense" really valid?
For example, it is "common sense" to white-power racists that
whites are superior to blacks, and that those with brown skins
are mud people. However, that "common sense" is obviously wrong.
Re: Requalification of Alpha for etch
On Sun, 9 Oct 2005 00:06:35 +0200
Jan-Benedict Glaw <[EMAIL PROTECTED]> wrote:
> On Sun, 2005-10-09 00:00:37 +0200, Falk Hueffner
> <[EMAIL PROTECTED]> wrote:
>> John Goerzen <[EMAIL PROTECTED]> writes:
>>
>>> On Sat, Oct 08, 2005 at 07:40:15PM +0200, Falk Hueffner wrote:
>>> I saw on the wiki page a mention that HP sells new
>>> systems at insane prices. But the link didn't give
>>> pricing. Do you know what new systems sell for?
>>
>> I don't really recall, but it was way beyond being an actual
>> option.
>
> You can buy big iron these days, but probably not desktop-sized
> boxes.

http://h18002.www1.hp.com/alphaserver/workstations.html
http://h18002.www1.hp.com/alphaserver/workstations/ds15/

-- 
Ron Johnson, Jr.
Temporarily not of Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"You cannot feed the hungry on statistics."
David Lloyd George, British prime minister
Re: To block GNOME 2.10 or not
On Fri, 2005-06-17 at 09:30 +0200, Josselin Mouette wrote:
> Hi,
>
> the GNOME team is facing a dilemma regarding the migration of GNOME 2.10
> to sarge. The issue comes from #313219 : basically, gnomeVFS 2.10
     ^

Do you mean Sarge or testing?

(Realizing that Sarge was testing for so long that there's lots of
sarge<->testing muscle memory.)

[snip]

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"The one function that TV news performs very well is that when there
is no news we give it to you with the same emphasis as if it were."
David Brinkley
Re: May I suggest a New Name for Debian unstable? :(
On Thu, 2005-01-20 at 19:24 +0100, Sebastian Ley wrote:
> * Stephen Pinker wrote:
>> Debian unstable... it just has a bad sound to it. :(
>
> ...for a reason! The name should and does indicate that newbies better stay
> away from it. On the other hand we have the short and nice codename "Sid" for
> unstable...

So call it "expert"?

Sid is definitely usable by a power-user able to stomach the occasional
bump in the road. Maybe my computer needs are just limited, but I find
Sid very usable and having a low-enough bug count for an excellent
desktop experience.

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

When Swedes start committing terrorism, I'll become suspicious of
Scandinavians.
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, 2004-12-18 at 20:22 +0100, Martin Schulze wrote:
> Ron Johnson wrote:
>> On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote:
>>> Not directly related to 3.0r4, but while we are at it:
>>>
>>> Would be possible to remove packages in security.debian.org which are
>>> already part of 3.0r3?
>>
>> Isn't that "not correct", since someone who installs from 3.0 or
>> 3.0r[123] disks will need all of the packages in security.d.o to
>> be able to upgrade to the latest secure revisions?
>
> In general yes, but normally you also have the regular links to
> http.us.debian.org, no?

Well, it's moot in my case (I track sid).

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"All else being equal, you're safer traveling in a passenger vehicle
that's larger and heavier than in one that's smaller and lighter."
http://www.carsafety.org/vehicle_ratings/sfsc.htm
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote:
> Not directly related to 3.0r4, but while we are at it:
>
> Would be possible to remove packages in security.debian.org which are
> already part of 3.0r3?

Isn't that "not correct", since someone who installs from 3.0 or
3.0r[123] disks will need all of the packages in security.d.o to
be able to upgrade to the latest secure revisions?

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"Fair is where you take your cows to be judged."
Unknown
Re: Upload of GNOME 2.8 to unstable
On Tue, 2004-11-16 at 13:12 +0100, Wouter Verhelst wrote:
> On Tue, 16-11-2004 at 12:57 +0100, Martin Schulze wrote:
>> Wouter Verhelst wrote:
>>> It is. This is a myth which originated due to the fact that my
>>> wanna-build documentation at
>>> http://people.d.o/~wouter/wanna-build-states used to say wanna-build
>>> incorporates urgency in its ordering, but I was mistaken. It has been
>>> fixed in the meantime, but it appears this is a myth which isn't easily
>>> forgotten
>>
>> Just to get this straight, you fixed your documentation, the
>> buildd/wanna-build handling hasn't been fixed, right?
>
> Yes.

Because buildd/wanna-build was never broken (in this regard), right?

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B

"Man, I'm pretty. Hoo Hah!"
Johnny Bravo