Re: ia32-libs security support

2008-04-27 Thread Rich Healey 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dominic Hargreaves wrote:
> Hello,
> 
> I'm shortly going to be deploying a new general purpose login host on
> etch. As our old system is i386 and our new system amd64, I have
> installed the ia32-libs package, to give user-compiled code a chance of
> working, but having inspected the contents of the package, it seems to
> contain quite a lot of .so files repackaged from the i386 binaries, and
> I'm concerned that these won't be security supported (I've seen no
> security updates for this package).
> 
> Is my analysis correct, and I shouldn't install this package in a
> production environment?
> 
> Thanks,
> Dominic.
> 

Correct me if i'm wrong, but code compiled natively on the amd64 machine
should work fine.

It's the precompiled i386 code that will cause issues, assuming that
you'd install the same lib packages for the amd64 machine as you would i386.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIFXOKLeTfO4yBSAcRAhGvAJ9xboqM4dEfZtloettd56uBsHtcdACggzgz
EoW/GC7Ix4lFWtS2w89ZWX4=
=9qpH
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: ia32-lib plans and security support for same

2008-04-27 Thread Joerg Jaspert 
On 11369 March 1977, Goswin von Brederlow wrote:

> FTP-master asked me on irc to get permission from you (debian-security)
> for splitting up ia32-libs into multiple source packages before going
> any further.

I asked to get the opinion from the security team about the new package
scheme, as they will have the fun to also support that stuff in case
there are security bugs in one of the packages.

Instead of one package to deal with (ia32-libs) its included code copies
the current new scheme would make that a whole number of packages more.

> FTP-master rejected the first upload of the split packages saying among
> other things:

The whole reject was longer and, if you are interested, can be found on
merkel, /org/ftp.debian.org/queue/reject/ia32-alsa-lib_1.0.16-2+2_ia64.reason


-- 
bye, Joerg
[Es geht doch nichts ueber deutsche Uebersetzungen]
hurd:/# updatedb
hurd:/# /servers/socket/2: Der Übersetzer ist gestorben
-- Message-ID: <[EMAIL PROTECTED]>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

ia32-lib plans and security support for same

2008-04-27 Thread Goswin von Brederlow 
Hi,

FTP-master asked me on irc to get permission from you (debian-security)
for splitting up ia32-libs into multiple source packages before going
any further.

The ia32-libs package provides 32bit i486 legacy support for amd64 and
ia64 so that users can run software that is only available in
32bit. Among others this includes rar, wine, acrobat reader, mplayer
with windows dlls (sometimes you still need those), wine, google
earth, skipe, znes. According to popcon 94% of the amd64/ia64 users
have ia32-libs installed so the demand for 32bit support is still
high.

We, the ia32-libs team, plan to split up ia32-libs into multiple
source packages because it has become too big to keep track of it all.

Too name some numbers we currently have:

ia32-libs contains 116 debs from 106 sources and ia32-libs-gtk
contains 19 debs from 15 sources and more have been requested to
support additional software. In total this makes 440MiB:

-rw-r--r-- 1 mrvn mrvn  499 Apr 25 02:12 ia32-libs_2.4.dsc
-rw-r--r-- 1 mrvn mrvn 319M Apr 25 02:12 ia32-libs_2.4.tar.gz
-rw-r--r-- 1 mrvn mrvn  28M Apr 25 02:20 ia32-libs_2.4_amd64.deb
-rw-r--r-- 1 mrvn mrvn  32M Apr 25 02:13 ia32-libs_2.4_ia64.deb
-rw-r--r-- 1 mrvn mrvn 2.6M Apr 25 02:13 ia32-libs-dev_2.4_ia64.deb
-rw-r--r-- 1 mrvn mrvn  671 Apr 24 15:59 ia32-libs-gtk_2.2.dsc
-rw-r--r-- 1 mrvn mrvn  50M Apr 24 15:58 ia32-libs-gtk_2.2.tar.gz
-rw-r--r-- 1 mrvn mrvn 4.2M Apr 24 15:58 ia32-libs-gtk_2.2_amd64.deb
-rw-r--r-- 1 mrvn mrvn 4.2M Apr 28 01:43 ia32-libs-gtk_2.2_ia64.deb

There is currently (for Lenny at least) no way around having dummy
packages that contain source and precompiled debs and we have to live
with that ugliness for now. This mail isn't about that.

This mail is about how many dummy packages we have. Our plan is to
have one dummy package per source package. The dummy package have a
"ia32-" prefix before their original name to keep the namespaces
separate. The depends, provides, replaces, conflicts Fields as well as
the shlibs and symbols files are adjusted to match.

Advantages:
- trivial to check if the ia32-* package is up to date
- small packages allowing for a quick update/test/upload cycle
- we can keep in sync with unstable and testing
- no 440MiB upload to update a 1MiB library
- correct dependencies safeguarding the testing transition and updates
- bug-reports go to the individual package and not all pile onto
  ia32-libs
- maintainer, if willing, can maintain the ia32-libfoo package
  themself ensuring simultaneous updates

Disadvantages:
- 120 source packages instead of 2 huge ones



FTP-master rejected the first upload of the split packages saying among
other things:

Joerg Jaspert <[EMAIL PROTECTED]> writes:

> - The included complete copy of the source *and* the existing i386
>   binary is something that is really bad. Yes, we get in trouble if we
>   don't include the source for packages on the archive, but it is still
>   a *very* strong point against this packaging scheme.
>   We (as in ftp-team), but even more the security team are against them.

and quotes from a mail he got:

> 4/ Hard to handle for security team
>
> Those packages are not built from sources. This make them hard to handle
> for the security team.

One goal of the split is to actually simplify the handling. Currently
all libs are combined in ia32-libs and ia32-libs-gtk and even noticing
if any of them is affected by a maintainer or security upload is a
problem.

With the split packages there is a simple 1:1 mapping of the name so
it is trivial to check if ia32-foo exists when foo is updated. Lets
say zlib has a security upload:

rmadison ia32-zlib
 ia32-zlib | 1:1.2.3.3.dfsg-12+5 |  unstable | source

After seeing that ia32-zlib exists there are 2 ways to update the
package. First you download the source, unpack it and go into the
directory. Then you

a) put the security repository into /etc/ia32-libs-tools/sources.list
   run 'debian/rules update' to fetch the latest source and debs
   (debian/changelog will be recreated from the security upload so it
   already has all the right info)

or

b) replace *deb, *dsc, *diff.gz and *.tar.gz with the new files
   add changelog entry with new version

and finally you build the package using 'dpkg-buildpackage -aia64' or
'dpkg-buildpackage -aamd64' (if you aren't on one of those archs
anyway).



I hope you feel that this will simplify matters not just for us but
also for you and will allow this package split continue.

Hope to hear from you soon,
Goswin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Contents.gz files in security repositories

2008-04-27 Thread Timothy G Abbott 
I would like to have a script that generates a list of all the kernels in 
a given Debian release so that I can build a kernel module (openafs) for 
all the stock kernels, and currently it uses


apt-file search --package-only --regexp "/usr/src/.*/\.config"

to find all such kernel headers packages.  However, it doesn't find 
security update kernels because the security update repositories don't 
have a Contents.gz file.


Why aren't Contents.gz files generated for the security repositories on 
security.debian.org?


-Tim Abbott


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]