Re: Debian Packages
Hello,

I saw Samuel already replied to the most important points. I want to add the following:

- please contribute only packages that you are willing to maintain over some time, we don't want one-time contributions introducing new packages. One-time contributions are fine for bugfixes and version upgrades, not so much for new packages (unless someone else — like Samuel ;-) — is also interested in helping with the package).

- pick one or two packages at a time and go through them, try to select packages that have a chance to go through NEW (no license issue, no dirty hacks like downloading dependencies during build time). Let us know the packages that you want to work on and we create the project in the pkg-security team and we grant you access to those projects.

- for packages that you import from Kali, please reuse the exact same orig.tar.gz or change the upstream version to avoid file conflicts on the Kali side when we import Debian packages.

Welcome to the team!

On Sun, 01 Aug 2021, Polyna-Maude Racicot-Summerside wrote:
> Hi,
> I've already (for myself) ported to Debian many packages that are
> only on Kali.
> Some of them may not have the quality to pass the tests done by Lintian
> or obey to Debian guidelines.
> Anyway, I'd be more than interested in giving times to help out.
>
> I'm on the step of contacting a local Debian member to have myself
> authenticated in "real life" with my id cards.
>
> If there's anything that I could do as a start ?
>
> I've seen you as maintainer of many of the Debian security packages.
>
> I know there's another person wanting to port the "seclists" package
> over to Debian. I've told him that I've already done this for my
> personal use and offered to check against each other the differences
> between both result we may have in the results.
> For myself, I've noted that SecLists is not maintained anymore by OWASP.
>
> If you ever want to take a look at all I've done, let me know how would
> it be easier for you.
>
> I could simply put the files online (.dsc / .deb) ?
>
> And if I can give a hand in any way...
>
> I do programming mostly in C/C++ but mostly in ADA (95/2003).
> I've done some PHP for personal work too.
>
> The first ones are used by security tools for their fast and effective
> way of doing things. But today I've seen tools written in nearly all
> language possible.
>
> Thanks for your time and just let you know that your work is greatly
> appreciated.
>
> Sincerely,
> --
> Polyna-Maude R.-Summerside
> -Be smart, Be wise, Support opensource development

--
Raphaël Hertzog
The Debian Handbook: https://debian-handbook.info/get/
Debian Long Term Support: https://deb.li/LTS
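Raphaël's third point (reuse the exact orig.tar.gz or change the upstream version) can be checked mechanically before an upload by comparing the Checksums-Sha256 field of the Kali .dsc with the Debian one. The script below is an added example, not code from the thread or from either project; it runs on constructed .dsc samples with placeholder digests.

```python
"""Added example (not from the thread): does a Kali .dsc and a Debian .dsc for
the same source reference the *same* orig.tar.gz?

An orig tarball with the same filename but different contents is the file
conflict Raphaël warns about; either reuse the identical orig.tar.gz (same
hash) or change the upstream version so the filename differs.  The .dsc texts
below are constructed samples with placeholder hashes, not real metadata.
"""
import re

# Matches <source>_<upstream-version>.orig.tar.<ext>; ignores .debian.tar.xz
ORIG_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+_[^_]+\.orig\.tar\.(gz|xz|bz2)$")


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: digest} from one Checksums-* field of a .dsc.

    .dsc files use the Debian control format: a multi-line field's header is
    'Name:' alone on its line and each continuation line starts with a space
    and holds '<digest> <size> <filename>'.
    """
    files = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:          # digest, size, filename
                files[parts[2]] = parts[0]
            continue
        # any non-continuation line starts a new field (or ends this one)
        in_field = line.split(":", 1)[0] == field
    return files


def check_orig_conflict(kali_dsc, debian_dsc):
    """Classify the orig tarballs referenced by two .dsc files.

    "reused"   -> same filename(s) and identical SHA-256: safe to import
    "conflict" -> same filename but different contents: clashes in the pool
    "distinct" -> no orig filename in common (e.g. upstream version changed)
    """
    kali = {n: h for n, h in parse_checksums(kali_dsc).items() if ORIG_RE.match(n)}
    deb = {n: h for n, h in parse_checksums(debian_dsc).items() if ORIG_RE.match(n)}
    shared = set(kali) & set(deb)
    if not shared:
        return "distinct"
    return "reused" if all(kali[n] == deb[n] for n in shared) else "conflict"


def _dsc(version, orig_name, orig_hash):
    """Build a minimal constructed .dsc text (placeholder sizes and hashes)."""
    return (
        "Format: 3.0 (quilt)\nSource: seclists\nVersion: %s\n"
        "Checksums-Sha256:\n %s 1000 %s\n %s 200 seclists_%s.debian.tar.xz\n"
        % (version, orig_hash, orig_name, "d" * 64, version)
    )


# Constructed samples: "a"*64 / "b"*64 stand in for real SHA-256 digests.
KALI_DSC = _dsc("2021.1-0kali1", "seclists_2021.1.orig.tar.gz", "a" * 64)
DEBIAN_DSC_REUSED = _dsc("2021.1-1", "seclists_2021.1.orig.tar.gz", "a" * 64)
DEBIAN_DSC_REPACKED = _dsc("2021.1-1", "seclists_2021.1.orig.tar.gz", "b" * 64)
DEBIAN_DSC_BUMPED = _dsc("2021.1+ds-1", "seclists_2021.1+ds.orig.tar.gz", "b" * 64)

if __name__ == "__main__":
    for label, deb in [("reused", DEBIAN_DSC_REUSED),
                       ("repacked", DEBIAN_DSC_REPACKED),
                       ("bumped", DEBIAN_DSC_BUMPED)]:
        print(label, "->", check_orig_conflict(KALI_DSC, deb))
```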
Re: Debian Packages
Hi,

On 2021-08-02 4:30 p.m., Samuel Henrique wrote:
> Hello,
>
>>> The best thing you could do, from our POV, is to push your packaging
>>> files to salsa, under your user. But hosting your work anywhere and in
>>> any way can be helpful, it's gonna be up to the people working on
>>> those packages to check it out, though.
>>> Guilherme (who's working on seclists) mentioned he would like to see
>>> what you've done in the other thread.
>>>
>> Not too sure how does Salsa work for "outsider" ?
>
> You can do pretty much anything under your user on salsa (just like
> when you use gitlab or github), you are only limited to not pushing
> changes to other people's/teams projects (but you can always create
> your own under your user).
>
>> Those are the packages I made for Buster.
>>
>> Some of them are local compile of buster-backports, some of them may be
>> from testing, and some may not be related to security.
>> Mostly everything related to security comes from Kali.
>
> I checked out seclists and I don't think I understand, that packaging
> probably didn't come from Kali cause it's missing some important
> things from Kali's packaging of seclists around that time. I couldn't
> identify what changes there were required for the Debian packaging,
> eg.: why didn't you use Kali's package instead?
>
> My suggestion is to identify a package which you think it's the
> closest to be ready for Debian and then work on that. But it's
> important to check what are the differences in your packaging vs
> Kali's to evaluate if it's better to start from scratch (based on
> Kali's packaging) or continue with your version.
>

zoneminder
zaproxy
cuckoo
winexe
wordlists
webshells
veil-*
metasploit-framework (?) I think I saw a Debian repository for this one
beef-xss
john
johnny
linux-exploit-suggester

Those are some examples that first come to mind. Again, they may not be up to date with Kali or whatever else. This was only a project I did in my spare time for my own purpose.

It came to mind that some others may be interested when I saw the message about SecLists not so long ago. Probably it would have been better to keep them for myself too. Everything I did can be done by anyone who has a spare half hour.

> Thank you,
>
> --
> Samuel Henrique
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
Re: Debian Packages
Hi,

On 2021-08-02 4:30 p.m., Samuel Henrique wrote:
> Hello,
>
>>> The best thing you could do, from our POV, is to push your packaging
>>> files to salsa, under your user. But hosting your work anywhere and in
>>> any way can be helpful, it's gonna be up to the people working on
>>> those packages to check it out, though.
>>> Guilherme (who's working on seclists) mentioned he would like to see
>>> what you've done in the other thread.
>>>
>> Not too sure how does Salsa work for "outsider" ?
>
> You can do pretty much anything under your user on salsa (just like
> when you use gitlab or github), you are only limited to not pushing
> changes to other people's/teams projects (but you can always create
> your own under your user).
>

Thanks for the information, I'll give it a deeper look today.

>> Those are the packages I made for Buster.
>>
>> Some of them are local compile of buster-backports, some of them may be
>> from testing, and some may not be related to security.
>> Mostly everything related to security comes from Kali.
>
> I checked out seclists and I don't think I understand, that packaging
> probably didn't come from Kali cause it's missing some important
> things from Kali's packaging of seclists around that time. I couldn't
> identify what changes there were required for the Debian packaging,
> eg.: why didn't you use Kali's package instead?

If you look at the link I gave you, it goes into a folder that is named something like 2018.xx.xx, so it is based on a version of SecLists that was made on this specific date. I don't remember why, but if I hadn't used Kali's version, maybe it didn't exist at this moment. Regarding this particular software (SecLists), it ain't much of an artwork for doing the install packages as it is only to put some files into specific folders. I could update from the latest version (not on the OWASP site but on danielmiessler's) in a matter of minutes for getting the watch file done.

I haven't looked at this package since the time I built it because I haven't used it much. I do simply have a git copy of the repository lying around. For me it's a bit like the exploitdb/exploitdb-bin-sploits/exploitdb-papers. If you look over at some other software, for example Sandbox Cuckoo (cuckoo) or Metasploit Framework, I've used as much as I could from Kali. Already that I find pretty much a waste of manpower all the forks running around, I'm not going to write something others have already done.

Here's a list of some local git repositories I have. You can see that there's a Kali related one for most of them. They were the basis for the packages themselves. I've looked and these packages are still uploading. Some may already be in Debian...

exploitdb-bin-sploits  johnny  nikto  social-engineer-toolkit  veil-kali  wpscan-kali
armitage-kali  exploitdb-papers  johnny-kali  nmap-debian  sqldict-kali  w3af
zaproxy  beef-xss  fuzzdb  keepassxc  nmap-kali  sqlninja-kali
webshells-kali  burpsuite-kali  hash-identifier-kali  kismet-kali  oscanner-kali  sqlsus-kali
winexe  davtest  john  libdvdcss  OWASP  theharvester
wordlists-kali  exploitdb  john-kali  metasploit  SecLists  veil  wpscan

>
> My suggestion is to identify a package which you think it's the
> closest to be ready for Debian and then work on that. But it's
> important to check what are the differences in your packaging vs
> Kali's to evaluate if it's better to start from scratch (based on
> Kali's packaging) or continue with your version.
>
> You can also identify which of those packages have improvements
> performed over Kali's packaging, write down what those improvements
> are[0], and then only upload the packages which have these
> improvements. Unfortunately it might be unlikely that someone will
> have time to go through all of your packages looking for those
> improvements, as basing the packaging on Kali's is already quite a
> good baseline.
>

I didn't create any package "from scratch" unless the package holds a name that doesn't exist inside Kali. I'm quite amazed not finding any reference to the base Debian package for SecLists. Even more that there's clearly nothing to do for maintaining this package. It's like a documentation package except it goes into a different folder. Maybe the package didn't exist in Kali when I started doing this. Like I already said, this started in 2018 (and earlier). For curiosity, I'll take a look at when Kali started having a SecLists package.

> [0] I suggest sending this summary here as well, as we can help
> identify which ones could save the most time.
>
> Thank you,
>
> --
> Samuel Henrique
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
Re: Debian Packages
Hello,

> > The best thing you could do, from our POV, is to push your packaging
> > files to salsa, under your user. But hosting your work anywhere and in
> > any way can be helpful, it's gonna be up to the people working on
> > those packages to check it out, though.
> > Guilherme (who's working on seclists) mentioned he would like to see
> > what you've done in the other thread.
> >
> Not too sure how does Salsa work for "outsider" ?

You can do pretty much anything under your user on salsa (just like when you use gitlab or github), you are only limited to not pushing changes to other people's/teams projects (but you can always create your own under your user).

> Those are the packages I made for Buster.
>
> Some of them are local compile of buster-backports, some of them may be
> from testing, and some may not be related to security.
> Mostly everything related to security comes from Kali.

I checked out seclists and I don't think I understand, that packaging probably didn't come from Kali cause it's missing some important things from Kali's packaging of seclists around that time. I couldn't identify what changes there were required for the Debian packaging, eg.: why didn't you use Kali's package instead?

My suggestion is to identify a package which you think it's the closest to be ready for Debian and then work on that. But it's important to check what are the differences in your packaging vs Kali's to evaluate if it's better to start from scratch (based on Kali's packaging) or continue with your version.

You can also identify which of those packages have improvements performed over Kali's packaging, write down what those improvements are[0], and then only upload the packages which have these improvements. Unfortunately it might be unlikely that someone will have time to go through all of your packages looking for those improvements, as basing the packaging on Kali's is already quite a good baseline.

[0] I suggest sending this summary here as well, as we can help identify which ones could save the most time.

Thank you,

--
Samuel Henrique
Re: Debian Packages
Hi,

On 2021-08-02 12:21 p.m., Samuel Henrique wrote:
> Hello Polyna-Maude,
>
> I'm gonna reply here even though I'm not Raphaël,
>
>> I've already (for myself) ported to Debian many packages that are
>> only on Kali.
>> Some of them may not have the quality to pass the tests done by Lintian
>> or obey to Debian guidelines.
>> Anyway, I'd be more than interested in giving times to help out.
>
> Awesome,
>
>> I'm on the step of contacting a local Debian member to have myself
>> authenticated in "real life" with my id cards.
>
> Just don't worry too much about it, it is important to get your gpg
> key signed but that's not a blocker for contributing, it will only be
> required once you start the DM process, and even on that case we have
> ways around it (key endorsements, if you used to sign all your
> commits).
>
>> If there's anything that I could do as a start ?
>>
>> I've seen you as maintainer of many of the Debian security packages.
>>
>> I know there's another person wanting to port the "seclists" package
>> over to Debian. I've told him that I've already done this for my
>> personal use and offered to check against each other the differences
>> between both result we may have in the results.
>> For myself, I've noted that SecLists is not maintained anymore by OWASP.
>>
>> If you ever want to take a look at all I've done, let me know how would
>> it be easier for you.
>>
>> I could simply put the files online (.dsc / .deb) ?
>> And if I can give a hand in any way...
>

I've checked and they are uploading, all is good. *seclists* is done.

You'll find a package named cuckoo, it's a virtual machine used for doing malware testing. It depends on virtualbox. You'll find folders named python and ruby; they contain the packages for those two that are needed. For example cuckoo requires many ruby dependencies (or python). If any of them seems not to be installed because you can't find the dependencies in my package, let me know and I'll see if they got misplaced.

I have a bunch of packages for stretch that didn't seem like they needed to be compiled back. Maybe some are missing... If you get a 403 on a folder, it's because it is still being uploaded. Apache doesn't display empty folders.

I'm available for all problems you may have.

>
>
> --
> Samuel Henrique
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
Re: Debian Packages
Hi,

On 2021-08-02 12:21 p.m., Samuel Henrique wrote:
> Hello Polyna-Maude,
>
> I'm gonna reply here even though I'm not Raphaël,
>
>> I've already (for myself) ported to Debian many packages that are
>> only on Kali.
>> Some of them may not have the quality to pass the tests done by Lintian
>> or obey to Debian guidelines.
>> Anyway, I'd be more than interested in giving times to help out.
>
> Awesome,
>
>> I'm on the step of contacting a local Debian member to have myself
>> authenticated in "real life" with my id cards.
>

ok

> Just don't worry too much about it, it is important to get your gpg
> key signed but that's not a blocker for contributing, it will only be
> required once you start the DM process, and even on that case we have
> ways around it (key endorsements, if you used to sign all your
> commits).
>
>> If there's anything that I could do as a start ?
>>
>> I've seen you as maintainer of many of the Debian security packages.
>>
>> I know there's another person wanting to port the "seclists" package
>> over to Debian. I've told him that I've already done this for my
>> personal use and offered to check against each other the differences
>> between both result we may have in the results.
>> For myself, I've noted that SecLists is not maintained anymore by OWASP.
>>
>> If you ever want to take a look at all I've done, let me know how would
>> it be easier for you.
>>
>> I could simply put the files online (.dsc / .deb) ?
>> And if I can give a hand in any way...
>

http://cogniscience.ca/

I shall have it all uploaded by the end of the day. Hoping that my shared hosting security scanner won't flag some of the files. If I see it does then I'll put them on my server (one that I have complete control over). I already had the DNS set for the shared hosting. My server is not on DNS (prevents at least a level of scanning).

> The best thing you could do, from our POV, is to push your packaging
> files to salsa, under your user. But hosting your work anywhere and in
> any way can be helpful, it's gonna be up to the people working on
> those packages to check it out, though.
> Guilherme (who's working on seclists) mentioned he would like to see
> what you've done in the other thread.
>

Not too sure how does Salsa work for "outsider" ?

I'll let Guilherme know but it shall be finished uploading soon.

Those are the packages I made for Buster.

Some of them are local compiles of buster-backports, some of them may be from testing, and some may not be related to security. Mostly everything related to security comes from Kali. Some packages may be some version from debian-multimedia whose bloating I didn't like too. At least it shall show that I can modify and patch source code when needed ;-)

Some of it may have had some "dirty hack" done to get it working. Everything that was built since mid 2020 can be considered better than everything else (I discovered better and cleaner ways of doing things, respecting the Debian policy to explain modifications, publishing a watch file, etc).

> With regards to contributions, I'm just taking a guess based on my
> limited understanding of what you have there, but you could try to
> upload one of the packages you've worked on to Debian.
>

http://cogniscience.ca/

> Thank you!
>
>
> --
> Samuel Henrique
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
Re: Debian Packages
Hello Polyna-Maude,

I'm gonna reply here even though I'm not Raphaël,

> I've already (for myself) ported to Debian many packages that are
> only on Kali.
> Some of them may not have the quality to pass the tests done by Lintian
> or obey to Debian guidelines.
> Anyway, I'd be more than interested in giving times to help out.

Awesome,

> I'm on the step of contacting a local Debian member to have myself
> authenticated in "real life" with my id cards.

Just don't worry too much about it, it is important to get your gpg key signed but that's not a blocker for contributing, it will only be required once you start the DM process, and even on that case we have ways around it (key endorsements, if you used to sign all your commits).

> If there's anything that I could do as a start ?
>
> I've seen you as maintainer of many of the Debian security packages.
>
> I know there's another person wanting to port the "seclists" package
> over to Debian. I've told him that I've already done this for my
> personal use and offered to check against each other the differences
> between both result we may have in the results.
> For myself, I've noted that SecLists is not maintained anymore by OWASP.
>
> If you ever want to take a look at all I've done, let me know how would
> it be easier for you.
>
> I could simply put the files online (.dsc / .deb) ?
> And if I can give a hand in any way...

The best thing you could do, from our POV, is to push your packaging files to salsa, under your user. But hosting your work anywhere and in any way can be helpful, it's gonna be up to the people working on those packages to check it out, though.

Guilherme (who's working on seclists) mentioned he would like to see what you've done in the other thread.

With regards to contributions, I'm just taking a guess based on my limited understanding of what you have there, but you could try to upload one of the packages you've worked on to Debian.

Thank you!

--
Samuel Henrique
Debian Packages
Hi,

I've already (for myself) ported to Debian many packages that are only on Kali. Some of them may not have the quality to pass the tests done by Lintian or obey to Debian guidelines. Anyway, I'd be more than interested in giving time to help out.

I'm on the step of contacting a local Debian member to have myself authenticated in "real life" with my id cards.

If there's anything that I could do as a start ?

I've seen you as maintainer of many of the Debian security packages.

I know there's another person wanting to port the "seclists" package over to Debian. I've told him that I've already done this for my personal use and offered to check against each other the differences between both result we may have in the results. For myself, I've noted that SecLists is not maintained anymore by OWASP.

If you ever want to take a look at all I've done, let me know how would it be easier for you.

I could simply put the files online (.dsc / .deb) ?

And if I can give a hand in any way...

I do programming mostly in C/C++ but mostly in ADA (95/2003). I've done some PHP for personal work too.

The first ones are used by security tools for their fast and effective way of doing things. But today I've seen tools written in nearly all language possible.

Thanks for your time and just let you know that your work is greatly appreciated.

Sincerely,

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development