Bug#160529: ASK is RFPed
Hello Robert, Larry, First of all, my sincere apologies for taking so long to respond. I've been traveling frequently and for some reason, the original sender (Robert?) did not respond to the confirmation message. I believe your anti-spam system classified the confirmation as spam and you never saw it... Hmmm... Got to think of a way to prevent that... Yes, I am interested in your help with ASK+Debian. I packaged ASK myself but I'm not an "expert" in packaging .deb files, as you can see. :) Can you verify if indeed your anti-spam system classified the confirmation as spam? That seems to be the case. Also, I had a period of about a week when my domain didn't resolve, due to provider problems. :(((. Could have been that as well. > retitle 160529 RFP: ask -- Active Spam Killer > thanks > > Ok, It's been a week and got no response from Marco Paganigi. > > I won't package or even sponsor ASK in such a situation. I'm retitling this > bug to RFP. Hmmm... What's RFP? Again, sorry for all this confusion. Regards, Paga > > -- > Robert Millan > > "[..] but the delight and pride of Aule is in the deed of making, and in the > thing made, and neither in possession nor in his own mastery; wherefore he > gives and hoards not, and is free from care, passing ever on to some new > work." > > -- J.R.R.T, Ainulindale (Silmarillion) > -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: ASK is RFPed
Hello Robert, > I don't have any anti-spam system as of now, but I do recieve a lot of junk > mail, so I could have mistakenly deleted it. What was the subject? It could be. The subject was probably something like: Please Confirm (#12345678901234567890123456789012) Some people argue it looks a lot like spam. In any case, the email remained queued and I was able to "fish" it out of the queue. > We need someone to maintain the package, if you're not an "expert" that's no > big deal, you can always learn as you go (and we'll help you on it). Being a > debian maintainer implies some dedication though. Would you like to be the ASK > maintainer in debian? That would be interesting. My idea is to remodel the Makefile to generate the package correctly, minimizing friction. What else is expected of my if I'm a Debian maintainer? Sorry for my ignorance, I'm a happy Debian user, but I don't have a clue of what being a Debian mainteiner means. > It means "Request For Package". The former status was ITP, "Intent To > Package". > If you intend to maintain ASK for Debian, then please set it back to ITP and > set yourself as ITPer by mailing to [EMAIL PROTECTED] and saying: > > retitle 160529 ITP: ask -- Active Spam Killer > submitter 160529 Marco Paganini <[EMAIL PROTECTED]> I'll do as soon as I know that I can provide good service to the community. I do intend to be the maintainer, but I need to know if my (at the moment) rather busy schedule won't damage my image as a maintainer (I think not, but...). Again, can you point me to a document on the duties of a Debian package maintainer? Regards, Paga > thanks > > -- > Robert Millan > > "[..] but the delight and pride of Aule is in the deed of making, and in the > thing made, and neither in possession nor in his own mastery; wherefore he > gives and hoards not, and is free from care, passing ever on to some new > work." > > -- J.R.R.T, Ainulindale (Silmarillion) -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: ASK is RFPed
Hi Robert, > I suggest you keep it in the Subject, but not replacing the original one. For > example if my message has subject "Foobar", then the response could be > something like "Re: foobar (blah)", where "blah" is the code number. That is an option as well. But if that's the case, I'll have to reduce the size of the MD5 signature. Some mailers wrap, cut and do other strange things to the Subject line. > If you want to ITP, retitle the bug ASAP to avoid confusion. Just did. > > When you think the package is in shape (try running lintian on it), send me > the sources (orig.tar.gz, diff.gz and dsc) on private mail. I'll sponsor > it. I did and it just says: W: ask: prerm-does-not-remove-usr-doc-link W: ask: postinst-does-not-set-usr-doc-link W: ask: readme-debian-is-debmake-template W: ask: unusual-interpreter ./usr/bin/ask.py #!python2.2 W: ask: unusual-interpreter ./usr/bin/asksetup.py #!python2.2 W: ask: unusual-interpreter ./usr/bin/askversion.py #!python2.2 W: ask: unusual-interpreter ./usr/bin/asksenders.py #!python2.2 I'll try to fix those issues, even though I think I've stumbled upon the python issue before (python *is* really called python2.2, but lintian insists that there's something fishy about it). > P.S: please keep the CC to [EMAIL PROTECTED] Curiosity: What's this address? Regards, Paga > > -- Robert Millan > > "[..] but the delight and pride of Aule is in the deed of making, and in > the thing made, and neither in possession nor in his own mastery; wherefore > he gives and hoards not, and is free from care, passing ever on to some new > work." > > -- J.R.R.T, Ainulindale (Silmarillion) -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: ASK is RFPed
> > I did and it just says: > > > > W: ask: prerm-does-not-remove-usr-doc-link > > W: ask: postinst-does-not-set-usr-doc-link > > Not really important. Is there a way to "remove" these, just like in lint? Something inside the package itself that tells lintian to ignore those? > > W: ask: readme-debian-is-debmake-template > > Either remove README.Debian or add some notes to it. OK. > > W: ask: unusual-interpreter ./usr/bin/ask.py #!python2.2 > > W: ask: unusual-interpreter ./usr/bin/asksetup.py #!python2.2 > > W: ask: unusual-interpreter ./usr/bin/askversion.py #!python2.2 > > W: ask: unusual-interpreter ./usr/bin/asksenders.py #!python2.2 > > That should be "#!/usr/bin/python2.2" (or better, 2.3). That's the thing: Python's documentation suggests the use of "env", to make the physical location of python irrelevant. But the question is: How do I tell lintian that "env" is OK? Regards, Paga -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: ASK is RFPed
On Sun, Sep 28, 2003 at 04:25:03PM +, Robert Millan wrote: > I'm not sure if you should remove them. Please paste the full lintian > warning. W: ask: prerm-does-not-remove-usr-doc-link N: N: The technical committee chose the symlink transition method to move N: from FSSTND to FHS. This transition involves setting the link in the N: postinst script and removing it in the prerm script. Here is an N: example (/bin/sh): N:if [ \( "$1" = "upgrade" -o "$1" = "remove" \) -a -L /usr/doc/pkg ]; then N: rm -f /usr/doc/pkg N:fi N: The test for this is not perfect. If you are setting the link, please N: send the line of code to us so we can improve the test. N: W: ask: postinst-does-not-set-usr-doc-link N: N: The technical committee chose the symlink transition method to move N: from FSSTND to FHS. This transition involves setting the link in the N: postinst script and removing it in the prerm script. Here is an N: example (/bin/sh): N:if [ "$1" = "configure" ]; then N: if [ -d /usr/doc -a ! -e /usr/doc/pkg -a -d /usr/share/doc/pkg ]; then N: ln -sf ../share/doc/pkg /usr/doc/pkg N: fi N:fi N: The test for this is not perfect. If you are setting the link, please N: send the line of code to us so we can improve the test. N: > > > > W: ask: unusual-interpreter ./usr/bin/ask.py #!python2.2 > > > > > > That should be "#!/usr/bin/python2.2" (or better, 2.3). > > > > That's the thing: Python's documentation suggests the use of "env", to > > make the physical location of python irrelevant. But the question is: > > How do I tell lintian that "env" is OK? > > Sometimes Debian's policy disagrees with upstream's (in this case Python's > upstream). In these cases your package should always follow Debian's policy > rather than upstream's. I fixed this one. The problem is that when I packaged ASK for the first time, the "python" package meant "Python 2.1" and due to some bugs in 2.1, I had to _require_ Python 2.2. But then comes the catch: If I put /usr/bin/python2.2 as the interpreter (back then, the interpreter location for Python 2.2), and "Requires: Python2.2 (>=2.2.0)", lintian complained that this is an "unusual interpreter" (even without the env). Then, I tried the interpreter as "/usr/bin/python". Lintian would then complain that even though this was a python script, python was not a requirement (because the package name was python2.2, not python). It seems OK now, as "python" refers to python2.2 and a symlink exists under /usr/bin/python pointing to the correct version. > On this situation, Debian policy follows the FHS standard (you should read > that > too, btw), which mandates the physical location of python should be > "/usr/bin/". Since the location of phyton is standarised in Debian, the > use of relative path may not be needed. /me reads the FHS. Just when I got used to fsstnd... :) > Again, the full lintian warning message seems relevant here. I'll modify it once more to declare the "templates" as configuration files. Some people modify the originals. Having them overwritten on upgrade is a bad idea... Regards, Paga > -- > Robert Millan > > "[..] but the delight and pride of Aule is in the deed of making, and in the > thing made, and neither in possession nor in his own mastery; wherefore he > gives and hoards not, and is free from care, passing ever on to some new > work." > > -- J.R.R.T, Ainulindale (Silmarillion) -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: ASK is RFPed
Hi Robert, > Ah, ok. Safely ignorable, it's for upgrading from pre-FHS packages IIRC. Just > make sure your docs are in /usr/share/doc/ and not in /usr/doc/. OK. Perfect. > > I fixed this one. The problem is that when I packaged ASK for the first > > time, > > the "python" package meant "Python 2.1" and due to some bugs in 2.1, I had > > to > > _require_ Python 2.2. But then comes the catch: If I put /usr/bin/python2.2 > > as the interpreter (back then, the interpreter location for Python 2.2), > > and "Requires: Python2.2 (>=2.2.0)", > > If you mean the entry for debian/control, that'd be "Depends: python2.2" if > you really need 2.2 or "Depends: python (>= 2.2)" if any later version will > work. Exactly what I did. The problem, at the time, is that there was no package called "python" with version >=2.2. Python 2.2's package was called "python2.2", hence the confusion. But it's all OK now. I require "python (>=2.2)" > > > > Again, the full lintian warning message seems relevant here. > > > > I'll modify it once more to declare the "templates" as configuration > > files. Some people modify the originals. Having them overwritten on upgrade > > is a bad idea... > > Do you refer to /usr/bin/ask.py and such? You can't set these as conffiles, > since all stuff in /usr could well be read-only. No. This one is immutable. The templates are in fact text files that the average user may choose to change. I cheched the FHS and it's not very clear to me where I should put those files? /var/lib? Note that they're usually copied into the user's home directory for use. We can think of them as "skeleton" files, but they may be edited directly. > Btw, I suggest you rename it to /usr/bin/ask. We tend to remove the language > extensions such as .pl or .sh when installing stuff in /usr/bin. It is strictly necessary? I really don't like having the extension, but I fear "ask" is too common a name to be under /usr/bin without causing conflict. Another concern is to break existing scripts. Opinions? One question: I need to make ask dependent on some kind of MTA. What should I use? "Depends: mta" ? Is there anything "virtual" called mta that resolves to any of them? Regards, Paga > > -- > Robert Millan > > "[..] but the delight and pride of Aule is in the deed of making, and in the > thing made, and neither in possession nor in his own mastery; wherefore he > gives and hoards not, and is free from care, passing ever on to some new > work." > > -- J.R.R.T, Ainulindale (Silmarillion) -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#164344: Bug#160529: (ITP of ASK) should not be packaged
> See also the mailloop this package created here: > > http://lists.debian.org/debian-boot/2004/08/thrd5.html#02087 > > (750 mails at a very fast rate to a mailinglist with well over 500 > subscribers, meaning ~400.000 spam-caused autoresponses in half a day), > and, see also the opinion of Branden Robinson on this software: > > http://lists.debian.org/debian-devel-announce/2004/08/msg00015.html Notice that this mail-loop was created by a clueless user inserting the mailing-list address on the "blacklist" (something that we urge users not to do). There is really no protection against this kind of behavior. A similar situation can happen for many reasons, including a badly configured procmail rule, for instance. Regards, Marco Paganini > > --Jeroen > > -- > Jeroen van Wolffelaar > [EMAIL PROTECTED] > http://jeroen.A-Eskwadraat.nl -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#160529: acknowledged by developer (should not be packaged)
On Thu, Oct 07, 2004 at 05:33:05PM -0700, Debian Bug Tracking System wrote: > This is an automatic notification regarding your Bug report > #160529: ITP: ask -- Active Spam Killer, > which was filed against the wnpp package. > > It has been closed by one of the developers, namely > martin f krafft <[EMAIL PROTECTED]>. > > With reference to > > http://kmself.home.netcom.com/Rants/challenge-response.html > > (especially at the bottom) > > I think this package should not be in Debian. Therefore I am closing > this bug. Before I go any further, please keep in mind that it is not my intention to create any kind of flame wars over the topic. In all honesty, I've been very busy lately to give attention to ASK, other than fixing bugs. If it is decided that the project shouldn't ever be in Debian, I'll not pursue the matter any further. I developed ASK for personal use, a few years ago. I gave copies of ASK to a few friends, who suggested new features and fixes. After a while, I decided to release ASK as a free-software challenge-response solution to spam. Despite some minor problems, ASK has generally received good responses from its user base. One day, I woke up with the "research" of Mr. Karsten in my mailbox. Quite to my surprise, I discovered he had made an incredible effort to post his results to every place where prospective ASK users could see them, including the main ASK user's mailing list, the ASK-announce mailing-list (an announcement only list), the ASK message feedback section on freshmeat.net, and on the users, bugs and feature-enhancement forums of sourceforge.net. Personally, I find his attitude childish and gratuitously aggressive towards me and the other users/developers of ASK. Posting off-topic messages to support and bug forums is, to say the least, a demonstration of bad net citizenship. To make matters even more embarrassing, his "paper" contains gross misconceptions, and presents his opinions or bias against some tools as the absolute truth. As it is usual in these situations, he's able to generate a lot of heat, but no light. But again, it is a free world, so let's allow Mr. Karsten to enjoy himself with the results of his work. My big concern, however, is with what I saw here today, when Mr. Krafft closed the ITP because he "Does not think this package should be in Debian", based on the aforementioned report by Mr. Karsten. So, my question is, what is the criteria to have a project adopted in Debian? Should new projects should be denied based on personal opinions of a few, or reports of questionable accuracy? I'd hate to learn that this is the policy, as it would cast a shadow of doubt on the trust I have in the Debian project. Sincerely Marco Paganini > > --=20 > Please do not CC me when replying to lists; I read them! > =20 > .''`. martin f. krafft <[EMAIL PROTECTED]> > : :' :proud Debian developer, admin, and user > `. `'` > `- Debian - when you have better things to do than fixing a system > =20 > Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! > > --zYM0uCDKw75PZbzx > Content-Type: application/pgp-signature; name="signature.asc" > Content-Description: Digital signature > Content-Disposition: inline > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.5 (GNU/Linux) > > iD8DBQFBZdyIIgvIgzMMSnURAmXiAJ9Cwc2AqTzzgFPfEd+E19i7Tm3IYgCfTnnd > d/WtPmKbinYQgb5vGAelB/w= > =5wEu > -END PGP SIGNATURE- > > --zYM0uCDKw75PZbzx-- -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
Bug#164344: Bug#160529: (ITP of ASK) should not be packaged
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Branden, On Thu, Oct 14, 2004 at 03:25:54PM -0500, Branden Robinson wrote: >> Notice that this mail-loop was created by a clueless user inserting the >> mailing-list address on the "blacklist" (something that we urge users not to >> do). There is really no protection against this kind of behavior. A similar >> situation can happen for many reasons, including a badly configured procmail >> rule, for instance. >Of course there is protection against it. > >Each message that ASK sends out should include a cookie, consisting of the >hash of a characteristic of the message plus a local secret that can stay >invariant on a per-installation basis. > >You can use a simple symmetric encryption algorithm using the local cookie >plus the message's unique identifier (the Message-ID would work well if you >create that yourself per the appropriate RFC) as a key. You encipher the >same message for every outbound ASK mail, for instance: "THIS MESSAGE >GENERATED BY ACTIVE SPAM KILLER." > >When you get a purported ASK message back, you have the ciphertext, and the >message-specific part of the key in plaintext alongside it (e.g., the >Message-Id). This is a good idea, and implemented to some degree in ASK. The problem is that *nothing* is guaranteed to survive a reply. Adding a cookie to the body of the email is not 100% foolproof, as there's no guarantee that the reply will contain the cookie. Adding a specific header with the cookie will also take us nowhere, as headers mostly discarded in replies. One option is the Message-ID header, but my experiments showed that a large population of MUAs (many versions of MS Out-Of-Luck, for instance) trash the Message-ID and don't put it in the "In-Reply-To" field when responding to an email. The only "guaranteed" way to know if an email is a reply to something you sent is to use VERPs, but this creates enormous difficulties for users that do not have full email control in their servers (users). In any case, the original problem with the mailing list has nothing to do with this, but rather with insanity of one of ASK's users. ASK has a whitelist, an ignorelist and a blacklist. The blacklist sends back a "nastygram" informing the user that we do not want to receive further messages from him/her. Unfortunately (and yes, this is my fault), I never imagined someone would add a mailing-list to his blacklist (sounds just too insane, doesn't it?). Well, it happened, and I'm now dumping the blacklist feature entirely to protect the community from people who use it incorrectly. Regards, Paga - -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat... -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBbvhaL2FWjNfH2XwRAi8RAJ95GWsVh1VXLAY1+dV1KVzsL0v+ZQCePUrs AD287f/yXBWkspLE39jayKQ= =zbzz -END PGP SIGNATURE-
Bug#164344: Bug#160529: (ITP of ASK) should not be packaged
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, Oct 15, 2004 at 01:06:04AM -0500, Branden Robinson wrote: >> ASK has a whitelist, an ignorelist and a blacklist. The blacklist sends back >> a "nastygram" informing the user that we do not want to receive further >> messages from him/her. Unfortunately (and yes, this is my fault), I never >> imagined someone would add a mailing-list to his blacklist (sounds just too >> insane, doesn't it?). Well, it happened, and I'm now dumping the blacklist >> feature entirely to protect the community from people who use it incorrectly. > >My original rant was based on two things: > >1) You seemed to be unaware of a certain lesson from history[1]. >2) Anything that claims to be a "spam killer" is going to attract > apoplectic and irrational people who will stop at nothing to sate their > desire for vigilante justice against spammers. Many of these people are > simply not mature enough to take into account the innocent bystanders > they may inconvenience by using your software to vent their spleens. > In my opinion, it was poor judgement on your part to hand people this > sort of loaded weapon. People *will* be insane. People *will* be > stupid. I realize you've already acknowledged that this was an error on > your part -- I am not trawling for an apology. > >I would withdraw my objection if ASK as packaged in Debian will omit >whatever part of the code autoreplies with a nastygram. If dropping the >blacklist entirely will achieve that, then that's fine with me. That's the intention. I'll be releasing beta 2.5.1 soon, already without the blacklist "nastygram" feature. Email addresses in the blacklist will be automatically ignored, of course. This should keep a reasonable degree of backwards compatibility while minimizing this kind of situation. I take any email loop possibilities very seriously. Despite Karsten's "paper" saying otherwise, ASK has protection against mail loops and it will also do all kinds of heuristics to prevent the confirmation from being sent to a mailing-list. Of course, nothing can be done against spoofed addresses. If someone spoofs your address, you will receive a confirmation challenge, even though you never sent the original email. This, unfortunately, is a problem with SMTP and there is nothing that can be done about it with the current technology. I, for myself, receive tons of "mailer-daemon" bounces from spammers and virii. Honestly, I don't think ASK adds too much to the problem. >I don't want to try to micromanage how your code is written or how its >eventual Debian package maintainer does his or her job -- my position is >simply to exhort people (as strongly as I need to) not to make it easy for >idiots to attack Debian's mailing lists. Things that send automatic >replies to mail messages is, if not designed for abuse, easily perverted to >it -- if one doesn't take fairly elaborate precautions like the one I >described. I understand your position, and believe me, I agree with it. Regards, Paga - -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat... -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBcbkJL2FWjNfH2XwRAqJRAJ9BSFHRhiOeLKYT1jmEbd3NI4eqZQCeNy7/ urj186cJh/UG5OTHKIjkMGc= =tGuV -END PGP SIGNATURE-
Bug#160529: ask package in debian
Hi Peter, Someone else was helping me package ASK for Debian, but after a period of "Blackout" on my part, I lost contact. At the moment, my makefiles will generate a .deb package file. If you want, I can send you the source package so you can tell me if it works fine. It would be great if you could help me maintain the package. Regards, Paga On Sun, Jun 13, 2004 at 04:05:24PM +0400, Peter Novodvorsky wrote: > > Hi, Paga! > > It seems that package was ITPed more than half a year ago, but it is > not in Debian archives yet. I'd like to see it in Debian archives and > I'm also ready to maintain it if you give up. Just FYI. > > Peter. > > > -- > Antispam protection: don't remove_these_lines_if you're not in my whitelist > (replying first time). If you do, you'll have to make additional operation > replying your own reply (and getting in my spammers whitelist). Sorry > for inconvenience. > -- Marco Paganini | UNIX / Linux / Networking [EMAIL PROTECTED] | PGP: http://www.paganini.net/pgp/ http://www.paganini.net | Magnus Frater te spectat...
