[gentoo-dev] how to handle sensitive files when generating binary packages

2007-06-19 Thread Mike Frysinger
there are many files out there that contain critical information about your 
system ... let's look at /etc/shadow

baselayout installs this file, yet it is not listed in CONTENTS for a very 
good reason ... if someone were to run `quickpkg baselayout` and post the 
file somewhere, they could easily have done so without realizing the 
implications.  social engineering on irc for example would be trivial to 
accomplish this and say hello to my little root shell.

however, there are certainly cases where the admin fully knows what they're 
doing and they want to create a binary package of their system with these 
sensitive files ... so where to meet in the middle.

mayhaps we need a new function to be run in src_install() to label files 
as "sensitive" ... so baselayout would do:
esosensitive /etc/{fstab,group,passwd,shadow}
and then we expand the format of CONTENTS in the vdb:
priv /etc/fstab  

any other potential ideas ?  (pretend my idea here isn't the greatest thing 
since Robot Chicken)
-mike


signature.asc
Description: This is a digitally signed message part.
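To make the proposal concrete, here is an added example (not Portage code, and not from the message above) of how a quickpkg-style tool could consume a CONTENTS file that carries the proposed `priv` entry type. The `priv` type, its `priv <path> [md5 mtime]` layout, the sample CONTENTS text and the fallback list of well-known sensitive paths are all assumptions made for the example; real Portage has none of them. Sensitive files are withheld from the package by default and only included when the admin opts in, which is the "meet in the middle" the message asks for.

```python
"""Select files for a binary package from a vdb CONTENTS listing, honouring a
hypothetical 'priv' entry type that marks sensitive files.

Assumptions (not real Portage behaviour): 'priv' entries look like 'obj'
entries, and the SENSITIVE_GLOBS list below is a constructed safety net for
files an ebuild forgot to mark.
"""

import fnmatch
from typing import List, NamedTuple, Tuple

# Constructed sample CONTENTS, as the proposal in the thread would extend it.
SAMPLE_CONTENTS = """\
dir /etc
obj /etc/hostname d41d8cd98f00b204e9800998ecf8427e 1182200000
priv /etc/fstab 0123456789abcdef0123456789abcdef 1182200000
priv /etc/passwd fedcba9876543210fedcba9876543210 1182200000
priv /etc/shadow 00000000000000000000000000000000 1182200000
sym /etc/mtab -> /proc/self/mounts 1182200000
dir /etc/ssh
obj /etc/ssh/ssh_host_rsa_key 11111111111111111111111111111111 1182200000
"""

# Constructed fallback: paths treated as sensitive even when not marked 'priv',
# so a package whose ebuild predates the marker still does not leak them.
SENSITIVE_GLOBS = (
    "/etc/shadow",
    "/etc/gshadow",
    "/etc/ssh/ssh_host_*_key",
    "/etc/ssl/private/*",
)


class Entry(NamedTuple):
    kind: str        # dir, obj, sym, or the hypothetical priv
    path: str        # installed path
    sensitive: bool  # marked priv, or matched by SENSITIVE_GLOBS


def parse_contents(text: str) -> List[Entry]:
    """Parse CONTENTS lines into entries, flagging sensitive files."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind == "sym":
            # 'sym <path> -> <target> <mtime>': the path ends before ' -> '
            path = rest.split(" -> ", 1)[0]
        else:
            # 'obj/priv <path> <md5> <mtime>' or 'dir <path>'
            path = rest.split(" ", 1)[0]
        marked = kind == "priv"
        matched = any(fnmatch.fnmatch(path, pat) for pat in SENSITIVE_GLOBS)
        entries.append(Entry(kind, path, marked or matched))
    return entries


def select_for_package(text: str,
                       include_sensitive: bool = False) -> Tuple[List[str], List[str]]:
    """Return (paths to pack, paths withheld as sensitive).

    Directories are skipped here; only file and symlink entries decide what
    goes into the archive. Sensitive files are withheld unless the admin
    explicitly opts in with include_sensitive=True.
    """
    pack, withheld = [], []
    for entry in parse_contents(text):
        if entry.kind == "dir":
            continue
        if entry.sensitive and not include_sensitive:
            withheld.append(entry.path)
        else:
            pack.append(entry.path)
    return pack, withheld


if __name__ == "__main__":
    to_pack, held_back = select_for_package(SAMPLE_CONTENTS)
    print("packing:", to_pack)
    print("withheld (opt in with include_sensitive=True):", held_back)
```

Note that the glob fallback catches `/etc/ssh/ssh_host_rsa_key` even though the sample marks it as a plain `obj`; the `priv` marker and the fallback list complement each other rather than one replacing the other.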


[gentoo-dev] Last rites for dev-cpp/orbitcpp

2007-06-19 Thread Mart Raudsepp
--- package.mask20 Jun 2007 01:17:34 -  1.7379
+++ package.mask20 Jun 2007 01:38:02 -
@@ -25,6 +25,7 @@
 # Masked for bug #182612
 dev-cpp/libbonobomm
 dev-cpp/libbonobouimm
+dev-cpp/orbitcpp



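Review bot: the mask comment in this hunk names only bug #182612 and gives no removal date for dev-cpp/orbitcpp; since this is a last-rites mask, add the planned removal date to the comment block (e.g. a "Masked for removal in 30 days" line above `dev-cpp/libbonobomm`) so users can see how long they have to raise an argument in the bug.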
With dev-cpp/libbonobomm being masked, nothing else depends on
dev-cpp/orbitcpp, and its last upstream release was back in 2004.

If you really need any of these old C++ gnome bindings then raise your
argument in bug #182612

-- 
Mart Raudsepp
Gentoo Developer
Mail: [EMAIL PROTECTED]
Weblog: http://planet.gentoo.org/developers/leio




Re: [gentoo-dev] Last rites for dev-cpp/{libbonobomm,libbonobouimm}

2007-06-19 Thread Daniel Gryniewicz
On Tue, 2007-06-19 at 21:20 -0400, Daniel Gryniewicz wrote:
> Nothing in the tree depends on the, they don't currently build, and the
> last upstream release was 2003.
> 
> Daniel
> 

Forgot: scheduled to be removed Jul 19; bug #182612

Daniel

-- 
[EMAIL PROTECTED] mailing list



[gentoo-dev] Last rites for dev-cpp/{libbonobomm,libbonobouimm}

2007-06-19 Thread Daniel Gryniewicz
Nothing in the tree depends on the, they don't currently build, and the
last upstream release was 2003.

Daniel




Re: [gentoo-dev] Determining ebuild stability and the 30 day suggestion (was: QA issue: No stable skype in Tree)

2007-06-19 Thread Chris Gianelloni
On Tue, 2007-06-19 at 05:32 +0300, Mart Raudsepp wrote:
> Hey,
> 
> On E, 2007-06-18 at 11:34 -0700, Chris Gianelloni wrote:
> > Also, remember that stabilization is *supposed* to be about the
> > stabilization of the *ebuild* and not the *package* itself. 
> 
> This sentence made me personally start looking at the policy in a
> different way as far as stabilization and waiting for a set amount of
> days is concerned.
> 
> Does this mean that, when for example there are pure bug fix releases in
> GNOME packages with no ebuild changes whatsoever, then we can consider,
> without hesitation so much, to ask stabilization of these much sooner
> than 30 days? Or the new version just has updated translations, which is
> cool too (unless it's a very long building package) to get into the
> hands of our world-wide users earlier with no practical chance of
> breakage.

Honestly, yes.  It means exactly that.  If you, as the maintainer, feel
that it can go stable sooner, then ask for it.  Just remember that in
the end, it is you that is responsible for the package and to your
users, so use your best judgement.  I wouldn't recommend this for a
large number of packages, but, as you said, if it were a few updated
translations or something else that is fairly trivial, I see no real
reason to wait some predetermined amount of time for what is really no
more than a simple data change.

> Right now it is a rare exception to ask stabilization earlier than 30
> days, but should we do that more often for cases like I made an example
> of (upstream following a strict bug-fixes/translations only rule as well
> for the versions in question)?

Again, it is really up to you, as the maintainer.  I have asked for
stabilization of packages in the past very quickly if the changes were
quite minor.  There have been a couple cases where the only change from
upstream was applying the patches we were already applying in the tree
to the official release and pushing out a new tarball.  Think of it like
this.  You have foo-0.4.1 in the tree.  You find a couple bugs, patch
them up, and send them to upstream.  You make foo-0.4.1-r1 with your
patches, and it eventually becomes stable.  Now, upstream makes
foo-0.4.2, which is just your patches applied to 0.4.1 and the version
number bumped.  How much additional testing do you think that this
needs?  After all, the code is the same (minus the version stamp... ;p)
so there's nothing new to test.

This is why the discretion is left up to the maintainer.  We expect the
maintainer to be aware of things like this and act accordingly, using
their own judgement and (un)common sense.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation




[gentoo-dev] Re: Re: Re: QA issue: No stable skype in Tree

2007-06-19 Thread Steve Long
Chris Gianelloni wrote:

> On Mon, 2007-06-18 at 23:49 +0100, Steve Long wrote:
> Alright.  I've had about enough of your constant and pointless bashing
> of everything that we do.  Seriously.  Grow up.
> 
> Take a step back and come back after you've decided to actually be
> *useful* or don't come back, at all.  I could really care less which you
> choose at this point because your constant pot shots at us make the rest
> of your comments completely worthless and tainted.
>
Er actually, I was taking pot shots at you specifically, wrt your recent
outburst against the proctors, which for a Council member just seemed
insane, and further for ignoring the technical similarity between the
situation with this, and the new ion3 license.

In that case, tuomov was insisting that releases be updated promptly, as is
the case with games and is the case with Skype. ion3 has never been in
stable, so never caused this "QA issue" but it was exactly the same demand
from the license-holder.

I have no issue with the vast majority of Gentoo devs, who seem like a
really cool, hard-working bunch, and produce a great distro.

You, sir, however, need to take a break after the work on the new release,
as your recent outbursts seem indicative of burn-out, imo.

> As for policy, nobody said that policy discussions aren't sometimes
> technical.  There also is *not* another list for this currently, so
> there's nowhere else to go with it, especially considering that current
> policy does state for Gentoo developers to ask these sort of questions
> on this list.  As for whether or not to continue this discussion or not,
> this _is_ *our* list.  We can do with it as we please.  If the Gentoo
> developers as a whole decided to dedicate this list to pink ponies, we
> can.  As I see it, this is still a discussion on how to work around the
> policies in place with a *TECHNICAL SOLUTION* for this package, which
> falls in line perfectly with this list.
> 
Er do what you want with your list, just please stop being so rude and then
getting so sensitive about what users say. You set the tone.

>> Er what? Some of us don't wish to be "at the mercy of" anyone, especially
>> not some corporation nicking VOIP. That's why we use GNU software.
> 
> No, it is why *you* use *free* software.
> 
No I meant GNU, or Free with a capital F. Or are you going to tell me what I
mean as well as ignore my actual point (which was that this is the same
technical issue, with the same technical solution.)

> Nobody is forcing you to install it, either, so your point is moot.  It
> is being offered for the people that *do* want it.  Also, I dare you to
> look at how much software on your system is *not* GNU.  Oh crap!
> Portage isn't GNU!  It must be evil!!!11one1!!
>
Er, you do know what GPL stands for don't you?

> Seriously.  Please take a few moments to think about what you're writing
> before doing so.  Maybe if you had said something about FSF-approved or
> OSI-approved, but GNU?  We aren't Debian.
Jeez, someone needs to find out who runs gnu.org (aka the FSF.) Don't you
wish you sometimes stopped for a minute before hitting send? Didn't we at
one point agree that reply-to munging doesn't help? Seriously, mate, I am
not your enemy.

> Less than 1/25th of the 
> software on my system is GNU.  Less than 1/25th.  How those
> megalomaniacs can possibly even imply that we owe them recognition on
> every Linux system is beyond me.  I'm just waiting for the annual "You
> should change your name to Gentoo GNU/Linux" email.  ;]
> 
Dream on: I have better things to do with my time, so I am now ignoring this
whole thread, as I have had to ignore several recently. If you wish to
email me off-list, feel free, or chat to me in #friendly-coders or pm
whenever you like - my nick is igli.

Thanks for the good work you do for Gentoo; please, consider a fortnight
off.

 Please flame off-list.





Re: [gentoo-dev] Determining ebuild stability and the 30 day suggestion

2007-06-19 Thread Sune Kloppenborg Jeppesen
On Tuesday 19 June 2007 06:40, Luis Francisco Araujo wrote:
> I use to ask for stabilization of the new version of a package
> immediately if it is supposed to fix an *important* security problem in
> the package, so that way we spread as soon as possible the new fix to
> our users.
>
> Not sure if this is documented somewhere as an exception to the 30 days
> rule, but I have not had problems so far and the stabilization teams
> have been willing to help me in such cases.

We (the security team) ask for stabilization sooner than 30 days according to 
our policy¹. AFAIR it has only resulted in a few glitches now and then. When 
they happen they should be assigned to us to fix any regression.

¹ http://www.gentoo.org/security/en/vulnerability-policy.xml
-- 
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team



Re: [gentoo-dev] Re: Pony Colour Schemes [was: QA issue: No stable skype in Tree]

2007-06-19 Thread Kent Fredric

On 6/19/07, Ryan Hill <[EMAIL PROTECTED]> wrote:

Andrew Gaffney wrote:
> Chris Gianelloni wrote:
>> If the Gentoo developers as a whole decided to dedicate this list to
>> pink ponies, we can.
>
> Are pretty purple ponies acceptable as well?

As *everybody* knows, purple ponies aren't pretty.

Well, maybe a little bit.

OMG PONIES111SHIFT

Sorry.  Couldn't help myself.

*hums* I see a red door and i want to paint it blpink...

*twitch*

--
Kent
ruby -e '[1, 2, 4, 7, 0, 9, 5, 8, 3, 10, 11, 6, 12, 13].each{|x|
print "enNOSPicAMreil [EMAIL PROTECTED]"[(2*x)..(2*x+1)]}'



Re: [gentoo-dev] Re: Re: QA issue: No stable skype in Tree

2007-06-19 Thread Kent Fredric

On 6/19/07, Steve Long <[EMAIL PROTECTED]> wrote:

Chris Gianelloni wrote:
> On Mon, 2007-06-18 at 06:01 +0100, Steve Long wrote:
>> Stephen Bennett wrote:
>> > Not everyone sees that as a reason not to use a potentially useful
>> > piece of software. We're not debian.
>>
>> Could you clarify whether this is indeed a Gentoo QA issue, or in fact a
>> licensing issue? If the latter case, this discussion should prob'y go to
>> the new -project ml if and when, or indeed the user forums.
>
> The "problem" with skype is really a problem with our policy.  The
> policy is really designed for open source software which we can actually
> "fix" when we find a problem.
Yeah and that's kinda the whole argument against closed-source. I fail to
see how that's the problem of a Free software distro? Further, if it's a
policy issue, why are you guys continuing the thread? Oh I see, when it's
stuff *you* care about, it's development. Cool.


I'll try not to respond directly to the trollish-like statement, and will
try to keep my response as non-troll-like as possible ( i might
fail..but if so, it's because of my earlier defilement I underwent when
I voluntarily  installed  IE in linux/wine :( )  I think it's fine to
discuss such issues as long as we are calm and rational about it. Half
the discussion is as to whether or not this is a policy problem, and
not purely a technical one, as afaik, there's no ML dedicated to
discussing which ML something should be on :)

Let's try the similarities between say, SunJava and Skype, both having
alternatives ( ie: blackdown ), ( I'm talking about the JVM here, which
to the best of my knowledge is not yet OSS ).

Both are restricted by upstream in licensing that won't permit us to
host the files ourselves.

To the best of my knowledge, neither Java or Skype have any source
available that we can fix ourselves.

The discussion question is, if java for some reason of insanity, were
to release a new version, which gentoo deemed 'unstable', and then a
week later prohibit all downloads of prior versions, what would we
do?

The fact is, that regardless of 'policy', people want Java, and many
servers using Java may be utilizing software which they had to pay
for, in their JVM. ( And you guys have all seen how cross-version
friendly java stuff can be right? 1.4->1.5 gave me good times... )
And it would be senseless for us to say 'hmm... java's not OSS free,
lets take it out of gentoo altogether, considering that until now, it
had been quite satisfactory in portage.

I'm probably as much an OpenSource / FreeSoftware advocate as the rest
of this ML ( I had a friend order me a Chë Stallman T' from literally
the other side of the world ), and windows & Microsoft  drive me nuts,
but as painful as it is for me to say this, I believe if there was a
non-opensource static Linux-native build of internet explorer, and
Microsofts licensing permitted it, that there would be one day an
ebuild in portage for it ( it would probably be permanently hard
masked tho, under 'this is suspicious enemy software' which would
require you to set SELL_MY_SOUL="YES" in make.conf ), because fact of
the matter is, people without windows still need that evil little tyke
to test websites so that the lesser informed greater percentage of the
population ( ~80% ) who still use it to surf won't run screaming from
your site and never return.


IMO, Gentoo is in the middle of the grey lands between "only use
opensource" , and "you corporate weenie". While Gentoo does actively
encourage opensource software, it still permits you to be the one who
wears the pants, the one to make the decision, making Gentoo your own
project, not some elitist dev's extremist ideals, and this opens up
the user base, and helps produce a migration path by giving the user
something they're familiar with, like, and use, while we create
something better and progressively coax them into using it, and thus
further spreading the good opensource further than it otherwise would.


*whimpers* i think that is all... nobody torch me please :)

> With the closed-source stuff, our policy
> should be a bit more lax since we're at the mercy of the upstream.
Er what? Some of us don't wish to be "at the mercy of" anyone, especially
not some corporation nicking VOIP. That's why we use GNU software.

> Also, remember that our policy says that 30 days is *suggested* before
> stabilization.  The maintainer has the authority to ask for
> stabilization sooner, even the same day the package is put into the
> tree, if there is sufficient reason for doing so.
>
Whatever; the point is y'all were much more vicious about someone offering
all the code under the GPL.. Honestly, this whole email makes me wonder why
you work in FOSS. tuomov only wanted to be sure updates were issued
promptly. What exactly is the technical difference?

>> As for potentially useful, so was Internet Explorer, last time I looked
>> at what you could do with its Object Model. I still ain't voting to bring
>> it to Gent