Re: [gentoo-dev] Jeeves IRC replacement now alive - Willikins
On Wed, 06 Aug 2008, Robin H. Johnson wrote:
> Hi folks,
>
> Sorry that it's taken this long to get completed, but the Jeeves
> replacement, Willikins, is finally 99% done, and ready to join lots of
> channels.

Whee! Thanks Robbat!

> Getting the bot out there
> -
> If you would like to have the new bot in your #gentoo-* channel, would
> each channel founder/leader please respond to this thread, stating the
> channel name, and that they are the contact for any problems/troubles.

/j #gentoo-security for sure!

Cheers,
--
Raphael Marichez aka Falco
Re: [gentoo-dev] SSL certificates in binary packages
On Tue, 21 Aug 2007, Natanael Copa wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the ssl certificate during src_install(). This makes
> all binary packages contain the ssl certs which is a security threat.

Hi,

If you are really concerned by security, then you do not want to use such automatically-generated certificates. They generally contain fake CN names (e.g. "CN=localhost") and they are not expected in a PKI environment: they can't be checked nor trusted. You will generate your own certificates with your own root CA, your own CRL and your own policy.

> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN names, and this problem is not solved this way.

Cheers,
--
Raphael Marichez aka Falco
Gentoo/Security
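A check a packager can run against the resulting binary package, as an added example that is not part of this thread or of Gentoo's own tooling: it assumes a plain tar archive in place of the .tbz2 and uses constructed dummy PEM blocks as its sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo: scan a built
# binary package for PEM private keys left behind by an ebuild that ran
# docert (or openssl) from src_install(). A plain tar archive stands in
# for a .tbz2 here; the PEM bodies in the sample are constructed dummies.

# Print (one per line) every archive member holding a PEM private key
# block. Exit 0 when at least one key is found, 1 when the package is
# clean, 2 when the archive cannot be read.
scan_pkg_for_private_keys() {
    pkg="$1"
    tmp=$(mktemp -d) || return 2
    if ! tar -xf "$pkg" -C "$tmp" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi
    # Match any PEM key type (RSA, EC, PKCS#8 ...) regardless of file name,
    # since a key may be installed as .pem, .crt or anything else.
    keys=$(cd "$tmp" && find . -type f \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null \
        | sed 's|^\./||' | sort)
    rm -rf "$tmp"
    [ -n "$keys" ] || return 1
    printf '%s\n' "$keys"
}

# Build a constructed sample package under /etc/ssl/foo; pass "1" to bake
# in a key alongside the certificate, as src_install()-time docert would.
make_sample_pkg() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssl/foo"
    printf 'ServerName foo.example\n' > "$d/etc/foo.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DUMMYCERT' \
        '-----END CERTIFICATE-----' > "$d/etc/ssl/foo/server.crt"
    if [ "$1" = 1 ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'DUMMYKEY' \
            '-----END RSA PRIVATE KEY-----' > "$d/etc/ssl/foo/server.key"
    fi
    (cd "$d" && tar -cf pkg.tar etc)
    echo "$d/pkg.tar"
}

# Usage: refuse to ship a package that carries key material, as a QA gate.
pkg=$(make_sample_pkg 1)
if scan_pkg_for_private_keys "$pkg"; then
    echo "refusing to ship $pkg: private key material inside" >&2
fi
```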
Re: [gentoo-dev] app-arch/rpm needs a maintainer
On Mon, 20 Aug 2007, Caleb Tennis wrote:
> Title says it all. There are a lot of open bugs, and I'm trying to clear up
> some sys-libs/db dependency issues. Does anyone use this package and want to
> maintain it?

Hi Caleb,

I guess this is the reason why x11-misc/hotkeys has been dropped from portage too. We would have appreciated being warned through p.mask or -dev, or receiving an explanation in the commit message. Other major distros still maintain this package, and are able to compile it against db-4.2 [1] (thanks to ulm on IRC for the link).

Unless you see a downside, I propose one of us (ulm|falco) take care of x11-libs/hotkeys, restore the deleted ebuild, and upgrade to a db-4.2 compatible version in a reasonably short timeframe.

[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg109363.html

Cheers,
--
Raphael Marichez aka Falco
[gentoo-dev] www-apps/dokuwiki maintainer needed
Hi,

www-apps/dokuwiki is without an ebuild maintainer and has an open security bug #163781 that corresponds to several vulnerabilities:
https://bugs.gentoo.org/show_bug.cgi?id=163781

CVE-2006-6965
CVE-2006-5099
CVE-2006-5098
CVE-2006-4679
CVE-2006-4675
CVE-2006-4674
CVE-2006-2945
CVE-2006-2878

Anyone willing to take care of this package in the future, please update metadata.xml and CC yourself on the bug.

--
Raphael Marichez aka Falco
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:
> I think if we're to promote packages that have security issues on an
> arch, we need to be very clear that we're not making reasonable efforts
> to ensure that arch is free of known exploits.

I agree. The term "promote" is perhaps a little bit exaggerated, but vulnerability monitoring is useful only if it's exhaustive, so far as possible. If, say, 5% of security weaknesses are voluntarily kept in portage, that means that the security-concerned users can't rely on GLSAs and package.mask: they should rely on their own security vulnerability monitoring, and that means we've failed.

But a "temporary masking GLSA" which would not cover all arches may be acceptable, without abuse. I still prefer to see vulnerable packages in p.mask with a 2-line short comment and the bug number.

Cheers,
--
Raphael Marichez aka Falco
[gentoo-dev] www-servers/yaws needs a new maintainer
Hi,

www-servers/yaws is without an ebuild maintainer and has an open security bug #159602:
https://bugs.gentoo.org/show_bug.cgi?id=159602

Anyone willing to take care of this package in the future, please update metadata.xml and CC yourself on the bug.

--
Raphael Marichez aka Falco
[gentoo-dev] app-doc/chmlib - call for maintainer
Hi,

app-doc/chmlib is without an active ebuild maintainer and has an open security bug [1].

Anyone willing to take care of this package in the future, please update metadata.xml and CC yourself on the bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=143181

Cheers
--
Raphael Marichez aka Falco
Gentoo Linux Security Team
Re: [gentoo-dev] help
/me gives some help to Dan

sorry --> []

--
Raphael Marichez aka Falco
Re: [gentoo-dev] Assigning bugs to treecleaners
> If you want to sync just part of the tree, look into setting '--exclude'
> or '--exclude-from' options via PORTAGE_RSYNC_EXTRA_OPTS in make.conf.
> See rsync(1) and make.conf(5). Never tried it myself, but it should
> work.

I'm using it on my laptop and it works very well :) I've saved 320 MB!

But a single decrease of 20% can't compensate for an annual increase of about 10~20%.

(PS: France wins 3-1 :D )

Cheers
--
Raphael Marichez aka Falco
Re: [gentoo-dev] Assigning bugs to treecleaners
> > I have to admit - I'd never heard of the project until now (so maybe I'm
> > not alone...?).

Same for me (I'm a new dev, but I have been reading and learning www.gentoo.org for a while now :) ).

IMHO this seems a good idea. The portage tree is growing every week, every month, and it doesn't really suit the very little systems (embedded linux) nowadays. Furthermore, with the old 2.0-portage, the syncing and caching had become really long. So this project sounds sane. It's rather new, isn't it?

Cheers
--
Raphael Marichez aka Falco
Re: [gentoo-dev] New Security Dev : Falco
> Hi Everyone,

Hi all,

> Please extend a warm welcome to Raphael Marichez aka Falco, our newest
> addition to the Security team.

Thanks to all for your nice welcome, here and on IRC!

> He is also fond of horse-riding, bird-watching, Belgian beers, French
> cheese and wine.

If you have a trip near Paris, don't hesitate to come and sample one or two high-quality beers :)

I hope to be helpful to the sec-team and our users' safety. I'd really like Gentoo to be considered as one of the most secure distros and suitable for production servers! (The hardened team does a wonderful job for this purpose too.)

Cheers
--
Raphael Marichez aka Falco