Re: [gentoo-dev] Jeeves IRC replacement now alive - Willikins

2008-08-07 Thread Raphael Marichez
On Wed, 06 Aug 2008, Robin H. Johnson wrote:

 Hi folks,
 
 Sorry that it's taken this long to get completed, but the Jeeves
 replacement, Willikins, is finally 99% done, and ready to join lots of
 channels.
 

Whee!

Thanks Robbat!




 Getting the bot out there
 -
 If you would like to have the new bot in your #gentoo-* channel, would
 each channel founder/leader please respond to this thread, stating the
 channel name, and that they are the contact for any problems/troubles.
 


/j #gentoo-security for sure!


Cheers,
-- 
Raphael Marichez aka Falco




Re: [gentoo-dev] SSL certificates in binary packages

2007-08-22 Thread Raphael Marichez
On Tue, 21 Aug 2007, Natanael Copa wrote:

 Hi,
 
 I use the gentoo framework to build binary packages. I noticed that most
 packages create the ssl certificate during src_install(). This makes
 all binary packages contain the ssl certs, which is a security threat.


Hi,

If you are really concerned about security, then you do not want to use
such automatically-generated certificates. They generally contain fake
CN names (e.g. CN=localhost) and they are not expected in a PKI
environment: they cannot be checked or trusted. You will generate your
own certificates with your own root CA, your own CRL and your own
policy.

 
 The net-nds/openldap package has understood this and calls docert from
 pkg_postinst() and even includes this comment:
 
   # You cannot build SSL certificates during src_install that will make
   # binary packages containing your SSL key, which is both a security risk
   # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN
names, and this problem is not solved this way.

Cheers,
-- 
Raphael Marichez aka Falco
Gentoo/Security


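The contrast drawn in the exchange above (a package-generated self-signed CN=localhost certificate versus certificates issued by your own root CA), as an added example that is not code from the thread, from any ebuild, or from Gentoo. It is a POSIX shell script driving the openssl CLI and assumes a standard openssl installation whose default openssl.cnf makes `req -x509` emit a CA:TRUE certificate. It builds a private root CA, issues a per-host leaf certificate with the real hostname in both CN and subjectAltName, then generates the docert-style CN=localhost certificate and shows that it fails verification against that CA, as does the CA-issued certificate when presented under a different hostname. The hostnames, file names and the scratch directory are placeholders chosen here; CRL generation from the message is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread or from any ebuild.
# Assumes the openssl CLI with its default openssl.cnf (so "req -x509"
# produces a CA:TRUE certificate). Hostnames and file names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"    # scratch dir; every file below lands here
cd "$WORK"

# Step 1: your own root CA. Its private key stays on this machine
# (and never ends up inside a binary package).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal Root CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# Step 2: a per-host leaf certificate. CN and SAN carry the real hostname,
# so a client can match the name it connected to against the cert it is shown.
issue_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$host.ext"
    openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 398 -sha256 -extfile "$host.ext" -out "$host.crt" >/dev/null 2>&1
}

# What a docert-style src_install step hands every installer of the binary
# package: one self-signed cert with a generic name, the same key on every box.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=localhost" -keyout ss.key -out ss.crt >/dev/null 2>&1
}

# verify_cert CERT HOST: chain-check CERT against ca.crt and match HOST against
# the names in CERT. Prints "ok" or "fail" so the result is easy to script on.
verify_cert() {
    if openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
issue_host_cert ldap.example.internal
make_self_signed
echo "CA-issued cert, correct hostname:        $(verify_cert ldap.example.internal.crt ldap.example.internal)"
echo "CA-issued cert, wrong hostname:          $(verify_cert ldap.example.internal.crt mail.example.internal)"
echo "package-style self-signed CN=localhost:  $(verify_cert ss.crt localhost)"
```

Only the first line reports ok: the self-signed certificate is rejected because nothing in the CA file vouches for it, and the CA-issued one is rejected under the wrong name because the hostname check is part of verification, not an afterthought. Trusting the package-generated certificate would mean adding a CA:TRUE self-signed cert with no real name, whose private key is shared by every host that installed the same binary package, to the trust store.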


Re: [gentoo-dev] app-arch/rpm needs a maintainer

2007-08-20 Thread Raphael Marichez
On Mon, 20 Aug 2007, Caleb Tennis wrote:

 Title says it all.  There are a lot of open bugs, and I'm trying to clear up
 some sys-libs/db dependency issues.  Does anyone use this package and want to
 maintain it?


Hi Caleb,

I guess this is the reason why x11-misc/hotkeys has been dropped from
portage too. We would have appreciated being warned through p.mask or
-dev, or receiving an explanation in the commit message.

Other major distros still maintain this package and are able to compile
it against db-4.2 [1] (thanks to ulm on IRC for the link). Unless you
see a downside, I propose that one of us (ulm|falco) take care of
x11-libs/hotkeys, restore the deleted ebuild, and upgrade to a db-4.2
compatible version in a reasonably short timeframe.

[1]
http://www.mail-archive.com/[EMAIL PROTECTED]/msg109363.html

Cheers,
-- 
Raphael Marichez aka Falco




[gentoo-dev] www-apps/dokuwiki maintainer needed

2007-03-15 Thread Raphael Marichez

Hi,

www-apps/dokuwiki is without an ebuild maintainer and has an open
security bug #163781 that corresponds to several vulnerabilities

https://bugs.gentoo.org/show_bug.cgi?id=163781
CVE-2006-6965
CVE-2006-5099
CVE-2006-5098
CVE-2006-4679
CVE-2006-4675
CVE-2006-4674
CVE-2006-2945
CVE-2006-2878

Anyone willing to take care of this package in the future, please update
metadata.xml and CC yourself on the bug.


-- 
Raphael Marichez aka Falco




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Raphael Marichez
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:

 I think if we're to promote packages that have security issues on an
 arch, we need to be very clear that we're not making reasonable efforts
 to ensure that arch is free of known exploits.
 

I agree. The term "promote" is perhaps a little bit exaggerated, but
vulnerability monitoring is useful only if it is exhaustive, as far as
possible.

If, say, 5% of security weaknesses are voluntarily kept in portage, that
means that security-conscious users can't rely on GLSAs and
package.mask: they would have to rely on their own vulnerability
monitoring, and that means we've failed.

But a temporary masking GLSA which would not cover all arches may be
acceptable, without abuse. I still prefer to see vulnerable packages in
p.mask with a short two-line comment and the bug number.



Cheers,
-- 
Raphael Marichez aka Falco




[gentoo-dev] www-servers/yaws needs a new maintainer

2007-02-09 Thread Raphael Marichez
Hi,


www-servers/yaws is without an ebuild maintainer and has an open
security bug #159602

https://bugs.gentoo.org/show_bug.cgi?id=159602

Anyone willing to take care of this package in the future, please update
metadata.xml and CC yourself on the bug.



-- 
Raphael Marichez aka Falco




[gentoo-dev] app-doc/chmlib - call for maintainer

2006-08-08 Thread Raphael Marichez
Hi,

app-doc/chmlib is without an active ebuild maintainer and has an open
security bug [1]

Anyone willing to take care of this package in the future, please update
metadata.xml and CC yourself on the bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=143181

cheers
-- 

Raphael Marichez aka Falco
Gentoo Linux Security Team




Re: [gentoo-dev] Assigning bugs to treecleaners

2006-06-27 Thread Raphael Marichez


 I have to admit - I'd never heard of the project until now (so maybe I'm
 not alone...?). 

Same for me (I'm a new dev, but I have been reading and learning from
www.gentoo.org for a while now :) )

IMHO this seems a good idea. The portage tree is growing every week, every
month, and it doesn't really suit the very small systems (embedded
Linux) nowadays. Furthermore, with the old 2.0-portage, syncing and
caching had started taking really long.
So this project sounds sane. It's rather new, isn't it?

cheers
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] Assigning bugs to treecleaners

2006-06-27 Thread Raphael Marichez
 If you want to sync just part of the tree, look into setting '--exclude'
 or '--exclude-from' options via PORTAGE_RSYNC_EXTRA_OPTS in make.conf.
 See rsync(1) and make.conf(5).  Never tried it myself, but it should
 work.

I'm using it on my laptop and it works very well :)

I've saved 320 MB!

But a one-time decrease of 20% can't compensate for an annual increase of about
10~20%



(PS: France wins 3-1 :D )

cheers
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] help

2006-06-27 Thread Raphael Marichez

/me gives some help to Dan


sorry
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] New Security Dev : Falco

2006-06-26 Thread Raphael Marichez
 Hi Everyone,

Hi all,


 Please extend a warm welcome to Raphael Marichez aka Falco, our newest
 addition to the Security team.

thanks to all for your nice welcome, here and on IRC !

 He is also fond of horse-riding, bird-watching, Belgian beers, French
 cheese and wine.

If you make a trip near Paris, don't hesitate to come and sample one or two
high-quality beers :)

I hope to be helpful to the sec-team and to our users' safety. I'd really like
Gentoo to be considered one of the most secure distros and suitable for
production servers! (The hardened team does a wonderful job for this
purpose too.)

Cheers
-- 

Raphael Marichez aka Falco

