Re: [gentoo-dev] Jeeves IRC replacement now alive - Willikins

2008-08-07 Thread Raphael Marichez
On Wed, 06 Aug 2008, Robin H. Johnson wrote:

> Hi folks,
> 
> Sorry that it's taken this long to get completed, but the Jeeves
> replacement, Willikins, is finally 99% done, and ready to join lots of
> channels.
> 

Whee!

Thanks Robbat!




> Getting the bot out there
> -
> If you would like to have the new bot in your #gentoo-* channel, would
> each channel founder/leader please respond to this thread, stating the
> channel name, and that they are the contact for any problems/troubles.
> 


/j #gentoo-security for sure!


Cheers,
-- 
Raphael Marichez aka Falco




Re: [gentoo-dev] SSL certificates in binary packages

2007-08-22 Thread Raphael Marichez
On Tue, 21 Aug 2007, Natanael Copa wrote:

> Hi,
> 
> I use the gentoo framework to build binary packages. I noticed that most
> packages creates the ssl certificate during src_install(). This makes
> all binary packages contain the ssl certs which is a security threat.


Hi,

If you are really concerned about security, then you do not want to use
such automatically-generated certificates. They generally contain fake
CN names (e.g. "CN=localhost") and they are not expected in a PKI
environment: they can't be checked or trusted. You will generate your
own certificates with your own root CA, your own CRL and your own
policy.

> 
> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
> 
>   # You cannot build SSL certificates during src_install that will make
>   # binary packages containing your SSL key, which is both a security risk
>   # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN
names, and this problem is not solved this way.

Cheers,
-- 
Raphael Marichez aka Falco
Gentoo/Security
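As an added illustration of the point discussed above (not code from this thread or from the openldap ebuild), here is a small POSIX sh check a packager could run over the image directory before building the binary package; the image layout, file names and the placeholder PEM body are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openldap ebuild.
# Scans a package image directory (the tree that would be tarred into a
# binary package) for PEM private keys or certificates and refuses to
# package if any are present. Layout and file contents below are constructed.

PEM_RE='-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----|-----BEGIN CERTIFICATE-----'

# List every regular file under $1 containing a PEM key/certificate marker.
# Always exits 0 (the pipeline ends in sort), so it is safe under "set -e";
# callers look at the output, not the status.
find_pem_secrets() {
    find "$1" -type f -exec grep -lE -- "$PEM_RE" {} + 2>/dev/null | sort
}

# Gate for the packaging step: 0 if the image is clean, 1 if it carries
# material that should only be generated on the target host (pkg_postinst).
check_image() {
    offenders=$(find_pem_secrets "$1")
    if [ -n "$offenders" ]; then
        printf 'refusing to package: PEM secrets found in image:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Build a constructed image directory that mimics a package which generated
# its certificate during src_install. The key body is a placeholder string,
# not real key material; only the PEM markers matter to the check.
make_sample_image() {
    img=$(mktemp -d)
    mkdir -p "$img/etc/ssl/private" "$img/usr/bin"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$img/etc/ssl/private/ldap.key"
    printf 'binary payload, no secrets here\n' > "$img/usr/bin/daemon"
    printf '%s\n' "$img"
}

# Stand-alone run: the constructed image is rejected until the key is removed.
img=$(make_sample_image)
check_image "$img" || echo "image rejected as expected"
rm -f "$img/etc/ssl/private/ldap.key"
check_image "$img" && echo "image clean after removing the key"
rm -rf "$img"
```

A real ebuild would run the equivalent of check_image over ${D} and generate the certificate in pkg_postinst instead, as the openldap comment describes.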




Re: [gentoo-dev] app-arch/rpm needs a maintainer

2007-08-20 Thread Raphael Marichez
On Mon, 20 Aug 2007, Caleb Tennis wrote:

> Title says it all.  There are a lot of open bugs, and I'm trying to clear up
> some sys-libs/db dependency issues.  Does anyone use this package and want to
> maintain it?


Hi Caleb,

I guess this is the reason why x11-misc/hotkeys has been dropped from
portage too. We would have appreciated being warned through p.mask or
-dev, or receiving an explanation in the commit message.

Other major distros still maintain this package, and are able to compile
it against db-4.2 [1] (thanks to ulm on IRC for the link). Unless you
see a downside, I propose one of us (ulm|falco) take care of
x11-libs/hotkeys, restore the deleted ebuild, and upgrade to a db-4.2
compatible version in a reasonably short timeframe.

[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg109363.html

Cheers,
-- 
Raphael Marichez aka Falco




[gentoo-dev] www-apps/dokuwiki maintainer needed

2007-03-15 Thread Raphael Marichez

Hi,

www-apps/dokuwiki is without an ebuild maintainer and has an open
security bug #163781 that corresponds to several vulnerabilities:

https://bugs.gentoo.org/show_bug.cgi?id=163781
CVE-2006-6965
CVE-2006-5099
CVE-2006-5098
CVE-2006-4679
CVE-2006-4675
CVE-2006-4674
CVE-2006-2945
CVE-2006-2878

Anyone willing to take care of this package in the future, please update
metadata.xml and CC yourself on the bug.


-- 
Raphael Marichez aka Falco




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Raphael Marichez
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:

> I think if we're to promote packages that have security issues on an
> arch, we need to be very clear that we're not making reasonable efforts
> to ensure that arch is free of known exploits.
> 

I agree. The term "promote" is perhaps a little bit exaggerated, but
vulnerability monitoring is useful only if it's exhaustive, so far as
possible.

If, say, 5% of security weaknesses are voluntarily kept in portage, that
means that security-concerned users can't rely on GLSAs and
package.mask: they should rely on their own security vulnerability
monitoring, and that means we've failed.

But a "temporary masking GLSA" which would not cover all arches may be
acceptable, without abuse. I still prefer to see vulnerable packages in
p.mask with a short two-line comment and the bug number.



Cheers,
-- 
Raphael Marichez aka Falco




[gentoo-dev] www-servers/yaws needs a new maintainer

2007-02-09 Thread Raphael Marichez
Hi,


www-servers/yaws is without an ebuild maintainer and has an open
security bug #159602

https://bugs.gentoo.org/show_bug.cgi?id=159602

Anyone willing to take care of this package in the future, please update
metadata.xml and CC yourself on the bug.



-- 
Raphael Marichez aka Falco




[gentoo-dev] app-doc/chmlib - call for maintainer

2006-08-08 Thread Raphael Marichez
Hi,

app-doc/chmlib is without an active ebuild maintainer and has an open security 
bug [1]

Anyone willing to take care of this package in the future, please update 
metadata.xml and CC yourself on the bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=143181

cheers
-- 

Raphael Marichez aka Falco
Gentoo Linux Security Team




Re: [gentoo-dev] help

2006-06-27 Thread Raphael Marichez

/me gives some help to Dan


sorry   --> []
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] Assigning bugs to treecleaners

2006-06-27 Thread Raphael Marichez
> If you want to sync just part of the tree, look into setting '--exclude'
> or '--exclude-from' options via PORTAGE_RSYNC_EXTRA_OPTS in make.conf.
> See rsync(1) and make.conf(5).  Never tried it myself, but it should
> work.

I'm using it on my laptop and it works very well :)

I've saved 320 MB!

But a single decrease of 20% can't compensate for an annual increase of
about 10~20%.



(PS: France wins 3-1 :D )

cheers
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] Assigning bugs to treecleaners

2006-06-27 Thread Raphael Marichez

>
> I have to admit - I'd never heard of the project until now (so maybe I'm
> not alone...?). 

Same for me (I'm a new dev, but I have been reading and learning from
www.gentoo.org for a while now :) )

IMHO this seems a good idea. The portage tree is growing every week, every
month, and it doesn't really suit very small systems (embedded
Linux) nowadays. Furthermore, with the old 2.0-portage, the syncing and
caching had become really slow.
So this project sounds sane. It's rather new, isn't it?

cheers
-- 

Raphael Marichez aka Falco




Re: [gentoo-dev] New Security Dev : Falco

2006-06-26 Thread Raphael Marichez
> Hi Everyone,

Hi all,

>
> Please extend a warm welcome to Raphael Marichez aka Falco, our newest
> addition to the Security team.

Thanks to all for your nice welcome, here and on IRC!

> He is also fond of horse-riding, bird-watching, Belgian beers, French
> cheese and wine.

If you have a trip near Paris, don't hesitate to come and sample one or two
high-quality beers :)

I hope to be helpful to the sec-team and our users' safety. I'd really like
Gentoo to be considered one of the most secure distros and suitable for
production servers! (The hardened team does a wonderful job for this
purpose too.)

Cheers
-- 

Raphael Marichez aka Falco

