Re: [gentoo-user] Re: gentoo older versions
I may need more time for doing this - currently for time constraint i have switched over to some other distro. Thanks for the info Mark. On Thu, May 7, 2009 at 12:37 PM, Mark Shields wrote: > On Sat, May 2, 2009 at 1:23 PM, William Hubbs wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On Sat, May 02, 2009 at 10:14:45AM -0700, Nitin Kanaskar wrote: >>> Ok - I am not clear about the terminology - >>> packages, versions... >>> But i need to install gentoo 2004/2005 - if this >>> is right. I am a graduate student doing research on >>> vulnerabilities, exploits and IDS. Hence I am looking >>> for older gentoo installations which i know have >>> some vulnerabilities. >>> If i have to build whole OS from source, I am willing >>> to do that - but could not find any resource on that >>> old stuff. >> >> Gentoo, as a distribution, is versionless. The 2004/2005 you are >> referring to are versions of our release media. What you would have to >> do is find out which packages and which versions of the packages you >> want to work with and see if we still have them in the tree. >> >> William >> -BEGIN PGP SIGNATURE- >> Version: GnuPG v2.0.11 (GNU/Linux) >> >> iEYEARECAAYFAkn8gawACgkQblQW9DDEZThqXwCgs9ZSKvDZbRgd9bzmDxe9wA36 >> ccUAoIrd1uKpHzEvlRXRbBEzearyYKYS >> =cPF9 >> -END PGP SIGNATURE- >> >> > > That isn't entirely accurate. If you can get a livecd, or a minimal > cd + package cd (distfiles), and just not upgrade portage, he would be > able to use it fine. > > -- > - Mark Shields > >
Re: [gentoo-user] Re: gentoo older versions
On Sat, May 2, 2009 at 1:23 PM, William Hubbs wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Sat, May 02, 2009 at 10:14:45AM -0700, Nitin Kanaskar wrote: >> Ok - I am not clear about the terminology - >> packages, versions... >> But i need to install gentoo 2004/2005 - if this >> is right. I am a graduate student doing research on >> vulnerabilities, exploits and IDS. Hence I am looking >> for older gentoo installations which i know have >> some vulnerabilities. >> If i have to build whole OS from source, I am willing >> to do that - but could not find any resource on that >> old stuff. > > Gentoo, as a distribution, is versionless. The 2004/2005 you are > referring to are versions of our release media. What you would have to > do is find out which packages and which versions of the packages you > want to work with and see if we still have them in the tree. > > William > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.11 (GNU/Linux) > > iEYEARECAAYFAkn8gawACgkQblQW9DDEZThqXwCgs9ZSKvDZbRgd9bzmDxe9wA36 > ccUAoIrd1uKpHzEvlRXRbBEzearyYKYS > =cPF9 > -END PGP SIGNATURE- > > That isn't entirely accurate. If you can get a livecd, or a minimal cd + package cd (distfiles), and just not upgrade portage, he would be able to use it fine. -- - Mark Shields
[gentoo-user] Re: gentoo older versions
Nitin Kanaskar gmail.com> writes: > I would definitely give this a thought - sounds > interesting and challenging. OK, If you like just pop onto gentoo embedded... gentoo-embed...@lists.gentoo.org James
Re: [gentoo-user] Re: gentoo older versions
James... I would definitely give this a thought - sounds interesting and challenging. Thanks a lot, Nitin On Mon, May 4, 2009 at 8:56 AM, James wrote: > Nitin Kanaskar gmail.com> writes: > > >> Thank you so much Dale again - but i >> would try to follow links given by Neil - >> thank you Neil - and chk in the cvs repositories. >> Really appreciate your willingness to help. > > Hello Nitin, > > After reading your thread, you seem to be a bit > flexible in what you pursue as opportunities > for security analysis. Just a suggestion, but, > in lieu of pursuing a very 'well worn path' of > vulnerability assessments, might you be interested > in exploring an alternative? > > > If so, consider testing for security vulnerabilities > on a variety of embedded (Gentoo) linux devices/architectures? > > > You'll find embedded linux on a variety of hardware, > very rich in opportunities for exploits. There are > far fewer folks to test and fix problems, and many > of the builds are barely able to support the > arch, let alone robust security analysis. You > could easily distinguish your self and provide a > huge service to the gentoo community, not to mention > working with some very sharp minds who > inhabit this space. > > > For example, you could test the vulnerability > difference between the various C libraries, > with all else being the same. Or look at vulnerability > differences between soft-float and using builds > based on hardware, just to name a few. Certainly with > a quick survey of the space, you can come up > with lots of ideas that would yield lots of > uniquely interesting information, and blaze a new path. > Gentoo on ARM is a HUGE opportunity for distinction. > > > Here are a few links for your perusal: > > http://www.gentoo.org/proj/en/base/embedded/index.xml > > http://www.gentoo.org/proj/en/base/embedded/handbook/ > > http://tinderbox.dev.gentoo.org/ > > http://slonopotamus.org/gentoo-on-n8x0 > > http://en.gentoo-wiki.com/wiki/TinyGentoo > > http://wiki.debian.org/ArmEabiPort > > http://www.codesourcery.com/sgpp/lite/arm/portal/target_arc...@template=faq#q_gnu_linux_long_long > > http://martinwguy.co.uk/martin/tech/Maverick/ > > Just a suggestion > > hth, > James > > > >
[gentoo-user] Re: gentoo older versions
Nitin Kanaskar gmail.com> writes: > Thank you so much Dale again - but i > would try to follow links given by Neil - > thank you Neil - and chk in the cvs repositories. > Really appreciate your willingness to help. Hello Nitin, After reading your thread, you seem to be a bit flexible in what you pursue as opportunities for security analysis. Just a suggestion, but, in lieu of pursuing a very 'well worn path' of vulnerability assessments, might you be interested in exploring an alternative? If so, consider testing for security vulnerabilities on a variety of embedded (Gentoo) linux devices/architectures? You'll find embedded linux on a variety of hardware, very rich in opportunities for exploits. There are far fewer folks to test and fix problems, and many of the builds are barely able to support the arch, let alone robust security analysis. You could easily distinguish your self and provide a huge service to the gentoo community, not to mention working with some very sharp minds who inhabit this space. For example, you could test the vulnerability difference between the various C libraries, with all else being the same. Or look at vulnerability differences between soft-float and using builds based on hardware, just to name a few. Certainly with a quick survey of the space, you can come up with lots of ideas that would yield lots of uniquely interesting information, and blaze a new path. Gentoo on ARM is a HUGE opportunity for distinction. Here are a few links for your perusal: http://www.gentoo.org/proj/en/base/embedded/index.xml http://www.gentoo.org/proj/en/base/embedded/handbook/ http://tinderbox.dev.gentoo.org/ http://slonopotamus.org/gentoo-on-n8x0 http://en.gentoo-wiki.com/wiki/TinyGentoo http://wiki.debian.org/ArmEabiPort http://www.codesourcery.com/sgpp/lite/arm/portal/target_arc...@template=faq#q_gnu_linux_long_long http://martinwguy.co.uk/martin/tech/Maverick/ Just a suggestion hth, James
Re: [gentoo-user] Re: gentoo older versions
Thank you so much Dale again - but i would try to follow links given by Neil - thank you Neil - and chk in the cvs repositories. Really appreciate your willingness to help. On Sat, May 2, 2009 at 3:44 PM, Dale wrote: > Nitin Kanaskar wrote: >> Thanks a lot Dale for your help. >> But I would go for other OS - debian, opensuse, fedora...- >> or recent gentoo releases. >> Thanks a lot all of you for your inputs. >> >> > > How about a Mandrake 9.1? I may have that as well. LOL It's just a > thought. I'm a pack rat so I keep everything, some time to much > everything. I do flush tho. o_O > > Dale > > :-) :-) > >
Re: [gentoo-user] Re: gentoo older versions
Nitin Kanaskar wrote: > Thanks a lot Dale for your help. > But I would go for other OS - debian, opensuse, fedora...- > or recent gentoo releases. > Thanks a lot all of you for your inputs. > > How about a Mandrake 9.1? I may have that as well. LOL It's just a thought. I'm a pack rat so I keep everything, some time to much everything. I do flush tho. o_O Dale :-) :-)
Re: [gentoo-user] Re: gentoo older versions
On Sat, 2 May 2009 19:45:53 +0200, Alan McKinnon wrote: > 2. All gentoo ebuilds ever shipped are in cvs or svn somewhere. It was > Neil Bothwick or Iain Buchanan who recently posted a URL, with luck the > right man will see this and report. There's a CVS link on the Gentoo home page, and you can get into the attic from there. > However, I do not know of a way to > extract the entire portage tree as it was at a point in time. This too > will be problematic. As it's a CVS repository, it should be possible to do exactly that. -- Neil Bothwick Yes, I've heard of "decaf." What's your point? signature.asc Description: PGP signature
Re: [gentoo-user] Re: gentoo older versions
On Sat, 2 May 2009 10:14:45 -0700, Nitin Kanaskar wrote: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know havecover > some vulnerabilities. I have Gentoo 1.4 on a DVD somewhere, complete with portage tree and distfiles, and a couple of other versions. They are Linux Format cover DVDs but I could remove the copyrighted material from them. -- Neil Bothwick WinErr 010: Reserved for future mistakes by our developers signature.asc Description: PGP signature
Re: [gentoo-user] Re: gentoo older versions
Thanks a lot Dale for your help. But I would go for other OS - debian, opensuse, fedora...- or recent gentoo releases. Thanks a lot all of you for your inputs. On Sat, May 2, 2009 at 1:25 PM, Dale wrote: > KH wrote: >> Nitin Kanaskar schrieb: >> >>> Ok - I am not clear about the terminology - >>> packages, versions... >>> But i need to install gentoo 2004/2005 - if this >>> is right. I am a graduate student doing research on >>> vulnerabilities, exploits and IDS. Hence I am looking >>> for older gentoo installations which i know have >>> some vulnerabilities. >>> If i have to build whole OS from source, I am willing >>> to do that - but could not find any resource on that >>> old stuff. >>> >>> Hope I am clear about why I am looking for >>> such old stuff. >>> >>> Nitin >>> >>> >> >> hi, >> >> there should be the iso of xbox gentoo from 2005 available. >> >> >> http://ftp.uni-erlangen.de/pub/mirrors/gentoo/experimental/x86/xbox/livecd/ >> >> Also the old ebuilds (not the sources) should be somewhere to find. I >> read that they are kept. >> >> I might also have a 2005 iso from an minimal cd left but I am not >> absolutly sure about that. >> >> kh >> >> >> > I !may! have a Gentoo 1.4 CD somewhere. I would have to look around and > see if I can find it tho. Let me know if you want me to look. I would > have to copy it and mail it tho, if you are in the USA of course. I > don't have a way to upload it or serve it up. > > Dale > > :-) :-) > >
Re: [gentoo-user] Re: gentoo older versions
KH wrote: > Nitin Kanaskar schrieb: > >> Ok - I am not clear about the terminology - >> packages, versions... >> But i need to install gentoo 2004/2005 - if this >> is right. I am a graduate student doing research on >> vulnerabilities, exploits and IDS. Hence I am looking >> for older gentoo installations which i know have >> some vulnerabilities. >> If i have to build whole OS from source, I am willing >> to do that - but could not find any resource on that >> old stuff. >> >> Hope I am clear about why I am looking for >> such old stuff. >> >> Nitin >> >> > > hi, > > there should be the iso of xbox gentoo from 2005 available. > > > http://ftp.uni-erlangen.de/pub/mirrors/gentoo/experimental/x86/xbox/livecd/ > > Also the old ebuilds (not the sources) should be somewhere to find. I > read that they are kept. > > I might also have a 2005 iso from an minimal cd left but I am not > absolutly sure about that. > > kh > > > I !may! have a Gentoo 1.4 CD somewhere. I would have to look around and see if I can find it tho. Let me know if you want me to look. I would have to copy it and mail it tho, if you are in the USA of course. I don't have a way to upload it or serve it up. Dale :-) :-)
Re: [gentoo-user] Re: gentoo older versions
Nitin Kanaskar schrieb: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know have > some vulnerabilities. > If i have to build whole OS from source, I am willing > to do that - but could not find any resource on that > old stuff. > > Hope I am clear about why I am looking for > such old stuff. > > Nitin > hi, there should be the iso of xbox gentoo from 2005 available. http://ftp.uni-erlangen.de/pub/mirrors/gentoo/experimental/x86/xbox/livecd/ Also the old ebuilds (not the sources) should be somewhere to find. I read that they are kept. I might also have a 2005 iso from an minimal cd left but I am not absolutly sure about that. kh
Re: [gentoo-user] Re: gentoo older versions
* Nitin Kanaskar (nitinv...@gmail.com) [02.05.09 19:15]: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know have > some vulnerabilities. > If i have to build whole OS from source, I am willing > to do that - but could not find any resource on that > old stuff. > Are you totally aware of what gentoo is about? You always build the Gentoo OS from source. From upstream source! That's the hole point of gentoo. And since you are able to do a vast amount of choices, I think there is no gentoo installation alike in the world, especially when it comes to binaries. Also there is no defined set of software versions, which could make a version of gentoo, as the binary dist have. Everything is in fluent change and update. So there are no "old" installations exept those someone forgot over the time. > Hope I am clear about why I am looking for > such old stuff. > Gentoo could be helpful to build such old stuff, the ebuilds are all in the cvs and if you have got the upstream tarball, you can easily rebuild the vulnerable software. But beware of some nasty depandency problems. Sebastian -- " Religion ist das Opium des Volkes. " | _ ASCII ribbon campaign Karl Marx | ( ) against HTML e-mail s...@sti@N GÜNTHER | X against M$ attachments mailto:sam...@guenther-roetgen.de | / \ www.asciiribbon.org pgpkmlzA8HpQn.pgp Description: PGP signature
Re: [gentoo-user] Re: gentoo older versions
On Sat, May 2, 2009 at 1:14 PM, Nitin Kanaskar wrote: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know have > some vulnerabilities. > If i have to build whole OS from source, I am willing > to do that - but could not find any resource on that > old stuff. > > Hope I am clear about why I am looking for > such old stuff. i hope you are already a subscriber of the great mailing list: full-disclosure i dont think gentoo/portage is the easiest software to look at for old vulnerabilities, reason is, portage will syncronise with current 'version' so you probably want to look at older version of the portage package or older version of some other software. if you prefer to go toward some other software, checkout insecure.org(nmap's former official website) there is a section for mailing lists and links to that full disclosure list with archives. High volume list, vulnerabilites are disclosed about all kinds of software (90% linux software and some of other OSes). Good luck!
Re: [gentoo-user] Re: gentoo older versions
Looking at all replies - I think working on older gentoo would most likely cause problems. I am thinking of going for latest livecd - 2008 release. On Sat, May 2, 2009 at 10:45 AM, Alan McKinnon wrote: > On Saturday 02 May 2009 19:14:45 Nitin Kanaskar wrote: >> Ok - I am not clear about the terminology - >> packages, versions... >> But i need to install gentoo 2004/2005 - if this >> is right. I am a graduate student doing research on >> vulnerabilities, exploits and IDS. Hence I am looking >> for older gentoo installations which i know have >> some vulnerabilities. >> If i have to build whole OS from source, I am willing >> to do that - but could not find any resource on that >> old stuff. > > I may have a copy of the 2005.0 livecd lying around somewhere. If I find it, > I'll put a copy on my ftp server for you. > > But I see some problems with what you are trying to do: > > 1. source repositories for code changes over time. 2004/2005 ebuilds may have > SRC_URIs that simply do not exist any more. Major packages (such as most of > system) will likely not be a problem, but minor packages may well be > problematic. > > 2. All gentoo ebuilds ever shipped are in cvs or svn somewhere. It was Neil > Bothwick or Iain Buchanan who recently posted a URL, with luck the right man > will see this and report. However, I do not know of a way to extract the > entire portage tree as it was at a point in time. This too will be > problematic. > > > -- > alan dot mckinnon at gmail dot com > >
Re: [gentoo-user] Re: gentoo older versions
I just noticed gentoo linux security site - - www.gentoo.org/security/en/ which mentions some very recent vulnerability reports in latest gentoo packages. That means i can play with these new gentoo packages for vulnerability and exploit analysis. Nikos - please correct me if you think i am going wrong. On Sat, May 2, 2009 at 10:30 AM, Nikos Chantziaras wrote: > Nitin Kanaskar wrote: >> >> Ok - I am not clear about the terminology - >> packages, versions... >> But i need to install gentoo 2004/2005 - if this >> is right. I am a graduate student doing research on >> vulnerabilities, exploits and IDS. Hence I am looking >> for older gentoo installations which i know have >> some vulnerabilities. >> If i have to build whole OS from source, I am willing >> to do that - but could not find any resource on that >> old stuff. >> >> Hope I am clear about why I am looking for >> such old stuff. > > That's not really feasible. You should look into older versions of > something like Debian, Fedora, (open)SUSE or something else instead. > > >
Re: [gentoo-user] Re: gentoo older versions
On Saturday 02 May 2009 19:14:45 Nitin Kanaskar wrote: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know have > some vulnerabilities. > If i have to build whole OS from source, I am willing > to do that - but could not find any resource on that > old stuff. I may have a copy of the 2005.0 livecd lying around somewhere. If I find it, I'll put a copy on my ftp server for you. But I see some problems with what you are trying to do: 1. source repositories for code changes over time. 2004/2005 ebuilds may have SRC_URIs that simply do not exist any more. Major packages (such as most of system) will likely not be a problem, but minor packages may well be problematic. 2. All gentoo ebuilds ever shipped are in cvs or svn somewhere. It was Neil Bothwick or Iain Buchanan who recently posted a URL, with luck the right man will see this and report. However, I do not know of a way to extract the entire portage tree as it was at a point in time. This too will be problematic. -- alan dot mckinnon at gmail dot com
[gentoo-user] Re: gentoo older versions
Nitin Kanaskar wrote: Ok - I am not clear about the terminology - packages, versions... But i need to install gentoo 2004/2005 - if this is right. I am a graduate student doing research on vulnerabilities, exploits and IDS. Hence I am looking for older gentoo installations which i know have some vulnerabilities. If i have to build whole OS from source, I am willing to do that - but could not find any resource on that old stuff. Hope I am clear about why I am looking for such old stuff. That's not really feasible. You should look into older versions of something like Debian, Fedora, (open)SUSE or something else instead.
Re: [gentoo-user] Re: gentoo older versions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, May 02, 2009 at 10:14:45AM -0700, Nitin Kanaskar wrote: > Ok - I am not clear about the terminology - > packages, versions... > But i need to install gentoo 2004/2005 - if this > is right. I am a graduate student doing research on > vulnerabilities, exploits and IDS. Hence I am looking > for older gentoo installations which i know have > some vulnerabilities. > If i have to build whole OS from source, I am willing > to do that - but could not find any resource on that > old stuff. Gentoo, as a distribution, is versionless. The 2004/2005 you are referring to are versions of our release media. What you would have to do is find out which packages and which versions of the packages you want to work with and see if we still have them in the tree. William -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.11 (GNU/Linux) iEYEARECAAYFAkn8gawACgkQblQW9DDEZThqXwCgs9ZSKvDZbRgd9bzmDxe9wA36 ccUAoIrd1uKpHzEvlRXRbBEzearyYKYS =cPF9 -END PGP SIGNATURE-
Re: [gentoo-user] Re: gentoo older versions
Ok - I am not clear about the terminology - packages, versions... But i need to install gentoo 2004/2005 - if this is right. I am a graduate student doing research on vulnerabilities, exploits and IDS. Hence I am looking for older gentoo installations which i know have some vulnerabilities. If i have to build whole OS from source, I am willing to do that - but could not find any resource on that old stuff. Hope I am clear about why I am looking for such old stuff. Nitin On Sat, May 2, 2009 at 9:47 AM, Grant Edwards wrote: > On 2009-05-02, Grant Edwards wrote: >> On 2009-05-02, Nitin Kanaskar wrote: >> >>> I am looking for older versions of gentoo - 1.x, 2.x,... >> >> Gentoo doesn't have "versions". Individual packages have >> versions. > > After a bit of googling, it looks like the snapshots/CDs did > have "version numbers" prior to about 5 years ago. After that > they were just labelled according to year. [Still, they're not > really "versions" the way that other distros have versions.] > >>> I browsed source repositories - gentoo, gentoo-src, gentoo-x86 >>> - could not find/identify it. > > Old versions of packages aren't kept in the portage tree > forever. If you're looking for old versions of the CD images, > it looks like they're only kept around for a couple years. > > -- > Grant > > > >
[gentoo-user] Re: gentoo older versions
On 2009-05-02, Grant Edwards wrote: > On 2009-05-02, Nitin Kanaskar wrote: > >> I am looking for older versions of gentoo - 1.x, 2.x,... > > Gentoo doesn't have "versions". Individual packages have > versions. After a bit of googling, it looks like the snapshots/CDs did have "version numbers" prior to about 5 years ago. After that they were just labelled according to year. [Still, they're not really "versions" the way that other distros have versions.] >> I browsed source repositories - gentoo, gentoo-src, gentoo-x86 >> - could not find/identify it. Old versions of packages aren't kept in the portage tree forever. If you're looking for old versions of the CD images, it looks like they're only kept around for a couple years. -- Grant
Re: [gentoo-user] Re: gentoo older versions
Grant Edwards wrote: > On 2009-05-02, Nitin Kanaskar wrote: > > >> I am looking for older versions of gentoo - 1.x, 2.x,... >> > > Gentoo doesn't have "versions". Individual packages have > versions. > > >> I browsed source repositories - gentoo, gentoo-src, gentoo-x86 >> - could not find/identify it. >> > > You're going to have to explain what "it" is. > > Since he is going back to some really old stuff, several years it looks like, wouldn't he have trouble with some stuff even existing any more? Doesn't the really old stuff get removed from the tree? Would he be able to get the correct ebuilds to even tell portage how to install the old versions? I'm not sure I get the reason for this. Dale :-) :-)
[gentoo-user] Re: gentoo older versions
On 2009-05-02, Nitin Kanaskar wrote: > I am looking for older versions of gentoo - 1.x, 2.x,... Gentoo doesn't have "versions". Individual packages have versions. > I browsed source repositories - gentoo, gentoo-src, gentoo-x86 > - could not find/identify it. You're going to have to explain what "it" is. -- Grant