[Savannah-users] Savannah security software updates (was: Multiple GPG keys on Savannah)

2019-08-02 Thread Asher Gordon
Bob Proulx  writes:

> Asher Gordon wrote:
>> I see. It's too bad Savannah doesn't host the GnuPG git repository,
>> because then I could point out how ironic it is that Savannah hosts
>> GnuPG but still uses an old version! :-)
>
> I'll own that one.  I really push for having an alive security patch
> process and using a software distribution package management system
> makes that much easier than building everything from scratch.
> [...]

I was just making a joke (perhaps not a very good one :-) ). I wasn't
trying to criticize Savannah. But of course, security *is* important.

> The terrible irony would be that a security vulnerability would get
> found, reported, known by the malicious, fixed upstream, and we might
> still be running a stale old copy that we had not realized needed to
> be updated if we are not paying attention and get compromised.  On the
> other hand the daily distro package upgrade keeps things simple.

Yes, using distro packages is probably a good idea. Might I suggest
moving to Debian eventually? I know it's not FSF-endorsed, but "main"
has only free software. Debian stable ("buster" currently) has
reasonably recent software versions and is stable and secure. Of course,
it would probably be a lot of work to migrate Savannah to Debian, and it
might not be worth it. Another major downside would be that you don't
get the cool ASCII logo on login. :-)

Asher

-- 
 well there ya go.  say something stupid in irc and have it
  immortalised forever in someone's .sig file


signature.asc
Description: PGP signature


Re: [Savannah-users] Multiple GPG keys on Savannah

2019-08-02 Thread Asher Gordon
Ineiev  writes:

> Yes, you can upload as many keys as you reasonably want.

OK, thanks.

> This means that Savannah won't be able to use your ECDSA key to send
> you encrypted emails; it still should use your RSA key for that
> (depending on your account configuration).

Alright, that's fine (that's why I have the RSA key!)

> The respective part of Savannah runs Trisquel 7, and it comes with
> GnuPG 2.0 series which doesn't support ECC anyway; however, we should
> update it before 2020, and then...

I see. It's too bad Savannah doesn't host the GnuPG git repository,
because then I could point out how ironic it is that Savannah hosts
GnuPG but still uses an old version! :-)

Thanks,
Asher

-- 
A witty saying proves nothing, but saying something pointless gets
people's attention.




[Savannah-users] Multiple GPG keys on Savannah

2019-08-02 Thread Asher Gordon
Hello,

I have an ECDSA key (ed25519) and an RSA key (rsa4096). I prefer to use
the ECDSA key since it is smaller and faster but still secure. I have
the RSA key in case people cannot use my ECDSA key (since ECC is still
relatively new).

Is it OK to upload both keys? Or will that cause problems? Currently, I
have both keys uploaded [1].

As a side note, when testing the keys, Savannah's gpg fails to import
the ECDSA key since it is too old (1.4.16). For example, when I try to
test both keys, it imports the RSA one successfully, but not the ECDSA
one:

gpg: keyring `/tmp/tmp.ZgLckPobWs/secring.gpg' created
gpg: keyring `/tmp/tmp.ZgLckPobWs/pubring.gpg' created
gpg: key 54608E68: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: /tmp/tmp.ZgLckPobWs/trustdb.gpg: trustdb created
gpg: key 41420C38: public key "Asher Gordon " imported
gpg: Total number processed: 2
gpg:   w/o user IDs: 1
gpg:   imported: 1  (RSA: 1)

I would suggest updating Savannah's GnuPG since it is so old. I am still
able to upload the keys even though they don't pass the test, though.

Asher


Footnotes: 
[1]  https://savannah.nongnu.org/people/viewgpg.php?user_id=141542

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!




Re: [Savannah-users] Messed up CVS repository

2019-07-31 Thread Asher Gordon
Bob Proulx  writes:

> I know this might no longer be important to you now but I hate to
> leave things like this half done and so wanted to make it right
> regardless.

Yes, I am the same way, but I didn't want to bother you. :-)

> Asher Gordon wrote:
>> But I think I'll probably switch to git or something similar instead as
>> someone else suggested. So I guess I could just disable CVS and enable
>> git or similar and we can forget about the CVS repository?
>
> Yes.  Exactly so.
>
> Git is the more popular revision control system these days.  There is
> a lot of support for it.

I have done it. So far, git seems pretty cool.

Thanks for your help,
Asher

-- 
Reader, suppose you were an idiot.  And suppose you were a member of
Congress.  But I repeat myself.
-- Mark Twain




Re: [Savannah-users] Discussion of version control systems

2019-07-30 Thread Asher Gordon
Paul Smith  writes:

> So simply removing all files in a directory will cause the directory to
> no longer be created when you check out the commits where those files
> don't exist.

I see. That sounds good to me.

> It does mean that you can't add an empty directory to Git.  This is
> very rarely an issue.

And if I ever do run into that issue, I could always put a file .empty
or something in there. Or better, a README explaining the use of the
empty directory. But yes, I don't see any situation where I would need
that.

Thank you, Paul for your explanation and Marcus for your suggestion. I
think I will switch to git.

Asher

-- 
Steal this tagline.  I did.




[Savannah-users] Discussion of version control systems (was: Messed up CVS repository)

2019-07-30 Thread Asher Gordon
Hi Marcus,

Marcus Müller  writes:

> I hope I'm not stepping on anyone's toes here, but especially if
> you're new to CVS, it might be a good idea to learn one of the newer
> versioning tools instead. With git being the dominant species there,
> and it having "adapters" for things like CVS and svn, that's what I
> would recommend.

Thanks. I'll consider switching. I especially like that (if I understand
correctly) distributed version control systems like git allow you to
make commits even when you are not connected to the internet.

From the man pages git-mv(1) and git-rm(1), it looks like it is possible
to move files and directories and remove files. But it wasn't clear
whether or not you could remove directories. Do you know if this is
possible? It would be a nice feature to have in case I ever make this
mistake again. :-)

Best,
Asher

-- 
Reader, suppose you were an idiot.  And suppose you were a member of
Congress.  But I repeat myself.
-- Mark Twain




Re: [Savannah-users] Messed up CVS repository

2019-07-30 Thread Asher Gordon
Hello Bob,

Bob Proulx  writes:

> Since this is a new project that has only just recently been uploaded
> I see no reason not to correct things manually.  Normally I would
> suggest either writing to savannah-hackers-public and asking for
> assistance from there or filing a support ticket.  But I am reading
> your message here and can do it.

OK, good to know. Next time I'll do it like that.

> Please give your project a clean checkout and see if things are as you
> would like them to be.  If not let us know! :-)

The dead files are indeed gone, but the empty directories are still
there (in ViewVC and when you checkout without -P).

But I think I'll probably switch to git or something similar instead as
someone else suggested. So I guess I could just disable CVS and enable
git or similar and we can forget about the CVS repository?

Thank you for your help,
Asher

-- 
 well there ya go.  say something stupid in irc and have it
  immortalised forever in someone's .sig file




[Savannah-users] Messed up CVS repository

2019-07-29 Thread Asher Gordon
Hello,

I recently created a new project using CVS
(https://savannah.nongnu.org/projects/magic-square) and I accidentally
imported my entire directory tree including files which should not be
imported (i.e. compiled and automatically generated files). I removed
these files with "cvs remove", but if I understand correctly,
directories cannot be removed with CVS.

These directories (as well as all the unnecessary dead files) are
bothering me. Would it be possible to reset the CVS repository to its
initial state so I can start over and only import what I need?

Sorry for the inconvenience! I am still pretty new to CVS and version
control systems in general.

Also, just to be clear, it's the Sources repository, not the Web Pages
repository.

Thanks in advance,
Asher

P.S. I know you can use the -P option to prune empty directories, but
they are still in the repository and everyone who wanted to check out
the repository would have to use -P. The directories are also visible in
ViewVC.

-- 
A witty saying proves nothing, but saying something pointless gets
people's attention.




Re: [Savannah-users] Unable to add skill to job

2019-04-18 Thread Asher Gordon
Bob Proulx  writes:

> Yes.  In the threaded view those message ids are referred to by
> another message, yours in this case, and therefore the archive knows
> they exist but they are missing from the archive.  Those missing
> messages are my replies to you where my message was signed and was
> filtered out.  You have them in your mailbox because you had sent a
> direct reply to me and therefore I returned the action with a direct
> reply to you.  And because your message was signed my Mutt client
> replied with a signed message.  But they are missing from the archive
> due to the misconfiguration which filtered out content type parts that
> were not in the list of text type parts.

I see. Thanks for the clarification.

> I am surprised that gnus is not respecting the Mail-Followup-To
> header.  Since I am subscribed to the list I prefer to get replies
> there and set the header to direct replies there.  But that is a
> different problem.

Actually, it was respecting that header, but I did not realize what was
happening, so I thought it was just some strange feature and I added the
CC manually. Sorry about that! :P

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!




Re: [Savannah-users] Unable to add skill to job

2019-04-18 Thread Asher Gordon
Bob Proulx  writes:

> I think maybe I found the problem.  There was a filter enabled that
> deleted message parts that were not text/plain.  That's certainly not
> good.  I deleted that filter and will sign this message as a test.  If
> it goes through okay then that was the problem.  I have no idea why
> that filter was enabled.

Yes, your message seemed to work. Thanks for fixing it! There is also
one more strange thing: two of the messages in the archive show up as
"Message not available". Perhaps that was part of the filter problem?

Asher

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!




Re: [Savannah-users] Unable to add skill to job

2019-04-17 Thread Asher Gordon

Bob Proulx  writes:

> however I didn't see any other messages from you from any address and
> I can't find anything in the logs.  So I can't say anything specific
> about whatever previous message you sent.  From this end it looks like
> it didn't arrive.

I tried sending another message signed with PGP/MIME and I think you got
it, but it didn't seem to go to the mailing list.

> Using signed messages PGP or SMIME will not affect the process one way
> or the other.  It has no effect at all on the approval or denial.

I used Gnus to send the message, and I used C-c RET C-s
(mml-secure-message-sign) to sign it using PGP/MIME. For this message, I
used C-c RET s o (mml-secure-message-sign-pgp) to sign it using PGP. My
understanding is that there is inline PGP (which is what I'm using now),
PGP/MIME (which uses the message headers), and S/MIME. Inline PGP works,
but PGP/MIME doesn't seem to work. I haven't tried S/MIME, but I could
try that if it's helpful.

When I look at the raw messages, the one signed with plain PGP has a
header (along with others of course) which looks like this:

Content-Type: text/plain

The same header on the message signed with PGP/MIME looks like this:

Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha512; protocol="application/pgp-signature"

The message signed with PGP/MIME also has the following *below* the
=-=-= line:

Content-Type: text/plain

My guess is that Mailman sees the "multipart/signed" Content-Type header
and doesn't know how to handle that, so it just throws the message
away. Maybe I should report this as a bug to Mailman?

Asher

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
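The effect of a pass-list content filter on the two header layouts quoted in the message above, as an added example that is not part of the original post and is not Mailman's code. The filter is a simplified model; the addresses, sample messages and function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: PGP/MIME layout with the header values quoted in the post.
PGP_MIME = """\
From: user@example.org
To: list@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"

--=-=-=
Content-Type: text/plain

Hello list.
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

(placeholder, not a real signature)
--=-=-=--
"""

# Constructed sample: inline-signed message, a single text/plain part.
INLINE = """\
From: user@example.org
To: list@example.org
Subject: test
Content-Type: text/plain

Hello list. (an inline signature would follow in the body)
"""


def filter_message(raw, pass_types):
    """Model of a pass-list content filter (an assumption, not Mailman's code).

    Returns the content types of the leaf parts that survive, or None when
    the whole message is discarded.
    """
    return _filter(message_from_string(raw), set(pass_types))


def _filter(part, allowed):
    ctype = part.get_content_type()
    if ctype not in allowed:
        return None                 # this part (or the whole message) is dropped
    if not part.is_multipart():
        return [ctype]
    leaves = []
    for sub in part.get_payload():  # recurse into the container's sub-parts
        leaves.extend(_filter(sub, allowed) or [])
    return leaves or None           # a container with nothing left is dropped too


def pgp_mime_verifiable(leaves):
    """A PGP/MIME signature can only be checked if the signature part survived."""
    return leaves is not None and "application/pgp-signature" in leaves


if __name__ == "__main__":
    for allowed in (["text/plain"],
                    ["text/plain", "multipart/signed"],
                    ["text/plain", "multipart/signed", "application/pgp-signature"]):
        print(allowed, "->", filter_message(INLINE, allowed),
              filter_message(PGP_MIME, allowed))
```

Allowing the `multipart/signed` container without `application/pgp-signature` delivers the text but strips the detached signature, so both types need to be on the pass list for a signed post to arrive verifiable.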



Re: [Savannah-users] Unable to add skill to job

2019-04-17 Thread Asher Gordon

Ineiev  writes:

> Thank you, fixed; the problem was with Savannah PHP code.

It works now; thank you very much!

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!



[Savannah-users] Unable to add skill to job

2019-04-16 Thread Asher Gordon

Hello,

I attempted to send a message to the savannah-users mailing list, but it
didn't seem to work. I attached a signature using PGP/MIME, perhaps that
was the problem? Anyway, I'll use just PGP this time.

Here is the message I attempted to send:

My email address was formerly asd...@protonmail.ch, in case you were
wondering.

I added this job a few days ago:
https://savannah.nongnu.org/people/viewjob.php?group_id=11921&job_id=671
But I am not able to add a skill to it. I'm not sure what I'm doing
wrong. I selected the "Skill", "Level", and "Experience", but when I
click "Add Skill", it takes me to
https://savannah.nongnu.org/people/editjob.php and reports "Error: No
group chosen: nogroup".

I thought it could be a problem with my browser (I'm using Tor Browser),
but I tried with GNOME Web with the same result.

Thanks for your help,
Asher

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-05 Thread Asher Gordon
Bob Proulx wrote:
> I have one more task to complete before I can look at sshfs access.
> Sorry. Today moving the storage back-end for the vcs system from the
> old storage to the new storage. I must concentrate on it first. Then
> I will come back and look at user remote access to the download areas.

No problem. Take your time. Thanks again for your great work!

Asher



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-04 Thread Asher Gordon
Bob Proulx wrote:
> That's just normal.  Many projects enable all of the checkboxes which
> includes a download area but then never do anything with them.

I see. That makes sense. Also, I figured out how to copy symlinks and
remove files with rsync, but it's a bit inconvenient, and sshfs would
still be nice.

Asher



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-03 Thread Asher Gordon
Bob Proulx wrote:
> I have gained an understanding now. I know what needs to be done to
> solve the problem. At root cause I had broken one of the cron scripts
> in moving it from system to system. It wasn't updating a timestamp
> which caused a monitoring script in the redirector to think the mirror
> was out of sync when it was not. It needs to look not at the absolute
> age but the relative age however. The reference should be the
> upstream source, which is known to the redirector, not the time now.
> And there needs to be a fallback when there are no mirrors.

That's pretty complicated! I also noticed that many of the directories
in https://download.savannah.nongnu.org/releases/ are empty. Is that
part of the migration?

> I remember
> there being new restrictions on file deletion that didn't exist
> before. Therefore sshfs might just not be allowed through the command
> filter at this time.

That's too bad. Is it possible it will be in the future? Or if not, is
there another way to perform more complex tasks in directories than
simply uploading files? Specifically, I have in mind creating symlinks.
I don't believe that is possible with scp. It would also be nice to be
able to delete files in case I accidentally upload the wrong file or
something.

> As you might imagine it isn't allowed to run arbitrary commands.
> Therefore all of the ssh commands are filtered through an sv_membersh
> filter before being allowed through.

Couldn't sv_membersh allow commands like mv, cp, rm, ln, and whatever
sshfs and co. need, but make sure that they only operate on the project
directory? Does each Savannah user get his/her own user/group? If not,
I think that may be a good idea so you could run more commands, but
only under the unprivileged user account. Of course, you should probably
call the users something like sv-user-USER where USER is the Savannah
username, otherwise a user named "root" would be very problematic.

I hope my suggestions help.

Asher



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-03 Thread Asher Gordon
> I am getting pretty close to having the mirror problem understood. At
> the moment my brains are leaking out my ears from trying to get my
> mind wrapped around it.

Sounds painful! ;-)

I am now having problems with sftp and sshfs. See below:
  $ mkdir mnt
  $ sshfs asd...@dl.sv.nongnu.org:/releases/c2py mnt
  Enter passphrase for key '/home/asher/.ssh/id_rsa':
  remote host has disconnected
  $ sftp asd...@dl.sv.nongnu.org:/releases/c2py
  Enter passphrase for key '/home/asher/.ssh/id_rsa':
  Connection closed
(scp still works fine)

Are these also related to the same bug? It would be nice to use sshfs because I 
could easily manage the directory as if it were local.

Also, rsync works if I do not use `-a'. However, if I do use `-a', it gets 
stuck at "sending incremental file list" (you need `-v' to see the message). 
Hopefully this information will help you fix the bug(s).

Thank you very much for your great work on Savannah!


Asher



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-03 Thread Asher Gordon
Bob Proulx wrote:
> In the meantime I have created that directory for you. Asher you
> should be able to upload to it at this time. Please try it again and
> let us know if it is working for you or not.

It is working now. Thank you, Jan and Bob, for your help.

Asher



Re: [Savannah-users] Unable to upload release tarball to Download Area

2019-04-03 Thread Asher Gordon
> I have tried uploading using scp as described here: https://savannah.gnu.orI 
> have uploaded my SSH and GPG public keys.
> g/maintenance/DownloadArea/

It seems I accidentally pasted something in the middle of that URL. :P It was 
meant to read https://savannah.gnu.org/maintenance/DownloadArea/



[Savannah-users] Unable to upload release tarball to Download Area

2019-04-03 Thread Asher Gordon
Hello,

I'm very new to Savannah, and I recently added a new project, c2py 
https://savannah.nongnu.org/projects/c2py. I'm trying to upload a release 
tarball to the Download Area, but it is not working. The "Download Area" link 
on the project page links to https://savannah.nongnu.org/files/?group=c2py 
which redirects to https://download.savannah.nongnu.org/releases/c2py/ but that 
page is a 404.

I have tried uploading using scp as described here: https://savannah.gnu.orI 
have uploaded my SSH and GPG public keys.
g/maintenance/DownloadArea/

  scp c2py-0.0.1rc5.tar.gz asd...@dl.sv.nongnu.org:/releases/c2py/
  Enter passphrase for key '/home/asher/.ssh/id_rsa':
  scp: /releases/c2py/: Is a directory

The "Is a directory" message indicates (somewhat counter-intuitively) that 
/releases/c2py/ does not exist on the Savannah server. If I try uploading 
multiple files at once (my tarball and its signature), it prints a more 
intuitive message (since it expects the destination to be a directory with 
multiple sources), but still does not work:

  scp c2py-0.0.1rc5.tar.gz{,.sig} asd...@dl.sv.nongnu.org:/releases/c2py/
  Enter passphrase for key '/home/asher/.ssh/id_rsa':
  scp: /releases/c2py/: No such file or directory

Again, I'm a Savannah newbie, and I'm probably doing something obviously wrong.



Thanks for your help,
Asher



P.S. I have uploaded my SSH and GPG public keys to my account, if it helps.