martin's apport test stuff simple bug triaging
Hi all,

First of all it was really cool to see Martin Pitt making some tests for apport (really cool) and then asking/telling people to run them so he sees how things pan out in the real world.

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/122688/

an off-shoot of this which gave him some clues which led to :-

https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/74691

Now it's really cool that Martin made those tests even without finding the GNU debugger issue on i386 kernel. In fact I would love to do more tests like that as it helped him, makes me love apport even more :) (although it's his baby)

The other thing which I found is if I as a user give a call, then I'm open to simple bug confirmation, sometimes it pays off. For e.g. Jerome asked me to see if two games, slune and balazar, I'm able to launch, if not report them to the respective bug-reports (and gave bug report nos.) or file anew subscribing him. While this might be a one-off event but there are probably quite a few of these one-off events where one needs to download, install, launch or launch and do a couple of steps.

Typically when you ask people on the channel you are given something like this :-

https://bugs.launchpad.net/ubuntu/+bugs?field.searchtext=orderby=datecreatedsearch=Searchfield.status%3Alist=Newfield.status%3Alist=Confirmedfield.status%3Alist=In+Progressfield.status%3Alist=Incompletefield.status%3Alist=Fix+Committedfield.assignee=field.bug_reporter=field.omit_dupes=onfield.has_patch=field.has_no_package=start=4575

which makes most of users like me very afraid as we don't know which we will be capable of or not.

Although I might not have the right words or the right answer, here are a couple of things which I feel might make the procedure better/cool.

1. Have a filter by distribution and/or releases. So let's say I wanna have an overview of all bugs filed after gutsy tribe 1 onwards. Right now that's very hard to know, the filter should work while filing the bug so it makes it easier.
2. Perhaps have a gutsy-users or something like that on freenode so people can do simple bug triaging like I did with Jerome or something close to that so the guys can work on more confirmed bugs.

As always comments, suggestions, flames all are welcome.

--
Shirish Agarwal
This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/
065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Checksums Done Right
On Fri, Jun 29, 2007 at 05:04:14PM -0700, Scott Beardsley wrote:

> Most Ubuntu packages (95% - my estimate) come with MD5 checksums at the
> file level (in a file called md5sums in control.tar.gz). debsums uses
> these (well actually a cache stored in /var/lib/dpkg/info/*.md5sums) for
> doing a *rough* verification that what is installed matches what
> *should* be installed. This is great until md5 collision attacks[1] and
> kernel-based rootkits are used on your system (common these days).

Do you have any references to the use of md5 collision attacks being common? The Wang and Yu attack requires the binaries to be the same size and to differ only in very controlled ways. It's not difficult to construct examples of collisions, but I'm not aware of anyone demonstrating the ability to replace an arbitrary binary with a trojaned one with the same md5sum.

> We have been working on a to-be-open-sourced product we are calling
> Checksums Done Right (CDR). A colleague gave a talk last week that
> included some notes about CDR[2]. Basically we've processed the md5sums
> files in dapper, edgy, and feisty and dumped it into a database. When we
> update our mirror we update our database. The mirror seems like the best
> place to offer this type of verification service. We have used it to
> verify binaries on Xen installations by taking LVM snapshots of the
> virtualized machine and sending checksums to the mirror using ssh all
> from the dom0. Our tests show that we can verify a system installation
> (libraries, binaries, and kernel modules) of up to 12k files in around 4
> seconds. This theoretically scales to 5k full machine scans per mirror
> per day.

It's possible that I'm missing the point here, but what guarantees do you have that you can trust your Dom0?

--
Matthew Garrett | [EMAIL PROTECTED]
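Added example, not part of either message and not CDR's code: a sketch of file-level verification against a dpkg-style md5sums manifest (one `<md5>  <path relative to />` entry per line), reading the files from a separately mounted snapshot root rather than through the running system. The function names, the `root` argument and the sample files are assumptions constructed for illustration; a match only shows agreement with the manifest, so the manifest and the host doing the hashing both have to be trusted.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse md5sums content into {relative_path: lowercase_md5_hex}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        if len(digest) != 32:
            raise ValueError(f"bad digest length in line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError on non-hex characters
        entries[path.strip()] = digest.lower()
    return entries

def file_md5(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, entries):
    """Compare files under `root` (e.g. a read-only snapshot mount) with the manifest."""
    report = {"ok": [], "changed": [], "missing": []}
    for rel, expected in sorted(entries.items()):
        full = os.path.join(root, rel.lstrip("/"))  # keep lookups under root
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif file_md5(full) == expected:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
    return report

def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/good"), "wb") as f:
            f.write(b"original\n")
        with open(os.path.join(root, "usr/bin/bad"), "wb") as f:
            f.write(b"tampered\n")
        good = hashlib.md5(b"original\n").hexdigest()
        manifest = f"{good}  usr/bin/good\n{good}  usr/bin/bad\n{good}  usr/bin/gone\n"
        return verify_tree(root, parse_md5sums(manifest))

if __name__ == "__main__":
    print(demo())
```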
Re: MOTU meeting in 4 hours!
On 6/29/07, Sarah Hobbs [EMAIL PROTECTED] wrote:

> There's a MOTU[0] meeting in 4 hours. The agenda[1] has a tentative
> list of discussion topics.
>
> [0] https://wiki.ubuntu.com/MOTU
> [1] https://wiki.ubuntu.com/MOTU/Meetings
>
> Hope to see you there!

The minutes of this meeting are now available at https://wiki.ubuntu.com/MOTU/Meetings/2007-06-30.

--
Emmet HIKORY