[jira] [Comment Edited] (SLING-11317) Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed
[ https://issues.apache.org/jira/browse/SLING-11317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17540149#comment-17540149 ] Martin Schulze edited comment on SLING-11317 at 5/22/22 4:16 PM: - PR: https://github.com/apache/sling-org-apache-sling-rewriter/pull/7/files [~kwin] Would you have a look? was (Author: JIRAUSER282297): (Draft) PR: https://github.com/apache/sling-org-apache-sling-rewriter/pull/7/files > Rewriter configuration gets "lost" in ProcessorManagerImpl when package with > another configuration gets deployed > > > Key: SLING-11317 > URL: https://issues.apache.org/jira/browse/SLING-11317 > Project: Sling > Issue Type: Bug >Reporter: Martin Schulze >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major > happened with this class since this version) we have multiple rewriter > configurations and sometimes after a deployment of another package with a > rewriter configuration, a configurations is not triggered anymore and the > instance has to be restarted to get it working again. > I've tracked the issue down and found the issue lies in the > {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and > {{orderedProcessor}}, which are supposed to be mostly (inactive configs are > not in the {{orderedProcessors}}) "in sync", which is important because later > on there is an {{updateProcessor}} method [2], where the updated config has > to be found in the {{processors}} field, but they diverge from the start, in > the addProcessor [1] method, the added config never reaches the > {{processors}} field, because the newConfigs local variable never gets added > to the processors field. This lead to the issue, that in the updateProcessor > method, which gets triggered through the ResourceChangeListener, a > configuration gets wrongfully deleted [3]. > [0] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java > [1] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 > [2] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 > [3] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (SLING-11317) Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed
[ https://issues.apache.org/jira/browse/SLING-11317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17540149#comment-17540149 ] Martin Schulze commented on SLING-11317: (Draft) PR: https://github.com/apache/sling-org-apache-sling-rewriter/pull/7/files > Rewriter configuration gets "lost" in ProcessorManagerImpl when package with > another configuration gets deployed > > > Key: SLING-11317 > URL: https://issues.apache.org/jira/browse/SLING-11317 > Project: Sling > Issue Type: Bug >Reporter: Martin Schulze >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major > happened with this class since this version) we have multiple rewriter > configurations and sometimes after a deployment of another package with a > rewriter configuration, a configurations is not triggered anymore and the > instance has to be restarted to get it working again. > I've tracked the issue down and found the issue lies in the > {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and > {{orderedProcessor}}, which are supposed to be mostly (inactive configs are > not in the {{orderedProcessors}}) "in sync", which is important because later > on there is an {{updateProcessor}} method [2], where the updated config has > to be found in the {{processors}} field, but they diverge from the start, in > the addProcessor [1] method, the added config never reaches the > {{processors}} field, because the newConfigs local variable never gets added > to the processors field. This lead to the issue, that in the updateProcessor > method, which gets triggered through the ResourceChangeListener, a > configuration gets wrongfully deleted [3]. > [0] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java > [1] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 > [2] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 > [3] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (SLING-11317) Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed
[ https://issues.apache.org/jira/browse/SLING-11317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17536434#comment-17536434 ] Martin Schulze commented on SLING-11317: [~kwin] I will provide a PR. > Rewriter configuration gets "lost" in ProcessorManagerImpl when package with > another configuration gets deployed > > > Key: SLING-11317 > URL: https://issues.apache.org/jira/browse/SLING-11317 > Project: Sling > Issue Type: Bug >Reporter: Martin Schulze >Priority: Major > > On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major > happened with this class since this version) we have multiple rewriter > configurations and sometimes after a deployment of another package with a > rewriter configuration, a configurations is not triggered anymore and the > instance has to be restarted to get it working again. > I've tracked the issue down and found the issue lies in the > {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and > {{orderedProcessor}}, which are supposed to be mostly (inactive configs are > not in the {{orderedProcessors}}) "in sync", which is important because later > on there is an {{updateProcessor}} method [2], where the updated config has > to be found in the {{processors}} field, but they diverge from the start, in > the addProcessor [1] method, the added config never reaches the > {{processors}} field, because the newConfigs local variable never gets added > to the processors field. This lead to the issue, that in the updateProcessor > method, which gets triggered through the ResourceChangeListener, a > configuration gets wrongfully deleted [3]. > [0] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java > [1] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 > [2] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 > [3] > https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Updated] (SLING-11317) Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed
[ https://issues.apache.org/jira/browse/SLING-11317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Martin Schulze updated SLING-11317: --- Description: On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major happened with this class since this version) we have multiple rewriter configurations and sometimes after a deployment of another package with a rewriter configuration, a configurations is not triggered anymore and the instance has to be restarted to get it working again. I've tracked the issue down and found the issue lies in the {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and {{orderedProcessor}}, which are supposed to be mostly (inactive configs are not in the {{orderedProcessors}}) "in sync", which is important because later on there is an {{updateProcessor}} method [2], where the updated config has to be found in the {{processors}} field, but they diverge from the start, in the addProcessor [1] method, the added config never reaches the {{processors}} field, because the newConfigs local variable never gets added to the processors field. This lead to the issue, that in the updateProcessor method, which gets triggered through the ResourceChangeListener, a configuration gets wrongfully deleted [3]. [0] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java [1] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 [2] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 [3] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 was: On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major happened with this class since this version) we have multiple rewriter configurations and sometimes after a deployment of another package with a rewriter configuration, a configurations is not triggered anymore and the instance has to be restarted to get it working again. I've tracked the issue down and found the issue lies in the {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and {{orderedProcessor}}, which are supposed to be mostly (inactive configs are not in the {{orderedProcessors}}) "in sync", which is important because later on there is an {{updateProcessor}} method [2], where the updated config has to be found in the {{processors}} field, but they diverge from the start, in the addProcessor [1] method, the added config never reaches the {{processors}} field, because the newConfigs local variable never gets added to the processors field. This lead to the issue, that in the updateProcessor method, which gets triggered through the ResourceChangeListener, a configuration gets wrongfully deleted [3]. [0] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java [1] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 [2] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 [3] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 > Rewriter configuration gets "lost" in ProcessorManagerImpl when package with > another configuration gets deployed > > > Key: SLING-11317 > URL: https://issues.apache.org/jira/browse/SLING-11317 > Project: Sling > Issue Type: Bug >Reporter: Martin Schulze >Priority: Major > > On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major > happened with this class since this version) we have multiple rewriter > configurations and sometimes after a deployment of another package with a > rewriter configuration, a configurations is not triggered anymore and the > instance has to be restarted to get it working again. > I've tracked the issue down and found the issue lies in the > {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and > {{orderedProcessor}}, which are supposed to be mostly (inactive configs are > not in the {{orderedProcessors}}) "in sync", which is important because later > on there is an {{updateProcessor}} method [2], where the updated config has
[jira] [Created] (SLING-11317) Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed
Martin Schulze created SLING-11317: -- Summary: Rewriter configuration gets "lost" in ProcessorManagerImpl when package with another configuration gets deployed Key: SLING-11317 URL: https://issues.apache.org/jira/browse/SLING-11317 Project: Sling Issue Type: Bug Reporter: Martin Schulze On our AEM 6.5 instance (org.apache.sling.rewriter-1.2.2, but nothing major happened with this class since this version) we have multiple rewriter configurations and sometimes after a deployment of another package with a rewriter configuration, a configurations is not triggered anymore and the instance has to be restarted to get it working again. I've tracked the issue down and found the issue lies in the {{ProcessorManagerImpl}} [0]. There are two fields, {{processors}} and {{orderedProcessor}}, which are supposed to be mostly (inactive configs are not in the {{orderedProcessors}}) "in sync", which is important because later on there is an {{updateProcessor}} method [2], where the updated config has to be found in the {{processors}} field, but they diverge from the start, in the addProcessor [1] method, the added config never reaches the {{processors}} field, because the newConfigs local variable never gets added to the processors field. This lead to the issue, that in the updateProcessor method, which gets triggered through the ResourceChangeListener, a configuration gets wrongfully deleted [3]. [0] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java [1] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L240 [2] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L299 [3] https://github.com/apache/sling-org-apache-sling-rewriter/blob/master/src/main/java/org/apache/sling/rewriter/impl/ProcessorManagerImpl.java#L378 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Updated] (OAK-9653) Adding the index tag option interferes with regex properties, leads to return zero results
[ https://issues.apache.org/jira/browse/OAK-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Martin Schulze updated OAK-9653: Description: I've experienced this behavior und the following circumstances: * Query with an index tag option ("option (index tag x)") * The index the tag has an regex property with REGEX_ALL_PROPS What happens is that the resulting query to lucene, which can be inspected in [1] is: {noformat} +:ancestors:/test +:indexTag:x{noformat} So the {{:indexTag}} will be added to the Lucene index as a property, because {{:indexTag}} matches the regex, which can be inspected in [2] I've added a failing unit test for this in [0]. I've also tried to come around with a custom regex which excludes every node which starts with a colon ( regex: {{{}"^[^:\\/][^\\/]*$"{}}}). This leads to another problem where the index won't be selected (because the potential propery ":indexTag" does not matches the regex) and the query will traverse. [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] [2] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500] was: I've experienced this behavior und the following circumstances: * Query with an index tag option ("option (index tag x)") * The index the tag has an regex property with REGEX_ALL_PROPS What happens is that the resulting query to lucene, which can be inspected in [1] is: {noformat} +:ancestors:/test +:indexTag:x{noformat} So the {{:indexTag}} will be added to the Lucene index as a property, because {{:indexTag}} matches the regex, which can be inspected in [2] I've added a failing unit test for this in [0], where I just copied the \{{descendantTest}} and added the IndexTag I've also tried to come around with a custom regex which excludes every node which starts with a colon ( regex: {{{}"^[^:\\/][^\\/]*$"{}}}). This leads to another problem where the index won't be selected and the query will traverse. [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] [2] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500] > Adding the index tag option interferes with regex properties, leads to return > zero results > -- > > Key: OAK-9653 > URL: https://issues.apache.org/jira/browse/OAK-9653 > Project: Jackrabbit Oak > Issue Type: Bug > Components: indexing >Affects Versions: 1.40.0 >Reporter: Martin Schulze >Priority: Major > > I've experienced this behavior und the following circumstances: > * Query with an index tag option ("option (index tag x)") > * The index the tag has an regex property with REGEX_ALL_PROPS > What happens is that the resulting query to lucene, which can be inspected in > [1] is: > {noformat} > +:ancestors:/test +:indexTag:x{noformat} > So the {{:indexTag}} will be added to the Lucene index as a property, because > {{:indexTag}} matches the regex, which can be inspected in [2] > I've added a failing unit test for this in [0]. > I've also tried to come around with a custom regex which excludes every node > which starts with a colon ( regex: {{{}"^[^:\\/][^\\/]*$"{}}}). This leads to > another problem where the index won't be selected (because the potential > propery ":indexTag" does not matches the regex) and the query will traverse. > [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] > [1] > [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] > [2] > [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500] -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (OAK-9653) Adding the index tag option interferes with regex properties, leads to return zero results
[ https://issues.apache.org/jira/browse/OAK-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Martin Schulze updated OAK-9653: Description: I've experienced this behavior und the following circumstances: * Query with an index tag option ("option (index tag x)") * The index the tag has an regex property with REGEX_ALL_PROPS What happens is that the resulting query to lucene, which can be inspected in [1] is: {noformat} +:ancestors:/test +:indexTag:x{noformat} So the {{:indexTag}} will be added to the Lucene index as a property, because {{:indexTag}} matches the regex, which can be inspected in [2] I've added a failing unit test for this in [0], where I just copied the \{{descendantTest}} and added the IndexTag I've also tried to come around with a custom regex which excludes every node which starts with a colon ( regex: {{{}"^[^:\\/][^\\/]*$"{}}}). This leads to another problem where the index won't be selected and the query will traverse. [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] [2] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500] was: I've experienced this behavior und the following circumstances: * Query with an index tag option ("option (index tag x)") * The index the tag has an regex property with REGEX_ALL_PROPS What happens is that the resulting query to lucene, which can be inspected in [1] is: {noformat} +:ancestors:/test +:indexTag:x{noformat} So the \{{:indexTag}} will be added to the Lucene index as a property, because {{:indexTag}} matches the regex, which can be inspected in [2] I've added a failing unit test for this in [0]. I've also tried to come around with a custom regex which excludes every node which starts with a colon ( regex: {{"^[^:\\/][^\\/]*$"}}). This leads to another problem where the index won't be selected and the query will traverse. [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] [2] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500 > Adding the index tag option interferes with regex properties, leads to return > zero results > -- > > Key: OAK-9653 > URL: https://issues.apache.org/jira/browse/OAK-9653 > Project: Jackrabbit Oak > Issue Type: Bug > Components: indexing >Affects Versions: 1.40.0 >Reporter: Martin Schulze >Priority: Major > > I've experienced this behavior und the following circumstances: > * Query with an index tag option ("option (index tag x)") > * The index the tag has an regex property with REGEX_ALL_PROPS > What happens is that the resulting query to lucene, which can be inspected in > [1] is: > {noformat} > +:ancestors:/test +:indexTag:x{noformat} > So the {{:indexTag}} will be added to the Lucene index as a property, because > {{:indexTag}} matches the regex, which can be inspected in [2] > I've added a failing unit test for this in [0], where I just copied the > \{{descendantTest}} and added the IndexTag > I've also tried to come around with a custom regex which excludes every node > which starts with a colon ( regex: {{{}"^[^:\\/][^\\/]*$"{}}}). This leads to > another problem where the index won't be selected and the query will traverse. > [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] > [1] > [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] > [2] > [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500] -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (OAK-9653) Adding the index tag option interferes with regex properties, leads to return zero results
[ https://issues.apache.org/jira/browse/OAK-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Martin Schulze updated OAK-9653: Summary: Adding the index tag option interferes with regex properties, leads to return zero results (was: WIP: Adding the index tag option interferes with regex properties, leads to return zero results) > Adding the index tag option interferes with regex properties, leads to return > zero results > -- > > Key: OAK-9653 > URL: https://issues.apache.org/jira/browse/OAK-9653 > Project: Jackrabbit Oak > Issue Type: Bug > Components: indexing >Affects Versions: 1.40.0 > Reporter: Martin Schulze >Priority: Major > > I've experienced this behavior und the following circumstances: > * Query with an index tag option ("option (index tag x)") > * The index the tag has an regex property with REGEX_ALL_PROPS > What happens is that the resulting query to lucene, which can be inspected in > [1] is: > {noformat} > +:ancestors:/test +:indexTag:x{noformat} > So the \{{:indexTag}} will be added to the Lucene index as a property, > because {{:indexTag}} matches the regex, which can be inspected in [2] > I've added a failing unit test for this in [0]. > I've also tried to come around with a custom regex which excludes every node > which starts with a colon ( regex: {{"^[^:\\/][^\\/]*$"}}). This leads to > another problem where the index won't be selected and the query will traverse. > [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] > [1] > [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] > [2] > https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500 -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (OAK-9653) WIP: Adding the index tag option interferes with regex properties, leads to return zero results
Martin Schulze created OAK-9653: --- Summary: WIP: Adding the index tag option interferes with regex properties, leads to return zero results Key: OAK-9653 URL: https://issues.apache.org/jira/browse/OAK-9653 Project: Jackrabbit Oak Issue Type: Bug Components: indexing Affects Versions: 1.40.0 Reporter: Martin Schulze I've experienced this behavior und the following circumstances: * Query with an index tag option ("option (index tag x)") * The index the tag has an regex property with REGEX_ALL_PROPS What happens is that the resulting query to lucene, which can be inspected in [1] is: {noformat} +:ancestors:/test +:indexTag:x{noformat} So the \{{:indexTag}} will be added to the Lucene index as a property, because {{:indexTag}} matches the regex, which can be inspected in [2] I've added a failing unit test for this in [0]. I've also tried to come around with a custom regex which excludes every node which starts with a colon ( regex: {{"^[^:\\/][^\\/]*$"}}). This leads to another problem where the index won't be selected and the query will traverse. [0] [https://github.com/apache/jackrabbit-oak/pull/448/files] [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java#L340] [2] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-search/src/main/java/org/apache/jackrabbit/oak/plugins/index/search/IndexDefinition.java#L1500 -- This message was sent by Atlassian Jira (v8.20.1#820001)
[plasma-nm] [Bug 396530] New: [OpenVPN] Why not use the nmcli importer?
https://bugs.kde.org/show_bug.cgi?id=396530 Bug ID: 396530 Summary: [OpenVPN] Why not use the nmcli importer? Product: plasma-nm Version: unspecified Platform: Other OS: Linux Status: UNCONFIRMED Severity: normal Priority: NOR Component: general Assignee: jgrul...@redhat.com Reporter: martin.schu...@vireso.de Target Milestone: --- When importing an OpenVPN configuration file from the UI with TCP enabled, the resulting configuration differs from the one that is loaded via nmcli. Obviously, each project has its own parser, this is rather confusing. Why isn't the cli parser used as a backend for the GUI import as well? -- You are receiving this mail because: You are watching all bug changes.
D14130: Parse protocol in port option
martinschulze created this revision. Restricted Application added a project: Plasma. Restricted Application added a subscriber: plasma-devel. martinschulze requested review of this revision. REPOSITORY R116 Plasma Network Management Applet BRANCH feature/parse_protocol_flag REVISION DETAIL https://phabricator.kde.org/D14130 AFFECTED FILES vpn/openvpn/openvpn.cpp To: martinschulze Cc: plasma-devel, ragreen, Pitel, ZrenBot, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
Bug#284752: Seems fixed
Seems to be fixed in 1.13.5-1 and before. Regards Joey -- In the beginning was the word, and the word was content-type: text/plain Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#283839: Seems fixed
This problem seems to be fixed in 1.13.5-1 and the version before as well. Regards Joey -- In the beginning was the word, and the word was content-type: text/plain Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#773585: php-elisp: Wrong indention of function arguments in subsequent lines
Hi Ola! Ola Lundqvist wrote: Hi Please try drupal mode or any other of the variants. How? I think the command is enable-(mode name) In interactive mode M-x shows: Possible completions are: enable-command enable-flow-control enable-theme Regards Joey -- In the beginning was the word, and the word was content-type: text/plain Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Prospective Trusted Organizations - FFIS
martin f krafft wrote: 3. In § 10 Abs. 8 it is stated that the minutes of the members' meetings are to be made publicly available. Yet, the last set of minutes linked online² is from 2006. § 10 Abs. 2 states that such a meeting must take place once every two years. Where can I find the minutes for 2008, 2010, and 2012? The last members' meeting has been held in 2009. How did you handle re-elections and approval of the budget since then? Both, election and approval of past treasurer activities will be handled on the next member meeting, hopefully this year. Regards Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140618215558.gu15...@finlandia.home.infodrom.org
Re: Prospective Trusted Organizations - FFIS
martin f krafft wrote: I have one question about Joey's responses regarding FFIS: * The organization has decision-making processes that explicitely delegate decisions on Debian assets to the Debian Project Leader true. For completeness: where is this explicitly defined? Nowhere. ffis e.V. supports Free Software in general, a small number of Free Software projects in particular, and maintains close relationship to the projects they are supporting, be it via an auditor, project leader or via a contact person within the project. We also have to be very careful with incoming and outgoing money so that neither money nor the charity status is lost. I also have a few questions about the FFIS association, especially with regards to your bylaws.¹ I have already sent these questions to vorstand@ on 31 July and info@ on 9 April, but have not received a reply to date. 1. In § 7 Abs. 6 (of your minutes) it is stated that the board meets publicly and that such meetings are publicly announced; where are these announcements made? Is there a record? The board of directors currently has no such board meetings. They are held on demand when issues are due that require a dedicated board meeting. 2. In § 7 Abs. 7 it is stated that minutes of those meetings are made publicly available within two weeks of such meetings. I cannot find any such minutes online². Where should I look? Most communication within the board of directors is held via mail these days. Most if not all issues touch sensible issues, such as private communication with supported projects, donation issues that may cause problems etc. These cannot be made public. 3. In § 10 Abs. 8 it is stated that the minutes of the members' meetings are to be made publicly available. Yet, the last set of minutes linked online² is from 2006. § 10 Abs. 2 states that such a meeting must take place once every two years. Where can I find the minutes for 2008, 2010, and 2012? The last members' meeting has been held in 2009. Since then no changes have been made to the association. Minutes have been written and are available on the web server as well. However, not yet linked properly. That will be fixed. Thanks for the note. 4. Have there been exceptional/extraordinary meetings (cf. § 10 Abs. 3)? Could you please make the minutes public? There haven't. Regards Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140531191114.gt15...@finlandia.home.infodrom.org
Re: Prospective Trusted Organizations - FFIS
Lucas Nussbaum wrote: Hi Joey, On 11/03/14 at 11:58 +0100, Lucas Nussbaum wrote: == The organization should be reliable, sustainable, and reactive == * The organization has several people sharing the role of treasurer in order to react quickly to requests in all circumstances true. I was actually surprised by this: I've always thought that you were the only really active person behind FFIS. Could you elaborate a bit on FFIS' internal organization? I couldn't find that information on FFIS' website, but maybe I just missed something. ffis e.V. as an official association ('eingetragener Verein') has a board of directors ('Vorstand') consiting of at least three people. Currently we have six, see http://www.ffis.de/Verein/vorstand.html. I'm only the one who is answering your mails. :) Regards, Joey -- Unix is user friendly ... It's just picky about its friends. -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140325095928.gd...@finlandia.home.infodrom.org
[OpenRISC] Fwd: {DSL 1} Hosting and Infrastructure
Original-Nachricht Message-ID: 521a6970.3080...@gmail.com Date: Sun, 25 Aug 2013 22:30:40 +0200 From: Martin Schulze martin.s.schu...@gmail.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130803 Thunderbird/17.0.8 MIME-Version: 1.0 To: Openrisc openr...@lists.opencores.org Subject: {DSL 1} Hosting and Infrastructure X-Enigmail-Version: 1.5.2 OpenPGP: id=01EA0616 Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=KjaHngqIt6IMbWbdn6A1TlpTl4c35hJQU I am looking for a git repository, a place in a bug tracker and a static download location for documentation and an eclipse update site. I'm not sure if it's good to start a new project at opencores.org because a java/eclipse project doesn't fit the usual categories. signature.asc Description: OpenPGP digital signature ___ OpenRISC mailing list OpenRISC@lists.openrisc.net http://lists.openrisc.net/listinfo/openrisc
[OpenRISC] Fwd: {DSL - 0} Introduction
Forwarded to the other list. Sorry for that, next mails will be sent to both. Original-Nachricht Message-ID: 521a5d17.20...@gmail.com Date: Sun, 25 Aug 2013 21:37:59 +0200 From: Martin Schulze martin.s.schu...@gmail.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130803 Thunderbird/17.0.8 MIME-Version: 1.0 To: openr...@lists.opencores.org openr...@lists.opencores.org Subject: {DSL - 0} Introduction X-Enigmail-Version: 1.5.2 OpenPGP: id=01EA0616 Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=FVPjhBBXxKs9vePkeW6TMORN3I1Jqa580 Hi all, last year I asked for interest in a configuration language for the OpenRISC architecture and got a positive resonance. So I started the work on my bachelor thesis and was abled to develop a starting point. There is still a lot of work to do, but I hopefully be able to present a working eclipse plugin that can generate the wishbone and toplevel files as well as the quartus tcl scripts. At the moment I am not allowed to publish my thesis and source code. I have to wait for my final exam, but I want to ask some questions. I want to get into discussion with you and don't want to get confused, so I will split things up into some small mails and tag them. Here some details about me, just if someone is interested: I study technical information engineering at the Cologne University of Applied Sciences. I recently registered for the master course and am interested in open source SoPC development. This is the first part. Beware of spam. Best regards Martin signature.asc Description: OpenPGP digital signature ___ OpenRISC mailing list OpenRISC@lists.openrisc.net http://lists.openrisc.net/listinfo/openrisc
[OpenRISC] Fwd: {DSL 2} License
Original-Nachricht Message-ID: 521a6e1d.9090...@gmail.com Date: Sun, 25 Aug 2013 22:50:37 +0200 From: Martin Schulze martin.s.schu...@gmail.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130803 Thunderbird/17.0.8 MIME-Version: 1.0 To: Openrisc openr...@lists.opencores.org Subject: {DSL 2} License X-Enigmail-Version: 1.5.2 OpenPGP: id=01EA0616 Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=7eKmm55N7QFrxMmLXCu4MDwUkNEmX0EgP I'm not sure what's the best license, LGPL or Eclipse Public License. The latter could be more suitable for the eclipse ecosystem. Your oppinion? signature.asc Description: OpenPGP digital signature ___ OpenRISC mailing list OpenRISC@lists.openrisc.net http://lists.openrisc.net/listinfo/openrisc
[OpenRISC] {DSL 3} Registered Wishbone Buses
I stumbled over two implementations of the Wishbone Bus, one multiplexed and one registered. I wonder if the registered bus is used and if this distinction is important for different FPGA vendors or ASIC use. signature.asc Description: OpenPGP digital signature ___ OpenRISC mailing list OpenRISC@lists.openrisc.net http://lists.openrisc.net/listinfo/openrisc
Re: [TYPO3-german] Chinesisch als Sprache??
Hallo Peter, wir haben das mal für Landingpages umgesetzt. Mit spanisch, portugiesisch, russisch (kyrillisch) und chinesisch. TYPO3 4.5.22, utf-8. Die Texte wurden von uns entsprechend zum Übersetzungsbüro geliefert, also was ist title, h1, erster Absatz, Bildunterschrift, alt-tag, title-tag u.s.w. Die übersetztenTexte wurden vom Übersetzungsbüro als Textdokument zurückgeliefert und uns blieb noch per Copy-Paste alles einzufügen. Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 29.05.2013 09:20:31: Von: Peter Schäfer typo3.newsli...@online.de An: typo3-german@lists.typo3.org Datum: 29.05.2013 09:25 Betreff: [TYPO3-german] Chinesisch als Sprache?? Gesendet von: typo3-german-boun...@lists.typo3.org Hallo Liste, ich habe ein Projekt (TYPO3 4.5.14 - alles auf UTF-8) in dem schon jetzt folgende Sprachen einwandfrei laufen: Deutsch, Englisch, Spanisch und Russisch. Jetzt soll auch noch Chinesisch hinzu. Hat jemand von euch schon Erfahrungen damit? Gibt es dabei irgendwas besonderes zu beachten? Ich stell mir schon allein die Texteingabe ohne entsprechende Kenntnisse und Tastaturen ziemlich heikel vor. Obwohl das vermutlich ehr nicht mein Problem sein wird, da ich nicht übersetze ;-) Bin für jeden input dankbar... Danke und Gruß Peter ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Bannermanager
Hallo Gerhard, wir verwenden die EXT:macina_banners [1] mit TYPO3 4.5. Diese hat auch eine Doku [2] und min. die aufgezählten Funktionen. [1] http://typo3.org/extensions/repository/view/macina_banners [2] http://typo3.org/extension-manuals/macina_banners/1.5.3/view/ Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 11.01.2013 08:45:41: Von: Gerhard Obermayr des...@cgc.at An: German TYPO3 Userlist typo3-german@lists.typo3.org Datum: 11.01.2013 08:45 Betreff: [TYPO3-german] Bannermanager Gesendet von: typo3-german-boun...@lists.typo3.org Hallo Leute, ich verwende seit Jahren in diversen Projekten für Werbezwecke die Extension Webesse Banner Manager. Die letzte Version wurde von Luke Chiam vor 5 Jahren ins Netz gestellt und seither nicht mehr gewartet. An sich gut zu gebrauchen ist sie nun doch schon in die Jahre gekommen. Sie hat alle Funktionen, die man braucht - siehe der Banner auf Hauptplatz von Stadt Haag http://www.hauptplatz.stadthaag.at links unten. Start- Stopzeit, Verlinkung, Zähler etc. Leider ist sie aber mit den neueren Versionen von TYPO3 nicht mehr ganz kompatibel. Im BE werden jede Menge Fehlereinträge gemacht: Core: Error handler (FE): PHP : mysql(): This function is deprecated; use mysql_query() instead in /var/www/vhosts/hauptplatz.stadthaag.at/httpdocs/typo3conf/ext/ ws_banner/pi1/class.tx_wsbanner_pi1.php line 69 Core: Error handler (FE): PHP : mysql(): This function is deprecated; use mysql_query() instead in /var/www/vhosts/hauptplatz.stadthaag.at/httpdocs/typo3conf/ext/ ws_banner/pi1/class.tx_wsbanner_pi1.php line 36 Die Erweiterung sollte also einen neuen Schliff bekommen, aber das kann ich nicht. Und die Einträge nerven, denn die werden scheinbar bei jedem Zugriff gemacht ... Ich bin deshalb auf der Suche nach einer anderen Extension, die das gleiche macht. Aber bei den meisten auffindbaren Erweiterungen gibt es keine Beschreibung dazu und ich möchte nicht alle immer erst installieren und dann wieder löschen, wenn´s nichts ist ... Daher die Frage: Kann mir jemand gleiches oder ähnliches aber kompatibles empfehlen? Oder hat jemand den Webesse Banner Manager schon angepasst oder umgeschrieben, so dass keine Fehler geschrieben werden? -- Liebe Grüße aus Haag Gerhard Obermayr ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] OT: Kopiergeschwindigkeit
Hallo Matze, laut Wikipedia [1], [2] und Eigenangaben [3], [4] nein. 1und1 hauptsächlich in Karlsruhe, S4Y hauptsächlich in Straßburg [1] http://de.wikipedia.org/wiki/United_Internet [2] http://de.wikipedia.org/wiki/Server4you [3] http://www.1und1.de/UnternehmenRechenzentren [4] http://www.server4you.de/technik/high-speed-datacenter.php Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 30.10.2012 14:17:59: Von: Matze Hoppe mat.ho...@gmx.de An: typo3-german@lists.typo3.org Datum: 30.10.2012 14:20 Betreff: [TYPO3-german] OT: Kopiergeschwindigkeit Gesendet von: typo3-german-boun...@lists.typo3.org Hi, Öhmm, wie ist sowas möglich: Sonne:~ # scp -r /home/export.sql www.mond.de:/home/ Password: export.sql 100% 39MB 7.9MB/s 00:05 Stehen 1und1 und Server4You im selbem RZ? ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] indexed_search: Häufig gesuchte Begriffe?
Hallo Hendrik, schau Dir mal die EXT:np_indexed_search_stat [1] an. Ansonsten in der DB in den Tabellen die mit index_ anfangen. [1] http://typo3.org/extensions/repository/view/np_indexed_search_stat Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 30.10.2012 14:45:40: Von: Hendrik h.reim...@neonaut.de An: typo3-german@lists.typo3.org Datum: 30.10.2012 14:50 Betreff: [TYPO3-german] indexed_search: Häufig gesuchte Begriffe? Gesendet von: typo3-german-boun...@lists.typo3.org Hi, speichert indexed_search die Suchbegriffe so dass man herausfiltern könnte welche Begriffe am meisten gesucht werden (z.B. für eine Tag Cloud)? Danke Gruß Hendrik ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] CSV-Tabelle in FE-User-Liste importieren
Hallo Stefan, 1. Die csv-Datei so umbauen, wie es die Tabelle fe_users erwartet 2. Dann mit phpMyAdmin in die Tabelle importieren. Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 08.10.2012 15:26:37: Von: kont...@k2-potsdam.de An: typo3-german@lists.typo3.org Datum: 08.10.2012 16:02 Betreff: [TYPO3-german] CSV-Tabelle in FE-User-Liste importieren Gesendet von: typo3-german-boun...@lists.typo3.org Hallo zusammen, für ein Intranetprojekt sollen zahlreiche Frontenduser angelegt werden. Die Liste der Mitglieder (ca. 350) liegt mir als Tabelle im csv-Format vor. Gibt es eine Möglichkeit, diese Datensätze automatisiert als FE-User zu übernehmen, damit ich die nicht alle händisch abtippen/kopieren muss? Wenn ja - wie funktionierts? Habe sowas noch nie probiert. Herzliche Grüße, Stefan -- k² Potsdam kompetenz für kommunikation www.k2-potsdam.de kont...@k2-potsdam.de Tel. 0331/86 749 883 Funk 0172/514 3825 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Tagcloud-Extension
Hallo Manfred, Es würde mich mal interessieren, ob denn niemand tagclouds verwendet? Sonst müßte doch wenigstens mal ein Hinweis darauf kommen ob es geht oder eben nicht geht. Wir verwenden oft die ext: Cumulus Tagcloud. https://typo3.org/extensions/repository/view/t3m_cumulus_tagcloud/ Keywords und Verlinkung werden manuell gepflegt und das Ding läuft am Ende per Flash. Gruß Martin ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Tagcloud-Extension
Hallo Manfred, ginge das auch ohne Flash? Denn erstens hätte ich die Site gerne ohne Flash und zweitens will ich mich mit dem Flash Gedöns nicht auch noch beschäftigen. Da brauche ich ja wieder irgendwelche Tools für. Soweit ich weiß, gibt es die Extension nur so. Aber frag doch mal die Entwickler. Tools brauchten wir keine dafür. Außer Du meinst Flash-Plugins für Browser. Läuft aber dadurch auch nur auf Devices und/oder Browsern, die auch Flash verarbeiten. http://www.typo3-macher.de/?id=393 Gruß Martin ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Tagcloud-Extension
Hallo Björn, Und das Teil ist auch ohne TV gut im Template einzubinden? Damit komme ich nämlich (also der Anleitung) nicht so 100% klar. Und wie werden die Suchbegriffe pro Seite hinterlegt? Wir verwenden _kein_ TV. Die Cumulus-Tagcloud wird in der Seitenansicht als Plug-In eingefügt und konfiguriert. Keywords anlegen: Allgemein: Die Suchbegriffe könntest Du pro Page in je einem Sysordner anlegen und in den Plug-In-Einstellungen wählst Du dann den jeweiligen Sysordner aus. Speziell: Bestimmte Keywords sollen nur auf dieser Page erscheinen, dann kannst Du die Keywords in der Listenansicht auf dieser Page anlegen. Gruß Martin ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Tagcloud-Extension
Hallo Björn, Leider gefällt unserem Kunden die Extension nicht. Er wünscht sich eine andere TagCloud als die Flash-Variante. Gibt’s da tatsächlich nichts anderes? Ist hier [1] nichts dabei, was den Anforderungen entspricht? [1] https://typo3.org/extensions/repository/?id=23L=0q=tagcloud Gruß Martin %NOTRAILER% Boundary-Scan-Schnuppertag, 11.09.2012 AOI-Grundlagenseminar, 11. - 13.09.2012 electronica/productronica India 2012, 11. - 14.09.2012 Automotive Testing Expo China 2012, 18. - 20.09.2012 FED-Konferenz, 20. - 22.09.2012 Inspection Days 2012, 25. - 26.09.2012 Sitz der Gesellschaft: GÖPEL electronic GmbH, Göschwitzer Straße 58/60, D-07745 Jena Geschäftsführer: Holger Göpel, Manfred Schneider, Thomas Wenzel Registergericht: Amtsgericht Jena HR B 201550 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [Debconf-team] Transfering DC12 funds to Nicaragua
Gunnar Wolf wrote: Martin Schulze dijo [Wed, Jun 13, 2012 at 12:00:16AM +0200]: If that's a quote, then a quote should be sufficient. is that also fine if thats in spanish? Oh dear! Please ask them to issue it in English. We issue donation receipts, receipts etc. in English as well, so should a company in Nicaragua, no? As a Mexican, I can assure you it is quite hard you will get a quote in English, sorry. Specially from companies not used to have international interactions. if not, how official needs the translation to be? That's a good question... I usually think positive, thus, I assume (hope?) that people at the Finanzamt will accept a printout (or PDF) that consists of both the Spanish and German/English translation of text as appendix to the quote/invoice. Would a Spanish document + translation + signature of trust on the transaction by one or several of us Spanish speakers do? I hope so. That said, just do it. If it looks sane it should be ok. Regards, Joey -- The only stupid question is the unasked one. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Transfering DC12 funds to Nicaragua
Holger Levsen wrote: Hi Norman, On Freitag, 8. Juni 2012, Norman García Aguilar wrote: I would like to know what is the procedure in order to transfer DebConf12 money from SPI/FISS to Nicaragua. We are very close to DebConf12 and we need to pay some things. The payments we need to do are: [...] We have all the transfer information ready. We need to know who are the persons in charge and what is the procedure to make the request to SPI/FFIS. Thank you darst, I really don't know what is the procedure so that's why I'm asking, Acording to the budget: * The venue cost is 11,519.34USD, and we would like to pay 50%, which is 5,759.67. * The food cost is 15,675.00 USD, and we would need 50% before DebConf starts, which is 7837.00 * We need money to order bags and shirts, for those we have in our budget 3,600, we will need it all before DebConf. This give you a total of USD 17196.67. In FISS we have at this time EUR11247.69, with a exchange rate of 1.3 is USD14621.99, and we will need the USD3,558.25 we have in SPI at this time. All the money, as you may know, will go to ISIC, our legal representation here in Nicaragua for DebConf12. I'm not sure, or rather, I dont think, ffis can just transfer money to ISIC, without anything. So I'm cc:ing them. Indeed. That said, do you have invoices from the hotel, food, etc, that we can pass to ffis? That would be helpful. For such high sums the hotels should be able to issue invoices. Regards, Joey -- Every use of Linux is a proper use of Linux. -- Jon 'maddog' Hall ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Transfering DC12 funds to Nicaragua
Holger Levsen wrote: Hi, On Freitag, 8. Juni 2012, Norman García Aguilar wrote: We can give a quote from venue, food and t-shirt/bags, we will have the invoices once we pay. I think ffis needs the invoices _before_, or? Of course! Regards, Joey -- Every use of Linux is a proper use of Linux. -- Jon 'maddog' Hall ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Transfering DC12 funds to Nicaragua
Jimmy Kaplowitz wrote: On Fri, Jun 08, 2012 at 01:45:02PM -0600, Norman García Aguilar wrote: Nobody will give us invoices if we don't pay, at least UCA told us today that as a education entity (University) they doesn't have invoices, they will give us oficial receipt once we pay them, before that they can only give us a quote. And as I can remember, when I buy something, companies will give a receipt every time I make a payment and when I cancel the total amount then they give an invoice. So, we will not get an invoice if we don't pay, at least, we can give you quotes. I think the confusion here is merely terminology, for both SPI and FFIS. When you say quotes, do you mean something that means DebConf12 is obligated to pay .XX cordobas to us by June YY for the purpose of , even if there may be more payments in either direction later to finalize things? In that case, if you give each organization quotes, receipts, and invoices as they are available, it will probably meet all the requirements. Hopefully FFIS agrees - I certainly am less familiar with their needs than SPI's. If that's a quote, then a quote should be sufficient. Regards, Joey -- Every use of Linux is a proper use of Linux. -- Jon 'maddog' Hall ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Transfering DC12 funds to Nicaragua
Holger Levsen wrote: Hi, On Freitag, 8. Juni 2012, Martin Schulze wrote: I think ffis needs the invoices _before_, or? Of course! On Freitag, 8. Juni 2012, Norman García Aguilar wrote: Nobody will give us invoices if we don't pay, [...] So, we will not get an invoice if we don't pay, at least, we can give you quotes. And now? See the response from Jimmy and me. Regards, Joey -- Every use of Linux is a proper use of Linux. -- Jon 'maddog' Hall ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: Finding sponsors for Debian
Arno Töll wrote: as somebody who pushed $work to donate money to Debian (i.e. via FFIS), I always wondered about the financial merits of these donations. As much as I am involved to work within Debian, I have no clue what you used our money for. I am probably not literally interested what for you spent the money we donated, but I think sponsors would appreciate or be more interested to donate if they could see in a more popular advertisement what Debian spends money for (i.e. something more handsome than SPI board minutes) and possibly getting little thank you post cards or some merchandise (e.g. a coffee mug or a T-Shirt) as a symbolic acknowledgement of gratidude. Here are some hints: http://lists.debian.org/debian-announce/2010/msg4.html http://www.debian.org/News/2009/20090208 There are probably more if one searches more. Regards, Joey -- If nothing changes, everything will remain the same. -- Barne's Law -- To UNSUBSCRIBE, email to debian-vote-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120312213527.gi2...@finlandia.home.infodrom.org
Re: Finding sponsors for Debian
Arno Töll wrote: as somebody who pushed $work to donate money to Debian (i.e. via FFIS), I always wondered about the financial merits of these donations. As much as I am involved to work within Debian, I have no clue what you used our money for. I am probably not literally interested what for you spent the money we donated, but I think sponsors would appreciate or be more interested to donate if they could see in a more popular advertisement what Debian spends money for (i.e. something more handsome than SPI board minutes) and possibly getting little thank you post cards or some merchandise (e.g. a coffee mug or a T-Shirt) as a symbolic acknowledgement of gratidude. Here are some hints: http://lists.debian.org/debian-announce/2010/msg4.html http://www.debian.org/News/2009/20090208 There are probably more if one searches more. Regards, Joey -- If nothing changes, everything will remain the same. -- Barne's Law -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120312213527.gi2...@finlandia.home.infodrom.org
Bug#633038: sysklogd: /run transition: Please switch to /run/sendsigs.omit.d
Roger Leigh wrote: On Thu, Jul 07, 2011 at 11:36:57PM +0100, Roger Leigh wrote: Source: sysklogd Version: 1.5-6.1 Severity: important Your package is currently using/lib/init/rw/sendsigs.omit.d which is now deprecated and pending removal. Please update your package to use /run/sendsigs.omit.d with a versioned dependency on initscripts, as detailed below. Ping? Has any work been done on this? /lib/init/rw will be removed in the next two weeks. This requires your package to make this transition, since it's currently blocking the completion of the /run transition. Please upload a fixed package, or it will require an NMU. Priority raised. Thanks for the reminder. Regards, Joey -- Life is a lot easier when you have someone to share it with. -- Sean Perry -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: [TYPO3-german] TYPO3-Events als Kalender
Hallo Peter, habe letztens diesen Link [1] gelesen. [1] http://t3n.de/news/grosser-barcamp-uberblick-alle-un-konferenzen-255252/ Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 27.10.2011 09:03:09: Von: Peter Linzenkirchner li...@lisardo.de An: German TYPO3 Userlist typo3-german@lists.typo3.org Datum: 27.10.2011 09:03 Betreff: Re: [TYPO3-german] TYPO3-Events als Kalender Gesendet von: typo3-german-boun...@lists.typo3.org Hallo Basti, danke, aber die meine ich nicht :-) Ich suche nicht nach einer Extension, sondern einen echten - gepflegten Kalender - mit real existierenden TYPO3-Terminen. Nicht, um ihn in TYPO3 einzubauen, sondern um den Kalender zu konsultieren, wenn ich wissen will, wann der nächste TYPO3-Event in Deutschland ist. Faktisch also einen abonnierbaren Kalender oder eine ics-Datei, den ich in mein iCal importieren kann. Ich weiß, dass es da was gibt, weil ich das bis vor kurzem sogar in Gebrauch hatte. Leider ist mir der Link abhanden gekommen und ich weiß ihn nicht mehr. Vielleicht weiß ihn ja hier jemand. Danke, Peter Am 26.10.2011 um 23:56 schrieb Basti: die Ext heisst cal www.typo3-calendar.org/ grüße -- TYPO3 - TIPS - ANLEITUNGEN - NEWS unter: http://blog.ingeniumdesign.de/ TYPO3 Webdesign Agentur Wiesbaden - Frankfurt unter: http://www.ingeniumdesign.de/ Facebook Fan http://www.facebook.com/ingeniumdesign/ -- Am 26.10.2011 22:10, schrieb Peter Linzenkirchner: Hallo, ich hatte mal die URL zu einem TYPO3-Kalender mit allen TYPO3- Events in Deutschland. Leider weiß ich die nicht mehr - kann mir jemand auf die Sprünge helfen? Vielen Dank Peter -- Xing: http://www.xing.com/profile/Peter_Linzenkirchner Web: http://www.typo3-lisardo.de Facebook: http://tinyurl.com/lisardo-multimedia ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german -- Xing: http://www.xing.com/profile/Peter_Linzenkirchner Web: http://www.typo3-lisardo.de Facebook: http://tinyurl.com/lisardo-multimedia ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
[TYPO3-german] Antwort: Links von Ergebnisseite der indexed_search verweist immer auf Startseite
Hallo Rainer, in einer 4.4.10 hat mir [1] geholfen. [1] http://typo3-freelancer-berlin.de/typo3-blog/artikel/indexed-search-pagebrowser-funktioniert-nicht.html Gruß Martin typo3-german-boun...@lists.typo3.org schrieb am 14.09.2011 12:32:55: Von: Rainer Schleevoigt rai...@webmasterei-hamburg.de An: typo3-german@lists.typo3.org Datum: 14.09.2011 12:33 Betreff: [TYPO3-german] Links von Ergebnisseite der indexed_search verweist immer auf Startseite Gesendet von: typo3-german-boun...@lists.typo3.org Hallo, ist mir fast peinlich, aber der Titel sagt es schon. Hat einer/eine eine Idee? Gruß Rainer -- Dipl.-Ing. Rainer Schleevoigt Webmasterei Hamburg iPhone/Android Developer Certified TYPO3 Integrator 22303 Hamburg Novalisweg 10 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Antwort: Links von Ergebnisseite der indexed_search verweist immer auf Startseite
in einer 4.4.10 hat mir [1] geholfen. [1] http://typo3-freelancer-berlin.de/typo3-blog/artikel/indexed- search-pagebrowser-funktioniert-nicht.html Gruß Martin habe jetzt die id der Form von tx_indexedsearch auf indexedsearchform gesetzt – es bringt aber leider nichts. Die Suche klappt, auch die Links zu den Seiten, allerding sind die Links zu Paginierung falsch. In der Form: [alt] input type=hidden name=tx_indexedsearch[pointer] value=0 / [neu] input type=hidden name=tx_indexedsearch[pointer] id= tx_indexedsearch_pointer value=0 / %NOTRAILER% Automotive Testing Expo China: 14. - 16. September Inspection Days: 27. - 28. September in Jena Sitz der Gesellschaft: GÖPEL electronic GmbH, Göschwitzer Straße 58/60, D-07745 Jena Geschäftsführer: Holger Göpel, Manfred Schneider, Thomas Wenzel Registergericht: Amtsgericht Jena HR B 201550 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] Mehrere Domains in einer Typo3
Guten Morgen, Rs gibt eine EXT, die die Browsersprache ausliest und dann umschaltet. Name zZnicht parat. EXT rlmp_language_detection http://typo3.org/extensions/repository/view/rlmp_language_detection/current/ Gruß Martin Automotive Testing Expo China: 14. - 16. September Inspection Days: 27. - 28. September in Jena Sitz der Gesellschaft: GÖPEL electronic GmbH, Göschwitzer Straße 58/60, D-07745 Jena Geschäftsführer: Holger Göpel, Manfred Schneider, Thomas Wenzel Registergericht: Amtsgericht Jena HR B 201550 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] A/B-Test
Hallo Martin, schau Dir mal das Website-Optimierungstool von Google an, [1] und [2]. [1] http://www.google.com/support/websiteoptimizer/bin/static.py?page=guide.csguide=29619topic=29624 [2] https://www.google.com/analytics/siteopt Gruß, Martin typo3-german-boun...@lists.typo3.org schrieb am 07.09.2011 15:07:09: Von: Martin Holtz typo3ng_2...@martinholtz.de An: typo3-german@lists.typo3.org Datum: 07.09.2011 15:10 Betreff: [TYPO3-german] A/B-Test Gesendet von: typo3-german-boun...@lists.typo3.org Hi, hat jemand Erfahrungen damit, wie man sinnvoll A/B-Tests in TYPO3 einbindet? Ggf. sogar Hinweise bzgl. Multivarianter Analyse? Wenn nur Design Änderungen via CSS getestet würden, dann könnte man dieses via Cookie und Condition einfach lösen. Wenn aber jetzt auch Texte geändert werden sollen, dann fehlt mir da der Ansatz. Hat jemand eine Idee dazu? danke gruß, martin -- Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms http://wiki.typo3.org/Ts45min - TypoScript in 45 minutes http://wiki.typo3.org/De:ts45min - (auch in Deutsch) ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german Mit freundlichen Grüßen / Kind regards Martin Schulze Webdesign __ GÖPEL electronic GmbH Göschwitzer Straße 58/60 07745 Jena / Germany Tel.: +49-3641-6896-742 Fax: +49-3641-6896-944 E-Mail: m.schu...@goepel.com http://www.goepel.com AOI Grundlagenseminar: 6. - 8. September in Jena Automotive Testing Expo China: 14. - 16. September Inspection Days: 27. - 28. September in Jena Sitz der Gesellschaft: GÖPEL electronic GmbH, Göschwitzer Straße 58/60, D-07745 Jena Geschäftsführer: Holger Göpel, Manfred Schneider, Thomas Wenzel Registergericht: Amtsgericht Jena HR B 201550 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [Debconf-team] DebConf payments
Richard Darst wrote: Joey, Is FFIS capable of making direct bank transfers (to Bosnia and Herzegovina banks) to pay for some of our hotels? I had heard that FFIS might only able to do reimbursements, not the initial payments, but Holger was not sure so I thought I would check. The amount would be on the order of 1000??? and to two different bank accounts, from the DebConf earmark. We can provide invoices and all the documentation you need for tax purposes. Then this should be doable. Please try to get IBAN and SWIFT codes. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] DebConf payments
If the receipient can provide SWIFT/BIC and IBAN codes, we can easily pay the bill. We'd require the bill, of course. A preview of the bill sent via fax to +49 441 777884 before the paper version is sent to us would be helpful. If the contry is not part of swiftland the transfer will take a while and require some paperwork. We've recently done that to reimburse a person. For this, we'd require the exact bank name bank address bank number if possible account number account owner Stefano Zacchiroli wrote: On Wed, Jul 20, 2011 at 09:58:06AM -0400, Richard Darst wrote: Is FFIS capable of making direct bank transfers (to Bosnia and Herzegovina banks) to pay for some of our hotels? I had heard that FFIS might only able to do reimbursements, not the initial payments, but Holger was not sure so I thought I would check. While we are at it: I've the same questions for the French transportation company. In the plans, they will be invoicing me personally, I'll then pay them and ask for reimbursement to FFIS. But as we're talking of a bit less than 4'300 EUR, I'd very much prefer to have to pay out of my pocket (although I *could* do that if there is no other option). Please ask if they can invoice ffis e.V. directly. France is in SWIFT land, so paying would be easily doable via the online interface. I'd like to know if the above if possible in two different situations: 1) doing the direct payment assuming an invoice to FFIS is emitted; 2) doing the direct payment assuming an invoice to myself is emitted. I'd like to know both as I very much doubt that the French transportation company will be happy/able to emit an invoice to some non-French entity. This would be only possible for 1. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Bug#618680: [php-maint] Bug#618680: php-image-barcode: Uses depreciated methods
Hi! Tobias Frost wrote: Am Montag, den 18.07.2011, 12:14 +0200 schrieb Martin Schulze: Well, I only use the return-to-webbrowser feature Looking back, I can only quote the one who wrote the patch: See http://pear.php.net/bugs/bug.php?id=10594. However, looking at the code I have to assume that you are right. It should probably be... + return null; } else { +return $img; - $img = null; } + return $img; That looks a lot better to me. (the final return seems to be never reached btw.) Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#618680: [php-maint] Bug#618680: php-image-barcode: Uses depreciated methods
Hi! Tobias Frost wrote: --- alt/Barcode.php 2011-03-17 18:54:24.0 +0100 +++ barcode/Barcode.php 2011-03-17 17:23:02.0 +0100 @@ -77,7 +77,10 @@ return PEAR::raiseError(Unable to find draw method in '$classname' class); } -@$obj = new $classname(); +@$obj = new $classname(); $img = $obj-draw($text, $imgtype); @@ -107,8 +110,9 @@ break; } } else { -return $img; + $img = null; } + return $img; } } ? I wonder if you are aware that this patch effectively results in the function returning NULL when $bSendToBrowser is set to false (e.g. if the programmer would like to store the image into a file instead of sending it to the browser directly). Regards, Joey -- Unix is user friendly ... It's just picky about its friends. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Upcoming Squeeze point release 6.0.2
Alexander Reichle-Schmehl wrote: Hi! Am 09.06.2011 00:09, schrieb Philipp Kern: the second Squeeze point release (6.0.2) is now scheduled for Saturday, June 25th. Bad timing; Meike and I will not be available on that weekend. Joey, are you available? Yep. I'm available that weekend. Regards, Joey -- Linux - the choice of a GNU generation. -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110613173058.gz27...@finlandia.home.infodrom.org
[Ltsp-discuss] ltsp -default xsession
Hi, I am a teacher at a secondary school in Germany and I am responsible for the IT. I just set up an edubuntu (11.04) with LTSP to test if this would be an alternative to the existing infrastructure. So the first impression is awesome, nearly everything works out of the box - authentication using an existing LDAP database, mounting of of the home directories ... great. But there is a little problem: In our test environment we have low end thin client hardware and the default session is unity. Installing LXDE on the server works fine and now I have the choice to start LXDE or unity - on the server and on the clients. For the daily use by the students I would like to set LXDE as default. I tried to adjust the lts.conf file but nothing changed. Best regards Martin -- __ Martin Schulze Bitte senden Sie mir keine Word- oder PowerPoint-Anhänge. http://www.gnu.org/philosophy/no-word-attachments.de.html http://www.fsf.org/campaigns/opendocument http://de.windows7sins.org smime.p7s Description: S/MIME Cryptographic Signature -- EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev_ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
Re: [Debconf-team] DebConf invoicing / account setup
Hi! Richard Darst wrote: I'm working to get DebConf all set up. Can I have access to the DebConf11 earmark once it is set up? Holger will reply to this stating what access I should have (view access is the main thing I would like). I've never used the FFIS interface before, so let me know what you need to get set up, and any other instructions (my pgp id is 0xBD356740). Account created. I'll send you details in a private mail. This year, I'll also be involved in sending you sponsor invoices. Would you like all invoices to go only through me? How does this usually work? After someone send you contact information, do you send the invoices directly to the sponsor, or back to us to distribute to the sponsor? It's best to know beforehand who should be authorised. This can be a list of persons and doesn't need to be limited to only one person. For sending invoices we'll need the invoice data (name, address, sum, subject). We'll then create the invoices. We'll need to negotiate whether to send the invoice on paper or as PDF file, and if we send them to the attendee/sponsor or if he hand over the invoices to you. Both is fine with us and we've done both for different events already. For companies located in Germany it may also be of interest to receive a donation receipt after donating money. It is invoice XOR donation receipt. Regards, Joey -- The only stupid question is the unasked one. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] DebConf11 earmark at FFIS
Richard Darst wrote: Joey (or FFIS treasurer), We are starting the DebConf11 process, and I was wondering if we could get a DebConf11 earmark created at FFIS? Also, could I get access to view the DebConf11 earmark? Holger can reply to this vouching for both creation and my view access... Sure. Who shall get access to the account and who should be authorized to acknowledge payments and reimbursements? Regards, Joey -- Experience is something you don't get until just after you need it. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] DebConf11 earmark at FFIS
Holger Levsen wrote: Hi Joey the other people at ffis! On Mittwoch, 13. April 2011, Richard Darst wrote: We are starting the DebConf11 process, and I was wondering if we could get a DebConf11 earmark created at FFIS? Also, could I get access to view the DebConf11 earmark? Holger can reply to this vouching for both creation and my view access... Yup, he's right. Also we would like to have lea...@debian.org to have access (plus the Debian auditor, if there is one. AIUI currently there is none.) Done for zack and luk. If possible, we would like to have a DebConfX earmark created each year, where This is easy. the usual DebConf people plus the DPL/auditor have access. The creation should For this we may need a reminder. be done 2-6 months in advance, when we needed. Each year, this earmark should also be deleted (on request by us, approx. 2 months after the conf ended) and the money moved to the regular Debian account. That's fine. (Hopefully soon, I'll let you know what to do with the remaining DebConf10 earmark.) Please merge it with the Debian earmark/account now. If we have any other expenses to do, we will have to ask the DPL to authorize these spendings. Closing the earmark now will allow us to finally finish DC10 :) Done. Grüße, Joey -- Experience is something you don't get until just after you need it. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Fwd: Deutsche Debian-Webseite : Koordinatoren und Sachbearbeiter]
Martin Eberhard Schauer wrote: Hallo, Helge hat ganz richtig bemerkt, dass die unten Erwähnten am besten wissen, wie es um Ihre aktuelle Mitwirkung bei der Übersetzung der Webseiten steht. Von Holger weiß ich, was er tut (zumindest im Rahmen seiner Beteiligung an debian-l10n-german). Martin ## Beim Entwurf einer Mail an debian-i18n bin ich auf zwei Stellen gestoßen, die mir auf den ersten Blick widersprüchlich erscheinen. http://www.debian.org/intl/German/#website Übersetzungskoordinator(en): Frank Lichtenheld dj...@debian.org Martin Schulze j...@debian.org http://www.debian.org/intl/German/credits_website Aktuelle Übersetzungsarbeit: * Gerfried Fuchs Gerfried sollte aktuelle eher anstatt meiner auch bei den Koordinatoren aufgefuehrt werden. Grüße, Joey -- Ten years and still binary compatible. -- XFree86 -- To UNSUBSCRIBE, email to debian-l10n-german-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110412201256.gp21...@finlandia.home.infodrom.org
[SECURITY] [DSA 2206-1] New mahara packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2206-1secur...@debian.org http://www.debian.org/security/ Martin Schulze March 29th, 2011http://www.debian.org/security/faq - -- Package: mahara Vulnerability : several CVE IDs: CVE-2011-0439 CVE-2011-0440 Debian-specific: no Two security vulnerabilities have been discovered in Mahara, a fully featured electronic portfolio, weblog, resume builder and social networking system: CVE-2011-0439 A security review commissioned by a Mahara user discovered that Mahara processes unsanitized input which can lead to cross-site scripting (XSS). CVE-2011-0440 Mahara Developers discovered that Mahara doesn't check the session key under certain circumstances which can be exploited as cross-site request forgery (CSRF) and can lead to the deletion of blogs. For the old stable distribution (lenny) these problems have been fixed in version 1.0.4-4+lenny8. For the stable distribution (squeeze) these problems have been fixed in version 1.2.6-2+squeeze1. For the unstable distribution (sid) these problems have been fixed in version 1.2.7. We recommend that you upgrade your mahara package. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: [18]http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFNklbuW5ql+IAeqTIRAhZRAJ0cCEjrrHQLSCpRkSFmzaPxIQTSYACgkbgO Q39fgM7gZJVNSLXVFU2k2wA= =io3e -END PGP SIGNATURE-
[Full-disclosure] [SECURITY] [DSA 2206-1] New mahara packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2206-1secur...@debian.org http://www.debian.org/security/ Martin Schulze March 29th, 2011http://www.debian.org/security/faq - -- Package: mahara Vulnerability : several CVE IDs: CVE-2011-0439 CVE-2011-0440 Debian-specific: no Two security vulnerabilities have been discovered in Mahara, a fully featured electronic portfolio, weblog, resume builder and social networking system: CVE-2011-0439 A security review commissioned by a Mahara user discovered that Mahara processes unsanitized input which can lead to cross-site scripting (XSS). CVE-2011-0440 Mahara Developers discovered that Mahara doesn't check the session key under certain circumstances which can be exploited as cross-site request forgery (CSRF) and can lead to the deletion of blogs. For the old stable distribution (lenny) these problems have been fixed in version 1.0.4-4+lenny8. For the stable distribution (squeeze) these problems have been fixed in version 1.2.6-2+squeeze1. For the unstable distribution (sid) these problems have been fixed in version 1.2.7. We recommend that you upgrade your mahara package. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: [18]http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFNklbuW5ql+IAeqTIRAhZRAJ0cCEjrrHQLSCpRkSFmzaPxIQTSYACgkbgO Q39fgM7gZJVNSLXVFU2k2wA= =io3e -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Secure-testing-commits] r16453 - data/CVE
Author: joey Date: 2011-03-29 22:14:36 + (Tue, 29 Mar 2011) New Revision: 16453 Modified: data/CVE/list Log: [DSA 2206-1] New mahara packages fix several vulnerabilities Modified: data/CVE/list === --- data/CVE/list 2011-03-29 21:15:26 UTC (rev 16452) +++ data/CVE/list 2011-03-29 22:14:36 UTC (rev 16453) @@ -3052,8 +3052,10 @@ - php5 5.3.6-1 (bug #618489) NOTE: Debian-specific CVE-2011-0440 (Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before ...) + {DSA-2206-1} - mahara 1.2.7-1 CVE-2011-0439 (Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 ...) + {DSA-2206-1} - mahara 1.2.7-1 CVE-2011-0438 (nslcd/pam.c in nss-pam-ldapd 0.8.0 PAM module returns a success code ...) - nss-pam-ldapd not-affected (Only affects 0.8.0, which was only uploaded to experimental) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
Re: [Debconf-team] Extra money we forgot we had
Richard Darst wrote: On Thu, Feb 17, 2011 at 01:19:57AM +0100, Martin Schulze wrote: No. You (leader@, auditor@) will need to do this on their own. If you want to keep track of the money separately, you'd better keep it marked Debconfn and give leader@, auditor@ authority over it as well. That is what I thought, and why I asked. Of course, the way to keep balances separate is to put them is separate accounts. It seems that with regards to Zack the question is rather if money should be tracked separately - as it has been in the past. Thus, I encourage you all to think about how the DebConf share of Debian money will be tracked. My first reaction is I don't want to be the one doing it. I was going to try to make better money management my goal this year, but if the safest tool for it is taken away, I'm not sure if I want to be the one attempting this anymore. You can always open your favourite spreasheet (sc, lscs, ocalc, gnumeric etc.) and track incoming and outgoing money. That's how we did this in the past before organisations like ffis were able to earmark money and provide a digital view to the money. How do you all imagine the DebConf/Debian money separation would work if accounts are merged? It seems that for Zack there should be no separation at all. Maybe you all should first discuss whether Debian and Debconf money should be tracked differently or whether Debian organises Debconf donations for Debconf are just donations for Debian. Stefano Zacchiroli wrote: The basic principle which is at stake here is that DebConf/Debian money should *not* be separated. There are two reasons for that: 1) sponsors donate money to DebConf because it's the Debian conference; 2) in past years Debian has poured into DebConf something like 70'000$ (very approximate number, reconstructed by others in the past on this list), if you want a sharp distinction, one might imagine Debian claiming back that money, which would be very unpleasant for everybody. At least a large part of it could be moved back to Debian... Getting back to your question, I believe that DebConf should be an event which, in an *amortized* way, costs no money. To cover up for the years in which the costs are higher than raised money, Debian money should be used as a bank for DebConf organization. To me this sounds more like it would would be helpful for you all if the money would continue to be earmarked differently in the future but that the Debian project leader and accountant should get a view to that money as well. In case that the conference doesn't end up with a sum of zero surplus money would be moved to the Debian pool. I case of a negative sum the leader approves to move money from the Debian pool to the conference pool. Keeping track of the cost year after year is up to the conference budget, which already exists and should allow everybody (including people outside Debian, for transparency) to see the income/outcome money year after year. Considering all this, I fail to see why merging accounts *at FFIS* makes thing any worse. It seems to me that it'll be easier for you to keep the accounts separate. The problem that you (leader@) doesn't have an overview on what's going on at the conference part can be solved quite easily by extending your account. There's one more thing that might help you in this discussion. Let's assume the accounts are merged. How do the Debconf organisers get to know the actual balance and can track incoming money? Either they get a view over the entire Debian money as well, or they query leader@ or auditor@ . Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Stefano Zacchiroli wrote: to know the actual total amount of reserves would need to check two accounts instead of one. Maybe it's easier to write this as relation like in databases: account/login 1 n earmarks for money The auditors account is totally separate from your account. Both can view some projects. They can be the same, but the could be different, they could also be several of which some are shared. I've made a poor choice of words above. account was not meant to be a synonym of login, but rather account in the bank sense, as in savings account. So what I meant above was that it would be handier if we could see the total amount of savings in a single table, instead of having to check 2 distinct tables and sum up money. Maybe I don't understand this in detail as (a) there is only one bank account for ffis used for donations, and that if your account is able to view both the Debian and the Debconf earmarking you do get one overview table with the sum of both earmarks and a total sum. To me this sounds exactly like what you are looking for. ... as I wrote, maybe I don't really understand the discussion. Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: Erste übersetze Webseiten gehen bald offline - Schreibzugriff auf webwml?
Holger Wansing wrote: Hallo, Holger Wansing li...@wansing-online.de wrote: Helge Kreutzmann deb...@helgefjell.de wrote: Da es derzeit keinen wirklich aktiven Übersetzer der Debian-Website gibt, d.h. keinen der gezielt diese Änderungen nachvollzieht, werden wahrscheinlich bald die ersten übersetzen deutschen Seiten verschwinden. ich beabsichtige, mich in Zukunft um diese Baustelle kümmern. Ich würde es begrüßen, direkt mit eigenem Schreibzugriff auf das CVS zu starten, weil: [...] Ich werde daher für webwml auf Alioth ein Beitrittsgesuch stellen. Entsuchuldige die Verzoegerung, ich habe Dich jetzt zum Projekt hinzugefuegt. Du muesstest jetzt lesenden und schreibenden Zugriff auf das Repository der Webseiten haben. Grüße, Joey -- MIME - broken solution for a broken design. -- Ralf Baechle -- To UNSUBSCRIBE, email to debian-l10n-german-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110224142634.gt2...@finlandia.home.infodrom.org
Re: [Debconf-team] Extra money we forgot we had
Hi! Stefano Zacchiroli wrote: On Fri, Feb 18, 2011 at 06:28:38PM +0100, Martin Schulze wrote: To me this sounds more like it would would be helpful for you all if the money would continue to be earmarked differently in the future but that the Debian project leader and accountant should get a view to that money as well. AFAIK, this is what is already happening on the other side of the ocean (i.e. at SPI): money are all together, with specific DebConf earmark. I presume DebConf people could know the earmark by asking the SPI treasurer. The anomaly of the present situation at FFIS is to have 2 separate accounts, instead of the earmarking. No. We do have earmarkings, otherwise you won't be able to see anything. It's just that the leader account is limited to Debian and Holger's account is limited to Debconf. Maybe all you want to have is that the Debian project leader and accountant should get a view to that money as well. I already wrote that it's no problem to enrich the leader account with Debconf information. Note that the problem of two separate accounts is not only of visibility (although that is the most pressing one). The other problem is that I still consider that in case of some emergency---say $n servers failing tomorrow at the same time---Debian should be able to use DebConf money to buy back those servers, without having to wait for the authorization of the liaisons people for the DebConf account (which are not the same liaisons people for the Debian account). That's a political question you (DPL and Debconf orga) need to solve, nothing that can be solved technically. Current SPI setting allows for that, while current FFIS setting (i.e. the split) does not. Obviously, I hope something like the above will *never* happen, but that doesn't mean we shouldn't be worried about similar scenarios. Sorry, but... Why didn't you just ask? The same is possible here as well - as I've outlined several days ago as well. So, is this all? Then all Debconf people need to do is (a) decide that leader@ and auditor@ should be able to view Debconf money as well - AND - (b) authorise leader@ for payments. Signed mails are welcome. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Stefano Zacchiroli wrote: Current SPI setting allows for that, while current FFIS setting (i.e. the split) does not. Obviously, I hope something like the above will *never* happen, but that doesn't mean we shouldn't be worried about similar scenarios. Sorry, but... Why didn't you just ask? The same is possible here as well - as I've outlined several days ago as well. Same reason as above: it shouldn't be me asking for that. That's rediculous. If you would like to have access and view, you should ask. We cannot process your request unless the Debconf people agree, though, howver putting them in Cc will give them a chance to agree and disagree. Two of them have agreed already if I remember correctly. So, is this all? Then all Debconf people need to do is (a) decide that leader@ and auditor@ should be able to view Debconf money as well - AND - (b) authorise leader@ for payments. That would solve the problems outlined in this thread, but it would still be worse than the merge, for a very simple reason: either me or the auditors, to know the actual total amount of reserves would need to check two accounts instead of one. It's clearly doable, but it's also clearly less handy than the merge situation. Nope. Maybe it's easier to write this as relation like in databases: account/login 1 n earmarks for money The auditors account is totally separate from your account. Both can view some projects. They can be the same, but the could be different, they could also be several of which some are shared. Additionally, keeping the separation will further the feeling in the community that DebConf and Debian are two separate entities, while they That's up to you. You don't need to tell the community that you're tracking money separately. You also don't need to try to get an even sum after each Debconf, however you wrote earlier that you would like this. Seems you are separating money already. All in all, I observe we're now re-discussing things from scratch---starting from Richard's mail---while at the beginning of this thread it seemed to me we agreed in going ahead with the merge. I'm sorry. I hope that I don't add more confusion. I'm only trying to help and offer possibilities and answer questions if somebody asks. Additionally, it occurs to me that you're discussing things that can be solved much easier than you think - or I'm unable to parse some of the mails. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Clint Adams wrote: On Fri, Feb 18, 2011 at 09:47:50PM +0100, Stefano Zacchiroli wrote: That would solve the problems outlined in this thread, but it would still be worse than the merge, for a very simple reason: either me or the auditors, to know the actual total amount of reserves would need to check two accounts instead of one. It's clearly doable, but it's also clearly less handy than the merge situation. Is there a technical difference in the process of FFIS merging the accounts versus the DPL assuming control of both accounts, authorizing all the funds in the DebConf account to be transferred to the Debian account, and then closing the DebConf account afterwards? Yes. A lot. The difference is between: UPDATE account_details SET earmark = 'Debian' WHERE earmark = 'Debconf'; DELETE FROM account_authority WHERE earmark = 'Debconf'; DELETE FROM account_views WHERE earmark = 'Debconf'; versus INSERT INTO account_authority (earmark,name) ('Debconf','Zack'); If there is, are there any legal implications to either option? None. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Holger Levsen wrote: Hi, On Samstag, 12. Februar 2011, Stefano Zacchiroli wrote: So, if this is consensus (as I believe), it looks like the proper solution of merging DebConf FFIS account into the Debian one is just at hand. I'd like to receive comments on this. I agree and the comments below assume we have consensus on this :-) On FFIS side, I guess there is a single liaison person who is authorized to take decision on the DebConf account, is that you Holger? There were three people, Michael Schultheiss, Jörg Jaspert and me. Since this is a general decision, I assume that Ganneff and Michael are fine with joining the money? If yes, and unless there are objections, please ask FFIS to do the merge (noting down the DebConf earmark, which might come handy for future DebConf budgets). Ok, will do so in seven days to give people time to object. On Freitag, 11. Februar 2011, Martin Schulze wrote: No problem from our side. Thank you Joey and everybody at ffis e.V. for supporting us so well for so long! There are two options you may want to discuss further: (a) move Debconf10 money to Debian account or (b) keep Debconf10 money where it is and add permission to view it for leader@d.o and auditor@d.o (same for upcoming Debconfs) I'll keep my hands off until your decision. Regards, Joey -- Debian automatically detects USB sticks. This is so non-Debian. -- Joey ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Hi Richard! Richard Darst wrote: On Tue, Feb 15, 2011 at 12:32:39PM +0100, Martin Schulze wrote: There are two options you may want to discuss further: (a) move Debconf10 money to Debian account If you did this, could you keep track of the money which was raised/spend for DebConf separately from the other Debian money? I think this would be one of the keys for DebConf accountability. No. You (leader@, auditor@) will need to do this on their own. If you want to keep track of the money separately, you'd better keep it marked Debconfn and give leader@, auditor@ authority over it as well. Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror. ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
Re: [Debconf-team] Extra money we forgot we had
Holger Levsen wrote: Hi, Joey, please comment on this, what options do you see for us? On Freitag, 11. Februar 2011, Stefano Zacchiroli wrote: No, I cannot see *debconf* money at FFIS and that is the main problem I'm trying to solve. The same is true for auditors, which make the problem even worse. At the very minimum, I want read access to that money for me and the auditors. In the past Debconf organisators were different than the Debian project and thus money is not shared per default. If it is fine for Debconf people, you can get a view to that part as well with regards to ffis e.V. The same applies for the current Debian auditor. Moreover, as DPL, I'd like also to have write access to those money, just in case something bad happen and I need to pay something on those money. That's something you'll have to sort out with the Debconf people. All that considered, I would prefer if we can simply move those money to the regular Debian FFIS account and get rid of the DebConf-specific account at FFIS. I see no point in having those two separate. I agree. (Especially as we want to get rid of the (perceived) seperation between DebConf and Debian.) No problem from our side. Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier ___ Debconf-team mailing list Debconf-team@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-team
[SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2151-1secur...@debian.org http://www.debian.org/security/ Martin Schulze January 26th, 2011 http://www.debian.org/security/faq - -- Package: openoffice.org Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 Several security related problems have been discovered in the OpenOffice.org package that allows malformed documents to trick the system into crashes or even the execution of arbitrary code. CVE-2010-3450 During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to local user or, potentially, execute arbitrary code. CVE-2010-3451 During his work as a consultant at Virtual Security Research (VSR), Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can caus an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code. CVE-2010-3452 Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file. CVE-2010-3453 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager() function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. CVE-2010-3454 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem() function in OpenOffice.org that may be exploited by a maliciously crafted file which allowins an attacker to control program flow and potentially execute arbitrary code. CVE-2010-3689 Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, may lead to the execution of arbitrary code. CVE-2010-4253 A heap based buffer overflow has been discovered with unknown impact. CVE-2010-4643 A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact. For the stable distribution (lenny) these problems have been fixed in version 2.4.1+dfsg-1+lenny11. For the upcoming stable distribution (squeeze) these problems have been fixed in version 3.2.1-11+squeeze1. For the unstable distribution (sid) these problems have been fixed in version 3.2.1-11+squeeze1. For the experimental distribution these problems have been fixed in version 3.3.0~rc3-1. We recommend that you upgrade your OpenOffice.org packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: [18]http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFNQEkOW5ql+IAeqTIRAp9GAJ0WTb4z3fzW9x3TK3aux2v/zWtIPQCfRdzx +AX/hG1qBThFdf0f6k2SiMQ= =O7sd -END PGP SIGNATURE-
[Full-disclosure] [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2151-1secur...@debian.org http://www.debian.org/security/ Martin Schulze January 26th, 2011 http://www.debian.org/security/faq - -- Package: openoffice.org Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 Several security related problems have been discovered in the OpenOffice.org package that allows malformed documents to trick the system into crashes or even the execution of arbitrary code. CVE-2010-3450 During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to local user or, potentially, execute arbitrary code. CVE-2010-3451 During his work as a consultant at Virtual Security Research (VSR), Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can caus an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code. CVE-2010-3452 Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file. CVE-2010-3453 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager() function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. CVE-2010-3454 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem() function in OpenOffice.org that may be exploited by a maliciously crafted file which allowins an attacker to control program flow and potentially execute arbitrary code. CVE-2010-3689 Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, may lead to the execution of arbitrary code. CVE-2010-4253 A heap based buffer overflow has been discovered with unknown impact. CVE-2010-4643 A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact. For the stable distribution (lenny) these problems have been fixed in version 2.4.1+dfsg-1+lenny11. For the upcoming stable distribution (squeeze) these problems have been fixed in version 3.2.1-11+squeeze1. For the unstable distribution (sid) these problems have been fixed in version 3.2.1-11+squeeze1. For the experimental distribution these problems have been fixed in version 3.3.0~rc3-1. We recommend that you upgrade your OpenOffice.org packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: [18]http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFNQEkOW5ql+IAeqTIRAp9GAJ0WTb4z3fzW9x3TK3aux2v/zWtIPQCfRdzx +AX/hG1qBThFdf0f6k2SiMQ= =O7sd -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: Missing security build
Cyril Brulebois wrote: Joey Schulze j...@infodrom.org (15/01/2011): we're missing a build of openoffice.org for testing-security for the following architectures: . armel . mips . kfreebsd-i386 . kfreebsd-amd64 Could you check if (a) your buildd is building testing-security and if (b) if ooo requires manual attention? We haven't received a failed build log for the package either, so it hasn't even tried on these architectures. (a) kfreebsd-* apparently lack testing-security for some reason. fa{no,sch} have chroot:squeeze-security-kfreebsd-amd64-sbuild in schroot -l. fi{eld,nzi} have chroot:squeeze-security-kfreebsd-i386-sbuild in schroot -l. Not sure what's missing right now. Maybe something on the wanna-build side? I guess so. Could you check with the wanna-build-team? Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds -- To UNSUBSCRIBE, email to debian-wb-team-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110115112131.gb14...@finlandia.home.infodrom.org
Re: Missing security build
Philipp Kern wrote: On Sat, Jan 15, 2011 at 12:21:31PM +0100, Martin Schulze wrote: Cyril Brulebois wrote: Joey Schulze j...@infodrom.org (15/01/2011): we're missing a build of openoffice.org for testing-security for the following architectures: . armel . mips . kfreebsd-i386 . kfreebsd-amd64 Could you check if (a) your buildd is building testing-security and if (b) if ooo requires manual attention? We haven't received a failed build log for the package either, so it hasn't even tried on these architectures. (a) kfreebsd-* apparently lack testing-security for some reason. fa{no,sch} have chroot:squeeze-security-kfreebsd-amd64-sbuild in schroot -l. fi{eld,nzi} have chroot:squeeze-security-kfreebsd-i386-sbuild in schroot -l. Not sure what's missing right now. Maybe something on the wanna-build side? I guess so. Could you check with the wanna-build-team? Jan 15 12:16:42 buildd[4374]: Daemon started. (pid=4374) Jan 15 12:16:46 buildd[4374]: testing-security: total 1 packages to build. Jan 15 12:16:49 buildd[4374]: - openoffice.org: Jan 15 12:16:49 buildd[4374]: - status: ok Jan 15 12:16:49 buildd[4374]: - pkg-ver: openoffice.org_1:3.1.1-15+squeeze1 Jan 15 12:16:49 buildd[4374]: Starting build (dist=testing-security) of openoffice.org_1:3.1.1-15+squeeze1 So somebody fixed it. It's present in wanna-build and everything, so I don't think there's something to do for us at the moment. (I guess it was missing in ..builddrc then.) Ok, I'll wait for a few days and search for the build logs then. Let's see if it works as expected now. Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds -- To UNSUBSCRIBE, email to debian-wb-team-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110115123152.gf14...@finlandia.home.infodrom.org
Re: Missing security build
Kurt Roeckx wrote: On Sat, Jan 15, 2011 at 02:08:23PM +0100, Kurt Roeckx wrote: On Sat, Jan 15, 2011 at 01:48:15PM +0100, Aurelien Jarno wrote: OTOH armel and amd64 don't try to build the same version: aurel32@grieg:~$ wb info openoffice.org . amd64 armel . testing-security | grep Version | Version : 1:3.2.1-11+squeeze1 | Installed-Version : 1:3.2.1-11+squeeze1 | Version : 1:3.1.1-15+squeeze1 Same issue with kfreebsd-amd64 and kfreebsd-i386 Looking into that now. So I've run the trigger manually and things should work now. I'm not sure what happened, but I can't find any obvious errors on our side. For kfreebsd-amd64 the build on fasch just failed. Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds -- To UNSUBSCRIBE, email to debian-wb-team-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110115154407.gp14...@finlandia.home.infodrom.org
Re: [TYPO3-german] .ba Domains
Suche dafür einen Domainprovider für bosnische Domains (.ba). Es wird nur die Domain benötigt, da der Webspace schon auf einem deutschen Server läuft. Die Domain soll dann auf diesen Webspace geroutet werden. Hallo Bernhard, versuch es mal hier: http://www.internetx.com/de/services/domain-treuhand-service.html Gruß, Martin electronica: 09.-12. November 2010 in München, Halle A1 Stand 351 Boundary Scan Seminar: 23.-24. November 2010 in Jena Sitz der Gesellschaft: GÖPEL electronic GmbH, Göschwitzer Straße 58/60, D-07745 Jena Geschäftsführer: Holger Göpel, Manfred Schneider, Thomas Wenzel Registergericht: Amtsgericht Jena HR B 201550 ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
Re: [TYPO3-german] content_fallback auf nicht Standardsprache
Hallo Patrik, ...hhmm, ich benutze kein TV und die Übersetzung findet im CE statt. Die CE's sind aber nicht immer 1:1 übersetzt. Wenn ich auf sys_language_overlay = 1 umstelle, dann erscheinen bei uns gemischte Inhalte. Soll heißen, der nicht 1:1 übersetzte Inhalt wird in Standardsprache (Deutsch) angezeigt, alles andere z. B. in Englisch. Bei sys_language_overlay = HideNonTranslated erscheinen die nicht 1:1 übersetzten Inhalte NICHT (genau die, die bei sys_language_overlay = 1 in Deutsch angezeigt wurden). Also nehm ich sys_language_overlay = 0 in der TS-Bedingung. Ich erkläre mir das Verhalten durch die TS-Bedingung und dann erst in der Bedingung sys_language_overlay = 0. In der Standardsprache taucht sys_language_overlay gar nicht auf. Gruß, Martin typo3-german-boun...@lists.typo3.org schrieb am 21.07.2010 13:28:20: Von: Lang, Patrik patrik.l...@centaur.de Hallo Martin, durch das sys_language_overlay = 0 wird aber die Übersetzung komplett deaktiviert und ich sehe garkeine Übersetzung mehr, also nicht mal auf der Sprache, für die es eine gibt. Wenn ich auf eine Sprache gehe, die keine Übersetzung hat, wird wieder die Standardsprache angezeigt. Benutzt du Templavoila? Was hast du denn da in der Datenstruktur drin stehen? Und hast du die Übersetzungen bei deinen Inhaltselementen alle auf einer Seite (im CE dann [Translate to ...]) oder benutzt du die Lokalisierungsansicht im TYPO? Gruß Patrik ___ TYPO3-german mailing list TYPO3-german@lists.typo3.org http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-german
[SECURITY] [DSA 2054-2] New bind9 packages fix cache poisoning
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2054-2secur...@debian.org http://www.debian.org/security/ Martin Schulze June 15th, 2010 http://www.debian.org/security/faq - -- Package: bind9 Vulnerability : DNS cache poisoning Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382 This update restores the PID file location for bind to the location before the last security update. For reference, here is the original advisory text that explains the security problems fixed: Several cache-poisoning vulnerabilities have been discovered in BIND. These vulnerabilities are apply only if DNSSEC validation is enabled and trust anchors have been installed, which is not the default. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0097 BIND does not properly validate DNSSEC NSEC records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. CVE-2010-0290 When processing crafted responses containing CNAME or DNAME records, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. CVE-2010-0382 When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. In addition, this update introduce a more conservative query behavior in the presence of repeated DNSSEC validation failures, addressing the roll over and die phenomenon. The new version also supports the cryptographic algorithm used by the upcoming signed ICANN DNS root (RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence algorithm used by some signed top-level domains. This update is based on a new upstream version of BIND 9, 9.6-ESV-R1. Because of the scope of changes, extra care is recommended when installing the update. Due to ABI changes, new Debian packages are included, and the update has to be installed using apt-get dist-upgrade (or an equivalent aptitude command). For the stable distribution (lenny), these problems have been fixed in version 1:9.6.ESV.R1+dfsg-0+lenny2. The unstable distribution is not affected by the wrong PID file location. We recommend that you upgrade your bind9 packages. Upgrade Instructions - wget url will flenny the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Source archives: http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.dsc Size/MD5 checksum: 1794 b5951765a8e4aa8bcab2348f1ffa657d http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.diff.gz Size/MD5 checksum:45913 dd84c3e333a9ed52eb716faecf65f180 http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg.orig.tar.gz Size/MD5 checksum: 5132628 5ac7e5eadd45b234ce17b3b731dacc3a Architecture independent components: http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.6.ESV.R1+dfsg-0+lenny2_all.deb Size/MD5 checksum: 282072 8d6a3f9f97202d085d1302769aa452da Alpha architecture: http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 292140 8e10a8574edd7034941feee2edc03a31 http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum:64240 ee27fa0b5251fea1d502d75a3513a3a6 http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 115318 52148b7b9069b8954fb8bb04ce5455ad http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 154542 a190316dcddbeb6973951b38ba2f7ee6 http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 1737448 ff983f8040060267746caf063ff0a8fa http://security.debian.org/pool/updates/main/b/bind9/libbind9-40_9.5.1.dfsg.P3-1+lenny1_alpha.deb
[Full-disclosure] [SECURITY] [DSA 2054-2] New bind9 packages fix cache poisoning
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 2054-2secur...@debian.org http://www.debian.org/security/ Martin Schulze June 15th, 2010 http://www.debian.org/security/faq - -- Package: bind9 Vulnerability : DNS cache poisoning Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382 This update restores the PID file location for bind to the location before the last security update. For reference, here is the original advisory text that explains the security problems fixed: Several cache-poisoning vulnerabilities have been discovered in BIND. These vulnerabilities are apply only if DNSSEC validation is enabled and trust anchors have been installed, which is not the default. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0097 BIND does not properly validate DNSSEC NSEC records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. CVE-2010-0290 When processing crafted responses containing CNAME or DNAME records, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. CVE-2010-0382 When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. In addition, this update introduce a more conservative query behavior in the presence of repeated DNSSEC validation failures, addressing the roll over and die phenomenon. The new version also supports the cryptographic algorithm used by the upcoming signed ICANN DNS root (RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence algorithm used by some signed top-level domains. This update is based on a new upstream version of BIND 9, 9.6-ESV-R1. Because of the scope of changes, extra care is recommended when installing the update. Due to ABI changes, new Debian packages are included, and the update has to be installed using apt-get dist-upgrade (or an equivalent aptitude command). For the stable distribution (lenny), these problems have been fixed in version 1:9.6.ESV.R1+dfsg-0+lenny2. The unstable distribution is not affected by the wrong PID file location. We recommend that you upgrade your bind9 packages. Upgrade Instructions - wget url will flenny the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Source archives: http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.dsc Size/MD5 checksum: 1794 b5951765a8e4aa8bcab2348f1ffa657d http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.diff.gz Size/MD5 checksum:45913 dd84c3e333a9ed52eb716faecf65f180 http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg.orig.tar.gz Size/MD5 checksum: 5132628 5ac7e5eadd45b234ce17b3b731dacc3a Architecture independent components: http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.6.ESV.R1+dfsg-0+lenny2_all.deb Size/MD5 checksum: 282072 8d6a3f9f97202d085d1302769aa452da Alpha architecture: http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 292140 8e10a8574edd7034941feee2edc03a31 http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum:64240 ee27fa0b5251fea1d502d75a3513a3a6 http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 115318 52148b7b9069b8954fb8bb04ce5455ad http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 154542 a190316dcddbeb6973951b38ba2f7ee6 http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb Size/MD5 checksum: 1737448 ff983f8040060267746caf063ff0a8fa http://security.debian.org/pool/updates/main/b/bind9/libbind9-40_9.5.1.dfsg.P3-1+lenny1_alpha.deb
Re: Squeeze, firmware and installation
Petter Reinholdtsen wrote: [Steve McIntyre] Yup, definitely. We already have an unofficial non-free area on cdimage.debian.org which is where we've been pushing the firmware zip/tar.gz files already. I'll set up the extra images to be dropped in there. A few days ago, I extended hw-detect to look for firmware (u)debs in /firmware/ (for PXE boot images) and /cdrom/firmware/, so if you create a CD/DVD with the firmware .deb files in a firmware/ directory in the root of the CD, it should work out of the box. Any license question asked in the package preinst should be displayed, and the firmware package will not be used if the license isn't accepted. The change is in the daily built d-i images already. Please report back if it do not work for you. Very good, thanks a lot. Grüße, Joey -- It's time to close the windows. -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100527173245.gb5...@valse.home.infodrom.org
Re: Squeeze, firmware and installation
Bernd Zeimetz wrote: On 05/12/2010 04:27 PM, Martin Schulze wrote: I would like us to provide non-free firmware blobs that may be required during installation in tarballs that can be downloaded or - Downloading is exactly the problem. A lot of modern enterprise network hardware (like the Broadcom Netextreme) requires non-free firmware. You forgot to quote: if this is not possible - be loaded via USB sticks, floppies or cdroms. The installer would need a possibility to include such I'm sure these modern systems do have USB connectors. Regards, Joey -- All language designers are arrogant. Goes with the territory... -- Larry Wall -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100512194151.gx31...@finlandia.home.infodrom.org
Bug#580342: sudo: Memory access after free()
Bdale, what's your stance on this? Regards, Joey Alexandra N. Kossovsky wrote: Package: sudo-ldap Version: 1.6.9p17-2+lenny1 Severity: grave Tags: security patch Justification: user security hole Hello. Following patch fixes memory access after free(): --- parse.c 2010-05-05 13:43:20.0 +0400 +++ parse.c.fixed 2010-05-05 13:42:45.0 +0400 @@ -316,9 +316,11 @@ break; } } - globfree(gl); - if (*ap == NULL) + if (*ap == NULL) { + globfree(gl); return(FALSE); + } + globfree(gl); if (!sudoers_args || (!user_args sudoers_args !strcmp(\\, sudoers_args)) || Since ap points to the memory inside gl_pathv, it is not correct to check ap value when gl is freed. sudo is a security sensitive application, and there may be various effects of such access. I've created this patch after exploring the problem similar to Debian bugs 556562 578601. The patch fixes my problem. -- It's time to close the windows. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#580342: sudo: Memory access after free()
Bdale, what's your stance on this? Regards, Joey Alexandra N. Kossovsky wrote: Package: sudo-ldap Version: 1.6.9p17-2+lenny1 Severity: grave Tags: security patch Justification: user security hole Hello. Following patch fixes memory access after free(): --- parse.c 2010-05-05 13:43:20.0 +0400 +++ parse.c.fixed 2010-05-05 13:42:45.0 +0400 @@ -316,9 +316,11 @@ break; } } - globfree(gl); - if (*ap == NULL) + if (*ap == NULL) { + globfree(gl); return(FALSE); + } + globfree(gl); if (!sudoers_args || (!user_args sudoers_args !strcmp(\\, sudoers_args)) || Since ap points to the memory inside gl_pathv, it is not correct to check ap value when gl is freed. sudo is a security sensitive application, and there may be various effects of such access. I've created this patch after exploring the problem similar to Debian bugs 556562 578601. The patch fixes my problem. -- It's time to close the windows. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Broken signature for DSA-2040-1
Kurt Roeckx wrote: On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote: Hi, I received DSA-2040-1 and verified its GPG signature, as I always do. I found out that I am unable to correctly verify the signature. Works for me: gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A gpg: Good signature from Moritz Muehlenhoff j...@debian.org gpg: aka Moritz Muehlenhoff j...@inutil.org Without a working signature the mail wouldn't be transported through debian-security-announce. A valid ecurity team member's signature is required. Regards, Joey -- Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100502194941.gb31...@finlandia.home.infodrom.org
Re: Money for Debian
Hi Eric, eric wrote: I am french, excuse me for the fault in English Language. It is possible for you to create a Paypal account to help you, it's more easy for users. You can donate via donat...@ffis.de to ffis e.V. in Germany to support the Debian project. donat...@ffis.de is a registered address at Paypal. Regards, Joey -- If you come from outside of Finland, you live in wrong country. -- motd of irc.funet.fi -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100409192537.gi24...@finlandia.home.infodrom.org
Re: minidebconf Berlin June 10/11? url?
Sven Guckes wrote: * Jan Hauke Rahm j...@debian.org [2010-03-24 10:39]: .. a mini-debconf in Berlin during the LinuxTag in June 9th to 12th. And we can now say, there is one. Unfortunately it's not as promising as we hoped it would be which means: we need you! does this message and the project have a website? if so then we could post about it. Coordination is probably best done via wiki.debian.org. Regards, Joey -- We all know Linux is great... it does infinite loops in 5 seconds. -- Linus Torvalds Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-events-eu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100324210843.gw24...@finlandia.home.infodrom.org
Re: [last call] Debian at OpenExpo, 24. - 25.3.2010 in Bern
Luca Capello wrote: Hi there! On Sun, 07 Mar 2010 22:37:09 +0100, Gaudenz Steinlin wrote: Only Axel answered to my last call for help and he is unfortunately unable to help staffing the booth. I've now setup a wiki page [1] and this is my last call for help. If we don't find enough people to staff the booth until Thursday I'll cancel the booth. I'm unable and unwilling to staff and organize the booth alone. My main problem is the same for everything German-related: I do not speak German, unfortunately. Nevertheless, I could manage to be there, but only on Thursday, March 25th. Since Debian is an international project, it should not be a problem not speaking the native language of the location the booth will be in. As long as your not the only one at the booth. Our developers speak English and most of our community knows that Debian is international and that not everybody speaks their own native language. Personally, I always appreciate international Debian people at Debian booths. Regards, Joey -- Debian automatically detects USB sticks. This is so non-Debian. -- Joey -- To UNSUBSCRIBE, email to debian-events-eu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100312103749.gj9...@finlandia.home.infodrom.org
Bug#539345: Add formatting parameters to the AuthMySQLUserCondition and AuthMySQLGroupCondition
Craig Andrews wrote: Package: libapache2-mod-auth-mysql Version: 4.3.9-11 Severity: wishlist Version 2.9.0 of mod_auth_mysql from http://modauthmysql.sourceforge.net/ added support for formatting parameters to the condition clause parameters. These parameters are: %h DNS name of the remote host %a IP address of the remote host %f The filename being requested %V Hostname of the Apache server %v Virtual hostname %H Protocol sent with the request (i.e. HTTP/0.9) %m Request method (i.e. GET, HEAD, POST, etc.) %q Arguments following the ? in the request %r Request line %U Path portion of the URI I cannot figure out what is upstream for Debian's libapache2-mod-auth-mysql, or I would report this request for enhancement there as well. This feature would be incredibly useful. Debian is upstream of the Debian package. The package you found on sourceforge is completely different. I'd be glad to review a patch that adds this features. Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Closed lists as maintainers
Russ Allbery wrote: I hope we can agree that maintainers should be able to receive mail from any legitimate sender. However, some maintainer addresses point to mailing lists that automatically reject mail from non-subscribers (without the intervention of a moderator). The case I am painfully aware of is grub-de...@lists.alioth.debian.org, listed as the maintainer for grub and grub2. I believe this configuration is unacceptable, but would like to check that there is a consensus on this before pressing the matter with the GRUB maintainers. I agree that automatic rejection is bad. I do think that holding for moderation is okay. The configuration that I use for pkg-shibboleth-devel is to automatically allow any message with X-Debian-PR-Package or X-Debian: DAK in the headers and then hold everything else from non-subscribers for moderation, expiring messages after seven days, and disabling the moderation notification messages to the sender. I then review every message held for moderation through my own spam filters and go and approve anything that's legitimate, whitelisting the sender at the same time. I set an expiration time of 7 days for things in the moderation queue so that I don't have to keep going in there and cleaning it out. I also always use discard for things that time out or things that I reject. With an active owner approving messages this sounds like a sane setup. I think it's particularly important to automatically let through BTS messages (X-Debian-PR-Package) and messages from automated archive processes. Spam from those sources is extremely low. ack. Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#560416: New version alters server configuration
Package: munin Version: 1.4.1-1 [resent as bug report as requested] Hi, after installing a new version of munin (I assume it was 1.4.1-1 or -2) I noticed a link in /etc/apache2/conf.d: munin - ../../munin/apache.conf that suddenly (a) adds /munin/ to all virtual hosts and (b) uses a new directory for /munin/ and (c) disables remote access and (c) enables password-less access from localhost. I am not exactly sure this is the desired behaviour. Notes: /var/cache/munin/www is fine for new installations. For upgrading existing installations it's questionable to use a directory without prior checking the current configuration, since users could have configured a different one in /etc/munin/munin.conf. Please don't get me wrong, I'm more or less fine with this as initial configuration, but I have some problems with altering an existing configuration that way. Regards, Joey -- Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Roadmap for the 1.15.x series
Raphael Hertzog wrote: On Fri, 11 Sep 2009, Guillem Jover wrote: On Mon, 2009-09-07 at 17:21:41 +0200, Raphael Hertzog wrote: On Mon, 07 Sep 2009, Guillem Jover wrote: * Clean up dpkg namespace: - Rename dpkg-ftp as dselect-ftp. I'm the maintainer of this one. Maybe it could be merged in dselect itself, it would make more sense IMO. Yeah, I had that written at some point when preparing the mail, but removed it, cannot remember why. So yes, I think it makes sense to merge even if we end up splitting dselect from the source package afterwards. But I'd keep it as the (renamed) separate binary package, as it has additional dependencies. Ok, but it's only perl the additional dependency. libnet-perl is an old package that's provided by perl-modules nowadays. - Rename dpkg-multicd as dselect-multicd. Maybe we could do the same with this one, given that the goal is to have dselect a separate source package at some point in the future. Right, would need discussing with Martin Schulze first. CCing Joey for this. Joey, what would you think of merging dpkg-multicd into dselect itself? Not the worst idea. Please go ahead. If you're interested in the CVS history for the import, please let me know. Regards, Joey -- It's practically impossible to look at a penguin and feel angry. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-dpkg-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Roadmap for the 1.15.x series
Raphael Hertzog wrote: If you're interested in the CVS history for the import, please let me know. Why not, please make it available. But I'm not sure how to properly integrate it in the git history without having many unbuildable revision that would contain only that code and not the rest. Ccing Pierre Habouzit, maybe he has an idea on how to do it properly. Here's a tarfile of the directory: http://people.debian.org/~joey/stuff/dpkg-multicd.cvs.tar.gz Regards, Joey -- It's practically impossible to look at a penguin and feel angry. -- To UNSUBSCRIBE, email to debian-dpkg-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Debian money, booth on german church meeting
Thomas Koch wrote: There's a german association, Linux user in der Kirche[1] (Linux user in the church), which plans to organize a booth on the next big meeting of the german church in 2010. They aim is to promote the usage of linux in the administrations of church communities and of course private use of linux. The cost of the booth is around 800 Euro, which must be collected from private sponsorship until december to make the booth happen. Maybe debian could sponsor this event? Thanks a lot for your engagement for Debian and GNU/Linux in clerical environments. For other events and shows we have always asked the organisers of the event to sponsor the booth for Free Software. This even worked for highly commercial events such as CeBIT and Systems. Partially these booths weren't sponsored by the organisers but by companies already maintaining a booth on that particular show. I'm not sure the Debian project should start paying for booths now. I would rather like Debian to help running the booth by providing hardware if needed or booth material such as posters and large signs. Regards, Joey -- Have you ever noticed that General Public Licence contains the word Pub? -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Debian money, booth on german church meeting
Thomas Koch wrote: Thomas Koch wrote: There's a german association, Linux user in der Kirche[1] (Linux user in the church), which plans to organize a booth on the next big meeting of the german church in 2010. They aim is to promote the usage of linux in the administrations of church communities and of course private use of linux. The cost of the booth is around 800 Euro, which must be collected from private sponsorship until december to make the booth happen. Maybe debian could sponsor this event? Thanks a lot for your engagement for Debian and GNU/Linux in clerical environments. For other events and shows we have always asked the organisers of the event to sponsor the booth for Free Software. This even worked for highly commercial events such as CeBIT and Systems. Partially these booths weren't sponsored by the organisers but by companies already maintaining a booth on that particular show. I'm not sure the Debian project should start paying for booths now. I would rather like Debian to help running the booth by providing hardware if needed or booth material such as posters and large signs. There's a radical difference between technical exhibitions like CeBIT and the Kirchentag: At the Kirchentag most of the exhibitants are non-profit. Compared to little initiatives supporting schools in poor countries, a linux booth is even more on the profit site: If people switch to linux there is business to be made in consulting. (Still luki is such a small association that there members would not be likely to profite from such business.) It seems to me that these consulting businesses would be good addresses to ask for sponsorship of a Debian/GNU/Linux booth if there is no way getting a free booth for a charitable association such as the Debian Project or the GNU/Linux community. Regards, Joey -- Have you ever noticed that General Public Licence contains the word Pub? -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Debian money, booth on german church meeting
Martin Schulze wrote: Thomas Koch wrote: Thomas Koch wrote: There's a german association, Linux user in der Kirche[1] (Linux user in the church), which plans to organize a booth on the next big meeting of the german church in 2010. They aim is to promote the usage of linux in the administrations of church communities and of course private use of linux. The cost of the booth is around 800 Euro, which must be collected from private sponsorship until december to make the booth happen. Maybe debian could sponsor this event? Thanks a lot for your engagement for Debian and GNU/Linux in clerical environments. For other events and shows we have always asked the organisers of the event to sponsor the booth for Free Software. This even worked for highly commercial events such as CeBIT and Systems. Partially these booths weren't sponsored by the organisers but by companies already maintaining a booth on that particular show. I'm not sure the Debian project should start paying for booths now. I would rather like Debian to help running the booth by providing hardware if needed or booth material such as posters and large signs. There's a radical difference between technical exhibitions like CeBIT and the Kirchentag: At the Kirchentag most of the exhibitants are non-profit. Compared to little initiatives supporting schools in poor countries, a linux booth is even more on the profit site: If people switch to linux there is business to be made in consulting. (Still luki is such a small association that there members would not be likely to profite from such business.) It seems to me that these consulting businesses would be good addresses to ask for sponsorship of a Debian/GNU/Linux booth if there is no way getting a free booth for a charitable association such as the Debian Project or the GNU/Linux community. Hi again, I've just seen that LUKI e.V. is an association that actively seeks donations. If you'd have to pay for a booth at the next Kirchentag and the organisers are unwilling to sponsor a booth, wouldn't LUKI e.V. be the canonical organisation to ask for sponsorship. Regards, Joey -- Have you ever noticed that General Public Licence contains the word Pub? -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Debian money
Frans Pop wrote: On Thursday 10 September 2009, Steve McIntyre wrote: 5 Pay people to do stuff we don't/can't/won't: g website redesign and restructuring This is something we seem unable to make any progress at and that is very much overdue. Especially the restructuring part would involve loads of tedious work and some compensation for that would IMO be in order. Of course we would need to agree on requirements first. Such work should only be done by people inside the project and not by external people. There have been several attempts by external people that haven't caused the required concense and agreement inside the project. New attempts shouldn't be done similar. We also need to recall problems Dunc-Tank caused and don't make similar mistakes again. Regards, Joey -- Have you ever noticed that General Public Licence contains the word Pub? -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
[pygtk] GPollFD/GSource wrappers [was: Re: iosource]
Sorry, it should read the GSource/GPollFD wrappers, not GIOSource wrapper. Also, I should add that I'm using the Linux versions 2.16.1/2.14.1 and the Windows versions 2.14.2/2.12.1 of pygobject/pygtk. Still, the problem remains unchanged ... Regards, Martin Am Sonntag, den 28.06.2009, 23:33 +0200 schrieb Martin Schulze: Hello, I have a problem with the GIOSource wrapper. In the attached test program I'm using either a) gobject.io_add_watch() or b) gobject.iosource.add_poll_fd() and gobject.iosource.attach() to listen on a pipe in the glib main context with the following result: a) works like a charm (see the dialog being updated every second). b) just produces the endlessly repeated error output AttributeError: prepare AttributeError: check Use use_poll_fd={False/True} to switch between a) and b). Can someone guess what's going wrong? Best Regards, Martin P.S.: Background: version b) helps me to port the program to win32. I have already implemented an overlapping i/o version of _multiprocessing.PipeConnection (in python using pywin32). I just need to hook the win32 event handle into the glib main context like in version b) of attached code ... ___ pygtk mailing list pygtk@daa.com.au http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/ ___ pygtk mailing list pygtk@daa.com.au http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/
Re: [pygtk] GPollFD/GSource wrappers [was: Re: iosource]
I've got it working! gobject.Source is not functional - you must derive your own class and define the functions prepare, check and dispatch. See attached example. If this is actually intended, the error that's being raised should be a NotImplementedError. Btw, there doesn't seem to be any documentation around for the GSource/GPollFD wrappers. (Who cares, as long as it works - and pygobject/pygtk really rocks ;-) ) Regards, Martin Am Montag, den 29.06.2009, 22:59 +0200 schrieb Martin Schulze: Sorry, it should read the GSource/GPollFD wrappers, not GIOSource wrapper. Also, I should add that I'm using the Linux versions 2.16.1/2.14.1 and the Windows versions 2.14.2/2.12.1 of pygobject/pygtk. Still, the problem remains unchanged ... Regards, Martin Am Sonntag, den 28.06.2009, 23:33 +0200 schrieb Martin Schulze: Hello, I have a problem with the GIOSource wrapper. In the attached test program I'm using either a) gobject.io_add_watch() or b) gobject.iosource.add_poll_fd() and gobject.iosource.attach() to listen on a pipe in the glib main context with the following result: a) works like a charm (see the dialog being updated every second). b) just produces the endlessly repeated error output AttributeError: prepare AttributeError: check Use use_poll_fd={False/True} to switch between a) and b). Can someone guess what's going wrong? Best Regards, Martin P.S.: Background: version b) helps me to port the program to win32. I have already implemented an overlapping i/o version of _multiprocessing.PipeConnection (in python using pywin32). I just need to hook the win32 event handle into the glib main context like in version b) of attached code ... ___ pygtk mailing list pygtk@daa.com.au http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/ ___ pygtk mailing list pygtk@daa.com.au http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/ #! /usr/bin/env python import time import multiprocessing import gtk import glib import gobject # --- # background process # --- def client (conn_client): while True: if conn_client.poll(1): break t = time.localtime() msg = str(t.tm_year) + '-' + str(t.tm_mon) + '-' + str(t.tm_mday) + ', ' + str(t.tm_hour) + ':' + str(t.tm_min) + ':' + str(t.tm_sec) conn_client.send_bytes(msg) # --- # SourceFD # --- class SourceFD (gobject.Source): def __init__(self, fd, callback, check): gobject.Source.__init__(self) self.add_poll(fd) self.fd = fd self.__callback = callback self.__check = check def prepare(self): return ((self.__check)(), -1) def check(self): return (self.__check)() def dispatch(self, *args, **kw): return (self.__callback)(*args, **kw) # --- # dialog # --- class ServerDialog (gtk.Dialog): def __init__(self, conn_server): gtk.Dialog.__init__(self, title=Hello World, buttons=(gtk.STOCK_CLOSE,gtk.RESPONSE_ACCEPT)) self.label = gtk.Label(Last Messages:\nN/A) self.get_content_area().pack_start(self.label) self.conn_server = conn_server def destroy(self): self.label = None self.conn_server = None gtk.Dialog.destroy(self) def check(self): return self.conn_server.poll(0) def process_message(self, *args, **kw): msg = self.conn_server.recv_bytes() self.label.set_text(Last Messages:\n + msg) return True # --- # main program # --- if __name__ == '__main__': use_poll_fd = True # set to True to stimulate bug # prepare pipe conn_server, conn_client = multiprocessing.Pipe() # create dialog dialog = ServerDialog(conn_server) # attach a new io source to the main context dialog.conn_server = conn_server if not use_poll_fd: io_source_server = gobject.io_add_watch(conn_server.fileno(), gobject.IO_IN, dialog.process_message) else: poll_fd_server = gobject.PollFD(conn_server.fileno(), gobject.IO_IN) io_source_server = SourceFD(poll_fd_server, dialog.process_message, dialog.check) io_source_server.attach(glib.main_context_default()) # start background process client = multiprocessing.Process(target=client, args=(conn_client,)) client.start() del conn_client
[pygtk] iosource
Hello, I have a problem with the GIOSource wrapper. In the attached test program I'm using either a) gobject.io_add_watch() or b) gobject.iosource.add_poll_fd() and gobject.iosource.attach() to listen on a pipe in the glib main context with the following result: a) works like a charm (see the dialog being updated every second). b) just produces the endlessly repeated error output AttributeError: prepare AttributeError: check Use use_poll_fd={False/True} to switch between a) and b). Can someone guess what's going wrong? Best Regards, Martin P.S.: Background: version b) helps me to port the program to win32. I have already implemented an overlapping i/o version of _multiprocessing.PipeConnection (in python using pywin32). I just need to hook the win32 event handle into the glib main context like in version b) of attached code ... #! /usr/bin/env python import time import multiprocessing import gtk import glib import gobject # --- # background process # --- def client (conn_client): while True: if conn_client.poll(1): break t = time.localtime() msg = str(t.tm_year) + '-' + str(t.tm_mon) + '-' + str(t.tm_mday) + ', ' + str(t.tm_hour) + ':' + str(t.tm_min) + ':' + str(t.tm_sec) conn_client.send_bytes(msg) # --- # dialog # --- class ServerDialog (gtk.Dialog): def __init__(self, conn_server): gtk.Dialog.__init__(self, title=Hello World, buttons=(gtk.STOCK_CLOSE,gtk.RESPONSE_ACCEPT)) self.label = gtk.Label(Last Messages:\nN/A) self.get_content_area().pack_start(self.label) self.conn_server = conn_server def destroy(self): self.label = None self.conn_server = None gtk.Dialog.destroy(self) def process_message(self, source, condition): msg = self.conn_server.recv_bytes() self.label.set_text(Last Messages:\n + msg) return True # --- # main program # --- if __name__ == '__main__': use_poll_fd = True # set to True to stimulate bug # prepare pipe conn_server, conn_client = multiprocessing.Pipe() # create dialog dialog = ServerDialog(conn_server) # attach a new io source to the main context dialog.conn_server = conn_server if not use_poll_fd: io_source_server = gobject.io_add_watch(conn_server.fileno(), gobject.IO_IN, dialog.process_message) else: poll_fd_server = gobject.PollFD(conn_server.fileno(), gobject.IO_IN) io_source_server = gobject.Source() io_source_server.set_callback(dialog.process_message) io_source_server.add_poll(poll_fd_server) io_source_server.attach(glib.main_context_default()) # start background process client = multiprocessing.Process(target=client, args=(conn_client,)) client.start() del conn_client # run the gtk main event loop dialog.show_all() dialog.run() print finished # cleanup if not use_poll_fd: gobject.source_remove(io_source_server) del io_source_server else: io_source_server.destroy() del io_source_server del poll_fd_server conn_server.send_bytes(quit) client.join(1) del client del conn_server dialog.destroy() del dialog ___ pygtk mailing list pygtk@daa.com.au http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/
[Full-disclosure] [SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1724-1secur...@debian.org http://www.debian.org/security/ Steffen Joeris February 13th, 2009 http://www.debian.org/security/faq - -- Package: moodle Vulnerability : several vulnerabilities Problem type : remote Debian-specific: no CVE IDs: CVE-2009-0500 CVE-2009-0502 CVE-2008-5153 Debian Bug : 514284 Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0500 It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code. CVE-2009-0502 It was discovered that certain input via the Login as function was not properly sanitised leading to the injection of arbitrary web script. CVE-2008-5153 Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update. For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2. For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1. For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4. We recommend that you upgrade your moodle package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc Size/MD5 checksum: 793 b86fd980d09fc1f54744962d765a17d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz Size/MD5 checksum:25398 60b9bf677040fbd71e7951deaa8b91d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz Size/MD5 checksum: 7465709 2f9f3fcf83ab0f18c409f3a48e07eae2 Architecture independent components: http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb Size/MD5 checksum: 6582298 7a90893e954672f33e129aa4d7ca5aa3 These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-annou...@lists.debian.org Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJldoJW5ql+IAeqTIRAqgIAJ0dhSgFQxBDCq0PoSav/LyyCmtaYQCgj+Ln r8qoVwy7k6F60fJPA1DAKYE= =GzCu -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1724-1secur...@debian.org http://www.debian.org/security/ Steffen Joeris February 13th, 2009 http://www.debian.org/security/faq - -- Package: moodle Vulnerability : several vulnerabilities Problem type : remote Debian-specific: no CVE IDs: CVE-2009-0500 CVE-2009-0502 CVE-2008-5153 Debian Bug : 514284 Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0500 It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code. CVE-2009-0502 It was discovered that certain input via the Login as function was not properly sanitised leading to the injection of arbitrary web script. CVE-2008-5153 Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update. For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2. For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1. For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4. We recommend that you upgrade your moodle package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc Size/MD5 checksum: 793 b86fd980d09fc1f54744962d765a17d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz Size/MD5 checksum:25398 60b9bf677040fbd71e7951deaa8b91d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz Size/MD5 checksum: 7465709 2f9f3fcf83ab0f18c409f3a48e07eae2 Architecture independent components: http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb Size/MD5 checksum: 6582298 7a90893e954672f33e129aa4d7ca5aa3 These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-annou...@lists.debian.org Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJldoJW5ql+IAeqTIRAqgIAJ0dhSgFQxBDCq0PoSav/LyyCmtaYQCgj+Ln r8qoVwy7k6F60fJPA1DAKYE= =GzCu -END PGP SIGNATURE-
Re: [Secure-testing-team] gnumeric for i386 not migrated to security.debian.org
Nico Golde wrote: Hi, * Martin Schulze j...@infodrom.org [2009-02-09 11:21]: Julian Gilbey wrote: On Sun, Feb 08, 2009 at 10:13:54PM +0100, Martin Schulze wrote: Hi Julian! Julian Gilbey wrote: The i386 compile of gnumeric 1.8.3-5+lenny1 has not reached security.debian.org, whereas the other architectures have. Any ideas why? [...] There is an i386 buildd for security, of course. I guess it is not online at the moment. The build failed in the first place because of a buildd problem. I contacted the i386 buildd team right after seeing this and I guess someone is working on that (I got no reply so far). Please be patient. Good news, thanks. Regards, Joey -- No question is too silly to ask, but, of course, some are too silly to answer. -- Perl book ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
Re: [Secure-testing-team] gnumeric for i386 not migrated to security.debian.org
Hi Julian! Julian Gilbey wrote: The i386 compile of gnumeric 1.8.3-5+lenny1 has not reached security.debian.org, whereas the other architectures have. Any ideas why? It has not been built for security by any buildd linked to security. Why that... I don't know, though. Regards, Joey -- Of course, I didn't mean that, which is why I didn't say it. What I meant to say, I said. -- Thomas Bushnell ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
Re: The future of clamav wrt. stable/volatile
Michael Tautschnig wrote: In the clamav packaging team we had recurring discussion about how to deal with clamav in the near (== lenny) and more distant (= squeeze) future. The current situation is as follows: - We've got severly outdated clamav packages in etch(-security). - A few packages depend on clamav; those depends are not necessarily versioned. - Any sensible use of clamav requires the packages from volatile to be able to handle all features of upstream's current signature database. - We've had 16 security updates since the release of etch, which constantly required backporting of upstream's fixes that were included in the volatile releases. We could of course continue this game of telling users that nothing but the clamav from volatile is what one should use on production systems, but maybe there are other options as well. Let me see what options we have: - Stick with the current scheme. Possible, but neither user- nor maintainer-friendly. - Move clamav to volatile only. This would, however, also require that all depending packages go to volatile, even the depends are unversioned. Does the clamav interface change between versions? If not, would it be possible that a sufficiently stable version will be included in stable and updates (including new versions) be handled via volatile - including a large note in the clamav package to include volatile. Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: [Pkg-clamav-devel] The future of clamav wrt. stable/volatile
Stephen Gran wrote: This one time, at band camp, Martin Schulze said: Michael Tautschnig wrote: In the clamav packaging team we had recurring discussion about how to deal with clamav in the near (== lenny) and more distant (= squeeze) future. The current situation is as follows: - We've got severly outdated clamav packages in etch(-security). - A few packages depend on clamav; those depends are not necessarily versioned. - Any sensible use of clamav requires the packages from volatile to be able to handle all features of upstream's current signature database. - We've had 16 security updates since the release of etch, which constantly required backporting of upstream's fixes that were included in the volatile releases. We could of course continue this game of telling users that nothing but the clamav from volatile is what one should use on production systems, but maybe there are other options as well. Let me see what options we have: - Stick with the current scheme. Possible, but neither user- nor maintainer-friendly. - Move clamav to volatile only. This would, however, also require that all depending packages go to volatile, even the depends are unversioned. Does the clamav interface change between versions? Yes, clamav had several soname changes during the etch release, and several configuration and command line options changed. I don't think we can depend on it staying stable during lenny. *sigh* If not, would it be possible that a sufficiently stable version will be included in stable and updates (including new versions) be handled via volatile - including a large note in the clamav package to include volatile. That's roughly what we're doing now - try to get the most stable version we can into the stable release, and track changes via volatile. The downside for both users and maintainers is that depending packages frequently don't get updated for the changed clamav, leaving them performing poorly, or not catching new viruses, or both. The downside That's the same situation as it is now, right? Somebody needs to forward port reverse depends that require the old interface, it seems. However, getting these into volatile should be easier than getting them into stable (via proposed-updates). Having all of clamav and all revdeps in volatile would be an alternative but is probably not an option... for us as maintainers is that we have to support a version of clamav in stable that no one actually uses. I've done this for 2 releases now, and it always feels vaguely pointless by the end of the release cycle. I can feel your pain. Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org