Re: Bug#841099: ITP: node-has-values -- Returns true if any values exist, false if empty

2016-10-17 Thread Adrian Bunk
On Mon, Oct 17, 2016 at 10:28:53PM +0200, Eduard Bloch wrote: > Hello, > * Andrew Shadura [Mon, Oct 17 2016, 08:23:19PM]: > > Hi, > > > > On 17 October 2016 at 18:57, Sruthi Chandran wrote: > > > Package: wnpp > > > Severity: wishlist > > > Owner: Sruthi Chandran > > > X-Debbugs-CC: debian-devel

Re: Bug#841196: ITP: node-os-homedir -- Node.js 4 `os.homedir()` ponyfill

2016-10-18 Thread Adrian Bunk
On Tue, Oct 18, 2016 at 04:15:50PM +0100, Steve McIntyre wrote: >... > Life's too short to go and fix all the crap in the world personally, > but we can keep certain minimum standards for what we as a group allow > into Debian. :-( What policies and processes should ensure these minimum standards?

Re: Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-20 Thread Adrian Bunk
On Wed, Oct 19, 2016 at 09:33:14AM -0200, Henrique de Moraes Holschuh wrote: > On Wed, Oct 19, 2016, at 06:56, Jan Mojzis wrote: > > >I read manpage on github, but did not understood, what exactly this > > > program provides. Can it replace creation system users for dropping > > > privileges? > >

Re: Bug#841113: ITP: extremetools -- tools for running processes under extreme uid and gid

2016-10-22 Thread Adrian Bunk
On Fri, Oct 21, 2016 at 08:55:26AM +0200, Jan Mojzis wrote: > > "extremely outdated"? > > > > This sounds like a hack from ~ 20 years ago when people realized that > > running several programs at the same time as nobody does not isolate > > them from each other. > > > > Much better solutions for

Re: When should we https our mirrors?

2016-10-24 Thread Adrian Bunk
On Sun, Oct 23, 2016 at 06:04:50AM -0700, Kristian Erik Hermansen wrote: >... > The main issue is that a well positioned attacker, such as the NSA or > Chinese router admins, have the ability to collect and analyze in > real-time what systems have installed what patches installed by > monitoring th

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-24 Thread Adrian Bunk
On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote: >... > The value of HTTPS lies in its protection against passive snooping. Given > the sad state of the public CA infrastructure, you cannot really protect > against active MITM with HTTPS without certificate pinning. You are implicite

Re: When should we https our mirrors?

2016-10-24 Thread Adrian Bunk
On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote: > On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote: > but also I should point out that your email is being routed > insecurely via welho.com and lacks TLS in transit, so I also probably > shouldn't

Re: When should we https our mirrors?

2016-10-24 Thread Adrian Bunk
On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote: > Adrian Bunk writes ("Re: When should we https our mirrors?"): >... > Adrian: > > Noone is arguing that switching to https would be a bad thing, > > but whether or not it will happen depends solely on whe

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-24 Thread Adrian Bunk
On Mon, Oct 24, 2016 at 09:22:39AM -0700, Russ Allbery wrote: > Adrian Bunk writes: > > On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote: > > >>... > >> The value of HTTPS lies in its protection against passive snooping. Given > >> the sad sta

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-10-25 Thread Adrian Bunk
On Mon, Oct 24, 2016 at 04:33:57PM -0700, Russ Allbery wrote: > Adrian Bunk writes: >... > > I would assume this can be pretty automated, and that by NSA standards > > this is not a hard problem. > > Since the entire exchange is encrypted, it's not completely

Re: "PIE by default" transition is underway -- wiki needs updating

2016-10-26 Thread Adrian Bunk
On Wed, Oct 26, 2016 at 05:37:06AM +0200, Adam Borowski wrote: > On Wed, Oct 26, 2016 at 12:37:18AM +0200, Andreas Cadhalpun wrote: > > The current policy says: > > "As to the static libraries, the common case is not to have relocatable > > code" > > > > As of gcc-6 version 6.2.0-7 this is factua

Re: Planned NMU of w3-recs would use much archive disk space

2016-10-28 Thread Adrian Bunk
On Thu, Oct 27, 2016 at 08:41:12AM -0200, Henrique de Moraes Holschuh wrote: >... > That said, Thaddeus, if you do go ahead with the upload please check if > you can minimize that size somehow, even just a 10% drop in size would > already be worth the work it took for something big like this. >...

Re: Rebuilds with unexpected timestamps

2016-10-30 Thread Adrian Bunk
On Sun, Oct 30, 2016 at 04:02:48PM +, Ian Jackson wrote: >... > Most of our packages use `make' or something like it. make relies on > timestamps to decide what to rebuild. It seems that sometimes our > source packages contain combinations of timestamps (and perhaps stamp > files) which, in p

Re: Rebuilds with unexpected timestamps

2016-10-31 Thread Adrian Bunk
On Sun, Oct 30, 2016 at 11:48:56PM +, Simon McVittie wrote: >... > * Source for generated files in the tarball: should be in both git and > tarball, but sometimes mistakenly omitted from tarballs (e.g. configure.ac, > m4/foo.m4, build-aux/git-version-gen). Leaving these out of the tarball i

Re: Rebuilds with unexpected timestamps [and 1 more messages]

2016-10-31 Thread Adrian Bunk
On Mon, Oct 31, 2016 at 01:42:26AM +, Ian Jackson wrote: >... > Adrian Bunk writes ("Re: Rebuilds with unexpected timestamps"): > > Be prepared to see a lot of such issues when you touch random files. > > I'm certainly expecting to see lots of issues. >

Re: Rebuilds with unexpected timestamps [and 1 more messages]

2016-10-31 Thread Adrian Bunk
On Mon, Oct 31, 2016 at 03:58:12PM +, Ian Jackson wrote: > Adrian Bunk writes ("Re: Rebuilds with unexpected timestamps [and 1 more > messages]"): > > On Mon, Oct 31, 2016 at 01:42:26AM +, Ian Jackson wrote: > ... > > > If it does "sufficiently diff

Re: Rebuilds with unexpected timestamps

2016-11-01 Thread Adrian Bunk
On Tue, Nov 01, 2016 at 12:05:38PM +, Ian Jackson wrote: >... > Personally I think a Linux kernel tarball, without accompanying git > history, is a GPL violation. >... Why would the git *history* matter for GPL compliance? You can push from a shallow clone. > Ian. cu Adrian -- "Is

Re: Static linking and fPIC (Was: Re: "PIE by default" transition is underway -- wiki needs updating)

2016-11-01 Thread Adrian Bunk
On Mon, Oct 31, 2016 at 03:23:51PM +0100, Bálint Réczey wrote: > Hi Ian, > > 2016-10-31 14:19 GMT+01:00 Ian Campbell : > > On Mon, 2016-10-31 at 12:17 +0100, Bálint Réczey wrote: > >> 2016-10-31 10:38 GMT+01:00 Ian Campbell : > >> > If possible I'd also prefer a solution which fixed qcontrol-stati

Re: NRSS has been deprecated [#696302]

2016-11-01 Thread Adrian Bunk
On Sun, Oct 30, 2016 at 06:28:41AM +0100, Adam Borowski wrote: >... > An user interested in future releases is usually a contributor of sorts, > thus often has "devscripts" installed. The typical user of Debian stable is running Debian on servers, and will become interested in a future release aft

Re: unattended-upgrades by default?

2016-11-04 Thread Adrian Bunk
On Thu, Nov 03, 2016 at 06:47:28PM +, Steve McIntyre wrote: >... > * it will be a different experience compared to what people will get >when installing Debian normally, using d-i / debootstrap. Most >(all?) of our desktop environments already have some automatic >notification of a

Re: Intended MBF: maintainer scripts not starting on #!

2016-11-04 Thread Adrian Bunk
On Fri, Nov 04, 2016 at 09:22:02PM +0100, Ralf Treinen wrote: > Hi, Hi Ralf, > in the Colis project (which aims at analyzing maintainer scripts) we > found 39 maintainer scripts in stable which do not start on #!. The > list is attached. Policy 6.1 says about maintainer scripts: > > if they ar

Re: Intended MBF: maintainer scripts not starting on #!

2016-11-04 Thread Adrian Bunk
On Fri, Nov 04, 2016 at 05:05:33PM -0400, Scott Kitterman wrote: > > > On November 4, 2016 5:01:31 PM EDT, Adrian Bunk wrote: > >On Fri, Nov 04, 2016 at 09:22:02PM +0100, Ralf Treinen wrote: > >> Hi, > > > >Hi Ralf, > > > >> in the Colis proj

Re: Intended MBF: maintainer scripts not starting on #!

2016-11-04 Thread Adrian Bunk
On Fri, Nov 04, 2016 at 10:21:13PM +0100, Ralf Treinen wrote: > On Fri, Nov 04, 2016 at 11:01:31PM +0200, Adrian Bunk wrote: > > On Fri, Nov 04, 2016 at 09:22:02PM +0100, Ralf Treinen wrote: > > > Hi, > > > > Hi Ralf, > > > > > in the Colis project (w

Re: OpenSSL 1.1.0

2016-11-04 Thread Adrian Bunk
On Thu, Nov 03, 2016 at 10:49:30AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > On Thursday, 3 November 2016 12:34:23 PM ART Tino Mettler wrote: > > On Wed, Nov 02, 2016 at 14:02:52 -0300, Lisandro Damián Nicanor Pérez Meyer > > wrote: > > > > [...] > > > > > Today we the Qt/KDE t

Re: unattended-upgrades by default?

2016-11-04 Thread Adrian Bunk
On Fri, Nov 04, 2016 at 10:27:00PM +, Holger Levsen wrote: > On Fri, Nov 04, 2016 at 10:51:15PM +0200, Adrian Bunk wrote: > > Should Debian also default to automatically reboot? > > > > If the answer is "no", then nothing is a solution that does not also > &

Re: Road to Stretch: let's stop increasing major version number in critical libraries at this point

2016-11-05 Thread Adrian Bunk
On Sat, Nov 05, 2016 at 11:14:02AM +0100, Thomas Goirand wrote: > Hi, Hi Thomas, >... > Finally, with the above examples as illustration (and please, these > aren't attacks in any way...), I guess what I'm trying to say here is: > > While disruptive changes are necessary evils so we upgrade ever

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-11-05 Thread Adrian Bunk
On Tue, Oct 25, 2016 at 11:06:23AM -0700, Russ Allbery wrote: > Adrian Bunk writes: >... > So, I'm not quite sure how to put this, since I don't know how much work > you've done professionally in computer security, and I don't want to > belittle that.

Re: libc recently more aggressive about pthread locks in stable ?

2016-11-06 Thread Adrian Bunk
On Sun, Nov 06, 2016 at 05:41:34PM -0200, Henrique de Moraes Holschuh wrote: > On Sun, 06 Nov 2016, Ben Hutchings wrote: > > It's worth noting that TSX is broken in 'Haswell' processors and is > > supposed to be disabled via a microcode update. I don't know whether > > glibc avoids using it on the

Re: Bug#842796: libc recently more aggressive about pthread locks in stable ?

2016-11-06 Thread Adrian Bunk
On Sun, Nov 06, 2016 at 08:04:39AM +0100, Petter Reinholdtsen wrote: > [Henrique de Moraes Holschuh] > > And what should we do about Debian stretch, then? > > I believe a good start would be to add an assert() in a test version of > glibc and then run all the autopkgtest scripts on the packages in

Re: What to do when a maintainer is blocking maintenance for stretch?

2016-11-09 Thread Adrian Bunk
On Wed, Nov 09, 2016 at 06:45:43PM +, Mattia Rizzolo wrote: >... > Also, a personal pledge to everybody who's reading this: please don't > attach yourself to your packages like mussels on a rock. If you realize > (or somebody else is making you realize) that you're doing a bad job on > a packa

Re: More 5 november in the release schedule

2016-11-09 Thread Adrian Bunk
On Wed, Nov 09, 2016 at 11:16:36AM +0800, Paul Wise wrote: > On Wed, Nov 9, 2016 at 1:36 AM, Emilio Pozuelo Monfort wrote: > > > Right. We want auto-removals to be useful for the release process, so that > > we > > don't end up with a thousand of RC bugs in testing when we freeze, most of > > th

Re: unattended-upgrades by default?

2016-11-09 Thread Adrian Bunk
On Tue, Nov 08, 2016 at 11:16:53AM +0800, Paul Wise wrote: > On Tue, Nov 8, 2016 at 4:26 AM, Adam Borowski wrote: > > > Forced reboot on upgrade is damage. Let's learn from errors of others. > > needrestart has a mechanism (needrestart-session) to hook into user > sessions, perhaps that could be

Re: NRSS has been deprecated [#696302]

2016-11-09 Thread Adrian Bunk
On Mon, Nov 07, 2016 at 08:58:53PM +0100, Adam Borowski wrote: > On Sun, Oct 30, 2016 at 06:55:33PM +, Clint Adams wrote: > > On Sun, Oct 30, 2016 at 06:28:41AM +0100, Adam Borowski wrote: > > > A maintainer would then file "ITR: dasher" and wait for responses before > > > requesting RM. > > >

Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

2016-11-09 Thread Adrian Bunk
On Sun, Nov 06, 2016 at 12:03:03AM +0100, Philipp Kern wrote: > On 2016-11-05 22:23, Adrian Bunk wrote: > > The solution you are trying to sell is apt-transport-https as default. > [...] > > Your solution would be a lot of work with relatively little improvement. > > Well

Re: OpenSSL 1.1.0

2016-11-14 Thread Adrian Bunk
On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > Marco d'Itri: > > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > > > >> And yes, I would step back and switch libssl-dev to provide libssl1.0-dev > >> and > >> have libssl1.1-dev around for anyone who can really do the sw

Re: OpenSSL 1.1.0

2016-11-15 Thread Adrian Bunk
On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: > > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > > > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev > > >

Re: OpenSSL 1.1.0

2016-11-15 Thread Adrian Bunk
On Tue, Nov 15, 2016 at 07:03:28PM +1100, Scott Leggett wrote: > On 2016-11-15.00:16, Adrian Bunk wrote: > > Bugs like "With Kurt's patch, apache2 crashes on startup with an invalid > > free." > > or #843988 will be a common sight on the list of RC bugs fo

Re: libc recently more aggressive about pthread locks in stable ?

2016-11-15 Thread Adrian Bunk
On Mon, Nov 14, 2016 at 10:31:18AM +0100, Gert Wollny wrote: > On Sunday, 06.11.2016, 01:12 -0200 Henrique de Moraes > Holschuh wrote: > > > > Unfortunately, when hardware lock elision support was added to glibc > > upstream, libpthreads was *not* changed to properly assert() this

Re: OpenSSL 1.1.0

2016-11-16 Thread Adrian Bunk
On Wed, Nov 16, 2016 at 12:15:39AM +0100, Sebastian Andrzej Siewior wrote: > On 2016-11-15 00:16:14 [+0200], Adrian Bunk wrote: > > And since 80% of all OpenSSL-using packages in unstable are still > > using libssl1.0.2 (binNMUs have not yet happened), all runtime > > issue

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 12:27:43AM -0500, Scott Kitterman wrote: > On Wednesday, November 16, 2016 10:04:00 PM Lisandro Damián Nicanor Pérez > Meyer wrote: > > On Thursday, 17 November 2016 00:40:42 ART Kurt Roeckx wrote: > > > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: >

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Wed, Nov 16, 2016 at 10:53:18PM +0100, Sebastian Andrzej Siewior wrote: > On 2016-11-16 19:49:44 [+0200], Adrian Bunk wrote: > > The problem are not specific bugs, the problem is the whole size of the > > problem: > > > > 1. Sorting out what packages have to stay a

Re: libc recently more aggressive about pthread locks in stable ?

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 09:28:34AM -0200, Henrique de Moraes Holschuh wrote: > On Thu, Nov 17, 2016, at 09:11, Lucas Nussbaum wrote: > > On 17/11/16 at 08:31 -0200, Henrique de Moraes Holschuh wrote: > > > The deal with *current* Debian stable is that, if the breakage is too > > > widespread, we si

Re: libc recently more aggressive about pthread locks in stable ?

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 11:38:46AM -0200, Henrique de Moraes Holschuh wrote: > On Thu, Nov 17, 2016, at 09:50, Adrian Bunk wrote: > > But we do already have > 1 year of widespread testing by users > > running unstable/testing on machines with TSX enabled. > > > > So

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 10:43:53PM +0100, Moritz Mühlenhoff wrote: > Adrian Bunk wrote: > > On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez > > Meyer wrote: > >> On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: > >>

Re: OpenSSL 1.1.0

2016-11-18 Thread Adrian Bunk
On Fri, Nov 18, 2016 at 10:22:59PM +0100, Moritz Mühlenhoff wrote: > Adrian Bunk wrote: > > And/or get sponsorship from companies for supporting ChaCha20-patched > > 1.0.2 > > It's not a matter of whipping up some patch; anything less than an > official backp

Re: Multi-Arch: allowed

2016-11-19 Thread Adrian Bunk
On Sat, Nov 19, 2016 at 05:53:04PM +0100, Julien Cristau wrote: > On Tue, Nov 1, 2016 at 18:11:27 +0100, Thibaut Paumard wrote: > > > The -dbg package is Multi-Arch same. It Depends on the packages for > > which it provides debugging symbols, some of which are Multi-Arch: > > allowed. > > That D

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote: > On Thu, 24 Nov 2016, Kurt Roeckx wrote: >... > > > So, if Qt *ever* exposes its use of openssl anywere in its APIs, it > > > might not be safe. If it doesn't (i.e. at most you have a qt flag that > > > says "use SSL",

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 03:20:06PM +0100, Jan Niehusmann wrote: > On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote: > > If inspection is not easily possible, then adding a dependency on > > libssl1.0-dev to qtbase5-private-dev should be sufficient to > > ensure th

Re: [Letsencrypt-devel] Certbot in Debian Stretch

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 02:45:26PM +0100, Ondřej Surý wrote: > On Thu, Nov 24, 2016, at 13:39, Philipp Kern wrote: > > So if you, as an upstream maintainer, have a change that is needed for > > compatibility with changes in network APIs and the change is reviewable > > by humans, a stable update co

Re: [Letsencrypt-devel] Certbot in Debian Stretch

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 05:22:29PM +0100, Daniel Pocock wrote: >... > For networked services, it is different. > > Debian has already been carrying updated versions of Firefox and > Chromium in stable including bundled dependencies too. Maybe we need to > have an objective way of deciding which o

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 02:50:23PM -0200, Henrique de Moraes Holschuh wrote: > On Thu, 24 Nov 2016, Adrian Bunk wrote: > > On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote: > > > On Thu, 24 Nov 2016, Kurt Roeckx wrote: > > >... > > >

Re: [Letsencrypt-devel] Certbot in Debian Stretch

2016-11-26 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 07:08:33PM +0100, Daniel Pocock wrote: > > > On 24/11/16 17:39, Adrian Bunk wrote: > > On Thu, Nov 24, 2016 at 05:22:29PM +0100, Daniel Pocock wrote: > >> ... > >> For networked services, it is different. > >> > >> D

Re: MIA maintainers and RC-buggy packages

2016-12-04 Thread Adrian Bunk
On Sun, Dec 04, 2016 at 01:14:42PM +0100, Christoph Biedl wrote: >... > To add a few criteria, I'd remove a package from sid only if it >... > * has been orphaned for a longer time, say: a year > So again users of that package had a grace period to ask for work on > that package. >... Two ques

Re: contacting all bug reporters for a package?

2016-12-19 Thread Adrian Bunk
On Thu, Dec 15, 2016 at 11:11:27AM +0100, Daniel Pocock wrote: > > Is there any easy way to contact everybody who made a bug report against > a package and ask them to check if the latest upload fixes it? Or is > there any script for maintainers to do this? I would expect the majority of your us

Re: contacting all bug reporters for a package?

2016-12-19 Thread Adrian Bunk
On Mon, Dec 19, 2016 at 10:15:33PM +0100, Daniel Pocock wrote: > > > On 19/12/16 21:57, Adrian Bunk wrote: > > On Thu, Dec 15, 2016 at 11:11:27AM +0100, Daniel Pocock wrote: > >> > >> Is there any easy way to contact everybody who made a bug report against > &

Re: Validating tarballs against git repositories

2024-04-02 Thread Adrian Bunk
On Mon, Apr 01, 2024 at 11:17:21AM -0400, Theodore Ts'o wrote: > On Sat, Mar 30, 2024 at 08:44:36AM -0700, Russ Allbery wrote: >... > > Yes, perhaps it's time to switch to a different build system, although one > > of the reasons I've personally been putting this off is that I do a lot of > > featu

Re: autoreconf --force not forcing (was Re: Validating tarballs against git repositories)

2024-04-02 Thread Adrian Bunk
On Mon, Apr 01, 2024 at 08:07:27PM +0200, Guillem Jover wrote: >... > On Sat, 2024-03-30 at 14:16:21 +0100, Guillem Jover wrote: >... > > This seems like a serious bug in autoreconf, but I've not checked if > > this has been brought up upstream, and whether they consider it's > > working as intende

Re: autoreconf --force not forcing (was Re: Validating tarballs against git repositories)

2024-04-02 Thread Adrian Bunk
On Tue, Apr 02, 2024 at 06:05:22PM +0100, Colin Watson wrote: > On Tue, Apr 02, 2024 at 06:57:20PM +0300, Adrian Bunk wrote: > > On Mon, Apr 01, 2024 at 08:07:27PM +0200, Guillem Jover wrote: > > > On Sat, 2024-03-30 at 14:16:21 +0100, Guillem Jover wrote: > > > > Th

Re: New supply-chain security tool: backseat-signed

2024-04-02 Thread Adrian Bunk
On Wed, Apr 03, 2024 at 02:31:11AM +0200, kpcyrd wrote: >... > I figured out a somewhat straight-forward way to check if a given `git > archive` output is cryptographically claimed to be the source input of a > given binary package in either Arch Linux or Debian (or both). For Debian the proper ap

Re: New supply-chain security tool: backseat-signed

2024-04-04 Thread Adrian Bunk
On Thu, Apr 04, 2024 at 09:39:51PM +0200, kpcyrd wrote: >... > I've checked both, upstreams github release page and their website[1], but > couldn't find any mention of .tar.xz, so I think my claim of Debian doing > the compression is fair. > > [1]: https://www.vim.org/download.php >... Perhaps t

Re: New supply-chain security tool: backseat-signed

2024-04-04 Thread Adrian Bunk
On Fri, Apr 05, 2024 at 01:30:51AM +0200, kpcyrd wrote: > On 4/5/24 12:31 AM, Adrian Bunk wrote: > > Hashes of "git archive" tarballs are anyway not stable, > > so whatever a maintainer generates is not worse than what is on Github. > > > > Any proper

Re: New supply-chain security tool: backseat-signed

2024-04-06 Thread Adrian Bunk
On Sat, Apr 06, 2024 at 07:13:22PM +0800, Sean Whitton wrote: > Hello, > > On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote: > > > > > Right now the preferred form of source in Debian is an upstream-signed > > release tarball, NOT anything from git. > > T

Re: New supply-chain security tool: backseat-signed

2024-04-06 Thread Adrian Bunk
On Sat, Apr 06, 2024 at 03:54:51PM +0200, kpcyrd wrote: >... > autotools pre-processed source code is clearly not "the preferred form of > the work for making modifications", which is specifically what I'm saying > Debian shouldn't consider a "source code input" either, to eliminate this > vector f

Re: Mandatory LC_ALL=C.UTF-8 during package building

2024-06-17 Thread Adrian Bunk
Sorry for being late to this discussion, but there are a few points and a suggestion I'd like to make: 1. Reproducibility is not a big concern Quoting policy: Packages should build reproducibly, which for the purposes of this document means that given ... - a set of environment variab
