Russell Coker | 1 Jan 2009 01:49

Re: Override changes standard -> optional

On Wednesday 31 December 2008 11:32, Frans Pop <elendil <at> planet.nl> wrote:
> Russell Coker wrote:
> > Frans Pop wrote:
> > > Not really. SELinux is not even close to functional after a standard
> > > installation. For one thing, it gets installed *after* the initrd gets
> > > generated and the initrd does not get regenerated, so the admin has to
> > > do that manually after rebooting into the installed system.
> >
> > There is no need to regenerate an initrd in Debian.
>
> I just did a standard i386 install using the instructions on the wiki [1]
> (which BTW look to be rather outdated in several respects).

They were, I have just made some significant changes.

> I did my previous test at the time of the discussion in September and
> remember that I did need to regenerate the initrd then to get rid of some
> errors. It does seem better now.
>
> However, I still had to regenerate the initrd because of the instruction
> to add "no_static_dev="1" for udev.

Previously I hadn't realised that was possible.  It's mostly a cosmetic issue.  
Some daemons recursively scan /dev and generate some audit messages if you 
don't do it.  But there is no security issue.  I have all my SE Linux 
machines running without that change.

> I also feel that as long as you need to check for instructions in a wiki
> and manually edit various config files (most importantly in /etc/pam.d)
> in order to activate SELinux support that there is very little gain in

Steve Langasek | 1 Jan 2009 03:05

Re: RFC: adding pre-depends to libpam-modules for lenny

On Wed, Dec 31, 2008 at 08:01:37PM +0100, Marc Haber wrote:
> On Sun, 28 Dec 2008 00:57:22 -0600, Steve Langasek <vorlon <at> debian.org>
> wrote:
> >The issue is that, in order to reliably ensure that a user (such as the
> >admin) is not locked out by xscreensaver or xlockmore in the middle of an
> >upgrade,

> The release notes strongly suggest not doing the upgrade from within
> an X session, so I'd regard a lock-out due to an X screensaver kicking
> in an admin error.

The information in the release notes is outdated in this regard: gdm doesn't
get restarted on upgrade, so there's no particular danger of botching the
upgrade by running apt under gdm.  Thanks, I've updated the release notes.

Also, the release notes only say that you shouldn't run the upgrade *from*
such X sessions, this says nothing about leaving X sessions running for
other users during an upgrade.  (Though it's implicit that if you're not
using gdm, these users are going to be mad at you when their sessions
suddenly die.)

Finally, while a stable dist-upgrade is going to include updates to
libpam-modules and the *dm package in the same run, users tracking testing
or unstable could easily find themselves upgrading libpam-modules where they
believed it was safe and hitting this problem in the process.  So a general
fix is still needed for future ABI changes.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.

Frans Pop | 1 Jan 2009 03:55

Re: Override changes standard -> optional

Russell Coker wrote:
> On Wednesday 31 December 2008 11:32, Frans Pop wrote:
>> Russell Coker wrote:
>> I just did a standard i386 install using the instructions on the wiki
>> [1] (which BTW look to be rather outdated in several respects).
> 
> They were, I have just made some significant changes.

Thanks a lot for that. BTW, wouldn't it make sense to have separate wiki 
pages with setup info per release? The instructions for Etch probably are 
still valid.

> While SE Linux is disabled by default there is little benefit in having
> the packages pre-installed.

I'm glad we agree on that.

My personal opinion is that having selinux at priority standard is not the 
correct choice for Debian. It's good that we've tried it, but it's also 
good that we've now reverted it.

I'll be happy to work with you on designing some alternative way to 
(optionally) install *and* activate SELinux during new installations. 
Main restriction there will be that policy forbids us to modify config 
files of other packages, so any activation of SELinux in packages such as 
the changes in PAM config files will need to be supported by the relevant 
packages, probably through debconf settings.

From the few tests I've done SELinux has matured a lot and the Debian 
packaging has improved tremendously, mainly through your efforts. There 

Nicholas Breen | 1 Jan 2009 04:01

Re: mass bug filing for undefined sn?printf use

On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> Hi,
> 
> I'd like to seek advice before I perform a mass-bug filing for this
> unstable (though semi-common) use of "sprintf" and "snprintf":
[...]
>   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'

While fixing one of the affected packages, I discovered that it was
using similarly problematic syntax to act as a strcat replacement of the
form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch.  I
can't imagine that's a common mistake, but it's easy enough to match on
as well:

  pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'

> gabedit
> gromacs
> openbabel

All pending upload, thanks.

-- 
Nicholas Breen
nbreen <at> ofb.net
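The two regexps in this message run over a constructed C source fragment, as an added example (not Kees's or Nicholas's own tooling, which is pcregrep): Python's re module stands in for pcregrep -M (\s already matches newlines, so calls split across lines are caught), and the sample source lines are constructed for the demonstration.

```python
import re

# Kees Cook's original pattern requires a trailing comma after the repeated
# destination argument; Nicholas Breen's extension also accepts a closing
# parenthesis, so the strcat-style sprintf(buf, "%s\n", buf) is matched too.
ORIGINAL_PATTERN = re.compile(
    r'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,')
EXTENDED_PATTERN = re.compile(
    r'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]')

# Constructed sample C source; not taken from any real package.
SAMPLE_SOURCE = r"""
#include <stdio.h>
char buf[256];
char tmp[256];
void build(const char *name)
{
    sprintf(buf, "%s %s", buf, name);           /* overlapping: undefined */
    sprintf(buf, "%s\n", buf);                  /* overlapping, strcat-style */
    sprintf(tmp, "%s %s", buf, name);           /* fine: distinct destination */
    snprintf(buf, sizeof(buf), "%s", name);     /* fine: distinct source */
    sprintf(buf,
            "%s-%s", buf, name);                /* overlapping, split over lines */
}
"""


def find_overlapping_sprintf(source, pattern=EXTENDED_PATTERN):
    """Return (line_number, destination) for every call in which the buffer
    passed as the destination is also passed as the first %s source, i.e.
    the overlapping-buffer use that C leaves undefined."""
    hits = []
    for m in pattern.finditer(source):
        # Line of the 'sprintf' keyword, even when the call spans lines.
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).strip()))
    return hits


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PATTERN), ("extended", EXTENDED_PATTERN)):
        print(label, find_overlapping_sprintf(SAMPLE_SOURCE, pat))
```

The extended pattern reports lines 7, 8 and 11 of the sample; the original misses line 8. Note that neither pattern inspects snprintf calls at all, since the literal "sprintf" is not a substring of "snprintf", so that form needs its own pattern.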

Russell Coker | 1 Jan 2009 07:58

Re: Override changes standard -> optional

On Thursday 01 January 2009 13:55, Frans Pop <elendil <at> planet.nl> wrote:
> > They were, I have just made some significant changes.
>
> Thanks a lot for that. BTW, wouldn't it make sense to have separate wiki
> pages with setup info per release? The instructions for Etch probably are
> still valid.

It would.  In preparation for that I made my personal web page about it 
include Lenny in the name.

Of course Etch SE Linux isn't particularly functional without a set of extra 
packages that are only on my personal web site.  I have been considering 
removing those packages due to an apparent lack of interest.

> I'll be happy to work with you on designing some alternative way to
> (optionally) install *and* activate SELinux during new installations.
> Main restriction there will be that policy forbids us to modify config
> files of other packages, so any activation of SELinux in packages such as
> the changes in PAM config files will need to be supported by the relevant
> packages, probably through debconf settings.

Currently in Debian booting the kernel with "selinux=1" is needed to enable SE 
Linux.  This is in contrast to RHEL, CentOS, and Fedora where it's enabled by 
default and booting with "selinux=0" is required if you want to disable it.

So if the user typed "install selinux=1" from the installer then the install 
kernel would have SE Linux enabled, and querying /proc/cmdline for selinux=1 
could be used for later stages of installation to determine whether SE Linux 
was desired.  Anaconda (the Red Hat installer) looks for selinux=0 to change 
its installation options.
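The /proc/cmdline check Russell describes, as an added example that is not code from this thread, from the Debian installer or from Anaconda. The sample command lines are constructed, and the rules that a later selinux= occurrence overrides an earlier one and that an unparsable value is ignored are assumptions of this example; default_enabled models the distribution default (False for Debian, which needs selinux=1; True for RHEL, CentOS and Fedora, which need selinux=0 to disable).

```python
import re

# Constructed sample command lines; not captured from a real system.
DEBIAN_STYLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet selinux=1 enforcing=0"
PLAIN_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
OVERRIDDEN_CMDLINE = 'root=/dev/sda1 selinux=1 console="ttyS0,115200" selinux=0'


def parse_cmdline(text):
    """Split a /proc/cmdline string into an ordered list of (key, value)
    pairs.  Bare flags such as 'ro' get the value None.  Double-quoted
    values are kept whole, so key="a b" does not split on the space."""
    pairs = []
    for token in re.findall(r'(?:[^\s"]+|"[^"]*")+', text):
        key, sep, value = token.partition("=")
        pairs.append((key, value.strip('"') if sep else None))
    return pairs


def selinux_requested(text, default_enabled=False):
    """Decide whether SE Linux is wanted for this boot.  The kernel's
    selinux= parameter is an integer: non-zero enables, zero disables.
    Assumptions of this example: the last occurrence wins, and a missing
    or unparsable value leaves the previous decision unchanged."""
    enabled = default_enabled
    for key, value in parse_cmdline(text):
        if key != "selinux":
            continue
        try:
            enabled = int(value) != 0
        except (TypeError, ValueError):
            pass
    return enabled


if __name__ == "__main__":
    # Installer stage: read the live command line when available.
    try:
        with open("/proc/cmdline") as f:
            live = f.read()
    except OSError:
        live = DEBIAN_STYLE_CMDLINE
    print("SE Linux requested:", selinux_requested(live))
```

With the Debian default the first sample answers True and the plain one False; the same function with default_enabled=True reproduces the Anaconda-style test, where only an explicit selinux=0 turns it off.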

Joe Smith | 1 Jan 2009 08:02

Re: Override changes standard -> optional


Joerg Jaspert <joerg <at> debian.org> wrote:
>
>>> finger
>> It's been a while since I've seen a useful finger server, I think it's 
>> fine
>> to drop this too.
>
> db.debian.org, but that doesn't need it standard.

For what it's worth, finger's local features are still important.
I've recently seen a professor explain to a class of students
mostly unfamiliar with Unix-style systems that the command to
list the users currently logged in was "finger". Obviously
the normal command for this purpose is "who".

Also AFAIK finger is the only program that normally exposes
the contents of the /etc/passwd GECOS field, as well as the .plan
and .project files. I'll admit those are rarely used today,
but there is some major tradition behind finger being a basic UNIX
component. 

Bastian Blank | 1 Jan 2009 12:54

Re: Results for General Resolution: Lenny and resolving DFSG violations

On Sun, Dec 28, 2008 at 08:45:16PM -0500, Theodore Tso wrote:
> If there was a GR which changed the Debian Social Contract which
> relaxed the first clause to only include __software__ running on the
> Host CPU, I would enthusiastically vote for such a measure.

I doubt that this is a usable definition.

Do you think that the fact that a program is pushed into another
general-purpose CPU should always make it free? An imaginary system can
include several CPU types:
- Host CPU (let's say the Power cores of a Cell processor)
- Slave CPU (the SPUs of a Cell processor, different instruction set
  and ABI than the host)
- GPU (current NVidia and ATI chips can be filled with rather generic
  programs to do vector operations)
- device driving CPU (e.g. the MIPS cores of a Broadcom network chip)

Only the last ones are usually filled by the OS with a firmware and then
started.

Bastian

-- 
Yes, it is written.  Good shall always destroy evil.
		-- Sirah the Yang, "The Omega Glory", stardate unknown

Michel Loos | 1 Jan 2009 16:42

Bug#510408: ITP: biew -- console hex viewer/editor with disassembler

Package: wnpp
Severity: wishlist
Owner: Michel Loos <loos <at> mloos.eti.br>

* Package name    : biew
  Version         : 5.7.1
  Upstream Author : Nick Kurshev <nickols_k <at> users.sourceforge.net>
* URL             : http://sourceforge.net/projects/biew/
* License         : GPL
  Programming Lang: C
  Description     : console hex viewer/editor with disassembler

BIEW (Binary vIEW) is a free, portable, advanced file viewer with built-in
editor for binary, hexadecimal and disassembler modes. It contains a
highlighting AVR/Java/i86-AMD64/ARM-XScale/PPC-64 and other disassembler,
and a full preview of MZ, NE, PE, ELF and other formats.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Stefan Ott | 1 Jan 2009 19:05

Bug#510425: ITP: fookebox -- A jukebox-style web-frontend to mpd

Package: wnpp
Severity: wishlist
Owner: Stefan Ott <stefan <at> ott.net>

* Package name    : fookebox
  Version         : 0.2.0
  Upstream Author : Stefan Ott <stefan <at> ott.net>
* URL             : http://fookebox.googlecode.com/
* License         : GPL
  Programming Lang: PHP
  Description     : A jukebox-style web-frontend to mpd

fookebox is a jukebox-style web-frontend to mpd that can be used as a
keyboard-less jukebox or as a powerful mpd control frontend.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (750, 'testing')
Architecture: i386 (i686)

Stefan Ott | 1 Jan 2009 19:08

Bug#510426: ITP: fookebox -- A jukebox-style web-frontend to mpd

Package: wnpp
Severity: wishlist
Owner: Stefan Ott <stefan <at> ott.net>

* Package name    : fookebox
  Version         : 0.2.0
  Upstream Author : Stefan Ott <stefan <at> ott.net>
* URL             : http://fookebox.googlecode.com/
* License         : GPL
  Programming Lang: PHP
  Description     : A jukebox-style web-frontend to mpd

fookebox is a jukebox-style web-frontend to mpd that can be used as a
keyboard-less jukebox or as a powerful mpd control frontend.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (750, 'testing')
Architecture: i386 (i686)
