Vagas abertas
Empresa de São Paulo procura interessados com internet, para trabalhar em tempo parcial ou integral, com altos ganhos. Visite: www.redebiz.com.br/pri Paulo
Bug#169744: debian-policy: typos in policy.sgml
Package: debian-policy Version: 3.5.8.0 Severity: minor Tags: patch Hello maintainers, Here is a diff from policy.sgml cvs version 1.81. fixing typos. Best regards, Philippe Batailler. *** diff-policy --- policy.sgml Tue Nov 19 14:23:42 2002 +++ policy-new.sgml Tue Nov 19 14:23:15 2002 @@ -4739,7 +4739,7 @@ if [ $1 = purge ]; then update-rc.d varpackage/var remove fi - /example. Note that is your package changes runlevels + /example. Note that if your package changes runlevels or priority, you may have to remove and recreate the links, since otherwise the old links may persist. Refer to the documentation of @@ -7519,7 +7519,7 @@ p Info documents should be installed in file/usr/share/info/file. - They should be compressed with ttgzip -9/tt./p + They should be compressed with prgngzip/prgntt-9/tt./p p Your package should call prgninstall-info/prgn to update @@ -7564,7 +7564,7 @@ Text documentation should be installed in the directory file/usr/share/doc/varpackage/var/file, where varpackage/var is the name of the package, and - compressed with ttgzip -9/tt unless it is small./p + compressed with prgngzip/prgntt-9/tt unless it is small./p p If a package comes with large amounts of documentation which @@ -7594,7 +7594,7 @@ Any files that are referenced by programs but are also useful as standalone documentation should be installed under file/usr/share/doc//file with symbolic links from - file/usr/share/doc/lt;packagegt;/file + file/usr/share/doc/var or lt;package or gt; see next paragraph/var/file /p p @@ -7742,7 +7742,7 @@ contact the packagedpkg/package maintainer to have the parser script for it included in the prgndpkg/prgn package. (You will need to agree that the parser and its manpage may be -distributed under the GNU GPL, just as the rest of `dpkg' is.) +distributed under the GNU GPL, just as the rest of prgndpkg/prgn is.) /p /footnote /p @@ -,8 +,8 @@ p All of these files should be installed compressed using - ttgzip -9/tt, as they will become large with time even - if they start out small. + prgngzip/prgntt-9/tt, as they will become large with time + even if they start out small. /p p @@ -9444,7 +9444,7 @@ item p - This is a compressed (with ttgzip -9/tt) + This is a compressed (with prgngzip/prgntt-9/tt) prgntar/prgn file containing the source code from the upstream authors of the program. The tarfile unpacks into a directory -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux clalis 2.2.20 #1 Mon Nov 18 21:55:40 CET 2002 i586 Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: web browser url viewing proposal
On Mon, Nov 18, 2002 at 07:38:22PM -0500, Joey Hess wrote: This proposal grows out of dissatisfaction with the hard-coded browser lists provided by various programs like xchat and urlview to run a browser displaying an url. Also a desire to do right the BROWSER environment variable ESR proposed at http://www.tuxedo.org/~esr/BROWSER/. Mostly because I never want to configure again in a program what web browser to use. Yes, yes, yes!!! Julian -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Julian Gilbey, website: http://www.polya.uklinux.net/ Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/ Visit http://www.thehungersite.com/ to help feed the hungry
Re: web browser url viewing proposal
Joey Hess [EMAIL PROTECTED] writes: This proposal grows out of dissatisfaction with the hard-coded browser lists provided by various programs like xchat and urlview to run a browser displaying an url. Also a desire to do right the BROWSER environment variable ESR proposed at http://www.tuxedo.org/~esr/BROWSER/. Mostly because I never want to configure again in a program what web browser to use. It's modelled on the EDITOR and /usr/bin/editor and /usr/bin/sensible-editor stuff already in policy, with some quirks because the BROWSER variable is more complicated, and to allow for X and non-X browsers. [ ... ] Fully seconded. (In the sense of implementing this mechanism, fixing the affected packages and finally making it policy.) This is especially helpful when packaging programs having an extensive manual in HTML and some Help button in their menu. It hit me when I was trying to package euler, which defaults to calling netscape. (Now someone else packaged it before me and did not bother to look for a sensible solution...) Lukas -- This is not a signature
Re: web browser url viewing proposal
On Mon, Nov 18, 2002 at 07:38:22PM -0500, Joey Hess wrote: This proposal grows out of dissatisfaction with the hard-coded browser lists provided by various programs like xchat and urlview to run a browser displaying an url. Also a desire to do right the BROWSER environment variable ESR proposed at http://www.tuxedo.org/~esr/BROWSER/. Mostly because I never want to configure again in a program what web browser to use. Seconded, with one proviso: can we standardize on the Compatible Secure BROWSER Definition from http://www.dwheeler.com/browse/secure_browser.html instead? This is what man-db implements for the 'man -H' switch; ESR-style BROWSER variables will still work as intended, but %c is added in order to permit a colon in commands and it specifies what shell escaping is to be performed on URLs to get rid of the hideous security flaws. -- Colin Watson [EMAIL PROTECTED]
Bug#167604: debian-policy: provides the exception of static libraries.
On Sat, Nov 16, 2002 at 12:34:43AM +0900, Akira TAGOH wrote: On Fri, 15 Nov 2002 13:27:49 +0100, BA == Bill Allombert [EMAIL PROTECTED] wrote: BA You need to link your executable binary with -export-dynamic: BA man ld: BA-export-dynamic BA When creating an ELF file, add all symbols to the BA dynamic symbol table. Normally, the dynamic symbol BA table contains only symbols which are used by a dy BA namic object. This option is needed for some uses BA of dlopen. No, it doesn't help. try this case: ---Makefile t-static: t.c libfoo.a gcc -static -export-dynamic -o $@ $ -L. -lfoo -ldl Wait a minute, -export-dynamic is an option to *ld* not to gcc! Rewrite this line as t-static: t.c libfoo.a gcc -Xlinker -export-dynamic -o $@ t.c libfoo.a -L. -ldl % rm ./t-static; make % ldd ./t-static libdl.so.2 = /lib/libdl.so.2 (0x40019000) libc.so.6 = /lib/libc.so.6 (0x4001e000) /lib/ld-linux.so.2 = /lib/ld-linux.so.2 (0x4000) % make test yellowpig% make test LD_LIBRARY_PATH=. ./t-shared test. test.: test.: LD_LIBRARY_PATH=. ./t-static test. test.: test.: Anyway, if it is a bug in dlopen() or in some Makefile, then it is not a bug in policy. Cheers, Bill
Re: web browser url viewing proposal
Lukas Geyer wrote: Fully seconded. (In the sense of implementing this mechanism, fixing the affected packages and finally making it policy.) This is especially helpful when packaging programs having an extensive manual in HTML and some Help button in their menu. It hit me when I was trying to package euler, which defaults to calling netscape. (Now someone else packaged it before me and did not bother to look for a sensible solution...) Yes, that's the very common case that I forgot to mention of course. I suppose I'll wait a day or two and then we can begin by starting to send out bugs with patches to the various brosers and browser-using programs. -- see shy jo pgpEqbrnJBZHs.pgp Description: PGP signature
Unidentified subject!
Colin Watson wrote:
Seconded, with one proviso: can we standardize on the Compatible Secure
BROWSER Definition from
http://www.dwheeler.com/browse/secure_browser.html instead? This is what
man-db implements for the 'man -H' switch; ESR-style BROWSER variables
will still work as intended, but %c is added in order to permit a colon
in commands and it specifies what shell escaping is to be performed on
URLs to get rid of the hideous security flaws.
I assume you mean the compatible alternative and not the bare one
(though there's something to be said for the bare one; wrappers are not
hard to write).
First of all, it's possible to write a program that uses ESR's BROWSER
without passing the url through the shell. Here is a modification of my
sensible-browser program that does that:
--- sensible-browser~ 2002-11-19 12:20:14.0 -0500
+++ sensible-browser2002-11-19 12:20:31.0 -0500
@@ -11,7 +11,7 @@
else {
$_.=' '.$url;
}
- exec $_;
+ exec split ' ', $_;
# on failure, continue to next in list
}
Before:
[EMAIL PROTECTED]:~BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://
rm -rf /
After:
[EMAIL PROTECTED]:~BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://;echo rm -rf /
So is the increased complexity of making %s be converted to an escaped
absolute reference worth it? I note that the definition of escaped
absolute reference uses a hardcoded list of shell metacharacters to
escape. Such lists are often incomplete, I've seen exploits on bugtraq
of this kind of thing in the past. It seems easier to just program
defensively, not pull the shell into the picture, and not worry about
escaping.
The secure browser page does mention wanting to pass the BROWSER command
through the shell for backwards compatability (with what one wonders)
and to allow complicated shell expressions in BROWSER. I think that's a
bit of a non-starter; if you need something complicated you can
certianly write an external script. The complexity outweighs the gain.
How about we just add something like this to the proposal:
When implementing BROWSER in a program, be careful to not pass the URL
through the shell when running the browser commands, as the url might
contain shell metacharacters and there could be security problems. If
you must pass the URL through the shell, be careful to properly escape
it first.
--
see shy jo
pgpVtLxhnP83E.pgp
Description: PGP signature
Re: web browser url viewing proposal
Joey Hess wrote: First of all, it's possible to write a program that uses ESR's BROWSER without passing the url through the shell. Here is a modification of my sensible-browser program that does that: And I have a patch for urlview now, based on ESR's, that while using system, quotes the url properly even if calling BROWSER, and is also shell-safe. It's really not hard. -- see shy jo pgp9qKY2RNmK8.pgp Description: PGP signature
CVS branden: Branden
CVSROOT:/org/cvs.debian.org/cvs/debian-policy Module name:debian-policy Changes by: branden Tue Nov 19 13:57:58 MST 2002 Modified files: . : policy.sgml Log message: Branden * typographical fixes courtesy of Philippe Batailler (Closes: #169744) * fix two instances of bogus capitalization * stop advising semantic overload of grave accent and apostrophe characters as single-quotes * make Policy Manual consistent with above advice
Bug#169744: debian-policy: typos in policy.sgml
On Tue, Nov 19, 2002 at 02:32:19PM +0100, Philippe Batailler wrote: - They should be compressed with ttgzip -9/tt./p + They should be compressed with prgngzip/prgntt-9/tt./p I disagree this is in any way a typo fix. The right replacement tag in HTML would be kbd; what you did there was remove a perfectly legal space, and split the group into two pieces for no reason. -- 2. That which causes joy or happiness.
CVS branden: Branden
CVSROOT:/org/cvs.debian.org/cvs/debian-policy Module name:debian-policy Changes by: branden Tue Nov 19 16:00:41 MST 2002 Modified files: . : policy.sgml Log message: Branden * Change markup of gzip -9 to a kbd element everywhere. * Change markup of gzip in one place from a tt to a prgn element.
Re: CVS branden: Branden
On Tue, Nov 19, 2002 at 11:00:41PM -0700, debian-policy@lists.debian.org wrote: CVSROOT: /org/cvs.debian.org/cvs/debian-policy Module name: debian-policy Changes by: branden Tue Nov 19 16:00:41 MST 2002 Modified files: . : policy.sgml Log message: Branden * Change markup of gzip -9 to a kbd element everywhere. I said kbd would be used in HTML. This is not HTML. :) /me thwaps Overfiend with `debian/rules build` -- 2. That which causes joy or happiness.
Re: web browser url viewing proposal
- Various browsers register mime types for text/html and so on, and that works ok. It is out of the scope of this proposal. ... My proposal adds: - /usr/bin/x-www-browser alternative formalized in policy - /usr/bin/www-browser alternative added for non-X browsers - /usr/bin/sensible-browser, presumably to debianutils, a sample implementation attached to this message understands BROWSER, and can use www-browser or x-www-browser as fallback - programs that want to open an url in a browser can call sensible-browser or check BROWSER themselves with fallback I agree. I have an open bug about this on one of my packages and in another package I used a hardcoded list of browsers to try in sequence. Therefore I was about to propose something similar. I propose also that sensible-browser is registered as preferred or only handler for text/html and other url mime types. This can obviously be overriden in personal mailcap files but the debian alternative and the BROWSER variable should be the preferred control it. In addition, programs should choose a good default web browser if none is selected by the user or system administrator. This should be done in a centralized way by sensible-browser. Other programs should call only sensible-browser, unless they require some specific browser. If none selects a good default the x-www-browser alternative should do it. Thus, every program that launches a web browser with an URL must use the BROWSER environment variable to determine what browser the user wishes to use. Again, why not just call sensible-browser? A program needing a browser should simply depend on debianutils and www-browser|x-www-browser. Parsing the BROWSER variable and substituting the url value in the proper way in every program seems to me an unnecessary duplication of code. Another utility that I would like to see in debianutils (or some other pkg) is a program to encode/decode an url. This would probably be useful also for the sensible-browser script. -- Massimo Dal Zotto [EMAIL PROTECTED]
Re: web browser url viewing proposal
On Wed, Nov 20, 2002 at 12:48:13AM +0100, Massimo Dal Zotto wrote: Again, why not just call sensible-browser? A program needing a browser should simply depend on debianutils and www-browser|x-www-browser. Parsing the BROWSER variable and substituting the url value in the proper way in every program seems to me an unnecessary duplication of code. sensible-browser won't be available in all distributions. Programs whose upstream developers want to implement BROWSER in a portable way will be duplicating this code. -- Colin Watson [EMAIL PROTECTED]
Re: web browser url viewing proposal
Massimo Dal Zotto wrote: I propose also that sensible-browser is registered as preferred or only handler for text/html and other url mime types. This can obviously be overriden in personal mailcap files but the debian alternative and the BROWSER variable should be the preferred control it. I'm not sure about this. It *would* be nice to have BROWSER contol mailcap, but perhaps some browsers would want to set up mailcap files with more complex tests specific to them. Perhaps we should discuss this separatly to the main proposal after it gets in. In addition, programs should choose a good default web browser if none is selected by the user or system administrator. This should be done in a centralized way by sensible-browser. Other programs should call only sensible-browser, unless they require some specific browser. If none selects a good default the x-www-browser alternative should do it. Thus, every program that launches a web browser with an URL must use the BROWSER environment variable to determine what browser the user wishes to use. Again, why not just call sensible-browser? A program needing a browser should simply depend on debianutils and www-browser|x-www-browser. Parsing the BROWSER variable and substituting the url value in the proper way in every program seems to me an unnecessary duplication of code. It often may be, and in those cases programs can of course just run the sensible-browser script. On the other hand, they may well want more control over what browser is picked as a fallback if BROWSER is not set or if none of the items in that variable are usable. Or they might want to implement it without a fork for speed, or what have you. It seems best to offer the flexability. Anyway, it paralells completly how the editor and pager stuff works. Colin has a good point too. An update on my patching: I have patches for: lynx w3m links debianutils urlview xchat I won't be messing with mozilla or konqueror, as they are too large, and the necessary changes too trivial. I'll just file wishlist bugs on those. Since I just noticed that xpdf has url support (which never worked, because I don't have bloody netscape installed. Argh!!), I'll be patching it too. I think that's all for me. It would be amusing to grep the whole main distro for things that hardcode netscape. Grepping your own /etc for netscape will also show some things to patch. -- see shy jo pgpc5DhvDvL2Z.pgp Description: PGP signature
Re: Unidentified subject!
On Tue, Nov 19, 2002 at 12:39:25PM -0500, Joey Hess wrote:
Colin Watson wrote:
Seconded, with one proviso: can we standardize on the Compatible Secure
BROWSER Definition from
http://www.dwheeler.com/browse/secure_browser.html instead? This is what
man-db implements for the 'man -H' switch; ESR-style BROWSER variables
will still work as intended, but %c is added in order to permit a colon
in commands and it specifies what shell escaping is to be performed on
URLs to get rid of the hideous security flaws.
I assume you mean the compatible alternative and not the bare one
Yep, Compatible Secure BROWSER Definition above.
First of all, it's possible to write a program that uses ESR's BROWSER
without passing the url through the shell. Here is a modification of my
sensible-browser program that does that:
--- sensible-browser~ 2002-11-19 12:20:14.0 -0500
+++ sensible-browser 2002-11-19 12:20:31.0 -0500
@@ -11,7 +11,7 @@
else {
$_.=' '.$url;
}
- exec $_;
+ exec split ' ', $_;
# on failure, continue to next in list
}
[...]
Right, fair enough (although I'd prefer splitting and then appending
$url to the list, but the point stands).
How about we just add something like this to the proposal:
When implementing BROWSER in a program, be careful to not pass the URL
through the shell when running the browser commands, as the url might
contain shell metacharacters and there could be security problems. If
you must pass the URL through the shell, be careful to properly escape
it first.
Sounds good. Proviso withdrawn.
--
Colin Watson [EMAIL PROTECTED]
