Bug#1040914: dev-ref: update best practices around security (Re: Securing Debian Manual too old?)

2023-07-12 Thread Holger Levsen
package: developers-reference
x-debbugs-cc: debian-security@lists.debian.org

hi,

On Tue, Jul 11, 2023 at 10:46:20PM +0200, Moritz Mühlenhoff wrote:
> > I found the Securing Debian Manual
> > (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html).
> > This version is from 2017.
> 
> This document is in fact too outdated and not in a shape we should
> prominently present it on the Debian website, thanks for flagging it.
> It even predates systemd and has no mention of it at all...
> 
> Can you please "reportbug www.debian.org" asking to remove it from the
> website?

https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.en.html#best-practices-around-security

currently contains this text:


Best practices around security

A set of suggestions and links to other reference documents around
security aspects for packaging can be found at the `Developer's Best
Practices for OS Security chapter inside the Securing Debian Manual
`__.

and unsure what to do now, as I'd like to keep the anchor and chapter, so
just dropping this would be wrong. Help welcome.

> It's also packaged as src:harden-doc and will probably stick around in
> case someone wants to improve it going forward.

I'm not even sure this is useful to keep around. :/


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Just today, over 800 women will have died due to preventable pregnancy and
birth complications, over 130 due to femicide.
https://www.who.int/news-room/fact-sheets/detail/maternal-mortality
https://en.wikipedia.org/wiki/Femicide#Worldwide




Re: CVE-2017-5715

2022-03-30 Thread Holger Levsen
On Wed, Mar 30, 2022 at 09:36:58AM +0200, Sylvestre Ledru wrote:
> On 30/03/2022 at 07:07, Salvatore Bonaccorso wrote:
> > Sylvestre and Holger, would you have time to include the bugfix as
> > well in the future bullseye point release?
> Sure, should be easy.
> Is there a timeline?

as the last point release was last weekend the next one will probably
happen in around two months.

that said, one can file an SRM bug now and do the upload now as well too. :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

After how many isolated cases does an isolated case become the norm?
(Jan Böhmermann)




thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread Holger Levsen
hey hey, hear hear!

On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote:
> -
> Debian Security Advisory DSA-5000-1   secur...@debian.org

WHHO!

that's *something* to *celebrate*!!1 Very many thanks to the whole Debian
security team, past and present, and to everyone contributing! You rock!
A lot! 5 whooping thousand (counted) times so far!

Thank you very much once more, and not enough, not even close.

!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's climate crime, not climate change.




Re: sources.list 4 bullseye-security

2021-06-28 Thread Holger Levsen
On Sun, Jun 27, 2021 at 04:52:26PM -0400, Boyuan Yang wrote:
> Besides, I believe end users are not supposed to know deb-src line for
> security repos.

sure, they do! and of course we provide source for our security updates!

> Adding such info provides zero benefit except for confusing
> users.

surely not all users compile software, but some certainly do. I do.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"Fascists never stop being fascists
You don't discuss with them, history has shown"...




Bug#989307: DSA-4923-1: upgrading libwebkit2gtk-4.0-37 on buster pulls in xdg-desktop-portal

2021-05-31 Thread Holger Levsen
Package: libwebkit2gtk-4.0-37
Version: 2.32.1-1~deb10u1
Severity: normal

Dear Maintainer,

from #debian-security today, Salvatore asked me to file this as a bug.

< h01ger> DSA 4923 causes xdg-desktop-portal(-gtk) to be installed here, much 
to my surprise and unhappiness
< h01ger> it's a recommends, so i can apt remove it, but still...
< h01ger> https://paste.debian.net/1199471/
(which has this content)

Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
   libpipewire-0.2-1 (0.2.5-1)
   xdg-desktop-portal (1.2.0-1)
   xdg-desktop-portal-gtk (1.2.0-1)
The following packages will be upgraded:
   libjavascriptcoregtk-4.0-18 (2.30.6-1~deb10u1 => 2.32.1-1~deb10u1)
   libwebkit2gtk-4.0-37 (2.30.6-1~deb10u1 => 2.32.1-1~deb10u1)
2 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.1 MB of archives.
After this operation, 5,376 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

< carnil> h01ger: thanks forwarded to alberto
* h01ger still busy cleaning systems
< h01ger> carnil: thanks!
< carnil> h01ger: the problem which is to be solved with it is apparently 
https://bugzilla.redhat.com/show_bug.cgi?id=1845743 (according to berto)
< h01ger> carnil: seems like. i've no flatpak and no snap and i don't expect to 
gain a dbus service granting privileges on a buster security update. (i've also 
seen it on bullseye upgrades but given that bullseye is not stable yet i won't 
complain here :)
< h01ger> carnil: do you think it would be useful if i'd file a bug about this 
issue?
< carnil> h01ger: at least the maintainer could comment himself on it, and 
explain on why the recommends, and maybe discussion can lead to that change is 
not suitable for the DSA, and we can drop it in the next upload.
< h01ger> carnil: was that a yes?
< carnil> h01ger: yes
< h01ger> carnil: ok. i'll include some lines from you here...
< carnil> h01ger: yes. I have no problem if you mention I suggested to file a 
bug to ask to clarify the issue. But note I was only in between here.


Personally I think a DSA fixing this would be nice.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"Climate change" is a euphemism. "Global warming" as well.




Re: "Version less than 0.0" in OVAL definitions

2021-05-16 Thread Holger Levsen
On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> We are using Debian OVAL definitions but there are many tests, and states,
> that test for dpkg versions being less than 0.0 which is impossible in
> practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative
number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next
version to be 1.0-1... but 0~1 is a legal and valid version too.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.


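To make the point about 0~1 concrete, here is an added example that is not part of the thread: a Python port of the version comparison algorithm from Debian Policy section 5.6.12 (the same logic as dpkg's verrevcmp), run against the versions mentioned above. The function names are this example's own, not dpkg's API.

```python
"""Debian version comparison, ported from the algorithm in Debian Policy 5.6.12.

Added example: the names below are this example's own, not dpkg's API.
"""
from functools import cmp_to_key
from string import ascii_letters, digits


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run ('' is end of part).

    Letters sort before non-letters, and '~' sorts before anything, even the
    end of the string: that is exactly what makes 0~1 smaller than 0."""
    if c == "" or c in digits:
        return 0
    if c in ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version parts (upstream_version or debian_revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with the weights above.
        while (i < len(a) and a[i] not in digits) or (j < len(b) and b[j] not in digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, remember the first differing digit,
        # and let the longer (numerically larger) run win.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in digits and j < len(b) and b[j] in digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in digits:
            return 1
        if j < len(b) and b[j] in digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream_version[-debian_revision]; a missing revision is ''."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, the same verdict `dpkg --compare-versions` gives."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


def below_zero(version: str) -> bool:
    """True for every version an OVAL 'dpkg version less than 0.0' test matches."""
    return compare_versions(version, "0.0") < 0


if __name__ == "__main__":
    for v in ("0~1", "0.0", "1.0~0alpha1-1", "1.0-1", "2.32.1-1~deb10u1"):
        print(f"{v:18s} below 0.0: {below_zero(v)}")
    print(sort_versions(["1.0-1", "0~1", "1.0~0alpha1-1", "0.0"]))
```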


fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Holger Levsen
On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> > BUT we should not forget to say a THANK YOU to these guys which give their 
> > best in order all of us to use this OS for free ;-)
> I believe I am debian contributor too, search in google for:
> "georgi guninski" site:debian.org
 
you seem to be a very funny person, less than 3h ago you said in 
Message-ID: 
Debian was not responding to this thread and now you are saying you
are Debian too! :)))


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁   holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Moral, truth, long term- and holistic thinking seem to mean nothing to us. The
emperors are naked. Every single one. It turns out our whole society is just
one big nudist party. (Greta Thunberg about the world reacting to the corona
crisis but not reacting appropriately to the climate crisis.)




how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Holger Levsen
hi,

(this started as a discussion whether to update radare2 in (old)stable
and has since then evolved into a discussion about the problem
summarized well by Raphael.)

On Thu, Aug 29, 2019 at 01:48:14PM +0200, Raphael Hertzog wrote:
> On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> > The upstream link makes it sound as if they are one of those upstreams
> > which reject the idea of distributions shipping an older release to
> > a stable distro. For a tool like radare2 that seems fair enough, so
> > how about simply excluding it from stable releases (and retroactively
> > drop it from Buster/Stretch in the forthcoming point releases)?
> 
> 
> While I have no problem in getting it out of stable release, it is
> important that we are able to provide backports so the package must
> stay in Debian testing. 
> 
> 
> 
> Also radare2 is a package that we care about in Kali and we are based
> on Debian testing so we would prefer if it could continue to be there.
> 
> 
> In general, we (Debian) don't have a good answer to this problem and
> virtualbox is clearly a bad precedent. We really need to find a solution
> to this in concertation with the release managers.

so I've added them to this thread.

youtube-dl is in the same boat...


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-16 Thread Holger Levsen
On Fri, Aug 16, 2019 at 08:11:58PM +, Markus Koschany wrote:
> Markus Koschany pushed to branch master at Debian Security Tracker / 
> security-tracker
> 
> Commits:
> bc35662f by Markus Koschany at 2019-08-16T20:11:47Z
> Add radare2 to dla-needed.txt with comments.
> 
> - - - - -
> 1 changed file:
> - data/dla-needed.txt
> +radare2
> +  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> +  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we
> +  NOTE: continue the current approach, update to a newer upstream version or 
> mark
> +  NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian 
> challenge...
> +  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
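Review bot: the NOTE block on the new `+radare2` entry leaves the triage decision open: it lists three options (continue the current approach, update to a newer upstream version, or mark radare2 as unsupported) without saying which one is proposed or who is expected to decide, so the next person reading dla-needed.txt has to rediscover this thread; state the preferred option (or "pending discussion on debian-lts") in the note, and name the affected suite(s) next to CVE-2019-14745 as is done for the no-dsa issues in Jessie and Stretch.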

I'd be in favor of marking radare2 as unsupported, probably even for stable,
but definitely for oldstable and older.

I'd be happy to do these changes in src:debian-security-tracker and
upload this to sid.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Intel Microcode updates

2019-06-11 Thread Holger Levsen
On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan wrote:
> Exploiting the flaws needs malicious code to be running on your box.  If
> you are in total control over all VMs and processes on the box, then you
> should be good.
 
do you use a web browser with javascript enabled?


-- 
bye,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Holger Levsen
Hi Roman,

the security team is not responsible for Debian LTS, I've thus added 
debian-lts@lists.d.o to the mail recipients, so that they become aware
of your issue.

On Thu, Feb 14, 2019 at 06:06:34PM +0100, Roman Medina-Heigl Hernandez wrote:
> Hi security-fellows,
> 
> I applied recent rssh security updates to Debian 8 (jessie) and I
> noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
> 
> The relevant log lines at my Debian server:
> 
> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
> command line!
> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
> forbidden commands
> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
> 
> Is it really unsafe to issue a "rsync --server --daemon ." command so it
> deserves to be blocked?
> 
> 
> PS: OS info:
> 
> root@roman:~# cat /etc/debian_version
> 8.11
> root@roman:~# dpkg -l rssh   
> Deseado=desconocido(U)/Instalar/eliminaR/Purgar/retener(H)
> |
> Estado=No/Inst/ficheros-Conf/desempaqUetado/medio-conF/medio-inst(H)/espera-disparo(W)/pendienTe-disparo
> |/ Err?=(ninguno)/requiere-Reinst (Estado,Err: mayúsc.=malo)
> ||/ Nombre    Versión
> Arquitectura    Descripción
> +++-=-===-===-
> ii  rssh  2.3.4-4+deb8u2 
> amd64   Restricted shell allowing scp, sftp, cvs, svn,
> rsync or rdist
> 
> PS2: I'm not subscribed to LTS-list, but I guess the problem may be both
> in stable and oldstable versions.
> 
> Cheers,
> 
> -Román
> 

-- 
bye,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

In Europe there are people prosecuted by courts because they saved other people
from drowning in the  Mediterranean Sea.  That is almost as absurd  as if there
were people being prosecuted because they save humans from drowning in the sea.




Re: Should easter eggs be disabled in Debian's php packages?

2019-01-18 Thread Holger Levsen
On Fri, Jan 18, 2019 at 01:58:12PM +0800, Paul Wise wrote:
> > To answer my own question, after PHP 5.5 the easter egg was removed already.
> So the issue would only be present in wheezy. I guess the ELTS folks
> might like to disable them.

I don't think the behaviour of php should be changed at this time,
unless this is really security relevant, which AFAICS has not been
demonstrated yet.

(Proof of the contrary welcome! :)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Gaps in security coverage?

2018-11-06 Thread Holger Levsen
On Tue, Nov 06, 2018 at 07:08:20PM +0800, Paul Wise wrote:
> Bug#908678: security-tracker - Breaks salsa.d.o
 
thank you.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Gaps in security coverage?

2018-11-06 Thread Holger Levsen
On Tue, Nov 06, 2018 at 02:42:59PM +0800, Paul Wise wrote:
> Also, a much more important task is restructuring the git repo so that
> it doesn't cause responsiveness and resource usage issues with salsa.

is there a bug or wiki page describing the issues/requirements for that and
what has been tried / the status?

(I just cloned the tracker yesterday and could see the problem 'live'..)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: powerpc update for amd64

2018-03-04 Thread Holger Levsen
On Sun, Mar 04, 2018 at 04:07:14PM +0100, SZÉPE Viktor wrote:
> Why should one using an amd64 hardware update its kernel/reboot when changes
> are only for powerpc?
 
you should not. (or maybe you should so your monitoring will not
complain about running an outdated kernel.)

however, because the same linux kernel source package is used to build
the linux kernel binary packages for all archs, the amd64 packages are
also updated when there are no changes relevant to amd64.


-- 
cheers,
Holger




Re: retpoline-enabled GCC build for jessie

2018-02-17 Thread Holger Levsen
On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> The update for gcc-4.9 has just been released.
> Test packages for gcc-6/stretch are now available at 
> https://people.debian.org/~jmm/gcc6/
 
Thanks for your work on this, Moritz.

I have a stupid/uninformed question: is this gcc only useful for
rebuilding the kernel or would it "in theory" (and practice) be better
to rebuild everything with it? (of course the latter is probably not really
practical for Debian, but others could do it more easily.)


-- 
cheers,
Holger




Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.

I rest my case. I'd secure the front door even if the side door (atm
still) can be compromised easily.


-- 
cheers,
Holger




Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.

for a start: one only needs to compromise one machine instead of many...

> >   what's the technical reason
> > the buildds are not checking the signatures?
> Unavailability of the keys.  Key may have been expired between upload
> and build attempt.

I'm not sure this is an advantage then... or rather: I'd rather see a
requirement that keys used for signing are valid for at least another
year after the upload.


-- 
cheers,
Holger




Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So in practice, both verifications are
> happening, but not in the same place.
 
in practice, this also has obvious flaws. what's the technical reason
the buildds are not checking the signatures?


-- 
cheers,
Holger




Re: [buildd-tools-devel] Some Debian package upgrades are corrupting rsync "quick check" backups

2017-05-13 Thread Holger Levsen
On Sat, May 13, 2017 at 10:48:18PM +0200, Aurelien Jarno wrote:
> The above change should now be deployed on most jessie based buildds,
> it's only missing on the buildds that are currently down.

cool, thank you!


-- 
cheers,
Holger




Re: [buildd-tools-devel] Some Debian package upgrades are corrupting rsync "quick check" backups

2017-05-13 Thread Holger Levsen
On Sat, May 13, 2017 at 05:52:04PM +0200, Mattia Rizzolo wrote:
> On Sat, May 13, 2017 at 03:44:57PM +0100, Chris Lamb wrote:
> >  a) Has anything changed in the meantime?
> 
> Yes: sbuild stopped repeating the changelog time taking it from the last
> entry, and will instead generate a new timestamp based on the current
> time:
> 
>   * For binNMUs, instead of copying the timestamp of the last changelog entry,
> generate a new one (closes: #843773)
> 
> In version 0.73.0-1.

this is correct, but AFAIK this hasn't been deployed on the buildd yet.
I'd be glad to be corrected about this…
 
> >  b) Will this affect stretch? If so, what do we need to do now?
> IMHO, nothing.

we might need to reschedule some packages…


-- 
cheers,
Holger




Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-30 Thread Holger Levsen
On Mon, Jan 30, 2017 at 02:47:45PM +0100, Johannes Schauer wrote:
> > (the sbuild maintainer reads the above list which has been cc:ed so he
> > should be able to comment…)
> 
> You were talking about buildd-tools-de...@lists.alioth.debian.org

yes

> You forgot to CC that one (I understood that was your intention) but I'm also
> still subscribed to reproducible-builds@l.a.d.o. :)

no, I didn't forget to cc: the list as I didn't know its exact name and I
was too lazy to look for it as I knew you read the reproducible list ;)

[nice explanation deleted, nothing to add here, except thanks for
explaining.]

> > so, two questions:
> > 
> > a.) has been fixed, so that no new occurrences of this problem will occur?
> Hopefully. I welcome reports that show the contrary.

you are referring to "fixed in sbuild" here, while I meant (but didn't explicitly
say…) "fixed in the buildd network"…

> > b.) if thats the case, shall we scan all packages in sid for files which
> > have the same timestamp+filename but different checksums and ask for
> > binNMUs of those packages?
> The version of sbuild used on the buildds probably doesn't bump the timestamp
> yet. At least the binNMU-ed packages on my system share the binNMU changelog
> timestamp with the timestamp of the last source upload. :)

so it seems we should 

a.) get this fix deployed on all the buildds. (how?)
b.) do the b.) above… (because AIUI this issue atm is only noticed
by those running unstable or stretch, while once stretch is released many
more people will notice it…)


-- 
cheers,
Holger




Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-30 Thread Holger Levsen
On Mon, Jan 30, 2017 at 01:10:12PM +0100, Mattia Rizzolo wrote:
> > Would reproducible-bui...@lists.alioth.debian.org be the correct mailing
> > list to discuss this?
 
the debian-buildd list or a bug against sbuild might be more
appropriate…

(the sbuild maintainer reads the above list which has been cc:ed so he
should be able to comment…)

> Not really, because that has been done in sbuild since long before the
> reproducible builds project became active: 0.62.2-1, Tue, 05 Apr 2011:
> - Improve binNMU handling to permit binNMUs for multiarch packages
>   (Closes: #620112).  Currently, binary NMUs use the current date
>   in the new changelog entry, but co-installable packages require
>   an identical changelog.  To avoid this, take the date from the
>   previous changelog entry to ensure the same date for all binNMUs.
>   Thanks to Anders Kaseorg for this patch.
> 
> And, incidentally, this has been kind of reverted in 0.73.0-1 (Sat, 24
> Dec 2016) after a fairly long and annoying discussion in debian-devel:
>   * For binNMUs, instead of copying the timestamp of the last changelog entry,
> generate a new one (closes: #843773)

so, two questions: 

a.) has been fixed, so that no new occurrences of this problem will occur?
b.) if that's the case, shall we scan all packages in sid for files which
have the same timestamp+filename but different checksums and ask for
binNMUs of those packages?

thinking about b.) debian-release@l.d.o might be the right list for
this…


-- 
cheers,
Holger


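The scan proposed in b.) above, as an added example that is not part of the thread, of sbuild or of rsync: a Python script that builds two constructed package trees (an original build and a binNMU rebuild whose files kept the same timestamp) and lists the files rsync's default size-plus-mtime quick check would wrongly treat as unchanged. All names and sample data are this example's own.

```python
"""List files that rsync's default quick check (size + mtime) would skip although
their content differs, the failure mode behind the corrupted backups above.

Added example, not sbuild's or rsync's code; the two package trees are constructed
here to mimic a binNMU that reused the previous changelog entry's timestamp.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def quick_check_key(path: Path):
    """What rsync compares by default: size and mtime in whole seconds."""
    st = path.stat()
    return st.st_size, int(st.st_mtime)


def sha256sum(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quick_check_misses(old_root: Path, new_root: Path):
    """Relative paths that look unchanged to the quick check but differ in content."""
    misses = []
    for new_file in sorted(p for p in new_root.rglob("*") if p.is_file()):
        rel = new_file.relative_to(new_root)
        old_file = old_root / rel
        if not old_file.is_file():
            continue  # file is new on the sender: rsync copies it regardless
        same_key = quick_check_key(old_file) == quick_check_key(new_file)
        if same_key and sha256sum(old_file) != sha256sum(new_file):
            misses.append(rel.as_posix())
    return misses


def build_sample_trees():
    """Construct an original build and a binNMU rebuild of the same package.

    Every file in both trees gets the same (constructed) mtime, which is what
    happens when the file timestamps are taken from the changelog date and the
    binNMU changelog entry reused the previous entry's date."""
    base = Path(tempfile.mkdtemp(prefix="binnmu-quickcheck-"))
    old_root, new_root = base / "foo_1.0-1", base / "foo_1.0-1+b1"
    stamp = 1480000000  # constructed: the reused changelog timestamp
    files = {
        # changelog grows by one entry: size differs, so the quick check catches it
        "usr/share/doc/foo/changelog.Debian": (
            b"foo (1.0-1) unstable; urgency=medium\n",
            b"foo (1.0-1+b1) unstable; urgency=medium\n"
            b"foo (1.0-1) unstable; urgency=medium\n",
        ),
        # rebuilt binary: same size, same mtime, different bytes -> silently skipped
        "usr/lib/foo/libfoo.so.1": (b"build-id:aaaaaaaa", b"build-id:bbbbbbbb"),
        # untouched file: identical in both builds, nothing to copy
        "usr/share/doc/foo/README": (b"unchanged\n", b"unchanged\n"),
    }
    for rel, (old_bytes, new_bytes) in files.items():
        for root, data in ((old_root, old_bytes), (new_root, new_bytes)):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            os.utime(target, (stamp, stamp))
    return old_root, new_root


def demo():
    """Build the constructed trees and return what the quick check would miss."""
    old_root, new_root = build_sample_trees()
    return quick_check_misses(old_root, new_root)


if __name__ == "__main__":
    for rel in demo():
        print(f"quick check would miss: {rel}")
```

Running rsync with `--checksum` (`-c`) replaces the size-plus-mtime test with a content comparison and would copy such files, at the cost of reading every file on both sides.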


Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-28 Thread Holger Levsen
On Sat, Jan 28, 2017 at 03:04:56PM +0100, Daniel Reichelt wrote:
> I highly suspect this stems from packages' rules files supporting
> reproducible builds.

I rather think this is due to binNMUs not modifying debian/changelog…
(in the source package while it's modified in the binary packages…)


-- 
cheers,
Holger




Re: Handling of "malware" in Debian

2016-11-09 Thread Holger Levsen
On Wed, Nov 09, 2016 at 07:14:45PM +0100, W. Martin Borgert wrote:
> If users of testing or unstable have the malware installed now and
> the package gets removed from the archive, users are left with the
> malware, right?

yes
 
> That's why I thought about uploading an empty package to unstable,

yes, of course.

> it should be released with stretch, but can be safely removed later.

I'm not sure about the releasing with stretch part. Maybe it would be
better to have the updated, empty package in stretch in 5plusX days and
then remove it before the release, say on January 1st.


-- 
cheers,
Holger




Re: Handling of "malware" in Debian

2016-11-09 Thread Holger Levsen
On Wed, Nov 09, 2016 at 05:35:20PM +0100, W. Martin Borgert wrote:
> Quoting Holger Levsen :
> >I think so. And I also think this should be done.
> >and, who's gonna file the RM bug for unstable?
> I would RM for buster, because users of stretch might already be affected.

that's not how it works. You file an RM bug for a package in unstable
against ftp.d.o now, and then this RM will propagate to stretch. An RM
for stable needs to be requested via a bug against release.d.o.

buster on the other hand doesn't exist until we have released stretch.


-- 
cheers,
Holger




Re: Handling of "malware" in Debian

2016-11-09 Thread Holger Levsen
On Wed, Nov 09, 2016 at 04:17:58PM +0100, W. Martin Borgert wrote:
> Would NEWS.Debian be sufficient?

I think so. And I also think this should be done.

and, who's gonna file the RM bug for unstable?


-- 
cheers,
Holger




Re: flashplugin-nonfree and latest Flash security updates

2016-08-03 Thread Holger Levsen
On Thu, Aug 04, 2016 at 02:14:55AM +, Nick Boyce wrote:
> > Just don't use that crap. With the amount of zero days in Flash
> > you're subject to serious vulnerabilities even with an up-to-date
> > plugin.
> [...]  Also I
> believe there are quite a few corporate intranet use-cases that *depend*
> on Flash for corporate web-apps (at least according to traffic on the
> Enterprise Firefox list).

plus there are a lot of school + education related websites & other
material, including exams, which need flash… I estimate it will take
some years to weed those out.


-- 
cheers,
Holger




Re: flash plugin from ubuntu (was: flashplugin-nonfree and latest Flash security updates)

2016-08-03 Thread Holger Levsen
On Wed, Aug 03, 2016 at 10:46:33PM +0200, Stefan Fritsch wrote:
> Maybe the flashplugin-nonfree package should even be replaced by a package 
> that 
> installs the ubuntu archive signing key, sets up the sources.list line, and 
> tweaks the unattended-updates config to allow automatic updates from that 
> repo. 

please, no.


-- 
cheers,
Holger




Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread Holger Levsen
On Tue, Aug 02, 2016 at 04:37:31PM +0200, Jakub Wilk wrote:
> Wiki is world-writable. It's safe to assume that everything there is
> nonsense unless proven otherwise.
 
It's also safe to assume that we'll all die one day, though that's also
not very helpful.

A useful first step to assess the quality of the information on any given page
on wiki.d.o is usually to look at the page history and see who edited
it.


-- 
cheers,
Holger




Re: httpoxy efforts?

2016-07-20 Thread Holger Levsen
Hi Christoph,

your email doesn't mention whether you searched the BTS for relevant bugs
about these issues. Have you?

And if there are no bugs filed yet, someone should file bugs.

:-)


-- 
cheers,
Holger




Re: the frustrated administrivia and misdirection hose lacks any abatement visible to mortals

2016-05-24 Thread Holger Levsen
Hi Drake,

On Tue, May 24, 2016 at 01:32:08PM +0800, Paul Wise wrote:
> > Lacking any obvious way to talk to the security team without potentially 
> > making my
> > message look more urgent than it was, I leave it to whoever else can 
> > navigate the
> > Debian social structure to take it up in the most appropriate manner.  I've 
> > absolutely run
> > out of nerves for having to clear this garbage out of my mailpile, so I'm 
> > done here.
> 
> Two of the security team members responded to the bug report:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821113#25
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821113#20
> 
> So the only thing that needs doing now is for the listmasters to
> implement the suggestions.

after I read all the quoted above, I was sceptical when I opened
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821113 but after
having read that too, I just want to say "thanks" and "kudos" to you.

As explained by Moritz the current behavior is mostly historic and often it's
not easy to change such historic things. It seems to me that you managed
to make a good+doable proposal *and* put it at right place(!) so I'm looking
forward to an implementation of your proposal now.

Yay!


-- 
cheers,
Holger




Re: Which Debian packages leak information to the network?

2016-05-18 Thread Holger Levsen
On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
> Could you explain how any of these tools leak any information "without a
> user's consent/expectation"?

gnome-calculator contacts a web page/service with currency exchange
information *on every start*, I think that's a good example of the kind
of programs Patrick is looking for.


-- 
cheers,
Holger




Re: Should Debian ask for a CPE when a CVE in Debian is found?

2016-02-15 Thread Holger Levsen
Hi,

On Saturday, 13 February 2016, Paul Wise wrote:
> On Sat, Feb 13, 2016 at 2:51 AM, Wheeler, David A wrote:
> > Should Debian's security team ask for a Common Platform Enumeration (CPE)
> > id when a related CVE is found/reported fixed?
> 
> The debian-security list is a general Debian security discussion list
> rather than a contact point for the Debian security team.

yeah, exactly, that's why I suggested that David discuss this on this list. 

> If you wish
> to contact the Debian security team, please use secur...@debian.org.

That is not an address suited for public discussion (it ain't public and there 
is no public archive), so your suggestion ain't very helpful here.

Debian usually works in the open, as I understand it secur...@debian.org is 
for telling stuff to the Security team which ain't open yet.

If debian-security@lists.debian.org should not be used to discuss security 
topics related to Debian (with and without the security team) this should be 
clarified, though I doubt this is the case.


Now if only someone could reply to the original question at hand! ;-)


cheers,
Holger





Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Holger Levsen
Hi Wolfgang,

On Tuesday, 2 February 2016, Wolfgang Jeltsch wrote:
>   • Where does the tracker talk about security policies? (I actually
> doubt that such information is in the tracker at all.)

That's out of scope for the tracker indeed, however right now I don't know 
where to find such policies.

>   • Where is a list of unfixed security issues?

https://security-tracker.debian.org/tracker/ links to filters for the
different suites, e.g. "Vulnerable packages in the stable suite" points to
https://security-tracker.debian.org/tracker/status/release/stable where you
can tune your view.

So https://security-tracker.debian.org/tracker/status/release/stable?filter=1&filter=high_urgency&filter=medium_urgency&filter=low_urgency&filter=unimportant_urgency&filter=unassigned_urgency&filter=undetermined_issues&filter=nodsa
is probably the URL which will show you the highest number of security issues
in stable ;)

> URLs would be highly appreciated.

not directly answering your questions, but maybe still useful:

http://security-team.debian.org/security_tracker.html


cheers,
Holger




Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-20 Thread Holger Levsen
Hi,

On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Most appreciated.  So, just to confirm; my take away on this is:
> 
>   * 1. "Wheezy" Linux kernels are NOT AFFECTED.
> 
>   * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
> 
> If I have understood correctly?

yes!


cheers,
Holger




Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Holger Levsen
Hi Bjoern (bcc:ed),

On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Are the "Wheezy" Linux kernels affected as well, or are they currently
> okay as far as you know?

on debian-backports@l.d.o Ben wrote:

> [...]  It's fixed in jessie and sid,
> and doesn't affect anything older.  {wheezy,jessie}-backports will be
> fixed soon.

Thanks Ben!


cheers,
Holger




Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Holger Levsen
Hi,

On Thursday, 19 March 2015, Patrick Schleizer wrote:
> > I think you probably just need to run "apt-get update" before "apt-get
> > install"...
> I did that, I am sure of it. Reproduced this on two different systems.

can you put the output of "apt-get update" and "apt-cache policy" on 
paste.debian.net?


cheers,
Holger




Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Holger Levsen
Hi,

I think you probably just need to run "apt-get update" before "apt-get 
install"...

It's definitely not a security issue deserving the attention of the security
team.


cheers,
Holger





Re: Security EOL within Debian Stable

2015-02-07 Thread Holger Levsen
On Saturday, 7 February 2015, Jan Wagner wrote:
> it would be great if you would open a bug against the
> debian-security-support package if there isn't one pending yet.

#776904 please mark chromium as unsupported in wheezy




Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-05 Thread Holger Levsen
Hi,

On Thursday, 5 February 2015, Paul van der Vlis wrote:
> There was always a year security support for oldstable.

you are right with that.


cheers,
Holger




Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-04 Thread Holger Levsen
Hi,

On Thursday, 5 February 2015, Paul van der Vlis wrote:
> Iceweasel support for oldstable stopped at 24 Mar 2009:
> Icedove support for oldstable stopped at 12 Jul 2009:
> Icedove security support for oldstable stopped at 09 Mar 2011:
> The security support of Iceweasel for oldstable stopped at 26 Jun 2013:
> Limited security updates for Icedove for oldstable on 29 Aug 2013:
> No updates for oldstable anymore on 22 Apr 2014:

and then, sometime later in 2014, security support for oldstable was
finally introduced for the first time.

I think you have (had?) wrong expectations.

> This is always a problem for me, because
> I have customers with complex desktop systems.

Maybe you should contribute to oldstable then, if that is what your customers 
are using.

Or just use one of the suggested alternatives in this thread. VMs were not
mentioned explicitly, but that's also an option.


cheers,
Holger




Re: security issues in backports (Re: [SECURITY] [DSA 3027-1] libav security update

2014-09-18 Thread Holger Levsen
Hi,

On Thursday, 18 September 2014, Holger Levsen wrote:
> I'm working on getting
> https://security-tracker.debian.org/tracker/status/release/stable-backports
> meaningful for this task. Give me some more days... ;-)

for those not familiar with the current security-tracker development: for the
regular suites (oldstable, stable, testing and unstable) the above URL works
nicely, just for (oldstable|stable)-backports it's currently not correctly
implemented and thus broken.


cheers,
Holger




security issues in backports (Re: [SECURITY] [DSA 3027-1] libav security update

2014-09-18 Thread Holger Levsen
Hi,

On Thursday, 18 September 2014, Henrique de Moraes Holschuh wrote:
> There is one thing that would be of great value:  We need someone to go
> over the debian-backports packages for pending security updates, and
> notify the maintainers of the backports or the backports ML.

I'm working on getting 
https://security-tracker.debian.org/tracker/status/release/stable-backports 
meaningful for this task. Give me some more days... ;-)
 
> Currently, at least "file" and "libav" are vulnerable in debian-backports.
> It is likely that other packages in debian-backports also require updates.

oh, yes! :/


cheers,
Holger






Re: concrete steps for improving apt downloading security and privacy

2014-07-22 Thread Holger Levsen
Hi Hans,

On Wednesday, 16 July 2014, Hans-Christoph Steiner wrote:
> What I'm talking about already exists in Debian, but is rarely used. 
> dpkg-sig creates a signature that is embedded in the .deb file.  So that
> means no matter how the .deb file got onto a system, that signature can be
> verified. I'm proposing to start making dpkg-sig a standard part of
> official .deb files. This can be done in stages to make it manageable. 
> Here's a rough idea of that:

how about you file a bug against dpkg-sig and put your plan and justification
in there. Here on the mailing list it will just be lost...


cheers,
Holger




Re: concrete steps for improving apt downloading security and privacy

2014-07-16 Thread Holger Levsen
Hi,

On Wednesday, 16 July 2014, Michael Stone wrote:
> Yes you are--what you described is exactly how the Release files work.

Well, there are (many) other .debs on the net which are not part of our
releases, so it still seems to me that making .changes files accessible in
standardized ways could be very useful.


cheers,
Holger






Re: concrete steps for improving apt downloading security and privacy

2014-07-15 Thread Holger Levsen
Hi,

On Tuesday, 15 July 2014, Michael Stone wrote:
> Except that you haven't addressed *at all* why the current mechanism is
> insufficient, except that you don't like it and want to do something
> else instead. 

AIUI Hans-Christoph wants something else _also_, not instead. And technically 
I think those signed .debs even exist already, via hashes in signed .changes 
files. Or am I getting something wrong?


cheers,
Holger





getting rid of md5 hashes

2014-04-04 Thread Holger Levsen
Hi,

as I've just been affected by "#700266  fetchmail: --sslfingerprint uses MD5" 
I wonder if someone is tracking all the bugs related to using md5 hashes kind 
of like how we track bugs in software not supporting ipv6.

User debian-security@lists.debian.org
Usertag 700266 md5 

maybe?


cheers,
Holger




Re: Compromising Debian Repositories

2013-08-07 Thread Holger Levsen
Hi Paul,

On Monday, 5 August 2013, Paul Henning wrote:
> Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest
> most basic thing you can do. [more FUD deleted]

are you paid by some three or four letter agency to spread FUD?


cheers & sorry, I couldn't resist,
Holger




Re: [SECURITY] [DSA 2628-1] nss-pam-ldapd security update

2013-02-19 Thread Holger Levsen
Hi,

On Tuesday, 19 February 2013, Alex Antener wrote:
> > mum asks whether we want to come over for lasagne on Sunday :-)
> Gladly! - Place & time?

are we invited as well? What's the exact address? (But beware, this list has
>10k subscribers :-)


cheers,
Holger


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201302191637.29115.hol...@layer-acht.org



Re: SELinux on Squeeze?

2011-12-31 Thread Holger Levsen
Dear Russell,

On Friday, 30 December 2011, Russell Coker wrote:
> I can't imagine what the benefit would be in using "official" packages that
> I created and uploaded to Debian over using "unofficial" packages that I
> created and couldn't get in a Squeeze update 

Frankly, your lack of imagination is pretty sad. The difference is that people 
cannot use squeeze properly without relying on some external repository. 
Imagine if every DD would handle her packages like this. Releases (as in 
Debian stable releases) would be rather useless.

Maybe this can be finally fixed for wheezy?


cheers,
Holger


Archive: http://lists.debian.org/201112311204.26040.hol...@layer-acht.org



Re: Bug#645881: critical update 29 available

2011-12-11 Thread Holger Levsen
On Sunday, 11 December 2011, Matthias Klose wrote:
> the DLJ bundles were created because you are not allowed to re-distribute
> the jdk packages from oracle. Did that change recently?

I believe inside an organisation I can rebundle their bundles to my preferred
kind of bundle, that is, form of distribution (inside the organisation);
anything else would be ridiculous, or?

All I suggest is to document how to enhance their "bundles" to proper Debian 
packages :-)


Archive: http://lists.debian.org/201112111725.44749.hol...@layer-acht.org



Re: Bug#645881: critical update 29 available

2011-12-11 Thread Holger Levsen
Hi,

I forgot:

On Sunday, 11 December 2011, Holger Levsen wrote:
> $ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
>  debian/changelog |8
>  debian/rules |6
>  jdk-6u26-dlj-linux-amd64.bin |327520 --
>  jdk-6u26-dlj-linux-i586.bin  |327113 --
>  jdk-6u29-linux-amd64.bin |327526 +++
>  jdk-6u29-linux-i586.bin  |325585 ++
>  6 files changed, 653122 insertions(+), 654636 deletions(-)

$ sha1sum *bin
a73580ed8ac42040f1bbcab62617719a31c6f487  jdk-6u29-linux-i586.bin
45286e11864285c0d9d5cafd0355dbe04d272951  jdk-6u29-linux-amd64.bin

And I had to rename the second one...


cheers,
Holger




Re: Bug#645881: critical update 29 available

2011-12-11 Thread Holger Levsen
Hi,

On Sunday, 11 December 2011, Philipp Kern wrote:
> sorry, but I'd rather like to have an announcement that it has a bug,

me too, for all the reasons Philipp noted.

It's also trivial to download the fixed jdk from oracle and
build a fixed package, so IMHO an announcement containing this information
plus no removal would be best:

diff -Nru sun-java6-6.26/debian/changelog sun-java6-6.29/debian/changelog
--- sun-java6-6.26/debian/changelog 2011-08-26 11:58:59.0 +0200
+++ sun-java6-6.29/debian/changelog 2011-11-23 18:49:33.0 +0100
@@ -1,3 +1,11 @@
+sun-java6 (6.29-1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * New upstream version to fix
+
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA
 
+
+ -- Holger Levsen   Wed, 23 Nov 2011 18:49:02 +0100
+
 sun-java6 (6.26-3) unstable; urgency=low
 
   * "ia32-sun-java6-bin has improperly equal alternatives priority on amd64"
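Review bot: the new changelog entry says only "New upstream version to fix" followed by a vendor URL, and it neither names what is fixed nor closes the bug this thread is about; a security upload should say which issues it addresses and close the report, e.g. `* New upstream version to fix the issues listed at <URL> (Closes: #645881)`, and since it is a security fix the `urgency=low` in `sun-java6 (6.29-1) unstable; urgency=low` should probably be `urgency=high` so the upload migrates without waiting the usual period.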
diff -Nru sun-java6-6.26/debian/rules sun-java6-6.29/debian/rules
--- sun-java6-6.26/debian/rules 2011-08-26 11:58:59.0 +0200
+++ sun-java6-6.29/debian/rules 2011-11-23 20:04:38.0 +0100
@@ -43,7 +43,7 @@
 jdirname   := 
$(ia32_prefix)java-$(version)-$(VENDOR)-$(jdkversion).$(releng_ver)
 jdiralias  := $(ia32_prefix)java-$(version)-$(VENDOR)
 srcdir := $(arch)-jdk
-bin_pattern= jdk-$(version)u$(releng_ver)-dlj-linux-%.bin
+bin_pattern= jdk-$(version)u$(releng_ver)-linux-%.bin
 all_archs  = $(filter $(subst =, , $(arch_map)), \
   $(subst -, , $(patsubst %.bin, %, $(wildcard 
*.bin
 priority   := 63
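Review bot: the `bin_pattern` change from `jdk-$(version)u$(releng_ver)-dlj-linux-%.bin` to `jdk-$(version)u$(releng_ver)-linux-%.bin` silently switches the build input from the DLJ bundles to Oracle's ordinary installer; as pointed out earlier in this thread, the DLJ bundles existed precisely because the plain JDK packages from Oracle may not be redistributed, so this hunk needs either a changelog note that the resulting packages are for in-organisation use only or the licensing question settled before any upload to the archive.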
@@ -316,8 +316,8 @@
  exit 1; \
fi
 
-diff_ignore = -I 'Wednesday, May 4' \
-   -I 'Wed May 04' -I '^ *// java GenerateCharacter'
+diff_ignore = -I 'Monday, October 3' \
+   -I 'Mon Oct 03' -I '^ *// java GenerateCharacter'
 
 with_check = yes
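Review bot: the `diff_ignore` update hardcodes the upstream build date strings ('Monday, October 3' / 'Mon Oct 03') that the check step is told to ignore, so every new upstream release will need the same hand edit and the check passes only if the NMUer guesses the right date; a comment next to the variable saying where those dates come from (the upstream build timestamp embedded in the generated files) would let the next person update it without trial and error, and a generic weekday/month pattern would avoid the per-release edit altogether.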

$ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
 debian/changelog |8
 debian/rules |6
 jdk-6u26-dlj-linux-amd64.bin |327520 --
 jdk-6u26-dlj-linux-i586.bin  |327113 --
 jdk-6u29-linux-amd64.bin |327526 +++
 jdk-6u29-linux-i586.bin  |325585 ++
 6 files changed, 653122 insertions(+), 654636 deletions(-)


cheers,
Holger




Re: DSA-2141-2

2011-01-09 Thread Holger Levsen
Hi,

On Monday, 10 January 2011, Hugh McDonald wrote:
> This advisory would be more useful to an administrator if package "nss"
> were known to "http://www.debian.org/packages", or if it contained
> references to the affected debian package or packages.

http://packages.qa.debian.org/nss and/or apt-cache showsrc nss

but I agree, I would appreciate if the DSAs would contain the binary packages.


cheers,
Holger




Re: [SECURITY] [DSA 1747-1] New glib2.0 packages fix arbitrary code execution

2009-03-20 Thread Holger Levsen
Hi,

On Friday, 20 March 2009, Eduardo M KALINOWSKI wrote:
> So as if vacation messages were not enough, now we have nonsense replies?

And yet more nonsense replies. If you mind those mistakes (which happen
because 3 people are subscribed to d-s-a and people are people), why do
you annoy 3500 more people with your complaints?

> Listmaster, please unsubscribe this user: rhett.jo...@utbox.net

please just send such requests to the listmasters, and don't cc: the list. 
it's useless noise for 3500 people.


thanks,
Holger, who is more annoyed^whmmmed by annoyed, careless people than by those
making their mistakes - which are stored in the eternal hall of shame (the list
archive) already - which in my book is punishment enough :-)

http://lists.debian.org/stats/debian-security.png - to have at least some 
signal :)
http://lists.debian.org/stats/debian-security-announce.png




Re: Potential exploits via application launchers (aka .desktop files)

2009-02-12 Thread Holger Levsen
Hi,

On Thursday, 12 February 2009, Michael S. Gilbert wrote:
> I'll wait for lenny to
> get out the door rather than submitting these apparently complex and
> difficult security (and hence release-critical) issues at the last
> minute.

Please don't hesitate to file bugs (unless the issue at hand is security
related and not public yet, which is not the case here).

While it's true that Debian tries to release with 0 RC bugs, it's not the case
that a planned release is stopped "just because" a bug with severity serious
or higher pops up. (Because certain bugs can be ignored. If lenny were
released today and an RC bug popped up tomorrow, we wouldn't pull back the release
either.)

It's also much better to ship with a known and reported bug than to ship with
a bug which is not reported :) (Because of "we won't hide problems" and
because it's generally better to be aware of problems than not.)


regards,
Holger




Re: Scalable Debian vulnerability tracking [REDUX]

2009-01-07 Thread Holger Levsen
Hi Sheldon,

this sounds like an interesting project, please keep us posted!

On Wednesday, 7 January 2009, Sheldon Hearn wrote:
> On Wednesday 07 January 2009 00:24:09 R. W. Rodolico wrote:
> > I have a package that we have been working on for a while that might
> > be a good starting point.
> >
> > This is gpl'd, and I would be happy to supply the .deb, the source
> > tree or svn access if you would like to look at it.
>
> Suppressing my knee-jerk reaction to PHP, it sounds like you're quite
> far down the track with this one. :-)

sitesummary, as in http://packages.qa.debian.org/s/sitesummary.html, might also
be interesting for you to look at. And it's Perl, not PHP.


On a side note, I don't consider mail to be too unreliable here. First, it's
actually pretty reliable. Second, just resend the mail the next day / time
slot.

regards,
Holger




Re: Keeping the webserver safe

2008-10-08 Thread Holger Levsen
Hi Kovács,

On Wednesday 08 October 2008 10:25, Kovács Zoltán wrote:
> I would call the attention to my contributed work, a Wiki at
> http://free.coedu.hu/ describing a step-by-step install procedure making
> a (relatively) safe Debian Etch LAMP server. The procedure contains:

What you write here looks very good...

> Unfortunately is available in Hungarian language only :-(, but lot of
> (self-explanatory, I hope) config file fragments are included.

...if you could rewrite it in English (which you have half done with that mail
already, I think)...

> All work is free stuff, licensed under CCL 2.5 (see website).

and change your licensing to GPL2...

...then I think you could help make
http://www.debian.org/doc/manuals/securing-debian-howto/ up2date again! :-)

And that would really rock!

> Any comments are welcome - and sorry about my terrible English.

I think your English is fine, really.


regards,
Holger




Re: Kernel upgrade for 3Ware Driver issues?

2008-04-24 Thread Holger Levsen
Hi,

On Wednesday 23 April 2008 13:24, Rolf Kutz wrote:
> Ack. But there should be a way to fix rc-bugs even
> after release.

There is. Even for ("only") important bugs. 

The howto in short: have a bug with patch in the BTS, send mail to 
debian-release and ask about this bug to be allowed to be fixed in a point 
release (by an upload to stable-proposed-updates, which is then later allowed 
to be migrated to stable). This happens all the time. (Since sarge IIRC.)

So there is absolutely no need (and no use) in turning something into a security
issue which isn't one.


regards,
Holger




Re: oCERT

2008-04-14 Thread Holger Levsen
Hi,

[removed some of the cc:s]

On Sunday 13 April 2008 02:23, Andrea Barisani wrote:
> We already agreed that CC-BY-NC is not open enough, that's why we will
> consider CC-BY.
>
> I believe that license address your concerns, right?

If it's CC-BY 3.0, yes. 2.5 is not good enough, afaik ;)


regards,
Holger




Re: Is oldstable security support duration something to be proud of?

2008-03-11 Thread Holger Levsen
Hi Marc,

and everybody else: please don't feed the troll. He was well known from
debian-release@, now debian-www@ and debian-security@ know him as well, and he
will probably proceed to another channel.

Business as usual on the internet. I expect you received silly spam today too, 
do you want to hear about mine? I'd rather not. 

BTW, FWIW: the bug in question was closed, before this topic even got moved to 
this list. I have to admit, this was a quite excellent example of trolling, 
kudos!


regards & have a nice day,
Holger




Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix several vulnerabilities

2007-09-28 Thread Holger Levsen
Hi,

On Friday 28 September 2007 14:45, Johannes Wiedersich wrote:
> IIRC, this should apply only to upgrades from sarge. It's covered in
> Etch's release notes [1].

I stand corrected, thanks for pointing this out.

> [1]
> http://www.de.debian.org/releases/stable/i386/release-notes/ch-upgrading.en.html#s-for_next


regards,
Holger




Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix several vulnerabilities

2007-09-28 Thread Holger Levsen
Hi,

On Friday 28 September 2007 14:32, Marcin Owsiany wrote:
> It's just a warning, so not _that_ bad...

Not that bad, but every time I see it, I think "bad QA", which is bad.


regards,
Holger




Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix several vulnerabilities

2007-09-28 Thread Holger Levsen
Hi,

On Friday 28 September 2007 11:18, Jan Wagner wrote:
> > Running postinst hook script /sbin/update-grub.
> > You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub
> > instead!
> you need to modify /etc/kernel-img.conf!

I believe this happens with a freshly installed etch system, so this is bad. 
(Though off-topic for -security.)


regards,
Holger




Re: [SECURITY] [DSA 1258-1] New Mozilla Firefox packages fix several vulnerabilities

2007-02-07 Thread Holger Levsen
Hi Noah,

On Wednesday 07 February 2007 17:36, Noah Meyerhans wrote:
> The errors have already been corrected:
> http://www.debian.org/security/2007/dsa-1258

This is great, as the work of the security team usually is. But still, people 
are subscribed to the lists and it would be nice, if they could get the 
corrected information here as well, and not only on the web. Especially if 
there is a thread about a particular DSA.

Thanks for giving this link now.


regards,
Holger




Re: [SECURITY] [DSA 1258-1] New Mozilla Firefox packages fix several vulnerabilities

2007-02-07 Thread Holger Levsen
Hi,

On Wednesday 07 February 2007 14:07, Martin Schulze wrote:
> Lalala

WTF? At least you used a proper from:-header...

Could you *please* correct your errors (which are no problem per se)
in a professional way?

Thanks.


regards,
Holger




Re: What's going on with advisory for phpmyadmin?

2005-10-29 Thread Holger Levsen
Hi,

On Saturday 29 October 2005 05:53, Horms wrote:
> On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote:
> >   If it is useful I could begin sending out a form response, something
> >  like "Yes we received your report, yes we will fix it, please have
> >  patience".
> I think some sort of confirmation would be invaluable.

/me nods.

The form should include the note that it's a form, but sent manually.


regards,
Holger




Re: Request for example tripwire policy files for "/var"

2005-05-19 Thread Holger Levsen
Hi,

On Wednesday 18 May 2005 16:18, Thomas Bushnell BSG wrote:
> Declan Mullen <[EMAIL PROTECTED]> writes:
> > I need to develop appropriate tripwire policy rules for the files and
> > directories under "/var/" on Sarge. Being new to Debian, I would
> > appreciate receiving any example policy rules/files that I could learn
> > from, many thanks.
>
> Um, it sounds as if you've decided what you need without knowing
> whether you need it or not, or without knowing what you need it for.

how helpful!  :-(

Declan, you might want to read 
http://www.debian.org/doc/manuals/securing-debian-howto/ - it also has 
chapters dealing with your question, but I suggest you start reading it from 
the beginning...


regards,
Holger

