Re: Bug#959066: ITP: amazon-ec2-utils -- Utilities to manage Amazon EC2 instance storage
On Tuesday, 28 April 2020 15:40:37 PDT Noah Meyerhans wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Noah Meyerhans
>
> * Package name: amazon-ec2-utils
>   Version : 1.3
> * URL : https://github.com/aws/amazon-ec2-utils
> * License : MIT
>   Programming Lang: Python

This seems to be a mistake. The upstream repository does not contain any Python code. It is written in bash.

>   Description : Utilities to manage Amazon EC2 instance storage
>
> Amazon-ec2-utils contains tools to help manage network attached storage
> resources on Amazon EC2 virtual machines. This includes:
>
> - The ebsnvme-id utility to read and report information about NVME-attached
>   EBS volumes
> - udev configuration to ensure that NVME storage devices are accessible via
>   names that reflect the Amazon EC2 API drive mapping configuration
>
> This package will be maintained by the Debian cloud team.
Bug#959066: ITP: amazon-ec2-utils -- Utilities to manage Amazon EC2 instance storage
Package: wnpp
Severity: wishlist
Owner: Noah Meyerhans

* Package name: amazon-ec2-utils
  Version : 1.3
* URL : https://github.com/aws/amazon-ec2-utils
* License : MIT
  Programming Lang: Python
  Description : Utilities to manage Amazon EC2 instance storage

Amazon-ec2-utils contains tools to help manage network attached storage resources on Amazon EC2 virtual machines. This includes:

- The ebsnvme-id utility to read and report information about NVME-attached EBS volumes
- udev configuration to ensure that NVME storage devices are accessible via names that reflect the Amazon EC2 API drive mapping configuration

This package will be maintained by the Debian cloud team.
Re: Third-party forks of packaged projects
On Sat, 2020-04-25 at 20:31 +0200, Thomas Goirand wrote:
> I'd say that it depends, and that it should be addressed on the
> case-by-case basis.

I do have another scenario I'd like to address. ADIOS uses a stack of closely related but separate projects, all developed by Greg Eisenhauer, which, as far as I know, are not used by any other major software project. ADIOS is the main driver behind them. The projects are the following:

https://github.com/GTkorvo/atl
https://github.com/GTkorvo/dill
https://github.com/GTkorvo/EVPath
https://github.com/GTkorvo/ffs

ADIOS vendors these projects as well. Are these reasonable to be packaged with ADIOS, or should they be packaged separately?

Kyle
Bug#959045: RFP: msbuild -- build platform for .NET and Visual Studio
Package: wnpp
Severity: wishlist

* Package name: msbuild
  Version : 1:16.5+xamarinxplat.2020.01.10.05.36
  Upstream Author : Jo Shields
* URL : http://www.github.com/mono/msbuild
* License : MIT
  Programming Lang: C#
  Description : build platform for .NET and Visual Studio

The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but MSBuild does not depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can orchestrate and build products in environments where Visual Studio isn't installed.

I personally find this request to be important because Debian and its derivatives only ship mono-xbuild, which is deprecated. It tells users to use the MSBuild package instead, but so far there is no MSBuild package except if the Mono repository is added to sources.list. However, because I am planning to make a package for my Visual Basic application that installs flawlessly without requiring the addition of Mono's repository, I find that adding the requirement to add their repository just for one MSBuild package is so unnecessary. So, I use it to build Visual Basic and C# solutions during the package build step. There is one package that is Mono's implementation of MSBuild called mono-xbuild, but it's deprecated and based on Visual Studio 2015, so that package doesn't fit my needs, because I don't want to use deprecated packages to build my solutions and to make packages based on them.

msbuild as a source has two binary packages:

* msbuild: This package contains the main msbuild build system
* msbuild-sdkresolver: This package contains the managed portion of the helper library which will auto-discover the .NET Core SDK on your system
Re: Salsa update: no more "-guest" and more
On 2020-04-28 18:48, Jeremy Stanley wrote:
> On 2020-04-28 14:32:55 +0200 (+0200), Bernd Zeimetz wrote:
>> On 2020-04-28 14:27, PICCA Frederic-Emmanuel wrote:
>>> Is it possible to use its ssh key in order to have access to
>>> the salsa api? I mean instead of the token, which looks to me
>>> quite fragile compared to ssh via a gpg card and the gpg agent.
>>
>> The api works with a token - and without 2fa. That will not change
>> if you enforce 2fa.
>>
>> If you use ssh, you can create an own account for the ssh key and
>> give it very special permissions, if you need it for automatic
>> pushes or similar things.
>
> So to summarize, 2FA in Salsa may protect against someone losing
> control of their WebUI credentials, but does nothing to secure against
> theft of API keys they've generated, nor of an SSH key
> persisted/forwarded in an agent or left lying around unencrypted (or
> easily guessed because someone made unfortunate choices when patching
> a random number generator).

Hopefully adding those requires reauthenticating with 2FA even in an open session.

> Before adding security controls, it's a good idea to assess your
> threat model. Is it the same as projects which experienced high
> profile compromises like the Linux kernel archive or Matrix, where
> the attackers leveraged stolen SSH keys to gain a foothold? What is
> Salsa hosting which would be sensitive if altered? Source code. And
> how are those alterations normally applied? Git over SSH. (Granted,
> there's discussion of using its WebUI to authenticate sessions for
> other project systems, so that does potentially change the risks
> involved.)

While that's true, that's also a "it needs to provide perfect security" argument. While I'd also like to see 2FA gain proper support for authenticated key use including touch (FIDO/U2F support landed in OpenSSH), it also solves a different problem. The problem here is phishing. And unfortunately even the most technically adept users can be phished when they let their guard down.

> I agree that having 2FA support in Salsa is great, but providing it
> for those who want to rely on it for their accounts is different from
> unilaterally forcing it on all users even if they find it a
> significant additional inconvenience for little actual benefit.
> Thankfully, it sounds like the Salsa admins plan to keep use of 2FA
> voluntary.

It's a risk assessment and one of the population it needs to support. I think one should encourage people to set up 2FA and if necessary send out some hardware if there's an undue hardship. And then eventually make it mandatory. I fully understand that this is currently infeasible, but if Salsa is going to be the primary development platform we eventually need to trust, it should probably go into the direction of having a 2FA requirement as an ultimate goal. Or we decide not to trust it because of its exposure and everyone else needs to work around that. I know ftp-master, DSA and other service owners have to do this today for good reasons. That pushes the cost elsewhere of course. On the other hand it's not the worst idea to require signatures on all commits instead.

Kind regards
Philipp Kern
Re: Salsa update: no more "-guest" and more
On 2020-04-28 14:32:55 +0200 (+0200), Bernd Zeimetz wrote:
> On 2020-04-28 14:27, PICCA Frederic-Emmanuel wrote:
>> Is it possible to use its ssh key in order to have access to
>> the salsa api? I mean instead of the token, which looks to me
>> quite fragile compared to ssh via a gpg card and the gpg agent.
>
> The api works with a token - and without 2fa. That will not change
> if you enforce 2fa.
>
> If you use ssh, you can create an own account for the ssh key and
> give it very special permissions, if you need it for automatic
> pushes or similar things.

So to summarize, 2FA in Salsa may protect against someone losing control of their WebUI credentials, but does nothing to secure against theft of API keys they've generated, nor of an SSH key persisted/forwarded in an agent or left lying around unencrypted (or easily guessed because someone made unfortunate choices when patching a random number generator).

Before adding security controls, it's a good idea to assess your threat model. Is it the same as projects which experienced high profile compromises like the Linux kernel archive or Matrix, where the attackers leveraged stolen SSH keys to gain a foothold? What is Salsa hosting which would be sensitive if altered? Source code. And how are those alterations normally applied? Git over SSH. (Granted, there's discussion of using its WebUI to authenticate sessions for other project systems, so that does potentially change the risks involved.)

I agree that having 2FA support in Salsa is great, but providing it for those who want to rely on it for their accounts is different from unilaterally forcing it on all users even if they find it a significant additional inconvenience for little actual benefit. Thankfully, it sounds like the Salsa admins plan to keep use of 2FA voluntary.

-- 
Jeremy Stanley
RE:Salsa update: no more "-guest" and more
> If you use ssh, you can create an own account for the ssh key and give
> it very special permissions, if you need it for automatic pushes or
> similar things.

In fact I would like to use the salsa command from devscripts but without the token. My private ssh key was generated from my private gpg key inside my nitrokey pro card. Is it possible?
Re: Salsa update: no more "-guest" and more
On Tue, Apr 28, 2020 at 02:32:55PM +0200, Bernd Zeimetz wrote:
> If you use ssh, you can create an own account for the ssh key and give
> it very special permissions, if you need it for automatic pushes or
> similar things.

Or add it as writable deploy key to a project.

Bastian

-- 
I'm a soldier, not a diplomat. I can only tell the truth.
		-- Kirk, "Errand of Mercy", stardate 3198.9
Re: Salsa update: no more "-guest" and more
On 4/28/20 2:30 PM, Bernd Zeimetz wrote:
>
> On 4/27/20 2:49 AM, Paride Legovini wrote:
>> An active MITM attack is way more complicated than just sniffing and
>> storing traffic for later analysis. Changing the 2FA or password is not
>> a great strategy, as you would immediately realize what's going on.
>> Silently gaining access to an account allows to act when the conditions
>> are the best from the attacker's point of view.
>
> Exactly.
> An attacker would gain access to a few accounts, wait and see what they
> can do with the gained permissions in the long run. And at some point
> compromise something.
>
> 2FA stops this kind of attacks completely. Without a current 2fa token,
> your password knowledge is useless.
>
> Gaining access with a MITM attack once gives you a very short amount of
> time to do whatever you want to do, as your login will be gone as soon
> as the next login without MITM happens.

That's not the case. An MITM attack could gain a session and maintain it open, while the end user would just notice "oh shit, I mis-typed the 2FA numbers, let's try again". Then the only thing the attacker needs to do is keep the session open to not lose access...

Cheers,

Thomas Goirand (zigo)
RE:Salsa update: no more "-guest" and more
Is it possible to use its ssh key in order to have access to the salsa api? I mean instead of the token, which looks to me quite fragile compared to ssh via a gpg card and the gpg agent.

cheers

Frederic
Re: Salsa update: no more "-guest" and more
On 2020-04-28 14:27, PICCA Frederic-Emmanuel wrote:
> Is it possible to use its ssh key in order to have access to the salsa
> api? I mean instead of the token, which looks to me quite fragile
> compared to ssh via a gpg card and the gpg agent.

The api works with a token - and without 2fa. That will not change if you enforce 2fa.

If you use ssh, you can create an own account for the ssh key and give it very special permissions, if you need it for automatic pushes or similar things.

-- 
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de   http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Re: Salsa update: no more "-guest" and more
On 4/27/20 2:49 AM, Paride Legovini wrote:
> An active MITM attack is way more complicated than just sniffing and
> storing traffic for later analysis. Changing the 2FA or password is not
> a great strategy, as you would immediately realize what's going on.
> Silently gaining access to an account allows to act when the conditions
> are the best from the attacker's point of view.

Exactly.
An attacker would gain access to a few accounts, wait and see what they can do with the gained permissions in the long run. And at some point compromise something.

2FA stops this kind of attacks completely. Without a current 2fa token, your password knowledge is useless.

Gaining access with a MITM attack once gives you a very short amount of time to do whatever you want to do, as your login will be gone as soon as the next login without MITM happens.

-- 
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de   http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Re: Salsa update: no more "-guest" and more
On 4/26/20 10:29 PM, Jeremy Stanley wrote:
> You're already seeing quite a few folks responding that being
> required to use an additional application or device each time they
> authenticate would be an inconvenience to them. This is a signal. I
> personally wouldn't enjoy being prompted to activate my TOTP client
> software every time I invoke `git push` so I can understand the
> resistance to your proposal.

Well, use an ssh key then. No need for 2fa there.

-- 
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de   http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Bug#959032: ITP: alertmanager-irc-relay -- Send Prometheus Alerts to IRC using Webhooks
Package: wnpp
Severity: wishlist
Owner: Filippo Giunchedi

* Package name: alertmanager-irc-relay
  Version : 0.1.0-1
  Upstream Author : Google
* URL : https://github.com/google/alertmanager-irc-relay
* License : Apache-2.0
  Programming Lang: Go
  Description : Send Prometheus alerts to IRC using Webhooks

Alertmanager IRC Relay

Alertmanager IRC Relay is a bot relaying Prometheus (https://prometheus.io/) alerts to IRC. Alerts are received from Prometheus using Webhooks (https://prometheus.io/docs/alerting/configuration/#webhook-receiver-
Bug#959033: ITP: golang-github-fluffle-goirc -- Event-based stateful IRC client framework for Go.
Package: wnpp
Severity: wishlist
Owner: Filippo Giunchedi

* Package name: golang-github-fluffle-goirc
  Version : 1.0.3-1
  Upstream Author : Alex Bee
* URL : https://github.com/fluffle/goirc
* License : BSD-3-clause
  Programming Lang: Go
  Description : Event-based stateful IRC client framework for Go.

GoIRC provides a simple to use but fully fledged IRC client implemented in Go.
Labour relations during the state of emergency – opportunities provided by the new provisions of the Labour Code and the State of Emergency Act - BGN 60 per participant
If you cannot read this email, please click here [1]

Labour relations during the state of emergency – opportunities provided by the new provisions of the Labour Code and the State of Emergency Act [2]

Date: 21.05.2020
Course registration: 09:00 – 09:30
Duration: 09:30 – 15:00
Format: Online (webinar)

Participants will receive an access link and will be able to take part in the seminar in real time at the scheduled hour and ask their questions.

Main course content:

1. Regulation of labour relations in the Act on the Measures and Actions during the State of Emergency declared by decision of the National Assembly of 13 March 2020 (ZMDVIPORNS).
2. The new provisions of the Labour Code adopted with the ZMDVIPORNS of 13 March 2020. The new and existing possibilities in labour legislation for introducing flexible working hours and remote work and for reducing working hours as a protective measure for employees against the spread of the COVID-19 virus.
3. Suspension of work, continuing work from home, or work in the offices and workplaces of the enterprise: requirements under each working arrangement.
4. The right to grant leave to employees, declaring idle time, termination of employment relationships.
5. Mass layoffs – what employers should pay attention to when terminating the employment contracts of a large number of workers or employees.
6. Special categories of workers who enjoy protection against dismissal, including on the grounds of Art. 328, para. 1, item 4 of the Labour Code.
7. Council of Ministers Decree No. 55 laying down the conditions and procedure for paying compensation to employers in order to preserve the employment of workers and employees when work is suspended due to the state of emergency declared by decision of the National Assembly of 13 March 2020. Analysis of the provisions: deadlines, possibilities, restrictions faced by employers when applying for payment of the compensation.
8. Changes to:
   - the Ordinance on working hours, rest periods and leave
   - the Ordinance on the structure and organisation of wages for 2020

Course leader: Teodora Dicheva

Teodora Dicheva worked for over 21 years at the General Labour Inspectorate Executive Agency (IA "GIT"), 10 of them as director of the "Legal Support of Inspection Activities" directorate. She is currently part of the team of the Ombudsman of the Republic of Bulgaria, where she is head of a department responsible for "Social Policy, Education and Healthcare". She is the author of numerous publications on topics related to labour legislation and healthy and safe working conditions.

Early registration price until 11 May: BGN 60 excluding VAT (BGN 72 including VAT).

Further information and registration [3]

Address: Sofia, 92 Maria Luiza Blvd., 5th floor
EMAIL off...@tbsconsulting.eu
www.tbsconsulting.eu
Contacts: 02 8310033, 0888 603 724, 0888 605 002

You are receiving this letter on the basis of the legitimate interest of "TBS Consulting" EOOD for direct marketing purposes. We believe and hope that the information we send about the events we organise is useful to you and makes it easier for you to choose the most suitable way to keep up with the latest changes in the regulatory framework. If you do not wish to receive letters for advertising purposes, reply to this letter with the text "ОТПИШИ" (UNSUBSCRIBE).

Full information on how we process your personal data is available in the PRIVACY NOTICE [4]

Copyright © 2018 TBS consulting, All rights reserved.

Links:
[1] https://events.tbsconsulting.eu/mailster/9463/7f0b9c8cba5f4e9849b5c891c36217d9/aHR0cHM6Ly9ldmVudHMudGJzY29uc3VsdGluZy5ldS9uZXdzbGV0dGVyLyVkMSU4MiVkMSU4MCVkMSU4MyVkMCViNCVkMCViZSVkMCViMiVkMCViOCVkMSU4MiVkMCViNS0lZDAlYmYlZDElODAlZDAlYjAlZDAlYjIlZDAlYmUlZDAlYmUlZDElODIlZDAlYmQlZDAlYmUlZDElODglZDAlYjUlZDAlYmQlZDAlYjglZDElOGYtJWQwJWIyLSVkMCViZiVkMCViNSVkMSU4MCVkMCViOCVkMCViZSVkMCViNC0lZDAlYmQlZDAlYjAtMjAv
[2] https://events.tbsconsulting.eu/mailster/9463/7f0b9c8cba5f4e9849b5c891c36217d9/aHR0cHM6Ly90YnNjb25zdWx0aW5nLmV1L2t1cnNvdmUvOTEtc2NoZXRvdm9kc3ZvLzUyOS16YWtvbi1penZhbnJlZG5vLXBvbG9nZW5pZS0yMDIw
[3] https://events.tbsconsulting.eu/mailster/9463/7f0b9c8cba5f4e9849b5c891c36217d9/aHR0cHM6Ly90YnNjb25zdWx0aW5nLmV1L2t1cnNvdmUvOTEtc2NoZXRvdm9kc3ZvLzUyOS16YWtvbi1penZhbnJlZG5vLXBvbG9nZW5pZS0yMDIw/1
[4] https://events.tbsconsulting.eu/mailster/9463/7f0b9c8cba5f4e9849b5c891c36217d9/aHR0cHM6Ly90YnNjb25zdWx0aW5nLmV1L3V2ZWRvbWxlbmllLXphLXBvdmVyaXRlbG5vc3Q
Bug#959026: ITP: ironic-tempest-plugin -- OpenStack Integration Test Suite - Ironic plugin
Package: wnpp
Severity: wishlist
Owner: Thomas Goirand

* Package name: ironic-tempest-plugin
  Version : 2.0.0
  Upstream Author : OpenStack Foundation
* URL : https://opendev.org/openstack/ironic-tempest-plugin
* License : Apache-2.0
  Programming Lang: Python
  Description : OpenStack Integration Test Suite - Ironic plugin

Tempest is a set of integration tests to be run against a live Openstack cluster in order to make sure that all components are working as expected. Tempest will start and stop virtual machines in order to check that your cloud is working as expected.
.
This package contains the Ironic plugin.
Re: Salsa update: no more "-guest" and more
On 2020-04-28 05:08, Wookey wrote:
> On 2020-04-26 14:07 +0200, Bernd Zeimetz wrote:
>> Hi,
>>
>> Google Authenticator is a software-based authenticator by Google that
>> implements two-step verification services using the Time-based One-time
>> Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time
>> Password algorithm (HOTP; specified in RFC 4226), for authenticating
>> users of software applications.
>>
>> There are even cli tools that do the same stuff. I'd guess there is at
>> least one on Debian.
>
> yes oathtool. But this is still a PITA for sites where it is required,
> like microsoft and google. I don't want to have to do this for Debian
> stuff too. (run this auth program, then have a menu to say which site I
> am making the number for so it knows which token to use, then paste the
> resulting magic number into a webform). Are you proposing something
> less tiresome than this?
>
> I would much prefer to continue to be trusted not to have a shit
> password and take reasonable care in using it. Or that PAKE thing
> sounded like it might work quite well and the site didn't have to keep
> the whole password list.
>
> But my experience of 2FA so far has been deeply irksome, so I resent it
> being enforced, unless there is some way of not having to go through
> that rigmarole every time (the above sites generally only make me do it
> every two weeks - if it was every time I'd explode). But if every site
> started doing this it would be truly awful - one has hundreds of logins
> these days.
>
> Debian is one place that has a reasonably competent userbase - I remain
> unconvinced that we need to change things.

It's kinda weird that the solution exists with 2FA FIDO tokens using webauthn. (Like the current generation of Yubikeys but there are of course others.) Gitlab supports that. I mean I don't want to suggest that buying hardware is required, but that's literally what they were designed for. Automatically dealing with origin information sanely and then a touch signs you in. OTPs are as phishable as passwords.

Kind regards
Philipp Kern