Bug#893377: RFS: taptempo/1.2.1-1 [ITP]

[Lumin]

Hi François,

I'm trying to apply for DD so I'm helping newcomers to review their
packages. As agreed by Gianfranco, once we've finished polising
the packaging, he will check and sponsor the package.

Now your package is in good shape, and there is nothing left to
be dealt with except for waiting for the sponsorship.
Let's hope Gianfranco will find a time doing the sponsorship.

Regards,

On 9 April 2018 at 17:43, François Mazen  wrote:
> Hi Lumin,
>
> I just want to know if I must do something to go on with the
> integration of TapTempo into Debian.
> Should I submit again a RFS for the new package version?
>
> Thanks a lot for your help,
> François
>
>
> Le mardi 03 avril 2018 à 23:13 +0200, François Mazen a écrit :
>> Hi Lumin,
>>
>> upload to mentors done, please check:
>> https://mentors.debian.net/package/taptempo
>>
>> Regards,
>>
>> François
>>
>>
>>
>> Le mardi 03 avril 2018 à 06:17 +, Lumin a écrit :
>> > Hi François,
>> >
>> > On 31 March 2018 at 21:59, François Mazen  wrote:
>> > >
>> > > This program is useful to quickly find the tempo of a song.
>> > > The idea is to type "taptempo" in a terminal, then hit enter key
>> > > at
>> > > each beat while hearing a song, and display the tempo.
>> > >
>> > > The targeted people are mainly musicians who need to transcribe
>> > > music
>> > > or play the song at the exact original tempo. The typical
>> > > situation
>> > > to
>> > > use this software is when you are in a hurry and you don't have
>> > > time to
>> > > launch a big workstation like Ardour or Lmms in order to find the
>> > > tempo.
>> >
>> > Got it. Thank you for this explanation.
>> >
>> > >
>> > > > 8. When you have built the latest version of the modified
>> > > > package,
>> > > > you could run lintian against it:
>> > > >
>> > > > lintian -EviI --pedantic .changes
>> > > >
>> > > > There generally shouldn't be any Error or Warning.
>> > >
>> > > I've fixed all the error and the lintian output should be clean.
>> >
>> > You have done quite a good job making the package in a good shape,
>> > and making the upstream very standard.
>> >
>> > By the way I'm surprised that you have fixed all lintian outputs,
>> > including the pedantic stuff. The pedantic items are only optional,
>> > not what must be fixed. Errors and Warnings should be dealt with,
>> > and some lintian Info can even pass if the maintainer has a good
>> > reason.
>> >
>> > In return everything's shining and in good shape :-)
>> >
>> > > Let me know if it still require more work.
>> >
>> > Nitpicking:
>> >
>> > 1. Please collapse the two lines in changelog into one. They refer
>> > to
>> > the same thing.
>> >
>> > -  * Initial debian package.
>> > -  * Closes: #893306
>> > +  * Initial debian package. (Closes: #893306)
>> >
>> > 2. there is still an autpkgtest problem:
>> >
>> > autopkgtest [07:01:02]: test version: [---
>> > spawn taptempo --version
>> > couldn't execute "taptempo": no such file or directory
>> > while executing
>> > "spawn taptempo --version"
>> > (file
>> > "/tmp/autopkgtest.C3pEq9/build.uWo/src/debian/tests/version" line
>> > 6)
>> > autopkgtest [07:01:03]: test version: ---]
>> > autopkgtest [07:01:03]: test version:  - - - - - - - - - - results
>> > -
>> > -
>> > - - - - - - - -
>> > version  FAIL non-zero exit status 1
>> > autopkgtest [07:01:03]: test version:  - - - - - - - - - - stderr -
>> > -
>> > - - - - - - - -
>> > couldn't execute "taptempo": no such file or directory
>> > while executing
>> > "spawn taptempo --version"
>> > (file
>> > "/tmp/autopkgtest.C3pEq9/build.uWo/src/debian/tests/version" line
>> > 6)
>> >
>> > this can be fixed by the patch. It looks somewhat wired but we need
>> > it.
>> >
>> > --- a/debian/tests/control
>> > +++ b/debian/tests/control
>> > @@ -1,2 +1,2 @@
>> >  Tests: version, help, tempo
>> > -Depends: expect
>> > +Depends: expect, taptempo
>> >
>> > The autopkgtest result after patched:
>> >
>> > http://debomatic-amd64.debian.net/distribution#unstable/taptempo/1.
>> > 3.
>> > 0-1/autopkgtest
>> >
>> > build result:
>> >
>> > http://debomatic-amd64.debian.net/distribution#unstable/taptempo/1.
>> > 3.
>> > 0-1/buildlog
>> >
>> > > Should I update this new package to the mentors website?
>> >
>> > Yes, please fix the two problem mentioned above, and upload to
>> > mentors.
>> >
>> > Thank you for you contribution to Debian, and have a good day.



-- 
Best,

Bug#895337: RFS: 9wm/1.4.1-1

[Jacob Adams]

Package: sponsorship-requests
Severity: normal

  Dear mentors,

  I am looking for a sponsor for my package "9wm"

 * Package name: 9wm
   Version : 1.4.1-1
   Upstream Author : Jacob Adams 
 * URL : https://github.com/9wm/9wm
 * License : Expat
   Section : x11

  It builds those binary packages:

9wm   - X11 window manager inspired by Plan 9's rio

  To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/9wm


  Alternatively, one can download the package with dget using this command:

dget -x
https://mentors.debian.net/debian/pool/main/9/9wm/9wm_1.4.1-1.dsc

  Changes since the last upload:
9wm (1.4.1-1) unstable; urgency=medium

  * New upstream version
  * Manual page now states that 9wm spawns a xterm by default (Closes:
#864194)
  * Bump standards version; no changes

 -- Jacob Adams   Mon, 09 Apr 2018 21:27:48 -0400


  Regards,
   Jacob Adams



signature.asc
Description: OpenPGP digital signature

Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]

[Yanhao Mo]

On Mon 04/09 14:02, Adam Borowski wrote:
> On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote:
> > Hi, Adam
> > Very thanks for checking my package and pointing these issues.
> > I have communicate with upstream author of deepin-system-monitor, and he
> > confirmed these security problems. As a result, he is willing to modify
> > d-s-m sources to limited the privilege operations within a very small
> > helper program with some capabilities, at the same time he
> > will refactor gui program of d-s-m to perform these operations by
> > sending request to the helper program via dubs. The helper program will
> > refuse any other request which is not sent from d-s-m.
> 
> You might want to ask someone with a clue about policykit/etc for advice.  I
> don't currently even know where to look.
> 
> > I hope this will fix these issues. And that will take some times. So
> > let's wait.
> 
> There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until
> November or December.
> 
> But, you might want to just drop the caps: a system monitor that can kill
> only your own processes is pretty useful; this is what all other similar
> tools do.  Elevating to kill others might be useful but is not the primary
> feature I'd expect from such a program.
> 
> Obviously, this is moot if you prefer to wait for the full fix.
> 
> > For the nethogs part, the situation is: d-m-s need a library from
> > it, but the nethogs maintainer of debian doesn't package libnethogs
> > separately, we(pkg-deepin team) have already request for that [1], but
> > got no reply. So I decided to use the nethogs sources within upstream
> > d-m-s source tree directly to build d-m-s. Maybe this is a bad idea?
> > Maybe it's better to take a nmu upload for nethogs? Some advice is
> > very appreciated.
> 
> Looking at the maintainer's QA page:
> https://qa.debian.org/developer.php?email=kretcheu%40gmail.com
> I see he's not very active but nowhere close to being gone (did three
> uploads of other packages this year).  It's likely he saw the request but
> couldn't act on it immediately -- what about pinging him if that's the case?
> Also, most people are a lot more willing to accept a patch compared to being
> told to do the work themselves.
> 
> > > d-s-m crashed for me twice (segfault) while casually perusing it,
> > As for this. The upstream author says It's very sorry for the insufficient
> > testing. He will try his best to find why and fix it.
> 
> It seems both of these segfaults happened while shutting down the program.
> 
> 
> Meow!
> -- 
> ⢀⣴⠾⠻⢶⣦⠀ 
> ⣾⠁⢰⠒⠀⣿⡁ 
> ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
> ⠈⠳⣄

I will try to communicate more with the upstream author several times,
to help him to believe policykit is a better solution before he start to
refactor the code. During this time, I will prepare a patch set and send
to nethogs maintainer to try to solve the libnethogs problem. Thanks the
advice about this :) .


-- 
Yanhao Mo


signature.asc
Description: PGP signature

Bug#895310: RFS: golang-github-zyedidia-glob/0.0~git20170209.dd4023a-1 [ITP] -- Go package for glob matching

[I Sagar]

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "golang-github-zyedidia-glob"

* Package name    : golang-github-zyedidia-glob
  Version : 0.0~git20170209.dd4023a-1
  Upstream Author : Zachary Yedidia
* URL : https://github.com/zyedidia/glob
* License : Expat
  Section : devel

It builds those binary packages:

golang-github-zyedidia-glob-dev - Go package for glob matching

To access further information about this package, please visit the
following URL:

https://mentors.debian.net/package/golang-github-zyedidia-glob


Alternatively, one can download the package with dget using this command:

dget -x
https://mentors.debian.net/debian/pool/main/g/golang-github-zyedidia-glob/golang-github-zyedidia-glob_0.0~git20170209.dd4023a-1.dsc

More information about golang-github-zyedidia-glob can be obtained from
https://github.com/zyedidia/glob.

Changes since the last upload:

golang-github-zyedidia-glob (0.0~git20170209.dd4023a-1) unstable;
urgency=medium

  * Initial release (Closes: #895021)


Regards,
Sagar Ippalpalli

Bug#895287: marked as done (RFS: groonga/8.0.1-1)

[Debian Bug Tracking System]

Your message dated Mon, 9 Apr 2018 20:47:05 +0200
with message-id <20180409184705.r5ktmdikl6kcq...@angband.pl>
and subject line Re: Bug#895287: RFS: groonga/8.0.1-1
has caused the Debian Bug report #895287,
regarding RFS: groonga/8.0.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "groonga"

* Package name: groonga
  Version : 8.0.1-1
  Upstream Author : Groonga Project 
* Url : http://groonga.org/
* Licenses: LGPL-2.1
  Section : database

It builds those binary packages:

  * groonga
  * groonga-server-common
  * groonga-server-gqtp
  * libgroonga-dev
  * libgroonga0
  * groonga-tokenizer-mecab
  * groonga-token-filter-stem
  * groonga-plugin-suggest
  * groonga-bin
  * groonga-httpd
  * groonga-doc
  * groonga-examples
  * groonga-munin-plugins

To access further information about this package, visit the following URL:

https://mentors.debian.net/package/groonga

Alternatively, one can download the package with dget using this command:
dget -x 
https://mentors.debian.net/debian/pool/main/g/groonga/groonga_8.0.1-1.dsc


More information about groonga can be obtained from
http://groonga.org/

Changes since last upload:

  * New upstream release.
  * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch
- Refresh patch to fix FTBFS on kFreeBSD.
  * debian/patches/remove-groonga-keyring-postrm.patch
- Remove non-existent file.

Regards,


pgpxrVzFhijDC.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
On Mon, Apr 09, 2018 at 09:44:01PM +0900, Kentaro Hayashi wrote:
> * Package name: groonga
>   Version : 8.0.1-1

> Changes since last upload:
> 
>   * New upstream release.
>   * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch
> - Refresh patch to fix FTBFS on kFreeBSD.
>   * debian/patches/remove-groonga-keyring-postrm.patch
> - Remove non-existent file.

✓

-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
⠈⠳⣄--- End Message ---

Re: C++ and Python package combined

[Leopold Palomo-Avellaneda]

Nico,

On 09/04/18 15:13, Nico Schlömer wrote:
> Thanks Leo,
> 
> I've checked out ros-bond-core now and found that it's simpler than what I
> have: The Python package is installed just like the rest of the library
> with CMake, plus there are no compiled Python extensions that would need to
> link against the bond library. That's why d/rules can be so simple.
> Unfortunately, this doesn't help much with my problem.

https://salsa.debian.org/science-team/ros-vision-opencv

there's a python extension cv_bridge

https://salsa.debian.org/science-team/ros-image-common

Cheers,

Leopold


> Cheers,
> Nico
> 
> On Mon, Apr 9, 2018 at 1:18 PM Leopold Palomo-Avellaneda 
> wrote:
> 
>> On 06/04/18 16:38, Nico Schlömer wrote:
>>> Hi everyone,
>>>
>>> I would like to package a piece of software that includes both a C++
>>> library and a Python package. When building locally from scratch, one is
>>> supposed to
>>>
>>>   * build and install the library first,
>>>   (* then build and run the tests, compiling against what just has been
>>> installed,)
>>>   * then build and install the Python package, compiling against what
>> just
>>> has been installed.
>>>
>>> If C++ library and Python packages came from two different sources,
>> things
>>> would be easy. It's not clear to me though how to first install one part
>> of
>>> a source, and then another against it. Perhaps there are example packages
>>> out there that do that already.
>>>
>>> Any hints?
>>
>> Nico,
>>
>> maybe it helps. The ROS robotics packages has a lot of examples of C++
>> libraries
>> and Python code. They are located in salsa, for instance:
>>
>>  https://salsa.debian.org/science-team/ros-bond-core
>>
>> Take one eye. Look any example of package that begins with ros-
>>
>> Best regards,
>>
>> Leopold
>>
>>
>> --
>> --
>> Linux User 152692 GPG: 05F4A7A949A2D9AA
>> Catalonia
>> -
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>> A: Top-posting.
>> Q: What is the most annoying thing in e-mail?
>>
> 


-- 
--
Linux User 152692 GPG: 05F4A7A949A2D9AA
Catalonia
-
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



signature.asc
Description: OpenPGP digital signature

Re: C++ and Python package combined

[Nico Schlömer]

Thanks Leo,

I've checked out ros-bond-core now and found that it's simpler than what I
have: The Python package is installed just like the rest of the library
with CMake, plus there are no compiled Python extensions that would need to
link against the bond library. That's why d/rules can be so simple.
Unfortunately, this doesn't help much with my problem.

Cheers,
Nico

On Mon, Apr 9, 2018 at 1:18 PM Leopold Palomo-Avellaneda 
wrote:

> On 06/04/18 16:38, Nico Schlömer wrote:
> > Hi everyone,
> >
> > I would like to package a piece of software that includes both a C++
> > library and a Python package. When building locally from scratch, one is
> > supposed to
> >
> >   * build and install the library first,
> >   (* then build and run the tests, compiling against what just has been
> > installed,)
> >   * then build and install the Python package, compiling against what
> just
> > has been installed.
> >
> > If C++ library and Python packages came from two different sources,
> things
> > would be easy. It's not clear to me though how to first install one part
> of
> > a source, and then another against it. Perhaps there are example packages
> > out there that do that already.
> >
> > Any hints?
>
> Nico,
>
> maybe it helps. The ROS robotics packages has a lot of examples of C++
> libraries
> and Python code. They are located in salsa, for instance:
>
>  https://salsa.debian.org/science-team/ros-bond-core
>
> Take one eye. Look any example of package that begins with ros-
>
> Best regards,
>
> Leopold
>
>
> --
> --
> Linux User 152692 GPG: 05F4A7A949A2D9AA
> Catalonia
> -
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
>

Bug#895203: marked as done (RFS: sent/1-1 ITP)

[Debian Bug Tracking System]

Your message dated Mon, 9 Apr 2018 15:17:26 +0200
with message-id <20180409131726.a3hcqxeqaxgcq...@angband.pl>
and subject line Re: Bug#895203: RFS: sent/1-1 ITP
has caused the Debian Bug report #895203,
regarding RFS: sent/1-1 ITP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895203: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895203
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "sent"

* Package name : sent
  Version  : 1-1
  Upstream Author  : Markus Teich 
* Url  : http://tools.suckless.org/sent
* Licenses : ISC
  Programming Lang : C
  Section  : misc

 sent does not need LaTeX, libreoffice or any other fancy file format,
 it uses plaintext files to describe the slides and can include images
 via farbfeld.  Every paragraph represents a slide in the
 presentation.
 .
 The presentation is displayed in a simple X11 window. The content of
 each slide is automatically scaled to fit the window and centered so
 you also don't have to worry about alignment. Instead you can really
 concentrate on the content.

It builds those binary packages:

  * sent

This package succesfully builds on debomatic machine:

  http://debomatic-i386.debian.net/distribution#unstable/sent/1-1
Please note, that package is maintained with dgit(1) tool
using dgit-maint-merge(7) workflow. For more information about how to
sponsor this package, see dgit-sponsorship(7).

  Git repository: https://salsa.debian.org/iu-guest/sent.git
  Git branch: dgit/sid

With /bin/sh following commands should suffice:

  $ git clone https://salsa.debian.org/iu-guest/sent.git sent
  $ dgit sbuild


Regards,
  Dmitry Bogatov
--- End Message ---
--- Begin Message ---
On Sun, Apr 08, 2018 at 02:39:26PM +0300, Dmitry Bogatov wrote:
> * Package name : sent
>   Version  : 1-1

> It builds those binary packages:
> 
>   * sent

Apparently someone sponsored this already; it passed NEW, too.

-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
⠈⠳⣄--- End Message ---

Bug#895287: RFS: groonga/8.0.1-1

[Kentaro Hayashi]

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "groonga"

* Package name: groonga
  Version : 8.0.1-1
  Upstream Author : Groonga Project 
* Url : http://groonga.org/
* Licenses: LGPL-2.1
  Section : database

It builds those binary packages:

  * groonga
  * groonga-server-common
  * groonga-server-gqtp
  * libgroonga-dev
  * libgroonga0
  * groonga-tokenizer-mecab
  * groonga-token-filter-stem
  * groonga-plugin-suggest
  * groonga-bin
  * groonga-httpd
  * groonga-doc
  * groonga-examples
  * groonga-munin-plugins

To access further information about this package, visit the following URL:

https://mentors.debian.net/package/groonga

Alternatively, one can download the package with dget using this command:
dget -x 
https://mentors.debian.net/debian/pool/main/g/groonga/groonga_8.0.1-1.dsc


More information about groonga can be obtained from
http://groonga.org/

Changes since last upload:

  * New upstream release.
  * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch
- Refresh patch to fix FTBFS on kFreeBSD.
  * debian/patches/remove-groonga-keyring-postrm.patch
- Remove non-existent file.

Regards,


pgp1XQlqRK_Qd.pgp
Description: PGP signature

Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]

[Adam Borowski]

On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote:
> Hi, Adam
> Very thanks for checking my package and pointing these issues.
> I have communicate with upstream author of deepin-system-monitor, and he
> confirmed these security problems. As a result, he is willing to modify
> d-s-m sources to limited the privilege operations within a very small
> helper program with some capabilities, at the same time he
> will refactor gui program of d-s-m to perform these operations by
> sending request to the helper program via dubs. The helper program will
> refuse any other request which is not sent from d-s-m.

You might want to ask someone with a clue about policykit/etc for advice.  I
don't currently even know where to look.

> I hope this will fix these issues. And that will take some times. So
> let's wait.

There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until
November or December.

But, you might want to just drop the caps: a system monitor that can kill
only your own processes is pretty useful; this is what all other similar
tools do.  Elevating to kill others might be useful but is not the primary
feature I'd expect from such a program.

Obviously, this is moot if you prefer to wait for the full fix.

> For the nethogs part, the situation is: d-m-s need a library from
> it, but the nethogs maintainer of debian doesn't package libnethogs
> separately, we(pkg-deepin team) have already request for that [1], but
> got no reply. So I decided to use the nethogs sources within upstream
> d-m-s source tree directly to build d-m-s. Maybe this is a bad idea?
> Maybe it's better to take a nmu upload for nethogs? Some advice is
> very appreciated.

Looking at the maintainer's QA page:
https://qa.debian.org/developer.php?email=kretcheu%40gmail.com
I see he's not very active but nowhere close to being gone (did three
uploads of other packages this year).  It's likely he saw the request but
couldn't act on it immediately -- what about pinging him if that's the case?
Also, most people are a lot more willing to accept a patch compared to being
told to do the work themselves.

> > d-s-m crashed for me twice (segfault) while casually perusing it,
> As for this. The upstream author says It's very sorry for the insufficient
> testing. He will try his best to find why and fix it.

It seems both of these segfaults happened while shutting down the program.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
⠈⠳⣄

Re: C++ and Python package combined

[Leopold Palomo-Avellaneda]

On 06/04/18 16:38, Nico Schlömer wrote:
> Hi everyone,
> 
> I would like to package a piece of software that includes both a C++
> library and a Python package. When building locally from scratch, one is
> supposed to
> 
>   * build and install the library first,
>   (* then build and run the tests, compiling against what just has been
> installed,)
>   * then build and install the Python package, compiling against what just
> has been installed.
> 
> If C++ library and Python packages came from two different sources, things
> would be easy. It's not clear to me though how to first install one part of
> a source, and then another against it. Perhaps there are example packages
> out there that do that already.
> 
> Any hints?

Nico,

maybe it helps. The ROS robotics packages has a lot of examples of C++ libraries
and Python code. They are located in salsa, for instance:

 https://salsa.debian.org/science-team/ros-bond-core

Take one eye. Look any example of package that begins with ros-

Best regards,

Leopold


-- 
--
Linux User 152692 GPG: 05F4A7A949A2D9AA
Catalonia
-
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Bug#894772: [yanha...@gmail.com: Re: Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]]

[Yanhao Mo]

- Forwarded message from Yanhao Mo  -

Date: Mon, 9 Apr 2018 17:29:14 +0800
From: Yanhao Mo 
To: Adam Borowski 
Subject: Re: Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]
User-Agent: Mutt/1.9.4 (2018-02-28)

On Sun 04/08 21:55, Adam Borowski wrote:
> Hi!
> As for the packaging itself, the nethogs/ subproject is not included in the
> copyright file; it seems to be already packaged separately, too.
> 
> But, that's easy to fix.  I found a bigger problem though:
> 
> The program has a long list of caps (with a fallback to setuid), that allow
> any user perform most of root-only actions.  For example one of menus allows
> anyone to kill/suspend/resume any process in the system.  No authentication
> of any kind, no policy, just kill any process, period.
> 
> It's not just the GUI user who can do this, it's easy enough to simulate a
> GUI to have deepin-system-monitor do what any process, by any uid, wants.
> 
> And if you say "most computers don't have untrusted users", then well -- you
> still don't want some random thing running as another uid to have full
> control over the system.  And, most schools/etc will install a bunch of
> available desktop environments so individual users can choose; if Deepin is
> one of these environments, you can take over anyone else.
> 
> And even if deepin-system-monitor had appropriate access control, it's still
> a thoroughly bad idea to grant caps to a GUI process.  d-s-m crashed for me
> twice (segfault) while casually perusing it, I imagine it'd be trivial to do
> so intentionally.  And even if your code is 100% perfectly correct and
> solid, d-s-m uses many many libraries, any of which can have bugs that can
> be easy to subvert; various plugins can be loaded into the process, etc.
> There's no way this could be done securely: thus, the security boundary must
> be elsewhere.  Be it a small helper program, some kind of RPC, etc -- the
> privileged action can't be done by the GUI program.
> 
> Thus, I'm afraid that deepin-system-monitor can't go into Debian without
> some serious rethinking.  I cannot adequately assist you here, as I don't
> know the way such policies are done these days, you'd need to ask someone
> more knowledgeable than me.
> 
> I seriously hope I'm failing to understand something here...

Hi, Adam
Very thanks for checking my package and pointing these issues.
I have communicate with upstream author of deepin-system-monitor, and he
confirmed these security problems. As a result, he is willing to modify
d-s-m sources to limited the privilege operations within a very small
helper program with some capabilities, at the same time he
will refactor gui program of d-s-m to perform these operations by
sending request to the helper program via dubs. The helper program will
refuse any other request which is not sent from d-s-m.

I hope this will fix these issues. And that will take some times. So
let's wait.

For the nethogs part, the situation is: d-m-s need a library from
it, but the nethogs maintainer of debian doesn't package libnethogs
separately, we(pkg-deepin team) have already request for that [1], but
got no reply. So I decided to use the nethogs sources within upstream
d-m-s source tree directly to build d-m-s. Maybe this is a bad idea?
Maybe it's better to take a nmu upload for nethogs? Some advice is
very appreciated.

> d-s-m crashed for me twice (segfault) while casually perusing it,
As for this. The upstream author says It's very sorry for the insufficient
testing. He will try his best to find why and fix it.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893715

regards,

-- 
Yanhao Mo



- End forwarded message -

Forward message. Sorry for forgetting to cc 894...@bugs.debian.org and
pkg-deepin-de...@lists.alioth.debian.org .

-- 
Yanhao Mo


signature.asc
Description: PGP signature