Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, 26/07/2011 at 15.38 -0400, Asheesh Laroia wrote:
> On Tue, 26 Jul 2011, Julien Valroff wrote:
>> As from the maintainer personal package archive page, I understand that binary packages will be made publicly available? The page states 'deb ...' entries in sources.list. If so, I think it is a bad idea. Only source packages should be available to avoid people use this as a standard repository (I remember it used to be the case for mentors.d.n).
> For now there is no plan to share the binary packages. Originally debexpo was supposed to do that, but I think it never will actually.

(maybe OT? - I was still thinking of debexpo as in the initial plans): in fact there is no hope that we are going to have something like Ubuntu's PPAs for Debian? Is this because of a political choice, or technical mess of doing builds?

thanks for the clarification

Pietro

-- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1311750741.3354.65.ca...@voubian.casa
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, 27 Jul 2011, Julian Mehnle wrote:
> Asheesh Laroia wrote:
>> If there are any others, let me know. Otherwise, about 24 hours from now, I plan to ask signum if we can turn mentors.debian.net off, and make it a debexpo instance. That will mean losing the existing uploaded packages. But I think that's not such a huge loss.
> Don't do that. Such actions tend to piss off a significant portion of the users. Someone may *just* have spent half a day figuring m.d.n out, creating an account, and uploading their packages. Not saying m.d.n shouldn't go away, but don't treat people's work as if it was worthless (not such a huge loss, meaning not worth my time to migrate the data).

I can totally see what you mean. Point taken, and a change of plan: Any migration of mentors.debian.net to expo.debian.net will retain the package and user data. Thank you for making this clear to me.

-- Asheesh.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Pietro,

On 27.07.2011 09:12, Pietro Battiston wrote:
> in fact there is no hope that we are going to have something like Ubuntu's PPAs for Debian? Is this because of a political choice, or technical mess of doing builds?

this was heavily discussed in the kicking of Wheezy flame^W^Wthread. For example see [1][2] for (some) relevant sub threads. Quintessence, in my opinion, was that there should be something like an Ubuntu PPA for Debian, but with a slightly different focus and purpose. That is, from developers only for specific tasks. For example to supersede the current practice of developers to upload their packages non targeted to the main branches everywhere but not really transparent for their users.

That said, the realization mostly suffers from the fact, there is no software available to do this on the software side, as Launchpad is not free software, and usable alternatives don't exist.

[1] http://lists.debian.org/debian-devel/2011/05/threads.html#00029
[2] http://lists.debian.org/debian-devel/2011/05/msg00121.html

--
with kind regards, Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hello Asheesh,

Before all, thank you for this information and your work :) . The web design is nice ! A beginner like me, the main stuff will be to have a short text which explains how to upload your package on expo platform and a short reminder on the packaging process. I know these documents are available in debian policy, debian maintainers and wiki but a beginner have not the reflex to check this big documents. :) The menu colors are cool too for underline the sections.

Benoît

2011/7/26 Asheesh Laroia ashe...@asheesh.org:
> Hi all people on debian-mentors,
>
> Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.
>
> It has the following improvements over http://mentors.debian.net/ :
>
> * Maintainable code base
> * More color on the front page
> * Publicly-shown lintian results
>
> I have been spending the past couple of days at Debconf fixing up the code and the deployment.
>
> I'm hereby asking for testing and feedback:
>
> * Please try uploading a package and tell me if it works (especially tell me if it fails!).
> * Please tell me if there are features we need before it can replace mentors.debian.net. Frankly, I think it's ready as-is!
>
> Go to http://expo.debian.net/ to try it.
>
> My goal with this debexpo work is to get the app and the deployment into a usable, documented state so it can replace mentors.debian.net. Then I will shift into the background and do only patch review and documentation writing.
>
> Anyone interested in working on Debexpo, a Python + Pylons web app, should grab the source code. Some fixes require changing only the templates, and I promise to review your patches quickly (within four days, tops).
>
> Bug tracker: https://alioth.debian.org/tracker/index.php?group_id=100127&atid=413115
>
> (You can get the latest deployed source from git://expo.debian.net/live . I will push that to Alioth once I sort out some confusion with my SSH key.)
>
> -- Asheesh.
>
> P.S. There is no known way to change the Needs a sponsor field. Just delete the package if you don't need a sponsor, for now.
>
> P.P.S. Any bugs that can be fixed by just editing the templates, I hope to see people submitting patches for!
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Benoît,

On Wed, 2011-07-27 at 17:19 +0200, benoît tuduri wrote:
> A beginner like me, the main stuff will be to have a short text which explain how to upload your package on expo platform

It's already done:

You need to use dput to upload packages. See your account page to see how to configure it. Once you have it set up, you can execute:

    dput debexpo package_version_source.changes

..and when you logged in with your credential, you can see howto configure the service. Is this not enough? (or maybe I don't understand as well what you mean)

Cheers, Fabrizio.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On 27 July 2011 17:41, benoît tuduri benoit.tud...@gmail.com wrote:

Hi Fabrizio,

I have seen this notice on the website for dput command, thanks :) . But after dput, may be explain the process ? Both, briefly the before debexpo uploading workflow ? Imo, to have a little tuto on packaging on this website will be great. :)

Benoît

On 27 July 2011 17:27, Fabrizio Regalli fab...@fabreg.it wrote:

Hi Benoît,

On Wed, 2011-07-27 at 17:19 +0200, benoît tuduri wrote:
> A beginner like me, the main stuff will be to have a short text which explain how to upload your package on expo platform

It's already done:

You need to use dput to upload packages. See your account page to see how to configure it. Once you have it set up, you can execute:

    dput debexpo package_version_source.changes

..and when you logged in with your credential, you can see howto configure the service. Is this not enough? (or maybe I don't understand as well what you mean)

Cheers, Fabrizio.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, 2011-07-27 at 17:41 +0200, benoît tuduri wrote:
> Hi Fabrizio, I have seen this notice on the website for dput command, thanks :) .

You are welcome :-)

> But after dput, may be explain the process ? Both, briefly the before debexpo uploading workflow ? Imo, to have a little tuto on packaging on this website will be great. :)

Really? I think there are many documents on how to create a Debian package and from my point of view is not necessary to replicate once again them on expo.d.n. It's just my opinion :-)

Cheers, Fabrizio
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, Jul 27, 2011 at 4:42 AM, Arno Töll deb...@toell.net wrote:
> That said, the realization mostly suffers from the fact, there is no software available to do this on the software side, as Launchpad is not free software, and usable alternatives don't exist.

Launchpad is most certainly free software (though it would have to be re-branded, the icons/images are not free). [0]:

Canonical Ltd (Canonical) distributes the Launchpad source code under the GNU Affero General Public License, version 3 (AGPLv3).

Unfortunately it's still not really suitable to the task.

-- Andrew Starr-Bochicchio
Ubuntu Developer https://launchpad.net/~andrewsomething
Debian Contributor http://qa.debian.org/developer.php?login=a.starr.b%40gmail.com
PGP/GPG Key ID: D53FDCB1

[0] https://dev.launchpad.net/LaunchpadLicense
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, Jul 27, 2011 at 05:53:48PM +0200, Fabrizio Regalli wrote:
>> But after dput, may be explain the process ? Both, briefly the before debexpo uploading workflow ? Imo, to have a little tuto on packaging on this website will be great. :)
> Really? I think there are many documents on how to create a Debian package and from my point of view is not necessary to replicate once again them on expo.d.n. It's just my opinion :-)

Well, links to the policy and maint-guide won't hurt.

-- WBR, wRAR
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, 2011-07-27 at 22:10 +0600, Andrey Rahmatullin wrote:
> Well, links to the policy and maint-guide won't hurt.

Ok, maybe the links are better solution and add them are quite easy.

Cheers, Fabrizio.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, Jul 26, 2011 at 11:08:40PM +0200, Kilian Krause wrote:
> Thus neither document too publically how we do it nor what the exact internal versions are.

I don’t think security through obscurity is acceptable on Debian infrastructure.

-- Andrea Bolognani e...@kiyuko.org
Resistance is futile, you will be garbage collected.
Please try expo.debian.net -- a replacement for mentors.debian.net
Hi all people on debian-mentors,

Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.

It has the following improvements over http://mentors.debian.net/ :

* Maintainable code base
* More color on the front page
* Publicly-shown lintian results

I have been spending the past couple of days at Debconf fixing up the code and the deployment.

I'm hereby asking for testing and feedback:

* Please try uploading a package and tell me if it works (especially tell me if it fails!).
* Please tell me if there are features we need before it can replace mentors.debian.net. Frankly, I think it's ready as-is!

Go to http://expo.debian.net/ to try it.

My goal with this debexpo work is to get the app and the deployment into a usable, documented state so it can replace mentors.debian.net. Then I will shift into the background and do only patch review and documentation writing.

Anyone interested in working on Debexpo, a Python + Pylons web app, should grab the source code. Some fixes require changing only the templates, and I promise to review your patches quickly (within four days, tops).

Bug tracker: https://alioth.debian.org/tracker/index.php?group_id=100127&atid=413115

(You can get the latest deployed source from git://expo.debian.net/live . I will push that to Alioth once I sort out some confusion with my SSH key.)

-- Asheesh.

P.S. There is no known way to change the Needs a sponsor field. Just delete the package if you don't need a sponsor, for now.

P.P.S. Any bugs that can be fixed by just editing the templates, I hope to see people submitting patches for!
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Asheesh,

On Tue, Jul 26, 2011 at 01:55:00PM -0400, Asheesh Laroia wrote:
> Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.

that's great news! I think you saw already at http://expo.debian.net/package/trafficserver:

    sh: uscan: command not found

Looks like there's a path missing for your uscan test.

-- Best regards, Kilian
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Asheesh,

On Tuesday 26 Jul. 2011 at 19:55:00 (+0200 CEST), Asheesh Laroia wrote:
> Hi all people on debian-mentors, Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.

Thanks for working on this. Looks very promising!

On the package details page, it would be great if URL's could be clickable (Homepage, VCS-Browser).

Also Lintian tags could be linked to their description on lintian.d.o

I also think it is not necessary to show missing optional fields (eg. various VCS-* fields).

It may also help to know whether the package is already in Debian (with a link to packages.d.o in order to know more about the history of the uploads) or if it is a new package.

As from the maintainer personal package archive page, I understand that binary packages will be made publicly available? The page states 'deb ...' entries in sources.list. If so, I think it is a bad idea. Only source packages should be available to avoid people use this as a standard repository (I remember it used to be the case for mentors.d.n).

Keep up the good work.

Cheers, Julien

--
Julien Valroff ~ jul...@kirya.net ~ jul...@debian.org
Debian Developer Free software contributor
http://www.kirya.net/
4096R/ E1D8 5796 8214 4687 E416 948C 859F EF67 258E 26B1
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi,

On Tue, Jul 26, 2011 at 08:37:36PM +0200, Julien Valroff wrote:
> It may also help to know whether the package is already in Debian (with a link to packages.d.o in order to know more about the history of the uploads) or if it is a new package.

packages.qa.d.o please.

And while we're writing the wishlist, please also include:

* output from lintian -IX --pedantic
* changelog entry with colorized RC-bugs that are fixed
* whether or not the orig.tar.gz is original
* if there is a previous version in debian, debdiff to the source

basically more similar to http://ftp-master.debian.org/new.html

-- Best regards, Kilian
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, 26 Jul 2011, Julien Valroff wrote:
> Hi Asheesh,
> On Tuesday 26 Jul. 2011 at 19:55:00 (+0200 CEST), Asheesh Laroia wrote:
>> Hi all people on debian-mentors, Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.
> Thanks for working on this. Looks very promising!

(-: I am grateful to all the people who put energy into this:

Signum (Christopher Haas) and Jonny Lamb, first, who started the project.
Andrey (wRAR), who helped bring the project back to life about nine months ago.
Christine Spang, for providing the hosting.
Arno Toell and Karl Goetz, for urging me on in #debexpo, filing bugs, and giving feedback.
Jan Dittberner and Ondrej Certik and Paul Wise and Serafeim Zanikolas, for the code they committed and pushed to git.
Signum again, for his patience with me over the past year.

It's a lot of names, and it's been a lot of work for all those people!

My role here, as I will try to repeat and make clear, is to provide our community with something that we can use, and that we can improve. My role will not be to build any more features, but instead focus entirely on making sure that community maintenance is possible. I will be quite happy to deploy patches written by others. The policy for SSH access to the deployment is that anyone who successfully gets a patch merged may have SSH access to the deployment.

To encourage that to happen faster, I'm going to reply to many of these requests with the information it would take to write a fix. I won't myself. If the community wants it fixed, someone other than me is going to have to fix it. I'll try to rank things in difficulty 0 (stringfix) to 5 (a full day's work). Some of the more difficult or sysadmin-esque issues I might handle myself, but in general the above is what I'll do.

> On the package details page, it would be great if URL's could be clickable (Homepage, VCS-Browser).

Difficulty: 1

To fix this, you'll probably want to add a 'linkify' string processor to the template system.

Steps to fix:

Step 0: Do a 'git clone' of debexpo and set up a dev environment

Step 1: Add an htmlify function to the app
You can copy-paste this one, so long as you cite it, and retain the Apache License.
https://github.com/facebook/tornado/blob/master/tornado/escape.py

Step 2: Change the templates to use that htmlify function
You can be inspired by http://188.40.52.54/cgit/anzu/commit/demos/chat?h=performance&id=f732f98063f8a0bf9f7e331876964bedbbdc8462

Step 3: Make sure it works
In the near future I will get the expo-dev.debian.net site working, but until then, test locally.

Step 4: Submit a patch
'git format-patch origin/master' will generate some files. Email them to the debexpo list (debexpo-devel at lists.alioth.org)

> Also Lintian tags could be linked to their description on lintian.d.o

Difficulty: 0.5 (super easy; requires writing code)

Step 0: Do a git clone

Step 1: Edit debexpo/plugins/lintian.py
The call to:

    self.failed(outcome, output, severity)

(currently line 70) is what passes the information to be logged into the database, where the package page will pull it out. 'output' is the line of text from lintian. Change it so that outcome is an HTML string that contains the link.

> I also think it is not necessary to show missing optional fields (eg. various VCS-* fields).

Difficulty: 0 (super easy)

Step 0: Get a git clone

Step 1: Edit debexpo/plugins/controlfields.py
This line:

    self.info('%s-is-not-present' % item.lower(), None)

Just remove it.

Step 2. Submit a patch to the mailing list

> It may also help to know whether the package is already in Debian (with a link to packages.d.o in order to know more about the history of the uploads) or if it is a new package.

That would be great!

Difficulty: 1.5 (requires writing a plugin, and understanding how plugins are written -- but they are quite easy)

Step 0: Get a git clone

Step 1: Read a sample plugin
Take a look at debexpo/plugins/ubuntuversion.py
That's a good, simple quality-assurance plugin.

Step 2: Write a new plugin to check if the package is in Debian
You'd probably want to do a urllib.urlopen() on some URL -- packages.debian.org/sid/ + packagename, maybe -- and check its value. If the package is in Debian, generate a string that contains a link to the package page. You pass that down the chain by just calling self.info() (if you descend from BasePlugin, as you should).

Step 3: (Preferable but not necessary) Write a test
It would be great if you submit a test case for this. If you're not sure how to do that, I would explain how.

Step 4: Submit a patch

> As from the maintainer personal package archive page, I understand that binary packages will be made publicly available? The page states 'deb ...' entries in sources.list. If so, I think it is a bad idea. Only source packages should be
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, 26 Jul 2011, Kilian Krause wrote:
> Hi,
> On Tue, Jul 26, 2011 at 08:37:36PM +0200, Julien Valroff wrote:
>> It may also help to know whether the package is already in Debian (with a link to packages.d.o in order to know more about the history of the uploads) or if it is a new package.
> packages.qa.d.o please. And while we're writing the wishlist, please also include:

Same story from before. I'm going to write up how these can be fixed!

> * output from lintian -IX --pedantic

Difficulty: 0 (super easy)

(step 0: get the latest code from git)

Step 1: edit debexpo/plugins/lintian.py
Right now, we call lintian like this:

    output = commands.getoutput('lintian %s' % self.changes_file)

You can adjust the command however you see fit.

Step 2: Submit a patch

> * changelog entry with colorized RC-bugs that are fixed

Difficulty: 1

(step 0: get the latest code from git)

Step 1: read how we do I/O to the bug tracker now
Read debexpo/plugins/closedbugs.py

Step 2: Adjust that plugin, or write a new one, to generate the new report you want

Step 3: Make sure it shows up properly w/r/t HTML escaping

Step 4: Submit a patch

> * whether or not the orig.tar.gz is original

How do we detect this programmatically?

> * if there is a previous version in debian, debdiff to the source
> basically more similar to http://ftp-master.debian.org/new.html

That would be a really good thing! I would suggest tying that to a new URL. If there is a previous version in Debian, the package page on expo.debian.net can link to the expo.debian.net/$package/$version/debdiff URL.

Difficulty: 2 (a non-trivial bit of code, but no major architecture changes)

Step 0: Get the code

Step 1: Read the lintian plugin to have a sense of how a non-trivial plugin works
That's in debexpo/plugins/lintian.py

Step 2: Read the code that makes the package page display
That would be:

* debexpo/config/routing.py
* debexpo/controllers/package.py
* debexpo/model/packages.py
* debexpo/templates/package/index.mako

Step 3: Create a new URL that displays nothing
Do that by creating a new method in debexpo/controllers/package.py and tying it to a route in routing.py. Make sure your browser successfully loads it.

Step 4: Create a new plugin that will store these debdiffs
You'll need to make a new model, also.

Step 5: Make the plugin actually run debdiff, which will include downloading the package from Debian

Step 6: Make the plugin store those results in the database

Step 7: Make the package info page link to the debdiff URL if there is any debdiff content

Step 8: Make the debdiff URL actually show the debdiff contents

Step 9: Submit a patch

-- Asheesh.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On 2011-07-26 22:01, Asheesh Laroia wrote:
> On Tue, 26 Jul 2011, Kilian Krause wrote:
> [...]
>> * output from lintian -IX --pedantic
> Difficulty: 0 (super easy)
> (step 0: get the latest code from git)
> Step 1: edit debexpo/plugins/lintian.py
> Right now, we call lintian like this:
>     output = commands.getoutput('lintian %s' % self.changes_file)
> You can adjust the command however you see fit.
> Step 2: Submit a patch
> [...]

Hi

To anyone interested in this, it might be a good idea to set up a lintianrc file and use it (e.g. via --cfg) to keep the options separated from the code.

~Niels
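
One way to make the lintian call quoted in this message without a shell, with the options kept in a configuration file passed via --cfg (an added example, not debexpo's code and not part of the original message): the .changes path travels as a single argument and the run is bounded by a timeout. The lintianrc path, the function names and the timeout value are assumptions; the demo commands stand in for lintian so the block runs on any POSIX system.

```python
import os
import signal
import subprocess

LINTIANRC = "/etc/debexpo/lintianrc"  # hypothetical location of the options file
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}


def lintian_argv(changes_file, cfg=LINTIANRC):
    """Build the command as a list so the file name is never parsed as shell text."""
    # An absolute path cannot start with "-", so it cannot be taken for an option.
    return ["lintian", "--cfg", cfg, os.path.abspath(changes_file)]


def run_checker(argv, timeout=300):
    """Run argv directly (no shell); return (status, output) or (None, '') on timeout."""
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        env=SAFE_ENV,            # do not inherit the web application's environment
        start_new_session=True,  # own process group, so child processes die too
    )
    try:
        output, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)
        proc.communicate()  # reap the killed process
        return None, ""
    return proc.returncode, output.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed file name containing shell metacharacters.
    name = "pkg_1.0_source.changes; echo injected"
    print(lintian_argv(name))
    # Stand-in for lintian: echoes its single argument back unchanged.
    print(run_checker(["/bin/sh", "-c", 'printf "%s" "$1"', "sh", name]))
    # Stand-in for a checker that hangs: killed after one second.
    print(run_checker(["/bin/sh", "-c", "sleep 30"], timeout=1))
```
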
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Asheesh,

On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote:
> On Tue, 26 Jul 2011, Kilian Krause wrote:
> [...]
>> * whether or not the orig.tar.gz is original
> How do we detect this programmatically?

Thanks for taking the time to even explain that detailed how to get the code working in the new way we're all proposing! That's an awesome help for any of us having the free time to actually code something together and lend this new project a helping hand!

As for the above, I'll happily throw in the technical background I had in mind:

- detect whether debian/watch is there and useful
- if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an attacker might want to turn against us)
- diff that against the orig.tar.* uploaded
- if different, put up a warning, unpack both and list the diff -urN if any

I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them. Or rather how we could sandbox that process to make sure we're on the safe side but still don't allow any attacker to abuse the system.

-- Best regards, Kilian
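
The comparison step from this message (diff the upstream download against the uploaded orig.tar.*), as an added example that is not part of the original message or of debexpo: it compares the two tarballs member by member in memory, so nothing from the upload is unpacked to disk, and it separates a mere repack from a content change. The function names, the size cap and the sample tarballs are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile

MAX_UNPACKED = 256 * 1024 * 1024  # assumed cap on bytes hashed per tarball


def index_tarball(blob, limit=MAX_UNPACKED):
    """Return ({member name: fingerprint}, [unsafe names]); nothing touches the disk."""
    index, unsafe, budget = {}, [], limit
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            name = member.name
            # Absolute paths and ".." components would escape an unpack directory.
            if name.startswith("/") or ".." in name.split("/"):
                unsafe.append(name)
            if member.isfile():
                digest = hashlib.sha256()
                stream = tar.extractfile(member)
                while True:
                    chunk = stream.read(65536)
                    if not chunk:
                        break
                    budget -= len(chunk)
                    if budget < 0:  # guards against decompression bombs
                        raise ValueError("tarball exceeds unpacked size limit")
                    digest.update(chunk)
                index[name] = "file:" + digest.hexdigest()
            elif member.issym() or member.islnk():
                index[name] = "link:" + member.linkname
            elif member.isdir():
                index[name] = "dir"
            else:
                index[name] = "special"  # devices, FIFOs: unexpected in a source tarball
    return index, unsafe


def compare_orig(uploaded, upstream):
    """Classify the uploaded orig tarball against the upstream download."""
    report = {"verdict": "identical", "added": [], "removed": [],
              "changed": [], "unsafe": []}
    if uploaded == upstream:  # byte-for-byte the same file
        return report
    up, report["unsafe"] = index_tarball(uploaded)
    ref, _ = index_tarball(upstream)
    report["added"] = sorted(set(up) - set(ref))
    report["removed"] = sorted(set(ref) - set(up))
    report["changed"] = sorted(n for n in set(up) & set(ref) if up[n] != ref[n])
    differs = report["added"] or report["removed"] or report["changed"]
    # "repacked": the container differs (timestamps, compression), the content does not.
    report["verdict"] = "different" if differs else "repacked"
    return report


def make_tarball(files, mtime):
    """Build a .tar.gz in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: upstream release, a repack of it, and a modified upload.
SOURCE = {"foo-1.0/README": b"hello\n",
          "foo-1.0/src/main.c": b"int main(void){return 0;}\n"}
UPSTREAM = make_tarball(SOURCE, mtime=1000)
REPACKED = make_tarball(SOURCE, mtime=2000)
MODIFIED = make_tarball(dict(SOURCE, **{
    "foo-1.0/src/main.c": b"int main(void){return 1;}\n",
    "foo-1.0/extra.sh": b"#!/bin/sh\n"}), mtime=1000)

if __name__ == "__main__":
    for label, blob in (("same file", UPSTREAM), ("repack", REPACKED),
                        ("modified", MODIFIED)):
        print(label, compare_orig(blob, UPSTREAM))
```
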
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Kilian,

On 26.07.2011 22:25, Kilian Krause wrote:
> I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them.

I don't think, you really want to consider to run /anything/ which has been supplied by a completely untrusted sponsoree. Being it a full or partial or just a get-orig-source target run. This is an immediate risk for the infrastructure, being it well protected or not for little benefit.

(just my 2c)

--
with kind regards, Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
* Kilian Krause kil...@debian.org, 2011-07-26, 22:25:
> - detect whether debian/watch is there and useful
> - if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an attacker might want to turn against us)

It's a shame that uscan is insecure-by-design. I use my wrapper script to add a bit sanity to it: https://bitbucket.org/jwilk/debian-misc/src/tip/upscan

-- Jakub Wilk
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Arno,

On Tue, Jul 26, 2011 at 10:34:50PM +0200, Arno Töll wrote:
> On 26.07.2011 22:25, Kilian Krause wrote:
>> I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them.
> I don't think, you really want to consider to run /anything/ which has been supplied by a completely untrusted sponsoree. Being it a full or partial or just a get-orig-source target run. This is an immediate risk for the infrastructure, being it well protected or not for little benefit.

that was pretty much my point. I've currently no idea on how to secure the setup enough so that we can safely sandbox the get-orig-source call sufficiently to be terminated unconditionally after a timeout from the outside and unable to speak to anything except some remote (web) servers and a local disk cachedir where we'd pull a file from once completed.

I bet however it'd make an interesting SELinux challenge to put such thing together. ;-) That's nothing urgent and nothing that we should put efforts into now(TM).

-- Best regards, Kilian
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Jakub,

On Tue, Jul 26, 2011 at 10:40:44PM +0200, Jakub Wilk wrote:
> * Kilian Krause kil...@debian.org, 2011-07-26, 22:25:
>> - detect whether debian/watch is there and useful
>> - if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an attacker might want to turn against us)
> It's a shame that uscan is insecure-by-design. I use my wrapper script to add a bit sanity to it: https://bitbucket.org/jwilk/debian-misc/src/tip/upscan

that one isn't packaged by chance and scheduled to also be able to do multiple orig.tar.* as per dpkg-source v3? ;-) Would make it a perfect drop in replacement for my review process. *g*

-- Best regards, Kilian
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, 26 Jul 2011, Kilian Krause wrote:
> Hi Asheesh,
>
> On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote:
>> On Tue, 26 Jul 2011, Kilian Krause wrote:
>> [...]
>>> * whether or not the orig.tar.gz is original
>>
>> How do we detect this programmatically?
>
> Thanks for taking the time to even explain that detailed how to get the code working in the new way we're all proposing! That's an awesome help for any of us having the free time to actually code something together and lend this new project a helping hand!
>
> As for the above, I'll happily throw in the technical background I had in mind:
> - detect whether debian/watch is there and useful
> - if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an attacker might want to turn against us)
> - diff that against the orig.tar.* uploaded
> - if different, put up a warning, unpack both and list the diff -urN if any

Out loud, I just found myself saying: Who so cool! That would be pretty awesome. I would completely love to see that.

> I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them. Or rather how we could sandbox that process to make sure we're on the safe side but still don't allow any attacker to abuse the system.

To do get-orig-source would be pretty amazingly great. You're right that safety would be a challenge when running code from within the debian/rules file. It would be pretty superb to lock that process into a chroot. I would suggest using something like sbox http://packages.debian.org/lenny/sbox-dtc to do it.

-- Asheesh.
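The comparison step of the procedure quoted above (diff the downloaded upstream tarball against the uploaded orig.tar.*), as an added example that is not part of this thread or of debexpo's code. It compares per-member SHA-256 digests in memory, so nothing from an untrusted archive is unpacked to disk and a faithful repack is not flagged; the function names, the sample tarballs and the stripping of the top-level directory are assumptions made for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map member path -> (kind, digest or link target); nothing is written to disk."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            # Assumption: the top-level directory differs between tarballs, so drop it.
            name = member.name.partition("/")[2]
            if not name:
                continue
            if member.isfile():
                data = tar.extractfile(member).read()
                entries[name] = ("file", hashlib.sha256(data).hexdigest())
            elif member.issym() or member.islnk():
                entries[name] = ("link", member.linkname)
            else:
                entries[name] = ("dir" if member.isdir() else "special", "")
    return entries


def compare_orig(uploaded, upstream):
    up, ref = manifest(uploaded), manifest(upstream)
    return {
        "only_in_upload": sorted(set(up) - set(ref)),
        "only_in_upstream": sorted(set(ref) - set(up)),
        "changed": sorted(n for n in set(up) & set(ref) if up[n] != ref[n]),
    }


def make_tar(topdir, files, mtime):
    """Build a constructed sample .tar.gz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a faithful repack, and an upload with one edit and one extra file.
SRC = {"README": b"hi\n", "src/main.c": b"int main(){return 0;}\n"}
UPSTREAM = make_tar("hello-1.0", SRC, 1000)
REPACKED = make_tar("hello-1.0.orig", SRC, 2000)
TAMPERED = make_tar("hello-1.0", {**SRC, "src/main.c": b"int main(){return 1;}\n", "src/x.sh": b"#!/bin/sh\n"}, 1000)
print(compare_orig(TAMPERED, UPSTREAM))
```

A byte-level comparison of the two .tar.gz files would report REPACKED as different from UPSTREAM even though every member matches, which is why the comparison works on member contents.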
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Hi Asheesh,

On Tue, Jul 26, 2011 at 05:00:45PM -0400, Asheesh Laroia wrote:
> On Tue, 26 Jul 2011, Kilian Krause wrote:
> [...]
>> - detect whether debian/watch is there and useful
>> - if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an attacker might want to turn against us)
>> - diff that against the orig.tar.* uploaded
>> - if different, put up a warning, unpack both and list the diff -urN if any
>
> Out loud, I just found myself saying: Who so cool! That would be pretty awesome. I would completely love to see that.

:-)

>> I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them. Or rather how we could sandbox that process to make sure we're on the safe side but still don't allow any attacker to abuse the system.
>
> To do get-orig-source would be pretty amazingly great. You're right that safety would be a challenge when running code from within the debian/rules file. It would be pretty superb to lock that process into a chroot. I would suggest using something like sbox http://packages.debian.org/lenny/sbox-dtc to do it.

just for the record: neither chroot nor sbox will be sufficient to protect a production system. Maybe LXC will be, maybe SELinux, maybe XEN. That's the least protection I'd settle for. Maybe even a combination of those (if we put up an official description we'll be pretty open to being hacked due to the foreseeable results of our architecture). Thus neither document too publicly how we do it nor what the exact internal versions are.

This being said, of course bringing more complexity will also make the construct more fragile and more error-prone (read: more unsafe). That's why I said it'd be a challenge to put this up in a manageable and yet secure way. Most probably an interpreter with a whitelisting of commands will come in most handy in the end. ;-)

--
Best regards,
Kilian
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Asheesh Laroia ashe...@asheesh.org writes:
> Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.

Like many people, I have far too many online credentials already. Signing up to a new service with new site-specific credentials is a barrier to entry.

What hope is there for this new service to make use of existing credentials from mentors.debian.net?

--
“Working out the social politics of who you can trust and why is, quite literally, what a very large part of our brain has evolved to do.” —Douglas Adams
Ben Finney
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Wed, 27 Jul 2011, Ben Finney wrote:
> Asheesh Laroia ashe...@asheesh.org writes:
>> Debexpo is a replacement for http://mentors.debian.net/. I hereby request testers! It is of beta quality -- I think it works fully and has enough features to replace mentors.debian.net.
>
> Like many people, I have far too many online credentials already. Signing up to a new service with new site-specific credentials is a barrier to entry.
>
> What hope is there for this new service to make use of existing credentials from mentors.debian.net?

There are a few major options:

1) Import the mentors.debian.net authentication data
2) Integrate OpenID logins, so you can use existing credentials (e.g. Google Account, your own personal OpenID,
3) Just use a silly password like 'password'
4) See if DSA will create a central authentication web thing, which they are considering (called Shibboleth)
5) Login by asking you to GPG-sign a random message generated by the backend

I'm open to other ideas.

One difficulty for this is that I don't plan to write much new code for debexpo -- just enough to get it to the point where it can replace mentors.debian.net. But if we come to a community decision about how we want login to work, and specify it well, I think we can find the energy to build it.

-- Asheesh.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
On Tue, 26 Jul 2011, Asheesh Laroia wrote:
> * Please tell me if there are features we need before it can replace mentors.debian.net.

Arno found one showstopper bug, and I just fixed it.

If there are any others, let me know. Otherwise, about 24 hours from now, I plan to ask signum if we can turn mentors.debian.net off, and make it a debexpo instance.

That will mean losing the existing uploaded packages. But I think that's not such a huge loss.

(If Signum is around, and we can work out a way to do it, I will try to copy the accounts over.)

-- Asheesh.
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Asheesh Laroia ashe...@asheesh.org writes:
> 2) Integrate OpenID logins, so you can use existing credentials (e.g. Google Account, your own personal OpenID,

This would be the option I'd most like to see, for the reason you give: it allows a huge number of existing identities, including identities managed by the person and not a corporation, to be re-used if the visitor chooses to.

> One difficulty for this is that I don't plan to write much new code for debexpo -- just enough to get it to the point where it can replace mentors.debian.net. But if we come to a community decision about how we want login to work, and specify it well, I think we can find the energy to build it.

+1 to having DebExpo be an OpenID Relying Party for registration and login.

URL:http://wiki.openid.net/w/page/12995223/Relying-Party-Best-Practices

--
“Pinky, are you pondering what I'm pondering?” “I think so, Brain, but three round meals a day wouldn't be as hard to swallow.” —_Pinky and The Brain_
Ben Finney
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Asheesh Laroia ashe...@asheesh.org writes:
> Otherwise, about 24 hours from now, I plan to ask signum if we can turn mentors.debian.net off, and make it a debexpo instance.

Gak! I didn't realise the proposal was for existing mentors.debian.net service to be replaced immediately. In that case, please ensure existing credentials continue to work for login to the new service.

> (If Signum is around, and we can work out a way to do it, I will try to copy the accounts over.)

Thank you in advance.

--
“Everything you read in newspapers is absolutely true, except for that rare story of which you happen to have first-hand knowledge.” —Erwin Knoll
Ben Finney
Re: Please try expo.debian.net -- a replacement for mentors.debian.net
Asheesh Laroia wrote:
> If there are any others, let me know. Otherwise, about 24 hours from now, I plan to ask signum if we can turn mentors.debian.net off, and make it a debexpo instance.
>
> That will mean losing the existing uploaded packages. But I think that's not such a huge loss.

Don't do that. Such actions tend to piss off a significant portion of the users. Someone may *just* have spent half a day figuring m.d.n out, creating an account, and uploading their packages. Not saying m.d.n shouldn't go away, but don't treat people's work as if it was worthless (not such a huge loss, meaning not worth my time to migrate the data).

Just some advice based on experience.

-Julian