Re: Launchpadlib support in Ubuntu Developer Tools

2009-01-14 Thread Kees Cook
On Wed, Jan 14, 2009 at 10:58:58AM -0800, Kees Cook wrote:
> On Wed, Jan 14, 2009 at 02:54:11PM +, Jonathan Davies wrote:
> > I've improved the error message so that it asks people to see the
> > manage-credentials manpage.
> 
> Please make sure that the tool that creates the credentials stores them in
> a mode 0600 file.  The API examples[1] do not mention this, and I think
> it's an important bit of protection.
> 
> While playing with lplib for security team work, I took this a step
> further and even made the directory unreadable.  e.g.:

er, I missed a rather important last line.  Re-paste:

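import os
import sys

from launchpadlib.credentials import Credentials
from launchpadlib.launchpad import Launchpad, EDGE_SERVICE_ROOT

cachedir = os.path.expanduser('~/.launchpadlib/cache')
if not os.path.exists(cachedir):
    os.makedirs(cachedir, 0o700)

credfile = os.path.expanduser('~/.launchpadlib/credentials')
try:
    credentials = Credentials()
    credentials.load(open(credfile))
    launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
except:
    # No usable saved credentials: run the interactive authorization.
    launchpad = Launchpad.get_token_and_login(sys.argv[0],
                                              EDGE_SERVICE_ROOT, cachedir)
    # open()'s third argument is a buffer size, so request mode 0600 via os.open().
    fd = os.open(credfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    launchpad.credentials.save(os.fdopen(fd, "w"))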

-- 
Kees Cook
Ubuntu Security Team

-- 
Ubuntu-motu mailing list
Ubuntu-motu@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
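
An added example, not part of the original message or of launchpadlib: one way to write a token file so that it ends up mode 0600 inside a mode 0700 directory regardless of the umask or of a pre-existing file, plus a check for files that are already too open. The helper names, the `credentials.naive` file name and the sample token are assumptions made for the illustration; it also shows that the third positional argument of Python's built-in open() is a buffer size, so passing 0600 there does not restrict the file.

```python
import os
import stat
import tempfile

SAMPLE_TOKEN = "constructed-token-not-a-real-secret"  # constructed sample data


def ensure_private_dir(path):
    """Create path if needed and force it to mode 0700."""
    if not os.path.isdir(path):
        os.makedirs(path, 0o700)
    # makedirs() is subject to the umask and leaves an existing directory
    # untouched, so set the final mode explicitly.
    os.chmod(path, 0o700)


def write_private_file(path, data):
    """Atomically replace path with data; the result is always mode 0600."""
    directory = os.path.dirname(path)
    ensure_private_dir(directory)
    # mkstemp() creates the file with O_EXCL and mode 0600, so the secret is
    # never on disk under a wider mode, not even briefly.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)  # also discards a pre-existing, wider-mode file
    except BaseException:
        os.unlink(tmp)
        raise


def naive_write(path, data):
    """The pitfall: the third argument of open() is buffering, not a mode."""
    with open(path, "w", 0o600) as handle:
        handle.write(data)


def audit(path):
    """Return the reasons why path is unsafe for storing a token."""
    problems = []
    info = os.lstat(path)
    if not stat.S_ISREG(info.st_mode):
        problems.append("not a regular file")
    if info.st_uid != os.getuid():
        problems.append("owned by uid %d" % info.st_uid)
    extra = stat.S_IMODE(info.st_mode) & 0o077
    if extra:
        problems.append("group/other bits set: %04o" % extra)
    return problems


def demo():
    """Run both writers in a throwaway directory and report the modes."""
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as home:
            confdir = os.path.join(home, ".launchpadlib")
            naive = os.path.join(confdir, "credentials.naive")
            private = os.path.join(confdir, "credentials")
            ensure_private_dir(confdir)
            naive_write(naive, SAMPLE_TOKEN)
            naive_write(private, "old")  # simulate a stale, too-open file
            write_private_file(private, SAMPLE_TOKEN)
            return {
                "dir_mode": stat.S_IMODE(os.stat(confdir).st_mode),
                "naive_mode": stat.S_IMODE(os.stat(naive).st_mode),
                "private_mode": stat.S_IMODE(os.stat(private).st_mode),
                "naive_problems": audit(naive),
                "private_problems": audit(private),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```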


Re: Launchpadlib support in Ubuntu Developer Tools

2009-01-14 Thread Kees Cook
On Wed, Jan 14, 2009 at 02:54:11PM +, Jonathan Davies wrote:
> I've improved the error message so that it asks people to see the
> manage-credentials manpage.

Please make sure that the tool that creates the credentials stores them in
a mode 0600 file.  The API examples[1] do not mention this, and I think
it's an important bit of protection.

While playing with lplib for security team work, I took this a step
further and even made the directory unreadable.  e.g.:

import os
import sys

from launchpadlib.credentials import Credentials
from launchpadlib.launchpad import Launchpad, EDGE_SERVICE_ROOT

cachedir = os.path.expanduser('~/.launchpadlib/cache')
if not os.path.exists(cachedir):
    os.makedirs(cachedir, 0o700)

credfile = os.path.expanduser('~/.launchpadlib/credentials')
try:
    credentials = Credentials()
    credentials.load(open(credfile))
    launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
except:
    launchpad = Launchpad.get_token_and_login(sys.argv[0],
                                              EDGE_SERVICE_ROOT, cachedir)


-Kees

[1] https://help.launchpad.net/API/launchpadlib

-- 
Kees Cook
Ubuntu Security Team



Re: motu-release will revert libgems-ruby to the old state.

2008-09-03 Thread Kees Cook
On Wed, Sep 03, 2008 at 01:49:02AM -0700, Steve Langasek wrote:
> On Mon, Sep 01, 2008 at 09:43:19PM +0200, Loïc Minier wrote:
> >  Is there any shell which doesn't honor the PATH in /etc/environment?
> >  If yes, I think it's a bug; if not, we can build on the PATH set in
> >  this file IMO.
> 
> /etc/environment is not a matter for the shells, but for whatever starts the
> user session (e.g., sshd, gdm...).  It would not be honored by shells (or
> other processes) started from daemons not associated with a PAM login
> session.

What about the case of setting path for ruby gems running in CGI
environments?  A /usr/local symlink works for that, but /etc/environment
doesn't.

-- 
Kees Cook
Ubuntu Security Team



Re: Good communication with upstream is good idea

2008-07-22 Thread Kees Cook
Hi,

On Tue, Jul 22, 2008 at 12:06:08PM +0200, Stephan Hermann wrote:
> On Mon, 21 Jul 2008 21:59:37 +0200
> Florian Weimer <[EMAIL PROTECTED]> wrote:
> > * Stephan Hermann:
> > >> What's the correct way to get it out of Ubuntu (universe)?  I
> > >> don't want to relicense it, but if asking politely does not work,
> > >> it seems to be my only choice.
> > 
> > > What needs to be done to make it work on Ubuntu, too?
> > 
> > debsecan needs to be patched to download CVE meta-data from Launchpad,
> > and someone needs to maintain the data in Launchpad.
> 
> So, we need somehow the CVE data from LP or from a source which is
> being trusted by Ubuntu...
> A relation between open CVEs in Ubuntu packages and closed CVEs in
> ubuntu-security packages...
> 
> I don't know how far the LP guys are in giving out this data, but I
> know that we have the CVE tracker of Ubuntu (kees, jd, emgent
> please jump in and fill in any gaps ;)) and we could use this data,
> right?

LP does not currently have a way to record all the information
the security team needs recorded for our work, so we use the
ubuntu-cve-tracker[1].  And another reason this isn't in LP yet is because
there is no stable API for doing data queries -- asking LP for the CVE
state of 500 installed packages would take a looong time right now.

We are already outputting human-readable state information[2], so
perhaps a long-term solution would be for someone to produce an output
mode for the tracker on a per-package basis (right now the output is
CVE-oriented).

> Now I need to find the time to check the source in general, and how
> difficult it will be to patch it to our needs...and to make Florian
> happy :)

Perhaps the best short-term solution would be to have the tool check the
LSB info and abort on non-Debian machines?

-Kees

[1] https://launchpad.net/ubuntu-cve-tracker/trunk
[2] http://people.ubuntu.com/~ubuntu-security/cve/open.html

-- 
Kees Cook
Ubuntu Security Team



Upcoming Ubuntu Security Team meeting - Thursday, 8th of May - 20:00 UTC - #ubuntu-meeting

2008-05-07 Thread Kees Cook
Hi,

The next Security Team meeting is scheduled for the 8th at 20:00 UTC.
We'll be discussing plans for Intrepid, looking back at Hardy, and
generally getting ready for the current development cycle.

Everyone is welcome.  If you have specific topics you'd like to see
discussed, please add them to the agenda:
https://wiki.ubuntu.com/SecurityTeam/Meeting

Thanks, and hope to see everyone there,

-Kees

-- 
Kees Cook
Ubuntu Security Team



new default compiler flags

2008-05-02 Thread Kees Cook
In Edgy, we enabled "-fstack-protector" to gain protections against
stack overflow attacks.  For Intrepid, we've added more:

-Wl,-z,relro

 This is designed to provide some protection to ELF binaries so they
 can have their runtime link maps not as useful a target for attackers.
 Daemons and other programs that are more interested in security than
 time-to-load can also add "-Wl,-z,now" for maximal benefit.

 If this option causes problems, you can add "-Wl,-z,norelro" to LDFLAGS.

-Wformat -Wformat-security

 This is designed to warn during compile-time about potentially unsafe
 format string usage.  Generally "%s" is missing: 'printf(buffer);'
 instead of the correct 'printf("%s",buffer);'  These warnings will
 frequently not point to security issues, but I urge everyone to fix
 them if you see them anyway.

 To disable format-security warnings when you run with -Wall, use
 "-Wno-format-security".  To disable all format warnings, use
 "-Wformat=0".
 
-D_FORTIFY_SOURCE=2

 This is going to cause the most pain for this release -- this option
 enables checks for common unsafe usage of various libc functions (read,
 strcpy, memcpy, sprintf, printf, system, etc).  Most of the errors will
 be real things that need to be fixed in the source, with varying degree
 of importance.  Even if they don't turn out to be serious issues, they
 will improve the overall quality of code in Ubuntu.

 To disable these checks, use "-U_FORTIFY_SOURCE" in your CPPFLAGS.

Further details and examples of failure conditions are written up in the
wiki: https://wiki.ubuntu.com/CompilerFlags

Thanks in advance for everyone's time and attention for fixing the
issues that will crop up.  :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
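
An added example, not part of the original announcement: a small Python audit that reads `readelf` output and reports whether the link-time and compile-time protections listed above are visible in a built binary. The function names and the readelf excerpts are constructed for the illustration; -Wformat and -Wformat-security only produce compile-time warnings and leave nothing in the binary to check.

```python
import re
import subprocess

# Fortified libc wrappers look like __printf_chk, __strcpy_chk, __memcpy_chk.
FORTIFIED = re.compile(r"^__[a-z0-9_]+_chk$")


def readelf(path):
    """Program headers, dynamic section and dynamic symbols of one ELF file."""
    cmd = ["readelf", "-W", "-l", "-d", "--dyn-syms", path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def hardening(report):
    """Summarise which protections a readelf report shows.

    A missing __stack_chk_fail or *_chk symbol is only a hint: a program with
    no protectable function or no fortifiable call has none either way.
    """
    relro = bind_now = canary = False
    fortified = set()
    for line in report.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "GNU_RELRO":                         # -Wl,-z,relro
            relro = True
        elif len(f) > 1 and f[1] == "(BIND_NOW)":       # -Wl,-z,now
            bind_now = True
        elif len(f) > 2 and f[1] == "(FLAGS)" and "BIND_NOW" in f[2:]:
            bind_now = True
        elif len(f) > 2 and f[1] == "(FLAGS_1)" and "NOW" in f[2:]:
            bind_now = True
        elif len(f) >= 8 and re.match(r"^\d+:$", f[0]):  # symbol table row
            name = f[7].split("@")[0]
            if name == "__stack_chk_fail":              # -fstack-protector
                canary = True
            elif FORTIFIED.match(name):                 # -D_FORTIFY_SOURCE=2
                fortified.add(name)
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": level, "stack_protector": canary,
            "fortified": sorted(fortified)}


# Constructed readelf excerpts (not taken from real binaries).
HARDENED = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000a10 0x000a10 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x000de0 0x0000000000600de0 0x0000000000600de0 0x000220 0x000220 R   0x1

Dynamic section at offset 0xdf8 contains 25 entries:
  Tag                Type                 Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW

Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (4)
"""

# Same binary linked with relro but without "-z now": drop the NOW entries.
PARTIAL = "\n".join(l for l in HARDENED.splitlines() if "NOW" not in l)

LEGACY = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0008f4 0x0008f4 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10

Dynamic section at offset 0xe18 contains 21 entries:
  Tag                Type                 Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]

Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python3 check.py /usr/sbin/sshd
        print(path, hardening(readelf(path)))
```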



Re: Security Team IRC Meeting 2007-01-30 20:00 UTC

2008-02-13 Thread Kees Cook
On Fri, Feb 01, 2008 at 02:47:52PM +, Matt Zimmerman wrote:
> On Tue, Jan 29, 2008 at 10:58:52AM -0800, Kees Cook wrote:
> > Given all the updates that the MOTU-SWAT[1] team have been doing, the
> > testing I'd like to help coordinate for hardened compiler options[2],
> > the SELinux development work[3], new kernel features[4], and new projects
> > that propose formally organizing a pentesting sub-team, there are clearly
> > enough things going on specific to Ubuntu Security that I'd like to
> > hold an official Security Team meeting on Wed 2007-01-30 at 20:00 UTC
> > in #ubuntu-meeting.
> > 
> > I realize this is rather short notice, but I'd like to at least generate
> > a roadmap and TODO list for future meetings.  :)
> 
> I didn't hear about this meeting until it had already happened...are there
> minutes or logs available (MootBot perhaps?)?

I realized I only replied directly to Matt before...

For everyone else following along, yes, the SecurityTeam/Meeting wiki page
links to the prior meetings[1], which includes links to the MootBot logs
as well.

-Kees

[1] https://wiki.ubuntu.com/MeetingLogs/Security/20080130

-- 
Kees Cook
Ubuntu Security Team



Security Team IRC Meeting 2007-01-30 20:00 UTC

2008-01-29 Thread Kees Cook
Given all the updates that the MOTU-SWAT[1] team have been doing, the
testing I'd like to help coordinate for hardened compiler options[2],
the SELinux development work[3], new kernel features[4], and new projects
that propose formally organizing a pentesting sub-team, there are clearly
enough things going on specific to Ubuntu Security that I'd like to
hold an official Security Team meeting on Wed 2007-01-30 at 20:00 UTC
in #ubuntu-meeting.

I realize this is rather short notice, but I'd like to at least generate
a roadmap and TODO list for future meetings.  :)

-Kees

[1] https://launchpad.net/~motu-swat/+members
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2008-January/024958.html
[3] https://lists.ubuntu.com/archives/ubuntu-hardened/2007-November/000230.html
[4] http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/

-- 
Kees Cook
Ubuntu Security Team



Re: packaging xca

2007-09-28 Thread Kees Cook
Hi Mark,

On Thu, Sep 27, 2007 at 10:59:02PM -0700, Mark D. Foster wrote:
> Yet I'm getting this error...
> [EMAIL PROTECTED]:~/proj/xca/xca-0.6.4$ dpkg-buildpackage -S -rfakeroot
> parsechangelog/debian: error: unrecognised line, at file
> debian/changelog line 3
> dpkg-buildpackage: unable to determine source package is

The debian/* files have a very strict format which is sensitive to
whitespace in particular.  I recommend using something like "dh_make" to
lay down the initial debian/* tree, and tools like "dch"[1] to manipulate
the changelog.

I think the packaging section[2] of the Devel wiki is useful, and found
the packaging tutorial[3] quite good.

Good luck!

-Kees

[1] in the "devscripts" package
[2] https://wiki.ubuntu.com/UbuntuDevelopment#head-86b3c262f4e4b222c867211cb06bb46523c7cc6f
[3] http://women.debian.org/wiki/English/PackagingTutorial

-- 
Kees Cook




Re: KVIrc Security Issue

2007-07-03 Thread Kees Cook
Hi,

On Mon, Jul 02, 2007 at 01:37:56PM -0500, Richard A. Johnson wrote:
> Ubuntu Debdiffs:
> Dapper: 
>  http://launchpadlibrarian.net/8283483/kvirc_dapper_security_fix.debdiff
> Edgy:
>  http://launchpadlibrarian.net/8283487/kvirc_edgy_security_fix.debdiff
> Feisty:
>  http://launchpadlibrarian.net/8283492/kvirc_feisty_security_fix.debdiff
> Gutsy:
>  http://launchpadlibrarian.net/8283495/kvirc_gutsy_security_fix.debdiff

Very nice!  Thanks for getting these done.  I've made some minor
adjustments:
- use -security pocket for dapper, edgy, feisty
- use regular versioning for gutsy
- don't adjust maintainer for dapper/edgy since the build tools for this
  are less well tested.

They are all building now, and I should have them published shortly.

Thanks!

-Kees

-- 
Kees Cook




Re: SRU for xvid in feisty

2007-06-14 Thread Kees Cook
Hi Loïc,

On Thu, Jun 14, 2007 at 06:10:07PM +0200, Loïc Martin wrote:
> I can see new libxvidcore4 packages at 
> http://archive.ubuntu.com/ubuntu/pool/multiverse/x/xvidcore/

Agreed[1].  This matches my "apt-cache madison libxvidcore4" output[2].

> However, they don't appear in Feisty's repositories, nor do they appear 
> after a search in http://packages.ubuntu.com/feisty/libs/libxvidcore4

I don't know if packages.ubuntu.com uses the -updates pockets.  It seems
to include -security, but not -updates.  That's frustrating!

Are you sure you have the -updates pocket enabled in your
/etc/apt/sources.list ?

> Even though 
> http://archive.ubuntu.com/ubuntu/pool/multiverse/x/xvidcore/xvidcore_1.1.2-0.1ubuntu2.dsc
>  
>   has Feisty as a target, it seems like the packages might have been 
> built for Gutsy.

Correct, 1.1.2-0.1ubuntu2 was built for gutsy.  You want the
1.1.2-0.1ubuntu1.1 from the -updates pocket.

I hope this helps!

-Kees

[1] http://achive.ubuntu.com/ubuntu/pool/multiverse/x/xvidcore/libxvidcore4_1.1.2-0.1ubuntu1.1_i386.deb

[2] $ apt-cache madison libxvidcore4
libxvidcore4 | 2:1.1.2-0.1ubuntu1.1 | http://archive.ubuntu.com feisty-updates/multiverse Packages
libxvidcore4 | 2:1.1.2-0.1ubuntu1 | http://archive.ubuntu.com feisty/multiverse Packages
  xvidcore | 2:1.1.2-0.1ubuntu1 | http://archive.ubuntu.com feisty/multiverse Sources
  xvidcore | 2:1.1.2-0.1ubuntu1.1 | http://archive.ubuntu.com feisty-updates/multiverse Sources

-- 
Kees Cook




REVU: mythbuntu-gdm-theme_0.1-0ubuntu1 uploaded

2007-06-08 Thread Kees Cook
NEW: mythbuntu-gdm-theme_0.1-0ubuntu1.dsc
 OK: mythbuntu-gdm-theme_0.1.orig.tar.gz
 OK: mythbuntu-gdm-theme_0.1-0ubuntu1.diff.gz


Format: 1.7
Date: Tue, 05 June 2007 16:41:23 -0500
Source: mythbuntu-gdm-theme
Binary: mythbuntu-gdm-theme
Architecture: source
Version: 0.1-0ubuntu1
Distribution: gutsy
Urgency: low
Maintainer: Mario Limonciello <[EMAIL PROTECTED]>
Changed-By: Mario Limonciello <[EMAIL PROTECTED]>
Description: 
 mythbuntu-gdm-theme - mythbuntu gdm greeter theme
Changes: 
 mythbuntu-gdm-theme (0.1-0ubuntu1) gutsy; urgency=low
 .
   * Initial release.
Files: 
 ce81256db4e092c42d647b40a66157b3 626 misc optional 
mythbuntu-gdm-theme_0.1-0ubuntu1.dsc
 74ef2a06de5ce40951f790d9d4e13882 108847 misc optional 
mythbuntu-gdm-theme_0.1.orig.tar.gz
 7eeb6d5394562ba35a36b001874f3b08 1433 misc optional 
mythbuntu-gdm-theme_0.1-0ubuntu1.diff.gz




motu security reviews

2007-05-25 Thread Kees Cook
Hi!

Since the dedicated security-review mailing list was shut down due to
low-traffic, I'd like to explicitly bring MOTU security reviews to the
ubuntu-motu list, since it may frequently include packaging issues, and
other MOTU-related things.  In the past, it was a relatively low-traffic
list, so I would expect the impact here to be small as well.  Assuming
no one has any objections, I can update the SUP[1] to reflect the new
place to discuss MOTU security stuff.

Thanks!

-Kees

[1] https://wiki.ubuntu.com/SecurityUpdateProcedures

-- 
Kees Cook




Re: cacti 0.8.6h-1ubuntu3.1 testing

2007-04-16 Thread Kees Cook
On Sat, Apr 14, 2007 at 10:49:10PM +0800, Trent Lloyd wrote:
> I was hoping for a few people to test it, it seems to work fine here.

Excellent, thanks for testing this.  There hadn't been any other 
feedback from prior Dapper packages[1], so I'll take this as a good sign 
that it's fixed.  :)

>  cacti (0.8.6h-1ubuntu3.1) dapper-security; urgency=low

I've uploaded this, it should be available on the archives shortly.

Thanks again and take care,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/78453

-- 
Kees Cook




needing help: vnc4

2007-04-10 Thread Kees Cook
Hi everyone,

Bug 78282[1] has been a real problem for people for a while now, and is 
related to vnc4 getting rebuilt for a security update.  Unfortunately, 
it doesn't work on edgy and feisty, and no one who is more familiar 
with the codebase has been able to help.  I tried repackaging vnc4 with 
a more recent Xorg source[2], but it still fails.  Does anyone have some 
time and knowledge to throw at this problem?

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/vnc4/+bug/78282
[2] http://people.ubuntu.com/~kees/feisty/vnc4/

-- 
Kees Cook




Re: Clamav?

2007-03-14 Thread Kees Cook
Hi Eric,

On Wed, Mar 14, 2007 at 07:06:25AM -0600, Eric Krieger wrote:
> Why is clamav not being maintained for all ubuntu versions (at least 
> back to Dapper LTS)? Some of us actually use clamav in a production 
> environment in conjunction with spam filtering.

No one (that I've seen) has stepped up to take ownership of clamav.  I 
do, however, try to make time to release security updates for it, since 
I recognize that a lot of people use it and I don't want to leave them 
vulnerable.  (Lacking new features in a virus scanner, however, could be 
seen as "vulnerable" too -- that's true.  Regardless, it doesn't change 
the need for performing lots of testing on updates.)

Normally for security updates, we don't do full-version upgrades of 
software since there may be unintended breakage.  Security updates 
(which don't change the base version number) have been ongoing, though, 
which you can see, for example, in the Dapper changelog[1].  From that, 
you can also see that backports have happened at times.  Usually those 
need to be explicitly requested (and tested).  The best situation would 
be to have clamav go through a full SRU[2].

> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.4 Recommended version: 0.90.1
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 8, recommended = 14

So, to recap, I see three things that are possible for clamav:

1) let it age without security updates (ugly)
2) let it age, but backport security updates (middle-ground)
3) always have the latest version (wonderful)

Right now I've been treating clamav as "regular" software, and have just 
been backporting security flaws -- I built some simple tests to do 
validation, so it doesn't take much time to do basic tests.

Doing full-version upgrades will require more testing (e.g. did the 
library or unix-socket interfaces change?) before it gets published.  
What's needed to get us to "3" is someone to update the package, file an 
SRU, and then follow it through the SRU testing process.  I'm happy to 
help test (I use clamav myself), but I don't have the time to drive the 
process at the moment.  Would you be willing to help out with the SRUs?

Thanks,

-Kees

[1] https://launchpad.net/ubuntu/dapper/+source/clamav/+changelog
[2] https://wiki.ubuntu.com/StableReleaseUpdates

-- 
Kees Cook




Re: Wordpress 2.1.1 Security Issue

2007-03-03 Thread Kees Cook
[redirected from security-review ml, which is going away...]

On Sat, Mar 03, 2007 at 01:38:10AM -0600, Rich Johnson wrote:
> Just wondering if this involved the version we currently have in the Feisty 
> repos?
> 
> http://wordpress.org/development/2007/03/upgrade-212/
> 
> It seems somebody gained access and modified the 2.1.1 download allowing 
> installed 2.1.1 version to be exploited allowing remote PHP execution.
> 
> According to Wordpress SVN downloads were not affected.

I examined this yesterday; it's clean.  The 2.1.1 orig.tar.gz from 
Debian was taken prior to wordpress.org getting broken into.  Based on 
the report, the described backdoor wasn't present.

To avoid (this kind of) confusion, wordpress.org simply declared all of 
2.1.1 as "bad", just to make sure no one had a bad version.

-- 
Kees Cook




Re: package ettercap-gtk: typo in ettercap.desktop

2007-02-26 Thread Kees Cook
Hi,

On Sun, Feb 25, 2007 at 02:02:56PM +0100, D. Rudolph wrote:
> as I am only a humble Ubuntu user and no developer, I don't know how to
> report an error. Please excuse if this is the wrong way.

Normally, you can just open a bug on https://launchpad.net/
For example, for ettercap:
https://launchpad.net/ubuntu/+source/ettercap/+filebug

> I found a typo error in the file
> /usr/share/applications/ettercap.desktop in the Ubuntu package
> ettercap-gtk, version 1:0.7.3-1.1ubuntu3 (edgy).

Thanks for reporting this.  This was already reported as bug 81305[1], 
and fixed for feisty.  Feel free to report any other bugs you find (but 
please use the bugtracker).

> I hope I can contribute to the open source community without using any
> Bugtracker/CVS/subversion access.

A lot of developers find it much easier to follow issues that are on the 
bug tracker, so if you want to maximize your contribution, the best 
leverage will come from using the Ubuntu bug tracker.  :)

-- 
Kees Cook




Re: Audacity package

2007-02-14 Thread Kees Cook
On Wed, Feb 14, 2007 at 11:58:59AM -0500, Zach Tibbitts wrote:
> Audacity 1.3.2 uses GTK+ widgets.  I've managed to build an edgy deb from
> Debian's sources, and it seems to work OK, but it would be nice if audacity
> 1.3.2 were included into feisty, especially for ubuntu-studio, as I believe
> that they plan to include audacity in it, and it would be nice to minimize
> the number of GTK1 applications.

This looks like a good candidate for requesting a UVF exception[1] 
(especially since it gets us back into sync with Debian).  Could you 
prepare this, since you've got packages ready?

Thanks,

-Kees

[1] https://wiki.ubuntu.com/FreezeExceptionProcess

-- 
Kees Cook




Re: How do I request a package be updated?

2007-02-05 Thread Kees Cook
Hi Zach,

On Mon, Feb 05, 2007 at 02:07:30PM -0500, Scott Kitterman wrote:
> On Monday 05 February 2007 13:09, Zach Tibbitts wrote:
> > I'm a developer of an application that's currently in Feisty's universe
> > repository.
> 
> Assuming there are no Ubuntu specific changes in the current package:
> https://wiki.ubuntu.com/SyncRequestProcess
> 
> If there are Ubuntu specific changes it may need to be merged instead:
> https://wiki.ubuntu.com/MOTU/Merging

Out of curiosity, which package is it?

-- 
Kees Cook




Re: new team: motu-swat

2007-01-11 Thread Kees Cook
On Fri, Jan 12, 2007 at 03:21:14AM +0100, Stefan Potyra wrote:
> Then it's time to call for the all new motu-swat, the police of universe, who 
> will squish all security bugs and thus make universe a safer place. 

Woo-hoo!  This team is already rocking!  I'm always happy to have more 
eyes (and debdiffs) on the security issues in universe.  A bunch of 
-security uploads have already gone through as a result of motu-swat 
attention.  :)

One thing I'd like to figure out is some way to publicize universe 
security updates more widely.  One place that collects the "recent 
package updates" is the Ubuntu Weekly Newsletter.  There's a Security 
Updates section which catches USNs (for main), and an Updates section 
which catches notifications sent to the $RELEASE-changes mailing list, 
but since security uploads are done kind of side-ways, they seem to 
bypass the -changes mailing lists (and as a result, the Newsletter).

Thanks motu-swat!  :)

-- 
Kees Cook




Re: Amule crash on search Clear/Search tab closing

2006-10-24 Thread Kees Cook
On Tue, Oct 24, 2006 at 05:04:53PM +, Bruno Santos wrote:
> (amule:15449): Gtk-CRITICAL **: gtk_container_remove: assertion
> `GTK_IS_TOOLBAR (container) || widget->parent == GTK_WIDGET (container)'
> failed
> 
> (amule:15449): Gtk-CRITICAL **: gtk_container_remove: assertion
> `GTK_IS_TOOLBAR (container) || widget->parent == GTK_WIDGET (container)'
> failed
> 
> Gtk-ERROR **: file gtkcontainer.c: line 2447
> (gtk_container_propagate_expose): assertion failed: (child->parent ==
> GTK_WIDGET (container))
> aborting...
> Aborted (core dumped)

Hi Bruno!

Please file a bug report in launchpad[1].  It is usually pretty hard to 
track bugs on a mailing list.

Thanks!


[1] https://launchpad.net/distros/ubuntu/+source/amule/+filebug

-- 
Kees Cook




rebuilds for libssl0.9.7 -> libssl0.9.8

2006-10-12 Thread Kees Cook
Hi!  I've been making my way through packages that were still linked 
against libssl0.9.7, and have made some good progress (21 successfully 
rebuilt).  I've moved on to small code changes which is mostly the md5.h 
includes, and minor other fixes (current count: 10).

At this point, I've run into some strange stuff that I'm not sure how to 
deal with:

aolserver4-nsopenssl, aolserver4-nsimap: Built fine for all but amd64.  
Their prereq "aolserver4"'s most recent build only built for amd64[1] 
(all others failed), and has a bad start-up script (uses "source" 
instead of ".").  Should we try to fix aolserver4's latest version, or 
is there a way to "reject" the most recent build in favor of the earlier 
one?

arla: build-dep conflicts:
 The following packages have unmet dependencies:
  heimdal-dev: Conflicts: kerberos4kth-dev but 1.2.2-11.3ubuntu4 is to be installed
  kerberos4kth-dev: Depends: libotp0-kerberos4kth (= 1.2.2-11.3ubuntu4) but it is not going to be installed
                    Depends: libroken16-kerberos4kth (= 1.2.2-11.3ubuntu4) but it is not going to be installed
                    Depends: libkafs0-kerberos4kth (= 1.2.2-11.3ubuntu4) but it is not going to be installed
                    Depends: libkafs0-kerberos4kth (>= 1.2.2-11.3ubuntu4) but it is not going to be installed
                    Depends: libroken16-kerberos4kth (>= 1.2.2-11.3ubuntu4) but it is not going to be installed
                    Depends: libdb4.3-dev but it is not going to be installed
Any clue on how to fix this up?

sope: build-dep conflicts:
 The following packages have unmet dependencies:
   apache-dev: Depends: libdb4.4-dev but it is not going to be installed
This totally baffles me.  I can install the build-dep by hand without 
any problem, but within my sbuild environment, it breaks as above.  Any 
clues on how to solve this?

ldmud: segfaults during build:
 ./make_func instrs
 Primary codes: 249 (127 + 122) - Secondary codes:   62 ( 17 +  45)
 Tabled codes:   73 (  0 +  73) - Tabled varargs codes:  27 (  0 +  27)
 make[1]: *** [instrs.h] Segmentation fault (core dumped)
Ignore for now since it's in multiverse?


Thanks!

[1] https://launchpad.net/distros/ubuntu/edgy/+source/aolserver4/4.0.10-6

-- 
Kees Cook

