Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
On Thu, Apr 03, 2008 at 07:08:17PM +0200, Christian Perrier wrote:
OK. So here's the patch I now come up with.
Why have you replace {PACKAGE} with ${PACKAGE}???
For example, this is wrong.
-Template: snort{PACKAGE}/configure_db
+Template: snort${PACKAGE}/configure_db
As soon as I get an ACK, I'll launch the translation update round.
NACK. As this patch is not correct. It will actually procude *wrong*
templates.
Regards
Javier
signature.asc
Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
-Template: snort{PACKAGE}/configure_db
+Template: snort${PACKAGE}/configure_db
As soon as I get an ACK, I'll launch the translation update round.
NACK. As this patch is not correct. It will actually procude *wrong*
templates.
/me mumbles...
Corrected patch attached.
diff -Nru snort.old/debian/changelog snort/debian/changelog
--- snort.old/debian/changelog 2008-01-25 06:17:03.837193938 +0100
+++ snort/debian/changelog 2008-03-07 18:57:35.502152334 +0100
@@ -1,3 +1,11 @@
+snort (2.7.0-10) UNRELEASED; urgency=low
+
+ * Debconf templates and debian/control reviewed by the debian-l10n-
+english team as part of the Smith review project. Closes: #469803
+ * [Debconf translation updates]
+
+ -- Christian Perrier [EMAIL PROTECTED] Fri, 07 Mar 2008 18:57:35 +0100
+
snort (2.7.0-9) unstable; urgency=low
* Modify debian/rules to prevent autobuilders from building
diff -Nru snort.old/debian/control snort/debian/control
--- snort.old/debian/control2008-01-25 06:17:03.913192050 +0100
+++ snort/debian/control2008-03-04 17:53:51.499669843 +0100
@@ -6,6 +6,7 @@
Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (=
4.1.13), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (=
0.5.0), libprelude-dev, iptables-dev
Build-Depends-Indep: texlive, texlive-latex-base, gs-common
Standards-Version: 3.5.6
+Homepage: http://www.snort.org/
Package: snort
Architecture: any
@@ -14,8 +15,7 @@
Conflicts: snort-mysql, snort-pgsql
Replaces: snort-common ( 2.0.2-3)
Recommends: snort-doc
-Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System
+Description: flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
@@ -25,7 +25,7 @@
sent to syslog, a separate alert file, or even to a Windows computer
via Samba.
.
- This package provides the plain-vanilla snort distribution and does not
+ This package provides the plain-vanilla version of Snort and does not
provide database (available in snort-pgsql and snort-mysql) support.
Package: snort-common
@@ -36,7 +36,7 @@
Replaces: snort ( 1.8.4beta1-1)
Suggests: snort-doc
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [common files]
+Description: flexible Network Intrusion Detection System [common files]
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
@@ -72,7 +72,7 @@
Depends: snort-common-libraries (=${binary:Version}), snort-rules-default (=
${binary:Version}), debconf (= 0.2.80) | debconf-2.0, syslogd |
system-log-daemon, ${shlibs:Depends}, snort-common (= ${binary:Version}),
logrotate
Conflicts: snort, snort-pgsql
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [MySQL]
+Description: flexible Network Intrusion Detection System [MySQL]
Distribution of Snort with support for logging to a MySQL database.
.
Snort is a libpcap-based packet sniffer/logger which can be used as a
@@ -91,7 +91,7 @@
Depends: snort-common-libraries (=${binary:Version}), snort-rules-default (=
${binary:Version}), debconf (= 0.2.80) | debconf-2.0, adduser (= 3.11),
syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (=
${binary:Version}), logrotate
Conflicts: snort, snort-mysql
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [PostgreSQL]
+Description: flexible Network Intrusion Detection System [PostgreSQL]
Distribution of Snort with support for logging to a PostgreSQL dbase.
.
Snort is a libpcap-based packet sniffer/logger which can be used as a
@@ -110,7 +110,7 @@
Suggests: snort (= 2.2.0) | snort-pgsql (= 2.2.0) | snort-mysql (= 2.2.0)
Recommends: oinkmaster
Homepage: http://www.snort.org/rules/
-Description: Flexible Network Intrusion Detection System ruleset
+Description: flexible Network Intrusion Detection System ruleset
Snort default ruleset which provides a common set of accepted and test
network intrusion detection rules developed by the Snort community.
.
@@ -122,7 +122,7 @@
Suggests: snort (= 2.7.0) | snort-pgsql (= 2.7.0) | snort-mysql (= 2.7.0)
Conflicts: snort-common ( 2.7.0-6)
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System ruleset
+Description: flexible Network Intrusion Detection System ruleset
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
diff -Nru
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
On Sat, Apr 05, 2008 at 06:39:30PM +0200, Christian Perrier wrote: Corrected patch attached. Looks fine. Go ahead and ask for updates, notice that you will need to run the debian/rules target that updates the debconf templates first... Regards Javier signature.asc Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
Hi Christian, I have concerns for some of the changes proposed. More
specifically:
- If you want you can specify 'any', to not trust any side of the network.
+ If you specify 'any', Snort will listen on all available networks.
The problem is that the 'snort/address_range' is actually the definition of
$HOME_NET. This is the definition of the local network, i.e. the internal
network that might be attacked from the outside. Snort uses this information
to filter out traffic. Traffic that is destined to other network ranges is
filtered out and those are considered trusted addresses.
This template might better be written as:
_Description: Address range for the local network:
And remove the above line.
Well, the entire template is pretty big, so I'd like to be sure about
what you propose. We had:
Template: snort{PACKAGE}/address_range
Type: string
Default: 192.168.0.0/16
_Description: Address range that Snort will listen on:
Please use the CIDR form - for example, 192.168.1.0/24 for a block of
256 addresses or 192.168.1.42/32 for just one. Multiple values should
be comma-separated (without spaces).
.
If you specify 'any', Snort will listen on all available networks.
.
Please note that if Snort is configured to use multiple interfaces,
it will use this value as the HOME_NET definition for all of them.
Do you propose:
Template: snort{PACKAGE}/address_range
Type: string
Default: 192.168.0.0/16
_Description: Address range for the local network:
Please use the CIDR form - for example, 192.168.1.0/24 for a block of
256 addresses or 192.168.1.42/32 for just one. Multiple values should
be comma-separated (without spaces).
.
Please note that if Snort is configured to use multiple interfaces,
it will use this value as the HOME_NET definition for all of them.
This omits the explanation about 'any', doesn't it?
signature.asc
Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
2008/4/3, Christian Perrier [EMAIL PROTECTED]: Well, the entire template is pretty big, so I'd like to be sure about what you propose. We had: (...) Do you propose: Yes. That's what I propose. This omits the explanation about 'any', doesn't it? Yes, it does. The use of 'any' is actually a bad idea (and the template was wrong in how it was used). I'm looking at way to tell the user how to set it to 'none' (so that Snort considers EXTERNAL_NET as 'any') but that might be something more for advanced users. For the time being, it could be left as is until I find the best way to provide a do not trust any IP address setting. Regards Javier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Javier Fernandez-Sanguino ([EMAIL PROTECTED]):
2008/4/3, Christian Perrier [EMAIL PROTECTED]:
Well, the entire template is pretty big, so I'd like to be sure about
what you propose. We had:
(...)
Do you propose:
Yes. That's what I propose.
This omits the explanation about 'any', doesn't it?
Yes, it does. The use of 'any' is actually a bad idea (and the
template was wrong in how it was used). I'm looking at way to tell the
user how to set it to 'none' (so that Snort considers EXTERNAL_NET as
'any') but that might be something more for advanced users.
OK. So here's the patch I now come up with.
As soon as I get an ACK, I'll launch the translation update round.
diff -Nru snort.old/debian/changelog snort/debian/changelog
--- snort.old/debian/changelog 2008-01-25 06:17:03.837193938 +0100
+++ snort/debian/changelog 2008-03-07 18:57:35.502152334 +0100
@@ -1,3 +1,11 @@
+snort (2.7.0-10) UNRELEASED; urgency=low
+
+ * Debconf templates and debian/control reviewed by the debian-l10n-
+english team as part of the Smith review project. Closes: #469803
+ * [Debconf translation updates]
+
+ -- Christian Perrier [EMAIL PROTECTED] Fri, 07 Mar 2008 18:57:35 +0100
+
snort (2.7.0-9) unstable; urgency=low
* Modify debian/rules to prevent autobuilders from building
diff -Nru snort.old/debian/control snort/debian/control
--- snort.old/debian/control2008-01-25 06:17:03.913192050 +0100
+++ snort/debian/control2008-03-04 17:53:51.499669843 +0100
@@ -6,6 +6,7 @@
Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (=
4.1.13), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (=
0.5.0), libprelude-dev, iptables-dev
Build-Depends-Indep: texlive, texlive-latex-base, gs-common
Standards-Version: 3.5.6
+Homepage: http://www.snort.org/
Package: snort
Architecture: any
@@ -14,8 +15,7 @@
Conflicts: snort-mysql, snort-pgsql
Replaces: snort-common ( 2.0.2-3)
Recommends: snort-doc
-Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System
+Description: flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
@@ -25,7 +25,7 @@
sent to syslog, a separate alert file, or even to a Windows computer
via Samba.
.
- This package provides the plain-vanilla snort distribution and does not
+ This package provides the plain-vanilla version of Snort and does not
provide database (available in snort-pgsql and snort-mysql) support.
Package: snort-common
@@ -36,7 +36,7 @@
Replaces: snort ( 1.8.4beta1-1)
Suggests: snort-doc
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [common files]
+Description: flexible Network Intrusion Detection System [common files]
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
@@ -72,7 +72,7 @@
Depends: snort-common-libraries (=${binary:Version}), snort-rules-default (=
${binary:Version}), debconf (= 0.2.80) | debconf-2.0, syslogd |
system-log-daemon, ${shlibs:Depends}, snort-common (= ${binary:Version}),
logrotate
Conflicts: snort, snort-pgsql
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [MySQL]
+Description: flexible Network Intrusion Detection System [MySQL]
Distribution of Snort with support for logging to a MySQL database.
.
Snort is a libpcap-based packet sniffer/logger which can be used as a
@@ -91,7 +91,7 @@
Depends: snort-common-libraries (=${binary:Version}), snort-rules-default (=
${binary:Version}), debconf (= 0.2.80) | debconf-2.0, adduser (= 3.11),
syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (=
${binary:Version}), logrotate
Conflicts: snort, snort-mysql
Homepage: http://www.snort.org/
-Description: Flexible Network Intrusion Detection System [PostgreSQL]
+Description: flexible Network Intrusion Detection System [PostgreSQL]
Distribution of Snort with support for logging to a PostgreSQL dbase.
.
Snort is a libpcap-based packet sniffer/logger which can be used as a
@@ -110,7 +110,7 @@
Suggests: snort (= 2.2.0) | snort-pgsql (= 2.2.0) | snort-mysql (= 2.2.0)
Recommends: oinkmaster
Homepage: http://www.snort.org/rules/
-Description: Flexible Network Intrusion Detection System ruleset
+Description: flexible Network Intrusion Detection System ruleset
Snort default ruleset which provides a common set of accepted and test
network intrusion detection rules developed by the Snort community.
.
@@ -122,7 +122,7 @@
Suggests: snort (= 2.7.0) | snort-pgsql (= 2.7.0) | snort-mysql (= 2.7.0)
Conflicts: snort-common ( 2.7.0-6)
Homepage: http://www.snort.org/
-Description: Flexible Network
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Hi Christian, I have concerns for some of the changes proposed. More specifically: - If you want you can specify 'any', to not trust any side of the network. + If you specify 'any', Snort will listen on all available networks. The problem is that the 'snort/address_range' is actually the definition of $HOME_NET. This is the definition of the local network, i.e. the internal network that might be attacked from the outside. Snort uses this information to filter out traffic. Traffic that is destined to other network ranges is filtered out and those are considered trusted addresses. This template might better be written as: _Description: Address range for the local network: And remove the above line. Also, the patch changes the template files, but it should change the following files instead: snort.TEMPLATE.templates, snort.DATABASE.templates, snort-mysql.ADD.templates and snort-pgsql.ADD.templates. I think I described how templates are handled in the review, but you have to patch these files and then run 'debian/rules update-templates' All the other changes look OK. Feel free to make the changes as I said above and make the call of translators. Regards Javier signature.asc Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Christian Perrier ([EMAIL PROTECTED]): Quoting Christian Perrier ([EMAIL PROTECTED]): I push the deadline by 2 weeks and will nag you again when that time has come if I have no news. That new deadline is about to expire. Javier, any news or do you need /me to push it again? I actually got no news. As I know that last week was a long holiday week in Spain, I'll pugh the deadline again by one week, but please javier give me some hint signature.asc Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Christian Perrier ([EMAIL PROTECTED]): I push the deadline by 2 weeks and will nag you again when that time has come if I have no news. That new deadline is about to expire. Javier, any news or do you need /me to push it again? -- signature.asc Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
2008/3/7, Christian Perrier [EMAIL PROTECTED]: The debian-l10n-english contributors have now reviewed these templates, and the proposed changes are attached to this bug report. Please review the suggested changes are suggested, and if you have any objections, let me know in the next 3 days. Please, don't impose this deadline. I will not be able to review this in three days. Please try to avoid uploading snort with these changes right now. The second phase of this process will begin on Monday, March 10, 2008, when I will coordinate updates to translations of debconf templates. Don't do this until I review and confirm all the changes introduced by this bug report. Please, start the update phase when I give you the OK. Thanks Javier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Quoting Javier Fernandez-Sanguino ([EMAIL PROTECTED]): Please, don't impose this deadline. I will not be able to review this in three days. OK, no problem. These are the standard deadlines I use but they can be adapted to maintainers' contextas long as the review doesn't stand for ages..:-) I push the deadline by 2 weeks and will nag you again when that time has come if I have no news. signature.asc Description: Digital signature
Bug#469803: snort: [debconf_rewrite] Debconf templates and debian/control review
Package: snort Version: N/A Severity: normal Tags: patch Dear Debian maintainer, On Thursday, February 14, 2008, I notified you of the beginning of a review process concerning debconf templates for snort. The debian-l10n-english contributors have now reviewed these templates, and the proposed changes are attached to this bug report. Please review the suggested changes are suggested, and if you have any objections, let me know in the next 3 days. Please try to avoid uploading snort with these changes right now. The second phase of this process will begin on Monday, March 10, 2008, when I will coordinate updates to translations of debconf templates. The existing translators will be notified of the changes: they will receive an updated PO file for their language. Simultaneously, a general call for new translations will be sent to the debian-i18n mailing list. Both these calls for translations will request updates to be sent as individual bug reports. That will probably trigger a lot of bug reports against your package, but these should be easier to deal with. The call for translation updates and new translations will run until about Monday, March 31, 2008. Please avoid uploading a package with fixed or changed debconf templates and/or translation updates in the meantime. Of course, other changes are safe. Please note that this is an approximative delay, which depends on my own availability to process this work and is influenced by the fact that I simultaneously work on many packages. Around Tuesday, April 01, 2008, I will contact you again and will send a final patch summarizing all the updates (changes to debconf templates, updates to debconf translations and new debconf translations). Again, thanks for your attention and cooperation. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash --- snort.old/debian/snort.templates2008-01-25 06:17:03.829193343 +0100 +++ snort/debian/snort.templates2008-03-07 07:36:30.896056315 +0100 @@ -1,130 +1,132 @@ +# These templates have been reviewed by the debian-l10n-english +# team +# +# If modifications/additions/rewording are needed, please ask +# [EMAIL PROTECTED] for advice. +# +# Even minor modifications require translation updates and such +# changes should be coordinated with translators and reviewers. + Template: snort/startup Type: select -_Choices: boot, dialup, manual +__Choices: boot, dialup, manual Default: boot -_Description: When should Snort be started? +_Description: Snort start method: Snort can be started during boot, when connecting to the net with pppd or - only when you manually start it via /usr/sbin/snort. + only manually with the /usr/sbin/snort command. Template: snort/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: - This value usually is 'eth0', but you might want to vary this depending - on your environment, if you are using a dialup connection 'ppp0' might - be more appropiate (Hint: use 'ip link show' of 'ifconfig'). - . - Typically this is the same interface than the 'default route' is on. You can - determine which interface is used for this running either '/sbin/ip ro sh' or - '/sbin/route -n' (look for 'default' or '0.0.0.0'). + This value is usually 'eth0', but this may be inappropriate in some + network environments; for a dialup connection 'ppp0' might be more + appropriate (see the output of '/sbin/ifconfig'). + . + Typically, this is the same interface as the 'default route' is on. You can + determine which interface is used for this by running '/sbin/route -n' + (look for '0.0.0.0'). . - It is also not uncommon to use an interface with no IP - and configured in promiscuous mode, if this is your case, select the + It is also not uncommon to use an interface with no IP address + configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network - you want to inspect, enable promiscuous mode later on and make sure + that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected - to a 'port mirroring/spanning' port in a switch, to a hub or to a tap) + to a 'port mirroring/spanning' port in a switch, to a hub or to a tap). . - You can configure multiple interfaces here, just by adding more than + You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its - specific configuration. + own specific configuration. Template: snort/address_range Type: string Default: 192.168.0.0/16 _Description: Address range that Snort will listen on: - You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or - 192.168.1.42/32
