On Wed, Apr 18, 2012 at 3:08 AM, Ben Finney ben+deb...@benfinney.id.au wrote:
Agreed. Vladimir, this long thread highlights the fact that you need to
find a community for this code *first*, and fix many of the bugs that
would be found that way, before presenting it as a package for inclusion
Vladimir Stavrinov vstavri...@gmail.com writes:
I believe due to this long thread all those bugs (or rather security
vulnerabilities), apart from only the last one about using $RANDOM, are fixed.
At the same time I think this small utility has less significant, and fewer,
bugs than most software already
Vladimir Stavrinov vstavri...@gmail.com writes:
http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.4-1.dsc
Now there is at least the problem that you are using the $RANDOM
variable of bash. It is easily predictable and should not be used to
produce passwords.
--
To UNSUBSCRIBE, email to
On Tue, Apr 17, 2012 at 09:40:50PM +0300, Timo Juhani Lindfors wrote:
Now there is at least the problem that you are using the $RANDOM
Yes, I am aware of this already and will consider other solutions.
variable of bash. It is easily predictable and should not be used to
In some degree it is
Vladimir Stavrinov vstavri...@gmail.com writes:
In some degree it is compensated by the fact that double letters are
excluded as well as other combinations. This forces calling $RANDOM
again and again before picking up a symbol.
Calling $RANDOM again and again does not help at all. If you
Perhaps taking d-mentors@l.d.o off future replies could be done.
Thanks!
-mz
On Tue, Apr 17, 2012 at 3:17 PM, Timo Juhani Lindfors
timo.lindf...@iki.fi wrote:
Vladimir Stavrinov vstavri...@gmail.com writes:
In some degree it is compensated by the fact, that double letters are
excluded as
Matt Zagrabelny mzagr...@d.umn.edu writes:
Perhaps taking d-mentors@l.d.o off future replies could be done.
Agreed. Vladimir, this long thread highlights the fact that you need to
find a community for this code *first*, and fix many of the bugs that
would be found that way, before presenting it
Vladimir Stavrinov vstavri...@gmail.com writes:
Ok. Show me where You see password. What command in process list does show
password?
It's the tr commands this time.
$ stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c './rpg'
parketdufime
./rpg
/usr/bin/cut -c 7
/usr/bin/tr
On Wed, Apr 11, 2012 at 09:32:22AM +0300, Timo Juhani Lindfors wrote:
Ok. Show me where You see password. What command in process list does show
password?
It's the tr commands this time.
Thank You. I will fix this.
--
***
## Vladimir Stavrinov
##
On Wed, Apr 11, 2012 at 09:32:22AM +0300, Timo Juhani Lindfors wrote:
It's the tr commands this time.
$ stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c './rpg'
Fixed. Please, check it again:
http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.4-1.dsc
--
Vladimir Stavrinov vstavri...@gmail.com writes:
Fixed. Please, check it again:
I'm too busy at least at the moment.
On Wed, Apr 11, 2012 at 08:15:56PM +0300, Timo Juhani Lindfors wrote:
I'm too busy at least at the moment.
Don't worry, we have nowhere to rush. I can't check it myself, so I'll
wait for You. Thank You for Your assistance.
***
### Vladimir Stavrinov
###
Vladimir Stavrinov vstavri...@gmail.com writes:
Don't worry, we have nowhere to rush. I can't check it myself, so I'll
wait for You. Thank You for Your assistance.
If you are going to maintain this package you really need to learn how
to audit it for security issues :)
On Wed, Apr 11, 2012 at 10:16:15PM +0300, Timo Juhani Lindfors wrote:
If you are going to maintain this package you really need to learn how
to audit it for security issues :)
Certainly! But to resolve last issue, I should compile custom kernel,
while at this time I am using Debian binary
Vladimir Stavrinov vstavri...@gmail.com writes:
Certainly! But to resolve last issue, I should compile custom kernel,
while at this time I am using Debian binary kernel.
Why? systemtap works with debian stable kernels.
On Wed, Apr 11, 2012 at 10:46:06PM +0300, Timo Juhani Lindfors wrote:
Why? systemtap works with debian stable kernels.
I am on 3.2.0-2
***
### Vladimir Stavrinov
### vstavri...@gmail.com
***
Vladimir Stavrinov vstavri...@gmail.com writes:
I am on 3.2.0-2
I'm on linux-image-3.2.0-1-amd64 3.2.4-1 and it works.
On Wed, Apr 11, 2012 at 11:00:27PM +0300, Timo Juhani Lindfors wrote:
Vladimir Stavrinov vstavri...@gmail.com writes:
I am on 3.2.0-2
I'm on linux-image-3.2.0-1-amd64 3.2.4-1 and it works.
root@mana:~# stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c 'rpg'
semantic error:
[ Dropping extra people from Cc since I don't think my reply is
related to rpg anymore. ]
Vladimir Stavrinov vstavri...@gmail.com writes:
root@mana:~# stap -e 'probe syscall.execve { printf("%s\n", argstr); }' -c 'rpg'
semantic error: missing x86_64 kernel/module debuginfo under
On Wed, Apr 11, 2012 at 11:13:35PM +0300, Timo Juhani Lindfors wrote:
Yep, you need to install the -dbg package. It'd be nice if we could just
Installation started, but it will take about 20 minutes.
Installed now, it brought no success:
root@mana:~# stap -e 'probe syscall.execve {
Timo Juhani Lindfors timo.lindf...@iki.fi writes:
[ Dropping extra people from Cc since I don't think my reply is
related to rpg anymore. ]
Please also drop ‘debian-mentors’; the discussion has been off-topic
here for a long time.
--
\ “Working out the social politics of who you
On Sunday 08 April 2012 12:58:08 Vladimir Stavrinov wrote:
The problem is that I don't see this review process here. Instead, all of
You are explaining what Debian is and what is not. But I've got not much
new. You are trying to breach into an open door. But the point is that all this
discussion
On Sun, Apr 08, 2012 at 04:24:19AM +0400, Vladimir Stavrinov wrote:
As for security, I hope there are no such problems in last uploaded
version.
Please clearly state somewhere that your software doesn't attempt to
generate cryptographically secure passwords.
--
WBR, wRAR
On Sun, Apr 08, 2012 at 04:18:55PM +1000, Dmitry Smirnov wrote:
Shortly after you published your RFS I tried 'rpg' but quickly discarded it
because from the first look I found no new functionality. (pwgen is more
feature rich)
It is not issue of functionality. Need to repeat again: the only
On Sun, Apr 08, 2012 at 01:00:09PM +0600, Andrey Rahmatullin wrote:
Please clearly state somewhere that your software doesn't attempt to
generate cryptographically secure passwords.
Thank You very much. This is one of only two valuable messages in this
thread. The paradox is that it is most
On Sat, Apr 07, 2012 at 09:14:44AM +0900, Charles Plessy wrote:
What about repagen, i.e. REadable PAssword GENerator? Is it OK?
That is nice.
Good. But. There are too many things to be renamed:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659047
On Sat, Apr 7, 2012 at 9:46 AM, Vladimir Stavrinov vstavri...@gmail.com wrote:
ecosystem. Consider for instance that if one day you suddenly can not
contribute anymore, somebody else will need to take care of the package. Summed
together, even removals take time.
It would be a nice behavior, if
On Sat, Apr 07, 2012 at 01:13:35PM -0300, Fernando Lemos wrote:
First, If you're proposing a different algorithm for password
generation, have you looked into contributing the algorithm to apg? If
not, why?
Please also note that while apg generates secure passwords, rpg doesn't
care about such
On Sat, Apr 07, 2012 at 01:13:35PM -0300, Fernando Lemos wrote:
maintainers to request removals before they leave Debian. You seem to
have an overly simplified view of how the distribution works.
You don't let me know something new.
Now, about the package in question. The alternative
On Sat, Apr 07, 2012 at 04:46:33PM +0400, Vladimir Stavrinov wrote:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659047
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652718
http://mentors.debian.net/package/rpg
Hi,
There is no need to rename bugs and mentors uploads retroactively.
Vladimir Stavrinov vstavri...@gmail.com writes:
But for the last 15 years at least I've written tens of such scripts, that
I have been using for years in my work and life with enjoyment and no problems.
And now, I think, why not make all that software available for
Debian users? But I see: because
On Sun, Apr 08, 2012 at 09:05:25AM +0900, Charles Plessy wrote:
As a side note, I think that the comments about security in this
thread are very relevant. If your package were accepted in Debian, it
would need to meet Debian's and Debian's users expectations, not only
your vision as an
On Sun, Apr 08, 2012 at 10:08:08AM +1000, Ben Finney wrote:
barrier to entry there: Debian should be a coherent operating system
Very good. But to keep system in coherent state You should not only
build barrier on entry, but also remove packages that break such
coherence. And this should be not
On Sat, Apr 7, 2012 at 10:28 PM, Vladimir Stavrinov
vstavri...@gmail.com wrote:
On Sun, Apr 08, 2012 at 10:08:08AM +1000, Ben Finney wrote:
barrier to entry there: Debian should be a coherent operating system
Very good. But to keep system in coherent state You should not only
build barrier
On Sat, Apr 07, 2012 at 11:20:55PM -0300, Fernando Lemos wrote:
to get rid of it. It's thus reasonable that we want to make sure
packages are in good shape for entry in Debian. It's also natural that
It is very easy to execute this task: please, read this shell script. It
is short and simple
Vladimir Stavrinov vstavri...@gmail.com writes:
The problem is that I don't see this review process here. Instead,
all of You are explaining what Debian is and what is not. But I've got
not much new. You are trying to breach into an open door. But the point is
that all this discussion has no
On Thu, Apr 05, 2012 at 06:48:26PM +0400, Vladimir Stavrinov wrote:
On Thu, Apr 05, 2012 at 05:35:21PM +0300, Timo Juhani Lindfors wrote:
When the generator prints Vipeza as a password it does
/bin/grep -qw vi
Yes, I see: it is another invocation of grep. Should be fixed in similar
On Fri, Apr 6, 2012 at 3:34 AM, Charles Plessy ple...@debian.org wrote:
I also think that we should refrain from using short and common names for the
What about repagen, i.e. REadable PAssword GENerator? Is it OK?
Vladimir Stavrinov vstavri...@gmail.com writes:
Fixed:
Unfortunately not. I can still see the password. Writing security
sensitive software as a shell script is quite challenging. I would really
urge you to improve some existing program instead.
On Fri, Apr 06, 2012 at 10:48:33PM +0300, Timo Juhani Lindfors wrote:
Vladimir Stavrinov vstavri...@gmail.com writes:
Fixed:
Unfortunately not. I can still see the password. Writing security
How? It is impossible: to fix the last bug, I have removed grep altogether
and used shell variable
On Sat, Apr 07, 2012 at 12:22:05AM +0400, Vladimir Stavrinov wrote:
How? It is impossible: to fix the last bug, I have removed grep altogether
and used shell variable editing instead. And I can't reproduce this bug.
Please, show me where and how do You see password.
Maybe You are using an old
Vladimir Stavrinov vstavri...@gmail.com writes:
Maybe You are using an old version? Please, show me output from:
rpg -V
$ ./rpg -V
rpg 1.0.2
(C) Vladimir Stavrinov vstavri...@gmail.com, GPL
Just think about all the commands you execute. It shouldn't be too
difficult. I can
On Sat, Apr 07, 2012 at 12:23:11AM +0300, Timo Juhani Lindfors wrote:
rpg 1.0.2
Ok. Show me where You see password. What command in process list does show
password?
***
### Vladimir Stavrinov
### vstavri...@gmail.com
***
On Sat, Apr 07, 2012 at 01:36:10AM +0400, Vladimir Stavrinov wrote:
rpg 1.0.2
Ok. Show me where You see password. What command in process list does show
password?
Please, check new version:
http://mentors.debian.net/debian/pool/main/r/rpg/rpg_1.0.3-1.dsc
On Fri, Apr 06, 2012 at 07:04:08PM +0400, Vladimir Stavrinov wrote:
On Fri, Apr 6, 2012 at 3:34 AM, Charles Plessy ple...@debian.org wrote:
I also think that we should refrain from using short and common names for
the
What about repagen, i.e. REadable PAssword GENerator? Is it OK?
On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
I think rpg is very insecure since all local users of the system can see
the passwords that you generate. All they need to do is to look for the
grep commands that appear in the process list.
Fixed. See:
Vladimir Stavrinov vstavri...@gmail.com writes:
On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
I think rpg is very insecure since all local users of the system can see
the passwords that you generate. All they need to do is to look for the
grep commands that appear in
Vladimir Stavrinov vstavri...@gmail.com writes:
I've run rpg in a continuous loop, but no password was caught, because it is
fed to grep via stdin directly from shell. To be sure, please, test it
again.
I can still see the password.
When the generator prints Vipeza as a password it does
/bin/grep
On Thu, Apr 05, 2012 at 05:35:21PM +0300, Timo Juhani Lindfors wrote:
When the generator prints Vipeza as a password it does
/bin/grep -qw vi
Yes, I see: it is another invocation of grep. Should be fixed in similar
way. But it is more tricky, because here the stdin is already used by grep
for
On Thu, Apr 05, 2012 at 04:34:05PM +0200, Gergely Nagy wrote:
the name. RPG is commonly the abbreviation for role playing game, and
There are many others:
From The Free On-line Dictionary of Computing (26 July 2010) [foldoc]:
RPG
1. games {Role-Playing Game}.
2. tool {Report
Vladimir Stavrinov vstavri...@gmail.com writes:
To advantage of this utility points its name: READABLE password
generator. If You can read (i.e. to pronounce), then it is easy for
remembering. But readable doesn't mean weak - it is strong enough
as long as dictionary is available for
On Thu, Apr 05, 2012 at 10:56:19AM -0700, Russ Allbery wrote:
Debian already has the apg package, which purports to do the same thing
and is a compiled C binary, so doesn't have the various problems with
grep. Is the readability of the passwords generated by rpg really
sufficiently better
On Thu, Apr 05, 2012 at 07:05:16PM +0400, Vladimir Stavrinov wrote:
But there is no package named rpg.
Hi,
I also think that we should refrain from using short and common names for the
packages. That there is no package named rpg does not say that it is free for
you, it says that there was
To advantage of this utility points its name: READABLE password
generator. If You can read (i.e. to pronounce), then it is easy for
remembering. But readable doesn't mean weak - it is strong enough
as long as dictionary is available for consulting to exclude words from
out of there.
--
On 04.04.2012 12:17, Vladimir Stavrinov wrote:
To advantage of this utility points its name: READABLE password
generator. If You can read (i.e. to pronounce), then it is easy for
remembering. But readable doesn't mean weak - it is strong enough
as long as dictionary is available for
Vladimir Stavrinov vstavri...@gmail.com writes:
To advantage of this utility points its name: READABLE password
generator. If You can read (i.e. to pronounce), then it is easy for
remembering. But readable doesn't mean weak - it is strong enough
as long as dictionary is available for
On Wed, Apr 04, 2012 at 12:22:44PM +0200, Bartosz Feński wrote:
So basically this is another tool like the apg?
http://packages.debian.org/sid/apg
I've used apg few years ago, but was not satisfied with it. That is
exactly why I have started to write my own alternative. The main point
was
On Wed, Apr 04, 2012 at 01:39:07PM +0300, Timo Juhani Lindfors wrote:
I think rpg is very insecure since all local users of the system can see
the passwords that you generate. All they need to do is to look for the
grep commands that appear in the process list.
First of all in most cases it
On 04/04/2012 01:09 PM, Vladimir Stavrinov wrote:
I've used apg few years ago, but was not satisfied with it. That is
exactly why I have started to write my own alternative. The main point
was pronounceability.
We also have pwgen which generates pronounceable passwords according
to its man
On Wed, Apr 04, 2012 at 01:41:43PM +0200, Ansgar Burchardt wrote:
We also have pwgen which generates pronounceable passwords according
to its man page.
As You can see, it is first utility mentioned here in this thread before apg,
and
again, I have used it too before apg. But it generates even
Vladimir Stavrinov vstavri...@gmail.com writes:
First of all in most cases it is used on workstation where there are no other
live users than You (or hacker breached into Your system). Second, it
is used sporadically and rarely. To catch those passwords You need
continuously watching and analyze
Package: sponsorship-requests
Severity: normal
Dear mentors,
I am looking for a sponsor for my package rpg.
* Package name: rpg
Version : 1.0.0-1
Upstream Author : Vladimir Stavrinov vstavri...@gmail.com
* URL :
What advantages does this program have over pwgen (which has been around
for a long time and is already packaged)?
--
Richard
-Original message-
From: Richard Laager [mailto:rlaa...@wiktel.com]
Sent: Tuesday 7 February 2012 21:26
To: Bas van den Dikkenberg; 659...@bugs.debian.org
Subject: Re: Bug#659047: RFS: rpg - Readable Password Generator
What advantages does this program have over pwgen