Re: New DD applications from the team: wiene and sge

2024-05-31 Thread Sven Geuer
Hi Samuel and Team, On Sun, 2024-03-03 at 18:10 +, Samuel Henrique wrote: > Peter Wienemann and Sven Geuer just started their DD application: > https://nm.debian.org/process/1264 > https://nm.debian.org/process/1268 > > They are long time contributors and I'm happy we are having them as DDs.

Re: RFS: HexWalk Request for sponsor

2024-05-26 Thread Carmine
Hi Samuel, Thank you for your time, actually the reviewers on mentors started only a few days ago, it's the first time that I submit a package to debian, so pardon me if I didn't follow all the best practices. I think I have caught your point, as long as the package is going on on mentors it is

Re: RFS: HexWalk Request for sponsor

2024-05-25 Thread Samuel Henrique
Hello Carmine, > Anyway could you simply use the package that I have generated on mentors? Now I understand it better, yes the one on mentors does build, and in your sources you put the packaging under deb-packaging. From a technical standpoint, the package has a few lintian findings that have

Re: RFS: HexWalk Request for sponsor

2024-05-22 Thread carmix
Hi Samuel, I just updated the repo both on git and on mentors with your hints: https://mentors.debian.net/package/hexwalk For packaging I'm using a different method than yours, I use "pdebuild --debbuildopts -sa --debsign-k xx" Effectively I noticed that "debian" folder is not

Re: RFS: HexWalk Request for sponsor

2024-05-21 Thread Samuel Henrique
Hello Carmine, On Tue, 21 May 2024 at 05:41, Carmine wrote: > Thank you for your time, I'll try to fix the issues by myself and will return > to you asap. > The strange thing is that I already generated the package here: > https://mentors.debian.net/package/hexwalk/ > > and I didn't face all

Re: RFS: HexWalk Request for sponsor

2024-05-20 Thread Carmine
Hi Samuel, Thank you for your time, I'll try to fix the issues by myself and will return to you asap. The strange thing is that I already generated the package here: https://mentors.debian.net/package/hexwalk/ and I didn't face all these issues Am I missing something? Thank you again, Carmix

Re: Request to join your team as new member

2024-05-20 Thread Samuel Henrique
Hello Alicherif, On Mon, 20 May 2024 at 14:54, Alicherif Samir wrote: > I'm working on the Wapiti web scanner with a team of motivated people, and we > want to see our work published on the Salsa repositories. That's great, feel free to send an MR against the debian branch, you can skip doing

Re: Request to join as new member

2024-05-20 Thread Samuel Henrique
Hello Simon, On Sat, 11 May 2024 at 10:59, Simon Josefsson wrote: > I'm not up to speed on all the pkg-security tooling, so please review > and fix anything that needs fixing. I feel uncomfortable having a salsa > write permission token in plain text on my laptop, which seemed required > to use

Re: pkg-security-team vs debian namespace

2024-05-20 Thread Samuel Henrique
Hello Simon, On Sat, 11 May 2024 at 11:51, Simon Josefsson wrote: > Following up on the namespace question separately.  To clarify: I'm not > proposing any change.  I'm mostly trying to learn and understand why > some decisions were made and if the rationale still apply. No worries, I think

Re: RFS: HexWalk Request for sponsor

2024-05-20 Thread Samuel Henrique
Hello carmix, I've had some time to review the package today, I didn't review everything in depth so there might be more comments after these changes. 1) d/changelog: unstable distribution I see that you're targeting "stable" in the changelog, but in Debian we do uploads to unstable or

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-05-18 Thread Samuel Henrique
Hello everyone, Just wondering if the Security team could spend some time evaluating my proposal. Feedback from others is always welcomed too, but in order to go ahead I would like to understand where the team stands. Cheers, -- Samuel Henrique

Re: Request to join as new member

2024-05-11 Thread Simon Josefsson
Arnaud Rebillout writes: > On 11/05/2024 16:59, Simon Josefsson wrote: >> I feel uncomfortable having a salsa >> write permission token in plain text on my laptop, which seemed required >> to use some of the suggested tools > > Just passing by. > > What are you referring to, why is a salsa token

Re: Request to join as new member

2024-05-11 Thread Arnaud Rebillout
On 11/05/2024 16:59, Simon Josefsson wrote: I feel uncomfortable having a salsa write permission token in plain text on my laptop, which seemed required to use some of the suggested tools Just passing by. What are you referring to, why is a salsa token required? Often enough, you can store

Re: Request to join as new member

2024-05-11 Thread Simon Josefsson
Thanks for adding me to the pkg-security group! To get started, I have moved libntlm's git repo from the pkg-auth-maintainers group on Salsa to the pkg-security. I did an upload updating debian/control, together with some other fixes. I'm not up to speed on all the pkg-security tooling, so

Re: REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client

2024-05-10 Thread Sven Geuer
Hello Samuel, On Thu, 2024-05-09 at 23:51 +0100, Samuel Henrique wrote: > Hello Sven, > > > Would you do a final review and grant DM rights to me? > > Done, I suggest in the future you try to minimize the amount of > "update > changelog" commits by only running gbp dch once you're about to >

Re: RFS: assetfinder package

2024-05-09 Thread Samuel Henrique
I've sent this to Aquila last month but CC'ed the wrong list, sending it to the right one for tracking purposes now. Hello Aquila, > I have taken the initiative to package assetfinder for Debian, and the > package is > readily accessible in my Salsa repository at >

Re: RFS: paramspider package

2024-05-09 Thread Samuel Henrique
I've sent this to Aquila last month but CC'ed the wrong list, sending it to the right one for tracking purposes now. Hello Aquila, > I have taken the initiative to package paramspider for Debian, and the > package is readily accessible in my Salsa repository at >

Re: RFS: HexWalk Request for sponsor

2024-05-09 Thread Samuel Henrique
Hello carmix, > I didn't receive any response from you on my last mail. I added the > debian material on github. Sorry, I didn't have time to look into this yet, but it's on my todo list. Regards, -- Samuel Henrique

Re: REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client

2024-05-09 Thread Samuel Henrique
Hello Sven, > Would you do a final review and grant DM rights to me? Done, I suggest in the future you try to minimize the amount of "update changelog" commits by only running gbp dch once you're about to upload. This will help considerably reduce the amount of commits (would be half of them for

REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client

2024-05-07 Thread Sven Geuer
Hello Samuel, I hope you find the time to deal with my request below soonish. On Thu, 2024-04-25 at 16:04 +0200, Sven Geuer wrote: > Hello Samuel, > > [...] > > > The vpnc package has been moved to the group recently [1] and I > updated > this repo with the changes from my personal repository

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-04-25 Thread Sven Geuer
Hello Samuel, On Sun, 2024-03-03 at 20:35 +0100, Sven Geuer wrote: > Hello Samuel, > > On Sun, 2024-03-03 at 18:23 +, Samuel Henrique wrote: > > Hello Sven, > > > > > Would you be kind enough to review my work under my personal repo > > > [3]? > > > > > > If everything looks good to you,

Re: golang-github-disintegration-imaging: CVE-2023-36308

2024-04-24 Thread Nilesh Patra
Hi Security team, There's a third party patch for this CVE[2], and at least testing locally with the PoC in[1] seems to mitigate the issue. Do you think this is OK to pick and upload? Maytham Alsudany wrote: > Hi Anthony, > > As you are the uploader for golang-github-disintegration-imaging,

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-22 Thread Samuel Henrique
Hello everyone, I've done some small updates to the proposal, mostly improving readability and making my suggestion more clear. v2 below: I would like to propose something which will lower the amount of reported false-positive CVEs to our users by about 20%. # tl;dr We don't have a unique way

Re: RFS: HexWalk Request for sponsor

2024-04-21 Thread carmix
Hi Samuel, I didn't receive any response from you on my last mail. I added the debian material on github. As for adding also to Salsa I don't have rights to register to your gitlab, anyway if it is enough I would proceed with github. I keep waiting for your indications, Thank you,

Re: Request to join as new member

2024-04-08 Thread Samuel Henrique
Hello Gürkan, > I would like to help out. Read all about me on my wiki.d.o page or > github.com/alexmyczko. > IRC regular user (office hours/europe). I've just noticed you're a DD, so you should get instant approval :). > At the moment I saw radare2 and how outdated it is, thus updated it (but

Re: Request to add tss to security packages

2024-04-08 Thread Samuel Henrique
ned by gbp. 1.3) There should be an "upstream" or "upstream/latest" branch with the upstream code, automatically generated and maintained by gbp, without the debian/folder. There are multiple ways this can be solved, but the simplest one is by re-creating the git repo, with a si

Re: RFS: HexWalk Request for sponsor

2024-04-08 Thread carmix
Hi Samuel, thank you for your response, I just added the debian folder content to the repository on github as you asked. It's the first time for me in packaging for the official debian repository, so I appreciate your help in this task. There is no problem for me to put the project also

Re: RFS: HexWalk Request for sponsor

2024-04-07 Thread Samuel Henrique
Hello carmix, > I would like to have it into Debian and I have started following the guides > so I packaged it on mentors: > > https://mentors.debian.net/package/hexwalk/ > > I made a ITP and a RFS, now I need a sponsor, I saw that in this > team there is ImHex software that is something similar

Re: Request to join as new member

2024-04-07 Thread Samuel Henrique
Hello Simon, I've just realized I forgot to reply to this, sorry about that. On Sat, 16 Dec 2023 at 11:04, Simon Josefsson wrote: > I help maintain a couple of security-related packages in the pkg-auth- > maintainers, pkg-sssd, pkg-xmpp-devel, oath-toolkit-help groups; gsasl, > libntlm,

Re: RFS: paramspider package

2024-04-06 Thread Samuel Henrique
Hello Aquila, > I have taken the initiative to package paramspider for Debian, and the > package is readily accessible in my Salsa repository at > https://salsa.debian.org/aquilamacedo/paramspider > > I would be grateful if you would consider sponsoring the paramspider > package. I am confident

Re: RFS: assetfinder package

2024-04-06 Thread Samuel Henrique
Hello Aquila, > I have taken the initiative to package assetfinder for Debian, and the > package is > readily accessible in my Salsa repository at > https://salsa.debian.org/aquilamacedo/assetfinder I see that the package is currently in NEW by Josenilson. Me and you spoke about this but I'm

Re: RFS: dfdatetime, new upstream release and RC bug fixed

2024-04-06 Thread Samuel Henrique
Hello Sven, > I would be pleased if one of the DDs would review my work and upload > the package to unstable. Uploaded, thank you for contributing! Cheers, -- Samuel Henrique

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-04 Thread Gian Piero Carrubba
* [Wed, Apr 03, 2024 at 11:11:20PM +0100] Samuel Henrique: On the proposed solution I also mention that we can use the "(free text comment)" section to indicate that, while sticking to "not-affected", this would simplify things as no new value is needed. But parsing the cases where only the

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Samuel Henrique
On Wed, 3 Apr 2024 at 17:04, Gian Piero Carrubba wrote: > > * [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique: > ># Alternative solutions: > >If we really want to distinguish the case when we don't produce any affected > >packages but the source contains the vulnerability (a build with

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Gian Piero Carrubba
* [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique: # Alternative solutions: If we really want to distinguish the case when we don't produce any affected packages but the source contains the vulnerability (a build with different flags might result in an affected package), we can create a

Re: xz backdoor prevention and hosts.deny?

2024-04-01 Thread Gian Piero Carrubba
* [Sun, Mar 31, 2024 at 09:28:46PM +] Nick Sal: With respect to debian testing, assume we filter SSH access only to a subnet using the files host.{deny,allow} (see below). Would this prevent the attack if a malicious payload was not sent from the allowed subnet? I've not seen any

Re: Upcoming stable point release (12.6)

2024-03-30 Thread Joerg Jaspert
On 17184 March 1977, Gian Piero Carrubba wrote: Due to recent events, the point release has been postponed. A new date will be announced when possible. Given the centrality of xz, and standing that AFAIK the intricacies of the attack are not yet fully understood, should we expect a complete

Re: Upcoming stable point release (12.6)

2024-03-30 Thread Gian Piero Carrubba
* [Fri, Mar 29, 2024 at 10:24:09PM +] Adam D. Barratt: Due to recent events, the point release has been postponed. A new date will be announced when possible. Given the centrality of xz, and standing that AFAIK the intricacies of the attack are not yet fully understood, should we expect a

Re: Requesting sponsorship for the httprobe package

2024-03-30 Thread Sergio Durigan Junior
Hi Aquila, As promised, here's my review. Please Cc me when replying :-). - lintian is complaining that there's no manual page for the program. As I've recently reviewed some of your packages and I know you do a great job at writing these missing upstream manpages, could you do it for

Re: Upcoming stable point release (12.6)

2024-03-29 Thread Adam D. Barratt
On Fri, 2024-02-16 at 17:35 +, Jonathan Wiltshire wrote: > The next point release for "bookworm" (12.6) is scheduled for > Saturday, April 6th. Processing of new uploads into bookworm- > proposed-updates will be frozen during the preceding weekend. Due to recent events, the point release has

Re: joining the security team

2024-03-20 Thread Gianfranco Costamagna
Hello, I might have added you G. On Monday, 11 March 2024 at 16:57:15 CET, Nilson Silva wrote: Hello team members. I hope you are well! I come through this email to request my membership to the team. My contribution to the team was to bring Kali packages

Re: c-ares, CVE-2023-31147, CVE-2023-31124

2024-03-18 Thread Emilio Pozuelo Monfort
On 23/06/2023 10:21, Moritz Muehlenhoff wrote: But in fact the view in the Debian security is a little misleading, given that it displays "vulnerable" all over the place, e.g. https://security-tracker.debian.org/tracker/CVE-2023-31147 It would be nice if that "unimportant" issues it would

Re: CVE-2023-41105 not fixed in bookworm

2024-03-17 Thread piorunz
On 10/03/2024 21:23, StealthMode Hu wrote: I'm just going to state this and let y'all figure it out. Security Exploits / CVE? Look no matter what OS, or SOFTWARE you run on your electronics hardware. At the end of the day, Electronics has a fatal flaw. And cannot be secured. That flaw has been

Re: Request to add tss to security packages

2024-03-14 Thread Debora Velarde Babb
On Fri, 2023-09-29 at 22:12 +0100, Samuel Henrique wrote: > Hello Debora, Hello. Apologies for my absence on this, I had a personal life-changing event at the end of last year but am now able to focus on this project again. > > > > If you agree, I can create the repo on salsa and give you

Re: CVE-2023-41105 not fixed in bookworm

2024-03-10 Thread StealthMode Hu
I'm just going to state this and let y'all figure it out. Security Exploits / CVE? Look no matter what OS, or SOFTWARE you run on your electronics hardware. At the end of the day, Electronics has a fatal flaw. And cannot be secured. That flaw has been known about since Electronics was invented /

Re: CVE-2023-41105 not fixed in bookworm

2024-03-10 Thread Salvatore Bonaccorso
Hi, On Fri, Mar 01, 2024 at 09:11:34AM +0100, Richard van den Berg wrote: > Dear security team, > > May I ask why CVE-2023-41105 was marked as " (Minor issue)"[1] ? > > As the CVE description says there are plausible cases where this can lead to > security issues. > > There is a backport

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-03-03 Thread Sven Geuer
Hello Carlos, On Sun, 2024-03-03 at 16:10 -0300, Carlos Henrique Lima Melara wrote: > Hi, > > On Sun, Mar 03, 2024 at 06:23:55PM +, Samuel Henrique wrote: > > Hello Sven, > > > > > Would you be kind enough to review my work under my personal repo > > > [3]? > > > > > > If everything looks

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-03-03 Thread Sven Geuer
Hello Samuel, On Sun, 2024-03-03 at 18:23 +, Samuel Henrique wrote: > Hello Sven, > > > Would you be kind enough to review my work under my personal repo > > [3]? > > > > If everything looks good to you, would you state you're agreeing to > > moving the repository from the Debian group to

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-03-03 Thread Carlos Henrique Lima Melara
Hi, On Sun, Mar 03, 2024 at 06:23:55PM +, Samuel Henrique wrote: > Hello Sven, > > > Would you be kind enough to review my work under my personal repo [3]? > > > > If everything looks good to you, would you state you're agreeing to > > moving the repository from the Debian group to the

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-03-03 Thread Samuel Henrique
Hello Sven, > Would you be kind enough to review my work under my personal repo [3]? > > If everything looks good to you, would you state you're agreeing to > moving the repository from the Debian group to the Debian Security > Tools Packaging Team? I would raise a ticket with the Salsa Team

Re: vulnerable libgit2 in unstable

2024-02-29 Thread Salvatore Bonaccorso
Hi, On Fri, Feb 23, 2024 at 02:51:34AM +0100, Christoph Anton Mitterer wrote: > Hey there. > > I've just noted that: > > https://security-tracker.debian.org/tracker/source-package/libgit2 > > lists CVE-2024-24577 as fixed for unstable (and CVE-2024-24575 is only > listed in the resolved list).

Re: ccrypt updated, review and upload needed

2024-02-29 Thread Arnaud Rebillout
On 29/02/2024 6:13 pm, Sven Geuer wrote: On Thu, 2024-02-29 at 08:37 +0700, Arnaud Rebillout wrote: -t, --trailing-comma: Add a trailing comma at the end of the sorted fields.  This minimizes future differences in the VCS commits when additional dependencies are appended or removed.

Re: ccrypt updated, review and upload needed

2024-02-29 Thread Sven Geuer
Hello Arnaud, On Thu, 2024-02-29 at 08:37 +0700, Arnaud Rebillout wrote: > Hello Sven, > > Regarding your commit "Apply 'wrap-and-sort -a' to d/control": did > you > consider using the option -t of wrap-and-sort as well? From the man > page: > > -t, --trailing-comma: Add a trailing comma

Re: ccrypt updated, review and upload needed

2024-02-28 Thread Arnaud Rebillout
Hello Sven, On 29/02/2024 6:13 am, Sven Geuer wrote: Hello Team, I have been working on the ccrypt package [1] and pushed the result to salsa, the CI pipeline was processed without any complaint. I would be pleased if one of the DDs would review my work and upload the package to unstable.

Re: ITA: vpnc -- Cisco-compatible VPN client

2024-02-22 Thread Sven Geuer
Hi Samuel, On Wed, 07 Feb 2024 15:23:16 +0100 Sven Geuer wrote: > [...] > > I forked the vpnc package from the Debian group [1] to my personal > projects [2] and started to work on it. > > In the end I would like to maintain the package under the umbrella of > the Debian Security Tools

Re: Upcoming oldstable point release (11.9)

2024-02-10 Thread Adam D. Barratt
On Wed, 2024-01-24 at 18:21 +, Adam D. Barratt wrote: > Hi, > > The next point release for "bullseye" (11.9) is scheduled for > Saturday, > February 10th. Processing of new uploads into bullseye-proposed- > updates > will be frozen during the preceding weekend. The archive side of the point

Re: Upcoming stable point release (12.5)

2024-02-10 Thread Adam D. Barratt
On Wed, 2024-01-24 at 18:20 +, Adam D. Barratt wrote: > Hi, > > The next point release for "bookworm" (12.5) is scheduled for > Saturday, > February 10th. Processing of new uploads into bookworm-proposed- > updates > will be frozen during the preceding weekend. The archive side of the point

Re: "Leaky Vessels" CVEs affecting debian packages (incorrect NOT-FOR-US tag)

2024-02-07 Thread Salvatore Bonaccorso
Hi Will, On Wed, Feb 07, 2024 at 04:34:11PM +, Will Sewell wrote: > Hello, > > Your security tracker claims that the CVEs related to "Leaky Vessels" ( > https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) > are NOT-FOR-US: > > -

Re: bullseye (security) represents old version on security-tracker.d.o

2024-01-09 Thread Kentaro Hayashi
Hi, I've misunderstood the intent of that security-tracker.d.o. Your explanation makes me understand. Thanks! Tue, 9 Jan 2024 23:41 Moritz Muehlenhoff: > > Hi Kentaro, > > > I've found a bit strange status about some tracked issue > > on security-tracker.debian.org. > > > > 1. CVE-2023-36054 krb5 >

Re: bullseye (security) represents old version on security-tracker.d.o

2024-01-09 Thread Moritz Muehlenhoff
Hi Kentaro, > I've found a bit strange status about some tracked issue > on security-tracker.debian.org. > > 1. CVE-2023-36054 krb5 > https://security-tracker.debian.org/tracker/CVE-2023-36054 > > it shows like: > > bullseye 1.18.3-6+deb11u4 fixed > bullseye (security) 1.18.3-6+deb11u3

Re: Two bug fixes for ncrack

2024-01-07 Thread Peter Wienemann
Dear Sven, On 2024-01-06 10:58:41 +0100, Sven Geuer wrote: On Fri, 2024-01-05 at 20:59 +, Peter Wienemann wrote: The suggested fix for #1048666 works but it is not particularly nice. If someone knows a smarter way how to address this issue, I am eager to learn about it. Instead of

Re: Two bug fixes for ncrack

2024-01-06 Thread Sven Geuer
Hi again, On Sat, 2024-01-06 at 10:58 +0100, Sven Geuer wrote: > Hi Peter, > > On Fri, 2024-01-05 at 20:59 +, Peter Wienemann wrote: > > Dear security tools packaging team, > > > > I pushed two commits to the ncrack repository [0] fixing two bugs: > > > > https://bugs.debian.org/1058286 >

Re: Two bug fixes for ncrack

2024-01-06 Thread Sven Geuer
Hi Peter, On Fri, 2024-01-05 at 20:59 +, Peter Wienemann wrote: > Dear security tools packaging team, > > I pushed two commits to the ncrack repository [0] fixing two bugs: > > https://bugs.debian.org/1058286 > https://bugs.debian.org/1048666 > > #1058286 is an RC bug. The suggested fix

Re: new redirects for www.d.o/security and www.d.o/lts/security

2024-01-05 Thread Salvatore Bonaccorso
Hi Thomas, On Fri, Jan 05, 2024 at 12:06:58AM +0100, Thomas Lange wrote: > Hi all, > > we now redirect all DSA/DLA URLs under security and lts/security with > or without having the year in the path and with or without a version > to their announcement mail: > Examples: > /security/dsa-5576 >

Re: Causa Radare2 / Cutter / Rizin

2024-01-04 Thread Arnaud Rebillout
Hello, On 02/01/2024 16:39, Robert Haist wrote: Hi team, As I initially introduced the radare2-cutter package into Debian I would like to bring up the proposal to remove it. The upstream situation around the two projects and their front-ends is still flaky and I don't see any value to keep

SOP migration (was Re: Reaction to potential PGP schism)

2024-01-03 Thread Guillem Jover
Hi! Daniel thanks for all your work on the OpenPGP working group, and on SOP! :) On Wed, 2023-12-20 at 22:16:28 -0500, Daniel Kahn Gillmor wrote: > # What Can Debian Do About This? > > I've attempted to chart one possible path out of part of this situation > by proposing a minimized, simplified

Re: TEMP-1059163-BDCC5F is inaccurate

2023-12-21 Thread Salvatore Bonaccorso
Hi, On Thu, Dec 21, 2023 at 05:28:51PM +0100, Ingo Brückl wrote: > Hi, > > neither buster nor buster (security) is affected by bug #1059163. > > Thanks to debian/patches/CVE-2015-1197.patch, Debian cpio 2.12 isn't > vulnerable. Thanks, I have adjusted the security-tracker entry. Regards,

Re: Reaction to potential PGP schism

2023-12-21 Thread Cyril Brulebois
Hi Daniel, Quick backstory: I stayed away from hardware crypto for a long while since there were so many incompatibilities, partial support, or side patches to get basic things to work. Over time, it seems it got to a point where it's mainstream enough that you can buy a Yubikey without much of a

Re: Reaction to potential PGP schism

2023-12-21 Thread Daniel Kahn Gillmor
Hi Gioele-- On Thu 2023-12-21 11:02:06 +0100, Gioele Barabucci wrote: > On 21/12/23 04:16, Daniel Kahn Gillmor wrote: > As the Uploader of rust-sequoia-openpgp, what do you think of the > related sequoia-chameleon-gnupg project [1] (drop-in replacement for gpg > that uses sequoia internally)? >

Re: Reaction to potential PGP schism

2023-12-21 Thread Stephan Verbücheln
Interesting point in this talk: The APT team is already working on non- PGP signatures. https://wiki.debian.org/Teams/Apt/Spec/AptSign I can see the advantages of that for release signatures which use a rarely changing set of keys. However, I do not see any good alternative for PGP for personal

Re: Reaction to potential PGP schism

2023-12-21 Thread Enrico Zini
On Wed, Dec 20, 2023 at 10:16:28PM -0500, Daniel Kahn Gillmor wrote: > # Why is GnuPG on Debian's Critical Path? > > In 2023, I believe GnuPG is baked into our infrastructure largely due to > that project's idiosyncratic interface. It is challenging even for a > sophisticated engineer to figure

Re: Reaction to potential PGP schism

2023-12-21 Thread Gioele Barabucci
On 21/12/23 04:16, Daniel Kahn Gillmor wrote: # What Can Debian Do About This? I've attempted to chart one possible path out of part of this situation by proposing a minimized, simplified interface to some common baseline OpenPGP semantics -- in particular, the "Stateless OpenPGP" interface, or

Re: Reaction to potential PGP schism

2023-12-21 Thread Meso Security
Thank you very much for your explanation On Thu, Dec 21, 2023 at 2:13 AM, Christoph Biedl wrote: Daniel Kahn Gillmor wrote... (...) Thanks for your exhaustive description. I'd just like to point out one point: > In practice, i think it makes the most sense to

Re: Reaction to potential PGP schism

2023-12-21 Thread Christoph Biedl
Daniel Kahn Gillmor wrote... (...) Thanks for your exhaustive description. I'd just like to point out one point: > In practice, i think it makes the most sense to engage with > well-documented, community-reviewed, interoperably-tested standards, and > the implementations that try to follow

Re: Reaction to potential PGP schism

2023-12-20 Thread Daniel Kahn Gillmor
hey folks-- [ This message won't make sense unless the reader distinguishes clearly between OpenPGP the protocol and GnuPG the implementation! As a community we have a history of fuzzily conflating the two terms, which is one of the reasons that we're in this mess today. Please read

Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

2023-12-19 Thread 陳昌倬
On Tue, Dec 19, 2023 at 05:13:34PM +0100, Sylvain Beucler wrote: > On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote: > > I am jq maintainer, and right now CVE-2023-49355 is listed in security > > tracker [0]. However, this CVE is equal to CVE-2023-50246 according to > > upstream [1], which has been

Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

2023-12-19 Thread Sylvain Beucler
Hi, On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote: I am jq maintainer, and right now CVE-2023-49355 is listed in security tracker [0]. However, this CVE is equal to CVE-2023-50246 according to upstream [1], which has been fixed in 1.7.1-1 [2]. In this case, how should I handle

Re: Reaction to potential PGP schism

2023-12-14 Thread Joerg Jaspert
On 17077 March 1977, Stephan Verbücheln wrote: How can Debian deal with this? Should Debian intervene to prevent the worst? We, as Debian, look and wait what comes out. And then *MAY* at some point decide to add (or switch to) a new thing, if that appears better. Also, it will be a high bar

Re: Reaction to potential PGP schism

2023-12-14 Thread Pierre-Elliott Bécue
Hi, Personal view here. Stephan Verbücheln wrote on 14/12/2023 at 11:29:17+0100: > [[PGP Signed Part:No public key for 603542590A3C7C62 created at > 2023-12-14T11:29:17+0100 using EDDSA]] > Hello everyone > > As you probably know, Debian relies heavily on GnuPG for various > purposes,

Re: [arm64] secure boot breach via VFIO_NOIOMMU

2023-12-14 Thread Steve McIntyre
On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote: >Hi, > >On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote: >> Hi >> >> Over six years ago, support for VFIO without IOMMU was enabled for >> arm64. This is a breach of the integrity lockdown requirement of secure

Re: [arm64] secure boot breach via VFIO_NOIOMMU

2023-12-14 Thread Salvatore Bonaccorso
Hi, On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote: > Hi > > Over six years ago, support for VFIO without IOMMU was enabled for > arm64. This is a breach of the integrity lockdown requirement of secure > boot. > > VFIO is a framework for handle devices in userspace. To make >

Re: Upcoming stable point release (12.3)

2023-12-09 Thread Adam D. Barratt
On Sun, 2023-11-12 at 17:46 +, Adam D. Barratt wrote: > The next point release for "bookworm" (12.3) is scheduled for > Saturday, > December 9th. Processing of new uploads into bookworm-proposed- > updates > will be frozen during the preceding weekend. The archive side of the point release

Re: Update request for CVE-2023-5561 (WordPress)

2023-11-09 Thread Salvatore Bonaccorso
Hello, On Thu, Nov 09, 2023 at 09:09:47AM +0100, Christian Fischer wrote: > Hello, > > i would like to request an update of the status for the following CVE: > > https://security-tracker.debian.org/tracker/CVE-2023-5561 > > Currently it has: > > > NOT-FOR-US: WordPress plugin > > which was

Processed: Re: Bug#1053702: NIST data feed to be retired in December 2023

2023-11-02 Thread Debian Bug Tracking System
Processing control commands: > tags -1 + confirmed Bug #1053702 [security-tracker] NIST data feed to be retired in December 2023 Added tag(s) confirmed. -- 1053702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053702 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-30 Thread Sven Geuer
Hello Samuel, On Sun, 2023-10-29 at 18:05 +, Samuel Henrique wrote: > $ dcut dm --uid "Sven Geuer" --allow argon2 > Uploading commands file to ftp.upload.debian.org (incoming: > /pub/UploadQueue/) > Picking DM Sven Geuer with fingerprint > 3DF5E8AA43FC9FDFD086F195ADF50EDAF8ADD585 > Uploading

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-29 Thread Samuel Henrique
Hello Sven, > Can you please review my work [1]? If it is sound, would you mind > granting me DM rights for the package? The changes are all looking good, I appreciate the attention to detail and I can see you have put a lot of effort into it. $ dcut dm --uid "Sven Geuer" --allow argon2

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-27 Thread Sven Geuer
Hello Samuel, On Fri, 2023-10-27 at 01:00 +0100, Samuel Henrique wrote: > From Sven: > > To comply with DEP-14, I just created the branch debian/latest and > > intend to drop the branch debian/sid eventually. > > Can you please set debian/latest to 'default' and 'protected'? I > > don't > > have

Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

2023-10-27 Thread Adrian Bunk
On Fri, Oct 27, 2023 at 10:55:48AM +0200, Bastian Blank wrote: > On Fri, Oct 27, 2023 at 08:43:46AM +0200, Julian Andres Klode wrote: > > > > ## Image packages contains more version info > > > > > > > > Example: linux-image-6.5.3-cloud-arm64 > > > > > > > It will no longer be possible to

Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

2023-10-27 Thread Bastian Blank
On Fri, Oct 27, 2023 at 08:43:46AM +0200, Julian Andres Klode wrote: > > > ## Image packages contains more version info > > > > > > Example: linux-image-6.5.3-cloud-arm64 > > > > > It will no longer be possible to reliably derive the package name from > > > kernel release (see above), as both

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-27 Thread Sven Geuer
Hello Samuel and Peter, On Fri, 2023-10-27 at 01:00 +0100, Samuel Henrique wrote: > From Sven: > > To comply with DEP-14, I just created the branch debian/latest and > > intend to drop the branch debian/sid eventually. > > Can you please set debian/latest to 'default' and 'protected'? I don't > >

Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

2023-10-27 Thread Julian Andres Klode
OK, it seems my original email got lost somewhere in tech hiccups, it's possible the kernel crashed before sending the email, AMD just crashes once or twice a day. So I'm writing this email a bit in a hurry, so it's not quite as thought out as the last one weeks ago, but yesterday's email was

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-26 Thread Samuel Henrique
Hello Peter and Sven, From Sven: > To comply with DEP-14, I just created the branch debian/latest and > intend to drop the branch debian/sid eventually. > Can you please set debian/latest to 'default' and 'protected'? I don't > have the rights to do this. Awesome, I've done these changes and

Re: Upcoming changes to Debian Linux kernel packages

2023-10-26 Thread Bastian Blank
On Thu, Oct 05, 2023 at 07:59:54AM -0600, Sam Hartman wrote: > I think that's what you mean by the first-level error. > If not, I'm still confused. > In the second level error case you are talking about is: No, the first level is always: but the new kernel does not work. The second is: I need to

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-24 Thread Peter Wienemann
Hi Sven, On 24.10.23 01:13, Sven Geuer wrote: Thanks for pointing this out. However, I am unsure if lintian would still complain in regards to argon2 (and also dnstwist) as the package is not a new one anymore. The explanation in [1] clearly states This package appears to be the first

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
Hello Peter, On Mon, 2023-10-23 at 17:26 +, Peter Wienemann wrote: > Dear Sven, > > On 23.10.23 17:19, Sven Geuer wrote: > > I would prefer to remove the 0~ prefix from the package version, > > resulting in an upcoming version of 20190702+dfsg-4 instead of > > 0~20190702+dfsg-4. This would

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Peter Wienemann
Dear Sven, On 23.10.23 17:19, Sven Geuer wrote: I would prefer to remove the 0~ prefix from the package version, resulting in an upcoming version of 20190702+dfsg-4 instead of 0~20190702+dfsg-4. This would align the version in Debian to other distros, see [1] for details. Are there arguments

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
One more thing... I would prefer to remove the 0~ prefix from the package version, resulting in an upcoming version of 20190702+dfsg-4 instead of 0~20190702+dfsg-4. This would align the version in Debian to other distros, see [1] for details. Are there arguments to not change the versioning in

Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
Hi Samuel, may I ping you about my request below? On Mon, 2023-10-16 at 11:08 +0200, Sven Geuer wrote: > Hello Samuel, > > On Fri, 2023-10-13 at 13:37 +0200, Sven Geuer wrote: > > [...] > > I am fine with the salsa admins moving the package. Here's the > > issue > > I logged: > >

Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

2023-10-20 Thread Bastian Blank
> > kernel release (see above), as both values are not really related > > anymore. > What should work: We define a new control field. It contains both the > kernel name and a version prefix. Or would it be easier to re-use normal dependency resolving, like: Kernel-Provides: linux (>

Re: Follow-up update for src:aom / CVE-2023-39616

2023-10-17 Thread Moritz Mühlenhoff
On Sat, Oct 14, 2023 at 07:33:36PM -0400, Boyuan Yang wrote: > Dear Team, > > Just a friendly reminder that CVE-2023-39616 was fixed in Trixie > and Sid, and that https://security-tracker.debian.org/tracker/CVE-2023-39616 > should be updated accordingly. I mentioned it in the package changelog
