The following Fedora EPEL 6 Security updates need testing:
Age  URL
594  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
108  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11274/ssmtp-2.61-21.el6
50
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: Ralf Corsepius
Would you mind explaining why you guys are putting such an emphasis on
-Wformat-security?
Some possible ways how to look at it:
* because when all reported packages are patched, it would remove one
whole class of
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negligible in comparison to these and you
are making way too much noise about it than it deserves.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
Yeah, a vulnerability - So what?
I'd guess the
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore processing.
There is a bugzilla bug requesting this change:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: Ralf Corsepius
Would you mind explaining why you guys are putting such an emphasis on
-Wformat-security?
Some possible ways how to look at it:
* because when all reported
Am 06.12.2013 11:30, schrieb Adam Williamson:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: Ralf Corsepius
Would you mind explaining why you guys are putting such an emphasis on
-Wformat-security?
Some possible ways how to
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore processing.
There is a bugzilla bug requesting this
Compose started at Fri Dec 6 07:15:02 UTC 2013
Broken deps for armhfp
--
[avro]
avro-mapred-1.7.5-1.fc20.noarch requires hadoop-mapreduce
avro-mapred-1.7.5-1.fc20.noarch requires hadoop-client
[blueman]
On 12/06/13 at 11:57am, Reindl Harald wrote:
but what is the plan if this does not work out for an unknown number
of packages because upstream is not willing or able to fix it or
only in a later release giving that the package is not buildable
at all
Contingency mechanism: Revert changes to
On 12/06/2013 11:30 AM, Adam Williamson wrote:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: Ralf Corsepius
Would you mind explaining why you guys are putting such an emphasis on
-Wformat-security?
Some possible ways how to
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has agreed to
it at install time.
+1
My mother would be puzzled, if ABRT would popup on her Fedora box.
--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno,
On 12/06/2013 12:25 PM, Brendan Jones wrote:
On 12/06/2013 11:30 AM, Adam Williamson wrote:
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
From: Ralf Corsepius
Would you mind explaining why you guys are putting such an
emphasis on
On 12/04/13 at 07:10pm, Brendan Jones wrote:
This is just a pain. Can someone explain to me why this is good?
Original Message
Subject: [Bug 1037125] hydrogen FTBFS if -Werror=format-security flag is
https://bugzilla.redhat.com/show_bug.cgi?id=1037125
Hi Brendan,
Can you
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
On 12/04/13 at 07:10pm, Brendan Jones wrote:
This is just a pain. Can someone explain to me why this is good?
Original Message
Subject: [Bug 1037125] hydrogen FTBFS if -Werror=format-security flag is
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
Can you *really* pass a QByteArray object directly to printf (and similar
functions)?
Yes, as the format string argument, because the user-defined conversion
comparison operator to const char * kicks in.
--
Florian Weimer / Red Hat Product
On 12/06/2013 01:26 PM, Florian Weimer wrote:
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
Can you *really* pass a QByteArray object directly to printf (and similar
functions)?
Yes, as the format string argument, because the user-defined conversion
comparison operator to const char * kicks
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has
agreed to it at install time.
+1
My mother would be puzzled, if ABRT would popup on her Fedora box.
Your mother will be
On Pá 6. prosinec 2013, 12:39:09 CET, Miroslav Suchý wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has
agreed to it at install time.
I think abrt serves as good source of info in case of unexpected
crashes,
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected crashes, which
is quite important to have stable
system. So although being puzzled is not very nice, being disappointed by
crashing applications is much worse from my
point of view.
On 12/06/2013 12:51 PM, Vít Ondruch wrote:
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has
agreed to it at install time.
+1
My mother would be puzzled, if ABRT would
On 12/05/2013 08:27 PM, Kevin Kofler wrote:
The vast majority of those warnings are actually false positives, not actual
security issues. Putting my upstream hat on, if asked to fix such a false
positive, I'd do one of:
(a) close the bug as INVALID/NOTABUG/WONTFIX or
(b) hardcode
On 12/06/2013 01:05 PM, Miroslav Suchý wrote:
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not very nice, being
disappointed by crashing
On 12/06/2013 02:06 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 12:51 PM, Vít Ondruch wrote:
Dne 6.12.2013 12:39, Miroslav Suchý napsal(a):
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has
agreed to it at install
On 12/06/2013 10:43 AM, Reindl Harald wrote:
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negligible in comparison to these and you
are making way too much noise about it than it deserves.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore
On 12/06/2013 02:08 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 01:05 PM, Miroslav Suchý wrote:
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled
Dne 6.12.2013 14:05, Miroslav Suchý napsal(a):
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not very nice, being
disappointed by crashing
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
So try to look at it from broader perspective - I see more benefits in
having abrt installed.
Such as confidential business information being forwarded to RedHat and
being snooped by the NSA to forward it to your enterprise's competitor?
You
On 12/06/2013 01:14 PM, Vít Ondruch wrote:
Dne 6.12.2013 14:05, Miroslav Suchý napsal(a):
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected
crashes, which is quite important to have stable
system. So although being puzzled is not
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps group
On Fri, Dec 06, 2013 at 01:06:14PM +, Jóhann B. Guðmundsson wrote:
My mother would be puzzled, if ABRT would popup on her Fedora box.
Your mother will be puzzled with crashing application as well.
Better to explain ABRT and have less crashing applications than
the opposite.
ABRT does
On 12/06/2013 01:47 PM, Lukas Zapletal wrote:
We all do fix the application for his mother, after it's reported by
ABRT or any other means:-)
No not really our distribution is filled with just packagers that don't
know what to do with those reports...
ABRT should not be installed by default
Am 06.12.2013 14:08, schrieb Ralf Corsepius:
On 12/06/2013 10:43 AM, Reindl Harald wrote:
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negligible in comparison to these and you
are making way too much noise about it than it deserves.
On 12/06/2013 02:07 PM, Przemek Klosowski wrote:
On 12/05/2013 08:27 PM, Kevin Kofler wrote:
The vast majority of those warnings are actually false positives, not actual
security issues. Putting my upstream hat on, if asked to fix such a false
positive, I'd do one of:
(a) close the bug as
On 12/06/2013 02:34 PM, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
On 12/06/2013 02:10 PM, Ralf Corsepius wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
On 12/06/2013 09:56 AM, Jakub Filak wrote:
Hello,
I'd like to add abrt-cli package to the comps
On 06.12.2013 14:51, Jóhann B. Guðmundsson wrote:
On 12/06/2013 01:47 PM, Lukas Zapletal wrote:
We all do fix the application for his mother, after it's reported by
ABRT or any other means:-)
No not really our distribution is filled with just packagers that don't
know what to do with those
On 12/06/2013 02:57 PM, Reindl Harald wrote:
Am 06.12.2013 14:08, schrieb Ralf Corsepius:
On 12/06/2013 10:43 AM, Reindl Harald wrote:
Am 06.12.2013 10:37, schrieb Ralf Corsepius:
IMO, -Wformat-security is almost negligible in comparison to these and you
are making way too much noise about it
On 12/06/2013 02:45 PM, Michal Toman wrote:
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
ABRT does not send *any* information unless you agree to do it. Not even
the anonymous reports. It is true that the settings could be in Anaconda
and I think
https://bugzilla.redhat.com/show_bug.cgi?id=1018330
--- Comment #1 from Iain Arnell iarn...@gmail.com ---
Unfortunately, I don't have time any more - please feel free to request branch
and maintain yourself.
--
You are receiving this mail because:
You are on the CC list for the bug.
On 12/06/2013 04:07 PM, Ralf Corsepius wrote:
On 12/06/2013 02:45 PM, Michal Toman wrote:
On 06.12.2013 14:34, Ralf Corsepius wrote:
On 12/06/2013 02:14 PM, Jiri Moskovcak wrote:
ABRT does not send *any* information unless you agree to do it. Not even
the anonymous reports. It is true that
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
On 12/06/13 at 11:57am, Reindl Harald wrote:
but what is the plan if this does not work out for an unknown number
of packages because upstream is not willing or able to fix it or
only in a later release giving that the package is not buildable
at all
Main topic we covered today was the janitorial work for Base related
packages to do a build requires cleanup in the coming months.
I'll be sending out a separate email about that on Monday to explain the
ins and outs and hopefully with a bit more info/queries/statistics about
the whole idea.
On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
QString line;
line.fill( '-', 60 );
qDebug( line.ascii() );
As you can see, the format string being passed here is provably constant.
So fix the compiler.
- ajax
--
devel mailing list
devel@lists.fedoraproject.org
Greetings.
systemd-208-9.fc20 was pushed into the base fedora 20 repos last night
(as it fixed a blocker bug for the upcoming release).
However, it was not signed properly, so Fedora 20 prerelease users
will see an error about the package not being signed.
This has already been corrected and
Petr Pisar wrote:
On 2013-12-04, Kevin Kofler kevin.kof...@chello.at wrote:
Petr Pisar wrote:
[snip] and GPLv2 and GPLv3+.
Huh? WTF is upstream smoking there?
Upstream releases a tar ball bundling a lot of subprojects. Thus the
complicated license. I do a licence review each new release
On Mon, Dec 2, 2013 at 8:33 AM, Petr Vobornik pvobo...@redhat.com wrote:
This solution is much nicer and can be used by other font packages as well.
Here's the new package: https://bugzilla.redhat.com/show_bug.cgi?id=1036754
Very awesome, thanks! I'll sponsor you and review. :-)
Luckily, I
Ralf Corsepius wrote:
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
There is still plenty of time left before this flag is even enabled in
rawhide configuration by default.
IMO, this plan has failed - period.
+1
Kevin Kofler
PS:
Przemek Klosowski wrote:
| __attribute__((__format__(__printf, 1, 2)));
is also compiler-specific, which some upstreams also won't like. Of course,
it can be #ifdef-wrapped, but many upstreams try to avoid #ifdef as much as
possible.
Kevin Kofler
Przemek Klosowski wrote:
Given that pretty much all those cases can be solved by either %s or
| __attribute__((__format__(__printf, 1, 2)));
pretty much all maybe, but not all!
See e.g. the examples I have given in the FESCo ticket:
* a printf wrapper for logging which adds a timestamp in
On Fri, Dec 6, 2013 at 10:56 AM, Jakub Filak jfi...@redhat.com wrote:
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions, Kernel oopses and VMCore processing.
If -cli means no GUI,
Adam Jackson wrote:
On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
QString line;
line.fill( '-', 60 );
qDebug( line.ascii() );
As you can see, the format string being passed here is provably constant.
So fix the compiler.
I don't think GCC will ever be able to
Ben Boeckel wrote:
Use the printf attribute on the function to fix this.
That doesn't work if I have to prepend a date to my format string.
Kevin Kofler
mrnuke (mr.nuke...@gmail.com) said:
Because packagers will just ignore it [...]
I think this is a childish argument, but let's take it. So what? You're
going to start stepping on people's lawns and change things just because
you want to impose your greater good?
Wow, nice mixed metaphor.
On Fri, Dec 6, 2013 at 4:50 PM, Ralf Corsepius rc040...@freenet.de wrote:
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
On 12/06/13 at 11:57am, Reindl Harald wrote:
but what is the plan if this does not work out for an unknown number
of packages because upstream is not willing or able to fix it
Miroslav Suchý (msu...@redhat.com) said:
On 12/06/2013 01:59 PM, Václav Pavlín wrote:
I think abrt serves as good source of info in case of unexpected crashes,
which is quite important to have stable
system. So although being puzzled is not very nice, being disappointed by
crashing
On Fri, Dec 06, 2013 at 07:57:04PM +0100, Kevin Kofler wrote:
Ralf Corsepius wrote:
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
There is still plenty of time left before this flag is even enabled in
rawhide configuration by default.
IMO, this plan has failed - period.
+1
In the
On Fri, Dec 6, 2013 at 8:02 PM, Kevin Kofler kevin.kof...@chello.at wrote:
See e.g. the examples I have given in the FESCo ticket:
* a printf wrapper for logging which adds a timestamp in front of the
format string, e.g.
log("processed %d items", foo);
which would be printed as
On Fri, Dec 06, 2013 at 08:02:06PM +0100, Kevin Kofler wrote:
* translatable format strings, e.g.
printf(translate("processed %d items"), foo);
Translatable strings are handled just fine.
Try e.g.:
extern int my_printf (void *my_object, const char *my_format, ...)
__attribute__ ((format
On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
Michael scherer wrote:
Let's rather ask the contrary, why is this so much an issue to communicate
with upstream to fix things, and add patches ?
The vast majority of those warnings are actually false positives, not actual
On Fri, 2013-12-06 at 16:07 +0100, Ralf Corsepius wrote:
This approach has been
working perfectly for many years and I don't think much has changed in
that area lately.
There were reports of abrt sending out private and confidential
information to the net and reports of abrt sending
On Fri, 2013-12-06 at 12:39 +0100, Miroslav Suchý wrote:
On 12/06/2013 12:14 PM, Jóhann B. Guðmundsson wrote:
I would say that abrt should not be installed at all unless user has agreed
to it at install time.
+1
My mother would be puzzled, if ABRT would popup on her Fedora box.
That's
On Fri, 2013-12-06 at 13:18 +, Jóhann B. Guðmundsson wrote:
And what purpose does abrt serve if there aren't people fixing the issue
it reports on the other end...
Well, that's easy enough to shoot down.
On Fri, 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
Michael scherer wrote:
Let's rather ask the contrary, why is this so much an issue to communicate
with upstream to fix things, and add patches ?
The vast majority
On Fri, Dec 06, 2013 at 12:08:22PM -0800, Adam Williamson wrote:
On Fri, 2013-12-06 at 13:18 +, Jóhann B. Guðmundsson wrote:
And what purpose does abrt serve if there aren't people fixing the issue
it reports on the other end...
Well, that's easy enough to shoot down.
On Fri, 2013-12-06 at 20:06 +0100, Miloslav Trmač wrote:
On Fri, Dec 6, 2013 at 10:56 AM, Jakub Filak jfi...@redhat.com wrote:
I'd like to add abrt-cli package to the comps group 'standard'.
The package pulls core ABRT functionality for catching C/C++ crashes,
uncaught Python exceptions,
On Thu, Dec 05, 2013 at 07:40:36PM -0600, mrnuke wrote:
On 12/05/2013 11:38 AM, Michael scherer wrote:
On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
This change is Sofa King stupid. Why couldn't we have just enabled the
warning without turning it into an error, THEN let
On Fri, 2013-12-06 at 13:51 +, Jóhann B. Guðmundsson wrote:
No not really our distribution is filled with just packagers that
don't
know what to do with those reports...
So you're saying: Our maintainers can't fix bugs, why bother filing
them at all?? That doesn't make sense to me at all.
Am 06.12.2013 15:59, schrieb Ralf Corsepius:
On 12/06/2013 02:57 PM, Reindl Harald wrote:
if arbitrary users are allowed to call CLI applications from a webserver
?!? Calling cli-tools underneath of webservices is the norm on many
webservers. Often these calls are wrapped into
scripting
fre 2013-12-06 klockan 15:06 -0500 skrev Darryl L. Pierce:
On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
Michael scherer wrote:
Let's rather ask the contrary, why is this so much an issue to communicate
with upstream to fix things, and add patches ?
The vast majority
On 12/07/2013 03:39 AM, Reindl Harald wrote:
Am 06.12.2013 15:59, schrieb Ralf Corsepius:
On 12/06/2013 02:57 PM, Reindl Harald wrote:
if arbitrary users are allowed to call CLI applications from a webserver
?!? Calling cli-tools underneath of webservices is the norm on many webservers.
perl-Language-Expr has broken dependencies in the F-20 tree:
On x86_64:
perl-Language-Expr-0.19-4.fc19.noarch requires
perl(:MODULE_COMPAT_5.16.2)
On i386:
perl-Language-Expr-0.19-4.fc19.noarch requires
perl(:MODULE_COMPAT_5.16.2)
On armhfp:
perl-Language-Expr has broken dependencies in the rawhide tree:
On x86_64:
perl-Language-Expr-0.19-4.fc19.noarch requires
perl(:MODULE_COMPAT_5.16.2)
On i386:
perl-Language-Expr-0.19-4.fc19.noarch requires
perl(:MODULE_COMPAT_5.16.2)
On armhfp:
commit a16de53dba34ad8e145c3ac22acf8153b6852861
Author: Paul Howarth p...@city-fan.org
Date: Fri Dec 6 14:05:04 2013 +
Fix usage of OBJ_cmp in the test suite (CPAN RT#91215)
Net-SSLeay-1.55-OBJ_cmp.patch | 12
perl-Net-SSLeay.spec |9 -
2 files
The lightweight tag 'perl-Net-SSLeay-1.55-6.fc21' was created pointing to:
a16de53... Fix usage of OBJ_cmp in the test suite (CPAN RT#91215)
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://bugzilla.redhat.com/show_bug.cgi?id=1000318
--- Comment #1 from Iain Arnell iarn...@gmail.com ---
Sorry for the delay. I don't have time to maintain more packages in EPEL at the
minute. Please feel free to branch and maintain it yourself.