[gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
Hello.

Anatoly raised a really important concern and currently I've started to think about a fix. One possible solution requires virtual/editor to suit glep 37 and thus affects many packages. So... wondering why this change was not done I'd like to discuss the problem on the list.

Problem: There are programs (fcrontab, visudo, vipw etc.) which require a default editor to work. To select the editor they use these two steps:

1.) take editor name from environment (EDITOR or VISUAL vars)
2.) if there is no editor, use the compiled-in default defined at build time

The problem is that both methods suck in some special situations which, of course, happen in Gentoo with its extreme configurability. Currently it is impossible to specify a build time dependency reliably for virtual/editor: most packages use either nano or vi (either through a ./configure option or a #define in the sources) but on a system without nano or vi such a package either does not emerge [1,2] or fails to work [3,4] (yes... if EDITOR is not set). But EDITOR *is not* set when the program is started from sudo because sudo for security reasons drops the environment (are there any other cases when the environment is dropped?).

Well. One possible answer is that this is not a problem: build time dependencies are weird, always set EDITOR and never run such programs from sudo because this allows to do everything with the system. But I'd like to point at two points: firstly, some users use sudo just to avoid logging in as root and, secondly, upstream considers compiled in defaults to work. Thus IMO this is a problem.

The possible solution is to add a virtual/editor ebuild which will, besides enumerating all virtual providers, install a /usr/bin/editor program. This will be a simple wrapper (bash) script which will use the EDITOR environment variable to start the editor, in case the environment variable does not exist use EDITOR from /etc/rc.conf and as the last resort just issue an error message identifying possible ways to set up the editor. All programs that use a compiled in default editor should use this wrapper script. This will solve the ambiguity of the build time dependency and allow to use sudo reliably.

While I continue playing in my overlay I'd like to know if there are any problems with this solution? Currently this change seems to satisfy the KISS concept and fix some problems... thus should be implemented. I'll wait for some time and open two trackers, one for virtual/editor providers, another for virtual/editor build time dependency users, and then add the virtual/editor ebuild, remove PROVIDErs and continue working on packages that use compiled in editor defaults.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=124904
[2] https://bugs.gentoo.org/show_bug.cgi?id=94771
[3] https://bugs.gentoo.org/show_bug.cgi?id=149376
[4] https://bugs.gentoo.org/show_bug.cgi?id=149339

Thank you for your time,
Peter.
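The wrapper proposed in the message above, sketched as an added example; it is not code from the thread or from any Gentoo package. The function names and the rc.conf path parameter are assumptions made here so the resolution order can be exercised without touching /etc.

```sh
#!/bin/sh
# Added example: sketch of the /usr/bin/editor wrapper proposed in the message
# above. Function names and the rc.conf parameter are assumptions made here.

# Print the EDITOR value assigned in an rc.conf-style file. The file is parsed,
# not sourced, so nothing else written in it is executed by the wrapper.
rc_conf_editor() {
    conf=$1
    [ -r "$conf" ] || return 1
    # Last uncommented EDITOR= assignment wins.
    value=$(sed -n 's/^[[:space:]]*EDITOR=//p' "$conf" | tail -n 1)
    # Strip one pair of surrounding quotes, if present.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    [ -n "$value" ] && printf '%s\n' "$value"
}

# True if the program named by an EDITOR-style string can actually be run.
# EDITOR may carry arguments ("vim -f"); only the first word names the program.
editor_usable() {
    prog=${1%% *}
    [ -n "$prog" ] || return 1
    case $prog in
        */*) [ -f "$prog" ] && [ -x "$prog" ] ;;
        *)   command -v "$prog" >/dev/null 2>&1 ;;
    esac
}

# Resolution order from the proposal: EDITOR from the environment, then EDITOR
# from rc.conf. An unusable candidate is skipped instead of failing later.
resolve_editor() {
    conf=${1:-/etc/rc.conf}
    if [ -n "${EDITOR:-}" ] && editor_usable "$EDITOR"; then
        printf '%s\n' "$EDITOR"
        return 0
    fi
    if candidate=$(rc_conf_editor "$conf") && editor_usable "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# Wrapper entry point: run the resolved editor on the given files, or explain
# how to configure one (the last step in the proposal).
editor_main() {
    if editor=$(resolve_editor /etc/rc.conf); then
        # Unquoted on purpose so "vim -f" splits into program and argument.
        exec $editor "$@"
    fi
    echo "editor: no usable editor; set EDITOR or EDITOR= in /etc/rc.conf" >&2
    return 1
}

# Constructed demo: EDITOR is absent (as after sudo resets the environment),
# so the value comes from a temporary rc.conf-style file.
demo_dir=$(mktemp -d)
printf '# constructed sample\nEDITOR="/bin/sh"\n' > "$demo_dir/rc.conf"
( unset EDITOR; resolve_editor "$demo_dir/rc.conf" )   # prints /bin/sh
rm -rf "$demo_dir"
```

Run under sudo with the environment reset, the first branch never fires and the editor comes from the root-owned file. Where sudoers preserves EDITOR, the caller chooses the program the wrapper runs.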
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> The possible solution is to add virtual/editor ebuild

this is a horrible idea

why not modify sudo to not filter the EDITOR env var
then there is no more problem
-mike
--
gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> > The possible solution is to add virtual/editor ebuild
>
> this is a horrible idea
>
> why not modify sudo to not filter the EDITOR env var
> then there is no more problem

Except for a gaping security hole.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On 11/12/06, Harald van Dijk [EMAIL PROTECTED] wrote:
> On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> > On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> > > The possible solution is to add virtual/editor ebuild
> >
> > this is a horrible idea
> >
> > why not modify sudo to not filter the EDITOR env var
> > then there is no more problem
>
> Except for a gaping security hole.

pulling a ciaranm here huh ?

if a guy has access to `sudo`, then having a modified environment isn't going to make much difference
-mike
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> why not modify sudo to not filter the EDITOR env var
> then there is no more problem

no, there is a very valid reason why sudo filters the EDITOR env var.

sudo should probably be fixed to (re)set the EDITOR variable to a 'safe' systemwide default, instead of stripping it completely.

is there a list of sudo 'safe' EDITORs somewhere?

bangert
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 04:56:33AM -0500, Mike Frysinger wrote:
> On 11/12/06, Harald van Dijk [EMAIL PROTECTED] wrote:
> > On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> > > On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> > > > The possible solution is to add virtual/editor ebuild
> > >
> > > this is a horrible idea
> > >
> > > why not modify sudo to not filter the EDITOR env var
> > > then there is no more problem
> >
> > Except for a gaping security hole.
>
> pulling a ciaranm here huh ?
>
> if a guy has access to `sudo`, then having a modified environment isn't going to make much difference

sudo can be configured to only allow access to a select few applications. Allowing arbitrary EDITOR settings completely bypasses this.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On 2006-11-12 at 04:34 -0500, Mike Frysinger wrote:
> why not modify sudo to not filter the EDITOR env var
> then there is no more problem

Considering that this is the only situation where the environment is dropped... yes this fixes the sudo problem.

The other possible solution is:

    #!/bin/bash
    export EDITOR=/usr/bin/editor
    /usr/bin/fcrontab -e

BUT.

1. upstream uses this in the code. Then to avoid mess and unify approach we should remove all such things from the code itself. In other cases this will stay as a bug in gentoo.

2. And I see a possibility to write a secure editor, which will write only in predefined locations. Use of such an editor becomes possible only through clumsy wrapper scripts (like above) if we choose to force people never to use built in defaults.

And anyway we need a solution to make things more predictable.

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On 11/12/06, Thilo Bangert [EMAIL PROTECTED] wrote:
> is there a list of sudo 'safe' EDITORs somewhere?

then we end up with having to maintain a list of safe EDITORs and dealing with people who want to edit their own favorite editor

the sudo file has the ability to specify editors, so why not tell people to change their sudo config file ?
-mike
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, 2006-11-12 at 05:26 -0500, Mike Frysinger wrote:
> then we end up with having to maintain a list of safe EDITORs and dealing with people who want to edit their own favorite editor
>
> the sudo file has the ability to specify editors, so why not tell people to change their sudo config file ?

How? Maybe I'm wrong, but:

    Defaults editor=/usr/bin/vim, !env_editor

is only to use this list with visudo. And it does not prevent sudo from removing EDITOR from the environment. Or did you mean something else?

Also from man sudoers:

    The default is the path to vi on your system.

Should we drop this from sources then? Or leave this broken on systems with only nano installed?

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> then we end up with having to maintain a list of safe EDITORs and dealing with people who want to edit their own favorite editor
>
> the sudo file has the ability to specify editors, so why not tell people to change their sudo config file ?

It's not automatic.

Other way is remove virtual/editor. And set depend to nano. But I think it's a bad idea.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> And it does not prevent sudo from removing EDITOR from the environment.

in the example usages you cited, people were using `sudo` to just avoid running `su -` first ... in other words, their sudo was unlimited ... updating the sudoers file to allow EDITOR via env_keep would work fine for them

in that scenario, running any app via EDITOR is not a concern as they already have the ability to run any command
-mike
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 12:27:12PM +0300, Peter Volkov (pva) wrote:
> work [3,4] (yes... if EDITOR is not set). But EDITOR *is not* set when the program is started from sudo because sudo for security reasons drops the environment (are there any other cases when the environment is dropped?).

You can set `Defaults env_keep=EDITOR` in your sudoers file if you want, or what I do is `Defaults:%wheel !env_reset`, to allow users in group wheel to use sudo without the environment being scrubbed.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
[gentoo-dev] Re: [ANNOUNCE] Anonymous CVS and SVN now available
Robin H. Johnson wrote:
> KingTaco and I are pleased to announce that we've completed setting up and testing the anonymous read-only CVS and SVN services for Gentoo repositories, and that they are now available for use.
>
> Thanks go to: kengland, robbat2, kingtaco, ramereth, and several others for helping this to happen.

Thanks to everyone who put their time and effort into this. :D

--
by design, by neglect
for a fact or just for effect
[EMAIL PROTECTED]
9B81 6C9F E791 83BB 3AB3 5B2D E625 A073 8379 37E8 (0x837937E8)
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, 2006-11-12 at 05:54 -0500, Mike Frysinger wrote:
> in the example usages you cited, people were using `sudo` to just avoid running `su -` first ... in other words, their sudo was unlimited ... updating the sudoers file to allow EDITOR via env_keep would work fine for them
>
> in that scenario, running any app via EDITOR is not a concern as they already have the ability to run any command

That is right. And I've already raised concerns about this approach in my mail:
http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238

And that is not an answer to the question I've asked in this sub-thread:

Do you know any way *how* to specify a safe editors list inside sudoers?

I've spent some time and did not find how I can force sudo to edit files with only known editors inside EDITOR. env_keep just keeps the env variable and does not allow to specify a safe editors list. I suppose that this is impossible. Or... what do you mean by that:

> the sudo file has the ability to specify editors, so why not tell people to change their sudo config file ?

English is not my native language thus maybe I just misunderstood your idea here. Sorry.

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, 2006-11-12 at 11:06 +, Tavis Ormandy wrote:
> You can set `Defaults env_keep=EDITOR` in your sudoers file if you want, or what I do is `Defaults:%wheel !env_reset`, to allow users in group wheel to use sudo without the environment being scrubbed.

Of course I know about that. And I hope we continue this discussion starting with this mail:
http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238

But to restate the question raised in that mail I'll repeat:

Should we remove built in editors from packages or how should we set defaults without keeping them broken?

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
Peter Volkov (pva) wrote:
> Or... what do you mean by that:
>
> > the sudo file has the ability to specify editors, so why not tell people to change their sudo config file ?
>
> English is not my native language thus maybe I just misunderstood your idea here. Sorry.

...that the people should specify their allowed/preferred value of $EDITOR inside the sudo's configuration file, I guess.

Cheers,
-jkt

--
cd /local/pub more beer /dev/mouth
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 02:32:56PM +0300, Peter Volkov (pva) wrote:
> On Sun, 2006-11-12 at 11:06 +, Tavis Ormandy wrote:
> > You can set `Defaults env_keep=EDITOR` in your sudoers file if you want, or what I do is `Defaults:%wheel !env_reset`, to allow users in group wheel to use sudo without the environment being scrubbed.
>
> Of course I know about that.

So please explain what the problem is with sudo, I maintain the ebuild so need to know. The only `hardcoded` editor is the fallback editor for visudo, which can be set with the editor default in sudoers.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 04:30:48PM +0500, Anatoly Shipitsin wrote:
> > You can set `Defaults env_keep=EDITOR` in your sudoers file if you want, or what I do is `Defaults:%wheel !env_reset`, to allow users in group wheel to use sudo without the environment being scrubbed.
>
> Ok. How you plan set default editor at emerge sudo fcron ?

This question is nonsensical. I guess you don't understand what sudo does, it's too complicated to explain here, you should consult the documentation.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, 2006-11-12 at 12:15 +, Tavis Ormandy wrote:
> The only `hardcoded` editor is the fallback editor for visudo

And this is the problem I'm talking about. I do not see any reasons to keep this not working fallback. There are parts of code that just do not work in Gentoo.

> which can be set with the editor default in sudoers.

That's good. But some packages (I'm talking about practically *all* crontab, vipw, vigr and maybe other applications) do not have such a configuration file to configure that default editor. And IMO a configuration file should change *sane* defaults but I do not think nano is a sane default ;)

Thus I suggested either to remove the non working fallback in packages (patching sources) or fix the unpredictable and non-working fallback by adding some sane default (that was /usr/bin/editor in my initial mail). In other cases current behavior is a bug (some part of the program is not working as intended by upstream).

And note the suggested trivial fix as a side effect makes virtual/editor conform to glep 37 (also good).

Hope I've made points a bit clearer.

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> This question is nonsensical. I guess you don't understand what sudo does, it's too complicated to explain here, you should consult the documentation.

I'm told about emerge package not runtime. May you don't understand me.

Check sudo-1.6.8_p9-r2.ebuild

In DEPEND we see virtual/editor but in configure --with-editor=/bin/nano

But virtual/editor can provide by vi nano etc editor. You think it's right? DEPEND set virtual/editor but configure use nano as hardcoded editor.

I'm think if we set hardcoded editor nano at configure in sudo,ebuild its should DEPEND at nano editor not virtual/editor.
Re: [gentoo-dev] [ANNOUNCE] Anonymous CVS and SVN now available
On behalf of Russian translators team members I'd like to say thank you for your work guys! This greatly simplifies translators work to translate and keep translations updated. This also allows to create Russian website synchronized with gentoo.org also with Russian specific additions.

Thank you again :)

Peter.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 04:21:21PM +0300, Peter Volkov (pva) wrote:
> On Sun, 2006-11-12 at 12:15 +, Tavis Ormandy wrote:
> > The only `hardcoded` editor is the fallback editor for visudo
>
> And this is the problem I'm talking about. I do not see any reasons to keep this not working fallback. There are parts of code that just do not work in Gentoo.

Talking specifically about sudo, I think you're making a big deal out of a very minor thing, primarily because I cannot think of a sane example of when $EDITOR and $VISUAL are not set and visudo (which requires an interactive editor) would be invoked.

If you can give some examples, maybe I would understand.

> > which can be set with the editor default in sudoers.
>
> That's good. But some packages (I'm talking about practically *all* crontab, vipw, vigr and maybe other applications) do not have such a configuration file to configure that default editor.

I don't have much of an opinion on these things, although I think expecting /bin/vi to be a screen oriented interactive editor (not necessarily vi) should be a sane assumption, and if it isn't, that is the real bug.

> And IMO a configuration file should change *sane* defaults but I do not think nano is a sane default ;)

I really hate nano and pico, I cannot understand how people use them, it isn't the default because I'm a closet pico fan, I can assure you :)

sudo's default fallback is /bin/vi, but I received some bugs about this several years ago, and after some discussion on -dev, we decided that nano should take this place. Things have changed since then, nano used to be `special` in that we could make assumptions about it, maybe I'll change it back to /bin/vi, but I don't think it matters much.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency.
Harald van Dijk wrote:
> On Sun, Nov 12, 2006 at 04:56:33AM -0500, Mike Frysinger wrote:
> > On 11/12/06, Harald van Dijk [EMAIL PROTECTED] wrote:
> > > On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> > > > On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> > > > > The possible solution is to add virtual/editor ebuild
> > > >
> > > > this is a horrible idea
> > > >
> > > > why not modify sudo to not filter the EDITOR env var
> > > > then there is no more problem
> > >
> > > Except for a gaping security hole.
> >
> > pulling a ciaranm here huh ?
> >
> > if a guy has access to `sudo`, then having a modified environment isn't going to make much difference
>
> sudo can be configured to only allow access to a select few applications. Allowing arbitrary EDITOR settings completely bypasses this.

so force EDITOR to something secure (infra uses rvim)

but really, visudo, vipw, crontab these can all be exploited to gain root access thus making it silly to try to prevent in these cases.

--
Mike Doty kingtaco -at- gentoo.org
Gentoo/AMD64 Strategic Lead
Gentoo Council
Gentoo Developer Relations
Gentoo Recruitment Lead
Gentoo Infrastructure
GPG: E1A5 1C9C 93FE F430 C1D6 F2AF 806B A2E4 19F4 AE05
Re: [gentoo-dev] Gentoo group on Flickr - repost from pl.g.o
On Tuesday 31 October 2006 6:00 am, Stuart Herbert wrote:
> Reposted from http://planet.gentoo.org for the devs who live in caves^H^H^Hdon't read planet.gentoo.org.
>
> Best regards,
> Stu
> --
> http://www.flickr.com/groups/gentoo/
>
> Whilst sat here this morning waiting for the NX packages to build, it occurred to me that we don't have our own group on Flickr. Bit odd really, when you think of how many of us enjoy photography as a hobby.
>
> Well, we do now :) So, if you're a Gentoo dev, come join the group, and share your photos with the rest of us :) Let's see if, between us, we can build a rich and varied view of the world that we live, work, and play in.
>
> Just one request ... please, no screenies. Let's keep this to photography.

I put a few photos out there. Nothing special, as I'm not a great photographer. Enjoy! :-)

--
Jason Huebel
Gentoo Developer
GPG Public Key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x9BA9E230

Do not weep; do not wax indignant. Understand.
Baruch Spinoza (1632 - 1677)
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> Talking specifically about sudo, I think you're making a big deal out of a very minor thing, primarily because I cannot think of a sane example of when $EDITOR and $VISUAL are not set and visudo (which requires an interactive editor) would be invoked.

It's problem exist for any package use configure for set default editor. If I'm not use nano (see sudo ebuild) and not set EDITOR I'm got bug.

> I don't have much of an opinion on these things, although I think expecting /bin/vi to be a screen oriented interactive editor (not necessarily vi) should be a sane assumption, and if it isn't, that is the real bug.

Okay. Then remove DEPEND virtual/editor from sudo and other package with hardcoded default editor. Set instead right editor. For example nano or vi. Or set USE flag for switch.

> I really hate nano and pico, I cannot understand how people use them, it isn't the default because I'm a closet pico fan, I can assure you :)

Gentoo contains same editors provided virtual/editor. We got two ways. Create virtual-editor package wrapper or remove provide virtual-editor.

> sudo's default fallback is /bin/vi, but I received some bugs about this several years ago, and after some discussion on -dev, we decided that nano should take this place. Things have changed since then, nano used to be `special` in that we could make assumptions about it, maybe I'll change it back to /bin/vi, but I don't think it matters much.

Set any editor but set right depend not virtual/editor.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 06:21:56PM +0500, Anatoly Shipitsin wrote:
> > This question is nonsensical. I guess you don't understand what sudo does, it's too complicated to explain here, you should consult the documentation.
>
> I'm told about emerge package not runtime. May you don't understand me.

I understand just fine.

> Check sudo-1.6.8_p9-r2.ebuild In DEPEND we see virtual/editor but in configure --with-editor=/bin/nano But virtual/editor can provide by vi nano etc editor. You think it's right? DEPEND set virtual/editor but configure use nano as hardcoded editor.

Yes, I think it's right. That option doesn't do what you think it does.

> I'm think if we set hardcoded editor nano at configure in sudo,ebuild its should DEPEND at nano editor not virtual/editor.

Then you would be wrong.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Retirement
On Friday 03 November 2006 1:15 pm, Jon Portnoy wrote:
> I've been mostly inactive for a good while but hanging on mostly for sentimentality's sake, it's past time for that to stop.
>
> I mostly only maintain a small handful of ebuilds, I'm sure they can find proper homes quickly. None are maintenance-intensive.
>
> And of course, the only thing anyone is really concerned about; robbat2 has already laid claim to fortune-mod-gentoo-dev ;)
>
> Later. It's been fun, it's been real, but it hasn't been real fun. :) I'll be around #gentoo/#-dev.
>
> --
> Jon Portnoy
> avenj/irc.freenode.net

Sorry to see you go Jon. I've appreciated your guidance over the years, particularly when I took on the daunting task of managing Gentoo/amd64 in early 2004. Gentoo feels a little smaller with your departure.

--
Jason Huebel
Gentoo Developer
GPG Public Key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x9BA9E230

Do not weep; do not wax indignant. Understand.
Baruch Spinoza (1632 - 1677)
Re: [gentoo-dev] Resolve build time default editor dependency.
Anatoly Shipitsin wrote:
> > This question is nonsensical. I guess you don't understand what sudo does, it's too complicated to explain here, you should consult the documentation.
>
> I'm told about emerge package not runtime. May you don't understand me.
>
> Check sudo-1.6.8_p9-r2.ebuild
>
> In DEPEND we see virtual/editor but in configure --with-editor=/bin/nano

then fcron(or whatever package this is from) is *broken*

--
Mike Doty kingtaco -at- gentoo.org
Gentoo/AMD64 Strategic Lead
Gentoo Council
Gentoo Developer Relations
Gentoo Recruitment Lead
Gentoo Infrastructure
GPG: E1A5 1C9C 93FE F430 C1D6 F2AF 806B A2E4 19F4 AE05
Re: [gentoo-dev] Resolve build time default editor dependency.
On Sun, Nov 12, 2006 at 09:29:48AM -0600, Mike Doty wrote:
> then fcron(or whatever package this is from) is *broken*

Either that, or you don't know what it does.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> > Check sudo-1.6.8_p9-r2.ebuild In DEPEND we see virtual/editor but in configure --with-editor=/bin/nano But virtual/editor can provide by vi nano etc editor. You think it's right? DEPEND set virtual/editor but configure use nano as hardcoded editor.
>
> Yes, I think it's right. That option doesn't do what you think it does.

What this option does ?

> > I'm think if we set hardcoded editor nano at configure in sudo,ebuild its should DEPEND at nano editor not virtual/editor.
>
> Then you would be wrong.

Use abstract depend provide by same packages and set hardcoded depend provided by one package (nano) is right?
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 08:38:52PM +0500, Anatoly Shipitsin wrote:
> > > I'm think if we set hardcoded editor nano at configure in sudo,ebuild its should DEPEND at nano editor not virtual/editor.
> >
> > Then you would be wrong.
>
> Use abstract depend provide by same packages and set hardcoded depend provided by one package (nano) is right?

No, is not right.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 08:17:18PM +0500, Anatoly Shipitsin wrote:
> > Talking specifically about sudo, I think you're making a big deal out of a very minor thing, primarily because I cannot think of a sane example of when $EDITOR and $VISUAL are not set and visudo (which requires an interactive editor) would be invoked.
>
> It's problem exist for any package use configure for set default editor. If I'm not use nano (see sudo ebuild) and not set EDITOR I'm got bug.

Doctor, it hurts when I do this

> > I don't have much of an opinion on these things, although I think expecting /bin/vi to be a screen oriented interactive editor (not necessarily vi) should be a sane assumption, and if it isn't, that is the real bug.
>
> Okay. Then remove DEPEND virtual/editor from sudo and other package with hardcoded default editor.

It isn't hardcoded, it's configurable.

> Set instead right editor. For example nano or vi. Or set USE flag for switch.

No, you set the correct editor, I don't know which one you use.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> > Use abstract depend provide by same packages and set hardcoded depend provided by one package (nano) is right?
>
> No, is not right.

But why it's not need change? I'm talk not only sudo.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> Doctor, it hurts when I do this

very funny :)

> It isn't hardcoded, it's configurable.

If this not hardcoded. I'm think use this at new fcron ebuild. This really close problem bug #149376 ;)

> No, you set the correct editor, I don't know which one you use.

I'm told about ebuild. I'm can use virtual/editor and then set nano as editor in fcron.ebuild ?

If not, we need provide virtual-editor.ebuild with wrapper.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, Nov 12, 2006 at 08:59:03PM +0500, Anatoly Shipitsin wrote:
> > > Use abstract depend provide by same packages and set hardcoded depend provided by one package (nano) is right?
> >
> > No, is not right.
>
> But why it's not need change? I'm talk not only sudo.

I don't know about the other packages, I'm only talking about sudo.

Although I do think you're making a big fuss over a tiny cosmetic issue.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
[gentoo-dev] openssh sftplogging patch
Hi!

Recently I have noticed that the openssh-4.4p1 ebuild lists the sftplogging use flag as deprecated (4.3 does have it). I found no mention of this being removed for any reason in the ChangeLog. Could anybody please tell what happened?

Thanks!

Regards,
Sab
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> Although I do think you're making a big fuss over a tiny cosmetic issue.

This changes need not for sudo. It's need for fcron. And probably any package use define editor on configuration stage.
[gentoo-dev] New developer: Cédric Krier
It's my pleasure to introduce to you Cédric cedk Krier. He is joining us to help with the netmon herd. Previously he has been filling the bugzilla with new ebuilds and participating in the sunrise overlay. He hails from Liège, Belgium. He works as an architect engineer in a tiny company. He likes independent movies, music and comic strips (manga). During his free time he also likes to go climbing.

So please give cedk the usual warm welcome.

--
Petteri Räty (betelgeuse)
Re: [gentoo-dev] Resolve build time default editor dependency.
On Sun, Nov 12, 2006 at 08:43:55AM -0600, Mike Doty wrote:
> Harald van Dijk wrote:
> > On Sun, Nov 12, 2006 at 04:56:33AM -0500, Mike Frysinger wrote:
> > > On 11/12/06, Harald van Dijk [EMAIL PROTECTED] wrote:
> > > > On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> > > > > On 11/12/06, Peter Volkov (pva) [EMAIL PROTECTED] wrote:
> > > > > > The possible solution is to add virtual/editor ebuild
> > > > >
> > > > > this is a horrible idea
> > > > >
> > > > > why not modify sudo to not filter the EDITOR env var
> > > > > then there is no more problem
> > > >
> > > > Except for a gaping security hole.
> > >
> > > pulling a ciaranm here huh ?
> > >
> > > if a guy has access to `sudo`, then having a modified environment isn't going to make much difference
> >
> > sudo can be configured to only allow access to a select few applications. Allowing arbitrary EDITOR settings completely bypasses this.
>
> so force EDITOR to something secure (infra uses rvim)

rvim is less insecure than vim, but isn't secure if called as root, nor are most editors. If you can choose to edit other files than those specified on the command line, you can edit the boot scripts, and do anything after that. Anyway, if you have something safe (even if it's only /bin/false), forcing EDITOR to it would be good, but I do not believe sudo has an option for this. You can remove variables from the environment, but not add them. There is a special case for visudo, but that's not handled via the environment. And if there is no way to force EDITOR to something safe, unsetting it (the current situation) is the next best thing.

> but really, visudo, vipw, crontab these can all be exploited to gain root access thus making it silly to try to prevent in these cases.

Obviously you shouldn't allow access to such programs to users that are not completely trusted. This isn't about such programs. For example, in ufed, I used to read the PAGER variable (if you believe that is significantly different, please explain) to display the help. Since sudo clears it, ufed is usable even when it's not possible to display the help, and ufed can't do anything other than edit /etc/make.conf, it would be safe to allow it to run via sudo (emerge --ask should of course be used if ufed can be run, but that's a separate issue). That's the kind of thing that would no longer be safe.
[gentoo-dev] Re: Scheme Herd
Hi Hector,
Hector E. Gomez Morales wrote:
> My name is Hector I am a CS student in third year. I have an interest in programming languages, especially in functional programming. I have been using scheme for some time so I would like to help with the maintenance of the ebuilds. Any pointers to begin helping will be very helpful. If the help is no longer needed, sorry to bother, hehe, I read the GWN notice like a week later.
Help working on the bugs by submitting patches, comments etc. And contact Matthew Kennedy directly, he can advise you further... maybe he already did.
V-Li -- Fingerprint: 68C5 D381 B69A A777 6A91 E999 350A AD7C 2B85 9DE3 http://www.gnupg.org/
[gentoo-dev] Xbox-sources
Xbox-sources has multiple pending security bugs against it, and is unmaintained. As such, it is going into package.mask in the next few days, and will be removed from the tree 30 days after it goes into package.mask if no one takes over maintaining. -- Harlan Lieberman-Berg Gentoo Kernel Security Developer
Re: [gentoo-dev] New developer: Cédric Krier
It's nice to see someone from nearby join Gentoo. (I live in Leuven) Welcome to the project!! I suppose we'll see you at the next FOSDEM? :) Stefaan
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sun, 12 Nov 2006 21:57:07 +0500 Anatoly Shipitsin [EMAIL PROTECTED] wrote:
>> Although I do think you're making a big fuss over a tiny cosmetic issue.
> This changes need not for sudo. It's need for fcron. And probably any package use define editor on configuration stage.
No, it's not needed for fcron at all, and I already explained why in [1]. Progressing through [2-4] I thought the fcron issue might have been fixed, but the virtual/editor discussion had started by then and I decided I had nothing more to add. Again: fcron builds and works fine without at all setting ./configure --with-editor= and the ebuild should not set that option at all. Problem solved.
Kind regards, JeR
[1] https://bugs.gentoo.org/show_bug.cgi?id=149376#c15 (don't set --with-editor in the ebuild and just let it default to /usr/bin/vi, which is only used if your env doesn't have EDITOR set to something useful)
[2] https://bugs.gentoo.org/show_bug.cgi?id=149376#c17 (where I explained that bug #65263 fixed the wrong problem)
[3] https://bugs.gentoo.org/show_bug.cgi?id=149376#c19 (where I suggested setting it to something proper and available on hopefully every system, like --with-editor=/bin/nano)
[4] https://bugs.gentoo.org/show_bug.cgi?id=149376#c22 (where I continued to argue this approach and CC'd bsd@ to get their view)
[gentoo-dev] Re: New developer: Cédric Krier
Petteri Räty wrote:
> So please give cedk the usual warm welcome.
Welcome and make yourself at home :D
Jokey
Re: [gentoo-dev] [ANNOUNCE] Anonymous CVS and SVN now available
On Sat, Nov 11, 2006 at 10:33:00PM -0500, Michael Cummings wrote:
> On Sat, Nov 11, 2006 at 02:54:01AM -0800, Robin H. Johnson wrote:
>> svn has the following repos: gli glsr devmanual sandbox baselayout eselect apache livecd-tools hardened linux-patches catalyst hwdata gentoo-python genkernel gentoo-syntax gentoo-alt gentoo-vdr gentoolkit keychain portage
> nice work! is there a tracker bug for requesting other sources.g.o svn's to be added?
Please file new bugs.
-- Robin Hugh Johnson E-Mail : [EMAIL PROTECTED] GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
Re: [gentoo-dev] Re: Scheme Herd
Hi Christian: Thanks for the response, I will try to help with all the bugs I can in dev-scheme, Matthew has sent me some pointers for becoming a developer and helping with the ebuilds.
Hector
Christian Faulhammer wrote:
> Hi Hector,
> Hector E. Gomez Morales wrote:
>> My name is Hector I am a CS student in third year. I have an interest in programming languages, especially in functional programming. I have been using scheme for some time so I would like to help with the maintenance of the ebuilds. Any pointers to begin helping will be very helpful. If the help is no longer needed, sorry to bother, hehe, I read the GWN notice like a week later.
> Help working on the bugs by submitting patches, comments etc. And contact Matthew Kennedy directly, he can advise you further... maybe he already did.
> V-Li
Re: [gentoo-dev] last rites for net-im/gabber and dev-libs/jabberoo
On Sun, 2006-01-10 at 11:08 -0400, Olivier Crête wrote:
> Hi, There has been no release since June 2004, the newer versions have been p.masked since 2004. The older versions don't build. They have open bugs #62182, #88929 and #101581. I'll remove them on November 1st.
Gabber is gone.. All hail Gossip!
-- Olivier Crête [EMAIL PROTECTED] Gentoo Developer
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> No, it's not needed for fcron at all, and I already explained why in [1]. Progressing through [2-4] I thought the fcron issue might have been fixed, but the virtual/editor discussion had started by then and I decided I had nothing more to add. Again: fcron builds and works fine without at all setting ./configure --with-editor= and the ebuild should not set that option at all. Problem solved.
Without --with-editor fcron configure gets the editor from the environment parameter EDITOR. This is wrong, see bug 149376.
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Mon, 13 Nov 2006 09:20:09 +0500 Anatoly Shipitsin [EMAIL PROTECTED] wrote:
> Without --with-editor fcron configure gets the editor from the environment parameter EDITOR. This is wrong, see bug 149376.
You mean I ought to go read the bug I referred to a few times in the message you are responding to? I did. In fact, I wrote a lot of the comments there. I am CC'd on that bug. I even recorded the original complaint on that bug stating that the ebuild should not rely on the environment to find a value for EDITOR. I might say I care about the issue. :) As I recorded on that bug, fcron's build system sets it to a default of /usr/bin/vi unless you set the --with-editor option. There's nothing wrong with that. It just means that running crontab will fail if you do not set EDITOR after it installs, which is what /etc/rc.conf sets to a system-wide default. fcron *always* uses EDITOR from the environment when running crontab, no matter what you pass to --with-editor at configure time. Consider it a feature. Anyway, all this is already documented on the bug you mentioned. I do not see any need to cover this ground again and again. A simple ./configure --help should really help you find out why not setting --with-editor fixes the problem I brought up on that bug, which then got turned into this huge kludge (virtual/editor) to fix a cosmetic problem, IMHO.
Kind regards, JeR
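The lookup order this thread argues over (editor from the environment, then the system-wide EDITOR in /etc/rc.conf, then the compiled-in default), written out as an added shell example; it is not code from fcron, sudo or any poster. The function names and the acceptance rule (absolute path, no arguments, executable file) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not code from fcron, sudo or any poster in this thread).
# Lookup order discussed above: environment -> /etc/rc.conf -> built-in default.
# Function names and the acceptance rule below are assumptions.

# Accept only an absolute path with no whitespace (so no arguments and no
# PATH lookup) that names an executable regular file.
is_usable_editor() {
    case $1 in
        *[[:space:]]*) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    [ -f "$1" ] && [ -x "$1" ]
}

# Print the last EDITOR= value in an rc.conf-style file. The file is parsed,
# not sourced, so nothing in it is executed by the privileged caller.
read_rc_editor() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*EDITOR=[\"']\{0,1\}\([^\"' #]*\).*/\1/p" "$1" | tail -n 1
}

# resolve_editor RC_CONF BUILTIN_DEFAULT
# Prints the first usable candidate; fails with a hint when none is usable.
# Under sudo's default environment reset VISUAL and EDITOR arrive unset, so
# the result comes from RC_CONF or from the built-in default.
resolve_editor() {
    rc_conf=$1
    fallback=$2
    for cand in "${VISUAL:-}" "${EDITOR:-}" "$(read_rc_editor "$rc_conf")" "$fallback"; do
        if is_usable_editor "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no usable editor: export EDITOR or set EDITOR= in $rc_conf" >&2
    return 1
}

# Typical call with the paths named in the thread:
#   editor=$(resolve_editor /etc/rc.conf /usr/bin/vi) && "$editor" "$file"
```

A caller that runs with elevated privileges still has to decide whether the environment may be consulted at all; this function only guarantees that whatever it returns is a single existing executable path.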
Re: [gentoo-dev] openssh sftplogging patch
On Sunday 12 November 2006 11:38, Rumi Szabolcs wrote:
> Could anybody please tell what happened?
it's been integrated upstream so there's no point in having a patch anymore
-mike
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
On Sunday 12 November 2006 06:29, Peter Volkov (pva) wrote:
> On Sun, 2006-11-12 at 05:54 -0500, Mike Frysinger wrote:
>> in the example usages you cited, people were using `sudo` to just avoid running `su -` first ... in other words, their sudo was unlimited ... updating the sudoers file to allow EDITOR via env_keep would work fine for them in that scenario, running any app via EDITOR is not a concern as they already have the ability to run any command
> That is right. And I've already raised concerns about this approach in my mail: http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238
i don't see you discussing this approach at all
> Do you know any way *how* to specify safe editors list inside sudoers?
trying to maintain such a list is pointless as there will always be someone who likes to use some editor which is not specified in the list ... to answer your question though, i don't believe there is a way in sudoers to say this env var may only contain XXX list of values
> I've spent some time and did not find how I can force sudo to edit files with only known editors inside EDITOR. env_keep just keeps the env variable and does not allow to specify a safe editors list. I suppose that this is impossible.
i think you're confusing situations here ... trying to edit files should be done with `sudo -e` as that will use the user's EDITOR env var ... running `sudo crontab -e` is a different scenario as only crontab knows about the editing as it happens indirectly
if you have the ability to edit root's crontab however, then you have full access to the machine ... that means you should be using env_keep in the sudoers file for the EDITOR var
-mike
Re: [gentoo-dev] Xbox-sources
On Sunday 12 November 2006 16:16, Harlan Lieberman-Berg wrote:
> Xbox-sources has multiple pending security bugs against it
#'s ? searching bugzilla for xbox doesn't give me any results
-mike
> and is unmaintained.
says you :P
-mike
[gentoo-dev] add --docdir to default econf()
how do people feel about adding --docdir=/usr/share/doc/${PF} to the default econf() arguments ? -mike
Re: [gentoo-dev] add --docdir to default econf()
Mike Frysinger wrote:
> how do people feel about adding --docdir=/usr/share/doc/${PF} to the default econf() arguments ?
> -mike
As my first Gentoo related thing since my 3 day trip... Sounds great by me. I know it'll remove the need to do that manually in a couple of ebuilds since upstream uses stupid directories sometimes. And it seems like a default which won't cause something unnecessary.
-- Doug Goldstein [EMAIL PROTECTED] http://dev.gentoo.org/~cardoe/
Re: [gentoo-dev] Resolve build time default editor dependency. (was: How get ebuild provider virtual/category.)
> You mean I ought to go read the bug I referred to a few times in the message you are responding to? I did. In fact, I wrote a lot of the comments there. I am CC'd on that bug. I even recorded the original complaint on that bug stating that the ebuild should not rely on the environment to find a value for EDITOR. I might say I care about the issue. :)
Okay. I removed all getting of the editor from the runtime environment EDITOR and disabled --with-editor. Then ran emerge fcron. I got:
checking for vi... no
configure: error: Cannot determine path to vi: try option --with-editor=PATH
But I can't get the editor from runtime. How does emerge obtain the right editor?
> As I recorded on that bug, fcron's build system sets it to a default of /usr/bin/vi unless you set the --with-editor option. There's nothing wrong with that. It just means that running crontab will fail if you do not set EDITOR after it installs, which is what /etc/rc.conf sets to a system-wide default.
Can I use the solution from the sudo package?
> fcron *always* uses EDITOR from the environment when running crontab, no matter what you pass to --with-editor at configure time. Consider it a feature.
I know! If this broke at configure run without this :(
> Anyway, all this is already documented on the bug you mentioned. I do not see any need to cover this ground again and again. A simple ./configure --help should really help you find out why not setting --with-editor fixes the problem I brought up on that bug, which then got turned into this huge kludge (virtual/editor) to fix a cosmetic problem, IMHO.
Removing --with-editor does not fix it. For this it needs the environment parameter EDITOR set. How to resolve this problem? I'm not getting any solution.
Re: [gentoo-dev] add --docdir to default econf()
Hi,
On Mon, Nov 13, 2006 at 12:51:45AM -0500, Doug Goldstein wrote:
> Mike Frysinger wrote:
>> how do people feel about adding --docdir=/usr/share/doc/${PF} to the default econf() arguments ?
>> -mike
> [...] And it seems like a default which won't cause something unnecessary.
Let's see how much it breaks. It should be easier to add it manually in an ebuild than leaving it out when econf arguments it by default ;)
Hannes