True, I had not considered this, however it will be possible for me to point to this message and the thread in general if I see that message resurfacing.
I will bear this in mind for the future though. Thanks.
That sounds like a great idea for a home machine, or even a dedicated box.
But if you're trying to maintain an open collection of machines like Debian is, where developers from all over the world can connect from wherever they are (dialup/dhcp/cable/travelling) you can't easily restrict their IP.
It's like saying a mail server should only accept mail from ip a.b.c.d - it just doesn't work.
They are doing good, they have a certified platform for Oracle which is big in the enterprise/corporate world.
My site is 50/50 Debian and SuSE - and I'm very glad I was able to resist the temptation to move to RedHat exclusively, as that would have meant having to spend lots of time upgrading from server to "advanced server edition" - and a hike in the prices.
That should be a simple enough thing to write as a client-server setup.
On the remote side create a socket /dev/Ndsp and attach that to a simple server - any attempts to read or write to it should trigger the same read/write operation over the network to /dev/dsp on the other machine.
Point the apps you want sound forward to use /dev/ndsp instead of /dev/dsp. All done.
Testing doesn't get a fix until the package migrates from unstable (minimum 10 days).
That's true for normal uploads - things move from unstable into testing after ten days.
However when a security update is released for stable usually an unstable package will be made available shortly afterwards - and that will have its "urgency" field set to high.
When an urgent package is uploaded into unstable it will move into testing, barring problems, after only two days.
1. Right now, I can use 'reportbug' to report problems related to:
When a package is installed it may include a file /usr/share/reportbug/$package, and that will be used as the text.
This allows non-free packages to have their bugs reported in an integrated fashion.
3. How would people be assured of the QA processes used by a non-Debian-produced contrib and non-free repository?
Agreed this couldn't be handled. However I don't see a problem with this. How are people assured of the quality of a random sourceforge project? Or random RPMs downloaded from the net?
4. How would package GPG signing remain consistent?
If there was a cohesive whole project/group dedicated to the non-free package maintenance, as looks like is being suggested, then there's no reason why there couldn't be "keyring-non-free-maintainers".
Yes I'm ignoring the joining question. I believe the checks are as rigorous as necessary. Sure people wait too long, but the checks and things they must do are worthwhile and I passed in a few months...
Hopefully Debian will get some new maintainers with this amendment.
You don't need to be a maintainer to help Debian, using it and reporting bugs is one kind of help.
Fixing bugs is another; and fixing bugs for Debian will help all distributions with that software in it.
Funny how some people want others to do all the work for them.. Debian is definitely a distribution for people that are prepared to help themselves, and each other.
I have no idea either, but I guess that at some level somebody must suggest a new package to be included and then one of the people involved in putting together the distribution must maintain it.
They'd be responsible for updating the package, building it, and making sure it worked properly.
I'd expect them to forward any changes they had to make to the upstream author, like the Debian people do, and then add the packages details to some internal database - so they know where to look to check for a new release in time for the next release burning..
In my previous job we had a lone dedicated PC which ran DOS and some custom Wang stuff with the full size internal hardware card it used to drive things.
The machine's power supply and motherboard fried one day and we had a horrible time finding a machine locally under severe pressure that not only had an EISA slot, but had the space inside for this full-size card.
A replacement was duly found and we were back up and running with a DOS based phone system..
So rather than relying upon full disclosure, as practised by Bugtraq, etc., and hoping this will shame companies into fixing their buggy products, instead we find problems and don't tell anybody so that the bad terrorists, err, people, don't find out?
I think this is appalling, and will happily offer before the google cache expires.
I may be simplifying, but you mention a Mall - so I'm guessing you may be American.
If that is the case you may sue.
I've learnt from reading the news that Americans can sue over whatever they like.
Winning may be a different story... can you prove she didn't sign it? I guess you'd need to get somebody to compare her signature to that which was used to open the account.
Finding the original slip is probably not possible - so it comes down to their word against yours.
That wasn't one of mine, but I've been auditing a lot of Debian packages recently.
Games are an easy target as many of them are setgid(games), so that they may access a global high-score file.
Most of the vulnerabilities I've found have been in games - easy to start with the low hanging fruit and work your way up ;)
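The least-privilege pattern that limits what a bug in a setgid(games) binary can reach, as an added example that is not code from the thread or from any Debian package: open the shared high-score file while the group is still effective, then drop the group for good before the game touches any untrusted input. The score-file path and the use of glibc's setresgid() are assumptions for illustration.

```c
#define _GNU_SOURCE   /* glibc: exposes setresgid() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int setresgid(gid_t, gid_t, gid_t);  /* explicit in case the macro came too late */

/* Open the shared score file for appending; call BEFORE drop_setgid(),
 * while the effective gid is still 'games'. Returns -1 on error. */
int open_score_file(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0664);
}

/* Permanently give up the setgid group: real, effective and saved gid all
 * become the invoking user's real gid, so no later bug can regain it.
 * Returns 0 on success, -1 with errno = EPERM if the drop did not take. */
int drop_setgid(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Never trust the call alone: check the effective gid changed and that
     * the old group cannot be restored from the saved gid. */
    if (getegid() != rgid || (old_egid != rgid && setegid(old_egid) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumed path for illustration; real packages use their own file. */
    int fd = open_score_file("/var/games/example-scores");
    if (drop_setgid() != 0) {
        perror("drop_setgid");
        return 1;                /* refuse to run with unexpected privilege */
    }
    /* Below this point the game runs with the user's own privileges only. */
    if (fd >= 0) {
        const char line[] = "player 1234\n";     /* constructed sample entry */
        if (write(fd, line, sizeof line - 1) < 0)
            perror("write");
        close(fd);
    }
    return 0;
}
```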
--- snip here ---
This is a truthful report.
You may validate this message against the key for skx@debian.org.
Steve
--
Yes Debian's machines run Debian, this breakin wasn't anything to do with the software installed upon the box, as it was due to a password compromise.
If anything it's more embarrassing that somebody lost their password than that the software wasn't up to date.
Password stealing is pretty OS independent.
So this compromise, whilst undeniably bad, isn't really going to show much about Debian, or Windows.
MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.
So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...
Nah .. you want to use GNUMP3d which supports streaming MP3s OGGs and other media types.
It's portable perl too, and will stream music to Freeamp, XMMS, etc.
Completely free - unless you want to make a donation.
I would .. but in my version I spelt "somebody" correctly.
Still, following the principle of karmic balance I've misspelt a word or tow in this relpy.
This actually happened on Advogato.
There was a lack of filtering on one of the site's variables and a crafty user created a "virus" that spread from profile to profile.
If you viewed an infected page when logged in, your own profile was updated to contain a copy of the infectious code.
Full details here.
It was used on bugtraq once or twice and just stuck - there are a few more examples in this XSS FAQ.
I don't see any obvious flaws in that approach ..
Did I misunderstand? I thought the point of Gentoo was that everything was cutting edge and up to date?
Can't you just download the sources and the old ebuild files and rebuild? Or is there more magic involved?
I grew up living down a street which backed onto a small convent, (Poor Claires in York for any local people).
This convent had hourly bells/chimes that would go off 24 hours a day, every day of the year. For variation the bells at midday or midnight would be louder/longer/different. (Too long ago, I forget).
During the day these were hard to hear, but at night time you could hear each of them if you were paying attention - visitors would often ask what the noise was.
After a while though you just stopped noticing it; indeed after moving house I remember being surprised I didn't hear the bell on the hour. The bells I'd been listening to for years.
Many nights I'd wake up just after midnight wondering why they'd not rung.
Ummmm, irony is..?
Yes we should support people who produce open source, and not just the big projects like Samba, Apache, Rsync, etc. I have software included in the SuSE professional edition that I wrote.
When it's displayed in Yast there's a field for Author name / Homepage. Do you think those fields give me credit? Do you think I even got an email from SuSE? Do you think I might have received a free boxed copy?
Nope.
I only noticed as a colleague pointed it out to me when setting up a SuSE professional box to install Oracle upon..
*sighs*
I love Easily; they let you register and maintain the sites very easily. I'm not sure why you limit them to just "best for co.uk" - I have several .com's with them...
The only down side is that you have very little flexibility with DNS - you either nominate the IPs of your own DNS servers or you setup the A and MX records.
There's no ability to create different subdomains like 'foo.bar.com' which is a shame.
Pricing is good, spam free, and easy to use.