=== megha is now known as Guest99477
=== wcchandl1r is now known as wcchandler
halfiedoes Ubuntu maintain a list of packages which must be hardened for security reasons?05:31
keeshalfie: everything hardened by default in Ubuntu06:13
kees(though you may have a more specific definition of "hardened")06:13
=== doko_ is now known as doko
halfiekees, are you sure? by hardening I mean stuff like RELO / PIE being enabled.07:59
halfieit seems that the Ubuntu compiler doesn't enable hardening by default. so do you enable hardening for every packages on individual basis?08:05
jtaylorhalfie: since ~quantal or precise yes08:15
jtaylorautomatic hardening is not enabled anymore08:15
halfiebut like kees says hardening is enabled for almost all packages? correct?08:16
halfieseems hard to believe08:16
jtaylorprobably almost all in main08:16
jtaylorin universe coverage is probably less good08:16
halfiecool :)08:16
halfieI can use Ubuntu's example to drive hardening in Fedora then08:17
jtaylorI think some things may still be enabled by default, like FORTIFY_SOURCE_08:17
halfieand same rules apply on both x86 and AMD64, right? if a package is hardened then it is hardened on both?08:17
jtayloryes, though pie is seldom enabled08:17
jtayloron i386 it has a rather large performance impact08:18
halfieaha I see. yes on i383 PIE is crap.08:18
halfieso do you disable PIE on i386 then ?08:18
halfiebut enable it for the same package when building for AMD6408:19
jtaylorits enabled on per package basis, so far I know its usually all off or all on08:19
halfieok, makes less of a maintenance burden this way I guess.08:19
jtayloryou may want to read this: http://wiki.debian.org/Hardening08:20
halfiejtaylor, already been there :). I have scanned all Fedora packages using custom written script. Now I am planning to do the same for Ubuntu.08:20
halfieI will be using "python-debian" package for doing this08:20
jtaylorwe already have scripts for checking if hardening is enabled08:20
jtaylorit does have some sisues though08:21
halfiejtaylor, does it work on any platform and does it run straight on .deb files without installing them?08:21
jtaylorit works on ELF files08:21
halfiemy script doesn't need packages to be installed and it doesn't touch the disk except for reading. I have "checksec" for running on ELF files.08:22
jtaylorwhat does it do?08:23
halfieI will take a look at hardening-check though. Maybe it has some neat ideas :)08:23
halfiehttps://github.com/kholia/checksec <== it scans package repositories and figures out various bits08:23
halfieNow I am planning to add .deb support to it.08:24
halfieBTW is there a Python / Ruby library for parsing .deb files? "python-debian" is kind of broken.08:24
jtaylorbroken in what way?08:28
halfiejtaylor, debian packages use "xz" compression now I believe? python-debian doesn't work for such files and python 2.x doesn't have lzma module08:28
halfieI am porting python-debian to Python 308:29
infinityhalfie: You may be interested in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=50686108:31
ubottuDebian bug 506861 in python-debian "python-debian: Please add support for lzma-compressed debs" [Wishlist,Open]08:31
jtaylorisn't pylzma support backported to py2?08:32
halfieinfinity, awesome! :) you saved me hours of work :)08:32
jtaylorthere is a python-lzmq module08:32
jtaylorah thats also mentioned in the bug :)08:32
halfiealso "xz" is the recommend scheme?08:34
infinitydpkg-deb defaults to gzip, but xz and bz2 are both widely used.08:34
infinitydpkg-deb (and python-debian) are meant to abstract that away, so you never need to care.08:35
infinityWell, python-debian would do so with the patch in that bug. :P08:35
halfieI am giving up porting to Python 3. It is hard :)08:36
infinityIt's already ported in unstable, quantal, and raring.08:37
halfieto Python 3?08:37
infinityThe patch in that bug applies to said ported version, if I recall.08:37
infinityYes.  Binary package is python3-debian.08:38
halfieso the "python2-debian" has no support for "xz" ?08:38
infinityNeither one has support for xz, without that patch applied.08:38
jtaylorthe changelog says it has support08:38
jtayloras the mentioned bug in python is fixed08:39
infinityIf you read the notes on the patch, it works with both py2 and py3, but cheats with py2 by just forking the xz binaries instead of using a module.08:39
dokoyou give up early ...08:41
halfiegot disconnected. thanks infinity !08:52
halfieyay! success :)08:56
halfienow where exactly is metadata like packager's name, checksums stores? in the "control" section?08:57
jtaylordoko: I somehow managed to break python installation in a autopkgtest, see line 342909:19
jtaylordoko: I can't seem to create a minimal testcase though :/ maybe you already see the cause09:19
dokojtaylor, which line/where?09:19
jtaylorthe issue is python2.7-minimal is configured before libpython2.7-minimal09:19
dokomaybe that should be a Pre-Depends ...09:28
pjotrHello, I encountered a bug in Ubiquity that I've reported on Launchpad:10:04
ubottuLaunchpad bug 1165344 in ubiquity (Ubuntu) "Ubiquity hangs on disk with many partitions" [Undecided,New]10:04
pjotrcjwatson: maybe you could take a look at it (if you have the time, of course....)?10:05
jtaylorpjotr: probably a duplicate of bug 108070110:06
ubottubug 1080701 in ubiquity (Ubuntu Raring) "After 'Preparing to install Ubuntu' screen, raring installation hangs" [High,Confirmed] https://launchpad.net/bugs/108070110:06
pjotrjtaylor: yes, that looks like the same bug.... I'll tag mine as a duplicate. Thanks. :-)10:08
cjwatsonhalfie: Confused as to why you're porting python-debian to Python 3.  I did that port last year or so.10:12
cjwatsonOh, yeah, infinity already said that.10:12
dokojtaylor, please could you check https://launchpad.net/~doko/+archive/ppa ?10:42
jtaylordoko: seems to fix my problem10:52
jtaylordoes it really need a pre-depends? isn't it the postinst that fails?10:54
dokojtaylor, please check it without it10:58
=== hggdh is now known as hggdh_
=== hggdh_ is now known as hggdh
=== hggdh is now known as hggdh_
halfiecjohnston, thanks for porting python-debian to Python 3.13:08
halfieI am running Fedora and trying to analyze Ubuntu packages. What would be a good way to get all the packages in "main" pool. It would be great if I could only get the latest versions of programs.13:33
halfieIf there is no "bright" idea, then I will run rsync as the last option.13:36
siretarthalfie: try 'debmirror'13:39
siretarthalfie: http://manpages.ubuntu.com/manpages/precise/en/man1/debmirror.1.html13:40
halfiesiretart, thanks, I am reading about it on https://help.ubuntu.com/community/Debmirror13:40
halfiehow do I interpret this mode value "493" ? I found it in sudo 's .deb file.13:46
cjwatsonhalfie: on which file?13:47
halfie493 ./usr/sbin/visudo13:48
cjwatsonhalfie: I think you would be less confused if you quoted modes in the conventional octal base, not decimal13:48
cjwatson493 decimal == 755 octal13:48
cjwatsoni.e. -rwxr-xr-x13:48
halfieoh, I could not guess the base earlier :) thanks!13:48
cjwatsonThe oct() builtin in Python may help13:49
halfiedo you know a package which has a setuid file?13:49
cjwatsonin the sudo package you're already looking at13:49
halfieoh right, its right in front of me13:50
halfieBTW PIE and  RELRO are disabled for sudo13:50
cjwatsonNot in the current version13:50
cjwatsonthat's sudo 1.8.6p3-0ubuntu3 on amd6413:51
halfienow where did I get my package from then :S ?13:52
cjwatsonI don't think that's a recent change either ...13:52
cjwatsonWell, first you might like to cite which version you're looking at?13:52
halfiesudo_1.6.9p10-1ubuntu3.10_amd64.deb <== seems to be old13:52
halfieI got it from archive.ubuntu.com13:53
cjwatsonThat's the version in hardy, which is ancient13:53
halfieah okay. I need to find a mirror which has latest packages.13:53
cjwatsonEither use a mirroring tool to get raring, or parse raring's Packages files13:53
cjwatsonDon't poke about in the pool directly unless you know exactly what you're doing13:53
cjwatsondists/raring/*/binary-*/Packages.gz are the indices13:54
cjwatsonarchive.ubuntu.com has all versions; it is not plausible that it doesn't have the latest ones13:54
halfiecjwatson, debmirror seems the way to go. does "python-debian" support parsing of those indices?13:54
cjwatsonBut it also has versions from every still-supported release13:54
halfieI see. Then I screwed up navigation of the archive.ubuntu.com tree :)13:55
cjwatsondebian.deb822 specifically13:55
cjwatsonOr just grep for the Filename fields13:55
halfiecan I ask debmirror just to get latest "sudo" package? (I don't think so but is there an utility which can do this?). Maybe python-debian can help (parse indices and wget)13:56
halfieahh okay, got it13:56
cjwatsonThat's not a sensible use of debmirror13:56
cjwatsonDoesn't Fedora have an apt port?  You could set apt up with a local configuration file and use the apt-get download subcommand13:57
cjwatsonOr as you say debian.deb822 + urllib or whatever can do it13:57
cjwatsonOr you could set up an Ubuntu raring chroot with debootstrap and work in that13:57
cjwatsonSeveral options :)13:58
halfiecjohnston, the first option is quite interesting, giving it a try :)13:58
cjwatson(Could you please remember to type more characters before hitting tab to avoid bugging poor cj ohnston all the time?)13:59
halfieohh sorry, sure :)14:00
halfieI have gotten used to tabbing so much everywhere14:00
cjohnstonhalfie: 1 + 2 + 3 + tab14:01
=== glebihan_ is now known as glebihan
=== bigon_ is now known as bigon
=== debfx_ is now known as debfx
mdeslaurhrm, http://utcc.utoronto.ca/~cks/space/blog/linux/UbuntuAccountsServiceProblems16:43
=== Sp4rKy_ is now known as Sp4rKy
=== Ursinha_ is now known as Ursinha

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!