=== megha is now known as Guest99477 | ||
=== wcchandl1r is now known as wcchandler | ||
halfie | does Ubuntu maintain a list of packages which must be hardened for security reasons? | 05:31 |
kees | halfie: everything hardened by default in Ubuntu | 06:13 |
kees | (though you may have a more specific definition of "hardened") | 06:13 |
=== doko_ is now known as doko | ||
doko | kees! | 06:30 |
halfie | kees, are you sure? by hardening I mean stuff like RELRO / PIE being enabled. | 07:59 |
halfie | it seems that the Ubuntu compiler doesn't enable hardening by default. so do you enable hardening for every package on an individual basis? | 08:05 |
jtaylor | halfie: since ~quantal or precise yes | 08:15 |
jtaylor | automatic hardening is not enabled anymore | 08:15 |
halfie | but like kees says hardening is enabled for almost all packages? correct? | 08:16 |
halfie | seems hard to believe | 08:16 |
jtaylor | probably almost all in main | 08:16 |
jtaylor | in universe coverage is probably less good | 08:16 |
halfie | cool :) | 08:16 |
halfie | I can use Ubuntu's example to drive hardening in Fedora then | 08:17 |
jtaylor | I think some things may still be enabled by default, like FORTIFY_SOURCE | 08:17 |
halfie | and same rules apply on both x86 and AMD64, right? if a package is hardened then it is hardened on both? | 08:17 |
jtaylor | yes, though pie is seldom enabled | 08:17 |
jtaylor | on i386 it has a rather large performance impact | 08:18 |
halfie | aha I see. yes on i386 PIE is crap. | 08:18 |
halfie | so do you disable PIE on i386 then? | 08:18 |
halfie | but enable it for the same package when building for AMD64 | 08:19 |
jtaylor | it's enabled on a per-package basis, so far as I know it's usually all off or all on | 08:19 |
halfie | ok, makes less of a maintenance burden this way I guess. | 08:19 |
jtaylor | you may want to read this: http://wiki.debian.org/Hardening | 08:20 |
halfie | jtaylor, already been there :). I have scanned all Fedora packages using a custom-written script. Now I am planning to do the same for Ubuntu. | 08:20 |
halfie | I will be using "python-debian" package for doing this | 08:20 |
jtaylor | we already have scripts for checking if hardening is enabled | 08:20 |
jtaylor | hardening-check | 08:21 |
jtaylor | it does have some issues though | 08:21 |
halfie | jtaylor, does it work on any platform and does it run straight on .deb files without installing them? | 08:21 |
jtaylor | it works on ELF files | 08:21 |
halfie | my script doesn't need packages to be installed and it doesn't touch the disk except for reading. I have "checksec" for running on ELF files. | 08:22 |
jtaylor | what does it do? | 08:23 |
halfie | I will take a look at hardening-check though. Maybe it has some neat ideas :) | 08:23 |
halfie | https://github.com/kholia/checksec <== it scans package repositories and figures out various bits | 08:23 |
halfie | Now I am planning to add .deb support to it. | 08:24 |
halfie | BTW is there a Python / Ruby library for parsing .deb files? "python-debian" is kind of broken. | 08:24 |
jtaylor | broken in what way? | 08:28 |
halfie | jtaylor, debian packages use "xz" compression now I believe? python-debian doesn't work for such files and python 2.x doesn't have lzma module | 08:28 |
halfie | I am porting python-debian to Python 3 | 08:29 |
infinity | halfie: You may be interested in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506861 | 08:31 |
ubottu | Debian bug 506861 in python-debian "python-debian: Please add support for lzma-compressed debs" [Wishlist,Open] | 08:31 |
jtaylor | isn't pylzma support backported to py2? | 08:32 |
halfie | infinity, awesome! :) you saved me hours of work :) | 08:32 |
jtaylor | there is a python-lzmq module | 08:32 |
jtaylor | ah thats also mentioned in the bug :) | 08:32 |
halfie | also "xz" is the recommended scheme? | 08:34 |
infinity | dpkg-deb defaults to gzip, but xz and bz2 are both widely used. | 08:34 |
infinity | dpkg-deb (and python-debian) are meant to abstract that away, so you never need to care. | 08:35 |
infinity | Well, python-debian would do so with the patch in that bug. :P | 08:35 |
halfie | I am giving up porting to Python 3. It is hard :) | 08:36 |
infinity | It's already ported in unstable, quantal, and raring. | 08:37 |
halfie | to Python 3? | 08:37 |
infinity | The patch in that bug applies to said ported version, if I recall. | 08:37 |
infinity | Yes. Binary package is python3-debian. | 08:38 |
halfie | so the "python2-debian" has no support for "xz" ? | 08:38 |
infinity | Neither one has support for xz, without that patch applied. | 08:38 |
jtaylor | the changelog says it has support | 08:38 |
jtaylor | as the mentioned bug in python is fixed | 08:39 |
infinity | If you read the notes on the patch, it works with both py2 and py3, but cheats with py2 by just forking the xz binaries instead of using a module. | 08:39 |
doko | you give up early ... | 08:41 |
halfie | got disconnected. thanks infinity ! | 08:52 |
halfie | yay! success :) | 08:56 |
halfie | now where exactly is metadata like packager's name, checksums stored? in the "control" section? | 08:57 |
jtaylor | doko: I somehow managed to break python installation in a autopkgtest, see line 3429 | 09:19 |
jtaylor | doko: I can't seem to create a minimal testcase though :/ maybe you already see the cause | 09:19 |
doko | jtaylor, which line/where? | 09:19 |
jtaylor | the issue is python2.7-minimal is configured before libpython2.7-minimal | 09:19 |
jtaylor | http://paste.ubuntu.com/5682267/ | 09:20 |
doko | maybe that should be a Pre-Depends ... | 09:28 |
pjotr | Hello, I encountered a bug in Ubiquity that I've reported on Launchpad: | 10:04 |
pjotr | https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1165344 | 10:04 |
ubottu | Launchpad bug 1165344 in ubiquity (Ubuntu) "Ubiquity hangs on disk with many partitions" [Undecided,New] | 10:04 |
pjotr | cjwatson: maybe you could take a look at it (if you have the time, of course....)? | 10:05 |
jtaylor | pjotr: probably a duplicate of bug 1080701 | 10:06 |
ubottu | bug 1080701 in ubiquity (Ubuntu Raring) "After 'Preparing to install Ubuntu' screen, raring installation hangs" [High,Confirmed] https://launchpad.net/bugs/1080701 | 10:06 |
pjotr | jtaylor: yes, that looks like the same bug.... I'll tag mine as a duplicate. Thanks. :-) | 10:08 |
cjwatson | halfie: Confused as to why you're porting python-debian to Python 3. I did that port last year or so. | 10:12 |
cjwatson | Oh, yeah, infinity already said that. | 10:12 |
doko | jtaylor, please could you check https://launchpad.net/~doko/+archive/ppa ? | 10:42 |
jtaylor | doko: seems to fix my problem | 10:52 |
jtaylor | does it really need a pre-depends? isn't it the postinst that fails? | 10:54 |
doko | jtaylor, please check it without it | 10:58 |
=== hggdh is now known as hggdh_ | ||
=== hggdh_ is now known as hggdh | ||
=== hggdh is now known as hggdh_ | ||
halfie | cjohnston, thanks for porting python-debian to Python 3. | 13:08 |
cjwatson | yw | 13:15 |
halfie | I am running Fedora and trying to analyze Ubuntu packages. What would be a good way to get all the packages in "main" pool. It would be great if I could only get the latest versions of programs. | 13:33 |
halfie | If there is no "bright" idea, then I will run rsync as the last option. | 13:36 |
siretart | halfie: try 'debmirror' | 13:39 |
siretart | halfie: http://manpages.ubuntu.com/manpages/precise/en/man1/debmirror.1.html | 13:40 |
halfie | siretart, thanks, I am reading about it on https://help.ubuntu.com/community/Debmirror | 13:40 |
halfie | how do I interpret this mode value "493"? I found it in sudo's .deb file. | 13:46 |
cjwatson | halfie: on which file? | 13:47 |
halfie | 493 ./usr/sbin/visudo | 13:48 |
cjwatson | halfie: I think you would be less confused if you quoted modes in the conventional octal base, not decimal | 13:48 |
cjwatson | 493 decimal == 755 octal | 13:48 |
cjwatson | i.e. -rwxr-xr-x | 13:48 |
halfie | oh, I could not guess the base earlier :) thanks! | 13:48 |
cjwatson | The oct() builtin in Python may help | 13:49 |
halfie | do you know a package which has a setuid file? | 13:49 |
siretart | su? | 13:49 |
cjwatson | /usr/bin/sudo | 13:49 |
cjwatson | in the sudo package you're already looking at | 13:49 |
halfie | oh right, it's right in front of me | 13:50 |
halfie | BTW PIE and RELRO are disabled for sudo | 13:50 |
cjwatson | Not in the current version | 13:50 |
cjwatson | http://paste.ubuntu.com/5682875/ | 13:50 |
cjwatson | that's sudo 1.8.6p3-0ubuntu3 on amd64 | 13:51 |
halfie | now where did I get my package from then :S ? | 13:52 |
cjwatson | I don't think that's a recent change either ... | 13:52 |
cjwatson | Well, first you might like to cite which version you're looking at? | 13:52 |
halfie | sudo_1.6.9p10-1ubuntu3.10_amd64.deb <== seems to be old | 13:52 |
halfie | I got it from archive.ubuntu.com | 13:53 |
cjwatson | That's the version in hardy, which is ancient | 13:53 |
halfie | ah okay. I need to find a mirror which has latest packages. | 13:53 |
cjwatson | Either use a mirroring tool to get raring, or parse raring's Packages files | 13:53 |
cjwatson | Don't poke about in the pool directly unless you know exactly what you're doing | 13:53 |
cjwatson | dists/raring/*/binary-*/Packages.gz are the indices | 13:54 |
cjwatson | archive.ubuntu.com has all versions; it is not plausible that it doesn't have the latest ones | 13:54 |
halfie | cjwatson, debmirror seems the way to go. does "python-debian" support parsing of those indices? | 13:54 |
cjwatson | But it also has versions from every still-supported release | 13:54 |
cjwatson | Yes | 13:54 |
halfie | I see. Then I screwed up navigation of the archive.ubuntu.com tree :) | 13:55 |
cjwatson | debian.deb822 specifically | 13:55 |
cjwatson | Or just grep for the Filename fields | 13:55 |
halfie | can I ask debmirror just to get the latest "sudo" package? (I don't think so but is there a utility which can do this?). Maybe python-debian can help (parse indices and wget) | 13:56 |
halfie | ahh okay, got it | 13:56 |
cjwatson | That's not a sensible use of debmirror | 13:56 |
halfie | true | 13:56 |
cjwatson | Doesn't Fedora have an apt port? You could set apt up with a local configuration file and use the apt-get download subcommand | 13:57 |
cjwatson | Or as you say debian.deb822 + urllib or whatever can do it | 13:57 |
cjwatson | Or you could set up an Ubuntu raring chroot with debootstrap and work in that | 13:57 |
cjwatson | Several options :) | 13:58 |
halfie | cjohnston, the first option is quite interesting, giving it a try :) | 13:58 |
cjwatson | (Could you please remember to type more characters before hitting tab to avoid bugging poor cj ohnston all the time?) | 13:59 |
halfie | ohh sorry, sure :) | 14:00 |
halfie | I have gotten used to tabbing so much everywhere | 14:00 |
cjohnston | halfie: 1 + 2 + 3 + tab | 14:01 |
cjohnston | :-) | 14:01 |
halfie | :D | 14:01 |
=== glebihan_ is now known as glebihan | ||
=== bigon_ is now known as bigon | ||
=== debfx_ is now known as debfx | ||
mdeslaur | hrm, http://utcc.utoronto.ca/~cks/space/blog/linux/UbuntuAccountsServiceProblems | 16:43 |
=== Sp4rKy_ is now known as Sp4rKy | ||
=== Ursinha_ is now known as Ursinha |