| === megha is now known as Guest99477 | ||
| === wcchandl1r is now known as wcchandler | ||
| halfie | does Ubuntu maintain a list of packages which must be hardened for security reasons? | 05:31 |
|---|---|---|
| kees | halfie: everything hardened by default in Ubuntu | 06:13 |
| kees | (though you may have a more specific definition of "hardened") | 06:13 |
| === doko_ is now known as doko | ||
| doko | kees! | 06:30 |
| halfie | kees, are you sure? by hardening I mean stuff like RELO / PIE being enabled. | 07:59 |
| halfie | it seems that the Ubuntu compiler doesn't enable hardening by default. so do you enable hardening for every packages on individual basis? | 08:05 |
| jtaylor | halfie: since ~quantal or precise yes | 08:15 |
| jtaylor | automatic hardening is not enabled anymore | 08:15 |
| halfie | but like kees says hardening is enabled for almost all packages? correct? | 08:16 |
| halfie | seems hard to believe | 08:16 |
| jtaylor | probably almost all in main | 08:16 |
| jtaylor | in universe coverage is probably less good | 08:16 |
| halfie | cool :) | 08:16 |
| halfie | I can use Ubuntu's example to drive hardening in Fedora then | 08:17 |
| jtaylor | I think some things may still be enabled by default, like FORTIFY_SOURCE_ | 08:17 |
| halfie | and same rules apply on both x86 and AMD64, right? if a package is hardened then it is hardened on both? | 08:17 |
| jtaylor | yes, though pie is seldom enabled | 08:17 |
| jtaylor | on i386 it has a rather large performance impact | 08:18 |
| halfie | aha I see. yes on i383 PIE is crap. | 08:18 |
| halfie | so do you disable PIE on i386 then ? | 08:18 |
| halfie | but enable it for the same package when building for AMD64 | 08:19 |
| jtaylor | its enabled on per package basis, so far I know its usually all off or all on | 08:19 |
| halfie | ok, makes less of a maintenance burden this way I guess. | 08:19 |
| jtaylor | you may want to read this: http://wiki.debian.org/Hardening | 08:20 |
| halfie | jtaylor, already been there :). I have scanned all Fedora packages using custom written script. Now I am planning to do the same for Ubuntu. | 08:20 |
| halfie | I will be using "python-debian" package for doing this | 08:20 |
| jtaylor | we already have scripts for checking if hardening is enabled | 08:20 |
| jtaylor | hardening-check | 08:21 |
| jtaylor | it does have some sisues though | 08:21 |
| halfie | jtaylor, does it work on any platform and does it run straight on .deb files without installing them? | 08:21 |
| jtaylor | it works on ELF files | 08:21 |
| halfie | my script doesn't need packages to be installed and it doesn't touch the disk except for reading. I have "checksec" for running on ELF files. | 08:22 |
| jtaylor | what does it do? | 08:23 |
| halfie | I will take a look at hardening-check though. Maybe it has some neat ideas :) | 08:23 |
| halfie | https://github.com/kholia/checksec <== it scans package repositories and figures out various bits | 08:23 |
| halfie | Now I am planning to add .deb support to it. | 08:24 |
| halfie | BTW is there a Python / Ruby library for parsing .deb files? "python-debian" is kind of broken. | 08:24 |
| jtaylor | broken in what way? | 08:28 |
| halfie | jtaylor, debian packages use "xz" compression now I believe? python-debian doesn't work for such files and python 2.x doesn't have lzma module | 08:28 |
| halfie | I am porting python-debian to Python 3 | 08:29 |
| infinity | halfie: You may be interested in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506861 | 08:31 |
| ubottu | Debian bug 506861 in python-debian "python-debian: Please add support for lzma-compressed debs" [Wishlist,Open] | 08:31 |
| jtaylor | isn't pylzma support backported to py2? | 08:32 |
| halfie | infinity, awesome! :) you saved me hours of work :) | 08:32 |
| jtaylor | there is a python-lzmq module | 08:32 |
| jtaylor | ah thats also mentioned in the bug :) | 08:32 |
| halfie | also "xz" is the recommend scheme? | 08:34 |
| infinity | dpkg-deb defaults to gzip, but xz and bz2 are both widely used. | 08:34 |
| infinity | dpkg-deb (and python-debian) are meant to abstract that away, so you never need to care. | 08:35 |
| infinity | Well, python-debian would do so with the patch in that bug. :P | 08:35 |
| halfie | I am giving up porting to Python 3. It is hard :) | 08:36 |
| infinity | It's already ported in unstable, quantal, and raring. | 08:37 |
| halfie | to Python 3? | 08:37 |
| infinity | The patch in that bug applies to said ported version, if I recall. | 08:37 |
| infinity | Yes. Binary package is python3-debian. | 08:38 |
| halfie | so the "python2-debian" has no support for "xz" ? | 08:38 |
| infinity | Neither one has support for xz, without that patch applied. | 08:38 |
| jtaylor | the changelog says it has support | 08:38 |
| jtaylor | as the mentioned bug in python is fixed | 08:39 |
| infinity | If you read the notes on the patch, it works with both py2 and py3, but cheats with py2 by just forking the xz binaries instead of using a module. | 08:39 |
| doko | you give up early ... | 08:41 |
| halfie | got disconnected. thanks infinity ! | 08:52 |
| halfie | yay! success :) | 08:56 |
| halfie | now where exactly is metadata like packager's name, checksums stores? in the "control" section? | 08:57 |
| jtaylor | doko: I somehow managed to break python installation in a autopkgtest, see line 3429 | 09:19 |
| jtaylor | doko: I can't seem to create a minimal testcase though :/ maybe you already see the cause | 09:19 |
| doko | jtaylor, which line/where? | 09:19 |
| jtaylor | the issue is python2.7-minimal is configured before libpython2.7-minimal | 09:19 |
| jtaylor | http://paste.ubuntu.com/5682267/ | 09:20 |
| doko | maybe that should be a Pre-Depends ... | 09:28 |
| pjotr | Hello, I encountered a bug in Ubiquity that I've reported on Launchpad: | 10:04 |
| pjotr | https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1165344 | 10:04 |
| ubottu | Launchpad bug 1165344 in ubiquity (Ubuntu) "Ubiquity hangs on disk with many partitions" [Undecided,New] | 10:04 |
| pjotr | cjwatson: maybe you could take a look at it (if you have the time, of course....)? | 10:05 |
| jtaylor | pjotr: probably a duplicate of bug 1080701 | 10:06 |
| ubottu | bug 1080701 in ubiquity (Ubuntu Raring) "After 'Preparing to install Ubuntu' screen, raring installation hangs" [High,Confirmed] https://launchpad.net/bugs/1080701 | 10:06 |
| pjotr | jtaylor: yes, that looks like the same bug.... I'll tag mine as a duplicate. Thanks. :-) | 10:08 |
| cjwatson | halfie: Confused as to why you're porting python-debian to Python 3. I did that port last year or so. | 10:12 |
| cjwatson | Oh, yeah, infinity already said that. | 10:12 |
| doko | jtaylor, please could you check https://launchpad.net/~doko/+archive/ppa ? | 10:42 |
| jtaylor | doko: seems to fix my problem | 10:52 |
| jtaylor | does it really need a pre-depends? isn't it the postinst that fails? | 10:54 |
| doko | jtaylor, please check it without it | 10:58 |
| === hggdh is now known as hggdh_ | ||
| === hggdh_ is now known as hggdh | ||
| === hggdh is now known as hggdh_ | ||
| halfie | cjohnston, thanks for porting python-debian to Python 3. | 13:08 |
| cjwatson | yw | 13:15 |
| halfie | I am running Fedora and trying to analyze Ubuntu packages. What would be a good way to get all the packages in "main" pool. It would be great if I could only get the latest versions of programs. | 13:33 |
| halfie | If there is no "bright" idea, then I will run rsync as the last option. | 13:36 |
| siretart | halfie: try 'debmirror' | 13:39 |
| siretart | halfie: http://manpages.ubuntu.com/manpages/precise/en/man1/debmirror.1.html | 13:40 |
| halfie | siretart, thanks, I am reading about it on https://help.ubuntu.com/community/Debmirror | 13:40 |
| halfie | how do I interpret this mode value "493" ? I found it in sudo 's .deb file. | 13:46 |
| cjwatson | halfie: on which file? | 13:47 |
| halfie | 493 ./usr/sbin/visudo | 13:48 |
| cjwatson | halfie: I think you would be less confused if you quoted modes in the conventional octal base, not decimal | 13:48 |
| cjwatson | 493 decimal == 755 octal | 13:48 |
| cjwatson | i.e. -rwxr-xr-x | 13:48 |
| halfie | oh, I could not guess the base earlier :) thanks! | 13:48 |
| cjwatson | The oct() builtin in Python may help | 13:49 |
| halfie | do you know a package which has a setuid file? | 13:49 |
| siretart | su? | 13:49 |
| cjwatson | /usr/bin/sudo | 13:49 |
| cjwatson | in the sudo package you're already looking at | 13:49 |
| halfie | oh right, its right in front of me | 13:50 |
| halfie | BTW PIE and RELRO are disabled for sudo | 13:50 |
| cjwatson | Not in the current version | 13:50 |
| cjwatson | http://paste.ubuntu.com/5682875/ | 13:50 |
| cjwatson | that's sudo 1.8.6p3-0ubuntu3 on amd64 | 13:51 |
| halfie | now where did I get my package from then :S ? | 13:52 |
| cjwatson | I don't think that's a recent change either ... | 13:52 |
| cjwatson | Well, first you might like to cite which version you're looking at? | 13:52 |
| halfie | sudo_1.6.9p10-1ubuntu3.10_amd64.deb <== seems to be old | 13:52 |
| halfie | I got it from archive.ubuntu.com | 13:53 |
| cjwatson | That's the version in hardy, which is ancient | 13:53 |
| halfie | ah okay. I need to find a mirror which has latest packages. | 13:53 |
| cjwatson | Either use a mirroring tool to get raring, or parse raring's Packages files | 13:53 |
| cjwatson | Don't poke about in the pool directly unless you know exactly what you're doing | 13:53 |
| cjwatson | dists/raring/*/binary-*/Packages.gz are the indices | 13:54 |
| cjwatson | archive.ubuntu.com has all versions; it is not plausible that it doesn't have the latest ones | 13:54 |
| halfie | cjwatson, debmirror seems the way to go. does "python-debian" support parsing of those indices? | 13:54 |
| cjwatson | But it also has versions from every still-supported release | 13:54 |
| cjwatson | Yes | 13:54 |
| halfie | I see. Then I screwed up navigation of the archive.ubuntu.com tree :) | 13:55 |
| cjwatson | debian.deb822 specifically | 13:55 |
| cjwatson | Or just grep for the Filename fields | 13:55 |
| halfie | can I ask debmirror just to get latest "sudo" package? (I don't think so but is there an utility which can do this?). Maybe python-debian can help (parse indices and wget) | 13:56 |
| halfie | ahh okay, got it | 13:56 |
| cjwatson | That's not a sensible use of debmirror | 13:56 |
| halfie | true | 13:56 |
| cjwatson | Doesn't Fedora have an apt port? You could set apt up with a local configuration file and use the apt-get download subcommand | 13:57 |
| cjwatson | Or as you say debian.deb822 + urllib or whatever can do it | 13:57 |
| cjwatson | Or you could set up an Ubuntu raring chroot with debootstrap and work in that | 13:57 |
| cjwatson | Several options :) | 13:58 |
| halfie | cjohnston, the first option is quite interesting, giving it a try :) | 13:58 |
| cjwatson | (Could you please remember to type more characters before hitting tab to avoid bugging poor cj ohnston all the time?) | 13:59 |
| halfie | ohh sorry, sure :) | 14:00 |
| halfie | I have gotten used to tabbing so much everywhere | 14:00 |
| cjohnston | halfie: 1 + 2 + 3 + tab | 14:01 |
| cjohnston | :-) | 14:01 |
| halfie | :D | 14:01 |
| === glebihan_ is now known as glebihan | ||
| === bigon_ is now known as bigon | ||
| === debfx_ is now known as debfx | ||
| mdeslaur | hrm, http://utcc.utoronto.ca/~cks/space/blog/linux/UbuntuAccountsServiceProblems | 16:43 |
| === Sp4rKy_ is now known as Sp4rKy | ||
| === Ursinha_ is now known as Ursinha | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!