=== megha is now known as Guest99477
=== wcchandl1r is now known as wcchandler
[05:31] does Ubuntu maintain a list of packages which must be hardened for security reasons?
[06:13] halfie: everything hardened by default in Ubuntu
[06:13] (though you may have a more specific definition of "hardened")
=== doko_ is now known as doko
[06:30] kees!
[07:59] kees, are you sure? by hardening I mean stuff like RELRO / PIE being enabled.
[08:05] it seems that the Ubuntu compiler doesn't enable hardening by default. so do you enable hardening for every package on individual basis?
[08:15] halfie: since ~quantal or precise yes
[08:15] automatic hardening is not enabled anymore
[08:16] but like kees says hardening is enabled for almost all packages? correct?
[08:16] seems hard to believe
[08:16] probably almost all in main
[08:16] in universe coverage is probably less good
[08:16] cool :)
[08:17] I can use Ubuntu's example to drive hardening in Fedora then
[08:17] I think some things may still be enabled by default, like FORTIFY_SOURCE_
[08:17] and same rules apply on both x86 and AMD64, right? if a package is hardened then it is hardened on both?
[08:17] yes, though pie is seldom enabled
[08:18] on i386 it has a rather large performance impact
[08:18] aha I see. yes on i386 PIE is crap.
[08:18] so do you disable PIE on i386 then ?
[08:19] but enable it for the same package when building for AMD64
[08:19] it's enabled on per package basis, so far I know it's usually all off or all on
[08:19] ok, makes less of a maintenance burden this way I guess.
[08:20] you may want to read this: http://wiki.debian.org/Hardening
[08:20] jtaylor, already been there :). I have scanned all Fedora packages using custom written script. Now I am planning to do the same for Ubuntu.
[08:20] I will be using "python-debian" package for doing this
[08:20] we already have scripts for checking if hardening is enabled
[08:21] hardening-check
[08:21] it does have some issues though
[08:21] jtaylor, does it work on any platform and does it run straight on .deb files without installing them?
[08:21] it works on ELF files
[08:22] my script doesn't need packages to be installed and it doesn't touch the disk except for reading. I have "checksec" for running on ELF files.
[08:23] what does it do?
[08:23] I will take a look at hardening-check though. Maybe it has some neat ideas :)
[08:23] https://github.com/kholia/checksec <== it scans package repositories and figures out various bits
[08:24] Now I am planning to add .deb support to it.
[08:24] BTW is there a Python / Ruby library for parsing .deb files? "python-debian" is kind of broken.
[08:28] broken in what way?
[08:28] jtaylor, debian packages use "xz" compression now I believe? python-debian doesn't work for such files and python 2.x doesn't have lzma module
[08:29] I am porting python-debian to Python 3
[08:31] halfie: You may be interested in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506861
[08:31] Debian bug 506861 in python-debian "python-debian: Please add support for lzma-compressed debs" [Wishlist,Open]
[08:32] isn't pylzma support backported to py2?
[08:32] infinity, awesome! :) you saved me hours of work :)
[08:32] there is a python-lzmq module
[08:32] ah that's also mentioned in the bug :)
[08:34] also "xz" is the recommended scheme?
[08:34] dpkg-deb defaults to gzip, but xz and bz2 are both widely used.
[08:35] dpkg-deb (and python-debian) are meant to abstract that away, so you never need to care.
[08:35] Well, python-debian would do so with the patch in that bug. :P
[08:36] I am giving up porting to Python 3. It is hard :)
[08:37] It's already ported in unstable, quantal, and raring.
[08:37] to Python 3?
[08:37] The patch in that bug applies to said ported version, if I recall.
[08:38] Yes. Binary package is python3-debian.
[08:38] so the "python2-debian" has no support for "xz" ?
[08:38] Neither one has support for xz, without that patch applied.
[08:38] the changelog says it has support
[08:39] as the mentioned bug in python is fixed
[08:39] If you read the notes on the patch, it works with both py2 and py3, but cheats with py2 by just forking the xz binaries instead of using a module.
[08:41] you give up early ...
[08:52] got disconnected. thanks infinity !
[08:56] yay! success :)
[08:57] now where exactly is metadata like packager's name, checksums stored? in the "control" section?
[09:19] doko: I somehow managed to break python installation in an autopkgtest, see line 3429
[09:19] doko: I can't seem to create a minimal testcase though :/ maybe you already see the cause
[09:19] jtaylor, which line/where?
[09:19] the issue is python2.7-minimal is configured before libpython2.7-minimal
[09:20] http://paste.ubuntu.com/5682267/
[09:28] maybe that should be a Pre-Depends ...
[10:04] Hello, I encountered a bug in Ubiquity that I've reported on Launchpad:
[10:04] https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1165344
[10:04] Launchpad bug 1165344 in ubiquity (Ubuntu) "Ubiquity hangs on disk with many partitions" [Undecided,New]
[10:05] cjwatson: maybe you could take a look at it (if you have the time, of course....)?
[10:06] pjotr: probably a duplicate of bug 1080701
[10:06] bug 1080701 in ubiquity (Ubuntu Raring) "After 'Preparing to install Ubuntu' screen, raring installation hangs" [High,Confirmed] https://launchpad.net/bugs/1080701
[10:08] jtaylor: yes, that looks like the same bug.... I'll tag mine as a duplicate. Thanks. :-)
[10:12] halfie: Confused as to why you're porting python-debian to Python 3. I did that port last year or so.
[10:12] Oh, yeah, infinity already said that.
[10:42] jtaylor, please could you check https://launchpad.net/~doko/+archive/ppa ?
[10:52] doko: seems to fix my problem
[10:54] does it really need a pre-depends? isn't it the postinst that fails?
[10:58] jtaylor, please check it without it
=== hggdh is now known as hggdh_
=== hggdh_ is now known as hggdh
=== hggdh is now known as hggdh_
[13:08] cjohnston, thanks for porting python-debian to Python 3.
[13:15] yw
[13:33] I am running Fedora and trying to analyze Ubuntu packages. What would be a good way to get all the packages in "main" pool. It would be great if I could only get the latest versions of programs.
[13:36] If there is no "bright" idea, then I will run rsync as the last option.
[13:39] halfie: try 'debmirror'
[13:40] halfie: http://manpages.ubuntu.com/manpages/precise/en/man1/debmirror.1.html
[13:40] siretart, thanks, I am reading about it on https://help.ubuntu.com/community/Debmirror
[13:46] how do I interpret this mode value "493" ? I found it in sudo's .deb file.
[13:47] halfie: on which file?
[13:48] 493 ./usr/sbin/visudo
[13:48] halfie: I think you would be less confused if you quoted modes in the conventional octal base, not decimal
[13:48] 493 decimal == 755 octal
[13:48] i.e. -rwxr-xr-x
[13:48] oh, I could not guess the base earlier :) thanks!
[13:49] The oct() builtin in Python may help
[13:49] do you know a package which has a setuid file?
[13:49] su?
[13:49] /usr/bin/sudo
[13:49] in the sudo package you're already looking at
[13:50] oh right, it's right in front of me
[13:50] BTW PIE and RELRO are disabled for sudo
[13:50] Not in the current version
[13:50] http://paste.ubuntu.com/5682875/
[13:51] that's sudo 1.8.6p3-0ubuntu3 on amd64
[13:52] now where did I get my package from then :S ?
[13:52] I don't think that's a recent change either ...
[13:52] Well, first you might like to cite which version you're looking at?
[13:52] sudo_1.6.9p10-1ubuntu3.10_amd64.deb <== seems to be old
[13:53] I got it from archive.ubuntu.com
[13:53] That's the version in hardy, which is ancient
[13:53] ah okay. I need to find a mirror which has latest packages.
[13:53] Either use a mirroring tool to get raring, or parse raring's Packages files
[13:53] Don't poke about in the pool directly unless you know exactly what you're doing
[13:54] dists/raring/*/binary-*/Packages.gz are the indices
[13:54] archive.ubuntu.com has all versions; it is not plausible that it doesn't have the latest ones
[13:54] cjwatson, debmirror seems the way to go. does "python-debian" support parsing of those indices?
[13:54] But it also has versions from every still-supported release
[13:54] Yes
[13:55] I see. Then I screwed up navigation of the archive.ubuntu.com tree :)
[13:55] debian.deb822 specifically
[13:55] Or just grep for the Filename fields
[13:56] can I ask debmirror just to get latest "sudo" package? (I don't think so but is there a utility which can do this?). Maybe python-debian can help (parse indices and wget)
[13:56] ahh okay, got it
[13:56] That's not a sensible use of debmirror
[13:56] true
[13:57] Doesn't Fedora have an apt port? You could set apt up with a local configuration file and use the apt-get download subcommand
[13:57] Or as you say debian.deb822 + urllib or whatever can do it
[13:57] Or you could set up an Ubuntu raring chroot with debootstrap and work in that
[13:58] Several options :)
[13:58] cjohnston, the first option is quite interesting, giving it a try :)
[13:59] (Could you please remember to type more characters before hitting tab to avoid bugging poor cj ohnston all the time?)
[14:00] ohh sorry, sure :)
[14:00] I have gotten used to tabbing so much everywhere
[14:01] halfie: 1 + 2 + 3 + tab
[14:01] :-)
[14:01] :D
=== glebihan_ is now known as glebihan
=== bigon_ is now known as bigon
=== debfx_ is now known as debfx
[16:43] hrm, http://utcc.utoronto.ca/~cks/space/blog/linux/UbuntuAccountsServiceProblems
=== Sp4rKy_ is now known as Sp4rKy
=== Ursinha_ is now known as Ursinha