[05:31] <halfie> does Ubuntu maintain a list of packages which must be hardened for security reasons?
[06:13] <kees> halfie: everything is hardened by default in Ubuntu
[06:13] <kees> (though you may have a more specific definition of "hardened")
[06:30] <doko> kees!
[07:59] <halfie> kees, are you sure? by hardening I mean stuff like RELRO / PIE being enabled.
[08:05] <halfie> it seems that the Ubuntu compiler doesn't enable hardening by default. so do you enable hardening for every package on an individual basis?
[08:15] <jtaylor> halfie: since ~quantal or precise yes
[08:15] <jtaylor> automatic hardening is not enabled anymore
[08:16] <halfie> but like kees says hardening is enabled for almost all packages? correct?
[08:16] <halfie> seems hard to believe
[08:16] <jtaylor> probably almost all in main
[08:16] <jtaylor> in universe coverage is probably less good
[08:16] <halfie> cool :)
[08:17] <halfie> I can use Ubuntu's example to drive hardening in Fedora then
[08:17] <jtaylor> I think some things may still be enabled by default, like FORTIFY_SOURCE_
[08:17] <halfie> and the same rules apply on both x86 and AMD64, right? if a package is hardened then it is hardened on both?
[08:17] <jtaylor> yes, though pie is seldom enabled
[08:18] <jtaylor> on i386 it has a rather large performance impact
[08:18] <halfie> aha I see. yes on i386 PIE is crap.
[08:18] <halfie> so do you disable PIE on i386 then ?
[08:19] <halfie> but enable it for the same package when building for AMD64
[08:19] <jtaylor> it's enabled on a per package basis, as far as I know it's usually all off or all on
[08:19] <halfie> ok, makes less of a maintenance burden this way I guess.
[08:20] <jtaylor> you may want to read this: http://wiki.debian.org/Hardening
[08:20] <halfie> jtaylor, already been there :). I have scanned all Fedora packages using custom written script. Now I am planning to do the same for Ubuntu.
[08:20] <halfie> I will be using "python-debian" package for doing this
[08:20] <jtaylor> we already have scripts for checking if hardening is enabled
[08:21] <jtaylor> hardening-check
[08:21] <jtaylor> it does have some issues though
[08:21] <halfie> jtaylor, does it work on any platform and does it run straight on .deb files without installing them?
[08:21] <jtaylor> it works on ELF files
[08:22] <halfie> my script doesn't need packages to be installed and it doesn't touch the disk except for reading. I have "checksec" for running on ELF files.
[08:23] <jtaylor> what does it do?
[08:23] <halfie> I will take a look at hardening-check though. Maybe it has some neat ideas :)
[08:23] <halfie> https://github.com/kholia/checksec <== it scans package repositories and figures out various bits
[08:24] <halfie> Now I am planning to add .deb support to it.
[08:24] <halfie> BTW is there a Python / Ruby library for parsing .deb files? "python-debian" is kind of broken.
[08:28] <jtaylor> broken in what way?
[08:28] <halfie> jtaylor, debian packages use "xz" compression now I believe? python-debian doesn't work for such files and python 2.x doesn't have lzma module
[08:29] <halfie> I am porting python-debian to Python 3
[08:31] <infinity> halfie: You may be interested in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506861
[08:32] <jtaylor> isn't pylzma support backported to py2?
[08:32] <halfie> infinity, awesome! :) you saved me hours of work :)
[08:32] <jtaylor> there is a python-lzmq module
[08:32] <jtaylor> ah that's also mentioned in the bug :)
[08:34] <halfie> also "xz" is the recommended scheme?
[08:34] <infinity> dpkg-deb defaults to gzip, but xz and bz2 are both widely used.
[08:35] <infinity> dpkg-deb (and python-debian) are meant to abstract that away, so you never need to care.
[08:35] <infinity> Well, python-debian would do so with the patch in that bug. :P
[08:36] <halfie> I am giving up porting to Python 3. It is hard :)
[08:37] <infinity> It's already ported in unstable, quantal, and raring.
[08:37] <halfie> to Python 3?
[08:37] <infinity> The patch in that bug applies to said ported version, if I recall.
[08:38] <infinity> Yes.  Binary package is python3-debian.
[08:38] <halfie> so the "python2-debian" has no support for "xz" ?
[08:38] <infinity> Neither one has support for xz, without that patch applied.
[08:38] <jtaylor> the changelog says it has support
[08:39] <jtaylor> as the mentioned bug in python is fixed
[08:39] <infinity> If you read the notes on the patch, it works with both py2 and py3, but cheats with py2 by just forking the xz binaries instead of using a module.
[08:41] <doko> you give up early ...
[08:52] <halfie> got disconnected. thanks infinity !
[08:56] <halfie> yay! success :)
[08:57] <halfie> now where exactly is metadata like packager's name, checksums stored? in the "control" section?
[09:19] <jtaylor> doko: I somehow managed to break python installation in an autopkgtest, see line 3429
[09:19] <jtaylor> doko: I can't seem to create a minimal testcase though :/ maybe you already see the cause
[09:19] <doko> jtaylor, which line/where?
[09:19] <jtaylor> the issue is python2.7-minimal is configured before libpython2.7-minimal
[09:20] <jtaylor> http://paste.ubuntu.com/5682267/
[09:28] <doko> maybe that should be a Pre-Depends ...
[10:04] <pjotr> Hello, I encountered a bug in Ubiquity that I've reported on Launchpad:
[10:04] <pjotr> https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1165344
[10:05] <pjotr> cjwatson: maybe you could take a look at it (if you have the time, of course....)?
[10:06] <jtaylor> pjotr: probably a duplicate of bug 1080701
[10:08] <pjotr> jtaylor: yes, that looks like the same bug.... I'll tag mine as a duplicate. Thanks. :-)
[10:12] <cjwatson> halfie: Confused as to why you're porting python-debian to Python 3.  I did that port last year or so.
[10:12] <cjwatson> Oh, yeah, infinity already said that.
[10:42] <doko> jtaylor, please could you check https://launchpad.net/~doko/+archive/ppa ?
[10:52] <jtaylor> doko: seems to fix my problem
[10:54] <jtaylor> does it really need a pre-depends? isn't it the postinst that fails?
[10:58] <doko> jtaylor, please check it without it
[13:08] <halfie> cjohnston, thanks for porting python-debian to Python 3.
[13:15] <cjwatson> yw
[13:33] <halfie> I am running Fedora and trying to analyze Ubuntu packages. What would be a good way to get all the packages in "main" pool. It would be great if I could only get the latest versions of programs.
[13:36] <halfie> If there is no "bright" idea, then I will run rsync as the last option.
[13:39] <siretart> halfie: try 'debmirror'
[13:40] <siretart> halfie: http://manpages.ubuntu.com/manpages/precise/en/man1/debmirror.1.html
[13:40] <halfie> siretart, thanks, I am reading about it on https://help.ubuntu.com/community/Debmirror
[13:46] <halfie> how do I interpret this mode value "493" ? I found it in sudo's .deb file.
[13:47] <cjwatson> halfie: on which file?
[13:48] <halfie> 493 ./usr/sbin/visudo
[13:48] <cjwatson> halfie: I think you would be less confused if you quoted modes in the conventional octal base, not decimal
[13:48] <cjwatson> 493 decimal == 755 octal
[13:48] <cjwatson> i.e. -rwxr-xr-x
[13:48] <halfie> oh, I could not guess the base earlier :) thanks!
[13:49] <cjwatson> The oct() builtin in Python may help
[13:49] <halfie> do you know a package which has a setuid file?
[13:49] <siretart> su?
[13:49] <cjwatson> /usr/bin/sudo
[13:49] <cjwatson> in the sudo package you're already looking at
[13:50] <halfie> oh right, it's right in front of me
[13:50] <halfie> BTW PIE and  RELRO are disabled for sudo
[13:50] <cjwatson> Not in the current version
[13:50] <cjwatson> http://paste.ubuntu.com/5682875/
[13:51] <cjwatson> that's sudo 1.8.6p3-0ubuntu3 on amd64
[13:52] <halfie> now where did I get my package from then :S ?
[13:52] <cjwatson> I don't think that's a recent change either ...
[13:52] <cjwatson> Well, first you might like to cite which version you're looking at?
[13:52] <halfie> sudo_1.6.9p10-1ubuntu3.10_amd64.deb <== seems to be old
[13:53] <halfie> I got it from archive.ubuntu.com
[13:53] <cjwatson> That's the version in hardy, which is ancient
[13:53] <halfie> ah okay. I need to find a mirror which has latest packages.
[13:53] <cjwatson> Either use a mirroring tool to get raring, or parse raring's Packages files
[13:53] <cjwatson> Don't poke about in the pool directly unless you know exactly what you're doing
[13:54] <cjwatson> dists/raring/*/binary-*/Packages.gz are the indices
[13:54] <cjwatson> archive.ubuntu.com has all versions; it is not plausible that it doesn't have the latest ones
[13:54] <halfie> cjwatson, debmirror seems the way to go. does "python-debian" support parsing of those indices?
[13:54] <cjwatson> But it also has versions from every still-supported release
[13:54] <cjwatson> Yes
[13:55] <halfie> I see. Then I screwed up navigation of the archive.ubuntu.com tree :)
[13:55] <cjwatson> debian.deb822 specifically
[13:55] <cjwatson> Or just grep for the Filename fields
[13:56] <halfie> can I ask debmirror just to get the latest "sudo" package? (I don't think so but is there a utility which can do this?). Maybe python-debian can help (parse indices and wget)
[13:56] <halfie> ahh okay, got it
[13:56] <cjwatson> That's not a sensible use of debmirror
[13:56] <halfie> true
[13:57] <cjwatson> Doesn't Fedora have an apt port?  You could set apt up with a local configuration file and use the apt-get download subcommand
[13:57] <cjwatson> Or as you say debian.deb822 + urllib or whatever can do it
[13:57] <cjwatson> Or you could set up an Ubuntu raring chroot with debootstrap and work in that
[13:58] <cjwatson> Several options :)
[13:58] <halfie> cjohnston, the first option is quite interesting, giving it a try :)
[13:59] <cjwatson> (Could you please remember to type more characters before hitting tab to avoid bugging poor cj ohnston all the time?)
[14:00] <halfie> ohh sorry, sure :)
[14:00] <halfie> I have gotten used to tabbing so much everywhere
[14:01] <cjohnston> halfie: 1 + 2 + 3 + tab
[14:01] <cjohnston> :-)
[14:01] <halfie> :D
[16:43] <mdeslaur> hrm, http://utcc.utoronto.ca/~cks/space/blog/linux/UbuntuAccountsServiceProblems