#21
Originally Posted by javispedro
Note that the popcorn comes from the fact that we are going to repeat (again) a discussion that has been made quite a few times, that usually gets little positive results (if any).
Sorry, too new to have experienced that (though I have been closely watching this forum for a year at least and I cannot for the life of me come up with similar thread/discussion, pls share)

I mean trivial as in "the script that is doing that check is a few chars long". And buggy, as Estel commented.
Trivial cases of autobuilder checks are what I hope we are discussing. If so, we just agreed that the AB, while having limited ability to control packages submitted to it, lacks any degree of security control (if we started listing how many packages have no maintainer, like libxau6, we'd probably break this forum). True, but I only know this to be the case for -devel. Hoping this is not the case with extras(-testing).
#22
Originally Posted by misiak
It's super-amazing that noone got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P.
If this could actually be done, it's an abhorrent oversight.

And this libxau6 ****up isn't the only example. Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.
#23
Originally Posted by bocephus
If this could actually be done, it's an abhorrent oversight.

And this libxau6 ****up isn't the only example. Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.
Funny, I've seen the same package as an update candidate, but no threads about it. Did you have any bad experience with it?
#24
Originally Posted by szopin
Funny, I've seen the same package as an update candidate, but no threads about it. Did you have any bad experience with it?
I of course haven't "upgraded" to it, so I couldn't say. It might be legit, but since I couldn't verify that it was or what potential benefit the new version offered, I ignored it - which in light of recent events seems to have been a wise decision. But I am also interested in hearing more about the devel libcurl3 if someone has any info.
The Following User Says Thank You to bocephus For This Useful Post:
#25
Originally Posted by szopin
Sorry, too new to have experienced that (though I have been closely watching this forum for a year at least and I cannot for the life of me come up with similar thread/discussion, pls share)
http://talk.maemo.org/showpost.php?p...&postcount=683
http://talk.maemo.org/showthread.php?t=56094
https://bugs.maemo.org/show_bug.cgi?id=11709
http://talk.maemo.org/showpost.php?p...&postcount=284

Originally Posted by szopin
Trivial cases of autobuilder checks are what I hope we are discussing. If so, we just agreed that the AB, while having limited ability to control packages submitted to it, lacks any degree of security control (if we started listing how many packages have no maintainer, like libxau6, we'd probably break this forum). True, but I only know this to be the case for -devel. Hoping this is not the case with extras(-testing).
There is NO security at all in either extras or extras-testing. It even says so on the repository www page! Everyone can upload an rm -rf / script there.

Which is why I think that those who blindly upgrade with it enabled must love risk more than anything...
The Following 4 Users Say Thank You to javispedro For This Useful Post:
#26
From maemo-community@maemo.org:

From: Lucas Maneos <maemo@subs.maneos.org>
To: List for community development <maemo-community@maemo.org>

On Sat, Apr 28, 2012 at 01:24:00PM +0200, Estel wrote:
> unrelated package uploaded to community repos, that cause overwrite over
> crucial SSU package.
>
> Sure, this mess is mainly due to lack of common sense on uploader's
> side (which he has history for...), but isn't it also repo bug?
Definitely. The build log[1] shows that the builder correctly detected
the conflict and aborted the armel build, but somehow a binary package
ended up in the repository anyway[2]. Could you file a bug report under
<https://bugs.maemo.org/enter_bug.cgi?product=maemo.org+Website>?

L.

[1] <https://garage.maemo.org/pipermail/extras-cauldron-builds/2012-April/042984.html>
[2] <http://maemo.org/packages/view/libxau6/>
So, it seems it's indeed a bug after all.

/Estel

// edit

bug submitted:
https://bugs.maemo.org/show_bug.cgi?id=12605
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!

Last edited by Estel; 2012-04-29 at 21:13.
The Following 5 Users Say Thank You to Estel For This Useful Post:
#27
Originally Posted by bocephus
Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.
Hey, I updated it some time ago and haven't had any problems. Should I be worried anyway? Does anyone knowledgeable know what this new version actually changes?

/Estel
#28
Well, I'll answer myself:

(From maemo-community@maemo.org mailing list)
Originally Posted by Pali
Hi! I looked at this problematic package.

The package has a changelog in the debian subfolder. Here it is:

===
curl (7.25.0-1maemo2) fremantle; urgency=low
* Maemo package cleanup

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 30 Mar 2012 10:07:43 +0200

curl (7.25.0-1maemo1) fremantle; urgency=high
* New upstream release
- Fix builds with proxy or http disabled
- Fix a numeric overflow in parsing date
- COOKIES: strip the numerical ipv6 host properly
- Fix CONNECT: fix multi interface regression
http://curl.haxx.se/mail/lib-2012-03/0162.html
- SWS: refuse to serve CONNECT unless running as proxy
- Update detection logic of getaddrinfo() thread-safeness
- Fix --libcurl option output file text translation mode
- Fix OOM handling
- Fix resolve with c-ares: don't resolve IPv6 when not working
http://curl.haxx.se/mail/lib-2012-03/0045.html
- SMTP: Changed the curl error code for EHLO and HELO responses

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 23 Mar 2012 09:29:36 +0100
===

Source code of version in extras is here:
http://repository.maemo.org/extras-d...source/c/curl/

The tarball curl_7.25.0.orig.tar.gz from extras-devel is the same as the
upstream 7.25.0 version on: http://curl.haxx.se/download.html

I also checked the additional patches and all of them are only compile flags, nothing more.

So I did not find anything strange in the source code (no backdoor, etc.).

The package is only a "New upstream release". But it is still bad that anybody
can push a new version of Maemo core packages (even if it fixes strange bugs)
without any information...
So, this package seems legit. It's a pity that the uploader hasn't written a single note on TMO; we could have said "thank you". Of course, it still doesn't mean that it doesn't break anything Maemo-specific, but after a few weeks of usage, I haven't had any problems.
The Following 2 Users Say Thank You to Estel For This Useful Post:
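As an added example (not code from this thread, the Maemo autobuilder or the curl project), the review Pali describes above turned into a script: parse the debian/changelog entry, derive the expected orig tarball name from its version, and compare the tarball's SHA-256 against the digest taken from the upstream download page. The changelog text, tarball bytes and digest below are constructed stand-ins, and the maintainer-email comparison is an extra check added here, not one the post describes.

```python
import hashlib
import re

# Constructed sample: the newest changelog entry quoted above, with real debian/changelog indentation.
SAMPLE_CHANGELOG = """\
curl (7.25.0-1maemo2) fremantle; urgency=low
  * Maemo package cleanup

 -- Ludek Finstrle <luf@pzkagis.cz>  Fri, 30 Mar 2012 10:07:43 +0200
"""
# Constructed stand-ins for the orig tarball and for the digest from the upstream download page.
SAMPLE_TARBALL = b"constructed stand-in for curl_7.25.0.orig.tar.gz (not real curl data)"
SAMPLE_UPSTREAM_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)\s*$")
TRAILER_RE = re.compile(r"^\s*-- (.+?) <([^>]+)>\s+(.+?)\s*$")

def parse_changelog(text):
    """Parse debian/changelog text into a list of dicts, newest entry first."""
    entries, cur = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            cur = dict(zip(("package", "version", "distribution", "urgency"), head.groups()),
                       changes=[], maintainer=None, email=None, date=None)
            entries.append(cur)
        elif cur and TRAILER_RE.match(line):
            cur["maintainer"], cur["email"], cur["date"] = TRAILER_RE.match(line).groups()
            cur = None  # the trailer line closes the entry
        elif cur and line.strip():
            cur["changes"].append(line.strip())
    return entries

def upstream_version(debian_version):
    """'7.25.0-1maemo2' -> '7.25.0': drop any epoch and the Debian revision."""
    return debian_version.split(":", 1)[-1].rsplit("-", 1)[0]

def check_upload(changelog, tarball_name, tarball, upstream_sha256, expected_email=None):
    """Return a list of findings; an empty list means the upload passed these checks."""
    entries = parse_changelog(changelog)
    if not entries or entries[0]["maintainer"] is None:
        return ["changelog: newest entry missing or lacks a maintainer trailer"]
    newest, findings = entries[0], []
    expected_name = f"{newest['package']}_{upstream_version(newest['version'])}.orig.tar.gz"
    if tarball_name != expected_name:
        findings.append(f"tarball {tarball_name!r} does not match changelog-derived {expected_name!r}")
    if hashlib.sha256(tarball).hexdigest() != upstream_sha256.lower():
        findings.append("orig tarball sha256 differs from the upstream release digest")
    if expected_email and newest["email"] != expected_email:
        findings.append(f"newest entry signed by {newest['email']}, not {expected_email}")
    return findings
```

The hash comparison only says the orig tarball is the upstream one; the Maemo-specific patches still have to be read by hand, as Pali did.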
#29
Originally Posted by Estel
Well, I'll answer myself:

(From maemo-community@maemo.org mailing list)


So, this package seems legit. It's a pity that the uploader hasn't written a single note on TMO; we could have said "thank you". Of course, it still doesn't mean that it doesn't break anything Maemo-specific, but after a few weeks of usage, I haven't had any problems.
Then the package should be moved to CSSU and wiped out from Extras, but the problem here is who's able to do that?

We have already discussed giving Testers the ability to remove packages, but up to now nothing has been done.

Last edited by ivgalvez; 2012-05-01 at 18:52. Reason: Typo
The Following 3 Users Say Thank You to ivgalvez For This Useful Post:
#30
If a package is going to be part of CSSU, there should be someone who will maintain it and fix it in case bugs appear. There is no chance of putting into CSSU something that doesn't have even a single person knowing its internals.

Of course generally, I agree with You...

/Estel
The Following 3 Users Say Thank You to Estel For This Useful Post: