Oops, thought I sent this to the list too...

Alright, let me qualify first before I talk about ports. For the last 3 months I've been using my own distribution of Linux. I don't know whether a lot of linux-from-scratch people can say that or not, but I'm pretty proud of it. You can find some documents on it here: http://sonic.net/~someone/slothware/. I have two people that mirror it if you want to actually look at what I have. Before I rolled my own distribution I used gentoo since about 2001 or so, when it first showed up.

I am familiar with port systems. Like I said, I used gentoo, I use OpenBSD and NetBSD's pkgsrc was my original ports system for Slothware (my distribution). I've also worked with the GAR ports system as well (not my favorite). I, with a few others, do my best in #linux-help to help out "newbies."

I have a fairly solid understanding of how the original UNIX kernel and the Linux kernel work. In particular, I've studied the virtual memory subsystem, the filesystem and ELF. I'm familiar with gcc and the linkers. I haven't put out any massive projects, aside from Slothware, but I continue to learn about and use C, assembly and bash (my favorite languages) as time goes by. Most importantly of all: what I don't know, I can learn.

Personally? I'm a computer science major and will be doing the computer systems program at either U.C. Berkeley or Davis. Right now I'm finishing up general education at Santa Rosa Junior College (in northern California). You can see my class schedule here: http://www.sonic.net/~someone/classes.html. I guess you can find a picture of me here: http://sonic.net/~someone/photos/. I'm 21 years old, dedicated to computers and school. Right now I'd have to say my interests are still in security, assembly, and studying the Linux kernel.

Okay, let's get back to ports.
Stack-smashing protector isn't exactly a simple matter, but I can point you at some documents you might want to look at: http://www.trl.ibm.com/projects/security/ssp/node1.html and http://immunix.org/StackGuard/usenixsc98.pdf. The first is what I'm porting and the second, the pdf, is the original proposal for the work, back in 1998.

Basically, what you want to know is that it does a good job "preventing" buffer overflows. It is by no means the solution to all security problems. Please read this document: http://pax.grsecurity.net/docs/pax.txt. Some security is better than no security. This deals with the problem at a source level: when you compile code with SSP, the binary produced will actually differ between that and what would normally come out. It's not a Non-Executable stack implementation, but it reorders the layout of the process in memory (the rest of the stack comes after the return address) and it puts a little barrier there as well. Anyway, please read the first document at least if you're interested.

Is this a port that people need? Let me put it this way: if you're running a server, I'd highly recommend it (as well as PaX and some kind of MAC). It's pretty widely used right now. Check out the gentoo hardened project: http://hardened.gentoo.org. It's also become default in a few distributions of gcc. People do use it.

I should note that it will only protect the executables and libraries that you compile with it. If an executable uses a shared object that is compiled with ssp, that code will be protected but the main applications will not be. This doesn't get rid of the buffer overflow itself but "prevents" it from doing much of anything.

I have a preliminary port of gcc-ssp here: http://sonic.net/~someone/files/gcc-ssp.tar.bz2. It's not finished right now. I'd advise against using it with ccache right now; although I do use it for everything, it needs some more testing.
The other thing I'm interested in porting right now is gaim-encryption (see: http://gaim-encryption.sourceforge.net), which is just a method of encrypting conversation over AOL's instant messaging network via gaim (see http://gaim.sourceforge.net), a very popular IM client for Linux. I will check out the 'unmaintained' section of the CRUX ports tree as well.

Please let me know what else you want to know about me or if you have any other questions. Sorry if this sounds kind of resume-ish. Have a good day, I'm off to school now.

* tony

On Mon, 2004-08-30 at 12:05 +0200, Johannes Winkelmann wrote:
Hi,
On Sun, Aug 29, 2004 at 15:51:16 -0700, Anthony de Almeida Lopes wrote:
> I'd like to know how to apply to be a package maintainer. The MaintainerGuidelines document on the wiki is pretty vague on that.

Please let us know what parts are vague; we've tried to make it clear, but we tend to forget things we think are obvious, so we're happy to fix those things.
The process to apply is about the following:
1. package software, create ports, publish them, maintain them
2. Read http://clc.morpheus.net:6999/clc/wiki?p=MaintainerGuidelines and see whether you agree to the rules and requirements mentioned there; also read the CLC package guidelines, available through the "Documents" section of the CLC webpage, and validate your ports against them.
3. Send an application to clc-devel@lists.berlios.de, containing "links to packages the applicant did, and a list of packages she/he'd like to maintain. It's best to send an URL to some ports the applicant made".
We also like to know who we're dealing with, so some notes about you are definitely appreciated. There are some examples in the mailing list archive at https://lists.berlios.de/pipermail/clc-devel/
After that, some maintainers will look into the ports and advocate for the applicant if they think he/she is a good match, or give some tips how to improve them to fit
> I'd also like to know how I register an account for the bug reporting system, or whether all bugs are supposed to be anonymous.

For now, we've never had someone asking for an account, but if you plan to do a lot of bug reporting, this could be arranged. Anonymous reporting is fine though.
Hope this helps,
Regards, Johannes
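
The guard mechanism described in the message above, as an added example that is not part of the original e-mail or of the gcc-ssp port: a C model of one stack frame showing how a guard word between a buffer and the saved return address turns an overflow into a detected abort, and why code built without the protector gets no such check. The frame layout, `run_frame`, the guard value and the return address are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame as a flat byte array; offsets grow
 * toward the saved return address, as on a downward-growing stack. */
enum { BUF_SZ = 16, WORD = 8, FRAME_SZ = 64 };
enum outcome { FRAME_OK, FRAME_HIJACKED, FRAME_ABORTED };

static const uint64_t GUARD_VALUE = 0x00000aff0d0a00ffULL; /* hypothetical */
static const uint64_t SAVED_RET   = 0x0000000000401136ULL; /* constructed */

/* Copy `len` untrusted bytes into the frame's buffer with no bounds check
 * (the bug), then run the function epilogue.
 * with_ssp = 1 models code compiled with the protector: [buf][guard][ret]
 * with_ssp = 0 models code compiled without it:          [buf][ret]       */
enum outcome run_frame(const uint8_t *input, size_t len, int with_ssp)
{
    uint8_t frame[FRAME_SZ] = {0};
    size_t guard_off = BUF_SZ;
    size_t ret_off = with_ssp ? BUF_SZ + WORD : BUF_SZ;
    uint64_t guard, ret;

    /* Prologue: lay down the guard (if any) and the return address. */
    if (with_ssp)
        memcpy(frame + guard_off, &GUARD_VALUE, WORD);
    memcpy(frame + ret_off, &SAVED_RET, WORD);

    /* The overflow; clamped only to keep the model itself memory-safe. */
    if (len > FRAME_SZ)
        len = FRAME_SZ;
    memcpy(frame, input, len);

    /* Epilogue: the guard is checked before the return address is used. */
    if (with_ssp) {
        memcpy(&guard, frame + guard_off, WORD);
        if (guard != GUARD_VALUE)
            return FRAME_ABORTED;  /* a real protector ends the process here */
    }
    memcpy(&ret, frame + ret_off, WORD);
    return ret == SAVED_RET ? FRAME_OK : FRAME_HIJACKED;
}

int main(void)
{
    uint8_t in[32];
    memset(in, 0x41, sizeof in);   /* constructed oversized input */
    printf("no ssp: %d, ssp: %d\n", run_frame(in, 32, 0), run_frame(in, 32, 1));
    return 0;
}
```

The overflow still happens in both cases; the protected frame only detects it before the corrupted return address is used.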