From Juergen.Daubert at t-online.de  Sun Aug  1 09:46:24 2004
From: Juergen.Daubert at t-online.de (Juergen Daubert)
Date: Sun, 1 Aug 2004 11:46:24 +0200
Subject: [clc-devel] CLC application
In-Reply-To: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
References: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
Message-ID: <20040801094623.GA7042@jue.netz>

On Sat, Jul 31, 2004 at 09:34:19PM +0300, Jukka Heino wrote:
> Hello everyone,

Hi Jukka,

[...]
> Let me know what you think of all this,

Thanks for your application which I advocate herewith.

Greetings
J?rgen


-- 
juergen.daubert at t-online.de


From jw at tks6.net  Sun Aug  1 18:25:34 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Sun, 1 Aug 2004 20:25:34 +0200
Subject: [clc-devel] CLC application
In-Reply-To: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
References: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
Message-ID: <20040801182534.GA25123@hoc>

Hi Jukka,

On Sat, Jul 31, 2004 at 21:34:19 +0300, Jukka Heino wrote:
> Hello everyone,
> 
> After having given the thought some time (and persuaded by jue on IRC),
> I've decided to apply for the position of a CLC maintainer. 
Just like Tilman and J?rgen before, I support your application to become
a CLC maintainer. I've had a quick look at some of your ports and they
look very clean. Looking forward to have you on board.

Kind regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From victord at v600.net  Mon Aug  2 16:09:27 2004
From: victord at v600.net (Victor)
Date: Mon, 02 Aug 2004 12:09:27 -0400
Subject: [clc-devel] CLC application
In-Reply-To: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
References: <26564976.1091298859883.JavaMail.vector@pp.nic.fi>
Message-ID: <410E6737.5090800@v600.net>

I used some ports, and they looked fine. I am all for it. We could 
always use more good people.

Oh, and what is "civilian service" ?  :)

Victor


From vector at pp.nic.fi  Mon Aug  2 17:13:27 2004
From: vector at pp.nic.fi (Jukka Heino)
Date: Mon, 2 Aug 2004 20:13:27 +0300 (EEST)
Subject: [clc-devel] CLC application
Message-ID: <17598764.1091466807478.JavaMail.vector@pp.nic.fi>

> I used some ports, and they looked fine. I am all for it. We could 
> always use more good people.

Thank you.

> Oh, and what is "civilian service" ?  :)

Civilian service is an alternative to military service. Since every
Finnish male of 18 years or more is required to serve the country, some
decide to not take up arms because of moral or religious reasons. They
fulfill their duty doing civilian service, which consists of work
beneficial to the society, for example working at mental institutes or
taking care of elderly people. Or coding PHP. ;)



From clc-devel at berlios.de  Tue Aug  3 01:25:41 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 3 Aug 2004 03:25:41 +0200
Subject: [clc-devel] [port update] An Update for centericq
Message-ID: <20040803012541.21376.qmail@rfhpc8082.fh-regensburg.de>

Description: Ive updated the Pkgfile for centericq and put it on my HTTPUP repository. Ive tested it and it works great!

http://tito.homelinux.org:8080/httpup/centericq/

Contact: jj at tek dot net

User: anonymous

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=157 


From clc-devel at berlios.de  Tue Aug  3 01:36:31 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 3 Aug 2004 03:36:31 +0200
Subject: [clc-devel] [port update] An Update for centericq
Message-ID: <20040803013631.21573.qmail@rfhpc8082.fh-regensburg.de>

Your port submission has been marked 'defer'

General advise:
Please don't answer to this message unless you are subscribed to the
clc-devel mailinglist; reopen your original submission
(set state to 'new') and add a remark instead

Description: Ive updated the Pkgfile for centericq and put it on my HTTPUP repository. Ive tested it and it works great!

http://tito.homelinux.org:8080/httpup/centericq/

User: rrm3

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=157

Remark: you also need the .footprint and .md5sum files in your httpup repository.


From martin.opel at informatik.fh-regensburg.de  Tue Aug  3 05:45:36 2004
From: martin.opel at informatik.fh-regensburg.de (martin.opel at informatik.fh-regensburg.de)
Date: 3 Aug 2004 07:45:36 +0200
Subject: [clc-devel] new maintainer 'vector'
Message-ID: <20040803054536.24793.qmail@rfhpc8082.fh-regensburg.de>

Hi list,

we have a new maintainer in our team:

  His berlios account: vector (if he has one)
  His mail: vector at pp.nic.fi
  His real name: Jukka Heino

Regards
Martin Opel <mo at obbl-net.de>


From dwalpole at iinet.net.au  Tue Aug  3 08:12:19 2004
From: dwalpole at iinet.net.au (Daniel W.)
Date: Tue, 03 Aug 2004 18:12:19 +1000
Subject: [clc-devel] new maintainer 'vector'
In-Reply-To: <20040803054536.24793.qmail@rfhpc8082.fh-regensburg.de>
References: <20040803054536.24793.qmail@rfhpc8082.fh-regensburg.de>
Message-ID: <410F48E3.2090900@iinet.net.au>

martin.opel at informatik.fh-regensburg.de wrote:

>Hi list,
>
>we have a new maintainer in our team:
>
>  His berlios account: vector (if he has one)
>  His mail: vector at pp.nic.fi
>  His real name: Jukka Heino
>
>Regards
>Martin Opel <mo at obbl-net.de>
>_______________________________________________
>clc-devel mailing list
>clc-devel at lists.berlios.de
>http://lists.berlios.de/mailman/listinfo/clc-devel
>
>  
>
Welcome vector!




From ncrfgs at tin.it  Tue Aug  3 23:44:10 2004
From: ncrfgs at tin.it (ncrfgs)
Date: Wed, 4 Aug 2004 01:44:10 +0200
Subject: [clc-devel] httpup's REPO file
Message-ID: <20040803234410.GA10914@ncrfgs3.ncrfgs>

Hi,

When httpup fail to connect to the repository it exit with: 

  Failed to download REPO: Connect failed; Operation now in progress

and creates an empty REPO file in the directory where he had 
to download the repository, but it doesn't delete it.

Is this intentional?


Best regards.
-- 
Value your freedom, or you will lose it, teaches history. 
``Don't bother us with politics,'' respond those who don't 
want to learn.

 -- Richard M. Stallman
    http://www.gnu.org/philosophy/linux-gnu-freedom.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.crux.nu/pipermail/crux-devel/attachments/20040804/4727834b/attachment.asc>

From clc-devel at berlios.de  Fri Aug  6 22:41:33 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 7 Aug 2004 00:41:33 +0200
Subject: [clc-devel] [port update] update for centericq
Message-ID: <20040806224133.18919.qmail@rfhpc8082.fh-regensburg.de>

Description: added the .footprint and .md5sum

its located at http://tito.homelinux.org:8080/httpup/centericq/

thank you for all your help

Contact: jj at tek dot net

User: anonymous

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=158 


From rrm3 at rrm3.org  Sat Aug  7 21:02:51 2004
From: rrm3 at rrm3.org (Robert McMeekin)
Date: Sat, 07 Aug 2004 17:02:51 -0400
Subject: [clc-devel] Gone hiking...
Message-ID: <1091912571.3980.5.camel@mundus.rrm3.org>

I have just been given an oppurtunity to hike the John Muir trail [1]
and unless something dreadful happens, I plan on leaving tomorrow.  I do
not know how long I will stay away from the real world.  I may be back
in a month, I may not ever be back, or I might even be back in a few
days.  I have marked all my ports as unmaintained, and I recommend
removing my key from crux.fh-regensburg.de.  It has been a real
pleasure.

;; Rob

[1] http://www.pcta.org/about_trail/muir/over.asp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.crux.nu/pipermail/crux-devel/attachments/20040807/b13d15cc/attachment.asc>

From clc-devel at berlios.de  Mon Aug  9 02:04:10 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 9 Aug 2004 04:04:10 +0200
Subject: [clc-devel] [port update] mplayerplug-in
Message-ID: <20040809020410.25709.qmail@rfhpc8082.fh-regensburg.de>

Description: update from .80 to 2.66

Contact: bile at landofbile dot com

User: anonymous

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=159 


From jw at tks6.net  Mon Aug  9 09:37:27 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Mon, 9 Aug 2004 11:37:27 +0200
Subject: [clc-devel] Re: httpup's REPO file
In-Reply-To: <20040803234410.GA10914@ncrfgs3.ncrfgs>
References: <20040803234410.GA10914@ncrfgs3.ncrfgs>
Message-ID: <20040809093727.GA5432@hoc>

Him

On Wed, Aug 04, 2004 at 01:44:10 +0200, ncrfgs wrote:
> Hi,
> 
> When httpup fail to connect to the repository it exit with: 
> 
>   Failed to download REPO: Connect failed; Operation now in progress
> 
> and creates an empty REPO file in the directory where he had 
> to download the repository, but it doesn't delete it.
> 
> Is this intentional?
Well, not really, no :-)

I have a patch which cleans this up (and more important also removes
directories created by httpup on failure), but it'll need some work to
get make it clean(er); that said, it will most certainly go into the next
minor release, but it might take a little 'til then.

Thanks for reporting,
Regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From rstokka at online.no  Thu Aug 12 20:56:49 2004
From: rstokka at online.no (Rune Stokka)
Date: Thu, 12 Aug 2004 20:56:49 +0000
Subject: [clc-devel] Re: Amaya new version...
In-Reply-To: <Pine.LNX.4.60.0408122110360.483@mayuresh>
References: <Pine.LNX.4.60.0408122110360.483@mayuresh>
Message-ID: <200408122056.49139.rstokka@online.no>

On Thursday 12 August 2004 15:41, you wrote:
> Hi,
>
> The new version of Amaya is out, can you update the Pkgfile to use 8.6
> instead of 8.0?
>
> ~Mayuresh

Hi, last time I updated Amaya was version 8.5, the updated port is however not 
reflected in the unmaintained ports collection even though I submitted it 
(I'll think the maintainers is busy men). The 8.6 release is just a snapshot 
(like a showcase), version 8.5 is still the most recent.

The version 8.5 posted in april:
https://lists.berlios.de/pipermail/clc-devel/2004-April/000429.html

Cheers, 
Rune Stokka


From clc-devel at berlios.de  Thu Aug 12 19:08:26 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 12 Aug 2004 21:08:26 +0200
Subject: [clc-devel] [port update] mplayerplug-in
Message-ID: <20040812190826.26195.qmail@rfhpc8082.fh-regensburg.de>

Your port submission has been marked 'defer'

General advise:
Please don't answer to this message unless you are subscribed to the
clc-devel mailinglist; reopen your original submission
(set state to 'new') and add a remark instead

Description: update from .80 to 2.66

User: winkj

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=159

Remark: Please read the port submission guidelines and submit an httpup repo url as requested


From jw at tks6.net  Thu Aug 12 19:13:38 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Thu, 12 Aug 2004 21:13:38 +0200
Subject: [clc-devel] Re: Amaya new version...
In-Reply-To: <200408122056.49139.rstokka@online.no>
References: <Pine.LNX.4.60.0408122110360.483@mayuresh> <200408122056.49139.rstokka@online.no>
Message-ID: <20040812191338.GA562@hoc>

Hey Rune, Mayuresh,

On Thu, Aug 12, 2004 at 20:56:49 +0000, Rune Stokka wrote:
> On Thursday 12 August 2004 15:41, you wrote:
> > Hi,
> >
> > The new version of Amaya is out, can you update the Pkgfile to use 8.6
> > instead of 8.0?
> >
> > ~Mayuresh
> 
> Hi, last time I updated Amaya was version 8.5, the updated port is however not 
> reflected in the unmaintained ports collection even though I submitted it 
> (I'll think the maintainers is busy men). The 8.6 release is just a snapshot 
> (like a showcase), version 8.5 is still the most recent.
> 
> The version 8.5 posted in april:
> https://lists.berlios.de/pipermail/clc-devel/2004-April/000429.html

As announced in
  http://marc.theaimsgroup.com/?l=crux&m=108205702820149&w=2
we have changed the port submission policy a while before the posting
mentioned above; submission guidelines are available at 
  http://crux.fh-regensburg.de/cgi-bin/cvstrac/wiki?p=PortSubmissionRules
and the submission queue
  http://crux.fh-regensburg.de/cgi-bin/cvstrac/rptview?rn=7
doesn't have a report for amaya right now, so if you are interested in
having the port in unmaintained updated, please read the port submission
rules and submit a report according to the submission rules.

Regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From clc-devel at berlios.de  Sat Aug 14 21:41:59 2004
From: clc-devel at berlios.de (clc-devel at berlios.de)
Date: 14 Aug 2004 23:41:59 +0200
Subject: [clc-devel] [port update] opt/xfsprogs Ports version update from 2.6.10 to 2.6.13
Message-ID: <20040814214159.28064.qmail@rfhpc8082.fh-regensburg.de>

Description: 2.6.13 is the xfsprogs current version.

2.6.10 is the xfsprogs Ports current version.

Could you please update it?

Thanks in advance.

Best regards.

Contact: ncrfgs at tin dot it

User: anonymous

http://crux.fh-regensburg.de/cgi-bin/cvstrac/tktview?tn=163 


From jaeger at morpheus.net  Tue Aug 17 22:23:16 2004
From: jaeger at morpheus.net (Matt Housh)
Date: Tue, 17 Aug 2004 17:23:16 -0500
Subject: [clc-devel] CLC ports available again...
Message-ID: <41228554.5030303@morpheus.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With a lot of help and patience from Daniel (danm) and Johannes (cptn),
I've gotten the ports up again and available for use. If you're a
maintainer, you'll need to send me an email requesting your access be
reinstated. I've still got all your keys but I'd like to know who's
active and who's not.

In order get the ports using cvsup and ports -u, simply edit
/etc/ports/clc.cvsup and change the host line from:

*default host=crux.fh-regensburg.de
	to
*default host=clc.morpheus.net

If you're lazy, grab it here:
http://jaeger.morpheus.net/linux/crux/files/clc.cvsup

Go forth and port!

Matt (jaeger at freenode/#crux)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBIoVUGFVQ7mavvGgRAqkcAJ9ShpRHNhf4roAH8IxXirtS2IuQogCeLdVL
W9VtWWRCQLGGDoyjeE2oTP0=
=wAxH
-----END PGP SIGNATURE-----


From jw at tks6.net  Fri Aug 20 17:59:44 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Fri, 20 Aug 2004 19:59:44 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
Message-ID: <20040820175944.GA29527@hoc>

Hi there,

I have yet another proposal about a change I'd like to make, addressing
the problems I see with the current httpup repositories and
unmaintained. I think this one is good; at least better than the
situation as it is now.


First of all, the following are the problems I'd like to address:
- distributed port repositories suffer from the following flaws:
  1. it's confusing at least to subscribe to ports; especially for new
     users
  2. People put just everything into they're repositories, e.g. duplicates
     over contrib ports, but also duplicates when using multiple private
     collections. This has two bad consequences: there is no improved
     version by merging the ports, and it is important to choose the
     right order in prt-get.conf

- ports in unmaintained are outdated; often, there are newer variant
  in private httpup repositories

When looking closely at unmaintained, there are two kinds of ports
there: first those of us CLC maintainers which we don't think are quite
ready yet; second such from external guys, often submitted with the
submission service we had a long time ago, and maybe updated by an
update report.


What I'd like to suggest differs a bit from my httpup mirror service
proposal I wrote to crux@ a while ago and is rather what Jay Dolan
suggested: Create a new httpup collection, called 'people' (for example;
I have no strong opinion about the name of this thing); packager can
apply to have their repository included in this collection. There are a
few basic rules to follow:
- No dups over base, opt or contrib; use a separate repository for this
- Rather have few but well maintained ports, than many outdated ones
- React on conflicts
- subscribe to and read the clc-people-admin (naming comment from above
  applies again) mailing list

If a conflict (duplicate) is detected, a notification is sent to a
clc-people-admin; the packagers are required to resolve it.
-> there must be an instance to decide if the packagers can't agree on a
  compromise

If a repository goes offline, the port remains in the collection, but is
marked as unmaintained. This way, a new packager can pick it up by
simply adding the port to his/her collection. This is exactly the same
sitation we have now, except for the fact that once a new package
appears, the new version will be used.
We can still use an external tool to check which ports have been
unmaintained for a long time and remove them.


The other purpose of the current 'unmaintained' collection, the ports
from CLC maintainers which are not ready for contrib, should be moved
into private port repositories. Many of us have them anyway.


This solution has the following properties (with respect to the current
sitution):
- people can easily pick up ports from unmaintained and provide new
  versions through the 'people' collection
- httpup repositories are available at a central location
- all ports are in the ports tree -> use find/grep/prt-get to search
  them; disadvantage: large number of ports (probably)
- httpup repo maintainer have a meeting point with others in the same
  position, which might help to improve ports

Most important, this would change the meaning of unmaintained:
'unmaintained' would mean that there's no CLC maintainer and no httpup
maintainer looking after the port.


I have a script ready to do most of the required work to collect the
repositories, find dups, merge the ports, mark them 'unmaintained' if a
repository fades away etc. It can definitely be optimized, but it is
ready for a test run.


For those still reading, what do you think? is this a viable solution?
I'll happy write a more detailed description and drafts of requirements,
but I'd like to avoid it if there are objections.

Feedback is (guess what ;-)) highly appreciated.

Thanks for bearing with me && kind regards, 
Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From vector at pp.nic.fi  Sat Aug 21 15:54:39 2004
From: vector at pp.nic.fi (Jukka Heino)
Date: Sat, 21 Aug 2004 18:54:39 +0300 (EEST)
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
Message-ID: <24412154.1093103679029.JavaMail.vector@pp.nic.fi>

Hi,

On Fri, 20 Aug 2004 19:59:44 +0200, Johannes Winkelmann <jw at tks6.net> wrote:

> What I'd like to suggest differs a bit from my httpup mirror service
> proposal I wrote to crux@ a while ago and is rather what Jay Dolan
> suggested: Create a new httpup collection, called 'people' (for example;
> I have no strong opinion about the name of this thing); packager can
> apply to have their repository included in this collection. There are a
> few basic rules to follow:
> - No dups over base, opt or contrib; use a separate repository for this
> - Rather have few but well maintained ports, than many outdated ones
> - React on conflicts
> - subscribe to and read the clc-people-admin (naming comment from above
>   applies again) mailing list
>
> If a conflict (duplicate) is detected, a notification is sent to a
> clc-people-admin; the packagers are required to resolve it.
> -> there must be an instance to decide if the packagers can't agree on a
>   compromise

I agree that this could be a working solution to the problem of 
distributed repositories. What I'm not really sure about is whether 
there should be a strict set of rules on this new 'people' collection. 
Having to subscribe to and read a whole new mailing list etc. might 
scare off some of the potential repository maintainers. Maybe we should 
more actively recruit new CLC members instead of creating a sort of 
pseudo-CLC? I'm not bashing the idea, I'm just wondering how much 
duplication of tasks this would cause.

The way I see it is that the 'people' collection could be just a central 
mirror with a subdirectory for each repository. That way people could 
immediately see who is maintaining what and over time trust some 
maintainer enough to e.g. add their repository directory to 
/etc/prt-get.conf.

Regards,

// Jukka



From jw at tks6.net  Sat Aug 21 17:33:04 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Sat, 21 Aug 2004 19:33:04 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <24412154.1093103679029.JavaMail.vector@pp.nic.fi>
References: <24412154.1093103679029.JavaMail.vector@pp.nic.fi>
Message-ID: <20040821173304.GB29527@hoc>

Hi,

On Sat, Aug 21, 2004 at 18:54:39 +0300, Jukka Heino wrote:
> Hi,
> 
> On Fri, 20 Aug 2004 19:59:44 +0200, Johannes Winkelmann <jw at tks6.net> wrote:
[...]
> I agree that this could be a working solution to the problem of 
> distributed repositories. What I'm not really sure about is whether 
> there should be a strict set of rules on this new 'people' collection. 
> Having to subscribe to and read a whole new mailing list etc. might 
> scare off some of the potential repository maintainers. 
Well, I think it should. If this is potentionally too much for a
maintainer, he/she shouldn't take part. But it might very well be
possible that I'm way off and that little to none httpup repo
maintainers would want to take part if there are regulations like this.

> Maybe we should more actively recruit new CLC members instead of
> creating a sort of pseudo-CLC? 
To me, there's a major difference between the CLC and the people
project: all it takes to be part of the later is the will to be active
(read the mailing list, react on problems); no matter how you behave
etc. This doesn't apply to CLC, where it is more important (at least to
me) to have a working team than the largest collection of ports ever.

It is true that we are still looking for maintainers, as the website
says... but I think this is a different story, IMHO, and the 'people'
collection could even be a good place to recruit them.

> I'm not bashing the idea, I'm just wondering how much duplication of
> tasks this would cause.
None, I think. There are people who don't fit in CLC but maintain ports
(good ports even).  Many of them might become perfect members once they
have some experience with CRUX and CLC. The people collection would give
them a place to prove themselves under the eyes of many, show that they
can follow a minimal set of guidelines and are willing to do some work
if required.


> The way I see it is that the 'people' collection could be just a central 
> mirror with a subdirectory for each repository. That way people could 
> immediately see who is maintaining what and over time trust some 
> maintainer enough to e.g. add their repository directory to 
> /etc/prt-get.conf.
This sounds very much like the latest suggestion we discussed:
  http://marc.theaimsgroup.com/?l=crux&m=109108750918706&w=2

The disadvantage is that you either introduce a new tool, or that people
still have to go the a webpage to search a port, find its repository,
download the *.httpup file, execute ports -u and add the new directory
to prt-get.conf. Works fine, it's just not obvious, especially to new
users. 

Also, I think this wouldn't address the problems with unmaintained,
would it? This is one of the very strong properties of the "one
collection" solution.

Just my opinion, though, off for lunch now ;-)
Kind regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From vector at pp.nic.fi  Sat Aug 21 18:08:37 2004
From: vector at pp.nic.fi (Jukka Heino)
Date: Sat, 21 Aug 2004 21:08:37 +0300 (EEST)
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
Message-ID: <10592332.1093111717451.JavaMail.vector@pp.nic.fi>

> Well, I think it should. If this is potentionally too much for a
> maintainer, he/she shouldn't take part. But it might very well be
> possible that I'm way off and that little to none httpup repo
> maintainers would want to take part if there are regulations like this.

It all depends on what we're aiming for. If it's only important to have 
a central access point for the repositories, we're better off with no 
rules. But if we're trying provide the highest quality ports while 
bridging the gap between CLC and external repositories, there's an 
apparent need for regulation.

> To me, there's a major difference between the CLC and the people
> project: all it takes to be part of the later is the will to be active
> (read the mailing list, react on problems); no matter how you behave
> etc. This doesn't apply to CLC, where it is more important (at least to
> me) to have a working team than the largest collection of ports ever.
> 
> It is true that we are still looking for maintainers, as the website
> says... but I think this is a different story, IMHO, and the 'people'
> collection could even be a good place to recruit them.

Now I see what you mean. Come to think of it, this reminds me a bit of 
Arch Linux's Trusted User Repositories (http://tur.archlinux.org/). An 
intermediate stage like this _could_ prove to be useful.

> > The way I see it is that the 'people' collection could be just a central 
> > mirror with a subdirectory for each repository. That way people could 
> > immediately see who is maintaining what and over time trust some 
> > maintainer enough to e.g. add their repository directory to 
> > /etc/prt-get.conf.
> This sounds very much like the latest suggestion we discussed:
>   http://marc.theaimsgroup.com/?l=crux&m=109108750918706&w=2
> 
> The disadvantage is that you either introduce a new tool, or that people
> still have to go the a webpage to search a port, find its repository,
> download the *.httpup file, execute ports -u and add the new directory
> to prt-get.conf. Works fine, it's just not obvious, especially to new
> users. 

What I meant was that all the ports would be downloaded by default, e.g. 
my repository would go into /usr/ports/people/jheino. No need to go to a 
webpage for anything, since everything is already downloaded on the 
user's computer. If he needs a port, he can search in the 'people' 
collection.

But I guess this comes down to what level of trust we're trying to 
achieve. I trust some external repository maintainers more than others, 
so I'd like to be able to say "I trust xyz, let prt-get use his ports 
automatically." I can install the ports in contrib with no worries, but 
when dealing with unknown external repositories I usually at least take 
a look at the Pkgfile.

Regards,

// Jukka



From victord at v600.net  Sat Aug 21 20:01:38 2004
From: victord at v600.net (Victor)
Date: Sat, 21 Aug 2004 16:01:38 -0400
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <20040820175944.GA29527@hoc>
References: <20040820175944.GA29527@hoc>
Message-ID: <4127AA22.1060103@v600.net>

Johannes Winkelmann wrote:
> Hi there,

Well, I wanted to write so as to not look as though I wasn't 
participating at all, but I have mixed feelings about this. It seems to 
me the "right" way of doing this is to do  web service type 
architecture, where people just log in, upload their ports, and then the 
system can sort them out and send them to clients that connect via curl 
and request data.

However since this system would require some development and effort, and 
noone (including myself) can/want allocate time to it, this sounds ok to 
me, I am just not sure this would scale or solve/automate the current 
issues.

Victor


From danm at gmx.li  Sat Aug 21 21:52:23 2004
From: danm at gmx.li (Daniel Mueller)
Date: Sat, 21 Aug 2004 23:52:23 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try)
 [long]
In-Reply-To: <24412154.1093103679029.JavaMail.vector@pp.nic.fi>
References: <24412154.1093103679029.JavaMail.vector@pp.nic.fi>
Message-ID: <20040821235223.56a0edaa@torax.danm.de>

Hi

On Sat, 21 Aug 2004 18:54:39 +0300 (EEST)
Jukka Heino <vector at pp.nic.fi> wrote:

> Maybe we should more actively recruit new CLC members instead of
> creating a sort of pseudo-CLC? I'm not bashing the idea, I'm just
> wondering how much duplication of tasks this would cause.

I would appreciate new CLC members. 

On Fri, 20 Aug 2004 19:59:44 +0200
Johannes Winkelmann <jw at tks6.net> wrote:

> What I'd like to suggest differs a bit from my httpup mirror service
> proposal I wrote to crux@ a while ago and is rather what Jay Dolan
> suggested: Create a new httpup collection, called 'people'
> [..]

The 'people' collection might be a good idea, but we should consider the
security aspect. I mean, do you trust in everybodys ports ? By running a
simple 'prt-get install <portname>' you can easily invite Harry H4cker.

> Most important, this would change the meaning of unmaintained:
> 'unmaintained' would mean that there's no CLC maintainer and no httpup
> maintainer looking after the port.

I'd be happy to get rid of 'unmaintained'. Most ports are poorly
out-dated - or - simply don't work (which is even worse). We don't need
to delete those ports - in my opinion 'unmaintained' shouldn't be
activated in clc.cvsup by default.

I remember that we used to have an 'unstable' tree some time ago. A lot
of us are using 'special' ports which don't really fit into 'contrib'.
For example, I've made an RPM port which is definitely not a candidate
for 'contrib' :-) but I take care of version updates. Robert's udev
is(/was) another example - many people are currently using it - but it's
in unmaintained because Robert doesn't think it's stable enough. So, if
we decide to revive 'unstable' I would place special stuff there.

bye, danm

-- 
Daniel Mueller
Berlin, Germany		(OpenPGP:  1024D/126EC290)


From tilman at code-monkey.de  Sat Aug 21 22:57:41 2004
From: tilman at code-monkey.de (Tilman Sauerbeck)
Date: Sun, 22 Aug 2004 00:57:41 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <20040821235223.56a0edaa@torax.danm.de>
References: <24412154.1093103679029.JavaMail.vector@pp.nic.fi> <20040821235223.56a0edaa@torax.danm.de>
Message-ID: <20040821225741.GA32460@code-monkey.de>

Daniel Mueller <danm at gmx.li> [2004-08-22 00:08]:
> > What I'd like to suggest differs a bit from my httpup mirror service
> > proposal I wrote to crux@ a while ago and is rather what Jay Dolan
> > suggested: Create a new httpup collection, called 'people'
> > [..]
> 
> The 'people' collection might be a good idea, but we should consider the
> security aspect. I mean, do you trust in everybodys ports ? By running a
> simple 'prt-get install <portname>' you can easily invite Harry H4cker.

That's not worse than the current situation with unmaintained, is it?
Of course we should make sure users know that "people" might include
flawed ports - that they aren't checked by CLC.

I don't think security is a problem here.

> I remember that we used to have an 'unstable' tree some time ago. A lot
> of us are using 'special' ports which don't really fit into 'contrib'.
> For example, I've made an RPM port which is definitely not a candidate
> for 'contrib' :-) but I take care of version updates. Robert's udev
> is(/was) another example - many people are currently using it - but it's
> in unmaintained because Robert doesn't think it's stable enough. So, if
> we decide to revive 'unstable' I would place special stuff there.

Yeah, this seems to be a better place to put stuff like udev etc.
Why was the unstable collection removed?

I like the original idea as a convenience thing for the user and as long
as it's made clear that the "people" collection contains ports that
aren't reviewed by CLC, I don't see a problem there either.

-- 
Regards,
Tilman


From jw at tks6.net  Sun Aug 22 10:15:49 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Sun, 22 Aug 2004 12:15:49 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <20040821235223.56a0edaa@torax.danm.de>
References: <24412154.1093103679029.JavaMail.vector@pp.nic.fi> <20040821235223.56a0edaa@torax.danm.de>
Message-ID: <20040822101549.GA31958@hoc>

Hi,

On Sat, Aug 21, 2004 at 23:52:23 +0200, Daniel Mueller wrote:
> Hi
[...]
> On Fri, 20 Aug 2004 19:59:44 +0200
> Johannes Winkelmann <jw at tks6.net> wrote:
> 
> > What I'd like to suggest differs a bit from my httpup mirror service
> > proposal I wrote to crux@ a while ago and is rather what Jay Dolan
> > suggested: Create a new httpup collection, called 'people'
> > [..]
> 
> The 'people' collection might be a good idea, but we should consider the
> security aspect. I mean, do you trust in everybodys ports ? By running a
> simple 'prt-get install <portname>' you can easily invite Harry H4cker.
That's true, but this is the very same for ports from private
repositories right now. People should not necessarily trust them, but if
you look at the reality, e.g. new users come to #crux and ask where they
can find a ports for XYZ, and are guided through the whole task of
getting the file.httpup, installing httpup, doing ports -u (installing
cvsup and doing ports -u again ;-)), and finally installing it; no
questions asked, no remark regarding security. The 'people' collection
wouldn't be any safer, but since it's centralized, there would be more
eyes watching it, which will definitely help to rule out black sheeps.

With respect to  trust, the bigger problem I see is that people
"pretend" to be someone else; in which case you'll be fooled when
looking at the Pkgfile first, since you probably stop looking that hard
if the maintainer is a well know person. The simple solution here is to
let the repository merge script set the "# Maintainer: " line using some
meta information on the repository the port cames from. 
This still doesn't guarantee the maintainer's repository wasn't hacked
itself; if we want strong confidence, then we need to introduce GPG/PGP
signing of the REPO file; this just imposes an extra step each time you
update your repository. Also note that if there was such a verification
process in place, it would be possible to have prt-get check the
signatures against a number of trusted ones, so you could configure it
to be paranoid and simply bail out if a package was made by a
non-trusted maintainer (meaning one not in your key ring).


Still I'd like to place emphasis on the fact that the problem of
potentially malicious ports is the very same right now, just better
hidden since it's not in a central, official place. No matter whether
we're going to implement an additional measure of trust, the situation
will rather improve than become worse IMO.

With respect to unmaintained, it is probably true that the current ports
in unmaintained are a bit better controlled since at least one CLC
maintainer checked them once... but this is pointless if they are older
than the ones in the httpup repositories, since in these cases, people
will use the newer one anyway.

Regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From vector at pp.nic.fi  Tue Aug 24 09:50:52 2004
From: vector at pp.nic.fi (Jukka Heino)
Date: Tue, 24 Aug 2004 12:50:52 +0300 (EEST)
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
Message-ID: <29323028.1093341052133.JavaMail.vector@pp.nic.fi>

Hi,

Since discussion seems to be dying out and the solution Johannes 
suggested could apparently only improve the current situation of rotting 
unmaintained ports and decentralized repositories, I propose we start 
implementing the 'people' collection if no one has anything major 
against it. My Perl and PHP skills are at your disposal if I can be of 
any help.

Regards,

// Jukka Heino



From jw at tks6.net  Tue Aug 24 10:56:48 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Tue, 24 Aug 2004 12:56:48 +0200
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <29323028.1093341052133.JavaMail.vector@pp.nic.fi>
References: <29323028.1093341052133.JavaMail.vector@pp.nic.fi>
Message-ID: <20040824105648.GA2356@hoc>

Hey,

On Tue, Aug 24, 2004 at 12:50:52 +0300, Jukka Heino wrote:
> Hi,
> 
> Since discussion seems to be dying out and the solution Johannes 
> suggested could apparently only improve the current situation of rotting 
> unmaintained ports and decentralized repositories, I propose we start 
> implementing the 'people' collection if no one has anything major 
> against it.
Actually, I asked Per about his opinion and he mentioned that there's a
servere security risk: if someone puts something malicious into a
Pkgfile like the following:

--- quote ---
name=xyz
version=1000
release=1
rm -rf /

build() {
    ...
}
--- /quote --

A simple 'ports -d' would be sufficient to make you appreciate your
backups. Obviously, this can be done in a private repository as well,
but with a central big collection with somewhat implied trust (since
it's controlled by CLC after all), we'd simplify such an attack a lot.

There are a few solutions which come to mind, but all terminate the goal
of "no access restrictions":
- only accept repos from known persons
- require a GnuPG signatures conforming to a yet-to-be-defined level of
  trust

So I guess we have to reconsider the situation, and maybe try to arrange
a get together to discuss this and further issues.

Kind regards, 
Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From victord at v600.net  Tue Aug 24 15:06:04 2004
From: victord at v600.net (Victor)
Date: Tue, 24 Aug 2004 11:06:04 -0400
Subject: [clc-devel] httpup repositories and unmaintained (next try) [long]
In-Reply-To: <20040824105648.GA2356@hoc>
References: <29323028.1093341052133.JavaMail.vector@pp.nic.fi> <20040824105648.GA2356@hoc>
Message-ID: <412B595C.70304@v600.net>

Johannes Winkelmann wrote:
> Hey,
> 
> On Tue, Aug 24, 2004 at 12:50:52 +0300, Jukka Heino wrote:
> 
>>Hi,
>>
>>Since discussion seems to be dying out and the solution Johannes 
>>suggested could apparently only improve the current situation of rotting 
>>unmaintained ports and decentralized repositories, I propose we start 
>>implementing the 'people' collection if no one has anything major 
>>against it.
> 
> Actually, I asked Per about his opinion and he mentioned that there's a
> servere security risk: if someone puts something malicious into a
> Pkgfile like the following:
> 
> --- quote ---
> name=xyz
> version=1000
> release=1
> rm -rf /
> 
> build() {
>     ...
> }
> --- /quote --
> 
> A simple 'ports -d' would be sufficient to make you appreciate your
> backups. Obviously, this can be done in a private repository as well,
> but with a central big collection with somewhat implied trust (since
> it's controlled by CLC after all), we'd simplify such an attack a lot.
> 
> There are a few solutions which come to mind, but all terminate the goal
> of "no access restrictions":
> - only accept repos from known persons
> - require a GnuPG signatures conforming to a yet-to-be-defined level of
>   trust

I do not think this is a Repository issue but a package system issue. 
Perhaps what we should revisit is chroot approaches to building packages 
or maybe using fakeroot to at least limit the damage. After all, sooner 
or later, someone, by error or otherwise, will do something like this. 
however protecting people from themselves introduces complexity that 
most don't want, so...

Unfortunately, mount -r --bind /lib lib didn't seem to work, well, just 
an idea.

Victor


From victord at v600.net  Fri Aug 27 05:23:50 2004
From: victord at v600.net (Victor)
Date: Fri, 27 Aug 2004 01:23:50 -0400
Subject: [clc-devel] Rsync for Maintainers
Message-ID: <412EC566.3040802@v600.net>

I am just curious, what was the reason again for not using rsync for 
port distribution?

Just an idea, why can't we make people who submit ports have an rsync 
account:

---------------- rsyncd.cruxusers.conf -----------------
victord:pass1
cptn:pass2
---------------- rsyncd.cruxusers.conf -----------------

---------------- rsyncd.conf -----------------
#
# /etc/rsyncd.conf
#

uid = nobody
gid = nobody
# use chroot = no
max connections = 4
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

[victord]
    path = /data/PORTS/victord
    use chroot = true
    secrets file = /etc/rsyncd.cruxusers.secrets
    auth users = victord
    read only = false

[cptn]
    path = /data/PORTS/cptn
    use chroot = true
    secrets file = /etc/rsyncd.cruxusers.secrets
    auth users = cptn
    read only = false

# End of file
---------------- rsyncd.conf -----------------
(I checked, they don't seem to support %u to replace username)

Then people who want their repos to be public, can ask for the account, 
and a simple script where user:pass is specified can generate these 
config files. Then it's up to them to update their trees. A gui (I have 
a php one that can handle this) can then list/search/etc the ports.

Wouldn't this be an easy solutoion? It centralizes all the HTTPUP repos 
with minimal work.

Am I missing something? We can even make httpup take -user -pass -rsync 
server, args so they can distribute them without learning rsync 
commands. And httpup can just sync their repo to central location with 
some default settings set for calling rsync.

Victor


From guerrilla_thought at gmx.de  Sun Aug 29 22:51:16 2004
From: guerrilla_thought at gmx.de (Anthony de Almeida Lopes)
Date: Sun, 29 Aug 2004 15:51:16 -0700
Subject: [clc-devel] Applying to be a package maintainer
Message-ID: <1093819876.17717.17.camel@emptyness>

I'd like to know how to apply to be a package maintainer. The
MaintainerGuidlines document on the wiki is pretty vague on that. I'd
also like to know how I register an account for the bug reporting
system, or whether all bugs are supposed to be anonymous. 

Thanks,
* Anthony



From jw at tks6.net  Mon Aug 30 07:29:13 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Mon, 30 Aug 2004 09:29:13 +0200
Subject: [clc-devel] Rsync for Maintainers
In-Reply-To: <412EC566.3040802@v600.net>
References: <412EC566.3040802@v600.net>
Message-ID: <20040830072912.GA23878@hoc>

Hi,
 
On Fri, Aug 27, 2004 at 01:23:50 -0400, Victor wrote:
> I am just curious, what was the reason again for not using rsync for 
> port distribution?
> 
> Just an idea, why can't we make people who submit ports have an rsync 
> account:
[...]
> Then people who want their repos to be public, can ask for the account, 
> and a simple script where user:pass is specified can generate these 
> config files. Then it's up to them to update their trees. A gui (I have 
> a php one that can handle this) can then list/search/etc the ports.
> 
> Wouldn't this be an easy solutoion? It centralizes all the HTTPUP repos 
> with minimal work.
I don't really see any big advantage over the other proposals (httpup
mirror collection, people collection). I'm somewhat missing a
comparison, so I'll run my own:

Advantages:
- Changes are transmitted using diffs (httpup: whole files)

Disadvantages:
- Requires running a service (rsyncd)
- Configurations looks rather complicated
- If a repo maintainer decides to just not update his repo anymore, we
  have to detect that he's not accessing our repo anymore; this is a bit
  harder in a "push" model than it is in a "pull" model (as the httpup
  ideas implement).
- To merge those ports into one collection, you'll need another script
  (I don't think rsync does this); therefore, you'll end up with more
  components to maintain (rsync, script), which run independently, which
  means that you have to manually ensure that there are no "commits" to
  the collection while merging it (I know this is simple to do, but it
  will cause some disk load).

Furthermore, one obvious difference is the distributed vs. centralized
approach, which has the following properties:
- Dist: people who want to keep their repository have to sync to two places
        (their webspace and our rsync space); 
  Central: those that don't want a repository don't have to create one.
- Dist: People interested in maintaining ports can start at once and
        will have their repo synced eventually. 
  Central: People are dependent to get an account to get started


I know I'm biased so I'm probably missing something, but I know I'd be
willing to maintain the system pointed out in the 'people' collection on
a private server without concerns regarding security and effort
required; in my case, this doesn't hold true for the rsync idea.

Whether distributed or centralized development is better is really a
matter of taste. I think that contrib should be central, and 'people'
distributed; and we should try to get more talented packagers to join
CLC.

Kind regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From jw at tks6.net  Mon Aug 30 10:05:56 2004
From: jw at tks6.net (Johannes Winkelmann)
Date: Mon, 30 Aug 2004 12:05:56 +0200
Subject: [clc-devel] Applying to be a package maintainer
In-Reply-To: <1093819876.17717.17.camel@emptyness>
References: <1093819876.17717.17.camel@emptyness>
Message-ID: <20040830100556.GA25668@hoc>

Hi,

On Sun, Aug 29, 2004 at 15:51:16 -0700, Anthony de Almeida Lopes wrote:
> I'd like to know how to apply to be a package maintainer. The
> MaintainerGuidlines document on the wiki is pretty vague on that.
Please let us know what parts are vague; we've tried to make it clear,
but we tend to forget things we think are obvious, so we're happy to fix
those things.

The process to apply is about the following:

1. package software, create ports, publish them, maintain them
2. Read http://clc.morpheus.net:6999/clc/wiki?p=MaintainerGuidelines and
   see whether you agree to the rules and requirements metioned there;
   also read the CLC package guidelines, available through the
   "Documents" section of the CLC webpage, and validate your ports
   against them.
3. Send an application to clc-devel at lists.berlios.de, containing "links
   to packages the applicant did, and a list of packages she/he'd like to
   maintain. It's best to send an URL to some ports the applicant made".

We also like to know who we're dealing with, so some notes about you are
definitely appreciated. There are some examples in the mailing list
archive at
  https://lists.berlios.de/pipermail/clc-devel/  

After that, some maintainers will look into the ports and advocate for
the applicant if they think he/she is a good match, or give some tips
how to improve them to fit  


> I'd also like to know how I register an account for the bug reporting
> system, or whether all bugs are supposed to be anonymous.
For now, we've never had someone asking for an account, but if you plan
to do a lot of bug reporting, this could be arranged. Anonymous
reporting is fine though.

Hope this helps,
Regards, Johannes
-- 
Johannes Winkelmann              mailto:jw at tks6.net
Bern, Switzerland                http://jw.tks6.net


From guerrilla_thought at gmx.de  Mon Aug 30 17:53:36 2004
From: guerrilla_thought at gmx.de (Anthony de Almeida Lopes)
Date: Mon, 30 Aug 2004 19:53:36 +0200 (MEST)
Subject: [clc-devel] Applying to be a package maintainer
References: <20040830100556.GA25668@hoc>
Message-ID: <1191.1093888416@www6.gmx.net>

Yes, I meat that it just doesn't say where to apply to. I ended up sending 
an e-mail to Per Liden and this mailing list. That's all. 

About the bug reporting system... The reason I asked about an account is 
because bugzilla usually requires one and it sends you updates when people 
reassign, close as duplicate, close as fixed, etc. a bug. Also sometimes I 
find out more information, or a solution of my own. Anyway, it's not 
necessary, but you'd definitely get more information out of people if you 
could ask them for clarification or something. 
 
Oh and I forgot to say (in my application I sumbitted a few minutes ago) 
that I did read the MaintainerGuidlines and agree to them. I wanted to 
make a note too, that I will do my best to mantain my ports. For the gcc-
ssp I will have to follow what gcc CRUX has in ports as well as what patch 
Etoh has out and for gaim I'd have to follow both Gaim and the 
corresponding gaim-encrption plugin. 

Okay, class in 10 minutes. Have a good one.
* tony

> Hi,
> 
> On Sun, Aug 29, 2004 at 15:51:16 -0700, Anthony de Almeida Lopes wrote:
> > I'd like to know how to apply to be a package maintainer. The
> > MaintainerGuidlines document on the wiki is pretty vague on that.
> Please let us know what parts are vague; we've tried to make it clear,
> but we tend to forget things we think are obvious, so we're happy to fix
> those things.
> 
> The process to apply is about the following:
> 
> 1. package software, create ports, publish them, maintain them
> 2. Read http://clc.morpheus.net:6999/clc/wiki?p=MaintainerGuidelines and
>    see whether you agree to the rules and requirements metioned there;
>    also read the CLC package guidelines, available through the
>    "Documents" section of the CLC webpage, and validate your ports
>    against them.
> 3. Send an application to clc-devel at lists.berlios.de, containing "links
>    to packages the applicant did, and a list of packages she/he'd like 
to
>    maintain. It's best to send an URL to some ports the applicant made".
> 
> We also like to know who we're dealing with, so some notes about you are
> definitely appreciated. There are some examples in the mailing list
> archive at
>   https://lists.berlios.de/pipermail/clc-devel/  
> 
> After that, some maintainers will look into the ports and advocate for
> the applicant if they think he/she is a good match, or give some tips
> how to improve them to fit  
> 
> 
> > I'd also like to know how I register an account for the bug reporting
> > system, or whether all bugs are supposed to be anonymous.
> For now, we've never had someone asking for an account, but if you plan
> to do a lot of bug reporting, this could be arranged. Anonymous
> reporting is fine though.
> 
> Hope this helps,
> Regards, Johannes
> -- 
> Johannes Winkelmann              mailto:jw at tks6.net
> Bern, Switzerland                http://jw.tks6.net
> _______________________________________________
> clc-devel mailing list
> clc-devel at lists.berlios.de
> http://lists.berlios.de/mailman/listinfo/clc-devel
> 

-- 
*    *    *
Anthony de Almeida Lopes
guerrilla_thought at gmx.de
AIM: whatsheon
*    *    *    

"And someone else might feel something
scratching in his mouth. he goes 
to the mirror opens his mouth: and his tongue
is an enormous, live 
centipede, rubbing its legs together and
scraping his palate. He'd like to spit 
it out, but the centipede is part of him and
he will to tear it out with his own 
hands..." -- Jean Paul Sartre 
*    *    *    

NEU: Bis zu 10 GB Speicher f?r e-mails & Dateien!
1 GB bereits bei GMX FreeMail http://www.gmx.net/de/go/mail



From guerrilla_thought at gmx.de  Tue Aug 31 16:57:32 2004
From: guerrilla_thought at gmx.de (Anthony de Almeida Lopes)
Date: Tue, 31 Aug 2004 09:57:32 -0700
Subject: [clc-devel] Applying to be a package maintainer
In-Reply-To: <20040830100556.GA25668@hoc>
References: <1093819876.17717.17.camel@emptyness>
	 <20040830100556.GA25668@hoc>
Message-ID: <1093971453.31482.43.camel@emptyness>

Oops thought I sent this to the list too... 

Alright, let me qualify first before I talk about ports. For the last 3
months I've been using my own
distribution of Linux made. I don't know whether a lot of linux-from-
scratch people can say that or not, but I'm pretty proud of it. You can
find some documents on it here:
http://sonic.net/~someone/slothware/.  I have two people that mirror it
if you want to actually look at what I have. Before I rolled my own
distribution I used gentoo since about 2001 or so, when it first showed
up. I am familiar with port systems. Like I said, I used gentoo, I use
OpenBSD and NetBSD's pkgsrc was my original ports system for Slothware
(my distribution). I've also worked with the GAR ports system as well
(not my favorite). I, with a few others, do my best in #linux-help to
help out "newbies." I have a fairly solid understanding of how the
original UNIX kernel and the Linux kernel work. In particular, I've
studied the virtual memory subsystem, the filesystem and ELF. I'm
familiar with gcc and the linkers. I haven't put out any massive
projects, aside from Slothware, but I continue continue to learn about
and use C, assembly and bash (my favorite languages) as time goes by. 
Most importantly of all; what I don't know, I can learn.

Personally? I'm a computer science major and will be doing the computer
systems program at either U.C. Berekely or Davis Right now I'm finishing
up General education at Santa Rosa Junior College (in northern
California). You can see my class schedule here: http://www.sonic.net/
~someone/classes.html. I guess you can find a picture of me here:
http://sonic.net/~someone/photos/. I'm 21 years old, dedicated to
computers and school. Right now I'd have to say my interests are still
in security, assembly, and studying the Linux kernel. 

Okay, let's get back to ports. Stack-smashing protector isn't exactly a
simple matter, but I can point you at some documents you might want to
look at: http://www.trl.ibm.com/projects/security/ssp/node1.html  and
http://immunix.org/StackGuard/usenixsc98.pdf  The first is what I'm
porting and the second, the pdf, is the original proposal for the work,
back in 1998. Basically, what you want to know, is it does a good job
"preventing" buffer overflows. It is by no means the solution to all
security problems. Please read this document
http://pax.grsecurity.net/docs/pax.txt . Some security is better than no
security. This deals with the problem at a source level, when you
compile code with SSP, the binary produced will actually differ between
that and what would normally come out. It's not a Non-Executable stack
implementation but gives, reorders the layout of the process in memory
(the stack rest of the stack comes after the return address) and it puts
a little barrier there as well. Anyway, please read the first document
at least if you're interested. 
Is this a port that people need? Let me put it this way; if you're
running a sevrer, I'd highly recommend it (as well as PaX and some kind
of MAC.) It's pretty widley used right now. Check out the gentoo
hardened project http://hardened.gentoo.org. It's also become default in
a few distributions of gcc. People do use it. I should note that it will
only protect the executables and libraries that you compile with it. If
an executable uses a shared object that is compiled with ssp, that code
will be protected but the main applications will not be. This doesn't
get rid of the buffer overflow itself but "prevents" it from doing much
of anything.
I have a preliminary port of gcc-ssp  here:
http://sonic.net/~someone/files/gcc-ssp.tar.bz2
It's not finished right now, I'd advise against using it with ccache
right now, although I do use it for everything it needs some more
testing.

The other thing I'm interest in porting right now is gaim-encryption
(see: http://gaim-encryption.sourceforge.net) which is just a method of
encrypting conversation over AOL's instant messaging network via gaim
(see http://gaim.sourceforge.net), a very popular IM client for Linux. 

I will check out the 'unmaintained' section of the CRUX ports tree as
well. 

Please let me know what else you want to know about me or if you have
any other questions. Sorry if this sounds kind of resume-ish.

Have a good day, I'm off to school now.
 * tony

On Mon, 2004-08-30 at 12:05 +0200, Johannes Winkelmann wrote:
> Hi,
> 
> On Sun, Aug 29, 2004 at 15:51:16 -0700, Anthony de Almeida Lopes wrote:
> > I'd like to know how to apply to be a package maintainer. The
> > MaintainerGuidlines document on the wiki is pretty vague on that.
> Please let us know what parts are vague; we've tried to make it clear,
> but we tend to forget things we think are obvious, so we're happy to fix
> those things.
> 
> The process to apply is about the following:
> 
> 1. package software, create ports, publish them, maintain them
> 2. Read http://clc.morpheus.net:6999/clc/wiki?p=MaintainerGuidelines and
>    see whether you agree to the rules and requirements metioned there;
>    also read the CLC package guidelines, available through the
>    "Documents" section of the CLC webpage, and validate your ports
>    against them.
> 3. Send an application to clc-devel at lists.berlios.de, containing "links
>    to packages the applicant did, and a list of packages she/he'd like to
>    maintain. It's best to send an URL to some ports the applicant made".
> 
> We also like to know who we're dealing with, so some notes about you are
> definitely appreciated. There are some examples in the mailing list
> archive at
>   https://lists.berlios.de/pipermail/clc-devel/  
> 
> After that, some maintainers will look into the ports and advocate for
> the applicant if they think he/she is a good match, or give some tips
> how to improve them to fit  
> 
> 
> > I'd also like to know how I register an account for the bug reporting
> > system, or whether all bugs are supposed to be anonymous.
> For now, we've never had someone asking for an account, but if you plan
> to do a lot of bug reporting, this could be arranged. Anonymous
> reporting is fine though.
> 
> Hope this helps,
> Regards, Johannes