[clc-devel] Applying to be a package maintainer

Anthony de Almeida Lopes guerrilla_thought at gmx.de
Tue Aug 31 16:57:32 UTC 2004


Oops thought I sent this to the list too... 

Alright, let me qualify first before I talk about ports. For the last 3
months I've been using my own
distribution of Linux made. I don't know whether a lot of linux-from-
scratch people can say that or not, but I'm pretty proud of it. You can
find some documents on it here:
http://sonic.net/~someone/slothware/.  I have two people that mirror it
if you want to actually look at what I have. Before I rolled my own
distribution I used gentoo since about 2001 or so, when it first showed
up. I am familiar with port systems. Like I said, I used gentoo, I use
OpenBSD and NetBSD's pkgsrc was my original ports system for Slothware
(my distribution). I've also worked with the GAR ports system as well
(not my favorite). I, with a few others, do my best in #linux-help to
help out "newbies." I have a fairly solid understanding of how the
original UNIX kernel and the Linux kernel work. In particular, I've
studied the virtual memory subsystem, the filesystem and ELF. I'm
familiar with gcc and the linkers. I haven't put out any massive
projects, aside from Slothware, but I continue to learn about
and use C, assembly and bash (my favorite languages) as time goes by.
Most importantly of all: what I don't know, I can learn.

Personally? I'm a computer science major and will be doing the computer
systems program at either U.C. Berkeley or Davis. Right now I'm finishing
up General education at Santa Rosa Junior College (in northern
California). You can see my class schedule here:
http://www.sonic.net/~someone/classes.html. I guess you can find a picture of me here:
http://sonic.net/~someone/photos/. I'm 21 years old, dedicated to
computers and school. Right now I'd have to say my interests are still
in security, assembly, and studying the Linux kernel. 

Okay, let's get back to ports. Stack-smashing protector isn't exactly a
simple matter, but I can point you at some documents you might want to
look at: http://www.trl.ibm.com/projects/security/ssp/node1.html  and
http://immunix.org/StackGuard/usenixsc98.pdf  The first is what I'm
porting and the second, the pdf, is the original proposal for the work,
back in 1998. Basically, what you want to know is that it does a good job
"preventing" buffer overflows. It is by no means the solution to all
security problems. Please read this document
http://pax.grsecurity.net/docs/pax.txt . Some security is better than no
security. This deals with the problem at a source level: when you
compile code with SSP, the binary produced will actually differ from
what would normally come out. It's not a Non-Executable stack
implementation, but it reorders the layout of the process in memory
(the rest of the stack comes after the return address) and it puts
a little barrier there as well. Anyway, please read the first document
at least if you're interested. 
Is this a port that people need? Let me put it this way; if you're
running a server, I'd highly recommend it (as well as PaX and some kind
of MAC.) It's pretty widely used right now. Check out the gentoo
hardened project http://hardened.gentoo.org. It's also become default in
a few distributions of gcc. People do use it. I should note that it will
only protect the executables and libraries that you compile with it. If
an executable uses a shared object that is compiled with ssp, that code
will be protected but the main applications will not be. This doesn't
get rid of the buffer overflow itself but "prevents" it from doing much
of anything.
I have a preliminary port of gcc-ssp here:
http://sonic.net/~someone/files/gcc-ssp.tar.bz2
It's not finished right now. I'd advise against using it with ccache
right now; although I do use it for everything, it needs some more
testing.

The other thing I'm interested in porting right now is gaim-encryption
(see: http://gaim-encryption.sourceforge.net) which is just a method of
encrypting conversation over AOL's instant messaging network via gaim
(see http://gaim.sourceforge.net), a very popular IM client for Linux. 

I will check out the 'unmaintained' section of the CRUX ports tree as
well. 

Please let me know what else you want to know about me or if you have
any other questions. Sorry if this sounds kind of resume-ish.

Have a good day, I'm off to school now.
 * tony

On Mon, 2004-08-30 at 12:05 +0200, Johannes Winkelmann wrote:
> Hi,
> 
> On Sun, Aug 29, 2004 at 15:51:16 -0700, Anthony de Almeida Lopes wrote:
> > I'd like to know how to apply to be a package maintainer. The
> > MaintainerGuidlines document on the wiki is pretty vague on that.
> Please let us know what parts are vague; we've tried to make it clear,
> but we tend to forget things we think are obvious, so we're happy to fix
> those things.
> 
> The process to apply is about the following:
> 
> 1. package software, create ports, publish them, maintain them
> 2. Read http://clc.morpheus.net:6999/clc/wiki?p=MaintainerGuidelines and
>    see whether you agree to the rules and requirements mentioned there;
>    also read the CLC package guidelines, available through the
>    "Documents" section of the CLC webpage, and validate your ports
>    against them.
> 3. Send an application to clc-devel at lists.berlios.de, containing "links
>    to packages the applicant did, and a list of packages she/he'd like to
>    maintain. It's best to send an URL to some ports the applicant made".
> 
> We also like to know who we're dealing with, so some notes about you are
> definitely appreciated. There are some examples in the mailing list
> archive at
>   https://lists.berlios.de/pipermail/clc-devel/  
> 
> After that, some maintainers will look into the ports and advocate for
> the applicant if they think he/she is a good match, or give some tips
> how to improve them to fit  
> 
> 
> > I'd also like to know how I register an account for the bug reporting
> > system, or whether all bugs are supposed to be anonymous.
> For now, we've never had someone asking for an account, but if you plan
> to do a lot of bug reporting, this could be arranged. Anonymous
> reporting is fine though.
> 
> Hope this helps,
> Regards, Johannes
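
Added example, not part of the original message or of the SSP patch: a small C model of the guard (the "barrier") and the variable reordering that the message describes for SSP-compiled code. The frame layout, the guard constant and all names are constructed for illustration; in real SSP the compiler emits the check and the process is aborted when it fails.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard constant; this model assumes a real guard is set at program start. */
#define GUARD_VALUE 0x00000aff0d0a5a5aULL

/* Model of one protected frame, lowest address first (no padding: 8+16+8+8). */
struct frame {
    uint64_t flags;      /* scalar local, kept below the array */
    char     buf[16];    /* character array, kept next to the guard */
    uint64_t guard;      /* written on entry, compared on exit */
    uint64_t saved_ret;  /* stand-in for the saved return address */
};
struct result { int guard_tripped, ret_changed, flags_changed; };

/* strcpy()-style unchecked write into buf, clamped to the model frame
 * so that the demonstration itself stays well-defined. */
static void unchecked_copy(struct frame *f, const void *src, size_t n) {
    size_t room = sizeof *f - offsetof(struct frame, buf);
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, n < room ? n : room);
}

/* One simulated call: entry sets the guard, the body copies n bytes,
 * exit compares the guard before the return address would be used. */
static struct result run_call(size_t n) {
    unsigned char input[64];
    struct frame f = { 0, {0}, GUARD_VALUE, 0x1000 };
    struct result r;
    memset(input, 'A', sizeof input);
    unchecked_copy(&f, input, n);
    r.guard_tripped = f.guard != GUARD_VALUE;   /* real SSP aborts the process here */
    r.ret_changed   = f.saved_ret != 0x1000;
    r.flags_changed = f.flags != 0;
    return r;
}

int main(void) {
    size_t sizes[] = { 16, 17, 40 };            /* fits, one byte over, far over */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct result r = run_call(sizes[i]);
        printf("n=%zu guard_tripped=%d ret_changed=%d flags_changed=%d\n",
               sizes[i], r.guard_tripped, r.ret_changed, r.flags_changed);
    }
    return 0;
}
```

A write of even one byte past the array changes the guard before it can reach the saved return address, and the scalar placed below the array is never touched by the upward write.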



