packaging ckermit: lots of questions
I recently ITA'd ckermit, ("a serial and network communications
package"). Packaging the latest version raised lots of (hopefully
ckermit has support for a config file in /etc (and someone on the BTS
has requested one). By default it ships with a big config file which
takes a while to parse on slow machines, but upstream suggests it is
As ckermit config files are executable via
upstream suggests shipping with an executable config file and letting
the user run that if desired. This would mean a config file in
/usr/bin which is sure to violate policy and certainly feels
immoral. I suppose I could cop out and stick it in
For now (in my test package, see end of message for URL) it ships with
a minimal /etc/kermit/kermrc and the full config file in
/etc/kermit/kermrc.full There is a symlink called kermrc in /usr/bin
to /etc/kermit/kermrc.full which runs kermit with the full
config. This strikes me as a bit inelegant.
By default, the upstream makefile installs the full config file in
When I say config file, it is actually a kermit script file, but it is
configurable, should be marked as a conffile, and (imho) not in
Any better ideas?
ckermit comes with support for iksd, the Internet Kermit Service
Daemon, which runs from inetd and acts as a kermit and telnet
server. I've added a debconf question, priority medium, for whether to
enable it, and if they say yes to that, another question of priority
medium, asking if they want to enable anonymous access (essentially
the same as anon ftp but via kermit with secure connection options,
kermit scripting, etc)
Are those priorities right? Regular kermit users will find iksd
useful, but many people will never use it I imagine (although even
less if they aren't aware of it, it's a relatively new ckermit
After talking with upstream, I'm going with an /etc/pam.d/kermit
auth required pam_unix_auth.so shadow nullok
account required pam_unix_acct.so
session required pam_unix_session.so
Is this correct? Upstream says iksd should behave like ftpd with
regards to pam, but it handles anonymous logins and checking
The current version in debian does not have any of the crypto options
enabled. I have enabled kerberos (4&5), openssl, TLS, DES, CAST and
support for an external ssh client. From reading of the crypto-in-main
stuff, it looks like I need to get debian to file a BXA announcement,
is that still the case? It won't have been done before because none of
the crypto was enabled.
ckermit is currently in non-free (although I plan to raise this on
debian-legal at some point, it is at least close to DFSG-free, and I
hope I can resolve things with upstream). The initial crypto-in-main
announcement excluded non-free stuff, is that still the case, or will
it have to go into the ghetto that is non-US/non-free?
I have enabled socks support using libsocksd. Is it wise to ship with
socks support compiled-in by default?
socksd appears to only support socks4. Is there a socks5 server/libs
in debian? I couldn't find one.
As kermit is possibly the most portable piece of software on the
planet (the makefile has 740 targets!) I have no excuse for it not
running on all debian architectures. However, I am not yet a DD, which
makes testing this harder.
db.debian.org/machines.cgi mentions several machines with access: all
Does this mean I can gain access to them to test ckermit? Who do I
ask? I realise post-compromise this is probably a bad time, should I
just wait for nasty mail from the buildds?
I plan to start the NM process soon. I imagine my best chance for a
keysigning meetup will be on a future trip to London (I live in
Preston, NW England), which probably will happen in a few months.
Should I apply as soon as possible or wait till I have an opportunity
for keysigning and/or an advocate?
The current version of my ckermit package is at:
Upstream is about to release ckermit-210, so I've packaged the
prerelease version for now (as ckermit-209.pre210-1), I expect 210 to
be ready and included by the time I upload/find a sponsor.
The package is lintian- and linda-clean, however there is currently a
bug in option/config parsing (that iksd triggers) that upstream is looking
The upstream tar.gz unpacks into the current directory. For the
.orig.tar.gz I unpacked it and repacked it into a subdirectory. Is
Comments are welcome. When it's ready, I'll be looking for a sponsor,
preferably one who will be prepared to advocate me if they are happy
with my work.
Ian Beckwith - email@example.com - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Swans - Various Failures (Yellow) - When She Breathes