
Upstreaming patches (Re: Ask for review)



Hi,

thanks for your reply.

On Wed, 26 Apr 2017 19:04:55 +0200
Raphael Hertzog <hertzog at debian.org> wrote:

> Adding a word about this in README.Debian (or even in the package
> description in debian/control) is a possibility.

README.Debian from dsniff currently contains:

  Dsniff should depend on libx11-6 because webspy use it. But forcing to
  the user to install a lot of X stuff in a server for one (and maybe
  useless, in certain environments) binary. If you want to use webspy,
  please run this command before: apt-get install libx11-6

This is no longer correct: the current version of dsniff in the archive
does depend on libx11-6 (expanded from ${shlibs:Depends}).

Can someone offer advice if we should remove the dependency on libx11-6
again (and have a non-working webspy binary on systems that do not have
libx11-6 installed) or if we should remove the notice (my preference)?

> http://dep.debian.net is actually http://dep.alioth.debian.org
> and I don't think that alioth offers https access for the project
> websites it hosts.
> 
> https://alioth.debian.org/projects/dep/

Good to know, https://dep.alioth.debian.org offers TLS too.


I still have one more problem. Sometimes I can't access
dep.alioth.debian.org (or dep.debian.net, both give SERVFAIL) and I think
a DNSSEC misconfiguration is responsible for that. From the four
nameservers

    $ host -t ns alioth.debian.org
    alioth.debian.org name server dns4.easydns.info.
    alioth.debian.org name server sec2.rcode0.net.
    alioth.debian.org name server sec1.rcode0.net.
    alioth.debian.org name server dns1.easydns.com.

one (dns4.easydns.info) does return an RRSIG:

    $ dig +noall +dnssec +answer @dns4.easydns.info dep.alioth.debian.org A
    dep.alioth.debian.org.	600	IN	A	5.153.231.21

The other three behave as expected, for example:

    $ dig +noall +dnssec +answer @sec1.rcode0.net dep.alioth.debian.org A
    dep.alioth.debian.org.	600	IN	A	5.153.231.21
    dep.alioth.debian.org.	600	IN	RRSIG	A 8 3 600 (...)


My guess is that if my unbound picks the faulty nameserver I'm getting
the SERVFAIL until the cache has expired and it tries again (hopefully
using one of the others). dnsviz.net also shows the error [1].

What's the correct place to report that? DSA? I posted it on #alioth on
IRC a few hours ago but no one responded.


Regards
Lukas

[1] http://dnsviz.net/d/dep.debian.net/dnssec/
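
Added example, not part of the original message: the per-nameserver check described above (query each authoritative server with `+dnssec` and look for an RRSIG covering the record) as a small script. The function names are hypothetical, and the sample data is constructed from the `dig` output quoted in the message, with the signature data left elided as `(...)`.

```shell
#!/bin/sh
# covers_rrsig TYPE: read `dig +noall +dnssec +answer` output on stdin.
# Succeeds only if at least one record of TYPE is present and every owner
# name that has a TYPE record also has an RRSIG covering TYPE.
covers_rrsig() {
    awk -v want="$1" '
        $4 == want                  { have[tolower($1)] = 1 }
        $4 == "RRSIG" && $5 == want { sig[tolower($1)] = 1 }
        END {
            n = 0
            for (o in have) { n++; if (!(o in sig)) exit 1 }
            exit (n == 0)
        }'
}

# check_zone_ns ZONE NAME TYPE: ask every NS of ZONE directly (needs dig and
# network access) and print one status line per server. A server that gives
# no answer at all is also reported as "no-rrsig".
check_zone_ns() (
    zone=$1 name=$2 type=$3
    for ns in $(dig +short NS "$zone"); do
        if dig +noall +dnssec +answer +norecurse "@$ns" "$name" "$type" |
            covers_rrsig "$type"; then
            echo "signed    $ns"
        else
            echo "no-rrsig  $ns"
        fi
    done
)

# Constructed samples: an answer without and with the covering RRSIG.
sample_unsigned() {
    printf 'dep.alioth.debian.org.\t600\tIN\tA\t5.153.231.21\n'
}
sample_signed() {
    sample_unsigned
    printf 'dep.alioth.debian.org.\t600\tIN\tRRSIG\tA 8 3 600 (...)\n'
}

# Live usage: check_zone_ns alioth.debian.org dep.alioth.debian.org A
```

A validating resolver such as unbound fails the lookup when the server it picked returns the unsigned answer, so any `no-rrsig` line for a signed zone points at the server to report.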