On 00-12-05 Javier Fernandez-Sanguino Peña wrote:
> Christian Kurz wrote:
> > On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> > > Christian Kurz wrote:
> > > >
> > > > > I have checked it out and would really like to see it included in
> > > > > the DDP and think that debian security gurus should help in
> > > >
> > > > Well, which package should include this documentation? May I also say,
> > > > that some debian security interested guys helped in creating this
> > > > document?
> >
> > > As for the first one I do not know, maybe we should create a
> > > debian-security package to provide this kind of information like the
> > > java-common package provides the Java FAQ and the Java policy as
> >
> > Well, I think including this documentation into doc-debian would then be
> > more sinful, because creating a new package for one document isn't a
> > good idea.
> As a matter of fact, all documents in the DDP are made as separate packages,
> doc-debian, for example, includes only the FAQ, the package-maintainer the
> document of the same name, maint-guide the "New Maintainer Guide", java-common
> the "Debian JAVA FAQ". So I would say that the standard procedure is to have
> these documents in different packages.

Well, now we have two or three different formats, so an extra package
would be alright, but I had the one format in mind and creating a package
for 1 doc is a bit too much. :)

> > > well as being a suited metapackage. How about having a package
> > > providing this document and some useful scripts (for example
> > > cron.daily updates from security.debian.org) and dependencies on
> > > security-related packages. Kind of a meta-package...
> >
> > No, we had one discussion about this some time ago and came to the
> > conclusion that such a metapackage isn't a good idea.
> Umm.. I have looked in the archive and I have only seen references
> to a meta-package to do automatic updates from the
> security.debian.org site. Did you talk on documentation and
> dependencies too?

Yes, look in the archives, I think the discussion was on -devel. But you
should be able to find it.

> > > > > ideas? Also, since the package would depend on other packages we
> > > > > need to have this in the chrooted environment too, is there an
> > > > > *easy* way to do this? (without needing to have two package
> > > > > databases)
> > > >
> > > > No, that's why I think chroots should always be set up by the admin and
> > > > not by any tool. And a good idea knows how to create chroots even for
> > > > programs using dynamic linking.
> > > >
> > > I'm not quite the same thinking here. You could use the powerful package
> > > management tools in order to automatically do this like:
> > >
> > > (user) - ok I want bind installed but chrooted in /home/bind
> > > (apt/dpkg) - downloading bind
> > > (apt/dpkg) - installing in /home/bind
> >
> > No, if you would have read the discussion on debian-devel you would also
> > know, that this won't be possible.
> Because the discussion in debian-devel (which I missed but I have
> read a resumed text on debian-planet) was centered on other issues.
> Was the chroot case pushed into the discussion there? I am sorry, I
> do *not* read debian-devel, I barely have time to keep up with the
> weekly news and debian planet summaries.

Yes, this issue also came up and it was noticed, that this is absolutely
not possible and would be too difficult.

> > > (apt/dpkg) - checking dependencies of bind
> > > (apt/dpkg) - moving related libraries (to allow dynamic linking) into
> > >              /home/bind
> > > (apt/dpkg) - changing default init.d script to
> > >              run bind but chrooted into /home/bind
> >
> > Can always be done via an external script, that the administrator
> > starts, if he really wants to chroot the daemon.
> >
> > > (....)
> > >
> > > (user) - dpkg --status bind
> > > (dpkg) Package: bind...
> > >        Chrooted-in: /home/bind
> >
> > Won't work and I think this is something that Wichert won't include
> > in dpkg. Also you should be free to choose the place to chroot for
> > yourself.
> I do know that it will not work since it is not implemented in dpkg.
> The main issue here is: "Is it useful? (security-wise)"

No, because for example you should force the admin to use a certain dir
for chroots. The admin should also be free to decide where he wants to put
the chroot.

> > > Did it make any sense?
> >
> > Some and please turn that v-card off.
> Sorry if I do, I sometimes forget to remove it when I send mails...
> will have to look on how to do it on a per-address basis.

Well, depends on your mailer. With mutt it would be possible to do that.

Ciao
     Christian
-- 
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853