& or !, have special meaning on the web or the shell and can wreak
havoc when transferred. Certain software also has policies of refusing
(or requiring!) some special characters exactly for that reason. Weird
characters also make it harder for humans to communicate passwords
across voice channels or different cultural backgrounds. In a more
extreme example, the popular Signal software even resorted to using
only digits to
transfer key fingerprints. They outlined that numbers are "easy to
localize" (as opposed to words, which are language-specific) and
"visually distinct".
But the critical piece is the "memorable" part: it is trivial to
generate a random string of characters, but those passwords are hard for
humans to remember. As xkcd noted,
"through 20 years of effort, we've successfully trained everyone
to use passwords that are hard for humans to remember but easy for
computers to guess". The comic explains how a series of words is a
better password than a single word with some characters replaced.
Obviously, you should not need to remember all passwords. Indeed, you
may store some in password managers (which we'll look at in another
article) or write them down in your wallet. In those cases, what you
need is not a password, but something I would rather call a "token", or,
as Debian Developer Daniel Kahn Gillmor (dkg) said in a private email, a
"high entropy, compact, and transferable string". Certain APIs are
specifically crafted to use tokens. OAuth, for
example, generates "access tokens" that are random strings that give
access to services. But in our discussion, we'll use the term "token" in
a broader sense.
Notice how we removed the "memorable" property and added the "compact"
one: we want to efficiently convert the most entropy into the shortest
password possible, to work around possibly limiting password policies.
For example, some bank cards only allow 5-digit security PINs and most
web sites have an upper limit in the password length. The "compact"
property applies less to "passwords" than tokens, because I assume that
you will only use a password in select places: your password manager,
SSH and OpenPGP keys, your computer login, and encryption keys.
Everything else should be in a password manager. Those tools are
generally under your control and should allow large enough passwords
that the compact property is not particularly important.
$ xkcdpass
estop mixing edelweiss conduct rejoin flexitime
In verbose mode, it will show the actual entropy of the generated
passphrase:
$ xkcdpass -V
The supplied word list is located at /usr/lib/python3/dist-packages/xkcdpass/static/default.txt.
Your word list contains 38271 words, or 2^15.22 words.
A 6 word password from this list will have roughly 91 (15.22 * 6) bits of entropy,
assuming truly random word selection.
estop mixing edelweiss conduct rejoin flexitime
Note that the above password has 91 bits of entropy, which is about what
a fifteen-character password would have, if chosen at random from
uppercase, lowercase, digits, and ten symbols:
log2((26 + 26 + 10 + 10)^15) = approx. 92.548875
It's also interesting to note that this is closer to the entropy of a
fifteen-letter base64 encoded password: since each character is six
bits, you end up with 90 bits of entropy. xkcdpass is scriptable and
easy to use. You can also customize the word list, separators, and so on
with different command-line options. By default, xkcdpass uses the 2 of
12 word list from 12dicts, which is not specifically geared toward
password generation but has been curated for "common words" and words
of different sizes.
Another option is the diceware system. Diceware
works by having a word list in which you look up words based on dice
rolls. For example, rolling the five dice "1 4 2 1 4" would give the
word "bilge". By rolling those dice five times, you generate a five word
password that is both memorable and random. Since paper and dice do not
seem to be popular anymore, someone wrote that as an actual program,
aptly called diceware. It works in a
similar fashion, except that passwords are not space separated by
default:
$ diceware
AbateStripDummy16thThanBrock
Diceware can obviously change the output to look similar to xkcdpass,
but can also accept actual dice rolls for those who do not trust their
computer's entropy source:
$ diceware -d ' ' -r realdice -w en_orig
Please roll 5 dice (or a single dice 5 times).
What number shows dice number 1? 4
What number shows dice number 2? 2
What number shows dice number 3? 6
[...]
Aspire O's Ester Court Born Pk
The diceware software ships with a few word lists, and the default list
has been deliberately created for generating passwords. It is derived
from the standard diceware list with additions from the SecureDrop
project. Diceware ships with the EFF word list that has words chosen for
better recognition, but it is not enabled by default, even though
diceware recommends using it when generating passwords with dice. That
is because the EFF list was added later on. The project is currently
considering making the EFF list be the default.
One disadvantage of diceware is that it doesn't actually show how much
entropy the generated password has; those interested need to compute it
for themselves. The actual number depends on the word list: the default
word list has 13 bits of entropy per word (since it is exactly 8192
words long), which means the default 6 word passwords have 78 bits of
entropy:
log2(8192) * 6 = 78
Both of these programs are rather new, having, for example, entered
Debian only after the last stable release, so they may not be directly
available for your distribution. The manual diceware method, of course,
only needs a set of dice and a word list, so that is much more portable,
and both the diceware and xkcdpass programs can be installed through
pip. However, if this is all too complicated,
you can take a look at Openwall's
passwdqc, which is older and more
widely available. It generates more memorable passphrases while at the
same time allowing for better control over the level of entropy:
$ pwqgen
vest5Lyric8wake
$ pwqgen random=78
Theme9accord=milan8ninety9few
For some reason, passwdqc restricts the entropy of passwords between
the bounds of 24 and 85 bits. That tool is also much less customizable
than the other two: what you see here is pretty much what you get. The
4096-word list is also hardcoded in the C source code; it comes from a
Usenet sci.crypt posting from 1997.
A key feature of xkcdpass and diceware is that you can craft your own
word list, which can make dictionary-based attacks harder. Indeed, with
such word-based password generators, the only viable way to crack those
passwords is to use dictionary attacks, because the password is so long
that character-based exhaustive searches are not workable, since they
would take centuries to complete. Changing from the default dictionary
therefore brings some advantage against attackers. This may be yet
another "security through obscurity" procedure, however: a naive
approach may be to use a dictionary localized to your native language
(for example, in my case, French), but that would deter only an attacker
that doesn't do basic research about you, so that advantage is quickly
lost to determined attackers.
One should also note that the entropy of the password doesn't depend on
which word list is chosen, only its length. Furthermore, a larger
dictionary only expands the search space logarithmically; in other
words, doubling the word-list length only adds a single bit of entropy.
It is actually much better to add a word to your password than words to
the word list that generates it.
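The entropy arithmetic above (bits per word, the 72-symbol comparison, the "add a word, not words to the list" rule) and the diceware lookup from dice rolls, as an added Python example that is not code from xkcdpass, diceware or this article. The 36-word list is constructed for the example so that two dice address every entry; `dice_needed` and `entropy_report` are names chosen here.

```python
"""Word-list passphrases: entropy arithmetic and diceware-style lookup.

Added example; it is not code from xkcdpass, diceware or the article.
The word list below is a constructed 36-entry list (6**2) so that two
six-sided dice address every word; a real list would be the 7776-word
EFF list or the 8192-word diceware default discussed above.
"""
import math
import secrets

# Constructed 36-word list: index = (die1 - 1) * 6 + (die2 - 1).
WORDS = [
    "abate", "bilge", "conduct", "dummy", "edelweiss", "estop",
    "flexitime", "gamut", "harbor", "ingot", "jovial", "kelp",
    "lyric", "mixing", "ninety", "oxide", "pebble", "quartz",
    "rejoin", "strip", "theme", "umbra", "vest", "wake",
    "xenon", "yodel", "zither", "accord", "born", "court",
    "ester", "few", "maple", "aspire", "brook", "bronze",
]


def entropy_bits(choices, count):
    """Bits of entropy in `count` independent uniform picks among `choices`."""
    return count * math.log2(choices)


def dice_to_index(rolls, sides=6):
    """Turn dice rolls (values 1..sides, first die most significant) into a
    0-based list index, the way a diceware table lookup works."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= sides:
            raise ValueError("die value out of range: %r" % (roll,))
        index = index * sides + (roll - 1)
    return index


def dice_needed(word_list, sides=6):
    """Number of dice that exactly address the list, or None when its length
    is not a power of `sides` (a dice lookup would then be biased or fail)."""
    n, size = 0, 1
    while size < len(word_list):
        size *= sides
        n += 1
    return n if size == len(word_list) else None


def passphrase(word_list, words=6, separator=" ", rolls=None):
    """Pick `words` words uniformly at random and join them.

    Without `rolls`, the OS CSPRNG (`secrets`) picks each word, as xkcdpass
    does. With `rolls` (one list of die values per word, e.g. from real
    dice) the words are looked up as diceware does with -r realdice."""
    if rolls is None:
        return separator.join(secrets.choice(word_list) for _ in range(words))
    n = dice_needed(word_list)
    if n is None:
        raise ValueError("list length is not a power of 6; dice lookup is biased")
    if len(rolls) != words or any(len(r) != n for r in rolls):
        raise ValueError("need %d roll sets of %d dice each" % (words, n))
    return separator.join(word_list[dice_to_index(r)] for r in rolls)


def entropy_report(word_list_size, words):
    """Entropy of a `words`-word passphrase from a list of the given size, and
    how many characters drawn from the article's 72-symbol set (upper, lower,
    digits, ten symbols) it takes to match that entropy."""
    bits = entropy_bits(word_list_size, words)
    chars_needed = math.ceil(bits / math.log2(72))
    return {"bits": bits, "equivalent_72_symbol_chars": chars_needed}
```

`entropy_bits(16384, 1) - entropy_bits(8192, 1)` is exactly one bit, while `entropy_bits(8192, 7) - entropy_bits(8192, 6)` is thirteen: doubling the list buys one bit per word, adding a word buys a whole word's worth.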
pass, the standard UNIX password manager, delegates this task to the
widely known pwgen program. It turns out that pwgen has a pretty bad
track record for security issues, especially in the default "phoneme"
mode, which generates non-uniformly distributed passwords. While pass
uses the more "secure" -s mode, I figured it was worth removing that
option to discourage the use of pwgen in the default mode. I made a
trivial patch to pass so that it generates passwords correctly on its
own. The gory details are in this email.
It turns out that there are lots of ways to skin this particular cat. I
was suggesting the following pipeline to generate the password:
head -c $entropy /dev/random | base64 | tr -d '\n='
The above command reads a certain number of bytes from the kernel
(head -c $entropy /dev/random), encodes that using the base64
algorithm and strips out the trailing equal sign and newlines (for large
passwords). This is what Gillmor described as a "high-entropy compact
printable/transferable string". The priority, in this case, is to have a
token that is as compact as possible with the given entropy, while at
the same time using a character set that should cause as little trouble
as possible on sites that restrict the characters you can use. Gillmor
is a co-maintainer of the Assword password manager, which chose base64
because it is widely available and understood and only takes up 33% more
space than the original 8-bit binary encoding. After a lengthy
discussion, the pass maintainer, Jason A. Donenfeld, chose the following
pipeline:
read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
The above is similar, except it uses tr directly to read characters
from the kernel, and selects a certain set of characters ($characters)
that is defined earlier as consisting of [:alnum:] for letters and
digits and [:graph:] for symbols, depending on the user's
configuration. Then the read command extracts the chosen number of
characters from the output and stores the result in the pass variable.
A participant on the mailing list, Brian Candler, has argued that this
wastes entropy as the use of tr discards bits from /dev/urandom with
little gain in entropy when compared to base64. But in the end, the
maintainer argued that "reading from /dev/urandom has no [effect] on
/proc/sys/kernel/random/entropy_avail on Linux" and dismissed the
objection.
Another password manager, KeePass, uses its own routines to generate
tokens, but the procedure is the same: read from the kernel's entropy
source (and user-generated sources in the case of KeePass) and transform
that data into a transferable string.
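The two token pipelines above (the base64 one and pass's tr -dc filter) rebuilt in Python, as an added example that is not the code of pass, Assword or this article. The byte source is injectable so the accounting is reproducible; `fixed_source` is a constructed stand-in for /dev/urandom, and the function names are chosen here. `output_bits_per_input_byte` quantifies Candler's point: the filter throws away every byte that is not in the character set.

```python
"""Compact random tokens: the base64 pipeline versus the tr -dc filter.

Added example; it is not the code of pass, Assword or the article. It
rebuilds the two shell pipelines discussed above and measures how many
kernel bytes each one consumes per character of output.
"""
import base64
import math
import os
import string

# tr's [:alnum:] and [:graph:] under LC_ALL=C: plain ASCII only.
ALNUM = string.ascii_letters + string.digits           # 62 characters
GRAPH = "".join(chr(c) for c in range(0x21, 0x7F))     # 94 characters


def base64_token(n_bytes, source=os.urandom):
    """head -c $entropy /dev/random | base64 | tr -d '\\n='

    All 8 bits of every input byte survive; the output carries 6 bits per
    character. b64encode does not wrap lines, so only '=' needs stripping."""
    raw = source(n_bytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def filtered_token(length, charset=ALNUM, source=os.urandom):
    """read -r -n $length pass < <(LC_ALL=C tr -dc "$charset" < /dev/urandom)

    Reads one byte at a time and keeps only bytes whose character is in
    `charset`; everything else is discarded. Returns (token, bytes_consumed)
    so the waste is visible."""
    allowed = set(charset.encode("ascii"))
    out = bytearray()
    consumed = 0
    while len(out) < length:
        b = source(1)[0]
        consumed += 1
        if b in allowed:
            out.append(b)
    return out.decode("ascii"), consumed


def token_bits(length, charset_size):
    """Entropy of a uniform token of `length` characters over `charset_size`."""
    return length * math.log2(charset_size)


def output_bits_per_input_byte(charset_size):
    """Entropy the tr -dc filter delivers per kernel byte: a byte is kept with
    probability charset_size/256 and then carries log2(charset_size) bits.
    base64 delivers the full 8 bits of every byte (charset_size == 256)."""
    return (charset_size / 256.0) * math.log2(charset_size)


def fixed_source(data):
    """Constructed, deterministic stand-in for /dev/urandom (for testing)."""
    buf = bytearray(data)

    def read(n):
        if len(buf) < n:
            raise EOFError("constructed source exhausted")
        chunk = bytes(buf[:n])
        del buf[:n]
        return chunk
    return read
```

For [:alnum:] the filter yields about 1.44 bits of output entropy per kernel byte against base64's 8, which is the waste Candler objected to; the tokens it produces are nonetheless uniformly distributed over the character set.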
pwgen software showed. Furthermore, left to their own devices, users will
generate passwords that can be easily guessed by a skilled attacker,
especially if they can profile the user. It is therefore essential that
we provide easy tools for users to generate strong passwords and
encourage them to store secure tokens in password managers.
Note: this article first appeared in the Linux Weekly News.
year | number of bugs closed
2011 | 63
2012 | 28
2013 | 73
2014 | 5
2015 | 150
2016 | 95
dak to preserve .buildinfo files on the local ftp-master filesystem. This is a temporary measure to prevent some "historical" data loss; the files are currently being silently discarded.

__latent_entropy. These functions have their branches and loops adjusted to mix random values (selected at build time) into a global entropy gathering variable. Since the branch and loop ordering is very specific to boot conditions, CPU quirks, memory layout, etc., this provides some additional uncertainty to the kernel's entropy pool. Since the entropy actually gathered is hard to measure, no entropy is credited, but rather used to mix the existing pool further. Probably the best place to enable this plugin is on small devices without other strong sources of entropy.
vmapped kernel stack and thread_info relocation on x86
Normally, kernel stacks are mapped together in memory. This meant that attackers could use forms of stack exhaustion (or stack buffer overflows) to reach past the end of a stack and start writing over another process's stack. This is bad, and one way to stop it is to provide guard pages between stacks, which is provided by vmalloc'ed memory. Andy Lutomirski did a bunch of work to move to vmapped kernel stack via CONFIG_VMAP_STACK on x86_64. Now when writing past the end of the stack, the kernel will immediately fault instead of just continuing to blindly write.
Related to this, the kernel was storing thread_info (which contained sensitive values like addr_limit) at the bottom of the kernel stack, which was an easy target for attackers to hit. Between a combination of explicitly moving targets out of thread_info, removing needless fields, and entirely moving thread_info off the stack, Andy Lutomirski and Linus Torvalds created CONFIG_THREAD_INFO_IN_TASK for x86.
CONFIG_DEBUG_RODATA mandatory on arm64
As recently done for x86, Mark Rutland made CONFIG_DEBUG_RODATA mandatory on arm64. This feature controls whether the kernel enforces proper memory protections on its own memory regions (code memory is executable and read-only, read-only data is actually read-only and non-executable, and writable data is non-executable). This protection is a fundamental security primitive for kernel self-protection, so there's no reason to make the protection optional.
random_page() cleanup
Cleaning up the code around the userspace ASLR implementations makes them easier to reason about. This has been happening for things like the recent consolidation on arch_mmap_rnd() for ET_DYN and during the addition of the entropy sysctl. Both uncovered some awkward uses of get_random_int() (or similar) in and around arch_mmap_rnd() (which is used for mmap (and therefore shared library) and PIE ASLR), as well as in randomize_stack_top() (which is used for stack ASLR). Jason Cooper cleaned things up further by doing away with randomize_range() entirely and replacing it with the saner random_page(), making the per-architecture arch_randomize_brk() (responsible for brk ASLR) much easier to understand.
That's it for now! Let me know if there are other fun things to call attention to in v4.9.
2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
O(n^2) complexity for archive member lookup.
.par files as Zip archives, including a patch which was merged into master.
...debian.org machines. jenkins.debian.net and tests.reproducible-builds.org run. Many thanks to Profitbricks for supporting jenkins.debian.net since August 2012!
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
jenkins.debian.net runs our comprehensive testing framework.
docker command line client is something you can do, but there you leave the gap between dev and ops.
To implement a patch, update the base image and then rebuild the application image. This will require systems and development teams to work closely together. So patching security issues in the container world changes the workflow significantly. In the old world, operations teams mostly rolled security fixes for the base systems independently of development teams.
It's already Dhan Terash so I better pick up the pace if I want to beat my blogging challenge before Diwali so in this post I'll discuss a program I wrote earlier this year.
I dread to look up anything on Wikipedia because I always end up going down a rabbit hole and surfacing hours later on a totally unrelated topic. Case in point, some months ago, I ended up on the page of the title. This is an interesting little experiment illustrating how random selection can result in the evolution of a specific form. The algorithm is:
$ ./weasel
0000 DNCFICBLUZVC JF KKNVJJASCJRW (0)
0001 DNIFICOLUZVC JFLIKNVAJASCJEW (6)
0002 DNNWICKSUZVCRSFLIKNVA ASCJEL (11)
0003 DNNWICKSUZVCRSFLIKNVA ASCJEL (11)
0004 MNNVICKSQZVCRSFLIKNVA WSCJEL (13)
0005 MENVICKSQZVCRSFLIKNVA WSCJEL (14)
0006 MENVISKS ZTCRSFLIKNVA WLCJEL (16)
0007 MENVISKS ZTCRSFLIKNVA WLCJEL (16)
0008 MEDHISKS ZTCISFLIKNVA WLCJEL (18)
0009 MEDHISKS ZTCISFLIKNVA WLCJEL (18)
0010 MEDHISKS ZTCISFLIKNVA WLCJEL (18)
0011 MEDHISKS ZTCIS LIKTKA WLCZEL (19)
0012 MEDHISKS ZTCIS LIKTKA WLCZEL (19)
0013 MEDHISKS ZTCIS LIKT A WLCZEL (20)
0014 MEDHISKS ZTCIS LIKT A WLCZEL (20)
0015 MEDHISKS ZTCIS LIKE A WLAZEL (22)
0016 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0017 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0018 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0019 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0020 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0021 MEDHIGKS ITCIS LIKE A WLAZEL (23)
0022 METHINKS ITCIS LIKE A WLASEL (26)
0023 METHINKS ITCIS LIKE A WLASEL (26)
0024 METHINKS ITCIS LIKE A WLASEL (26)
0025 METHINKS ITCIS LIKE A WEASEL (27)
0026 METHINKS ITCIS LIKE A WEASEL (27)
0027 METHINKS ITCIS LIKE A WEASEL (27)
0028 METHINKS ITCIS LIKE A WEASEL (27)
0029 METHINKS ITCIS LIKE A WEASEL (27)
0030 METHINKS ITCIS LIKE A WEASEL (27)
0031 METHINKS ITCIS LIKE A WEASEL (27)
0032 METHINKS ITCIS LIKE A WEASEL (27)
0033 METHINKS ITCIS LIKE A WEASEL (27)
0034 METHINKS ITCIS LIKE A WEASEL (27)
0035 METHINKS ITCIS LIKE A WEASEL (27)
0036 METHINKS ITCIS LIKE A WEASEL (27)
0037 METHINKS ITCIS LIKE A WEASEL (27)
0038 METHINKS ITCIS LIKE A WEASEL (27)
0039 METHINKS ITCIS LIKE A WEASEL (27)
0040 METHINKS ITCIS LIKE A WEASEL (27)
0041 METHINKS ITCIS LIKE A WEASEL (27)
0042 METHINKS ITCIS LIKE A WEASEL (27)
0043 METHINKS ITCIS LIKE A WEASEL (27)
0044 METHINKS ITCIS LIKE A WEASEL (27)
0045 METHINKS ITCIS LIKE A WEASEL (27)
0046 METHINKS ITCIS LIKE A WEASEL (27)
0047 METHINKS ITCIS LIKE A WEASEL (27)
0048 METHINKS ITCIS LIKE A WEASEL (27)
0049 METHINKS ITCIS LIKE A WEASEL (27)
0050 METHINKS ITCIS LIKE A WEASEL (27)
0051 METHINKS ITCIS LIKE A WEASEL (27)
0052 METHINKS ITCIS LIKE A WEASEL (27)
0053 METHINKS ITCIS LIKE A WEASEL (27)
0054 METHINKS IT IS LIKE A WEASEL (28)
My program lets you adjust the input string, the number of copies, and the mutation threshold. I also thought it might be interesting to implement the Generator design pattern. In C++ this is done by making a class which implements begin() and end() methods and at least a forward iterator.
You can find the source code on GitHub.
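The same experiment as a Python generator, added here as an example; it is not the author's C++ program. Python's generator protocol stands in for the begin()/end() iterator described above, each generation is yielded as (generation, best string, score) like the trace, and the three knobs the post mentions (target string, number of copies, mutation rate) are parameters. The seed argument is an addition for reproducibility.

```python
"""The weasel program as a Python generator.

Added example; it is not the author's C++ program. Each generation is
yielded as (generation, best_string, score), matching the trace above.
"""
import random
import string

ALPHABET = string.ascii_uppercase + " "
TARGET = "METHINKS IT IS LIKE A WEASEL"


def score(candidate, target):
    """Number of positions at which candidate already matches target."""
    return sum(1 for a, b in zip(candidate, target) if a == b)


def mutate(parent, rate, rng):
    """Copy parent, replacing each character with a random one with probability rate."""
    return "".join(rng.choice(ALPHABET) if rng.random() < rate else c
                   for c in parent)


def weasel(target=TARGET, copies=100, rate=0.05, seed=None, max_generations=20000):
    """Yield (generation, best, score) until the target is reached.

    Each generation makes `copies` mutated copies of the current best string
    and keeps the fittest of the copies and the parent, so the score never
    decreases (the trace above plateaus for many generations but never drops).
    `max_generations` only bounds a pathological run; it is not reached in
    practice with the defaults."""
    rng = random.Random(seed)
    best = "".join(rng.choice(ALPHABET) for _ in target)
    for generation in range(max_generations):
        current = score(best, target)
        yield generation, best, current
        if current == len(target):
            return
        children = [mutate(best, rate, rng) for _ in range(copies)]
        best = max(children + [best], key=lambda s: score(s, target))


def run(**kwargs):
    """Drive the generator to completion and return the whole trace."""
    return list(weasel(**kwargs))


if __name__ == "__main__":
    # Same layout as the ./weasel output above: generation, string, score.
    for generation, best, fitness in weasel(seed=1):
        print("%04d %s (%d)" % (generation, best, fitness))
```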
Install and setup OBS server, api, worker and osc CLI packages

# echo "deb http://httpredir.debian.org/debian experimental main" >> /etc/apt/sources.list.d/experimental.list
# apt-get update

During the install process a MySQL database is needed; if no MySQL server is set up yet, a password needs to be provided.

# apt-get install obs-server obs-api obs-worker osc

# backend services
obsrun     813  0.0  0.9  104960  20448 ?     Ss   08:33   0:03 /usr/bin/perl -w /usr/lib/obs/server/bs_dodup
obsrun     815  0.0  1.5  157512  31940 ?     Ss   08:33   0:07 /usr/bin/perl -w /usr/lib/obs/server/bs_repserver
obsrun    1295  0.0  1.6  157644  32960 ?     S    08:34   0:07  \_ /usr/bin/perl -w /usr/lib/obs/server/bs_repserver
obsrun     816  0.0  1.8  167972  38600 ?     Ss   08:33   0:08 /usr/bin/perl -w /usr/lib/obs/server/bs_srcserver
obsrun    1296  0.0  1.8  168100  38864 ?     S    08:34   0:09  \_ /usr/bin/perl -w /usr/lib/obs/server/bs_srcserver
memcache   817  0.0  0.6  346964  12872 ?     Ssl  08:33   0:11 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
obsrun     818  0.1  0.5   78548  11884 ?     Ss   08:33   0:41 /usr/bin/perl -w /usr/lib/obs/server/bs_dispatch
obsserv+   819  0.0  0.3   77516   7196 ?     Ss   08:33   0:05 /usr/bin/perl -w /usr/lib/obs/server/bs_service
mysql      851  0.0  0.0    4284   1324 ?     Ss   08:33   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     1239  0.2  6.3 1010744 130104 ?     Sl   08:33   1:31  \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
# web services
root      1452  0.0  0.1  110020   3968 ?     Ss   08:34   0:01 /usr/sbin/apache2 -k start
root      1454  0.0  0.1  435992   3496 ?     Ssl  08:34   0:00  \_ Passenger watchdog
root      1460  0.3  0.2  651044   5188 ?     Sl   08:34   1:46      \_ Passenger core
nobody    1465  0.0  0.1  444572   3312 ?     Sl   08:34   0:00      \_ Passenger ust-router
www-data  1476  0.0  0.1  855892   2608 ?     Sl   08:34   0:09  \_ /usr/sbin/apache2 -k start
www-data  1477  0.0  0.1  856068   2880 ?     Sl   08:34   0:09  \_ /usr/sbin/apache2 -k start
www-data  1761  0.0  4.9  426868 102040 ?     Sl   08:34   0:29 delayed_job.0
www-data  1767  0.0  4.8  425624  99888 ?     Sl   08:34   0:30 delayed_job.1
www-data  1775  0.0  4.9  426516 101708 ?     Sl   08:34   0:28 delayed_job.2
nobody    1788  0.0  5.7  496092 117480 ?     Sl   08:34   0:03 Passenger RubyApp: /usr/share/obs/api
nobody    1796  0.0  4.9  488888 102176 ?     Sl   08:34   0:00 Passenger RubyApp: /usr/share/obs/api
www-data  1814  0.0  4.5  282576  92376 ?     Sl   08:34   0:22 delayed_job.1000
www-data  1829  0.0  4.4  282684  92228 ?     Sl   08:34   0:22 delayed_job.1010
www-data  1841  0.0  4.5  282932  92536 ?     Sl   08:34   0:22 delayed_job.1020
www-data  1855  0.0  4.9  427988 101492 ?     Sl   08:34   0:29 delayed_job.1030
www-data  1865  0.2  5.0  492500 102964 ?     Sl   08:34   1:09 clockworkd.clock
www-data  1899  0.0  0.0   87100   1400 ?     S    08:34   0:00 /usr/bin/searchd --pidfile --config /usr/share/obs/api/config/production.sphinx.conf
www-data  1900  0.1  0.4  161620   8276 ?     Sl   08:34   0:51  \_ /usr/bin/searchd --pidfile --config /usr/share/obs/api/config/production.sphinx.conf
# OBS worker
root      1604  0.0  0.0   28116   1492 ?     Ss   08:34   0:00 SCREEN -m -d -c /srv/obs/run/worker/boot/screenrc
root      1605  0.0  0.9   75424  18764 pts/0 Ss+  08:34   0:06  \_ /usr/bin/perl -w ./bs_worker --hardstatus --root /srv/obs/worker/root_1 --statedir /srv/obs/run/worker/1 --id stretch:1 --reposerver http://obs:5252 --jobs 1

Accept dummy certificate and provide credentials (defaults: Admin/opensuse)

$ osc -A https://stretch ls

Create an OBS project for Download on Demand (DoD)

Create a meta project file:

$ osc -A https://stretch:443 meta prj Debian:8 -e

<project name="Debian:8">
  <title>Debian 8 DoD</title>
  <description>Debian 8 DoD</description>
  <person userid="Admin" role="maintainer" />
  <repository name="main">
    <download arch="x86_64" url="http://deb.debian.org/debian/jessie/main" repotype="deb" />
    <arch>x86_64</arch>
  </repository>
</project>

Visit webUI to check project configuration

Create a meta project configuration file:

$ osc -A https://stretch:443 meta prjconf Debian:8 -e

Add the following file, as found at build.opensuse.org:

Repotype: debian

# create initial user
Preinstall: base-passwd
Preinstall: user-setup

# required for preinstall images
Preinstall: perl

# preinstall essentials + dependencies
Preinstall: base-files base-passwd bash bsdutils coreutils dash debconf
Preinstall: debianutils diffutils dpkg e2fslibs e2fsprogs findutils gawk
Preinstall: gcc-4.9-base grep gzip hostname initscripts insserv libacl1
Preinstall: libattr1 libblkid1 libbz2-1.0 libc-bin libc6 libcomerr2 libdb5.3
Preinstall: libgcc1 liblzma5 libmount1 libncurses5 libpam-modules
Preinstall: libpcre3 libsmartcols1
Preinstall: libpam-modules-bin libpam-runtime libpam0g libreadline6
Preinstall: libselinux1 libsemanage-common libsemanage1 libsepol1 libsigsegv2
Preinstall: libslang2 libss2 libtinfo5 libustr-1.0-1 libuuid1 login lsb-base
Preinstall: mount multiarch-support ncurses-base ncurses-bin passwd perl-base
Preinstall: readline-common sed sensible-utils sysv-rc sysvinit sysvinit-utils
Preinstall: tar tzdata util-linux zlib1g

Runscripts: base-passwd user-setup base-files gawk

VMinstall: libdevmapper1.02.1

Order: user-setup:base-files

# Essential packages (this should also pull the dependencies)
Support: base-files base-passwd bash bsdutils coreutils dash debianutils
Support: diffutils dpkg e2fsprogs findutils grep gzip hostname libc-bin
Support: login mount ncurses-base ncurses-bin perl-base sed sysvinit
Support: sysvinit-utils tar util-linux

# Build-essentials
Required: build-essential
Prefer: build-essential:make

# build script needs fakeroot
Support: fakeroot
# lintian support would be nice, but breaks too much atm
#Support: lintian
# helper tools in the chroot
Support: less kmod net-tools procps psmisc strace vim

# everything below same as for Debian:6.0 (apart from the version macros ofc)

# circular dependendencies in openjdk stack
Order: openjdk-6-jre-lib:openjdk-6-jre-headless
Order: openjdk-6-jre-headless:ca-certificates-java

Keep: binutils cpp cracklib file findutils gawk gcc gcc-ada gcc-c++
Keep: gzip libada libstdc++ libunwind
Keep: libunwind-devel libzio make mktemp pam-devel pam-modules
Keep: patch perl rcs timezone

Prefer: cvs libesd0 libfam0 libfam-dev expect
Prefer: gawk locales default-jdk
Prefer: xorg-x11-libs libpng fam mozilla mozilla-nss xorg-x11-Mesa
Prefer: unixODBC libsoup glitz java-1_4_2-sun gnome-panel
Prefer: desktop-data-SuSE gnome2-SuSE mono-nunit gecko-sharp2
Prefer: apache2-prefork openmotif-libs ghostscript-mini gtk-sharp
Prefer: glib-sharp libzypp-zmd-backend mDNSResponder

Prefer: -libgcc-mainline -libstdc++-mainline -gcc-mainline-c++
Prefer: -libgcj-mainline -viewperf -compat -compat-openssl097g
Prefer: -zmd -OpenOffice_org -pam-laus -libgcc-tree-ssa -busybox-links
Prefer: -crossover-office -libgnutls11-dev

# alternative pkg-config implementation
Prefer: -pkgconf
Prefer: -openrc
Prefer: -file-rc

Conflict: ghostscript-library:ghostscript-mini

Ignore: sysvinit:initscripts
Ignore: aaa_base:aaa_skel,suse-release,logrotate,ash,mingetty,distribution-release
Ignore: gettext-devel:libgcj,libstdc++-devel
Ignore: pwdutils:openslp
Ignore: pam-modules:resmgr
Ignore: rpm:suse-build-key,build-key
Ignore: bind-utils:bind-libs
Ignore: alsa:dialog,pciutils
Ignore: portmap:syslogd
Ignore: fontconfig:freetype2
Ignore: fontconfig-devel:freetype2-devel
Ignore: xorg-x11-libs:freetype2
Ignore: xorg-x11:x11-tools,resmgr,xkeyboard-config,xorg-x11-Mesa,libusb,freetype2,libjpeg,libpng
Ignore: apache2:logrotate
Ignore: arts:alsa,audiofile,resmgr,libogg,libvorbis
Ignore: kdelibs3:alsa,arts,pcre,OpenEXR,aspell,cups-libs,mDNSResponder,krb5,libjasper
Ignore: kdelibs3-devel:libvorbis-devel
Ignore: kdebase3:kdebase3-ksysguardd,OpenEXR,dbus-1,dbus-1-qt,hal,powersave,openslp,libusb
Ignore: kdebase3-SuSE:release-notes
Ignore: jack:alsa,libsndfile
Ignore: libxml2-devel:readline-devel
Ignore: gnome-vfs2:gnome-mime-data,desktop-file-utils,cdparanoia,dbus-1,dbus-1-glib,krb5,hal,libsmbclient,fam,file_alteration
Ignore: libgda:file_alteration
Ignore: gnutls:lzo,libopencdk
Ignore: gnutls-devel:lzo-devel,libopencdk-devel
Ignore: pango:cairo,glitz,libpixman,libpng
Ignore: pango-devel:cairo-devel
Ignore: cairo-devel:libpixman-devel
Ignore: libgnomeprint:libgnomecups
Ignore: libgnomeprintui:libgnomecups
Ignore: orbit2:libidl
Ignore: orbit2-devel:libidl,libidl-devel,indent
Ignore: qt3:libmng
Ignore: qt-sql:qt_database_plugin
Ignore: gtk2:libpng,libtiff
Ignore: libgnomecanvas-devel:glib-devel
Ignore: libgnomeui:gnome-icon-theme,shared-mime-info
Ignore: scrollkeeper:docbook_4,sgml-skel
Ignore: gnome-desktop:libgnomesu,startup-notification
Ignore: python-devel:python-tk
Ignore: gnome-pilot:gnome-panel
Ignore: gnome-panel:control-center2
Ignore: gnome-menus:kdebase3
Ignore: gnome-main-menu:rug
Ignore: libbonoboui:gnome-desktop
Ignore: postfix:pcre
Ignore: docbook_4:iso_ent,sgml-skel,xmlcharent
Ignore: control-center2:nautilus,evolution-data-server,gnome-menus,gstreamer-plugins,gstreamer,metacity,mozilla-nspr,mozilla,libxklavier,gnome-desktop,startup-notification
Ignore: docbook-xsl-stylesheets:xmlcharent
Ignore: liby2util-devel:libstdc++-devel,openssl-devel
Ignore: yast2:yast2-ncurses,yast2-theme-SuSELinux,perl-Config-Crontab,yast2-xml,SuSEfirewall2
Ignore: yast2-core:netcat,hwinfo,wireless-tools,sysfsutils
Ignore: yast2-core-devel:libxcrypt-devel,hwinfo-devel,blocxx-devel,sysfsutils,libstdc++-devel
Ignore: yast2-packagemanager-devel:rpm-devel,curl-devel,openssl-devel
Ignore: yast2-devtools:perl-XML-Writer,libxslt,pkgconfig
Ignore: yast2-installation:yast2-update,yast2-mouse,yast2-country,yast2-bootloader,yast2-packager,yast2-network,yast2-online-update,yast2-users,release-notes,autoyast2-installation
Ignore: yast2-bootloader:bootloader-theme
Ignore: yast2-packager:yast2-x11
Ignore: yast2-x11:sax2-libsax-perl
Ignore: openslp-devel:openssl-devel
Ignore: java-1_4_2-sun:xorg-x11-libs
Ignore: java-1_4_2-sun-devel:xorg-x11-libs
Ignore: kernel-um:xorg-x11-libs
Ignore: tetex:xorg-x11-libs,expat,fontconfig,freetype2,libjpeg,libpng,ghostscript-x11,xaw3d,gd,dialog,ed
Ignore: yast2-country:yast2-trans-stats
Ignore: susehelp:susehelp_lang,suse_help_viewer
Ignore: mailx:smtp_daemon
Ignore: cron:smtp_daemon
Ignore: hotplug:syslog
Ignore: pcmcia:syslog
Ignore: avalon-logkit:servlet
Ignore: jython:servlet
Ignore: ispell:ispell_dictionary,ispell_english_dictionary
Ignore: aspell:aspel_dictionary,aspell_dictionary
Ignore: smartlink-softmodem:kernel,kernel-nongpl
Ignore: OpenOffice_org-de:myspell-german-dictionary
Ignore: mediawiki:php-session,php-gettext,php-zlib,php-mysql,mod_php_any
Ignore: squirrelmail:mod_php_any,php-session,php-gettext,php-iconv,php-mbstring,php-openssl
Ignore: simias:mono(log4net)
Ignore: zmd:mono(log4net)
Ignore: horde:mod_php_any,php-gettext,php-mcrypt,php-imap,php-pear-log,php-pear,php-session,php
Ignore: xerces-j2:xml-commons-apis,xml-commons-resolver
Ignore: xdg-menu:desktop-data
Ignore: nessus-libraries:nessus-core
Ignore: evolution:yelp
Ignore: mono-tools:mono(gconf-sharp),mono(glade-sharp),mono(gnome-sharp),mono(gtkhtml-sharp),mono(atk-sharp),mono(gdk-sharp),mono(glib-sharp),mono(gtk-sharp),mono(pango-sharp)
Ignore: gecko-sharp2:mono(glib-sharp),mono(gtk-sharp)
Ignore: vcdimager:libcdio.so.6,libcdio.so.6(CDIO_6),libiso9660.so.4,libiso9660.so.4(ISO9660_4)
Ignore: libcdio:libcddb.so.2
Ignore: gnome-libs:libgnomeui
Ignore: nautilus:gnome-themes
Ignore: gnome-panel:gnome-themes
Ignore: gnome-panel:tomboy

Substitute: utempter

%ifnarch s390 s390x ppc ia64
Substitute: java2-devel-packages java-1_4_2-sun-devel
%else
 %ifnarch s390x
Substitute: java2-devel-packages java-1_4_2-ibm-devel
 %else
Substitute: java2-devel-packages java-1_4_2-ibm-devel xorg-x11-libs-32bit
 %endif
%endif

Substitute: yast2-devel-packages docbook-xsl-stylesheets doxygen libxslt perl-XML-Writer popt-devel sgml-skel update-desktop-files yast2 yast2-devtools yast2-packagemanager-devel yast2-perl-bindings yast2-testsuite

#
# SUSE compat mappings
#
Substitute: gcc-c++ gcc
Substitute: libsigc++2-devel libsigc++-2.0-dev
Substitute: glibc-devel-32bit
Substitute: pkgconfig pkg-config

%ifarch %ix86
Substitute: kernel-binary-packages kernel-default kernel-smp kernel-bigsmp kernel-debug kernel-um kernel-xen kernel-kdump
%endif
%ifarch ia64
Substitute: kernel-binary-packages kernel-default kernel-debug
%endif
%ifarch x86_64
Substitute: kernel-binary-packages kernel-default kernel-smp kernel-xen kernel-kdump
%endif
%ifarch ppc
Substitute: kernel-binary-packages kernel-default kernel-kdump kernel-ppc64 kernel-iseries64
%endif
%ifarch ppc64
Substitute: kernel-binary-packages kernel-ppc64 kernel-iseries64
%endif
%ifarch s390
Substitute: kernel-binary-packages kernel-s390
%endif
%ifarch s390x
Substitute: kernel-binary-packages kernel-default
%endif

%define debian_version 800

Macros:
%debian_version 800

Visit webUI to check project configuration

Create an OBS project linked to DoD

$ osc -A https://stretch:443 meta prj test -e

<project name="test">
  <title>test</title>
  <description>test</description>
  <person userid="Admin" role="maintainer" />
  <repository name="Debian_8.0">
    <path project="Debian:8" repository="main" />
    <arch>x86_64</arch>
  </repository>
</project>

Visit webUI to check project configuration

Adding a package to the project

$ osc -A https://stretch:443 co test ; cd test
$ mkdir hello ; cd hello ; apt-get source -d hello ; cd - ;
$ osc add hello
$ osc ci -m "New import" hello

The package should go to the dispatched state, then to the blocked state while it downloads build dependencies through the DoD link; eventually it should start building. Please check the journal logs if something went wrong or gets stuck.

Visit webUI to check hello package build state

OBS logging to the journal

Check in the journal logs that everything went fine:

$ sudo journalctl -u obsdispatcher.service -u obsdodup.service -u obsscheduler@x86_64.service -u obsworker.service -u obspublisher.service

Troubleshooting

Currently we are facing a few issues with the web UI:
$ LD=afl-gcc CC=afl-gcc AFL_HARDEN=1 make VARIANT=debug test
afl-cc 2.32b by <lcamtuf@google.com>
afl-cc 2.32b by <lcamtuf@google.com>
COMPILE: src/libnsbmp.c
afl-cc 2.32b by <lcamtuf@google.com>
afl-as 2.32b by <lcamtuf@google.com>
[+] Instrumented 751 locations (64-bit, hardened mode, ratio 100%).
AR: build-x86_64-linux-gnu-x86_64-linux-gnu-debug-lib-static/libnsbmp.a
COMPILE: test/decode_bmp.c
afl-cc 2.32b by <lcamtuf@google.com>
afl-as 2.32b by <lcamtuf@google.com>
[+] Instrumented 52 locations (64-bit, hardened mode, ratio 100%).
LINK: build-x86_64-linux-gnu-x86_64-linux-gnu-debug-lib-static/test_decode_bmp
afl-cc 2.32b by <lcamtuf@google.com>
COMPILE: test/decode_ico.c
afl-cc 2.32b by <lcamtuf@google.com>
afl-as 2.32b by <lcamtuf@google.com>
[+] Instrumented 65 locations (64-bit, hardened mode, ratio 100%).
LINK: build-x86_64-linux-gnu-x86_64-linux-gnu-debug-lib-static/test_decode_ico
afl-cc 2.32b by <lcamtuf@google.com>
Test bitmap decode
Tests:606 Pass:606 Error:0
Test icon decode
Tests:392 Pass:392 Error:0
TEST: Testing complete
afl-fuzz -i test/bmp -o findings_dir -- ./build-x86_64-linux-gnu-x86_64-linux-gnu-debug-lib-static/test_decode_bmp @@ /dev/null
$ afl-whatsup sync_dir/
Summary stats
=============
Fuzzers alive : 19
Total run time : 5 days, 12 hours
Total execs : 214 million
Cumulative speed : 8317 execs/sec
Pending paths : 0 faves, 542 total
Pending per fuzzer : 0 faves, 28 total (on average)
Crashes found : 554 locally unique
if ((width <= 0) || (height == 0))
        return BMP_DATA_ERROR;
if (height < 0) {
        bmp->reversed = true;
        height = -height;
}
   5371 Luca Falavigna
   5121 Alexander Reichle-Schmehl
   4401 Ansgar Burchardt
   3928 DAK's auto-decrufter
   3257 Scott Kitterman
   2225 Joerg Jaspert
   1983 James Troup
   1793 Torsten Werner
   1025 Jeroen van Wolffelaar
    763 Ryan Murray

For comparison, here is the number of removals by year for the past 6 years:

   5103 2011
   2765 2012
   3342 2013
   3394 2014
   3766 2015 (1842 removed by auto-decrufter)
   2845 2016 (2086 removed by auto-decrufter)

Which tells us that in 2015, the FTP masters and the decrufter performed on average over 10 removals a day. And by the looks of it, 2016 will surpass that. Of course, the auto-decrufter has a tendency to increase the number of removed items since it is an advocate of "remove early, remove often!". Data is from https://ftp-master.debian.org/removals-full.txt.

Scoreboard computed as:

grep ftpmaster: removals-full.txt | \
  perl -pe 's/.*ftpmaster:\s+//; s/\]$//;' | \
  sort | uniq -c | sort --numeric --reverse | head -n10

Removals by year computed as:

grep ftpmaster: removals-full.txt | \
  perl -pe 's/.* (\d{4}) \d{2}:\d{2}:\d{2}.*/$1/' | uniq -c | tail -n6

(yes, both could be done with fewer commands)