So Debian Stretch froze packages today, by the time it's out everything will be 4-5 months old

wiki.debian.org/DebianStretch


What are you sad didn't make it in?


all the future bloat of systemd :^)

mesa 17

linux 4.10

Did they reach their 100% reproducible source to binary packages goal?

>tests.reproducible-builds.org/debian/reproducible.html

93.6 percent is pretty good I guess.

Why would you use stable unless you're running a server? Stay on testing.

What's the point of reproducible builds? Who cares if you can prove a binary came from a source that will never be read?

Python 3.6.

They finally transitioned back to ffmpeg. I guess libav will finally die.

Still peeved they build a lot of software against gnutls instead of openssl.

VirtualBox is being completely removed because of Oracle's security policy. It will only be in unstable, which means it won't be eligible for backports (Debian policies are stupid). bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466

An up-to-date version of Firefox and LibreOffice Fresh, as always.

In all seriousness, you barely, if ever, notice the outdated packages. Unless you fap to version numbers, there's little to no reason to have the latest packages. Most of the packages don't offer new features anyways, so it's kind of a waste.

I just wish Snappy/Flatpak were finished already so I can run my Stable version of Debian with the latest version of LO, VLC and Firefox without cluttering the system with unstable dependencies.


Stability. Turning on my laptop in a class and knowing that everything will work as intended, even after updating, is a huge plus.

a decent distro

They have an 'unofficial' official repo for the latest Firefox releases.

mozilla.debian.net/

Wait what
Already?
Didn't Jessie turn stable not too long ago?
Fuck how time goes by.

It doesn't even try to install new packages. Thanks.

What's wrong with gnutls?

fucking LOL

Necessity is the mother of all invention

GnuTLS is just painfully mediocre, it's not a war crime like OpenSSL. So anything that uses it will be using it forever, they won't get the benefit of a god-tier drop-in replacement like LibreSSL :^)

I mean, Google's new oss-fuzz project found many serious issues in gnutls after a few days of fuzzing, it's like it's not even being tested. 1 minor bug in openssl was found.

bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=status:Fixed,Verified Type:Bug-Security proj:openssl,gnutls&colspec=ID Type Component Status Proj Reported Owner Summary&cells=ids

github.com/google/oss-fuzz

If someone wrote a fuzz target for a project like Tox, do you think Google would accept it?

No.

Testing is the worst place security-wise, because you won't get fixes as fast as unstable (from upstream) or stable (patched by debian team).

Packages from unstable are automatically moved to testing after 3 to 5 days (10 days during transition freezes). They will sometimes make exceptions for critical security patches.

During the freeze, stretch security will be bad unless the security team starts patching the frozen packages.

Example:

tracker.debian.org/pkg/ntfs-3g

This has a public PoC out, allowing an unprivileged user to load custom kernel modules. openwall.com/lists/oss-security/2017/02/04/1 (I think this only works if fuse isn't already loaded in lsmod)

It is fixed in stable and unstable but won't be getting into stretch because of the freeze. When will the patching start?

...

Any good reads that you can recommend?

If you want something to question your sanity: GNU coreutils.
If you want something interesting, read glibc, especially its strlen() hack.
If you like very low-level stuff, KolibriOS is really interesting, especially the initialisation sequence.
I've also heard good things about ReactOS and Dolphin, but I haven't had the time to do more than a few skim reads, though from what I can see I'd have to agree.

I don't understand, without knowing the length how can you read more than one byte at a time? Won't you read past the end of the string?

Most of glibc is really ugly and hard to follow

I said this once here but nobody really gave a shit: in strict x86 segmentation, glibc strlen won't work, since you can allocate memory in bytes, like a 5-byte segment at 0x1000; when strlen tries to access an integer at 0x1004, it will segfault.
Today we use paging and have some alignment/allocation "guarantees" from most operating systems, so we know it is safe to access past the null character as long as we are accessing aligned addresses.
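Added example, not code from the thread or from glibc itself: a word-at-a-time strlen in the style of the glibc hack the posts above describe. It reads whole aligned machine words, so it can read bytes past the terminator, which is safe under paging because an aligned word never straddles a page boundary. The `has_zero_byte` bit trick and all names here are my own; `check_against_strlen` is a hypothetical helper that compares it against the libc `strlen` at every alignment offset.

```c
/* Word-at-a-time strlen: scans one machine word per iteration instead of
 * one byte. Constructed for illustration; mirrors the idea behind glibc's
 * strlen, not its actual source. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ONES  ((uintptr_t)-1 / 0xFF)   /* 0x0101...01 */
#define HIGHS (ONES * 0x80)            /* 0x8080...80 */

/* Exact "does any byte of w equal zero" test: a byte that is zero borrows
 * from its high bit when ONES is subtracted, and ~w keeps bytes that were
 * already 0x80..0xFF from producing a false positive. */
static int has_zero_byte(uintptr_t w) {
    return ((w - ONES) & ~w & HIGHS) != 0;
}

size_t fast_strlen(const char *s) {
    const char *p = s;
    /* Byte loop until p is word-aligned; the string may end here. */
    while ((uintptr_t)p % sizeof(uintptr_t) != 0) {
        if (*p == '\0') return (size_t)(p - s);
        p++;
    }
    /* Aligned word loop. Each load lies entirely inside one page, so if the
     * first byte is mapped the whole word is: the read past the terminator
     * cannot fault, and those extra bytes are never interpreted.
     * (glibc can do this cast because it is built without strict aliasing.) */
    const uintptr_t *w = (const uintptr_t *)p;
    while (!has_zero_byte(*w)) w++;
    /* Locate the first zero byte inside the word that contains it. */
    p = (const char *)w;
    while (*p != '\0') p++;
    return (size_t)(p - s);
}

/* Exercise every alignment prologue length and several word counts.
 * Returns 1 if every result matches the libc strlen, 0 otherwise. */
int check_against_strlen(void) {
    char buf[64];
    memset(buf, 'a', sizeof buf);
    for (size_t len = 0; len < 40; len++)
        for (size_t off = 0; off < 8; off++) {
            buf[off + len] = '\0';
            if (fast_strlen(buf + off) != strlen(buf + off)) return 0;
            buf[off + len] = 'a';
        }
    return 1;
}
```

The segmentation objection in the post above is exactly the case this relies on not existing: with byte-granular segment limits there is no guarantee that the rest of an aligned word is addressable.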

You should read the thank you speech Ken Thompson gave for his Turing Award.

[Speech attached]

Thanks, good read.

Nice reply to an award.

25% performance improvement in dictionaries
Now I'm also sad