Discussion:
Bug#945478: scanlogd: wrong patch, wrong copyright, new upstream release 2.2.7
Andreas Beckmann
2019-11-25 17:40:01 UTC
Source: scanlogd
Version: 2.2.5-3.3
Severity: serious
Control: submitter -1 <***@openwall.com>

[ Turning the private messages into a public bug report with submitter's
consent. ]
[ RC severity for DFSG violations (wrong copyright file) ]

-------- Forwarded Message --------
Subject: Debian scanlogd package
Date: Mon, 25 Nov 2019 16:04:15 +0100
From: Solar Designer <***@openwall.com>
To: Michael Vogt <***@debian.org>, Scott Kitterman
<***@kitterman.com>, Andreas Beckmann <***@debian.org>, Joao Eriberto
Mota Filho <***@debian.org>

Hi,

Can one of you please update the scanlogd package in Debian to current
upstream version 2.2.7, and drop the patching of CLK_TCK to
CLOCKS_PER_SEC, which is a subtly wrong workaround previously applied in
the Debian package. The actual correct value can only be reliably
determined at runtime (which version 2.2.7 does), and besides
CLOCKS_PER_SEC is for clock(3) whereas we use times(2).

As upstream author, I am getting occasional problem reports about the
Debian package, and I wonder whether issues are introduced by effects of
the above change on some systems (in particular, non-x86, where these
constants in the kernel are more likely to differ).

Debian's patching of the historical Phrack article is especially weird,
and is a misattribution of your newer changes to me. Please revert
those edits (e.g. take the original article off the scanlogd homepage).

While at it, please update "copyright" to reflect scanlogd's current
license (it's changed since someone copied the old one into that file).

Thanks,

Alexander
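
The unit mismatch described in the message above, as an added C example that is not part of the original thread or of scanlogd's source: it queries the tick rate of times(2) at run time with sysconf(_SC_CLK_TCK) and compares it with CLOCKS_PER_SEC, the unit of clock(3). The 3-second window and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>        /* CLOCKS_PER_SEC: the unit of clock(3) */
#include <unistd.h>      /* sysconf(), sleep() */
#include <sys/times.h>   /* times(2) */

/* Tick rate of the values returned by times(2), queried at run time. */
long ticks_per_second(void)
{
    return sysconf(_SC_CLK_TCK);
}

/* Express a window of `seconds` in ticks for a given tick rate `hz`. */
long window_ticks(long hz, long seconds)
{
    return hz * seconds;
}

/* Ticks counted by times(2) while sleeping; -1 if times() fails. */
long ticks_during_sleep(unsigned seconds)
{
    struct tms unused;
    clock_t start = times(&unused);
    if (start == (clock_t)-1) return -1;
    sleep(seconds);
    clock_t end = times(&unused);
    if (end == (clock_t)-1) return -1;
    return (long)(end - start);
}

int main(void)
{
    const long window_s = 3;   /* hypothetical detection window, in seconds */
    long hz = ticks_per_second();
    long elapsed = ticks_during_sleep(1);
    if (hz <= 0 || elapsed < 0) {
        perror("sysconf/times");
        return 1;
    }
    printf("times(2) tick rate (runtime): %ld/s\n", hz);
    printf("CLOCKS_PER_SEC (clock(3)):    %ld/s\n", (long)CLOCKS_PER_SEC);
    printf("1 s sleep = %ld ticks: %.3f s by runtime rate, %.6f s by CLOCKS_PER_SEC\n",
           elapsed, (double)elapsed / hz, (double)elapsed / CLOCKS_PER_SEC);
    printf("%ld s window: %ld ticks (runtime) vs %ld ticks (CLOCKS_PER_SEC)\n",
           window_s, window_ticks(hz, window_s),
           window_ticks((long)CLOCKS_PER_SEC, window_s));
    return 0;
}
```

Any threshold compared against times(2) deltas has to be scaled by the runtime value; a compile-time constant only matches when it happens to equal the tick rate the running kernel exposes.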
Debian Bug Tracking System
2019-11-25 17:40:02 UTC
Bug #945478 [src:scanlogd] scanlogd: wrong patch, wrong copyright, new upstream release 2.2.7
Changed Bug submitter to '<***@openwall.com>' from 'Andreas Beckmann <***@debian.org>'.
--
945478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945478
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Andreas Beckmann
2019-11-25 18:30:02 UTC
-------- Forwarded Message --------
Subject: Re: Debian scanlogd package
Date: Mon, 25 Nov 2019 17:58:04 +0100
Post by Andreas Beckmann
As upstream author, I am getting occasional problem reports about the
Debian package, and I wonder whether issues are introduced by effects of
the above change on some systems (in particular, non-x86, where these
constants in the kernel are more likely to differ).
A user has just reported that building 2.2.7 from source made the
problem (of not detecting scans) go away. This is on ARM.

Alexander
Andreas Beckmann
2019-11-25 18:30:02 UTC
-------- Forwarded Message --------
Subject: Re: Debian scanlogd package
Date: Mon, 25 Nov 2019 16:07:46 +0100
Post by Andreas Beckmann
Can one of you please update the scanlogd package in Debian to current
upstream version 2.2.7, and drop the patching of CLK_TCK to
CLOCKS_PER_SEC, which is a subtly wrong workaround previously applied in
the Debian package. The actual correct value can only be reliably
determined at runtime (which version 2.2.7 does), and besides
CLOCKS_PER_SEC is for clock(3) whereas we use times(2).
More on this issue:

https://www.openwall.com/lists/xvendor/2006/04/17/1

Debian's wrong fix made instead of simply updating to new upstream
version at the time (would be 2.2.6):

scanlogd (2.2.5-2.1) unstable; urgency=medium

* Non-maintainer upload during BSP.
* Substitute CLK_TCK with CLOCKS_PER_SEC in scanlogd.c and P53-13 to avoid
FTBFS with new glibc. (Closes: #421085).
* Use now dh_installman instead of dh_installmanpages
Post by Andreas Beckmann
As upstream author, I am getting occasional problem reports about the
Debian package, and I wonder whether issues are introduced by effects of
the above change on some systems (in particular, non-x86, where these
constants in the kernel are more likely to differ).
Debian's patching of the historical Phrack article is especially weird,
and is a misattribution of your newer changes to me. Please revert
those edits (e.g. take the original article off the scanlogd homepage).
While at it, please update "copyright" to reflect scanlogd's current
license (it's changed since someone copied the old one into that file).
Thanks,
Alexander
Mike Gabriel
2021-02-22 11:40:02 UTC
Hi Michael,
I am currently working on hardening some servers for a customer and
the customer asked for a portscan detection tool on their machine.
I have used scanlogd in the (very) past and have today returned to
scanlogd in Debian. It seems the package is in some not-quite-right
state and its upstream version is outdated.
Would you mind if I step in, do an upstream release bump, fix all
packaging formalisms and upload (maybe as co-maintainer under
Uploaders: field)?
I'll have to see if the customer steps in and pays for the work involved...
Feedback? Comment?
Mike
I have now uploaded scanlogd 2.2.7-0.1 as an NMU with a 5-days delay.

As there has never been a VCS repo for this package, I created one [1]
and imported all previous versions of the package that I could find on
snapshot.debian.org.

Greets,
Mike (aka sunweaver)

[1] https://salsa.debian.org/debian/scanlogd/
--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: ***@debian.org, http://sunweavers.net
Debian Bug Tracking System
2021-02-27 12:00:02 UTC
Your message dated Sat, 27 Feb 2021 11:50:31 +0000
with message-id <E1lFy7D-000B4U-***@fasolo.debian.org>
and subject line Bug#945478: fixed in scanlogd 2.2.7-0.1
has caused the Debian Bug report #945478,
regarding scanlogd: wrong patch, wrong copyright, new upstream release 2.2.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
945478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945478
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems