From asaf at lingnu.com Mon Jul 5 14:39:18 2010
From: asaf at lingnu.com (Asaf Ohaion)
Date: Mon, 5 Jul 2010 17:39:18 +0300 (IDT)
Subject: [sbopkg-users] using http
Message-ID: <42906.193.106.52.26.1278340758.squirrel@www.lingnu.com>

I could not find an option to use the http protocol instead of rsync.
Is it possible?

--
Asaf Ohaion
Lingnu Open Source Consulting Ltd
09-7655871 (204), 0547-920828
http://www.lingnu.com


From mauro.giachero at gmail.com Tue Jul 6 10:30:50 2010
From: mauro.giachero at gmail.com (Mauro Giachero)
Date: Tue, 6 Jul 2010 12:30:50 +0200
Subject: [sbopkg-users] using http
In-Reply-To: <42906.193.106.52.26.1278340758.squirrel@www.lingnu.com>
References: <42906.193.106.52.26.1278340758.squirrel@www.lingnu.com>
Message-ID:

On Mon, Jul 5, 2010 at 4:39 PM, Asaf Ohaion wrote:
> I could not find an option to use the http protocol instead of rsync.
> Is it possible?
>

AFAIK SBo doesn't offer an HTTP interface to the repository (ok, there are the web pages, but those aren't exactly suited for batch downloads). If you need HTTP access to the repository (damn firewalls...) you could ask the SBo admins to provide it. For example, setting up an http mirror for the git repository _should_ be quite easy, and once that is set up you could use it just like we do for the SB64 repository. Otherwise you could set up a machine that offers the repository as a single archive through http. Or something like that.

If you in any way manage to have a downloadable repository, then adding support to sbopkg isn't that hard:

- choose a protocol name, like "myhttp"
- on lines ~233, ~1011 and ~2386 add "myhttp" to the list of supported protocols
- implement checkout_myhttp_branch() to manage branches (see the other implementations from line 933 on)
- implement myhttp_command() to perform the actual download of the currently selected branch (see the other implementations from line 2283 on)
- add a file in /etc/sbopkg/repos.d to let sbopkg know about your repository.

Good luck

--
Mauro Giachero


From slakmagik at gmail.com Tue Jul 20 02:09:17 2010
From: slakmagik at gmail.com (slakmagik)
Date: Mon, 19 Jul 2010 22:09:17 -0400
Subject: [sbopkg-users] Sbopkg 0.33.2 Released
Message-ID: <20100720020917.GA2580@devbox>

sbopkg 0.33.2 is released. Unfortunately, it's not a very fun release. Here's the change since the last release:

* fix security issue involving unsafe creation of temp{dir,file}

It takes an unlikely series of events but most exploits do. Without this fix or a known secure SBOPKGTMP, it's possible for an attacker to execute an arbitrary shell script as root.

* A user creates /tmp/sbopkg on a system where sbopkg has not yet been installed or run.
* Root installs/runs sbopkg without noticing /tmp/sbopkg's ownership.
* The attacker detects root is running sbopkg.
* The attacker puts arbitrary code in /tmp/sbopkg/sbopkg_updates_tempfile
* Root runs the 'update' function and crosses ll. 744, 745 and 749 (of 0.33.1). The code is executed.

Unfortunately, sbopkg.org and googlecode aren't communicating well at the moment - IIRC, sbopkg.org looks to trunk to update its data and this is in a branch and I don't have access to sbopkg.org, so you'll need to get it directly from googlecode:

http://code.google.com/p/sbopkg/

Alternatively, you can check googlecode for the diff of r836 and apply it. Altalternatively, you can just make absolutely certain that SBOPKGTMP is owned by root and contains nothing it shouldn't before running sbopkg. Fixing this issue one way or another is strongly recommended.

Meanwhile, there's a lot of fun stuff in trunk at the moment. A release shouldn't be too far off but this issue caught us by surprise and it was important to get this addressed quickly.

Also, trunk features a much more aggressive (though maybe not yet complete) fix for this issue, but it's only received *very* cursory testing so anyone wanting to try it out could help a lot.
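The release note above describes the classic fixed-path temp directory problem: a script running as root trusts /tmp/sbopkg even when another user created it first. The following is an added shell example, not sbopkg's code or its actual fix, showing the two defensive checks the note implies: refuse a pre-existing scratch directory unless it is a plain directory owned by the invoking user and not writable by group or others, and prefer an unpredictable directory from mktemp over a fixed name. The function names and the `scratch.XXXXXX` template are illustrative, and the example assumes GNU/BusyBox coreutils for `stat -c` and `mktemp -d`.

```shell
#!/bin/sh
# Added example (not from sbopkg): defensive handling of a scratch directory
# for a script that may run as root. Assumes GNU/BusyBox `stat -c` and `mktemp`.

# check_scratch_dir DIR
# Returns 0 when DIR is safe to use as a scratch directory, 1 otherwise:
#   - DIR must be a real directory, not a symlink (an attacker-placed symlink
#     could redirect writes anywhere),
#   - DIR must be owned by the invoking user (the /tmp/sbopkg scenario is an
#     attacker-owned directory that root later trusts),
#   - DIR must not be writable by group or others (the sticky bit on /tmp does
#     not protect files created inside a directory someone else controls).
check_scratch_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing $dir: not a plain directory" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $dir: owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    # The last two octal digits are the group and other permission sets; any
    # digit with the write bit (2, 3, 6, 7) means someone else can plant files.
    group_other=${mode#"${mode%??}"}
    case "$group_other" in
        *[2367]*)
            echo "refusing $dir: group/other writable (mode $mode)" >&2
            return 1
            ;;
    esac
    return 0
}

# make_scratch_dir [BASE]
# Creates a fresh, unpredictably named directory under BASE (default $TMPDIR
# or /tmp) with mode 0700 via mktemp, so nobody can pre-create it, then runs
# the same sanity check before handing the path back on stdout.
make_scratch_dir() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/scratch.XXXXXX") || return 1
    check_scratch_dir "$dir" || { rmdir "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Usage sketch (kept inside a function so sourcing this file has no side
# effects): obtain a scratch directory, do work, clean up.
demo() {
    scratch=$(make_scratch_dir) || { echo "no usable scratch dir" >&2; return 1; }
    printf 'hello\n' > "$scratch/updates_tempfile"
    rm -rf "$scratch"
}
```

The check deliberately fails closed: a directory that is merely world-readable passes, but any group/other write bit, a symlink, or a foreign owner makes the script stop rather than fall back to the fixed path.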