Archive for September, 2006

Adding automatically ez_setup in your SVN repository


For users who don’t yet have setuptools installed (or have too old a version), or who want to include a copy of ez_setup.py in their package distribution, here is the one true way. This method is already documented on Phillip J. Eby‘s setuptools pages, but it’s buried in the middle and I keep forgetting how to do it. So here it is:

First, go to the root (trunk) of your project and edit the properties of your SVN folder with the following command:

svn propedit svn:externals .

This will open your favorite text editor where you’ll put the following line:

ez_setup svn://svn.eby-sarna.com/svnroot/ez_setup

Then do an svn ci followed by an svn update, and you’re all set!
Note: If you use the find_packages method in your project, you’ll have to explicitly exclude the ez_setup folder. Edit your setup.py file to add:

from setuptools import setup, find_packages

setup(
    # keep the ez_setup checkout out of the distributed packages
    packages=find_packages(exclude=['ez_setup']),
)

Security monitoring of Debian alerts is less than practical


I was looking for a command-line program that would let me check whether a Debian system
was up to date against all the official security announcements (DSAs), something like the glsa-check program available on Gentoo systems.

I found only two, and neither is really useful:

  • forgotten_name: It works, but the bad point is that the inner working is to test the upgrade for ALL packages, which is quite slow…
  • tiger: They cheated a little, as they made a “static” file used to compare to a filesystem.

So I decided to make my own. Alas, the people responsible for Debian security
don’t seem to provide any easy, reliable way to get the DSAs.

Here are the different possibilities, and why they’re hard/impossible to use:

  • There’s a “search engine” that is supposed to let you search for CVE entries, but it doesn’t work (has it ever worked?) and now you only get the message “Debian Search disabled”.
  • You can get the “latest” security alerts (DSAs) from the Debian security page, even in RDF format. That would be cool, except:
    • It’s just the 15 (or fewer) most recent alerts
    • The contents are just a title, a link, a two-word description and the issue date
  • There is the security-announce mailing list. Not really practical.

To work around the 15-entry limit of the distributed RDF file, I took the “year” page instead, which gives exactly the same thing but in HTML. A few regexps later, we get the same result as the RDFs, but with the whole list of DSAs (though still not enough information).

Next, to get the detailed data, that is, the affected packages and the corrected version numbers (the most important things), we need to download the corresponding DSA page. For example, for DSA 1174, you would fetch the content of the page http://www.debian.org/security/2006/dsa-1174 .

Here begins the fun. That page has no static structure at all! Many inconsistencies make parsing it unreliable.
Let’s just start with the DSA number: for DSA 1174, the details page calls it 1174-1.

Next, you would think that with the use of templates, that page would have some kind of fixed format. Not at all! The text is not always the same; for example, the phrase ‘has been fixed in’ isn’t always formatted the same way.

As for the affected packages, there is a paragraph named ‘Affected Packages’, which is inconsistent with the packages that are really affected (never more than one package), which can be found later in the page under ‘Fixed in’.

Red Hat is submitting its alerts to OVAL, which uses a really nice format and also provides an interpreter for the language. I saw just one or two messages on the OVAL mailing list about Debian :-(

Another fine new web framework: Clever Harold


Clever Harold is a new Python web framework (yet another one :-) that uses WSGI as its core glue. This lets you define your own stack of elements (sessions, authentication, compression, templates, etc.).
It is really well done (for a 0.1 version) and, compared to other WSGI-based frameworks (like RhubarbTart or Pylons), seems easier to grasp. The big difference (besides being well organized, thanks to Paste) is that it automatically guesses the required modules, so you don’t need to specify them in your source header.
Take a look at it, and don’t forget to register on the mailing list!
