[Pkg-security-team] Maintenance of aircrack-ng

Samuel Henrique samueloph at gmail.com
Thu Oct 20 01:43:46 UTC 2016 

Hi all,

we can fix this when version will be 1.2 stable, in that case
> 1:1.2-0 will be replaced by 1:1.2-1
> (even if I'm not really sure about this)
>

Yeah, the 1.2 release won't fix that problem, i've made some tests here and
"1:1.2-0~beta3-4" > "1:1.2-1".

I don't know, I usually prefer avoiding to commit stuff, because in case
> upstream adds another .gitignore you will have merge conflicts on almost
> every new release.
> I usually do something like:
> quilt pop -a && git stash && git clean -f -d to delete it, and in such
> case it will remain hidden forever.
>

That's an interesting workaround. When you say "upstream adds another
.gitignore", you mean the case of upstream adding only .gitignore (not
.git, because in that case we'll have problems anyway) and mistakenly
shipping it on the tarball, right? In that case, i think we should be
pretty safe from conflicts because this should be pretty rare.


I tried hard to convince Thomas to switch from svn to git and the most I
> managed to get is a git-svn mirror on github.
>
> So I think is safe to add a .gitignore file.
>
> In the unlikely case upstream switches to git, we can merge our
> gitignore file with the upstream one. I have commit rights on upstream.
>

That's nice, i will wait for Gianfranco's reply and then commit a gitignore
containing only the ".pc" folder.
As you're a DM with upload rights to aircrack-ng, i think you can upload it
yourself (this aircrack-ng new release) after reviewing my changes. And if
you don't have the time, then I would ask for Gianfranco's review and
upload.

>From my POV, there's two things left to discuss:
1) The python problem:

> Not 100% sure why the dependency on python, but with quick check I see
> that the current package ships
> /usr/share/doc/aircrack-ng/examples/replay.py which is a python program.
>
I'm not really sure if that script (and others) should be there, and even
if that's ok, do we need to add a python depends just for them? Can we ship
the script and left the python dependency out, as they're not needed for
aircrack-ng usage?

2) The Harkonen tests failure:
Please have a look at https://trac.aircrack-ng.org/ticket/1680 in order to
understand the problem.
There are two possible workarounds (i listed them on the last comment):
* Remove the Harkonen test (which we're doing right now and its bad because
the Harkonen decrypt doesn't work deterministically).
* Remove the fortify hardening flag (which is bad because it will disable
fortify for all the binaries)

The two problems are already ~fixed~ with what i believe are the best
workarounds, if you disagree, please feel free to reply and push your
changes :)

Carlos, by any chance, are you able to get in contact with mdk3's developer
(he's the creator of aircrack, IIRC)? I've tried to send him some patches
but his email address seems to be disabled. If not, is there someone from
the aircrack-ng community who could accept my patches and maybe trigger a
new release of mdk3? I can do more work on it if there's someone willing to
accept them.

Thanks a lot Gianfranco and Carlos, i'm really glad i can help in the
packaging of aircrack-ng.

Samuel Henrique <samueloph>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-security-team/attachments/20161019/4cb53de2/attachment-0001.html>

More information about the Pkg-security-team mailing list