[Pkg-security-team] Maintenance of aircrack-ng

Thu Oct 20 06:06:07 UTC 2016

>Yeah, the 1.2 release won't fix that problem, i've made some tests here and "1:1.2-0~beta3-4" > "1:1.2-1".

$ dpkg --compare-versions "1:1.2-0~beta3-4" gt "1:1.2-1" && echo yes
yes

sad

>That's an interesting workaround. When you say "upstream adds another .gitignore", you mean the case of upstream adding only .gitignore (not .git, because in that >case we'll have problems anyway) and mistakenly shipping it on the tarball, right? In that case, i think we should be pretty safe from conflicts because this should >be pretty rare.

exacly, and with the world moving to git is not rare anymore :)
(but this isn't a real problem, and you get merge failures when the .gitignore changes upstream)

>That's nice, i will wait for Gianfranco's reply and then commit a gitignore containing only the ".pc" folder.
>
>As you're a DM with upload rights to aircrack-ng, i think you can upload it yourself (this aircrack-ng new release) after reviewing my changes. And if you don't >have the time, then I would ask for Gianfranco's review and upload.

feel free to do whatever you prefer :)

>From my POV, there's two things left to discuss:
>
>1) The python problem:
>I'm not really sure if that script (and others) should be there, and even if that's ok, do we need to add a python depends just for them? Can we ship the script and >left the python dependency out, as they're not needed for aircrack-ng usage?

it might make sense, and Python is somewhat installed almost everywhere already (I mean, I don't
think there is an user needing only aircrack-ng in a almost empty system, and needs that single
Python script)
>Please have a look at https://trac.aircrack-ng.org/ticket/1680 in order to understand the problem.
>
>There are two possible workarounds (i listed them on the last comment):
>
>* Remove the Harkonen test (which we're doing right now and its bad because the Harkonen decrypt doesn't work deterministically).
>
>* Remove the fortify hardening flag (which is bad because it will disable fortify for all the binaries)
>The two problems are already ~fixed~ with what i believe are the best workarounds, if you disagree, please feel free to reply and push your changes :)

there is a patch on that track (github issue), did you try it?
You already know this, but:
Disabling a test means that in the real world this use-case will make the program segfault
(I don't know how many people will need such code).
Disabling hardening seems bad, but not so much as disabling the test.

Asking for advices on -mentors or whatever might help you in finding the root cause and fix it
(also bisecting the issue with git bisect might help)

>Carlos, by any chance, are you able to get in contact with mdk3's developer (he's the creator of aircrack, IIRC)? I've tried to send him some patches but his email >address seems to be disabled. If not, is there someone from the aircrack-ng community who could accept my patches and maybe trigger a new release of mdk3? I can do >more work on it if there's someone willing to accept them.

thanks

>Thanks a lot Gianfranco and Carlos, i'm really glad i can help in the packaging of aircrack-ng.

thanks to you, lets hope to upload soon :)

G.