[solar@openwall.com: Re: Upload of john 1.7 to experimental]

Javier Fernández-Sanguino Peña jfs at computer.org
Mon Feb 20 16:56:17 UTC 2006 

Another answer...

----- Forwarded message from Solar Designer <solar at openwall.com> -----

From: Solar Designer <solar at openwall.com>
Date: Mon, 20 Feb 2006 17:50:56 +0300
To: pkg-john-devel at lists.alioth.debian.org
Cc: jfs at computer.org
Subject: Re: Upload of john 1.7 to experimental
User-Agent: Mutt/1.4.2.1i

I am directing copies of these messages to pkg-john-devel, but I expect
them to bounce like my previous messages did.  I'd appreciate it if you
get this mailing list setup fixed.

On Mon, Feb 20, 2006 at 10:33:23AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> On Mon, Feb 20, 2006 at 02:56:16AM +0300, Solar Designer wrote:
> > confusion with the cron jobs, etc.
> 
> What confusion regarding cron jobs?

To me, this whole approach is ridiculous.  It is not recommended
anywhere in JtR documentation to automate John runs like that.  Rather,
the system should have a password checker such as my pam_passwdqc
installed and JtR should be used eventually to validate that such
proactive password checker is working as intended.

There are also plenty of implementation details - although things are
not as bad as they were before my initial comments (years ago).

> > I'll comment on a few specific things, though:
> > 
> > +if grep -q '^flags.* mmx' /proc/cpuinfo; then
> > +    exec -a $MYNAME /usr/lib/john/john-mmx $*
> > +else
> > +    exec -a $MYNAME /usr/lib/john/john-any $*
> > +fi
> > 
> > I think this wrapper should be dropped in favor of the runtime fallback
> > feature that John 1.7 implements itself.  For an example of that feature
> > in use, see:
> > 
> > http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john.spec?rev=HEAD
> 
> From what I see there you define CPU_FALLBACK for i386 (in john) and then
> place the john-non-mmx binary in %buildroot%_libexecdir/john. Does john then
> take care of calling 'john-non-mmx' for non MMX systems. Is that correct?

That's correct.

The directory where JtR searches for its fallback binary can be adjusted
in params.h or with -DJOHN_SYSTEMWIDE_EXEC="..." in CFLAGS if needed.

> > +++ john-1.7/debian/patches/amd64.diff
> > 
> > What are these changes for?  If something didn't build otherwise or if
> > there were compiler warnings, I'd appreciate a proper bug report.
> > Otherwise, please drop this patch.
> 
> This stems, IIRC, from bug report #251095:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=251095

Oh, I had fixed the bug described in the original report many years ago -
I think in 1999 - but you were packaging the 1.6 release from 1998, which
is why you still needed to patch it.  (OK, it was my fault that I did
not release 1.7 for this long.  I understand that Debian and many others
didn't want to use development snapshots.)

If that's the only reason for the amd64.diff, then please drop that
patch.  It is buggy in itself (in other ways).

> > Also, I suggest that you obfuscate all e-mail addresses in man pages.
> > This stuff gets on the web, attracting more spam to people.  s/@/ at /
> > for e-mail addresses would do for now.  That's what we're doing in Owl.
> 
> Personal note: obfuscation is usually moot. Most spammers are subscribed to
> mailing lists you and I read and get hold of addresses from there. At least
> that's what I've seen with my spam honeypot.

I don't fully agree with you on this, but it is off-topic for this
discussion.

I'll mention only one quick argument: not all people whose e-mail
addresses you might include in a man page post to public mailing lists
from those same e-mail addresses, if at all.

> > +++ john-1.7/debian/docs
> > 
> > This does not list all of the docs.  In particular, it misses CHANGES
> > and CONTACT.  I understand that you may want to omit INSTALL and LICENSE.
> 
> CHANGES is installed as upstream's changelog  in debian/rules:
> 
>         install doc/CHANGES $(DEB_DESTDIR)/usr/share/doc/john/changelog

Oh, I had missed that.  Thank you.

> I will add CONTACT in.

Thanks.

> As for INSTALL, it is already omitted, and LICENSE is
> included in debian/copyright (which is the mandatory location for that stuff)

Yes, I had noticed that.

> > I've just tried building for linux-x86-mmx with the Debian patches
> > applied - and the package built, albeit with one added warning (because
> > of a bug in a Debian patch).  But I did that on an Owl system.
> 
> The problem seems to be when you try to compile 'linux-x86-mmx' after
> compiling (and cleaning) linux-x86, see attached log.

The bug is yours.  What you are doing is essentially:

make linux-x86-any
make clean
make linux-x86-mmx
make linux-x86-any

Notice that there's no "make clean" between the last two makes - and
that's precisely what causes the last make to fail.  (No idea why you
need to build linux-x86-any twice.)

The compiler warnings are most likely a result of the amd64.diff - they
should be gone once you drop that patch.  If not, please let me know.

Thanks,

-- 
/sd

----- End forwarded message -----

More information about the Pkg-john-devel mailing list