Re: join us!

To: "Kurt Seifried" <seifried@securityportal.com>, debian-devel@lists.debian.org
Subject: Re: join us!
From: Jim Lynch <jim@laney.edu>
Date: Sun, 17 Sep 2000 02:46:50 -0700
Message-id: <[🔎] 200009170946.CAA22199@earth.laney.edu>
In-reply-to: Your message of "Sun, 17 Sep 2000 00:47:19 MDT." <[🔎] 000e01c02073$22167980$6900030a@seifried.org>
References: <[🔎] 20000916233630.A8527@greybeard95a.com> <[🔎] 000e01c02073$22167980$6900030a@seifried.org>

Kurt,

The only "slam" I'll do is that your review came out of nowhere... there
are several things you could have done: 1, you could have actually filed
some bugs against appropriate packages, especially those that kept the
holes open. 2, you were on #debian, you could have clued us in that the
review was coming. If you had at least done (1), and the maintainer slacked,
then I'd say punch and punch hard.

You have made up for this, however, by letting us know a more detailed review
is forthcoming. Maybe I'll get a little team together to go thru your site
and get what we can from it, and file bugs that seem to violate principles.
Umm, thanks for that.

On the -other- hand... you do nothing but bring up good points. Before
the resource of your site, the only things we had to go on were bugtraq,
cert and being slammed by occasional hackers on an individual basis, 
gathering whatever info remained in the aftermath and (again) filing
bugs against packages.

See if you agree:

If I had my way, this idea of a package called base-passwd with lots
of sys accounts, would go -away-. The only way a system account should
be created is if a package gets -installed- that requires it.

I already know what reply I'll get: the base packages need these accounts,
but when you take those away, some still remain, which would be needed if
certain packages outside the base were to be installed.

Then I'll get: but these accounts are standard! To which I'll reply: what
uses them? I don't have package installed for some of them.

Maybe base-passwd should represent a standard of user - user ID pairs and
group - group ID pairs (or tuplets), -without- taking on the specific form
of a passwd/shadow/group/gshadow set of files. Then, if a package -requests-,
the account would be made, but should and would not exist otherwise.

-Jim

---
Jim Lynch       Finger for pgp key
as Laney College CIS admin:  jim@laney.edu   http://www.laney.edu/~jim/
as Debian developer:         jwl@debian.org  http://www.debian.org/~jwl/

Reply to:

Follow-Ups:
- Re: join us!
  - From: "Kurt Seifried" <seifried@securityportal.com>

References:
- Re: join us!
  - From: David Benfell <dbenfell@linuxcare.com>
- Re: join us!
  - From: "Kurt Seifried" <seifried@securityportal.com>

Prev by Date: Re: NM Page info.
Next by Date: why are improperly signed uploads accepted?
Previous by thread: Re: join us!
Next by thread: Re: join us!
Index(es):
- Date
- Thread