
Re: Open then gates (was: UPG and the default umask)



On Sat, 2010-05-15 at 02:18 +0200, Stefano Zacchiroli wrote:
> Guys, IMHO you really need to stop ranting contentlessly.  Either you
> reply to the technical arguments in favor of the change that have been
> made (e.g. by Russ Allbery in this thread, to which you carefully
> avoided replying thus far), and roll up your sleeves to help fix what
> is broken,


> or you shut up.
So much about "stop ranting"...



> If that's asking too much, please at least understand that messages like
> the ones I've quoted above don't add anything to the discussion, and
> will just piss off people, reducing in general the willingness to
> contribute to Debian. Is that what you want?
Well,... I do not want Santiago to stop his contributions, as he does
excellent work, but I want to have contributions/changes stopped which
thin out security, even if this may only happen in
exotic/rare/unpredictable cases...


An example: We're more and more depending on "utopia" stuff: consolekit,
policykit, and so on.
All of them promise nice features so in principle it's ok to have them
and depend on them.
But I don't trust that all of them are already very mature.

Recently there was a bug in one of them (udisks), which simply offered
dmcrypt keys to any user.
Of course this can happen and we've seen many other security critical
bugs, and this was definitely not the fault of the package's maintainer,
as it was an upstream bug....

... nevertheless it shows how stuff which is primarily there to make the
system more "friendly" or "simplified"... Ubuntu guys would probably
call it an "experience" (wtf...) can be a big danger.

In that specific case,... apart from a changelog entry (which is surely
not read by everybody), there was no info about that extreme security
hole, which would have been very important however, as fixing the code
does not close the hole in that case, as any normal user might have
already copied the keys.


> Finally, I remind you that in Debian in general package maintainers are
> free to take technical choices for the package they maintain;
Well,... this model has not only advantages,... which does not mean that
I suggest to use a different model.
Anyway policy should mandate to use hardened/secure settings whenever
possible.

> if you
> really think the choice is wrong, you should try to convince him that it
> is the case.
Well I've tried, and it seems that personally he'll also stay with
022,... but it seems that it's impossible to "win" against the obvious
majority.



> To that end, mails like the above surely don't help.
Sometimes, outcries are needed.... which does however not mean that
they'll change anything (especially as I'm non-DD).


Cheers,
Chris.
