Re: Draft new DFSG
On Sun, Nov 29, 1998 at 10:26:00PM -0800, Joey Hess wrote:
> Dale Scheetz wrote:
> > > * because it implements something inherently unsecure, or is written in such
> > > an insecure manner that fixing it would require a rewrite
> > We have many such programs now.
> Um, really? Could you name a few?
Sendmail (no flames, please). rsh/rlogin. Any out-of-the-box X11
authentication scheme. Any program that can crash because of bad arguments.
Often, the usefulness of such programs outweighs their crappy security when
used judiciously, so we still include them in the distribution. Complete
rewrites would be better, but we don't have time for that.
> > If the package indicates its known insecurities, we have been willing to
> > let folks use it. Isn't that what "freedom" means?
> Someone gave the example of a package to mail them /etc/shadow. Do you
> really think that would belong in debian if I made and packaged it?
Such a program might fall under the label "malicious" instead of "insecure."
Typically, common sense will help us decide borderline issues. It's been a
serious Debian fallacy lately that absolutely everything we do has to be
written down in legalese. The DFSG2 document is too bloated to read, and
"official Debian opinion statements" read like a novel. We don't need a
policy that says "Programs that mail some random user your /etc/shadow file
will not be allowed in the distribution." We simply need to think for a
moment when it comes up and say "Hey, that's a malicious package, and we
shouldn't allow it."
Now, I'm all for allowing that package if there's some non-malicious reason
to e-mail your shadow file around, and it clearly advertises that it does
so. My popularity-contest package mails out possibly-confidential
information about your system, but it loudly warns you first.