On Tue, 17 Jul 2001, "Jürgen A. Erhard" wrote:
> I actually don't see what all the fuss is about: a package was
> uploaded, and was buggy. Big deal. Happens all the fuckin time.

No, like this it does not. The problem is NOT the fact that buggy stuff was uploaded -- that indeed happens far more than it should. Maybe we should have a hall of shame to award bad karma points to people not responsible enough to at least minimally test (i.e. install) the packages they upload. But that's a flamewar for another time, and I digress.

The problem is that crap from an untrusted source was UPLOADED (and installed?) into the archive. I'll not flame the ftp masters if the stuff really got installed; they're overworked as it stands and I don't recall "last security bastion" being in their job description (but do please correct me if it is). But I *will* hold the sponsor at fault for it. And the prospective NM for not even reading the damn docs and running his packages through lintian, too, I should add (yes, I am one of those who would want their NMs to learn packaging before applying as packagers).

The only reason I did not (and will not) bother to try to find out who the sponsor was is that we didn't have guidelines (let's not bother about how wise it is to upload code that runs as root on god-knows-how-many machines unverified, only because no docs said not to do it), and it is (no matter how improbable) indeed possible this person actually had a good excuse for doing it. An excuse such as an unconscious desire to force sponsoring guidelines to be written, added to the good will to give us a bit more prime flamewar fuel, a severe lack of sleep, and not enough remaining brain power/experience to warn oneself not to upload when sleepy... but I digress yet again.

> Isn't it called "unstable"?

It's called "unstable", not "root-kit delivery device". Uploading unverified (i.e. not checked at all), untrusted (i.e. not from a registered Debian maintainer as far as the Debian project is concerned) stuff that runs as root to the Debian archive is *NOT* a joke.

> PS: This is *very* reminiscent of the old NM flamewar...

Indeed. Guess what? It will not make the problem go away this time either.

Well, I am in need of sleep, or I'd not even have bothered to write this ;) At least it happened to common buggy crap, and not a trojan. Let's not make little of this, and honour the trouble we went through to verify that nothing was tampered with the last time we had a security breach.

Mr. Sponsor, do not do it again. Mr. NM, get out of our sights for 1 month and learn to package well while at it -- we all will be better off if you do. Mr. hmh, go to bed; you're ranting again.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all
and in the darkness grind them. In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Henrique Holschuh
Attachment: pgpOqZ8EHlm80.pgp (PGP signature)