
Re: on potato's proftpd



also sprach Nathan E Norman <nnorman@micromuse.com> [2002.04.03.0732 +0200]:
> > well, i am calm, but i disagree. sure, it boils down to the question
> > who debian's audience are, but for all i am concerned, debian's
> > reputation _used_ to include "security", and the reason why i'd (as in
> > "would" and "had") install(ed) debian was because i didn't need to be
> > worrying about the obvious and hence i could spend my resources on
> > other things. had i wanted to patch one-year-old bugs in software that
> > installs from the "security archives", then i might have just chosen
> > to "fly" redhat. i don't understand why you aren't understanding this.
> > i am not at all against finding the real bug as well as investigating
> > why:
> 
> See, paragraphs like this directly contradict your statement above that
> you don't want a flame war.  Debian "used to include security"?
> Apparently you no longer run Debian?  Does this mean you've withdrawn
> your name for the NM queue?

no and no. i will continue to run debian and i'll support the project!
i am just joining in with the group of people who see debian's
reputation and quality not keeping up with what it used to be. i see
no alternative to debian and so i want to prevent this degradation,
simple as that.

i am also not attacking anyone, not even the project. what i wrote is
based on facts and experience, and if at all, then it should give
everyone partaking in the project something to think about.

> Are you willing to abandon the hyperbole and put forward rational
> arguments as to why your solution is best?

because it will prevent s.d.o from serving a buggy package. it's not
fixed perfectly, but at least it's not subject to a known exploit.
it's not the best, but it's IMHO really only beaten by the fix of the
root of the bug *right now*. this fix isn't available, so i suggest
bridging the time until we can patch proftpd properly with a temporary
fix. you know, just so that when i have s.d.o in my sources.list,
i can actually rely on debian as i usually do.

> The temporary patch is, well, temporary.  It only works on a new
> install; otherwise the admin has to examine their config file by hand
> to make the change.

well, we have debconf to help. and postinst scripts can be quite
intelligent...

> Worst of all, since the bug was thought to be fixed but isn't, the
> temporary fix may not in fact prevent the exploit.  If the exploit
> is part of libc globbing code, it may be exploitable in other code,
> not just proftpd.

of course. i am not arguing against that.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
there's an old proverb that says just about whatever you want it to.
