[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposal for removal of mICQ package



>>>>> In article <20030214094725.GB1208@krikkit.ukeer.de>, Rico -mc- Gloeckner <debian@ukeer.de> writes:

 > On Fri, Feb 14, 2003 at 02:54:44AM -0600, Manoj Srivastava wrote:
 >> Fine. This particular cracker hid a poison pill in the program,
 >> which would attempt to evade developer checks, and, at a point in
 >> time, trigger to deny the use the services of the program. Denial
 >> of services trojan, rahter cleverly disguised.

 > No. Its not a poisonpill.

	Oh? 

 > It just refuses to work if it cant give an extrabit of verbosity
 > that the developer needs to debug it.

	Bullshit. It was deliberately obfuscated, targeted towards
 Debian users, and time delayed to pass through normal testing.

 >> Still, the upstream is a cracker, and next time, he'll do worse.

 > Stop being ridiculous.  You are doing acussations which are simply
 > silly.  You are turning this into a flamewar against Upstream and
 > that is becoming more annoying than anything what Upstream did.

	   I am silly? You want to ignore a denial of service poison
 pill, and you think I am being silly? What is this, and old boy
 cracker club? We'll hit our users with a denial of service attack in
 a pissing contest and we'll then just kiss and make up? The hell
 with the users and the social contract? 

	Are we out to send the message that the Debian project feels
 denial of service poison pills are funny? Not to take this
 distribution seriously, since it is likely to be just a bunch of
 unprofessional, or incompetent hacks who don't care two hoot about
 security? (yes, I am annoyed).

 > I get the impression you feel *personally* *offended* by the damage
 > you see done by upstream to the debian project.

	Hell yes I am offended by the attack on the debian users and
 on the reputation of the project. What kind of message are *YOU*
 sending - that the Debian project ought not to care about pe0ple who
 hide malicious code in the program that at a certain time causes the
 program to stop working? We should think denial of service attacks
 are funny ha-ha and cool hacks? Whatever happened to the social
 contract? 

 > Although iam not backing Ruediger up in this case - the Debian
 > Project does not only consist of the Debian maintainer only, there
 > could have happend a lot of talk to prevent all what happened now -
 > i do not see how removing the Package would do the Users any good.

	We have to yank the package until we know there are no other
 such cool hacks waiting to hit our users again. Who knows who else he
 may have gotten mad at in the past and included other such brilliant
 pieces of hackery, just waiting to be triggered? Who knows whom he
 may get mad at in the future? 

	Or are you standing up to legeally indemnify all parties for
 future damage caused by someone we know to be unstrustworthy?

	Once the code has been audited, we may put it back in the
 project, perhaps with a big notice in README.Debian.

 > It does not help the debian project if people imply destructive
 > behaviour on Ruediger.

	I am implying nothing. The facts speak for themselves -- he
 did cause a loss of service to debian users.

	manoj
-- 
The profession of book writing makes horse racing seem like a solid,
stable business. John Steinbeck [Horse racing *is* a stable business
...]
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



Reply to: