
Re: Proposal for removal of mICQ package



>>>>> In article <20030214094725.GB1208@krikkit.ukeer.de>, Rico -mc- Gloeckner <debian@ukeer.de> writes:

 > On Fri, Feb 14, 2003 at 02:54:44AM -0600, Manoj Srivastava wrote:
 >> Fine. This particular cracker hid a poison pill in the program,
 >> which would attempt to evade developer checks, and, at a point in
 >> time, trigger to deny the use the services of the program. Denial
 >> of services trojan, rather cleverly disguised.

 > No. It's not a poison pill.

	Oh? 

 > It just refuses to work if it can't give an extra bit of verbosity
 > that the developer needs to debug it.

	Bullshit. It was deliberately obfuscated, targeted towards
 Debian users, and time delayed to pass through normal testing.

 >> Still, the upstream is a cracker, and next time, he'll do worse.

 > Stop being ridiculous.  You are doing accusations which are simply
 > silly.  You are turning this into a flamewar against Upstream and
 > that is becoming more annoying than anything what Upstream did.

	   I am silly? You want to ignore a denial of service poison
 pill, and you think I am being silly? What is this, an old boy
 cracker club? We'll hit our users with a denial of service attack in
 a pissing contest and we'll then just kiss and make up? The hell
 with the users and the social contract? 

	Are we out to send the message that the Debian project feels
 denial of service poison pills are funny? Not to take this
 distribution seriously, since it is likely to be just a bunch of
 unprofessional, or incompetent hacks who don't care two hoots about
 security? (yes, I am annoyed).

 > I get the impression you feel *personally* *offended* by the damage
 > you see done by upstream to the debian project.

	Hell yes I am offended by the attack on the debian users and
 on the reputation of the project. What kind of message are *YOU*
 sending - that the Debian project ought not to care about people who
 hide malicious code in the program that at a certain time causes the
 program to stop working? We should think denial of service attacks
 are funny ha-ha and cool hacks? Whatever happened to the social
 contract? 

 > Although I am not backing Ruediger up in this case - the Debian
 > Project does not only consist of the Debian maintainer only, there
 > could have happened a lot of talk to prevent all what happened now -
 > I do not see how removing the Package would do the Users any good.

	We have to yank the package until we know there are no other
 such cool hacks waiting to hit our users again. Who knows who else he
 may have gotten mad at in the past and included other such brilliant
 pieces of hackery, just waiting to be triggered? Who knows whom he
 may get mad at in the future? 

	Or are you standing up to legally indemnify all parties for
 future damage caused by someone we know to be untrustworthy?

	Once the code has been audited, we may put it back in the
 project, perhaps with a big notice in README.Debian.

 > It does not help the debian project if people imply destructive
 > behaviour on Ruediger.

	I am implying nothing. The facts speak for themselves -- he
 did cause a loss of service to debian users.

	manoj
-- 
The profession of book writing makes horse racing seem like a solid,
stable business. John Steinbeck [Horse racing *is* a stable business
...]
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


