
Re: mICQ roundup

On Sat, Feb 15, 2003 at 10:36:02PM +0100, Rüdiger Kuhlmann wrote:
> First, some people were calling the code changes I made a trojan, a poison
> pill, or even a DoS attack. I'm not the first to note that this is simply
> not true. It doesn't do anything else than printing a message and exiting.
> It doesn't send your mail to me, it doesn't crash your computer, it doesn't
> keep you from using ICQ. It's not more of a DoS than the korganizer
> package, which is currently uninstallable. Heck, it doesn't even keep you
> from using mICQ, as it told you where to get binaries (okay, i386 only), and
> you could always get the sources from micq.org and build your own package.
> If you want a fruitful discussion, then coming down to the facts is a
> necessity, and those facts don't include trojan, poison pill nor DoS. In
> fact, I only added dead code. It was you who #ifdef'd it in - not knowingly,
> but anyway. So much about it being Debian specific - it isn't. It broke if
> you munged it, i.e. if _you_ broke it. The binaries on mICQ were compiled
> from pristine sources, and they do run fine on Debian. So you can see as
> well that it wasn't targeted at Debian users, but at its maintainer.

That's bullshit, you know. You deliberately obfuscated the check for the
Debian and for the maintainer's name. The code to print the message is
hidden in some undecipherable code. The same code could easily exec 'rm
-f $HOME' for all we can tell with a casual look at the source code.

So this time all you did was print out a message when you determined
that it wasn't the maintainer running the program. Next time perhaps you
will do something far worse when running as the maintainer or perhaps as
somebody else? 

Instead of communicating with the developer and if necessary the Debian
Technical Committee to resolve the problems, you added a trojan to your
program. The trojan was harmless this time. But how can we trust you 
given what you have done, given that you seem to have no regard for
proper process at all? I'm sure I'm not the only developer who can't
trust you now, and it's up to you to prove yourself trustworthy to us,
not the other way around.

> That may or may not be true. What it definitely did was showing a problem in
> the process. 

The process problem was entirely with you, IMHO.

If you just wanted the maintainer to set your EXTRAVERSION string, why
didn't you just make mICQ fail to compile until it was set?

Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
