
Re: setuid/setgid binaries contained in the Debian repository.



On Sun, 3 Aug 2003 23:52:57 -0400, Joey Hess <joeyh@debian.org> said:

> Manoj Srivastava wrote:
>> Policy can make it so that packages are not accepted into Debian
>> unless you hop through certain hoops. Like making sure the upload
>> has a signature. Or that it has an entry in the override file.

> No, those have nothing to do with policy and are implemented solely
> at the ftp master's discretion. If I had intended to "gate" setuid
> binaries from debian, I would have posted to debian-cabal, not
> debian-devel.

	If it is policy to prevent setuid programs from getting into the
 archive without consensus on the devel list, I am sure ftp admin
 would have no difficulty implementing the solution.

	I am sorry for having believed that the proposed draft meant
 what it seemed to say, given that it would have, with everyone
 agreeing, gone into the policy document as it stood -- making it a
 bug not to have achieved consensus on -devel.

>> Are you saying that the review was not discussed as a gating
>> mechanism? If that is the case, then I admit I, for one, was
>> fooled.
>>
>> Message-ID: <20030801151852.GB15502@alcor.net> Message-ID:
>> <20030801153312.GA23610@uk.intasys.com>
>> >> All set[ug]id setups should be reviewed before they go into the
>> >> archive.

> Manoj, you have misquoted Matt here. After the word "archive", he
> put not a period, but the rest of his sentence. If you read the
> whole thing:

>   I absolutely support this idea.  All set[ug]id setups should be
>   reviewed before they go in the archive, and I volunteer to do the
>   review (though I hope that others will help).  Does this need a
>   proposal to go into policy with the same force as the existing
>   pre-depends verbiage?

	Does in no way change the point I made in my excerpt: given
 the language of the policy diff, it is not unreasonable to think that
 the should is meant in policy terms.  As I said, I sure was
 fooled.  I guess I am just perverse.

> Matt is here, I believe, expressing a heartfelt opinion that it would
> be good for us to find security problems before they become *our*
> security problems. Moreover he's volunteering to do work. If his use
> of "should" was not satisfactory, well, he was not making a formal
> policy proposal either. I'm willing to cut people who do work a lot
> more slack than those who impede it.

	As I have said before, I have no beef with programs being
 audited. My point, from the beginning, was that the proposal seemed
 to talk about consensus on the list, and seemed to state it was a bug
 not to have achieved such a consensus.

	Rather than telling me that program permissions were packaging
 matters, I could simply have been told that the language of the draft
 was not to be interpreted in terms of the policy document.

	Despite your belittling comments, one of the tasks I have
 undertaken is to ensure the quality of the policy document; and this
 was supposed to be a draft of a policy change. However, I am used to
 having work on policy being considered mere bureaucracy, and
 impediments in the way of the worker bees. So be it.

>> The idea is not to only be nice and friendly to yes men, but also
>> to be able to discuss rationally with people who do not share your
>> view, without bringing in ridiculously insulting strawmen like
>> hopping on one foot.

> One of my rules of thumb is to stop replying to threads when my
> opponents resort to terms they learned in debating class, or to
> misquoting, since nothing good ever comes of it. Bye.


	Disparaging remarks from you are kosher, but terms from
 debating class (since I never took any, I can only suppose you mean
 strawmen) are not. Fine. Your call.

	manoj
-- 
The destruction of the Berlin wall marked history's first feminine
revolution: There had been no violence and when it ended everybody
went shopping.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C