
Intro + Re: Heads up: Bug#981055: O: john -- active password cracking tool



Hi together,

switching the thread from team+pkg-security@tracker.debian.org to
debian-security-tools@lists.debian.org (in case you're missing the
context for this mail).

Axel Beckert wrote:
> > > john has been orphaned by the MIA team just today:
> > > https://bugs.debian.org/981055
> > 
> > Thanks for the notification. I believe it's a good idea, yes. We'll take
> > care of it.
> 
> Cool, thanks.

It seems as if the previous co-maintainer of john is still interested,
although he did the last upload in 2014. I wrote to him (and Cc'ed this
list) that it is probably a good idea to join the team, too, and
continue his work on the package there. I hope that works out.

Will wait a bit more for feedback from him before moving the john git
repo under the pkg-security-team umbrella.

Nearly full quote due to the list change:
> I imported the upload history from snapshots.d.o and did that QA
> upload last night. I fixed a small number of low hanging fruit bugs,
> just to make sure it is at least in a decent state for bullseye:
> https://tracker.debian.org/news/1224220/accepted-john-180-3-source-into-unstable/
> 
> Nevertheless I didn't (yet) feel competent enough to import 1.9.0
> (quite some new files and functionality) or even the 1.9.0 Jumbo
> thingy Kali already has packaged — which is already requested in at
> least two bug reports against john in Debian and which I'd be happy to
> see in Debian, too.
> 
> The Git repo for that is for now at
> https://salsa.debian.org/debian/john, but feel free to move that under
> the pkg-security-team umbrella on Salsa.
> 
> > > but I do not intend to take over the package maintenance as I'm
> > > sure some of you can do that much better than I can do and the
> > > Kali people already have john 1.9.0 packaged.
> > 
> > I would not mind if you joined pkg-security :-)
> 
> Good point. Thanks for the invitation! Will think about that.

Will join. I'm now subscribed to this list on l.d.o as well as to the
package list on tracker.d.o.

Regarding https://wiki.debian.org/Teams/pkg-security#Introduce_yourself:

I assume most of you already know me as DD with a focus on CLI and TUI
stuff (zsh, screen, aptitude, debian-goodies, autossh, fping, gpm,
mmv, zile, etc.), perl-written tools (ack, debsums, equivs,
dh-dist-zilla, unburden-home-dir, systray-mdstat, etc.) and lean web
browser stuff, again with a focus on text mode and keyboard control
(links2, lynx, dillo, qutebrowser, conkeror, etc.). And maybe you even
know me for the German-written Debian Package Management Book
(https://www.dpmb.org/).

But due to my job as "Network Security Specialist" (and sysadmin :-)
in a CSIRT team, I also have an interest in security-related tools,
especially tools for network security monitoring and forensic
analyses.

E.g. I package ipt_NETFLOW as iptables-netflow-dkms and I'm working
with Sascha Steinbiss (also a pkg-security team member as I saw) on
packaging passivedns — which currently is stuck in a missing-license
issue. *sigh*

I'm also working on a parallel grep for faster log analyses on fast
enough disks without effort-expensive indexing
(https://github.com/ETHZ-IT-SeC/pxzgrep) and on a tool to guess
Unix/Linux distribution releases based on the SSH (and in future
other) banners/versions (https://github.com/xtaran/dist-detect). Both
are still work in progress, but dist-detect is definitely more mature
than pxzgrep (which I think about renaming to just pzgrep once it
supports more than just xzgrep).

I also run multiple Kali Linux installations at home and at work,
ranging from small VMs and Raspberry Pis over my Debian/Kali dual-boot
company laptop to powerful rackmount server hardware. The latter is
mostly used by our pen-testers and auditors while the Raspberry Pis
are often used for malware analyses. (For forensic analyses of
compromised x86 server installations, e.g. with huge hardware RAIDs
where I can't just take out the disks, I prefer Grml Forensic
over Kali, though. Greetings to Mika. :-)

So please add me to pkg-security-team on Salsa.

> Would also have some side effects:
> 
> E.g. there is at least one RC bug (https://bugs.debian.org/976860)
> open against a package of the team (plaso) which I reported and which
> caused plaso to be kicked out of testing. So I'd become kinda
> responsible for that, too. Might have a look at whether the also
> available new upstream release would fix that.

Will definitely work on this. A coworker wants plaso back (and working
:-) in Kali and my boss gave me a bit of time to work on it.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

