
Re: RFS: chkrootkit 0.58b-2



Simon Josefsson <simon@josefsson.org> writes:

> Richard Lewis <richard.lewis.debian@googlemail.com> writes:
>
>> Hi,
>>
>> Would someone be able to sponsor an upload of chkrootkit?
>
> Done.

Thank you!


Unfortunately, I messed up and made one part of the tests too specific, so
it fails on non-amd64. Can we try a 0.58b-3, based on the 3 new commits in
https://salsa.debian.org/pkg-security-team/chkrootkit/

Sorry for this - I believe it will work this time (if not, I will work on
it on Saturday), but I can't test on other architectures (I suppose I will
attempt to understand qemu again).

> I reviewed debian/* and it would be nice if more of the
> debian/patches/* had DEP3 headers and upstreamed as appropriate.

Agree

> It
> seems chkutmp.c and ifpromisc.c (including probably the patch
> debian/patches/87a_ifpromisc-Add-a-return-value.patch) are covered by
> GPLv3+ and not BSD-2-Clause, could you take a look and update
> debian/copyright for this?

Thanks - I have updated debian/copyright for this and some other things
I spotted.

(I'm not sure that that patch is really doing enough to count as
copyrightable, but it makes sense to list it under the same license as the
.c).

> Upstream publish tarballs on insecure ftp:// URLs with no GPG
> signatures.  They do sign the *-m.zip with GPG.  Could you ask them to
> sign the release source code tarball with GPG too?  Or at least move the
> distribution to a https:// URL.

Thanks -- I will do this: the whole website was http until recently, and
they did change that, so hopefully this can be improved (I don't think I
spotted the GPG before).

> I did verify the MD5sum (wtf?!)  against
> ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.md5 as being
> de110f07f37b1b5caff2e90cc6172dd8 so I'm hoping you worked on the same
> tarball.  Maybe we should check the tarball for rootkits :)

I confirm the same md5sum is what I used --- I have also read most of
the code (apart from ifpromisc.c, although I have looked at parts of
this), and checked the diff to the previous upstream version: no
rootkits, but some bugs and issues (not all solved).

Sorry again for the repeat

