
Re: join us!



> Yes I read the update. I'd be happy to review your articles for you, but I
> don't think you should stop at one reviewer. Debian is a very big project
> and I'm still finding my way around parts of it. You may have been in
> contact with Ben Collins. If so I suggest you ask him too.

Yeah, he did email me, not terribly friendly. I think it's rather obvious I
researched the article if I was taking apart files like lilo.conf/etc.

Ben Collins wrote:

"If you would have bothered to check the changelogs for the packages you
noted as having "root hacks in them", you would have noticed that every
daemon you pointed out is not vulnerable to the holes you point out. Here is
a list:"

One question: where is it explicitly stated that Debian backports fixes and
that one needs to read /usr/doc/*/changelog?

I spoke to several friends, comp sci, one with a degree in software
engineering, and they all agree this is a horrible way to do things (the
software engineer went so far as to say "a little piece of me dies every time
someone does something like that"). When I see ProFTPD 1.2.0pre10 I think
"aha, this has a root hack, fixed in 1.2.0rc2". But Debian goes "ProFTPD
1.2.0pre10-revision 4 (or whatever) has the root hack fixed"; of course you
need to read the changelog to figure this out. If more vendors do this (and
unfortunately I am told Caldera does, I haven't confirmed it) life will be a
living hell for people, my Linux digest will be something like:

original source package from ftp.proftpd.net - ProFTPD 1.2.0pre10 has a root
hack, fixed in 1.2.0rc2

Debian ProFTPD 1.2.0pre10 revision 3 has the root hack mentioned above
however fixed in 1.2.0pre10revision 4, revision 5 also fixes some of the
problems that were possible in rc1

Caldera ProFTPD 1.2.0pre10 revision 2 has the root hack, partially fixed in
rev 4, completely fixed in rev 5 (whatever).

RedHat, SuSE, TurboLinux, Mandrake are all shipping 1.2.0rc2.

You see where this leads I think.

As for the "code freeze", well, the code is NOT frozen if Debian is
backporting changes into it; Apache 1.3.9 as shipped by Debian, for example,
is more like a 1.3.9 sort of 10/11/12 but not really. While the argument "we
are not adding new features" can be used, the fact of the matter is that
Debian is making (in some cases significant) changes to code that change
behaviour (like fixing root hacks, cross site scripting vulnerabilities,
whatever).

<not directed at anyone in general>P.S. I am sick and tired of being flamed;
if you feel like it go outside and yell at the sky. It's not like I bother
to read emails with a subject line of "you retard"</>

> regards,
> johno - jos@debian.org

-Kurt
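The disagreement above is about whether a package whose version string still names an old upstream release (the thread's 1.2.0pre10-4) carries the fix that upstream only shipped in 1.2.0rc2. The Python below is an added example written for this archive page; it is not code from either correspondent or from Debian. It contrasts the two ways of deciding: comparing only the upstream part of the version against the upstream fix release, versus reading the package changelog for the revision that backported the fix and comparing full Debian versions (epoch, upstream, revision) with the dpkg ordering rules, where "~" sorts before everything. The changelog text, maintainer address, and entry wording are constructed for the example; the keyword search on entry text is a heuristic, not a Debian mechanism.

```python
"""Decide whether a Debian package version carries a backported fix.

Two verdicts are produced: an upstream-only one (what a scanner keyed on
upstream release numbers reports) and a changelog-aware one that finds the
Debian revision whose entry mentions the fix.  Version ordering follows the
dpkg rules.  The changelog text in SAMPLE_CHANGELOG is constructed.
"""
import functools
import re

_HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)")

# Constructed changelog, newest entry first, in the Debian changelog layout.
SAMPLE_CHANGELOG = """\
proftpd (1.2.0pre10-5) unstable; urgency=low

  * Constructed entry: unrelated packaging change.

 -- Example Maintainer <maint@example.org>  Wed, 13 Dec 2000 12:00:00 +0000

proftpd (1.2.0pre10-4) unstable; urgency=high

  * Constructed entry: backport upstream fix for the remote root hole.

 -- Example Maintainer <maint@example.org>  Mon, 11 Dec 2000 12:00:00 +0000

proftpd (1.2.0pre10-3) unstable; urgency=low

  * Constructed entry: initial packaging of 1.2.0pre10.

 -- Example Maintainer <maint@example.org>  Fri, 01 Dec 2000 12:00:00 +0000
"""


def _order(c):
    """Sort weight of a non-digit character: '~' < end < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit/digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run is the bigger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_changelog(text):
    """Return [(version, entry_body)] in file order; footer lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            entries.append([m.group(2), []])
        elif entries and not line.startswith(" --"):
            entries[-1][1].append(line.strip())
    return [(v, "\n".join(body)) for v, body in entries]


def first_fixed_revision(changelog_text, keyword):
    """Oldest version whose entry mentions keyword (heuristic), or None."""
    hits = [v for v, body in parse_changelog(changelog_text) if keyword.lower() in body.lower()]
    return min(hits, key=functools.cmp_to_key(compare_versions)) if hits else None


def assess(installed, upstream_fix, changelog_text, keyword):
    """Contrast the upstream-only verdict with the changelog-aware one."""
    _, upstream_installed, _ = split_version(installed)
    naive = _verrevcmp(upstream_installed, upstream_fix) < 0
    fixed_in = first_fixed_revision(changelog_text, keyword)
    aware = naive if fixed_in is None else compare_versions(installed, fixed_in) < 0
    return {"upstream_only": naive, "changelog_aware": aware, "fixed_in": fixed_in}


if __name__ == "__main__":
    for v in ("1.2.0pre10-3", "1.2.0pre10-4"):
        print(v, assess(v, "1.2.0rc2", SAMPLE_CHANGELOG, "root"))
```

Run as a script it reports revision 3 as vulnerable under both rules and revision 4 as vulnerable only under the upstream-only rule, which is exactly the mismatch the two correspondents are arguing over: a scanner that never reads /usr/doc/*/changelog cannot tell the two apart.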
