
Bug#1013361: Fwd: ruptime_1.4-1_amd64.changes REJECTED



This is perfectly fine for me, if it is free software. Feel free to do the changes you want yourself.

If you can't, there is always the Debian consultants page.

From: Gürkan Myczko <gurkan@phys.ethz.ch>
Date: March 25, 2024 at 00:21:38 GMT+1
To: Thorsten Alteholz <ftpmaster@ftp-master.debian.org>
Subject: Re: ruptime_1.4-1_amd64.changes REJECTED

Hi,

after a short glimpse even I already found some issues with this software:
 If you install ruptime.key as described in README.md, you will get a world readable key file.
 As this is a symmetric key, everyone who has access to the key on one machine can forge messages on every other machine.
 I would not say that this can be called "encrypted messages" at all.

It is encrypted to all users on that machine. This is a design choice, and there's now a README.Debian
that describes how to overcome the issue, if it is one for you. It is none to me, nor to the majority of users.

Please have a look at xymon and xymon-client. Not encrypted messages at all, no builtin ACL either; anyone on
the internet can forge messages on every xymon server.

 It uses mcrypt in version 2.6.8, which is from 2009. It uses CBC as the default encryption algorithm.
 Nowadays this is no longer recommended.

This has been fixed with 1.8, no more mcrypt. Now we're with openssl.

 Doing something like
   echo "/*/*/*/*/*/* asd" |nc localhost 51300
 for each core of your ruptimed server makes it really busy.
 There is no check, no ACL, nothing to prevent this.

I was not able to do anything like that; if you look at ruptimed, you can
clearly see this is simply not possible, and never has been.

This software might be nice, but there is still some work to do.

I believe it is indeed nice, compared to the existing rwhod packages in the archive.
Further work will happen, as the software is maintained upstream.

Best,
Alex

  Thorsten
===
Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.
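The first rejection point above concerns a shared symmetric key installed with world-readable permissions. The thread does not reproduce what README.Debian recommends, so the following is an added example (not code from the ruptime project or from either participant) of the check a packager or administrator could run against the installed key file before starting the daemon: it reports whether group or others can read the file and tightens it to owner-only. The key path is a placeholder; substitute wherever the README installs ruptime.key.

```shell
#!/bin/sh
# Added example: verify that a shared symmetric key file is readable only by its owner.
# key_is_private FILE  -> returns 0 when no group/other permission bits are set,
#                         1 when the file is missing or readable by anyone else.
key_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # stat -c '%a' prints the octal mode, e.g. 644 or 1600 (GNU coreutils).
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    # Keep only the last three digits so a setuid/setgid/sticky prefix is ignored.
    mode=${mode#${mode%???}}
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    [ "$group" -eq 0 ] && [ "$other" -eq 0 ]
}

# harden_key_file FILE -> restrict the key to owner read/write (mode 0600).
# Ownership is left alone; run as the user that owns the key (or as root).
harden_key_file() {
    f="$1"
    [ -f "$f" ] || return 1
    chmod 0600 "$f"
}

# check_key_file FILE -> print a human-readable verdict, exit status as key_is_private.
check_key_file() {
    f="${1:-/etc/ruptime.key}"   # placeholder path; use the location from the README
    if key_is_private "$f"; then
        echo "OK: $f is readable by its owner only"
        return 0
    fi
    echo "WARNING: $f is missing or readable by group/others; run: harden_key_file $f" >&2
    return 1
}
```

Typical use is `check_key_file /path/to/ruptime.key` in a postinst or a pre-start hook, followed by `harden_key_file` if the check fails. Tightening the mode only closes the local-read exposure the rejection mail describes; any account that already copied the key can still forge messages until the key is rotated on every host that shares it.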
