> From: Thorsten Alteholz <ftpmas...@ftp-master.debian.org>
> Date: March 22, 2024 at 20:00:15 GMT+1
> To: Gürkan Myczko <t...@debian.org>
> Subject: ruptime_1.4-1_amd64.changes REJECTED
> 
> 
> Hi,
> 
> after a short glimpse even I already found some issues with this software:
> 
>  If you install ruptime.key as described in README.md, you will get a world 
> readable key file.
>  As this is a symmetric key, everyone who has access to the key on one 
> machine can forge messages on every other machine.
>  I would not say that this can be called "encrypted messages" at all.
> 
>  It uses mcrypt in version 2.6.8 which is from 2009. It uses CBC as default 
> encryption algorithm.
>  Nowadays this is no longer recommended to use.
> 
>  Doing something like
>    echo "/*/*/*/*/*/* asd" |nc localhost 51300 
>  for each core of your ruptimed server makes it really busy.
>  There is no check, no ACL, nothing to prevent this.
> 
> This software might be nice, but there is still some work to do.
> 
>   Thorsten
> 
> 
> 
> ===
> 
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.
> 
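
The world-readable key finding above, as an added example that is not part of the original message or of ruptime: a shell check that a symmetric key file grants nothing to group or other, plus an install step that sets mode 0600. The file names and the umask 022 copy standing in for the README install step are assumptions; the README's actual commands are not shown on this page.

```shell
#!/bin/sh
# Added example: check that a shared symmetric key file is readable by its
# owner only, and install it with a restrictive mode.

# Print the octal permission bits of FILE (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if FILE grants nothing to group or other (mode & 077 == 0).
key_is_private() {
    mode=$(key_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Copy SRC to DEST and set mode 0600 in the same step, instead of relying
# on whatever umask the installing user happens to have.
install_key_private() {
    install -m 0600 "$1" "$2"
}

# Demo on constructed data: a random 32-byte file stands in for the key, and
# creating it under umask 022 is an assumed stand-in for the README install.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 022; head -c 32 /dev/urandom > "$dir/readme-style.key" )
    install_key_private "$dir/readme-style.key" "$dir/hardened.key"
    for f in "$dir/readme-style.key" "$dir/hardened.key"; do
        if key_is_private "$f"; then
            echo "OK    $(key_mode "$f") ${f##*/}"
        else
            echo "WEAK  $(key_mode "$f") ${f##*/}: readable beyond the owner"
        fi
    done
    rm -rf "$dir"
}
demo
```

Because the key is symmetric, the check has to pass on every host that holds a copy; one weak copy exposes the key for all of them.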
