On Sun, Nov 29, 2015 at 7:07 PM, Christoph Anton Mitterer wrote:
> Left aside, that NTP by itself isn't secured in any way (i.e.
> cryptographically)... people could in principle set up a VPN to a NTP
> server they know they can trust.

Please go write SecureNTP then.

> But even if that isn't done, I don't see how using the debian pool
> helps.
> If the DHCP advertises its own evil NTP server, then that will be
> used. At least ifupdown does so (network manager interestingly seems to
> ignore that part of DHCP).

Then you shouldn't use the Debian ntp package or any other Debian package at all for that matter.

> This doesn't mention that it only applies to issues at Debian, or to
> issues that can easily be fixed.
> It also doesn't state that it would apply to code security issues (i.e.
> buffer overruns or so).

Like I said, the security tag is for now removed because I am not going to deal with it as a security issue until you defend it to your peers. I am not interested in looking at it because I am far beyond my tolerance threshold with your behavior. It is up to you to change that.

> The only thing negative I can find in my mail is
> "Security-ignorance at it's finest o.O"
> which simply describes the fact that this issue is apparently ignored
> in Debian (based already on the fact that the security-tag is removed).
> It doesn't claim anything about you, whether you're smart, stupid,
> friendly, hostile or anything else.

Clearly prior behavior plays a huge role here.

>> Good work, should be excellent justification for your CVE request
>> (with real details of course)!
> AFAIU, people couldn't just directly request CVEs, can they?
> I thought that needs to happen via a CNA, which Debian, to my knowledge,
> was one.

CNAs only issue ids for non-public issues. Absolutely anyone can and should send CVE requests to oss-sec for issues that are already public.

> Anyway. I wasn't aware that only security issues with a CVE may be
> recorded and marked as such in the Debian BTS.

That is not true. But like I said, I am not interested in dealing with your negativity any more, so please make your case to others.

Best wishes,
Mike

