Hello,

Don't get me wrong with this bug. I am thankful for your packaging for
Debian. It's just that I (we?) want to avoid upset users, who may
discover that their system isn't as secure as they thought.

On Thu, 2009-12-17 at 11:20 +0100, Jakub Wilk wrote:
> Thanks for your report!
> 
> * Frank Lin PIAT <fp...@klabs.be>, 2009-12-17, 09:59:
> >I am seriously concerned by the fake sense of security that such tool
> >provides (I must say that some other pam modules are scary).
> >
> >For instance, using vlock and libpam-alreadyloggedin on the same machine
> >provides the same level of security as a blank password, if not less.
> 
> Of course, if you take two arbitrary tools, you can always combine them 
> in a nonsensical way.

Installing any two arbitrary tools, with their default settings, should
never expose the system.

(Let me know if you know any, I'll take care of filing bugs.)

>  Why should I care particularly about vlock?

This is not specific to vlock. It's just the one at top of my mind.

It is common for documentation to warn about security risks.

> I thought that Unix software is supposed to assume that users know what 
> they do.

We aren't in the 70s~90s anymore, Debian does target end-users.


> >Please, add appropriate warning to this package description and README.
> 
> Feel free to propose wording, but I really think the current description 
> clearly describes what this software does.

Maybe something like:
 "Security note: The interaction with other programs that leaves
  console sessions active should be considered seriously, this
  especially applies to console screen-saver, like vlock."

I tried to write it in a way which isn't too scary.
You probably want to improve my suggestion, since you probably have a
better understanding of the security implications of this tool than I do.

> >BTW, It is recommended to submit an ITP bug before uploading a new
> >package in the archive, so other DDs can provide feed-back.
> 
> Why do you think I didn't submit one?

I probably made a typo when I searched my debian-devel folder, sorry for
the noise.

Thanks,

Franklin
