Re: on potato's proftpd
On Fri, 2002-04-05 at 21:54, Petro wrote:
> On Thu, Apr 04, 2002 at 06:24:18PM +, Martin WHEELER wrote:
> > Fine. You wear the same size suit from birth to death; me, I'll adjust
> > according to circumstances.
>
> You *like* upgrading 100 servers every few days?

Certainly. Compared to cleaning up the mess after 100 servers get r00ted, or 100 servers get DOS'd, running apt-get upgrade on 100 servers is a walk in the park. Especially since apt-get upgrade on 100 servers could be scripted to run off a secure internal mirror, whereas doing the cleanup might require attention at the console for each of them.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: on potato's proftpd
On Sat, Apr 06, 2002 at 08:48:59AM +, Martin WHEELER wrote:
> On Fri, 5 Apr 2002, Petro wrote:
>
> > You *like* upgrading 100 servers every few days?
>
> You'll have to ask the scripts that do that stuff for me :)

So you don't mind verifying every couple of days that none of your quantity-one software is going to break because a "security fix" changed something?

--
Share and Enjoy.
Re: on potato's proftpd
On Fri, 5 Apr 2002, Petro wrote:
> You *like* upgrading 100 servers every few days?

You'll have to ask the scripts that do that stuff for me :)

--
Martin Wheeler <[EMAIL PROTECTED]> gpg key 01269BEB @ the.earth.li
Re: on potato's proftpd
On Thu, Apr 04, 2002 at 06:24:18PM +, Martin WHEELER wrote:
> On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
> > "Release early; release often."
>
> On Wed, 3 Apr 2002, Petro wrote:
> > NO
> >
> > Measure twice, cut once.
>
> Fine. You wear the same size suit from birth to death; me, I'll adjust
> according to circumstances.

You *like* upgrading 100 servers every few days?

--
Share and Enjoy.
Re: on potato's proftpd
also sprach Andrew Pimlott <[EMAIL PROTECTED]> [2002.04.04.0135 +0200]:
> > this problem is understood by the developers of proftpd
>
> Wichert said that nobody has explained why the current fix on s.d.o
> doesn't work. If the problem is understood, why hasn't someone
> explained this? That's all that is asked, AFAICT.

i have no clue if the fix repaired anything or even how it works, but the actual problem as it affects proftpd is known.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

nobody expects the spanish inquisition.
-- monty python
Re: on potato's proftpd
also sprach Michael Stone <[EMAIL PROTECTED]> [2002.04.04.0211 +0200]:
> > because it will prevent s.d.o from serving a buggy package. it's not
> > fixed perfectly, but at least it's not subject to a known exploit.
>
> Could you be a little more careful with your terms? A DOS is not an
> exploit, it's a DOS. By saying "exploit" you're implying a far more
> critical problem than actually exists.

will do, sorry. a DOS is still a form of exploit - you exploit services without giving in return, but then again the exploit has no direct benefit for the instigator... but no, i'll keep my head down and simply say i'm sorry. you are absolutely right.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"and if the cloud bursts, thunder in your ear
 you shout and no one seems to hear
 and if the band you're in starts playing different tunes
 i'll see you on the dark side of the moon."
-- pink floyd, 1972
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
> "Release early; release often."

On Wed, 3 Apr 2002, Petro wrote:
> NO
>
> Measure twice, cut once.

Fine. You wear the same size suit from birth to death; me, I'll adjust according to circumstances.

--
Martin Wheeler <[EMAIL PROTECTED]> gpg key 01269BEB @ the.earth.li
Re: on potato's proftpd
On Thu, Apr 04, 2002 at 01:06:26AM +0200, martin f krafft wrote:
> because it will prevent s.d.o from serving a buggy package. it's not
> fixed perfectly, but at least it's not subject to a known exploit.

Could you be a little more careful with your terms? A DOS is not an exploit, it's a DOS. By saying "exploit" you're implying a far more critical problem than actually exists.

--
Mike Stone
Re: on potato's proftpd
On Thu, Apr 04, 2002 at 01:09:27AM +0200, martin f krafft wrote:
> this problem is understood by the developers of proftpd

Wichert said that nobody has explained why the current fix on s.d.o doesn't work. If the problem is understood, why hasn't someone explained this? That's all that is asked, AFAICT.

Andrew
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 02:43:10PM -0800, Petro wrote:
> On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
> > "Release early; release often."
>
> NO
>
> Measure twice, cut once.

i haven't really been following this thread, but i like analogies as much as the next person, so how's this:

if you don't have a tape measure, cut large and sand down as needed.

xn
Re: on potato's proftpd
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.04.03.0732 +0200]:
> > well, i am calm, but i disagree. sure, it boils down to the question
> > who debian's audience are, but for all i am concerned, debian's
> > reputation _used_ to include "security", and the reason why i'd (as in
> > "would" and "had") install(ed) debian was because i didn't need to be
> > worrying about the obvious and hence i could spend my resources on
> > other things. had i wanted to patch one-year-old bugs in software that
> > installs from the "security archives", then i might have just chosen
> > to "fly" redhat. i don't understand why you aren't understanding this.
> > i am not at all against finding the real bug as well as investigating
> > why:
>
> See, paragraphs like this directly contradict your statement above that
> you don't want a flame war. Debian "used to include security"?
> Apparently you no longer run Debian? Does this mean you've withdrawn
> your name for the NM queue?

no and no. i will continue to run debian and i'll support the project! i am just joining in with the group of people who see debian's reputation and quality not keeping up with what it used to be. i see no alternative to debian and so i want to prevent this degradation, simple as that. i am also not attacking anyone, not even the project. what i wrote is based on facts and experience, and if at all, then it should give everyone partaking in the project something to think about.

> Are you willing to abandon the hyperbole and put forward rational
> arguments as to why your solution is best?

because it will prevent s.d.o from serving a buggy package. it's not fixed perfectly, but at least it's not subject to a known exploit. it's not the best, but it's IMHO really only beaten by the fix of the root of the bug *right now*. this fix isn't available, so i suggest bridging the time until we can patch proftpd properly with a temporary fix. you know, just so that when i have s.d.o in my sources.list, i can actually rely on debian as i usually do.

> The temporary patch is, well, temporary. It only works on a new
> install; otherwise the admin has to examine their config file by hand
> to make the change.

well, we have debconf to help. and postinst scripts can be quite intelligent...

> Worst of all, since the bug was thought to be fixed but isn't, the
> temporary fix may not in fact prevent the exploit. If the exploit
> is part of libc globbing code, it may be exploitable in other code,
> not just proftpd.

of course. i am not arguing against that.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

there's an old proverb that says just about whatever you want it to.
Re: on potato's proftpd
also sprach Andrew Pimlott <[EMAIL PROTECTED]> [2002.04.03.1805 +0200]:
> On Wed, Apr 03, 2002 at 10:54:25AM -0500, Andrew Pimlott wrote:
> > I think Wichert's position
>
> ... reflects appropriate discipline, given the (relatively modest)
> severity of the problem.

i also have to agree with you here since the problem isn't all that bad after all. but it's not the problem which is making me react in such "loud" ways, it's the principle of why a buggy package in s.d.o doesn't get prioritized attention...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

printer not ready. could be a fatal error. have a pen handy?
Re: on potato's proftpd
also sprach Andrew Pimlott <[EMAIL PROTECTED]> [2002.04.03.1754 +0200]:
> There are several good reasons:
>
> - If a band-aid fix is allowed, there is less incentive to find
>   the correct fix.

true. doesn't mean that we have to fall into that hole.

> - If the problem isn't understood, there is a good chance that the
>   band-aid doesn't really fix the problem, and a fair chance that
>   it creates new problems. If there are related problems (eg,
>   similar bugs in different programs), they may go undiscovered.

this problem is understood by the developers of proftpd, and their suggestion (if an upgrade to a newer version isn't an option -- which applies to potato) is this temporary fix. then look at the fix and ask yourself how this "band-aid" could cause other problems, keeping the FTP protocol in mind.

> - Users would have to upgrade again when the permanent fix is
>   released. People running production systems like to minimize
>   changes, so this could make them unhappy.

i also administer production systems, and while i just as well possess a certain inertia with respect to upgrading the packages there, i always try to get "security" updates tested and distributed as soon as possible...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"information superhighway" is just an anagram for
"i'm on a huge wispy rhino fart".
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
> "Release early; release often."

NO

Measure twice, cut once.

--
Share and Enjoy.
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 10:56:32AM +0900, Howland, Curtis wrote:
> I would bet that the vast majority of "flame wars" begin because someone
> mistakes "terse" or "concise" for hostility.
>
> The reverse, being the endless spewing of meaningless words, all the while
> saying nothing at all or even the opposite of what it sounds like, is the art
> of politicians and diplomats.
>
> I'll take a flame war any day, when compared to the alternative.

--
Share and Enjoy.
Re: on potato's proftpd
[ Followup to incomplete send. ]

On Wed, Apr 03, 2002 at 10:54:25AM -0500, Andrew Pimlott wrote:
> I think Wichert's position

... reflects appropriate discipline, given the (relatively modest) severity of the problem.

Andrew
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 03:22:39AM +0200, martin f krafft wrote:
> but give me at least one argument why these acts cannot combine with
> a *temporary* fix uploaded to the so-called "security archives".

There are several good reasons:

- If a band-aid fix is allowed, there is less incentive to find
  the correct fix.

- If the problem isn't understood, there is a good chance that the
  band-aid doesn't really fix the problem, and a fair chance that
  it creates new problems. If there are related problems (eg,
  similar bugs in different programs), they may go undiscovered.

- Users would have to upgrade again when the permanent fix is
  released. People running production systems like to minimize
  changes, so this could make them unhappy.

I think Wichert's position

Andrew
Re: on potato's proftpd
"Release early; release often."

--
Martin Wheeler <[EMAIL PROTECTED]> gpg key 01269BEB @ the.earth.li
Re: on potato's proftpd
On Wed, Apr 03, 2002 at 03:22:39AM +0200, martin f krafft wrote:
> dear list,
>
> look, i am really not here to start a flame war and heck no, i don't
> want one. please excuse if my behaviour has been leading you onto this
> belief (or maybe not). i am simply failing to grasp the arguments laid
> out by wichert. that is, i don't disagree with him per se, but i have
> the feeling that i am also not being understood. so, please read this
> last attempt to clarify and then either respond, or give me a straight
> "shut up" and i will. and i apologize up front to sven for posting
> parts of his personal reply to the list.
>
> also sprach Sven Hoexter <[EMAIL PROTECTED]> [2002.04.02.2240 +0200]:
> > Calm down :) It's "just" a DoS attack and if you use a Software you as
> > the admin should look at the normal flood of information and pick out what
> > you need. If you do so you know the problem and you can work around it in
> > different ways. One way is the Deny directive or some of the Ulimit options
> > introduced into proftpd after the problem occurred the first time.
> > In the Debian way the deny directive is the working one.
>
> well, i am calm, but i disagree. sure, it boils down to the question
> who debian's audience are, but for all i am concerned, debian's
> reputation _used_ to include "security", and the reason why i'd (as in
> "would" and "had") install(ed) debian was because i didn't need to be
> worrying about the obvious and hence i could spend my resources on
> other things. had i wanted to patch one-year-old bugs in software that
> installs from the "security archives", then i might have just chosen
> to "fly" redhat. i don't understand why you aren't understanding this.
> i am not at all against finding the real bug as well as investigating
> why:

See, paragraphs like this directly contradict your statement above that you don't want a flame war. Debian "used to include security"? Apparently you no longer run Debian? Does this mean you've withdrawn your name for the NM queue?

Are you willing to abandon the hyperbole and put forward rational arguments as to why your solution is best?

> > there is a patch that doesn't work and it seems like nobody proved
> > the patch after it was applied for the first time.
>
> but give me at least one argument why these acts cannot combine with
> a *temporary* fix uploaded to the so-called "security archives".

The temporary patch is, well, temporary. It only works on a new install; otherwise the admin has to examine their config file by hand to make the change.

Worst of all, since the bug was thought to be fixed but isn't, the temporary fix may not in fact prevent the exploit. If the exploit is part of libc globbing code, it may be exploitable in other code, not just proftpd.

> > With this I'm falling back to another topic: Is the way of keeping
> > exploit code behind bars really good for the admin without the
> > special coding skills or just new stones in the process of running
> > a secure server?
>
> exactly my point. debian's the "hacker OS", but it's also damn good.
> so why not take little steps such as this and keep it that way even
> for the ones that don't spend 20 hours a day in front of a computer
> and know assembler backwards...
>
> > Just my personal thoughts about your flames with Wichert.
>
> they really weren't intended to be flames. i am sorry if they felt
> that way. i am really just trying to be concise since i don't have
> much more to say than i did.

I have to wonder.

--
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.            | The Fellowship
Of him the harpers sadly sing:          |       of
the last whose realm was fair and free  |     the Ring
between the Mountains and the Sea.      | J.R.R. Tolkien
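The two technical points in the exchange above, Sven's "it's just a DoS, work around it with the Deny directive" and Nathan's "if the bug is in the globbing code, a config-level workaround does not remove it", are easier to weigh with numbers in front of you. The following is an added example written for this page; it is not code from the thread, from Debian's proftpd package or from the proftpd project. It assumes two things the page does not spell out: that the proftpd denial of service is of the well-known "LIST */../*/../*" globbing shape, and that the temporary fix is a DenyFilter regex of the form `\*.*/` in proftpd.conf. The shell's own pathname expansion stands in for the server's globbing (the match count is the same), the directory tree is constructed on the fly, and `grep -E` and `mktemp -d` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or proftpd): why a globbing
# denial of service costs the server so much for so few request bytes,
# and what a DenyFilter-style argument check does and does not protect.
#
# Assumptions the page does not state: the DoS has the "*/../*/../*"
# shape, and the workaround is a DenyFilter regex of the form '\*.*/'.
# The shell's pathname expansion stands in for proftpd's globbing.
set -eu

# make_tree DIR N: constructed sample input, N empty subdirectories.
make_tree() {
    mkdir -p "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        mkdir -p "$1/d$i"
        i=$((i + 1))
    done
}

# dos_pattern K: K repetitions of "*/.." followed by a final "*",
# the shape of the pathological LIST/NLST argument.
dos_pattern() {
    p=""
    i=0
    while [ "$i" -lt "$1" ]; do
        p="${p}*/../"
        i=$((i + 1))
    done
    printf '%s' "${p}*"
}

# glob_count DIR PATTERN: how many paths PATTERN expands to under DIR.
# Every "*/.." hop returns to DIR and multiplies the match count by the
# number of entries there, so K hops over N entries give N^(K+1) paths,
# each of which the server must build in memory and stat().
glob_count() (
    cd "$1"
    set -- $2
    if [ -e "$1" ]; then
        echo "$#"
    else
        echo 0       # an unmatched pattern stays literal: no expansion
    fi
)

# deny_filter ARG: the DenyFilter '\*.*/' rule. Returns 0 if the command
# argument may pass, 1 if it must be refused. Only a '*' that is followed
# later by a '/' is refused, which is exactly the hop that multiplies the
# work; "ls *.txt" or "ls pub/*" still work.
deny_filter() {
    if printf '%s\n' "$1" | grep -Eq '\*.*/'; then
        return 1
    fi
    return 0
}

# demo: expansion growth over 4 entries, then the filter's verdicts.
demo() {
    dir=$(mktemp -d)
    make_tree "$dir" 4
    k=0
    while [ "$k" -le 4 ]; do
        pat=$(dos_pattern "$k")
        printf '%-24s -> %5s paths\n' "$pat" "$(glob_count "$dir" "$pat")"
        k=$((k + 1))
    done
    for arg in 'pub/README' '*.txt' 'pub/*' "$(dos_pattern 3)"; do
        if deny_filter "$arg"; then v=allowed; else v=denied; fi
        printf '%-24s %s\n' "$arg" "$v"
    done
    rm -rf "$dir"
}

demo
```

With four entries the counts go 4, 16, 64, 256, 1024 for zero to four hops; a real anonymous FTP root has far more entries and the client can send far more hops, so a single LIST line turns into a process that eats memory and CPU until it is killed or the box falls over. That is what makes it "just a DoS" and still worth a security upload. The filter refuses the argument before any globbing starts, but nothing in it touches the glob implementation, so Nathan's caveat stands: any other code path that hands attacker-controlled patterns to the same globbing routine is still exposed, and the only way to know the config change actually closes the hole in proftpd is to run the pattern against a patched server and watch it get refused.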
RE: on potato's proftpd
I would bet that the vast majority of "flame wars" begin because someone
mistakes "terse" or "concise" for hostility. The reverse, being the
endless spewing of meaningless words, all the while saying nothing at
all or even the opposite of what it sounds like, is the art of
politicians and diplomats. I'll take a flame war any day, when compared
to the alternative.

Curt-

> they really weren't intended to be flames. i am sorry if they felt
> that way. i am really just trying to be concise since i don't have
> much more to say than i did.
>
> --
> martin;              (greetings from the heart of the sun.)
>   \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
Re: on potato's proftpd
well, you make sense to me. 2c from an end-user.

martin f krafft wrote:
> dear list,
>
> look, i am really not here to start a flame war and heck no, i don't
> want one. please excuse if my behaviour has been leading you onto this
> belief (or maybe not). i am simply failing to grasp the arguments laid
> out by wichert. that is, i don't disagree with him per se, but i have
> the feeling that i am also not being understood. so, please read this
> last attempt to clarify and then either respond, or give me a straight
> "shut up" and i will. and i apologize up front to sven for posting
> parts of his personal reply to the list.
>
> also sprach Sven Hoexter <[EMAIL PROTECTED]> [2002.04.02.2240 +0200]:
>> Calm down :) It's "just" a DoS attack and if you use a Software you as
>> the admin should look at the normal flood of information and pick out what
>> you need. If you do so you know the problem and you can work around it in
>> different ways. One way is the Deny directive or some of the Ulimit options
>> introduced into proftpd after the problem occurred the first time.
>> In the Debian way the deny directive is the working one.
>
> well, i am calm, but i disagree. sure, it boils down to the question
> who debian's audience are, but for all i am concerned, debian's
> reputation _used_ to include "security", and the reason why i'd (as in
> "would" and "had") install(ed) debian was because i didn't need to be
> worrying about the obvious and hence i could spend my resources on
> other things. had i wanted to patch one-year-old bugs in software that
> installs from the "security archives", then i might have just chosen
> to "fly" redhat. i don't understand why you aren't understanding this.
> i am not at all against finding the real bug as well as investigating
> why:
>
>> there is a patch that doesn't work and it seems like nobody proved
>> the patch after it was applied for the first time.
>
> but give me at least one argument why these acts cannot combine with
> a *temporary* fix uploaded to the so-called "security archives".
>
>> With this I'm falling back to another topic: Is the way of keeping
>> exploit code behind bars really good for the admin without the
>> special coding skills or just new stones in the process of running
>> a secure server?
>
> exactly my point. debian's the "hacker OS", but it's also damn good.
> so why not take little steps such as this and keep it that way even
> for the ones that don't spend 20 hours a day in front of a computer
> and know assembler backwards...
>
>> Just my personal thoughts about your flames with Wichert.
>
> they really weren't intended to be flames. i am sorry if they felt
> that way. i am really just trying to be concise since i don't have
> much more to say than i did.

--
Chris Massam <[EMAIL PROTECTED]>
YellowTuna Networks Ltd
PO Box 91493, A.M.S.C., Auckland, NZ
Level 2, 272 Parnell Road, Parnell
Tel. +64 9 3077844  Fax. +64 9 3077846  Cel(NZ). +64 21 2220564
http://www.yellowtuna.co.nz
Re: on potato's proftpd
dear list,

look, i am really not here to start a flame war and heck no, i don't
want one. please excuse if my behaviour has been leading you onto this
belief (or maybe not). i am simply failing to grasp the arguments laid
out by wichert. that is, i don't disagree with him per se, but i have
the feeling that i am also not being understood. so, please read this
last attempt to clarify and then either respond, or give me a straight
"shut up" and i will. and i apologize up front to sven for posting
parts of his personal reply to the list.

also sprach Sven Hoexter <[EMAIL PROTECTED]> [2002.04.02.2240 +0200]:
> Calm down :) It's "just" a DoS attack and if you use a Software you as
> the admin should look at the normal flood of information and pick out what
> you need. If you do so you know the problem and you can work around it in
> different ways. One way is the Deny directive or some of the Ulimit options
> introduced into proftpd after the problem occurred the first time.
> In the Debian way the deny directive is the working one.

well, i am calm, but i disagree. sure, it boils down to the question
who debian's audience are, but for all i am concerned, debian's
reputation _used_ to include "security", and the reason why i'd (as in
"would" and "had") install(ed) debian was because i didn't need to be
worrying about the obvious and hence i could spend my resources on
other things. had i wanted to patch one-year-old bugs in software that
installs from the "security archives", then i might have just chosen
to "fly" redhat. i don't understand why you aren't understanding this.
i am not at all against finding the real bug as well as investigating
why:

> there is a patch that doesn't work and it seems like nobody proved
> the patch after it was applied for the first time.

but give me at least one argument why these acts cannot combine with
a *temporary* fix uploaded to the so-called "security archives".

> With this I'm falling back to another topic: Is the way of keeping
> exploit code behind bars really good for the admin without the
> special coding skills or just new stones in the process of running
> a secure server?

exactly my point. debian's the "hacker OS", but it's also damn good.
so why not take little steps such as this and keep it that way even
for the ones that don't spend 20 hours a day in front of a computer
and know assembler backwards...

> Just my personal thoughts about your flames with Wichert.

they really weren't intended to be flames. i am sorry if they felt
that way. i am really just trying to be concise since i don't have
much more to say than i did.

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"we should have a volleyballocracy.
 we elect a six-pack of presidents.
 each one serves until they screw up,
 at which point they rotate."
                                                      -- dennis miller
Re: on potato's proftpd
Previously martin f krafft wrote:
> wrong. fix things with bandaid to give you more time to find the real
> problem. i am not saying that this is the final fix. put it this way,
> you aren't going to wait for intruders to make use of the opportunity
> while you search the drunkbold who broke your window last night. dig?

Let's put it this way: two people from the security team have stated
they want to know why the current security fix is broken before they
will consider introducing a bandaid. So let's just stop this discussion
and start looking at why the glibc glob fix fails for proftpd.

EOD.

Wichert.

--
  _________________________________________________________________
 /[EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: on potato's proftpd
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.04.02.1250 +0200]:
> It does, and in fact it's a very good approach: make sure you study
> what the real problem is instead of trying to fix things with bandaid.

wrong. fix things with bandaid to give you more time to find the real
problem. i am not saying that this is the final fix. put it this way,
you aren't going to wait for intruders to make use of the opportunity
while you search the drunkbold who broke your window last night. dig?

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"the human brain is like an enormous fish -- it is flat and slimy and
 has gills through which it can see."
                                                       -- monty python
Re: on potato's proftpd
Previously martin f krafft wrote:
> that's a purist approach which doesn't work with security.

It does, and in fact it's a very good approach: make sure you study
what the real problem is instead of trying to fix things with bandaid.
With all the energy wasted on this someone could have found the real
problem already..

Wichert.

--
  _________________________________________________________________
 /[EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: on potato's proftpd
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.03.31.2009 +0200]:
> Because it might impact other packages as well.

sure, but the upload won't.

> I'd rather make sure we don't have a bug in multiple packages than
> a reasonably harmless semi-bug in a single package.

that's a purist approach which doesn't work with security. there's
nothing keeping us from updating s.d.o again when the bug is fixed
where it's supposed to be fixed, but for now we should fix proftpd the
way we know how to fix it before trying to isolate the root of the
problem. uh, if you care for debian's reputation that is...

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

due to lack of interest tomorrow has been cancelled.
Re: on potato's proftpd
Previously martin f krafft wrote:
> wichert, it didn't. why should we discuss this before pushing the
> temporary fix into the security archives???

Because it might impact other packages as well.

> i'd also like to see answered, but right now, debian's got a semi-bug
> in a package found on security.debian.org, we know about it, why do we
> even hesitate?

I'd rather make sure we don't have a bug in multiple packages than
a reasonably harmless semi-bug in a single package.

Wichert.

--
  _________________________________________________________________
 /[EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: on potato's proftpd
On Sun, Mar 31, 2002 at 05:53:35PM +0200, martin f krafft wrote:
> why should we discuss this before pushing the temporary fix into the
> security archives???

Maybe because, as you say, the fix (read: workaround) is only temporary? :)

Including a new rule in the conffile won't automatically fix everything;
people who changed their copies of those conffiles will have to inspect
their stuff and merge in the fix. A solution coded into the program would
be much better...

--
     2. That which causes joy or happiness.
Re: on potato's proftpd
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.03.31.1602 +0200]:
> > i don't get it. will someone please push this package ivo made as an
> > NMU into security.debian.org ASAP? i'd do it myself, but i am still
> > waiting for DAM approval...
>
> I'd like someone to answer my question first: how come the glob
> fix in glibc doesn't fix proftpd?

wichert, it didn't. why should we discuss this before pushing the
temporary fix into the security archives??? it's a good question which
i'd also like to see answered, but right now, debian's got a semi-bug
in a package found on security.debian.org, we know about it, why do we
even hesitate?

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

1-800-psych
hello, welcome to the psychiatric hotline.
if you are schizophrenic, listen carefully
and a little voice will tell you which number to press.
Re: on potato's proftpd
Previously martin f krafft wrote:
> i don't get it. will someone please push this package ivo made as an
> NMU into security.debian.org ASAP? i'd do it myself, but i am still
> waiting for DAM approval...

I'd like someone to answer my question first: how come the glob
fix in glibc doesn't fix proftpd?

Wichert.

--
  _________________________________________________________________
 /[EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: on potato's proftpd
also sprach Ivo Timmermans <[EMAIL PROTECTED]> [2002.03.30.0845 +0100]:
> > okay, but no one knows about it. why isn't it on security.debian.org
> > yet???
>
> Beats me...

i don't get it. will someone please push this package ivo made as an
NMU into security.debian.org ASAP? i'd do it myself, but i am still
waiting for DAM approval...

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"it would be truly surprising if sound were not capable of suggesting
 colour, if colours could not give the idea of the melody, if sound and
 colour were not adequate to express ideas."
                                                    -- claude debussy
Re: on potato's proftpd
martin f krafft wrote:
> also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2002.03.29.2332 +0100]:
> > Such a package has existed at http://people.debian.org/~ivo/ for over a
> > year.
>
> okay, but no one knows about it. why isn't it on security.debian.org
> yet???

Beats me...

        Ivo

--
Hey, it compiles!  Ship it!
Re: on potato's proftpd
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2002.03.29.2332 +0100]:
> Such a package has existed at http://people.debian.org/~ivo/ for over a
> year.

okay, but no one knows about it. why isn't it on security.debian.org
yet???

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

it is practically impossible to teach good programming style to
students that have had prior exposure to basic: as potential
programmers they are mentally mutilated beyond hope of regeneration.
                                                         -- dijkstra
Re: on potato's proftpd
On Fri, Mar 29, 2002 at 10:47:18PM +0100, martin f krafft wrote:
> so proftpd_1.2.0pre10-2.0potato1_i386.deb is buggy. and that's known
> for over a year, supposedly. i can't NMU yet, so someone please
> rebuild the package, add the following to the context of
> /etc/proftpd.conf
>
>   DenyFilter \*.*/
>
> and then NMU it, or Johnie's listening and will do it himself. this
> will take 5 minutes, 5 minutes during which debian's reputation will
> fall! let's go!

Such a package has existed at http://people.debian.org/~ivo/ for over a
year.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
on potato's proftpd
so proftpd_1.2.0pre10-2.0potato1_i386.deb is buggy. and that's known
for over a year, supposedly. i can't NMU yet, so someone please
rebuild the package, add the following to the context of
/etc/proftpd.conf

  DenyFilter \*.*/

and then NMU it, or Johnie's listening and will do it himself. this
will take 5 minutes, 5 minutes during which debian's reputation will
fall! let's go!

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

may the bluebird of happiness twiddle your bits.
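Two things in this thread can be checked on a running box rather than argued about: whether the DenyFilter workaround from the post above is actually present in /etc/proftpd.conf in a context that covers every login, and the objection raised in one of the replies that a conffile the admin has already edited will not pick up a packaged change automatically (dpkg keeps the admin's copy and records the packaged md5sum instead). The Python below is an added example written for this page; it is not code from the thread, from ProFTPD or from Debian. It assumes ProFTPD's line-oriented config syntax (one directive per line, case-insensitive names, <Name ...> ... </Name> blocks), that a DenyFilter regex is applied as an unanchored search over the command argument, and dpkg's "Conffiles:" layout in /var/lib/dpkg/status (" /path md5sum" per line). It also makes one caveat of the workaround visible: an ordinary argument such as `*/incoming` is rejected along with the glob patterns the filter is meant to stop. All sample inputs are constructed.

```python
"""Audit helpers for the proftpd DenyFilter workaround (added example)."""
import hashlib
import re

# The workaround from the thread: reject any argument containing a '*'
# that is followed, anywhere later in the argument, by a '/'.
WORKAROUND_FILTER = r"\*.*/"

# Contexts in which a DenyFilter covers every login (assumption: the
# top-level server config and <Global> apply to all virtual hosts).
SERVER_WIDE = ("server", "Global")


def parse_proftpd_conf(text):
    """Return (context, directive, argument) triples from proftpd.conf text.
    context is "server" at top level, otherwise the innermost block name."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r"<(\w+)[^>]*>$", line)      # e.g. <Anonymous ~ftp>
        if opener:
            stack.append(opener.group(1))
            continue
        closer = re.match(r"</(\w+)>$", line)          # e.g. </Anonymous>
        if closer:
            if stack and stack[-1] == closer.group(1):
                stack.pop()
            continue
        parts = line.split(None, 1)
        argument = parts[1].strip() if len(parts) > 1 else ""
        entries.append((stack[-1] if stack else "server", parts[0], argument))
    return entries


def denyfilter_contexts(text):
    """Contexts that carry exactly the workaround DenyFilter, in file order."""
    return [ctx for ctx, d, a in parse_proftpd_conf(text)
            if d.lower() == "denyfilter" and a == WORKAROUND_FILTER]


def has_server_wide_workaround(text):
    """True only if the filter sits where it protects every login, not
    merely one block such as <Anonymous>."""
    return any(ctx in SERVER_WIDE for ctx in denyfilter_contexts(text))


def filter_denies(filter_regex, argument):
    """Emulate the DenyFilter decision for one FTP command argument."""
    return re.search(filter_regex, argument) is not None


def recorded_conffile_md5(status_text, package, path):
    """md5sum dpkg recorded for `path` in `package`'s status stanza, or None."""
    in_pkg = in_conffiles = False
    for line in status_text.splitlines():
        if line.startswith("Package:"):
            in_pkg = line.split(":", 1)[1].strip() == package
            in_conffiles = False
        elif in_pkg and line.startswith("Conffiles:"):
            in_conffiles = True
        elif in_conffiles:
            if not line.startswith(" "):          # next field ends the list
                in_conffiles = False
                continue
            fields = line.split()
            if fields[0] == path:
                return fields[1]
    return None


def conffile_locally_modified(status_text, package, path, current_bytes):
    """None if dpkg does not track the file; otherwise whether its current
    md5 differs from the packaged one (if so, a packaged fix to that file
    is not applied automatically and must be merged by hand)."""
    recorded = recorded_conffile_md5(status_text, package, path)
    if recorded is None:
        return None
    return hashlib.md5(current_bytes).hexdigest() != recorded


# --- constructed sample inputs (not real Debian files) ----------------
PRISTINE_CONF = b"""\
# constructed sample of a packaged /etc/proftpd.conf
ServerName "Debian"
ServerType standalone
<Anonymous ~ftp>
  User ftp
  Group nogroup
</Anonymous>
"""
FIXED_CONF = PRISTINE_CONF.replace(
    b"ServerType standalone\n", b"ServerType standalone\nDenyFilter \\*.*/\n")
ANON_ONLY_CONF = PRISTINE_CONF.replace(
    b"  User ftp\n", b"  DenyFilter \\*.*/\n  User ftp\n")

SAMPLE_STATUS = (
    "Package: proftpd\n"
    "Status: install ok installed\n"
    "Version: 1.2.0pre10-2.0potato1\n"
    "Conffiles:\n"
    f" /etc/proftpd.conf {hashlib.md5(PRISTINE_CONF).hexdigest()}\n"
    "Description: constructed stanza for this example\n\n"
)

if __name__ == "__main__":
    for name, conf in (("pristine", PRISTINE_CONF), ("fixed", FIXED_CONF),
                       ("anon-only", ANON_ONLY_CONF)):
        print(f"{name:10s} server-wide workaround:",
              has_server_wide_workaround(conf.decode()))
    for arg in ("*.txt", "pub/*.c", "*/incoming"):
        print(f"{arg!r:14s} denied:", filter_denies(WORKAROUND_FILTER, arg))
    print("conffile edited locally:", conffile_locally_modified(
        SAMPLE_STATUS, "proftpd", "/etc/proftpd.conf", FIXED_CONF))
```

On a real system the same functions would be fed the contents of /etc/proftpd.conf and /var/lib/dpkg/status; the "anon-only" case is the one that looks fixed at a glance but leaves authenticated logins uncovered, and a locally modified conffile is exactly the situation in which a rebuilt package carrying the DenyFilter would leave the admin's copy untouched.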