Re: [DNG] Fwd: April's fools mess
On Tue, 2019-04-02 at 09:21 +0200, marc...@welz.org.za wrote: > Weirdly enough I trust devuan a bit more after this incident: Yup, same here. A good prank on Apr 1 is perfectly in keeping with the finest UNIX traditions. It is the humorless scolds who should be suspected. Seeing the poo flinging on this mailing list over a April Fool gag reminded of the Fedora code name antics in the "Beefy Miracle" incident that eventually ended the whole release code names entirely. Useless snowflakes that "just couldn't even!" kept squalling until the corporate types stepped in and ended the game. Yes this is serious work but it also has to be fun or people aren't going to want to do it. signature.asc Description: This is a digitally signed message part ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] searx
On 4/2/19 9:53 PM, Martin Steigerwald wrote: > Just in case someone hits the page via > a search engine. https://search.disroot.org luckily does not seem to > catch it via a simple search for "Devuan", at least not within the first > few dozens of search results. thanks for sharing a privacy friendly (meta)search engine like searx. also run a couple of instances (full list here [1]) and co-maintain searx-instances mailing list (very low volume). searx is also available as a deb package in testing/unstable, so people can give it a try. (be sure to check debian.readme, if you install from repo.) d. [1] https://github.com/asciimoo/searx/wiki/Searx-instances signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
Jaromil writes: he is now in moderation. if the trolling comes back from other accounts please don't feed. Thank you, I was coming to suggest that as well. The whole going-for-blood-or-else thing was getting on my nerves. People particularly concerned with security did the sensible thing as a temporary measure and with all the assurances already given, are back to normal as there is indeed no ill-intent or reason to distrust the people with access to infrastructure. Also thank you for the non-exhaustive list of KatolaZ' contributions; I didn't personify this, even if he apologised (which is indeed highly appreciated), because I don't consider this event a few people's fault, but something to be analysed and solved to avoid issues in the future. In my experience, blaming never solves things. -- Evilham ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue, 2 Apr 2019 09:46:28 -0700, Mike wrote in message <201904020946.28450.mgb-dev...@yosemite.net>: > On Tue April 2 2019 07:30:58 Jaromil wrote: > > 1. There was no break-in on any part of Devuan's infrastructure on > > 1st April. This was the most skillfull prank I've witnessed in my > > life. ..skillful, yes, on wisdom, right down there with forking off Debian Jessie rather than Debian Wheezy, Katolaz has apologized, I totally accept his apology, we survived stumbling across our Jessie fork, and we will survive this and future April Fool pranks with about the same style and finesse the judges will laugh Mike's Bird-Brained lawsuits out of the courts of law. ;o) > You are easily impressed. And you double down on KatolaZ's > irresponsible vandalism with a display of lazy wishful thinking. > You are claiming no break-in but you have reported nothing to > establish the integrity of your systems and software from > the ground up as any real Veteran Unix Admin knows how to do. ..what I did: a quick md5sum -c down my devuan/devuan only lan mirror, I don't have devuan/merged mirrored yet: arnt@nb6:~$ cd /var/www/devuan/mirror/ arnt@nb6:/var/www/devuan/mirror$ md5sum -c ../var/MD5 >md5sum-c arnt@nb6:/var/www/devuan/mirror$ grep -v OK md5sum-c ..no output means all lines ended ":OK", if that helps, checks: arnt@nb6:/var/www/devuan/mirror$ less md5sum-c arnt@nb6:/var/www/devuan/mirror$ ll ../var/MD5 md5sum-c -rw-r--r-- 1 arnt arnt 1469035 Mar 31 04:00 ../var/MD5 -rw-r--r-- 1 arnt arnt 1119475 Apr 1 02:38 md5sum-c arnt@nb6:/var/www/devuan/mirror$ md5sum ../var/MD5 md5sum-c 80e6b5f84d77837a953b8c0fc0a7d439 ../var/MD5 47c7978715d75472080a6edfa59f7f38 md5sum-c arnt@nb6:/var/www/devuan/mirror$ ...and killed my mirror cronjob for one day. Back up now. :o) -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] April's fools mess
Rick Moen wrote: > > Quoting etech3 (ete...@e-tech-systems.com): > >> My advice to you is like the Marines motto: Lead, follow or get the >> hell out of the way. > > > > That might be the motto of _some_ group of marines, but FWIW actual > service mottos are: I suspect that he wasn't meaning official mottos, but a generic unofficial motto that's probably attributed to most armed services. And very applicable to civvy life as well. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
Jaromil - 02.04.19, 20:10: > he is now in moderation. if the trolling comes back from other > accounts please don't feed. And I already thought I just overreacted. I suggest to just let the whole topic rest for a while. If there is anything remaining, I bet its much more easy to clear up with a few nights in between. Only thing I might do is to add a note to https://www.devuan.org/pwned.html that is was an April fools joke. Just in case someone hits the page via a search engine. https://search.disroot.org luckily does not seem to catch it via a simple search for "Devuan", at least not within the first few dozens of search results. Thanks, -- Martin ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
Mike Bird - 02.04.19, 18:46: > On Tue April 2 2019 07:30:58 Jaromil wrote: > > 1. There was no break-in on any part of Devuan's infrastructure on > > 1st> > >April. This was the most skillfull prank I've witnessed in my > >life. > > You are easily impressed. And you double down on KatolaZ's > irresponsible vandalism with a display of lazy wishful thinking. > You are claiming no break-in but you have reported nothing to > establish the integrity of your systems and software from > the ground up as any real Veteran Unix Admin knows how to do. Mike, please, pretty please: Drop it. You made your point pretty clear by now. To all moderators of the mailing list: I am fully okay with enabling moderation for Mike, at least for the while it needs to calm down a bit. This just crosses a line. I do not think that the Devuan project needs to take this kind of abuse. Thanks, -- Martin signature.asc Description: This is a digitally signed message part. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
Dear Jaromil. Jaromil - 02.04.19, 16:30: > dear readers, > > as a Devuan caretaker and co-founder, in my own personal capacity, let > me state that: > > 1. There was no break-in on any part of Devuan's infrastructure on 1st > April. This was the most skillfull prank I've witnessed in my life. Thank you. For me it was not needed anymore, but I bet it is important for others to regain trust. > 2. Devuan comes WITHOUT ANY WARRANTY. Bluntly put, if you want to hold […] Fully seconded. > 3. At Dyne.org - a public ICT research institution working with the Just so others do not need to search what ICT stands for: Information and Communication Technology. >European Commission and some major municipalities - we use Devuan >in production. Clearly we need the reliability: so we work for >it. We are not only developing Devuan, but also we have an in-house > continuous-integration infrastructure to build packages and new > images for Devuan's many targets. I encourage everyone reading to > consider contributing to Devuan and at the same time plan your own > way of making a community project reliable for your own >professional use. > > 4. Katolaz is not just one of the caretakers of Devuan, but is by far >the developer making the most significant contributions to this >project. If it wasn't for him, we would be stuck at Jessie, >IMHO. For our community project, he has done: > - about 75 Devuan packages > - all the Devuan installers since Jessie RC > - all the minimal-live images since Jessie Beta2 > - development on the Devuan SDK > - work on the sysvinit package in Debian > - maintainance of all our critical infrastructure, including > all the building hosts, jenkins, dak, amprolla, pkgmaster, > mirrors, BTS, file server, all the ganeti nodes, DNS, web, > and what not. Thank you for filling that in. I knew he did a lot, but I did not think it was this much! Thank you KatolaZ for all you did and I add on top of it: For just being here. Thank you Jaromil and all other contributers as well! I appreciate your work. Best. -- Martin signature.asc Description: This is a digitally signed message part. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
dear Antony On Tue, 02 Apr 2019, Antony Stone wrote: > > I also fail to see how a lawyer can possibly decide whether it's "safe to > keep > a production system on Devuan". my thanks to you and many others here for having taken the time to gracefully comment on the issue and show your solidarity in other threads. I'm afraid this Mike is yet another hooligan not deserving our attention, his arguments already don't follow a logic anymore. It is a sad reality we all have to cope: troll attacks directed at us. he is now in moderation. if the trolling comes back from other accounts please don't feed. ciao ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue April 2 2019 10:31:11 Antony Stone wrote: > Well, as Jaromil eloquently pointed out, since you have no contract with > Devuan, and it is clearly distributed WITHOUT ANY WARRANTY (I only > capitalise because that's the way it's written in all the notices letting > you know), I don't think you (or anyone else) is going to get a lawyer to > express a professional opinion either way. > > I also fail to see how a lawyer can possibly decide whether it's "safe to > keep a production system on Devuan". What do lawyers know about software? Lawyers apply the law to real world facts of all kinds. You should talk to one. There is far more to the law than warranty disclaimers. DO NOT GO INTO AN AIRPORT AND SHOUT "BOMB", with or without a contract to fly. > Without a contract and an agreement of liability, any lawyer is just going > to say "you want to use this software? Fine, your choice, no backup, no > option to sue." You argue against all production use of F/LOSS. Are you Bill Gates? Fortunately your argument is flawed. I am not your lawyer and I'm not giving you legal advice. I'm giving you the world class gold standard non-legal advice: Talk to your lawyers. --Mike ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/4/19 11:33 pm, Rowland Penny via Dng wrote: > On Tue, 2 Apr 2019 14:28:52 +0200 Arnt Karlsen > wrote: > >> On Tue, 2 Apr 2019 14:29:46 +0300, Dimitris wrote in message >> : >> >>> - TZ difference is bad. we should all go GMT or something >>> unique, and know when april fools starts/ends. >> >> ..disagreed, good pranks can use the extra bonus time. ;o) >> > > Yes, but your 1st of April may be my 31st March. Many April Fools are done /around/ the time of 1st April some get in early on purpose, irregardless of time zones. Still, moving on; we've been promised that this won't happen again. Thank you. Cheers A. -BEGIN PGP SIGNATURE- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXKOdbQAKCRCoFmvLt+/i +8IKAQDf6G0rDdOoNE6HIuLxVBqIqEv1IgG+uRtRE9AHjGNjbgD/RcEJU/nGYjUp t4eeNpEidzOAMM9zkToXEQ9iIqafs9I= =eBgE -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tuesday 02 April 2019 at 18:46:28, Mike Bird wrote: > On Tue April 2 2019 07:30:58 Jaromil wrote: > > There was no break-in on any part of Devuan's infrastructure on 1st > > April. This was the most skillfull prank I've witnessed in my life. > > You are easily impressed. And you double down on KatolaZ's > irresponsible vandalism with a display of lazy wishful thinking. Mike, please just drop this public display of your personal opinions and decide whatever you want to do, and then go and do it. As you've said yourself, several times: > Sysadmins will now each decide for themselves or with their > lawyers whether they can continue to use Devuan. So, leave it up to sysadmins and whomever they wish to consult with to make up their own minds. I'm sure none of them is going to whine on this list to the extent that you have. You continued rants are getting us nowhere. If you no longer trust or like Devuan, just go elsewhere. It's a free choice, and only you can make it. > If anyone finds a lawyer who says that it's safe to keep a production > system on Devuan I'd love to hear their reasoning. Well, as Jaromil eloquently pointed out, since you have no contract with Devuan, and it is clearly distributed WITHOUT ANY WARRANTY (I only capitalise because that's the way it's written in all the notices letting you know), I don't think you (or anyone else) is going to get a lawyer to express a professional opinion either way. I also fail to see how a lawyer can possibly decide whether it's "safe to keep a production system on Devuan". What do lawyers know about software? Without a contract and an agreement of liability, any lawyer is just going to say "you want to use this software? Fine, your choice, no backup, no option to sue." Please, take your own personal concerns about this unfortunately executed joke and quietly make your own mind up what you want to do next. Antony. -- Atheism is a non-prophet-making organisation. Please reply to the list; please *don't* CC me. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue April 2 2019 07:30:58 Jaromil wrote: > 1. There was no break-in on any part of Devuan's infrastructure on 1st >April. This was the most skillfull prank I've witnessed in my life. You are easily impressed. And you double down on KatolaZ's irresponsible vandalism with a display of lazy wishful thinking. You are claiming no break-in but you have reported nothing to establish the integrity of your systems and software from the ground up as any real Veteran Unix Admin knows how to do. Your claim comes after KatolaZ wrote: We know. Seems to be quite serious. No access to our infra. We are working on it, and we will post updates. And Evilham wrote: Had it been just about devuan-web, it wouldn't have been as terrible as this is: going the lengths of doing it with gdo and the build system undermines that trust of users towards Devuan. It's been now well over 12 hours and the "joke" is still on, it still hints at all parts of the infraestructure being compromised, it still looks as if gdo and the build system were compromised. While golinux indicated this had not been discussed in advance by the team: I was not aware of any discussion about this action. Nor has there been any explanation of why other core team members were unable to shutdown or redirect DNS, shutdown or repair the compromised systems, or take any other measures to mitigate the attack during the 24 hours it lasted. You simply don't know what happened during those 24 hours or what is still compromised and any reliance on the claims of an admitted attacker is beyond ridiculous. If any of you were the Veteran Unix Admins that you claimed to be you would know that a hand-waving "nothing happened" is utterly inadequate to prove that your systems and software have not been compromised without your knowledge. You have taken zero steps to prove Devuan trustworthy and you seem to think that's the end of the matter. Sysadmins will now each decide for themselves or with their lawyers whether they can continue to use Devuan. I'll be reading this list until our switch is complete. If anyone finds a lawyer who says that it's safe to keep a production system on Devuan I'd love to hear their reasoning. The work now to switch distros is a drag but worst of all is that you have just done more in one day to undermine the viability of alternatives to SystemD than its proponents could ever have dreamed of. > 2. Devuan comes WITHOUT ANY WARRANTY. Bluntly put, if you >want to hold someone liable, you need a contract. That's why people who cause airports to be evacuated by shouting "bomb" can't be both sued for the cost of the delays and prosecuted, right? No contract? How many billable person hours do you think your little stunt is going to end up costing worldwide? --Mike ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On Mon, Apr 01, 2019 at 08:37:43PM -0500, goli...@dyne.org wrote: > > Apologies for the tardy response but I'm on my way to AMS atm and don't own > a mobile device to keep current. Sadly, I won't be meeting any of you in AMS next weekend. I'm rooted to Montreal for medical reasons. -- hendrik ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] What you saw on devuan.org yesterday was an April's fools joke
dear readers, as a Devuan caretaker and co-founder, in my own personal capacity, let me state that: 1. There was no break-in on any part of Devuan's infrastructure on 1st April. This was the most skillfull prank I've witnessed in my life. 2. Devuan comes WITHOUT ANY WARRANTY. Bluntly put, if you want to hold someone liable, you need a contract. There are many professionals here and in the world who can offer you support. Blaming any Devuan developer for problems caused by his/her actions, be it a joke or a mistake, is nonsense. Do read the license, if you need to hold anyone liable for your own needs then make sure you have a contract with somoene. It is entirely up to you to trust us or not 3. At Dyne.org - a public ICT research institution working with the European Commission and some major municipalities - we use Devuan in production. Clearly we need the reliability: so we work for it. We are not only developing Devuan, but also we have an in-house continuous-integration infrastructure to build packages and new images for Devuan's many targets. I encourage everyone reading to consider contributing to Devuan and at the same time plan your own way of making a community project reliable for your own professional use. 4. Katolaz is not just one of the caretakers of Devuan, but is by far the developer making the most significant contributions to this project. If it wasn't for him, we would be stuck at Jessie, IMHO. For our community project, he has done: - about 75 Devuan packages - all the Devuan installers since Jessie RC - all the minimal-live images since Jessie Beta2 - development on the Devuan SDK - work on the sysvinit package in Debian - maintainance of all our critical infrastructure, including all the building hosts, jenkins, dak, amprolla, pkgmaster, mirrors, BTS, file server, all the ganeti nodes, DNS, web, and what not. I wish there would be no need for a personalising argument in this email, however given the attack Katolaz received I think of it as necessary. I've been through something like this myself on this very list, leading also to vandalization of wikipedia pages about my work. Is not funny at all and some solidarity helps a lot. This mail is signed with the same 8192B RSA GPG key who signs all packages distributed by Devuan. I'm not sure if we can go deeper in trust... my former key signs this one too and was in turn signed by GPG's author. Perhaps now I'll ask Werner to reach us in Amsterdam and cuddle on the couch a bit ;^) ciao -- Denis "Jaromil" Roio https://Dyne.org think tank Ph.D, CTO & co-foundersoftware to empower communities ✉ Haparandadam 7-A1, 1013AK Amsterdam, The Netherlands ✩ Profile and publications: https://jaromil.dyne.org 턞 crypto κρυπτο крипто गुप्त् 加密 האנוסים المشفره ⚷ 6113D89C A825C5CE DD02C872 73B35DA5 4ACB7D10 signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
Anno domini 2019 Tue, 2 Apr 13:33:20 +0100 Rowland Penny via Dng scripsit: > On Tue, 2 Apr 2019 14:28:52 +0200 > Arnt Karlsen wrote: > > > On Tue, 2 Apr 2019 14:29:46 +0300, Dimitris wrote in message > > : > > > > > - TZ difference is bad. we should all go GMT or something unique, > > > and know when april fools starts/ends. > > > > ..disagreed, good pranks can use the extra bonus time. ;o) > > > > Yes, but your 1st of April may be my 31st March. It pays off knowing the local timezone of the sender :-) > > Rowland > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ... ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Update on the Green Hat Hackers attack
On Tue, 02 Apr 2019 13:38:32 +0200, Martin wrote in message <2435606.oUQQ83ams4@merkaba>: > Adrian Zaugg - 01.04.19, 22:10: > > I'd definitively preferred: > > > > Devuan embraces Systemd! > > After thorough discussions in our technical committee Devuan decided > > to ship systemd with its next release "Beowulf" as the standard > > init. Systemd is a complete pot of terware that will enhance Devuan > > to an industry approved, enterprise grade blackbox system, that > > demands highest trust in its developers. Ubiquitous access for any > > user, no more security concerns combined with highest computing > > power needs for any system will be the remarkable achievement of > > this wise decision. Init freedom salutes you, veterans. > > +1 > > :) ..hush. ;o) -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On Tue, 2 Apr 2019 14:28:52 +0200 Arnt Karlsen wrote: > On Tue, 2 Apr 2019 14:29:46 +0300, Dimitris wrote in message > : > > > - TZ difference is bad. we should all go GMT or something unique, > > and know when april fools starts/ends. > > ..disagreed, good pranks can use the extra bonus time. ;o) > Yes, but your 1st of April may be my 31st March. Rowland ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On Tue, 2 Apr 2019 14:29:46 +0300, Dimitris wrote in message : > - TZ difference is bad. we should all go GMT or something unique, and > know when april fools starts/ends. ..disagreed, good pranks can use the extra bonus time. ;o) -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Update on the Green Hat Hackers attack
Adrian Zaugg - 01.04.19, 22:10: > I'd definitively preferred: > > Devuan embraces Systemd! > After thorough discussions in our technical committee Devuan decided > to ship systemd with its next release "Beowulf" as the standard init. > Systemd is a complete pot of terware that will enhance Devuan to an > industry approved, enterprise grade blackbox system, that demands > highest trust in its developers. Ubiquitous access for any user, no > more security concerns combined with highest computing power needs > for any system will be the remarkable achievement of this wise > decision. Init freedom salutes you, veterans. +1 :) Thanks, -- Martin ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On 4/2/19 9:14 AM, Ralph Ronnquist via Dng wrote: > This ancient religion that I just made up relies on goat liver for > guidance in professional decisions. I'll confer with my butcher. vegetarian-wanna-be here. my spiritual leader (=gardener) suggested i try water. indeed, i could reproduce, and can now confirm it helps grow up and make better decisions. in other DNG news today : - Weapons of Mass Distraction found in AMS. marine corps ready to act upon. - Lawyers across the globe give thanks to dramadmin for keeping them busy with nothing. - Grown ups suck. you knew that as a kid, it's now confirmed and you're probably one of them. tip: go back to school. - if it wasn't for this bad/good joke, we'd never have guessed gopher is still working to this date! - troll bullying is easy to perform on community mailing lists as well. sheeple are everywhere. - defacing dev1 web, and the whole net/world is hacked. - TZ difference is bad. we should all go GMT or something unique, and know when april fools starts/ends. and last but not least, the - free software community recipe of the day (brought to you by DNG bullies united): 100% professionalism 0% ego 100% security (is there such a thing?) 0% fun about a dozen lawyers put all these together and you get a nice shitstorm of failed projects. if you leave it too long on the oven, you might be rewarded, in the form of an evil corp acquisition. even maybe get a nice house in the bahamas as bonus. signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On 4/1/19 8:05 PM, Mike Bird wrote: Anyone using Devuan in production will, like us, have frozen updates for now. This situation cannot persist long. If Devuan/VUA cannot quickly prove itself worthy of trust we too will have to rebuild our systems, and in doing so migrate away from Devuan. Devuan/VUA's lame response thus far has been infinitely worse than anything ever done by SystemD. +1 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On Mon, Apr 01, 2019 at 12:27:25PM -0700, Mike Bird wrote: > On Mon April 1 2019 12:18:53 Antony Stone wrote: > > If this incident has made you distrust the Devuan project, you're probably > > better off using a different distro. > > Are you a sysadmin? Are you responsible for other people's data? At this time, no longer a sysadmin, yet software I'm working on is being deployed for data on the upper extreme of sizes. > Let's say you have the misfortune to have one of your servers hacked > one day. Credit card numbers are stolen. Lawsuits are filed. Oookay, but what does this have to do with a website's front page? You install packages from the repository, not from the landing. Heck, despite using Debian for two decades, I've visited the front page of https://debian.org probably less than ten times, every time having a hard time to find what I wanted (even for stale^Wstable install images, it's the d-i page I'm accustomed to). > You claim in your defense that you were doing your best to keep the > information secure. Which depends on merits of your actions, not the colours of a webpage. > Plaintiff's lawyers discover that you were using Devuan and Devuan > had not responded seriously to this incident. What incident? > You are now bankrupt, unemployed, and unemployable. > > Believe me, the other four need to get their acts together and very > quickly if they want anyone other than themselves to continue using > Devuan. At this point, I'd be vary of using whatever product the company that employs _you_ makes. If a sysadmin is so naive to not spot such an obvious joke, he or she can't be trusted to not fall for social engineering attacks or to spot any actual security threat. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Did ya know that typing "test -j8" instead of "ctest -j8" ⢿⡄⠘⠷⠚⠋⠀ will make your testsuite pass much faster, and fix bugs? ⠈⠳⣄ ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On 4/1/19 1:30 PM, KatolaZ wrote: > There was no attack. There was no security incident. It was an April fool. We have clarified that several times. I have apologised for that. I am very sorry for the distress caused :\ I think it's noteworthy when a person steps up and owns a mistake. Especially on an internet forum. FWIW, this isn't the first time a lapse in judgement on 4/1 ended badly. KatolaZ has put a lot of effort into making Devan awesome and offering help on the many (oftentimes poorly asked) questions that arise on this list. Let's move on. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Update on the Green Hat Hackers attack
On Tue, 2 Apr 2019 09:32:51 +0300, Lars wrote in message <720e36b0-096f-879a-6a9f-ca0c2aa84...@gmail.com>: > On 4/2/19 12:26 AM, Rick Moen wrote: > > Quoting KatolaZ (kato...@freaknet.org): > > > >> Dear D1rs, > >> > >> we have analysed in depth the attack from the "Green Hat Hackers" > >> that compromised the Devuan infrastructure in the last hours, and > >> we concluded that you all are: > >> > >>* APRIL FOOLS * > > > > It was well done, IMO. I'm impressed as heck (and nostaligic) that > > you created a fully populated Gopher presence. > [snip] > > Indeed. I was worried quite a bit until nudged to look at the epoch > dates. > > +1 for fitting gopher into the joke. Gopher is quite underrated. > With OpenPGP-signed files, the lack of encryption is less of a > problem, at least for public information. Maybe next year the gopher > site could be done as an Onion service and thus wrap the gopher in an > encrypted protocol. Though that may raise the bar for participation > a bit too much. ..meanwhile: 'grep proxy /etc/lynx/lynx.cfg ' for ideas on where try your own --proxy-server="socks://127.0.0.1:9050" on http://check.torproject.org/ and gopher sites. -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
> The surviving Devuan core team members will take zero or > more steps to prove Devuan trustworthy and sysadmins will > each decide for themselves or with their lawyers whether > they can continue to use Devuan. Weirdly enough I trust devuan a bit more after this incident: - I now know that the devuan servers are run by a very small team. Small is good. I now know that there isn't a humorless communications, legal or hr department which can overrule public facing communications. That is good for the longevity of the project, as it means the odds of it staying fun for longer are better. Too many procedures cause necrosis. Also: there is somebody who has the inclination and ability to build a complex technical prank. That means that somebody sees this as more than just a job and has some technical and time reserves. - This event has had more than one person think about what would happen if devuan were really compromised. How would you have restored/rolled back your systems ? So instead of complaining about a bad joke, consider it a dress-rehearsal for a real compromise. Is it worth the effort to keep a many month old copy of devuan sources offline, as a starting point for recovery from a catastrophic compromise ? Should you pick a few packages and mirror their upstream sources ? Can you even build a package from source - if not might it not be worth understanding how ? If you aren't thinking about these things now, then you aren't taking security seriously. This is not to say that the prank had problems: When confronted with somebody asking on April 1st: "is this really true, were you compromised ?" one doesn't answer "yes, we are investigating". One either fesses up or tries to strech credulity beyond breaking: "Yes we are investigating, and there is this green light shining from server rack. It turns the hackers aren't just wearing green hats, they are totally green and rather little - we are negotiating with them at the moment for access to our leader. Must be this time of year again..." regards marc ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Update on the Green Hat Hackers attack
On 4/2/19 12:26 AM, Rick Moen wrote: > Quoting KatolaZ (kato...@freaknet.org): > >> Dear D1rs, >> >> we have analysed in depth the attack from the "Green Hat Hackers" that >> compromised the Devuan infrastructure in the last hours, and we >> concluded that you all are: >> >>* APRIL FOOLS * > > It was well done, IMO. I'm impressed as heck (and nostaligic) that you > created a fully populated Gopher presence. [snip] Indeed. I was worried quite a bit until nudged to look at the epoch dates. +1 for fitting gopher into the joke. Gopher is quite underrated. With OpenPGP-signed files, the lack of encryption is less of a problem, at least for public information. Maybe next year the gopher site could be done as an Onion service and thus wrap the gopher in an encrypted protocol. Though that may raise the bar for participation a bit too much. /Lars ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
Mike Bird wrote on 2/4/19 5:02 pm: > The surviving Devuan core team members will take zero or > more steps to prove Devuan trustworthy and sysadmins will > each decide for themselves or with their lawyers whether > they can continue to use Devuan. This ancient religion that I just made up relies on goat liver for guidance in professional decisions. I'll confer with my butcher. Ralph. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 22:49:31 Steve Litt wrote: > Mike, please speak for yourself. I get it: This incident caused you to > take evasive action, and now you have serious doubts about using Devuan > further. That's fine: There are other sans-systemd distros and BSDS > that might be more or less secure and reliable than Devuan. > > But you can't dictate that everyone using Devuan in production must > drop Devuan unless a set of further procedures are followed. Move if > you must, but have the respect to allow each of us to handle this our > own way. The surviving Devuan core team members will take zero or more steps to prove Devuan trustworthy and sysadmins will each decide for themselves or with their lawyers whether they can continue to use Devuan. --Mike ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
