On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> These two links are referenced by the Debian security audit pages but
> the domain has been taken by squatters.

I have modified the pages to

a) remove the pointer to http://shellcode.org/Setuid/, there is currently no alternative (that I know of)

b) point maintainers and interested users/developers to the public debian-security mailing list instead of to the old debian-audit mailing list (which was also public BTW)

> Could someone from the security
> team suggest the correct course of action here?

I'm not a security team member, but an (inactive) member of the debian-audit team. I think the best course of action is to keep the pages since they describe processes, tools and information that are relevant for developers and for prospective auditors. The pages do not highlight currently, however, that the Debian Audit team is currently unmanned. I'm adjusting intro/organization also somewhat.

> Does the security team
> generate a list of all setuid/setgid executables in Debian? There does
> not appear to be a replacement for the debian-audit list, should mails
> about that be directed to debian-security?

For the time being I have updated the webpages to point to debian-security to replace the previous mailing list. I have also submitted a project registration at Alioth ('debian-audit') so that the project has its own space for tools and for a mailing list. Once the project is approved I will point to that mailing list, and will try to have the old content of the mailing list (old posts) restored there too.

> http://shellcode.org/Setuid/

As for this tool, it was developed by Steve Kemp and I'm not sure the code was made public. It would not be very difficult to produce a similar tool if developers are still interested. For the time being, I've removed pointers to that tool from the webpage so that we do not point to cyber-squatter domains.

Regards

Javier