I personally don't want to see us hold up this release any longer, especially for something like this. If folks really want to use this file, it's easy enough to have puppet put the file in place and use it in your own Traffic Control installation. We can add documentation suggesting as much as well. Rob, if you think you can find a suitable replacement in a decent timeframe then be my guest. Otherwise, I think we should replace the file with a blank file (or create our own version) and move on. If legal comes back and decides the file is ok, we can re-introduce it in the 2.2 release.
--Dave

On Mon, Dec 18, 2017 at 12:08 PM, Robert Butts <robert.o.bu...@gmail.com> wrote:
> That's correct. No RPM, unfortunately. License is here:
> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>
> -1 on downloading during rpmbuild, or especially postinstall. Both pose a security risk. Moreover, it makes our build or install dependent on the internet and a particular website. Neither building nor installing should require either internet or a particular website; we should be working to get away from that, not towards it.
>
> I'd prefer to find something Apache is ok with vendoring, if we have to. Though, ideally we'd keep this one, Daniel Miessler is a well-known name in the security community.
>
>
> On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood <dang...@gmail.com> wrote:
>
> > Thanks, Eric.. Then it's possible we could download it during rpmbuild or postinstall.
> >
> > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri) <efrie...@cisco.com> wrote:
> > > It can be downloaded from Github.
> > >
> > > I think this is the file (Rob correct me if I picked the wrong variant):
> > > https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_100000.txt
> > >
> > > —Eric
> > >
> > > On Dec 18, 2017, at 1:38 PM, Dan Kirkwood <dang...@gmail.com> wrote:
> > >
> > > Rob, is there a specific download location for this file? I see it referenced as "Projects/OWASP SecLists Project", but didn't find it with a quick search. Is it possible it's provided by an rpm we could list as a dependency rather than including in our source?
> > >
> > > -dan
> > >
> > > On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts <robert.o.bu...@gmail.com> wrote:
> > > I'd really like to keep this, or replace it with a similar file from another source. Which I'd be willing to investigate, if necessary.
> > >
> > > Having a good blacklist of most-common passwords specifically puts Traffic Ops in compliance with NIST SP 800-63B.
> > >
> > > I also don't understand the objections; the Apache Legal FAQ specifically says CC-SA is permissible, and doesn't say anything about being limited to binary (which would be odd, CC is designed for text, not binary).
> > > https://www.apache.org/legal/resolved.html#cc-sa
> > >
> > > I'd vote we wait for the legal resolution, or find a suitable replacement, in order to remain in NIST compliance.
> > >
> > >
> > > On Mon, Dec 18, 2017 at 10:55 AM, David Neuman <david.neuma...@gmail.com> wrote:
> > >
> > > Hey all,
> > > I don't know if you have been following the release 2.1 thread on the incubator list [1], but we have been given a -1 vote by the IPMC for having a file in our release [2] that has an incompatible license. There is some debate about the license, and we have reached out to Legal for more information [3] (thanks Eric!), but we haven't heard back from legal yet. Instead of waiting for legal to get back to us, I would like to propose that we instead remove this file from our release. The file in question is just a list of weak passwords and I feel like we can easily include a blank file, or a file with a couple passwords that we generate, and individual installs of Traffic Control can replace this file as they see fit. This will remove the issue of having an incompatible license in our release and should also not require us to do a code change. The downside of removing this file is that we will need to create another 2.1 release candidate and go through the vote process again. I would really like to see us get 2.1 released before the end of the year, and at this point our chances are looking pretty slim.
> > >
> > > So, does anyone object to removing this file from our release? If not, I will put an issue into github, remove the file, and back port the change so that we can get another 2.1 release candidate out.
> > >
> > > Thanks,
> > > Dave
> > >
> > >
> > > [1] https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E
> > > [2] apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/conf/invalid_passwords.txt
> > > [3] https://issues.apache.org/jira/browse/LEGAL-356
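The weak-password check the thread is about, as an added example (not Traffic Ops code): a Go loader for a one-password-per-line file in the shape of invalid_passwords.txt that tolerates the blank placeholder file Dave proposes, plus the NIST SP 800-63B minimum-length and blocklist rules Rob cites. Case-insensitive matching and the sample entries are assumptions made here.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"unicode/utf8"
)

// Blocklist holds the normalized entries of an invalid-passwords file.
type Blocklist map[string]struct{}
// ParseBlocklist reads a one-password-per-line list in the shape of
// traffic_ops/app/conf/invalid_passwords.txt. Entries are trimmed and
// lower-cased (a normalization chosen here, not taken from the project);
// blank lines are skipped, so a blank placeholder file yields an empty list.
func ParseBlocklist(r io.Reader) (Blocklist, error) {
	bl := Blocklist{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if entry := strings.TrimSpace(sc.Text()); entry != "" {
			bl[strings.ToLower(entry)] = struct{}{}
		}
	}
	return bl, sc.Err()
}

// CheckPassword applies the two NIST SP 800-63B rules the thread refers to:
// at least 8 characters, and not present in a list of commonly used
// passwords. It returns "" when acceptable, otherwise the rejection reason.
func CheckPassword(pw string, bl Blocklist) string {
	if utf8.RuneCountInString(pw) < 8 {
		return "password must be at least 8 characters"
	}
	if _, blocked := bl[strings.ToLower(strings.TrimSpace(pw))]; blocked {
		return "password is in the list of commonly used passwords"
	}
	return ""
}

func main() {
	// Constructed sample standing in for the file; not taken from SecLists.
	bl, err := ParseBlocklist(strings.NewReader("password\n123456\n\nQwerty123\n"))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"Password", "short", "correct horse battery"} {
		fmt.Printf("%q -> %q\n", pw, CheckPassword(pw, bl))
	}
}
```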