+1

On Mon, Dec 18, 2017 at 12:43 PM, Dave Neuman <neu...@apache.org> wrote:
> I personally don't want to see us hold up this release any longer,
> especially for something like this.  If folks really want to use this file,
> it's easy enough to have puppet put the file in place and use it in your
> own Traffic Control installation.  We can add documentation suggesting as
> much as well.  Rob, if you think you can find a suitable replacement in a
> decent timeframe then be my guest.  Otherwise, I think we should replace
> the file with a blank file (or create our own version) and move on.
> If legal comes back and decides the file is ok, we can re-introduce it in
> the 2.2 release.
>
> --Dave
>
> On Mon, Dec 18, 2017 at 12:08 PM, Robert Butts <robert.o.bu...@gmail.com> wrote:
>
>> That's correct. No RPM, unfortunately. License is here:
>> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>>
>> -1 on downloading during rpmbuild, or especially postinstall. Both pose a
>> security risk. Moreover, it makes our build or install dependent on the
>> internet and a particular website. Neither building nor installing should
>> require either internet or a particular website; we should be working to
>> get away from that, not towards it.
>>
>> I'd prefer to find something Apache is ok with vendoring, if we have to.
>> Though, ideally we'd keep this one; Daniel Miessler is a well-known name in
>> the security community.
>>
>>
>> On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood <dang...@gmail.com> wrote:
>>
>> > Thanks, Eric. Then it's possible we could download it during
>> > rpmbuild or postinstall.
>> >
>> > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
>> > <efrie...@cisco.com> wrote:
>> > > It can be downloaded from Github.
>> > >
>> > > I think this is the file (Rob correct me if I picked the wrong variant):
>> > > https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_100000.txt
>> > >
>> > > —Eric
>> > >
>> > > On Dec 18, 2017, at 1:38 PM, Dan Kirkwood <dang...@gmail.com<mailto:dango...@gmail.com>> wrote:
>> > >
>> > > Rob, is there a specific download location for this file? I see it
>> > > referenced as "Projects/OWASP SecLists Project", but didn't find it
>> > > with a quick search. Is it possible it's provided by an rpm we could
>> > > list as a dependency rather than including in our source?
>> > >
>> > > -dan
>> > >
>> > > On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts <robert.o.bu...@gmail.com<mailto:robert.o.bu...@gmail.com>> wrote:
>> > > I'd really like to keep this, or replace it with a similar file from
>> > > another source. Which I'd be willing to investigate, if necessary.
>> > >
>> > > Having a good blacklist of most-common passwords specifically puts Traffic
>> > > Ops in compliance with NIST SP 800-63B.
>> > >
>> > > I also don't understand the objections; the Apache Legal FAQ specifically
>> > > says CC-SA is permissible, and doesn't say anything about being limited to
>> > > binary (which would be odd, CC is designed for text, not binary).
>> > > https://www.apache.org/legal/resolved.html#cc-sa
>> > >
>> > > I'd vote we wait for the legal resolution, or find a suitable replacement,
>> > > in order to remain in NIST compliance.
>> > >
>> > >
>> > > On Mon, Dec 18, 2017 at 10:55 AM, David Neuman <david.neuma...@gmail.com> wrote:
>> > >
>> > > Hey all,
>> > > I don't know if you have been following the release 2.1 thread on the
>> > > incubator list [1], but we have been given a -1 vote by the IPMC for
>> > > having a file in our release [2] that has an incompatible license. There
>> > > is some debate about the license, and we have reached out to Legal for more
>> > > information [3] (thanks Eric!), but we haven't heard back from legal yet.
>> > > Instead of waiting for legal to get back to us, I would like to propose
>> > > that we instead remove this file from our release. The file in question is
>> > > just a list of weak passwords and I feel like we can easily include a blank
>> > > file, or a file with a couple passwords that we generate, and individual
>> > > installs of Traffic Control can replace this file as they see fit. This will
>> > > remove the issue of having an incompatible license in our release and should
>> > > also not require us to do a code change. The downside of removing this
>> > > file is that we will need to create another 2.1 release candidate and go
>> > > through the vote process again. I would really like to see us get 2.1
>> > > released before the end of the year, and at this point our chances are
>> > > looking pretty slim. So, does anyone object to removing this file from our
>> > > release? If not, I will put an issue into github, remove the file, and
>> > > back port the change so that we can get another 2.1 release candidate out.
>> > >
>> > > Thanks,
>> > > Dave
>> > >
>> > >
>> > > [1] https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E
>> > > [2] apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/conf/invalid_passwords.txt
>> > > [3] https://issues.apache.org/jira/browse/LEGAL-356
>> > >
>> > >
>> >
>>
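
The blocklist check that the NIST SP 800-63B point in this thread relies on, written out as an added example that is not Traffic Ops code and is not taken from the project. It reads an invalid_passwords.txt-style file (the constructed sample below stands in for the real list, which is not reproduced here), skips blank and comment lines so that the blank or self-generated file Dave proposes still loads cleanly as an empty blocklist, and rejects candidates case-insensitively. The type and function names are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Blocklist is the set of disallowed passwords, normalised to lower case.
type Blocklist map[string]struct{}

// LoadBlocklist reads one password per line from an invalid_passwords.txt-style
// file. Blank lines and '#' comment lines are skipped, so a blank or
// operator-generated file loads as an empty, still usable, blocklist rather
// than failing.
func LoadBlocklist(r io.Reader) (Blocklist, error) {
	bl := make(Blocklist)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // also strips the CR of CRLF files
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		bl[strings.ToLower(line)] = struct{}{}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return bl, nil
}

// Rejected reports whether candidate matches a blocklist entry. Matching is
// case-insensitive, so a list entry "password" also catches "PASSWORD".
func (bl Blocklist) Rejected(candidate string) bool {
	_, found := bl[strings.ToLower(candidate)]
	return found
}

// Check applies the blocklist and returns a user-facing reason, or nil when
// the candidate is acceptable; SP 800-63B expects the subscriber to be told
// why a value was refused.
func (bl Blocklist) Check(candidate string) error {
	if bl.Rejected(candidate) {
		return fmt.Errorf("password is on the list of commonly used passwords")
	}
	return nil
}

// sampleList is a constructed stand-in for invalid_passwords.txt; it is not
// the real file.
const sampleList = `# constructed sample list, not the real file
123456
password
qwerty
Password1
`

func main() {
	bl, err := LoadBlocklist(strings.NewReader(sampleList))
	if err != nil {
		panic(err)
	}
	for _, c := range []string{"PASSWORD", "qwerty", "correct horse battery staple"} {
		if err := bl.Check(c); err != nil {
			fmt.Printf("%q rejected: %v\n", c, err)
		} else {
			fmt.Printf("%q accepted\n", c)
		}
	}
}
```

Because the file is read once into a set, swapping in a different list (the puppet-managed file mentioned above, or a locally generated one) needs no code change; only the file contents differ.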
