Re: openssh-blacklist - careless waste of space.

2009-08-02 Thread Jan Chadima

- "Steve Grubb"  wrote

> I think this is a bit like virus definitions. 800Mb is excessive to
> ship in a package. I think the definitions could be created by a script,
> but will take some time to generate. Maybe adding a generator for people
> not connected would let them recreate the content?
> 
> But a 800Mb package is bigger than the livecd.
> 
> -Steve
> 
To make a working generator is not so easy. It is necessary to provide it in 3
archs: 32bit le, 64 le and 32bit be, and to run it on all the architectures.
(Problematic is the big endian architecture.) The generation of the keysets is
a time-consuming process.
 


-- 
JFCh

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: openssh-blacklist - careless waste of space.

2009-08-01 Thread Gregory Maxwell
On Fri, Jul 31, 2009 at 11:31 AM, Steve Grubb wrote:
> On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
>> I think what is meant, is that the app is useless, without either
>> web\media input. Which the user should not have to do to take full
>> advantage of it.
>
> I think this is a bit like virus definitions.

It's more akin to a bad password list.

> 800Mb is excessive to ship in a
> package. I think the definitions could be created by a script, but will take
> some time to generate. Maybe adding a generator for people not connected would
> let them recreate the content?
>
> But a 800Mb package is bigger than the livecd.


What?!

Openssh-blacklist is a list of bad keys that could have been generated
by the debian lack of entropy bug.

In it should be a couple of text files: A DSA key file, and an RSA key
file for each of a couple common key sizes.  Each file should have
100k lines or so with just a fingerprint on them.. all in all it
should just be a couple of mbytes.

It looks like that distribution also includes the full public and
private keyparts for the bad keys in addition to the fingerprints.
That isn't needed for bad key screening— that additional info is only
really needed by attackers.

After the vulnerability I screened the accounts on my systems and
found a couple of these bad keys just from giving my ubuntu/debian
running friends access to rsync data, so this is a risk for fedora
users too.

Not only should this install without requiring a live internet
connection but these, or at least a subset with the most common key
sizes, should really be part of the default ssh install along with the
feature in SSH that causes it to refuse to use these keys.

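Gregory's description above is, in effect, a spec for the screening tool: a text file of fingerprints per key type and size, checked against the keys that grant access. The following is an added example (not code from the thread or from the openssh-blacklist package) of such a check over an authorized_keys file. It assumes a blacklist format of one colon-separated MD5 fingerprint per line with '#' comments, handles lines that carry an options prefix such as command="...", and reads the key type and size out of the key blob so the right per-size list can be chosen. The keys and the blacklist it runs on are constructed inside the block from fixed numbers and are not real keys.

```python
"""Screen an authorized_keys file against an SSH fingerprint blacklist.

Added example, not code from the thread or from the openssh-blacklist
package. Assumptions: the blacklist is a text file with one OpenSSH MD5
fingerprint (hex pairs, colon separated) per line and '#' comments, the
keys are ssh-rsa or ssh-dss, and the keys below are constructed from tiny
fixed numbers purely so the example runs offline (they are not real keys).
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 if high bit set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(ktype: str, *ints: int) -> str:
    """Base64 public-key blob as it appears in authorized_keys (constructed)."""
    raw = _ssh_string(ktype.encode()) + b"".join(_ssh_mpint(i) for i in ints)
    return base64.b64encode(raw).decode()


def key_info(b64_blob: str):
    """Return (type, modulus-or-p bits, raw blob) so the right list can be chosen."""
    blob = base64.b64decode(b64_blob)
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":      # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif ktype == "ssh-dss":    # fields: type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
    else:
        bits = None             # other key types: no blacklist applies here
    return ktype, bits, blob


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH-style MD5 fingerprint: 16 hex pairs separated by colons."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def load_blacklist(text: str) -> set:
    """One fingerprint per line; blank lines and '#' comments ignored (assumed format)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def screen_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line number, key type, bits, fingerprint, comment) for every
    blacklisted key. Lines with an options prefix (command=..., no-pty) are
    handled by locating the key-type token rather than assuming column 0."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue                      # not a key line we understand
        ktype, bits, blob = key_info(parts[idx + 1])
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, ktype, bits, fp, " ".join(parts[idx + 2:])))
    return hits


# Constructed sample data (not real keys, not the real blacklist).
WEAK_KEY = make_blob("ssh-rsa", 65537, (1 << 2047) | 12345)
GOOD_KEY = make_blob("ssh-rsa", 65537, (1 << 2047) | 54321)
DSA_KEY = make_blob("ssh-dss", (1 << 1023) | 7, 3, 5, 9)
BLACKLIST_TEXT = ("# constructed blacklist: fingerprint of the key we pretend is weak\n"
                  + md5_fingerprint(base64.b64decode(WEAK_KEY)) + "\n")
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    f"ssh-rsa {GOOD_KEY} alice@example",
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {WEAK_KEY} bob@example',
    f"ssh-dss {DSA_KEY} carol@example",
])

if __name__ == "__main__":
    for lineno, ktype, bits, fp, comment in screen_authorized_keys(
            AUTHORIZED_KEYS, load_blacklist(BLACKLIST_TEXT)):
        print(f"line {lineno}: blacklisted {ktype}-{bits} {fp} ({comment})")
```

Run as a script it reports the one constructed hit. In real use the two constructed strings would be replaced by the contents of each account's authorized_keys (and the host keys) and the distribution's fingerprint files, selected by the type and size that key_info reports.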


Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Frank Murphy
On 31/07/09 17:37, Adam Williamson wrote:
> On Fri, 2009-07-31 at 09:42 +0100, Frank Murphy wrote:
> 
>> I think what is meant, is that the app is useless, without either 
>> web\media input. Which the user should not have to do to take full 
>> advantage of it.
> 
> We ship rather a lot of applications which are fairly useless without an
> internet connection. If the data is downloaded from the internet when
> you run _the installed program_, I don't see any problem here.
> 

I agree, but thought I was clarifying Conrad's comment :(
Back to the TV



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Adam Miller
On Fri, Jul 31, 2009 at 11:37 AM, Adam Williamson wrote:

> We ship rather a lot of applications which are fairly useless without an
> internet connection. If the data is downloaded from the internet when
> you run _the installed program_, I don't see any problem here.
>


+1

-Adam

-- 
http://maxamillion.googlepages.com
-
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Adam Williamson
On Fri, 2009-07-31 at 09:42 +0100, Frank Murphy wrote:

> I think what is meant, is that the app is useless, without either 
> web\media input. Which the user should not have to do to take full 
> advantage of it.

We ship rather a lot of applications which are fairly useless without an
internet connection. If the data is downloaded from the internet when
you run _the installed program_, I don't see any problem here.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Steve Grubb
On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
> I think what is meant, is that the app is useless, without either
> web\media input. Which the user should not have to do to take full
> advantage of it.

I think this is a bit like virus definitions. 800Mb is excessive to ship in a 
package. I think the definitions could be created by a script, but will take 
some time to generate. Maybe adding a generator for people not connected would 
let them recreate the content?

But a 800Mb package is bigger than the livecd.

-Steve



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Jan Chadima

- "Frank Murphy"  wrote:

> On 31/07/09 09:37, Jan Chadima wrote:
> > - "Conrad Meyer"  wrote:
> 
> --snip--
> 
> > Maybe I do not understand your question. Now the srpm and noarch.rpm
> > also < 20kB.
> >
> > The build is normal koji build. User (or admin) run the program and
> > then program synchronize the local database of keys to the internet one.
> >
> > If someone have no Internet, it is also the possibility transfer the
> > data on CD, DVD, FLASH or else
> >
> 
> I think what is meant, is that the app is useless, without either 
> web\media input. Which the user should not have to do to take full 
> advantage of it.
> 

1) who is unable to get data from the Internet and transfer it by other means to 
another computer today?
2) how to put various sets of data of total size up to 1GB (2GB in future) into 
the distro?
3) why would a user without Internet want to test his network security?
--- if it is a user on a great intranet, admins should provide an internal mirror.
--- if it is a single computer then the whole package is useless 
:)  and the user should not have to do to take full advantage of it. :)

> -- 
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Frank Murphy

On 31/07/09 09:37, Jan Chadima wrote:
> - "Conrad Meyer"  wrote:
>
> --snip--
>
> Maybe I do not understand your question. Now the srpm and noarch.rpm
> also < 20kB.
>
> The build is normal koji build. User (or admin) run the program and then 
> program synchronize the local database of keys to the internet one.
>
> If someone have no Internet, it is also the possibility transfer the data 
> on CD, DVD, FLASH or else 

I think what is meant, is that the app is useless, without either 
web\media input. Which the user should not have to do to take full 
advantage of it.




Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Jan Chadima

- "Conrad Meyer"  wrote:

> On Thursday 30 July 2009 08:49:12 am Jan Chadima wrote:
> > Hi
> > I've just solved the problem with the openssh-blacklist package.
> > Now the package is only 16 kbytes. It contains the downloader. The data
> > are downloaded from the server on user request. Excuse me for the first
> > (big) package. I hope that way will work.
> 
> If I'm reading this correctly, this behavior is also broken. The user
> should not have to be connected to the internet to use the package after
> (s)he installs it.
> 
> Another interpretation suggests that you download the data in the build
> process; that won't work on Koji (and should be fixed).
> 

Maybe I do not understand your question. Now the srpm and noarch.rpm are also 
< 20kB. The build is a normal koji build. The user (or admin) runs the program 
and then the program synchronizes the local database of keys to the internet 
one. If someone has no Internet, it is also possible to transfer the data on 
CD, DVD, FLASH or else.


> Regards,
> -- 
> Conrad Meyer 
> 
> -- 
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-30 Thread drago01
On Thu, Jul 30, 2009 at 7:00 PM, Conrad Meyer wrote:
> On Thursday 30 July 2009 08:49:12 am Jan Chadima wrote:
>> Hi
>> I've just solved the problem with the openssh-blacklist package.
>> Now the package is only 16 kbytes. It contains the downloader. The data
>> are downloaded from the server on user request. Excuse me the first
>> (big)package. I hope that way will work.
>
> If I'm reading this correctly, this behavior is also broken. The user should
> not have to be connected to the internet to use the package after (s)he
> installs it.
>
> Another interpretation suggests that you download the data in the build
> process; that won't work on Koji (and should be fixed).

just upload a custom (modified) tarball.



Re: openssh-blacklist - careless waste of space.

2009-07-30 Thread Conrad Meyer
On Thursday 30 July 2009 08:49:12 am Jan Chadima wrote:
> Hi
> I've just solved the problem with the openssh-blacklist package.
> Now the package is only 16 kbytes. It contains the downloader. The data
> are downloaded from the server on user request. Excuse me the first
> (big)package. I hope that way will work.

If I'm reading this correctly, this behavior is also broken. The user should 
not have to be connected to the internet to use the package after (s)he 
installs it.

Another interpretation suggests that you download the data in the build 
process; that won't work on Koji (and should be fixed).

Regards,
-- 
Conrad Meyer 



Re: openssh-blacklist - careless waste of space.

2009-07-30 Thread Jan Chadima
Hi
I've just solved the problem with the openssh-blacklist package.
Now the package is only 16 kbytes. It contains the downloader. The data
are downloaded from the server on user request. Excuse me for the first
(big) package. I hope that way will work.

> -- 
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-27 Thread Adrian Reber
On Fri, Jul 24, 2009 at 05:30:27PM +0300, Yanko Kaneti wrote:
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
> 
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.

and it is the biggest source RPM on my mirror in the development branch

 646584862 2009-05-27 15:37 nexuiz-data-2.5.1-1.fc12.src.rpm
1072930637 2009-07-22 12:43 openssh-blacklist-0.7-1.fc12.src.rpm

(nexuiz-data being the second with probably more useful data)

Adrian



Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Daniel P. Berrange
On Fri, Jul 24, 2009 at 05:30:27PM +0300, Yanko Kaneti wrote:
> So
> 
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
> 
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.
> 
> Seriously wtf!?. And where is the frikken package review for it?

This really is insane. The source tar.gz contains

openssh-blacklist-0.7$ du -h -c -s *
4.0K    CONTENT
16K     COPYING
26M     fingerprints
797M    private
358M    public
1.2G    total


The SPEC file just does

  mv fingerprints/* $RPM_BUILD_ROOT%{_datadir}/%{name}

So there is 1.2 GB of data there that is never used for any purpose
whatsoever; it's not even being used to build the final data that
goes into the binary RPM.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

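As an added example (not the package's spec or build scripts, and not code from the thread), the following repacks a source tarball with the layout of Daniel's du listing so that only the installed material (fingerprints plus CONTENT and COPYING) survives, and reports the private/ and public/ trees that the spec never touches as dropped. The keep-list, the tiny file contents and the tarball names are assumptions constructed for the demo; the stand-in tree is built inside the block so it runs offline.

```python
"""Repack a source tarball so it carries only the files the spec installs.

Added example, not code from the thread or the openssh-blacklist package.
The top-level names (CONTENT, COPYING, fingerprints, private, public) are
the ones in the du listing above; the keep-list, the sample file contents
and the tarball names are constructed assumptions for the demo.
"""
import io
import os
import tarfile
import tempfile

KEEP = ("CONTENT", "COPYING", "fingerprints")   # what the %install step uses


def trim_tarball(src_path: str, dst_path: str, topdir: str) -> list:
    """Copy members under topdir/ whose first path component is in KEEP;
    return the names of members that were dropped (the key trees)."""
    dropped = []
    prefix = topdir + "/"
    with tarfile.open(src_path, "r:gz") as src, tarfile.open(dst_path, "w:gz") as dst:
        for member in src.getmembers():
            rel = member.name[len(prefix):] if member.name.startswith(prefix) else ""
            first = rel.split("/", 1)[0]
            if member.name == topdir or first in KEEP:
                fobj = src.extractfile(member) if member.isfile() else None
                dst.addfile(member, fobj)
            else:
                dropped.append(member.name)
    return dropped


def make_fake_source(path: str, topdir: str) -> None:
    """Constructed stand-in for the 1.2G tree: same layout, tiny contents."""
    files = {
        f"{topdir}/CONTENT": b"lists of fingerprints\n",
        f"{topdir}/COPYING": b"license text\n",
        f"{topdir}/fingerprints/RSA-2048": b"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff\n",
        f"{topdir}/private/RSA-2048.0": b"placeholder, not key material\n",
        f"{topdir}/public/RSA-2048.0": b"ssh-rsa AAAA placeholder\n",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def list_members(path: str) -> list:
    """Sorted member names of a gzip tarball (used to verify the result)."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def run_demo(topdir: str = "openssh-blacklist-0.7"):
    """Build the fake tree in a temp dir, trim it, return (dropped, kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, topdir + ".tar.gz")
        dst = os.path.join(tmp, topdir + "-trimmed.tar.gz")
        make_fake_source(src, topdir)
        dropped = trim_tarball(src, dst, topdir)
        return dropped, list_members(dst)


if __name__ == "__main__":
    dropped, kept = run_demo()
    print("kept:", *kept, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
```

The check that matters before uploading a trimmed tarball is the one list_members gives: nothing under private/ or public/ should remain, and the fingerprints directory the spec copies should be intact.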


Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Jason L Tibbitts III
> "YK" == Yanko Kaneti  writes:

YK> Seriously wtf!?

Can't answer that.

YK> And where is the frikken package review for it?

https://bugzilla.redhat.com/show_bug.cgi?id=509990

Unfortunately neither the reviewer nor the packager updated the ticket
title with the changed name of the package.  I've fixed that.

I don't see any mention of the size of the package in the review.

 - J<



Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Guido Grazioli
2009/7/24 Yanko Kaneti 

> So
>
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
>
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.
>
> Seriously wtf!?. And where is the frikken package review for it?
>


It seems that files in the rpm packages were cut off ~ 32000 lines / 1MB.



>
> --
> fedora-devel-list mailing list
> fedora-devel-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>



-- 
Guido Grazioli 
Via Parri 11 48011 - Alfonsine (RA)
Mobile: +39 347 1017202 (10-18)
Key FP = 7040 F398 0DED A737 7337  DAE1 12DC A698 5E81 2278
Linked in: http://www.linkedin.com/in/guidograzioli

openssh-blacklist - careless waste of space.

2009-07-24 Thread Yanko Kaneti
So

openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843

~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.

Seriously wtf!?. And where is the frikken package review for it?

