Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Javier Fernández-Sanguino Peña
On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> These two links are referenced by the Debian security audit pages but
> the domain has been taken by squatters.

I have modified the pages to

a) remove the pointer to http://shellcode.org/Setuid/, there is currently no
alternative (that I know of)

b) point maintainers and interested users/developers to the public
debian-security mailing list instead of to the old debian-audit mailing list
(which was also public BTW)

> Could someone from the security
> team suggest the correct course of action here?

I'm not a security team member, but an (inactive) member of the debian-audit
team. I think the best course of action is to keep the pages since they
describe processes, tools and information that are relevant for developers and
for prospective auditors.

The pages do not highlight currently, however, that the Debian Audit team is
currently unmanned. I'm adjusting intro/organization also somewhat.

> Does the security team
> generate a list of all setuid/setgid executables in Debian? There does
> not appear to be a replacement for the debian-audit list, should mails
> about that be directed to debian-security?

For the time being I have updated the webpages to point to debian-security to
replace the previous mailing list. I have also submitted a project
registration at Alioth ('debian-audit') so that the project has its own space
for tools and for a mailing list.

Once the project is approved I will point to that mailing list, and will try
to have the old content of the mailing list (old posts) restored there too.


> http://shellcode.org/Setuid/

As for this tool, it was developed by Steve Kemp and I'm not sure the code
was made public. It would not be very difficult to produce a similar tool if
developers are still interested.

For the time being, I've removed pointers to that tool from the webpage so
that we do not point to cyber-squatter domains.


Regards

Javier




2011-11-19 Thread Paul Wise
On Sat, 2011-11-19 at 10:46 +0100, Javier Fernández-Sanguino Peña wrote:
> On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> > These two links are referenced by the Debian security audit pages but
> > the domain has been taken by squatters.
>
> I have modified the pages to

Thanks!

> a) remove the pointer to http://shellcode.org/Setuid/, there is currently no
> alternative (that I know of)

I wonder if these pages could be an alternative?

http://lintian.debian.org/tags/setuid-binary.html
http://lintian.debian.org/tags/setgid-binary.html

-- 
bye,
pabs

http://wiki.debian.org/PaulWise



2011-11-19 Thread Javier Fernández-Sanguino Peña
On Sat, Nov 19, 2011 at 05:54:40PM +0800, Paul Wise wrote:
> > a) remove the pointer to http://shellcode.org/Setuid/, there is currently no
> > alternative (that I know of)
>
> I wonder if these pages could be an alternative?
>
> http://lintian.debian.org/tags/setuid-binary.html
> http://lintian.debian.org/tags/setgid-binary.html

This might actually be an alternative. It lacks the 'searchable' function
that the previous tool had, but I'm going to use it nevertheless.

Regards

Javier



2011-11-13 Thread Paul Wise
Package: www.debian.org
Severity: normal
X-Debbugs-CC: debian-secur...@lists.debian.org

These two links are referenced by the Debian security audit pages but
the domain has been taken by squatters. Could someone from the security
team suggest the correct course of action here? Does the security team
generate a list of all setuid/setgid executables in Debian? There does
not appear to be a replacement for the debian-audit list, should mails
about that be directed to debian-security?

http://shellcode.org/Setuid/
http://shellcode.org/mailman/listinfo/debian-audit

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

