Re: Source Code One Line Change [patch] and Copyright holder
Nanakos V. Chrysostomos, on Fri 26 Aug 2011 12:50:05 +0300, wrote:

The upstream author and developer of this software claims that I am not entitled to add my name for such a small change to the Copyright holders of the file and he should ask for legal advice. What is your opinion? Is this right?

This is too simple a change to get copyright on it, even if the implication may be huge. Of course you get credit for the bug fix (thanks!), but this is not what copyright protects.

Samuel

-- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110826103645.ge5...@type.irill.org
Re: Source Code One Line Change [patch] and Copyright holder
]] Nanakos V. Chrysostomos
| recently I have contributed a one-line patch [0] that resolves a
| significant and major security bug in a PAM module. I added myself to the
| Copyright holders of the file and added this change to the changelog file
| as you can easily see in [1]. The upstream author and developer of this
| software claims that I am not entitled to add my name for such a small
| change to the Copyright holders of the file and he should ask for legal
| advice. What is your opinion? Is this right?

I think he's in the right; your contribution does not really consist of any significant creative effort. I'm also unable to reproduce your bug.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/87zkiwqvmx@qurzaw.varnish-software.com
Re: Source Code One Line Change [patch] and Copyright holder
Hi,

I agree that the change is not copyrightable. The bug is there and it's easily reproducible.

Cheers,
Chris

]] Nanakos V. Chrysostomos
| recently I have contributed a one-line patch [0] that resolves a
| significant and major security bug in a PAM module. I added myself to the
| Copyright holders of the file and added this change to the changelog file
| as you can easily see in [1]. The upstream author and developer of this
| software claims that I am not entitled to add my name for such a small
| change to the Copyright holders of the file and he should ask for legal
| advice. What is your opinion? Is this right?

I think he's in the right; your contribution does not really consist of any significant creative effort. I'm also unable to reproduce your bug.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Re: Source Code One Line Change [patch] and Copyright holder
]] Nanakos V. Chrysostomos

(please follow normal mailing list conventions and quote properly.)

| Hi,
| I agree that the change is not copyrightable. The bug
| is there and it's easily reproducible.

If it is so easily reproducible you should improve the description. I can't reproduce it by using pam_yubico with login and just pressing C-d for my password, at least.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/87vctkqrhr@qurzaw.varnish-software.com
Re: Source Code One Line Change [patch] and Copyright holder
Yes of course. Authentication succeeded when no password was given, unless use_first_pass was being used. This is fatal if pam_yubico is considered 'sufficient' in the PAM configuration. Use the configuration for pam_yubico below for su, for example:

auth sufficient pam_yubico.so id=1 debug authfile=/etc/yubikey_whatever_u_have

When doing su - and it prompts for the Yubikey for 'root', just press Ctrl-D.

Cheers,
Chris.

]] Nanakos V. Chrysostomos

(please follow normal mailing list conventions and quote properly.)

| Hi,
| I agree that the change is not copyrightable. The bug
| is there and it's easily reproducible.

If it is so easily reproducible you should improve the description. I can't reproduce it by using pam_yubico with login and just pressing C-d for my password, at least.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/24257.194.177.215.120.1314362787.squir...@www.wired-net.gr
Re: Source Code One Line Change [patch] and Copyright holder
On Fri, 26 Aug 2011, Nanakos V. Chrysostomos nana...@wired-net.gr wrote:

recently I have contributed a one-line patch [0] that resolves a significant and major security bug in a PAM module. I added myself to the Copyright holders of the file and added this change to the changelog file

Regardless of the issue of whether you can claim copyright on a single line (which AFAIK has never been tested by a court) there is the issue of whether it's reasonable to make such a claim by community standards. I know that I'm not the only person here who has sent in many patches that are much more significant without asking for credit in the copyright file. It seems to be a common expectation that one doesn't make such claims about small patches.

Fixing security flaws is a really good thing to do. Send in lots more patches like that and you can count on getting a good reputation for it, even if you don't end up in any copyright files.

-- My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Archive: http://lists.debian.org/201108262347.40797.russ...@coker.com.au
Re: Source Code One Line Change [patch] and Copyright holder
Russell Coker, on Fri 26 Aug 2011 23:47:40 +1000, wrote:

Fixing security flaws is a really good thing to do. Send in lots more patches like that and you can count on getting a good reputation for it, even if you don't end up in any copyright files.

Reputation is actually way more useful than owning copyright, yes :)

Samuel

Archive: http://lists.debian.org/20110826135306.gs5...@type.irill.org
Re: Source Code One Line Change [patch] and Copyright holder
]] Nanakos V. Chrysostomos
| Authentication succeeded when no password
| was given, unless use_first_pass was being used.
| This is fatal if pam_yubico is considered 'sufficient' in the PAM
| configuration.

It also requires you to use the client mode (which is the default) and not the challenge-response mode, which explains why I couldn't reproduce your issue.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/87r548qnp0@qurzaw.varnish-software.com
Re: Source Code One Line Change [patch] and Copyright holder
I think you are right. Thanks for mentioning that.

Cheers,
Chris.

On Fri, 26 Aug 2011, Nanakos V. Chrysostomos nana...@wired-net.gr wrote:

recently I have contributed a one-line patch [0] that resolves a significant and major security bug in a PAM module. I added myself to the Copyright holders of the file and added this change to the changelog file

Regardless of the issue of whether you can claim copyright on a single line (which AFAIK has never been tested by a court) there is the issue of whether it's reasonable to make such a claim by community standards. I know that I'm not the only person here who has sent in many patches that are much more significant without asking for credit in the copyright file. It seems to be a common expectation that one doesn't make such claims about small patches.

Fixing security flaws is a really good thing to do. Send in lots more patches like that and you can count on getting a good reputation for it, even if you don't end up in any copyright files.

-- My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Archive: http://lists.debian.org/58456.194.177.215.120.1314366926.squir...@www.wired-net.gr
Re: Source Code One Line Change [patch] and Copyright holder
This is the default and proposed installation in the README file. Many, many people claim until now (I have received plenty of emails!!!) that they use this installation and could never imagine that there was such a bug for more than a year now. Another guy reported that he has installed the pam_yubico module on more than 130 CentOS servers, and you could easily imagine what the consequences will be if someone has discovered the bug and solely used it for his own profit.

Cheers,
Chris.

]] Nanakos V. Chrysostomos
| Authentication succeeded when no password
| was given, unless use_first_pass was being used.
| This is fatal if pam_yubico is considered 'sufficient' in the PAM
| configuration.

It also requires you to use the client mode (which is the default) and not the challenge-response mode, which explains why I couldn't reproduce your issue.

-- Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/87r548qnp0@qurzaw.varnish-software.com
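The bug described in this thread is an instance of a general PAM failure mode: one auth module that reports success on empty input, stacked with the "sufficient" control flag, short-circuits the rest of the stack. The following is an added example written for this page, not pam_yubico's own code. It models an OTP module in both the behaviour Chris describes (empty token accepted) and a hardened form, and runs each through a small evaluator of PAM control flags using the su stack from the thread ("auth sufficient pam_yubico.so ..." followed by "auth required pam_unix.so"). The authfile contents, OTP values, the placeholder "pam_unix" password and the OTP validity check (prefix lookup instead of a validation server) are all assumptions made for illustration. As Tollef notes, the real issue only affected client (validation-server) mode, not challenge-response mode; the model does not distinguish the two.

```c
/* Added example, not pam_yubico's code: a model of an auth module that
 * treats an empty token as success, run through a PAM-style stack with
 * the "sufficient" control flag from the thread's su configuration. */
#include <stddef.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7 };     /* same values as Linux-PAM */
enum control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

/* Constructed authfile (user -> 12-char YubiKey public id); hypothetical values. */
struct authfile_entry { const char *user; const char *public_id; };
static const struct authfile_entry AUTHFILE[] = {
    { "root",  "ccccccbchvth" },
    { "chris", "cccccccdnvlk" },
};

/* Stand-in for OTP validation (assumption): a real module submits the OTP
 * to a validation server; here we only require the 44-char length and a
 * public-id prefix that the authfile maps to this user. */
static int otp_belongs_to_user(const char *user, const char *otp)
{
    size_t i;
    if (strlen(otp) != 44)
        return 0;
    for (i = 0; i < sizeof AUTHFILE / sizeof AUTHFILE[0]; i++)
        if (strcmp(AUTHFILE[i].user, user) == 0)
            return strncmp(AUTHFILE[i].public_id, otp, 12) == 0;
    return 0;
}

/* Behaviour the thread describes, kept on purpose: no token (Ctrl-D at the
 * prompt) is reported as a successful authentication. */
int yubico_vulnerable(const char *user, const char *token)
{
    if (token == NULL || *token == '\0')
        return PAM_SUCCESS;                      /* the bug */
    return otp_belongs_to_user(user, token) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Hardened form: no token, no authentication. */
int yubico_fixed(const char *user, const char *token)
{
    if (token == NULL || *token == '\0')
        return PAM_AUTH_ERR;
    return otp_belongs_to_user(user, token) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Stand-in for pam_unix with a constructed password; never accepts empty input. */
int unix_password(const char *user, const char *token)
{
    (void)user;
    return (token != NULL && strcmp(token, "correct horse") == 0)
           ? PAM_SUCCESS : PAM_AUTH_ERR;
}

struct stack_entry {
    enum control ctl;
    int (*module)(const char *user, const char *token);
};

/* Evaluator for the four classic control flags (the subset of Linux-PAM
 * semantics needed here): a required failure is remembered and the stack
 * goes on, a requisite failure stops immediately, a sufficient success ends
 * the stack with PAM_SUCCESS unless a required module already failed, and
 * optional results are ignored. Every module sees the same token, which is
 * what happens when the user hits Ctrl-D at the first prompt (token == NULL). */
int run_auth_stack(const struct stack_entry *stack, size_t n,
                   const char *user, const char *token)
{
    int required_failed = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        int rc = stack[i].module(user, token);
        switch (stack[i].ctl) {
        case REQUIRED:   if (rc != PAM_SUCCESS) required_failed = 1; break;
        case REQUISITE:  if (rc != PAM_SUCCESS) return rc; break;
        case SUFFICIENT: if (rc == PAM_SUCCESS && !required_failed) return PAM_SUCCESS; break;
        case OPTIONAL:   break;
        }
    }
    return required_failed ? PAM_AUTH_ERR : PAM_SUCCESS;
}

/* The su stack from the thread, "auth <ctl> pam_yubico.so ..." followed by
 * the usual "auth required pam_unix.so"; returns the stack's final result. */
int su_stack_result(int (*yubico)(const char *, const char *),
                    enum control yubico_ctl, const char *token)
{
    struct stack_entry stack[2];
    stack[0].ctl = yubico_ctl; stack[0].module = yubico;
    stack[1].ctl = REQUIRED;   stack[1].module = unix_password;
    return run_auth_stack(stack, 2, "root", token);
}
```

With the vulnerable module and "sufficient", su_stack_result(yubico_vulnerable, SUFFICIENT, NULL) returns PAM_SUCCESS and pam_unix is never consulted; with the same module as "required" the empty token is still rejected by pam_unix, which is why the thread calls the "sufficient" combination fatal. The two checks worth carrying into a real audit are: a module must never map absent input to success, and every "sufficient" line in a PAM stack deserves a look at what the module returns on empty or malformed input.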
Re: Source code
On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:

On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
I would like to install dpkg under Windows Vista.

This is almost certainly going to be an exercise in pain.

For building it, maybe, but not for getting it prebuilt. Cygwin ports has a version: (From ftp://sourceware.org/pub/cygwinports/portslist.txt) dpkg 1.15.7.2-1

Some years ago there was an attempt to port Debian to the Windows kernel. If I remember correctly, the blocking problem was that Windows does not allow replacing open files, which dpkg deeply depends on.

Nikita
Re: Source code
On Tue, Jan 4, 2011 at 3:30 PM, Nikita V. Youshchenko yo...@debian.org wrote:

On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:
On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
I would like to install dpkg under Windows Vista.
This is almost certainly going to be an exercise in pain.
For building it, maybe, but not for getting it prebuilt. Cygwin ports has a version: (From ftp://sourceware.org/pub/cygwinports/portslist.txt) dpkg 1.15.7.2-1

Some years ago there was an attempt to port Debian to the Windows kernel. If I remember correctly, the blocking problem was that Windows does not allow replacing open files, which dpkg deeply depends on.

Renaming open files works, so that should no longer be a problem.

Olaf

Archive: http://lists.debian.org/aanlkti=_jp-wd6mskwuo4pcd0snvk2uy6fusn_zjj...@mail.gmail.com
Re: Source code
On Tue, Jan 4, 2011 at 7:20 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:

Olaf van der Spek writes (Re: Source code):
Renaming open files works, so that should no longer be a problem.

They have to be able to be deleted.

Why?

Olaf

Archive: http://lists.debian.org/aanlktimg-z3yxmvgqozp=w-fvw-scum3stn2gr93g...@mail.gmail.com
Re: Source code
Olaf van der Spek writes (Re: Source code):
Renaming open files works, so that should no longer be a problem.

They have to be able to be deleted. But this is just the start of your woes. I advise against the attempt.

Ian.

Archive: http://lists.debian.org/19747.25833.743537.319...@chiark.greenend.org.uk
Re: Source code
On Tue, Jan 04, 2011 at 07:22:26PM +0100, Olaf van der Spek wrote:

On Tue, Jan 4, 2011 at 7:20 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
Olaf van der Spek writes (Re: Source code):
Renaming open files works, so that should no longer be a problem.
They have to be able to be deleted.

Why?

Because lots of programs expect something like

fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
unlink("/tmp/foo");
write(fd, data, 4);

to succeed. This is how Unix filesystem semantics work and pretty much always have. POSIX allows unlink(2) to return EBUSY, but that's not at all Unixy. The only case I can see for EBUSY is what NetBSD and OpenBSD do: restrict unlinking a mount point. (This is also the only case for EBUSY on Solaris, Ultrix, and HP-UX.)

-- brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: Source code
On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson sand...@crustytoothpaste.net wrote:

Because lots of programs expect something like

fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
unlink("/tmp/foo");
write(fd, data, 4);

to succeed. This is how Unix filesystem semantics work and pretty much always have. POSIX allows unlink(2) to return EBUSY, but that's not at all Unixy. The only case I can see for EBUSY is what NetBSD and OpenBSD do: restrict unlinking a mount point. (This is also the only case for EBUSY on Solaris, Ultrix, and HP-UX.)

unlink will probably return an error, but since that's not checked, that snippet will succeed. WRONLY seems weird, what's the purpose of a snippet like this?

Olaf

Archive: http://lists.debian.org/aanlktiknvk8a=uukoo2ceogclrcybyuejom+lkp9s...@mail.gmail.com
Re: Source code
On Tue, Jan 04, 2011 at 08:55:41PM +0100, Olaf van der Spek wrote:

On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson sand...@crustytoothpaste.net wrote:
Because lots of programs expect something like

fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
unlink("/tmp/foo");
write(fd, data, 4);

to succeed. This is how Unix filesystem semantics work and pretty much always have. POSIX allows unlink(2) to return EBUSY, but that's not at all Unixy. The only case I can see for EBUSY is what NetBSD and OpenBSD do: restrict unlinking a mount point. (This is also the only case for EBUSY on Solaris, Ultrix, and HP-UX.)

unlink will probably return an error, but since that's not checked, that snippet will succeed. WRONLY seems weird, what's the purpose of a snippet like this?

It was an example, so I omitted error checking. And, yes, it probably should have been O_RDWR.

AFAIK, the only way Windows has anything resembling Unix filesystem semantics (or Unix semantics in general) is Services for Unix, since the Win32 API on which mingw32 and cygwin are based just does not support them. And even that does not allow setuid/setgid programs by default.

-- brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: Source code
On Tue, Jan 04, 2011 at 08:55:41PM +0100, Olaf van der Spek wrote:

On Tue, Jan 4, 2011 at 8:45 PM, brian m. carlson sand...@crustytoothpaste.net wrote:
Because lots of programs expect something like

fd = open("/tmp/foo", O_WRONLY|O_CREAT|O_EXCL, 0600);
unlink("/tmp/foo");
write(fd, data, 4);

to succeed. This is how Unix filesystem semantics work and pretty much always have. POSIX allows unlink(2) to return EBUSY, but that's not at all Unixy. The only case I can see for EBUSY is what NetBSD and OpenBSD do: restrict unlinking a mount point. (This is also the only case for EBUSY on Solaris, Ultrix, and HP-UX.)

unlink will probably return an error, but since that's not checked, that snippet will succeed. WRONLY seems weird, what's the purpose of a snippet like this?

There are several reasons to do something like that. One is that in the event of the process (or even the entire OS) crashing, cleanup of the disk space is essentially automatic, because once no open file descriptors reference it, the OS reclaims it.

Another reason to do something like that is to give you a more secure temporary file. By adding mktemp() (or something similar) into the example Brian gave, you can defend against attacks that depend on file name collisions. By quickly unlinking, the file will no longer appear in directory listings, making exploits of the data written to the file more challenging (not impossible, just more challenging).

Regards,

-Roberto

-- Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
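The open-then-unlink pattern brian and Roberto describe above, written out as an added example for this page (not code from the thread). It uses mkstemp(3) rather than mktemp(3): mktemp only returns a name and leaves a window between the name check and the open, whereas mkstemp does the open itself with O_CREAT|O_EXCL and mode 0600, which is the protection against the file-name collision and symlink races Roberto alludes to. The /tmp/anonXXXXXX template and the "data" payload are assumptions made so the example runs offline; the function returns a small step number on failure so a caller can tell which Unix semantic did not hold.

```c
/* Added example, not from the thread: the open-then-unlink scratch file
 * pattern discussed above, using mkstemp(3), which opens the file with
 * O_CREAT|O_EXCL and mode 0600 for you, instead of the racy mktemp(3). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates an anonymous scratch file under /tmp and returns a read/write fd
 * whose directory entry is already gone. If unlinked_path is non-NULL the
 * (now dangling) path is copied there so callers can confirm it is gone.
 * Returns -1 on error. */
int open_anonymous_tempfile(char *unlinked_path, size_t pathlen)
{
    char path[] = "/tmp/anonXXXXXX";   /* mkstemp replaces the XXXXXX in place */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (unlink(path) != 0) {           /* name removed; inode stays while fd is open */
        close(fd);
        return -1;
    }
    if (unlinked_path != NULL && pathlen > 0) {
        strncpy(unlinked_path, path, pathlen - 1);
        unlinked_path[pathlen - 1] = '\0';
    }
    return fd;
}

/* Exercises the semantics brian's snippet relies on: write through the fd
 * after the unlink, read the data back, and check that the path no longer
 * resolves while the inode (fstat) is still there with a link count of 0.
 * Returns 0 on success, otherwise a small number identifying the failed step. */
int anonymous_tempfile_roundtrip(void)
{
    static const char payload[] = "data";   /* constructed sample content */
    char buf[sizeof payload];
    char path[64];
    struct stat st;
    int fd = open_anonymous_tempfile(path, sizeof path);
    if (fd < 0)
        return 1;
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) { close(fd); return 2; }
    if (lseek(fd, 0, SEEK_SET) != 0)                                    { close(fd); return 3; }
    if (read(fd, buf, sizeof buf) != (ssize_t)sizeof buf)               { close(fd); return 4; }
    if (memcmp(buf, payload, sizeof payload) != 0)                      { close(fd); return 5; }
    if (stat(path, &st) == 0 || errno != ENOENT)                        { close(fd); return 6; }
    if (fstat(fd, &st) != 0 || st.st_nlink != 0)                        { close(fd); return 7; }
    close(fd);   /* last reference dropped: the kernel reclaims the blocks */
    return 0;
}
```

Step 6 is the property Ian and Olaf were arguing about: on a Unix filesystem unlink(2) on an open file succeeds and the name disappears at once, while step 7 shows the data is still reachable through the descriptor. On a platform where unlink returns EBUSY for open files, step 1 fails instead, which is the dpkg porting problem the thread started from.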
Re: Source code
On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
I would like to install dpkg under Windows Vista.

This is almost certainly going to be an exercise in pain.

/home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:67: undefined reference to `_obstck_free'
../lib/libdpkg.a(nfmalloc.o): In function `nfobstack_init':
/home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:43: undefined reference to `__obsack_begin'
../lib/libdpkg.a(nfmalloc.o): In function `nfstrnsave':
/home/Stephen/src/dpkg-1.14.30/lib/nfmalloc.c:62: undefined reference to `__obsack_newchunk'

You aren't linking with GNU libc for whatever reason.

Where do I find the source code for `_obstck_free', `__obsack_begin' etcetera.

http://www.eglibc.org/home or http://www.gnu.org/software/libc/

Don Armstrong

-- Who is thinking this? I am. -- Greg Egan _Diaspora_ p38
http://www.donarmstrong.com http://rzlab.ucr.edu

Archive: http://lists.debian.org/20110104005552.gk4...@rzlab.ucr.edu
Re: Source code
On Mon, Jan 03, 2011 at 04:55:52PM -0800, Don Armstrong wrote:

On Tue, 04 Jan 2011, Stephen Grant Brown wrote:
I would like to install dpkg under Windows Vista.

This is almost certainly going to be an exercise in pain.

For building it, maybe, but not for getting it prebuilt. Cygwin ports has a version:

(From ftp://sourceware.org/pub/cygwinports/portslist.txt)
dpkg 1.15.7.2-1

HTH.

Kumar
-- ...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and the Ugly). -- Matt Welsh
Re: source code forensic practices
* Yaroslav Halchenko:

The question is: are there any helper tools for doing source code validation subject to possibly available snippets of code which might be for illegal activity (i.e. sending out private information, or serving as backdoors, etc.)?

There are several commercial bug finding tools and services. I don't know how good they are at detecting logic bombs and similar things.

Maybe some language-specific tools (JS, Java, Python) could catch snippets intended for data transmission/reception?

Java is doable at least, but due to their dynamic nature, JavaScript and Python are in a completely different league. JavaScript is extremely obnoxious because you can easily download scripts from the Net, triggered from self-modifying code. In fact, this is a common practice in the online advertising world.
Re: source code forensic practices
* Yaroslav Halchenko:

The question is: are there any helper tools for doing source code validation subject to possibly available snippets of code which might be for illegal activity (i.e. sending out private information, or serving as backdoors, etc.)?

There are several commercial bug finding tools and services. I don't know how good they are at detecting logic bombs and similar things.

Some googling helped me to find some interesting pieces from 1995:

MCF: A Malicious Code Filter
http://seclab.cs.ucdavis.edu/papers/llo95.ps

Unfortunately articles such as "Detecting and Removing Malicious Code" (http://www.securityfocus.com/infocus/1610) do not list any source code analysis. This one, http://www.dsv.su.se/research/seclab/pages/pdf-files/2005-x-208.pdf, seems to be quite nice but talks about MS Access source code analysis; it did, however, refer me to another interesting reading:

Secure Software Development and Code Analysis Tools
http://www.sans.org/reading_room/whitepapers/securecode/389.php

Unfortunately I have to agree with:

When a programmer intends to cause harm developing software, he will try to obfuscate the code to hide it in many lines of code. There are even automated tools that any programmer could use to obfuscate code (they can also be used to avoid reverse engineering). Essentially, when an auditor finds code with nonsensical structures or that is particularly difficult to follow, it could point him to two different conclusions: first, that the programmer intends to obfuscate the code, or second, that the system wasn't properly programmed, since it not only makes security analysis complex, but maintenance as well. Many times we hear that so many tools have been developed and the complexity of choosing the right one makes it even harder to effectively protect an information technology environment. Ashby's law of requisite variety, "variety kills variety" (referenced by Louise Yngström in [LY03]), is in my opinion a realistic approach to security in today's environment. We can not today, and probably never will, rely on a silver bullet tool that will resolve all our security issues. This is due to the high level of complexity we are facing; therefore we need several tools that can cope with several different and specific problems.

Just wanted to share and see if there are any opinions/ideas on how to give at least some assurance that the software which we package is safe to use. Most of the time we have to rely on how obvious the good intent of the upstream authors is, from our subjective judgment.

-- Yaroslav Halchenko
(yoh@|www.)onerussian.com
ICQ#: 60653192
Linux User [17]
Re: source code forensic practices
Hi Yaroslav,

Yaroslav Halchenko wrote:
I ITPed a package which unfortunately ended up not providing original sources (the sources everybody gets have had their indentation removed). Unreasonable denial of providing original source forced me to question the good intent of the author to provide useful and spam/crap-free software. Since I could not possibly examine that code, I've decided to look at other software written by the same author, which has original source code, and which probably nobody else ever examined anyway.

regardless of any possible outcome of your audit, I'm not sure that it's a very good idea to include such code in Debian. IMO the results of your analysis cast a shadow on the author's intent to provide free software in the spirit of the DFSG. There have been issues with upstream authors in the past and it seems these things offer a huge amount of agony we best avoid.

That said, if you feel like it, you could approach the author and potentially advocate better release practices to him.

Kind regards

T.
-- Thomas Viehmann, http://thomas.viehmann.net/
Re: Source code for unpacking Debian archives
* Tommy Nordgren:

Where can I find the source code for unpacking .deb files, when downloading them via http or ftp?

Have a look at the dpkg source code. Alternatively, use ar, gunzip and tar.
Re: Source code for unpacking Debian archives
Re: Tommy Nordgren in [EMAIL PROTECTED]

Where can I find the source code for unpacking .deb files, when downloading them via http or ftp?

ar t package.deb
ar x ...

OTOH, the dpkg sources can be compiled on non-Debian and non-Linux OSs.

Christoph
-- [EMAIL PROTECTED] | http://www.df7cb.de/
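A .deb is an ar(1) archive, which is why "ar t" and "ar x" above are enough to open one: an 8-byte "!<arch>\n" magic, then for each member a 60-byte ASCII header (name, date, uid, gid, mode, decimal size, and the "`\n" terminator) followed by the data, padded to an even length. Anyone writing their own unpacker for an OS without ar, as Tommy asked about, should treat the size field as untrusted. The following is an added example written for this page, not dpkg's code: a reader that lists the members and refuses archives whose headers are truncated or whose size field points past the end of the data, plus a constructed three-member .deb (placeholder bytes instead of real control.tar/data.tar payloads) so it runs without a package on disk. The member names and contents of that sample are assumptions.

```c
/* Added example, not dpkg's own code: a bounds-checked reader for the ar(1)
 * container that a .deb is (the format "ar t"/"ar x" above operate on),
 * plus a constructed three-member .deb so it runs offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AR_MAGIC    "!<arch>\n"   /* 8 bytes */
#define AR_HDR_SIZE 60            /* name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2] */

struct deb_member {
    char   name[17];
    size_t offset;   /* where the member's data starts in the buffer */
    size_t size;
};

/* Decimal field of the fixed-width header: digits then space padding.
 * Rejects empty or non-numeric fields and values that would overflow. */
static int parse_dec(const char *field, size_t width, size_t *out)
{
    size_t v = 0, i;
    int digits = 0;
    for (i = 0; i < width && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '9' || v > (SIZE_MAX - 9) / 10)
            return 0;
        v = v * 10 + (size_t)(field[i] - '0');
        digits = 1;
    }
    *out = v;
    return digits;
}

/* Walks the archive, filling up to max_members entries. Returns the member
 * count, or -1 when the magic or a header is bad or a size field points past
 * the end of the buffer: a crafted .deb must fail closed, not be read past. */
int deb_list_members(const unsigned char *buf, size_t len,
                     struct deb_member *out, size_t max_members)
{
    size_t pos = 8;
    int count = 0;
    if (len < pos || memcmp(buf, AR_MAGIC, pos) != 0)
        return -1;
    while (pos < len) {
        const char *hdr = (const char *)buf + pos;
        size_t size, n;
        if (len - pos < AR_HDR_SIZE || hdr[58] != '`' || hdr[59] != '\n')
            return -1;                                   /* truncated or bad fmag */
        if (!parse_dec(hdr + 48, 10, &size))
            return -1;
        pos += AR_HDR_SIZE;
        if (size > len - pos)
            return -1;                                   /* size field overruns file */
        if ((size_t)count < max_members) {
            struct deb_member *m = &out[count];
            memcpy(m->name, hdr, 16);
            m->name[16] = '\0';
            for (n = 16; n > 0 && m->name[n - 1] == ' '; n--)
                m->name[n - 1] = '\0';                   /* strip space padding */
            if (n > 1 && m->name[n - 1] == '/')
                m->name[n - 1] = '\0';                   /* GNU ar style "name/" */
            m->offset = pos;
            m->size = size;
        }
        count++;
        pos += size + (size & 1);                        /* data padded to even length */
    }
    return count;
}

/* First sanity check an unpacker should make: member one is "debian-binary"
 * and contains the format version "2.0\n". */
int deb_is_valid(const unsigned char *buf, size_t len)
{
    struct deb_member first;
    int n = deb_list_members(buf, len, &first, 1);
    return n >= 1 && strcmp(first.name, "debian-binary") == 0
        && first.size == 4 && memcmp(buf + first.offset, "2.0\n", 4) == 0;
}

/* Constructed sample (not a real package): appends one member in ar format. */
static size_t append_member(unsigned char *buf, size_t pos, const char *name,
                            const char *data, size_t size)
{
    char hdr[AR_HDR_SIZE + 1];
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n",
             name, "0", "0", "0", "100644", size);
    memcpy(buf + pos, hdr, AR_HDR_SIZE);
    pos += AR_HDR_SIZE;
    memcpy(buf + pos, data, size);
    pos += size;
    if (size & 1)
        buf[pos++] = '\n';
    return pos;
}

/* Builds a minimal .deb (debian-binary, control.tar.gz, data.tar.gz) into
 * buf; the tar members hold placeholder bytes. Returns the length (228). */
size_t build_sample_deb(unsigned char *buf, size_t cap)
{
    size_t pos;
    if (cap < 256)
        return 0;
    memcpy(buf, AR_MAGIC, 8);
    pos = append_member(buf, 8, "debian-binary", "2.0\n", 4);
    pos = append_member(buf, pos, "control.tar.gz", "CONTROL-PLACEHOLDER", 19);
    pos = append_member(buf, pos, "data.tar.gz", "DATA-PLACEHOLDER", 16);
    return pos;
}
```

On the constructed archive deb_list_members reports three members and deb_is_valid accepts it; overwrite the second member's size field with "9999999999" and both fail, which is the behaviour you want from anything that feeds a .deb from an untrusted mirror into tar. Real packages use control.tar and data.tar with whatever compression suffix dpkg-deb chose, so match those names by prefix rather than by exact string.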
Re: Source code for unpacking Debian archives
On Thu, Sep 01, 2005 at 01:29:27PM +0200, Tommy Nordgren wrote:

Where can I find the source code for unpacking .deb files, when downloading them via http or ftp? Please email a copy of any replies. I'm not subscribed. I want to do this because my own OS doesn't contain any built-in support tools for Debian Archives

$ cat /usr/share/doc/debian/source-unpack.txt
HOW TO UNPACK A DEBIAN SOURCE PACKAGE

There are two kinds of Debian source packages: old ones and new ones.

A. Old ones look like this:
   hello-1.3-4.tar.gz
   hello-1.3-4.diff.gz
   You unpack them by untarring the .tar.gz. There is NO need to apply the diff.

B. New ones look like this:
   hello_1.3-11.dsc
   hello_1.3-11.diff.gz
   hello_1.3-11.orig.tar.gz - note the `.orig' part
   Here you MUST use dpkg-source or apply the diff manually - see below.

   If you have `dpkg-source' you should put the files in the same directory and type `dpkg-source -x whatever.dsc'.

   If you do not you can extract the Debian source as follows:
   1. untar P_V.orig.tar.gz.
   2. rename the resulting P-V.orig directory to P-V. If some other directory results, rename *it* to P-V.
   3. mkdir P-V/debian.
   4. apply the diff with patch -p0.
   5. do `chmod +x P-V/debian/rules'
   (where P is the package name and V the version.)

C. There are some packages where the Debian source is the upstream source. In this case there will be no .diff.gz and you can just use the .tar.gz. If a .dsc is provided you can use `dpkg-source -x'.

-- Ian Jackson [EMAIL PROTECTED] Sat, 31 Aug 1996

-- Colin Watson [EMAIL PROTECTED]
Re: Source code for unpacking Debian archives
#include hallo.h
* Tommy Nordgren [Thu, Sep 01 2005, 01:29:27PM]:

Where can I find the source code for unpacking .deb files, when downloading them via http or ftp? Please email a copy of any replies. I'm not subscribed. I want to do this because my own OS doesn't contain any built-in support tools for Debian Archives

unp -u foo.deb

Eduard.
--
<mechanix> anyone from the MIA team around? tbm?
<Ganneff> sounds nice. how long do you have to be MIA to get into that team? :)
<mhp> you need to have a pgp key, I suppose. and no gpg one, and only a bo box
<Np237> yes, but it must be expired
Re: Source code for unpacking Debian archives
Tommy Nordgren writes:
I want to do this because my own OS doesn't contain any built-in support tools for Debian Archives

You want the 'alien' program. It should be available for your distribution.

-- John Hasler
Re: source code on sh4
On Friday 29 August 2003 10:29, wrote:

Hi
Where can I find the source code on sh4 for Debian linux

http://www.m17n.org/linux-sh/debian/ and go from there.

greetings
-- vbi

-- Sterility is inherited. If your parents never had kids, odds are you won't either. -- William R. James in news.admin.net-abuse.email