Re: Questions

2018-12-04 Thread Phil.
Hi all,

For openscap, you can also check these pages:
https://wiki.debian.org/SCAPGuide
https://wiki.debian.org/UsingSCAP

Cheers, 


On 5 December 2018 00:32:49 GMT+01:00, "Bardot Jérôme" wrote:
>On 04/12/2018 at 21:32, Ruslanas Gžibovskis wrote:
>> Hi all,
>>
>> Jérôme, I would say that most 'users' will go for the pop choice: only
>> some hardcore lovers would listen to "Tsjuder", but most people
>> would go with "Lady Gaga". Same here: if you do not want to learn, you
>> use *buntu or anything made of it; else, if you want to learn and use a
>> stable and updated distro, you will go with Debian.
>
>Looks like a good black metal band :D
>
>>
>> I would still agree that it would be nice to have some package which
>> would apply some hardening settings. BUT please note that it might
>> give false confidence. Why?! Because once hardening is done, you believe
>> that it is safe, but at any moment your permission tuning might
>> change by accident. Your hardened setup might not run some app
>> correctly, AND then a tired user will do "chmod  -R /" and the package
>> will still remain.
>>
>I'm aware of this trouble. Most of my trouble comes from the fact that
>some hardening can break some setups. And the more upstream it is, the
>fewer problems there will be and the easier it is to maintain (aka more
>people, not just me). Another of my concerns is about knowledge and
>managing admin, maintainer and dev resources; maybe I'm wrong, but it
>looks like there are fewer and fewer people who can do some needed tasks
>(packaging & maintaining, coding in C, etc.)
>
>> So if you want to ensure the hardening is set and still exists, make a
>> Puppet profile! Run Puppet all the time! And before running the Puppet
>> check, have an OpenSCAP test check compliance. It has very nice
>> compliance checks for different standards! Try it!
>
>I will try OpenSCAP. As I said before, I am also setting up an OpenVAS,
>if it wants to work. And for Puppet, I think I would prefer Ansible
>instead of Puppet ;) I will check if already existing recipes are
>security-aware.
>
>Thanks
>
>
>>
>> On Tue, 4 Dec 2018, 20:31 Jérôme Bardot wrote:
>>
>> I agree that some hardening is only useful in certain use cases. But
>> some of it should be set by default, I guess, because it is useful
>> in most cases, and the other cases require skills, which include
>> changing an option in a config file that is not opened every day.
>> Maybe I'm wrong. I am thinking about the kernel config, for instance.
>> And/or maybe provide a way to choose some preset configs, maybe in a
>> package.
>>
>> Without trolling, there are more and more unprepared users on
>> GNU/Linux and Debian; they can't make real choices. Do they really
>> want to? I agree it's bad. But we don't offer a real way to help users
>> understand. Maybe GNOME now has some pretty first-start tutorial? I
>> don't use it.
>>
>> What threats I want to be protected against:
>> - hardware & physical attacks
>> - network attacks (including vulnerable world-open apps)
>> - compromised-user attacks
>>
>> What I want to protect: multi-purpose server and laptop.
>>
>>
>> And by the way, I love doing this kind of stuff. It's like a problem
>> to solve. And the more it can be automated, the better it is (for each
>> use case, of course) :)
>> Why automation instead of just making a snapshot? Because (from my
>> point of view) it also permits testing the setup steps and keeping the
>> docs up to date.
>>
>> Sorry for my really bad English. I need to sleep.
>> Thanks for all your messages.
>>
>> J.
>> On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins wrote:
>> >
>> > On 2018-12-03 05:10, Jérôme Bardot wrote:
>> >
>> > > Why is Debian not more hardened by default?
>> >
>> >
>> > Debian's hardening is adequate for most users, who are typically
>> > behind some sort of protection such as a router/firewall.
>> >
>> > If you actually need a hardened system, it's far better for you to
>> > do the hardening yourself to address the specific threats you feel
>> > vulnerable to.  That way you have a better understanding of what has
>> > been done, why, and how.  Unlike Windows, where users typically
>> > allow Microsoft to make all of the decisions for them, Linux in
>> > general and Debian specifically put user choice ahead of
>> > cookie-cutter solutions.
>> >
>> > --
>> > Jonathan
>>

-- 
O Philippe Thierry. 
/Y\/ GPG: 7010 9a3c e210 763e 6341 4581 c257 b91b cdaf c1ea
o#o

Re: Questions

2018-12-04 Thread Paul Wise
On Tue, 2018-12-04 at 21:34 +0100, Ruslanas Gžibovskis wrote:

> Paul Wise, what help is needed? I would like to commit, but not sure
> how, never done that, but would LOVE TO! Could you guide?

Check the pages I mentioned and look through each of them; there should
be enough documentation there for you to figure it out. Feel free to
ask any questions if something isn't clear.

If you're looking for info about using git, check out the docs:

https://git-scm.com/doc

Which area would you like to work on?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: Questions

2018-12-04 Thread Bardot Jérôme
On 04/12/2018 at 21:32, Ruslanas Gžibovskis wrote:
> Hi all,
>
> Jérôme, I would say that most 'users' will go for the pop choice: only
> some hardcore lovers would listen to "Tsjuder", but most people
> would go with "Lady Gaga". Same here: if you do not want to learn, you
> use *buntu or anything made of it; else, if you want to learn and use a
> stable and updated distro, you will go with Debian.

Looks like a good black metal band :D

>
> I would still agree that it would be nice to have some package which
> would apply some hardening settings. BUT please note that it might give
> false confidence. Why?! Because once hardening is done, you believe
> that it is safe, but at any moment your permission tuning might
> change by accident. Your hardened setup might not run some app
> correctly, AND then a tired user will do "chmod  -R /" and the package
> will still remain.
>
I'm aware of this trouble. Most of my trouble comes from the fact that
some hardening can break some setups. And the more upstream it is, the
fewer problems there will be and the easier it is to maintain (aka more
people, not just me). Another of my concerns is about knowledge and
managing admin, maintainer and dev resources; maybe I'm wrong, but it
looks like there are fewer and fewer people who can do some needed tasks
(packaging & maintaining, coding in C, etc.)

> So if you want to ensure the hardening is set and still exists, make a
> Puppet profile! Run Puppet all the time! And before running the Puppet
> check, have an OpenSCAP test check compliance. It has very nice
> compliance checks for different standards! Try it!

I will try OpenSCAP. As I said before, I am also setting up an OpenVAS,
if it wants to work. And for Puppet, I think I would prefer Ansible
instead of Puppet ;) I will check if already existing recipes are
security-aware.

Thanks


>
> On Tue, 4 Dec 2018, 20:31 Jérôme Bardot wrote:
>
> I agree that some hardening is only useful in certain use cases. But
> some of it should be set by default, I guess, because it is useful
> in most cases, and the other cases require skills, which include
> changing an option in a config file that is not opened every day.
> Maybe I'm wrong. I am thinking about the kernel config, for instance.
> And/or maybe provide a way to choose some preset configs, maybe in a
> package.
>
> Without trolling, there are more and more unprepared users on GNU/Linux
> and Debian; they can't make real choices. Do they really want to? I
> agree it's bad. But we don't offer a real way to help users
> understand. Maybe GNOME now has some pretty first-start tutorial? I
> don't use it.
>
> What threats I want to be protected against:
> - hardware & physical attacks
> - network attacks (including vulnerable world-open apps)
> - compromised-user attacks
>
> What I want to protect: multi-purpose server and laptop.
>
>
> And by the way, I love doing this kind of stuff. It's like a problem to
> solve. And the more it can be automated, the better it is (for each use
> case, of course) :)
> Why automation instead of just making a snapshot? Because (from my
> point of view) it also permits testing the setup steps and keeping the
> docs up to date.
>
> Sorry for my really bad English. I need to sleep.
> Thanks for all your messages.
>
> J.
> On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins wrote:
> >
> > On 2018-12-03 05:10, Jérôme Bardot wrote:
> >
> > > Why is Debian not more hardened by default?
> >
> >
> > Debian's hardening is adequate for most users, who are typically
> > behind some sort of protection such as a router/firewall.
> >
> > If you actually need a hardened system, it's far better for you
> > to do the hardening yourself to address the specific threats you feel
> > vulnerable to.  That way you have a better understanding of what has
> > been done, why, and how.  Unlike Windows, where users typically
> > allow Microsoft to make all of the decisions for them, Linux in
> > general and Debian specifically put user choice ahead of cookie-cutter
> > solutions.
> >
> > --
> > Jonathan
>





Re: Questions

2018-12-04 Thread Bardot Jérôme
Me too.

Le 04/12/2018 à 21:34, Ruslanas Gžibovskis a écrit :
> Paul Wise, what help is needed? I would like to commit, but not sure
> how, never done that, but would LOVE TO! Could you guide?
>
> On Tue, 4 Dec 2018, 02:46 Paul Wise wrote:
>
> On Mon, Dec 3, 2018 at 7:10 PM Jérôme Bardot wrote:
>
> > Why is Debian not more hardened by default?
>
> We need more people who are interested in working on this topic, some
> links for anyone who is interested in contributing:
>
> https://security-tracker.debian.org/tracker/data/report
> https://www.debian.org/security/audit/
> 
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
> https://www.debian.org/security/
> https://wiki.debian.org/Hardening
> https://wiki.debian.org/Hardening/Daemons
> https://wiki.debian.org/Hardening/RepoAndImages
> https://wiki.debian.org/Hardening/Goals
>
> -- 
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise
>





Re: Questions

2018-12-04 Thread Ruslanas Gžibovskis
Paul Wise, what help is needed? I would like to commit, but not sure how,
never done that, but would LOVE TO! Could you guide?

On Tue, 4 Dec 2018, 02:46 Paul Wise wrote:
> On Mon, Dec 3, 2018 at 7:10 PM Jérôme Bardot wrote:
>
> > Why is Debian not more hardened by default?
>
> We need more people who are interested in working on this topic, some
> links for anyone who is interested in contributing:
>
> https://security-tracker.debian.org/tracker/data/report
> https://www.debian.org/security/audit/
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
> https://www.debian.org/security/
> https://wiki.debian.org/Hardening
> https://wiki.debian.org/Hardening/Daemons
> https://wiki.debian.org/Hardening/RepoAndImages
> https://wiki.debian.org/Hardening/Goals
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise
>
>


Re: Questions

2018-12-04 Thread Ruslanas Gžibovskis
Hi all,

Jérôme, I would say that most 'users' will go for the pop choice: only some
hardcore lovers would listen to "Tsjuder", but most people would go
with "Lady Gaga". Same here: if you do not want to learn, you use *buntu or
anything made of it; else, if you want to learn and use a stable and updated
distro, you will go with Debian.

I would still agree that it would be nice to have some package which would
apply some hardening settings. BUT please note that it might give false
confidence. Why?! Because once hardening is done, you believe that it is safe,
but at any moment your permission tuning might change by accident. Your
hardened setup might not run some app correctly, AND then a tired user will do
"chmod  -R /" and the package will still remain.

So if you want to ensure the hardening is set and still exists, make a Puppet
profile! Run Puppet all the time! And before running the Puppet check, have an
OpenSCAP test check compliance. It has very nice compliance checks for
different standards! Try it!

On Tue, 4 Dec 2018, 20:31 Jérôme Bardot wrote:
> I agree that some hardening is only useful in certain use cases. But
> some of it should be set by default, I guess, because it is useful
> in most cases, and the other cases require skills, which include
> changing an option in a config file that is not opened every day.
> Maybe I'm wrong. I am thinking about the kernel config, for instance.
> And/or maybe provide a way to choose some preset configs, maybe in a
> package.
>
> Without trolling, there are more and more unprepared users on GNU/Linux
> and Debian; they can't make real choices. Do they really want to? I
> agree it's bad. But we don't offer a real way to help users
> understand. Maybe GNOME now has some pretty first-start tutorial? I
> don't use it.
>
> What threats I want to be protected against:
> - hardware & physical attacks
> - network attacks (including vulnerable world-open apps)
> - compromised-user attacks
>
> What I want to protect: multi-purpose server and laptop.
>
>
> And by the way, I love doing this kind of stuff. It's like a problem to
> solve. And the more it can be automated, the better it is (for each use
> case, of course) :)
> Why automation instead of just making a snapshot? Because (from my
> point of view) it also permits testing the setup steps and keeping the
> docs up to date.
>
> Sorry for my really bad English. I need to sleep.
> Thanks for all your messages.
>
> J.
> On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins wrote:
> >
> > On 2018-12-03 05:10, Jérôme Bardot wrote:
> >
> > > Why is Debian not more hardened by default?
> >
> >
> > Debian's hardening is adequate for most users, who are typically behind
> > some sort of protection such as a router/firewall.
> >
> > If you actually need a hardened system, it's far better for you to do
> > the hardening yourself to address the specific threats you feel
> > vulnerable to.  That way you have a better understanding of what has
> > been done, why, and how.  Unlike Windows, where users typically allow
> > Microsoft to make all of the decisions for them, Linux in general and
> > Debian specifically put user choice ahead of cookie-cutter solutions.
> >
> > --
> > Jonathan
>
>


Re: Questions

2018-12-04 Thread SZÉPE Viktor

Quoting Jérôme Bardot:


I agree that some hardening is only useful in certain use cases. But
some of it should be set by default, I guess, because it is useful
in most cases, and the other cases require skills, which include
changing an option in a config file that is not opened every day.
Maybe I'm wrong. I am thinking about the kernel config, for instance.
And/or maybe provide a way to choose some preset configs, maybe in a
package.


You can also try https://github.com/CISOfy/lynis



SZÉPE Viktor, website operation / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
hotline: +36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, District III







Re: Questions

2018-12-04 Thread Jérôme Bardot
I agree that some hardening is only useful in certain use cases. But
some of it should be set by default, I guess, because it is useful
in most cases, and the other cases require skills, which include
changing an option in a config file that is not opened every day.
Maybe I'm wrong. I am thinking about the kernel config, for instance.
And/or maybe provide a way to choose some preset configs, maybe in a
package.

Without trolling, there are more and more unprepared users on GNU/Linux
and Debian; they can't make real choices. Do they really want to? I
agree it's bad. But we don't offer a real way to help users
understand. Maybe GNOME now has some pretty first-start tutorial? I
don't use it.

What threats I want to be protected against:
- hardware & physical attacks
- network attacks (including vulnerable world-open apps)
- compromised-user attacks

What I want to protect: multi-purpose server and laptop.


And by the way, I love doing this kind of stuff. It's like a problem to
solve. And the more it can be automated, the better it is (for each use
case, of course) :)
Why automation instead of just making a snapshot? Because (from my
point of view) it also permits testing the setup steps and keeping the
docs up to date.

Sorry for my really bad English. I need to sleep.
Thanks for all your messages.

J.
On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins wrote:
>
> On 2018-12-03 05:10, Jérôme Bardot wrote:
>
> > Why is Debian not more hardened by default?
>
>
> Debian's hardening is adequate for most users, who are typically behind
> some sort of protection such as a router/firewall.
>
> If you actually need a hardened system, it's far better for you to do
> the hardening yourself to address the specific threats you feel
> vulnerable to.  That way you have a better understanding of what has
> been done, why, and how.  Unlike Windows, where users typically allow
> Microsoft to make all of the decisions for them, Linux in general and
> Debian specifically put user choice ahead of cookie-cutter solutions.
>
> --
> Jonathan



Re: Questions

2018-12-04 Thread Jonathan Hutchins

On 2018-12-03 05:10, Jérôme Bardot wrote:


Why is Debian not more hardened by default?



Debian's hardening is adequate for most users, who are typically behind 
some sort of protection such as a router/firewall.


If you actually need a hardened system, it's far better for you to do 
the hardening yourself to address the specific threats you feel 
vulnerable to.  That way you have a better understanding of what has 
been done, why, and how.  Unlike Windows, where users typically allow 
Microsoft to make all of the decisions for them, Linux in general and 
Debian specifically put user choice ahead of cookie-cutter solutions.


--
Jonathan



Re: Questions

2018-12-03 Thread Paul Wise
On Mon, Dec 3, 2018 at 7:10 PM Jérôme Bardot wrote:

> Why is Debian not more hardened by default?

We need more people who are interested in working on this topic, some
links for anyone who is interested in contributing:

https://security-tracker.debian.org/tracker/data/report
https://www.debian.org/security/audit/
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
https://www.debian.org/security/
https://wiki.debian.org/Hardening
https://wiki.debian.org/Hardening/Daemons
https://wiki.debian.org/Hardening/RepoAndImages
https://wiki.debian.org/Hardening/Goals

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Questions

2018-12-03 Thread Jérôme Bardot
Thanks,
Why is Debian not more hardened by default?
I tried to set up OpenVAS, but it looks like there is more to do than an
apt; I will look deeper when I have the time.
On Wed, 28 Nov 2018 at 22:26, qmi wrote:
>
> Hi
>
> On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
> > Hello, I am trying to harden my Debian server.
> You are welcome to do so.
>
> > I want to understand all of these «warnings».
> > If they are false positives, maybe this part should be updated because
> > it's Debian-related?
> On Debian, by default, files and directories have 644 or 755 perms
> unless in special cases (e.g. shadow has 640, /root has 740).
> See the relevant section of the Debian Policy at
> https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners.
> By default the Debian OS is not hardened. However, your mileage may
> vary, so you are welcome to harden your Debian OS if you are concerned
> about security or you simply would like to apply a more stringent security
> policy. In addition to making sure you apply the latest security updates from
> security.debian.org in your APT settings (i.e. /etc/apt/sources.list), you can
> harden your OS by using one or a combination of the following methods:
>
> 1- Set up a HIDS (OSSEC)
> 2- Install a file/directory integrity checker (e.g. Tripwire)
> 3- Run remote vulnerability scans (e.g. OpenVAS, Nessus)
>
> See
> https://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-intrusion-detect
> .
>
> Regards,
> --
> qmi | Debian GNU/Linux enthusiast
> WWW: www.miklos.info
> GPG: 3C4B 1364 A379 7366 7FED  260A 2208 F2CE 3FCE A0D3
>



Re: Questions

2018-11-28 Thread qmi
Hi

On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
> Hello, I am trying to harden my Debian server.
You are welcome to do so.

> I want to understand all of these «warnings».
> If they are false positives, maybe this part should be updated because
> it's Debian-related?
On Debian, by default, files and directories have 644 or 755 perms
unless in special cases (e.g. shadow has 640, /root has 740).
See the relevant section of the Debian Policy at
https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners.
By default the Debian OS is not hardened. However, your mileage may
vary, so you are welcome to harden your Debian OS if you are concerned
about security or you simply would like to apply a more stringent security
policy. In addition to making sure you apply the latest security updates from
security.debian.org in your APT settings (i.e. /etc/apt/sources.list), you can
harden your OS by using one or a combination of the following methods:

1- Set up a HIDS (OSSEC)
2- Install a file/directory integrity checker (e.g. Tripwire)
3- Run remote vulnerability scans (e.g. OpenVAS, Nessus)

See 
https://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-intrusion-detect
. 

Regards,
-- 
qmi | Debian GNU/Linux enthusiast
WWW: www.miklos.info
GPG: 3C4B 1364 A379 7366 7FED  260A 2208 F2CE 3FCE A0D3
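
Added example, not code from this thread or from Debian: the minimal shape of the check Ruslanas asks for above (verify that the hardening is still in place before you trust it) using the permission defaults qmi summarises (644/755, shadow 640). OpenSCAP and Lynis do this far more thoroughly; this version is small enough to read in one sitting. Policy lines are "path mode owner group". The function names, the sample policy and the throwaway directory in demo() are constructed for illustration, and the block assumes GNU stat(1) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: detect drift from an
# intended file-permission policy, plus a sweep for world-writable files.
# Assumes GNU stat(1) for "%a %U %G" and a POSIX shell; function names,
# the sample policy and the throwaway files in demo() are constructed.

# check_perms: reads policy lines "path mode owner group" on stdin,
# prints one line per finding (DRIFT or MISSING) and returns the number
# of findings, capped at 255 so it fits in an exit status.
check_perms() {
    findings=0
    while read -r path mode owner group; do
        case $path in ''|'#'*) continue ;; esac          # blank or comment
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            findings=$((findings + 1))
            continue
        fi
        actual=$(stat -c '%a %U %G' "$path") || continue
        if [ "$actual" != "$mode $owner $group" ]; then
            echo "DRIFT $path want=$mode:$owner:$group got=$(echo "$actual" | tr ' ' ':')"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -gt 255 ] && findings=255
    return "$findings"
}

# world_writable ROOT: regular files under ROOT (one filesystem) that
# anyone may write, the usual leftover of the "chmod -R /" scenario.
world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# demo: a throwaway tree standing in for /etc, checked against a policy
# modelled on the Debian defaults quoted above (shadow 640, passwd 644).
demo() {
    d=$(mktemp -d) || return 1
    me=$(id -un); grp=$(id -gn)
    touch "$d/shadow" "$d/passwd"
    chmod 640 "$d/shadow"                    # as intended
    chmod 666 "$d/passwd"                    # drifted: should be 644
    printf '%s\n' \
        "# path mode owner group" \
        "$d/shadow 640 $me $grp" \
        "$d/passwd 644 $me $grp" \
        "$d/sudoers 440 $me $grp" | check_perms   # sudoers never created: MISSING
    echo "findings: $?"
    world_writable "$d"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh check_perms.sh demo" to see one DRIFT, one MISSING and the world-writable hit from the throwaway tree. A real policy file would list /etc/shadow, /etc/sudoers and the other files whose modes you deliberately tightened; keeping that file next to the Ansible or Puppet tree and running the check before and after each apply catches the "chmod -R /" scenario, which the hardening package itself never would.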



Re: questions about chrooting bind 8.3.3

2002-10-31 Thread Javier Fernández-Sanguino Peña
On Wed, Oct 30, 2002 at 11:43:28PM +0100, J.J. van Gorkum wrote:
 
 Maybe I'm too much an old school admin but 'they' always told me to
 move all the libraries into the chroot environment (no symlinks
 whatsoever) and even (if possible) move the whole chroot environment
 onto a special (read-only) filesystem...

Then you might like the 'makejail' method best. See
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

Talks about sshd, but the switch to bind is just as easy.

 
 In my second example when I start the named daemon without the -t option
 and use the (buggy) start-stop-daemon --chroot option the libraries are
 used from the chroot environment. That was my point -- and it seems that
 the 'standard' Debian method of using a chroot environment (the link
 from my original post) is moving the libraries into the chroot
 environment and not using them.

Standard? There is no such thing as a standard Debian method of
setting up a chroot environment. Although we might need to write/implement
one down...

Javi




Re: questions about chrooting bind 8.3.3

2002-10-30 Thread Sean McAvoy
Hello,
BIND has the built-in ability to chroot itself (-t). Then all that needs
to be done is altering the bind init script (/etc/init.d/bind), which
contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
that variable and you should be OK. I've done this with BIND 8, and now
upgraded them to 9.

On Tue, 2002-10-29 at 17:35, J.J. van Gorkum wrote:
 Hi, I have a question about chrooting bind 8.3.3
 
 I have used the setup as described in
 http://people.debian.org/~pzn/howto/chroot-bind.sh.txt ... but when I
 then start bind everything looks right, but when I do an lsof -p pid of
 named I see:
 
 command to start bind:
 
 start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g
 named -t /var/lib/chroot/named/
 
 # lsof -p 22119
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   22119 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   22119 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
 named   22119 named  txt    REG        8,6  512088  130880 /usr/sbin/named
 named   22119 named  mem    REG        8,5   82503   30185 /lib/ld-2.2.5.so
 named   22119 named  mem    REG        8,5 1145456   30223 /lib/libc-2.2.5.so
 named   22119 named  mem    REG        8,5   32664   30232 /lib/libnss_files-2.2.5.so
 named   22119 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    3u  unix 0xe1086560         5375674 socket
 named   22119 named    4u  IPv4                    5375686 UDP *:32943
 named   22119 named    5u  unix 0xd9d1ec40         5375676 /var/run/ndc
 named   22119 named   20u  IPv4                    5375680 UDP localhost:domain
 named   22119 named   21u  IPv4                    5375681 TCP localhost:domain (LISTEN)
 
 and when I change the command to start bind to:
 
 start-stop-daemon --chroot /var/lib/chroot/named/ --start --pidfile
 /var/run/named.pid --exec /usr/sbin/named -- -u named -g named
 
 I see:
 # lsof -p 23433
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   23433 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   23433 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
 named   23433 named  txt    REG       8,22  512088  145502 /var/lib/chroot/named/usr/sbin/named
 named   23433 named  mem    REG       8,22   82503  145501 /var/lib/chroot/named/lib/ld-linux.so.2
 named   23433 named  mem    REG       8,22 1145456  145500 /var/lib/chroot/named/lib/libc.so.6
 named   23433 named  mem    REG       8,22   32664  146115 /var/lib/chroot/named/lib/libnss_files.so.2
 named   23433 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    3u  unix 0xef055a80         5239772 socket
 named   23433 named    4u  IPv4                    5239784 UDP *:32942
 named   23433 named    5u  unix 0xeee6d140         5239774 /var/run/ndc
 named   23433 named   20u  IPv4                    5239778 UDP localhost:domain
 named   23433 named   21u  IPv4                    5239779 TCP localhost:domain (LISTEN)
 
 
 Look at the difference in the libraries: as I can see, when I start named
 as stated in the script, the libraries in the chrooted environment are
 not used.
 
 Am I wrong here?
 -- 
 J.J. van GorkumKnowledge Zone
 --
 If UNIX isn't the solution, you've got the wrong problem.
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 
-- 
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax:   416.360.1403
Cell:  416.616.6599





Re: questions about chrooting bind 8.3.3

2002-10-30 Thread J.J. van Gorkum
On Wed, 2002-10-30 at 18:40, Sean McAvoy wrote:
 Hello,
 BIND has the built-in ability to chroot itself (-t). Then all that needs
 to be done is altering the bind init script (/etc/init.d/bind), which
 contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
 that variable and you should be OK. I've done this with BIND 8, and now
 upgraded them to 9.

You are missing the point here: if I do it the way bind tells me in the
man pages, bind is NOT using the libraries inside the chroot environment.
That is what I try to prove with the lsmod command...



-- 
J.J. van GorkumKnowledge Zone
--
If UNIX isn't the solution, you've got the wrong problem.






Re: questions about chrooting bind 8.3.3

2002-10-30 Thread Sean McAvoy
Yes, it is true that it's making use of the system's libs, but they can't
be touched by the process as it has been chrooted. In order for someone
to overwrite those files, they would first have to break out of the chroot.
I'm not sure what the real security implications of using the system libs
are vs. using chrooted libs.


On Wed, 2002-10-30 at 15:53, J.J. van Gorkum wrote:
 On Wed, 2002-10-30 at 18:40, Sean McAvoy wrote:
  Hello,
  BIND has the built-in ability to chroot itself (-t). Then all that needs
  to be done is altering the bind init script (/etc/init.d/bind), which
  contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
  that variable and you should be OK. I've done this with BIND 8, and now
  upgraded them to 9.
 
 You are missing the point here: if I do it the way bind tells me in the
 man pages, bind is NOT using the libraries inside the chroot environment.
 That is what I try to prove with the lsmod command...
 
 
 
 -- 
 J.J. van GorkumKnowledge Zone
 --
 If UNIX isn't the solution, you've got the wrong problem.
 
-- 
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax:   416.360.1403
Cell:  416.616.6599





Re: questions about chrooting bind 8.3.3

2002-10-30 Thread J.J. van Gorkum
On Wed, 2002-10-30 at 22:15, Sean McAvoy wrote:
 Yes, it is true that it's making use of the system's libs, but they can't
 be touched by the process as it has been chrooted. In order for someone
 to overwrite those files, they would first have to break out of the chroot.
 I'm not sure what the real security implications of using the system libs
 are vs. using chrooted libs.
 
 

Maybe I'm too much an old school admin but 'they' always told me to
move all the libraries into the chroot environment (no symlinks
whatsoever) and even (if possible) move the whole chroot environment
onto a special (read-only) filesystem...

In my second example, when I start the named daemon without the -t option
and use the (buggy) start-stop-daemon --chroot option, the libraries are
used from the chroot environment. That was my point -- and it seems that
the 'standard' Debian method of using a chroot environment (the link
from my original post) is moving the libraries into the chroot
environment and not using them.

-- 
J.J. van GorkumKnowledge Zone
--
If UNIX isn't the solution, you've got the wrong problem.






Re: questions about chrooting bind 8.3.3

2002-10-30 Thread Lupe Christoph
Hi!

Please try not to wrap long lines in command output.

On Tuesday, 2002-10-29 at 23:35:42 +0100, J.J. van Gorkum wrote:
 Hi, I have a question about chrooting bind 8.3.3

 I have used the setup as described in
 http://people.debian.org/~pzn/howto/chroot-bind.sh.txt ... but when I
 then start bind everything looks right, but when I do an lsof -p pid of
 named I see:

 command to start bind:

 start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g
 named -t /var/lib/chroot/named/

 # lsof -p 22119
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   22119 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   22119 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
 named   22119 named  txt    REG        8,6  512088  130880 /usr/sbin/named
 named   22119 named  mem    REG        8,5   82503   30185 /lib/ld-2.2.5.so
 named   22119 named  mem    REG        8,5 1145456   30223 /lib/libc-2.2.5.so
 named   22119 named  mem    REG        8,5   32664   30232 /lib/libnss_files-2.2.5.so
 named   22119 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    3u  unix 0xe1086560         5375674 socket
 named   22119 named    4u  IPv4                    5375686 UDP *:32943
 named   22119 named    5u  unix 0xd9d1ec40         5375676 /var/run/ndc
 named   22119 named   20u  IPv4                    5375680 UDP localhost:domain
 named   22119 named   21u  IPv4                    5375681 TCP localhost:domain (LISTEN)

 and when I change the command to start bind to:

 start-stop-daemon --chroot /var/lib/chroot/named/ --start --pidfile
 /var/run/named.pid --exec /usr/sbin/named -- -u named -g named

 I see:
 # lsof -p 23433
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   23433 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   23433 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
 named   23433 named  txt    REG       8,22  512088  145502 /var/lib/chroot/named/usr/sbin/named
 named   23433 named  mem    REG       8,22   82503  145501 /var/lib/chroot/named/lib/ld-linux.so.2
 named   23433 named  mem    REG       8,22 1145456  145500 /var/lib/chroot/named/lib/libc.so.6
 named   23433 named  mem    REG       8,22   32664  146115 /var/lib/chroot/named/lib/libnss_files.so.2
 named   23433 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    3u  unix 0xef055a80         5239772 socket
 named   23433 named    4u  IPv4                    5239784 UDP *:32942
 named   23433 named    5u  unix 0xeee6d140         5239774 /var/run/ndc
 named   23433 named   20u  IPv4                    5239778 UDP localhost:domain
 named   23433 named   21u  IPv4                    5239779 TCP localhost:domain (LISTEN)

 Look at the difference in the libraries: as I can see, when I start named
 as stated in the script, the libraries in the chrooted environment are
 not used.

 Am I wrong here?

Wrong in assuming that named's dynamic libraries are linked in after
named has chrooted? Yes. Dynamic linking *must* take place before the
program gets control, or how could it use a library function otherwise?

You may need the libraries in the jail if named runs external programs.
AFAIR, named versions 4 and 8 do that, version 9 doesn't.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: I have |
| thith great unthinkable conthept ...  |



Re: questions about chrooting bind 8.3.3

2002-10-30 Thread Sean McAvoy
Hello,
Bind has the built in ability to chroot itself (-t). then all that needs
to be done is altering the bind init script(/etc/init.d/bind), which
contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
that variable and you should be ok. I've done this with Bind 8, and now
upgraded them to 9. 

On Tue, 2002-10-29 at 17:35, J.J. van Gorkum wrote:
 Hi, I have a question about chrooting bind 8.3.3 
 
 I have used the setup as described in
 http://people.debian.org/~pzn/howto/chroot-bind.sh.txt ... but when I
 then start bind everything looks right but when I do an lsof -p pid of
 named I see:
 
 command to start bind:
 
 start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g
 named -t /var/lib/chroot/named/
 
 # lsof -p 22119
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   22119 named  cwd   DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   22119 named  rtd   DIR       8,22    4096  145467 /var/lib/chroot/named
 named   22119 named  txt   REG        8,6  512088  130880 /usr/sbin/named
 named   22119 named  mem   REG        8,5   82503   30185 /lib/ld-2.2.5.so
 named   22119 named  mem   REG        8,5 1145456   30223 /lib/libc-2.2.5.so
 named   22119 named  mem   REG        8,5   32664   30232 /lib/libnss_files-2.2.5.so
 named   22119 named    0u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    1u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    2u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   22119 named    3u  unix 0xe1086560         5375674 socket
 named   22119 named    4u  IPv4                    5375686 UDP *:32943
 named   22119 named    5u  unix 0xd9d1ec40         5375676 /var/run/ndc
 named   22119 named   20u  IPv4                    5375680 UDP localhost:domain
 named   22119 named   21u  IPv4                    5375681 TCP localhost:domain (LISTEN)
 
 and when I change the command to start bind to :
 
 start-stop-daemon --chroot /var/lib/chroot/named/ --start --pidfile
 /var/run/named.pid --exec /usr/sbin/named -- -u named -g named
 
 I see:
 # lsof -p 23433
 COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
 named   23433 named  cwd   DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
 named   23433 named  rtd   DIR       8,22    4096  145467 /var/lib/chroot/named
 named   23433 named  txt   REG       8,22  512088  145502 /var/lib/chroot/named/usr/sbin/named
 named   23433 named  mem   REG       8,22   82503  145501 /var/lib/chroot/named/lib/ld-linux.so.2
 named   23433 named  mem   REG       8,22 1145456  145500 /var/lib/chroot/named/lib/libc.so.6
 named   23433 named  mem   REG       8,22   32664  146115 /var/lib/chroot/named/lib/libnss_files.so.2
 named   23433 named    0u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    1u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    2u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
 named   23433 named    3u  unix 0xef055a80         5239772 socket
 named   23433 named    4u  IPv4                    5239784 UDP *:32942
 named   23433 named    5u  unix 0xeee6d140         5239774 /var/run/ndc
 named   23433 named   20u  IPv4                    5239778 UDP localhost:domain
 named   23433 named   21u  IPv4                    5239779 TCP localhost:domain (LISTEN)
 
 
 Look at the difference in the libraries, as I can see when I start named
 as stated in the script the libraries in the chrooted environment are
 not used 
 
 Am I wrong here?
 -- 
 J.J. van Gorkum    Knowledge Zone
 --
 If UNIX isn't the solution, you've got the wrong problem.
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 
-- 
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax:   416.360.1403
Cell:  416.616.6599




Re: questions about chrooting bind 8.3.3

2002-10-30 Thread J.J. van Gorkum
On Wed, 2002-10-30 at 18:40, Sean McAvoy wrote:
 Hello,
 Bind has the built in ability to chroot itself (-t). then all that needs
 to be done is altering the bind init script(/etc/init.d/bind), which
 contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
 that variable and you should be ok. I've done this with Bind 8, and now
 upgraded them to 9. 

You are missing the point here, if I do it the way bind tells me in the
man pages bind is NOT using the libraries inside the chroot environment.
That is what I try to prove with the lsmod command...



-- 
J.J. van Gorkum    Knowledge Zone
--
If UNIX isn't the solution, you've got the wrong problem.



Re: questions about chrooting bind 8.3.3

2002-10-30 Thread Sean McAvoy
Yes it is true that it's making use of the systems libs, but they can't
be touched by the process as it has been chrooted. In order for someone
to overwrite those files, they would first have to break out of the chroot. 
I'm not sure of the real security implications of using the system libs
are vs. using chrooted libs. 


On Wed, 2002-10-30 at 15:53, J.J. van Gorkum wrote:
 On Wed, 2002-10-30 at 18:40, Sean McAvoy wrote:
  Hello,
  Bind has the built in ability to chroot itself (-t). then all that needs
  to be done is altering the bind init script(/etc/init.d/bind), which
  contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
  that variable and you should be ok. I've done this with Bind 8, and now
  upgraded them to 9. 
 
 You are missing the point here, if I do it the way bind tells me in the
 man pages bind is NOT using the libraries inside the chroot environment.
 That is what I try to prove with the lsmod command...
 
 
 
 -- 
 J.J. van Gorkum    Knowledge Zone
 --
 If UNIX isn't the solution, you've got the wrong problem.
 
-- 
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax:   416.360.1403
Cell:  416.616.6599




Re: questions about chrooting bind 8.3.3

2002-10-30 Thread J.J. van Gorkum
On Wed, 2002-10-30 at 22:15, Sean McAvoy wrote:
 Yes it is true that it's making use of the systems libs, but they can't
 be touched by the process as it has been chrooted. In order for someone
 to overwrite those files, they would first have to break out of the chroot. 
 I'm not sure of the real security implications of using the system libs
 are vs. using chrooted libs. 
 
 

Maybe I'm too much an old school admin but 'they' always told me to
move all the libraries into the chroot environment (no symlinks
whatsoever) and even (if possible) move the whole chroot environment 
onto a special (read-only) filesystem...

In my second example when I start the named daemon without the -t option
and use the (buggy) start-stop-daemon --chroot option the libraries are
used from the chroot environment. That was my point -- and it seems that
the 'standard' debian method of using a chroot environment (the link
from my original post) is moving the libraries into the chroot
environment and not using them.

-- 
J.J. van Gorkum    Knowledge Zone
--
If UNIX isn't the solution, you've got the wrong problem.
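Lupe's explanation (the dynamic linker runs before named ever calls chroot) and J.J.'s comparison of the two lsof listings both reduce to one check: which of a chrooted process's mapped files live outside the root that lsof reports on the rtd line. The script below is an added example, not code from this thread or from the Debian chroot-bind howto. It parses lsof -p output of the kind quoted above (the two listings, with wrapped rows re-joined) and lists the txt/mem entries whose host path is not under the jail root. The function names are mine, and the parser assumes that mapped file paths contain no spaces, so the NAME column is the last whitespace-separated token.

```python
"""Audit a chrooted daemon's executable and library mappings against its jail root.

Added example, not code from the thread: given lsof -p output for one
process, list the txt/mem entries whose host path is not under the
process root (the rtd row). lsof prints paths as the host sees them, so
a library loaded from inside the jail shows up as <root>/lib/..., while
one mapped before chroot() keeps its bare host path such as /lib/....
"""

# Constructed sample input: the two listings quoted in the thread with the
# wrapped NAME columns re-joined (duplicate /dev/null rows dropped).
LSOF_T_OPTION = """\
COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
named   22119 named  cwd   DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
named   22119 named  rtd   DIR       8,22    4096  145467 /var/lib/chroot/named
named   22119 named  txt   REG        8,6  512088  130880 /usr/sbin/named
named   22119 named  mem   REG        8,5   82503   30185 /lib/ld-2.2.5.so
named   22119 named  mem   REG        8,5 1145456   30223 /lib/libc-2.2.5.so
named   22119 named  mem   REG        8,5   32664   30232 /lib/libnss_files-2.2.5.so
named   22119 named    0u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
named   22119 named    4u  IPv4                    5375686 UDP *:32943
named   22119 named   21u  IPv4                    5375681 TCP localhost:domain (LISTEN)
"""

LSOF_SSD_CHROOT = """\
COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
named   23433 named  cwd   DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
named   23433 named  rtd   DIR       8,22    4096  145467 /var/lib/chroot/named
named   23433 named  txt   REG       8,22  512088  145502 /var/lib/chroot/named/usr/sbin/named
named   23433 named  mem   REG       8,22   82503  145501 /var/lib/chroot/named/lib/ld-linux.so.2
named   23433 named  mem   REG       8,22 1145456  145500 /var/lib/chroot/named/lib/libc.so.6
named   23433 named  mem   REG       8,22   32664  146115 /var/lib/chroot/named/lib/libnss_files.so.2
named   23433 named    0u  CHR        1,3          145480 /var/lib/chroot/named/dev/null
named   23433 named    4u  IPv4                    5239784 UDP *:32942
named   23433 named   21u  IPv4                    5239779 TCP localhost:domain (LISTEN)
"""

# FD values whose NAME is a file mapped for execution: the binary (txt)
# and its shared libraries (mem).
MAPPED_FDS = ("txt", "mem")


def _under(path, root):
    """True if path is root itself or lies somewhere below it."""
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def mapped_outside_jail(lsof_text):
    """Return (root, outside) for one process's lsof -p listing.

    root is the rtd path; outside lists txt/mem paths not under root,
    in the order lsof printed them. Assumes mapped paths contain no
    spaces (hypothetical simplification: NAME is taken as the last token).
    """
    root = None
    mapped = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "COMMAND":
            continue  # blank line, a "# lsof ..." prompt line, or the header
        fd, name = parts[3], parts[-1]
        if fd == "rtd":
            root = name.rstrip("/") or "/"
        elif fd in MAPPED_FDS:
            mapped.append(name)
    if root is None:
        raise ValueError("no rtd row: cannot tell where the process is rooted")
    outside = [p for p in mapped if not _under(p, root)]
    return root, outside


def report(label, lsof_text):
    """Human-readable summary for one listing."""
    root, outside = mapped_outside_jail(lsof_text)
    if not outside:
        return f"{label}: root {root}, all mappings inside the jail"
    lines = [f"{label}: root {root}, {len(outside)} mapping(s) from the host:"]
    lines += [f"  {p}" for p in outside]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("named -t", LSOF_T_OPTION))
    print(report("start-stop-daemon --chroot", LSOF_SSD_CHROOT))
```

Run against the first listing it reports /usr/sbin/named and the three /lib objects as host mappings; against the second it reports none, which is exactly the difference J.J. points at. Only txt and mem rows are judged, because the other rows (sockets, /dev/null) are file descriptors rather than code the process executes.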



Re: Questions on Sysloging with a DMZ

2002-06-14 Thread Federico Grau

On Fri, Jun 14, 2002 at 10:13:09AM -0400, Mike Dresser wrote:
 I've done some looking around on the web, and haven't really found an
 answer to the following question.
 
 How do you securely handle syslogging when you have servers in the DMZ,
 and then the servers that are inside on the internal network?  Seems that
 the fundamental rule is never allow internal lan access from an external
 or dmz host.  But if that rule is followed, that means the syslog server
 ends up in the DMZ, and that seems just as wrong.
 
 Dual firewall setup:
 
 Internet -- Firewall1 -- Firewall2 -- LAN
 |
 DMZ (connected to NIC on firewall1)
 
 Lets say I have 4 servers in the DMZ, and 3 on the lan.  Do I build two
 syslog servers, one attached to each network?
 
 I was thinking of using a digiboard on the syslog machine, and connecting
 a serial link to each server.  However, that doesn't help me on stuff like
 cisco's and jetdirect boxes that can only output syslog over ethernet.
 
 I was also considering maintenance, if I used serial links over another
 digiboard plugged into a secured internal lan machine, that would remove
 the requirement for ssh on the servers, just login to the maintenance
 machine, and then connect to the appropriate server via the serial link.
 Make sense/practical/secure?
 
 And one last question.  It's generally considered ok to go from internal
 lan to DMZ server with limited access, correct?  Like say my internal mail
 server polling the DMZ mail server for mail.  Or alternatively, the APC
 network card notifying servers inside and outside the dmz that the
 batteries are almost dead, shut down.
 
 Ideas/comments/flames/amazon.com_links_to_RTFM?

For what it's worth, we keep 1 syslog server in our DMZ with a very tight
configuration (we also have another syslog server in our internal lan).  The
only listening service is syslog and even that is limited to our servers.  A
better solution would be to use ipsec / freeswan, but I have yet to learn
that.

good luck,
donfede





Re: Questions on Sysloging with a DMZ

2002-06-14 Thread Rich Puhek


Mike Dresser wrote:
 
 I was thinking of using a digiboard on the syslog machine, and connecting
 a serial link to each server.  However, that doesn't help me on stuff like
 cisco's and jetdirect boxes that can only output syslog over ethernet.

logging console level

should get what you need on a cisco. Might have to set that serial port
to no password, which brings up an additional hole if physical security
is a concern.

--Rich

_
 
Rich Puhek   
ETN Systems Inc. 
_





Re: Questions on Sysloging with a DMZ

2002-06-14 Thread Mike Dresser
 logging console level

 should get what you need on a cisco. Might have to set that serial port
 to no password, which brings up an additional home if physical security
 is a concern.

 --Rich

What about the cisco that's 35 miles away?

I'm thinking with what these cisco's do, and actually log, that there's not
much point in having the syslog on them, actually.

Mike





Re: Questions regarding the Security Secretary Position

2001-10-23 Thread John Galt

On Tue, 23 Oct 2001, Martin Schulze wrote:

John Galt wrote:
 On Tue, 23 Oct 2001, Martin Schulze wrote:
 
 John Galt wrote:
  
  It really didn't need to go to -devel in the first place: this is internal 
  to debian-security until there's a candidate. Followups redirected.
 
 Err... you have noticed that there are already two people filling
 this position, haven't you?
 
 And since the candidate wasn't announced on -devel, one can only assume 

I'm sorry, but things are announced to -devel-announce, -news or
-announce.  If you don't follow these lists, I'm sorry...

Wherever they're announced is pretty much irrelevant, the issue at hand is 
that 1) somebody complained about the crosspost 2) -devel was the obvious 
extra and 3) I redirected it.  I cannot be expected to unilaterally 
redirect, so my comment was my way of throwing up my hands: crosspost it 
to hell as far as I'm concerned, just don't blame me anymore for where it 
goes.

Regards,

   Joey



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]






Re: Questions regarding the Security Secretary Position

2001-10-23 Thread John Galt
On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 On 22 Oct 2001, Thomas Bushnell, BSG wrote:
 
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 It's an extra qualification.  It's one that until you objected, didn't 
 exist.  My point still stands: if you want to add qualifications, add them 
 by raising the bar and volunteering yourself.

I think it's an entirely appropriate qualification.  But it's no
barrier: it simply requires that we know who the person is and that
they share our commitments.  I think those are reasonable things to
expect.  

They aren't reasonable things to add at the last minute.  The search 
happened, AFAICT there is a candidate, yet you had to object now.  If it 
was so reasonable, why didn't you mention it when it came up?  
Reasonableness cannot be applied to concepts that are brought up at the 
last minute: the very fact that they were shoved in at the last minute 
makes them unreasonable.  Now do as I asked and shut up.

Thomas




-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]




Re: Questions regarding the Security Secretary Position

2001-10-23 Thread Thomas Bushnell, BSG
John Galt [EMAIL PROTECTED] writes:

 They aren't reasonable things to add at the last minute.  The search 
 happened, AFAICT there is a candidate, yet you had to object now.  If it 
 was so reasonable, why didn't you mention it when it came up?  
 Reasonableness cannot be applied to concepts that are brought up at the 
 last minute: the very fact that they were shoved in at the last minute 
 makes them unreasonable.  Now do as I asked and shut up.

Actually, the security team was operating all the time under the
expectation that the person should be a developer, despite the public
statement on the list (as has already been said).

Nor for that matter is it unreasonable for me to make a suggestion
late in the day; it is for the appropriate people to decide whether or
not they want to take the suggestion--where that is the security
team--and I'm happy to let them take whatever suggestions I might
offer and do with them what they think fit.

As for why I didn't bring it up sooner: I simply hadn't noticed it
sooner.  I don't therefore void my right to bring it up, though the
security team would be well within its rights to decide that it's too
late to change things.

Thomas



Re: Questions regarding the Security Secretary Position

2001-10-23 Thread John Galt
On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 They aren't reasonable things to add at the last minute.  The search 
 happened, AFAICT there is a candidate, yet you had to object now.  If it 
 was so reasonable, why didn't you mention it when it came up?  
 Reasonableness cannot be applied to concepts that are brought up at the 
 last minute: the very fact that they were shoved in at the last minute 
 makes them unreasonable.  Now do as I asked and shut up.

Actually, the security team was operating all the time under the
expectation that the person should be a developer, despite the public
statement on the list (as has already been said).

You just don't know when to drop things, do you?  I've told you to shut 
up twice, at least two others have at various times told us to drop it, 
and one person's pointed out that you ECP'd it in the first place.  I'm 
almost positive Joey's ready to kill us (I've finally removed him from the 
CC list, as he really isn't germane to this discussion any more...)

Nor for that matter is it unreasonable for me to make a suggestion
late in the day; it is for the appropriate people to decide whether or
not they want to take the suggestion--where that is the security
team--and I'm happy to let them take whatever suggestions I might
offer and do with them what they think fit.

The whole problem here is they DIDN'T ask you.  You threw in your two 
cents worth without a corresponding pledge of support.  

As for why I didn't bring it up sooner: I simply hadn't noticed it
sooner.  I don't therefore void my right to bring it up, though the

No, but you DO make yourself a hypocrite for calling ME obstructionist...  
Compared to you, I'm a piker in this context apparently.

security team would be well within its rights to decide that it's too
late to change things.

Thomas


-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]




Re: Questions regarding the Security Secretary Position

2001-10-23 Thread Thomas Bushnell, BSG
John Galt [EMAIL PROTECTED] writes:

 The whole problem here is they DIDN'T ask you.  You threw in your two 
 cents worth without a corresponding pledge of support.  

It's a public mailing list, and I was simply contributing my
suggestion.  You decided it should be a big Federal case.

I'll make you a deal.  When you rudely say shut up, I'll pay
attention if you return the favor when I say shut up to you.

 No, but you DO make yourself a hypocrite for calling ME obstructionist...  
 Compared to you, I'm a piker in this context apparently.

I'm not trying to obstruct anything.



Re: Questions regarding the Security Secretary Position

2001-10-23 Thread Martin Schulze
John Galt wrote:
 
 It really didn't need to go to -devel in the first place: this is internal 
 to debian-security until there's a candidate. Followups redirected.

Err... you have noticed that there are already two people filling
this position, haven't you?

Regards,

Joey

-- 
This is Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.



Re: Questions regarding the Security Secretary Position

2001-10-23 Thread John Galt
On Tue, 23 Oct 2001, Martin Schulze wrote:

John Galt wrote:
 
 It really didn't need to go to -devel in the first place: this is internal 
 to debian-security until there's a candidate. Followups redirected.

Err... you have noticed that there are already two people filling
this position, haven't you?

And since the candidate wasn't announced on -devel, one can only assume 
that their qualifications aren't germane to -devel (followups NOT 
redirected, I've futilely tried too many times to redirect to care who the 
hell gets this).

Regards,

   Joey



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]



Re: Questions regarding the Security Secretary Position

2001-10-23 Thread Martin Schulze
John Galt wrote:
 On Tue, 23 Oct 2001, Martin Schulze wrote:
 
 John Galt wrote:
  
  It really didn't need to go to -devel in the first place: this is internal 
  to debian-security until there's a candidate. Followups redirected.
 
 Err... you have noticed that there are already two people filling
 this position, haven't you?
 
 And since the candidate wasn't announced on -devel, one can only assume 

I'm sorry, but things are announced to -devel-announce, -news or
-announce.  If you don't follow these lists, I'm sorry...

Regards,

Joey

-- 
This is Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.



Re: Questions regarding the Security Secretary Position

2001-10-23 Thread John Galt
On Tue, 23 Oct 2001, Martin Schulze wrote:

John Galt wrote:
 On Tue, 23 Oct 2001, Martin Schulze wrote:
 
 John Galt wrote:
  
  It really didn't need to go to -devel in the first place: this is 
  internal 
  to debian-security until there's a candidate. Followups redirected.
 
 Err... you have noticed that there are already two people filling
 this position, haven't you?
 
 And since the candidate wasn't announced on -devel, one can only assume 

I'm sorry, but things are announced to -devel-announce, -news or
-announce.  If you don't follow these lists, I'm sorry...

Wherever they're announced is pretty much irrelevant, the issue at hand is 
that 1) somebody complained about the crosspost 2) -devel was the obvious 
extra and 3) I redirected it.  I cannot be expected to unilaterally 
redirect, so my comment was my way of throwing up my hands: crosspost it 
to hell as far as I'm concerned, just don't blame me anymore for where it 
goes.

Regards,

   Joey



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Lauri Tischler

Matt Zimmerman wrote:
 
  I think the security secretary, if we have one, should be a Debian
  developer.
 
 We have two of them, and they are both card-carrying developers.
 
Unnghhh...
'Card-carrying' sounds like fiery-eyed anarchist or extreme left
revolutionary, some kind of luddite the least..
 
--
Lauri Tischler, Network Admin
Tel:+358-9-47846331*   Mouse movement detected  *
Fax:+358-9-47846500* Reboot Windows to activate changes *
Mobile: +358-40-5569010
EMail:  [EMAIL PROTECTED]






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Matt Zimmerman

On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:

 Matt Zimmerman wrote:
  
   I think the security secretary, if we have one, should be a Debian
   developer.
  
  We have two of them, and they are both card-carrying developers.
  
 Unnghhh...
 'Card-carrying' sounds like fiery-eyed anarchist or extreme left
 revolutionary, some kind of luddite the least..

I hate spoiling a joke this way, but a surprising number of people seem
to have misinterpreted my remark.  It was tongue-in-cheek humour,
reflecting on the present political atmosphere of Debian.

-- 
 - mdz






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Petro

On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:
 Matt Zimmerman wrote:
  
   I think the security secretary, if we have one, should be a Debian
   developer.
  
  We have two of them, and they are both card-carrying developers.
  
 Unnghhh...
 'Card-carrying' sounds like fiery-eyed anarchist or extreme left
 revolutionary, some kind of luddite the least..

And the problem with this is? (No, I don't like leftists or
luddites, but I'm all in favor of fiery-eyed anarchists).

-- 
Share and Enjoy. 






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt


It really didn't need to go to -devel in the first place: this is internal 
to debian-security until there's a candidate. Followups redirected.

On Tue, 23 Oct 2001, Jason Thomas wrote:

only one thing, does this have to go to both lists, I'm getting a lot of messages
twice, and yes they have different message id's.

On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote:
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 
 



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]







Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Thomas Bushnell, BSG

John Galt [EMAIL PROTECTED] writes:

 On 22 Oct 2001, Thomas Bushnell, BSG wrote:
 
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 It's an extra qualification.  It's one that until you objected, didn't 
 exist.  My point still stands: if you want to add qualifications, add them 
 by raising the bar and volunteering yourself.

I think it's an entirely appropriate qualification.  But it's no
barrier: it simply requires that we know who the person is and that
they share our commitments.  I think those are reasonable things to
expect.  

Thomas






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 On 22 Oct 2001, Thomas Bushnell, BSG wrote:
 
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 It's an extra qualification.  It's one that until you objected, didn't 
 exist.  My point still stands: if you want to add qualifications, add them 
 by raising the bar and volunteering yourself.

I think it's an entirely appropriate qualification.  But it's no
barrier: it simply requires that we know who the person is and that
they share our commitments.  I think those are reasonable things to
expect.  

They aren't reasonable things to add at the last minute.  The search 
happened, AFAICT there is a candidate, yet you had to object now.  If it 
was so reasonable, why didn't you mention it when it came up?  
Reasonableness cannot be applied to concepts that are brought up at the 
last minute: the very fact that they were shoved in at the last minute 
makes them unreasonable.  Now do as I asked and shut up.

Thomas




-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]







Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Thomas Bushnell, BSG

John Galt [EMAIL PROTECTED] writes:

 They aren't reasonable things to add at the last minute.  The search 
 happened, AFAICT there is a candidate, yet you had to object now.  If it 
 was so reasonable, why didn't you mention it when it came up?  
 Reasonableness cannot be applied to concepts that are brought up at the 
 last minute: the very fact that they were shoved in at the last minute 
 makes them unreasonable.  Now do as I asked and shut up.

Actually, the security team was operating all the time under the
expectation that the person should be a developer, despite the public
statement on the list (as has already been said).

Nor for that matter is it unreasonable for me to make a suggestion
late in the day; it is for the appropriate people to decide whether or
not they want to take the suggestion--where that is the security
team--and I'm happy to let them take whatever suggestions I might
offer and do with them what they think fit.

As for why I didn't bring it up sooner: I simply hadn't noticed it
sooner.  I don't therefore void my right to bring it up, though the
security team would be well within its rights to decide that it's too
late to change things.

Thomas






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 They aren't reasonable things to add at the last minute.  The search 
 happened, AFAICT there is a candidate, yet you had to object now.  If it 
 was so reasonable, why didn't you mention it when it came up?  
 Reasonableness cannot be applied to concepts that are brought up at the 
 last minute: the very fact that they were shoved in at the last minute 
 makes them unreasonable.  Now do as I asked and shut up.

Actually, the security team was operating all the time under the
expectation that the person should be a developer, despite the public
statement on the list (as has already been said).

You just don't know when to drop things, do you?  I've told you to shut 
up twice, at least two others have at various times told us to drop it, 
and one person's pointed out that you ECP'd it in the first place.  I'm 
almost positive Joey's ready to kill us (I've finally removed him from the 
CC list, as he really isn't germane to this discussion any more...)

Nor for that matter is it unreasonable for me to make a suggestion
late in the day; it is for the appropriate people to decide whether or
not they want to take the suggestion--where that is the security
team--and I'm happy to let them take whatever suggestions I might
offer and do with them what they think fit.

The whole problem here is they DIDN'T ask you.  You threw in your two 
cents worth without a corresponding pledge of support.  

As for why I didn't bring it up sooner: I simply hadn't noticed it
sooner.  I don't therefore void my right to bring it up, though the

No, but you DO make yourself a hypocrite for calling ME obstructionist...  
Compared to you, I'm a piker in this context apparently.

security team would be well within its rights to decide that it's too
late to change things.

Thomas


-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]







Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Thomas Bushnell, BSG

John Galt [EMAIL PROTECTED] writes:

 The whole problem here is they DIDN'T ask you.  You threw in your two 
 cents worth without a corresponding pledge of support.  

It's a public mailing list, and I was simply contributing my
suggestion.  You decided it should be a big Federal case.

I'll make you a deal.  When you rudely say shut up, I'll pay
attention if you return the favor when I say shut up to you.

 No, but you DO make yourself a hypocrite for calling ME obstructionist...  
 Compared to you, I'm a piker in this context apparently.

I'm not trying to obstruct anything.






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 The whole problem here is they DIDN'T ask you.  You threw in your two 
 cents worth without a corresponding pledge of support.  

It's a public mailing list, and I was simply contributing my
suggestion.  You decided it should be a big Federal case.

I find that hilarious coming from you.  Didn't you once try to muzzle 
myself and another on -legal, claiming that lists.debian.org wasn't a 
public resource?  Hypocrite.

I'll make you a deal.  When you rudely say shut up, I'll pay
attention if you return the favor when I say shut up to you.

Yeah, sure.  You have yet to back that statement with lack of words...

 No, but you DO make yourself a hypocrite for calling ME obstructionist...  
 Compared to you, I'm a piker in this context apparently.

I'm not trying to obstruct anything.

No, you're just making reasonable suggestions after the fact.  Whatever, 
if you can't figure that what you're doing is being obstructionist, there 
ain't nothing I'm going to tell you that will change it, even if I could.  



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]









Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Robert van der Meulen

Hi,

Quoting Colin Phipps ([EMAIL PROTECTED]):
 On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 The barriers to becoming a developer are mainly commitment to the project 
 and to the social contract, both of which should be requirements for any 
 security secretary. It doesn't imply package maintenance (IIRC). Sure they 
 don't have to be a developer *yet*, but they should (either in fact or in 
 effect) become one.
 Which was what Thomas suggested.
Please read the thread first :)
mdz already noted that we already have two security secretaries.
A couple of members of the security team, including me, feel that the
person(s) to be appointed secretary should already _be_ developers.
Not that this all matters anymore, as the whole thing already has been
resolved.

Greets,
Robert

-- 
  Linux Generation
   encrypted mail preferred. finger [EMAIL PROTECTED] for my GnuPG/PGP key.
Life is a sexually transmitted disease with 100% mortality.






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Thomas Bushnell, BSG

John Galt [EMAIL PROTECTED] writes:

 I take it then that you volunteer.  If not, shut up.  Throwing artificial 
 barriers at this office isn't going to add volunteers.

How is it a barrier?






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On 21 Oct 2001, Thomas Bushnell, BSG wrote:

Martin Schulze [EMAIL PROTECTED] writes:

 Q: Is a requirement being a Debian developer?
 
No.  It is my understanding that it would be good to have fresh
blood in the team.  Working on security can cost a lot of time,
thus it could even be helpful not being a Debian developer since
that implies active package maintenance as well.  However, similar
knowledge is very helpful, and may be required when working on
issues.

I think the security secretary, if we have one, should be a Debian
developer.

I take it then that you volunteer.  If not, shut up.  Throwing artificial 
barriers at this office isn't going to add volunteers.

But it doesn't have to be someone who is already a Debian developer,
and I have no objection to fast-tracking their application.  




-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Jason Thomas

Only one thing: does this have to go to both lists? I'm getting a lot of messages
twice, and yes, they have different message IDs.

On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote:
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 

-- 
Jason Thomas   Phone:  +61 2 6257 7111
System Administrator  -  UID 0 Fax:+61 2 6257 7311
tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On 22 Oct 2001, Thomas Bushnell, BSG wrote:

John Galt [EMAIL PROTECTED] writes:

 I take it then that you volunteer.  If not, shut up.  Throwing artificial 
 barriers at this office isn't going to add volunteers.

How is it a barrier?

It's an extra qualification.  It's one that until you objected, didn't 
exist.  My point still stands: if you want to add qualifications, add them 
by raising the bar and volunteering yourself.


-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Colin Phipps

On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
 On 21 Oct 2001, Thomas Bushnell, BSG wrote:
 Martin Schulze [EMAIL PROTECTED] writes:
 
  Q: Is a requirement being a Debian developer?
  
 No.  It is my understanding that it would be good to have fresh
 blood in the team.  Working on security can cost a lot of time,
 thus it could even be helpful not being a Debian developer since
 that implies active package maintenance as well.  However, similar
 knowledge is very helpful, and may be required when working on
 issues.
 
 I think the security secretary, if we have one, should be a Debian
 developer.
 
 I take it then that you volunteer.  If not, shut up.  Throwing artificial 
 barriers at this office isn't going to add volunteers.

The barriers to becoming a developer are mainly commitment to the project and
to the social contract, both of which should be requirements for any security
secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to
be a developer *yet*, but they should (either in fact or in effect) become one.
Which was what Thomas suggested.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On Mon, 22 Oct 2001, Colin Phipps wrote:

On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
 On 21 Oct 2001, Thomas Bushnell, BSG wrote:
 Martin Schulze [EMAIL PROTECTED] writes:
 
  Q: Is a requirement being a Debian developer?
  
 No.  It is my understanding that it would be good to have fresh
 blood in the team.  Working on security can cost a lot of time,
 thus it could even be helpful not being a Debian developer since
 that implies active package maintenance as well.  However, similar
 knowledge is very helpful, and may be required when working on
 issues.
 
 I think the security secretary, if we have one, should be a Debian
 developer.
 
 I take it then that you volunteer.  If not, shut up.  Throwing artificial 
 barriers at this office isn't going to add volunteers.

The barriers to becoming a developer are mainly commitment to the project and
to the social contract, both of which should be requirements for any security
secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to

Actually, it does.  

be a developer *yet*, but they should (either in fact or in effect) become one.
Which was what Thomas suggested.





-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]







Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Martin Schulze

John Galt wrote:
 
 It really didn't need to go to -devel in the first place: this is internal 
 to debian-security until there's a candidate. Followups redirected.

Err... you have noticed that there are already two people filling
this position, haven't you?

Regards,

Joey

-- 
This is Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

On Tue, 23 Oct 2001, Martin Schulze wrote:

John Galt wrote:
 
 It really didn't need to go to -devel in the first place: this is internal 
 to debian-security until there's a candidate. Folloups redirected.

Err... you have noticed that there are already two people filling
this position, haven't you?

And since the candidate wasn't announced on -devel, one can only assume 
that their qualifications aren't germane to -devel (followups NOT 
redirected, I've futilely tried too many times to redirect to care who the 
hell gets this).

Regards,

   Joey



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Martin Schulze

John Galt wrote:
 On Tue, 23 Oct 2001, Martin Schulze wrote:
 
 John Galt wrote:
  
  It really didn't need to go to -devel in the first place: this is internal 
  to debian-security until there's a candidate. Folloups redirected.
 
 Err... you have noticed that there are already two people filling
 this position, haven't you?
 
 An since the candidate wasn't announced on -devel, once can only assume 

I'm sorry, but things are announced to -devel-announce, -news or
-announce.  If you don't follow these lists, I'm sorry...

Regards,

Joey

-- 
This is Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Colin Watson

On Mon, Oct 22, 2001 at 08:23:24AM -0600, John Galt wrote:
 On Mon, 22 Oct 2001, Colin Phipps wrote:
 The barriers to becoming a developer are mainly commitment to the
 project and to the social contract, both of which should be
 requirements for any security secretary. It doesn't imply package
 maintenance (IIRC).
 
 Actually, it does.  

No. *Most* developers maintain packages, sure, but they don't have to.

http://nm.debian.org/newnm.html (I think that's the URL, I'm looking at
it in CVS because pandora seems inaccessible):

  If you intend to package software, do you have a Debian package you
  have adopted or created ready to show your AM?  And if you intend to
  do other things (e.g. port Debian to other architectures, help with
  documentation, Quality Assurance or Security), do you have experience
  in those things which you can tell your AM about?

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Lauri Tischler
Matt Zimmerman wrote:
 
  I think the security secretary, if we have one, should be a Debian
  developer.
 
 We have two of them, and they are both card-carrying developers.
 
Unnghhh...
'Card-carrying' sounds like fiery-eyed anarchist or extreme left
revolutionary, some kind of luddite at the least..
 
--
Lauri Tischler, Network Admin
Tel:+358-9-47846331*   Mouse movement detected  *
Fax:+358-9-47846500* Reboot Windows to activate changes *
Mobile: +358-40-5569010
EMail:  [EMAIL PROTECTED]



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Matt Zimmerman
On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:

 Matt Zimmerman wrote:
  
   I think the security secretary, if we have one, should be a Debian
   developer.
  
  We have two of them, and they are both card-carrying developers.
  
 Unnghhh...
 'Card-carrying' sounds like fiery-eyed anarchist or extreme left
 revolutionary, some kind of luddite the least..

I hate spoiling a joke this way, but a surprising number of people seem
to have misinterpreted my remark.  It was tongue-in-cheek humour,
reflecting on the present political atmosphere of Debian.

-- 
 - mdz



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Petro
On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:
 Matt Zimmerman wrote:
  
   I think the security secretary, if we have one, should be a Debian
   developer.
  
  We have two of them, and they are both card-carrying developers.
  
 Unnghhh...
 'Card-carrying' sounds like fiery-eyed anarchist or extreme left
 revolutionary, some kind of luddite the least..

And the problem with this is? (No, I don't like leftists or
luddites, but I'm all in favor of fiery-eyed anarchists).

-- 
Share and Enjoy. 



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread John Galt

It really didn't need to go to -devel in the first place: this is internal 
to debian-security until there's a candidate. Followups redirected.

On Tue, 23 Oct 2001, Jason Thomas wrote:

only one thing, does this have to go to both lists, I'm alot of messages
twice, and yes they have different message id's.

On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote:
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 



-- 
Be Careful! I have a black belt in sna-fu!

Who is John Galt?  [EMAIL PROTECTED]




Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Thomas Bushnell, BSG
John Galt [EMAIL PROTECTED] writes:

 On 22 Oct 2001, Thomas Bushnell, BSG wrote:
 
 John Galt [EMAIL PROTECTED] writes:
 
  I take it then that you volunteer.  If not, shut up.  Throwing artificial 
  barriers at this office isn't going to add volunteers.
 
 How is it a barrier?
 
 It's an extra qualification.  It's one that until you objected, didn't 
 exist.  My point still stands: if you want to add qualifications, add them 
 by raising the bar and volunteering yourself.

I think it's an entirely appropriate qualification.  But it's no
barrier: it simply requires that we know who the person is and that
they share our commitments.  I think those are reasonable things to
expect.  

Thomas



Re: Questions regarding the Security Secretary Position

2001-10-21 Thread Thomas Bushnell, BSG

Martin Schulze [EMAIL PROTECTED] writes:

 Q: Is a requirement being a Debian developer?
 
No.  It is my understanding that it would be good to have fresh
blood in the team.  Working on security can cost a lot of time,
thus it could even be helpful not being a Debian developer since
that implies active package maintenance as well.  However, similar
knowledge is very helpful, and may be required when working on
issues.

I think the security secretary, if we have one, should be a Debian
developer.

But it doesn't have to be someone who is already a Debian developer,
and I have no objection to fast-tracking their application.  






Re: Questions regarding the Security Secretary Position

2001-10-21 Thread Matt Zimmerman

On Sun, Oct 21, 2001 at 09:23:03AM -0700, Thomas Bushnell, BSG wrote:

 Martin Schulze [EMAIL PROTECTED] writes:
 
  Q: Is a requirement being a Debian developer?
  
 No.  It is my understanding that it would be good to have fresh
 blood in the team.  Working on security can cost a lot of time,
 thus it could even be helpful not being a Debian developer since
 that implies active package maintenance as well.  However,
 similar knowledge is very helpful, and may be required when
 working on issues.
 
 I think the security secretary, if we have one, should be a Debian
 developer.

We have two of them, and they are both card-carrying developers.

-- 
 - mdz






Re: Questions regarding the Security Secretary Position

2001-10-21 Thread Thomas Bushnell, BSG

Matt Zimmerman [EMAIL PROTECTED] writes:

 On Sun, Oct 21, 2001 at 09:23:03AM -0700, Thomas Bushnell, BSG wrote:
 
  Martin Schulze [EMAIL PROTECTED] writes:
  
   Q: Is a requirement being a Debian developer?
   
  No.  It is my understanding that it would be good to have fresh
  blood in the team.  Working on security can cost a lot of time,
  thus it could even be helpful not being a Debian developer since
  that implies active package maintenance as well.  However,
  similar knowledge is very helpful, and may be required when
  working on issues.
  
  I think the security secretary, if we have one, should be a Debian
  developer.
 
 We have two of them, and they are both card-carrying developers.

Sorry; I was referring to the QA, not the present incumbents.







Re: Questions regarding the Security Secretary Position

2001-10-21 Thread orly-fu
Are they both around 20 years of age and steaming hot? - like the ones we 
all wish we had as receptionists in our corps? =)

-xbud
On Sunday 21 October 2001 04:52 pm, Thomas Bushnell, BSG wrote:
 Matt Zimmerman [EMAIL PROTECTED] writes:
  On Sun, Oct 21, 2001 at 09:23:03AM -0700, Thomas Bushnell, BSG wrote:
   Martin Schulze [EMAIL PROTECTED] writes:
Q: Is a requirement being a Debian developer?
   
   No.  It is my understanding that it would be good to have fresh
   blood in the team.  Working on security can cost a lot of time,
   thus it could even be helpful not being a Debian developer since
   that implies active package maintenance as well.  However,
   similar knowledge is very helpful, and may be required when
   working on issues.
  
   I think the security secretary, if we have one, should be a Debian
   developer.
 
  We have two of them, and they are both card-carrying developers.

 Sorry; I was referring to the QA, not the present incumbents.



Re: Questions concerning S/390 OCO-modules

2001-08-14 Thread Jochen Röhrig

On Tue, Aug 14, 2001 at 10:43:27AM -0700, Josh M. McKee wrote:
 
 How is this related to Debian security?

It's been a long day ... I am really sorry! This one should go to
debian-legal ...

 
 Josh
 
  -Original Message-
  From: Jochen Rohrig [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 14, 2001 10:42 AM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Questions concerning S/390 OCO-modules
  
...






RE: Questions concerning S/390 OCO-modules

2001-08-14 Thread Dorsey James - jdorse

It would be nice if pressure could be put on IBM to walk the walk.

Peace, Love and Linux?  yeah right.

IBM needs to release these as source... I don't know what would 
need to happen to convince them that this would be a good thing.
I suspect most of the community doesn't know that IBM has these closed
drivers.
Perhaps someone could write an insightful article about it and post 
it online somewhere for the LinuxToday/Slashdot/Newsforge types to 
pick up.


-Original Message-
From: Jochen Röhrig [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 12:42 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Questions concerning S/390 OCO-modules


Hi,

I would like to package three network device drivers for IBM S/390 (see
ITPs #108709, #108710, #108711).

The device drivers are provided by IBM as OCO (object code only) modules
(i.e. there are no sources available) and they are released under a
special IBM International License Agreement for Non-Warranted Programs
(to see the license agreement click on one of the
{lcs,qdio,qeth}-2.4.5-s390-2.tar.gz hyperlinks on
http://oss.software.ibm.com/developerworks/opensource/linux390/download_obj.html).

This raises a few questions:

 - Does the license allow distribution of the oco-drivers with Debian?

   From item 1. of the license agreement I derive that this is possible
   as long as
   
   a) Debian assures that the license agreement is distributed with the
  oco-driver and

   b) that the user explicitly agrees with the terms of the license
  (actually the user cannot download the oco-drivers from the
  IBM web site without explicitly accepting the agreement).

   I think a) is definitely not a problem and b) could be realized by
   asking the user before installing the oco-driver whether (s)he agrees
   with the license (could probably be done in the preinstall-script?).

 - Are there any pitfalls in the license agreement I may have overlooked?

 - Can the oco-drivers go into non-free?

   Since there is no source code available, the oco-drivers are not DFSG
   compliant and therefore could not go into main or contrib. So,
   from the Debian POV, is it acceptable to put them into non-free?
   Citing from a footnote in the Debian Policy Manual (version 3.5.5.0,
   2001-06-01, section 2.1.4 The non-free section):

      It is possible that there are policy requirements which the
      package is unable to meet, for example, if the source is
      unavailable. These situations will need to be handled on a
      case-by-case basis.

   Who finally decides whether such a package can go into non-free? What
   would be the alternative, if the package could not go into non-free
   (i.e. not be part of the distribution at all)?

   Since the oco-drivers are needed on S/390 to establish direct
   external network connections they play an essential role in making
   Debian usable on S/390. If we could not integrate them into the
   distribution, this would be a major problem. We could, e.g., not
   provide an official Debian install-ramdisk (that would have to go
   into non-free as well) that supports installation via one of the
   devices driven by the oco-drivers...

Awaiting your comments!

Jochen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]






RE: Questions concerning S/390 OCO-modules

2001-08-14 Thread Josh M. McKee

How is this related to Debian security?

Josh

 -Original Message-
 From: Jochen Rohrig [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 14, 2001 10:42 AM
 To: debian-security@lists.debian.org
 Cc: debian-s390@lists.debian.org
 Subject: Questions concerning S/390 OCO-modules
 
 
 Hi,
 
 I would like to package three network device drivers for IBM S/390 (see
 ITPs #108709, #108710, #108711).
 
 The device drivers are provided by IBM as OCO (object code only) modules
 (i.e. there are no sources available) and they are released under a
 special IBM International License Agreement for Non-Warranted Programs
 (to see the license agreement click on one of the
 {lcs,qdio,qeth}-2.4.5-s390-2.tar.gz hyperlinks on
 http://oss.software.ibm.com/developerworks/opensource/linux390/download_obj.html+).
 
 This raises a few questions:
 
  - Does the license allow distribution of the oco-drivers with Debian?
 
From item 1. of the license agreement I derive that this is possible
as long as

a) Debian assures that the license agreement is distributed with the
   oco-driver and
 
b) that the user explicitly agrees with the terms of the license
   (actually the user can not download the oco-drivers from the
   IBM web site without explicitly accepting the agreement).
 
I think a) is definitely not a problem and b) could be realized by
asking the user before installing the oco-driver whether (s)he agrees
with the license (could probably be done in the preinstall-script?).
 
  - Are there any pitfalls in the license agreement I may have overlooked?
 
  - Can the oco-drivers go into non-free?
 
Since there is no source code available, the oco-drivers are not DFSG
compliant and therefore could not go into main or contrib. So,
from the Debian POV, is it acceptable to put them into non-free?
Citing from a footnote in the Debian Policy Manual (version 3.5.5.0,
2001-06-01, section 2.1.4 The non-free section):
 
   It is possible that there are policy requirements which the
   package is unable to meet, for example, if the source is
   unavailable. These situations will need to be handled on a
   case-by-case basis.
 
Who finally decides whether such a package can go into non-free? What
would be the alternative, if the package could not go into non-free
(i.e. not be part of the distribution at all)?
 
Since the oco-drivers are needed on S/390 to establish direct
external network connections they play an essential role in making
Debian usable on S/390. If we could not integrate them into the
distribution, this would be a major problem. We could, e.g., not
provide an official Debian install-ramdisk (that would have to go
into non-free as well) that supports installation via one of the
devices driven by the oco-drivers...
 
 Awaiting your comments!
 
 Jochen
 
 
 
 



Re: Questions concerning S/390 OCO-modules

2001-08-14 Thread Jochen Röhrig
On Tue, Aug 14, 2001 at 10:43:27AM -0700, Josh M. McKee wrote:
 
 How is this related to Debian security?

It's been a long day ... I am really sorry! This one should go to
debian-legal ...

 
 Josh
 
  -Original Message-
  From: Jochen Rohrig [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, August 14, 2001 10:42 AM
  To: debian-security@lists.debian.org
  Cc: debian-s390@lists.debian.org
  Subject: Questions concerning S/390 OCO-modules
  
...




Re: questions on ident, postfix proftp

2000-12-19 Thread Nick Phillips
Kevin van Haaren wrote:

 Postfix question
 
 I have a laptop user that travels around and I'd like to let them
 send mail through postfix using authenticated smtp  from anywhere on
 the internet (I like this better than the pop authentication == smtp
 authentication, as it seems more secure).  Reading through the sample
 configs it looks like postfix provides this through sasl but it isn't
 recommended using it yet.  Is there another way to securely provide
 authenticated smtp?

We use exim (using SMTP auth) and stunnel to provide encrypted, authenticated
access from any laptop, anywhere. It was a complete pain to set up initially,
but well worth it. And if I had the config files handy (I don't - they're at work
and I'm not) I'm sure it would be easier second time round.



Cheers,



Nick



Re: questions on ident, postfix proftp

2000-12-17 Thread Christian Kurz

On 00-12-17 Kevin van Haaren wrote:
 Ident questions
 
 Going through the Securing Debian HOW-TO I don't see a specific 
 mention either for or against running the ident service (either 
 through inetd or standalone.)  Is there a consensus about if this 
 service is particularly useful or not?

It is useful to identify your users in case of abuse. 

 Digging around on the internet it mainly seems to be useful for IRC 
 clients although some mention is made that it can be useful for 
 preventing users of your system from forging e-mail from your system. 

It will also be useful if any kind of abuse happens and your logfiles
say nothing. If the admin can provide you with the ident-entry from your
ident-server, you will still be able to identify the user, but if you
have no ident running you will never find out which user abused your
server.

 As far as security on the system itself it appears mainly to be a 
 point of DoS attacks, is this a valid evaluation?  IRC clients won't 

Well, depends on your identd configuration.

Ciao
 Christian
-- 
  Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Re: questions on ident, postfix proftp

2000-12-17 Thread Bastian Blank

On Sun, Dec 17, 2000 at 10:36:03AM -0600, Kevin van Haaren wrote:
Is there another way to securely provide 
 authenticated smtp?

You can use TLS instead, but you must read the documentation to get
it to work.

bastian

-- 
No more blah, blah, blah!
-- Kirk, "Miri", stardate 2713.6
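The authenticated-SMTP question quoted above, put together with the advice to use TLS: an added Postfix configuration example (not from this thread or from Postfix's own documentation) that shows the weak setting and the hardened one, in which AUTH is only announced inside a STARTTLS session. It assumes a current Postfix release (parameter names such as smtpd_tls_security_level and smtpd_relay_restrictions are newer than the Postfix of 2000), and the certificate and key paths are placeholders.

```conf
# main.cf fragment (added example, not from this thread).
# Parameter names are those of current Postfix releases; adjust for yours.

# Weak setting: AUTH advertised on a cleartext session. PLAIN/LOGIN
# credentials then cross the Internet unencrypted, exactly the risk
# that made SASL "not recommended yet" in the question above.
#   smtpd_sasl_auth_enable = yes
#   smtpd_tls_security_level = none
#   smtpd_sasl_security_options = noanonymous

# Hardened form: offer STARTTLS, announce AUTH only inside a TLS session,
# refuse plaintext mechanisms on cleartext sessions, and let only
# authenticated clients relay. (Postfix main.cf does not allow
# end-of-line comments, so every comment sits on its own line.)
smtpd_sasl_auth_enable = yes
# cyrus is shown here; dovecot works the same with smtpd_sasl_path = private/auth
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# "may" offers STARTTLS on port 25 without forcing it on other MTAs;
# the submission service below forces it for the laptop users.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# placeholder certificate and key paths
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_loglevel = 1

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf: a separate submission port (587) for the roaming laptop,
# with TLS mandatory and relaying only for authenticated clients.
# submission inet n       -       y       -       -       smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, an EHLO on a plain `nc mail.example.org 25` session should no longer list AUTH, while `openssl s_client -starttls smtp -connect mail.example.org:25` followed by EHLO should.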




Re: questions on ident, postfix proftp

2000-12-17 Thread Tom Marshall
 I've got a server setup to provide e-mail, web, ftp services on the 
 internet.  I also run a masquerading/firewall box to protect an 
 internal network (these are separate boxes).  Both run Debian Woody 
 (one is intel box, the other is a powerpc box.)

Why are you running an unstable distribution on a firewall?  I would
recommend against it.

 Is there a recommended way 
 of setting ident up on a firewall?  I've seen servers that provide 
 proxying ident requests for internal machines, or responding with 
 random responses, is one preferred over the other?

Personally, I run a masq-aware identd on my masq box and nullidentd on my
internal machines.


