Re: openssh-blacklist - careless waste of space.

2009-08-02 Thread Jan Chadima

- Steve Grubb sgr...@redhat.com wrote

> I think this is a bit like virus definitions. 800Mb is excessive to ship in a
> package. I think the definitions could be created by a script, but will take
> some time to generate. Maybe adding a generator for people not connected would
> let them recreate the content?
>
> But a 800Mb package is bigger than the livecd.
>
> -Steve
 
To make a working generator is not so easy. It is necessary to provide it for 3
archs: 32bit le, 64 le and 32bit be, and to run it on all the architectures.
(The big endian architecture is problematic.) The generation of the keysets is
a time-consuming process.
 


-- 
JFCh

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: openssh-blacklist - careless waste of space.

2009-08-01 Thread Gregory Maxwell
On Fri, Jul 31, 2009 at 11:31 AM, Steve Grubb sgr...@redhat.com wrote:
> On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
>> I think what is meant, is that the app is useless, without either
>> web\media input. Which the user should not have to do to take full
>> advantage of it.
>
> I think this is a bit like virus definitions.

It's more akin to a bad password list.

> 800Mb is excessive to ship in a
> package. I think the definitions could be created by a script, but will take
> some time to generate. Maybe adding a generator for people not connected would
> let them recreate the content?
>
> But a 800Mb package is bigger than the livecd.


What?!

Openssh-blacklist is a list of bad keys that could have been generated
by the debian lack of entropy bug.

In it should be a couple of text files: A DSA key file, and an RSA key
file for each of a couple common key sizes.  Each file should have
100k lines or so with just a fingerprint on them.. all in all it
should just be a couple of mbytes.

It looks like that distribution also includes the full public and
private keyparts for the bad keys in addition to the fingerprints.
That isn't needed for bad key screening— that additional info is only
really needed by attackers.

After the vulnerability I screened the accounts on my systems and
found a couple of these bad keys just from giving my ubuntu/debian
running friends access to rsync data, so this is a risk for fedora
users too.

Not only should this install without requiring a live internet
connection but these, or at least a subset with the most common key
sizes, should really be part of the default ssh install along with the
feature in SSH that causes it to refuse to use these keys.
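
The screening described in this message, as an added example (not part of the original message and not openssh-blacklist's own code): fingerprint every key in an authorized_keys file and look it up in a fingerprint-only list, which needs no public or private key material. The one-fingerprint-per-line layout, the function names and the sample data are assumptions made for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # RSA and DSA, the two types named in the thread

def md5_fingerprint(blob_b64):
    """Hex MD5 of the decoded public-key blob, the classic OpenSSH fingerprint."""
    return hashlib.md5(base64.b64decode(blob_b64, validate=True)).hexdigest()

def load_blacklist(text):
    """Assumed layout: one hex fingerprint per line; colons and case normalised."""
    entries = (ln.strip().replace(":", "").lower() for ln in text.splitlines())
    return {e for e in entries if e and not e.startswith("#")}

def screen(authorized_keys_text, blacklist):
    """Return (line_no, key_type, comment, fingerprint) for each blacklisted key."""
    hits = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type, so search for it.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                try:
                    fp = md5_fingerprint(fields[i + 1])
                except ValueError:  # not base64: malformed entry, nothing to match
                    break
                if fp in blacklist:
                    hits.append((line_no, field, " ".join(fields[i + 2:]), fp))
                break
    return hits

def fake_blob(seed):
    """Constructed stand-in for a key blob (SSH string framing, dummy contents)."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", hashlib.sha256(seed).digest()]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

# Constructed sample data: neither blob is a real key or a real blacklist entry.
WEAK, GOOD = fake_blob(b"constructed-weak"), fake_blob(b"constructed-good")
SAMPLE_BLACKLIST = "# constructed list\n" + md5_fingerprint(WEAK).upper() + "\n"
SAMPLE_KEYS = (
    "# constructed authorized_keys\nssh-rsa %s alice@laptop\n" % GOOD
    + 'command="rsync --server",no-pty ssh-rsa %s friend@debian-box\n' % WEAK)

if __name__ == "__main__":
    print(screen(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)))
```

Only the restricted rsync entry on line 3 of the constructed file is reported; the lookup is a set membership test, so the size of the fingerprint list does not affect the cost per key.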



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Jan Chadima

- Conrad Meyer ceme...@u.washington.edu wrote:

> On Thursday 30 July 2009 08:49:12 am Jan Chadima wrote:
>> Hi
>> I've just solved the problem with the openssh-blacklist package.
>> Now the package is only 16 kbytes. It contains the downloader. The data
>> are downloaded from the server on user request. Excuse me for the first
>> (big) package. I hope that way will work.
>
> If I'm reading this correctly, this behavior is also broken. The user should
> not have to be connected to the internet to use the package after (s)he
> installs it.
>
> Another interpretation suggests that you download the data in the build
> process; that won't work on Koji (and should be fixed).
 

Maybe I do not understand your question. Now the srpm and noarch.rpm are also
20kB. The build is a normal koji build. The user (or admin) runs the program and
then the program synchronizes the local database of keys to the internet one. If
someone has no Internet, there is also the possibility to transfer the data on
CD, DVD, FLASH or else


> Regards,
> --
> Conrad Meyer ceme...@u.washington.edu
 

-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Frank Murphy

On 31/07/09 09:37, Jan Chadima wrote:
> - Conrad Meyer ceme...@u.washington.edu wrote:

--snip--

> Maybe I do not understand your question. Now the srpm and noarch.rpm are also
> 20kB.
>
> The build is a normal koji build. The user (or admin) runs the program and then
> the program synchronizes the local database of keys to the internet one.
>
> If someone has no Internet, there is also the possibility to transfer the data
> on CD, DVD, FLASH or else

I think what is meant, is that the app is useless, without either
web\media input. Which the user should not have to do to take full
advantage of it.




Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Jan Chadima

- Frank Murphy frankl...@gmail.com wrote:

> On 31/07/09 09:37, Jan Chadima wrote:
>> - Conrad Meyer ceme...@u.washington.edu wrote:
>
> --snip--
>
>> Maybe I do not understand your question. Now the srpm and noarch.rpm are also
>> 20kB.
>>
>> The build is a normal koji build. The user (or admin) runs the program and then
>> the program synchronizes the local database of keys to the internet one.
>>
>> If someone has no Internet, there is also the possibility to transfer the data
>> on CD, DVD, FLASH or else
>
> I think what is meant, is that the app is useless, without either
> web\media input. Which the user should not have to do to take full
> advantage of it.
 

1) who is unable to get data from the Internet and transfer it by other means
to another computer today?
2) how to put various sets of data of total size up to 1GB (2GB in future) into
the distro?
3) why would a user without Internet want to test his network security?
--- if it is a user on a great intranet, admins should provide an internal mirror.
--- if it is a single computer then the whole package is useless
:)  and the user should not have to do to take full advantage of it. :)


-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Steve Grubb
On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
> I think what is meant, is that the app is useless, without either
> web\media input. Which the user should not have to do to take full
> advantage of it.

I think this is a bit like virus definitions. 800Mb is excessive to ship in a 
package. I think the definitions could be created by a script, but will take 
some time to generate. Maybe adding a generator for people not connected would 
let them recreate the content?

But a 800Mb package is bigger than the livecd.

-Steve



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Adam Williamson
On Fri, 2009-07-31 at 09:42 +0100, Frank Murphy wrote:

> I think what is meant, is that the app is useless, without either
> web\media input. Which the user should not have to do to take full
> advantage of it.

We ship rather a lot of applications which are fairly useless without an
internet connection. If the data is downloaded from the internet when
you run _the installed program_, I don't see any problem here.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Adam Miller
On Fri, Jul 31, 2009 at 11:37 AM, Adam Williamson awill...@redhat.com wrote:
snip
> We ship rather a lot of applications which are fairly useless without an
> internet connection. If the data is downloaded from the internet when
> you run _the installed program_, I don't see any problem here.

snip

+1

-Adam

-- 
http://maxamillion.googlepages.com
-
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Frank Murphy
On 31/07/09 17:37, Adam Williamson wrote:
> On Fri, 2009-07-31 at 09:42 +0100, Frank Murphy wrote:
>
>> I think what is meant, is that the app is useless, without either
>> web\media input. Which the user should not have to do to take full
>> advantage of it.
>
> We ship rather a lot of applications which are fairly useless without an
> internet connection. If the data is downloaded from the internet when
> you run _the installed program_, I don't see any problem here.
 

I agree, but thought I was clarifying Conrad's comment :(
Back to the TV



Re: openssh-blacklist - careless waste of space.

2009-07-30 Thread Jan Chadima
Hi
I've just solved the problem with the openssh-blacklist package.
Now the package is only 16 kbytes. It contains the downloader. The data
are downloaded from the server on user request. Excuse me for the first
(big) package. I hope that way will work.


-- 
JFCh



Re: openssh-blacklist - careless waste of space.

2009-07-27 Thread Adrian Reber
On Fri, Jul 24, 2009 at 05:30:27PM +0300, Yanko Kaneti wrote:
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
>
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.

and it is the biggest source RPM on my mirror in the development branch

 646584862 2009-05-27 15:37 nexuiz-data-2.5.1-1.fc12.src.rpm
1072930637 2009-07-22 12:43 openssh-blacklist-0.7-1.fc12.src.rpm

(nexuiz-data being the second with probably more useful data)

Adrian



openssh-blacklist - careless waste of space.

2009-07-24 Thread Yanko Kaneti
So

openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843

~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.

Seriously wtf!?. And where is the frikken package review for it?




Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Guido Grazioli
2009/7/24 Yanko Kaneti yan...@declera.com

> So
>
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
>
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.
>
> Seriously wtf!?. And where is the frikken package review for it?



It seems that files in the rpm packages were cut off ~ 32000 lines / 1MB.








-- 
Guido Grazioli guido.grazi...@gmail.com
Via Parri 11 48011 - Alfonsine (RA)
Mobile: +39 347 1017202 (10-18)
Key FP = 7040 F398 0DED A737 7337  DAE1 12DC A698 5E81 2278
Linked in: http://www.linkedin.com/in/guidograzioli

Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Jason L Tibbitts III
>>>>> "YK" == Yanko Kaneti yan...@declera.com writes:

YK> Seriously wtf!?

Can't answer that.

YK> And where is the frikken package review for it?

https://bugzilla.redhat.com/show_bug.cgi?id=509990

Unfortunately neither the reviewer nor the packager updated the ticket
title with the changed name of the package.  I've fixed that.

I don't see any mention of the size of the package in the review.

 - J



Re: openssh-blacklist - careless waste of space.

2009-07-24 Thread Daniel P. Berrange
On Fri, Jul 24, 2009 at 05:30:27PM +0300, Yanko Kaneti wrote:
> So
>
> openssh-blacklist-0.7-1.fc11.src.rpm - size 1072930614
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372950
> openssh-blacklist-0.7-1.fc10.src.rpm - size 1072930519
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372948
> openssh-blacklist-0.7-1.fc12.src.rpm - size 1072930637
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=1372843
>
> ~3GB to produce 3 ~15MB rpms of copied ~20MB fingerprints.
>
> Seriously wtf!?. And where is the frikken package review for it?

This really is insane. The source tar.gz contains

openssh-blacklist-0.7$ du -h -c -s *
4.0K    CONTENT
16K     COPYING
26M     fingerprints
797M    private
358M    public
1.2G    total


The SPEC file just does

  mv fingerprints/* $RPM_BUILD_ROOT%{_datadir}/%{name}

So there is 1.2 GB of data there that is never used for any purpose
whatsoever, it's not even being used to build the final data that
goes into the binary RPM.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
