On Sun, Feb 24, 2008 at 8:17 AM, Kartik Mistry [EMAIL PROTECTED] wrote:
On Thu, Feb 21, 2008 at 9:59 AM, Kumar Appaiah [EMAIL PROTECTED] wrote:
See e.g. http://wiki.debian.org/DpkgConffileHandling
So, based on this, I have prepared a package which does the
needful. Please do give
Package: festival
Version: 1.96~beta-6
Severity: grave
Tags: security
Most users of festival have no reason to use its server mode, so the
server should not be started by default. Putting an annoying password
prompt in place is not a good way to get secure systems for users who
have festival
Dear Joey,
On Wed, Feb 20, 2008 at 08:03:41PM -0500, Joey Hess wrote:
1. Festival's server doesn't take any countermeasures against dictionary
attacks, allowing 300 or more passwords to be tried per second on not very
fast hardware.
2. There's absolutely no incentive to provide a good
Kumar Appaiah wrote:
I accept this. Therefore, would you advocate:
1. Disabling server mode by default (which users wanted enabled by
default, but I see what you mean).
Perhaps some small subset of users did. It should be disabled by
default.
2. Removing the init script: Maybe leaving it
tags 466796 confirmed
thanks
On Wed, Feb 20, 2008 at 08:49:03PM -0500, Joey Hess wrote:
1. Disabling server mode by default (which users wanted enabled by
default, but I see what you mean).
Perhaps some small subset of users did. It should be disabled by
default.
Agreed. It would also
Processing commands for [EMAIL PROTECTED]:
tags 466796 confirmed
Bug#466796: has no business starting a server by default; existing
implementation massively insecure; debconf used incorrectly and throws away
passwords
Tags were: security
Tags added: confirmed
thanks
Stopping processing here.
On Thu, Feb 21, 2008 at 07:33:56AM +0530, Kumar Appaiah wrote:
On Wed, Feb 20, 2008 at 08:49:03PM -0500, Joey Hess wrote:
1. Disabling server mode by default (which users wanted enabled by
default, but I see what you mean).
Perhaps some small subset of users did. It should be disabled
On Thu, 21 Feb 2008, Kumar Appaiah wrote:
OK, so removing some stuff was easy. However, an upgrade to the new
version of festival would now put me in the following dilemma: Upon
upgrade, the package would disown the /etc/init.d/festival file. Do I
remove it upon upgrade? But what if users who
On Wed, Feb 20, 2008 at 09:50:26PM -0500, Jaldhar Vyas wrote:
OK, so removing some stuff was easy. However, an upgrade to the new
version of festival would now put me in the following dilemma: Upon
upgrade, the package would disown the /etc/init.d/festival file. Do I
remove it upon upgrade?