

Re: Security: How we did it



On Fri, 15 Nov 1996, Bruce Perens wrote:

bruce >Christoph, I understand that you don't want to deal with these security
bruce >problems. However I don't feel it's a good idea for the project as a whole
bruce >to take a lassez-faire (pardon my spelling) attitude toward them.

I don't think I have been laissez-faire in regard to the packages in Debian.
I have faithfully rendered the intended security schemes of the developers
and I think that is the best one can do unless one intends to get involved
in the development process.

We are relaxed here in that we can and do run potentially security-hole-prone
applications (sendmail, dosemu, other tools) in our secure environment, and
in that we have, for example, made access to the network diagnostic commands
available to all administrators by default.

bruce >In the case of dosemu, it should be passed to another maintainer who can
bruce >perform a thorough security review, as soon as we can find such a person.
bruce >I understand it may have some serious privilege issues because it can provide
bruce >direct access to hardware, bypassing Linux.

I don't think we stand a chance of making dosemu "completely secure" in an
environment where you invite anybody onto a system. Plus there is the
great complexity of dosemu, the need to make DOS itself secure, and the
dosemu developers, where no one really knows the complete system.

There are other, more urgent issues in other parts of the Linux or
Debian system as well, sometimes due to the very nature of Unix, sometimes
unrelated to setuid issues. One example: the very existence of
a must-be-world-readable file like /etc/passwd.

IMHO
If you have to run a one-unit system then you need to make sure you know
who is on the system and what he is doing. I would not recommend letting
anybody unknown access shell level on such a system. Give them limited
ftp and that should be fine.

[ lecturing mode off... ]

I'd be glad if someone else took those packages (and some of the other
packages as well).

--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
PGP Public Key  =  FB 9B 31 21 04 1E 3A 33  C7 62 2F C0 CD 81 CA B5 

--
This message was distributed manually by Bruce@debian.org after the list
initially failed to distribute it.
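The /etc/passwd point above, as an added example that is not part of the original thread or of any Debian package: a small check that reports accounts whose password hash sits in a world-readable passwd-format file instead of behind a shadow marker. The sample passwd lines are constructed and the helper names (world_readable, unshadowed_accounts, report_exposed) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether password hashes
# sit in a world-readable passwd-format file, which is the exposure Christoph
# points at. Sample data below is constructed; helper names are hypothetical.

# Exit 0 if "others" have read permission on the file (portable: parses ls -l,
# where character 8 of the mode string is the other-read bit).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print names of accounts whose second field holds a real hash rather than
# the shadow marker "x" or a locked/empty entry ("*", "!", "").
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Write a constructed passwd file mixing shadowed and unshadowed accounts.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
alice:Npge08pfz4wuk:1000:1000:Alice:/home/alice:/bin/bash
bob:!:1001:1001:Bob:/home/bob:/bin/bash
ftp:$1$saltsalt$constructedhashconstruct:1003:1003:FTP:/home/ftp:/bin/false
EOF
    chmod 644 "$1"   # passwd must stay world-readable for uid/name lookups
}

# Report: every hash found in a world-readable file is exposed to all users.
# Nothing is reported when the file is not world-readable (the shadow case).
report_exposed() {
    if world_readable "$1"; then
        unshadowed_accounts "$1"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_passwd "$f"
    report_exposed "$f"      # lists alice and ftp
    rm -f "$f"
fi
```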