

Re: Buffer overruns etc.



joost witteveen wrote:

>> a) suid programs, which a malicious user may use to gain privileges
>> 
>> b) programs which interface with an untrusted environment, e.g.
>>    networking software.
>> 
>> c) Programs which, when run by user foo, may grant user bar foo's
>>    privileges.
>
>(BTW, I cannot see in what group ld.so fits, here. is that "d) ld.so"?)

Hmm... OK, another category:

d) Shared libraries, loaders or other system services which are
   executed at runtime by any of the three above.

>Maybe to create an extra incentive, we could add a "security" field
>to the packages[1]. All packages in the above list would start off
>with something like "insecure" in that field (all packages outside
>the above list would have something like "doesnotapply").

Ok, but we'd need to add quite a lot of packages to c).  Any program
which opens a temporary file, for example, can potentially put a .forward
or .rhosts into your home directory.

>After some kind of source-code review has passed for the "insecure"
>packages, the security field would be upgraded to "checked".

Yep.  We'd have to make sure that this status is propagated along
dependencies.
-- 
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
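The temporary-file failure mode Thomas describes above, as an added example that is not code from this thread: the unsafe create pattern beside the exclusive-create form, with a constructed scratch-directory check showing that the first follows a pre-planted symlink while the second refuses. The scratch path and file names are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Unsafe pattern: a predictable path opened with O_CREAT but without O_EXCL.
 * Anything already at that path (e.g. a symlink into a home directory) is followed. */
int open_temp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL is atomic, so a pre-existing file or symlink
 * makes the open fail with EEXIST instead of being followed; O_NOFOLLOW is a
 * second line of defence. fstat() on the descriptor (not stat() on the path)
 * then confirms a regular, single-link file owned by us with mode 0600. */
int open_temp_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check in a private scratch directory (names are assumptions):
 * "victim_rhosts" stands in for ~victim/.rhosts, "prog.tmp" is the temp path
 * the program expects to create, and a symlink is pre-planted there. Bit 1 is
 * set if the unsafe open created the target, bit 2 if the exclusive open refused. */
int run_tempfile_check(void) {
    char dir[] = "/tmp/tmpcheck.XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/victim_rhosts", dir);
    snprintf(link, sizeof link, "%s/prog.tmp", dir);
    int result = 0;
    if (symlink(target, link) == 0) {
        int fd = open_temp_predictable(link);
        if (fd >= 0) { close(fd); if (access(target, F_OK) == 0) result |= 1; }
        if (open_temp_exclusive(link) < 0 && errno == EEXIST) result |= 2;
    }
    unlink(target); unlink(link); rmdir(dir);
    return result;  /* 3 means both behaviours were observed */
}
```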

