]] Serafeim Zanikolas

| On Sun, Dec 06, 2009 at 11:56:37AM +0100, Tollef Fog Heen wrote:
| > ]] Serafeim Zanikolas
| >
| > | The service supports no authorisation/authentication and, as of now, has no
| > | way of limiting the size of inserted messages. Would it be acceptable if I
| > | were to patch the tests to accept connections only from the localhost?
| > | (implies a potential risk of a local user attack)
| >
| > What are the implications of a user inserting a message? Test failing
| > where it should succeed? DoS causing the build to fail? DoS causing
| > the disk to fill up? Local root exploit? If it's just the build
| > failing, I think it's fine. If it becomes a root exploit, it's
| > certainly not.
|
| beanstalkd keeps messages in-memory (non-persistent by default) so one could
| potentially force the host to thrash by stuffing big messages (limiting msg
| size is considered for future releases).

Just like any other user can, by default.

[...]

| For now at least I'll upload with testing disabled.

I would rather just have it uploaded with testing enabled. Tests are
good and useful and I would not be surprised if you find a bug on a
somewhat esoteric architecture that upstream hasn't tested on.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are