Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Javier Fernández-Sanguino Peña
On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> These two links are referenced by the Debian security audit pages but
> the domain has been taken by squatters. 

I have modified the pages to

a) remove the pointer to http://shellcode.org/Setuid/, as there is currently no
alternative (that I know of)

b) point maintainers and interested users/developers to the public
debian-security mailing list instead of to the old debian-audit mailing list
(which was also public BTW)

> Could someone from the security
> team suggest the correct course of action here? 

I'm not a security team member, but an (inactive) member of the debian-audit
team. I think the best course of action is to keep the pages since they
describe processes, tools and information that are relevant for developers and
for prospective auditors.

The pages do not currently highlight, however, that the Debian Audit team is
unmanned. I'm also adjusting intro/organization somewhat.

> Does the security team
> generate a list of all setuid/setgid executables in Debian? There does
> not appear to be a replacement for the debian-audit list, should mails
> about that be directed to debian-security?

For the time being I have updated the webpages to point to debian-security to
replace the previous mailing list. I have also submitted a project
registration at Alioth ('debian-audit') so that the project has its own space
for tools and for a mailing list.

Once the project is approved I will point to that mailing list, and will try
to have the old content of the mailing list (old posts) restored there too.


> http://shellcode.org/Setuid/

As for this tool, it was developed by Steve Kemp and I'm not sure the code
was made public. It would not be very difficult to produce a similar tool if
developers are still interested.

For the time being, I've removed pointers to that tool from the webpage so
that we do not point to cyber-squatter domains.


Regards

Javier





Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Paul Wise
On Sat, 2011-11-19 at 10:46 +0100, Javier Fernández-Sanguino Peña wrote:
> On Sun, Nov 13, 2011 at 04:59:19PM +0800, Paul Wise wrote:
> > These two links are referenced by the Debian security audit pages but
> > the domain has been taken by squatters. 
> 
> I have modified the pages to

Thanks!

> a) remove the point to http://shellcode.org/Setuid/, there is currently no
> alternative (that I know of)

I wonder if these pages could be an alternative?

http://lintian.debian.org/tags/setuid-binary.html
http://lintian.debian.org/tags/setgid-binary.html

-- 
bye,
pabs

http://wiki.debian.org/PaulWise




Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Javier Fernández-Sanguino Peña
On Sat, Nov 19, 2011 at 05:54:40PM +0800, Paul Wise wrote:
> > a) remove the point to http://shellcode.org/Setuid/, there is currently no
> > alternative (that I know of)
> 
> I wonder if these pages could be an alternative?
> 
> http://lintian.debian.org/tags/setuid-binary.html
> http://lintian.debian.org/tags/setgid-binary.html

This might actually be an alternative. It lacks the 'searchable' function
that the previous tool had, but I'm going to use it nevertheless.

Regards

Javier




Re: Changes in the Security Team - Please update the website

2011-11-19 Thread Moritz Mühlenhoff
On Fri, Nov 18, 2011 at 06:12:50PM -0400, David Prévot wrote:
> Hi Moritz,
> 
> On 18/11/2011 17:32, Moritz Muehlenhoff wrote:
> 
> > please update the Security Team section of
> > http://www.debian.org/intro/organization
> 
> Thanks for the input, the needed change has just been committed, the
> online page will be updated in a few hours on all mirrors.
> 
> http://anonscm.debian.org/viewvc/webwml/webwml/english/intro/organization.data?r1=1.412&r2=1.413

Thanks! 

Something else, Paul Wise noticed that the domain listed
for the Security Audit Project has been taken over:

 * Security Audit Project -- 
member Steve Kemp
member Ulf Härnhammar
member Swaraj Bontula
member Javier Fernández-Sanguino

The Debian Audit project has been dead for a long time now. Please
remove the entire entry.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-www-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2019105806.GB3648@pisco.westfalen.local



Bug#648595: marked as done (broken links under www.d.o/security/audit/)

2011-11-19 Thread Debian Bug Tracking System
Your message dated Sat, 19 Nov 2011 19:42:42 +0100
with message-id <20191942.43833.th...@debian.org>
and subject line Re: Bug#648595: broken links under www.d.o/security/audit/
has caused the Debian Bug report #648595,
regarding broken links under www.d.o/security/audit/
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
648595: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
Severity: normal
X-Debbugs-CC: debian-secur...@lists.debian.org

These two links are referenced by the Debian security audit pages but
the domain has been taken by squatters. Could someone from the security
team suggest the correct course of action here? Does the security team
generate a list of all setuid/setgid executables in Debian? There does
not appear to be a replacement for the debian-audit list, should mails
about that be directed to debian-security?

http://shellcode.org/Setuid/
http://shellcode.org/mailman/listinfo/debian-audit

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


--- End Message ---
--- Begin Message ---
Hi Paul,

Op zondag 13 november 2011 09:59:19 schreef Paul Wise:
> Package: www.debian.org
> Severity: normal
> X-Debbugs-CC: debian-secur...@lists.debian.org
> 
> These two links are referenced by the Debian security audit pages but
> the domain has been taken by squatters. Could someone from the security
> team suggest the correct course of action here? Does the security team
> generate a list of all setuid/setgid executables in Debian? There does
> not appear to be a replacement for the debian-audit list, should mails
> about that be directed to debian-security?
> 
> http://shellcode.org/Setuid/
> http://shellcode.org/mailman/listinfo/debian-audit

Thanks for checking this with us. The Debian Security Audit Project has been 
inactive for a long time now.

I see the mentioned links have been removed by jfs already. The current 
solution seems OK: point interested people to the debian-security list and 
reference Lintian for setuid binaries in the archive. That's all we have now, 
so I think no further action is necessary on this. If the audit team is 
revived they can always further improve their pages or add new links.


Thijs

--- End Message ---


Re: broken link - - - Reference Card - Translations

2011-11-19 Thread Holger Wansing
Hello,

Vince Forgetta  wrote:
> The two links entitled "Debian GNU/Linux Reference Card" at
> http://www.debian.org/doc/ do not exist anymore (link to
> http://tangosoft.com/refcard/).

This link has been changed to
http://www.debian.org/doc/manuals/refcard/refcard
which brings you to the English version of the refcard.

As translator of the German version:
Maybe we should tell users that there are also translations
available?

Patch attached.

Holger



--- index.wml   2011-11-07 21:52:18.213925879 +0100
+++ index_workingcopy.wml   2011-11-20 00:11:53.919112745 +0100
@@ -31,7 +31,9 @@
 
 Finally, make sure you print out and have at hand the http://www.debian.org/doc/manuals/refcard/refcard";>Debian GNU/Linux 
Reference
-Card, a listing of the most important commands for Debian systems.
+Card, a listing of the most important commands for Debian systems (there
+are also http://www.debian.org/doc/manuals/refcard/";>several
+translations available).
 
 If you want to start developing packages for Debian we recommend
 you go through:
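Review bot: The two anchors in this hunk are incomplete as posted: both the existing `http://www.debian.org/doc/manuals/refcard/refcard";>Debian GNU/Linux` line and the added `http://www.debian.org/doc/manuals/refcard/";>several` line show only the tail of an `<a href="...">` tag, so the patch as it appears here would not yield valid HTML; please re-send it with the opening tags intact (the attachment was probably mangled by the list or the archive). Also consider site-relative links such as `/doc/manuals/refcard/` instead of the absolute `http://www.debian.org/...` form, so that the links keep working on mirrors and with content negotiation.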






Re: broken link - - - Reference Card - Translations

2011-11-19 Thread Holger Wansing
Hi,

Holger Wansing  wrote:
> Vince Forgetta  wrote:
> > The two links entitled "Debian GNU/Linux Reference Card" at
> > http://www.debian.org/doc/ do not exist anymore (link to
> > http://tangosoft.com/refcard/).
>
> This link has been changed to
> http://www.debian.org/doc/manuals/refcard/refcard
> which brings you to the English version of the refcard.
> 
> As translator of the German version:
> Maybe we should tell users that there are also translations
> available?

Or even better:
Link to http://www.debian.org/doc/user-manuals#refcard
which provides a list of all available languages with 
direct links.


Holger




Re: broken link - - - Reference Card - Translations

2011-11-19 Thread David Prévot
Hi,

On 19/11/2011 19:25, Holger Wansing wrote:

> Holger Wansing  wrote:
>> Vince Forgetta  wrote:
>>> The two links entitled "Debian GNU/Linux Reference Card" at
>>> http://www.debian.org/doc/ do not exist anymore

>> This link has been changed to
>> http://www.debian.org/doc/manuals/refcard/refcard

Indeed, this issue has been raised in #647062, is solved on the website,
and is pending for the refcard package.

>> which brings you to the English version of the refcard.

No, it doesn't. Thanks to content negotiation, it actually brings the
preferred available language translation to the reader, providing that
the browser is actually set up correctly [1].

1: http://www.debian.org/intro/cn

>> As translator of the German version:
>> Maybe we should tell users that there are also translations
>> available?

It's not needed since the translation is already served.

> Or even better:
> Link to http://www.debian.org/doc/user-manuals#refcard
> which provides a list of all available languages with 
> direct links.

Well, this page is already linked from the IMHO already too long index
page [2], so I doubt it would be a good idea to add sentences there. On the
other hand, adding such a link in the *Manuals specific to Debian* →
/Users' manuals/ list won't make the page longer, but the index page
would then offer three sections about the Debian Reference Card (I don't
know if it's a good or bad idea, but maybe we should discuss this before
changing the page in that direction). Feel free to coordinate with the
documentation team if you wish to improve this page.

2: http://www.debian.org/doc/

Regards

David





Re: Draft: policy for vendors listed on Debian website

2011-11-19 Thread Javier Fernandez-Sanguino
On 17 October 2011 20:40, Luca Capello  wrote:
> Hi there!
>
> On Mon, 17 Oct 2011 20:12:34 +0200, Luca Capello wrote:
>> On Thu, 13 Oct 2011 20:25:16 +0200, David Prévot wrote:
>>> Le 13/10/2011 04:16, Luca Capello a écrit :
>>>> On Thu, 13 Oct 2011 02:23:42 +0200, Javier Fernández-Sanguino Peña wrote:
>>>>>  - Vendor has to sell the "Official CD Debian images".
>>>>>
>>>>>    Note: Even though vendors can send "additional CDs with unofficial
>>>>>    software" I believe we should not list vendors which provide only
>>>>>    "modified" CD Debian images.

>>>> What is the rationale for that?  "modified" could also mean that they
>>>> change the default theme to their logo, for example, which I find fair.
>>>
>>> If the CD is modified, how would it be possible to check if it is indeed
>>> an official CD? It would break the trust path…
>>
>> Point taken, but I still think that there are different levels of
>> modification.
>
> Just to be sure we are aware of our website (I was not), please note
> that, as Richard Atterer replied [1] at Francesca's initial email, we
> ATM specifically allow such modifications [2].

> [1] 
> [2] 

(sorry for the late reply, I'll try to bring closure to this
discussion, let's see if I manage to :)

Take into account that, while we allow for modifications, we do not
allow people to refer to these CDs as "official Debian CDs". If we
list vendors that distribute CDs that are not the official ones we
should explicitly label them in the list.

In any case, we don't say on that page that we will list any vendor
regardless of what they do with our brand or with the CDs. We do not
say that vendors have to provide "official Debian CDs" in the
requirements for listing vendors (see "Requirements for being added to
the vendor list" on that same page) but we do say: "The website should
offer the current stable Debian release".

From my POV, that requirement rules out vendors that distribute
*modified* versions of the stable Debian release. That is, they can
provide the "official Debian CDs" of the stable Debian release AND
other modified CDs but they CANNOT just provide "custom stable Debian
release CDs".

If we want to consider the option of listing vendors that do not
distribute the official CDs for stable but, instead, provide modified
(unofficial) stable CDs then we should distinctly mark them on the web
page. Users are typically interested in the official stable CDs;
pointing to vendors that do not provide them without warning them
beforehand might be:

- a disservice to our users

- a source of confusion and problems. Think of what would happen if a
user went to a vendor to purchase unofficial CDs thinking (as they are
linked from our web page) that they are the official CDs and are
"blessed" by the project.

Notice that this does not prevent us from listing vendors that ship
the official CDs and ship *additional* CDs with software or
*additional* (properly labelled) custom versions in the same
website/store.

It also does not prevent vendors from distributing only modified CDs
on their own, we just will not list them on the vendors page.

For example, IMHO, we should not list vendors that *only* sell on
their site substantially modified versions of Debian (i.e.
derivatives) which could be considered by some as being an "unofficial
modified Debian CD". I'm thinking of derivatives such as (in the
past) CoreLinux or any others that might come along.

> I am pointing it out to also understand if the policy Francesca and
> Javier were referring to will be added/merged with [2] or if it is a
> different thing.

I hope I have made my point clear. Is the above something you can
agree with? If so, and other members agree, I will commit changes to
the info page.

Regards


Javier

PS: If no consensus is reached maybe we should try IRC instead to
discuss this topic :)

